Abstract:
Storing a plaintext password in a configuration file can compromise system security.
Explanation:
Storing a plaintext password in a configuration file gives anyone who can read that file access to the resources the password protects. Programmers sometimes assume that they cannot stop an attacker who already has access to the configuration file from compromising the application, but this attitude makes the attacker's job much easier. A sound password management policy never allows passwords to be stored in plaintext.
In this case, a hardcoded password exists on line 42 of app.properties.
Instance ID: C4F0382440E62AE4949A20A999D076E9
Priority Metadata Values:
IMPACT: 4.0
LIKELIHOOD: 3.2
Legacy Priority Metadata Values:
SEVERITY: 4.0
CONFIDENCE: 5.0
Remediation Effort: 5.0
Recommendations:
Passwords must never be stored in plaintext. Instead, an administrator should enter the password when the system starts. If that is impractical, a less secure but often adequate approach is to obfuscate the password and scatter the resources needed to de-obfuscate it across the system, so that to recover the password an attacker must obtain and correctly combine several system resources.
Some third-party products claim to manage passwords more securely. For example, WebSphere Application Server 4.x encrypts values with a simple XOR scheme, but do not place full trust in encryption of this kind. WebSphere and other application servers typically offer only outdated and relatively weak encryption mechanisms, which are far from sufficient for security-sensitive environments. The more secure solution is a mechanism that the user builds themselves, and today that is the only viable option.
Tips:
1. HPE Security Fortify Static Code Analyzer searches configuration files for the common names used for password properties. When it finds a password entry that contains plaintext, it flags the entry as an issue.
2. If a configuration file contains a default password entry, the password must be changed as well as obfuscated in the configuration file.
References:
[1] Standards Mapping - Common Weakness Enumeration, CWE ID 13, CWE ID 260, CWE ID 555
[2] Standards Mapping - FIPS200, IA
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4, SC-28 Protection of Information at Rest (P1)
[4] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M2 Insecure Data Storage
[5] Standards Mapping - OWASP Top 10 2004, A8 Insecure Storage
[6] Standards Mapping - OWASP Top 10 2007, A8 Insecure Cryptographic Storage
[7] Standards Mapping - OWASP Top 10 2010, A7 Insecure Cryptographic Storage
[8] Standards Mapping - OWASP Top 10 2013, A6 Sensitive Data Exposure
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.8, Requirement 8.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
