266 – Disable insecure functionalities

Summary

The organization must disable or carefully control the insecure functions of a system (system hardening).

Description

Sometimes, platforms include functionalities that are not required or could be harmful for some applications built on top of or residing in them. Other times, applications are developed including functionalities that allow actions that could be considered insecure. All these functionalities should be disabled or otherwise controlled to prevent them from compromising the system's security. Furthermore, the system must enforce those controls on trusted enforcement points such as access control gateways, severs and serverless functions.

Supported In

Essential: True

Advanced: True

References

• CAPEC-161. Infrastructure manipulation
• CAPEC-212. Functionality misuse
• CAPEC-677. Server Motherboard Compromise
• CAPEC-678. System Build Data Maliciously Altered
• CAPEC-701. Browser in the Middle (BiTM)
• CIS-9_4. Restrict unnecessary or unauthorized browser and email client extensions
• CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection")
• CWE-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
• CWE-114. Process control
• CWE-284. Improper access control
• CWE-444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")
• CWE-548. Exposure of information through directory listing
• CWE-602. Client-side enforcement of server-side security
• CWE-693. Protection mechanism failure
• CWE-749. Exposed dangerous method or function
• CWE-1392. Use of Default Credentials
• CWE-1393. Use of Default Password
• CWE-1394. Use of Default Cryptographic Key
• OWASP10-A1. Broken access control
• OWASP10-A4. Insecure design
• OWASP10-A5. Security misconfiguration
• OWASPM10-M1. Improper platform usage
• AGILE-9. Continuous attention to technical excellence and good design
• AGILE-11. Best architectures, requirements, and designs
• NYDFS-500_2. Cybersecurity program
• MITRE-M1042. Disable or remove feature or program
• MITRE-M1054. Software configuration
• MITRE-M1057. Data loss prevention
• PADSS-5_2_8. Improper access controls
• CMMC-CM_L2-3_4_2. Security configuration enforcement
• HITRUST-03_a. Risk management program development
• ISO27002-8_26. Application security requirements
• ISO27002-8_27. Secure system architecture and engineering principles
• IEC62443-RDF-5_3. User content filtering
• WASSEC-6_2_3_6. Client-side attacks - Flash-related attack
• WASSEC-6_2_4_3. Command execution - OS command injection
• WASSEC-6_2_4_8. Command execution - Remote file includes
• WASSEC-6_2_5_5. Information disclosure - Insecure HTTP methods enabled
• OSSTMM3-9_3_1. Wireless security (active detection verification) - Channel monitoring
• WASC-A_42. Abuse of functionality
• WASC-A_26. HTTP request smuggling
• WASC-A_30. Mail command injection
• WASC-A_31. OS commanding
• WASC-A_05. Remote file inclusion (RFI)
• WASC-W_16. Directory indexing
• NISTSSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
• NISTSSDF-PW_5_1. Archive and protect each software release
• NISTSSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities
• ISSAF-F_1. Network security - Router security assessment (router identification)
• ISSAF-J_7_3_5. Network security - Anti-virus system (methodology)
• ISSAF-P_4. Host security - Linux security (identify ports and services)
• ISSAF-P_4_1. Host security - Linux security (identify ports and users)
• ISSAF-P_6_1. Host security - Linux security (remote attacks)
• ISSAF-Q_16_10. Host security - Windows security (SMB attacks)
• ISSAF-T_12_2. Web application assessment - Browsable directories check
• ISSAF-T_13_3. Web application assessment - Test invalidated parameters (Cross Site Tracing)
• ISSAF-V_13. Application security - Source code auditing (command injection)
• PTES-3_4_1_5_8. Corporate - Infrastructure assets (defense technologies)
• PTES-3_6_1_3_8. External footprinting - Active footprinting (DNS bruteforce)
• PTES-5_2_3_2. Vulnerability analysis - Web application scanners (directory listing or brute forcing)
• PTES-5_4_2_3. Vulnerability analysis - Manual validation specific protocol (DNS)
• PTES-6_2_1. Exploitation - Countermeasures (anti-virus)
• PTES-6_2_3. Exploitation - Countermeasures (data execution prevention)
• PTES-6_2_5. Exploitation - Countermeasures (web application firewall)
• PTES-7_3_1_3. Post exploitation - Network infrastructure analysis (DNS servers)
• PTES-7_3_1_5. Post exploitation - Network infrastructure analysis (proxy servers)
• PTES-7_4_4_1. Post Exploitation - Pillaging (user information on system)
• OWASPRISKS-P1. Web application vulnerabilities
• OWASPRISKS-P3. Insufficient data breach response
• MVSP-2_3. Application design controls - Security Headers
• MVSP-3_3. Application implementation controls - Vulnerability prevention
• OWASPSCP-8. Data protection
• OWASPSCP-10. System configuration
• OWASPSCP-11. Database security
• OWASPSCP-14. General coding practices
• BSAFSS-SM_4-1. Software measures to prevent counterfeiting and tampering
• BSAFSS-SI_1-2. Avoid architectural weaknesses of authentication failure
• NIST800171-4_2. Establish and enforce security configuration settings for information technology products
• CWE25-78. Improper neutralization of special elements used in an OS command (OS command injection)
• CWE25-119. Improper restriction of operations within the bounds of a memory buffer
• CWE25-416. User after free
• CWE25-476. NULL pointer dereference
• NIST800115-4_2. Network port and service identification
• SWIFTCSC-2_3. System hardening
• SWIFTCSC-2_10. Application hardening
• SWIFTCSC-3_1. Physical security
• OSAMM-SA. Security Architecture
• OSAMM-OM. Operational Management
• ASVS-5_2_5. Sanitization and sandboxing
• ASVS-5_3_8. Output encoding and injection prevention
• ASVS-8_1_1. General data protection
• ASVS-10_3_3. Application integrity
• ASVS-12_3_6. File execution
• ASVS-14_1_3. Build and deploy
• ASVS-14_4_1. HTTP security headers
• C2M2-9_4_a. Implement software security for cybersecurity architecture
• C2M2-9_4_c. Implement software security for cybersecurity architecture
• PCI-1_2_2. Network security controls are configured and maintained
• PCI-1_2_6. Network security controls are configured and maintained
• PCI-2_2_4. Remove or disable all unnecessary functionality
• PCI-5_3_2. Anti-malware mechanisms and processes are active and monitored
• PCI-6_3_3. Security vulnerabilities are identified and addressed
• PCI-10_7_2. Failures of critical security control systems are detected and responded to promptly
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-I_2_1. Application security
• SIG-I_2_9_4. Application security
• ASVS-4_3_1. Other access control considerations
• ASVS-12_3_4. File execution
• ASVS-12_3_5. File execution
• ASVS-13_2_1. RESTful web service
• ASVS-13_2_5. RESTful web service
• ASVS-14_5_1. HTTP request header validation
• OWASPAPI-API3. Broken Object Property Level Authorization
• OWASPAPI-API8. Security Misconfiguration
• OWASPAPI-API9. Improper Inventory Management
• ISO27001-8_26. Application security requirements
• ISO27001-8_27. Secure system architecture and engineering principles
• CASA-4_3_1. Other Access Control Considerations
• CASA-4_3_2. Other Access Control Considerations
• CASA-5_2_5. Sanitization and Sandboxing
• CASA-5_3_8. Output Encoding and Injection Prevention
• CASA-8_1_1. General Data Protection
• CASA-10_3_3. Application Integrity
• OWASPMASVS-PLATFORM-1. The app uses IPC mechanisms securely
• OWASPMASVS-PLATFORM-2. The app uses WebViews securely
• OWASPMASVS-PLATFORM-3. The app uses the user interface securely
• SANS25-4. User after free
• SANS25-5. Improper neutralization of special elements used in an OS command (OS command injection)
• SANS25-12. NULL pointer dereference
• SANS25-17. Improper restriction of operations within the bounds of a memory buffer
• NIST-PR_AA-06. Physical access to assets is managed, monitored, and enforced commensurate with risk

Weaknesses

• 110 – HTTP request smuggling
• 111 – Out-of-bounds read
• 115 – Security controls bypass or absence
• 116 – XS-Leaks
• 125 – Directory listing
• 134 – Insecure or unset HTTP headers - CORS
• 135 – Insecure or unset HTTP headers - X-XSS Protection
• 136 – Insecure or unset HTTP headers - Cache Control
• 137 – Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
• 138 – Inappropriate coding practices
• 140 – Insecure exceptions - Empty or no catch
• 142 – Sensitive information in source code - API Key
• 143 – Inappropriate coding practices - Eval function
• 152 – Insecure or unset HTTP headers - X-Frame Options
• 153 – Insecure or unset HTTP headers - Accept
• 164 – Insecure service configuration
• 165 – Insecure service configuration - AWS
• 166 – Insecure service configuration - Kerberoast
• 167 – Insecure service configuration - Wireless Certificates
• 168 – Insecure service configuration - Keystore
• 170 – Insecure service configuration - Antivirus
• 171 – Insecure service configuration - Firewall
• 172 – Insecure service configuration - App Backup
• 173 – Insecure service configuration - Backup
• 175 – Insecure service configuration - DNS
• 176 – Insecure service configuration - SSH
• 177 – Insecure service configuration - Security Groups
• 178 – Insecure service configuration - RDP
• 179 – Insecure service configuration - SMB
• 180 – Insecure service configuration - SMTP
• 181 – Insecure service configuration - DynamoDB
• 205 – Insufficient Physical Access Controls
• 206 – Security controls bypass or absence - Anti hooking
• 207 – Security controls bypass or absence - SSLPinning
• 208 – Security controls bypass or absence - Antivirus
• 209 – Security controls bypass or absence - Emulator
• 210 – Security controls bypass or absence - Facial Recognition
• 212 – Security controls bypass or absence - Cloudflare
• 250 – Non-encrypted hard drives
• 252 – Automatic information enumeration - Open ports
• 253 – Automatic information enumeration - AWS
• 254 – Automatic information enumeration - Credit Cards
• 255 – Insecure functionality - Pass the hash
• 260 – Insecure Binary compilation
• 268 – Insecure service configuration - Webview
• 270 – Insecure functionality - File Creation
• 271 – Insecure functionality - Password management
• 272 – Insecure functionality - Masking
• 273 – Insecure functionality - Fingerprint
• 278 – Insecure exceptions - NullPointerException
• 283 – Automatic information enumeration - Personal Information
• 285 – Insecure service configuration - App Transport Security
• 293 – Insecure service configuration - Key pair
• 294 – Insecure service configuration - OTP
• 302 – Insecure functionality - Session management
• 305 – Security controls bypass or absence - Data creation
• 308 – Enabled default configuration
• 312 – Insecure service configuration - Signatures
• 313 – Insecure service configuration - Certificates
• 314 – Insecure service configuration - DB
• 315 – Insecure service configuration - CloudDB
• 319 – Insecure service configuration - Roles
• 320 – Insecure service configuration - LDAP
• 324 – Insecure functionality - User management
• 326 – Sensitive information in source code - Dependencies
• 329 – Insecure or unset HTTP headers - Content-Type
• 333 – Insecure service configuration - EC2
• 334 – Insecure service configuration - IAM
• 335 – Insecure service configuration - Bucket
• 338 – Insecure service configuration - Salt
• 339 – Insecure service configuration - Request Validation
• 343 – Insecure service configuration - BREACH Attack
• 345 – Security controls bypass or absence - Session Invalidation
• 347 – Insecure service configuration - Task Hijacking
• 351 – Automatic information enumeration - Corporate information
• 359 – Sensitive information in source code - Credentials
• 367 – Sensitive information in source code - Git history
• 374 – Security controls bypass or absence - Debug Protection
• 375 – Security controls bypass or absence - Tampering Protection
• 376 – Security controls bypass or absence - Reversing Protection
• 380 – Supply Chain Attack - Docker
• 381 – Supply Chain Attack - Terraform
• 384 – Inappropriate coding practices - Wildcard export
• 392 – Security controls bypass or absence - Firewall
• 396 – Insecure service configuration - KMS
• 398 – Fragment Injection
• 404 – OS Command Injection
• 414 – Insecure service configuration - Header Checking
• 417 – Account Takeover
• 418 – Insecure service configuration - Docker
• 422 – Server side template injection
• 426 – Supply Chain Attack - Kubernetes
• 431 – Supply Chain Attack - Lock Files
• 432 – Inappropriate coding practices - relative path command
• 434 – Client-side template injection
• 436 – Security controls bypass or absence - Fingerprint
• 437 – Supply Chain Attack - GitHub Actions
• 439 – Sensitive information in source code - IP
• 440 – Insecure or unset HTTP headers - Permissions-Policy
• 442 – SMTP header injection
• 443 – Insecure service configuration - Business logic
• 444 – Sensitive Information in Auto-Generated Screenshots
• 445 – Bucket takeover
• 446 – Insecure service configuration - Azure
• 447 – Supply Chain Attack - Gradle
• 004 – Remote command execution
• 009 – Sensitive information in source code
• 014 – Insecure functionality
• 044 – Insecure HTTP methods enabled
• 047 – Automatic information enumeration
• 055 – Insecure service configuration - ADB Backups
• 056 – Anonymous connection
• 060 – Insecure service configuration - Host verification
• 061 – Remote File Inclusion
• 070 – Insecure service configuration - ELB

Last updated

2024/03/05