如果將一個 ASP.NET 應用程序配置為利用模擬憑證運行,可能會授予該應用程序不必要的特權。
使用模擬憑證會導致 ASP.NET 應用程序要么享有它所代表的客戶端的特權,要么享有其配置中所賦予的任意特權。
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration
[3] ASP.NET Impersonation Microsoft
[4] Standards Mapping - FIPS200 - (FISMA) CM
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 556
[6] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.3
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.7
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8