# Protection Mechanism Failure (CWE-693) The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. **Stack:** JavaScript - Prevalence: 高 頻繁に悪用される - Impact: ハイ 1 件の重大度ハイのルール - Prevention: 文書化済み 8 件の修正例 **OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5 ## Description This weakness covers three distinct situations: Missing a protection mechanism, using a faulty protection mechanism, or incorrectly applying a protection mechanism. A missing protection mechanism occurs when the application does not defend against a specific attack. A faulty protection mechanism occurs when the application does defend against a specific attack, but the protection mechanism is not implemented correctly. ## Prevention 1 件の Shoulder 検出ルールに基づく Protection Mechanism Failure の予防策。 ### JavaScript Add Helmet middleware to set security headers automatically ## Warning Signs - [HIGH] Application lacks security headers middleware (helmet, CSP, HSTS, X-Frame-Options, etc.). Without these headers, the app - [HIGH] missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing ## Consequences - 保護メカニズムの回避 - 未承認コードの実行 - 権限の取得 ## Mitigations - 多層防御 (defense in depth) を実装する - 独自実装ではなく、業界標準で検証済みのセキュリティメカニズムを使用する - 保護メカニズムが回避や無効化されないようにする ## Detection - Total rules: 8 - Languages: dockerfile, go, javascript, typescript ## Rules by Language ### Javascript (1 rules) - **Security Headers in Express.js** [HIGH]: Detects missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing. - Remediation: Install and configure helmet middleware: 1. Install: npm install helmet 2. Import: const helmet = require('helmet'); 3. Enable: app.use(helmet()); Example: const express = require('express'); const helmet = require('helmet'); const app = express(); app.use(helmet()); ### Typescript (1 rules) - **Security Headers in Express.js** [HIGH]: Detects missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing. - Remediation: Install and configure helmet middleware: 1. Install: npm install helmet 2. Import: const helmet = require('helmet'); 3. Enable: app.use(helmet()); Example: const express = require('express'); const helmet = require('helmet'); const app = express(); app.use(helmet());