fortify扫描结果速查(JavaScript),篇幅十分大,推荐使用ctrl+F查找~~~
JavaScript
API误用
Code Correctness: Negative Content-Length
ABSTRACT
Content-Length 头文件设为负值。
EXPLANATION
在大多数情况下,设置 Content-Length 请求标题表示开发者对
发送给服务器的 POST 数据长度感兴趣。但是,此标题应为 0 或正整数。
示例 1:以下代码错误地将 Content-Length 头文件设置为负值:
1 | xhr.setRequestHeader("Content-Length", "-1000"); |
RECOMMENDATIONS
请使用能正确计算和设置 Content-Length 头文件的 javascript 库。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
[2] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
Often Misused: Mixing Template Languages
ABSTRACT
不得混合模板语言,以防止绕过 cross-site scripting 保护。
EXPLANATION
混合模板引擎时,意味着之前为模板实施的保护可能不再起作用,或不再有效。在危害最轻的情况下,这可能会导致功能无法按预期运行,但还可能会让恶意用户能够规避引擎保护,从而引发 cross-site scripting 漏洞。
示例1:在以下代码中,将 AngularJS 模块配置为使用“[[”和“]]”作为表达式分隔符,而不是使用默认值。
1 | myModule.config(function($interpolateProvider){ |
这可能会导致其他模板引擎执行验证,以转义可能与 AngularJS 表达式不兼容的表达式,因而可能会使用户可以绕过常规验证,在浏览器中运行他们自己的代码。
RECOMMENDATIONS
通常最好完全不要混合模板引擎。如果混合,从开发人员的角度而言,将极难同时保护两种模板引擎,而且强制执行这些验证的模板引擎未考虑一种情况,即您可能会将它们的模板引擎与其他模板引擎同时运行。
REFERENCES
[1] AngularJS $interpolateProvider documentation Google
[2] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
封装
Cross-Frame Scripting
ABSTRACT
如果未能限制在 iframe 内包含应用程序,则会导致跨站请求伪造或钓鱼攻击。
EXPLANATION
当应用程序出现以下情况时,将出现 cross-frame scripting 漏洞:
允许自身包含在 iframe 内。
未能通过 X-Frame-Options 标头指定组帧策略。
使用不力保护,如基于 JavaScript 的 frame busting 逻辑。
跨框架脚本漏洞经常为 clickjacking 攻击奠定基础,攻击者可利用其执行跨站请求伪造或钓鱼攻击。
RECOMMENDATIONS
现代浏览器支持 X-Frame-Options HTTP 标头,它指示允许在帧内还是 iframe 内加载资源。如果响应包含值为 SAMEORIGIN 的标头,则当请求来自同一个站点时,浏览器将只在帧中加载资源。如果标头设置为 DENY,则无论站点是否发出请求,浏览器都将阻止在帧中加载资源。
Helmet 中间件可与 Express 应用程序一起使用,以便于在所有响应中自动包含此标头。使用以下设置启用 XFrameOptionsMiddleware
1 | var express = require('express'); |
REFERENCES
[1] OWASP Cross Frame Scripting
[2] OWASP Clickjacking
[3] OWASP Clickjacking Defense Cheat Sheet
[4] Node.js Security Checklist
[5] Standards Mapping - Common Weakness Enumeration CWE ID 1021
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.4.3 HTTP Security Headers Requirements, 14.4.7 HTTP Security Headers Requirements
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[27] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
Cross-Session Contamination
ABSTRACT
在 localStorage 和 sessionStorage 之间传输值会不知不觉地暴露敏感信息。
EXPLANATION
HTML5 提供 localStorage 和 sessionStorage 映射,以支持开发人员保留程序值。sessionStorage 映射仅在页面实例和即时浏览器会话期间为调用页面提供存储。但是,localStorage 映射会提供可供多个页面实例和浏览器实例访问的存储。此功能允许应用程序在多个浏览器选项卡或窗口中保留和使用同一信息。
例如,开发人员可能希望在旅游应用程序中使用多个浏览器选项卡或实例,以支持用户打开多个选项卡来比较住宿选择,同时保留用户最初的搜索条件。在传统的 HTTP 存储方法中,用户会面临在一个选项卡中执行的购买和决策(并存储在会话或 cookies 中)与另一个选项卡中的购买相干扰的风险。
借助跨多个浏览器选项卡使用用户值的功能,开发人员必须多加小心,以免将敏感信息从 sessionStorage 范围移至 localStorage,反之亦然。
示例:以下示例将信用卡 CCV 信息存储在会话中,表明用户已授权该站点收取文件中卡的购买费用。对于在浏览器选项卡环境中的每个购买尝试,都需要信用卡许可。为避免重新输入 CCV,此信息被存储在 sessionStorage 对象中。但是,开发人员还将信息存储在 localStorage 对象中。
1 | ... |
通过将信息放回localStorage对象中,此 CCV 信息在其他浏览器选项卡和新调用的浏览器中可用。这样可以绕开预期工作流的应用程序逻辑。
RECOMMENDATIONS
不要将敏感数值或业务工作流所依赖的值存储在 localStorage 或 sessionStorage 范围中。将数据从一种存储格式迁移至另一种存储格式时,需要考虑迁移对于问题数据的隐私性和依赖该数据的业务逻辑的影响。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 501
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-002361
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1)
[6] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M4 Unintended Data Leakage
[7] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000060 CAT II, APSC-DV-002380 CAT II
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Cross-Site Request Forgery
ABSTRACT
HTTP 请求必须包含用户特有的机密,以防止攻击者发出未经授权的请求。
EXPLANATION
跨站点伪装请求 (CSRF) 漏洞会在以下情况下发生:
Web 应用程序使用会话 cookie。
应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
Nonce 是随消息一起发送的加密随机值,可防止 replay 攻击。如果该请求未包含证明其来源的 nonce,则处理该请求的代码将易受到 CSRF 攻击(除非它并未更改应用程序的状态)。这意味着使用会话 cookie 的 Web 应用程序必须采取特殊的预防措施,确保攻击者无法诱骗用户提交伪请求。假设有一个 Web 应用程序,它允许管理员创建新帐户,如下所示:
1 | var req = new XMLHttpRequest(); |
攻击者可以设置一个包含以下代码的恶意网站。
1 | var req = new XMLHttpRequest(); |
如果 example.com 的管理员在网站上具有活动会话时访问了恶意页面,则会在毫不知情的情况下为攻击者创建一个帐户。这就是 CSRF 攻击。正是由于该应用程序无法确定请求的来源,才有可能受到 CSRF 攻击。任何请求都有可能是用户选定的合法操作,也有可能是攻击者设置的伪操作。攻击者无法查看伪请求生成的网页,因此,这种攻击技术仅适用于篡改应用程序状态的请求。
如果应用程序通过 URL 传递会话标识符(而不是 cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
CSRF 在 2007 OWASP Top 10 排行榜上名列第 5。
RECOMMENDATIONS
使用会话 Cookie 的应用程序必须在每个表单发布中包含几条信息,以便后端代码可以用来验证请求的来源。为此,其中一种方法就是使用一个随机请求标识符或随机数,如下所示:
1 | RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user"); |
这样,后端逻辑可先验证请求标识符,然后再处理其他表单数据。如果可能,每个服务器请求的请求标识符都应该是唯一的,而不是在特定会话的各个请求之间共享。对于会话标识符而言,攻击者越难猜出请求标识符,则越难成功进行 CSRF 攻击。标记不应能够轻松猜出,它应以保护会话标记相同的方法得到保护,例如使用 SSLv3。
其他缓解技术还包括:
框架保护:大多数现代化的 Web 应用框架都嵌入了 CSRF 保护,它们将自动包含并验证 CSRF 标记。
使用质询-响应控制:强制客户响应由服务器发送的质询是应对 CSRF 的强有力防御方法。可以用于此目的的一些质询如下:CAPTCHA、密码重新验证和一次性标记。
检查 HTTP Referer/原始标题:攻击者在执行 CSRF 攻击时无法冒仿这些标题。这使这些标题可以用于预防 CSRF 攻击。
再次提交会话 Cookie:除了实际的会话 ID Cookie 外,将会话 ID Cookie 作为隐藏表单值发送是预防 CSRF 攻击的有效防护方法。服务器在处理其余表单数据之前,会先检查这些值,以确保它们完全相同。如果攻击者代表用户提交表单,他将无法根据同源策略修改会话 ID Cookie 值。
限制会话的有效期:当通过 CSRF 攻击访问受保护的资源时,只有当作为攻击一部分发送的会话 ID 在服务器上仍然有效时,攻击才会生效。限制会话的有效期将降低攻击成功的可能性。
这里所描述的技术可以使用 XSS 攻击破解。有效的 CSRF 缓解包括 XSS 缓解技术。
REFERENCES
[1] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[2] OWASP 2007 OWASP Top 10
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[6] Standards Mapping - General Data Protection Regulation Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management, 4.2.2 Operation Level Access Control, 13.2.3 RESTful Web Service Verification Requirements
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[11] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[12] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[22] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
Cross-Site Scripting: Untrusted HTML Downloads
ABSTRACT
禁用要设置为 noopen 的 X-Download-Options 标头后,下载的 HTML 页面可以在提供这些页面的站点的安全上下文中运行。
EXPLANATION
当站点需要能够为用户提供下载时,打开下载文件的选项意味着,所提供的在浏览器中运行的任何文件均可以在与站点位于相同安全上下文的当前浏览器中打开。
如果攻击者能够操纵下载的文件,则他们可以插入在浏览器中运行的 HTML 或脚本作为跨站脚本攻击,从而窃取或操纵当前会话中的信息。
示例 1:以下示例明确禁用了对运行于浏览器中的提供的下载的保护:
1 | var express = require('express'); |
RECOMMENDATIONS
向用户提供可能不受信任的文件,尤其是可在浏览器中运行的文件时,如果可能,站点不应允许立即打开文件。Internet Explorer 为该调用的 X-Download-Options 引入了一个标头,该标头需要设置为 noopen,以防止用户下载并立即打开文件,这样会导致文件在与站点相同的安全上下文中运行。
示例 2:以下示例将 X-Download-Options 标头设置为 noopen:
1 | var express = require('express'); |
设置此标头后,Internet Explorer 用户需要在本地保存文件,然后再将其打开,这意味着该文件不会再在与提供待下载文件的站点相同的安全上下文中运行。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[10] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[11] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[12] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[13] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[23] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[24] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
HTML5: Easy-to-Guess Database Name
ABSTRACT
容易猜测的 Web SQL 数据库名称可导致未经授权的人窃取数据和破坏数据库。
EXPLANATION
HTML5 的一项功能是在客户端 SQL 数据库存储数据。数据库名称是开始写入数据库或从数据库读取所需的重要信息。因此,数据库名称必须是每位用户特有的唯一字符串。如果数据库名称很容易被猜出,未经授权的人(例如其他用户)可能会窃取敏感数据或损坏数据库条目。
示例:以下代码使用了容易被猜出的数据库名称:
1 | ... |
该代码可成功运行,但是任何猜出数据库名称为 ‘mydb’ 的人都能够访问它。
RECOMMENDATIONS
不要使用容易被猜出的数据库名称。理想情况下,应该使用随机字符串生成器来创建数据库名称并将其存储在服务器上。只有经过授权的用户登录时,才能检索该名称并将其添加到客户端脚本上。然而,这种方法可能不适用于脱机访问。相反,用户可选择脱机密码并将其与用户名一起作为数据库名称使用。
REFERENCES
[1] HTML5 Security Cheatsheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 330
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[6] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M5 Poor Authorization and Authentication
[7] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[8] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[9] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[10] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[20] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[28] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Predictable Resource Location (WASC-34)
HTML5: Overly Permissive Message Posting Policy
ABSTRACT
程序发布了目标源过于宽松的跨文档消息。
EXPLANATION
HTML5 的一项新功能是跨文档消息传递。该功能允许脚本将消息发布到其他窗口。用户利用相应的 API 可指定目标窗口的源。不过,指定目标源时应小心谨慎,因为如果目标源过于宽松,恶意脚本就能趁机采用不当方式与受害者窗口进行通信,从而导致发生欺骗、数据被盗、转发及其他攻击。
示例 1:以下示例会使用通配符以编程方式指定要发送的消息的目标源。
1 | o.contentWindow.postMessage(message, '*'); |
使用*作为目标源的值表示无论来源如何,脚本都会将信息发送到窗口。
RECOMMENDATIONS
请不要将 * 作为目标源的值。相反,请提供一个特定的目标源。
示例 2:以下代码会为目标源提供一个特定值。
1 | o.contentWindow.postMessage(message, 'www.trusted.com'); |
REFERENCES
[1] Michael Schmidt HTML5 Web Security
[2] Philippe De Ryck, Lieven Desmet, Pieter Philippaerts, and Frank Piessens A Security Analysis of Next Generation Web Standards
[3] Standards Mapping - Common Weakness Enumeration CWE ID 942
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[5] Standards Mapping - General Data Protection Regulation Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.4.6 HTTP Security Headers Requirements, 14.5.3 Validate HTTP Request Header Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
JavaScript Hijacking
ABSTRACT
使用 JavaScript 符号来传送敏感数据的应用程序可能会存在 JavaScript hijacking 的漏洞,该漏洞允许未经授权的攻击者从一个易受攻击的应用程序中读取机密数据。
EXPLANATION
如果发生以下情况,应用程序可能会很容易受到 JavaScript 劫持的攻击:1) 将 JavaScript 对象用作数据传输格式 2) 处理机密数据。由于 JavaScript 劫持漏洞不会作为编码错误的直接结果出现,所以 Fortify 安全编码规则包会通过识别在 HTTP 响应中产生的 JavaScript 代码,引起人们对潜在的 JavaScript 劫持漏洞的注意。
Web 浏览器执行同源策略 (Same Origin Policy),以保护用户免受恶意网站的攻击。同源策略 (Same Origin Policy) 规定:如果要使用 JavaScript 来访问某个网页的内容的话,则 JavaScript 和网页必须都来源于相同的域。若不采取同源策略 (Same Origin Policy),恶意网站便可以使用客户端凭证来运行 JavaScript,从其他网站加载的敏感信息,并对这些信息进行提炼,然后将其返回给攻击者。通过 JavaScript 劫持,攻击者可以绕过 Web 应用程序中使用的同源策略 (Same Origin Policy),该应用程序使用 JavaScript 来交流机密信息。同源策略 (Same Origin Policy) 中的漏洞是:通过这一策略,任何网站的 JavaScript 都可以被其他网站的上下文包含或执行。即使恶意网站不能直接在客户端上检查易受攻击的站点中加载的所有数据,但它仍可以通过配置一个特定的环境利用该漏洞。有了这样的环境,恶意网站就可以监视 JavaScript 的执行过程和任何可能发生的相关负面效应。由于许多 Web 2.0 应用程序使用 JavaScript 作为数据传输机制,因此,与传统的 Web 应用程序不同,它们往往很容易受到各种攻击。
JavaScript 中最常见的信息传输格式为 JavaScript Object Notation (JSON)。JSON RFC 将 JSON 语法定义为 JavaScript 类实例文本化定义语法 (object literal syntax)的子集。JSON 基于两种数据结构类型:阵列和对象。所有可以作为一个或多个有效 JavaScript 语句进行解析的数据传送格式都容易受到 JavaScript 劫持的攻击。JSON 使 JavaScript 劫持变得更加容易,因为 JSON 数组坚持认为它自己就是有效的 JavaScript 指令。因为数组是交换列表的一种正常形式,在应用程序需要交换多个值时会普遍使用该形式。换句话说,一个 JSON 数组会直接受到 JavaScript 劫持的攻击。一个 JSON 对象只在其被一些其他 JavaScript 结构包围时才会受到攻击,这些 JavaScript 结构坚持认为它们自己就是有效的 JavaScript 指令。
示例 1:在以下示例中,开头显示了一个在 Web 应用程序的客户端和服务器组件之间进行的合法 JSON 交互,这一 Web 应用程序用于管理潜在商机。接下来,它说明了攻击者如何模仿客户端获取服务器端返回的机密信息。注意,本例子是专为基于 Mozilla 的浏览器而编写的代码。若在创建对象时,没有使用 new 运算符,则其他主流浏览器会禁止重载默认构造函数。
客户端向服务器请求数据,并通过以下代码评估 JSON 结果:
1 | var object; |
当此代码运行时,它会生成一个如下所示的 HTTP 请求:
1 | GET /object.json HTTP/1.1 |
(在本 HTTP 响应和随后的响应中,我们省略了与该解释没有直接关系的 HTTP 头信息。)
服务器使用 JSON 格式的数组进行响应:
1 | HTTP/1.1 200 OK |
这种情况下,JSON 中包含了与当前用户相关的机密信息(一组潜在商机数据)。其他用户如果不知道该用户的会话标识符,便无法访问这些信息。(在大多数现代 Web 应用程序中,会话标识符存储在 cookie 中。)然而,如果受害者访问某个恶意网站,恶意网站就可以使用 JavaScript 劫持提取信息。如果受害者受到欺骗后,访问包含以下恶意代码的网页,受害者的重要信息就会被发送到攻击者的网站中。
1 | <script> |
恶意代码使用脚本标签以在当前页面包含 JSON 对象。Web 浏览器将使用该请求发送相应的会话 cookie。换言之,处理此请求时将认为其源自合法应用程序。
当 JSON 阵列到达客户端时,将在恶意页面的上下文中对其进行评估。为了看清 JSON 的评估,恶意页面重新定义了用于创建新对象的 JavaScript 功能。通过此方法,恶意代码已插入一个钩子,该钩子允许其访问每个对象的创建并将对象的内容传递回恶意网站。与之相反,其他攻击可能会覆盖阵列默认的构造函数。为在混合应用中使用而建的应用程序有时会在每一 JavaScript 消息的末端调用回调功能。回调功能意味着将由混合应用中的其他应用程序定义。回调功能使 JavaScript 挟持攻击变得容易 – 攻击者要做的就是定义该功能。应用程序可以是混合应用 - 友好型或安全型,但不可能两者兼备。如果用户未登录到易受攻击的网站,攻击者可以要求用户登录,然后显示该应用程序的合法登录页面。
这不是钓鱼攻击 – 攻击者未获得用户凭证的访问权限 – 因此反钓鱼对策将无法打败攻击。更复杂的攻击可能会通过使用 JavaScript 动态生成脚本标签,向应用程序作出一系列请求。此相同技术有时会用于创建应用程序混合应用。唯一的不同是,在此混合应用情况中,涉及的应用程序之一是恶意的。
RECOMMENDATIONS
所有使用 JavaScript 进行交流的程序需要采取以下防范措施:1) 拒绝恶意请求:— 在每个返回给 JavaScript 的请求中使用一些令人难以猜测的标识符,如会话标识符。允许服务器验证请求的来源可以防范跨站点请求的伪装攻击。2) 避免直接执行 JavaScript 响应:包括某些响应中的字符,这些响应只有经过了修改,才能成功地转到 JavaScript 解释器进行处理。这样可以防止攻击者使用<script> 标签看清 JavaScript 的执行过程。防范 JavaScript 劫持的最佳方法是同时采取上述两种防范策略。
拒绝恶意请求
从服务器的角度来看,JavaScript 劫持攻击类似于跨站点伪装请求,因此,防止跨站点伪装请求也就可以防止 JavaScript 劫持攻击。为了便于探测各种恶意请求,每个请求均应包含攻击者难以猜测的参数。一种方法是将会话 cookie 作为参数添加到请求中。服务器接收到这样一个请求时,它可以检查并确定会话 cookie 是否与请求中的参数值匹配。恶意代码无法取得会话 cookie(cookie 也需要遵循同源策略 (Same Origin Policy)),因此,攻击者即使制造了请求,也很难再通过检验了。也可以使用其他机密信息代替会话 cookie;只要这个机密信息难以猜测,可以在合法应用程序能够访问的上下文中使用,同时又无法通过其他的域进行访问,就可以防止攻击者制造有效的请求。
有一些框架仅能运行在客户端上。换言之,它们完全由 JavaScript 编写而成,对服务器的工作情况一无所知。这意味着它们并不知道会话 cookie 的名称。即使并不清楚会话 cookie 的名称,它们也能参与基于 cookie 的防范,途径就是将所有的 cookie 附加到发送给服务器的各个请求中。
示例 2:以下 JavaScript 片段描述了这种“盲客户端”策略:
1 | var httpRequest = new XMLHttpRequest(); |
服务器也可以检查 HTTP referer 头信息,以确保请求来自于合法的应用程序,而不是恶意的应用程序。从历史上看,referer 头信息一直都未受到过信任,因此,我们并不建议您将它作为安全机制的基础。您可以为服务器装入一种针对 JavaScript hijacking 的防范方法,即让服务器只对 HTTP POST 请求做出响应,而不回应任何 HTTP GET 请求。这是一项防御技术,原因是 <script> 标签通常使用 GET 方法从外部资源文件中加载 JavaScript。然而,这种防范措施并非尽善尽美。Web 应用程序的专家一致鼓励采用 GET 方法提高性能。如果在 HTTP 方法的选择上缺乏安全方面的考虑,这意味着未来的某一时刻,程序员可能会误认为这种功能上的不足是疏忽所致,而没有将它作为一种安全预警加以认识,进而修改了应用程序以响应 GET 请求。
防止直接执行响应
为了使恶意站点无法执行包含 JavaScript 的响应,合法的客户端应用程序可以利用允许执行前对接收的数据进行修改这一权限,而恶意的应用程序则只能使用 <script>标签执行响应。当服务器序列化某个对象时,该对象应包括一个前缀(也可以是后缀),从而使它无法通过 <script> 标签执行 JavaScript。合法的客户端应用程序可以在运行 JavaScript 前删除这些无关的数据。
例 3:该方法可以通过多种方式来实现。以下例子演示了两种方式。第一种,服务器可以把以下指令作为消息的前缀:
while(1);
除非客户端删除此前缀,否则对此消息求值会将 JavaScript 解释器置于一个无限循环中。客户端会搜索并删除如下前缀:
1 | var object; |
第二种,服务器可以在 JavaScript 附近加注注释字符,这些注释字符必须在 JavaScript 被送往 eval() 函数前删除。以下 JSON 对象已加入了一块注释:
1 | /* |
任何通过<script> 标签来提取敏感 JavaScript 的恶意站点都将无法获取其中所包含的数据。
自第 5 版 EcmaScript 起,已不可能攻击 JavaScript 数组构造函数。
REFERENCES
[1] B. Chess, Y. O’Neil, and J. West JavaScript Hijacking
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[3] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management, 5.3.6 Output Encoding and Injection Prevention Requirements, 14.5.2 Validate HTTP Request Header Requirements, 14.5.3 Validate HTTP Request Header Requirements
[6] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M4 Unintended Data Leakage
[7] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[17] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[18] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
JavaScript Hijacking: Vulnerable Framework
ABSTRACT
使用 JavaScript 符号来传送敏感数据的应用程序可能会存在 JavaScript hijacking 的漏洞,该漏洞允许未经授权的攻击者从一个易受攻击的应用程序中读取机密数据。
EXPLANATION
如果发生以下情况,应用程序可能会很容易受到 JavaScript 劫持的攻击:1) 将 JavaScript 对象用作数据传输格式 2) 处理机密数据。由于 JavaScript 劫持漏洞不会作为编码错误的直接结果出现,所以 Fortify 安全编码规则包会通过识别在 HTTP 响应中产生的 JavaScript 代码,引起人们对潜在的 JavaScript 劫持漏洞的注意。
Web 浏览器执行同源策略 (Same Origin Policy),以保护用户免受恶意网站的攻击。同源策略 (Same Origin Policy) 规定:如果要使用 JavaScript 来访问某个网页的内容的话,则 JavaScript 和网页必须都来源于相同的域。若不采取同源策略 (Same Origin Policy),恶意网站便可以使用客户端凭证来运行 JavaScript,从其他网站加载的敏感信息,并对这些信息进行提炼,然后将其返回给攻击者。通过 JavaScript 劫持,攻击者可以绕过 Web 应用程序中使用的同源策略 (Same Origin Policy),该应用程序使用 JavaScript 来交流机密信息。同源策略 (Same Origin Policy) 中的漏洞是:通过这一策略,任何网站的 JavaScript 都可以被其他网站的上下文包含或执行。即使恶意网站不能直接在客户端上检查易受攻击的站点中加载的所有数据,但它仍可以通过配置一个特定的环境利用该漏洞。有了这样的环境,恶意网站就可以监视 JavaScript 的执行过程和任何可能发生的相关负面效应。由于许多 Web 2.0 应用程序使用 JavaScript 作为数据传输机制,因此,与传统的 Web 应用程序不同,它们往往很容易受到各种攻击。
JavaScript 中最常见的信息传输格式为 JavaScript Object Notation (JSON)。JSON RFC 将 JSON 语法定义为 JavaScript 类实例文本化定义语法 (object literal syntax)的子集。JSON 基于两种数据结构类型:阵列和对象。所有可以作为一个或多个有效 JavaScript 语句进行解析的数据传送格式都容易受到 JavaScript 劫持的攻击。JSON 使 JavaScript 劫持变得更加容易,因为 JSON 数组坚持认为它自己就是有效的 JavaScript 指令。因为数组是交换列表的一种正常形式,在应用程序需要交换多个值时会普遍使用该形式。换句话说,一个 JSON 数组会直接受到 JavaScript 劫持的攻击。一个 JSON 对象只在其被一些其他 JavaScript 结构包围时才会受到攻击,这些 JavaScript 结构坚持认为它们自己就是有效的 JavaScript 指令。
示例 1:在以下示例中,开头显示了一个在 Web 应用程序的客户端和服务器组件之间进行的合法 JSON 交互,这一 Web 应用程序用于管理潜在商机。接下来,它说明了攻击者如何模仿客户端获取服务器端返回的机密信息。注意,本例子是专为基于 Mozilla 的浏览器而编写的代码。若在创建对象时,没有使用 new 运算符,则其他主流浏览器会禁止重载默认构造函数。
客户端向服务器请求数据,并通过以下代码评估 JSON 结果:
1 | var object; |
当此代码运行时,它会生成一个如下所示的 HTTP 请求:
1 | GET /object.json HTTP/1.1 |
(在本 HTTP 响应和随后的响应中,我们省略了与该解释没有直接关系的 HTTP 头信息。)
服务器使用 JSON 格式的数组进行响应:
1 | HTTP/1.1 200 OK |
这种情况下,JSON 中包含了与当前用户相关的机密信息(一组潜在商机数据)。其他用户如果不知道该用户的会话标识符,便无法访问这些信息。(在大多数现代 Web 应用程序中,会话标识符存储在 cookie 中。)然而,如果受害者访问某个恶意网站,恶意网站就可以使用 JavaScript 劫持提取信息。如果受害者受到欺骗后,访问包含以下恶意代码的网页,受害者的重要信息就会被发送到攻击者的网站中。
1 | <script> |
恶意代码使用脚本标签以在当前页面包含 JSON 对象。Web 浏览器将使用该请求发送相应的会话 cookie。换言之,处理此请求时将认为其源自合法应用程序。
当 JSON 阵列到达客户端时,将在恶意页面的上下文中对其进行评估。为了看清 JSON 的评估,恶意页面重新定义了用于创建新对象的 JavaScript 功能。通过此方法,恶意代码已插入一个钩子,该钩子允许其访问每个对象的创建并将对象的内容传递回恶意网站。与之相反,其他攻击可能会覆盖阵列默认的构造函数。为在混合应用中使用而建的应用程序有时会在每一 JavaScript 消息的末端调用回调功能。回调功能意味着将由混合应用中的其他应用程序定义。回调功能使 JavaScript 挟持攻击变得容易 – 攻击者要做的就是定义该功能。应用程序可以是混合应用 - 友好型或安全型,但不可能两者兼备。如果用户未登录到易受攻击的网站,攻击者可以要求用户登录,然后显示该应用程序的合法登录页面。
这不是钓鱼攻击 – 攻击者未获得用户凭证的访问权限 – 因此反钓鱼对策将无法打败攻击。更复杂的攻击可能会通过使用 JavaScript 动态生成脚本标签,向应用程序作出一系列请求。此相同技术有时会用于创建应用程序混合应用。唯一的不同是,在此混合应用情况中,涉及的应用程序之一是恶意的。
RECOMMENDATIONS
所有使用 JavaScript 进行通信的程序都应采取以下防范措施:1) 拒绝恶意请求:在每个返回给 JavaScript 的请求中都加入令人难以猜测的标识符,如会话标识符。允许服务器验证请求的来源可以防范跨站点请求的伪装攻击。2) 避免直接执行 JavaScript 响应:在响应中加入一些字符,使其只有经过修改,才能成功地转到 JavaScript 解释器进行处理。这样可以防止攻击者使用 <script>标签看清 JavaScript 的执行过程。防范 JavaScript 劫持的最佳方法是同时采取上述两种防范策略。
拒绝恶意请求
从服务器的角度来看,JavaScript 劫持攻击类似于跨站点伪装请求,因此,防止跨站点伪装请求也就可以防止 JavaScript 劫持攻击。为了便于探测各种恶意请求,每个请求均应包含攻击者难以猜测的参数。一种方法是将会话 cookie 作为参数添加到请求中。服务器接收到这样一个请求时,它可以检查并确定会话 cookie 是否与请求中的参数值匹配。恶意代码无法取得会话 cookie(cookie 也需要遵循同源策略 (Same Origin Policy)),因此,攻击者即使制造了请求,也很难再通过检验了。也可以使用其他机密信息代替会话 cookie;只要这个机密信息难以猜测,可以在合法应用程序能够访问的上下文中使用,同时又无法通过其他的域进行访问,就可以防止攻击者制造有效的请求。
有一些框架仅能运行在客户端上。换言之,它们完全由 JavaScript 编写而成,对服务器的工作情况一无所知。这意味着它们并不知道会话 cookie 的名称。即使并不清楚会话 cookie 的名称,它们也能参与基于 cookie 的防范,途径就是将所有的 cookie 附加到发送给服务器的各个请求中。
示例 2:以下 JavaScript 片段描述了这种“盲客户端”策略:
var httpRequest = new XMLHttpRequest();
…
var cookies=”cookies=”+escape(document.cookie);
http_request.open(‘POST’, url, true);
httpRequest.send(cookies);
服务器也可以检查 HTTPreferer头信息,以确保请求来自于合法的应用程序,而不是恶意的应用程序。从历史上看,referer头信息一直都未受到过信任,因此,我们并不建议您将它作为安全机制的基础。您可以为服务器装入一种针对 JavaScript hijacking 的防范方法,即让服务器只对 HTTP POST 请求做出响应,而不回应任何 HTTP GET 请求。这是一项防御技术,原因是<script>标签通常使用 GET 方法从外部资源文件中加载 JavaScript。然而,这种防范措施并非尽善尽美。Web 应用程序的专家一致鼓励采用 GET 方法提高性能。如果在 HTTP 方法的选择上缺乏安全方面的考虑,这意味着未来的某一时刻,程序员可能会误认为这种功能上的不足是疏忽所致,而没有将它作为一种安全预警加以认识,进而修改了应用程序以响应 GET 请求。
防止直接执行响应
为了使恶意站点无法执行包含 JavaScript 的响应,合法的客户端应用程序可以利用允许执行前对接收的数据进行修改这一权限,而恶意的应用程序则只能使用<script>标签执行响应。当服务器序列化某个对象时,该对象应包括一个前缀(也可以是后缀),从而使它无法通过<script>标签执行 JavaScript。合法的客户端应用程序可以在运行 JavaScript 前删除这些无关的数据。
示例 3:该方法可以通过多种方式来实现。以下例子演示了两种方式。第一种,服务器可以把以下指令作为消息的前缀:
while(1);
除非客户端删除此前缀,否则对此消息求值会将 JavaScript 解释器置于一个无限循环中。客户端会搜索并删除如下前缀:
1 | var object; |
第二种,服务器可以在 JavaScript 附近加注注释字符,这些注释字符必须在 JavaScript 被送往eval()函数前删除。以下 JSON 对象已加入了一块注释:
1 | /* |
客户端可以搜索并删除如下注释字符:
1 | var object; |
任何通过<script>标签来提取敏感 JavaScript 的恶意站点都将无法获取其中所包含的数据。
自第 5 版 EcmaScript 起,已不可能攻击 JavaScript 数组构造函数。
REFERENCES
[1] B. Chess, Y. O’Neil, and J. West JavaScript Hijacking
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[3] Standards Mapping - General Data Protection Regulation Access Violation
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[5] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M4 Unintended Data Leakage
[6] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[16] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[17] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Poor Logging Practice: Use of a System Output Stream
ABSTRACT
使用 process.stdout 或 process.stderr 而不是专门的日志记录工具,会导致难以监控程序的运行状况。
EXPLANATION
示例 1:早期的 Node.js 开发人员可能会为了从 stdin 读取程序然后再将其写回 stdout 而编写的简单程序如下所示:
1 | process.stdin.on('readable', function(){ |
虽然大多数程序员继续学习,尤其是关于 JavaScript 和 Node.js 的细微之处,但很多程序员仍依赖于这一基础知识,始终使用 process.stdout.write() 编写标准输出的消息。
这里的问题是,直接在标准输出流或标准错误流中写入信息通常会作为一种非结构化日志记录形式使用。结构化日志记录系统提供了各种要素,如日志级别、统一的格式、日志标示符、次数统计,而且,可能最重要的是,将日志信息指向正确位置的功能。当系统输出流的使用与正确使用日志记录功能的代码混合在一起时,得出的结果往往是一个保存良好但缺少重要信息的日志。
开发者普遍认为需要使用结构化日志记录,但是很多人在“产前”的软件开发中仍使用系统输出流功能。如果您正在检查的代码是在开发阶段的初期生成的,那么对 process.stdout 或 process.stderr 的使用可能会在转向结构化日志记录系统的过程中导致漏洞。
RECOMMENDATIONS
使用 Node.js 日志记录工具,而不使用 process.stdout 或 process.stderr。
示例 2:例如,应用程序可以按照以下方式重写:
1 | process.stdin.on('readable', function(){ |
这并不理想,因为它仍然只是基础信息,并不包含时间戳、进程 ID 或任何其他信息,而且会将用户控制的数据插入日志。使用诸如 “Winston” 或 “Bunyan” 之类的第三方库来进行日志记录是最佳方式,但如果您的特定情况只需要时间戳,则以下方法可能适用:
1 | log = function(msg){ |
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
[2] Standards Mapping - FIPS200 AU
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[4] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[5] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[14] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
System Information Leak
ABSTRACT
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
EXPLANATION
当系统数据或调试信息通过输出流或者日志功能流出程序时,就会发生信息泄漏。
示例 1:以下代码会将一个异常写入 AngularJS 中的浏览器控制台:
$log.log(exception);
根据异常的来源,这可能会向导致客户端出错的用户发送信息,或者可能向与服务器端信息相关的远程用户发送信息。
在某些情况下,该错误消息恰好可以告诉攻击者入侵这一系统的可能性究竟有多大。例如,一个数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他的错误消息可以揭示有关该系统的更多间接线索。
RECOMMENDATIONS
编写错误消息时,始终要牢记安全性。在编码的过程中,尽量避免使用繁复的消息,提倡使用简短的错误消息。限制生成与存储繁复的输出数据可帮助管理员和程序员诊断问题。调试踪迹有时可能出现在不明显的位置(例如,嵌入在错误页 HTML 的注释中)。
即便是并未揭示栈踪迹或数据库转储的简短错误消息,也有可能帮助攻击者发起攻击。例如,“Access Denied”(拒绝访问)消息可以揭示系统中存在一个文件或用户。因此,切勿将信息直接发送到程序外部的资源。
示例 2:以下代码会在从 AJAX 请求收到一个错误后写入一条通用消息。
1 | var errorCallback = function(response){ |
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements, 5.3.5 Output Encoding and Injection Prevention Requirements, 8.3.2 Sensitive Private Data, 8.3.4 Sensitive Private Data, 8.3.4 Sensitive Private Data, 14.3.1 Unintended Security Disclosure Requirements, 14.3.2 Unintended Security Disclosure Requirements, 14.3.3 Unintended Security Disclosure Requirements, 14.2.2 Dependency
[7] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
System Information Leak: External
ABSTRACT
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
EXPLANATION
当系统数据或调试信息通过套接字或网络连接使程序流向远程机器时,就会发生外部信息泄露。外部信息泄露会暴露有关操作系统、完整路径名、现有用户名或配置文件位置的特定数据,从而使攻击者有机可乘,它比内部信息(攻击者更难访问)泄露更严重。
示例 1:以下代码会在网页内文本区域中泄露异常信息:
1 | ... |
该信息可能会显示给远程用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。
RECOMMENDATIONS
编写错误消息时,始终要牢记安全性。在编码的过程中,尽量避免使用繁复的消息,提倡使用简短的错误消息。限制生成与存储繁复的输出数据可帮助管理员和程序员诊断问题。调试踪迹有时可能出现在不明显的位置(例如,嵌入在错误页 HTML 的注释中)。
即便是并未揭示栈踪迹或数据库转储的简短错误消息,也有可能帮助攻击者发起攻击。例如,“Access Denied”(拒绝访问)消息可以揭示系统中存在一个文件或用户。因此,切勿将信息直接发送到程序外部的资源。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 215, CWE ID 489, CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data, 14.3.2 Unintended Security Disclosure Requirements, 14.3.3 Unintended Security Disclosure Requirements, 14.2.2 Dependency
[7] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
System Information Leak: Internal
ABSTRACT
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
EXPLANATION
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。
示例 1:以下代码会将一个异常写入标准错误流:
1 | var http = require('http'); |
根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。
RECOMMENDATIONS
编写错误消息时,始终要牢记安全性。在编码的过程中,尽量避免使用繁复的消息,提倡使用简短的错误消息。限制生成与存储繁复的输出数据可帮助管理员和程序员诊断问题。调试踪迹有时可能出现在不明显的位置(例如,嵌入在错误页 HTML 的注释中)。
即便是并未揭示栈踪迹或数据库转储的简短错误消息,也有可能帮助攻击者发起攻击。例如,“Access Denied”(拒绝访问)消息可以揭示系统中存在一个文件或用户。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data, 8.3.4 Sensitive Private Data, 8.3.4 Sensitive Private Data, 14.3.3 Unintended Security Disclosure Requirements
[7] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Trust Boundary Violation
ABSTRACT
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
EXPLANATION
信任边界可以理解为在程序中划分的分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。
当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。
示例:以下代码将一个不可信的项目 (URL) 从 iOS 扩展 JavaScript 脚本传递到 iOS 扩展代码。
1 | var GetURL = function() {}; |
若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
RECOMMENDATIONS
在应用程序中定义信任边界。不要在数据结构中储存在某些环境下受信任而在其他环境下又转而不可信赖的数据。应尽量减少数据跨越信任边界的方式。
在处理输入之前,需要通过一系列用户交互来累积输入时,有时就会出现 Trust Boundary Violation 漏洞。所以,在得出所有数据之前,不可能进行完整的输入验证。在这种情况下,维护信任边界仍然是非常重要的。应将不可信赖的数据添加到一个不受信任数据结构中,待验证后,再移至可信赖的区域。
REFERENCES
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[2] FUNDAMENTALS-4: Establish trust boundaries Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
环境配置
HTML5: MIME Sniffing
ABSTRACT
Node.js 应用程序不会将 X-Content-Type-Options 设置为 nosniff,也不会明确禁用此安全标头。
EXPLANATION
MIME 探查是检查字节流内容以尝试推断其中数据格式的一种做法。
如果没有明确禁用 MIME 探查,则有些浏览器会被操控以非预期方式解析数据,从而导致跨站点脚本攻击风险。
对于可能包含用户可控制内容的每个页面,您应该使用 HTTP 标头 X-Content-Type-Options: nosniff。
RECOMMENDATIONS
为了确保应用程序不易遭受 MIME 探查攻击,程序员可以:
为所有页面全局设置 HTTP 标头 X-Content-Type-Options: nosniff,例如,使用 Express 与 Helmet 中间件。
仅对可能包含用户可控制内容的那些页面设置需要的标头。
为了全局设置 HTTP 标头,在与 Express 应用程序一起使用时,Helmet 中间件将默认进行此设置。
1 | var express = require('express'); |
或者,可以使用Express应用程序中不同路由器的不同设置,以类似方式在单独的页面上进行此设置。
1 | var express = require('express'); |
此标头对于防止某些攻击类至关重要,不应删除此标头或将其设置为任何其他值。
REFERENCES
[1] Node.js Security Checklist
[2] OWASP OWASP List of useful HTTP headers
[3] Standards Mapping - Common Weakness Enumeration CWE ID 554
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements, 5.1.4 Input Validation Requirements, 14.1.3 Build
[10] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
Helmet Misconfiguration: Insecure XSS Filter
ABSTRACT
将所有 Internet Explorer 版本的 X-XSS-Protection 设置为 1; mode=block 会造成在旧版浏览器中产生跨站点脚本缺陷。
EXPLANATION
X-XSS-Protection 是 Microsoft 推出的 HTTP 标头,自推出以来,已被许多其他浏览器采用。该标头旨在帮助阻止 Cross-Site Scripting 攻击成功,但会无意中导致产生缺陷,使得安全的网站易受攻击[1]。由于这个原因,不应将该标头用于旧版 Internet Explorer,应将其设置为 0 以禁用。
示例 1:以下示例在 Express 应用程序中错误地配置 Helmet 中间件,从而为所有 Internet Explorer 版本启用此标头:
1 | var express = require('express'); |
RECOMMENDATIONS
对于最近版本的浏览器,应将 X-XSS-Protection 设置为 1; mode=block,但对于旧版 Internet Explorer(8 及以下),由于它们容易受到攻击,应将此标头设置为 0。
使用 Helmet 中间件时,默认设置是安全的,因此应使用默认设置。绝对不应对所有 Internet Explorer 版本明确启用这种保护。
示例 2:以下内容会修复Example 1 中显示的错误配置:
1 | var express = require('express'); |
REFERENCES
[1] Eduardo Vela Nava, David Lindsay Abusing Internet Explorer 8’s XSS Filters
[2] Standards Mapping - Common Weakness Enumeration CWE ID 554
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements, 5.1.4 Input Validation Requirements, 14.1.3 Build
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
输入验证与展示问题
Client-Side Template Injection
ABSTRACT
用户控制的数据用作模板引擎的模板,使得攻击者能够访问模板上下文,并在某些情况下在浏览器中注入和运行恶意代码。
EXPLANATION
模板引擎用于使用动态数据呈现内容。此上下文数据通常由用户控制并通过模板设置格式,以生成 Web 页面、电子邮件等。模板引擎可通过条件、循环等代码构造处理上下文数据,从而允许在模板中使用功能强大的语言表达式来呈现动态内容。如果攻击者能够控制要呈现的模板,他们将能够通过注入表达式来公开上下文数据并在浏览器中运行恶意代码。
示例 1:以下示例显示了如何通过 URL 检索模板并使用模板在 AngularJS 中呈现信息。
1 | function MyController(function($stateParams, $interpolate){ |
在这种情况下,$stateParams.expression将采用可能受用户控制的数据,并将其作为用于指定上下文的模板进行计算。这又可能会允许恶意用户在浏览器中运行他们想要的代码、检索关于代码运行的上下文的信息、查找有关如何创建应用程序的额外信息,或将此代码转换为 full blown XSS 攻击。
RECOMMENDATIONS
尽可能不要让用户提供模板。如果需要由用户提供模板,请谨慎执行输入验证,以防止在模板中注入恶意代码。
不要依赖在 AngularJS 1 中实施的沙盒来阻止漏洞。已经证明沙盒无法完全有效地在所有版本的 AngularJS 中防止 XSS 和应用程序控制,因为这并不是预期的安全功能,而且已从版本 1.6.[1] 中移除。
REFERENCES
[1] AngularJS Security Guide Google
[2] Standards Mapping - Common Weakness Enumeration CWE ID 95
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements, 5.2.5 Sanitization and Sandboxing Requirements, 5.2.8 Sanitization and Sandboxing Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2010 A1 Injection
[13] Standards Mapping - OWASP Top 10 2013 A1 Injection
[14] Standards Mapping - OWASP Top 10 2017 A1 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Command Injection
ABSTRACT
执行不可信赖资源中的命令,或在不可信赖的环境中执行命令,都会导致程序以攻击者的名义执行恶意命令。
EXPLANATION
Command Injection 漏洞主要表现为以下两种形式:
- 攻击者能够篡改程序执行的命令:攻击者直接控制了所执行的命令。
- 攻击者能够篡改命令的执行环境:攻击者间接地控制了所执行的命令。
在这种情况下,我们着重关注第一种情况,即攻击者有可能控制所执行命令。这种类型的 Command Injection 漏洞会在以下情况下出现:
数据从不可信赖的数据源进入应用程序。
数据被用作代表应用程序所执行命令的字符串,或字符串的一部分。
通过命令的执行,应用程序会授予攻击者一种原本不该拥有的特权或能力。
示例 1:以下来自系统实用程序的代码根据环境变量 APPHOME 来决定其安装目录,然后根据指定目录的相对路径来执行初始化脚本。
1 | var cp = require('child_process'); |
Example 1 中的代码可以使攻击者通过修改系统属性 APPHOME 以指向包含恶意版本 INITCMD 的其他路径来提高自己在应用程序中的权限,继而随心所欲地执行命令。由于程序不会验证从环境中读取的值,因此如果攻击者能够控制系统属性 APPHOME 的值,他们就能欺骗应用程序去运行恶意代码,从而取得系统控制权。
示例 2:下面的代码来自一个管理 Web 应用程序,旨在使用户能够使用一个围绕 rman 实用程序的批处理文件封装器来启动 Oracle 数据库备份。脚本 rmanDB.bat 接受单个命令行参数,该参数指定了要执行的备份类型。由于访问数据库受限,所以应用程序执行备份需要具有较高权限的用户。
1 | var cp = require('child_process'); |
这里的问题是:程序除了验证读取自用户的 backuptype参数是否存在之外,没有对其进行任何验证。在调用该 shell 之后,就可能允许执行多个命令,并且由于该应用程序的特性,该应用程序将会使用与数据库进行交互的必要权限来运行,这就意味着攻击者注入的任何命令都会通过这些权限来运行。
示例 3:下面的代码来自一个 Web 应用程序,用户可通过该应用程序提供的界面在系统上更新他们的密码。在某些网络环境中更新密码时,其中的一个步骤就是在 /var/yp 目录中运行 make 命令。
1 | ... |
这里的问题在于,程序没有指定 make 的绝对路径,因此没能在执行 child_process.exec() 调用前清理其环境。如果攻击者能够修改 $PATH 变量,把它指向名为 make 恶意二进制代码,程序就会在其指定的环境下执行,然后加载该恶意二进制代码,而非原本期望的代码。由于应用程序自身的特性,运行该应用程序需要具备执行系统操作所需的权限,这意味着攻击者会利用这些权限执行自己的 make,从而可能导致攻击者完全控制系统。
RECOMMENDATIONS
应当禁止用户直接控制由程序执行的命令。在用户的输入会影响命令执行的情况下,应将用户输入限制为从预定的安全命令集合中进行选择。如果输入中出现了恶意的内容,传递到命令执行函数的值将默认从安全命令集合中选择,或者程序将拒绝执行任何命令。
在需要将用户的输入用作程序命令中的参数时,由于合法的参数集合实在很大,或是难以跟踪,使得这个方法通常都不切实际。开发人员通常的做法是使用黑名单。在输入之前,黑名单会有选择地拒绝或避免潜在的危险字符。但是,任何一个定义不安全内容的列表都很可能是不完整的,并且会严重地依赖于执行命令的环境。更好的方法是创建一份白名单,允许其中的字符出现在输入中,并且只接受完全由这些经认可的字符组成的输入。
攻击者可以通过修改程序运行命令的环境来间接控制这些命令的执行。我们不应当完全信赖环境,还需采取预防措施,防止攻击者利用某些控制环境的手段进行攻击。无论何时,只要有可能,都应由应用程序来控制命令,并使用绝对路径执行命令。如果编译时尚不了解路径(如在跨平台应用程序中),应该在执行过程中利用可信赖的值构建一个绝对路径。应对照一系列定义有效值的常量,仔细地检查从配置文件或者环境中读取的命令值和路径。
有时还可以执行其他检验,以检查这些来源是否已被恶意篡改。例如,如果一个配置文件为可写,程序可能会拒绝运行。如果能够预先得知有关要执行的二进制代码的信息,程序就会进行检测,以检验这个二进制代码的合法性。如果一个二进制代码始终属于某个特定的用户,或者被指定了一组特定的访问权限,这些属性就会在执行二进制代码前通过程序进行检验。
尽管可能无法完全阻止强大的攻击者为了控制程序执行的命令而对系统进行的攻击,但只要程序执行外部命令,就务必使用最小授权原则:不给予超过执行该命令所必需的权限。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 77, CWE ID 78
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [11] CWE ID 078
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[6] Standards Mapping - MISRA C 2012 Rule 1.3
[7] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements, 5.2.3 Sanitization and Sandboxing Requirements, 5.2.5 Sanitization and Sandboxing Requirements, 5.2.8 Sanitization and Sandboxing Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements, 5.3.8 Output Encoding and Injection Prevention Requirements, 10.3.2 Deployed Application Integrity Controls, 12.3.2 File Execution Requirements, 12.3.5 File Execution Requirements
[10] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[11] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2010 A1 Injection
[14] Standards Mapping - OWASP Top 10 2013 A1 Injection
[15] Standards Mapping - OWASP Top 10 2017 A1 Injection
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 078
[25] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 078
[26] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 078
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002510 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
[45] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
Cross-Site Scripting: DOM
ABSTRACT
向一个 Web 浏览器发送未经验证的数据会导致该浏览器执行恶意代码。
EXPLANATION
Cross-Site Scripting (XSS) 漏洞在以下情况下发生:
数据通过一个不可信赖的数据源进入 Web 应用程序。对于基于 DOM 的 XSS,将从 URL 参数或浏览器中的其他值读取数据,并使用客户端代码将其重新写入该页面。对于 Reflected XSS,不可信赖的数据源通常为 Web 请求,而对于 Persisted(也称为 Stored)XSS,该数据源通常为数据库或其他后端数据存储。
未经验证但包含在动态内容中的数据将传送给 Web 用户。对于基于 DOM 的 XSS,任何时候当受害人的浏览器解析 HTML 页面时,恶意内容都将作为 DOM(文档对象模型)创建的一部分执行。
传送到 Web 浏览器的恶意内容通常采用 JavaScript 代码片段的形式,但也可能会包含一些 HTML、Flash 或者其他任意一种可以被浏览器执行的代码。基于 XSS 的攻击手段花样百出,几乎是无穷无尽的,但通常它们都会包含传输给攻击者的私人数据(如 Cookie 或者其他会话信息)。在攻击者的控制下,指引受害者进入恶意的网络内容;或者利用易受攻击的站点,对用户的机器进行其他恶意操作。
例 1:下面的 JavaScript 代码片段可从 URL 中读取雇员 ID eid,并将其显示给用户。
1 | <SCRIPT> |
示例 2:考虑使用 HTML 表单:
1 | <div id="myDiv"> |
下面的 jQuery 代码片段可从表单中读取雇员 ID,并将其显示给用户。
1 | $(document).ready(function(){ |
如果文本输入中 ID 为 eid 的雇员 ID 仅包含标准字母数字文本,则这些代码示例可正确运行。如果 eid 中的某个值包含元字符或源代码,则 Web 浏览器就会在显示 HTTP 响应时执行该代码。
示例 3:以下代码显示了 React 应用程序中基于 DOM 的 XSS 示例:
1 | let element = JSON.parse(getUntrustedInput()); |
在Example 3 中,如果攻击者可以控制从 getUntrustedInput() 检索到的整个 JSON 对象,他们可能就能够使 React 将 element 呈现为一个组件,从而可以使用他们自己控制的值传递具有 dangerouslySetInnerHTML的对象,这是一种典型的 Cross-Site Scripting 攻击。
最初,这些代码看起来似乎不会轻易遭受攻击。毕竟,有谁会输入包含可在自己电脑上运行的恶意代码的内容呢?真正的危险在于攻击者会创建恶意的 URL,然后采用电子邮件或社交工程的欺骗手段诱使受害者访问此 URL 的链接。当受害者单击这个链接时,他们不知不觉地通过易受攻击的网络应用程序,将恶意内容带到了自己的电脑中。这种对易受攻击的 Web 应用程序进行盗取的机制通常被称为反射式 XSS。
正如例子中所显示的,XSS 漏洞是由于 HTTP 响应中包含了未验证的数据代码而引起的。受害者遭受 XSS 攻击的途径有三种:
- 系统从 HTTP 请求中直接读取数据,并在 HTTP 响应中返回数据。当攻击者诱使用户为易受攻击的 Web 应用程序提供危险内容,而这些危险内容随后会反馈给用户并在 Web 浏览器中执行时,就会发生 Reflected XSS 漏洞利用。发送恶意内容最常用的方法是,将恶意内容作为一个参数包含在公开发布或通过电子邮件直接发送给受害者的 URL 中。以这种手段构造的 URL 已成为多种网络钓鱼阴谋的核心,攻击者会借此诱骗受害者访问指向易受攻击站点的 URL。当该站点将攻击者的内容反馈给受害者后,便会执行这些内容,接下来会将用户计算机中的各种私密信息(比如可能包含会话信息的 Cookie)传输给攻击者,或者执行其他恶意活动。
— 应用程序将危险数据存储在数据库或其他可信赖的数据存储器中。这些危险数据随后会被回写到应用程序中,并包含在动态内容中。Persistent XSS 盗取发生在如下情况:攻击者将危险内容注入到数据存储器中,且该存储器之后会被读取并包含在动态内容中。从攻击者的角度看,注入恶意内容的最佳位置莫过于一个面向许多用户,尤其是相关用户显示的区域。相关用户通常在应用程序中具备较高的特权,或相互之间交换敏感数据,这些数据对攻击者来说有利用价值。如果某一个用户执行了恶意内容,攻击者就有可能以该用户的名义执行某些需要特权的操作,或者获得该用户个人所有的敏感数据的访问权限。
— 应用程序之外的数据源将危险数据储存在一个数据库或其他数据存储器中,随后这些危险数据被当作可信赖的数据回写到应用程序中,并储存在动态内容中。
RECOMMENDATIONS
针对 XSS 的解决方法是,确保在适当位置进行验证,并检验其属性是否正确。
由于 XSS 漏洞在应用程序的输出中包含恶意数据时出现,因此,合乎逻辑的方法是在数据流出应用程序的前一刻对其进行验证。然而,由于 Web 应用程序常常会包含复杂而难以理解的代码,用以生成动态内容,因此,这一方法容易产生遗漏错误(遗漏验证)。降低这一风险的有效途径是对 XSS 也执行输入验证。
由于 Web 应用程序必须验证输入信息以避免其他漏洞(如 SQL Injection),因此,一种相对简单的解决方法是,加强一个应用程序现有的输入验证机制,将 XSS 检测包括其中。尽管有一定的价值,但 XSS 输入验证并不能取代严格的输出验证。应用程序可能通过共享的数据存储器或其他可信赖的数据源接受输入,而该数据存储器所接受的输入源可能并未执行适当的输入验证。因此,应用程序不能间接地依赖于该数据或其他任意数据的安全性。这就意味着,避免 XSS 漏洞的最佳方法是验证所有进入应用程序以及由应用程序传送至用户端的数据。
针对 XSS 漏洞进行验证最安全的方式是,创建一份安全字符白名单,允许其中的字符出现在 HTTP 内容中,并且只接受完全由这些经认可的字符组成的输入。例如,有效的用户名可能仅包含字母数字字符,电话号码可能仅包含 0-9 的数字。然而,这种解决方法在 Web 应用程序中通常是行不通的,因为许多字符对浏览器来说都具有特殊的含义,编码时这些字符必须被视为合法输入,例如,一个 Web 设计电子公告栏就必须接受其用户提供的 HTML 片段。
更灵活的方法是列入黑名单,但其安全性较差,这种方法在使用输入之前就有选择地拒绝或转义了潜在的危险字符。为了创建这样一个列表,首先需要了解对于 Web 浏览器具有特殊含义的字符集。虽然 HTML 标准定义了哪些字符具有特殊含义,但是许多 Web 浏览器会设法更正 HTML 中的常见错误,并可能在特定的上下文中认为其他字符具有特殊含义,这就是我们不鼓励使用黑名单作为阻止 XSS 的方法的原因。卡耐基梅隆大学 (Carnegie Mellon University) 软件工程学院 (Software Engineering Institute) 下属的 CERT(R) (CERT(R) Coordination Center) 合作中心提供了有关各种上下文中认定的特殊字符的具体信息 [1]:
在有关块级别元素的内容中(位于一段文本的中间):
- “<” 是一个特殊字符,因为它可以引入一个标签。
- “&” 是一个特殊字符,因为它可以引入一个字符实体。
- “>” 是一个特殊字符,之所以某些浏览器将其认定为特殊字符,是基于一种假设,即该页的作者本想在前面添加一个 “<”,却错误地将其遗漏了。
下面的这些原则适用于属性值:
对于外加双引号的属性值,双引号是特殊字符,因为它们标记了该属性值的结束。
对于外加单引号的属性值,单引号是特殊字符,因为它们标记了该属性值的结束。
对于不带任何引号的属性值,空格字符(如空格符和制表符)是特殊字符。
“&” 与某些特定变量一起使用时是特殊字符,因为它引入了一个字符实体。
例如,在 URL 中,搜索引擎可能会在结果页面内提供一个链接,用户可以点击该链接来重新运行搜索。可以将这一方法运用于编写 URL 中的搜索查询语句,这将引入更多特殊字符:
空格符、制表符和换行符是特殊字符,因为它们标记了 URL 的结束。
“&” 是特殊字符,因为它可引入一个字符实体或分隔 CGI 参数。
非 ASCII 字符(即 ISO-8859-1 编码表中所有大于 127 的字符)不允许出现在 URL 中,因此这些字符在此环境下被视为特殊字符。
在服务器端对在 HTTP 转义序列中编码的参数进行解码时,必须过滤掉输入中的 “%” 符号。例如,当输入中出现 “%68%65%6C%6C%6F” 时,只有从输入的内容中过滤掉 “%”,上述字符串才能在网页上显示为 “hello”。
在 <SCRIPT> </SCRIPT> 的正文内:
- 如果可以将文本直接插入到已有的脚本标签中,应该过滤掉分号、省略号、中括号和换行符。
服务器端脚本:
- 如果服务器端脚本会将输入中的感叹号 (!) 转换成输出中的双引号 (“),则可能需要对此进行更多过滤。
其他可能出现的情况:
- 如果攻击者以 UTF-7 格式提交了请求,则特殊字符“<”可能会显示为“+ADw-”,并可能会绕过过滤。如果输出包含在没有确切指定编码格式的网页中,某些浏览器就会设法根据内容自动识别编码(此处采用 UTF-7 格式)。
在应用程序中确定针对 XSS 攻击执行验证的正确要点,以及验证过程中要考虑的特殊字符之后,下一个难点就是确定验证过程中处理各种特殊字符的方式。如果应用程序认定某些特殊字符为无效输入,那么您可以拒绝任何带有这些无效特殊字符的输入。第二种选择就是采用过滤手段来删除这些特殊字符。然而,过滤的负面作用在于,过滤内容的显示将发生改变。在需要完整显示输入内容的情况下,过滤的这种负面作用可能是无法接受的。
如果必须接受带有特殊字符的输入,并将其准确地显示出来,验证机制一定要对所有特殊字符进行编码,以便删除其具有的含义。官方的 HTML 规范 [2] 提供了特殊字符对应的 ISO 8859-1 编码值的完整列表。
许多应用程序服务器都试图避免应用程序出现 Cross-Site Scripting 漏洞,具体做法是为负责设置特定 HTTP 响应内容的函数提供各种实现方式,以检验是否存在进行 Cross-Site Scripting 攻击必需的字符。不要依赖运行应用程序的服务器,以此确保该应用程序的安全。开发了某个应用程序后,并不能保证在其生命周期中它会在哪些应用程序服务器中运行。由于标准和已知盗取方式的演变,我们不能保证应用程序服务器也会保持同步。
REFERENCES
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] XSS via a spoofed React element Daniel LeCheminant
[4] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[11] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[12] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[13] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[14] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[15] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[16] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
Cross-Site Scripting: Persistent
ABSTRACT
向一个 Web 浏览器发送未经验证的数据会导致该浏览器执行恶意代码。
EXPLANATION
Cross-Site Scripting (XSS) 漏洞在以下情况下发生:
数据通过一个不可信赖的数据源进入 Web 应用程序。对于 Persistent(也称为 Stored)XSS,不可信赖的数据源通常为数据库或其他后端数据存储,而对于 Reflected XSS,该数据源通常为 Web 请求。
未经验证但包含在动态内容中的数据将传送给 Web 用户。
传送到 Web 浏览器的恶意内容通常采用 JavaScript 代码片段的形式,但也可能会包含一些 HTML、Flash 或者其他任意一种可以被浏览器执行的代码。基于 XSS 的攻击手段花样百出,几乎是无穷无尽的,但通常它们都会包含传输给攻击者的私人数据(如 Cookie 或者其他会话信息)。在攻击者的控制下,指引受害者进入恶意的网络内容;或者利用易受攻击的站点,对用户的机器进行其他恶意操作。
示例 1:下面的 Node.js 代码片段会根据给定的雇员 ID 查询数据库,并打印相应雇员的姓名。
1 | var http = require('http'); |
如果对 name 的值处理得当,该代码就能正常地执行各种功能;如若处理不当,就会对代码的盗取行为无能为力。这段代码暴露出的危险较小,因为 name 的值是从数据库中读取的,而且显然这些内容是由应用程序管理的。然而,如果 name 的值是由用户提供的数据产生,数据库就会成为恶意内容沟通的通道。如果不对数据库中存储的所有数据进行恰当的输入验证,那么攻击者就可以在用户的 Web 浏览器中执行恶意命令。这种类型的 Persistent XSS(也称为 Stored XSS)盗取极其阴险狡猾,因为数据存储导致的间接性使得辨别威胁的难度增大,而且还提高了一个攻击影响多个用户的可能性。XSS 盗取会从访问提供留言簿 (guestbook) 的网站开始。攻击者会在这些留言簿的条目中嵌入 JavaScript,接下来所有访问该留言簿的用户都会执行这些恶意代码。
示例 2:以下 Node.js 代码片段会在 HTTP 请求中读取雇员 ID eid,并将其显示给用户。
1 | var http = require('http'); |
如Example 1 中所示,如果 eid 只包含标准的字母数字文本,此代码将会正确运行。如果 eid 中的某个值包含元字符或源代码,则 Web 浏览器就会在显示 HTTP 响应时执行该代码。
起初,这个例子似乎是不会轻易遭受攻击的。毕竟,有谁会输入导致恶意代码在自己电脑上运行的 URL 呢?真正的危险在于攻击者会创建恶意的 URL,然后采用电子邮件或社交工程的欺骗手段诱使受害者访问此 URL 的链接。当受害者单击这个链接时,他们不知不觉地通过易受攻击的网络应用程序,将恶意内容带到了自己的电脑中。这种对易受攻击的 Web 应用程序进行盗取的机制通常被称为反射式 XSS。
正如例子中所显示的,XSS 漏洞是由于 HTTP 响应中包含了未经验证的数据代码而引起的。受害者遭受 XSS 攻击的途径有三种:
如Example 1 中所示,应用程序将危险数据存储在数据库或其他可信赖的数据存储中。这些危险数据随后会被读回到应用程序中,并包含在动态内容中。在以下情况下会发生 Persistent XSS 漏洞利用:攻击者将危险内容注入到数据存储中,而这些危险内容随后会被读取并包含在动态内容中。从攻击者的角度看,注入恶意内容的最佳位置莫过于显示给许多用户或显示给特定相关用户的区域。这些相关用户通常在应用程序中具备较高的特权,或者可以与敏感数据交互,这些数据对攻击者来说具有利用价值。如果某一个用户执行了恶意内容,攻击者就有可能以该用户的名义执行某些需要特权的操作,或者获得该用户个人敏感数据的访问权。
如Example 2 中所示,系统从 HTTP 请求中直接读取数据,并在 HTTP 响应中返回数据。当攻击者诱使用户为易受攻击的 Web 应用程序提供危险内容,而这些危险内容随后会反馈给用户并在 Web 浏览器中执行时,就会发生 Reflected XSS 漏洞利用。发送恶意内容最常用的方法是,将恶意内容作为一个参数包含在公开发布或通过电子邮件直接发送给受害者的 URL 中。以这种手段构造的 URL 已成为多种网络钓鱼阴谋的核心,攻击者会借此诱骗受害者访问指向易受攻击站点的 URL。当该站点将攻击者的内容反馈给受害者后,便会执行这些内容,接下来会将用户计算机中的各种私密信息(比如可能包含会话信息的 Cookie)传输给攻击者,或者执行其他恶意活动。
— 应用程序之外的数据源将危险数据储存在一个数据库或其他数据存储器中,随后这些危险数据被当作可信赖的数据回写到应用程序中,并储存在动态内容中。
RECOMMENDATIONS
针对 XSS 的解决方法是,确保在适当位置进行验证,并检验其属性是否正确。
由于 XSS 漏洞在应用程序的输出中包含恶意数据时出现,因此,合乎逻辑的方法是在数据流出应用程序的前一刻对其进行验证。然而,由于 Web 应用程序常常会包含复杂而难以理解的代码,用以生成动态内容,因此,这一方法容易产生遗漏错误(遗漏验证)。降低这一风险的有效途径是对 XSS 也执行输入验证。
由于 Web 应用程序必须验证输入信息以避免其他漏洞(如 SQL Injection),因此,一种相对简单的解决方法是,加强一个应用程序现有的输入验证机制,将 XSS 检测包括其中。尽管有一定的价值,但 XSS 输入验证并不能取代严格的输出验证。应用程序可能通过共享的数据存储器或其他可信赖的数据源接受输入,而该数据存储器所接受的输入源可能并未执行适当的输入验证。因此,应用程序不能间接地依赖于该数据或其他任意数据的安全性。这就意味着,避免 XSS 漏洞的最佳方法是验证所有进入应用程序以及由应用程序传送至用户端的数据。
针对 XSS 漏洞进行验证最安全的方式是,创建一份安全字符白名单,允许其中的字符出现在 HTTP 内容中,并且只接受完全由这些经认可的字符组成的输入。例如,有效的用户名可能仅包含字母数字字符,电话号码可能仅包含 0-9 的数字。然而,这种解决方法在 Web 应用程序中通常是行不通的,因为许多字符对浏览器来说都具有特殊的含义,编码时这些字符必须被视为合法输入,例如,一个 Web 设计电子公告栏就必须接受其用户提供的 HTML 片段。
更灵活的方法是列入黑名单,但其安全性较差,这种方法在使用输入之前就有选择地拒绝或转义了潜在的危险字符。为了创建这样一个列表,首先需要了解对于 Web 浏览器具有特殊含义的字符集。虽然 HTML 标准定义了哪些字符具有特殊含义,但是许多 Web 浏览器会设法更正 HTML 中的常见错误,并可能在特定的上下文中认为其他字符具有特殊含义,这就是我们不鼓励使用黑名单作为阻止 XSS 的方法的原因。卡耐基梅隆大学 (Carnegie Mellon University) 软件工程学院 (Software Engineering Institute) 下属的 CERT(R) (CERT(R) Coordination Center) 合作中心提供了有关各种上下文中认定的特殊字符的具体信息 [1]:
在有关块级别元素的内容中(位于一段文本的中间):
-“<”是一个特殊字符,因为它可以引入一个标签。
-“&”是一个特殊字符,因为它可以引入一个字符实体。
-“>”是一个特殊字符,之所以某些浏览器将其认定为特殊字符,是基于一种假设,即该页的作者本想在前面添加一个“<”,却错误地将其遗漏了。
下面的这些原则适用于属性值:
- 对于外加双引号的属性值,双引号是特殊字符,因为它们标记了该属性值的结束。
- 对于外加单引号的属性值,单引号是特殊字符,因为它们标记了该属性值的结束。
- 对于不带任何引号的属性值,空格字符(如空格符和制表符)是特殊字符。
-“&”与某些特定变量一起使用时是特殊字符,因为它引入了一个字符实体。
例如,在 URL 中,搜索引擎可能会在结果页面内提供一个链接,用户可以点击该链接来重新运行搜索。可以将这一方法运用于编写 URL 中的搜索查询语句,这将引入更多特殊字符:
- 空格符、制表符和换行符是特殊字符,因为它们标记了 URL 的结束。
- “&”是特殊字符,因为它可引入一个字符实体或分隔 CGI 参数。
- 非 ASCII 字符(即 ISO-8859-1 编码表中所有大于 127 的字符)不允许出现在 URL 中,因此这些字符在此环境下被视为特殊字符。
- 在服务器端对在 HTTP 转义序列中编码的参数进行解码时,必须过滤掉输入中的“%”符号。例如,当输入中出现“%68%65%6C%6C%6F”时,只有从输入的内容中过滤掉“%”,上述字符串才能在网页上显示为“hello”。
在 <SCRIPT> </SCRIPT>的正文内:
- 如果可以将文本直接插入到已有的脚本标签中,应该过滤掉分号、省略号、中括号和换行符。
服务器端脚本:
- 如果服务器端脚本会将输入中的感叹号 (!) 转换成输出中的双引号 (“),则可能需要对此进行更多过滤。
其他可能出现的情况:
- 如果攻击者以 UTF-7 格式提交了请求,则特殊字符“<”可能会显示为“+ADw-”,并可能会绕过过滤。如果输出包含在没有确切指定编码格式的网页中,某些浏览器就会设法根据内容自动识别编码(此处采用 UTF-7 格式)。
在应用程序中确定针对 XSS 攻击执行验证的正确要点,以及验证过程中要考虑的特殊字符之后,下一个难点就是确定验证过程中处理各种特殊字符的方式。如果应用程序认定某些特殊字符为无效输入,那么您可以拒绝任何带有这些无效特殊字符的输入。第二种选择就是采用过滤手段来删除这些特殊字符。然而,过滤的负面作用在于,过滤内容的显示将发生改变。在需要完整显示输入内容的情况下,过滤的这种负面作用可能是无法接受的。
如果必须接受带有特殊字符的输入,并将其准确地显示出来,验证机制一定要对所有特殊字符进行编码,以便删除其具有的含义。官方的 HTML 规范 [2] 提供了特殊字符对应的 ISO 8859-1 编码值的完整列表。
许多应用程序服务器都试图避免应用程序出现 Cross-Site Scripting 漏洞,具体做法是为负责设置特定 HTTP 响应内容的函数提供各种实现方式,以检验是否存在进行 Cross-Site Scripting 攻击必需的字符。不要依赖运行应用程序的服务器,以此确保该应用程序的安全。开发了某个应用程序后,并不能保证在其生命周期中它会在哪些应用程序服务器中运行。由于标准和已知盗取方式的演变,我们不能保证应用程序服务器也会保持同步。
REFERENCES
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[10] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[11] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[12] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[13] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[14] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[15] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[25] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[26] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
Cross-Site Scripting: Poor Validation
ABSTRACT
依靠 HTML、XML 和其他类型的编码来验证用户输入可能会导致浏览器执行恶意代码。
EXPLANATION
使用特定的编码函数能避免一部分 cross-site scripting 攻击,但不能完全避免。根据数据出现的上下文,除 HTML 编码的基本字符 <、>、& 和 “ 以及 XML 编码的字符 <、>、&、” 和 ‘ 之外,其他字符可能具有元意。依靠此类编码函数等同于用一个安全性较差的黑名单来防止 cross-site scripting 攻击,并且可能允许攻击者注入恶意代码,并在浏览器中加以执行。由于不可能始终准确地确定静态显示数据的上下文,所以即便进行了编码,Fortify 安全编码规则包仍会报告跨站脚本攻击结果,并将其显示为 Cross-Site Scripting: Poor Validation 问题。
Cross-Site Scripting (XSS) 漏洞在以下情况下发生:
数据通过一个不可信赖的数据源进入 Web 应用程序。对于基于 DOM 的 XSS,将从 URL 参数或浏览器中的其他值读取数据,并使用客户端代码将其重新写入该页面。对于 Reflected XSS,不可信赖的数据源通常为 Web 请求,而对于 Persisted(也称为 Stored)XSS,该数据源通常为数据库或其他后端数据存储。
未经验证但包含在动态内容中的数据将传送给 Web 用户。对于基于 DOM 的 XSS,任何时候当受害人的浏览器解析 HTML 页面时,恶意内容都将作为 DOM(文档对象模型)创建的一部分执行。
传送到 Web 浏览器的恶意内容通常采用 JavaScript 代码片段的形式,但也可能会包含一些 HTML、Flash 或者其他任意一种可以被浏览器执行的代码。基于 XSS 的攻击手段花样百出,几乎是无穷无尽的,但通常它们都会包含传输给攻击者的私人数据(如 Cookie 或者其他会话信息)。在攻击者的控制下,指引受害者进入恶意的网络内容;或者利用易受攻击的站点,对用户的机器进行其他恶意操作。
示例:下面的 JavaScript 代码片段可从 HTTP 请求中读取雇员 ID eid,对其进行转义并显示给用户。
1 | <SCRIPT> |
如果eid只包含标准的字母或数字文本,这个例子中的代码就能正确运行。如果eid中的某个值包含元字符或源代码,则 Web 浏览器就会在显示 HTTP 响应时执行该代码。
起初,这个例子似乎是不会轻易遭受攻击的。毕竟,有谁会输入导致恶意代码在自己电脑上运行的 URL 呢?真正的危险在于攻击者会创建恶意的 URL,然后采用电子邮件或社交工程的欺骗手段诱使受害者访问此 URL 的链接。当受害者单击这个链接时,他们不知不觉地通过易受攻击的网络应用程序,将恶意内容带到了自己的电脑中。这种对易受攻击的 Web 应用程序进行盗取的机制通常被称为反射式 XSS。
正如例子中所显示的,XSS 漏洞是由于 HTTP 响应中包含了未验证的数据代码而引起的。受害者遭受 XSS 攻击的途径有三种:
— 系统从 HTTP 请求中直接读取数据,并在 HTTP 响应中返回数据。当攻击者诱使用户为易受攻击的 Web 应用程序提供危险内容,而这些危险内容随后会反馈给用户并在 Web 浏览器中执行时,就会发生 Reflected XSS 漏洞利用。发送恶意内容最常用的方法是,将恶意内容作为一个参数包含在公开发布或通过电子邮件直接发送给受害者的 URL 中。以这种手段构造的 URL 已成为多种网络钓鱼阴谋的核心,攻击者会借此诱骗受害者访问指向易受攻击站点的 URL。当该站点将攻击者的内容反馈给受害者后,便会执行这些内容,接下来会将用户计算机中的各种私密信息(比如可能包含会话信息的 Cookie)传输给攻击者,或者执行其他恶意活动。
— 应用程序将危险数据存储在数据库或其他可信赖的数据存储器中。这些危险数据随后会被回写到应用程序中,并包含在动态内容中。Persistent XSS 盗取发生在如下情况:攻击者将危险内容注入到数据存储器中,且该存储器之后会被读取并包含在动态内容中。从攻击者的角度看,注入恶意内容的最佳位置莫过于一个面向许多用户,尤其是相关用户显示的区域。相关用户通常在应用程序中具备较高的特权,或相互之间交换敏感数据,这些数据对攻击者来说有利用价值。如果某一个用户执行了恶意内容,攻击者就有可能以该用户的名义执行某些需要特权的操作,或者获得该用户个人所有的敏感数据的访问权限。
— 应用程序之外的数据源将危险数据储存在一个数据库或其他数据存储器中,随后这些危险数据被当作可信赖的数据回写到应用程序中,并储存在动态内容中。
RECOMMENDATIONS
针对 XSS 的解决方法是,确保在适当位置进行验证,并检验其属性是否正确。
由于 XSS 漏洞在应用程序的输出中包含恶意数据时出现,因此,合乎逻辑的方法是在数据流出应用程序的前一刻对其进行验证。然而,由于 Web 应用程序常常会包含复杂而难以理解的代码,用以生成动态内容,因此,这一方法容易产生遗漏错误(遗漏验证)。降低这一风险的有效途径是对 XSS 也执行输入验证。
由于 Web 应用程序必须验证输入信息以避免其他漏洞(如 SQL Injection),因此,一种相对简单的解决方法是,加强一个应用程序现有的输入验证机制,将 XSS 检测包括其中。尽管有一定的价值,但 XSS 输入验证并不能取代严格的输出验证。应用程序可能通过共享的数据存储器或其他可信赖的数据源接受输入,而该数据存储器所接受的输入源可能并未执行适当的输入验证。因此,应用程序不能间接地依赖于该数据或其他任意数据的安全性。这就意味着,避免 XSS 漏洞的最佳方法是验证所有进入应用程序以及由应用程序传送至用户端的数据。
针对 XSS 漏洞进行验证最安全的方式是,创建一份安全字符白名单,允许其中的字符出现在 HTTP 内容中,并且只接受完全由这些经认可的字符组成的输入。例如,有效的用户名可能仅包含字母数字字符,电话号码可能仅包含 0-9 的数字。然而,这种解决方法在 Web 应用程序中通常是行不通的,因为许多字符对浏览器来说都具有特殊的含义,编码时这些字符必须被视为合法输入,例如,一个 Web 设计电子公告栏就必须接受其用户提供的 HTML 片段。
更灵活的方法是列入黑名单,但其安全性较差,这种方法在使用输入之前就有选择地拒绝或转义了潜在的危险字符。为了创建这样一个列表,首先需要了解对于 Web 浏览器具有特殊含义的字符集。虽然 HTML 标准定义了哪些字符具有特殊含义,但是许多 Web 浏览器会设法更正 HTML 中的常见错误,并可能在特定的上下文中认为其他字符具有特殊含义,这就是我们不鼓励使用黑名单作为阻止 XSS 的方法的原因。卡耐基梅隆大学 (Carnegie Mellon University) 软件工程学院 (Software Engineering Institute) 下属的 CERT(R) (CERT(R) Coordination Center) 合作中心提供了有关各种上下文中认定的特殊字符的具体信息 [1]:
在有关块级别元素的内容中(位于一段文本的中间):
- “<” 是一个特殊字符,因为它可以引入一个标签。
- “&” 是一个特殊字符,因为它可以引入一个字符实体。
- “>” 是一个特殊字符,之所以某些浏览器将其认定为特殊字符,是基于一种假设,即该页的作者本想在前面添加一个 “<”,却错误地将其遗漏了。
下面的这些原则适用于属性值:
- 对于外加双引号的属性值,双引号是特殊字符,因为它们标记了该属性值的结束。
- 对于外加单引号的属性值,单引号是特殊字符,因为它们标记了该属性值的结束。
- 对于不带任何引号的属性值,空格字符(如空格符和制表符)是特殊字符。
- “&” 与某些特定变量一起使用时是特殊字符,因为它引入了一个字符实体。
例如,在 URL 中,搜索引擎可能会在结果页面内提供一个链接,用户可以点击该链接来重新运行搜索。可以将这一方法运用于编写 URL 中的搜索查询语句,这将引入更多特殊字符:
- 空格符、制表符和换行符是特殊字符,因为它们标记了 URL 的结束。
- “&” 是特殊字符,因为它可引入一个字符实体或分隔 CGI 参数。
- 非 ASCII 字符(即 ISO-8859-1 编码表中所有大于 127 的字符)不允许出现在 URL 中,因此这些字符在此环境下被视为特殊字符。
- 在服务器端对在 HTTP 转义序列中编码的参数进行解码时,必须过滤掉输入中的 “%” 符号。例如,当输入中出现 “%68%65%6C%6C%6F” 时,只有从输入的内容中过滤掉 “%”,上述字符串才能在网页上显示为 “hello”。
在 <SCRIPT> </SCRIPT>的正文内:
- 如果可以将文本直接插入到已有的脚本标签中,应该过滤掉分号、省略号、中括号和换行符。
服务器端脚本:
- 如果服务器端脚本会将输入中的感叹号 (!) 转换成输出中的双引号 (“),则可能需要对此进行更多过滤。
其他可能出现的情况:
- 如果攻击者以 UTF-7 格式提交了请求,则特殊字符“<”可能会显示为“+ADw-”,并可能会绕过过滤。如果输出包含在没有确切指定编码格式的网页中,某些浏览器就会设法根据内容自动识别编码(此处采用 UTF-7 格式)。
在应用程序中确定针对 XSS 攻击执行验证的正确要点,以及验证过程中要考虑的特殊字符之后,下一个难点就是确定验证过程中处理各种特殊字符的方式。如果应用程序认定某些特殊字符为无效输入,那么您可以拒绝任何带有这些无效特殊字符的输入。第二种选择就是采用过滤手段来删除这些特殊字符。然而,过滤的负面作用在于,过滤内容的显示将发生改变。在需要完整显示输入内容的情况下,过滤的这种负面作用可能是无法接受的。
如果必须接受带有特殊字符的输入,并将其准确地显示出来,验证机制一定要对所有特殊字符进行编码,以便删除其具有的含义。官方的 HTML 规范 [2] 提供了特殊字符对应的 ISO 8859-1 编码值的完整列表。
许多应用程序服务器都试图避免应用程序出现 Cross-Site Scripting 漏洞,具体做法是为负责设置特定 HTTP 响应内容的函数提供各种实现方式,以检验是否存在进行 Cross-Site Scripting 攻击必需的字符。不要依赖运行应用程序的服务器,以此确保该应用程序的安全。开发了某个应用程序后,并不能保证在其生命周期中它会在哪些应用程序服务器中运行。由于标准和已知盗取方式的演变,我们不能保证应用程序服务器也会保持同步。
REFERENCES
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[10] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[11] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[12] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[13] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[14] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[15] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
Cross-Site Scripting: Reflected
ABSTRACT
向一个 Web 浏览器发送未经验证的数据会导致该浏览器执行恶意代码。
EXPLANATION
Cross-Site Scripting (XSS) 漏洞在以下情况下发生:
数据通过一个不可信赖的数据源进入 Web 应用程序。对于 Reflected XSS,不可信赖的数据源通常为 Web 请求,而对于 Persisted(也称为 Stored)XSS,该数据源通常为数据库或其他后端数据存储。
未经验证但包含在动态内容中的数据将传送给 Web 用户。
传送到 Web 浏览器的恶意内容通常采用 JavaScript 代码片段的形式,但也可能会包含一些 HTML、Flash 或者其他任意一种可以被浏览器执行的代码。基于 XSS 的攻击手段花样百出,几乎是无穷无尽的,但通常它们都会包含传输给攻击者的私人数据(如 Cookie 或者其他会话信息)。在攻击者的控制下,指引受害者进入恶意的网络内容;或者利用易受攻击的站点,对用户的机器进行其他恶意操作。
示例 1:以下 Node.js 代码片段会在 HTTP 请求中读取雇员 ID eid,并将其显示给用户。
1 | var http = require('http'); |
如果eid只包含标准的字母或数字文本,这个例子中的代码就能正确运行。如果eid中的某个值包含元字符或源代码,则 Web 浏览器就会在显示 HTTP 响应时执行该代码。
起初,这个例子似乎是不会轻易遭受攻击的。毕竟,有谁会输入导致恶意代码在自己电脑上运行的 URL 呢?真正的危险在于攻击者会创建恶意的 URL,然后采用电子邮件或社交工程的欺骗手段诱使受害者访问此 URL 的链接。当受害者单击这个链接时,他们不知不觉地通过易受攻击的网络应用程序,将恶意内容带到了自己的电脑中。这种对易受攻击的 Web 应用程序进行盗取的机制通常被称为反射式 XSS。
示例 2:下面的 Node.js 代码片段会根据给定的雇员 ID 查询数据库,并打印相应雇员的姓名。
1 | var http = require('http'); |
如同Example 1,如果对name的值处理得当,该代码就能正常地执行各种功能;如若处理不当,就会对代码的漏洞利用行为无能为力。同样,这段代码看起来似乎危险较小,因为name的值是从数据库中读取的,而且这些内容明显是由应用程序管理的。然而,如果name的值来自用户提供的数据,数据库就会成为恶意内容传播的通道。如果不对数据库中存储的所有数据进行恰当的输入验证,那么攻击者就可以在用户的 Web 浏览器中执行恶意命令。这种类型的漏洞利用称为 Persistent XSS(或 Stored XSS),它极其隐蔽,因为数据存储导致的间接行为会增大辨别威胁的难度,并使多个用户受此攻击影响的可能性提高。XSS 漏洞利用首先会在网站上为访问者提供一个“留言簿”。攻击者会在这些留言簿的条目中嵌入 JavaScript,接下来所有访问该留言簿页面的访问者都会执行这些恶意代码。
正如例子中所显示的,XSS 漏洞是由于 HTTP 响应中包含了未经验证的数据代码而引起的。受害者遭受 XSS 攻击的途径有三种:
如Example 1中所示,系统从 HTTP 请求中直接读取数据,并在 HTTP 响应中返回数据。当攻击者诱使用户为易受攻击的 Web 应用程序提供危险内容,而这些危险内容随后会反馈给用户并在 Web 浏览器中执行时,就会发生 Reflected XSS 漏洞利用。发送恶意内容最常用的方法是,将恶意内容作为一个参数包含在公开发布或通过电子邮件直接发送给受害者的 URL 中。以这种手段构造的 URL 已成为多种网络钓鱼阴谋的核心,攻击者会借此诱骗受害者访问指向易受攻击站点的 URL。当该站点将攻击者的内容反馈给受害者后,便会执行这些内容,接下来会将用户计算机中的各种私密信息(比如可能包含会话信息的 Cookie)传输给攻击者,或者执行其他恶意活动。
如Example 2中所示,应用程序将危险数据存储在数据库或其他可信赖的数据存储中。这些危险数据随后会被读回到应用程序中,并包含在动态内容中。在以下情况下会发生 Persistent XSS 漏洞利用:攻击者将危险内容注入到数据存储中,而这些危险内容随后会被读取并包含在动态内容中。从攻击者的角度看,注入恶意内容的最佳位置莫过于显示给许多用户或显示给特定相关用户的区域。这些相关用户通常在应用程序中具备较高的特权,或者可以与敏感数据交互,这些数据对攻击者来说具有利用价值。如果某一个用户执行了恶意内容,攻击者就有可能以该用户的名义执行某些需要特权的操作,或者获得该用户个人敏感数据的访问权。
应用程序之外的数据源将危险数据储存在一个数据库或其他数据存储器中,随后这些危险数据被当作可信赖的数据回写到应用程序中,并储存在动态内容中。
RECOMMENDATIONS
针对 XSS 的解决方法是,确保在适当位置进行验证,并检验其属性是否正确。
由于 XSS 漏洞在应用程序的输出中包含恶意数据时出现,因此,合乎逻辑的方法是在数据流出应用程序的前一刻对其进行验证。然而,由于 Web 应用程序常常会包含复杂而难以理解的代码,用以生成动态内容,因此,这一方法容易产生遗漏错误(遗漏验证)。降低这一风险的有效途径是对 XSS 也执行输入验证。
由于 Web 应用程序必须验证输入信息以避免其他漏洞(如 SQL Injection),因此,一种相对简单的解决方法是,加强一个应用程序现有的输入验证机制,将 XSS 检测包括其中。尽管有一定的价值,但 XSS 输入验证并不能取代严格的输出验证。应用程序可能通过共享的数据存储器或其他可信赖的数据源接受输入,而该数据存储器所接受的输入源可能并未执行适当的输入验证。因此,应用程序不能间接地依赖于该数据或其他任意数据的安全性。这就意味着,避免 XSS 漏洞的最佳方法是验证所有进入应用程序以及由应用程序传送至用户端的数据。
针对 XSS 漏洞进行验证最安全的方式是,创建一份安全字符白名单,允许其中的字符出现在 HTTP 内容中,并且只接受完全由这些经认可的字符组成的输入。例如,有效的用户名可能仅包含字母数字字符,电话号码可能仅包含 0-9 的数字。然而,这种解决方法在 Web 应用程序中通常是行不通的,因为许多字符对浏览器来说都具有特殊的含义,编码时这些字符必须被视为合法输入,例如,一个 Web 设计电子公告栏就必须接受其用户提供的 HTML 片段。
更灵活的方法是列入黑名单,但其安全性较差,这种方法在使用输入之前就有选择地拒绝或转义了潜在的危险字符。为了创建这样一个列表,首先需要了解对于 Web 浏览器具有特殊含义的字符集。虽然 HTML 标准定义了哪些字符具有特殊含义,但是许多 Web 浏览器会设法更正 HTML 中的常见错误,并可能在特定的上下文中认为其他字符具有特殊含义,这就是我们不鼓励使用黑名单作为阻止 XSS 的方法的原因。卡耐基梅隆大学 (Carnegie Mellon University) 软件工程学院 (Software Engineering Institute) 下属的 CERT(R) (CERT(R) Coordination Center) 合作中心提供了有关各种上下文中认定的特殊字符的具体信息 [1]:
在有关块级别元素的内容中(位于一段文本的中间):
-“<”是一个特殊字符,因为它可以引入一个标签。
-“&”是一个特殊字符,因为它可以引入一个字符实体。
-“>”是一个特殊字符,之所以某些浏览器将其认定为特殊字符,是基于一种假设,即该页的作者本想在前面添加一个“<”,却错误地将其遗漏了。
下面的这些原则适用于属性值:
- 对于外加双引号的属性值,双引号是特殊字符,因为它们标记了该属性值的结束。
- 对于外加单引号的属性值,单引号是特殊字符,因为它们标记了该属性值的结束。
- 对于不带任何引号的属性值,空格字符(如空格符和制表符)是特殊字符。
-“&”与某些特定变量一起使用时是特殊字符,因为它引入了一个字符实体。
例如,在 URL 中,搜索引擎可能会在结果页面内提供一个链接,用户可以点击该链接来重新运行搜索。可以将这一方法运用于编写 URL 中的搜索查询语句,这将引入更多特殊字符:
- 空格符、制表符和换行符是特殊字符,因为它们标记了 URL 的结束。
-“&”是特殊字符,因为它可引入一个字符实体或分隔 CGI 参数。
- 非 ASCII 字符(即 ISO-8859-1 编码表中所有大于 127 的字符)不允许出现在 URL 中,因此这些字符在此环境下被视为特殊字符。
- 在服务器端对在 HTTP 转义序列中编码的参数进行解码时,必须过滤掉输入中的“%”符号。例如,当输入中出现“%68%65%6C%6C%6F”时,只有从输入的内容中过滤掉“%”,上述字符串才能在网页上显示为“hello”。
在<SCRIPT> </SCRIPT>的正文内:
- 如果可以将文本直接插入到已有的脚本标签中,应该过滤掉分号、省略号、中括号和换行符。
服务器端脚本:
- 如果服务器端脚本会将输入中的感叹号 (!) 转换成输出中的双引号 (“),则可能需要对此进行更多过滤。
其他可能出现的情况:
- 如果攻击者以 UTF-7 格式提交了请求,则特殊字符“<”可能会显示为“+ADw-”,并可能会绕过过滤。如果输出包含在没有确切指定编码格式的网页中,某些浏览器就会设法根据内容自动识别编码(此处采用 UTF-7 格式)。
在应用程序中确定针对 XSS 攻击执行验证的正确要点,以及验证过程中要考虑的特殊字符之后,下一个难点就是确定验证过程中处理各种特殊字符的方式。如果应用程序认定某些特殊字符为无效输入,那么您可以拒绝任何带有这些无效特殊字符的输入。第二种选择就是采用过滤手段来删除这些特殊字符。然而,过滤的负面作用在于,过滤内容的显示将发生改变。在需要完整显示输入内容的情况下,过滤的这种负面作用可能是无法接受的。
如果必须接受带有特殊字符的输入,并将其准确地显示出来,验证机制一定要对所有特殊字符进行编码,以便删除其具有的含义。官方的 HTML 规范 [2] 提供了特殊字符对应的 ISO 8859-1 编码值的完整列表。
许多应用程序服务器都试图避免应用程序出现 Cross-Site Scripting 漏洞,具体做法是为负责设置特定 HTTP 响应内容的函数提供各种实现方式,以检验是否存在进行 Cross-Site Scripting 攻击必需的字符。不要依赖运行应用程序的服务器,以此确保该应用程序的安全。开发了某个应用程序后,并不能保证在其生命周期中它会在哪些应用程序服务器中运行。由于标准和已知盗取方式的演变,我们不能保证应用程序服务器也会保持同步。
REFERENCES
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[10] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[11] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[12] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[13] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[14] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[15] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[25] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[26] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
Cross-Site Scripting: SOP Bypass
ABSTRACT
允许用户输入以控制以下设置:确定可创建 XSS 漏洞的同源策略 (SOP)。
EXPLANATION
在以下情况下,通过同源策略 (SOP) 绕过发生跨站点脚本 (XSS) 漏洞:
1.数据通过一个不可信赖的数据源进入 Web 应用程序。
2.数据将传递到一个设置,该设置确定脚本可以运行的页面源,例如 document.domain。
执行此操作后,将允许另一个域中的攻击者将 document.domain 设置为相同值,并在页面上执行脚本,就像它们位于完全相同的域中一样。
示例 1:下面,我们取一个 URL 参数 domain,并将其作为页面的同源策略 (SOP) 的域传递。
1 | <SCRIPT> |
大多数浏览器只允许将有效的超域传递给document.domain。因此,如果页面位于“http://www.example.com”,则可以将document.domain设置为“www.example.com”或“example.com”。它不能设置为“com”或“example.org”。
然而,如果攻击者位于他们能够控制的网站的另一部分上,他们也许能够在他们无法控制的网站部分上执行脚本。
RECOMMENDATIONS
在可能的情况下,决不允许用户输入来控制 document.domain。
如果无法做到这一点,则应采用白名单方法,这种方法根据用户输入检查有效参数列表,并使用相关联的参数。这样,就不会发生通过用户控制的输入来确定 document.domain 内容的情况。
示例 2:下面使用白名单方法来解决此问题,注意千万不要直接使用用户控制的输入。
1 | <SCRIPT> |
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[10] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[11] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[12] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[13] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[23] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[24] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
Cross-Site Scripting: Self
ABSTRACT
向一个 Web 浏览器发送未经验证的数据会导致该浏览器执行恶意代码。
EXPLANATION
Cross-Site Scripting (XSS) 漏洞会在以下情况下发生:
1.数据通过一个不可信赖的数据源进入 Web 应用程序。对于 Self-XSS,将从文本框或可以通过 DOM 控制的其他值读取数据,并使用客户端代码将其重新写入该页面。
2.未经验证但包含在动态内容中的数据将传送给 Web 用户。对于 Self-XSS,恶意内容都将作为 DOM(文档对象模型)修改的一部分执行。
对于 Self-XSS,恶意内容通常采用 JavaScript 代码片段的形式,或者其他任意一种可以被浏览器执行的代码的形式。由于 Self-XSS 主要是对自身进行攻击,因此往往被认为不重要,但在以下情况下,应将其与标准 XSS 缺陷同等对待:
在您的网站上识别到 Cross-Site Request Forgery 漏洞。
社会工程攻击可能诱使用户攻击他们自己的帐户,从而破坏其会话。
示例 1:考虑使用 HTML 表单:
1 | <div id="myDiv"> |
下面的 jQuery 代码片段可从文本框中读取雇员 ID,并将其显示给用户。
1 | $(document).ready(function(){ |
如果文本输入中 ID 为 eid 的雇员 ID 仅包含标准字母数字文本,则这些代码示例可正确运行。如果 eid 中的某个值包含元字符或源代码,则在用户点击该按钮之后,代码将被添加到 DOM 以供浏览器执行。如果攻击者可以诱使用户将恶意内容输入到文本输入,就成了基于 DOM 的 XSS。
RECOMMENDATIONS
针对 XSS 的解决方法是,确保在适当位置进行验证,并检验其属性是否正确。
由于 XSS 漏洞在应用程序的输出中包含恶意数据时出现,因此,合乎逻辑的方法是在数据流出应用程序的前一刻(或在呈现之前(如果基于 DOM))对其进行验证。然而,由于 Web 应用程序常常会包含复杂而难以理解的代码,用以生成动态内容,因此,这一方法容易产生遗漏错误(遗漏验证)。降低这一风险的有效途径是对 XSS 也执行输入验证。
由于 Web 应用程序必须验证输入信息以避免其他漏洞(如 SQL Injection),因此,一种相对简单的解决方法是,加强一个应用程序现有的输入验证机制,将 XSS 检测包括其中。尽管有一定的价值,但 XSS 输入验证并不能取代严格的输出验证。应用程序可能通过共享的数据存储器或其他可信赖的数据源接受输入,而该数据存储器所接受的输入源可能并未执行适当的输入验证。因此,应用程序不能间接地依赖于该数据或其他任意数据的安全性。这就意味着,避免 XSS 漏洞的最佳方法是验证所有进入应用程序以及由应用程序传送至用户端的数据。
针对 XSS 漏洞进行验证最安全的方式是,创建一份安全字符白名单,允许其中的字符出现在 HTTP 内容中,并且只接受完全由这些经认可的字符组成的输入。例如,有效的用户名可能仅包含字母数字字符,电话号码可能仅包含 0-9 的数字。然而,这种解决方法在 Web 应用程序中通常是行不通的,因为许多字符对浏览器来说都具有特殊的含义,编码时这些字符必须被视为合法输入,例如,一个 Web 设计电子公告栏就必须接受其用户提供的 HTML 片段。
更灵活的方法是列入黑名单,但其安全性较差,这种方法在使用输入之前就有选择地拒绝或转义了潜在的危险字符。为了创建这样一个列表,首先需要了解对于 Web 浏览器具有特殊含义的字符集。虽然 HTML 标准定义了哪些字符具有特殊含义,但是许多 Web 浏览器会设法更正 HTML 中的常见错误,并可能在特定的上下文中认为其他字符具有特殊含义,这就是我们不鼓励使用黑名单作为阻止 XSS 的方法的原因。卡耐基梅隆大学 (Carnegie Mellon University) 软件工程学院 (Software Engineering Institute) 下属的 CERT(R) (CERT(R) Coordination Center) 合作中心提供了有关各种上下文中认定的特殊字符的具体信息 [1]:
在有关块级别元素的内容中(位于一段文本的中间):
-“<”是一个特殊字符,因为它可以引入一个标签。
-“&”是一个特殊字符,因为它可以引入一个字符实体。
-“>”是一个特殊字符,之所以某些浏览器将其视为特殊字符,是基于一种假设,即页面创建者本想在前面添加一个“<”,却错误地将其遗漏了。
下面的这些原则适用于属性值:
- 对于外加双引号的属性值,双引号是特殊字符,因为它们标记了该属性值的结束。
- 对于外加单引号的属性值,单引号是特殊字符,因为它们标记了该属性值的结束。
- 对于不带任何引号的属性值,空格字符(如空格符和制表符)是特殊字符。
-“&”与某些特定属性一起使用时是特殊字符,因为它可以引入一个字符实体。
例如,在 URL 中,搜索引擎可能会在结果页面内提供一个链接,用户可以单击该链接来重新运行搜索。可以将这一方法运用于编写 URL 中的搜索查询语句,这将引入更多特殊字符:
- 空格符、制表符和换行符是特殊字符,因为它们标记了 URL 的结束。
-“&”是特殊字符,因为它可以引入一个字符实体或分隔 CGI 参数。
- 非 ASCII 字符(即 ISO-8859-1 编码表中所有大于 127 的字符)不允许出现在 URL 中,因此这些字符在此环境下被视为特殊字符。
- 在服务器端对在 HTTP 转义序列中编码的参数进行解码时,必须过滤掉输入中的 “%” 符号。例如,当输入中出现“%68%65%6C%6C%6F”时,只有从输入的内容中过滤掉“%”,上述字符串才能在网页上显示为“hello”。
在 <SCRIPT> </SCRIPT> 正文中:
- 如果可以将文本直接插入到已有的脚本标签中,则应该过滤掉分号、圆括号、花括号和换行符。
服务器端脚本:
- 如果服务器端脚本会将输入中的感叹号 (!) 转换成输出中的双引号 (“),则可能需要对此进行更多过滤。
其他可能出现的情况:
- 如果攻击者以 UTF-7 格式提交了请求,则特殊字符“<”可能会显示为“+ADw-”,并可能会绕过过滤。如果输出包含在没有确切指定编码格式的网页中,某些浏览器就会设法根据内容自动识别编码(此处采用 UTF-7 格式)。
在应用程序中确定针对 XSS 攻击执行验证的正确要点,以及验证过程中要考虑的特殊字符之后,下一个难点就是确定验证过程中处理各种特殊字符的方式。如果应用程序认定某些特殊字符为无效输入,那么您可以拒绝任何带有这些无效特殊字符的输入。第二种选择就是采用过滤手段来删除这些特殊字符。然而,过滤的负面作用在于,过滤内容的显示将发生改变。在需要完整显示输入内容的情况下,过滤的这种负面作用可能是无法接受的。
如果必须接受带有特殊字符的输入,并将其准确地显示出来,验证机制一定要对所有特殊字符进行编码,以便删除其具有的含义。官方的 HTML 规范 [2] 提供了特殊字符对应的 ISO 8859-1 编码值的完整列表。
许多应用程序服务器都试图避免应用程序出现 Cross-Site Scripting 漏洞,具体做法是为负责设置特定 HTTP 响应内容的函数提供各种实现方式,以检验是否存在进行 Cross-Site Scripting 攻击必需的字符。不要依赖运行应用程序的服务器,以此确保该应用程序的安全。开发了某个应用程序后,并不能保证在其生命周期中它会在哪些应用程序服务器中运行。由于标准和已知盗取方式的演变,我们不能保证应用程序服务器也会保持同步。
REFERENCES
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Jesse Kornblum Don’t Be a Self XSS Victim Facebook
[4] Hans Petrich Weaponizing self-xss Silent Break Security
[5] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[8] Standards Mapping - FIPS200 SI
[9] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[12] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[14] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[15] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[16] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[17] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[27] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[28] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
Denial of Service
ABSTRACT
攻击者可以造成程序崩溃或使合法用户无法进行使用。
EXPLANATION
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。这种 bug 允许攻击者去指定请求使用系统资源的数量,或者是持续使用这些系统资源的时间。
示例 1:以下代码允许用户指定要使用的 file system 大小。通过指定一个较大的数字,攻击者可以耗尽 file system 资源。
1 | var fsync = requestFileSystemSync(0, userInput); |
示例 2:下列代码会写入一个文件。由于在用户代理将此文件视为已关闭之前,此文件可能会持续写入和重写,因此磁盘配额、IO 带宽和可能需要分析此文件内容的进程都会受到影响。
1 | function oninit(fs) { |
RECOMMENDATIONS
校验用户输入以确保它不会引起不适当的资源利用。
示例 3:以下代码允许用户指定文件系统大小,就像Example 1 中一样,但前提是该值处于合理范围内。
1 | if (userInput >= SIZE_MIN && |
示例 4:以下代码会写入一个文件,就像Example 2 中一样,但最大文件大小为 MAX_FILE_LEN。
1 | function oninit(fs) { |
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[25] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
[26] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
Denial of Service: Regular Expression
ABSTRACT
不受信数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
EXPLANATION
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例:
(e+)+
([a-zA-Z]+)*
(e|ee)+
已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
RECOMMENDATIONS
请不要将不可信赖的数据用作正则表达式。
REFERENCES
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[29] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
[30] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
Dynamic Code Evaluation: Code Injection
ABSTRACT
在运行时中解析用户控制的指令,会让攻击者有机会执行恶意代码。
EXPLANATION
许多现代编程语言都允许动态解析源代码指令。这使得程序员可以执行基于用户输入的动态指令。当程序员错误地认为由用户直接提供的指令仅会执行一些无害的操作时(如对当前的用户对象进行简单的计算或修改用户的状态),就会出现 code injection 漏洞:然而,若不经过适当的验证,用户指定的操作可能并不是程序员最初所期望的。
示例:在这一典型的代码注入示例中,应用程序实施的基本计算器允许用户指定要执行的命令。
1 | ... |
如果operation参数的值为良性值,程序就可以正常运行。例如,当该值为 “8 + 7 * 2” 时,calcResult变量被赋予的值将为 22。然而,如果攻击者指定的语言操作既有可能是有效的,又有可能是恶意的,那么,只有在对主进程具有完全权限的情况下才能执行这些操作。如果底层语言提供了访问系统资源的途径或允许执行系统命令,这种攻击甚至会更加危险。对于 JavaScript,攻击者还可以利用这种漏洞进行 cross-site scripting 攻击。
RECOMMENDATIONS
在任何时候,都应尽可能地避免动态的代码解析。如果程序的功能要求对代码进行动态的解析,您可以通过以下方式将此种攻击的可能性降低到最小:尽可能的限制程序中动态执行的代码数量,将此类代码应用到特定的应用程序和上下文中的基本编程语言的子集。
如果需要执行动态代码,应用程序绝不应当直接执行和解析未验证的用户输入。而应采用间接方法:创建一份合法操作和数据对象列表,用户可以指定其中的内容,并且只能从中进行选择。利用这种方法,就绝不会直接执行由用户提供的输入。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 95, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements, 5.2.4 Sanitization and Sandboxing Requirements,5.2.5 Sanitization and Sandboxing Requirements, 5.2.8 Sanitization and Sandboxing Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements, 5.5.4 Deserialization Prevention Requirements, 10.3.2 Deployed Application Integrity Controls, 12.3.3 File Execution Requirements, 14.2.3 Dependency
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116, Risky Resource Management - CWE ID 094
[23] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[24] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Dynamic Code Evaluation: Script Injection
ABSTRACT
在运行时解析用户控制的指令,会让攻击者有机会执行恶意代码。
EXPLANATION
许多现代编程语言都允许动态解析源代码指令。这使得程序员可以执行基于用户输入的动态指令。当程序员错误地认为由用户直接提供的指令仅会执行一些无害的操作时(如对当前的用户对象进行简单的计算或修改用户的状态),就会出现 code injection 漏洞:然而,若不经过适当的验证,用户指定的操作可能并不是程序员最初所期望的。
示例:在这一典型的代码注入示例中,应用程序实施的基本计算器允许用户指定要执行的命令。
1 | ... |
如果 operation 参数的值为良性值,程序就可以正常运行。例如,当该值为“8 + 7 * 2”时,calcResult 变量被赋予的值将为 22。然而,如果攻击者指定的语言操作既有可能是有效的,又有可能是恶意的,那么,只有在对主进程具有完全权限的情况下才能执行这些操作。如果底层语言提供了访问系统资源的途径或允许执行系统命令,这种攻击甚至会更加危险。对于 JavaScript,攻击者还可以利用这种漏洞进行 cross-site scripting 攻击。
RECOMMENDATIONS
在任何时候,都应尽可能地避免动态的代码解析。如果程序的功能要求对代码进行动态的解析,您可以通过以下方式将此种攻击的可能性降低到最小:尽可能的限制程序中动态执行的代码数量,将此类代码应用到特定的应用程序和上下文中的基本编程语言的子集。
如果需要执行动态代码,应用程序绝不应当直接执行和解析未验证的用户输入。而应采用间接方法:创建一份合法操作和数据对象列表,用户可以指定其中的内容,并且只能从中进行选择。利用这种方法,就绝不会直接执行由用户提供的输入。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 95, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements, 5.2.4 Sanitization and Sandboxing Requirements, 5.2.5 Sanitization and Sandboxing Requirements, 5.2.8 Sanitization and Sandboxing Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements, 10.3.2 Deployed Application Integrity Controls, 12.3.3 File Execution Requirements, 14.2.3 Dependency
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[10] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116, Risky Resource Management - CWE ID 094
[23] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[24] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Dynamic Code Evaluation: Unsafe YAML Deserialization
ABSTRACT
对用户控制的 YAML 流进行反序列化,可能会让攻击者有机会在服务器上执行任意代码、滥用应用程序逻辑和/或导致拒绝服务。
EXPLANATION
将对象图转换为 YAML 格式数据的 YAML 序列化库可能包括重新从 YAML 流重构对象所需的元数据。 如果攻击者可以指定要重构的对象类,并能够强制应用程序运行具有用户控制数据的任意资源库,则在 YAML 流的反序列化期间,他们也许能够执行任意代码。
示例 1: 以下示例使用不安全的 YAML 解析器对不受信任的 YAML 字符串进行反序列化。
1 | var yaml = require('js-yaml'); |
RECOMMENDATIONS
如果可能,在没有验证 YAML 流的内容的情况下,请勿对不受信任的数据进行反序列化。 根据所用的 YAML 库,也许可以将反序列化过程中构造的类列入白名单。
JS-YAML 提供 safeLoad() 方法加载 YAML 文档,同时不允许用户实例化任意类型。
示例 2: 以下示例使用安全的 YAML 解析器对不受信任的 YAML 字符串进行反序列化。
1 | var yaml = require('js-yaml'); |
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 502
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [23] CWE ID 502
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements, 5.5.1 Deserialization Prevention Requirements, 5.5.3 Deserialization Prevention Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A8 Insecure Deserialization
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
HTML5: Cross-Site Scripting Protection
ABSTRACT
明确禁用了可能提高 cross-site scripting 攻击风险的 X-XSS-Protection 标头。
EXPLANATION
X-XSS-Protection 是指在 Internet Explorer 8 和更高版本以及 Chrome 的最新版本中自动启用的标头。在标头值设置为 false (0) 时,禁用跨站点脚本保护功能。
可以在多个位置设置标头,并且应检查其中是否存在配置错误和恶意篡改问题。
RECOMMENDATIONS
可通过发送值为“1; mode=block”的 X-XSS-Protection 标头,将 Express 应用程序自动配置为指示浏览器支持其跨站点脚本保护。为此,Helmet 中间件可用于为新浏览器自动执行此操作。请注意,应将设置 setOnOldIE 保留为 false 的默认值,以防止在旧版 Internet Explorer 中产生漏洞。
1 | var express = require('express'); |
REFERENCES
[1] Eduardo Vela Nava, David Lindsay Abusing Internet Explorer 8’s XSS Filters
[2] IE8 Security Part IV: The XSS Filter
[3] OWASP: List of useful HTTP headers
[4] Node.js Security Checklist
[5] Standards Mapping - Common Weakness Enumeration CWE ID 554, CWE ID 1173
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements, 5.1.4 Input Validation Requirements, 14.1.3 Build
[12] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
Header Manipulation
ABSTRACT
HTTP 响应头文件中包含未验证的数据会引发 cache-poisoning、cross-site scripting、cross-user defacement、page hijacking、cookie manipulation 或 open redirect。
EXPLANATION
以下情况中会出现 Header Manipulation 漏洞:
数据通过一个不可信赖的数据源进入 Web 应用程序,最常见的是 HTTP 请求。
数据包含在一个 HTTP 响应头文件里,未经验证就发送给了 Web 用户。
如同许多软件安全漏洞一样,Header Manipulation 只是通向终端的一个途径,它本身并不是终端。从本质上看,这些漏洞是显而易见的:一个攻击者将恶意数据传送到易受攻击的应用程序,且该应用程序将数据包含在 HTTP 响应头文件中。
其中最常见的一种 Header Manipulation 攻击是 HTTP Response Splitting。为了成功地实施 HTTP Response Splitting 盗取,应用程序必须允许将那些包含 CR(回车,由 %0d 或 \r 指定)和 LF(换行,由 %0a 或 \n 指定)的字符输入到头文件中。攻击者利用这些字符不仅可以控制应用程序要发送的响应剩余头文件和正文,还可以创建完全受其控制的其他响应。
如今的许多现代应用程序服务器可以防止 HTTP 头文件感染恶意字符。如果您的应用程序服务器能够防止设置带有换行符的头文件,则其具备对 HTTP Response Splitting 的防御能力。然而,单纯地过滤换行符可能无法保证应用程序不受 Cookie Manipulation 或 Open Redirects 的攻击,因此必须在设置带有用户输入的 HTTP 头文件时采取措施。
示例:下列代码片段会从 HTTP 请求中读取网络日志项的作者名字 author,并将其置于一个 HTTP 响应的 cookie 头文件中。
1 | author = form.author.value; |
假设在请求中提交了一个字符串,该字符串由标准的字母数字字符组成,如“Jane Smith”,那么包含该 Cookie 的 HTTP 响应可能表现为以下形式:
1 | HTTP/1.1 200 OK |
然而,因为 cookie 值来源于未经校验的用户输入,所以仅当提交给 AUTHOR_PARAM 的值不包含任何 CR 和 LF 字符时,响应才会保留这种形式。如果攻击者提交的是一个恶意字符串,比如 “Wiley Hacker\r\nHTTP/1.1 200 OK\r\n……”,那么 HTTP 响应就会被分割成以下形式的两个响应:
1 | HTTP/1.1 200 OK |
显然,第二个响应已完全由攻击者控制,攻击者可以用任何所需标头和正文内容构建该响应。如果攻击者可以构造任意 HTTP 响应,则会导致多种形式的攻击,包括:Web 和浏览器 Cache-Poisoning、Cross-Site Scripting 和 Page Hijacking。
Cache Poisoning: 如果多用户 Web 缓存或者单用户浏览器缓存将恶意构建的响应缓存起来,该响应的破坏力会更大。如果响应缓存在共享的 Web 缓存(如在代理服务器中常见的缓存)中,那么使用该缓存的所有用户都会不断收到恶意内容,直到清除该缓存项为止。同样,如果响应缓存在单个用户的浏览器中,那么在清除该缓存项以前,该用户会不断收到恶意内容。然而,影响仅局限于本地浏览器的用户。
Cross-Site Scripting:一旦攻击者控制了应用程序传送的响应,就可以选择多种恶意内容来传播给用户。Cross-Site Scripting 是最常见的攻击形式,这种攻击在响应中包含了恶意的 JavaScript 或其他代码,并在用户的浏览器中执行。基于 XSS 的攻击手段花样百出,几乎是无穷无尽的,但通常它们都会包含传输给攻击者的私人数据(如 Cookie 或者其他会话信息)。在攻击者的控制下,指引受害者进入恶意的网络内容;或者利用易受攻击的站点,对用户的机器进行其他恶意操作。对于易受攻击的应用程序用户,最常见且最危险的攻击就是使用 JavaScript 将会话和 authentication 信息返回给攻击者,而后攻击者就可以完全控制受害者的帐号了。
Page Hijacking:除了利用一个易受攻击的应用程序向用户传输恶意内容,还可以利用相同的根漏洞,将服务器生成的供用户使用的敏感内容重定向,转而供攻击者使用。攻击者通过提交一个会导致两个响应的请求,即服务器做出的预期响应和攻击者创建的响应,致使某个中间节点(如共享的代理服务器)误导服务器所生成的响应,将本来应传送给用户的响应错误地传给攻击者。因为攻击者创建的请求产生了两个响应,第一个被解析为针对攻击者请求做出的响应,第二个则被忽略。当用户通过同一 TCP 连接发出合法请求时,攻击者的请求已经在此处等候,并被解析为针对受害者这一请求的响应。这时,攻击者将第二个请求发送给服务器,代理服务器利用针对受害者(用户)的、由该服务器产生的这一请求对服务器做出响应,因此,针对受害者的这一响应中会包含所有头文件或正文中的敏感信息。
Cookie Manipulation:当与类似跨站请求伪造的攻击相结合时,攻击者就可以篡改、添加、甚至覆盖合法用户的 cookie。
Open Redirect:如果允许未验证的输入来控制重定向机制所使用的 URL,可能会有利于攻击者发动钓鱼攻击。
RECOMMENDATIONS
针对 Header Manipulation 的解决方法是,确保在适当位置进行输入验证并检验其属性是否正确。
由于 Header Manipulation 漏洞出现在应用程序的输出中包含恶意数据时,因此,合乎逻辑的做法是在应用程序输出数据前一刻对其进行验证。然而,由于 Web 应用程序常常会包含复杂而难以理解的代码,用以生成动态响应,因此,这一方法容易产生遗漏错误(遗漏验证)。降低这一风险的有效途径是对 Header Manipulation 也执行输入验证。
由于 Web 应用程序必须验证输入信息以避免出现其他漏洞(如 SQL Injection),因此,一种相对简单的解决方法是增强应用程序现有的输入验证机制,增加针对 Header Manipulation 的检查。尽管具有一定的价值,但 Header Manipulation 输入验证并不能取代严格的输出验证。应用程序可能通过共享的数据存储器或其他可信赖的数据源接受输入,而该数据存储器所接受的输入源可能并未执行适当的输入验证。因此,应用程序不能间接地依赖于该数据或其他任意数据的安全性。这就意味着,避免 Header Manipulation 漏洞的最佳方法是验证所有应用程序输入数据或向用户输出的数据。
针对 Header Manipulation 漏洞进行验证最安全的方式是创建一份安全字符白名单,其中的字符允许出现在 HTTP 响应头文件中,并且只接受完全由这些受认可的字符组成的输入。例如,有效的用户名可能仅包含字母数字字符,帐号可能仅包含 0-9 的数字。
更灵活的方法是列入黑名单,但其安全性较差,这种方法在使用输入之前就有选择地拒绝或转义了潜在的危险字符。为了创建这样的列表,首先需要了解在 HTTP 响应头文件中具有特殊含义的一组字符。尽管 CR 和 LF 字符是 HTTP Response Splitting 攻击的核心,但其他字符,如“:”(冒号)和 ‘=’(等号),在响应标头中同样具有特殊的含义。
在应用程序中确定针对 Header Manipulation 攻击执行验证的正确要点,以及验证过程中要考虑的特殊字符之后,下一个难点就是确定验证过程中处理各种特殊字符的方式。应用程序应拒绝任何要添加到 HTTP 响应头文件中的包含特殊字符的输入,这些特殊字符(特别是 CR 和 LF)是无效字符。
许多应用程序服务器都试图避免应用程序出现 HTTP Response Splitting 漏洞,其做法是为负责设置 HTTP 头文件和 cookie 的函数提供各种执行方式,以检验是否存在进行 HTTP Response Splitting 攻击必需的字符。不要依赖运行应用程序的服务器,以此确保该应用程序的安全。开发了某个应用程序后,并不能保证在其生命周期中它会在哪些应用程序服务器中运行。由于标准和已知盗取方式的演变,我们不能保证应用程序服务器也会保持同步。
REFERENCES
[1] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[2] D. Crab HTTP Response Splitting
[3] Standards Mapping - Common Weakness Enumeration CWE ID 113
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[39] Standards Mapping - Web Application Security Consortium 24 + 2 HTTP Response Splitting
[40] Standards Mapping - Web Application Security Consortium Version 2.00 HTTP Response Splitting (WASC-25)
Header Manipulation: Cookies
ABSTRACT
在 Cookies 中包含未验证的数据会引发 HTTP 响应头文件操作攻击,并可能导致 cache-poisoning、cross-site scripting、cross-user defacement、page hijacking、cookie manipulation 或 open redirect。
EXPLANATION
以下情况中会出现 Cookie Manipulation 漏洞:
数据通过一个不可信赖的数据源进入 Web 应用程序,最常见的是 HTTP 请求。
数据包含在一个 HTTP Cookie 中,该 Cookie 未经验证就发送给了 Web 用户。
如同许多软件安全漏洞一样,Cookie Manipulation 只是通向终端的一个途径,它本身并不是终端。从本质上看,这些漏洞是显而易见的:攻击者可将恶意数据传送到易受攻击的应用程序,然后该应用程序将这些数据包含在 HTTP Cookie 中。
Cookie Manipulation:当与类似跨站请求伪造的攻击相结合时,攻击者就可以篡改、添加、甚至覆盖合法用户的 cookie。
作为 HTTP 响应头文件,Cookie Manipulation 攻击也可导致其他类型的攻击,例如:
HTTP Response Splitting:
其中最常见的一种 Header Manipulation 攻击是 HTTP Response Splitting。为了成功地实施 HTTP Response Splitting 盗取,应用程序必须允许将那些包含 CR(回车,由 %0d 或 \r 指定)和 LF(换行,由 %0a 或 \n 指定)的字符输入到头文件中。攻击者利用这些字符不仅可以控制应用程序要发送的响应剩余头文件和正文,还可以创建完全受其控制的其他响应。
如今的许多现代应用程序服务器可以防止 HTTP 头文件感染恶意字符。例如,如果尝试使用被禁用的字符设置头文件,最新版本的 Apache Tomcat 会抛出 IllegalArgumentException。如果您的应用程序服务器能够防止设置带有换行符的头文件,则其具备对 HTTP Response Splitting 的防御能力。然而,单纯地过滤换行符可能无法保证应用程序不受 Cookie Manipulation 或 Open Redirects 的攻击,因此必须在设置带有用户输入的 HTTP 头文件时采取措施。
示例:下列代码片段会从 HTTP 请求中读取网络日志项的作者名字 author,并将其置于一个 HTTP 响应的 cookie 头文件中。
1 | author = form.author.value; |
假设在请求中提交了一个字符串,该字符串由标准的字母数字字符组成,如“Jane Smith”,那么包含该 Cookie 的 HTTP 响应可能表现为以下形式:
1 | HTTP/1.1 200 OK |
然而,因为 cookie 值来源于未经校验的用户输入,所以仅当提交给 AUTHOR_PARAM 的值不包含任何 CR 和 LF 字符时,响应才会保留这种形式。如果攻击者提交的是一个恶意字符串,比如 "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n......",那么 HTTP 响应就会被分割成以下形式的两个响应:
1 | HTTP/1.1 200 OK |
显然,第二个响应已完全由攻击者控制,攻击者可以用任何所需标头和正文内容构建该响应。攻击者可以构建任意 HTTP 响应,从而发起多种形式的攻击,包括:cross-user defacement、web and browser cache poisoning、cross-site scripting 和 page hijacking。
Cross-User Defacement:攻击者可以向一个易受攻击的服务器发出一个请求,导致服务器创建两个响应,其中第二个响应可能会被曲解为对其他请求的响应,而这一请求很可能是与服务器共享相同 TCP 连接的另一用户发出的。这种攻击可以通过以下方式实现:攻击者诱骗用户,让他们自己提交恶意请求;或在远程情况下,攻击者与用户共享同一个连接到服务器(如共享代理服务器)的 TCP 连接。最理想的情况是,攻击者通过这种方式使用户相信自己的应用程序已经遭受了黑客攻击,进而对应用程序的安全性失去信心。最糟糕的情况是,攻击者可能提供经特殊技术处理的内容,这些内容旨在模仿应用程序的执行方式,但会重定向用户的私人信息(如帐号和密码),将这些信息发送给攻击者。
Cache Poisoning: 如果多用户 Web 缓存或者单用户浏览器缓存将恶意构建的响应缓存起来,该响应的破坏力会更大。如果响应缓存在共享的 Web 缓存(如在代理服务器中常见的缓存)中,那么使用该缓存的所有用户都会不断收到恶意内容,直到清除该缓存项为止。同样,如果响应缓存在单个用户的浏览器中,那么在清除该缓存项以前,该用户会不断收到恶意内容。然而,影响仅局限于本地浏览器的用户。
Cross-Site Scripting:一旦攻击者控制了应用程序传送的响应,就可以选择多种恶意内容来传播给用户。Cross-Site Scripting 是最常见的攻击形式,这种攻击在响应中包含了恶意的 JavaScript 或其他代码,并在用户的浏览器中执行。基于 XSS 的攻击手段花样百出,几乎是无穷无尽的,但通常它们都会包含传输给攻击者的私人数据(如 Cookie 或者其他会话信息)。在攻击者的控制下,指引受害者进入恶意的网络内容;或者利用易受攻击的站点,对用户的机器进行其他恶意操作。对于易受攻击的应用程序用户,最常见且最危险的攻击就是使用 JavaScript 将会话和 authentication 信息返回给攻击者,而后攻击者就可以完全控制受害者的帐号了。
Page Hijacking:除了利用一个易受攻击的应用程序向用户传输恶意内容,还可以利用相同的根漏洞,将服务器生成的供用户使用的敏感内容重定向,转而供攻击者使用。攻击者通过提交一个会导致两个响应的请求,即服务器做出的预期响应和攻击者创建的响应,致使某个中间节点(如共享的代理服务器)误导服务器所生成的响应,将本来应传送给用户的响应错误地传给攻击者。因为攻击者创建的请求产生了两个响应,第一个被解析为针对攻击者请求做出的响应,第二个则被忽略。当用户通过同一 TCP 连接发出合法请求时,攻击者的请求已经在此处等候,并被解析为针对受害者这一请求的响应。这时,攻击者将第二个请求发送给服务器,代理服务器利用针对受害者(用户)的、由该服务器产生的这一请求对服务器做出响应,因此,针对受害者的这一响应中会包含所有头文件或正文中的敏感信息。
Open Redirect:如果允许未验证的输入来控制重定向机制所使用的 URL,可能会有利于攻击者发动钓鱼攻击。
RECOMMENDATIONS
针对 Cookie Manipulation 的解决方法是,确保在适当位置进行输入验证并检验其属性是否正确。
由于 Header Manipulation 漏洞(类似于 Cookie Manipulation)出现在应用程序的输出中包含恶意数据时,因此,合乎逻辑的做法是在应用程序输出数据前一刻对其进行验证。然而,由于 Web 应用程序常常会包含复杂而难以理解的代码,用以生成动态响应,因此,这一方法容易产生遗漏错误(遗漏验证)。降低这一风险的有效途径是对 Header Manipulation 也执行输入验证。
由于 Web 应用程序必须验证输入信息以避免出现其他漏洞(如 SQL Injection),因此,一种相对简单的解决方法是增强应用程序现有的输入验证机制,增加针对 Header Manipulation 的检查。尽管具有一定的价值,但 Header Manipulation 输入验证并不能取代严格的输出验证。应用程序可能通过共享的数据存储器或其他可信赖的数据源接受输入,而该数据存储器所接受的输入源可能并未执行适当的输入验证。因此,应用程序不能间接地依赖于该数据或其他任意数据的安全性。这就意味着,避免 Header Manipulation 漏洞的最佳方法是验证所有应用程序输入数据或向用户输出的数据。
针对 Header Manipulation 漏洞进行验证最安全的方式是创建一份安全字符白名单,其中的字符允许出现在 HTTP 响应头文件中,并且只接受完全由这些受认可的字符组成的输入。例如,有效的用户名可能仅包含字母数字字符,帐号可能仅包含 0-9 的数字。
更灵活的方法是列入黑名单,但其安全性较差,这种方法在使用输入之前就有选择地拒绝或转义了潜在的危险字符。为了创建这样的列表,首先需要了解在 HTTP 响应头文件中具有特殊含义的一组字符。尽管 CR 和 LF 字符是 HTTP Response Splitting 攻击的核心,但其他字符,如“:”(冒号)和 ‘=’(等号),在响应标头中同样具有特殊的含义。
在应用程序中确定针对 Header Manipulation 攻击执行验证的正确要点,以及验证过程中要考虑的特殊字符之后,下一个难点就是确定验证过程中处理各种特殊字符的方式。应用程序应拒绝任何要添加到 HTTP 响应头文件中的包含特殊字符的输入,这些特殊字符(特别是 CR 和 LF)是无效字符。
许多应用程序服务器都试图避免应用程序出现 HTTP Response Splitting 漏洞,其做法是为负责设置 HTTP 头文件和 cookie 的函数提供各种执行方式,以检验是否存在进行 HTTP Response Splitting 攻击必需的字符。不要依赖运行应用程序的服务器,以此确保该应用程序的安全。开发了某个应用程序后,并不能保证在其生命周期中它会在哪些应用程序服务器中运行。由于标准和已知盗取方式的演变,我们不能保证应用程序服务器也会保持同步。
REFERENCES
[1] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[2] D. Crab HTTP Response Splitting
[3] Standards Mapping - Common Weakness Enumeration CWE ID 113
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[39] Standards Mapping - Web Application Security Consortium 24 + 2 HTTP Response Splitting
[40] Standards Mapping - Web Application Security Consortium Version 2.00 HTTP Response Splitting (WASC-25)
JSON Injection
ABSTRACT
该方法会将未经验证的输入写入 JSON。攻击者可以利用此调用将任意元素或属性注入 JSON 实体。
EXPLANATION
JSON injection 会在以下情况中出现:
数据从一个不可信赖的数据源进入程序。
将数据写入到 JSON 流。
应用程序通常使用 JSON 来存储数据或发送消息。用于存储数据时,JSON 通常会像缓存数据那样处理,而且可能会包含敏感信息。用于发送消息时,JSON 通常与 RESTful 服务一起使用,并且可以用于传输敏感信息,例如身份验证凭据。
如果应用程序利用未经验证的输入构造 JSON,则可以更改 JSON 文档和消息的语义。在相对理想的情况下,攻击者可能会插入无关的元素,导致应用程序在解析 JSON 文档或请求时抛出异常。在更为严重的情况下,例如涉及 JSON Injection,攻击者可能会插入无关的元素,从而允许对 JSON 文档或请求中对业务非常关键的值执行可预见操作。还有一些情况,JSON Injection 可以导致 Cross-Site Scripting 或 Dynamic Code Evaluation。
示例 1:下列 JavaScript 代码使用 jQuery 解析 JSON,其中有个值来自 URL:
1 | var str = document.URL; |
将不会对 name 中的不可信数据进行验证,以避免与 JSON 相关的特殊字符。这样,用户就可以任意插入 JSON 密钥,可能会更改已序列化的 JSON 的结构。在此示例中,如果非特权用户 mallory 将 “,”role”:”admin 附加到 URL 中的名称参数,JSON 将变成:
1 | { |
此代码将由 jQuery.parseJSON() 解析,并设置为普通对象,这意味着 obj.role 将立即返回 “admin” 而不是 “user”
RECOMMENDATIONS
在将用户提供的数据写入 JSON 时,请遵循以下准则:
不要使用从用户输入派生的名称创建 JSON 属性。
确保使用安全的序列化函数(能够以单引号或双引号分隔不可信赖的数据,并且避免任何特殊字符)执行对 JSON 的所有序列化操作。
示例 2:以下 JavaScript 代码实现的功能与Example 1 相同,但会根据白名单验证名称,并在解析之前拒绝相应值或将该名称设置为“guest”:
1 | var str = document.URL; |
尽管在这种情况下能够以这种方式执行白名单,但是因为我们需要用户控制该名称,所以在其他情况下,最好使用完全不受用户控制的值。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[7] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[8] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[9] Standards Mapping - OWASP Top 10 2010 A1 Injection
[10] Standards Mapping - OWASP Top 10 2013 A1 Injection
[11] Standards Mapping - OWASP Top 10 2017 A1 Injection
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[37] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Log Forging
ABSTRACT
将未经验证的用户输入写入日志文件可致使攻击者伪造日志条目或将恶意信息内容注入日志。
EXPLANATION
在以下情况下会发生 Log Forging 的漏洞:
数据从一个不可信赖的数据源进入应用程序。
数据写入到应用程序或系统日志文件中。
为了便于以后的审阅、统计数据收集或调试,应用程序通常使用日志文件来储存事件或事务的历史记录。根据应用程序自身的特性,审阅日志文件可在必要时手动执行,也可以自动执行,即利用工具自动挑选日志中的重要事件或带有某种倾向性的信息。
如果攻击者可以向随后会被逐字记录到日志文件的应用程序提供数据,则可能会妨碍或误导日志文件的解读。最理想的情况是,攻击者可能通过向应用程序提供包括适当字符的输入,在日志文件中插入错误的条目。如果日志文件是自动处理的,那么攻击者就可以通过破坏文件格式或注入意外的字符,从而使文件无法使用。更阴险的攻击可能会导致日志文件中的统计信息发生偏差。通过伪造或其他方式,受到破坏的日志文件可用于掩护攻击者的跟踪轨迹,甚至还可以牵连第三方来执行恶意行为 [1]。最糟糕的情况是,攻击者可能向日志文件注入代码或者其他命令,利用日志处理实用程序中的漏洞 [2]。
示例 1:下列 Web 应用程序代码会尝试从一个请求对象中读取整数值。如果数值未被解析为整数,输入就会被记录到日志中,附带一条提示相关情况的错误消息。
1 | var cp = require('child_process'); |
如果用户为“val”提交字符串“twenty-one”,则日志中会记录以下条目:
INFO: Failed to parse val = twenty-one
然而,如果攻击者提交字符串“twenty-one%0a%0aINFO:+User+logged+out%3dbadguy”,则日志中会记录以下条目:
1 | INFO: Failed to parse val=twenty-one |
显然,攻击者可以使用同样的机制插入任意日志条目。
RECOMMENDATIONS
使用间接方法防止 Log Forging 攻击:创建一组与不同事件一一对应的合法日志条目,这些条目必须记录在日志中,并且仅记录该组条目。要捕获动态内容(如用户注销系统),请务必使用由服务器控制的数值,而非由用户提供的数据。这就确保了日志条目中绝不会直接使用由用户提供的输入。
可以按以下方式将例 1 重写为使用预定义的日志条目:
1 | var cp = require('child_process'); |
在某些情况下,这个方法有些不切实际,因为这样一组合法的日志条目实在太大或是太复杂了。这种情况下,开发者往往又会退而采用黑名单方法。在输入之前,黑名单会有选择地拒绝或避免潜在的危险字符。然而,不安全字符列表很快就会不完善或过时。更好的方法是创建一份白名单,允许其中的字符出现在日志条目中,并且只接受完全由这些经认可的字符组成的输入。在大多数 Log Forging 攻击中,最关键的字符是“\n”(换行符),该字符决不能出现在日志条目白名单中。
REFERENCES
[1] A. Muffet The night the log was forged.
[2] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[3] Standards Mapping - Common Weakness Enumeration CWE ID 117
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 AU, SI
[6] Standards Mapping - General Data Protection Regulation Access Violation
[7] Standards Mapping - MISRA C 2012 Rule 1.3
[8] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1)
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.1 Sanitization and Sandboxing Requirements, 5.3.1 Output Encoding and Injection Prevention Requirements, 7.3.1 Log Protection Requirements, 7.3.2 Log Protection Requirements
[11] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2010 A1 Injection
[15] Standards Mapping - OWASP Top 10 2013 A1 Injection
[16] Standards Mapping - OWASP Top 10 2017 A1 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 10.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2, Requirement 10.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1, Requirement 10.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1, Requirement 10.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1, Requirement 10.5.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1, Requirement 10.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1, Requirement 10.5.2
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 8.4 - Activity Tracking
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Log Forging (debug)
ABSTRACT
将未经验证的用户输入写入日志文件可致使攻击者伪造日志条目或将恶意信息内容注入日志。
EXPLANATION
在以下情况下会发生 Log Forging 的漏洞:
数据从一个不可信赖的数据源进入应用程序。
数据写入到应用程序或系统日志文件中。
为了便于以后的审阅、统计数据收集或调试,应用程序通常使用日志文件来储存事件或事务的历史记录。根据应用程序自身的特性,审阅日志文件可在必要时手动执行,也可以自动执行,即利用工具自动挑选日志中的重要事件或带有某种倾向性的信息。
如果攻击者可以向随后会被逐字记录到日志文件的应用程序提供数据,则可能会妨碍或误导日志文件的解读。最理想的情况是,攻击者可能通过向应用程序提供包括适当字符的输入,在日志文件中插入错误的条目。如果日志文件是自动处理的,那么攻击者就可以通过破坏文件格式或注入意外的字符,从而使文件无法使用。更阴险的攻击可能会导致日志文件中的统计信息发生偏差。通过伪造或其他方式,受到破坏的日志文件可用于掩护攻击者的跟踪轨迹,甚至还可以牵连第三方来执行恶意行为 [1]。最糟糕的情况是,攻击者可能向日志文件注入代码或者其他命令,利用日志处理实用程序中的漏洞 [2]。
示例 1:下列 Web 应用程序代码会尝试从一个请求对象中读取整数值。如果数值未被解析为整数,输入就会被记录到日志中,附带一条提示相关情况的错误消息。
1 | var cp = require('child_process'); |
如果用户为“val”提交字符串“twenty-one”,则日志中会记录以下条目:
INFO: Failed to parse val=twenty-one
然而,如果攻击者提交字符串“twenty-one%0a%0aINFO:+User+logged+out%3dbadguy”,则日志中会记录以下条目:
1 | INFO: Failed to parse val=twenty-one |
显然,攻击者可以使用同样的机制插入任意日志条目。
RECOMMENDATIONS
使用间接方法防止 Log Forging 攻击:创建一组与不同事件一一对应的合法日志条目,这些条目必须记录在日志中,并且仅记录该组条目。要捕获动态内容(如用户注销系统),请务必使用由服务器控制的数值,而非由用户提供的数据。这就确保了日志条目中绝不会直接使用由用户提供的输入。
可以按以下方式将例 1 重写为与 NumberFormatException 对应的预定义日志条目:
1 | var cp = require('child_process'); |
在某些情况下,这个方法有些不切实际,因为这样一组合法的日志条目实在太大或是太复杂了。这种情况下,开发者往往又会退而采用黑名单方法。在输入之前,黑名单会有选择地拒绝或避免潜在的危险字符。然而,不安全字符列表很快就会不完善或过时。更好的方法是创建一份白名单,允许其中的字符出现在日志条目中,并且只接受完全由这些经认可的字符组成的输入。在大多数 Log Forging 攻击中,最关键的字符是“\n”(换行符),该字符决不能出现在日志条目白名单中。
REFERENCES
[1] A. Muffet The night the log was forged.
[2] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[3] Standards Mapping - Common Weakness Enumeration CWE ID 117
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 AU, SI
[6] Standards Mapping - General Data Protection Regulation Access Violation
[7] Standards Mapping - MISRA C 2012 Rule 1.3
[8] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1)
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.1 Sanitization and Sandboxing Requirements, 5.3.1 Output Encoding and Injection Prevention Requirements, 7.3.1 Log Protection Requirements, 7.3.2 Log Protection Requirements
[11] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2010 A1 Injection
[15] Standards Mapping - OWASP Top 10 2013 A1 Injection
[16] Standards Mapping - OWASP Top 10 2017 A1 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 10.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2, Requirement 10.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1, Requirement 10.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1, Requirement 10.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1, Requirement 10.5.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1, Requirement 10.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1, Requirement 10.5.2
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 8.4 - Activity Tracking
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Open Redirect
ABSTRACT
如果允许未验证的输入控制重定向机制所使用的 URL,可能会有利于攻击者发动钓鱼攻击。
EXPLANATION
通过重定向,Web 应用程序能够引导用户访问同一应用程序内的不同网页或访问外部站点。应用程序利用重定向来帮助进行站点导航,有时还跟踪用户退出站点的方式。当 Web 应用程序将客户端重定向到攻击者可以控制的任意 URL 时,就会发生 Open redirect 漏洞:
攻击者可以利用 Open redirect 漏洞诱骗用户访问某个可信赖站点的 URL,并将他们重定向到恶意站点。攻击者通过对 URL 进行编码,使最终用户很难注意到重定向的恶意目标,即使将这一目标作为 URL 参数传递给可信赖的站点时也会发生这种情况。因此,Open redirect 常被作为钓鱼手段的一种而滥用,攻击者通过这种方式来获取最终用户的敏感数据。
示例 1:以下 JavaScript 代码会在用户打开链接时,指示用户浏览器打开从 dest 请求参数中读取的 URL。
1 | ... |
如果受害者收到一封电子邮件,指示其打开“http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com”链接,该用户就有可能会单击该链接,因为他会认为该链接会转到可信赖的站点。然而,当受害者单击该链接时,Example 1 中的代码就会将浏览器重定向到“http://www.wilyhacker.com”。
很多用户都被告知,要始终监视通过电子邮件收到的 URL,以确保链接指向一个他们所熟知的可信赖站点。尽管如此,如果攻击者对目标 URL 进行 16 进制编码:
1 | "http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D" |
那么,即使再聪明的最终用户也可能会被欺骗,打开该链接。
RECOMMENDATIONS
不应当允许未验证的用户输入控制重定向机制中的目标 URL。而应采用间接方法:创建一份合法 URL 列表,用户可以指定其中的内容,并且只能从中进行选择。利用这种方法,就绝不会直接使用用户提供的输入来指定要重定向到的 URL。
示例2:以下代码引用了一个通过有效 URL 传播的数组。用户单击的链接将通过与所需 URL 对应的数组索引来传递。
1 | ... |
但在某些情况下,这种方法并不可行,因为这样一份合法 URL 列表过于庞大、难以跟踪。这种情况下,有一种类似的方法也能限制用于重定向用户的域,这种方法至少可以防止攻击者向用户发送恶意的外部站点。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements
[7] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M1 Weak Server Side Controls
[8] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[9] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[10] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[20] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
[39] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
Path Manipulation
ABSTRACT
允许用户输入控制文件系统操作所用的路径会导致攻击者能够访问或修改其他受保护的系统资源。
EXPLANATION
当满足以下两个条件时,就会产生 path manipulation 错误:
1.攻击者能够指定某一文件系统操作中所使用的路径。
- 攻击者可以通过指定特定资源来获取某种权限,而这种权限在一般情况下是不可能获得的。
例如,在某一程序中,攻击者可以获得特定的权限,以重写指定的文件或是在其控制的配置环境下运行程序。
示例 1:以下代码使用来自于 HTTP 请求的输入来创建一个文件名。程序员没有考虑到攻击者可能使用像“../../tomcat/conf/server.xml”一样的文件名,从而导致应用程序删除它自己的配置文件。
1 | ... |
示例 2:以下代码使用来自于本地存储的输入来决定该打开哪个文件,并返回到用户。如果恶意用户能够更改本地存储的内容,就可以使用该程序来读取系统中扩展名为 .txt 的任何文件。
1 | ... |
RECOMMENDATIONS
防止 Path Manipulation 的最佳方法是采用一些间接手段:创建一个必须由用户选择的合法值的列表。通过这种方法,就不能直接使用用户提供的输入来指定资源名称。
但在某些情况下,这种方法并不可行,因为这样一份合法资源名的列表过于庞大,维护难度过大。因此,在这种情况下,程序员通常会采用黑名单的办法。在输入之前,黑名单会有选择地拒绝或避免潜在的危险字符。但是,任何这样一份黑名单都不可能是完整的,而且将随着时间的推移而过时。更好的方法是创建一份白名单,允许其中的字符出现在资源名称中,且只接受完全由这些被认可的字符组成的输入。
REFERENCES
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation Access Violation
[7] Standards Mapping - MISRA C 2012 Rule 1.3
[8] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements, 12.3.1 File Execution Requirements, 12.3.2 File Execution Requirements
[11] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[26] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[27] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
Path Manipulation: Zip Entry Overwrite
ABSTRACT
允许用户输入控制文件系统操作中使用的路径会导致攻击者能够随意覆盖系统上的文件。
EXPLANATION
Path Manipulation: 在打开和扩展 ZIP 文件但未检查 ZIP 条目的文件路径时,会出现“ZIP 条目覆盖”错误。
示例: 以下示例从 ZIP 文件中提取文件并以非安全方式将其写入磁盘。
1 | var unzipper = require('unzipper'); |
RECOMMENDATIONS
在解压缩不受信任的 ZIP 文件时,请确保使用安全版本的 ZIP 库(请参见“提示”部分)。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements, 12.3.2 File Execution Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[11] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[12] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[23] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[24] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
Process Control
ABSTRACT
从一个不可信赖的数据源或是不可信赖的环境中加载库,会导致应用程序以攻击者的名义执行恶意代码。
EXPLANATION
Process control 漏洞主要表现为以下两种形式:
— 攻击者可以篡改程序加载的库的名称:攻击者直接地控制库所使用的名称。
— 攻击者可以篡改库加载的环境:攻击者间接控制库名称的含义。
在这种情况下,我们着重关注第一种情况,即攻击者有可能控制加载的库的名称。这种类型的 Process Control 漏洞会在以下情况下出现:
数据从不可信赖的数据源进入应用程序。
数据作为代表应用程序所加载的库的一个或部分字符串使用。
通过在库中执行代码,应用程序授予攻击者在一般情况下无法获得的权限或能力。
示例 1:以下代码使用 Express 当前未记录的“功能”动态加载库文件。然后,Node.js 将继续在其正则库加载路径中搜索包含此库的文件或目录[1]。
1 | var express = require('express'); |
在 Express 中,传递到 Response.render() 的页面将加载先前未知的扩展库。这对于“foo.pug”等输入来说通常没有问题,因为这意味着加载 pug 库,该库是广为人知的模板引擎。但是,如果攻击者可以控制页面并进而控制扩展,那么他们便可以选择加载 Node.js 模块加载路径内的任何库。因为程序不会验证从 URL 参数接收的信息,所以攻击者可能会欺骗应用程序,去执行恶意代码并取得对系统的控制。
RECOMMENDATIONS
不要允许用户控制由程序加载的库。若加载库的选择一定要涉及用户输入的话,通常情况下,应用程序会期望这个特定的输入是一个很小的数值集合。而不是依赖输入的安全性以及不包含任何恶意信息。因此,应用程序所使用的输入应该仅从一个预先决定的、安全的库的集合中进行选择。如果输入看上去是恶意的,则应该将即将加载的库限制在这一集合的安全数值范围之内,或由程序拒绝继续执行该操作。
攻击者可以通过篡改环境间接地控制程序加载的库。我们不应当完全信赖环境,还需采取预防措施,防止攻击者利用某些控制环境的手段进行攻击。应尽可能由应用程序来控制各个库名称,并使用绝对路径来进行加载。如果编译时不清楚具体的路径,应该在执行的过程中利用可信赖的数值构造一个绝对路径。应对照一系列定义有效参数的不变量对从环境中读取的库名称和路径进行仔细的检查。
针对 Express 应用程序中 Response.render() 的情况,由于获取用于呈现的模板文件首先应全部具有静态扩展,因此对于已通过硬编码路径手动导入的库,仅应使用硬编码扩展。所以,无需使用此“功能”。
有时还可以执行其他校验,以检查环境是否已被恶意篡改。例如,如果一个配置文件为可写,程序可能会拒绝运行。如果事先已知有关要加载的库的信息,程序就会执行检测,以校验文件的有效性。如果一个库应始终归属于某一特定用户,或者被分配了一组特定的权限,则可以在加载库之前,对这些属性进行校验。
最终,程序也许无法完全防范神通广大的攻击者控制其所加载的库。因此,对输入值和环境可能执行的任何操作,都应努力鉴别并加以防范。这样做是为了尽可能地防范各种攻击。
REFERENCES
[1] Node.js Modules Documentation Node.js
[2] Standards Mapping - Common Weakness Enumeration CWE ID 114, CWE ID 494
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - MISRA C 2012 Rule 1.3
[8] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements, 5.1.3 Input Validation Requirements, 5.1.4 Input Validation Requirements, 10.2.3 Malicious Code Search, 10.3.2 Deployed Application Integrity Controls, 12.3.3 File Execution Requirements, 14.2.3 Dependency
[11] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20),Improper Filesystem Permissions (WASC-17)
Resource Injection
ABSTRACT
使用用户输入控制资源标识符,借此攻击者可以访问或修改其他受保护的系统资源。
EXPLANATION
当满足以下两个条件时,就会发生 resource injection:
- 攻击者可以指定已使用的标识符来访问系统资源。
例如,攻击者可能可以指定用来连接到网络资源的端口号。
- 攻击者可以通过指定特定资源来获取某种权限,而这种权限在一般情况下是不可能获得的。
例如,程序可能会允许攻击者把敏感信息传输到第三方服务器。
注意:如果资源注入涉及存储在文件系统中的资源,则可以将其报告为名为路径篡改的不同类别。有关这一漏洞的详细信息,请参见 path manipulation 的描述。
示例:下面的代码使用读取自 HTTP 请求的 URL 来建立一个套接字。
1 | var socket = new WebSocket(document.URL.indexOf("url=")+20); |
这种受用户输入影响的资源表明其中的内容可能存在危险。例如,包含如句点、斜杠和反斜杠等特殊字符的数据在与 file system 相作用的方法中使用时,具有很大风险。类似的,对于创建远程结点的函数来说,包含 URL 和 URI 的数据也具有很大风险。
RECOMMENDATIONS
阻止 resource injection 的最佳做法是采用一些间接手段。例如创建一份合法资源名的列表,并且规定用户只能选择其中的文件名。通过这种方法,用户就不能直接由自己来指定资源的名称了。
但在某些情况下,这种方法并不可行,因为这样一份合法资源名的列表过于庞大,维护难度过大。因此,在这种情况下,程序员通常会采用黑名单的办法。在输入之前,黑名单会有选择地拒绝或避免潜在的危险字符。但是,任何这样一份黑名单都不可能是完整的,而且将随着时间的推移而过时。更好的方法是创建一份白名单,允许其中的字符出现在资源名称中,且只接受完全由这些被认可的字符组成的输入。
REFERENCES
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 99
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[6] Standards Mapping - MISRA C 2012 Rule 1.3
[7] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
SQL Injection
ABSTRACT
通过不可信赖的数据源输入构建动态 SQL 语句,攻击者就能够修改语句的含义或者执行任意 SQL 命令。
EXPLANATION
SQL injection 错误在以下情况下发生:
数据从一个不可信赖的数据源进入程序。
数据用于动态地构造一个 SQL 查询。
例 1:以下代码动态地构造并执行了一个 SQL 查询,该查询可以搜索与指定名称相匹配的项。该查询仅会显示条目所有者与被授予权限的当前用户一致的条目。
...
var username = document.form.username.value;
var itemName = document.form.itemName.value;
var query = "SELECT * FROM items WHERE owner = " + username + " AND itemname = " + itemName + ";";
db.transaction(function (tx) {
tx.executeSql(query);
}
)
...
查询计划执行以下代码:
1 | SELECT * FROM items |
但是,由于这个查询是动态构造的,由一个不变的基查询字符串和一个用户输入字符串连接而成,因此只有在itemName不包含单引号字符时,才会正确执行这一查询。如果一个用户名为wiley的攻击者为itemName输入字符串“name’ OR ‘a’=’a”,那么查询就会变成:
1 | SELECT * FROM items |
附加条件OR ‘a’=’a’会使 where 从句永远评估为 true,因此该查询在逻辑上将等同于一个更为简化的查询:
1 | SELECT * FROM items; |
通常,查询必须仅返回已通过身份验证的用户所拥有的条目,而通过以这种方式简化查询,攻击者就可以规避这一要求。现在,查询会返回存储在items表中的所有条目,而不论其指定所有者是谁。
示例 2:此示例说明了将不同的恶意值传递给Example 1.中构造和执行的查询所带来的影响。如果一个用户名为wiley的攻击者为itemName输入字符串“name’; DELETE FROM items; –”,则该查询就会变为以下两个查询:
1 | SELECT * FROM items |
众多数据库服务器,其中包括 Microsoft(R) SQL Server 2000,都可以一次性执行多条用分号分隔的 SQL 指令。对于那些不允许运行用分号分隔的批量指令的数据库服务器,比如 Oracle 和其他数据库服务器,攻击者输入的这个字符串只会导致错误;但是在那些支持这种操作的数据库服务器上,攻击者可能会通过执行多条指令而在数据库上执行任意命令。
注意末尾的一对连字符 (–);这在大多数数据库服务器上都表示该语句剩余部分将视为注释,不会加以执行 [4]。在这种情况下,可通过注释字符删除修改后的查询遗留的末尾单引号。而在不允许通过这种方式使用注释的数据库上,攻击者通常仍可使用类似于Example 1.中所用的技巧进行攻击。如果攻击者输入字符串“name’); DELETE FROM items; SELECT * FROM items WHERE ‘a’=’a”,将创建以下三个有效语句:
1 | SELECT * FROM items |
避免 SQL injection 攻击的传统方法之一是,把它作为一个输入合法性检查的问题来处理,只接受列在白名单中的字符,或者识别并避免那些列在黑名单中的恶意数据。白名单方法是一种非常有效方法,它可以强制执行严格的输入检查规则,但是参数化的 SQL 指令所需维护更少,而且能提供更好的安全保障。而对于通常采用的列黑名单方式,由于总是存在一些小漏洞,所以并不能有效地防止 SQL injection 威胁。例如,攻击者可以:
把没有被黑名单引用的值作为目标
寻找方法以绕过某些需要转义的元字符
使用存储过程隐藏注入的元字符
手动去除 SQL 查询中的元字符有一定的帮助,但是并不能完全保护您的应用程序免受 SQL injection 攻击。
防范 SQL injection 攻击的另外一种常用方式是使用存储过程。虽然存储过程可以阻止某些类型的 SQL injection 攻击,但是对于绝大多数攻击仍无能为力。存储过程有助于避免 SQL injection 的常用方式是限制可作为参数传入的指令类型。但是,有许多方法都可以绕过这一限制,许多危险的表达式仍可以传入存储过程。所以再次强调,存储过程在某些情况下可以避免这种攻击,但是并不能完全保护您的应用系统抵御 SQL injection 的攻击。
RECOMMENDATIONS
造成 SQL injection 攻击的根本原因在于攻击者可以改变 SQL 查询的上下文,使程序员原本要作为数据解析的数值,被篡改为命令了。当构造一个 SQL 查询时,程序员应当清楚,哪些输入的数据将会成为命令的一部分,而哪些仅仅是作为数据。参数化 SQL 指令可以防止直接窜改上下文,避免几乎所有的 SQL injection 攻击。参数化 SQL 指令是用常规的 SQL 字符串构造的,但是当需要加入用户输入的数据时,它们就需要使用捆绑参数,这些捆绑参数是一些占位符,用来存放随后插入的数据。换言之,捆绑参数可以使程序员清楚地分辨数据库中的数据,即其中有哪些输入可以看作命令的一部分,哪些输入可以看作数据。这样,当程序准备执行某个指令时,它可以详细地告知数据库,每一个捆绑参数所使用的运行时的值,而不会被解析成对该命令的修改。
在 HTML5 中,前面的例子可以改成使用参数化 SQL 指令(而不是连接用户提供的字符串),如下所示:
1 | ... |
更加复杂的情况常常出现在报表生成代码中,因为这时需要通过用户输入来改变 SQL 指令的命令结构,比如在WHERE条件子句中加入动态的约束条件。不要因为这一需求,就无条件地接受连续的用户输入,从而创建查询语句字符串。当必须要根据用户输入来改变命令结构时,可以使用间接的方法来防止 SQL injection 攻击:创建一个合法的字符串集合,使其对应于可能要加入到 SQL 指令中的不同元素。在构造一个 SQL 指令时,可使用来自用户的输入,以便从应用程序控制的值集合中进行选择。
REFERENCES
[1] S. J. Friedl SQL Injection Attacks by Example
[2] P. Litwin Stop SQL Injection Attacks Before They Stop You MSDN Magazine
[3] P. Finnigan SQL Injection and Oracle, Part One Security Focus
[4] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[5] Standards Mapping - Common Weakness Enumeration CWE ID 89
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[8] Standards Mapping - FIPS200 SI
[9] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[10] Standards Mapping - MISRA C 2012 Rule 1.3
[11] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements, 5.3.5 Output Encoding and Injection Prevention Requirements
[14] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[29] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[30] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
[49] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
Server-Side Request Forgery
ABSTRACT
应用程序将使用用户控制的数据启动与第三方系统的连接,以创建资源 URI。
EXPLANATION
当攻击者可以影响应用程序服务器建立的网络连接时,将会发生 Server-Side Request Forgery。网络连接源自于应用程序服务器内部 IP 地址,因此攻击者将可以使用此连接来避开网络控制,并扫描或攻击没有以其他方式暴露的内部资源。
示例:在下列示例中,攻击者将能够控制服务器连接至的 URL。
1 | var http = require('http'); |
攻击者能否劫持网络连接取决于他可以控制的 URI 的特定部分以及用于建立连接的库。例如,控制 URI 方案将使攻击者可以使用不同于 http 或 https 的协议,类似于下面这样:
up://
ldap://
jar://
gopher://
mailto://
ssh2://
telnet://
expect://
攻击者将可以利用劫持的此网络连接执行下列攻击:
对内联网资源进行端口扫描。
避开防火墙。
攻击运行于应用程序服务器或内联网上易受攻击的程序。
使用 Injection 攻击或 CSRF 攻击内部/外部 Web 应用程序。
使用 file:// 方案访问本地文件。
在 Windows 系统上,file:// 方案和 UNC 路径可以允许攻击者扫描和访问内部共享。
执行 DNS 缓存中毒攻击。
RECOMMENDATIONS
请勿基于用户控制的数据建立网络连接,并要确保请求发送给预期的目的地。如果需要提供用户数据来构建目的地 URI,请采用间接方法:例如创建一个合法资源名的列表,用户只能选择其中的内容。通过这种方法,就不能直接使用用户提供的输入来指定资源名称。
但在某些情况下,这种方法并不可行,因为这样一份合法资源名的列表过于庞大,维护难度过大。因此,在这种情况下,程序员通常会采用黑名单的办法。在输入之前,黑名单会有选择地拒绝或避免潜在的危险字符。但是,任何这样一份黑名单都不可能是完整的,而且将随着时间的推移而过时。更好的方法是创建一份白名单,允许其中的字符出现在资源名称中,且只接受完全由这些被认可的字符组成的输入。
此外,如果需要,还要确保用户输入仅用于在目标系统上指定资源,但 URI 方案、主机和端口由应用程序控制。这样就可以大大减小攻击者能够造成的损害。
REFERENCES
[1] Alexander Polyakov SSRF vs. Business critical applications BlackHat 2012
[2] SSRF bible. Cheatsheet ONSec Labs
[3] Standards Mapping - Common Weakness Enumeration CWE ID 918
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.6 Sanitization and Sandboxing Requirements, 12.6.1 SSRF Protection Requirements
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
Server-Side Template Injection
ABSTRACT
用户控制的数据用作模板引擎的模板,使得攻击者能够访问模板上下文,并在某些情况下在应用程序服务器中注入和运行任意代码。
EXPLANATION
模板引擎用于使用动态数据呈现内容。此上下文数据通常由用户控制并通过模板设置格式,以生成 Web 页面、电子邮件等。模板引擎可通过条件、循环等代码构造处理上下文数据,从而允许在模板中使用功能强大的语言表达式来呈现动态内容。如果攻击者能够控制要呈现的模板,他们将能够通过注入表达式来公开上下文数据,甚至在服务器上运行任意命令。
示例 1:下面的示例显示了如何通过 HTTP 请求检索模板并呈现该模板。
1 | app.get('/', function(req, res){ |
Example 1会使用Underscore.js作为Node.js应用程序中的模板引擎。对于该引擎,攻击者可以提交以下模板以在服务器上运行任意命令:
1 | <% cp = process.mainModule.require('child_process');cp.exec(<COMMAND>); %> |
RECOMMENDATIONS
尽可能不要让用户提供模板。如果需要由用户提供模板,请谨慎执行输入验证,以防止在模板中注入恶意代码。
REFERENCES
[1] Server-Side Template Injection: RCE for the modern webapp
[2] Standards Mapping - Common Weakness Enumeration CWE ID 95
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements, 5.2.5 Sanitization and Sandboxing Requirements, 5.2.8 Sanitization and Sandboxing Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2010 A1 Injection
[13] Standards Mapping - OWASP Top 10 2013 A1 Injection
[14] Standards Mapping - OWASP Top 10 2017 A1 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Setting Manipulation
ABSTRACT
允许对系统设置进行外部控制可以导致服务中断或意外的应用程序行为。
EXPLANATION
当攻击者能够通过控制某些值来监控系统的行为、管理特定的资源、或在某个方面影响应用程序的功能时,即表示发生了 Setting Manipulation 漏洞。
由于 Setting Manipulation 漏洞影响到许多功能,因此,对它的任何说明都必然是不完整的。与其在 Setting Manipulation 这一类中寻找各个功能之间的紧密关系,不如往后退一步,考虑有哪些系统数值类型不能由攻击者来控制。
示例 1:下面的 Node.js 代码片段会在 http.IncomingMessage 请求变量中读取字符串,并使用该字符串设置其他 V8 命令行标记。
1 | var v8 = require('v8'); |
在此示例中,攻击者可以导致在 VM 上设置各种不同的标记,这可能会导致不可预知的行为,包括程序崩溃或潜在的数据丢失。
总之,应禁止使用用户提供的数据或通过其他途径获取不可信任的数据,以防止攻击者控制某些敏感的数值。虽然攻击者控制这些数值的影响不会总能立刻显现,但是不要低估了攻击者的攻击力。
RECOMMENDATIONS
禁止由不可信赖的数据来控制敏感数值。在发生此种错误的诸多情况中,应用程序预期通过某种特定的输入,仅得到某一区间内的数值。如果可能的话,应用程序应仅通过输入从预定的安全数值集合中选择数据,而不是依靠输入得到期望的数值,从而确保应用程序行为得当。针对恶意输入,传递给敏感函数的数值应当是该集合中的某些安全选项的默认设置。即使无法事先了解安全数值集合,通常也可以检验输入是否在某个安全的数值区间内。若上述两种验证机制均不可行,则必须重新设计应用程序,以避免应用程序接受由用户提供的潜在危险数值。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 15
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[4] Standards Mapping - MISRA C 2012 Rule 1.3
[5] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.4 Input and Output Architectural Requirements, 5.2.1 Sanitization and Sandboxing Requirements, 5.3.1 Output Encoding and Injection Prevention Requirements, 13.1.1 Generic Web Service Security Verification Requirements, 14.4.2 HTTP Security Headers Requirements, 14.4.4 HTTP Security Headers Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Setting Manipulation: User-Controlled Expression Delimiters
ABSTRACT
应用程序允许用户定义表达式分隔符,使用户能够规避 cross-site scripting 保护。
EXPLANATION
如果允许用户定义模板引擎使用的分隔符,则意味着之前实施的保护可能不再起作用,或者可能无效。在危害最轻的情况下,这可能会导致功能无法按预期运行,或者导致信息泄露,但还可能会让恶意用户能够规避引擎保护,从而引发 cross-site scripting 漏洞。
示例 1:在以下代码中,AngularJS 模块配置为在 URL 中使用从散列定义的开始符号。
1 | var hash = window.location.hash; |
这样做通常是为了能够同时使用多个模板引擎,这实际上极为危险 [1],可能会导致正在运行的引擎与 AngularJS 表达式不兼容,从而可能导致用户能够绕过常规验证,在浏览器中运行他们自己的代码。
RECOMMENDATIONS
一般而言,最好完全不要混合模板引擎,尤其重要的是,不要允许用户在运行时对此进行定义。从开发人员的角度而言,这样做实际上对两种模板引擎都无法提供保护,而且强制执行这些验证的模板引擎未考虑一种情况,即您可能会将它们的模板引擎与其他模板引擎同时运行。
REFERENCES
[1] AngularJS $interpolateProvider documentation Google
[2] Standards Mapping - Common Weakness Enumeration CWE ID 15
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[7] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Setting Manipulation: User-Controlled Whitelist
ABSTRACT
应用程序允许用户定义白名单,使用户可以将恶意输入标记为安全。
EXPLANATION
框架通常会定义验证白名单,以免受漏洞攻击。
示例 1:以下代码允许恶意用户设置白名单,AngularJS 使用此白名单确定可以检索哪些类型的链接图像。
1 | myModule.config(function($compileProvider){ |
这样看似正常,但如果用户将正则表达式设置为 /^(http(s)?|javascript):.*/,应用程序可能会允许在图像源 URL 中使用内联 JavaScript,这可能会引发 cross-site scripting 攻击。
对白名单的其他使用可能会阻止所有不同类型的攻击,尤其是 cross-site scripting、command injection、SQL injection 等注入攻击以及业务逻辑缺陷。
RECOMMENDATIONS
总之,不应允许用户设置供框架内部用于进行安全或业务逻辑验证的白名单。除非符合以下条件:对白名单的配置更严格、仅允许管理员设置白名单且通常在配置文件中进行设置。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 15
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[5] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M8 Security Decisions Via Untrusted Inputs
[6] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
XML Injection
ABSTRACT
如果在 XML 文档中写入未验证的数据,可能会使攻击者修改 XML 的结构和内容。
EXPLANATION
XML injection 会在以下情况中出现:
数据从一个不可信赖的数据源进入程序。
数据写入到 XML 文档中。
应用程序通常使用 XML 来存储数据或发送消息。当 XML 用于存储数据时,XML 文档通常会像数据库一样进行处理,而且可能会包含敏感信息。XML 消息通常在 web 服务中使用,也可用于传输敏感信息。XML 消息甚至还可用于发送身份验证凭据。
如果攻击者能够写入原始 XML,则可以更改 XML 文档和消息的语义。危害最轻的情况下,攻击者可能会插入无关的标签,导致 XML 解析器抛出异常。XML injection 更为严重的情况下,攻击者可以添加 XML 元素,更改身份验证凭据或修改 XML 电子商务数据库中的价格。还有一些情况,XML injection 可以导致 cross-site scripting 或 dynamic code evaluation。
例 1:
假设攻击者能够控制下列 XML 中的 shoes。
1 | <order> |
现在假设,在后端 Web 服务请求中包含该 XML,用于订购一双鞋。假设攻击者可以修改请求,并将 shoes 替换成 shoes
1 | <order> |
这样,攻击者可能只花 1 美元就可以购买一双价值 100 美元的鞋。
RECOMMENDATIONS
将用户提供的数据写入 XML 时,应该遵守以下准则:
不要使用从用户输入派生的名称创建标签或属性。
写入到 XML 之前,先对用户输入进行 XML 实体编码。
将用户输入包含在 CDATA 标签中。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[5] Standards Mapping - MISRA C 2012 Rule 1.3
[6] Standards Mapping - MISRA C++ 2008 Rule 0-3-1
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M7 Client Side Injection
[10] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2010 A1 Injection
[13] Standards Mapping - OWASP Top 10 2013 A1 Injection
[14] Standards Mapping - OWASP Top 10 2017 A1 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
安全特性
Access Control: Azure
ABSTRACT
如果在使用用户控制的值且没有适当访问控制的情形下访问 Azure Queue/Blob,则会允许攻击者查看/修改/删除未经授权的 Queue/Blob 及其消息/内容。
EXPLANATION
Azure Cloud 访问控制错误在以下情况下出现:
数据从一个不可信赖的数据源进入程序。
数据用于查看/修改/删除未经授权的 Queue/Blob 及其消息/内容。
示例 1:以下代码可删除给定 Queue 及其消息。
1 | ... |
示例 2:以下代码可删除给定 Blob 容器及其内容。
1 | ... |
虽然Example 1 和Example 2 中的代码会删除给定队列/Blob 容器及其属于当前用户/程序的消息/内容,但攻击者可删除该 Azure 帐户的任何队列/Blob。由于此示例中的代码不会执行检查以确保该用户/程序有权清除请求的队列/Blob,因此即使该队列/Blob 不属于当前用户/程序,它也会被清除。
RECOMMENDATIONS
禁止由不可信赖的数据来控制敏感数值。在发生此错误的许多情况下,应用程序期望获得特定于用户/程序的特定输入。如果可能的话,应用程序应仅通过输入从预定的安全数值集合中选择数据,而不是依靠输入得到期望的数值,从而确保应用程序行为得当。针对恶意输入,传递给敏感函数的数值应当是该集合中的某些安全选项的默认设置。即使无法事先了解安全数值集合,通常也可以检验输入是否在某个安全的数值区间内。若上述两种验证机制均不可行,则必须重新设计应用程序,以避免应用程序接受由用户/程序提供的潜在危险值。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 639
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[3] Standards Mapping - FIPS200 AC
[4] Standards Mapping - General Data Protection Regulation Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design, 4.1.3 General Access Control Design, 4.1.5 General Access Control Design, 4.2.1 Operation Level Access Control
[7] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[9] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[10] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[11] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[12] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
Access Control: Database
ABSTRACT
如果没有适当的 access control,就会执行一个包含用户控制主键的 SQL 指令,从而允许攻击者访问未经授权的记录。
EXPLANATION
Database access control 错误在以下情况下发生:
数据从一个不可信赖的数据源进入程序。
这个数据用来指定 SQL 查询中主键的值。
示例 1:以下代码使用可转义元字符并防止出现 SQL 注入漏洞的参数化语句,以构建和执行用于搜索与指定标识符 [1] 相匹配的清单的 SQL 查询。您可以从与当前被授权用户有关的所有清单中选择这些标识符。
1 | ... |
问题在于开发者没有考虑到所有可能出现的 id 值。虽然界面生成了属于当前用户的清单标识符列表,但是攻击者可以绕过这个界面,从而获取所需的任何清单。由于此示例中的代码没有执行检查以确保用户具有访问所请求清单的权限,因此它会显示任何清单,即使此清单不属于当前用户。
RECOMMENDATIONS
与其靠表示层来限制用户输入的值,还不如在应用程序和数据库层上进行 access control。任何情况下都不允许用户在没有取得相应权限的情况下获取或修改数据库中的记录。每个涉及数据库的查询都必须遵守这个原则,这可以通过把当前被授权的用户名作为查询语句的一部分来实现。
示例 2:以下代码实现的功能与Example 1 相同,但是附加了一个限制,以验证清单是否属于当前经过身份验证的用户。
1 | ... |
REFERENCES
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[4] Standards Mapping - FIPS200 AC
[5] Standards Mapping - General Data Protection Regulation Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design, 4.1.3 General Access Control Design, 4.1.5 General Access Control Design, 4.2.1 Operation Level Access Control, 13.4.2 GraphQL and other Web Service Data Layer Security Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[10] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[11] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[12] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
AngularJS Misconfiguration: Dangerous Protocol Allowed
ABSTRACT
应用程序允许 JavaScript 成为允许使用的协议,这可能会引发 cross-site scripting 漏洞。
EXPLANATION
某些框架(例如 AngularJS)将限制可能为指向其他站点和图像的链接设置的协议。这主要是为了阻止内联 JavaScript 运行,因为其运行可能会导致应用程序中出现其他的 cross-site scripting 漏洞。
示例 1:以下代码更改了 AngularJS 中的默认白名单协议,以允许图像 HTML 元素允许内联 JavaScript。
1 | myModule.config(function($compileProvider){ |
RECOMMENDATIONS
几乎没有理由用此方式内联 JavaScript,因此不应允许 JavaScript 在默认被禁止的位置内联运行。通常会有更简洁、更安全的方法来运行相同功能,而无需在应用程序中开放潜在的安全漏洞。
REFERENCES
[1] AngularJS $compileProvider documentation Google
[2] Standards Mapping - Common Weakness Enumeration CWE ID 554
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements, 5.1.4 Input Validation Requirements, 14.1.3 Build
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
AngularJS Misconfiguration: Strict Contextual Escaping Disabled
ABSTRACT
在 AngularJS 1 应用程序中禁用严格上下文转义,可能会导致多个新的漏洞。
EXPLANATION
严格上下文转义 (SCE) 是 AngularJS 应用程序中的一种机制,可帮助保护应用程序免受攻击者攻击,阻止一整套不同攻击手段的多种漏洞。最突出的是,其可阻止某些类型的 cross-site scripting 攻击。在此应用程序中,此保护机制已被禁用。
示例 1:在此示例中,我们在一个模块上禁用了 SCE。
1 | myModule.config(function($sceProvider){ |
RECOMMENDATIONS
通常建议禁用此保护机制,此保护机制仅应用于调试。使用此保护机制会使框架中产生极少量的开销,安全确定是否应关闭此机制的唯一方式是,如果您确定站点 100% 安全,不会受漏洞攻击,即如果情况确实如此,则此应用程序将是一个非常简单的应用程序,没有任何用户输入。
REFERENCES
[1] Strict Contextual Escaping Google
[2] Standards Mapping - Common Weakness Enumeration CWE ID 554
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements, 5.1.4 Input Validation Requirements, 14.1.3 Build
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
Cookie Security: Cookie not Sent Over SSL
ABSTRACT
创建了 cookie,但未将 secure 标记设置为 true。
EXPLANATION
现今的 Web 浏览器支持每个 cookie 的 secure 标记。如果设置了该标记,那么浏览器只会通过 HTTPS 发送 cookie。通过未加密的通道发送 cookie 将使其受到网络截取攻击,因此安全标记有助于保护 cookie 值的保密性。如果 cookie 包含私人数据或带有会话标识符,那么该标记尤其重要。
示例 1:在下面的示例中,在未将 secure 属性设置为 true 的情况下,为响应添加了一个 Cookie。
1 | res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin', httpOnly: true, secure: false}); |
如果应用程序同时使用 HTTPS 和 HTTP,但没有设置 secure 标记,那么在 HTTPS 请求过程中发送的 cookie 也会在随后的 HTTP 请求过程中被发送。通过未加密的无线连接截取网络信息流对攻击者而言十分简单,因此通过 HTTP 发送 cookie(特别是具有会话 ID 的 cookie)可能会危及应用程序安全。
RECOMMENDATIONS
对所有新 cookie 设置 Secure 标记,指示浏览器不要以明文形式发送这些 cookie。
示例 2:
1 | res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin', httpOnly: true, secure: true}); |
REFERENCES
[1] Mike Perry Automated HTTPS Cookie Hijacking
[2] Node.js Security Checklist
[3] Standards Mapping - Common Weakness Enumeration CWE ID 614
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001184, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM, SC
[6] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements, 3.2.3 Session Binding Requirements, 3.4.1 Cookie-based Session Management, 6.2.1 Algorithms, 8.1.6 General Data Protection
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M4 Unintended Data Leakage
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.7, Requirement 6.5.9
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
Cookie Security: HTTPOnly not Set
ABSTRACT
程序创建了 cookie,但未能将 HttpOnly 标记设置为 true。
EXPLANATION
所有主要浏览器均支持 HttpOnly Cookie 属性,可阻止客户端脚本访问 Cookie。Cross-Site Scripting 攻击通常会访问 Cookie,以试图窃取会话标识符或身份验证令牌。如果未启用 HttpOnly,攻击者就能更容易地访问用户 Cookie。
示例 1:以下代码会在未设置 httpOnly 属性的情况下创建一个 Cookie。
1 | res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin'}); |
RECOMMENDATIONS
在创建 Cookie 时启用 HttpOnly 属性。
示例 2:以下代码创建的 Cookie 与Example 1 中的代码相同,但这次会将 httpOnly 属性设置为 true。
1 | res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin', httpOnly: true}); |
已开发出了多种绕过将 HttpOnly设置为 true 的机制,因此它并非完全有效。
REFERENCES
[1] Amit Klein Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)
[2] Node.js Security Checklist
[3] Standards Mapping - Common Weakness Enumeration CWE ID 1004
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001184, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1), SC-23 Session Authenticity (P1)
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.3 Session Binding Requirements, 3.4.2 Cookie-based Session Management, 4.1.3 General Access Control Design, 4.2.1 Operation Level Access Control, 4.3.3 Other Access Control Considerations, 13.1.4 Generic Web Service Security Verification Requirements
[10] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M4 Unintended Data Leakage
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002210 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
[33] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
Cookie Security: Overly Broad Domain
ABSTRACT
域范围过大的 Cookie 为攻击者利用其他应用程序攻击某个应用程序创造了条件。
EXPLANATION
开发人员通常将 Cookie 设置为在类似“.example.com”的基本域中处于活动状态。这会使 Cookie 暴露在基本域和任何子域中的所有 Web 应用程序下。由于 Cookie 通常包含敏感信息(如会话标识符),因此在应用程序之间共享 Cookie 可能会导致其中一个应用程序的漏洞危及其他应用程序安全。
示例 1:
假设您有一个安全应用程序并将其部署在 http://secure.example.com/ 上,当用户登录时,该应用程序将使用域“.example.com”设置会话 ID cookie。
例如:
1 | cookie_options = {}; |
假设您在 http://insecure.example.com/ 上有另一个不太安全的应用程序,它包含 cross-site scripting 漏洞。任何浏览到 http://insecure.example.com 的 http://secure.example.com 认证用户面临着暴露来自 http://secure.example.com 的会话 cookie 的风险。
除了读取 cookie 外,攻击者还可能使用 insecure.example.com 进行 cookie poisoning 攻击,创建自己范围过大的 cookie,并覆盖来自 secure.example.com 的 cookie。
RECOMMENDATIONS
将 cookie 域设置为具有尽可能高的限制性。
示例 2:以下代码显示如何针对“说明”部分中的示例将 cookie 域设置为“secure.example.com”。
1 | cookie_options = {}; |
REFERENCES
[1] Node.js Security Checklist
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[3] Standards Mapping - FIPS200 CM
[4] Standards Mapping - General Data Protection Regulation Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M4 Unintended Data Leakage
[7] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[30] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Cookie Security: Overly Broad Path
ABSTRACT
可通过相同域中的其他应用程序访问路径范围过大的 cookie。
EXPLANATION
开发人员通常将 Cookie 设置为可从根上下文路径“/”进行访问。这会使 Cookie 暴露在该域的所有 Web 应用程序下。由于 Cookie 通常包含敏感信息(如会话标识符),因此在应用程序之间共享 Cookie 可能会导致其中一个应用程序的漏洞危及其他应用程序安全。
示例 1:
假设您有一个论坛应用程序并将其部署在 http://communitypages.example.com/MyForum 上,当用户登录该论坛时,该应用程序将使用路径“/”设置会话 ID cookie。
例如:
1 | cookie_options = {}; |
假设攻击者在http://communitypages.example.com/EvilSite上创建了另一个应用程序,并在论坛上发布了该站点的链接。当论坛用户点击该链接时,浏览器会将/MyForum设置的 Cookie 发送到在/EvilSite上运行的应用程序。通过这种方式窃取会话 ID 后,攻击者就能够危及浏览到/EvilSite的任何论坛用户的帐户安全。
除了读取 cookie 外,攻击者还可能使用/EvilSite进行 cookie poisoning 攻击,创建自己范围过大的 cookie,并覆盖来自/MyForum的 cookie。
RECOMMENDATIONS
确保将 cookie 路径设置为具有尽可能高的限制性。
示例 2:以下代码显示如何针对“说明”部分中的示例将 cookie 路径设置为“/MyForum”。
1 | cookie_options = {}; |
REFERENCES
[1] Node.js Security Checklist
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[3] Standards Mapping - FIPS200 CM
[4] Standards Mapping - General Data Protection Regulation Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.5 Cookie-based Session Management
[7] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M4 Unintended Data Leakage
[8] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[9] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[12] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Insecure Randomness
ABSTRACT
标准的伪随机数值生成器不能抵挡各种加密攻击。
EXPLANATION
在对安全性要求较高的环境中,使用能够生成可预测值的函数作为随机数据源,会产生 Insecure Randomness 错误。
电脑是一种具有确定性的机器,因此不可能产生真正的随机性。伪随机数生成器 (PRNG) 近似于随机算法,始于一个能计算后续数值的种子。
PRNG 包括两种类型:统计学的 PRNG 和密码学的 PRNG。统计学的 PRNG 提供很多有用的统计属性,但其输出结果很容易预测,因此容易复制数值流。在安全性所依赖的生成值不可预测的情况下,这种类型并不适用。密码学的 PRNG 生成的输出结果较难预测,可解决这一问题。为保证值的加密安全性,必须使攻击者根本无法、或几乎不可能鉴别生成的随机值和真正的随机值。通常情况下,如果并未声明 PRNG 算法带有加密保护,那么它很可能就是统计学的 PRNG,因此不应在对安全性要求较高的环境中使用,否则会导致严重的漏洞(如易于猜测的密码、可预测的加密密钥、Session Hijacking 和 DNS Spoofing)。
示例: 下面的代码可利用统计学的 PRNG 为购买产品后仍在有效期内的收据创建一个 URL。
1 | function genReceiptURL (baseURL){ |
这段代码使用 Math.random() 函数为它生成的收据页面生成“唯一”的标识符。由于 Math.random() 是统计学的 PRNG,攻击者很容易猜到其生成的字符串。尽管收据系统的底层设计并不完善,但若使用不会生成可预测收据标识符的随机数生成器(如密码学的 PRNG),就会更安全些。
RECOMMENDATIONS
当不可预测性至关重要时,如大多数对安全性要求较高的环境都采用随机性,这时可以使用密码学的 PRNG。不管选择了哪一种 PRNG,都要始终使用带有充足熵的数值作为该算法的种子。(切勿使用诸如当前时间之类的数值,因为它们只提供很小的熵。)
在 JavaScript 中,常规的建议是使用 Mozilla API 中的 window.crypto.random() 函数。但这种方法在多种浏览器中都不起作用,包括 Mozilla Firefox 的最新版本。目前没有适用于功能强大的密码学 PRNG 的跨浏览器解决方案。此时应考虑在 JavaScript 之外处理任意 PRNG 功能。
REFERENCES
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] JavaScript crypto: window.crypto.random() Mozilla
[3] Standards Mapping - Common Weakness Enumeration CWE ID 338
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements, 2.6.2 Look-up Secret Verifier Requirements, 3.2.2 Session Binding Requirements, 3.2.4 Session Binding Requirements, 6.3.1 Random Values, 6.3.2 Random Values, 6.3.3 Random Values
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M6 Broken Cryptography
[10] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[11] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[21] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
Insecure SSL: Server Identity Verification Disabled
ABSTRACT
当进行 SSL 连接时,服务器身份验证处于禁用状态。
EXPLANATION
在某些使用 SSL 连接的库中,默认情况下不验证服务器证书。这相当于信任所有证书。
示例 1:此服务器错误地尝试验证客户端连接:
1 | ... |
创建 https.Server 对象时,requestCert 设置会指定为 true,但未设置 rejectUnauthorized,其默认设置为 false。这意味着尽管服务器是为了通过 SSL 验证客户端而创建,但即使未使用提供的 CA 列表对证书进行授权,也仍然会接受连接。
示例 2:此应用程序尝试通过 SSL 连接到服务器:
1 | var tls = require('tls'); |
在此示例中,如果 rejectUnauthorized 设置为 false,这意味着将接受未经授权的证书,并且仍然会与无法识别的服务器建立安全连接。此时,当服务器被黑客攻击发生 SSL 连接中断时,应用程序可能会泄漏用户敏感信息。
RECOMMENDATIONS
当进行 SSL 连接时,不要忘记服务器验证检查。根据所使用的库,一定要验证服务器身份并建立安全的 SSL 连接。
示例 3:此代码实现的功能与Example 1 相同,但会确保拒绝未经验证的客户端,而不仅仅是将连接标记为来自无法识别的客户端:
1 | ... |
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 297
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 3.7.1 Defenses Against Session Management Exploits, 6.2.1 Algorithms, 9.2.1 Server Communications Security Requirements, 9.2.3 Server Communications Security Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M3 Insufficient Transport Layer Protection
[9] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[11] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
Insecure Transport
ABSTRACT
该调用会使用未加密的协议(而非加密的协议)与服务器通信。
EXPLANATION
所有利用 HTTP、FTP 或 Gopher 的通信均未经过身份验证和加密。因此可能面临风险,特别是在移动环境中,设备要利用 WiFi 连接来频繁连接不安全的公共无线网络。
示例 1:以下示例通过 HTTP 协议(而不是 HTTPS 协议)读取数据。
1 | var http = require('http'); |
由于传入的 http.IncomingMessage 对象 res 通过未加密和未经验证的通道传输,因而可能存在安全隐患。
RECOMMENDATIONS
应尽可能使用 HTTPS 等安全协议与服务器交换数据。
REFERENCES
[1] Designing for Security Android
[2] S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgartner, B. Friesleben Why Eve and Mallory Love Android:An Analysis of Android SSL (In)Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 319
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[5] Standards Mapping - FIPS200 SC
[6] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements, 1.14.1 Configuration Architectural Requirements, 2.2.5 General Authenticator Requirements, 2.6.3 Look-up Secret Verifier Requirements, 2.8.3 Single or Multi Factor One Time Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.9.3 Cryptographic Software and Devices Verifier Requirements, 3.7.1 Defenses Against Session Management Exploits, 6.2.1 Algorithms, 6.2.2 Algorithms, 6.2.3 Algorithms, 6.2.4 Algorithms, 6.2.5 Algorithms, 6.2.6 Algorithms, 6.2.7 Algorithms, 8.1.6 General Data Protection, 8.3.1 Sensitive Private Data, 8.3.4 Sensitive Private Data, 8.3.7 Sensitive Private Data, 9.1.1 Communications Security Requirements, 9.1.2 Communications Security Requirements, 9.1.3 Communications Security Requirements, 9.2.1 Server Communications Security Requirements, 9.2.2 Server Communications Security Requirements, 9.2.3 Server Communications Security Requirements, 14.1.3 Build, 14.4.5 HTTP Security Headers Requirements
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[23] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[24] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[25] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
Insecure Transport: HSTS not Set
ABSTRACT
应用程序未设置 HTTP 严格传输安全 (HSTS) 头文件,这使得攻击者能够通过执行 HTTPS stripping 攻击使用普通 HTTP 连接替换 SSL/TLS 连接并窃取敏感信息。
EXPLANATION
HTTPS stripping 攻击是一种中间人攻击,攻击者可在所有 HTTP 流量中监视引用 HTTPS 的位置标头和链接,并使用 HTTP 版本予以替换。攻击者保留所有 HTTP 替换版本的列表,以使 HTTPS 请求返回到服务器。所有断开的 HTTP 连接通过 HTTPS 代理连接到了服务器。受害者和攻击者之间的所有流量均通过 HTTP 发送,从而暴露了用户名、密码和其他私人信息,但服务器仍然从攻击者接收预期的 HTTPS 流量,因此一切看似正常。
HTTP 严格传输安全 (HSTS) 是一种安全标头,它指示浏览器在标头自身指定的期间始终连接到通过 SSL/TLS 返回 HSTS 标头的站点。即使用户在浏览器 URL 栏中输入了 http://,通过 HTTP 到服务器的连接还是将自动替换为 HTTPS 版本。
RECOMMENDATIONS
可以在 Express 应用程序中使用 Helmet 中间件,以轻松在应用程序中默认添加此标头。
1 | var express = require('express'); |
REFERENCES
[1] OWASP HTTP Strict Transport Security
[2] Moxie Marlinspike sslstrip
[3] Node.js Security Checklist
[4] Standards Mapping - Common Weakness Enumeration CWE ID 319
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements, 2.2.5 General Authenticator Requirements, 2.6.3 Look-up Secret Verifier Requirements, 6.2.1 Algorithms, 8.3.1 Sensitive Private Data, 8.1.6 General Data Protection, 9.1.1 Communications Security Requirements, 9.2.2 Server Communications Security Requirements, 14.4.5 HTTP Security Headers Requirements
[10] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[13] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[24] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[25] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[26] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
Insecure Transport: Weak SSL Protocol
ABSTRACT
SSLv2、SSLv23 和 SSLv3 协议包含多个使它们变得不安全的缺陷,因此不应该使用它们来传输敏感数据。
EXPLANATION
传输层安全 (TLS) 协议和安全套接字层 (SSL) 协议提供了一种保护机制,可以确保在客户端和 Web 服务器之间所传输数据的真实性、保密性和完整性。TLS 和 SSL 都进行了多次修订,因此需要定期进行版本更新。每次新的修订都旨在解决以往版本中发现的安全漏洞。使用不安全版本的 TLS/SSL 将削弱数据保护力度,并可能允许攻击者危害、窃取或修改敏感信息。
弱版本的 TLS/SSL 可能会呈现出以下其中一个或所有属性:
没有针对中间人攻击的保护
身份验证和加密使用相同密钥
消息身份验证控制较弱
没有针对 TCP 连接关闭的保护
这些属性的存在可能会允许攻击者截取、修改或篡改敏感数据。
示例 1:此 Node.js 片段尝试通过安全连接创建服务器:
1 | ... |
由于 Node.js 将 secureProtocol 的默认值设置为 SSLv23_method,因此,在未专门覆盖 secureProtocol 时,服务器本身就并不安全。
RECOMMENDATIONS
强烈建议强制客户端仅使用最安全的协议。
示例 2:此 Node.js 代码段与Example 1 相同,只不过它会强制通过 TLSv1.2 协议进行通信:
1 | ... |
REFERENCES
[1] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[2] CVE 2014-3566
[3] Standards Mapping - Common Weakness Enumeration CWE ID 327
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[5] Standards Mapping - FIPS200 CM, SC
[6] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements, 2.9.3 Cryptographic Software and Devices Verifier Requirements, 6.2.1 Algorithms, 6.2.2 Algorithms, 8.3.7 Sensitive Private Data, 9.1.2 Communications Security Requirements, 9.1.3 Communications Security Requirements
[9] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[23] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[24] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[25] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
Key Management: Empty Encryption Key
ABSTRACT
空加密密钥可能会削弱安全性,一旦出现安全问题将无法轻易修正。
EXPLANATION
使用空加密密钥绝非好方法,因为这样将会大幅减弱由良好的加密算法提供的保护,而且还会使解决这一问题变得极其困难。在问题代码投入使用之后,除非对软件进行修补,否则将无法更改空加密密钥。如果受空加密密钥保护的帐户遭受入侵,系统所有者将必须在安全性和可用性之间做出选择。
示例 1:以下代码使用空加密密钥执行 AES 加密:
1 | ... |
不仅任何可以访问此代码的人可以确定它使用空加密密钥,而且任何具有最基本破解技术的人都更有可能成功解密所有加密数据。在应用程序发布之后,必须对软件进行修补才能更改空加密密钥。雇员可以利用手中掌握的信息访问权限入侵系统。即使攻击者只能访问应用程序的可执行文件,他们也可以提取使用了空加密密钥的证据。
RECOMMENDATIONS
加密密钥不能为空,而应对加密密钥加以模糊化,并在外部资源文件中进行管理。如果在系统中采用明文的形式存储加密密钥(空或非空),任何有足够权限的人即可读取加密密钥,还可能误用这些加密密钥。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.9.1 Cryptographic Software and Devices Verifier Requirements, 2.10.2 Service Authentication Requirements, 2.10.4 Service Authentication Requirements, 3.5.2 Token-based Session Management, 3.7.1 Defenses Against Session Management Exploits, 6.2.1 Algorithms, 6.4.1 Secret Management, 6.4.2 Secret Management, 9.2.3 Server Communications Security Requirements, 10.2.3 Malicious Code Search
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[10] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[11] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[22] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Key Management: Hardcoded Encryption Key
ABSTRACT
硬编码加密密钥可能会削弱安全性,一旦出现安全问题将无法轻易修正。
EXPLANATION
使用硬编码方式处理加密密钥绝非好方法,因为这样所有项目开发人员都能查看该加密密钥,而且还会使解决这一问题变得极其困难。在代码投入使用之后,必须对软件进行修补才能更改加密密钥。如果受加密密钥保护的帐户遭受入侵,系统所有者将必须在安全性和可用性之间做出选择。
示例 1:以下代码使用了硬编码加密密钥:
1 | ... |
任何可访问该代码的人都能访问加密密钥。在应用程序发布之后,除非对程序进行修补,否则将无法更改加密密钥。雇员可以利用手中掌握的信息访问权限入侵系统。如果攻击者可以访问应用程序的可执行文件,他们就可以提取加密密钥值。
RECOMMENDATIONS
请勿对加密密钥进行硬编码,而应对加密密钥加以模糊化,并在外部资源文件中进行管理。如果在系统中采用明文的形式存储加密密钥,任何有足够权限的人即可读取加密密钥,还可能误用这些密码。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.9.1 Cryptographic Software and Devices Verifier Requirements, 2.10.2 Service Authentication Requirements, 2.10.4 Service Authentication Requirements, 3.5.2 Token-based Session Management, 3.7.1 Defenses Against Session Management Exploits, 6.2.1 Algorithms, 6.4.1 Secret Management, 6.4.2 Secret Management, 9.2.3 Server Communications Security Requirements, 10.2.3 Malicious Code Search
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[10] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[11] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[22] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[23] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[24] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Key Management: Null Encryption Key
ABSTRACT
null 加密密钥可能会削弱安全性,一旦出现安全问题将无法轻易修正。
EXPLANATION
请勿使用 null 加密密钥,因为这样将会大幅减弱由优质加密算法提供的保护强度,并会大大增加解决问题的难度。一旦问题代码投入使用,要更改 null 加密密钥,就必须进行软件修补。如果受 null 加密密钥保护的帐户遭受入侵,系统所有者就必须在安全性和可用性之间做出选择。
示例 1:以下代码会使用 null 加密密钥执行 AES 加密:
1 | ... |
不仅任何可以访问此代码的人能够确定它使用的是null加密密钥,而且任何掌握最基本破解技术的人都更有可能成功解密任何加密数据。一旦应用程序发布,要更改null加密密钥,就必须进行软件修补。雇员可以利用手中掌握的信息访问权限入侵系统。即使攻击者只能访问应用程序的可执行文件,他们也可以提取使用了null加密密钥的证据。
RECOMMENDATIONS
加密密钥绝不能为 null,而应对其加以模糊化,并在外部源中进行管理。在系统中的任何位置采用明文的形式存储加密密钥(null 或非 null),会造成任何有足够权限的人均可读取和无意中误用此加密密钥。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.9.1 Cryptographic Software and Devices Verifier Requirements, 2.10.2 Service Authentication Requirements, 2.10.4 Service Authentication Requirements, 3.5.2 Token-based Session Management, 3.7.1 Defenses Against Session Management Exploits, 6.2.1 Algorithms, 6.4.1 Secret Management, 6.4.2 Secret Management, 9.2.3 Server Communications Security Requirements, 10.2.3 Malicious Code Search
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[10] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[11] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[22] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Password Management
ABSTRACT
采用明文的形式存储密码会危及系统安全。
EXPLANATION
当密码以明文形式存储在应用程序中时,会发生 password management 漏洞。
示例:以下代码使用 hardcoded password 来连接应用程序和检索地址簿条目:
1 | ... |
该代码会正常运行,但是任何能够访问其中所包含的网页的人都能得到这个密码。
RECOMMENDATIONS
绝不能采用明文的形式存储密码。应由管理员在系统启动时输入密码。如果这种方法不切实际,一个安全性较差、但通常都比较恰当的解决办法是将密码模糊化,并把这些去模糊化的资源分散到系统各处,因此,要破译密码,攻击者就必须取得并正确合并多个系统资源。
有些第三方产品宣称可以采用更加安全的方式管理密码。例如,WebSphere Application Server 4.x 用简单的异或加密算法加密数值,但是请不要对诸如此类的加密方式给予完全的信任。WebSphere 以及其他一些应用服务器通常都只提供过期的且相对较弱的加密机制,这对于安全性敏感的环境来说是远远不够的。安全的做法来是采用由用户创建的所有者机制,而这似乎也是目前唯一可行的方法。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements, 2.1.2 Password Security Requirements, 2.1.3 Password Security Requirements, 2.1.4 Password Security Requirements, 2.1.7 Password Security Requirements, 2.1.8 Password Security Requirements, 2.1.9 Password Security Requirements, 2.7.5 Out of Band Verifier Requirements, 2.10.3 Service Authentication Requirements, 2.10.4 Service Authentication Requirements, 2.1.1 Password Security Requirements, 2.1.2 Password Security Requirements, 2.1.3 Password Security Requirements, 2.1.4 Password Security Requirements, 2.1.7 Password Security Requirements, 2.1.8 Password Security Requirements, 2.1.9 Password Security Requirements, 2.3.1 Authenticator Lifecycle Requirements, 2.6.2 Look-up Secret Verifier Requirements, 2.6.3 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.3 Single or Multi Factor One Time Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.10.1 Service Authentication Requirements, 2.10.2 Service Authentication Requirements, 2.10.3 Service Authentication Requirements, 2.10.4 Service Authentication Requirements, 3.5.2 Token-based Session Management, 3.5.2 Token-based Session Management, 3.7.1 Defenses Against Session Management Exploits, 6.4.1 Secret Management, 6.2.1 Algorithms, 6.2.3 Algorithms, 6.2.4 Algorithms, 6.2.5 Algorithms, 6.2.6 Algorithms, 6.4.1 Secret Management, 8.2.2 Client-side Data Protection, 8.3.4 Sensitive Private Data, 9.1.2 Communications Security Requirements, 9.1.3 Communications Security Requirements, 9.2.3 Server Communications Security Requirements, 10.2.1 Malicious Code Search, 10.2.3 Malicious Code Search, 14.1.3 Build
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[10] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[11] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[22] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[23] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
Password Management: Empty Password
ABSTRACT
Empty password 可能会危及系统安全,并且无法轻易修正出现的安全问题。
EXPLANATION
使用空密码绝非好方法。一旦代码投入使用,解决这一问题将变得极其困难。除非对软件进行修补,否则将无法更改密码。如果受空密码保护的帐户遭受入侵,系统所有者将必须在安全性和可用性之间做出选择。
示例:以下代码使用 empty password 来连接应用程序和检索地址簿条目:
1 | ... |
这些代码将成功运行,但任何人员在知道用户名后均可进行访问。
RECOMMENDATIONS
密码始终不能为空。一般来说,应对密码加以模糊化,并在外部资源中进行管理。如果将密码以明文形式存储在网站中任意位置,会造成任何有充分权限的人读取和无意中误用密码。对于需要输入密码的 JavaScript 引用,最好在连接时就提示用户输入密码。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 259
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-003109
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements, 2.1.2 Password Security Requirements, 2.1.3 Password Security Requirements, 2.1.4 Password Security Requirements, 2.1.7 Password Security Requirements, 2.1.8 Password Security Requirements, 2.1.9 Password Security Requirements, 2.3.1 Authenticator Lifecycle Requirements, 2.6.2 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.10.1 Service Authentication Requirements, 2.10.2 Service Authentication Requirements, 2.10.4 Service Authentication Requirements, 3.5.2 Token-based Session Management, 3.7.1 Defenses Against Session Management Exploits, 6.4.1 Secret Management, 9.2.3 Server Communications Security Requirements, 10.2.3 Malicious Code Search
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[10] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[11] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[22] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
Password Management: Hardcoded Password
ABSTRACT
Hardcoded password 可能会削弱系统安全性,一旦出现安全问题将无法轻易修正。
EXPLANATION
使用硬编码方式处理密码绝非好方法。这不仅是因为所有项目开发人员都可以使用通过硬编码方式处理的密码,而且还会使解决这一问题变得极其困难。在代码投入使用之后,除非对软件进行修补,否则将无法更改密码。如果受密码保护的帐户遭受入侵,系统所有者将必须在安全性和可用性之间做出选择。
示例:以下代码使用 hardcoded password 来连接应用程序和检索地址簿条目:
1 | ... |
该代码会正常运行,但是任何能够访问其中所包含的网页的人都能得到这个密码。
RECOMMENDATIONS
绝不能对密码进行硬编码。通常情况下,应对密码加以模糊化,并在外部资源文件中进行管理。如果将密码以明文形式存储在网站中任意位置,会造成任何有充分权限的人读取和无意中误用密码。对于需要输入密码的 JavaScript 引用,最好在连接时就提示用户输入密码。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 259, CWE ID 798
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367, CCI-003109
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements, 2.6.2 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.10.1 Service Authentication Requirements, 2.10.2 Service Authentication Requirements, 2.10.4 Service Authentication Requirements, 3.5.2 Token-based Session Management, 3.5.2 Token-based Session Management, 3.7.1 Defenses Against Session Management Exploits, 6.4.1 Secret Management, 6.4.1 Secret Management, 9.2.3 Server Communications Security Requirements, 10.2.3 Malicious Code Search
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[10] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[11] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[22] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[23] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[24] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
Password Management: Null Password
ABSTRACT
Null password 可导致代码混乱。
EXPLANATION
使用 null 密码绝非好方法。
示例:以下代码最初会将密码设置为 null:
1 | ... |
RECOMMENDATIONS
为避免混乱,应当立即为秘码变量指定正确的变量。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 259
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-003109
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements, 2.6.2 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.10.1 Service Authentication Requirements, 2.10.2 Service Authentication Requirements, 2.10.4 Service Authentication Requirements, 3.5.2 Token-based Session Management, 3.7.1 Defenses Against Session Management Exploits, 6.4.1 Secret Management, 9.2.3 Server Communications Security Requirements, 10.2.3 Malicious Code Search
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[10] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[11] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults, Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[22] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
Password Management: Password in Comment
ABSTRACT
以明文形式在系统或系统代码中存储密码或密码详细信息可能会以无法轻松修复的方式危及系统安全。
EXPLANATION
使用硬编码方式处理密码绝非好方法。在注释中存储密码详细信息等同于对密码进行硬编码。这不仅会使所有项目开发人员都可以查看密码,而且还会使解决这一问题变得极其困难。在代码投入使用之后,密码便会外泄,除非对软件进行修补,否则将无法保护或更改密码。如果受密码保护的帐户遭受入侵,系统所有者将必须在安全性和可用性之间做出选择。
示例:以下注释指定连接到数据库的默认密码:
1 | ... |
该代码可以正常运行,但是有权访问该代码的任何人都能得到这个密码。一旦程序发布,除非修补该程序,否则可能无法更改数据库用户“scott”和密码“tiger”。雇员可以利用手中掌握的信息访问权限入侵系统。
RECOMMENDATIONS
绝不能对密码进行硬编码。通常情况下,应对密码加以模糊化,并在外部资源文件中进行管理。在系统中采用明文的形式存储密码,会造成任何有充分权限的人读取和无意中误用密码。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[6] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[7] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[8] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[9] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[10] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[38] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Password Management: Weak Cryptography
ABSTRACT
采用普通的编码方式给密码加密并不能有效地保护密码。
EXPLANATION
当密码以明文形式存储在应用程序的属性文件或其他配置文件中时,会发生 password management 漏洞。程序员试图通过编码函数来遮蔽密码,以修补 password management 漏洞,例如使用 64 位基址编码方式,但都不能起到充分保护密码的作用。
示例:以下代码使用 hardcoded password 来连接应用程序和检索地址簿条目:
1 | ... |
该代码会正常运行,但是任何能够访问其中所包含的网页的人都能得到这个密码。
RECOMMENDATIONS
绝不能采用明文的形式存储密码。应由管理员在系统启动时输入密码。如果这种方法不切实际,一个安全性较差、但通常都比较恰当的解决办法是将密码模糊化,并把这些去模糊化的资源分散到系统各处,因此,要破译密码,攻击者就必须取得并正确合并多个系统资源。
有些第三方产品宣称可以采用更加安全的方式管理密码。例如,WebSphere Application Server 4.x 用简单的异或加密算法加密数值,但是请不要对诸如此类的加密方式给予完全的信任。WebSphere 以及其他一些应用服务器通常都只提供过期的且相对较弱的加密机制,这对于安全性敏感的环境来说是远远不够的。较为安全的解决方法来是采用由用户创建的所有者机制,而这似乎也是如今唯一可行的方法。
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.3 Single or Multi Factor One Time Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.10.1 Service Authentication Requirements, 2.10.2 Service Authentication Requirements, 3.7.1 Defenses Against Session Management Exploits, 6.2.1 Algorithms, 6.2.3 Algorithms, 6.2.4 Algorithms, 6.2.5 Algorithms, 6.2.6 Algorithms, 9.1.2 Communications Security Requirements, 9.1.3 Communications Security Requirements, 9.2.3 Server Communications Security Requirements
[8] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[10] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[11] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[39] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Privacy Violation
ABSTRACT
对机密信息(如客户密码或社会保障号码)处理不当会危及用户的个人隐私,这是一种非法行为。
EXPLANATION
Privacy Violation 会在以下情况下发生:
用户私人信息进入了程序。
数据被写到了一个外部介质,例如控制台、file system 或网络。
示例:以下代码将用户的明文密码存储到本地存储。
1 | localStorage.setItem('password', password); |
虽然许多开发人员认为本地存储是存储数据的安全位置,但这不是绝对的,特别是在涉及到隐私问题时。
可以通过多种方式将私人数据输入到程序中:
— 以密码或个人信息的形式直接从用户处获取
— 由应用程序访问数据库或者其他数据存储形式
— 间接地从合作者或者第三方处获取
有时,某些数据并没有贴上私人数据标签,但在特定的上下文中也有可能成为私人信息。比如,通常认为学生的学号不是私人信息,因为学号中并没有明确而公开的信息用以定位特定学生的个人信息。但是,如果学校用学生的社会保障号码生成学号,那么这时学号应被视为私人信息。
安全和隐私似乎一直是一对矛盾。从安全的角度看,您应该记录所有重要的操作,以便日后可以鉴定那些非法的操作。然而,当其中牵涉到私人数据时,这种做法就存在一定风险了。
虽然私人数据处理不当的方式多种多样,但常见风险来自于盲目信任。程序员通常会信任运行程序的操作环境,因此认为将私人信息存放在文件系统、注册表或者其他本地控制的资源中是值得信任的。尽管已经限制了某些资源的访问权限,但仍无法保证所有访问这些资源的个体都是值得信任的。例如,2004 年,一个不道德的 AOL 员工将大约 9200 万个私有客户电子邮件地址卖给了一个通过垃圾邮件进行营销的境外赌博网站 [1]。
鉴于此类备受瞩目的信息盗取事件,私人信息的收集与管理正日益规范化。要求各个组织应根据其经营地点、所从事的业务类型及其处理的私人数据性质,遵守下列一个或若干个联邦和州的规定:
Safe Harbor Privacy Framework [3]
Gramm-Leach Bliley Act (GLBA) [4]
Health Insurance Portability and Accountability Act (HIPAA) [5]
California SB-1386 [6]
尽管制定了这些规范,Privacy Violation 漏洞仍时有发生。
RECOMMENDATIONS
当安全和隐私的需要发生矛盾时,通常应优先考虑隐私的需要。为满足这一要求,同时又保证信息安全的需要,应在退出程序前清除所有私人信息。
为加强隐私信息的管理,应不断改进保护内部隐私的原则,并严格地加以执行。这一原则应具体说明应用程序应该如何处理各种私人数据。在贵组织受到联邦或者州法律的制约时,应确保您的隐私保护原则尽量与这些法律法规保持一致。即使没有针对贵组织的相应法规,您也应当保护好客户的私人信息,以免失去客户的信任。
保护私人数据的最好做法就是最大程度地减少私人数据的暴露。不应允许应用程序、流程处理以及员工访问任何私人数据,除非是出于职责以内的工作需要。正如最小授权原则一样,不应该授予访问者超出其需求的权限,对私人数据的访问权限应严格限制在尽可能小的范围内。
REFERENCES
[1] J. Oates AOL man pleads guilty to selling 92m email addies The Register
[2] Privacy Initiatives U.S. Federal Trade Commission
[3] Safe Harbor Privacy Framework U.S. Department of Commerce
[4] Financial Privacy: The Gramm-Leach Bliley Act (GLBA) Federal Trade Commission
[5] Health Insurance Portability and Accountability Act (HIPAA) U.S. Department of Human Services
[6] California SB-1386 Government of the State of California
[7] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[8] Standards Mapping - Common Weakness Enumeration CWE ID 359
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000169, CCI-000196, CCI-000197, CCI-001199, CCI-001312, CCI-001314
[11] Standards Mapping - General Data Protection Regulation Privacy Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.2.1 General Authenticator Requirements, 2.6.3 Look-up Secret Verifier Requirements, 2.7.1 Out of Band Verifier Requirements, 2.7.2 Out of Band Verifier Requirements, 2.7.3 Out of Band Verifier Requirements, 2.8.4 Single or Multi Factor One Time Verifier Requirements, 2.8.5 Single or Multi Factor One Time Verifier Requirements, 2.10.2 Service Authentication Requirements, 2.10.3 Service Authentication Requirements, 3.7.1 Defenses Against Session Management Exploits, 6.2.1 Algorithms, 8.2.1 Client-side Data Protection, 8.2.2 Client-side Data Protection, 8.3.6 Sensitive Private Data, 8.1.1 General Data Protection, 8.1.2 General Data Protection, 8.3.4 Sensitive Private Data, 9.2.3 Server Communications Security Requirements, 10.2.1 Malicious Code Search, 14.3.3 Unintended Security Disclosure Requirements
[14] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.2.1
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective A.2.3 - Cardholder Data Protection
[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000650 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
Weak Cryptographic Hash
ABSTRACT
弱加密散列值无法保证数据完整性,且不能在安全性关键的上下文中使用。
EXPLANATION
MD2、MD4、MD5、RIPEMD-160 和 SHA-1 是常用的加密散列算法,通常用于验证消息和其他数据的完整性。然而,由于最近的密码分析研究揭示了这些算法中存在的根本缺陷,因此它们不应该再用于安全性关键的上下文中。
由于有效破解 MD 和 RIPEMD 散列的技术已得到广泛使用,因此不应该依赖这些算法来保证安全性。对于 SHA-1,目前的破坏技术仍需要极高的计算能力,因此比较难以实现。然而,攻击者已发现了该算法的致命弱点,破坏它的技术可能会导致更快地发起攻击。
RECOMMENDATIONS
停止使用 MD2、MD4、MD5、RIPEMD-160 和 SHA-1 对安全性关键的上下文中的数据进行验证。目前,SHA-224、SHA-256、SHA-384、SHA-512 和 SHA-3 都是不错的备选方案。但是,由于安全散列算法 (Secure Hash Algorithm) 的这些变体并没有像 SHA-1 那样得到仔细研究,因此请留意可能影响这些算法安全性的未来研究结果。
REFERENCES
[1] Xiaoyun Wang MD5 and MD4 Collision Generators
[2] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu Finding Collisions in the Full SHA-1
[3] Xiaoyun Wang and Hongbo Yu How to Break MD5 and Other Hash Functions
[4] SDL Development Practices Microsoft
[5] Standards Mapping - Common Weakness Enumeration CWE ID 328
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.4.1 Credential Storage Requirements, 2.4.2 Credential Storage Requirements, 2.4.5 Credential Storage Requirements, 2.6.3 Look-up Secret Verifier Requirements, 2.8.3 Single or Multi Factor One Time Verifier Requirements, 2.9.3 Cryptographic Software and Devices Verifier Requirements, 6.2.1 Algorithms, 6.2.2 Algorithms, 6.2.3 Algorithms, 6.2.4 Algorithms, 6.2.5 Algorithms, 6.2.6 Algorithms, 6.2.7 Algorithms, 8.3.7 Sensitive Private Data, 9.1.2 Communications Security Requirements, 9.1.3 Communications Security Requirements
[11] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3, Requirement 4.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3, Requirement 4.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3, Requirement 4.1
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
Weak Encryption
ABSTRACT
识别调用会使用无法保证敏感数据的保密性的弱加密算法。
EXPLANATION
过时的加密算法(如 DES)无法再为敏感数据的使用提供足够的保护。加密算法依赖于密钥大小,这是确保加密强度的主要方法之一。加密强度通常以生成有效密钥所需的时间和计算能力来衡量。计算能力的提高使得在合理的时间内获得较小的加密密钥成为可能。例如,在二十世纪七十年代首次开发出 DES 算法时,要破解在该算法中使用的 56 位密钥将面临巨大的计算障碍,但今天,使用常用设备能在不到一天的时间内破解 DES。
RECOMMENDATIONS
使用密钥较大的强加密算法来保护敏感数据。DES 的一个强大替代方案是 AES(高级加密标准,以前称为 Rijndael)。在选择算法之前,首先要确定您的组织是否已针对特定算法和实施进行了标准化。
REFERENCES
[1] Java Cryptography Architecture Standard Algorithm Name Documentation Sun Microsystems
[2] distributed.net DES
[3] FAQ About the Electronic Frontier Foundation’s “DES Cracker” Machine Electronic Frontier Foundation
[4] SDL Development Practices Microsoft
[5] Microsoft Security Fundamentals Microsoft
[6] John Kelsey, Bruce Schneier, and David Wagner Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
[7] Standards Mapping - Common Weakness Enumeration CWE ID 327
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements, 2.8.2 Single or Multi Factor One Time Verifier Requirements, 2.8.3 Single or Multi Factor One Time Verifier Requirements, 2.9.1 Cryptographic Software and Devices Verifier Requirements, 2.9.3 Cryptographic Software and Devices Verifier Requirements, 2.6.3 Look-up Secret Verifier Requirements, 2.9.3 Cryptographic Software and Devices Verifier Requirements, 6.2.2 Algorithms, 6.2.3 Algorithms, 6.2.4 Algorithms, 6.2.5 Algorithms, 6.2.6 Algorithms, 6.4.2 Secret Management, 6.2.1 Algorithms, 6.2.2 Algorithms, 8.3.7 Sensitive Private Data, 8.3.7 Sensitive Private Data, 9.1.2 Communications Security Requirements, 9.1.3 Communications Security Requirements, 9.1.2 Communications Security Requirements, 9.1.3 Communications Security Requirements
[13] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M6 Broken Cryptography
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
Weak Encryption: Insufficient Key Size
ABSTRACT
另外,当使用的密钥长度不够时,强大的加密算法便容易受到强力攻击。
EXPLANATION
当前的密码指南建议,RSA 算法使用的密钥长度至少应为 2048 位。但是,计算能力和因子分解技术方面的持续进步 [1] 意味着未来将不可避免地需要提高建议的密钥大小。
示例 1:以下代码可生成 512 位 RSA 密钥。
1 | ... |
对于对称加密,密钥长度必须至少为 128 位。
RECOMMENDATIONS
最低限度下,确保 RSA 密钥长度不少于 2048 位。未来几年需要较强加密的应用程序的密码长度应至少为 4096 位。
如果使用 RSA 算法,请确保特定密钥的长度至少为 2048 位。
示例 2:以下代码可生成 2048 位 RSA 密钥。
1 | ... |
同样,如果使用对称加密,请确保特定密钥的长度至少为 128 位(适用于 AES)和 168 位(适用于 Triple DES)。
REFERENCES
[1] J. Cheng 307-digit key crack endangers 1024-bit RSA
[2] Cryptographic Algorithms and Key Sizes for Personal Identity Verification NIST
[3] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[4] Standards Mapping - Common Weakness Enumeration CWE ID 326
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements, 2.8.3 Single or Multi Factor One Time Verifier Requirements, 6.2.1 Algorithms, 6.2.3 Algorithms, 6.2.4 Algorithms, 6.2.5 Algorithms, 6.2.6 Algorithms, 9.1.2 Communications Security Requirements, 9.1.3 Communications Security Requirements
[10] Standards Mapping - OWASP Mobile Top 10 Risks 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
时间和状态
Race Condition
ABSTRACT
所设置的回调可能导致争用条件。
EXPLANATION
Node.js 允许开发人员将回调分配给 IO 阻止的事件。这样可提高性能,因为回调可异步运行,从而使主应用程序不会被 IO 阻止。但是,如果回调外部的某些内容依赖于先运行的回调内的代码,这反过来会造成争用条件。
示例 1:以下代码可基于数据库对用户进行身份验证。
1 |
|
在此示例中,我们应当调用到后端数据库,以确定用户用于登录的凭据,确认有效后,将变量设置为 true,否则设置为 false。令人遗憾的是,由于回调被 IO 阻止,它将异步运行且可能在检查 if (authenticated) 之后运行,由于默认值为 true,它将进入 if-statement,确认用户实际上是否已经过身份验证。
RECOMMENDATIONS
创建 Node.js 应用程序时,必须特别注意 IO 阻止的事件以及相关回调所执行的功能。可能存在需要按特定顺序调用的一系列回调,或者存在只能在运行某个回调后访问的代码。
示例 2:以下代码会修复Example 1 中的争用条件。
1 | ... |
这是一个简单的示例,现实生活中的情况可能要复杂得多,并且完成修复可能需要大量修改基本代码。尝试避免这些问题的简单方法是使用采用 promises 的 API,因为它们代表异步操作的最终结果,并且可用于指定成功的回调和失败的回调。如果经常使用此段代码,则最好创建可返回 promise 以进行身份验证的 API,从而将开发人员需要编写的代码简化为:
1 | promiseAuthentication() |
这反过来能够更轻松地执行代码并防止争用条件,因为代码将始终按明确定义的顺序运行。
REFERENCES
[1] Kristopher Kowal Documentation for q
[2] Piotr Pelczar Asynchronous programming done right.
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-003178
[5] Standards Mapping - General Data Protection Regulation Indirect Access to Sensitive Data
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements, 1.11.3 Business Logic Architectural Requirements, 1.11.2 Business Logic Architectural Requirements, 1.11.3 Business Logic Architectural Requirements, 11.1.6 Business Logic Security Requirements
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[13] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[14] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
本文链接: http://dayun.shystartree.online/2020/04/20/fortify%E6%89%AB%E6%8F%8F%E7%BB%93%E6%9E%9C%E9%80%9F%E6%9F%A5(JavaScript)/
版权声明:本博客所有文章除特别声明外,均采用知识共享署名-非商业性使用-相同方式共享4.0国际许可协议
许可协议。欢迎转载,但转载请注明来自qingyu’s blog,并保持转载后文章内容的完整,本人保留所有版权相关权利。
