The 19 Most Common Vulnerability Scan Fixes (2021 Edition)

The purpose of vulnerability-scan remediation is mainly to let the systems that developers write get deployed smoothly to PROD. Put bluntly, it means getting past the scanning tool first, but that is only the lowest-level approach. What matters most is to faithfully fix the findings according to the hints the scanner gives, so that the site does not end up attacked by hackers and losing far more than it gained.

1. STORED_XSS

When receiving parameters, run them through HttpUtility.UrlEncode to prevent cross-site scripting.

Example:

prtModel.NameBmp = HttpUtility.UrlEncode(NameBmpBase64);

2. REFLECTED_XSS_ALL_CLIENT

While a parameter is being passed along, run it through HttpUtility.UrlEncode and then HttpUtility.UrlDecode to prevent cross-site scripting.

Example:

string printID = HttpUtility.UrlDecode(HttpUtility.UrlEncode(SecurityUtility.Encrypt(txtPrtid.Text)));

3. MISSING_HSTS_HEADER

a. Configure the HSTS header (max-age and so on) in web.config.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

4. HTTPONLYCOOKIE

Set HttpOnly = true in the HttpCookie's properties:

HttpCookie responseCookie = new HttpCookie(token)
{
    HttpOnly = true
};

Or add the following to web.config (element and attribute names are case-sensitive):

<system.web>
  <httpCookies httpOnlyCookies="true" />
</system.web>

5. HTTPCOOKIE IN CONFIG

Set httpCookies in web.config:

<system.web>
  <httpCookies httpOnlyCookies="true" />
</system.web>

6. REQUIRE_SSL

Set requireSSL="true" in web.config:

<authentication mode="Forms">
  <!-- change the domain name below -->
  <forms name="xxxx-xxxx.com.tw" requireSSL="true" loginUrl="http://localhost:95/Login.aspx" timeout="30" domain="ECompulsory.xxxx.com.tw" protection="All" enableCrossAppRedirects="true" path="/" defaultUrl="~/Security/Main.aspx" />
</authentication>

7. HTTP_RESPONSE_SPLITTING

A parameter read back from the request must go through HttpUtility.UrlDecode and HttpUtility.UrlEncode, and before the processed parameter is used it must pass a !string.IsNullOrWhiteSpace check.

Original:

string para = Request["printId"];

Fixed:

string para = HttpUtility.UrlDecode(HttpUtility.UrlEncode(Request.QueryString["printId"]));

if (!string.IsNullOrWhiteSpace(para))
{
    // Strip CR/LF sequences before the value reaches a response header.
    string filename = ReplaceString(para);

    // The header names were left blank in the original; HEADER_NAME_1/2 are placeholders.
    Response.AddHeader("HEADER_NAME_1", "filename=" + filename);
    Response.AddHeader("HEADER_NAME_2", result.ToString()); // result is computed elsewhere in the original
}

// Removes the raw and percent-encoded CRLF pairs that could start a new header line.
public string ReplaceString(string str)
{
    str = str.Replace("%0d%0a", "");
    str = str.Replace("%0D%0A", "");
    str = str.Replace("\r\n", "");
    return str;
}

8. HEAP_INSPECTION

Sensitive parameters must be held in a SecureString to avoid the garbage-collection problem (the plaintext lingering on the managed heap).

private string pwd  ->  private SecureString pwd

9. NO_REQUEST_VALIDATION

a. Add to the page:

validateRequest="false"

b. Or in web.config:

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

10. TRUST_BOUNDARY_VIOLATION

Besides encoding and decoding the parameter with HttpUtility, check it with string.IsNullOrWhiteSpace before placing it in the Model.

Original:

string strPolyn1 = this.txtPolyn1.Text.Trim();
queryModel.Polyn1 = strPolyn1;

Fixed:

string strPolyn1 = HttpUtility.UrlDecode(HttpUtility.UrlEncode(this.txtPolyn1.Text.Trim()));

if (!string.IsNullOrWhiteSpace(strPolyn1))
{
    queryModel.Polyn1 = strPolyn1;
}

11. LOG_FORGING

This is the case of logger.info("XXXXX, User Id =" + UserID); where UserID is user input.

UserID must be validated, for example by passing it through HttpUtility.HtmlDecode(HttpUtility.HtmlEncode(UserID)).
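Item 7 and this item come down to the same defect: a CR or LF, raw or percent-encoded, lets user input start a new header line or a new log entry. The helper below is an added example, not code from the original post; the class and method names are illustrative and the inputs in Main are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: one place that neutralises line breaks for both response headers
// (HTTP response splitting, item 7) and log fields (log forging, item 11).
public static class LineBreakGuard
{
    // Raw CR/LF plus their percent-encoded forms in either case.
    private static readonly Regex LineBreaks =
        new Regex(@"\r|\n|%0[dD]|%0[aA]", RegexOptions.Compiled);

    // Removes every line-break form; null becomes an empty string.
    public static string Strip(string value)
    {
        return value == null ? string.Empty : LineBreaks.Replace(value, string.Empty);
    }

    // Header values: strip line breaks, then refuse any remaining control or
    // non-ASCII character so the value can never end the header block early.
    public static string ForHeader(string value)
    {
        string clean = Strip(value);
        foreach (char c in clean)
        {
            if (c < 0x20 || c > 0x7E)
                throw new ArgumentException("header value contains a control or non-ASCII character");
        }
        return clean;
    }

    // Log fields: replace line breaks with a visible marker so a forged entry
    // cannot begin on a new line, while the attempt stays visible to the analyst.
    public static string ForLog(string value)
    {
        return value == null ? string.Empty : LineBreaks.Replace(value, "\\n");
    }

    public static void Main()
    {
        // Constructed inputs: a user id carrying a CRLF and a file name carrying
        // the percent-encoded equivalent.
        string userId = "alice\r\nINFO: login ok for admin";
        Console.WriteLine("User Id = " + ForLog(userId));

        string fileName = "report.txt%0d%0aX-Injected: 1";
        Console.WriteLine("filename=" + ForHeader(fileName));
    }
}
```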

12. MISSING_CONTENT_SECURITY_POLICY

Add the header in web.config. default-src 'self' restricts resource sources to this site only.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self'" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Resource directives:

script-src: external scripts
style-src: stylesheets
img-src: images
media-src: media files (audio and video)
font-src: font files
object-src: plugins (e.g. Flash)
child-src: frames

13. Missing_Column_Encryption

After obtaining the connection string in the program, append ";Integrated Security=true;Column Encryption Setting=enabled".

Example:

string dbConfig = getDBConfig(DbName);
dbConfig += ";Integrated Security=true;Column Encryption Setting=enabled";

Note: because the Entity objects' property names are bound to database objects, renaming those properties affects how the system's underlying layer resolves DB objects, so it is recommended to list this item as an exclusion for now.

14. SLIDINGEXPIRATION

Set slidingExpiration="false" in Web.config.

Be sure to test that the site's functions still work afterwards.

<authentication mode="Forms">
  <forms name="xxxx-china.com.tw" loginUrl="~/VerifyUser.aspx" timeout="180" slidingExpiration="false" domain="xxxx-china.com.tw" protection="All" enableCrossAppRedirects="true" path="/" defaultUrl="~/Security/CarMain.aspx" />
</authentication>

15. SQL_INJECTION

Original:

strSQL_d = "select Seriel from fireseriel where Bknum = '" + xBknum + "' and Years = '" + xYears + "' and Unit = '" + xUnit + "' and clasno = '" + xClasno + "' and automk = '1' ";

Fixed:

StringBuilder sql = new StringBuilder();
sql.Append("select Seriel from fireseriel where Bknum = '").Append(xBknum).Append("' and Years = '").Append(xYears).Append("' and Unit = '").Append(xUnit).Append("' and clasno = '").Append(xClasno);
sql.Append("' and automk = '1'"); // closing clause restored from the original query
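The same lookup written with SqlParameter placeholders, added here as an example (not code from the original post): the four inputs travel as typed data rather than as SQL text, so quoting them no longer matters. Table and column names come from the query above; the parameter types and lengths are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: parameterized form of the fireseriel lookup.
public static class FireSerielQuery
{
    // Returns the Seriel value for the given key, or null when no row matches.
    public static string FindSeriel(SqlConnection conn,
        string xBknum, string xYears, string xUnit, string xClasno)
    {
        const string sql =
            "select Seriel from fireseriel " +
            "where Bknum = @bknum and Years = @years and Unit = @unit " +
            "and clasno = @clasno and automk = '1'";

        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit types and lengths (assumed here) keep the plan cache stable
            // and stop oversized values from reaching the database at all.
            cmd.Parameters.Add("@bknum", SqlDbType.NVarChar, 20).Value = xBknum;
            cmd.Parameters.Add("@years", SqlDbType.NVarChar, 4).Value = xYears;
            cmd.Parameters.Add("@unit", SqlDbType.NVarChar, 10).Value = xUnit;
            cmd.Parameters.Add("@clasno", SqlDbType.NVarChar, 10).Value = xClasno;

            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : result.ToString();
        }
    }
}
```

A value such as xBknum = "' or 1=1 --" is simply compared against the Bknum column and matches nothing, which is the behaviour the StringBuilder version cannot guarantee.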

16. PATH TRAVERSAL

a.

string savePath = Server.MapPath("~/Upload/");  // folder where uploaded files are saved
DirectoryInfo dir = new DirectoryInfo(savePath);
string[] allowedExtensions = { ".txt" };       // allowed file formats
string filename = Path.GetFileName(HttpUtility.UrlDecode(HttpUtility.UrlEncode(fileUPObj.FileName)));       // file name only, directory part removed

// Enumerate every file and compare by name
FileInfo file = dir.EnumerateFiles().FirstOrDefault(m => m.Name == filename);

b. Original:

string newfilename2 = filename.Remove(filename.LastIndexOf('.')) + "_" + hidORDERNO.Value + "_" + DateTime.Now.ToString("yyyyMMddHHmmss") + fileExtension;

Fixed:

if (!string.IsNullOrWhiteSpace(hidORDERNO.Value))
{
    string newfilename2 = filename.Remove(filename.LastIndexOf('.')) + "_" + hidORDERNO.Value + "_" + DateTime.Now.ToString("yyyyMMddHHmmss") + fileExtension;
}
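Added example (not code from the original post) that carries item a. one step further: after reducing the input to a bare file name and checking the extension, it resolves the final path and verifies that it still lies under the upload folder. The class name is illustrative and the folder and file names used in Main are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Linq;

// Added example: containment check for a file name supplied by the client.
public static class UploadPathGuard
{
    private static readonly string[] AllowedExtensions = { ".txt" };

    // Returns the full path when requestedName is a plain file name with an
    // allowed extension that resolves inside baseDir; otherwise returns null.
    public static string ResolveSafePath(string baseDir, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName))
            return null;

        // Any directory part means the client tried to steer the path: reject, do not repair.
        string fileName = Path.GetFileName(requestedName);
        if (fileName != requestedName)
            return null;

        if (!AllowedExtensions.Contains(Path.GetExtension(fileName), StringComparer.OrdinalIgnoreCase))
            return null;

        // Normalise both sides and require the target to sit under the base folder.
        string root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public static void Main()
    {
        // Constructed upload folder and three constructed requests.
        string uploads = Path.Combine(Path.GetTempPath(), "Upload");
        Console.WriteLine(ResolveSafePath(uploads, "report.txt") ?? "rejected");
        Console.WriteLine(ResolveSafePath(uploads, @"..\web.config") ?? "rejected");
        Console.WriteLine(ResolveSafePath(uploads, "notes.aspx") ?? "rejected");
    }
}
```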

17. Data_Filter_Injection

Escape the symbols that could cause SQL injection in the filter expression, for example ', ?, &, and so on:

// Replace returns a new string; assign the result back, otherwise the escaping is lost.
addr = addr.Replace("'", "''");
DataRow[] rows = dtEarth.Select("Inloct like '" + addr + "'");

18. Client Side Validation

Add a !Page.IsValid check to Page_Load on the vulnerable page:

protected void Page_Load(object sender, EventArgs e)
{
    if (!Page.IsValid)
    {
        return;
    }
}

19. Second Order SQL Injection

Because a value returned by one query is fed into another SQL query, it may create an injection weakness that a hacker can exploit. Process the parameter with HttpUtility.HtmlDecode and then HttpUtility.HtmlEncode.

Original:

Student

Fixed:

HttpUtility.HtmlDecode(HttpUtility.HtmlEncode(Student))
