1. 前言
客戶的案子希望提供簡單的弱點掃描服務,這次使用OWASP ZAP 2.11.1版本進行掃描測試。如何修復弱點…過程是痛苦的(可能心中只想寫程式…),於是決定寫下筆記,或許之後會用得上。(朋友提醒我,要注意軟體有沒有誤判)
2. Missing Anti-clickjacking Header (風險:中)
2.1. Description
The response does not include either Content-Security-Policy with ‘frame-ancestors’ directive or X-Frame-Options to protect against ‘Click.Jacking’ attacks.
2.2. Solution
Modern Web Browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
If you expect the page to be framed only by pages on your server(e.g. it’s part of a FRAMESET) then you’ll want to use SAMEORIGIN. otherwise if you nerver expect the page to be framed,you should use DENY. Alternatively consider implementing Content Security Policy’s “frame-ancestors” directive.
2.3. Before response header
2.4. 解決方式
設定web.config ,加入<add name="X-Frame-Options" value="SAMEORIGIN" />
1 | <configuration> |
2.5. After Response header
2.6. 進行OWASP ZAP 驗證
2.7. 小結
其實跟下一題解決方式一樣(X-Frame-Options Setting Malformed),筆者這邊只是練習了二次,別分使用web.config、IIS工具介面,想知道效果是不是一樣的。這裡比較令我感到好奇的是,同一個解法解決了「Missing Anti-clickjacking Header」、「X-Frame-Options Setting Malformed 」二個題目,只是有時候OWASP ZAP 出現的alert 卻是不同的。
3. X-Frame-Options Setting Malformed (風險:中)
3.1. Description
An X-Frame-Options header was present in the response but the value was not correctly set.
3.2. Solution
Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it’s part of a FRAMESET) then you’ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy’s “frame-ancestors” directive.
3.3. Before response header
3.4. 解決方式
在IIS介面使用HTTP回應標題點擊進入後,再點擊右邊的新增,開始填寫名稱、值。
3.5. After response header
3.6. 進行OWASP ZAP 驗證
4. Re-examine Cache-control Directives(風險:低)
無圖(忘了截圖,放棄補…)
4.1. Description
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
4.2. Solution
For secure content, ensure the cache-control HTTP header is set with “no-cache, no-store, must-revalidate”. If an asset should be cached consider setting the directives “public, max-age, immutable”.
4.3. Before response header
4.4. 解決方式
如果在站台下有web.config檔,則會自動添加紅色區塊的設定
4.5. After Response header
4.6. 進行OWASP ZAP驗證
無圖(忘了截圖,放棄補…)
5. X-Content-Type-Options Header Missing (風險:低)
5.1. Description
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ‘nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
5.2. Solution
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to ‘nosniff’ for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
5.3. Before response header
5.4. 解決方式
加入 <add name="X-Content-Type-Options" value="nosniff" />
1 | <configuration> |
5.5. After response header
5.6. 進行OWASP ZAP 驗證
6. Content Security Policy (CSP)
6.1. 心得說明
使用vscode的Live Serverextension跑一個臨時起一個網站,這種方式設定CSP,瀏覽器的確會吃到這個設定,比方說default-src 'none';,網頁確實都沒有相關載入資源,但是去查看response header 卻看不出CSP的設定,而且在OWASP ZAP去attack這個http://127.0.0.1:5502網站,也是會回饋沒有設定CSP。
對照的另一個實驗是在客戶的伺服器上,使用的是IIS機器。如果有設定CSP的情況下,在response header就會有看到CSP的設定,在OWASP ZAP的掃描的確有掃到CSP,並且是alert另一種CSP的問題。
可能的狀況是HTTP、HTTPS的不同? 有實體的IIS 與臨時的extension架站有實質上的差異? 不過…都沒有關係,就先以客戶的https機器 + IIS 進行測試吧…。
PS:因為跑客戶的實體機一次掃描都太久了,所以在想有沒有更快的作法,比如先掃自己電腦架的網站(的確掃描速度非常快…但就是不太正常,alert 消不掉)。
6.2. Content Security Policy(CSP) Header Not Set(風險:中)
6.2.1. Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
6.2.2. Solution
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: “Content-Security-Policy” for Chrome 25+, Firefox 23+ and Safari 7+, “X-Content-Security-Policy” for Firefox 4.0+ and Internet Explorer 10+, and “X-WebKit-CSP” for Chrome 14+ and Safari 6+.
6.2.3. Before response header
6.2.4. 解決方式
加上Content-Security-Policy,參考如下
1 | <configuration> |
6.2.5. After response header
6.2.6. 進行OWASP ZAP 驗證
6.3. CSP:Wildcard Directive(風險:中)
6.3.1. Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
6.3.2. Other Info
The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:
frame-ancestors, form-actionThe directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.
6.3.3. Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
6.3.4. Before response header
6.3.5. 解決方法
在OWASP ZAP 的 other info 裡其實有提到 frame-ancestors form-action director,所以補上了這個兩個director:
1 | <configuration> |
6.3.6. After response header
6.3.7. 進行OWASP ZAP驗證
6.4. CSP: script-src unsafe-inline(風險:中)
6.4.1. Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
6.4.2. Other Info
script-src includes unsafe-inline.
6.4.3. Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Before response header
6.4.4. 解決方式
在某一次的嘗試CSP設定為如下:
1 | <configuration> |
當時還不是很懂隨便亂設定,讓OWASP ZAP 掃描,就發現了這個風險中的alert。解決方式很簡單,將script-src改為self就可以了:
1 | <configuration> |
除此之外,在程式的部分不能有類似inlineJS的寫法,如下:
1 | <a href="javascript:goTop()" class="fs-4 bg-secondary px-2" title="Go to top" alt="go to top">TOP</a> |
這種JS寫法,必須移到index.js(舉例,可能是別的js名稱)裡面去定義相關的實作。
同樣的,在style-src 也有一樣inline的問題,我們來舉例個有問題的程式,如下:
1 | <a accesskey="M" href="#M" id="MU" class="nav-link text-white pe-0 " style="vertical-align: bottom;" title="相關連結區塊">:::</a> |
這種css寫法,必須移到all.css裡面去定義相關的實作。
6.4.5. 如果沒改會怎樣?
你會發現這定這樣的CSP規則,而程式卻沒有遵循,瀏覽器是會報錯的,並且網頁的LAYOUT會壞掉哦…(畫面就不方便截圖了), 報錯畫面如下:
6.5. OWASP ZAP 到這裡…就沒有alert了
接下來後面的東西是為了加強資安進行的實驗,於是改了一下CSP設定:
1 | <configuration> |
提供一個產生CSP規則的網站:report-uri.com
7. 其它小筆記
7.1. chrome extension CSP scanner
這個工具還滿不錯的,可以針對CSP問題進行檢測,並且回饋您一些資訊與建議。最後在用OWASP ZAP 大部分時間都是在測試 CSP的問題,但是OWASP ZAP 是很全面的掃描,所以一輪下來都會花不少時間(2~5min)。這個工具就可以直接針對CSP 進行掃描。我猜想或許在OWASP ZAP 可以設定針對CSP掃描也說不定。
7.2. IIS 的 web.config 的記錄
太久沒玩web.config了,所以稍微記錄一下實驗心得,方便回憶。
放在某個專案底下的資料夾:
web.config:
1 | <configuration> |
改完通常不用重啟服務,就直接生效了(不管是在web.config 還是在 IIS 工具介面設定都一樣)
8. 備註
寫一些有關文件
- SSH 、固定IP 在 IIS上設定的文件(複習)
- site map .xml(複習)
- robots(複習)
- 寫一個CSP相關概念文件
9. 相關連結
CSP Inline Styles
X-Content-Type-Options
SiteMap
sitemap.xml網站地圖是什麼?從工具/產生器/程式製作到進行提交教學
robots
[WordPress] 通過 OWASP ZAP 黑箱安全性檢測的幾個要點
Cache-Control
CSP 產生網站
https://report-uri.com/home/generate
CSP介紹
淺談 Content Security Policy (CSP)
Content Security Policy Reference
Content Security Policy for IIS
Content Security Policy (CSP) 筆記
Web Security 魔法使攻略─CSP bypasss
WEB應用內容安全策略(Content Security Policy)
【學習筆記】Content Security Policy 入門教程
Content-Security-Policy - HTTP Headers 的資安議題 (2)
CSP 評估
6 Common Web Application Client-side Vulnerabilities
隨手記 - IIS / IIS Express 伺服器 config 檔
X-Frame-Options
看這篇就對了->X-Frame-Options 回應標頭