Deadly sins of website security: what we learned from a year of vulnerability statistics

About a year ago, we at DataLine launched a service for finding and analyzing vulnerabilities in IT applications. The service is built on the Qualys cloud solution, whose operation we have already described. Over a year of working with this solution, we scanned 291 different websites and collected statistics on the vulnerabilities typical of websites.

In the article below I will show exactly which website security holes hide behind the different severity levels. Let's look at the vulnerabilities the scanner finds most often, why they occur, and how to protect against them.


Qualys divides all web vulnerabilities into three severity levels: low, medium and high. If you look at the distribution by severity, things don't look so bad. There are few high-severity vulnerabilities; most of them are non-critical:


But low severity does not mean there is no problem. These vulnerabilities can also do serious damage.

Top "non-critical" vulnerabilities

  1. Mixed content.

    The security baseline for a website is to transfer data between client and server over HTTPS, which encrypts the traffic and protects it from being read or tampered with in transit.

    Some sites use mixed content: part of the data is transferred over plain HTTP. Most often this is how passive content is delivered, content that only affects how the site looks: images, CSS stylesheets. But sometimes active content is delivered this way: scripts that control the site's behaviour. In that case, with the right tooling, an attacker can analyze the traffic coming from the server, modify the responses on the fly and make the page behave in a way its authors never intended.

    Newer browser versions warn users that pages with mixed content are insecure and block that content. Web developers also see the browser's warnings in the console; Firefox, for example, reports each blocked resource there.


    Risks: Attackers use the insecure protocol to tamper with the user's data, substitute scripts and send requests to the site on the user's behalf. Even if the visitor entered no data on the site, that does not protect them from phishing, obtaining confidential data by fraudulent means. For example, a script can redirect the user to an insecure site that impersonates one the user knows. Sometimes the malicious site looks even better than the original, and the user fills in the form and hands over their confidential data themselves.

    What a web developer should remember: Even if the site administrator has installed and configured an SSL/TLS certificate, the vulnerability can still appear through human error. For example, if on some page you inserted not a relative link but a full link starting with http://, and on top of that did not configure a redirect from http to https.

    You can detect mixed content on a site with a browser: inspect the page source and read the warnings in the browser console. But that means the developer has to comb through the code for a long time and tediously. Automated checkers speed this up, for example SSL Check, the free Lighthouse tool, or the paid Screaming Frog SEO Spider.

    The vulnerability can also come from legacy code you inherited. For example, if some pages were built from an old template that predates the site's move to https.
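    A small mixed-content checker of the kind the tools above automate, added here as an example (it is not code from the article or from any of the tools named). It walks a page's HTML with the standard library, resolves every resource reference against the page URL, and reports those that resolve to http://, separating active content (scripts, stylesheets, frames, and forms that post to http) from passive content (images and media). The element lists and the sample page are my own constructed choices.

```python
# Added example (not code from the DataLine article): find mixed content on a
# page served over https, using only the Python standard library.  Element
# lists and the sample page below are constructed for this example.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Resources that can execute or change page behaviour ("active") versus those
# that only affect appearance ("passive"), as the section above distinguishes.
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form" and attrs.get("action"):
            # A form posting to http:// sends whatever the user typed in cleartext.
            self._check("active", tag, attrs["action"])
        elif tag in ACTIVE and attrs.get(ACTIVE[tag]):
            # Only stylesheet <link>s load styling content; skip icons, prefetch etc.
            if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
                return
            self._check("active", tag, attrs[ACTIVE[tag]])
        elif tag in PASSIVE and attrs.get(PASSIVE[tag]):
            self._check("passive", tag, attrs[PASSIVE[tag]])

    def _check(self, severity, tag, ref):
        # Relative and protocol-relative (//host/path) references inherit https
        # from the page, so only references resolving to http:// are mixed content.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url), ...] for http:// resources on an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("the page itself must be served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: an absolute http script and image (both flagged),
# a relative stylesheet and a protocol-relative image (both fine), and a login
# form that posts to http (flagged).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="http://example.com/logo.png">
<img src="//example.com/banner.png">
<form action="http://example.com/login" method="post">
  <input type="password" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://example.com/", SAMPLE_HTML):
        print(f"{severity:<8}<{tag}> {url}")
```

    The form check goes slightly beyond this section: a login form whose action points at http:// is exactly the "form submitted over an insecure channel" case listed among the critical vulnerabilities later in the article, and it is caught by the same pass.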

  2. Cookies without the "HttpOnly" and "Secure" flags.

    The "HttpOnly" attribute protects cookies from being read by scripts, which attackers use to steal data. The "Secure" flag does not allow cookies to be sent in cleartext: the browser sends them only when the secure HTTPS protocol is used.

    Both attributes are set in the cookie's properties, for example:

    Set-Cookie: <name>=<value>; Secure; HttpOnly

    Risks: If the web developer has not specified these attributes, an attacker can intercept the user's information from the cookie and use it. If cookies are used for authentication and authorization, the attacker can hijack the user's session and act on the site on their behalf.

    What a web developer should remember: As a rule, popular frameworks set these attributes automatically. Still, check the server configuration and set the flags: Set-Cookie: <name>=<value>; HttpOnly; Secure.

    Bear in mind that the "HttpOnly" attribute makes the cookie invisible to your own JavaScript as well.

  3. Path traversal vulnerabilities.

    The scanner reports this vulnerability when it finds a publicly accessible file or site directory containing confidential information. For example, it detects configuration files of all kinds, or a directory listing that exposes every file. This happens when access rights on the site are configured incorrectly.

    Risks: If a file "leaks", the attacker can reach the application's file system and go looking for folders with passwords, if those are stored in plaintext (don't!). Or they can steal password hashes and brute-force them, then try to escalate privileges on the system and move deeper into the infrastructure.

    What a web developer should remember: Don't forget about access rights; configure the platform, the web server and the web application so that it is impossible to "escape" the web directory.
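    One way to enforce "no escaping the web directory" in application code, added here as an example (not code from the article): every requested path is decoded, mapped under a fixed web root, resolved so that ".." segments and symlinks are collapsed, and then compared against the resolved root before anything is served. The hidden-file rule (no dotfiles such as .env) and the throwaway demo root are my own constructed choices.

```python
# Added example (not code from the article): map a requested path onto a fixed
# web root and refuse anything that would escape it or expose a config file.
# The demo root and the dotfile rule below are constructed for this example.
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_under_root(web_root, requested):
    """Return the absolute Path of `requested` if it names a regular file inside
    web_root, otherwise None.  Decodes one level of percent-encoding, then
    resolves symlinks and ".." before comparing against the resolved root."""
    root = Path(web_root).resolve()
    # "/etc/passwd" is treated as relative to the web root, not to the host.
    relative = unquote(requested).lstrip("/\\")
    candidate = (root / relative).resolve()
    try:
        inside = candidate.relative_to(root)
    except ValueError:
        return None            # ".." segments or a symlink led outside the root
    # Dotfiles such as .env or .htpasswd are configuration, never static content.
    if any(part.startswith(".") for part in inside.parts):
        return None
    if not candidate.is_file():
        return None            # directories (listings) and missing files are not served
    return candidate


def make_demo_root():
    """Create a throwaway web root with one servable file and one config file."""
    root = Path(tempfile.mkdtemp())
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body {}")
    (root / ".env").write_text("DB_PASSWORD=constructed-example")  # must never be served
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for req in ("css/site.css", "css/../css/site.css", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", ".env", "css/"):
        print(f"{req:28} -> {resolve_under_root(root, req)}")
```

    The comparison is done on resolved paths on purpose: a string check for ".." misses symlinks and encoded forms, whereas `relative_to` on the resolved candidate fails for anything that does not live below the resolved root.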

  4. Forms for confidential data with autofill enabled.

    When a user regularly fills in forms on sites, their browser saves that data through the autofill feature.

    Forms on a site can include fields with confidential information, such as passwords or credit card numbers. For such fields it is worth disabling autofill on the site itself.

    Risks: If the user's browser saves confidential data, an attacker can later obtain it, for example through phishing. In effect, a web developer who forgot this detail is setting up their own users.

    What a web developer should remember: Here we have the classic conflict: convenience vs. security. If the web developer thinks about user experience, they can make a deliberate choice. For example, when it is important to follow the Web Content Accessibility Guidelines, the recommendations on content accessibility for users with disabilities.

    For most browsers you can disable completion with autocomplete="off", for example:

    <body>
      <!-- autocomplete="off" on the form applies to every field without its own setting -->
      <form action="/form/submit" method="get" autocomplete="off">
        <div>
          <input type="text" placeholder="First Name">
        </div>
        <div>
          <!-- a single field can opt back in -->
          <input type="text" id="lname" placeholder="Last Name" autocomplete="on">
        </div>
        <div>
          <input type="number" placeholder="Credit card number">
        </div>
        <input type="submit">
      </form>
    </body>

    But this does not work in Chrome. It can be worked around with JavaScript; a solution can be found here.

  5. The X-Frame-Options header is not set in the site's code.

    This header affects the frame, iframe, embed and object tags. With it you can completely forbid embedding your site inside a frame: to do so, specify the value X-Frame-Options: deny. Or you can specify X-Frame-Options: sameorigin, and then embedding in an iframe is allowed only on your own domain.

    Risks: The absence of this header can be exploited by malicious sites for clickjacking. In this attack the attacker places a transparent frame over buttons and tricks the user. For example: scammers embed social network pages on their site. The user thinks they are clicking a button on this site. In reality the click is intercepted and the user's request goes to the social network, where they have an active session. This is how attackers send spam on the user's behalf or collect subscribers and likes.

    If you do not block this, an attacker can embed your application's button on a malicious site. They may be interested in your affiliate program or in your users.

    What a web developer should remember: The vulnerability can also arise when X-Frame-Options with a conflicting value is set on the web server or load balancer. In that case the server or balancer simply overwrites the header, since they take precedence over the backend code.

    The deny and sameorigin values of X-Frame-Options will break Yandex Webvisor. To allow iframes for Webvisor you need to write a separate rule in the configuration. For nginx, for example, it can be configured like this:

    http {
        ...
        # Allow framing only from Webvisor; everyone else gets SAMEORIGIN
        map $http_referer $frame_options {
            "~webvisor.com" "ALLOW-FROM http://webvisor.com";
            default         "SAMEORIGIN";
        }
        add_header X-Frame-Options $frame_options;
        ...
    }

  6. PRSSI (path-relative stylesheet import) vulnerability.

    This is a vulnerability in how the site's styles are loaded. It occurs when path-relative links such as href="somefolder/styles.css/" are used to include files. An attacker exploits it if they find a way to send the user to a malicious page. That page inserts the relative link into its own URL and imitates the stylesheet request. The result is a request like badsite.ru/…/somefolder/styles.css/, which, depending on the stylesheet, can do harm.

    Risks: A fraudster can use this vulnerability if they find another security hole alongside it. As a result, user data can be stolen from cookies or tokens.

    What a web developer should remember: Set the X-Content-Type-Options header to nosniff. Then the browser checks the content type of the stylesheet response; if the type is anything other than text/css, the browser blocks the request.

Critical vulnerabilities

  1. A page with a password field is served by the server over an insecure channel (HTML form containing a password field is served over HTTP).

    Server responses sent over an unencrypted channel are exposed to a man-in-the-middle attack. An attacker can intercept the traffic and insert themselves between client and server while the page is travelling from the server to the client.

    Risks: The fraudster can replace the page and send the user a form for entering confidential data that goes to the attacker's server instead.

    What a web developer should remember: Some sites send users a one-time code by email or phone instead of having them enter a password. In that case the vulnerability is not as critical, but the mechanism makes life harder for users.

  2. Submitting a form with login and password over an insecure channel (Login form is not submitted via HTTPS).

    Here the form with the login and password is sent from the user to the server over an unencrypted channel.

    Risks: Unlike the previous case, this vulnerability is more critical. Intercepting sensitive data is easier, because you do not even need to write code to do it.

  3. Use of JavaScript libraries with known vulnerabilities.

    During scanning, the most widely used library was jQuery, in a great many versions. Each version has one or more known vulnerabilities. The consequences vary widely depending on the nature of the vulnerability.

    Risks: Public exploits exist for known vulnerabilities.


    What a web developer should remember: Keep returning to the cycle: check for known vulnerabilities, fix, check again. If you deliberately use legacy libraries, for example to support old browsers or to save money, look for a way to patch the known vulnerability.

  4. Cross-site scripting (XSS).
    Cross-Site Scripting (XSS) is an attack on a web application in which malicious code is injected into the database. If Qualys finds this vulnerability, it means an attacker can inject, or has already injected, their own JavaScript into the page's code to perform malicious actions.

    Stored XSS is the more dangerous kind, because the script sits on the server and runs every time the affected page is opened in a browser.

    Reflected XSS is easier to carry out, because the malicious script can be injected into an HTTP request. The application receives the HTTP request, does not validate the data, packages it and sends it straight back. If an attacker intercepts the traffic and inserts a script like

    <script>/*+something+bad+*/</script>

    then the malicious request is sent on the client's behalf.

    A telling example of XSS: JS sniffers that imitate the pages for entering the CVC, the card's expiry date and so on.

    What a web developer should remember: In the Content-Security-Policy header, use the script-src directive to force the client's browser to download and execute code only from a trusted source. For example, script-src 'self' authorizes only scripts from our own site.
    The best option for inline code: allow inline JavaScript only via the 'unsafe-inline' value. This value permits inline JS/CSS but does not forbid including JS files. In combination with script-src 'self' we forbid executing external scripts.

    Be sure to log everything with report-uri and monitor attempts to exploit the site.
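    The header checks from sections 2 (Secure/HttpOnly cookies), 5 (X-Frame-Options), 6 (X-Content-Type-Options: nosniff) and this one (Content-Security-Policy with script-src and report-uri) can be run over a server's response headers in one pass. The audit below is an added example, not code from the article or from Qualys; the header values it flags and the two sample responses are my own constructed choices. One check is stricter than the advice above: with 'unsafe-inline' in script-src, an inline script that an attacker managed to inject is still allowed to run, so the audit reports that value unless a nonce or hash source is also present (browsers then ignore 'unsafe-inline').

```python
# Added example (not code from the article): audit the security-relevant
# response headers discussed in the sections on cookies, X-Frame-Options,
# X-Content-Type-Options and Content-Security-Policy.  Sample responses are
# constructed for this example.


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def parse_csp(value):
    """\"script-src 'self'; report-uri /csp\" -> {'script-src': [\"'self'\"], ...}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    lower = [(n.lower(), v) for n, v in headers]
    by_name = dict(lower)   # last value wins for single-valued headers

    # Section 2: every cookie should carry Secure and HttpOnly.
    for name, value in lower:
        if name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie!r} lacks {flag}")

    # Section 5: framing must be restricted (deny or sameorigin).
    xfo = by_name.get("x-frame-options", "").strip().lower()
    if xfo not in ("deny", "sameorigin"):
        findings.append(f"X-Frame-Options missing or permissive: {xfo or '(absent)'}")

    # Section 6: stop the browser from sniffing a non-CSS response into a stylesheet.
    if by_name.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    # XSS section: script sources must be restricted, and report-uri enables logging.
    csp = parse_csp(by_name.get("content-security-policy", ""))
    sources = csp.get("script-src") or csp.get("default-src")
    if not sources:
        findings.append("Content-Security-Policy has no script-src/default-src")
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in sources:
            findings.append("script-src allows any origin (*)")
    if "report-uri" not in csp and "report-to" not in csp:
        findings.append("CSP has no report-uri/report-to, violations will not be logged")
    return findings


# Constructed responses: a weak one and its corrected counterpart.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Content-Security-Policy", "script-src * 'unsafe-inline'"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "script-src 'self'; report-uri /csp-report"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or "OK")
```

    Run against the response headers of a deployed site (for example as captured by a browser's network panel), this also catches the case from section 5 where a web server or balancer overwrote the backend's X-Frame-Options with a permissive value, because it looks only at what actually reached the client.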

  5. SQL injection.
    This vulnerability indicates that SQL code can be injected into a site that queries its database directly. SQL injection is possible when data coming from the user is not sanitized: it is not checked for correctness and goes straight into the query. For example, this happens when a form on the site does not check that the input matches the expected data type.

    Risks: If an attacker enters an SQL query into such a form, they can corrupt the database or disclose confidential information.

    What a web developer should remember: Don't trust anything that comes from the browser. You need protection on both the client side and the server side.

    On the client side, write field validation in JavaScript.

    The built-in functions of popular frameworks also help escape suspicious characters on the server. On the server it is also recommended to use parameterized database queries.

    Find out exactly where the site interacts with the database.

    Interaction happens whenever we receive any information: a request with an id (changing the id), creating a new user, a new comment or new records in the database. That is where SQL injection can occur. Even when we only read records from the database, SQL injection is possible.
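    The difference between pasting user input into the query text and passing it as a parameter, shown on a read-only lookup of the kind the last paragraph warns about. This is an added example, not code from the article; the in-memory SQLite table, its two rows, and the login-format rule used for server-side validation are constructed for the demonstration.

```python
# Added example (not code from the article): the same user lookup written with
# string formatting (injectable) and with a parameterized query, run against
# an in-memory SQLite database with constructed data.
import sqlite3


def make_db():
    """Constructed sample table: two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (login, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_unsafe(conn, login):
    # Vulnerable: the user's input becomes part of the SQL text, so a quote in
    # it changes the structure of the query rather than being matched as data.
    sql = f"SELECT login, email FROM users WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    # Parameterized: the driver passes the value separately from the SQL, so
    # whatever characters it contains, it is only ever compared as a string.
    return conn.execute("SELECT login, email FROM users WHERE login = ?", (login,)).fetchall()


def is_valid_login(login):
    # Server-side validation as a second layer (constructed rule for this
    # example): a login is 1-32 characters of letters, digits or underscore.
    return 1 <= len(login) <= 32 and login.replace("_", "").isalnum()


def demo():
    conn = make_db()
    ordinary = "alice"
    # Constructed input containing a quote and a tautology, the classic shape of
    # a value that must be treated as data, not as SQL.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_ordinary": find_user_unsafe(conn, ordinary),
        "unsafe_hostile": find_user_unsafe(conn, hostile),   # returns every row
        "safe_hostile": find_user_safe(conn, hostile),       # returns nothing
        "validated": is_valid_login(hostile),                # rejected before any query
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

    Validation and parameterization are both kept because they answer different questions: the format check rejects values that can never be a login, while the parameterized query guarantees that even a value which passes validation cannot alter the SQL.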

Key takeaways

Don't reinvent the wheel: use proven tools. As a rule, popular frameworks are more secure. For .NET: ASP.NET MVC and ASP.NET Core; for Python: Django or Flask; for Ruby: Ruby on Rails; for PHP: Symfony, Laravel, Yii; for JavaScript: Node.js with Express.js; for Java: Spring MVC.

Follow vendor updates and update regularly. Someone will find a vulnerability, then write an exploit for it, then publish it, and the whole cycle starts again. Subscribe to stable-release updates from your software vendors.

Check permissions. On the server side, always treat your code as if, from the first letter to the last, it had been written by your sworn enemy, who wants to break your site and compromise the integrity of your data. Sometimes, after all, that is exactly the case.

Use clones and test environments, and only then deploy to production. This helps, first of all, to avoid errors and bugs in the production environment: production makes money, and production downtime is very expensive. When adding, fixing or closing any problem, work in the test environment first, check functionality and the vulnerabilities found, and only then plan the work on production.

Protect your web application with a Web Application Firewall and integrate the vulnerability scanner's reports with it. For example, DataLine uses Qualys and FortiWeb together as a bundle of services.

Source: www.habr.com
