Deadly sins of website security: what we learned from a year of vulnerability scan statistics

About a year ago, we at DataLine launched a service for scanning and analyzing vulnerabilities in IT systems. The service is based on the Qualys cloud solution, whose operation we have already written about. Over a year of working with the solution, we performed 291 scans of different sites and gathered statistics on the most common vulnerabilities in web applications.

In the article below I will show exactly which holes in website security hide behind the different criticality levels. Let's see which vulnerabilities the scanner found most often, why they arise, and how to protect against them.


Qualys divides all web application vulnerabilities into three criticality levels: low, medium, and high. If you look at the distribution by criticality, it seems that things are not so bad. There are few vulnerabilities with a high criticality level, and most findings are non-critical.


But non-critical does not mean harmless. These vulnerabilities can also cause significant damage.

The top "non-critical" vulnerabilities

  1. Mixed content.

    The standard for website security is transferring data between client and server over HTTPS, which supports encryption and protects information from interception.

    Some sites use mixed content: part of the data is transferred over the insecure HTTP protocol. This is often how passive content is transferred, that is, information that only affects how the site is displayed: images, CSS styles. But sometimes active content is transferred this way: scripts that control the behaviour of the site. In that case, using special software, an attacker can analyze the active content coming from the server, modify the responses on the fly, and make the application behave in a way its creators never intended.

    Newer browser versions warn users that sites with mixed content are insecure and block the content. Website developers also receive browser warnings in the developer console; Firefox, for example, reports each blocked or insecure resource there.


    Why is it dangerous? Attackers use the insecure protocol to intercept user information, replace scripts, and send requests to the site on the user's behalf. Even if the site visitor does not enter any data, this does not protect them from phishing, that is, obtaining confidential information by fraudulent means. For example, using a script, the user can be redirected to a malicious site that masquerades as one familiar to the user. In some cases the malicious site looks even better than the original, and the user may fill in the form and submit confidential data.

    What the web developer should remember: Even if the site administrator has installed and configured an SSL/TLS certificate, the vulnerability can arise through human error. For example, if on one of the pages you insert not a relative link but an absolute link beginning with http, and on top of that have not set up a redirect from http to https.

    You can find mixed content on a site using a browser: search the page source code and read the notifications in the developer console. However, the developer will have to analyze the code for a long and tedious time. You can speed up the process with automated analysis tools, for example SSL Check, the free Lighthouse software, or the paid Screaming Frog SEO Spider.

    The vulnerability may also arise from problems with legacy code, that is, code inherited from earlier work. For example, if some pages are generated from an old template that does not take into account the site's migration to https.
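    The kind of check the tools above automate can be written in a few lines. The following is an added example, not code from the article or from DataLine: it parses an HTML page served over HTTPS and reports every sub-resource that would be fetched over plain HTTP, separating active content (scripts, stylesheets, frames) from passive content (images, media). It resolves relative and protocol-relative URLs against the page URL first, so those are correctly not reported. The sample page and all host names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which (tag, attribute) pairs load a sub-resource, and whether that resource
# can change the page's behaviour ("active") or only its appearance ("passive").
RESOURCE_ATTRS = {
    ("script", "src"): "active",
    ("link", "href"): "active",      # only when rel="stylesheet", see below
    ("iframe", "src"): "active",
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentFinder(HTMLParser):
    """Collect sub-resources that an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), severity in RESOURCE_ATTRS.items():
            if tag != t or not attrs.get(attr):
                continue
            # <link> also covers canonical/alternate links; only stylesheets are fetched and applied.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
                continue
            # Relative ("/a.css") and protocol-relative ("//cdn/a.js") URLs inherit
            # the page's scheme, so resolve them before inspecting the scheme.
            resolved = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((severity, tag, resolved))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url), ...] for every http:// sub-resource on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages served over HTTPS
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not from the article): two insecure active resources,
# one insecure passive one, and references that are *not* mixed content.
PAGE_URL = "https://shop.example.com/index.html"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://cdn.example.com/site.css">
  <link rel="stylesheet" href="/static/local.css">
  <link rel="canonical" href="http://shop.example.com/">
  <script src="http://cdn.example.com/app.js"></script>
  <script src="//cdn.example.com/lib.js"></script>
</head><body>
  <img src="http://images.example.com/logo.png">
  <img src="https://images.example.com/secure.png">
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{severity:7s} <{tag}> {url}")
```

    Active findings are the ones to fix first: a replaced stylesheet or script changes what the page does, while a replaced image only changes what it shows. Running this over the rendered output of every template (rather than a single page) is what catches the legacy-template case described above.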

  2. Cookies without the "HttpOnly" and "Secure" flags.

    The "HttpOnly" attribute protects cookies from being read by scripts, which attackers use to steal user data. The "Secure" flag does not allow cookies to be sent in clear text: transmission is only permitted if the cookie is sent over the secure HTTPS protocol.

    Both attributes are specified in the cookie's properties (name and value are placeholders):

    Set-Cookie: <name>=<value>; Secure; HttpOnly

    Why is it dangerous? If the site developer has not specified these attributes, an attacker can intercept the user's information from the cookie and use it. If cookies are used for authentication and authorization, the attacker can hijack the user's session and perform actions on the site on the user's behalf.

    What the web developer should remember: As a rule, popular frameworks set these attributes by default. But still check the web server configuration and set the flags: Set-Cookie ... HttpOnly; Secure.

    Note that the "HttpOnly" attribute will also make the cookie invisible to your own JavaScript.

  3. Path-based vulnerability.

    The scanner reports such a vulnerability when it finds a publicly accessible file or directory of the website containing potentially confidential information. For example, it finds individual system configuration files, or access to the whole file system. This situation is possible if access rights on the site are set incorrectly.

    Why is it dangerous? If the file system "sticks out", an attacker can get into the operating system and look for folders with passwords, if they are stored in plain text (don't do that!). Or steal password hashes and brute-force the passwords, then try to escalate privileges in the system and move deeper into the infrastructure.

    What the web developer should remember: Don't forget about access rights, and configure the platform, web server, and web application so that "escaping" from the web directory is impossible.
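    One place where "escaping" the web directory happens is an application handler that maps a request path onto a file. The following is an added example, not code from the article or DataLine, showing how such a handler should confine every request to the document root. The root path and the requests are constructed; the check compares resolved path components rather than string prefixes, decodes percent-encoding once so encoded dots are seen, and rejects embedded NUL bytes.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(web_root: str, requested: str) -> Optional[Path]:
    """Map a requested URL path onto a file inside web_root.

    Returns the resolved filesystem path, or None when the request would
    escape the document root (".." segments, URL-encoded dots, absolute paths,
    or a symlink pointing outside the root)."""
    root = Path(web_root).resolve()

    # Decode percent-encoding once, so "%2e%2e" is seen as "..".
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None  # embedded NUL bytes are never part of a legitimate path

    # Drop the leading slash so the request is always joined *under* root
    # instead of being treated as an absolute filesystem path.
    # resolve() also follows symlinks, so a link out of the root is caught too.
    candidate = (root / decoded.lstrip("/")).resolve()

    # Compare path components, not string prefixes: a prefix test would
    # accept "/srv/www/example-other" as being inside "/srv/www/example".
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


def serve(web_root: str, requested: str) -> str:
    """Minimal stand-in for a request handler (constructed for the example)."""
    target = resolve_under_root(web_root, requested)
    if target is None:
        return "403 Forbidden"
    return f"200 OK {target}"


if __name__ == "__main__":
    ROOT = "/srv/www/example"  # constructed document root
    for req in ("/css/site.css", "/../../etc/passwd", "/css/%2e%2e/%2e%2e/.env"):
        print(f"{req:32s} -> {serve(ROOT, req)}")
```

    Whatever the web server's own configuration does, the application should make this check itself, since a misconfigured server or reverse proxy in front of it is exactly the case the scanner flags.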

  4. Forms for entering sensitive data with autofill enabled.

    If a user frequently fills in forms on websites, the browser stores this information using its autofill feature.

    Forms on a website may include fields with sensitive information, such as passwords or credit card numbers. For such fields, it is worth disabling autofill on the site side.

    Why is it dangerous? If the user's browser stores sensitive information, an attacker may obtain it later, for example through phishing. In effect, a web developer who has forgotten about this nuance sets up their own users.

    What the web developer should remember: Here we have the age-old conflict: convenience vs security. If the web developer cares about the user experience, they may choose to keep autocomplete. For example, if it is important to follow the Web Content Accessibility Guidelines, the recommendations for making content accessible to users with disabilities.

    In most browsers you can disable autocomplete with the autocomplete="off" attribute, for example:

    <body>
      <form action="/form/submit" method="get" autocomplete="off">
        <div>
          <input type="text" placeholder="First Name">
        </div>
        <div>
          <input type="text" id="lname" placeholder="Last Name" autocomplete="on">
        </div>
        <div>
          <input type="number" placeholder="Credit card number">
        </div>
        <input type="submit">
      </form>
    </body>

    But this will not work in Chrome. There it is worked around with JavaScript; one variant of the recipe can be found here.

  5. The X-Frame-Options header is not set in the site code.

    This header affects the frame, iframe, embed, and object tags. With it, you can completely forbid embedding your site inside a frame. To do this, specify the value X-Frame-Options: deny. Alternatively, specify X-Frame-Options: sameorigin, and embedding in an iframe will only be possible within your own domain.

    Why is it dangerous? The absence of this header can be used by malicious sites for clickjacking. In this attack, the attacker creates a transparent frame over the buttons and deceives the user. For example: fraudsters embed social network pages on their website. The user thinks they are clicking a button on that site. Instead, the click is intercepted and the user's request is sent to the social network, where the user has an active session. This is how attackers send spam on behalf of the user or gain subscribers and likes.

    If you do not disable framing, an attacker can place a button of your application on a malicious site. They may be interested in your referral program or in your users.

    What the web developer should remember: The vulnerability can also occur if X-Frame-Options with a conflicting value is set on the web server or load balancer. In this case, the server and balancer will simply overwrite the header, since they have higher priority than the backend code.

    The deny and sameorigin values of the X-Frame-Options header will interfere with Yandex Webvisor. To allow the use of iframes in Webvisor, you need to write a separate rule in the settings. For example, with nginx you can configure it like this:

    http {
    ...
        map $http_referer $frame_options {
            "~webvisor.com" "ALLOW-FROM http://webvisor.com";
            default         "SAMEORIGIN";
        }
        add_header X-Frame-Options $frame_options;
    ...
    }

  6. PRSSI (path-relative stylesheet import) vulnerability.

    This is a vulnerability in the site's styles. It occurs when relative links such as href="/somefolder/styles.css/" are used to load stylesheets. An attacker will exploit this if they find a way to redirect the user to a malicious page. That page inserts the relative link into its own URL and imitates the call to the stylesheet. The result is a request like badsite.ru/…/somefolder/styles.css/, which can perform malicious actions under the guise of a stylesheet.

    Why is it dangerous? A fraudster can exploit this vulnerability if they also find another security hole. As a result, user data from cookies or tokens can be stolen.

    What the web developer should remember: Set the X-Content-Type-Options header to: nosniff. The browser will then check the content type of the stylesheet response. If the type is anything other than text/css, the browser will block the request.
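    Items 2, 5 and 6 above are all problems visible in a single HTTP response's headers, so they can be checked together. The following is an added example, not code from the article, Qualys or DataLine: an audit function that takes the response headers (names lowercased, Set-Cookie as a list because it may appear several times) and reports cookies missing Secure or HttpOnly, a missing or non-standard X-Frame-Options value, and a missing X-Content-Type-Options: nosniff. The two header sets at the bottom are constructed, one weak and one hardened.

```python
from typing import Dict, List, Union

Headers = Dict[str, Union[str, List[str]]]


def audit_response_headers(headers: Headers) -> List[str]:
    """Return human-readable findings for the header weaknesses discussed in
    items 2 (cookie flags), 5 (framing) and 6 (MIME sniffing) above."""
    findings: List[str] = []

    # 2. Cookies without HttpOnly / Secure. Attribute names are case-insensitive.
    cookies = headers.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for raw in cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            findings.append(f"cookie {name!r} is missing {', '.join(missing)}")

    # 5. X-Frame-Options (clickjacking). Only DENY and SAMEORIGIN are understood by
    # every browser; other values (including the obsolete ALLOW-FROM) are ignored by some.
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options not set: page can be framed by any origin")
    elif str(xfo).strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has non-standard value {str(xfo).strip()!r}")

    # 6. X-Content-Type-Options (PRSSI / MIME sniffing).
    xcto = headers.get("x-content-type-options")
    if xcto is None or str(xcto).strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set: a non-CSS response may be sniffed as a stylesheet")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS: Headers = {
    "content-type": "text/html",
    "set-cookie": ["sessionid=abc123; Path=/", "theme=dark; Path=/; Secure"],
}
HARDENED_HEADERS: Headers = {
    "content-type": "text/html",
    "set-cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly"],
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(hdrs) or ["no findings"])
```

    Run this against the headers the client actually receives, not against what the backend emits: as noted for X-Frame-Options, a web server or load balancer in front of the application may overwrite what the code sets.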

Critical vulnerabilities

  1. A page with a password field is served over an insecure channel (the HTML form containing password fields is delivered over HTTP).

    A server response over an unencrypted channel is vulnerable to a "man in the middle" attack. An attacker can intercept the traffic and wedge themselves between client and server while the page travels from the server to the client.

    Why is it dangerous? The fraudster can modify the page and present the user with a form for confidential data that is submitted to the attacker's server.

    What the web developer should remember: Some sites send users a one-time code by email or phone instead of a password. In that case the vulnerability is not as critical, but the approach makes users' lives harder.

  2. A form with login and password is submitted over an insecure channel (Login Form Is Not Submitted Via HTTPS).

    In this case, the form with the login and password is sent from the user to the server over an unencrypted channel.

    Why is it dangerous? Unlike the previous case, this is already a serious vulnerability. Obtaining the sensitive data is easy, because you do not even need to write code to do it.

  3. Using JavaScript libraries with known vulnerabilities.

    During scanning, the most commonly used library was jQuery, in a huge variety of versions. Each version has one or more known vulnerabilities. The impact varies greatly depending on the type of vulnerability.

    Why is it dangerous? Ready-made exploits exist for known vulnerabilities.


    What the web developer should remember: Keep returning to the cycle: check for known vulnerabilities, fix, test. If you deliberately use outdated libraries, for example to support old browsers or to save money, check whether there is a way to fix the known vulnerability.

  4. Cross-site scripting (XSS).
    Cross-Site Scripting (XSS) is an attack on a web application that results in malicious code being injected into the database. If Qualys finds such a vulnerability, it means that a potential attacker can, or already has, injected their own JS script into the site code to perform malicious actions.

    Stored XSS is the most dangerous, since the script is embedded on the server and executed every time the attacked page is opened in a browser.

    Reflected XSS is easier to carry out, since the malicious script can be embedded in an HTTP request. The application receives the HTTP request, does not validate the data, packages it, and sends it straight back. If an attacker intercepts the traffic and inserts a script such as

    <script>/*+something+bad+*/</script>

    the malicious request will be sent on behalf of the client.

    A striking example of XSS: JS sniffers that imitate the pages for entering the CVC, card expiry date, and so on.

    What the web developer should remember: In the Content-Security-Policy header, use the script-src directive to force the client's browser to download and execute code only from a trusted source. For example, script-src 'self' authorizes only scripts originating from our own site.
    Best practice for inline code: allow only inline JavaScript using the unsafe-inline value. This value permits inline js/css but does not forbid embedding js files. Combined with script-src 'self', we prevent external scripts from being used.

    Make sure you log everything using report-uri and watch for attempts to exploit it on the site.
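    The reflected case above comes down to a request parameter reaching the page unchanged. The following is an added example, not code from the article: a vulnerable render function beside its hardened form, which HTML-escapes the parameter so the browser shows it as text, plus a builder for the Content-Security-Policy header recommended above (script-src 'self' with a report-uri). The marker string and the /csp-report path are constructed for the example.

```python
import html


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: the request parameter is spliced into the markup unchanged, so a
    value such as <script>...</script> is parsed and executed by the browser."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: html.escape turns <, >, &, " and ' into entities, so the browser
    renders the parameter as text instead of interpreting it as HTML."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def build_csp(report_uri: str = "/csp-report") -> str:
    """Second line of defence from the recommendation above: a Content-Security-Policy
    that lets the browser run only scripts served from our own origin and reports
    every violation to report_uri (a constructed path, not the article's)."""
    directives = [
        "default-src 'self'",
        "script-src 'self'",   # no inline scripts, no third-party script hosts
        "object-src 'none'",   # no plugin content at all
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)


def response_headers() -> dict:
    """Headers a handler would send alongside the escaped body."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": build_csp(),
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample input: a harmless marker in place of a real payload.
PAYLOAD = "<script>/* constructed marker */</script>"

if __name__ == "__main__":
    print("unsafe :", render_greeting_unsafe(PAYLOAD))
    print("safe   :", render_greeting_safe(PAYLOAD))
    print("headers:", response_headers())
```

    Escaping is the fix; the CSP limits the damage when some template somewhere forgets to escape, and its report-uri reports are the signal to watch for in monitoring.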

  5. SQL injection.
    The vulnerability indicates that it is possible to inject SQL code into the website which accesses the website's database directly. SQL injection is possible when data coming from the user is not checked: it is not validated for correctness and is used directly in the query. For example, this happens when a form on the website does not check that the input matches the expected data type.

    Why is it dangerous? If an attacker inserts an SQL query into such a form, they can crash the database or reveal confidential information.

    What the web developer should remember: Do not trust anything that comes from the browser. You need protection on both the client side and the server side.

    On the client side, write field validation in JavaScript.

    Built-in functions of popular frameworks also help escape suspicious characters on the server. Using parameterized database queries on the server is also recommended.

    Determine where in the web application direct interaction with the database takes place.

    Interaction happens whenever we receive any information: a request with an id (a change of id), creation of a new user, a new comment, or new entries in the database. This is where SQL injection can happen. Even when we delete a record from the database, SQL injection is possible.
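    The server-side recommendations above, parameterized queries and type checking of the input, look like this in practice. The following is an added example, not code from the article, using an in-memory SQLite database constructed for the purpose: a lookup that splices the login into the query text beside the same lookup with a bound parameter, an allow-list check on the login field, and the "request with an id" case handled by converting the input to an integer before it reaches the database. The table, rows and input strings are all constructed.

```python
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (login, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, login: str) -> List[Tuple[str, str]]:
    """Vulnerable: the user-supplied value becomes part of the SQL text, so the
    database parses whatever the user typed as query syntax."""
    sql = f"SELECT login, role FROM users WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, login: str) -> List[Tuple[str, str]]:
    """Hardened: parameter binding sends the value separately from the query text,
    so it is compared as data and never parsed as SQL."""
    return conn.execute("SELECT login, role FROM users WHERE login = ?", (login,)).fetchall()


def validate_login(login: str) -> bool:
    """Server-side input validation (defence in depth): the field has an expected
    shape, so anything outside it is rejected before any query is built."""
    return login.isascii() and login.isalnum() and 1 <= len(login) <= 32


def find_user_by_id(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[str, str]]:
    """The 'request with an id' case: convert to the expected type first.
    int() raises ValueError for input such as "1 OR 1=1", which never reaches the database."""
    user_id = int(raw_id)
    return conn.execute("SELECT login, role FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    injected = "x' OR '1'='1"   # constructed input that turns the unsafe query into "match everything"
    print("unsafe  :", find_user_unsafe(conn, injected))
    print("safe    :", find_user_safe(conn, injected))
    print("valid?  :", validate_login(injected), validate_login("alice"))
    print("by id   :", find_user_by_id(conn, "2"))
```

    The two lookups differ in one line only, which is why this defect is so common: the vulnerable version works perfectly on every well-formed input, and only the parameterized version stays correct on hostile ones.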

General recommendations

Don't reinvent the wheel: use proven frameworks. As a rule, popular frameworks are more secure. For .NET, ASP.NET MVC and ASP.NET Core; for Python, Django or Flask; for Ruby, Ruby on Rails; for PHP, Symfony, Laravel, Yii; for JavaScript, Node.js with Express.js; for Java, Spring MVC.

Follow vendor updates and update regularly. Someone finds a vulnerability, then an exploit is written and made public, and the whole story repeats. Subscribe to stable release updates from the software vendor.

Check access rights. On the server side, always treat your code as if, from the first line to the last, it had been written by your worst enemy, who wants to break your site and violate the integrity of your data. Moreover, sometimes this is literally true.

Use clones and test sites, and only then roll out to production. This helps, first of all, to avoid mistakes and errors in the production environment: production brings in money, so production downtime is critical. When adding, fixing or closing any problem, work in the test environment first, then test the functionality and the vulnerabilities found, and only then plan the work on the production environment.

Protect your web application with a Web Application Firewall and integrate the vulnerability scanner's reports with it. For example, DataLine uses Qualys and FortiWeb as a bundle of services.

Source: www.habr.com
