OWASP Top Ten Web Vulnerabilities
I remember the first time one of my sites got hacked.
The client emailed saying their website was taking ages to load. I jumped online as soon as I got home from college and noticed somebody had used SQL injection to inject a <script> tag into all the product titles.
The script attempted to redirect visitors to a malicious website. I was devastated.
This was back in 2004, and I had just taught myself ASP and SQL Server. It was a sobering moment and one that brought home the realisation that any website could be a target, no matter how small.
It also taught me about the importance of web security, and it’s been at the forefront of my development process ever since.
No site can ever be completely safe — the sheer number of high-profile breaches are a testament to this. But you can follow some best practices to make your site less of a target for a casual malicious actor or automated script.
The Open Web Application Security Project (OWASP) is an international non-profit organisation dedicated to creating awareness about web application security.
The OWASP Top Ten is a standard awareness guide about web application security and consists of the topmost critical security risks to web applications.
Laravel is one of my favourite PHP frameworks. I’ve used it extensively over the years for anything from small business sites to large fintech and e-commerce applications demanding security at the core.
The great thing is, Laravel takes care of many of these security features out of the box.
I’ll run through the OWASP Top Ten and note how you can harden your Laravel web applications with some basic security best practices.
“Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation.” —
The Laravel query builder uses PDO parameter binding to protect the application against SQL injection attacks. This means you don’t have to sanitise values being passed as bindings.
Be aware that Laravel also allows you to run raw SQL queries. You should avoid this if possible. Stick to instead.
Bear in mind that PDO does not support binding column names. You should never use input from users to dictate the table column name, including columns used in an ORDER BY statement.
If you do need some flexibility, ensure you check the column names against a whitelist.
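As an added example (not code from the original article), a controller that lets the client choose the sort column only from a fixed allowlist while the search term travels as a PDO binding; the products table, its columns and the request parameter names are assumptions:

```php
<?php
// Added example, not from the original article. Table, columns and request
// parameter names are assumptions.
// Unsafe pattern the text warns against (column name spliced into SQL text):
//   DB::select("SELECT * FROM products ORDER BY {$request->input('sort')}");

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Validation\Rule;

class ProductListController
{
    // PDO cannot bind identifiers, so only these literals may reach ORDER BY.
    private const SORTABLE = ['name', 'price', 'created_at'];

    public function index(Request $request)
    {
        // An unknown column or direction fails validation (HTTP 422) before any query runs.
        $validated = $request->validate([
            'sort' => ['sometimes', 'string', Rule::in(self::SORTABLE)],
            'dir'  => ['sometimes', 'string', Rule::in(['asc', 'desc'])],
            'q'    => ['sometimes', 'string', 'max:100'],
        ]);

        // Both values are now guaranteed to equal one of the allowlisted literals.
        $sort = $validated['sort'] ?? 'created_at';
        $dir  = $validated['dir'] ?? 'desc';

        return DB::table('products')
            // The search term is passed as a binding; % and _ are LIKE wildcards the
            // user can still type, which affects matching but never the SQL structure.
            ->when(isset($validated['q']), fn ($query) => $query
                ->where('name', 'like', '%'.$validated['q'].'%'))
            ->orderBy($sort, $dir)
            ->paginate(20);
    }
}
```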
“Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.” —
There are several strategies you can use to protect your application from this type of attack.
Rate-limit login attempts. If used in conjunction with CAPTCHA, it allows for a great defence-in-depth strategy. Laravel has a that can be used straight away in your routes or controllers to throttle requests.
Build multi-factor authentication for your member and admin accounts. There are great available that you can use to generate QR codes and validate one-time password codes upon login. Avoid other means of delivering this code, such as email or SMS. It simply .
Never commit any default login details or sensitive API credentials to your code repository. Maintain these settings in the .env file in the project root.
Configure sessions securely: they should be sent over HTTPS only and never be displayed in your application. The secure setting can be enabled in the session.php config file of your Laravel application.
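As an added example (not code from the original article), a named rate limiter for the login route keyed on both the submitted e-mail address and the client IP, using Laravel's RateLimiter facade (Laravel 8 and later); the limiter name, route and the session settings quoted in the comments are assumptions:

```php
<?php
// Added example, not from the original article. The 'login' limiter name and
// the /login route are assumptions.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;

class RouteServiceProvider extends ServiceProvider
{
    protected function configureRateLimiting(): void
    {
        RateLimiter::for('login', function (Request $request) {
            // Two limits apply at once: per e-mail+IP slows guessing one account's
            // password, per IP slows trying many accounts from one address.
            $email = Str::lower((string) $request->input('email'));

            return [
                Limit::perMinute(5)->by($email.'|'.$request->ip())
                    ->response(fn () => response('Too many login attempts. Try again in a minute.', 429)),
                Limit::perMinute(30)->by($request->ip()),
            ];
        });
    }
}

// routes/web.php: the throttle middleware refers to the limiter by name.
//   Route::post('/login', [LoginController::class, 'store'])->middleware('throttle:login');

// config/session.php hardening (cookie only over HTTPS, not readable by scripts):
//   'secure'    => env('SESSION_SECURE_COOKIE', true),
//   'http_only' => true,
//   'same_site' => 'lax',
```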
“Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.” —
Not a week goes by without news about another high-profile data breach. And most concerning of all is that at times, these breaches reveal how the company used weak security practices. Weak password hashes and unsecured S3 buckets are common occurrences.
Here are a few ways you can combat this:
Ensure you serve the entire application over HTTPS with a TLS certificate. If users try to access the HTTP equivalent, redirect them to the secure route instead and make use of headers.
Encrypt all sensitive data stored at rest. Never use your own developed encryption functions. Instead, use Laravel’s built-in that use OpenSSL to provide AES-256 and AES-128 encryption.
If you use enumeration for files or primary keys to identify records, you could inadvertently be exposing information about your system. Using a URL like /member-profile/23 will reveal you have (at least) 23 members on your system. If you include uploaded files like /user-images/45.jpg, you could open yourself to an enumeration attack where a malicious actor could try all number combinations and extract all user images from your website. To combat this, use a different scheme like UUIDv4 to identify records that are public and might require protection. For files, use automatically generated file names or a hashed folder structure to prevent enumeration.
Never trust user-uploaded files. If these uploaded files are not validated or handled correctly, they can allow access to your entire system. The OWASP page includes several precautions to take. You can implement most of these using Laravel’s validation functionality:
Setting a minimum and maximum .
Only allow specific file types by checking their .
Best of all, you can wrap this all into a Laravel and simply call this rule as part of your validation flow.
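As an added example (not code from the original article), a Laravel validation rule that applies the upload precautions above (size bounds and a content-sniffed MIME type) together with storage under a generated, non-enumerable name; the class name, the avatar field and the 'private' disk are assumptions:

```php
<?php
// Added example, not from the original article. Class name, field name and the
// 'private' disk are assumptions.

namespace App\Rules;

use Illuminate\Contracts\Validation\Rule;
use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;

class SafeImageUpload implements Rule
{
    private const MIN_BYTES = 1024;            // 1 KiB: rejects empty or truncated files
    private const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB
    // Detected MIME type => extension we assign ourselves.
    private const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

    public function passes($attribute, $value): bool
    {
        if (!$value instanceof UploadedFile || !$value->isValid()) {
            return false;
        }
        $size = $value->getSize();
        if ($size < self::MIN_BYTES || $size > self::MAX_BYTES) {
            return false;
        }
        // getMimeType() sniffs the file content (finfo). getClientMimeType() and the
        // original filename extension are attacker-controlled and must not be trusted.
        return array_key_exists($value->getMimeType(), self::ALLOWED);
    }

    public function message(): string
    {
        return 'The :attribute must be a JPEG or PNG between 1 KiB and 2 MiB.';
    }

    public static function extensionFor(UploadedFile $file): string
    {
        return self::ALLOWED[$file->getMimeType()];
    }
}

// Controller side: the rule runs in the normal validation flow; the stored name is
// random and lives on a non-public disk, so paths cannot be guessed or enumerated.
function storeAvatar(Request $request): string
{
    $request->validate(['avatar' => ['required', 'file', new SafeImageUpload]]);
    $file = $request->file('avatar');
    $name = bin2hex(random_bytes(16)).'.'.SafeImageUpload::extensionFor($file);

    return $file->storeAs('avatars', $name, 'private');
}
```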
“Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.” —
This vulnerability applies to any system that parses XML. A security researcher found this vulnerability in Facebook a few years ago. This goes into more detail about how this was accomplished.
The quickest way to prevent this attack is to disable external entity resolution when using the default . This is done by setting libxml_disable_entity_loader to true.
If you cannot disable this functionality, make sure that your XML parser is updated and that you’re using at least SOAP v1.2 or higher where applicable. Always be vigilant when it comes to user-uploaded or third-party XML.
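As an added example (not code from the original article), a helper that parses untrusted XML with PHP's DOM extension, disabling external entity loading on older PHP versions and rejecting any document that carries a DOCTYPE, since that is where entities are declared; the sample documents are constructed:

```php
<?php
// Added example, not from the original article. Sample documents are constructed.

function parseUntrustedXml(string $xml): DOMDocument
{
    // PHP < 8.0 needs the global switch the text mentions. From libxml 2.9 on,
    // external entities are not loaded unless LIBXML_NOENT / LIBXML_DTDLOAD
    // are passed, and PHP 8 deprecates the function, hence the version guard.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing.
    // Never add LIBXML_NOENT or LIBXML_DTDLOAD here.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        throw new InvalidArgumentException('Malformed XML');
    }
    // Defence in depth: a DTD is the only place entities can be declared, and
    // user-supplied documents have no legitimate need for one.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE is not allowed in user-supplied XML');
    }

    return $doc;
}

// Constructed samples: a plain order document and one declaring an external entity.
$benign  = '<?xml version="1.0"?><order><id>42</id></order>';
$hostile = '<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
         . '<order><id>&ext;</id></order>';

$order = parseUntrustedXml($benign);
echo $order->getElementsByTagName('id')->item(0)->textContent, PHP_EOL;

try {
    parseUntrustedXml($hostile);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```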
“Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorised functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.” —
In , attackers made off with details of over 200,000 Citigroup customers after discovering an exploit in the way they handled customer account numbers. Once they logged into an account, all they had to do was change the customer number in the URL to jump to the record of another customer.
This allowed them to create an automated process that would cycle through all possible numbers and capture all the confidential data.
The system didn’t have any authorisation checks in place to ensure the account number being accessed belonged to the logged-in user.
There are popular RBAC (Role-Based Access Control) that can be used with Laravel allowing you to manage user permissions and roles. You can also use Laravel’s .
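As an added example (not code from the original article), the ownership check that was missing in the Citigroup case, written as a Laravel policy enforced by the controller; the Account and User models, their columns and the route are assumptions:

```php
<?php
// Added example, not from the original article. Models, columns and the route are
// assumptions. Laravel discovers App\Policies\AccountPolicy for App\Models\Account
// by naming convention, so no manual registration is needed.

namespace App\Policies;

use App\Models\Account;
use App\Models\User;

class AccountPolicy
{
    // The decision compares the authenticated user with the record itself;
    // nothing the client sent in the URL or body takes part in it.
    public function view(User $user, Account $account): bool
    {
        return $account->user_id === $user->id;
    }
}

namespace App\Http\Controllers;

use App\Models\Account;

class AccountController extends Controller
{
    // Route::get('/accounts/{account}', [AccountController::class, 'show'])->middleware('auth');
    // Route model binding loads {account} from the URL. Without the authorize()
    // call below, any logged-in user could step through account ids, exactly the
    // flaw described above.
    public function show(Account $account)
    {
        $this->authorize('view', $account); // 403 unless AccountPolicy::view() returns true

        return view('accounts.show', ['account' => $account]);
    }

    // Alternative that also avoids confirming another customer's account exists:
    // resolve the id only within the current user's own accounts (404 otherwise).
    public function showScoped(\Illuminate\Http\Request $request, int $id)
    {
        $account = $request->user()->accounts()->findOrFail($id);

        return view('accounts.show', ['account' => $account]);
    }
}
```

The same check can be attached declaratively with `->middleware('can:view,account')` on the route instead of calling `authorize()` in the action.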
“Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.” —
When configuring your web application, always consider the principle of least functionality. Harden your installation by removing or disabling all services you don’t need.
Back in 2001, the Nimda worm wreaked worldwide havoc by exploiting several IIS (Internet Information Server) vulnerabilities.
Many systems had IIS installed by default, even though they didn’t use the Microsoft web server at all. The result was a high infection rate that could have been prevented by hardening the system and uninstalling any services not required by the system or network.
Disable debugging on production servers. Even on staging servers, debugging can reveal sensitive server information by outputting all your environment variables. Make use of the debug_hide setting in Laravel's app config to prevent this.
“XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” —
Never display user-supplied input without escaping the data. Laravel's template engine, Blade, automatically escapes content rendered using the default {{ $var }} syntax. This sends it through PHP's htmlspecialchars function.
Escaping all output this way will reduce your website visitors’ exposure to XSS and CSRF (Cross-Site Request Forgery) attacks.
Unfortunately, it’s not always as simple as that. If you’ve ever included WYSIWYG HTML editors in your application such as TinyMCE or CKEditor, you know this poses a risk (especially since escaping the output would result in a bunch of HTML tags rather than the formatted content).
In these instances, use a package like to remove any potentially malicious code.
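As an added example (not code from the original article), sanitising WYSIWYG output with an element allowlist before it is ever rendered unescaped; the choice of ezyang/htmlpurifier as the package and the editor output shown are assumptions and constructed input:

```php
<?php
// Added example, not from the original article. Library choice (ezyang/htmlpurifier,
// installed via Composer) and the sample editor output are assumptions.

use HTMLPurifier;
use HTMLPurifier_Config;

function cleanRichText(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist, not denylist: only these elements and attributes survive.
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href],img[src|alt]');
    // Only web URLs in href/src; other schemes are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('Cache.DefinitionImpl', null); // no filesystem cache in this demo

    return (new HTMLPurifier($config))->purify($html);
}

// Constructed editor output: formatted text plus an inline script, an event
// handler attribute and a script-scheme link, none of which survive purification.
$submitted = '<p onmouseover="alert(1)">Hello <strong>world</strong></p>'
           . '<script>alert(1)</script><a href="javascript:alert(1)">link</a>';

echo cleanRichText($submitted), PHP_EOL;

// Blade usage, resources/views/posts/show.blade.php:
//   {{ $post->title }}          escaped through htmlspecialchars (the default)
//   {!! $post->body_html !!}    unescaped: only ever for content that went
//                               through cleanRichText() before being stored
```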
“Insecure deserialisation often leads to remote code execution. Even if deserialisation flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.” —
Be wary of unserialising anything from untrusted sources. This includes cookies your application might create. A malicious user can edit that cookie in their browser and use this as an attack vector against your application.
By default, all cookies created by Laravel are encrypted and signed. This means they’ll be invalid if a client tampers with them.
“Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.” —
Because most of the dependencies you may be using in Laravel are open source, it allows malicious users to analyse the packages and find ways to exploit vulnerabilities. A few ideas to mitigate this problem:
Subscribe to security bulletins and include a security scanner (such as ) as part of your CI/CD pipeline.
“Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.” —
When it comes to your application and server, log everything, including failed login attempts and password resets.
Laravel comes with out of the box. You can even integrate it with a third party logging service like and receive alerts for specific log events.
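As an added example (not code from the original article), a listener that records failed logins, successful logins and password resets through Laravel's built-in auth events on a dedicated log channel that an alerting service can watch; the listener class, the 'security' channel and the logging config are assumptions:

```php
<?php
// Added example, not from the original article. Class name, the 'security'
// channel and the config fragments in comments are assumptions.

namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Auth\Events\Login;
use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Support\Facades\Log;

class LogAuthActivity
{
    public function handleFailed(Failed $event): void
    {
        // Never log the submitted password; the e-mail, guard and client
        // details are enough to correlate a guessing run.
        Log::channel('security')->warning('auth.failed', [
            'email' => $event->credentials['email'] ?? null,
            'guard' => $event->guard,
            'ip'    => request()->ip(),
            'ua'    => request()->userAgent(),
        ]);
    }

    public function handleLogin(Login $event): void
    {
        Log::channel('security')->info('auth.login', [
            'user_id' => $event->user->getAuthIdentifier(),
            'ip'      => request()->ip(),
        ]);
    }

    public function handlePasswordReset(PasswordReset $event): void
    {
        Log::channel('security')->notice('auth.password_reset', [
            'user_id' => $event->user->getAuthIdentifier(),
            'ip'      => request()->ip(),
        ]);
    }
}

// app/Providers/EventServiceProvider.php, $listen:
//   Failed::class        => [LogAuthActivity::class.'@handleFailed'],
//   Login::class         => [LogAuthActivity::class.'@handleLogin'],
//   PasswordReset::class => [LogAuthActivity::class.'@handlePasswordReset'],
// config/logging.php, a channel kept separate from application noise:
//   'security' => ['driver' => 'daily', 'path' => storage_path('logs/security.log'),
//                  'level' => 'info', 'days' => 90],
```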
Thank you for reading; I hope this has proven useful! or where I’ll share insightful web development articles to supercharge your skills.
The OWASP website is a brilliant source of information, and they provide several in-depth guides about many of the security issues mentioned above.
View the ().
View and download .
Latest .
Translated from: OWASP Top Ten Web Vulnerabilities
Reprinted from: http://nmgwd.baihongyu.com/