FixVibe
Covered by FixVibe (medium)

Comparing Automated Security Scanners: Strengths and Operational Risks

Automated security scanners are essential for finding serious vulnerabilities such as SQL injection and XSS. However, they can unintentionally damage target systems through unsafe interactions. This review compares commercial DAST tools with free security observatories and outlines best practices for safe automated testing.

CWE-79, CWE-89, CWE-352, CWE-611, CWE-22, CWE-918

Impact

Automated security scanners can detect serious vulnerabilities such as SQL injection and cross-site scripting (XSS), but they also carry the risk of damaging target systems because of their aggressive interaction methods [S1]. Improper scanning can cause service disruption, data corruption, or unintended behaviour in fragile environments [S1]. While these tools are essential for finding critical flaws and improving security posture, their use requires careful handling to avoid operational impact [S1].

Root Cause

The primary risk stems from the automated nature of DAST tools, which probe applications with payloads that can trigger failures in sensitive components [S1]. In addition, many web applications fail to correctly implement baseline security settings such as HTTP security headers, which are essential for protecting against common web-based threats [S2]. Tools such as the Mozilla HTTP Observatory highlight these gaps by analysing compliance with security standards and best practices [S2].

Detection Capabilities

Commercial and community scanners focus on several vulnerability classes:

  • Injection attacks: detection of SQL injection and XML External Entity (XXE) injection [S1].

  • Request manipulation: detection of Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF) [S1].

  • Access control: checks for directory traversal and other authorization bypasses [S1].

  • Configuration analysis: evaluation of HTTP headers and security settings to confirm adherence to industry best practices [S2].

Saukewa: ZXCVFIXVIBESEG13

Concrete Remediation

  • Authorization before scanning: ensure all automated testing is authorized by the system owner so that the risk of potential damage is managed [S1].

  • Environment preparation: back up all target systems before starting active vulnerability scans to guarantee recovery if something fails [S1].

  • Header enforcement: use tools such as the Mozilla HTTP Observatory to assess and enforce missing security headers such as Content-Security-Policy (CSP) and HTTP Strict Transport Security (HSTS).

  • Staged testing: run aggressive active scans in isolated staging or development environments rather than in production to prevent operational impact [S1].

How FixVibe tests this

FixVibe already prioritizes safe, authorization-gated active checks. The passive headers.security-headers module provides Observatory-style coverage without sending any payloads. Higher-impact checks such as active.sqli, active.ssti, active.blind-ssrf, and related probes run only after domain ownership has been verified and the scan has been explicitly started, and they use bounded, non-destructive payloads.
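The header-enforcement item above and the passive header module just described both come down to inspecting response headers that have already been captured, without sending a single probe. The following Python is an added illustration of such a payload-free check; it is not FixVibe's code nor the Observatory's scoring logic, the sample headers are constructed, and the six-month HSTS threshold is an assumption chosen for this example.

```python
# Passive security-header audit over captured response headers; sends nothing.
from typing import Dict, List

# Constructed sample of a weakly configured response (not from a real site).
WEAK_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}
REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy"]
MIN_HSTS_AGE = 15552000  # six months; assumed threshold for this example

def hsts_findings(value: str) -> List[str]:
    # Split "max-age=N; includeSubDomains; preload" into a directive map.
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip()
    age_str = directives.get("max-age", "0")
    max_age = int(age_str) if age_str.isdigit() else 0
    out = []
    if max_age < MIN_HSTS_AGE:
        out.append(f"HSTS max-age too short ({max_age}s)")
    if "includesubdomains" not in directives:
        out.append("HSTS missing includeSubDomains")
    return out

def csp_findings(value: str) -> List[str]:
    # Map each CSP directive to its source list; script-src falls back to default-src.
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "script-src" not in directives and "default-src" not in directives:
        return ["CSP has neither script-src nor default-src"]
    script_src = directives.get("script-src", directives.get("default-src"))
    return [f"CSP allows {bad} in script-src"
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*") if bad in script_src]

def check_headers(headers: Dict[str, str]) -> List[str]:
    # Empty list means the baseline is met; each entry is one finding.
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name not in lower]
    if "strict-transport-security" in lower:
        findings += hsts_findings(lower["strict-transport-security"])
    if "content-security-policy" in lower:
        findings += csp_findings(lower["content-security-policy"])
    return findings
```

Running `check_headers(WEAK_HEADERS)` reports two missing headers, a short HSTS lifetime without includeSubDomains, and a CSP that permits inline scripts; the same function returns an empty list for a response that carries all five headers with sound values.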