FixVibe
Covered by FixVibe (high)

CORS Misconfiguration: The Risk of Permissive Policies

Cross-Origin Resource Sharing (CORS) is a browser mechanism designed to relax the Same-Origin Policy (SOP). While it is necessary for modern web applications, an improper implementation, such as reflecting the requester's Origin header or allowing the 'null' origin, can let malicious sites exfiltrate users' private data.

CWE-942

Impact

An attacker can steal sensitive, authenticated data from users of the vulnerable application [S2]. If a user visits a malicious website while logged in to the vulnerable application, that site can make cross-origin requests to the app's API and read the responses [S1][S2]. This can lead to the theft of sensitive information, including user data, CSRF tokens, or private messages [S2].

Root Cause

CORS is an HTTP-header-based mechanism that lets a server specify which origins (scheme, domain, and port) are allowed to load its resources [S1]. Vulnerabilities typically arise when the server's CORS policy is too permissive or is implemented incorrectly [S2]:

  • Origin Reflection: Some servers read the Origin header from the client request and echo it back in the Access-Control-Allow-Origin (ACAO) response header [S2]. This effectively grants every website access to the resources [S2].
  • Insecure Wildcards: While the * wildcard allows any origin to access a resource, it cannot be used for requests that require credentials (such as cookies or authorization headers) [S3]. Developers often try to work around this by generating the ACAO header dynamically per request [S2].
  • Whitelisting 'null': Some applications allow the null origin, which can be produced by redirected requests or local files, letting malicious sites present the null origin to gain access [S2][S3].
  • Validation Errors: Bugs in the regex or string matching used to validate the Origin header can allow attackers to use domains such as trusted-domain.com.attacker.com [S2].

It is important to note that CORS is not a protection against Cross-Site Request Forgery (CSRF) [S2].


Concrete Remediation


  • Use Static Whitelists: Avoid generating Access-Control-Allow-Origin dynamically from the request's Origin header [S2]. Instead, compare the request origin against a fixed list of trusted domains [S3].
  • Avoid the 'null' Origin: Never include null in your list of allowed origins [S2].
  • Restrict Credentials: Only set Access-Control-Allow-Credentials: true when it is strictly necessary for a specific cross-origin interaction [S3].
  • Use Robust Validation: If you must support multiple origins, make sure the Origin header validation logic is strict and cannot be bypassed with subdomain or look-alike domain tricks [S2].
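As an added example (not FixVibe's code and not taken from the cited sources), the following Node.js snippet contrasts the two flawed checks described under Root Cause, origin reflection and loose prefix matching, with the exact-match static allowlist recommended above. The hostnames and the allowlist are constructed for illustration.

```javascript
// Added example, not FixVibe's code. Hostnames are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

function allowWithCredentials(origin) {
  // Vary: Origin keeps shared caches from serving one origin's ACAO to another.
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Weak check 1: origin reflection. Whatever Origin the client sends is echoed
// back with credentials enabled, so every site becomes an allowed origin.
function weakReflect(origin) {
  return typeof origin === "string" ? allowWithCredentials(origin) : {};
}

// Weak check 2: prefix match. "https://app.example.com.attacker.example"
// starts with the trusted string and is wrongly accepted.
function weakPrefix(origin) {
  const ok = typeof origin === "string" && origin.startsWith("https://app.example.com");
  return ok ? allowWithCredentials(origin) : {};
}

// Hardened check: parse the Origin, normalise it to scheme://host[:port]
// and require an exact match against the static allowlist.
function corsHeaders(origin, allowlist = ALLOWED_ORIGINS) {
  // Missing header (same-origin or non-browser client) or the literal
  // "null" origin: emit no CORS headers at all.
  if (typeof origin !== "string" || origin === "null") return {};
  let parsed;
  try { parsed = new URL(origin); } catch { return {}; } // not a valid origin
  // A genuine Origin value carries no path, query, fragment or userinfo.
  if (parsed.pathname !== "/" || parsed.search || parsed.hash || parsed.username) return {};
  // parsed.origin drops default ports, so "https://app.example.com:443" still matches.
  return allowlist.has(parsed.origin) ? allowWithCredentials(parsed.origin) : {};
}

// Stand-alone demo: compare the three checks on the same constructed inputs.
for (const o of ["https://app.example.com", "https://app.example.com.attacker.example", "null", "https://other.example"]) {
  console.log(o, "| reflect:", weakReflect(o)["Access-Control-Allow-Origin"] || "-",
    "| prefix:", weakPrefix(o)["Access-Control-Allow-Origin"] || "-",
    "| exact:", corsHeaders(o)["Access-Control-Allow-Origin"] || "-");
}
```

Only the exact-match check returns no CORS headers for the look-alike host, the null origin, and the unknown origin, while still accepting the allowlisted origin with or without its default port.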


How FixVibe tests for this

FixVibe now includes this as a gated active check. After verifying the domain, active.cors sends requests to the same-origin API endpoints with a synthetic attacker Origin header and reviews the CORS response headers. It reports reflected arbitrary-origin CORS and overly broad CORS on non-public API endpoints while avoiding noise from public assets.