FixVibe
Covered by FixVibe · high

CSRF Protection: Preventing Unauthorized State Changes

Cross-Site Request Forgery (CSRF) remains a major threat to web applications. This analysis examines how modern frameworks such as Django implement protection, and how browser-level measures such as SameSite cookies add defense in depth against unauthorized requests.

CWE-352

Impact

Cross-Site Request Forgery (CSRF) lets an attacker trick a victim's browser into performing unwanted actions on a different website where the victim is currently authenticated. Because browsers automatically attach credentials such as cookies to requests, an attacker can forge state-changing actions, such as changing a password, deleting data or initiating a transaction, without the user's knowledge.

Root Cause

The root cause of CSRF is the default browser behaviour of sending the cookies associated with a domain on every request to that domain, regardless of where the request originated [S1]. Without explicit proof that the request was deliberately triggered from the application's own user interface, the server cannot distinguish a legitimate user action from a forged one.

Django CSRF Protection Mechanisms

Django ships a built-in security framework that mitigates these risks through middleware and template integration [S2].

Enabling the Middleware

django.middleware.csrf.CsrfViewMiddleware is responsible for CSRF protection and is normally enabled by default [S2]. It must be placed before any view middleware that assumes CSRF attacks have already been handled [S2].

Template Implementation

For every internal POST form, developers must include the {% csrf_token %} tag inside the <form> element [S2]. This ensures that a unique secret token is included in the request, which the server then validates against the user's session.

Token Leakage Risk

A critical implementation detail is that {% csrf_token %} must not be included in forms that target external URLs [S2]. Doing so would hand the secret CSRF token to a third party, potentially compromising the security of the user's session [S2].
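The following is an added illustration, not Django's source code, of the three points above: one secret per session, a hidden token field emitted only into forms that post back to the application's own origin, and a server-side check that rejects unsafe requests whose token does not match the session. The function names (issue_token, render_form, check_request) and the sample origin are this example's own; the hidden field name csrfmiddlewaretoken is the one Django's template tag emits.

```python
# Added illustration (not Django's own code): a stripped-down model of the checks
# behind CsrfViewMiddleware and {% csrf_token %}. Function names are this example's.
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TOKEN_FIELD = "csrfmiddlewaretoken"  # hidden input name used by Django's template tag


def issue_token(session: dict) -> str:
    """Bind one secret to the user's session; later calls return the same value."""
    if "csrf_secret" not in session:
        session["csrf_secret"] = secrets.token_urlsafe(32)
    return session["csrf_secret"]


def is_same_origin_action(form_action: str, site_origin: str) -> bool:
    """True for relative actions or absolute URLs whose scheme://host is our own site."""
    parts = urlsplit(form_action)
    if not parts.scheme and not parts.netloc:
        return True  # relative URL, resolves against our own origin
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def render_form(form_action: str, site_origin: str, session: dict) -> str:
    """Emit a POST form. The token goes only into forms that post back to our site;
    a form whose action is an external URL gets none, so the secret is not leaked."""
    hidden = ""
    if is_same_origin_action(form_action, site_origin):
        hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session)}">'
    return f'<form method="post" action="{form_action}">{hidden}</form>'


def check_request(method: str, post_data: dict, session: dict) -> tuple[bool, str]:
    """Server-side decision: safe methods pass; unsafe methods need a token
    matching the secret bound to the session."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    expected = session.get("csrf_secret")
    if not expected:
        return False, "no CSRF secret bound to session"
    supplied = post_data.get(TOKEN_FIELD, "")
    # constant-time comparison so the check does not leak timing information
    if not hmac.compare_digest(supplied, expected):
        return False, "CSRF token missing or incorrect"
    return True, "token valid"


if __name__ == "__main__":
    site = "https://app.example"  # constructed sample origin
    session: dict = {}
    print(render_form("/account/password", site, session))          # token embedded
    print(render_form("https://partner.example/pay", site, session))  # no token: external action
    print(check_request("POST", {TOKEN_FIELD: session["csrf_secret"]}, session))
    print(check_request("POST", {}, session))  # a forged cross-site form carries no token
```

A cross-site page can make the victim's browser send the session cookie, but it cannot read the token bound to that session, so its POST arrives without a valid csrfmiddlewaretoken and is rejected; keeping the token out of externally targeted forms is what preserves that property.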

Browser-Level Protection: SameSite Cookies

Modern browsers introduced the SameSite attribute for the Set-Cookie header to provide an additional layer of defense in depth [S1].

  • Strict: The cookie is sent only in a first-party context, meaning the site shown in the address bar matches the cookie's domain [S1].
  • Lax: The cookie is not sent on cross-site subrequests (such as images or frames) but is sent when the user navigates to the origin site, for example by following a link [S1].

How FixVibe tests for it

FixVibe now includes CSRF protection as a gated active check. After domain verification, active.csrf-protection inspects the discovered state-changing forms, looks for CSRF-token inputs and SameSite cookie signals, then attempts a minimal forged cross-origin submission and reports a finding only when the server accepts it. The cookie check also flags weak SameSite attributes that reduce CSRF defense in depth.