Impact
Attackers can exploit missing security headers to carry out Cross-Site Scripting (XSS), clickjacking, and man-in-the-middle attacks [S1][S3]. Without these protections, sensitive user data can be exfiltrated, and the integrity of the application can be compromised by malicious scripts injected into the browser context [S3].
Root Cause
AI-driven development tools generally prioritize working code over security configuration. As a result, many AI-generated templates omit the critical HTTP response headers that modern browsers rely on for defense in depth [S1]. In addition, the absence of integrated Dynamic Application Security Testing (DAST) during development means these configuration gaps are rarely detected before deployment [S2].
Concrete Fixes
- Implement Security Headers: Configure the web server or application framework to include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options.
- Automated Scoring: Use tools that produce a security score based on header presence and strength, so a strong security posture can be maintained over time [S1].
- Continuous Monitoring: Integrate automated vulnerability scanners into the CI/CD pipeline to provide ongoing visibility into the application's attack surface [S2].
How FixVibe tests this
FixVibe already covers this through its dedicated headers.security-headers scanner. During a standard passive scan, FixVibe fetches the target like a browser and checks the main HTML and related responses for CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and a further -Policy header. The module also flags weak CSP script-src directives, and it avoids false positives on JSON, 204, redirect, and error responses, where these headers simply do not apply.
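The check described above, written out as an added example that is not FixVibe's own code: it judges only HTML document responses, reports the four headers from the Concrete Fixes list when they are missing, and flags a CSP whose effective script-src cannot block injected scripts. The required-header set, the list of weak source expressions, and the sample responses are constructed assumptions for illustration.

```python
from typing import Dict, List, Optional

# Headers expected on HTML document responses (the set listed under "Concrete Fixes").
REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-frame-options", "x-content-type-options")
# Source expressions that leave script-src unable to block injected scripts (assumed list).
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

def applies(status: int, headers: Dict[str, str]) -> bool:
    """Only HTML documents are judged: JSON, 204, redirects and error
    responses carry no browser script context, so findings there are noise."""
    if status == 204 or status >= 300:
        return False
    return headers.get("content-type", "").lower().startswith("text/html")

def directive(csp: str, name: str) -> Optional[List[str]]:
    # Source list of one CSP directive, or None when the directive is absent.
    for item in csp.split(";"):
        parts = item.strip().split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None

def check(status: int, raw_headers: Dict[str, str]) -> List[str]:
    """Findings for one response; an empty list means nothing to report."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    if not applies(status, headers):
        return []
    findings = [f"missing {name}" for name in REQUIRED if name not in headers]
    csp = headers.get("content-security-policy")
    if csp is not None:
        # script-src governs scripts; default-src is the fallback when it is absent.
        sources = directive(csp, "script-src")
        if sources is None:
            sources = directive(csp, "default-src")
        if sources is None:
            findings.append("weak csp: neither script-src nor default-src set")
        else:
            weak = sorted(s for s in sources if s.lower() in WEAK_SOURCES)
            if weak:
                findings.append("weak csp: script-src allows " + " ".join(weak))
    return findings

# Constructed sample responses (not captured from any real site).
BASE = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000"}
SAMPLES = {
    "bare_html": (200, {"Content-Type": "text/html; charset=utf-8"}),
    "json_api": (200, {"Content-Type": "application/json"}),
    "hardened": (200, {**BASE, "Content-Security-Policy": "default-src 'self'; script-src 'self'"}),
    "weak_csp": (200, {**BASE, "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"}),
}
```

Running `check(*SAMPLES["bare_html"])` reports all four headers missing, while the JSON sample and any redirect or error response return no findings at all.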
