Impact
Server-Side Request Forgery (SSRF) is a critical vulnerability that lets an attacker make the server-side application issue requests to destinations the developer never intended [S1]. This can lead to exposure of sensitive internal services, unauthorized access to cloud metadata endpoints, or bypass of network firewalls [S1].
Root cause
SSRF typically occurs when an application fetches a user-supplied URL without sufficient validation, allowing the server to be used as a proxy for malicious requests [S1]. Beyond directly exploitable flaws, a site's overall security posture is strongly affected by its HTTP header configuration [S2]. Launched in 2016, Mozilla's HTTP Observatory has scanned more than 6.9 million websites to help administrators harden their security against these common threats by identifying and remediating security weaknesses [S2].
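The root cause above is insufficient validation of the destination before the server fetches it. The following is an added example (not FixVibe's code) of an outbound-URL gate that enforces a scheme and port allowlist and rejects any destination, literal or resolved, that is not a public address; the policy constants and the injectable `resolve` callback are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy for this example: only plain web fetches on default ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_public_ip(ip):
    # is_global already excludes loopback, RFC 1918, link-local (which covers the
    # 169.254.169.254 cloud metadata address), CGNAT and documentation ranges;
    # the extra checks cover multicast/reserved space on older Python versions.
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def validate_outbound_url(url, resolve=socket.getaddrinfo):
    """Return (ok, reason). `resolve` is injectable so the check runs offline in tests."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    # Literal IPs (IPv4, IPv6, IPv4-mapped IPv6) are judged directly; hostnames are
    # resolved and every returned address must pass, not just the first one.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = resolve(host, port, proto=socket.IPPROTO_TCP)
        except OSError as exc:
            return False, "DNS resolution failed: %s" % exc
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in addrs:
        # Unwrap ::ffff:a.b.c.d so it is judged as the embedded IPv4 address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not _is_public_ip(ip):
            return False, "destination %s is not a public address" % ip
    return True, "ok"
```

Resolving in the validator and then letting an HTTP client resolve again leaves a DNS rebinding window, so in production the fetch should connect to the address that passed the check rather than re-resolving the hostname.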
How FixVibe tests for it
FixVibe already covers both aspects of this research topic:
- **Gated SSRF confirmation**: `active.blind-ssrf` runs only in active scans. It sends unique callback canaries in URL parameters and in SSRF-prone headers discovered during crawling, and reports the issue only when FixVibe receives a callback tied to that scan.
- **Header hygiene**: `headers.security-headers` checks the site's response headers for the same browser controls emphasized by Observatory-style analysis, including CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
The SSRF check does not require destructive requests or exfiltration. It is scoped to the targets already under scan and reports callback evidence rather than flagging a finding on the basis of a parameter name alone.
