FixVibe
Covered by FixVibemedium

Ukuqhathanisa Izikena Zokuphepha Ezizenzakalelayo: Amakhono Nezingozi Zokusebenza

Izikena zokuphepha ezizenzakalelayo zibalulekile ekuhlonzeni ubungozi obubalulekile obufana nomjovo we-SQL kanye ne-XSS. Kodwa-ke, angakwazi ukulimaza ngokungafanele amasistimu aqondiwe ngokusebenzisa ukuxhumana okungajwayelekile. Lolu cwaningo luqhathanisa amathuluzi e-DAST angochwepheshe nezibukeli zokuphepha zamahhala futhi luveza izinqubo ezihamba phambili zokuhlola okuzenzakalelayo okuphephile.

CWE-79CWE-89CWE-352CWE-611CWE-22CWE-918

Umthelela

Izikena zokuphepha ezizenzakalelayo zingakwazi ukubona ubungozi obubalulekile obunjengomjovo we-SQL kanye ne-Cross-Site Scripting (XSS), kodwa futhi zibeka engcupheni yokulimaza izinhlelo eziqondiwe ngenxa yezindlela zazo zokuxhumana ezingajwayelekile [S1]. Izikena ezingalungiselelwe kahle zingaholela ekuphazamisekeni kwesevisi, ekonakaleni kwedatha, noma ukuziphatha okungahlosiwe ezindaweni ezisengozini [S1]. Nakuba la mathuluzi ebalulekile ekutholeni iziphazamisi ezibucayi nokuthuthukisa ukuma kwezokuphepha, ukusetshenziswa kwawo kudinga ukuphathwa ngokucophelela ukuze kugwenywe umthelela wokusebenza [S1].

Imbangela

Ubungozi obuyinhloko busukela kumvelo yokuzenzakalela yamathuluzi e-DAST, aphenya izinhlelo zokusebenza ezinokulayishwa okukhokhelwayo okungase kuqalise izimo ezibucayi kungqondongqondo engaphansi [S1]. Ngaphezu kwalokho, izinhlelo zokusebenza eziningi zewebhu ziyehluleka ukusebenzisa ukucushwa okuyisisekelo kokuphepha, okufana nezihloko ze-HTTP eziqiniswe kahle, ezibalulekile ekuvikeleni izinsongo ezivamile ezisekelwe kuwebhu [S2]. Amathuluzi afana ne-Mozilla HTTP Observatory agqamisa lezi zikhala ngokuhlaziya ukuthobelana namathrendi amisiwe okuphepha nemihlahlandlela [S2].

Amakhono Okuthola

Izikena ezichwepheshile nezezinga lomphakathi zigxila ezigabeni ezimbalwa zobungozi obunamandla:

  • Ukuhlasela komjovo: Ukuthola umjovo we-SQL kanye nomjovo we-XML External Entity (XXE) [S1].
  • Ukukhohlisa Kwesicelo: Ukuhlonza I-Server-Side Application Forgery (SSRF) kanye ne-Cross-Site Request Forgery (CSRF) [S1].
  • Ukulawula Ukufinyelela: Ukuhlola Ukudlula Kwemibhalo nokunye kokugunyazwa okudlulayo [S1].
  • Ukuhlaziya Ukucushwa: Ukuhlola izihloko ze-HTTP nezilungiselelo zokuphepha ukuze kuqinisekiswe ukuthobelana nemikhuba ehamba phambili yomkhakha [S2].

Ukulungiswa kukakhonkolo

  • Ukugunyazwa Kokuskena Ngaphambili: Qinisekisa ukuthi konke ukuhlola okuzenzakalelayo kugunyazwe umnikazi wesistimu ukuze kulawuleke ubungozi bomonakalo ongaba khona [S1].
  • Ukulungiselela Imvelo: Yenza ikhophi yasenqolobaneni yawo wonke amasistimu okuqondiwe ngaphambi kokuqala ukuskena okusebenzayo kokuba sengozini ukuze uqinisekise ukululama esimweni sokwehluleka [S1].
  • Ukusetshenziswa Kwesihloko: Sebenzisa amathuluzi afana ne-Mozilla HTTP Observatory ukuze uhlole futhi usebenzise izihloko zokuphepha ezingekho njengeNqubomgomo Yokuphepha Kokuqukethwe (CSP) kanye Nezokuphepha Eziqinile-Zokuthutha (HSTS) [S2].
  • Izivivinyo Zesiteji: Yenza ukuskena okuphezulu okusebenzayo endaweni yesiteji engayodwa noma indawo yokuthuthukiswa kunokukhiqiza ukuvimbela umthelela wokusebenza [S1].

I-FixVibe iyihlolela kanjani

I-FixVibe isivele ihlukanisa ukuhlolwa kokungenzi lutho okuphephile kokukhiqiza kuma-probe asebenzayo anesango lokuvuma. Imojula ye-headers.security-headers engenzi lutho inikeza ukumbozwa kwesihloko sesitayela se-Observatory ngaphandle kokuthumela okukhokhelwayo. Ukuhlola okunomthelela ophezulu okufana ne-active.sqli, active.ssti, active.blind-ssrf, nama-probe ahlobene asebenza kuphela ngemva kokuqinisekisa ubunikazi besizinda kanye nobufakazi bokuqalisa ukuskena, futhi zisebenzisa imithwalo eboshiwe engabhubhisi enonogada bamanga.