FixVibe
Covered by FixVibehigh

Ucwaningo Lokuba sengcupheni: SSRF kanye Nokuhambisana Nesihloko Sokuphepha

Lesi sihloko socwaningo sihlola i-Server-Side Request Forgery (SSRF) kanye nokubaluleka kokuthobela unhlokweni wokuphepha we-HTTP. Sisebenzisa imininingwane evela ku-PortSwigger ne-Mozilla, sihlola ukuthi ukuskena okuzenzakalelayo kubukhomba kanjani lobu bungozi nokuthi i-FixVibe ingasebenzisa kanjani amandla okuthola afanayo.

CWE-918

Umthelela

I-Server-Side Request Forgery (SSRF) iwubungozi obubalulekile obuvumela umhlaseli ukuthi anxenxe uhlelo lokusebenza lohlangothi lweseva ukuthi enze izicelo endaweni engahlosiwe [S1]. Lokhu kungaholela ekuchayekeni kwamasevisi angaphakathi azwelayo, ukufinyelela okungagunyaziwe kuma-endpoints wemethadatha yefu, noma ekudluleni kwezicishamlilo zenethiwekhi [S1].

Imbangela

I-SSRF ngokuvamile yenzeka lapho uhlelo lokusebenza lucubungula ama-URL anikezwe umsebenzisi ngaphandle kokuqinisekisa okwanele, okuvumela iseva ukuthi isetshenziswe njengommeleli wezicelo ezinonya [S1]. Ngale kwamaphutha asebenzayo, ukuma kokuvikeleka kukonke kwesayithi kuthonywa kakhulu ukulungiselelwa kwesihloko se-HTTP [S2]. Eyethulwe ngo-2016, i-HTTP Observatory ye-Mozilla ihlaziye amawebhusayithi angaphezu kwezigidi ezingu-6.9 ukuze isize abalawuli baqinise ukuzivikela kwabo ngokumelene nalezi zinsongo ezivamile ngokuhlonza nokubhekana nokuba sengozini kwezokuvikela [S2].

I-FixVibe iyihlolela kanjani

I-FixVibe isivele ihlanganisa zombili izingxenye zalesi sihloko socwaningo:

  • Isiqinisekiso se-SSRF esifakwe kusango: I-active.blind-ssrf isebenzisa kuphela izikena ezisebenzayo eziqinisekisiwe. Ithumela i-callback canaries eboshwe ngaphandle kwebhendi kumapharamitha amise okwe-URL kanye nezihloko ezihambisana ne-SSRF ezitholwe ngesikhathi sokucaca, bese ibika inkinga kuphela uma i-FixVibe ithola ukuphinda kushayelwe okuboshelwe kuleso skena.
  • Ukuthobela unhlokweni: I-headers.security-headers ihlola ngokunganaki izihloko zempendulo zesayithi ngezilawuli ezifanayo zokuqina kwesiphequluli ezigcizelelwa ukubuyekezwa kwesitayela se-Observatory, okuhlanganisa i-CSP, HSTS, X-Options,Type-Options,X-Options,Type-Options Inqubomgomo Ye-Referrer, kanye Nenqubomgomo Yezimvume.

Uphenyo lwe-SSRF aludingi izicelo ezilimazayo noma ukufinyelela okuqinisekisiwe. Ifinyelelwa kokuhlosiwe okuqinisekisiwe futhi ibike ubufakazi obuphathekayo bokuphinda ubuyele emuva kunokuqagela kumagama epharamitha kuphela.