Security reasons to maintain a whitelist of allowed HTTP response headers

As a web developer, I'm increasingly debugging issues only to find that our IT department are using our firewall to filter HTTP response headers.

They are using a whitelist of known headers, so certain newer technologies (CORS, websockets, etc.) are automatically stripped until I debug the problem and request whitelisting.

The affected responses are third-party services we are consuming - so if we have an internal site that uses disqus, comments cannot be loaded because the response from disqus is having its headers stripped. The resources we are serving are not affected, as it's only traffic coming into the office.

Are there genuine reasons to block certain headers? Obviously there are concerns such as man-in-the-middle, redirects to phishing sites etc., but these require more than just an errant header to be successful.

What are the security reasons to maintain a whitelist of allowed HTTP response headers?

Fingerprinting could be the main reason to strip the response headers:

https://www.owasp.org/index.php/Fingerprint_Web_Server_%28OTG-INFO-002%29

It depends on the stack that you're running, and most of the time, the information included in the response headers is configurable in each server, but it requires tampering with each serving application individually (and there might be cases when the software is privative and doesn't offer the option to set the HTTP headers).

Let's go with an easy example:

In our example datacenter, we're running a set of servers for different purposes, and we have configured them properly, so that they're returning no unnecessary metadata in the headers.

However, a new (imaginary) closed-source application for managing the print jobs is installed on one of the servers, and it offers a web interface that we want to use for whatever reason. If this application returns an additional header such as (let's say) "x-printman-version" (and it might want to do that, to ensure compatibility with clients that use its API), it will be effectively exposing its version.

And, if this print job manager has known vulnerabilities for certain versions, an attacker just has to query it to know whether this particular install is vulnerable.

This, which might not seem so important, opens a window for automated/random attacks, scanning ports of interest, and waiting for the right headers to appear ("fingerprints"), in order to launch an attack with certainty of success.

Therefore, stripping most of the additional HTTP headers (setting policies and rules for those that we want to keep) might sound sensible in an organisation.

With that being clear, stripping the headers from outgoing connections' responses is overkill. It's true that they can constitute a vector, but since it's an outgoing connection, this means we "trust" the endpoint. There's no straightforward reason why an attacker with control over the trusted endpoint would use the metadata instead of the payload.

I hope this helps!
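The trade-off this answer describes, modelled as an added example (not code from the question or from the answer's author): a fixed allowlist of the kind the asker's firewall uses, applied to a constructed third-party response, strips the CORS headers and breaks the request; the narrower policy the answer argues for strips only fingerprint headers, and only from responses our own servers emit, while passing responses fetched over outgoing connections through untouched. The header names, the sample responses and the `x-printman-version` header (the answer's imaginary application) are all constructed for illustration.

```python
# Added illustration of the header-filtering trade-off discussed above; the
# header names and sample responses are constructed, not taken from the post.
from typing import Dict, FrozenSet, List, Tuple

Headers = Dict[str, str]

# Response headers that commonly reveal software and version information
# ("fingerprints"). "x-printman-version" is the answer's imaginary example.
FINGERPRINT_HEADERS: FrozenSet[str] = frozenset({
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-generator",
    "x-printman-version",
})

# A fixed allowlist of the kind the question describes: well-known headers
# only, with no entries for newer mechanisms such as CORS.
LEGACY_ALLOWLIST: FrozenSet[str] = frozenset({
    "content-type", "content-length", "content-encoding", "cache-control",
    "date", "expires", "etag", "last-modified", "location", "set-cookie",
})


def apply_allowlist(headers: Headers, allowlist: FrozenSet[str]) -> Tuple[Headers, List[str]]:
    """Keep only allowlisted headers (the firewall behaviour in the question).
    Returns (kept headers, names that were stripped). Matching is
    case-insensitive because HTTP header names are."""
    kept: Headers = {}
    stripped: List[str] = []
    for name, value in headers.items():
        if name.lower() in allowlist:
            kept[name] = value
        else:
            stripped.append(name)
    return kept, stripped


def apply_fingerprint_policy(headers: Headers, served_by_us: bool) -> Tuple[Headers, List[str]]:
    """The narrower policy the answer argues for: strip fingerprint headers
    only from responses our own servers emit; responses we fetched from
    third parties (outgoing connections) pass through untouched."""
    if not served_by_us:
        return dict(headers), []
    kept: Headers = {}
    stripped: List[str] = []
    for name, value in headers.items():
        if name.lower() in FINGERPRINT_HEADERS:
            stripped.append(name)
        else:
            kept[name] = value
    return kept, stripped


def cors_usable(headers: Headers) -> bool:
    """True if a browser could complete a cross-origin request with these
    headers: Access-Control-Allow-Origin must survive the filter."""
    return any(name.lower() == "access-control-allow-origin" for name in headers)


# Constructed sample: a third-party comments API response (the Disqus case).
THIRD_PARTY_RESPONSE: Headers = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://intranet.example",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Server": "nginx",
}

# Constructed sample: the answer's imaginary print-job manager on our own network.
PRINT_MANAGER_RESPONSE: Headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store",
    "Server": "PrintMan/2.3",
    "X-Printman-Version": "2.3.1",
}

if __name__ == "__main__":
    kept, stripped = apply_allowlist(THIRD_PARTY_RESPONSE, LEGACY_ALLOWLIST)
    print("allowlist, third-party response: stripped", stripped,
          "| CORS still works:", cors_usable(kept))
    kept, stripped = apply_fingerprint_policy(THIRD_PARTY_RESPONSE, served_by_us=False)
    print("fingerprint policy, third-party response: stripped", stripped,
          "| CORS still works:", cors_usable(kept))
    kept, stripped = apply_fingerprint_policy(PRINT_MANAGER_RESPONSE, served_by_us=True)
    print("fingerprint policy, our own server: stripped", stripped)
```

Running the script shows the asker's symptom directly: the allowlist removes `Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials` and `Vary` from the third-party response, so the browser rejects it, while the fingerprint policy leaves that response intact and removes only `Server` and `X-Printman-Version` from the internally served one. The lesson for whoever maintains the firewall policy is that the decision needs two inputs, which direction the connection was opened in and whether the header carries fingerprint information, rather than a single list of header names.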
