跨站点历史操作解决方案
[英]Cross Site History Manipulation resolution
问题描述
We have developed a new application, and before moving the changes we did a static scan of code using checkmarx. 
我们开发了一个新的应用程序,在移动更改之前,我们使用checkmarx对代码进行了静态扫描。 There is a medium level vulnerablity that is found in the code named Cross Site History Manipulation. 在名为Cross Site History Manipulation的代码中存在中等级别的漏洞。
This is detacted in the JSP page where I am validating the session values : 这在我正在验证会话值的JSP页面中被删除:
if(request.getSession().getAttribute("sesStrUID")!=null)
Can you please help me understand this vulnerabilty and what should be done to eliminate this? 能否帮助我理解这个漏洞以及应该采取哪些措施来消除这种漏洞?
3 个解决方案
解决方案1
4 2015-01-06 09:53:35
This is more a browser vulnerability than a website vulnerability in Internet Explorer from 2010 : 这是一个浏览器漏洞,而不是2010年Internet Explorer中的网站漏洞 :
Checkmarx Research Labs has identified a new critical vulnerability in Internet Explorer (other browsers are probably exposed the same way) that would allow hackers to easily compromise web applications.
This is a violation of the Same Origin Policy by the browser and it is not something you should be fixing in your web application. 这违反了浏览器的同源策略,并不是您应该在Web应用程序中修复的内容。 The vulnerability reported is probably referring to a redirect you are doing based on your 报告的漏洞可能是指您根据自己的情况进行的重定向
request.getSession().getAttribute("sesStrUID")!=null
condition. 条件。 It is saying that if you're redirecting server side based on the session sesStrUID value, then an attacker could IFrame your website, and if it detects that you are redirecting it can infer whether sesStrUID is null or not. 这是说如果您根据会话sesStrUID值重定向服务器端,那么攻击者可以IFrame您的网站,如果它检测到您正在重定向,则可以推断sesStrUID是否为空。
This is only a problem if your users are using a broken browser. 如果您的用户使用损坏的浏览器,这只是一个问题。
If your users are using modern browsers then this is not worth fixing IMO.
如果您的用户使用的是现代浏览器,那么这不值得修复IMO。
If you want to be extra safe and also protect against clickjacking attacks, you could output the X-Frame-Options: DENY HTTP header to prevent framing. 如果您想要更加安全并且还能防止点击劫持攻击,您可以输出X-Frame-Options: DENY HTTP标头以防止框架。 Please note that this would only protect you against the IFrame version of the attack. 请注意,这只会保护您免受IFrame版本的攻击。 For other attack vectors discussed in depth, check out this XSHM paper . 对于深入讨论的其他攻击向量, 请查看此XSHM文章 。
Edit after @adar's answer : 在@adar的回答后编辑 :
Adar's answer is very similar to mine and contains much the same information, except that the poster states that this is still an issue.
Adar的答案与我的非常相似,并且包含大致相同的信息,但海报说这仍然是一个问题。
However, XSHM is not a problem if you are redirecting server side via the
location HTTP header .
但是,如果您通过
location HTTP标头重定向服务器端,则XSHM不是问题。
HTTP 3xx redirects do not cause the value of
history.length to be increased in modern browsers, so this cannot be used to determine whether the user is logged into a particular site.
HTTP 3xx重定向不会导致
history.length的值在现代浏览器中增加,因此不能用于确定用户是否登录到特定站点。
If you are outputting JavaScript code to redirect after your
如果您要输出JavaScript代码,请在重定向后重定向
if(request.getSession().getAttribute("sesStrUID")!=null)
code then XSHM is an issue, if you are redirecting server side
代码然后XSHM是一个问题,如果您重定向服务器端
<% String redirectURL = "http://example.com/myJSPFile.jsp"; response.sendRedirect(redirectURL); %>
then you are not vulnerable.
那你就不脆弱了。
Edit after @adar's answer II : 在@adar的回答II之后编辑 :
@adar is correct: If you try the following attack scenario: @adar是正确的:如果您尝试以下攻击情形:
- Open
Login.jspin an IFrame - history containsLogin.jsp.在IFrame中打开Login.jsp- 历史记录包含Login.jsp。 - Open
ShowSecretInfo.jsp- if the server then redirects toLogin.jspwith HTTP 3xx, thenhistory.lengthwill remain the same, if a server showsShowSecretInfo.jsp-history.lengthwill be increased by 1.打开ShowSecretInfo.jsp- 如果服务器随后使用HTTP 3xx重定向到Login.jsp,则history.length将保持不变,如果服务器显示ShowSecretInfo.jsp-history.length将增加1。
Therefore if history.length increases, you can determine that the user is logged in. I could recreate the above with IE 11 and Firefox 33.1 on Windows 7. Chrome 39 is not vulnerable in this way from my tests, but it is in another: 因此,如果history.length增加,您可以确定用户已登录。我可以在Windows 7上使用IE 11和Firefox 33.1重新创建上述内容.Chrome 39在我的测试中不会以这种方式受到攻击,但它在另一个中:
Assuming that /ShowSecretInfo.jsp redirects to /Login.jsp (with no query) if the user is not logged in. 假设/ShowSecretInfo.jsp重定向到/Login.jsp (没有查询),如果用户没有登录。
- Open
/ShowSecretInfo.jspin an IFrame - history contains/ShowSecretInfo.jsp.在IFrame中打开/ShowSecretInfo.jsp- 历史记录包含/ShowSecretInfo.jsp。 - Set the IFrame src to
/Login.jsp- ifhistory.lengthdoes not increase, then you know the user is logged in.将IFrame src设置为/Login.jsp- 如果history.length没有增加,那么您就知道用户已登录。
It appears that Chrome does not try to redirect if the src is already set to the current URL. 如果src已设置为当前网址,Chrome似乎不会尝试重定向。 I could also recreate this in IE and Firefox. 我也可以在IE和Firefox中重新创建它。
解决方案2
4 2015-01-09 21:12:24
Here's the answer I got from Alex Roichman, Chief Software Architect @ Checkmarx : 以下是我从@ Checkmarx首席软件架构师Alex Roichman那里得到的答案 :
Cross-site history manipulation is a browser same origin policy breach where it's possible to know a state of a condition from another origin. 跨站点历史记录操作是浏览器相同的原始策略违规,其中可以从另一个来源知道条件的状态。 For example, many sites check if a user was authenticated prior to showing them his private data. 例如,许多站点在向用户显示其私人数据之前检查用户是否已通过身份验证。 This can be done by following code: 这可以通过以下代码完成:
If (!IsAuthenticated())
Redirect “login.jsp”
By using XSHM it's possible from another site to know if a user is currently authenticated to that site. 通过使用XSHM,可以从其他站点了解用户当前是否已对该站点进行身份验证。
Now let's look for a given line: 现在让我们来寻找一个给定的行:
if(request.getSession().getAttribute("sesStrUID")!=null)
This line seems to check if a user has a session or even already authenticated. 此行似乎检查用户是否有会话或甚至已经过身份验证。 Since inside 'if' statement there is 'redirect', it's possible for any other site to know that request.getSession().getAttribute("sesStrUID")!=null or if a user was already authenticated. 由于在'if'语句内部存在'重定向',因此任何其他站点都可以知道request.getSession().getAttribute("sesStrUID")!=null或者用户是否已经过身份验证。
Thus this result is true and it has nothing with old or modern browsers: all modern browsers provide an access to history.lengh, this property can lead to privacy violation via XSHM, and there is no simple fix because of backward compatibility issues. 因此,这个结果是正确的,它与旧的或现代的浏览器没有任何关系:所有现代浏览器都提供对history.lengh的访问,此属性可能导致通过XSHM侵犯隐私,并且由于向后兼容性问题,没有简单的修复。
X-Frame-Options: DENY can protect against the IFrame version of XSHM, but old browsers don't support this option. X-Frame-Options:DENY可以防止XSHM的IFrame版本,但旧浏览器不支持此选项。
Edit after SilverlightFox's answer 在SilverlightFox的回答后编辑
I agree we have very similar answers. 我同意我们有非常相似的答案。
Still, concerning: 关于:
"3xx redirects do not cause the value of history.length to be increased in modern browsers"
This is right and XSHM is based exactly on this. 这是正确的,XSHM正是基于此。
Look for the following attack scenario: 查找以下攻击情形:
- Open 'Login.jsp' in an IFrame - now history contains 'login.jsp' on top of it. 在IFrame中打开“Login.jsp” - 现在历史记录中包含“login.jsp”。
- Open 'ShowSecretInfo.jsp' - if a server will redirect to 'Login.jsp' with 3xx, then history.length will remain the same, if a server will show 'ShowSecretInfo.jsp'- history.length will be increased by 1. 打开'ShowSecretInfo.jsp' - 如果服务器将使用3xx重定向到'Login.jsp',那么history.length将保持不变,如果服务器将显示'ShowSecretInfo.jsp'- history.length将增加1。
and this means that an attacked user is authenticated – privacy violation. 这意味着受攻击的用户已通过身份验证 - 隐私侵犯。
解决方案3
0 2015-01-05 17:01:31
From OWASP Site 来自OWASP网站
Cross-Site History Manipulation (XSHM) is a SOP (Same Origin Policy) security breach.
With request.getSession().getAttribute("sesStrUID") , you are not doing anything that goes to browser history, So looks like its wrong detection 使用request.getSession().getAttribute("sesStrUID") ,你没有做任何与浏览器历史记录有关的事情,所以看起来它的错误检测
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.