Information service online penetration detection network security inspection report and solution 3 (system vulnerability scanning, Relative Path Overwrite (RPO) vulnerability, nginx vulnerability repair)

Series Article Directory

  1. Information service online penetration detection network security inspection report and solution 2 (installation file information leakage, management path leakage, XSS vulnerability, weak password, logic vulnerability, ultimate upload vulnerability upgrade)
  2. Information service online Penetration detection network security inspection report and solution



foreword

This third report in the series is based on the author's core system as deployed in different projects. After a third-party professional security company performed vulnerability scanning and online detection, the findings were fixed and improved step by step in practice.

1. Medium Risk Vulnerabilities

Relative Path Overwrite (RPO) Vulnerability

Vulnerability name: Relative Path Overwrite (RPO) Vulnerability
Risk level: Medium
Submission method: GET

Description

RPO (Relative Path Overwrite) is an attack technique first described by Gareth Heyes. It relies on browser behaviour, on configuration differences between web servers (including server-side caching), and on the different ways the server and the browser interpret a URL path. When a page references CSS or JS by a relative path, an attacker can craft a URL (for example by appending extra path segments to the page URL) so that the browser resolves the relative reference against the attacker-chosen path and requests something other than the intended CSS or JS file. If the server still returns content for that path (typically the HTML page itself), the browser parses that non-CSS/JS response as a stylesheet or script, which can lead to XSS, information leakage and similar issues.

Solution

Two conditions must hold for the vulnerability to be triggered: (1) the web server returns the page for a modified path, for example Apache with the AllowEncodedSlashes option enabled (it is off by default, so this is usually a misconfiguration), or an nginx server; (2) the page references JS or CSS by relative path. Developers should therefore follow coding standards and avoid loading static files by relative paths in pages (use root-relative or absolute URLs instead). In addition, declare a DOCTYPE so that the browser does not render the page in quirks mode, and send the X-Content-Type-Options: nosniff response header so that the browser refuses to treat a response that is not CSS or JS as a stylesheet or script; nosniff is the more robust of the two mitigations.

Detection logic (how the scanner decides the vulnerability exists):

  • Visit the current URL and check whether the response includes the X-Content-Type-Options header;
  • If it does not, check the response content. If the response is HTML without a DOCTYPE declaration, and it references CSS or JS resources by relative path, the vulnerability is considered to exist.
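The scanner's three-step decision above, implemented as a small check that can be run over any captured response, together with a helper that shows why a relative reference is dangerous (the same `static/style.css` resolves to a different URL once the page is loaded under a longer path). This is an added example, not the scanner's or the page author's code; the sample responses are constructed for the demonstration.

```python
"""Heuristic RPO check following the scanner logic described above.

Added example, not the scanner's or the page author's code. The sample
responses below are constructed for the demonstration.
"""
import re
from urllib.parse import urljoin

# A reference is absolute (not RPO-relevant) if it starts with a scheme,
# a slash (root-relative or protocol-relative) or a fragment.
_ABSOLUTE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:|/|#)", re.I)

# <link ... href="..."> and <script ... src="..."> references.
_ASSET_REF = re.compile(
    r"<(?:link|script)\b[^>]*?\b(?:href|src)\s*=\s*[\"']?([^\"'\s>]+)", re.I
)


def relative_asset_refs(body: str) -> list:
    """Return link/script references that resolve relative to the page path."""
    return [ref for ref in _ASSET_REF.findall(body) if not _ABSOLUTE.match(ref)]


def has_doctype(body: str) -> bool:
    """A DOCTYPE keeps browsers out of quirks mode (scanner condition 2)."""
    return body.lstrip().lower().startswith("<!doctype")


def has_nosniff(headers: dict) -> bool:
    """X-Content-Type-Options: nosniff (scanner condition 1); names are
    case-insensitive in HTTP, so normalise before looking up."""
    norm = {k.lower(): v for k, v in headers.items()}
    return norm.get("x-content-type-options", "").strip().lower() == "nosniff"


def rpo_suspect(headers: dict, body: str) -> bool:
    """True only when all three scanner conditions hold: no nosniff header,
    HTML without a DOCTYPE, and at least one relative css/js reference."""
    if has_nosniff(headers):
        return False
    if has_doctype(body):
        return False
    return bool(relative_asset_refs(body))


def resolve_asset_url(page_url: str, ref: str) -> str:
    """Where the browser fetches `ref` from, given the URL the page was loaded at."""
    return urljoin(page_url, ref)


# --- constructed sample responses ------------------------------------------
VULN_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
VULN_BODY = (
    "<html><head>"
    '<link rel="stylesheet" href="static/style.css">'
    '<script src="js/app.js"></script>'
    '<script src="https://cdn.example.net/lib.js"></script>'
    "</head><body>hello</body></html>"
)
# Same page with a DOCTYPE: the scanner no longer reports it.
SAFE_BODY_DOCTYPE = "<!DOCTYPE html>" + VULN_BODY
# Same page with root-relative references: nothing for RPO to redirect.
SAFE_BODY_ROOTREL = VULN_BODY.replace('"static/', '"/static/').replace('"js/', '"/js/')
SAFE_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    print("vulnerable:", rpo_suspect(VULN_HEADERS, VULN_BODY))
    print("with DOCTYPE:", rpo_suspect(VULN_HEADERS, SAFE_BODY_DOCTYPE))
    print("with nosniff:", rpo_suspect(SAFE_HEADERS, VULN_BODY))
    # The reference is resolved against whatever path the page was loaded at:
    for page in ("https://example.com/index.php", "https://example.com/index.php/"):
        print(page, "->", resolve_asset_url(page, "static/style.css"))
```

The `resolve_asset_url` output makes the root cause visible: loaded at `/index.php` the stylesheet is fetched from `/static/style.css`, but loaded at `/index.php/` it is fetched from `/index.php/static/style.css`, and a server that routes that path back to the same page hands the browser HTML where it expects CSS.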

2. Low Risk Vulnerabilities

1. Support for lower TLS protocol versions

Vulnerability name: Support for lower TLS protocol versions
Risk level: Low
Submission method: GET

2. Clickjacking: Missing X-Frame-Options header

Vulnerability name: Clickjacking: Missing X-Frame-Options header
Risk level: Low
Submission method: GET

3. The HTTP Referrer-Policy response header is missing

Vulnerability name: HTTP Referrer-Policy response header is missing
Risk level: Low
Submission method: GET

4. The HTTP Content-Security-Policy response header is missing

Vulnerability name: HTTP Content-Security-Policy response header is missing
Risk level: Low
Submission method: GET

5. The HTTP X-Permitted-Cross-Domain-Policies response header is missing

Vulnerability name: HTTP X-Permitted-Cross-Domain-Policies response header is missing
Risk level: Low
Submission method: GET

6. The HTTP X-XSS-Protection response header is missing

Vulnerability name: HTTP X-XSS-Protection response header is missing
Risk level: Low
Submission method: GET

7. The HTTP X-Download-Options response header is missing

Vulnerability name: HTTP X-Download-Options response header is missing
Risk level: Low
Submission method: GET

8. The HTTP X-Content-Type-Options response header is missing

Vulnerability name: HTTP X-Content-Type-Options response header is missing
Risk level: Low
Submission method: GET

9. Detection and discovery of firewall devices

Vulnerability name: Firewall devices detected and discovered
Risk level: Low
Submission method: GET

10. Cookie is not set HttpOnly

Vulnerability name: Cookie is not set HttpOnly
Risk level: Low
Submission method: GET

11. Cookie does not set the Secure attribute

Vulnerability name: Cookie does not set the Secure attribute
Risk level: Low
Submission method: GET
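Findings 2 to 8, 10 and 11 above are all checks on the response headers and Set-Cookie attributes of a single page, so they can be re-verified after the fix without the scanner. The audit below reproduces those checks, and additionally flags a Content-Security-Policy that is present but effectively permissive for scripts (a header-presence scanner would accept such a policy). This is an added example, not the scanner's or the page author's code; the two sample responses are constructed for the demonstration, and the hardened one sends X-XSS-Protection: 0 because the legacy browser XSS filter is no longer recommended.

```python
"""Response-header and cookie audit for the low-risk findings listed above.

Added example, not the scanner's or the page author's code. Sample responses
are constructed inline for the demonstration.
"""

# (header name, predicate on its value, finding text as used in the report)
HEADER_CHECKS = [
    ("x-frame-options", lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
     "Clickjacking: Missing X-Frame-Options header"),
    ("referrer-policy", lambda v: v != "",
     "HTTP Referrer-Policy response header is missing"),
    ("content-security-policy", lambda v: v != "",
     "HTTP Content-Security-Policy response header is missing"),
    ("x-permitted-cross-domain-policies", lambda v: v != "",
     "HTTP X-Permitted-Cross-Domain-Policies response header is missing"),
    ("x-xss-protection", lambda v: v != "",
     "HTTP X-XSS-Protection response header is missing"),
    ("x-download-options", lambda v: v.lower() == "noopen",
     "HTTP X-Download-Options response header is missing"),
    ("x-content-type-options", lambda v: v.lower() == "nosniff",
     "HTTP X-Content-Type-Options response header is missing"),
]


def _normalize(headers):
    """Lower-case header names; HTTP header names are case-insensitive."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def header_findings(headers):
    norm = _normalize(headers)
    return [text for name, ok, text in HEADER_CHECKS if not ok(norm.get(name, ""))]


def cookie_findings(set_cookie_values):
    """One Set-Cookie header value per entry; flags missing HttpOnly / Secure."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"Cookie {name} is not set HttpOnly")
        if "secure" not in attrs:
            findings.append(f"Cookie {name} does not set the Secure attribute")
    return findings


def csp_allows_any_script(csp):
    """True if the policy lets any origin or inline script run, i.e. it is
    present but gives no real protection (e.g. script-src * 'unsafe-inline')."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither script-src nor a default-src fallback
    return "*" in sources or "'unsafe-inline'" in sources


def audit_response(headers, set_cookie_values=()):
    """All findings for one response, in the wording of the report."""
    findings = header_findings(headers) + cookie_findings(list(set_cookie_values))
    csp = _normalize(headers).get("content-security-policy")
    if csp and csp_allows_any_script(csp):
        findings.append("Content-Security-Policy is present but permissive for scripts")
    return findings


# --- constructed sample responses ------------------------------------------
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}
WEAK_COOKIES = ["JSESSIONID=abc123; Path=/"]

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",  # legacy filter disabled; header still present
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Download-Options": "noopen",
}
HARDENED_COOKIES = ["JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]

if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, WEAK_COOKIES):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_HEADERS, HARDENED_COOKIES))
```

To run it against a live site, fill `headers` from the response of `curl -I` (or `urllib`) and `set_cookie_values` from every Set-Cookie line; the function deliberately does not fetch anything itself so that it stays usable on saved scan evidence.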

3. Remediation: nginx response header configuration

In this case the nginx configuration file was edited directly through the BT Panel (宝塔) management interface, as shown in the figure:

nginx configuration file

The add_header directives can be placed in the http, server or location context of nginx. Be aware of how nginx inherits them: a block inherits add_header directives from the enclosing level only if it defines no add_header of its own, so a location that adds even one header of its own silently drops all the headers set at server level unless they are repeated there. To verify the change, reload nginx and request the site again, checking the response headers (for example in the browser's developer tools or with curl -I); if they are not present, clear the browser cache and try again. If the configuration is correct and has been reloaded, the headers will appear.

After saving the configuration, reload nginx (or click restart in the panel).

add_header configuration content

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
# Prevent cross-site scripting (XSS): enables the legacy browser XSS filter
add_header X-XSS-Protection "1; mode=block";
# Does not restrict where content may be loaded from
add_header Content-Security-Policy "script-src * 'unsafe-inline' 'unsafe-eval'";
# Automatically upgrades this site's internal http links to https, and does not restrict where content may be loaded from.
# Note: "content" is not a CSP directive, and a wildcard source must be written as * rather than '*'.
#add_header Content-Security-Policy "upgrade-insecure-requests;content *;img-src '*'";
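The block above satisfies the scanner's "header missing" checks for X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and Content-Security-Policy, but its CSP allows scripts from any origin plus inline and eval, so it adds no real protection, and it leaves the other findings (TLS versions, Referrer-Policy, X-Permitted-Cross-Domain-Policies, X-Download-Options, cookie flags) untouched. The following is an added example of a hardened configuration covering all of the findings in this report; it is not the page's own configuration, and the server name, certificate paths and upstream address are placeholders. The CSP is a strict starting point that must be widened per application (for example to allow a CDN) after testing with Content-Security-Policy-Report-Only.

```nginx
# Added example, not the page's own configuration. server_name, certificate
# paths and the upstream address are placeholders (assumptions).
http {
    # Finding 1 (lower TLS versions): allow TLS 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    server {
        listen 443 ssl;
        server_name example.com;                                   # placeholder
        ssl_certificate     /etc/nginx/ssl/example.com.crt;        # placeholder
        ssl_certificate_key /etc/nginx/ssl/example.com.key;        # placeholder

        # Findings 2-8. "always" makes nginx send the header on 4xx/5xx
        # responses as well, which scanners also request.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;        # also the RPO mitigation
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Download-Options "noopen" always;
        # The legacy XSS auditor has been removed from modern browsers and could
        # itself be abused; "0" satisfies the "header missing" check without
        # enabling it.
        add_header X-XSS-Protection "0" always;
        # Unlike "script-src * 'unsafe-inline' 'unsafe-eval'", this policy
        # actually limits where scripts may come from and keeps the
        # upgrade-insecure-requests behaviour the original commented line wanted.
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" always;

        location / {
            # Caveat: add_header is inherited from the server level ONLY if this
            # block defines no add_header of its own. Adding a single header
            # here would silently drop every header above, so either add none
            # here or repeat the complete set.
            proxy_pass http://127.0.0.1:8080;                      # placeholder upstream

            # Findings 10-11: add HttpOnly and Secure to every cookie set by
            # the upstream (proxy_cookie_flags requires nginx 1.19.3 or newer).
            # The proper fix is to set these flags in the application itself;
            # this is a stop-gap at the reverse proxy.
            proxy_cookie_flags ~ httponly secure;
        }
    }
}
```

After editing, run `nginx -t` before reloading: an add_header value with unbalanced quotes or an unknown directive such as proxy_cookie_flags on an older nginx will fail the syntax test rather than the reload.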

Configuration comparison


Summary

After the department's application systems were vulnerability-scanned, 0 high-risk, 1 medium-risk and 11 low-risk vulnerabilities were found. The business department fixes medium- and high-risk vulnerabilities promptly according to the recommendations of the professional security evaluation company, and a second vulnerability scan is carried out promptly after the fixes, so that application-system vulnerabilities stay within the requirements of the security regulations and information and data security is ensured. @ Leak sometimes


Origin blog.csdn.net/weixin_41290949/article/details/129328669