Reino: Security Features

La seguridad de un software no es un software de seguridad. Nos preocupamos de cuestiones como la autenticación, el control de acceso, la confidencialidad, la criptografía y la gestión de privilegios.

ASP.NET Bad Practices: Compression Over Encrypted WebSocket Connection

C#/VB.NET/ASP.NET

Abstract

La aplicación permite una compresión peligrosa.

Explanation

La aplicación utiliza código que habilita la extensión WebSocket de deflación de mensajes que permite la compresión a través de conexiones cifradas. La habilitación de este tipo de compresión hace que la aplicación esté sujeta a ataques de tipo CRIME y BREACH.

Ejemplo 1: El siguiente código establece DangerousEnableCompression en true para habilitar la extensión "per-message-deflate":


    app.Run(async context => {
        using var websocket = await context.WebSockets.AcceptWebSocketAsync(new WebSocketAcceptContext() { DangerousEnableCompression = true });
        await websocket.SendAsync(...);
        await websocket.ReceiveAsync(...);
        await websocket.CloseAsync(WebSocketCloseStatus.NormalClosure, null, default);
    });

Ejemplo 2: El siguiente código utiliza DangerousDeflateOptions para configurar las opciones para la extensión "per-message-deflate":


    using ClientWebSocket ws = new() {
        Options = {
            CollectHttpResponseDetails = true,
            DangerousDeflateOptions = new WebSocketDeflateOptions() {
                ClientMaxWindowBits = 10,
                ServerMaxWindowBits = 10
            }
        }
    };

References

[1] WebSocketAcceptContext DangerousEnableCompression Property, Microsoft

[2] ClientWebSocketOptions DangerousDeflateOptions Property, Microsoft

[3] CRIME, CVE

[4] BREACH, CVE

[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3)

[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II, APP3150.1 CAT II

[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II, APP3150.1 CAT II

[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II, APP3150.1 CAT II

[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II, APP3150.1 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II, APP3150.1 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II, APP3150.1 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II, APP3150.1 CAT II

desc.semantic.dotnet.asp_dotnet_bad_practices_compression_over_encrypted_websocket_connection