Reino: Security Features

Segurança de software não é o mesmo que software de segurança. Aqui, estamos interessados em tópicos como autenticação, controle de acesso, confidencialidade, criptografia e gestão de privilégios.

HTML5: Insecure Cross-Origin Opener Policy

Python

Abstract

O programa define uma Política de Abertura de Origens Cruzadas (COOP) excessivamente permissiva

Explanation

Tornou-se importante impor a privacidade dos dados de um determinado documento da Web devido à existência de explorações de canais laterais resultantes de vulnerabilidades como Spectre e Meltdown. A Política de Abertura de Origens Cruzadas (COOP) foi criada para ajudar a prevenir a exposição de informações confidenciais devido a ataques de canal lateral. Especificamente, o COOP pode impor o isolamento do grupo de contexto de navegação de um documento em relação a outros documentos externos, como pop-ups.

Exemplo 1: O código a seguir mostra uma configuração COOP insegura de "unsafe-none" na estrutura do Django. Isso pode permitir que um documento externo acesse os dados privados do grupo de contexto de navegação de um documento de origem devido a um ataque de canal lateral.


SECURE_CROSS_ORIGIN_OPENER_POLICY = 'unsafe-none'

References

[1] Eiji Kitamura, Domenic Denicola Why you need "cross-origin isolated" for powerful features

[2] Standards Mapping - Common Weakness Enumeration CWE ID 346

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 14.5.2 Validate HTTP Request Header Requirements (L1 L2 L3), 14.5.3 Validate HTTP Request Header Requirements (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.6 - Web Software Attack Mitigation

[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[36] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.structural.python.html5_insecure_cross_origin_opener_policy