Reino: Environment

Esta seção contém tudo o que fica fora do código-fonte, porém que é essencial para a segurança do produto que está sendo criado. Como os problemas tratados neste domínio não são diretamente relacionados com o código-fonte, nós o separamos dos demais domínios.

HTML5: MIME Sniffing

Abstract

O método Application_BeginRequest está vazio ou não inclui uma chamada de função para definir X-Content-Type-Options como nosniff, ou tenta remover esse cabeçalho.

Explanation

Sniffing de MIME é a prática de inspecionar o conteúdo de um fluxo de bytes para tentar deduzir o formato de arquivo dos dados em seu interior.

Se o sniffing de MIME não estiver explicitamente desabilitado, alguns navegadores poderão ser manipulados para interpretar dados de maneiras não planejadas, possibilitando ataques de criação de scripts entre sites.

Para cada página que pode incluir conteúdo controlável pelo usuário, você deve usar o Cabeçalho HTTP X-Content-Type-Options: nosniff.

References

[1] Reducing MIME type security risks

[2] ASP.NET Configuration Files

[3] Global.asax Syntax

[4] IE8 Security Part V: Comprehensive Protection

[5] Custom HttpModule Example

[6] HttpResponse Class

[7] MIME types and stylesheets

[8] Standards Mapping - Common Weakness Enumeration CWE ID 554

[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020

[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[15] Standards Mapping - FIPS200 CM

[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 14.1.3 Build (L2 L3)

[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[21] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[23] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[24] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[25] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[26] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.dotnet.html5_mime_sniffing

Abstract

O aplicativo aplica o algoritmo de MIME Sniffing ou não define X-Content-Type-Options como nosniff..

Explanation

MIME sniffing é a prática de inspecionar o conteúdo de um fluxo de bytes para tentar reduzir o formato dos dados de arquivos nele.

Se o sniffing de MIME não estiver explicitamente desabilitado, alguns navegadores poderão ser manipulados para interpretar dados de maneiras não planejadas, possibilitando ataques de criação de scripts entre sites.
Ao escrever um aplicativo Web, use o cabeçalho HTTP X-Content-Type-Options: nosniff para cada página que possa ter conteúdo controlável pelo usuário.
Ao escrever um aplicativo cliente, você não deve usar o algoritmo de MIME Sniffing para determinar a resposta do servidor Content-Type.

Exemplo: O código a seguir usa net.http.DetectContentType() para determinar a resposta Content-Type:


    ...
    resp, err := http.Get("http://example.com/")
    if err != nil {
        // handle error
    }
    defer resp.Body.Close()
    body, err := ioutil.ReadAll(resp.Body)

    content_type := DetectContentType(body)
    ...

References

[1] OWASP OWASP Secure Headers Project

[2] WHATWG MIME Sniffing

[3] Standards Mapping - Common Weakness Enumeration CWE ID 554

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[10] Standards Mapping - FIPS200 CM

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 14.1.3 Build (L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[16] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.dataflow.golang.html5_mime_sniffing

Abstract

O aplicativo não define X-Content-Type-Options como nosniff ou desabilita esse cabeçalho de segurança explicitamente.

Explanation

MIME Sniffing é a prática de inspecionar o conteúdo de um fluxo de bytes para deduzir o formato de arquivo dos dados nele.

Se MIME Sniffing não for desabilitado explicitamente, os invasores poderão manipular alguns navegadores para interpretar os dados de maneira inadequada, permitindo ataques de cross-site scripting. Para cada página que pode incluir conteúdo controlável pelo usuário, você deve usar o cabeçalho HTTP X-Content-Type-Options: nosniff.

Exemplo: O seguinte código configura um aplicativo protegido do Spring Security para desabilitar a proteção contra MIME Sniffing:


	<http auto-config="true">
        ...
        <headers>
            ...
            <content-type-options disabled="true"/>
        </headers>
	</http>

References

[1] OWASP OWASP Secure Headers Project

[2] Standards Mapping - Common Weakness Enumeration CWE ID 554

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 14.1.3 Build (L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[15] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I

[54] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.html5_mime_sniffing

Abstract

O aplicativo Node.js não define X-Content-Type-Options como nosniff ou desabilita esse cabeçalho de segurança explicitamente.

Explanation

References

[1] Node.js Security Checklist

[2] OWASP OWASP Secure Headers Project