Reino: Security Features

Segurança de software não é o mesmo que software de segurança. Aqui, estamos interessados em tópicos como autenticação, controle de acesso, confidencialidade, criptografia e gestão de privilégios.

ASP.NET Bad Practices: Compression Over Encrypted WebSocket Connection

C#/VB.NET/ASP.NET

Abstract

O aplicativo permite compactação perigosa.

Explanation

O código define DangerousEnableCompression como true, que habilita a extensão WebSocket 'permessage-deflate'. Ao habilitar essa compactação em uma conexão criptografada, você abre o aplicativo para ataques CRIME e BREACH.

Exemplo 1: O código a seguir define DangerousEnableCompression como true:


    app.Run(async context => {
      using var websocket = await context.WebSockets.AcceptWebSocketAsync(new WebSocketAcceptContext() { DangerousEnableCompression = true });
      await websocket.SendAsync(...);
      await websocket.ReceiveAsync(...);
      await websocket.CloseAsync(WebSocketCloseStatus.NormalClosure, null, default);
    });

References

[1] WebSocketAcceptContext DangerousEnableCompression Property, Microsoft

[2] CRIME, CVE

[3] BREACH, CVE

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3)

[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II, APP3150.1 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II, APP3150.1 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II, APP3150.1 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II, APP3150.1 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II, APP3150.1 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II, APP3150.1 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II, APP3150.1 CAT II

desc.semantic.dotnet.asp_dotnet_bad_practices_compression_over_encrypted_websocket_connection