界: Security Features
軟體安全性並非安全性軟體。我們關注驗證、Access Control、保密性、加密以及權限管理之類的主題。
ASP.NET Bad Practices: Compression Over Encrypted WebSocket Connection
Abstract
應用程式啟用了危險的壓縮。
Explanation
該應用程式使用啟用 Permessage-deflate WebSocket 擴充功能的程式碼,允許透過加密連線進行壓縮。啟用這種類型的壓縮後,會使應用程式可能遭受 CRIME 和 BREACH 類型的攻擊。
範例 1:以下程式碼將
DangerousEnableCompression
設定為 true
,以啟用 'per-message-deflate' 擴充功能:範例 2:以下程式碼使用
app.Run(async context => {
using var websocket = await context.WebSockets.AcceptWebSocketAsync(new WebSocketAcceptContext() { DangerousEnableCompression = true });
await websocket.SendAsync(...);
await websocket.ReceiveAsync(...);
await websocket.CloseAsync(WebSocketCloseStatus.NormalClosure, null, default);
});
DangerousDeflateOptions
設定 'per-message-deflate' 擴充功能的選項:
using ClientWebSocket ws = new() {
Options = {
CollectHttpResponseDetails = true,
DangerousDeflateOptions = new WebSocketDeflateOptions() {
ClientMaxWindowBits = 10,
ServerMaxWindowBits = 10
}
}
};
References
[1] WebSocketAcceptContext DangerousEnableCompression Property, Microsoft
[2] ClientWebSocketOptions DangerousDeflateOptions Property, Microsoft
[3] CRIME, CVE
[4] BREACH, CVE
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3)
[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II, APP3150.1 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II, APP3150.1 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II, APP3150.1 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II, APP3150.1 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II, APP3150.1 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II, APP3150.1 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II, APP3150.1 CAT II
desc.semantic.dotnet.asp_dotnet_bad_practices_compression_over_encrypted_websocket_connection