界: Security Features
軟體安全性並非安全性軟體。我們關注驗證、Access Control、保密性、加密以及權限管理之類的主題。
Privacy Violation: BREACH
Abstract
應用程式可能會洩漏 HTTP 回應中所包含之經由已啟用 SSL/TLS 的通道進行傳輸的敏感資料。
Explanation
Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) 攻擊是一種側通道攻擊,可讓攻擊者竊取 HTTP 回應中所包含之經由已啟用 SSL/TLS 的通道進行傳輸的敏感資訊。所有現有的 SSL/TLS 版本和密碼都容易受到此攻擊。如果滿足以下三個條件,則攻擊者可能成功對應用程式發起 BREACH 攻擊:
1. 應用程式在回應中傳輸機密資訊 (例如,防 CSRF 權杖)。
2. 應用程式在包含機密資訊的同一回應中反映使用者輸入。
3. Web 伺服器配置為使用 HTTP 壓縮。
使用 gzip 壓縮之回應的大小取決於在其內容中發現的重複資料數量。因此,字元重複出現的次數越多,回應大小越小。這樣,攻擊者便可使用 HTTP 壓縮做為預測,用於指示攻擊者透過反映的參數值提供給應用程式的猜測是否正確。如果猜測的字元符合機密資訊中對應的字元,則壓縮的回應大小較小。攻擊者可能使用此程序,透過分析每個要求的壓縮比率,逐字元地取得完整機密資訊。
即使應用程式已設定為經由安全通道提供內容,攻擊者也可能使用此技術,從 HTTP 回應中擷取機密資訊。
若要評估應用程式是否容易受到 BREACH 攻擊,請先檢閱應用程式是否已配置為啟用 HTTP 壓縮。如果是,則針對包含要保護之機密資訊的每個回應,評估其中是否包含使用者輸入。
報告此問題是因為 Django 應用程式已配置為使用 CSRF 權杖和 GZip 壓縮:
1. 應用程式在回應中傳輸機密資訊 (例如,防 CSRF 權杖)。
2. 應用程式在包含機密資訊的同一回應中反映使用者輸入。
3. Web 伺服器配置為使用 HTTP 壓縮。
使用 gzip 壓縮之回應的大小取決於在其內容中發現的重複資料數量。因此,字元重複出現的次數越多,回應大小越小。這樣,攻擊者便可使用 HTTP 壓縮做為預測,用於指示攻擊者透過反映的參數值提供給應用程式的猜測是否正確。如果猜測的字元符合機密資訊中對應的字元,則壓縮的回應大小較小。攻擊者可能使用此程序,透過分析每個要求的壓縮比率,逐字元地取得完整機密資訊。
即使應用程式已設定為經由安全通道提供內容,攻擊者也可能使用此技術,從 HTTP 回應中擷取機密資訊。
若要評估應用程式是否容易受到 BREACH 攻擊,請先檢閱應用程式是否已配置為啟用 HTTP 壓縮。如果是,則針對包含要保護之機密資訊的每個回應,評估其中是否包含使用者輸入。
報告此問題是因為 Django 應用程式已配置為使用 CSRF 權杖和 GZip 壓縮:
MIDDLEWARE = (
...
'django.middleware.csrf.CsrfViewMiddleware',
'django.middleware.gzip.GZipMiddleware',
...
)
References
[1] BREACH Advisory
[2] Mitre CVE-2013-3587
[3] The gzip Home Page
[4] Django Foundation GZip middleware
[5] Standards Mapping - Common Weakness Enumeration CWE ID 310
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000197, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[7] Standards Mapping - FIPS200 CM, SC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.1, Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.4, Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective C.4.1 - Web Software Communications
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.structural.python.privacy_violation_breach