Kingdom: Security Features

Software security is not security software. Here we are concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Spring Security Misconfiguration: Overly Permissive Firewall Policy

Abstract
The Spring Security HTTP firewall is configured with a lax policy.
Explanation
Spring Security includes an HTTP firewall that helps protect the application by sanitizing requests that contain potentially malicious characters. Spring implements this by including an HttpFirewall in its FilterChainProxy, which processes each request before passing it through the filter chain. Spring Security uses the StrictHttpFirewall implementation by default.


Example 1: The following code relaxes the firewall policy to allow the %2F and ; characters:

<beans:bean id="httpFirewall" class="org.springframework.security.web.firewall.StrictHttpFirewall" p:allowSemicolon="true" p:allowUrlEncodedSlash="true"/>


Allowing these characters can lead to vulnerabilities if potentially malicious characters are handled inconsistently. For example, allowing semicolons enables path parameters (as defined in RFC 2396), which front-end web servers (such as nginx) and application servers (such as Apache Tomcat) do not process consistently. These inconsistencies can be exploited in path traversal attacks or to bypass access control.
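A regression check for this misconfiguration, added here as an example and not part of the original description: it feeds two constructed request URIs through the default StrictHttpFirewall and through the relaxed policy from Example 1 (rewritten in Java), showing that the default rejects both while the relaxed policy lets them reach the filter chain. It assumes Spring Security 6 (jakarta.servlet) and the spring-test module (for MockHttpServletRequest) on the classpath.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class FirewallPolicyCheck {

    // Returns true when the given firewall rejects the request URI.
    static boolean rejects(HttpFirewall firewall, String requestUri) {
        HttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return false;
        } catch (RequestRejectedException ex) {
            return true;
        }
    }

    // Default policy: encoded slashes and semicolons are rejected.
    static HttpFirewall strictPolicy() {
        return new StrictHttpFirewall();
    }

    // The relaxed policy from Example 1, expressed in Java instead of XML.
    static HttpFirewall permissivePolicy() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }

    public static void main(String[] args) {
        // Constructed sample URIs: one with an encoded slash (%2F),
        // one with a path parameter introduced by a semicolon.
        String[] samples = {
            "/app/files/report%2F2024.pdf",
            "/app/admin;jsessionid=abc123"
        };
        for (String uri : samples) {
            System.out.printf("%-32s default: %-8s relaxed: %s%n", uri,
                    rejects(strictPolicy(), uri) ? "rejected" : "allowed",
                    rejects(permissivePolicy(), uri) ? "rejected" : "allowed");
        }
    }
}
```

Wiring the strict instance into the application (for example via a WebSecurityCustomizer calling web.httpFirewall(...)) and keeping a test like this in the build makes any later relaxation of the policy visible at build time.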