I use the CheckMarx platform to test the security of my website (to test the contact form), but unfortunately it reports a header injection risk. I have already done some checks against this, but it still reports the risk.
What exactly is it detecting? I hope the question is clear, many thanks for your advice!
Here is my PHP code:
<?php
/* Preventing header injection */
function cleaninjections($test) {
    // Remove injected headers. Note: this only deletes the listed header
    // names; CR/LF characters in the value are left untouched.
    $find = array("/bcc\:/i",
        "/Content\-Type\:/i",
        "/Mime\-Version\:/i",
        "/cc\:/i",
        "/from\:/i",
        "/to\:/i",
        "/Content\-Transfer\-Encoding\:/i");
    $ret = preg_replace($find, "", $test);
    return $ret;
}
// Specify which fields to require from form
$required_fields = array('name','email','phone', 'additional_info', 'company_type');
$errors = array();
$message = "";
foreach($_POST as $key => $value){
    // Trim first, then strip header names (the original assigned trim()
    // and then overwrote it with the untrimmed $value).
    $_POST[$key] = cleaninjections(trim($value));
}
// Check required fields and return error if blank
foreach($required_fields as $value){
    if(!isset($_POST[$value]) || empty($_POST[$value])){
        $errors[] = "אנא מלא את כל השדות"; // "Please fill in all fields"
    }
}
// Validate name field. Accepts a-z, space, period for Dr., and ' for O'Malley
if(isset($_POST['name']) && !empty($_POST['name'])){
    if(!preg_match("/^[a-z '.]+$/i",stripslashes($_POST['name']))){
        $errors[] = "שם לא חוקי"; // "Invalid name"
    }
}
// Validate email field (the dot before the TLD must be escaped, otherwise
// "." matches any character)
if(isset($_POST['email']) && !empty($_POST['email'])){
    if(!preg_match("/^[a-z0-9_.-]+@[a-z0-9.-]+\.[a-z]{2,6}$/i",stripslashes($_POST['email']))){
        $errors[] = "כתובת דואר אלקטרוני אינה תקינה"; // "E-mail address is not valid"
    }
}
// Display any errors and exit if errors exist.
if (count($errors)) {
    $errors = array_unique($errors);
    foreach ($errors as $value) {
        print "<li> $value</li>";
    }
    exit;
}
Another example of the error message as Checkmarx displays it (one of them):
You can also check the whole PHP code:
<?php
/* Preventing header injection */
function cleaninjections($test) {
    // Remove injected headers. Note: this only deletes the listed header
    // names; CR/LF characters in the value are left untouched.
    $find = array("/bcc\:/i",
        "/Content\-Type\:/i",
        "/Mime\-Version\:/i",
        "/cc\:/i",
        "/from\:/i",
        "/to\:/i",
        "/Content\-Transfer\-Encoding\:/i");
    $ret = preg_replace($find, "", $test);
    return $ret;
}
// Specify which fields to require from form
$required_fields = array('name','email','phone', 'additional_info', 'company_type');
$errors = array();
$message = "";
foreach($_POST as $key => $value){
    // Trim first, then strip header names (the original assigned trim()
    // and then overwrote it with the untrimmed $value).
    $_POST[$key] = cleaninjections(trim($value));
}
// Check required fields and return error if blank
foreach($required_fields as $value){
    if(!isset($_POST[$value]) || empty($_POST[$value])){
        $errors[] = "אנא מלא את כל השדות"; // "Please fill in all fields"
    }
}
// Validate name field. Accepts a-z, space, period for Dr., and ' for O'Malley
if(isset($_POST['name']) && !empty($_POST['name'])){
    if(!preg_match("/^[a-z '.]+$/i",stripslashes($_POST['name']))){
        $errors[] = "שם לא חוקי"; // "Invalid name"
    }
}
// Validate email field (the dot before the TLD must be escaped, otherwise
// "." matches any character)
if(isset($_POST['email']) && !empty($_POST['email'])){
    if(!preg_match("/^[a-z0-9_.-]+@[a-z0-9.-]+\.[a-z]{2,6}$/i",stripslashes($_POST['email']))){
        $errors[] = "כתובת דואר אלקטרוני אינה תקינה"; // "E-mail address is not valid"
    }
}
// Display any errors and exit if errors exist.
if (count($errors)) {
    $errors = array_unique($errors);
    foreach ($errors as $value) {
        print "<li> $value</li>";
    }
    exit;
}
// MailChimp API credentials (redacted in the question)
$apiKey = '17837943924******dbccb48e99-us18';
$listID = 'c0*****c9fa';
// MailChimp API URL. The subscriber hash is the MD5 of the lowercased
// address (the question used sha256, which the v3 API does not accept).
$memberID = md5(strtolower($_POST['email']));
$dataCenter = substr($apiKey,strpos($apiKey,'-')+1);
$url = 'https://' . $dataCenter . '.api.mailchimp.com/3.0/lists/' . $listID . '/members/' . $memberID;
// member information
$json = json_encode([
    'email_address' => $_POST['email'],
    'status' => 'subscribed',
    'merge_fields' => [
        'FNAME' => $_POST['name'],
        'PHONE_NUMB'=> $_POST['phone'],
        'ADD_INFO' => $_POST['additional_info'],
        'C_TYPE' => $_POST['company_type'],
    ]
]);
// send a HTTP POST request with curl
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_USERPWD, 'user:' . $apiKey);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
// Disables TLS certificate verification: the API key is then sent to
// whoever answers for the Mailchimp hostname.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, $json);
$result = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch); ?>
Answer 0 (score: 1)
The problem is that your function cleaninjections only strips some headers. So for Checkmarx, since there are many headers, it regards this as a possible HTTP header injection.
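To make the point concrete, here is an added example (not the question's code or either answer's): instead of blacklisting header names, it rejects any field containing the line break that an injected header needs. Field names follow the question's $required_fields; the sample input is constructed.

```php
<?php
// Added example, not from the question. An injected mail header must
// begin on a new line, so a value with no CR or LF cannot add one.
function containsHeaderBreak(string $value): bool
{
    // CR, LF or NUL anywhere in the value
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns a list of error strings; empty means the input is acceptable.
function validateContactFields(array $post, array $required): array
{
    $errors = [];
    foreach ($required as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') {
            $errors[] = "$field: required";
        } elseif (containsHeaderBreak($value)) {
            $errors[] = "$field: line breaks are not allowed";
        }
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF and avoids the unescaped-dot
    // mistake of the hand-written regex.
    if (isset($post['email'])
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    return $errors;
}

// Constructed input: a name followed by a line break and a header name.
$input = [
    'name'            => "Alice\r\nbcc: other@example.org",
    'email'           => 'alice@example.org',
    'phone'           => '123',
    'additional_info' => 'hello',
    'company_type'    => 'ltd',
];
$required = ['name', 'email', 'phone', 'additional_info', 'company_type'];

// The question's blacklist deletes "bcc:" but leaves the CRLF in place,
// which is what a scanner still sees as an injection path.
$stripped = preg_replace('/bcc\:/i', '', $input['name']);
var_dump(containsHeaderBreak($stripped));

// The line-break check rejects the field outright.
print_r(validateContactFields($input, $required));
```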
Answer 1 (score: 0)
Well, you are using user data as a parameter to curl; even though you validate the input to some extent and put it into JSON, there will still be some kind of "bypass". I don't have enough time to think of a possible way to exploit this, but passing user data to things like curl is not good practice.
Having said that, you are probably safe: unless a potential attacker somehow manages to see this source, it would be hard to exploit this through a black-box penetration test. Unfortunately I'm not much of an expert in curl development, but anyway, as I said, this article might help, especially since you are using json encoding, which can sanitize the data you give it.
TL;DR: you don't have to worry too much because you are using json_encode
https://statuscode.ch/2016/01/subtle-vulnerabilties-with-php-and-curl/