Netsparker reports a "Cross-site Referrer Leakage via Referrer Policy" error

Time: 2019-09-18 10:23:53

Tags: http security http-referer crlf-vulnerability

I developed a project and published it at https://www.sekerleasing.com.tr! Netsparker is a program that checks for security vulnerabilities. One of the leaks it reports is "Cross-site Referrer Leakage via Referrer Policy".

The result has the classification codes

OWASP 2013A6 OWASP 2017A6 CWE200 OWASPPCC9

How do I eliminate the leak?

I checked all links (hrefs, srcs) and the code.

I found some links that redirect to http sites. The SekerLeasing site uses the https protocol.

I put the code below in the project's web.config file.

```xml
<httpProtocol>
  <customHeaders>
    <clear />
    <remove name="X-AspNetMvc-Version" />
    <remove name="X-Powered-By" />

    <!-- SECURITY HEADERS - https://securityheaders.io/? -->
    <!-- Protects against Clickjacking attacks. ref.: http://stackoverflow.com/a/22105445/1233379 -->
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <!-- HSTS: forces browsers to use HTTPS for this host. ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet -->
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
    <!-- Protects against XSS injections. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
    <add name="X-XSS-Protection" value="1; mode=block" />
    <!-- Protects against MIME-type confusion attack. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
    <add name="X-Content-Type-Options" value="nosniff" />
    <!-- CSP modern XSS directive-based defence, used since 2014. ref.: http://content-security-policy.com/ -->
    <!-- <add name="Content-Security-Policy" value="default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" /> -->
    <add name="Content-Security-Policy" value="default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';" />

    <!-- Prevents leaking referrer data over insecure connections. ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
    <add name="Referrer-Policy" value="strict-origin" />

  </customHeaders>
</httpProtocol>
```

The message includes the request and response information:

```
8.1. https://www.sekerleasing.com.tr/ Confirmed
https://www.sekerleasing.com.tr/
HttpHeaderRefererPolicy
strict-origin
Request
GET / HTTP/1.1
Host: www.sekerleasing.com.tr
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
X-Scanner: Netsparker
Response
…
; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin
Content-Type: text/html; charset=utf-8
Content-Length: 106474
Date: Thu, 05 Sep 2019 08:37:03 GMT
Cache-Control: private
```
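
As an added example (not part of the question and not Netsparker's own check), the following Python models what a browser puts in the Referer header for each Referrer-Policy value, following the W3C Referrer Policy algorithm. The source and destination URLs, including the third-party host, are constructed; it shows why `strict-origin` still sends the site's origin to cross-site HTTPS destinations, while `same-origin` or `no-referrer` send nothing cross-site.

```python
from urllib.parse import urlsplit

# Model of the W3C Referrer Policy algorithm (added example, not scanner code).

def origin(url):
    """Scheme + host (+ non-default port), with userinfo dropped."""
    p = urlsplit(url)
    host = p.hostname if p.port is None else f"{p.hostname}:{p.port}"
    return f"{p.scheme.lower()}://{host}"

def strip_for_referrer(url):
    """Full referrer: userinfo and fragment removed, path and query kept."""
    p = urlsplit(url)
    host = p.hostname if p.port is None else f"{p.hostname}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}" + (f"?{p.query}" if p.query else "")

def referrer_sent(policy, source, dest):
    """Referer value a browser sends navigating from source to dest, or None."""
    same_origin = origin(source) == origin(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    full, orig = strip_for_referrer(source), origin(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return orig
    if policy == "strict-origin":
        return None if downgrade else orig
    if policy == "origin-when-cross-origin":
        return full if same_origin else orig
    if policy in ("strict-origin-when-cross-origin", ""):  # "" = browser default
        return full if same_origin else (None if downgrade else orig)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy value {policy!r}")

# Constructed sample navigation: site page -> unrelated HTTPS third party.
SITE_PAGE = "https://www.sekerleasing.com.tr/page?id=1"
THIRD_PARTY = "https://third-party.example/"  # constructed, not a real destination

def leaks_cross_site(policy):
    """True if the policy sends any referrer data to a cross-site HTTPS destination."""
    return referrer_sent(policy, SITE_PAGE, THIRD_PARTY) is not None

if __name__ == "__main__":
    for pol in ("strict-origin", "same-origin", "no-referrer", "no-referrer-when-downgrade"):
        print(f"{pol:28} -> {referrer_sent(pol, SITE_PAGE, THIRD_PARTY)!r}")
```

Only `same-origin` and `no-referrer` send nothing cross-site; `strict-origin` (as configured above) still discloses the origin, which is what a cross-site referrer leakage check reports.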

0 answers:

No answers