OWASP Top 10 Security Risks | Overview

OWASP Top 10 Overview

What is OWASP?

OWASP is a non-profit organization dedicated to web application security education.

OWASP's learning materials are available on its website. Its tools are useful for improving the security of web applications. These include documentation, tools, videos, and forums.

The OWASP Top 10 is a list that highlights the most serious security concerns for web applications today. OWASP recommends that every company incorporate this report into its processes to reduce security risk. Below is the list of security risks included in the OWASP Top 10 2017 report.

SQL Injection

SQL injection occurs when an attacker sends invalid data to a web application in order to disrupt the program running inside the application.

Example of SQL injection:

An attacker can enter an SQL query into an input form that expects a plain username. If the input form is not protected, the input is executed as an SQL query. This is known as SQL injection.

To protect web applications from code injection, make sure your developers apply input validation to data submitted by users. Validation here means rejecting invalid input. The database administrator can also set controls that limit the amount of information that could be disclosed in an injection attack.

To prevent SQL injection, OWASP recommends keeping data separate from commands and queries. The preferred option is to use a safe API that avoids the use of the interpreter entirely, or to move to Object Relational Mapping tools (ORMs).

Broken Authentication

Authentication vulnerabilities can allow an attacker to take over user accounts and compromise the system through an administrator account. A cybercriminal can use a script to try thousands of password combinations against the system to find one that works. Once the cybercriminal is logged in, they can impersonate the user, which gives them access to confidential information.

Broken authentication vulnerabilities exist in web applications that allow automated logins. A popular fix for authentication vulnerabilities is multi-factor authentication. A login rate limit can also be built into the web application to block brute force attacks.
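An added example (not from the original page) of the login rate limit described above, in Python: after a fixed number of failed attempts within a time window the account is locked and the password is not even checked, so a password-guessing script stops getting any signal. The user store, the limits and the injectable clock are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5       # failed attempts tolerated per account within the window
WINDOW_SECONDS = 300   # how long a burst of failures keeps the account locked

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, password hash). Sample data only.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}

class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so the window can be tested
        self.failures = {}      # username -> timestamps of recent failures

    def _recent_failures(self, username):
        cutoff = self.clock() - WINDOW_SECONDS
        recent = [t for t in self.failures.get(username, []) if t > cutoff]
        self.failures[username] = recent
        return recent

    def login(self, username, password):
        # Rate limit first: a locked account is not checked at all, so a script
        # cycling through passwords learns nothing after MAX_FAILURES tries.
        if len(self._recent_failures(username)) >= MAX_FAILURES:
            return "locked"
        record = USERS.get(username)
        # Hash against a dummy record for unknown users so that response time
        # does not reveal which usernames exist.
        salt, stored = record if record else (_SALT, bytes(32))
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok and record:
            self.failures.pop(username, None)
            return "ok"
        self.failures.setdefault(username, []).append(self.clock())
        return "denied"
```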

Sensitive Data Exposure

If web applications do not protect sensitive data, attackers can access it and use it for their own gain. A man-in-the-middle attack is a popular way of stealing sensitive information. The risk of exposure is small if all sensitive data is encrypted. Web developers should make sure that no sensitive data is exposed in the browser or stored unnecessarily.

XML External Entities (XXE)

A cybercriminal may be able to upload, or include, malicious XML content, commands, or code inside an XML document. This allows them to view files on the application server's file system. Once they have that access, they can interact with the server to carry out server-side request forgery (SSRF) attacks.

XML external entity attacks can be prevented by having web applications accept less complex data types such as JSON. Disabling XML external entity processing also reduces the chances of an XXE attack.

Broken Access Control

Access control is the system mechanism that keeps unauthorized users away from sensitive information. If the access control system is broken, attackers can bypass authentication. This gives them access to sensitive information as if they were authorized. Access control can be secured by issuing authorization tokens at user login. For every request the user makes while authorized, the user's authorization token is verified, confirming that the user is authorized to make that request.
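An added Python example (not the page's own code) of the token scheme just described: a token is issued at login, and on every request it is verified before the requested action is checked against what the token's role allows. The server key, the claims format and the role-to-action policy are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder secret; a real deployment keeps this out of source.
SERVER_KEY = b"constructed-example-key"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text.encode())

def issue_token(username, role):
    # Issued once at login: the claims plus an HMAC over them.
    payload = json.dumps({"user": username, "role": role}, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token):
    # Returns the claims if the signature checks out, otherwise None.
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)

# Constructed policy: which roles may perform which actions.
PERMISSIONS = {"read_report": {"user", "admin"}, "delete_user": {"admin"}}

def handle_request(token, action):
    # Runs on every request: authenticate the token, then authorise the action.
    claims = verify_token(token)
    if claims is None:
        return 401  # token missing, malformed or tampered with
    if claims.get("role") not in PERMISSIONS.get(action, set()):
        return 403  # authenticated, but not allowed to perform this action
    return 200
```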

Security Misconfiguration

Security misconfiguration is a common problem that cybersecurity professionals observe in web applications. It results from misconfigured HTTP headers, broken access controls, and error pages that reveal information about the web application. You can fix security misconfiguration by removing unused features. You should also patch or upgrade your software packages.

Cross-Site Scripting (XSS)

An XSS vulnerability occurs when an attacker manipulates the DOM API of a trusted website to run malicious code in a user's browser. The malicious code usually runs when the user clicks a link that appears to come from the trusted website. If a website is not protected against XSS, it can be compromised. The malicious code that runs gives the attacker access to the users' login sessions, credit card details, and other sensitive data.

To prevent Cross-Site Scripting (XSS), make sure your HTML is properly sanitized. This can be achieved by choosing trusted frameworks for your chosen language. You can use languages and frameworks such as .Net, Ruby on Rails, and React JS, as they help with parsing and cleaning your HTML. Treating all data from users, whether authorized or not, as untrusted can reduce the risk of XSS attacks.
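An added Python example (not from the original page) of the "treat all user data as untrusted" rule: the same user-supplied value rendered unescaped and then escaped, plus a link where the URL context needs a check that escaping alone does not provide. The page fragments and inputs are constructed for this example.

```python
import html

def render_greeting_unsafe(display_name):
    # User input concatenated straight into HTML: the browser will execute any
    # script element the value contains.
    return "<p>Welcome, " + display_name + "</p>"

def render_greeting_safe(display_name):
    # html.escape turns <, >, &, and quotes into entities, so the browser shows
    # the value as text instead of parsing it as markup.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"

def render_profile_link(display_name, url):
    # Attribute context: escape both values, and additionally allow only
    # http(s) URLs, because a javascript: URL would still run when clicked
    # even though every character in it has been escaped.
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(display_name, quote=True))
```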

Insecure Deserialization

Deserialization is the conversion of serialized data received from a server into an object. Deserializing data is a common operation in software development. It is unsafe when the data being deserialized comes from an untrusted source. This can expose your application to attacks. Insecure deserialization occurs when data deserialized from an untrusted source leads to a DDoS attack, a remote code execution attack, or an authentication bypass.

To avoid insecure deserialization, the rule of thumb is never to trust user data. All user input should be treated as potentially malicious. Avoid deserializing data from untrusted sources. Make sure that the deserialization function used in your web application is secure.
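An added Python example (not code from the original page) of what a "secure deserialization function" can look like in practice: a JSON loader that checks the record's shape and types, and, for cases where the pickle format cannot be avoided, an unpickler that refuses to resolve any class or function reference. The session record layout and the sample streams are constructed for this example.

```python
import collections
import io
import json
import pickle

# Constructed shape of a session record: field name -> required type.
ALLOWED_FIELDS = {"user_id": int, "theme": str}

def load_session_json(raw):
    # JSON can only yield plain values, never objects with code attached, but
    # the shape is still checked: unknown keys or wrong types are rejected.
    data = json.loads(raw)
    if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected session structure")
    for key, typ in ALLOWED_FIELDS.items():
        if not isinstance(data[key], typ) or isinstance(data[key], bool):
            raise ValueError("bad type for field %s" % key)
    return data

class RestrictedUnpickler(pickle.Unpickler):
    # If pickle cannot be avoided, refuse to resolve any class or function, so
    # the stream can only rebuild built-in scalars and containers.
    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing to load %s.%s" % (module, name))

def load_session_pickle(raw):
    return RestrictedUnpickler(io.BytesIO(raw)).load()

# Constructed sample streams: a plain dict, and an object whose stream needs
# a class lookup to rebuild (the kind of thing the restricted loader refuses).
PLAIN_STREAM = pickle.dumps({"user_id": 7, "theme": "dark"})
OBJECT_STREAM = pickle.dumps(collections.OrderedDict(user_id=7))

def rejects(raw):
    # True if the restricted loader refused the stream.
    try:
        load_session_pickle(raw)
    except pickle.UnpicklingError:
        return True
    return False
```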

Using Components with Known Vulnerabilities

Libraries and frameworks have made it much faster to develop web applications without reinventing the wheel. This reduces redundant effort in code review. They free developers to focus on the most important parts of their applications. But if attackers find an exploit in one of these frameworks, every codebase that uses the framework can be compromised.

Component developers usually provide security patches and updates for their libraries. To avoid component vulnerabilities, you should keep your applications current with the latest security patches and upgrades. Unused components should be removed from the application to cut down the attack vectors.

Insufficient Logging and Monitoring

Logging and monitoring are essential for seeing what is happening in your web application. Logging makes it easy to track errors and to monitor user logins and activity.

Insufficient logging and monitoring occurs when security-critical events are not logged properly. Attackers take advantage of this to attack your application before there is any visible response.

Logging can save your company money and time because your developers can find bugs easily. This lets them focus on fixing bugs rather than hunting for them. In effect, logging can help keep your sites and servers running continuously without any downtime.
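An added Python example (not from the original page) of logging security-critical events and monitoring them: a dedicated logger writes one structured record per event, and a monitor counts failed logins per source so repeated failures surface instead of going unnoticed. The event format, the threshold and the sample events are constructed for this example.

```python
import io
import json
import logging
from collections import Counter

def make_security_logger(stream):
    # A dedicated logger writing one JSON record per line, so security events
    # can be searched and alerted on instead of being buried in app chatter.
    logger = logging.getLogger("security")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    return logger

def log_event(logger, event, **fields):
    logger.info(json.dumps({"event": event, **fields}, sort_keys=True))

def failed_logins_by_source(log_text, threshold):
    # Monitoring side: count login_failed events per source address and report
    # the sources at or above the threshold (the ones worth an alert).
    counts = Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not one of our records; skip rather than stop monitoring
        if isinstance(rec, dict) and rec.get("event") == "login_failed":
            counts[rec.get("src", "unknown")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def sample_alert(threshold=3):
    # Constructed sample: one source fails repeatedly, another only once.
    buf = io.StringIO()
    log = make_security_logger(buf)
    for _ in range(4):
        log_event(log, "login_failed", user="alice", src="203.0.113.5")
    log_event(log, "login_failed", user="bob", src="198.51.100.9")
    log_event(log, "login_ok", user="alice", src="203.0.113.5")
    return failed_logins_by_source(buf.getvalue(), threshold)

if __name__ == "__main__":
    print(sample_alert())  # {'203.0.113.5': 4}
```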

Conclusion

Good code is not just about functionality; it is about keeping your users and your application safe. The OWASP Top 10, as the list of the most critical security risks to applications, is a great free resource for developers who want to write secure web and mobile applications. Training the developers on your team to test for and log vulnerabilities can save your team time and money in the long run.