
A penetration test run with OWASP ZAP found a number of path traversal "vulnerabilities", but either the report isn't telling me the whole story or they look completely safe to me. For example:

URL: http://[xxxx]/News/GetContactsList/2

Parameter: Id

Attack: 2

The "2" is the id of the entity being requested, which our system needs. The same thing is obviously used in many places, but this is the only time ZAP complains. It found a few instances, usually by replacing 2 with another integer, or by passing a perfectly valid string in another parameter, "PressContacts".

In MVC these are bound to integers and lists of integers, which as far as I know are sanitized.

How can I find out exactly what the problem is, or tell ZAP that it's barking up the wrong tree? We have different MVC actions responding to GET and POST, and the report isn't clear which one it hit.

Apologies in advance if I'm missing something really obvious. This is my first time using ZAP, so maybe I've completely misunderstood something.


1 Answer


This is actually a very common form of attack and ZAP is right. The integer ID in the URL is easy to change and easy to guess because it is most likely a sequential auto-generated number.

Let's say user A has permission to access the id range of 1 to 100 and user B has access to the id range of 1 to 500. User A can log in and simply change the id from 100 to 300 and gain access to a record that he/she was not supposed to see.

The solution is to use a unique identifier that is NOT sequential and is NOT easy to guess. The most common approach is using a GUID instead of the id in the URL.

answered 2016-11-30T16:22:13.247
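A worked illustration of the answer's scenario, added here and not taken from the question or the answer: the integer-keyed action as the question describes it, beside a version that takes a GUID route key as the answer recommends and additionally checks that the record belongs to the calling user (that ownership check goes beyond the answer). The `ContactList` type, the `IQueryable` data source and the `NewsController` action names are assumptions.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Added example, not code from the question or answer. Assumes an ASP.NET MVC 5
// controller and a hypothetical data source of ContactList records with an owner.
public class ContactList
{
    public int Id { get; set; }                          // sequential database key, internal only
    public Guid PublicId { get; set; } = Guid.NewGuid(); // non-guessable key exposed in URLs
    public string OwnerUserName { get; set; }
}

[Authorize]
public class NewsController : Controller
{
    private readonly IQueryable<ContactList> _lists; // hypothetical repository

    public NewsController(IQueryable<ContactList> lists) { _lists = lists; }

    // BEFORE: the pattern ZAP flags. The id binds cleanly as an int, so no injection
    // is possible, but any authenticated user can walk /News/GetContactsList/1, /2, /3 ...
    // and read records that belong to someone else (the answer's user A / user B case).
    [HttpGet]
    public ActionResult GetContactsList(int id)
    {
        var list = _lists.FirstOrDefault(l => l.Id == id);
        return list == null ? (ActionResult)HttpNotFound() : View(list);
    }

    // AFTER: the route takes the GUID (as the answer recommends), so ids cannot be
    // enumerated, and the query also requires the record to be owned by the caller,
    // so even a leaked GUID does not grant access to another user's record.
    [HttpGet]
    public ActionResult GetContactsListSecure(Guid id)
    {
        var list = _lists.FirstOrDefault(l => l.PublicId == id
                                           && l.OwnerUserName == User.Identity.Name);
        // 404 for both "missing" and "not yours": the response does not reveal
        // whether a GUID exists.
        return list == null ? (ActionResult)HttpNotFound() : View(list);
    }
}
```

Re-running the ZAP scan against the GUID-keyed route, with the ownership filter in place, is the practical way to confirm that substituting another value no longer returns a different user's record.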