修正 ASP.NET MVC 常見 Checkmarx 原碼檢測漏洞 (Fix ASP.NET MVC Common Vulnerability Scan By Checkmarx)


  1. 高風險項目 | Critical Risk
    1. 🔴 Reflected_XSS_All_Clients
    2. 🔴 Stored_XSS
  2. 中風險項目 | Medium Risk
    1. 🟡 HttpOnlyCookies_In_Config
    2. 🟡 Parameter_Tampering
    3. 🟡 Missing_HSTS_Header
    4. 🟡 Unsafe_Object_Binding
  3. 參考資料
  4. 相關連結
  5. 尚未處理過的風險項目
    1. 高風險項目 | Critical Risk
      1. 🔴 Code_Injection
      2. 🔴 Command_Injection
      3. 🔴 Connection_String_Injection
      4. 🔴 Deserialization_of_Untrusted_Data
      5. 🔴 Deserialization_of_Untrusted_Data_MSMQ
      6. 🔴 LDAP_Injection
      7. 🔴 Resource_Injection
      8. 🔴 Second_Order_SQL_Injection
      9. 🔴 SQL_Injection
      10. 🔴 UTF7_XSS
      11. 🔴 XPath_Injection
    2. 中風險項目 | Medium Risk
      1. 🟡Buffer_Overflow
      2. 🟡CGI_XSS
      3. 🟡Cookie_Injection
      4. 🟡Cross_Site_History_Manipulation
      5. 🟡Data_Filter_Injection
      6. 🟡DB_Parameter_Tampering
      7. 🟡DoS_by_Sleep
      8. 🟡Hardcoded_password_in_Connection_String
      9. 🟡Heap_Inspection
      10. 🟡HTTP_Response_Splitting
      11. 🟡Improper_Locking
      12. 🟡Improper_Restriction_of_XXE_Ref
      13. 🟡Insecure_Cookie
      14. 🟡Insufficient_Connection_String_Encryption
      15. 🟡Integer_Overflow
      16. 🟡Missing_Column_Encryption
      17. 🟡MVC_View_Injection
      18. 🟡No_Request_Validation
      19. 🟡Path_Traversal
      20. 🟡Persistent_Connection_String
      21. 🟡Privacy_Violation
      22. 🟡Race_Condition_within_a_Thread
      23. 🟡ReDoS_By_Regex_Injection
      24. 🟡ReDoS_In_Code
      25. 🟡ReDoS_In_Validation
      26. 🟡Reflected_XSS_Specific_Clients
      27. 🟡Session_Fixation
      28. 🟡SQL_Injection_Evasion_Attack
      29. 🟡Stored_Command_Injection
      30. 🟡Stored_LDAP_Injection
      31. 🟡Stored_XPath_Injection
      32. 🟡Trust_Boundary_Violation
      33. 🟡Unclosed_Connection
      34. 🟡Use_of_Cryptographically_Weak_PRNG
      35. 🟡Use_of_Hard_coded_Cryptographic_Key
      36. 🟡Value_Shadowing
      37. 🟡XSRF

本篇實驗用最基本的 ASP.NET MVC 專案進行 Checkmarx OWASP:2017 原碼檢測,並驗證如何修正檢驗出的漏洞,並將整個過程加以筆記。

logo

高風險項目 | Critical Risk

🔴 Reflected_XSS_All_Clients

說明

CWE Definition

惡意內容 (Html Tags 或者 JS Scripts) 被加入到 URL 或者 Html Form 之中,URL 或者注入惡意內容的結果被瀏覽,導致使用者受害。

Example

Code Before:

public ActionResult Action(string str)
{
    return Content($"<h1>{str}</h1>");
}

Code After:

public ActionResult Action(string str)
{
    var encodeStr = HttpUtility.UrlEncode(str);
    return Content($"<h1>{encodeStr}</h1>");
}

Example 2

Code Before:

public ActionResult Action(string Id)
{
    ViewBag.Id = Id;
    return View();
}

Code After:

public ActionResult Action(string Id)
{
    var encodeId = HttpUtility.UrlEncode(Id);
    ViewBag.Id = encodeId;
    return View();
}

Example 3

使用 Html.Raw 會被判定問題,只得另尋它法改寫渲染方式。

<p>
  @Html.Raw(Model.UserInput)
</p>

🔴 Stored_XSS

說明

CWE Definition

資料庫被寫入惡意的 Html Tags 或者 JS Scripts,被應用程式直接渲染呈現給 Client 端,Client 端直接將內容呈現導致使用者受害。

Example

Code Before:

public ActionResult Action(int? Id)
{
    ViewBag.SelectList = new SelectList(db.Table, "Col1", "Col2");
    return View();
}

Code After:

public ActionResult Action(int? Id)
{
    List<SelectListItem> tableEncode = db.Table
        .Where(condition)
        .AsEnumerable()
        .Select(i => new SelectListItem { Text = HttpUtility.HtmlEncode(i.Col1), Value = HttpUtility.HtmlEncode(i.Col2)})
        .ToList();    
    
    ViewBag.SelectList = TableEncode;
    return View();
}

中風險項目 | Medium Risk

🟡 HttpOnlyCookies_In_Config

CWE Definition

說明

Cookies 可能會被藉由 XSS 操作並竊取使用者 Cookies 中隱私的資料傳送到特定 URL,藉由 HttpOnly 能夠降低 XSS 的傷害。僅允許 HttpHeader中傳遞 Cookies,避免讓 Client 端的 JS 直接操作 Cookies,web.config 加入下列內容即可:

web.config

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true"/>
  </system.web>
</configuration>  

🟡 Parameter_Tampering

CWE Definition

說明

惡意使用者可以藉由操作 URL, Html From, Html Input Field 的值,來達到異常權限的存取、編輯與刪除資料等行為。強化對於傳入參數的檢查,能夠有效避免。

Code Before:

public JsonResult GetInfo(int? Id)
{
    return Json(new SelectList(db.Table.Where(i => i.Object.Id == Id), "Column1", "Column2"));
}

Code After:

這個處理方式需要再檢討,ASP.NET MVC 本身已經針對傳入的資料型別與內容做檢查,是否仍需要重工的轉型為字串、編碼後再轉型 😑

public JsonResult GetInfo(int? Id)
{
  var filterId = int.Parse(HttpUtility.UrlEncode(Id.ToString()));
    return Json(new SelectList(db.Table.Where(i => i.Object.Id == Id), "Column1", "Column2"));
}

🟡 Missing_HSTS_Header

CWE Definition

HSTS Header 負責將 http 強制轉為 https,如果已經實作 https 機制,則將 web.config 加入下列內容即可。

<system.webServer>
   <httpProtocol>
     <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
     </customHeaders>
   </httpProtocol>
</system.webServer>

🟡 Unsafe_Object_Binding

說明

CWE Definition

問題分為兩類:

(一)方法中的物件沒有限定允許的屬性範圍,可能造成屬性被惡意修改,造成惡意的結果。

例如:

[HttpPost]
public ActionResult Index(LoginUser user)
{
    ...
}

藉由 Bind Include 來限定可傳入物件的參數,藉此避免使用者惡意修改物件屬性的問題。

[HttpPost]
public ActionResult Index([Bind(Include = "UserName, UserPassword")] LoginUser user)
{
    ...
}

6 Ways To Avoid Mass Assignment in ASP.NET MVC

(二)參數為可以迭代猜測的 Interger、Guid 或者是 String。

尋找處理的辦法中 🤔

參考資料

CxIAST Documentation

可以從列表中找到 CWE Link,獲得更多的弱點相關資訊以及可能的處理方式。

相關連結


尚未處理過的風險項目

高風險項目 | Critical Risk

🔴 Code_Injection

CWE Definition

🔴 Command_Injection

CWE Definition

🔴 Connection_String_Injection

CWE Definition

🔴 Deserialization_of_Untrusted_Data

CWE Definition

🔴 Deserialization_of_Untrusted_Data_MSMQ

CWE Definition

🔴 LDAP_Injection

CWE Definition

🔴 Resource_Injection

CWE Definition

🔴 Second_Order_SQL_Injection

CWE Definition

🔴 SQL_Injection

CWE Definition

🔴 UTF7_XSS

CWE Definition

🔴 XPath_Injection

CWE Definition

中風險項目 | Medium Risk

🟡Buffer_Overflow

CWE Definition

🟡CGI_XSS

CWE Definition

🟡Cookie_Injection

CWE Definition

🟡Cross_Site_History_Manipulation

CWE Definition

🟡Data_Filter_Injection

CWE Definition

🟡DB_Parameter_Tampering

CWE Definition

🟡DoS_by_Sleep

CWE Definition

🟡Hardcoded_password_in_Connection_String

CWE Definition

🟡Heap_Inspection

CWE Definition

🟡HTTP_Response_Splitting

CWE Definition

🟡Improper_Locking

CWE Definition

🟡Improper_Restriction_of_XXE_Ref

CWE Definition

CWE Definition

🟡Insufficient_Connection_String_Encryption

CWE Definition

🟡Integer_Overflow

CWE Definition

🟡Missing_Column_Encryption

CWE Definition

🟡MVC_View_Injection

CWE Definition

🟡No_Request_Validation

CWE Definition

🟡Path_Traversal

CWE Definition

🟡Persistent_Connection_String

CWE Definition

🟡Privacy_Violation

CWE Definition

🟡Race_Condition_within_a_Thread

CWE Definition

🟡ReDoS_By_Regex_Injection

CWE Definition

🟡ReDoS_In_Code

CWE Definition

🟡ReDoS_In_Validation

CWE Definition

🟡Reflected_XSS_Specific_Clients

CWE Definition

🟡Session_Fixation

CWE Definition

🟡SQL_Injection_Evasion_Attack

CWE Definition

🟡Stored_Command_Injection

CWE Definition

🟡Stored_LDAP_Injection

CWE Definition

🟡Stored_XPath_Injection

CWE Definition

🟡Trust_Boundary_Violation

CWE Definition

🟡Unclosed_Connection

CWE Definition

🟡Use_of_Cryptographically_Weak_PRNG

CWE Definition

🟡Use_of_Hard_coded_Cryptographic_Key

CWE Definition

🟡Value_Shadowing

CWE Definition

🟡XSRF

CWE Definition