Web development security notes:
Key Items (highest security level):
1) WEB.14 - Cookies must not contain sensitive information.
2) WEB.16 - Undisplayed text must not contain privileged or sensitive information.
3) AX.2 - Every single variant, no matter how small the difference, of every single ActiveX control must have a unique UUID.
4) ASVS.V3.2 - Sessions must be invalidated when the user logs out.
5) ASVS.V4.8 - Access controls must fail securely, i.e. the error-handling path must itself be secure.
6) ASVS.V9.3 - All sensitive data must be sent to the server in the HTTP message body or headers (i.e., URL parameters are never used to send sensitive data).
High
1) WEB.12 - Users must be able to safely change their credentials using a secure mechanism.
2) WEB.8 - Access to all resources that should not be directly accessed by users (such as XML configuration files, JSP files, include files, properties files) must be prevented. They should be stored in a protected directory, such as WEB-INF.
3) WEB.10 - Access control decisions must only use trusted data. Do not rely on the HTTP Referer value to validate access to web pages, because this value can easily be spoofed.
4) WEB.11 - When the client IP and the server IP are not expected to be the same, access control decisions must not be made based on the client IP address or DNS name.
5) WEB.14 - It must not be possible for end users to manipulate user and data attributes or policy information used by access controls, unless specifically authorized.
6) WEB.15 - Knowledge of a parameter name must not be used as a security mechanism. (For example, do not leave back doors that allow any action as long as the parameter "XYZ=TRUE" is set.)
7) WEB.21 - Sensitive information must not be cached. Any page, including forms or fields, containing sensitive data must disable caching of that data by implementing the Cache-Control: no-store HTTP response header (preferably in both the request and the response).
8) WEB.24 - All temporary copies of sensitive data sent to the client must be protected from unauthorized access.
9) WEB.26 - The autocomplete attribute must be set to "off" for any form, or field, containing sensitive data.
10) AX.12 - Ensure that ActiveX controls are only marked Safe for Scripting and/or Safe for Initialization where required. A control should only be marked as safe if it is, in fact, safe.
11) ASVS.V3.3 - Sessions must time out after a specified period of inactivity.
12) ASVS.V3.5 - All pages that require authentication must have easy and visible access to logout functionality unless Single Sign On is supported.
13) ASVS.V3.6 - The session id must never be disclosed in URLs, error messages, or logs. The application must not support URL rewriting of session cookies.
14) ASVS.V3.7 - All successful authentication and re-authentication must generate a new session and session id.
15) ASVS.V3.11 - Session ids must be sufficiently long, random and unique across the correct active session base.
16) ASVS.V4.1 - The principle of least privilege must apply at all times. Users must only be able to access functions, data files, URLs, controllers, services, and other resources for which they possess specific authorization. This implies protection against spoofing and elevation of privilege.
17) ASVS.V4.4 - Access to sensitive records must be protected, such that only authorized objects or data is accessible to each user (for example, protect against users tampering with a parameter to see or alter another user's account).
18) ASVS.V9.9 - Data stored in client-side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies, or Flash cookies) must not contain sensitive information or PII.
19) ASVS.V18.2 - Access to administration and management functions within a Web Service Application must be limited to web service administrators.
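The following is an added illustration, not code from the checklist's source, of how the access-control items above (WEB.10, WEB.14, WEB.15, ASVS.V4.1, ASVS.V4.4 and the Key Item ASVS.V4.8) look when enforced server-side. The user table, account records and permission map are constructed sample data; a real application would read them from its own store.

```python
"""Server-side authorization helper (added illustration, not from the checklist).

Only server-held data feeds the decision (WEB.10/WEB.14/WEB.15), the permission
map is an explicit allow-list so anything unlisted is denied (ASVS.V4.1), record
access is tied to ownership (ASVS.V4.4), and any exception in the decision path
denies rather than allows (ASVS.V4.8).
"""

# Constructed sample data: roles live on the server, never in the request.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
ACCOUNTS = {101: {"owner": "alice", "balance": 10}, 102: {"owner": "bob", "balance": 20}}

# Explicit allow-list per role; anything not listed here is denied.
PERMISSIONS = {
    "user": {"account:view_own", "account:edit_own"},
    "admin": {"account:view_own", "account:edit_own", "account:view_any", "admin:panel"},
}


def is_allowed(session, action, account_id=None):
    """Return True only when server-held session state proves authorization.

    Request parameters (role=admin, XYZ=TRUE, ...) and the Referer header are
    never consulted: they are attacker-controlled and not trusted inputs.
    """
    try:
        username = session["user"]          # set by the login code, not by the client
        role = USERS[username]["role"]      # role looked up server-side
        granted = PERMISSIONS.get(role, set())
        if action in ("account:view_own", "account:edit_own"):
            record = ACCOUNTS[account_id]   # unknown id -> KeyError -> denied below
            return action in granted and record["owner"] == username
        if action == "account:view_any":
            return action in granted and account_id in ACCOUNTS
        return action in granted
    except Exception:
        # ASVS.V4.8: a missing key, wrong type or broken lookup must fail closed.
        return False


def view_account(session, account_id, request_params):
    """Handler returning (status, record); client parameters cannot widen access."""
    _ = request_params  # WEB.14/WEB.15: deliberately ignored for the decision
    if is_allowed(session, "account:view_own", account_id) or is_allowed(
        session, "account:view_any", account_id
    ):
        return 200, ACCOUNTS[account_id]
    return 403, None
```

The point of the `try/except` is the fail-secure requirement: a tampered or malformed identifier raises inside the lookup and the handler returns 403 instead of an error page that might reveal internal state or, worse, fall through to an allow.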
Medium
1) WEB.18 - It must be possible to log all access control decisions. Auditing of administrative access control decisions must be enabled by default.
2) WEB.22 - Applications must not accept the HTTP request methods GET and POST interchangeably (i.e. it is wrong for a request to behave the same whether it arrives as GET or POST, with no distinction made).
3) WEB.32 - Unless there is a justified need for persistent cookies, cookies should always be generated as session cookies. The expiration time must not be set in session cookies; a cookie with no expiry defaults to browser-session-only.
4) WEB.33 - Cookies should be scoped to the originating web server. The application must default the cookie domain to the originating web server by not specifying a domain.
5) WEB.35 - The HttpOnly flag must be used on all cookies that do not specifically require access from JavaScript, including the session cookie.
6) WEB.36 - The Secure flag must be used on all cookies that contain sensitive data, including the session cookie.
7) WEB.39 - An application must provide a mechanism to defend against Cross-Site Request Forgery (CSRF).
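As an added example (not from the checklist's source) for the cookie items WEB.32, WEB.33, WEB.35 and WEB.36 and for the CSRF item WEB.39, the helper below builds a session cookie with the required attributes, audits an arbitrary Set-Cookie value against those items, and implements a per-session synchronizer token. It uses only the Python standard library; the cookie name `sid` and the form field `csrf_token` are assumed names.

```python
"""Cookie attribute helpers and a CSRF token check (added illustration, not
from the checklist). Standard library only.

WEB.32: no Expires/Max-Age (browser-session-only).  WEB.33: no Domain attribute.
WEB.35: HttpOnly.  WEB.36: Secure.  WEB.39: a random per-session token that the
client must echo in the request body, compared in constant time.
"""
import hmac
import secrets
from http.cookies import SimpleCookie


def session_cookie_header(name, value, secure=True):
    """Build the value of a Set-Cookie header for a session cookie."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True       # WEB.35
    if secure:
        cookie[name]["secure"] = True     # WEB.36
    # No "domain", "expires" or "max-age" set: WEB.33 and WEB.32 by omission.
    return cookie[name].OutputString()


def audit_set_cookie(header_value):
    """Return a list of checklist violations found in one Set-Cookie value."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    problems = []
    for cname, morsel in cookie.items():
        if morsel["expires"] or morsel["max-age"]:
            problems.append(f"{cname}: persistent cookie (WEB.32)")
        if morsel["domain"]:
            problems.append(f"{cname}: Domain attribute set (WEB.33)")
        if not morsel["httponly"]:
            problems.append(f"{cname}: missing HttpOnly (WEB.35)")
        if not morsel["secure"]:
            problems.append(f"{cname}: missing Secure (WEB.36)")
    return problems


def issue_csrf_token(session):
    """Create (or reuse) the per-session CSRF token embedded in every form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    return session["csrf"]


def csrf_valid(session, form):
    """Accept a state-changing request only if the body token matches the session's."""
    expected = session.get("csrf")
    presented = form.get("csrf_token")
    if not expected or not isinstance(presented, str):
        return False
    return hmac.compare_digest(expected, presented)   # constant-time comparison
```

`audit_set_cookie` is the check a reviewer can run over captured response headers: a cookie such as `sid=abc; Domain=.example.com; Max-Age=3600; Path=/` reports all four violations, while the output of `session_cookie_header("sid", value)` reports none.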
8) WEB.40 - The HTTP header X-Frame-Options must be in use for sites whose content should not be viewed in a 3rd-party frame; this prevents the site from being framed. A common middle ground is to send SAMEORIGIN, meaning only websites of the same origin may frame it.
9) ASVS.V3.4 - Sessions must time out after an administratively-configurable maximum time period regardless of activity (an absolute timeout).
10) ASVS.V3.10 - Only session ids generated by the application framework must be recognized as active by the application.
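The session items are spread across the three levels of this list (ASVS.V3.2, V3.3, V3.4, V3.7, V3.10 and V3.11). The in-memory store below is an added illustration, not code from the checklist's source, that satisfies all of them together. The timeout values and the injectable clock are assumptions chosen so the behaviour can be exercised deterministically.

```python
"""In-memory session manager (added illustration, not from the checklist).

ASVS.V3.2: logout invalidates the server-side state.
ASVS.V3.3: idle timeout.            ASVS.V3.4: absolute timeout.
ASVS.V3.7: every authentication issues a fresh id (no session fixation).
ASVS.V3.10: only ids this store issued are ever treated as active.
ASVS.V3.11: ids are 256 bits from the OS CSPRNG.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity (assumed value)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock       # injectable for tests
        self._sessions = {}       # sid -> {"user", "created", "last_seen"}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 43-char URL-safe id (ASVS.V3.11)

    def login(self, presented_sid, user):
        """Authenticate: discard whatever id the client presented, issue a new one."""
        self.logout(presented_sid)         # ASVS.V3.7: never keep a pre-auth id
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def logout(self, sid):
        """Invalidate server-side; the client's copy of the id becomes worthless."""
        self._sessions.pop(sid, None)      # ASVS.V3.2

    def user_for(self, sid):
        """Return the user of an active session, or None.

        Ids not issued by this store are rejected outright (ASVS.V3.10);
        expired sessions are removed on sight.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        idle_expired = now - entry["last_seen"] > IDLE_TIMEOUT       # ASVS.V3.3
        absolute_expired = now - entry["created"] > ABSOLUTE_TIMEOUT  # ASVS.V3.4
        if idle_expired or absolute_expired:
            self.logout(sid)
            return None
        entry["last_seen"] = now
        return entry["user"]
```

Note that `login` takes the id the client presented and destroys it before issuing a new one; that single step is what ASVS.V3.7 asks for, and it is also the simplest defence against session fixation.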
11) ASVS.V4.5 - Directory browsing must be disabled unless deliberately desired.
12) ASVS.V4.9 - Access control rules implied by the presentation layer must be enforced on the server side (the server must perform the same checks; otherwise the rules can be bypassed).
13) ASVS.V11.1 - The application must only accept a defined set of HTTP request methods, such as GET and POST, and unused methods (e.g. TRACE, PUT, DELETE) must be explicitly blocked.
14) ASVS.V11.2 - Every HTTP response must contain a content type header specifying a safe character set (e.g. UTF-8, ISO 8859-1).
15) ASVS.V11.3 - HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, must be authenticated by the application.
16) ASVS.V11.5 - The HTTP headers or any part of the HTTP response must not expose detailed version information of system components.
17) ASVS.V11.6 - All API responses must contain X-Content-Type-Options: nosniff and Content-Disposition: attachment; filename="api.json" (or other appropriate file name for the content type); this blocks MIME-sniffing based attacks.
18) ASVS.V11.8 - The header X-XSS-Protection: 1; mode=block must be used. (This is an IE8+ feature that switches IE's XSS Filter on.)
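The response-header items above (WEB.21, WEB.40, ASVS.V11.1, V11.2, V11.5, V11.6 and V11.8) are easiest to enforce in one place. The WSGI middleware below is an added example, not code from the checklist's source; the demo application, the `/account` and `/api` path prefixes and the allowed-method set are constructed assumptions. It applies nosniff to every response, which is a safe superset of the API-only requirement in ASVS.V11.6.

```python
"""WSGI middleware enforcing the checklist's response-header items (added
illustration, not from the checklist). Standard library only.

WEB.21: Cache-Control: no-store on sensitive paths.   WEB.40: X-Frame-Options.
ASVS.V11.1: method allow-list, others get 405.        ASVS.V11.2: charset on Content-Type.
ASVS.V11.5: version-revealing headers stripped.       ASVS.V11.6: nosniff + attachment on /api.
ASVS.V11.8: X-XSS-Protection: 1; mode=block.
"""

ALLOWED_METHODS = {"GET", "POST"}               # ASVS.V11.1 (assumed set)
SENSITIVE_PREFIXES = ("/account", "/api")       # WEB.21 (constructed example paths)
VERSION_HEADERS = {"server", "x-powered-by"}   # ASVS.V11.5


def _set(headers, name, value):
    """Replace any existing header of the same name (case-insensitive), then append."""
    headers[:] = [(k, v) for k, v in headers if k.lower() != name.lower()]
    headers.append((name, value))


def secure_headers(app):
    def middleware(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method not in ALLOWED_METHODS:
            start_response("405 Method Not Allowed", [
                ("Allow", ", ".join(sorted(ALLOWED_METHODS))),
                ("Content-Type", "text/plain; charset=utf-8"),
            ])
            return [b"method not allowed"]
        path = environ.get("PATH_INFO", "/")

        def wrapped_start(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() not in VERSION_HEADERS]
            ctype = next((v for k, v in headers if k.lower() == "content-type"), "text/plain")
            if "charset=" not in ctype.lower():
                _set(headers, "Content-Type", ctype + "; charset=utf-8")   # ASVS.V11.2
            _set(headers, "X-Frame-Options", "SAMEORIGIN")                 # WEB.40
            _set(headers, "X-XSS-Protection", "1; mode=block")             # ASVS.V11.8
            _set(headers, "X-Content-Type-Options", "nosniff")             # ASVS.V11.6
            if path.startswith(SENSITIVE_PREFIXES):
                _set(headers, "Cache-Control", "no-store")                 # WEB.21
            if path.startswith("/api"):
                _set(headers, "Content-Disposition", 'attachment; filename="api.json"')
            return start_response(status, headers, exc_info)

        return app(environ, wrapped_start)
    return middleware


def demo_app(environ, start_response):
    """Constructed app that leaks a Server header and omits the charset on purpose."""
    if environ["PATH_INFO"].startswith("/api"):
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Server", "DemoServer/1.2.3")])
        return [b'{"ok": true}']
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>hello</html>"]


def call(app, method, path):
    """Drive one request through a WSGI app; return (status, lower-cased header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body
```

Running `call(secure_headers(demo_app), "GET", "/api/users")` shows the Server header gone, the charset appended, and the no-store, nosniff and attachment headers added; a `TRACE` request never reaches the application and gets a 405 with an `Allow` header listing the permitted methods.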
19) ASVS.V18.5 - SOAP based Web services must be compliant with Web Services-Interoperability (WS-I) Basic Profile at a minimum.
References: