练习Test方法
SAST, DAST, SAC
DAST案例四, APIs接口扫描测试,但是是针对单个接口的。我练习用的是免费版的,商业版支持自动修复,也可能支持swagger整合。
snapshot:
打开程序安装目录运行zap.bat(因为我本地使用jdk版本过高)
点击这里闪电tab,录入项目url地址,点击Attack开始扫描页面所有关联性的url地址。
Alerts扫描问题结果
修复常见header和CSRF问题,留下两个low级别bug
fix问题:
Cross-Site Request Forgery (CSRF)
flask 启动类添加全局变量
csrf = CSRFProtect(app)
html post请求
<form action="{{ url_for('login') }}" method="POST" >
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
</form>
Python, Flask: How to set response header for all responses
@app.after_request
def apply_caching(response):
response.headers["X-Frame-Options"] = "SAMEORIGIN"
return response
Security Headers完整配置:
@app.after_request
def apply_caching(response):
#XSS
response.headers["X-Frame-Options"] = "SAMEORIGIN"
response.headers["X-XSS-Protection"] = "0"
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["Content-Type"] = "text/html; charset=utf-8"
app.config.update(
SESSION_COOKIE_SECURE=True,
SESSION_COOKIE_HTTPONLY=True,
SESSION_COOKIE_SAMESITE='Lax',
)
response.set_cookie('username', 'flask', secure=True, httponly=True, samesite='Lax')
return response
启动问题: zap使用的是jdk1.8我本地安装的是jdk12(支持sonarQube)
Problem starting OWASP ZAP with OpenJDK 11 installed
This application requires a Java Runime Eviroment 1.8.0
https://www.zaproxy.org/faq/what-versions-of-java-are-supported/
Reference:
Download ZAP
https://www.zaproxy.org/download/
CSRF Protection
https://flask-wtf.readthedocs.io/en/1.0.x/csrf/
Security Headers
https://owasp.org/www-community/Security_Headers
Security Considerations
https://flask.palletsprojects.com/en/2.1.x/security/
Python, Flask: How to set response header for all responses
https://stackoverflow.com/questions/30717152/python-flask-how-to-set-response-header-for-all-responses
owasp zap jdk requirement
https://stackoverflow.com/questions/67968805/problem-starting-owasp-zap-with-openjdk-11-installed
test project (zap branch, fix bug)
https://github.com/WillingChin/flaskProject
4220
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
