我非常担心我构建的网络应用程序的安全性,因此我一直在使用各种工具来抓取我的每个应用程序。
虽然在编程方面可以完成的所有事情都已经完成,但现成的类(如 Active Record)无法预见,但有一个问题我不断收到警报,我不知道从哪里开始解决这个问题。
我在 Nginx 和 Rails 4.1 后面运行 Unicorn。我不断收到的警报是这样的:
An attacker can manipulate the Host header as seen by the
web application and cause the application to behave in
unexpected ways. Developers often resort to the exceedingly
untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP).
Even otherwise-secure applications trust this value enough to
write it to the page without HTML-encoding it with code equivalent to:
<link href="https://_SERVER['HOST']" (Joomla)
...and append secret keys and tokens to links containing it:
(Django, Gallery, others)
....and even directly import scripts from it:
(Various)
发出以下建议:
The web application should use the SERVER_NAME instead
of the Host header. It should also create a dummy vhost
that catches all requests with unrecognized Host headers.
This can also be done under Nginx by specifying a non-wildcard
SERVER_NAME, and under Apache by using a non-wildcard serverName
and turning the UseCanonicalName directive on. Consult references
for detailed information.
当然,无论如何..据我所知,这种漏洞通常是无害的,但在各种网络应用程序中可能有害,具体取决于它们的种类。
我该怎么做才能阻止这种攻击?感谢您的任何建议。
最佳答案
我找到了绕过该行为并停止收到警报的方法。我不知道这是否是最好的方法,因此接受评论、建议和新答案。
我们开始吧。
应用程序 Controller .rb
class ApplicationController < ActionController::Base
before_action :debug_headers
private
def debug_headers
if request.env['HTTP_X_FORWARDED_HOST']
request.env.except!('HTTP_X_FORWARDED_HOST') # just drop the variable
end
end # def
end # class
关于ruby-on-rails - rails : HOST Header Attack vulnerability,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/24903831/