OWASP Top Ten Web Vulnerabilities: How to Protect Your Laravel Web Application Against the OWASP Top Ten Security Risks


I remember the first time one of my sites got hacked.

The client emailed saying their website was taking ages to load. I jumped online as soon as I got home from college and noticed somebody had used SQL injection to inject a <script> tag into all the product titles.

The script attempted to redirect visitors to a malicious website. I was devastated.

This was back in 2004, and I had just taught myself ASP and SQL Server. It was a sobering moment and one that brought home the realisation that any website could be a target, no matter how small.

It also taught me about the importance of web security, and it’s been at the forefront of my development process ever since.

No site can ever be completely safe; the sheer number of high-profile breaches is a testament to this. But you can follow some best practices to make your site less of a target for a casual malicious actor or automated script.

OWASP & Laravel

The Open Web Application Security Project (OWASP) is an international non-profit organisation dedicated to creating awareness about web application security.

The OWASP Top Ten is a standard awareness guide about web application security and consists of the most critical security risks to web applications.

Laravel is one of my favourite PHP frameworks. I’ve used it extensively over the years for anything from small business sites to large fintech and e-commerce applications demanding security at the core.

The great thing is, Laravel takes care of many of these security features out of the box.

I’ll run through the OWASP Top Ten and note how you can harden your Laravel web applications with some basic security best practices.

1. Injection

Source: https://xkcd.com/327/

The Laravel query builder uses PDO parameter binding to protect the application against SQL injection attacks. This means you don’t have to sanitise values being passed as bindings.

Be aware that Laravel also allows you to run raw SQL queries. You should avoid this if possible. Stick to Eloquent instead.

Bear in mind that PDO does not support binding column names. You should never use input from users to dictate the table column name, including columns used in an ORDER BY clause.

If you do need some flexibility, ensure you check the column names against a whitelist.
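The two rules above in one place, as an added example that is not code from the original article: the search term travels as a PDO binding, while the sort column (which PDO cannot bind) is resolved against a whitelist before it reaches ORDER BY. The `products` table, its columns and the request parameter names are assumptions for the illustration.

```php
<?php
// Added example (not from the original article): parameter binding with the
// Laravel query builder, plus a whitelist for a user-controlled sort column.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

// Columns a client may legitimately sort by (assumed schema). PDO cannot bind
// identifiers, so the column name must come from this list, never from the request.
const SORTABLE_COLUMNS = ['name', 'price', 'created_at'];

function searchProducts(Request $request)
{
    // The search term is passed as a binding: PDO sends it separately from the
    // SQL text, so quotes or comment sequences inside it are just data.
    $term = $request->input('q', '');

    // Resolve the requested sort column against the whitelist; fall back to a
    // safe default rather than echoing the client's value into the SQL.
    $sort = $request->input('sort', 'name');
    if (!in_array($sort, SORTABLE_COLUMNS, true)) {
        $sort = 'name';
    }
    $direction = $request->input('dir') === 'desc' ? 'desc' : 'asc';

    return DB::table('products')
        ->where('title', 'like', '%' . $term . '%')   // value is bound, not interpolated
        ->orderBy($sort, $direction)                  // identifier came from the whitelist
        ->get();
}

// If you cannot avoid a raw query, keep user data in the bindings array and
// never splice it into the SQL string.
function productsInCategory(int $categoryId): array
{
    return DB::select('select * from products where category_id = ?', [$categoryId]);
}
```

Note that `%` and `_` inside `$term` still act as LIKE wildcards; that affects what matches, not the structure of the query, which is the property injection protection is about.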

2. Broken Authentication

Photo by Dan Nelson / Unsplash

There are several strategies you can use to protect your application from this type of attack.

  • Use CAPTCHA for any endpoints that can be exploited using brute-force techniques. This includes login, registration, and forgot-password forms. CAPTCHA will stop most automated attacks. Go with something like Google’s reCAPTCHA rather than developing your own implementation.
  • Rate-limit login attempts. Used in conjunction with CAPTCHA, this gives you a good defence-in-depth strategy. Laravel has a middleware that can be used straight away in your routes or controllers to throttle requests.
  • Build multi-factor authentication for your member and admin accounts. There are great packages available that you can use to generate QR codes and validate one-time password codes upon login. Avoid other means of delivering this code, such as email or SMS. They simply aren’t secure enough.
  • Never commit any default login details or sensitive API credentials to your code repository. Maintain these settings in the .env file in the project root.
  • Configure sessions securely: they should be sent over HTTPS only and never displayed in your application. The secure setting can be enabled in the session.php config file of your Laravel application.
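The rate-limiting and session points above, written out as an added example (not code from the original article): a `routes/web.php` excerpt that applies Laravel's `throttle` middleware to every brute-forceable endpoint, followed by the `config/session.php` keys that keep the session cookie off plain HTTP. The controller class names are the ones Laravel's classic auth scaffolding generates and are assumed here.

```php
<?php
// Added example (not from the original article).
// --- routes/web.php (excerpt) ---
use App\Http\Controllers\Auth\ForgotPasswordController;   // assumed scaffolding names
use App\Http\Controllers\Auth\LoginController;
use App\Http\Controllers\Auth\RegisterController;
use Illuminate\Support\Facades\Route;

// 'throttle:5,1' allows five requests per minute per client before Laravel
// responds with 429 Too Many Requests. Apply it to every endpoint an automated
// script could hammer, not just the login form.
Route::middleware('throttle:5,1')->group(function () {
    Route::post('/login', [LoginController::class, 'login']);
    Route::post('/register', [RegisterController::class, 'register']);
    Route::post('/password/email', [ForgotPasswordController::class, 'sendResetLinkEmail']);
});

// --- config/session.php (relevant keys only) ---
return [
    // Browser only sends the cookie over HTTPS. Defaulting to true means a
    // forgotten .env entry fails safe on production.
    'secure'    => env('SESSION_SECURE_COOKIE', true),

    // Not readable from document.cookie, so an XSS bug cannot simply lift it.
    'http_only' => true,

    // Not attached to cross-site POSTs: defence in depth alongside Laravel's
    // CSRF token middleware.
    'same_site' => 'lax',

    // Idle lifetime in minutes; keep it as short as the application allows.
    'lifetime'  => 120,
];
```

In real Laravel projects the two parts live in separate files; they are shown together here only to keep the example self-contained. Throttling is per client IP by default, so put it behind CAPTCHA rather than relying on it alone against a distributed botnet.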

3. Sensitive Data Exposure

Photo by Tim Evans / Unsplash

Not a week goes by without news about another high-profile data breach. Most concerning of all is that, at times, these breaches reveal how the company used weak security practices. Weak password hashes and unsecured S3 buckets are common occurrences.

Here are a few ways you can combat this:

  • Ensure you serve the entire application over HTTPS with a TLS certificate. If users try to access the HTTP equivalent, redirect them to the secure route instead and make use of HSTS headers.
  • Hash all passwords using an adaptive salted hashing function. These are hash functions whose work factor can be increased over time as processor power increases. Laravel supports both Bcrypt and Argon2 by default.
  • Encrypt all sensitive data stored at rest. Never use your own home-grown encryption functions. Instead, use Laravel’s built-in encryption functions, which use OpenSSL to provide AES-256 and AES-128 encryption.
  • If you use sequential numbers for files or primary keys to identify records, you could inadvertently be exposing information about your system. Using a URL like /member-profile/23 will reveal you have (at least) 23 members on your system. If you include uploaded files like /user-images/45.jpg, you could open yourself to an enumeration attack where a malicious actor could try all number combinations and extract all user images from your website. To combat this, use a different scheme like UUIDv4 to identify records that are public and might require protection. For files, use automatically generated file names or a hashed folder structure to prevent enumeration.
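Three of the points above (adaptive hashing, encryption at rest, non-sequential identifiers) on a single Eloquent model, as an added example that is not code from the original article. The `Member` model, its `national_id` column and the `checkPassword` helper are assumptions; the framework calls (`Hash`, `Crypt`, `Str::uuid`) are Laravel's own.

```php
<?php
// Added example (not from the original article): hashing, encryption at rest
// and UUIDv4 keys on an assumed Member model (classic accessor/mutator style).
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class Member extends Model
{
    // UUIDv4 primary key: a URL like /member-profile/{id} no longer leaks a
    // count, and there is no sequence for a script to walk.
    public $incrementing = false;
    protected $keyType = 'string';

    protected static function booted()
    {
        static::creating(function (Member $member) {
            $member->id = $member->id ?: (string) Str::uuid();   // Str::uuid() is version 4
        });
    }

    // Hash::make uses the driver from config/hashing.php (bcrypt or argon2id).
    // The work factor lives in config, so it can be raised later without code changes.
    public function setPasswordAttribute(string $plain): void
    {
        $this->attributes['password'] = Hash::make($plain);
    }

    // Sensitive column (assumed) stored encrypted under APP_KEY with Laravel's
    // OpenSSL-backed encrypter (AES-256-CBC by default), decrypted on read.
    public function setNationalIdAttribute(?string $value): void
    {
        $this->attributes['national_id'] = $value === null ? null : Crypt::encryptString($value);
    }

    public function getNationalIdAttribute(?string $stored): ?string
    {
        return $stored === null ? null : Crypt::decryptString($stored);
    }
}

// Verify a login and transparently re-hash if the configured work factor has
// been raised since the stored hash was produced.
function checkPassword(Member $member, string $plain): bool
{
    if (!Hash::check($plain, $member->password)) {
        return false;
    }
    if (Hash::needsRehash($member->password)) {
        $member->password = $plain;   // mutator re-hashes with the current settings
        $member->save();
    }
    return true;
}
```

Keep the encrypted column out of `WHERE` clauses: the ciphertext changes on every write, so it cannot be searched or indexed. If you need lookups, store a separate keyed hash of the value alongside it.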

Never trust user-uploaded files. If these uploaded files are not validated or handled correctly, they can allow access to your entire system. The OWASP Unrestricted File Upload page includes several precautions to take. You can implement most of these using Laravel’s validation functionality:

  • Set a minimum and maximum file upload size.
  • Limit the number of simultaneous file uploads.
  • Only allow specific file types by checking their MIME type.
  • Rename all files upon upload.
  • Upload files to a non-public directory or third-party object storage like AWS S3. You don’t want somebody uploading a PHP shell script, allowing them to run commands directly on your server.

Best of all, you can wrap all of this into a Laravel rule and simply call this rule as part of your validation flow.
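The five upload precautions above gathered into one form request, as an added example that is not code from the original article. The `attachments` field name, the allowed types and the `private` disk are assumptions; the validation rules (`file`, `mimes`, `min`, `max`, `array`) and `storeAs` are Laravel's.

```php
<?php
// Added example (not from the original article): upload validation covering
// size, count, content type and renaming, then storage on a non-public disk.
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;

class StoreAttachmentsRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user() !== null;   // uploads only for authenticated users
    }

    public function rules(): array
    {
        return [
            'attachments'   => ['required', 'array', 'max:3'],   // at most three files per request
            'attachments.*' => [
                'file',
                'mimes:jpg,jpeg,png,pdf',   // matched against the detected MIME type, not the client's claim
                'min:1',                    // size limits are in kilobytes: reject empty files
                'max:5120',                 // 5 MB cap
            ],
        ];
    }

    // Call from the controller after validation: $paths = $request->store();
    public function store(): array
    {
        $paths = [];
        /** @var UploadedFile $file */
        foreach ($this->file('attachments') as $file) {
            // Discard the client-supplied name entirely. The extension comes from
            // the detected type, and the random name is bucketed by its first two
            // characters so a single directory does not grow without bound.
            $name = Str::random(40) . '.' . $file->guessExtension();
            $dir  = substr($name, 0, 2);

            // 'private' is an assumed disk in config/filesystems.php rooted outside
            // public/ (or an S3 bucket), so nothing uploaded is ever served by PHP.
            $paths[] = $file->storeAs($dir, $name, 'private');
        }
        return $paths;
    }
}
```

Serve a stored file back through a controller that performs an authorisation check and streams it with `Storage::disk('private')->download($path)`, rather than exposing the directory itself.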

4. XML External Entities (XXE)

Photo by Markus Winkler / Unsplash

This vulnerability applies to any system that parses XML. A security researcher found this vulnerability in Facebook a few years ago. This SensePost article goes into more detail about how this was accomplished.

The quickest way to prevent this attack is to disable external entity resolution when using the default PHP XML parser. This is done by calling libxml_disable_entity_loader(true).

If you cannot disable this functionality, make sure that your XML parser is up to date and that you’re using at least SOAP v1.2 or higher where applicable. Always be vigilant when it comes to user-uploaded or third-party XML.
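A hardened parse routine for untrusted XML, as an added example that is not code from the original article. It adds two checks the text above does not spell out: it rejects any document carrying a DOCTYPE (the only place entities can be declared) and it avoids `LIBXML_NOENT`, which would substitute entities. The version guard reflects that PHP 8.0 disables the external entity loader by default and deprecates `libxml_disable_entity_loader`; that you are on PHP 7.x or 8.x is an assumption.

```php
<?php
// Added example (not from the original article): parse untrusted XML with
// DOMDocument without resolving external entities.
function parseUntrustedXml(string $xml): \DOMDocument
{
    // Cheapest defence first: clients have no legitimate reason to send a DTD,
    // and without a DTD there is nowhere to declare an entity.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new \InvalidArgumentException('DTD/DOCTYPE declarations are not accepted');
    }

    // PHP < 8.0 loads external entities by default; switch that off for this
    // process. PHP 8.0+ already defaults to off and deprecates the call.
    if (\PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);   // collect errors instead of emitting warnings

    $doc = new \DOMDocument();
    // LIBXML_NONET blocks any network fetch during parsing. LIBXML_NOENT is
    // deliberately absent: that flag would expand entities, which is the attack.
    $ok = $doc->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        throw new \InvalidArgumentException('Malformed XML');
    }
    return $doc;
}

// Usage: $doc = parseUntrustedXml($request->getContent());
// A client document that starts with <!DOCTYPE foo [<!ENTITY ...>]> is refused
// before libxml ever sees it.
```

Apply the same rule to `SimpleXML` and to any library that wraps libxml for you (SOAP clients, feed parsers): check which flags it passes through, and treat `LIBXML_NOENT` as a red flag in code review.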

5. Broken Access Control

Photo by Collin Armstrong / Unsplash

In 2011, attackers made off with the details of over 200,000 Citigroup customers after discovering a flaw in the way customer account numbers were handled. Once they had logged into an account, all they had to do was change the customer number in the URL to jump to the record of another customer.

This allowed them to create an automated process that would cycle through all possible numbers and capture all the confidential data.

The system didn’t have any authorisation checks in place to ensure the account number being accessed belonged to the logged-in user.

  • Always perform authorisation checks on any operations that are only available to logged-in users. This includes the page (for example, one allowing you to update your details) as well as the destination of the form submission.
  • There are popular RBAC (Role-Based Access Control) packages that can be used with Laravel, allowing you to manage user permissions and roles. You can also use Laravel’s built-in authorisation services.
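The missing check from the Citigroup story, expressed with Laravel's built-in authorisation services, as an added example that is not code from the original article. It ties the record to the logged-in user on both the page and the form's destination. The `Account` model with a `user_id` column and the `nickname` field are assumptions.

```php
<?php
// Added example (not from the original article): an ownership policy and the
// controller that enforces it on both the read and the write route.

// --- app/Policies/AccountPolicy.php ---
namespace App\Policies;

use App\Models\Account;   // assumed model with a user_id column
use App\Models\User;

class AccountPolicy
{
    // Whatever id appears in the URL, only the owning user may see the record.
    public function view(User $user, Account $account): bool
    {
        return $account->user_id === $user->id;
    }

    public function update(User $user, Account $account): bool
    {
        return $account->user_id === $user->id;
    }
}

// --- app/Http/Controllers/AccountController.php ---
namespace App\Http\Controllers;

use App\Models\Account;
use Illuminate\Http\Request;

class AccountController extends Controller
{
    // GET /accounts/{account}: route-model binding loads the Account from the
    // URL, then the policy decides whether this user may see it (403 otherwise).
    public function show(Account $account)
    {
        $this->authorize('view', $account);
        return view('accounts.show', compact('account'));
    }

    // PUT /accounts/{account}: the form's destination repeats the check. Hiding
    // the edit link is not a substitute for this.
    public function update(Request $request, Account $account)
    {
        $this->authorize('update', $account);

        $account->update($request->validate([
            'nickname' => ['required', 'string', 'max:50'],
        ]));

        return redirect()->route('accounts.show', $account);
    }
}
```

Laravel discovers `App\Policies\AccountPolicy` for `App\Models\Account` automatically; on older layouts register it in the `$policies` array of `AuthServiceProvider`. The two classes are shown in one block for readability and belong in their own files.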

6. Security Misconfiguration

Photo by Philipp Katzenberger / Unsplash

When configuring your web application, always consider the principle of least functionality. Harden your installation by removing or disabling all services you don’t need.

Back in 2001, the Nimda worm wreaked worldwide havoc by exploiting several IIS (Internet Information Server) vulnerabilities.

Many systems had IIS installed by default, even though they didn’t use the Microsoft web server at all. The result was a high infection rate that could have been prevented by hardening the system and uninstalling any services not required by the system or network.

  • Keep all server software and any dependencies in your web application up to date.
  • Disable directory listing for your web server.
  • Disable debugging on production servers. Even on staging servers, debugging can reveal sensitive server information by outputting all your environment variables. Make use of the debug_hide app configuration option in Laravel to prevent this.
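The debug point above as a `config/app.php` excerpt, added here as an example rather than taken from the original article. It shows the weak setting (debug following whatever `.env` says, defaulting to on) next to the hardened one, and the `debug_hide` map that masks secrets on the error page wherever debug is still enabled. The list of variable names is an assumption about a typical `.env`.

```php
<?php
// Added example (not from the original article): config/app.php excerpt.

// Weak: APP_DEBUG missing from .env on production means debug pages are ON,
// complete with a dump of $_ENV and $_SERVER.
//   'debug' => (bool) env('APP_DEBUG', true),

return [
    // Hardened: fail closed. Debug is only on when .env says so explicitly.
    'debug' => (bool) env('APP_DEBUG', false),

    // For environments where debug is legitimately on (staging, local), these
    // keys are replaced with '******' on the error page instead of being printed.
    // Names below are an assumed set for a typical .env file.
    'debug_hide' => [
        '_ENV'    => ['APP_KEY', 'DB_PASSWORD', 'REDIS_PASSWORD', 'MAIL_PASSWORD', 'AWS_SECRET_ACCESS_KEY'],
        '_SERVER' => ['APP_KEY', 'DB_PASSWORD', 'REDIS_PASSWORD', 'MAIL_PASSWORD', 'AWS_SECRET_ACCESS_KEY'],
        '_POST'   => ['password', 'password_confirmation'],
    ],
];
```

Masking is the fallback, not the plan: a debug page on an internet-facing host still reveals file paths, framework version and stack traces, so `APP_DEBUG=false` on production is the setting that matters.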

7. Cross-Site Scripting (XSS)

Photo by Pankaj Patel / Unsplash

Never display user-supplied input without escaping the data. Laravel’s template engine, Blade, automatically escapes content rendered using the default {{ $var }} syntax. This sends it through PHP’s htmlspecialchars function.

Escaping all output this way will reduce your website visitors’ exposure to XSS and CSRF (Cross-Site Request Forgery) attacks.

Unfortunately, it’s not always as simple as that. If you’ve ever included WYSIWYG HTML editors such as TinyMCE or CKEditor in your application, you know this poses a risk (especially since escaping the output would result in a bunch of HTML tags rather than the formatted content).

In these instances, use a package like HTMLPurifier to remove any potentially malicious code.
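The rich-text case above, handled with HTMLPurifier before the content is ever rendered unescaped, as an added example that is not code from the original article. It assumes the `ezyang/htmlpurifier` Composer package is installed and that the allowed tag list matches what your editor produces; the `purifyRichText` helper and the `post.body` field are assumptions.

```php
<?php
// Added example (not from the original article): purify editor HTML on the way
// in, so the only thing ever rendered with {!! !!} is already sanitised.
use HTMLPurifier;
use HTMLPurifier_Config;

// Blade reminder:
//   {{ $comment->body }}   -> htmlspecialchars(); "<script>" renders as literal text.
//   {!! $post->body !!}    -> NO escaping; feed it purified output only.

function purifyRichText(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Allow-list of what the WYSIWYG editor legitimately emits. Anything else
    // (script tags, on* handlers, javascript: URLs, style injection) is removed.
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href],img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.Nofollow', true);                    // rel="nofollow" on every link
    $config->set('Cache.SerializerPath', storage_path('app/purifier'));   // writable cache dir

    return (new HTMLPurifier($config))->purify($dirty);
}

// Sanitise at write time (assumed model and field):
//   $post->body = purifyRichText($request->input('body'));
// and render it in the template with {!! $post->body !!}.
// Content that never came from an editor keeps the default {{ }} escaping.
```

Purifying on input means the stored HTML is safe regardless of which template later displays it; purifying on output as well costs little and covers records that were imported or written before the rule existed.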

8. Insecure Deserialisation

Photo by Micah Williams / Unsplash

Be wary of unserialising anything from untrusted sources. This includes cookies your application might create. A malicious user can edit that cookie in their browser and use it as an attack vector against your application.

By default, all cookies created by Laravel are encrypted and signed. This means they’ll be invalid if a client tampers with them.
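The cookie scenario above, as an added example that is not code from the original article: the risky pattern (native `unserialize()` on client bytes) beside a data-only alternative that validates the decoded shape, plus the `allowed_classes` option for legacy payloads that cannot be replaced yet. The preferences cookie, its fields and the helper names are assumptions.

```php
<?php
// Added example (not from the original article): client-held state without
// handing unserialize() untrusted bytes.
use Illuminate\Support\Facades\Cookie;

// Risky: unserialize() on client-controlled data lets the client choose which
// classes are instantiated, and their __wakeup()/__destruct() hooks then run.
function loadPreferencesRisky(string $cookieValue): array
{
    return (array) unserialize(base64_decode($cookieValue));
}

// Preferred: a data-only format, followed by strict validation of the shape.
function loadPreferences(?string $cookieValue): array
{
    $defaults = ['theme' => 'light', 'page_size' => 20];   // assumed preference fields
    if ($cookieValue === null) {
        return $defaults;
    }
    try {
        $data = json_decode($cookieValue, true, 4, JSON_THROW_ON_ERROR);
    } catch (\JsonException $e) {
        return $defaults;   // garbage or tampering: fall back, never trust
    }
    return [
        'theme'     => in_array($data['theme'] ?? null, ['light', 'dark'], true) ? $data['theme'] : 'light',
        'page_size' => min(100, max(5, (int) ($data['page_size'] ?? 20))),
    ];
}

function queuePreferences(array $prefs): void
{
    // Laravel's EncryptCookies middleware encrypts and MAC-signs the value, so an
    // edited cookie fails verification and reads back as null on the next request.
    Cookie::queue('prefs', json_encode($prefs), 60 * 24 * 30);
}

// Legacy serialize() payload you cannot replace yet: at least forbid objects.
// Any object in the stream becomes __PHP_Incomplete_Class and no hooks run.
function unserializeDataOnly(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Usage: $prefs = loadPreferences($request->cookie('prefs'));
```

The encrypted cookie protects integrity, not the choice of format: if the value is still a `serialize()` string, a leaked `APP_KEY` turns every cookie back into a deserialisation vector, which is why the JSON version is the one to keep.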

9. Using Components with Known Vulnerabilities

Photo by Diego Gennaro / Unsplash

Because most of the dependencies you may be using in Laravel are open source, malicious users can analyse the packages and find ways to exploit vulnerabilities. A few ideas to mitigate this problem:

  • Ensure you keep all dependencies up to date.
  • Remove any dependencies not in use. This will reduce the potential number of attack entry points.
  • Subscribe to security bulletins and include a security scanner (such as Snyk) as part of your CI/CD pipeline.
  • Consider using an LTS (Long Term Support) version of Laravel rather than the latest version. LTS versions receive security fixes for three years rather than the one year for non-LTS releases.

10. Insufficient Logging and Monitoring

Photo by Chris Nguyen on Unsplash

When it comes to your application and server, log everything, including failed login attempts and password resets.

Laravel comes with Monolog out of the box. You can even integrate it with a third-party logging service like Papertrail and receive alerts for specific log events.
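The two events named above (failed logins and password resets) captured through Laravel's auth events and written via the `Log` facade, as an added example that is not code from the original article. It assumes a `security` channel defined in `config/logging.php`; Laravel's default `logging.php` already ships a `papertrail` channel that such a stack can forward to.

```php
<?php
// Added example (not from the original article): a listener that records the
// two auth events worth alerting on, using Laravel's built-in events.
namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Support\Facades\Log;

class LogAuthEvents
{
    // Fired by the guard whenever credentials do not match.
    public function handleFailed(Failed $event): void
    {
        Log::channel('security')->warning('auth.failed', [   // 'security' channel is assumed
            'email' => $event->credentials['email'] ?? null,
            'guard' => $event->guard,
            'ip'    => request()->ip(),
            'agent' => request()->userAgent(),
        ]);
    }

    // Fired by the password broker after a successful reset.
    public function handlePasswordReset(PasswordReset $event): void
    {
        Log::channel('security')->info('auth.password_reset', [
            'user_id' => $event->user->getAuthIdentifier(),
            'ip'      => request()->ip(),
        ]);
    }
}

// --- app/Providers/EventServiceProvider.php (excerpt) ---
// protected $listen = [
//     \Illuminate\Auth\Events\Failed::class        => [\App\Listeners\LogAuthEvents::class . '@handleFailed'],
//     \Illuminate\Auth\Events\PasswordReset::class => [\App\Listeners\LogAuthEvents::class . '@handlePasswordReset'],
// ];

// --- config/logging.php (excerpt, assumed channel) ---
// 'security' => [
//     'driver'   => 'stack',
//     'channels' => ['daily', 'papertrail'],   // local file plus the hosted service
// ],
```

Structured context (email, IP, guard) rather than a free-text message is what lets the logging service alert on "more than N `auth.failed` events from one IP in a minute" without parsing strings. Log the attempted email, never the attempted password.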

Conclusion

Thank you for reading, I hope this has proven useful! Sign up to my newsletter or visit my blog where I’ll share insightful web development articles to supercharge your skills.

Resources

The OWASP website is a brilliant source of information, and they provide several in-depth guides about many of the security issues mentioned above.

Translated from: https://www.freecodecamp.org/news/protect-your-laravel-app-against-the-owasp-top-10-security-risks/