diff options
Diffstat (limited to 'doc/user/application_security/dast/checks')
7 files changed, 83 insertions, 7 deletions
diff --git a/doc/user/application_security/dast/checks/1004.1.md b/doc/user/application_security/dast/checks/1004.1.md index dfbc600b05b..9626973eb36 100644 --- a/doc/user/application_security/dast/checks/1004.1.md +++ b/doc/user/application_security/dast/checks/1004.1.md @@ -4,7 +4,7 @@ group: Dynamic Analysis info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- -# Sensitive cookie without `HttpOnly` attribute +# Sensitive cookie without HttpOnly attribute ## Description diff --git a/doc/user/application_security/dast/checks/16.2.md b/doc/user/application_security/dast/checks/16.2.md index 95461e8677d..484460b6642 100644 --- a/doc/user/application_security/dast/checks/16.2.md +++ b/doc/user/application_security/dast/checks/16.2.md @@ -38,7 +38,7 @@ the `Server` header. ## Links -- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [CWE](https://cwe.mitre.org/data/definitions/16.html) - [Apache ServerTokens](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/) - [NGINX server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) - [IIS 10 Remove Server Header](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes) diff --git a/doc/user/application_security/dast/checks/16.3.md b/doc/user/application_security/dast/checks/16.3.md index 6f80a2a32c6..e4fc2468dae 100644 --- a/doc/user/application_security/dast/checks/16.3.md +++ b/doc/user/application_security/dast/checks/16.3.md @@ -32,4 +32,4 @@ information from the `X-Powered-By` header. ## Links - [CWE](https://cwe.mitre.org/data/definitions/16.html) -- [PHP `expose_php`](https://www.php.net/manual/en/ini.core.php#ini.expose-php) +- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php) diff --git a/doc/user/application_security/dast/checks/200.1.md b/doc/user/application_security/dast/checks/200.1.md new file mode 100644 index 00000000000..98a482b4a0f --- /dev/null +++ b/doc/user/application_security/dast/checks/200.1.md @@ -0,0 +1,29 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Exposure of sensitive information to an unauthorized actor (private IP address) + +## Description + +A private RFC 1918 was identified in the target application. Public facing websites should not be issuing +requests to private IP Addresses. Attackers attempting to execute subsequent attacks, such as Server-Side +Request Forgery (SSRF), may be able to use this information to identify additional internal targets. + +## Remediation + +Identify the resource that is incorrectly specifying an internal IP address and replace it with it's public +facing version, or remove the reference from the target application. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 200.1 | true | 200 | Passive | Low | + +## Links + +- [CWE](https://cwe.mitre.org/data/definitions/200.html) +- [RFC](https://datatracker.ietf.org/doc/html/rfc1918) diff --git a/doc/user/application_security/dast/checks/548.1.md b/doc/user/application_security/dast/checks/548.1.md new file mode 100644 index 00000000000..94f747739c5 --- /dev/null +++ b/doc/user/application_security/dast/checks/548.1.md @@ -0,0 +1,45 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Exposure of information through directory listing + +## Description + +The target web server is configured to list the contents of directories that do not contain an index file +such as `index.html`. This could lead to accidental exposure of sensitive information, or give an attacker +details on how filenames and directories are structured and stored. + +## Remediation + +Directory indexing should be disabled. + +Apache: +For Apache based web sites, ensure all `<Directory>` definitions have `Options -Indexes` configured in the +`apache2.conf` or `httpd.conf` configuration file. + +NGINX: +For NGINX based websites, ensure all `location` definitions have the `autoindex off` directive set in the +`nginx.conf` file. + +IIS: +For IIS based websites version 7.0 and above you can use the `<directoryBrowse enabled="false" />` element +in the `applicationHost.config` or `Web.config` files. + +For all other server types, please consult your product's documentation on how to disable directory +indexing. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 548.1 | false | 548 | Passive | Low | + +## Links + +- [CWE](https://cwe.mitre.org/data/definitions/598.html) +- [Apache Options](https://httpd.apache.org/docs/2.4/mod/core.html#options) +- [NGINX autoindex](https://nginx.org/en/docs/http/ngx_http_autoindex_module.html) +- [IIS directoryBrowse element](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse) diff --git a/doc/user/application_security/dast/checks/614.1.md b/doc/user/application_security/dast/checks/614.1.md index 46f7f61b0c7..ec68ce33529 100644 --- a/doc/user/application_security/dast/checks/614.1.md +++ b/doc/user/application_security/dast/checks/614.1.md @@ -4,7 +4,7 @@ group: Dynamic Analysis info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- -# Sensitive cookie without `Secure` attribute +# Sensitive cookie without Secure attribute ## Description @@ -35,6 +35,6 @@ Set-Cookie: {cookie_name}=<random secure value>; Secure ## Links -- [owasp](https://owasp.org/www-community/controls/SecureCookieAttribute) +- [OWASP](https://owasp.org/www-community/controls/SecureCookieAttribute) - [CWE](https://cwe.mitre.org/data/definitions/614.html) - [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md index a3b89e09751..97224554723 100644 --- a/doc/user/application_security/dast/checks/index.md +++ b/doc/user/application_security/dast/checks/index.md @@ -10,12 +10,14 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne | ID | Check | Severity | Type | |:---|:------|:---------|:-----| -| [1004.1](1004.1.md) | Sensitive cookie without `HttpOnly` attribute | Low | Passive | +| [1004.1](1004.1.md) | Sensitive cookie without HttpOnly attribute | Low | Passive | | [16.1](16.1.md) | Missing Content-Type header | Low | Passive | | [16.2](16.2.md) | Server header exposes version information | Low | Passive | | [16.3](16.3.md) | X-Powered-By header exposes version information | Low | Passive | | [16.4](16.4.md) | X-Backend-Server header exposes server information | Info | Passive | | [16.5](16.5.md) | AspNet header exposes version information | Low | Passive | | [16.6](16.6.md) | AspNetMvc header exposes version information | Low | Passive | -| [614.1](614.1.md) | Sensitive cookie without `Secure` attribute | Low | Passive | +| [200.1](200.1.md) | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive | +| [548.1](548.1.md) | Exposure of information through directory listing | Low | Passive | +| [614.1](614.1.md) | Sensitive cookie without Secure attribute | Low | Passive | | [693.1](693.1.md) | Missing X-Content-Type-Options: nosniff | Low | Passive | |