2018年4月16日 星期一

[研究][JavaScript] CKeditor 4.9.1 與 Fortify SCA v17.20

[研究][JavaScript] CKeditor 4.9.1 與 Fortify SCA v17.20

2018-04-16

續這篇

[研究] [C#] [ASP.NET] ckeditor-full 4.6.1 安裝 (NuGet) 與使用
http://shaurong.blogspot.com/2017/01/c-aspnet-ckeditor-full-461-nuget.html

目前 NuGet 安裝 ckeditor.full 出到 4.9.1 版。

用 Fortify SCA v17.20 白箱測試工具檢查,會發現 ckeditor 會有 2 個 Critical 問題。

Password Management: Hardcoded Password
  ckeditor.js  ( Password Management: Hardcoded Password )
  textfield.js  ( Password Management: Hardcoded Password )




Details 內容
Abstract:

Hardcoded passwords may compromise system security in a way that cannot be easily remedied.

Explanation:

It is never a good idea to hardcode a password. Not only does hardcoding a password allow all of the project's developers to view the password, it also makes fixing the problem extremely difficult. Once the code is in production, the password cannot be changed without patching the software. If the account protected by the password is compromised, the owners of the system will be forced to choose between security and availability.

Example: The following code uses a hardcoded password to connect to an application and retrieve address book entries:
...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...
This code will run successfully, but anyone who accesses the containing web page will be able to view the password.



Recommendations: 內容
Recommendations:

Passwords should never be hardcoded and should generally be obfuscated and managed in an external source. Storing passwords in plaintext anywhere on the web site allows anyone with sufficient permissions to read and potentially misuse the password. For JavaScript calls that require passwords, it is better to prompt the user for the password at connection time.


Tips:

1. Avoid hardcoding passwords in source code and avoid using default passwords. If a hardcoded password is the default, require that it be changed and remove it from the source code.

2. When identifying null, empty, or hardcoded passwords, default rules only consider fields and variables that contain the word password. However, the HPE Security Fortify Custom Rules Editor provides the Password Management wizard that makes it easy to create rules for detecting password management issues on custom-named fields and variables.


********************************************************************************
解決方法:

(下圖) 在 Visual Studio 2017 把 password 換成其他字,例如:passwoord (多一個 o)、passwd、pwd、、、
(替換時候注意大小寫,大寫開頭的字換大寫開頭的字;小寫開頭的換小寫開頭的)


(下圖) 沒有找到 Password 字串 ( P 大寫)

(下圖) 存檔,再掃描一次,正常

但是這不是好方法,因為 ckeditor 一旦更新版本,改掉的東西會被覆蓋回去,又要改一次,最好是 ckeditor 的原作者去解決這個問題,這有賴大家向作者反映。

聯絡網址
https://ckeditor.com/contact/

(完)

相關

[研究][ASP.NET] 用了 AntiXssEncoder.HtmlEncoder 仍被 Fortify SCA v17.20 說有問題
http://shaurong.blogspot.com/2018/04/aspnet-antixssencoderhtmlencoder.html

[研究][JavaScript] CKeditor 4.9.1 與 Fortify SCA v17.20
http://shaurong.blogspot.com/2018/04/javascript-ckeditor-491-fortify-sca.html

[研究][ASP.NET][JavaScript] hideShowPassword 與 Fortify SCA 白箱測試
http://shaurong.blogspot.com/2018/04/aspnetjavascript-hideshowpassword.html

[研究] [C#] [ASP.NET] ckeditor-full 4.6.1 安裝 (NuGet) 與使用
http://shaurong.blogspot.com/2017/01/c-aspnet-ckeditor-full-461-nuget.html

[研究] WebForm 用 NuGet 增加 ckeditor 4.6.1 前後比較

沒有留言:

張貼留言