OWASP ZAP raises CSP alerts even though the CSP header has been added

k5ifujac  posted on 2023-02-06  in  .NET
Follow (0) | Answers (1) | Views (383)

I am using OWASP ZAP 2.12.0 to automatically test an ASP.NET web application for vulnerabilities. It raises some CSP alerts and I don't know why, because the CSP header is added in Web.config. I need help resolving the alerts that are raised.

CSP header

<httpProtocol>
  <customHeaders>
    <add name="Content-Security-Policy"
         value="default-src 'self' 'unsafe-inline' http://localhost:50/master/child/;
                script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:50/master/child/;
                img-src 'self' data: http://localhost:50/master/child/;
                style-src 'self' 'unsafe-inline' http://localhost:50/master/child/;
                object-src 'self' http://localhost:50/master/child/;
                font-src 'self' data:;
                media-src 'self';
                frame-ancestors 'self';
                upgrade-insecure-requests;
                connect-src 'self';
                frame-src 'self';" />
  </customHeaders>
</httpProtocol>

Alerts

Alerts (14)
CSP: Wildcard Directive (8)
GET: http://localhost:50/Master/Child/UI/App_Themes/images/ajax-loader.gif
GET: http://localhost:50/Master/Child/UI/App_Themes/Login/css/style.css
GET: http://localhost:50/Master/Child/UI/App_Themes/Styles/HTMLStyle.css
GET: http://localhost:50/Master/Child/UI/Login.aspx
GET: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches
GET: http://localhost:50/Master/Child/UI/Scripts/jquery-ui-1.8.16.min.js
POST: http://localhost:50/Master/Child/UI/Login.aspx
POST: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches

CSP: script-src unsafe-inline (8)
GET: http://localhost:50/Master/Child/UI/App_Themes/images/ajax-loader.gif
GET: http://localhost:50/Master/Child/UI/App_Themes/Login/css/style.css
GET: http://localhost:50/Master/Child/UI/App_Themes/Styles/HTMLStyle.css
GET: http://localhost:50/Master/Child/UI/Login.aspx
GET: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches
GET: http://localhost:50/Master/Child/UI/Scripts/jquery-ui-1.8.16.min.js
POST: http://localhost:50/Master/Child/UI/Login.aspx
POST: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches

CSP: style-src unsafe-inline (8)
GET: http://localhost:50/Master/Child/UI/App_Themes/images/ajax-loader.gif
GET: http://localhost:50/Master/Child/UI/App_Themes/Login/css/style.css
GET: http://localhost:50/Master/Child/UI/App_Themes/Styles/HTMLStyle.css
GET: http://localhost:50/Master/Child/UI/Login.aspx
GET: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches
GET: http://localhost:50/Master/Child/UI/Scripts/jquery-ui-1.8.16.min.js
POST: http://localhost:50/Master/Child/UI/Login.aspx
POST: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches

o75abkj4 1#

As per the comments, always look at the ZAP alert details; they should explain exactly what the problem is. If that is not clear, contact the ZAP team via the ZAP User Group - we should be able to explain the problem and improve the alert details if needed.
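To see why the header above still trips the three alert types in the question, here is a small CSP linter added as an example (not code from the question, the answer, or the ZAP project). It parses the posted policy and applies a simplified model of what the alerts check: 'unsafe-inline' in the effective script-src/style-src, directives that are undefined with no default-src fallback, and wildcard sources; the HARDENED policy and its nonce value are constructed for illustration, and the checks approximate rather than reproduce ZAP's own rule logic.

```python
# The policy from the question's Web.config, with the line breaks collapsed
# the way IIS sends a customHeaders value.
POLICY = (
    "default-src 'self' 'unsafe-inline' http://localhost:50/master/child/; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:50/master/child/; "
    "img-src 'self' data: http://localhost:50/master/child/; "
    "style-src 'self' 'unsafe-inline' http://localhost:50/master/child/; "
    "object-src 'self' http://localhost:50/master/child/; "
    "font-src 'self' data:; media-src 'self'; frame-ancestors 'self'; "
    "upgrade-insecure-requests; connect-src 'self'; frame-src 'self';"
)
# Constructed example of a policy that passes these checks (nonce value is made up).
HARDENED = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; style-src 'self'; "
    "img-src 'self' data:; object-src 'none'; frame-ancestors 'self'; "
    "form-action 'self'; base-uri 'self'; upgrade-insecure-requests;"
)
# Fetch directives that fall back to default-src when absent (CSP3 semantics).
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                       "media-src", "object-src", "frame-src", "manifest-src", "worker-src"}
# Directives with no fallback: if they are missing, nothing restricts them.
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri"}

def parse_csp(header):
    """Split a header value into {directive: [sources]}; first occurrence wins, as browsers do."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Sources governing a directive: its own list, else default-src for fetch directives, else None."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FALLBACK_TO_DEFAULT else None

def lint_csp(header):
    """Return (finding, directive) pairs; approximates the three ZAP alert types, not ZAP's code."""
    policy, findings = parse_csp(header), []
    for d in ("script-src", "style-src"):
        if "'unsafe-inline'" in (effective_sources(policy, d) or []):
            findings.append((f"{d} unsafe-inline", d))
    for d in sorted(FALLBACK_TO_DEFAULT | NO_FALLBACK):
        srcs = effective_sources(policy, d)
        if srcs is None:
            findings.append(("wildcard directive: not defined", d))
        elif any(s == "*" or s.startswith("*.") or s in ("http:", "https:") for s in srcs):
            findings.append(("wildcard directive: wildcard source", d))
    return findings
```

Run `lint_csp(POLICY)` and you get the two unsafe-inline findings plus form-action and base-uri flagged as undefined; the header is present, it just does not restrict enough. Removing 'unsafe-inline' on a WebForms page usually means moving inline scripts and styles into files or adding nonces, which is why the alert persists after the header is added.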
