Nginx configuration: fixing a CORS cross-origin vulnerability

1. Problem description

Finding: CORS policy set from an arbitrary Origin header
Severity: Medium
CVSS score: 5.3
URL: http://192.168.100.190:8080/
Entity: 192.168.100.190 (Page)
Risk: it may be possible to collect sensitive information about the web application, such as usernames, passwords, machine names and/or sensitive file locations
      It may be possible to persuade a naive user to supply sensitive information such as usernames, passwords, credit card numbers, social security numbers, etc.
Cause: insecure web application programming or configuration
Fix: change the "Access-Control-Allow-Origin" header so that it only names the allowed sites
Difference: the header Origin was added to the request: http://bogus.hcl.com
Reasoning: AppScan detected that the "Access-Control-Allow-Origin" header is too permissive

In plain terms: the application copies whatever Origin value it receives into Access-Control-Allow-Origin (the responses further down also carry Access-Control-Allow-Credentials: true), so a page on any origin, including the scanner's http://bogus.hcl.com, can have a logged-in user's browser call the API with that user's cookies and read the response.

2. Approach one: add response headers (does not work)

location / { 
    add_header Access-Control-Allow-Origin 'http://192.168.100.190:8080'; 
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS'; 
    add_header Access-Control-Allow-Headers 'Content-Type'; 
} 

(These are response headers, not request headers, and add_header takes exactly one name and one value, so a value containing commas and spaces has to be quoted; left unquoted, Nginx rejects the directive with "invalid number of arguments" when the configuration is tested.)

Even with these headers in place, a request carrying any other Origin is still served normally, so this approach does nothing. There are two reasons. add_header appends a header; it does not replace an Access-Control-Allow-Origin that the upstream application already sends, and the responses in the next section show that header, Access-Control-Allow-Credentials: true and Vary: Origin arriving from the upstream even when Nginx adds nothing, so the reflected value stays in the response. And a location with no add_header of its own inherits only from the enclosing server and http levels, never from a sibling location, so directives in location / do not apply to the location /aifn/ysh/api/ that proxies the API at all.

3. Approach two: a map directive at http level (works)

http {
...omitted
    # 1. Allow-list of legitimate Origin values (regular expressions supported).
    #    A map regex is searched, not anchored, so write ^ and $ and escape the dots:
    #    an unanchored ~http://192.168.100.190:* would also accept
    #    http://192.168.100.190.evil.example, and an unescaped . matches any character.
    map $http_origin $allow_cors {
        default "";
        ""                                   "no-origin";    # no Origin header: same-origin GET, curl, plain navigation; not a cross-origin request
        "~^http://192\.168\.100\.190:8080$"  $http_origin;   # the service's own address
    }

    # 2. In the location that proxies the backend, reject every request whose Origin
    #    the map did not accept (return inside if is one of the safe uses of if)
        if ($allow_cors = "") {
            return 403;
        }

The map sets $allow_cors to the Origin value when it is on the allow-list and to an empty string otherwise, and the if block turns the empty string into a 403 before proxy_pass is reached. The "" entry is what keeps non-CORS traffic working: a browser sends no Origin header on a same-origin GET, and neither does curl or a plain navigation, so without that entry such requests would fall through to default and be rejected as well. If front-ends on other ports of the same host also need the API, add each of them as a further anchored entry rather than with a trailing :*.

The effect (the endpoint accepts only POST, so the HEAD request that curl -I sends gets a 405 from the upstream; the point is that the request went through, and that the Access-Control-Allow-Origin, Access-Control-Allow-Credentials and Vary headers below are the upstream's own, since this configuration adds none):

$ curl -H "Origin: http://192.168.100.190:8080" -I http://192.168.100.190:8080/aifn/ysh/api/api/public-service/statistics
HTTP/1.1 405
Server: nginx
Date: Tue, 29 Apr 2025 08:15:29 GMT
Content-Type: application/json
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://192.168.100.190:8080
Access-Control-Allow-Credentials: true
Allow: POST
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

With the scanner's Origin the request is rejected before it reaches the upstream:

$ curl -H "Origin: http://bogus.hcl.com" -I http://192.168.100.190:8080/aifn/ysh/api/api/public-service/statistics
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 29 Apr 2025 08:15:38 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
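Why the patterns are anchored with the dots escaped, and why a missing Origin header needs its own entry, is easiest to see by replaying the map. The following Python script is an added example, not code from the post: it reimplements how Nginx evaluates a map (string keys first, case-insensitively; then the ~ and ~* regexes in config order as an unanchored PCRE search, skipped for an empty value; default when nothing matched) and runs the post's original patterns and an anchored version against a handful of constructed Origin values. The evil.example and 192x168x100x190 hostnames are made up for the probe.

```python
import re
from typing import Optional

# Reimplementation of `map $http_origin $allow_cors { ... }` evaluation for
# demonstration purposes. Mirrored Nginx behaviour:
#   - plain string keys are tried first and compared case-insensitively
#     (Nginx lowercases both the key and the source value);
#   - keys starting with "~" are PCRE regexes tried in config order, "~*" makes
#     the regex case-insensitive, and the match is a search, so an unanchored
#     pattern matches anywhere inside the value;
#   - regexes are not tried for an empty source value; "default" applies when
#     nothing matched.
MapEntry = tuple[str, Optional[str]]   # (key, value); value None stands for $http_origin


def nginx_map(source: str, entries: list[MapEntry], default: str = "") -> str:
    """Return the value the map block assigns for `source`."""
    def resolve(value: Optional[str]) -> str:
        return source if value is None else value

    for key, value in entries:                      # exact string keys first
        if not key.startswith("~") and key.lower() == source.lower():
            return resolve(value)
    if source:                                      # then regexes, in order
        for key, value in entries:
            if not key.startswith("~"):
                continue
            flags = re.IGNORECASE if key.startswith("~*") else 0
            pattern = key[2:] if key.startswith("~*") else key[1:]
            if re.search(pattern, source, flags):
                return resolve(value)
    return default


# The map from approach two of the post, transcribed as originally written.
ORIGINAL_MAP: list[MapEntry] = [
    ("~*^http://192.168.100.190:8080$", None),
    ("~http://192.168.100.190:8080/*", None),
    ("~http://192.168.100.190:*", None),
    ("~*", ""),
]

# The same allow-list with the regex anchored and dots escaped, plus an explicit
# entry for requests that carry no Origin header at all (same-origin GET,
# curl, plain navigation): those are not cross-origin requests.
TIGHTENED_MAP: list[MapEntry] = [
    ("", "no-origin"),
    (r"~^http://192\.168\.100\.190:8080$", None),
]


def blocked(origin: str, entries: list[MapEntry]) -> bool:
    """Mirror `if ($allow_cors = "") { return 403; }` from the post."""
    return nginx_map(origin, entries) == ""


# Constructed Origin values to probe the allow-list with (hostnames invented).
PROBES = {
    "http://192.168.100.190:8080": "the application's own origin",
    "": "no Origin header (same-origin GET, curl, direct navigation)",
    "http://192.168.100.190.evil.example": "allowed origin used as a hostname prefix",
    "http://192x168x100x190:8080": "unescaped '.' matches any character (attacker-controlled DNS)",
    "http://bogus.hcl.com": "the scanner's probe",
    "null": "opaque origin (sandboxed iframe, file://)",
}


def decisions(entries: list[MapEntry]) -> dict[str, bool]:
    """Map each probe origin to True if Nginx would answer it with 403."""
    return {origin: blocked(origin, entries) for origin in PROBES}


if __name__ == "__main__":
    for origin, note in PROBES.items():
        shown = origin or "<no Origin header>"
        print(f"{shown:40} original={'403' if blocked(origin, ORIGINAL_MAP) else 'pass':4} "
              f"tightened={'403' if blocked(origin, TIGHTENED_MAP) else 'pass':4}  # {note}")
```

Run it and compare the two columns: the original patterns let both attacker-controlled hostnames through and reject the request that has no Origin header, while the anchored map does the opposite. The scanner's probe and Origin: null are rejected by both, which is the intended outcome.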

The complete configuration file:

user  nginx;  
worker_processes  auto;  
  
error_log  /var/log/nginx/error.log notice;  
pid        /var/run/nginx.pid;  
  
events {  
    worker_connections  1024;  
}

http {  
    include       /etc/nginx/mime.types;  
    default_type  application/octet-stream;  
  
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '  
                      '$status $body_bytes_sent "$http_referer" '  
                      '"$http_user_agent" "$http_x_forwarded_for"';  
  
    access_log  /var/log/nginx/access.log  main;  
  
    sendfile        on;  
    #tcp_nopush     on;  
  
    keepalive_timeout  65;  
    server_tokens off;  
  
    #include /etc/nginx/conf.d/*.conf;  
    # Allow-list of legitimate Origin values (regular expressions supported);  
    # anchored and with dots escaped so that only this exact origin matches  
    map $http_origin $allow_cors {  
        default "";  
        ""                                   "no-origin";    # no Origin header: not a cross-origin request, let it through  
        "~^http://192\.168\.100\.190:8080$"  $http_origin;   # the service's own address  
    }  
  
    server {  
    listen 80;  
    server_name localhost;  
      
    client_max_body_size 2048M;  
    server_tokens off;  
    #charset koi8-r;  
    access_log /var/log/nginx/host.access.log main;  
    error_log /var/log/nginx/error.log error;  
  
    #error_page 404 /404.html;  
  
    error_page 500 502 503 504 /50x.html;  
    location = /50x.html {  
        root /usr/share/nginx/html;  
    }  
  
    # Static front-end under /aifn/ysh (its own directory)  
    location   /aifn/ysh {  
        alias /usr/share/nginx/html/aiyshj/dist;  # map to the dist directory  
        index index.html index.htm;  
        try_files $uri $uri/ /aifn/ysh/index.html;  # fall back to the front-end's index.html; a URI under this location, so it resolves through the alias  
        # Cookie flags for proxied responses (keep only if this location proxies)  
        proxy_cookie_flags ~ secure samesite=lax httponly;  
    }  
  
    location /aifn/ysh/api/ {  
        # Reject cross-origin requests whose Origin is not on the allow-list before they reach the upstream  
        if ($allow_cors = ""){  
            return 403;  
        }  
        proxy_pass http://192.168.0.109:18092/api/;  
        proxy_set_header Host $host;  
        proxy_set_header X-Real-IP $remote_addr;  
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
        proxy_set_header X-Forwarded-Proto $scheme;  
    }  
  }  
}
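As an added example (not the configuration from the post), here is an alternative form of the API location that keeps the same allow-list but does not answer with 403. It hides the CORS headers the upstream emits with proxy_hide_header and lets Nginx issue Access-Control-Allow-Origin only when $allow_cors is non-empty; add_header silently skips a header whose value is empty, so a disallowed origin gets no CORS headers at all and the browser refuses the cross-origin read, while a request without an Origin header is simply proxied. This also makes a "" entry in the map unnecessary. The upstream address and the anchored map are the ones from the post; the allowed methods and headers, the Authorization header and the 600-second preflight cache are assumptions for the example.

```nginx
# Added example: Nginx owns the CORS headers instead of returning 403.
# Assumes the upstream and map from the post; methods/headers/max-age are
# placeholders to adjust for the real API.
map $http_origin $allow_cors {
    default "";
    "~^http://192\.168\.100\.190:8080$"  $http_origin;   # anchored, dots escaped
}

server {
    listen 80;
    server_name localhost;

    location /aifn/ysh/api/ {
        # Drop whatever CORS headers the upstream sends (it reflected any
        # Origin, which is what the scanner reported), so that Nginx is the
        # only source of these headers.
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;

        # Answer preflights here; the upstream never sees them. add_header
        # directives inside this if-block replace, not extend, the ones below,
        # so every header the preflight needs is listed. An unknown origin
        # yields an empty $allow_cors, and an empty add_header value is not sent.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $allow_cors;
            add_header Access-Control-Allow-Credentials "true";
            add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS";
            add_header Access-Control-Allow-Headers     "Content-Type, Authorization";
            add_header Access-Control-Max-Age           600;
            add_header Vary                             Origin;
            return 204;
        }

        # Actual requests: "always" keeps the headers on 4xx/5xx responses too,
        # otherwise a cross-origin caller could not read an error body.
        # Vary: Origin stops a cache from serving one origin's response to another.
        add_header Access-Control-Allow-Origin      $allow_cors always;
        add_header Access-Control-Allow-Credentials "true" always;
        add_header Vary                             Origin always;

        proxy_pass http://192.168.0.109:18092/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it the same way as above: curl -I -H "Origin: http://bogus.hcl.com" against the API should now show no Access-Control-Allow-Origin header at all, and the allowed origin should get its own value echoed back together with Vary: Origin. Drop the Access-Control-Allow-Credentials lines if the API is never called with cookies from the front-end origin.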

Source: "Nginx配置origin限制,修复CORS跨域漏洞", 清晨的技术博客, 51CTO博客. Author: stic9527. Syndicated via OpenWrite.