Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
This weakness covers three distinct situations: Missing a protection mechanism, using a faulty protection mechanism, or incorrectly applying a protection mechanism. A missing protection mechanism occurs when the application does not defend against a specific attack. A faulty protection mechanism occurs when the application does defend against a specific attack, but the protection mechanism is not implemented correctly.
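The three situations above map directly onto the header-based fixes this page lists. The following is an added example, not Shoulder's code nor any framework's: it classifies a response's protection headers as missing, faulty or correct, and reproduces the "incorrectly applied" case with a constructed Express-style dispatcher in which a headers middleware registered after the route never runs. The header names and values are taken from the fixes on this page; the `EXPECTED` table, `createApp()`, `buildApp()` and the sample header sets are assumptions of this example.

```javascript
'use strict';
// Added example (not Shoulder's code or any framework's): classify a
// response's protection headers into the failure modes the CWE text
// describes, and show the "incorrectly applied" case via middleware ordering.
// EXPECTED, createApp() and buildApp() are assumptions of this example.

// Accepted values per header (lower case). null = any non-empty value, but a
// Content-Security-Policy whose default-src allows "*" is counted as faulty.
const EXPECTED = {
  'x-frame-options': ['deny', 'sameorigin'],
  'x-content-type-options': ['nosniff'],
  'content-security-policy': null,
};

// Lower-case header names and trim values so the comparison is case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns { missing, faulty, ok } lists of header names:
//   missing -> the mechanism is absent   ("missing protection mechanism")
//   faulty  -> present but not protective ("faulty protection mechanism")
function auditSecurityHeaders(headers) {
  const h = normalize(headers);
  const report = { missing: [], faulty: [], ok: [] };
  for (const [name, accepted] of Object.entries(EXPECTED)) {
    if (!(name in h) || h[name] === '') {
      report.missing.push(name);
      continue;
    }
    const value = h[name].toLowerCase();
    const bad = accepted === null
      ? /(?:^|;)\s*default-src[^;]*\*/.test(value)
      : !accepted.includes(value);
    (bad ? report.faulty : report.ok).push(name);
  }
  return report;
}

// Minimal Express-like dispatcher (constructed here): layers run in
// registration order, and a route handler that responds ends the chain.
function createApp() {
  const layers = [];
  return {
    use(fn) { layers.push({ path: null, fn }); },
    get(path, fn) { layers.push({ path, fn }); },
    handle(path) {
      const res = {
        headers: {},
        body: null,
        set(name, value) { this.headers[name] = value; },
        send(body) { this.body = body; },
      };
      let i = 0;
      const next = () => {
        while (i < layers.length) {
          const layer = layers[i++];
          if (layer.path === null) return layer.fn(res, next); // middleware
          if (layer.path === path) return layer.fn(res);       // matching route
        }
        return undefined;
      };
      next();
      return res;
    },
  };
}

// The header middleware from the page's fixes, in this dispatcher's shape.
function securityHeaders(res, next) {
  res.set('X-Frame-Options', 'DENY');
  res.set('X-Content-Type-Options', 'nosniff');
  res.set('Content-Security-Policy', "default-src 'self'");
  next();
}

// middlewareFirst=false reproduces the "incorrectly applied" case: the
// mechanism exists but is registered after the route, so it never runs.
function buildApp(middlewareFirst) {
  const app = createApp();
  if (middlewareFirst) app.use(securityHeaders);
  app.get('/', (res) => res.send('<h1>Hello</h1>'));
  if (!middlewareFirst) app.use(securityHeaders);
  return app;
}

function demo() {
  console.log('correct order  :', auditSecurityHeaders(buildApp(true).handle('/').headers));
  console.log('middleware late:', auditSecurityHeaders(buildApp(false).handle('/').headers));
  // Constructed response that sets the headers but with non-protective values.
  console.log('faulty values  :', auditSecurityHeaders({
    'X-Frame-Options': 'ALLOWALL',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': 'default-src *',
  }));
}
demo();
```

Run it with `node` to see the three reports side by side: the correctly ordered app passes all three checks, the late-registered middleware produces three "missing" entries even though the code for it is present, and the third case shows headers that exist but do not protect.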
How to fix this vulnerability
Prevention strategies for Protection Mechanism Failure, based on 8 Shoulder detection rules.
Add a HEALTHCHECK instruction to enable container health monitoring
FROM node:24-alpine WORKDIR /app COPY . . EXPOSE 3000 + HEALTHCHECK --interval=30s --timeout=10s --retries=3 \ + CMD curl -f http://localhost:3000/health || exit 1 CMD ["node", "server.js"]
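Review bot: the added `HEALTHCHECK` shells out to `curl`, but `node:24-alpine` does not ship curl, so the probe fails on every interval and the container is reported unhealthy whatever the app's state. Either install it (`RUN apk add --no-cache curl`) before the `HEALTHCHECK`, or use something already in the image, e.g. `CMD wget -qO- http://localhost:3000/health || exit 1` (BusyBox wget) or a small `node -e` probe. A `--start-period` is also worth adding so a slow boot is not counted against `--retries=3`.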
Add security headers middleware to Chi router
package main import ( "net/http" "github.com/go-chi/chi/v5" ) - func main() { - r := chi.NewRouter() + func securityHeaders(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("X-Frame-Options", "DENY") + w.Header().Set("X-Content-Type-Options", "nosniff") + w.Header().Set("X-XSS-Protection", "1; mode=block") + next.ServeHTTP(w, r) + }) + } + + func main() { + r := chi.NewRouter() + r.Use(securityHeaders) r.Get("/", homeHandler) http.ListenAndServe(":8080", r) }
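Review bot: the `w.Header().Set("X-XSS-Protection", "1; mode=block")` line enables a legacy browser filter that current browsers ignore and that OWASP now recommends setting to `0` because the filter itself caused problems; drop it and add a `Content-Security-Policy` header instead, which this middleware does not set. Separately, `http.ListenAndServe(":8080", r)` discards its error; `log.Fatal(http.ListenAndServe(":8080", r))` keeps a failed bind from being silent.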
Add Echo Secure middleware to set security HTTP headers
package main - import "github.com/labstack/echo/v4" - - func main() { - e := echo.New() + import ( + "github.com/labstack/echo/v4" + "github.com/labstack/echo/v4/middleware" + ) + + func main() { + e := echo.New() + e.Use(middleware.SecureWithConfig(middleware.SecureConfig{ + XFrameOptions: "DENY", + ContentTypeNosniff: "nosniff", + XSSProtection: "1; mode=block", + ContentSecurityPolicy: "default-src 'self'", + })) e.GET("/", homeHandler) e.Start(":8080") }
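Review bot: the `ContentSecurityPolicy: "default-src 'self'"` line blocks inline scripts and styles and every third-party origin, so check the app's templates before merging or add the directives they need; the config also leaves HSTS off (`HSTSMaxAge` unset), which should be enabled when the service is behind TLS. `e.Start(":8080")` returns an error that the snippet drops; Echo's usual form is `e.Logger.Fatal(e.Start(":8080"))`.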
Add Fiber Helmet middleware to set security HTTP headers
package main - import "github.com/gofiber/fiber/v2" - - func main() { - app := fiber.New() + import ( + "github.com/gofiber/fiber/v2" + "github.com/gofiber/fiber/v2/middleware/helmet" + ) + + func main() { + app := fiber.New() + app.Use(helmet.New()) app.Get("/", homeHandler) app.Listen(":3000") }
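Review bot: `app.Use(helmet.New())` relies on the middleware's defaults, which the hunk does not show; the defaults send no `Content-Security-Policy` and no `Strict-Transport-Security`, so pass a `helmet.Config{...}` with `ContentSecurityPolicy` (and `HSTSMaxAge` behind TLS) if the rule expects those headers. `app.Listen(":3000")` also returns an error that is discarded; `log.Fatal(app.Listen(":3000"))` is the usual form.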
Add Helmet middleware to set security headers automatically
const express = require('express'); - const app = express(); + const helmet = require('helmet'); + const app = express(); + + app.use(helmet()); app.get('/', (req, res) => { res.send('<h1>Hello</h1>'); });
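Review bot: `app.use(helmet())` is correctly placed before `app.get('/')`, since Express runs middleware in registration order and a later `use` would leave the route unprotected. Note that helmet's default `Content-Security-Policy` forbids inline scripts and non-self origins, so pages that rely on inline `<script>` or CDN assets will break; set `contentSecurityPolicy.directives` deliberately rather than disabling the policy.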
Find vulnerabilities in your code
Scan your code for Protection Mechanism Failure patterns with Shoulder. 8 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=693
# Or scan the entire project
npx @shoulderdev/cli trust .
Detection rules (8)
What to look for in code review
These patterns indicate potential Protection Mechanism Failure vulnerabilities. Look for them during code review and security audits.