Recommended vulnerability categories
We treat all reports with high priority and investigate all issues directly with the reporter as quickly as possible. When you make a report, please do so in English via firstname.lastname@example.org and include the following information:
- Target – the ESET server identified by IP address, hostname, URL and so forth, or the ESET product, including its version number (see our KnowledgeBase article to determine the version number)
- Type of issue – the type of vulnerability (e.g. according to OWASP, such as cross-site scripting, buffer overflow, SQL injection, etc.) and include a general description of the vulnerability.
- Proof-of-concept and/or URL demonstrating the vulnerability – a demonstration of the vulnerability that shows how it works. Examples include:
● URL containing payload – e.g. XSS in GET request parameters
● Link to general checker – e.g. SSL vulnerabilities
● Video – generally usable (if uploading to a streaming service, please mark it as private)
● Log file from ESET SysInspector (see how to create ESET SysInspector log) or Microsoft Problem Steps Recorder (see how to use Problem Steps Recorder), if applicable
● Please provide as detailed a description as you can, or send us a combination of any of the previous choices.
We warmly welcome any recommendations on how to fix the vulnerability, if applicable.
To encrypt email sent to ESET, use our PGP public key:
Out-of-scope vulnerabilities
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HttpOnly flags on non-sensitive cookies.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled
- Username / email enumeration
● via Login Page error message
● via Forgot Password error message
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
● Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- SSL Issues, e.g.
● SSL Attacks such as BEAST, BREACH, Renegotiation attack
● SSL Forward secrecy not enabled
● SSL weak / insecure cipher suites
- Banner disclosure on common/public services
- Self-XSS and issues exploitable only through Self-XSS
- Findings derived primarily from social engineering (e.g. phishing, vishing, smishing)
- DLL injection in ESET installers
- No SSL on update/download servers
ESET is a strong believer in, as well as a practitioner of, the responsible disclosure process and publicly credits security vulnerability reporters for their efforts if they do not wish to remain anonymous.