Местоположение изображения и сканер конфиденциальности

Image Location and Privacy Scanner

Пассивно сканирует местоположение GPS и другие данные, связанные с конфиденциальностью, на изображениях во время обычной оценки безопасности веб-сайтов. Сканер местоположения изображения и конфиденциальности (ILS) помогает в ситуациях, когда конечные пользователи могут публиковать изображения профилей и, возможно, выдавать свое домашнее местоположение, например. сайт знакомств или детский чат.

More information on this topic, including a white paper based on a real-world site audit given as a presentation at the New Jersey chapter of the OWASP organization, can be found at https://www.veggiespam.com/ils/.

This software scans images to find the GPS information inside of Exif tags, IPTC codes, and proprietary camera tags. Then, ILS flags the findings in the ZAP Alerts list as an information message. Аудитор должен определить, действительно ли обнаружение местоположения представляет угрозу безопасности в зависимости от контекста.

Sample Findings

Configure the web browser to proxy through ZAP and then browse to a few sample sites to see Alerts being raised:

• MetaData Extractor's SampleOutput page contains some good images. (Note: For some URLs, you need a GitHub session cookie)
  • iPhone 4 shows GPS data.
  • FujiFilm FinePix S1 Pro has embedded IPTC locations and keywords.
  • Panasonic DMC-TZ10 shows proprietary Panasonic MakerNote tags including city, state, country along with facial recognition information, like the name and age of the person in the picture. ZAP screenshot is shown below.
• This professional photographer utilizes Exif & IPTC data in many of the full-sized (non-thumbnail) photos: Raia.com

Usage Notes

• Before ZAP 2.7.x, you must manually enabled image scanning with: Tools → Options → Display → "Process images in the HTTP requests/responses" for ILS to function at all.
• By default, ZAP hides images in the history, but ILS stills scan these images for findings. If an alert is triggered, then the image and its alerts will appear in the Alerts tab but not in the History tab. To show images in the history, both with alerts and without, enable with "Process images in the HTTP" as above.
• If you have image processing completely disabled via Tools → Options → Network → Global Exclusions → Extension - Image (née Global Exclude URL), then any passive image scanner, like ILS, will be unable to see the images and report on privacy issues - thus disuse this feature with images so ILS can function.