OWASP Top 10 All rights reserved www keepcoding
- Slides: 87
OWASP Top 10 © All rights reserved. www. keepcoding. io
Entorno de práctica ● Web. Goat ○ http: //localhost: 8080/Web. Goat curl https: //raw. githubusercontent. com/Web. Goat/master/docker-compose. yml | docker-compose -f - up © All rights reserved. www. keepcoding. io
HTTP Proxies ● ● Burp Proxy Owasp ZAP Postman Insomnia © All rights reserved. www. keepcoding. io
Burp Suite © All rights reserved. www. keepcoding. io
Burp Suite © All rights reserved. www. keepcoding. io
Burp Suite ● Es necesario añadir el certificado de cara a poder interceptar tráfico HTTPS ● Permitir proxy en localhost © All rights reserved. www. keepcoding. io
A 1: 2017 - Injection ● Fallos que permiten inyección, como SQL, No. SQL, OS y LDAP ● Ocurren cuando un atacante consigue enviar datos que modifican una query o comando © All rights reserved. www. keepcoding. io
SQL Injection ● SQL injection consiste en modificar una consulta a través de una entrada ● Un ataque satisfactorio puede llevar: ○ Leer y modificar datos de la base de datos ○ Ejecutar tareas de administración en la base de datos ○ Tomar control de la máquina © All rights reserved. www. keepcoding. io https: //web. net/viaje. php? id=25
SQL Injection ● Forzar a True la consulta ● ‘ or ‘ 1’=’ 1 © All rights reserved. www. keepcoding. io
SQL Injection ● 1 or 1=1 ● Necesitamos dar un número © All rights reserved. www. keepcoding. io
SQL Injection ● El uso de union y join nos puede permitir obtener más información ● Control de errores ○ ‘ ○ Dave © All rights reserved. www. keepcoding. io
SQL Injection Carlos'; select * from user_system_data; -1. ‘: Cierre de consulta 2. User_system_data Tabla de usuarios 3. -- Comentario: Ignorar el resto de la query © All rights reserved. www. keepcoding. io
Blind SQL Injection ● El control de errores dificulta el ataque pero no lo hace inviable ● Se utilizan consultas con un resultado booleano ○ https: //my-shop. com? article=4 AND 1=1 ○ https: //my-shop. com? article=4 AND 1=2 ● Consultas basadas en tiempo ○ article = 4; sleep(10) -- © All rights reserved. www. keepcoding. io
SQLMap ● Herramienta open source que permite detectar y explotar inyecciones SQL https: //github. com/sqlmapproject/sqlmap © All rights reserved. www. keepcoding. io
SQL Injection - Solución ● Immutable Queries ○ select * from users where user = "'" + session. get. Attribute("User. ID") + "'"; ● Parameterized Queries ○ String query = "SELECT * FROM users WHERE last_name = ? "; Prepared. Statement statement = connection. prepare. Statement(query); statement. set. String(1, account. Name); Result. Set results = statement. execute. Query(); ● Stored procedures ● Uso de ORMs © All rights reserved. www. keepcoding. io
SQL Injection - Solución ● Validación de la entrada del usuario ○ Nunca debemos confiar en los datos proporcionados por el usuario ● Conectarse con los menores privilegios ○ Permisos de lectura/escritura ○ Limitar acceso a tablas © All rights reserved. www. keepcoding. io
SQL Injection - Solución ● Validación solo con JS © All rights reserved. www. keepcoding. io
A 2: 2017 - Broken Authentication Las funciones de autenticación y manejo de sesiones no están implementadas correctamente. Permiten a atacantes robar contraseñas, claves, tokens de sesión o explotar otros fallos ● Permite ataques de fuerza bruta ● Contraseñas débiles o conocidas © All rights reserved. www. keepcoding. io
2 FA Password Reset © All rights reserved. www. keepcoding. io
2 FA Password Reset © All rights reserved. www. keepcoding. io
JSON Web Tokens (JWT) Muchas aplicaciones usan JSON Web Tokens para la sesión de un usuario © All rights reserved. www. keepcoding. io
JSON Web Tokens (JWT) © All rights reserved. www. keepcoding. io
JSON Web Tokens (JWT) access_token=ey. Jhb. Gci. Oi. JIUz. Ux. Mi. J 9. ey. Jp. YXQi. Oj. E 1 NDQ 0 NDI 3 Nj. Is. Im. F kb. Wlu. Ijoi. Zm. Fsc 2 Ui. LCJ 1 c 2 Vy. Ijoi. VG 9 t. In 0. dl. ND 2 zn. OLLUJCv_226 r 9 e. RQ Q 1 tb. Fb. D 6 nm_eq 5 j. FABNa. NJre_5 XI 3 Yi. Mdu 8 vh. G 68 Pgn 9_Ht_Pt. Pao_Pu. H GJd. HKA; JSESSIONID=AC 1 B 89 B 44 E 4748 E 65 D 41 A 7288 A 7 DEEF 7 1. ey. Jhb. Gci. Oi. JIUz. Ux. Mi. J 9 2. ey. Jp. YXQi. Oj. E 1 NDQ 0 NDI 3 Nj. Is. Im. Fkb. Wlu. Ijoi. Zm. Fsc 2 Ui. LCJ 1 c 2 Vy. Ijoi. VG 9 t. In 0 3. dl. ND 2 zn. OLLUJCv_226 r 9 e. RQQ 1 tb. Fb. D 6 nm_eq 5 j. FABNa. NJre_5 XI 3 Yi. M du 8 vh. G 68 Pgn 9_Ht_Pt. Pao_Pu. HGJd. HKA © All rights reserved. www. keepcoding. io
JSON Web Tokens (JWT) 1. ey. Jhb. Gci. Oi. JIUz. Ux. Mi. J 9 a. {"alg": "HS 512"} 2. ey. Jp. YXQi. Oj. E 1 NDQ 0 NDI 3 Nj. Is. Im. Fkb. Wlu. Ijoi. Zm. Fsc 2 Ui. LCJ 1 c 2 Vy. I joi. VG 9 t. In 0 a. {"iat": 1544442762, "admin": "false", "user": "Tom”} 3. dl. ND 2 zn. OLLUJCv_226 r 9 e. RQQ 1 tb. Fb. D 6 nm_eq 5 j. FABNa. NJre_5 XI 3 Yi. Mdu 8 vh. G 68 Pgn 9_Ht_Pt. Pao_Pu. HGJd. HKA © All rights reserved. www. keepcoding. io
JSON Web Tokens (JWT) © All rights reserved. www. keepcoding. io
JSON Web Tokens (JWT) © All rights reserved. www. keepcoding. io
JWT cracking ey. Jhb. Gci. Oi. JIUz. I 1 Ni. Is. In. R 5 c. CI 6 Ikp. XVCJ 9. ey. Jpc 3 Mi. Oi. JXZWJHb 2 F 0 I FRva 2 Vu. IEJ 1 a. Wxk. ZXIi. LCJp. YXQi. Oj. E 1 Mj. Qy. MTA 5 MDQs. Im. V 4 c. CI 6 M TYx. ODkw. NTMw. NCwi. YXVk. Ijoid 2 Vi. Z 29 hd. C 5 vcmci. LCJzd. WIi. Oi. J 0 b 21 Ad 2 Vi. Z 29 hd. C 5 jb 20 i. LCJ 1 c 2 Vybm. Ft. ZSI 6 Il. Rvb. SIs. Ik. Vt. YWls. Ijoid. G 9 t. Q Hdl. Ymdv. YXQu. Y 29 t. Iiwi. Um 9 s. ZSI 6 Wy. JNYW 5 h. Z 2 Vy. Iiwi. UHJvam. Vjd. C BBZG 1 pbmlzd. HJhd. G 9 y. Il 19. v. Peq. QPOt 78 z. K 8 wrb. N 1 Tj. NJj 3 Le. X 9 Qbch 6 oo 23 RUJg. M © All rights reserved. www. keepcoding. io
JWT cracking ● {"alg": "HS 256", "typ": "JWT"} ● {"iss": "Web. Goat Token Builder", "iat": 1524210904, "exp": 1618905304, "aud": "webgoat. org ", "sub": "tom@webgoat. com", "username": "Tom", "Email": "tom@w ebgoat. com", "Role": ["Manager", "Project Administrator"]} ● bcf 7 bea 903 ceb 7 bf 332 bcc 2 b 6 cdd 538 cd 263 dcb 797 f 506 dc 87 aa 2 8 db 74542603 © All rights reserved. www. keepcoding. io
JWT cracking ● {"alg": "HS 256", "typ": "JWT"} ● {"iss": "Web. Goat Token Builder", "iat": 1524210904, "exp": 1618905304, "aud": "webgoat. org ", "sub": "tom@webgoat. com", "username": "Web. Goat", "Email": "to m@webgoat. com", "Role": ["Manager", "Project Administrator"]} ● bcf 7 bea 903 ceb 7 bf 332 bcc 2 b 6 cdd 538 cd 263 dcb 797 f 506 dc 87 aa 2 8 db 74542603 © All rights reserved. www. keepcoding. io
JWT cracking ● {"alg": "HS 256", "typ": "JWT"} ● {"iss": "Web. Goat Token Builder", "iat": 1524210904, "exp": 1618905304, "aud": "webgoat. org ", "sub": "tom@webgoat. com", "username": "Web. Goat", "Email": "to m@webgoat. com", "Role": ["Manager", "Project Administrator"]} ● 8 f 74 ccb 13 f 936 bb 1 b 055 f 36 edf 2 ef 85245049 bcef 9 b 600 cf 20 cd 14 c 8 a 314 a 7 da © All rights reserved. www. keepcoding. io
¿Usar JWT? ● Su uso es muy cuestionado a la hora de establecer sesiones de usuario ● Sin embargo, bien implementado, es un buen protocolo para comunicación entre servidores © All rights reserved. www. keepcoding. io
A 3 -Sensitive Data Exposure Muchas aplicaciones y APIs no tratan correctamente datos sensibles, como datos financieros o contraseñas. Comunicación de datos sensibles sin cifrado ● ¿Hay datos transmitidos en claro? HTTP, SMTP, FTP ● Uso de algoritmos criptográficos antiguos como MD 5 ● No se fuerza el uso de comunicación cifrada © All rights reserved. www. keepcoding. io
Insecure Login © All rights reserved. www. keepcoding. io
A 4 -XML External Entities (XXE) ● Muchos parseadores de XML antiguos o mal configurados permiten utilizar entidad externas en documentos XML ● Esto puede ser utilizado para mostrar archivos internos, escanear puertos, ejecutar código remotamente y denegación de servicio © All rights reserved. www. keepcoding. io
XXE ● XML, e. Xtensible Markup Language, lanzamiento en 1998 ● XML Entity © All rights reserved. www. keepcoding. io
XXE © All rights reserved. www. keepcoding. io
CSRF - Cross-Site Request Forgery ● Ataque contra usuarios autenticados ● Forzar a un usuario a realizar una acción http: //example. com/transfer? amount=1000000&account=User <img src="http: //example. com/transfer? amount=1000000&account=Fred" /> © All rights reserved. www. keepcoding. io
CSRF © All rights reserved. www. keepcoding. io
CSRF © All rights reserved. www. keepcoding. io
CSRF ● http: //localhost: 8080/Web. Goat/csrf/basic-getflag? csrf=true&submit=Submit+Query ● El token CSRF debe variar en cada petición © All rights reserved. www. keepcoding. io
CSRF © All rights reserved. www. keepcoding. io
CSRF <html> <form action=http: //localhost: 8080/Web. Goat/csrf/review method=post enctype='application/x-www-form-urlencoded; charset=UTF-8'> <input name='review. Text' value='perfecto' type='hidden'> <input name='stars' value='5' type='hidden'> <input name='validate. Req' value='2 aa 14227 b 9 a 13 d 0 bede 0388 a 7 fba 9 aa 9' type='hidden'> <input type=submit value="Submit"> </form> </html> © All rights reserved. www. keepcoding. io
CSRF y content-type ● Muchas APIs solo admiten application/json como content-type ● No es una solución válida para protegerse contra ataques CSRF © All rights reserved. www. keepcoding. io
CSRF y content-type <html> <form action=http: //localhost: 8080/Web. Goat/csrf/feedback/message method=post enctype="text/plain"> <input name='{"name": "Webgoat", "email": "webgoat@webgoat. org", "conte nt": "Claro", "ignore": "' value='test"}' type='hidden'> <input type=submit value="Submit"> </form> </html> © All rights reserved. www. keepcoding. io
A 5: 2017 -Broken Access Control ● Las restricciones acerca de lo que puede hacer y no hacer un usuario autenticado muchas veces no se encuentran bien configuradas ● Un atacante puede acceder a sitios o funciones a las que no está autorizado: acceder cuentas de otros usuarios, ver archivos privados, modificar datos, cambiar permisos, etc © All rights reserved. www. keepcoding. io
Access Control Flaws ● Direct Object References ○ https: //some. company. tld/dor? id=12345 ○ https: //some. company. tld/images? img=12345 ○ https: //some. company. tld/dor/12345 1. https: //some. company. tld/app/user/23398 2. https: //some. company. tld/app/user/23399 © All rights reserved. www. keepcoding. io
Access Control Flaws © All rights reserved. www. keepcoding. io
Access Control Flaws © All rights reserved. www. keepcoding. io
Access Control Flaws ● Testear el servicio REST ● Descubrir rutas para ver nuestro propio perfil © All rights reserved. www. keepcoding. io
Access Control Flaws IDOR/profile/{user. Id} user. Id: 2342384 © All rights reserved. www. keepcoding. io
Access Control Flaws IDOR/profile/{user. Id} user. Id: 2342384 Web. Goat/IDOR/profile/234284 © All rights reserved. www. keepcoding. io
Access Control Flaws ● Enumeración de usuarios © All rights reserved. www. keepcoding. io
Access Control Flaws ● Enumeración de usuarios © All rights reserved. www. keepcoding. io
Access Control Flaws ● Enumeración de usuarios http: //pro 2. wallapop. com/shnm-portlet/api/v 1/user. json/{user. Id} © All rights reserved. www. keepcoding. io
Access Control Flaws ● Modificar datos de usuarios ○ /Web. Goat/IDOR/profile/{profile. Id} © All rights reserved. www. keepcoding. io
Access Control Flaws PUT /Web. Goat/IDOR/profile/2342388 HTTP/1. 1 Host: localhost: 8080 User-Agent: Mozilla/5. 0 (X 11; Ubuntu; Linux x 86_64; rv: 63. 0) Gecko/20100101 Firefox/63. 0 Accept: */* Accept-Language: en-US, en-GB; q=0. 7, en; q=0. 3 Accept-Encoding: gzip, deflate Referer: http: //localhost: 8080/Web. Goat/start. mvc Content-Type: application/json X-Requested-With: XMLHttp. Request Connection: close Cookie: JSESSIONID=4 DDD 52929520172 A 5 B 5 ACC 2 CC 80191 D 2 {"user. Id": "2342388", "role": "1", "color": "red"} © All rights reserved. www. keepcoding. io
Missing Function Level Access Control ● Es un error confiar que ocultar elementos nos va a proteger ● No podemos confiar en el front de cara ocultar elementos © All rights reserved. www. keepcoding. io
Missing Function Level Access Control ●. hidden-menu-item ● Podemos mostrar los elementos ocultos © All rights reserved. www. keepcoding. io
Fuzzing ● Fuzzing es una técnica de pruebas de software, a menudo automatizado o semiautomatizado, que implica proporcionar datos inválidos, inesperados o aleatorios a las entradas de un programa © All rights reserved. www. keepcoding. io
Fuzzing © All rights reserved. www. keepcoding. io
Missing Function Level Access Control ● Testear control de usuarios ● http: //localhost: 8080/Web. Goat/users © All rights reserved. www. keepcoding. io
Missing Function Level Access Control GET /Web. Goat/users HTTP/1. 1 Host: localhost: 8080 User-Agent: Mozilla/5. 0 (X 11; Linux x 86_64; rv: 52. 0) Gecko/20100101 Firefox/52. 0 Accept: application/json Content-Type: application/json ; charset=UTF-8 Accept-Language: en-US, en; q=0. 5 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=A 6 BBAEF 6 CAD 56184 ACDF 870 C 21 FEF 94 C Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 2 © All rights reserved. www. keepcoding. io
A 6 -Security Misconfiguration Configuración errónea es la causa más común. Configuraciones inseguras por defecto, incompletas, almacenamientos en la nube abiertos, configuración errónea de cabeceras HTTP y mensajes de error con información sensible. Aparte de configurar adecuadamente cada pieza de software es necesario mantenerlo actualizado. © All rights reserved. www. keepcoding. io
Patreon Hacked © All rights reserved. www. keepcoding. io
Debug True ● Tras producirse un error se abre una consola ○ RCE - Remote code execution © All rights reserved. www. keepcoding. io
A 7: 2017 -Cross-Site Scripting (XSS) ● XSS ocurre cuando una aplicación incluye datos en una web sin validación o escape ● XSS permite a los atacantes inyectar HTML o Java. Script en una página web ● Robar sesiones ● Deface de webs ● Redirigir a una web maliciosa © All rights reserved. www. keepcoding. io
XSS javascript: alert("XSS Test"); javascript: alert(document. cookie); <script>alert("XSS Test")</script> ● Misma document. cookie en distintas pestañas © All rights reserved. www. keepcoding. io
XSS © All rights reserved. www. keepcoding. io
XSS tipos ● Reflejado: Contenido malicioso es inyectado en la página realizando una petición concreta ○ DOM-based ○ some. com/page. html? default=<script>alert(document. cookie )</script> ● Persistente: Código malicioso es persistente en el servidor © All rights reserved. www. keepcoding. io
XSS © All rights reserved. www. keepcoding. io
XSS © All rights reserved. www. keepcoding. io
XSS <script>alert('Alpha Security')</script> © All rights reserved. www. keepcoding. io
XSS © All rights reserved. www. keepcoding. io
XSS /Web. Goat/start. mvc#test/<script>webgoat. customjs. phone. Home(); < %2 Fscript> ● Caracteres especiales necesitan ser encodeados ● %2 F © All rights reserved. www. keepcoding. io
XSS Stored ● Buscamos crear un comentario que ejecute webgoat. customjs. phone. Home © All rights reserved. www. keepcoding. io
XSS Stored <embed src="javascript: webgoat. customjs. phone. Home(); "> ● Chrome incorpora protecciones frente a XSS © All rights reserved. www. keepcoding. io
XSS Soluciones ● Output encoding ● https: //www. owasp. org/index. php/OWASP_Java_Encoder_Project © All rights reserved. www. keepcoding. io
A 8: 2017 -Insecure Deserialization ● La deserialización insegura de componentes puede llevar a la ejecución de código ○ Serialización es traducir estructuras u objetos a un formato que puede ser guardado ● Ejemplos: ○ https: //docs. python. org/2/library/pickle. html ○ PHP Serialization © All rights reserved. www. keepcoding. io
A 8: 2017 -Insecure Deserialization Al deserializar se ejecuta el método read. Object de la clase © All rights reserved. www. keepcoding. io
A 8: 2017 -Insecure Deserialization © All rights reserved. www. keepcoding. io
A 8: 2017 -Insecure Deserialization ● Aunque es bastante complicado encontrar un componente que deserializado haga algo dañino para el sistema, se pueden encadenar deserializaciones que sí que lo hagan © All rights reserved. www. keepcoding. io
A 8: 2017 -Insecure Deserialization https: //github. com/frohoff/ysoserial © All rights reserved. www. keepcoding. io
A 8: 2017 -Insecure Deserialization ● Usar serializador sólo si es imprescindible ● Sólo deserializar datos de fuentes confiables ○ La mayor parte de las veces, sólo nosotros somos una fuente confiable © All rights reserved. www. keepcoding. io
A 9: 2017 -Using Components with Known Vulnerabilities ● Utilizar componentes con vulnerabilidades conocidas ● Recomendable mirar siempre ○ https: //www. cvedetails. com/ ● Ejemplos: ○ Apache Struts 2 ■ https: //cve. mitre. org/cgi-bin/cvename. cgi? name=CVE 2017 -5638 ○ Wordpress 4. 9. 2 ■ https: //cve. mitre. org/cgi-bin/cvename. cgi? name=CVE 2018 -6389 © All rights reserved. www. keepcoding. io
A 9: 2017 -Using Components with Known Vulnerabilities © All rights reserved. www. keepcoding. io
A 9: 2017 -Using Components with Known Vulnerabilities ● CVE-2013 -7285 ○ https: //github. com/Web. Goat/blob/4 d 7 d 0058 c 3 ba 0 b 4 e 542 ed 7 e 964 ee 1056207 b 7 a 08/webgoatlessons/vulnerablecomponents/src/main/java/org/owasp/webgoat/plugin/Vulner able. Components. Lesson. java © All rights reserved. www. keepcoding. io
A 10: 2017 -Insufficient Logging & Monitoring ● ● Es necesario mantener logs y que estén monitorizados Permiten una respuesta a incidentes (DFIR) Digital Forensics and Incident Response Detectar ataques de forma temprana © All rights reserved. www. keepcoding. io
- All rights reserved example
- Copyright 2015 all rights reserved
- All rights reserved sentence
- Creative commons vs all rights reserved
- Confidential all rights reserved
- Sentinel repetition
- Copyright 2015 all rights reserved
- 2012 pearson education inc
- Microsoft corporation. all rights reserved.
- Microsoft corporation. all rights reserved.
- Microsoft corporation. all rights reserved
- Pearson education inc. all rights reserved
- Dell all rights reserved copyright 2009
- Warning all rights reserved
- Siprop
- Quadratic equation cengage
- Warning all rights reserved
- Confidential all rights reserved
- Microsoft corporation. all rights reserved
- 2010 pearson education inc
- Copyright © 2018 all rights reserved
- 2017 all rights reserved
- Pearson education inc all rights reserved
- 2010 pearson education inc
- Confidential all rights reserved
- Confidential all rights reserved
- Missing function level access control example
- R rights reserved
- Rights reserved
- Buffer overflow owasp
- 7/10/2010
- Owasp top 10 2013
- Owasp top ten 2016
- Owasp top 10 2010
- Owasp top ten mobile
- Owasp top 10 2012
- Owasp cloud top 10
- Owasp top 10 privacy risks
- Owasp top ten most critical web application vulnerabilities
- Owasp
- Www.app inject.top
- Negative rights vs positive rights
- Define littoral rights
- Duty towards self
- Legal rights and moral rights
- Negative rights vs positive rights
- Negative rights vs positive rights
- Positive rights vs negative rights
- Negative right
- Name three lines
- Stupidest quotes of all time
- In 1929 the top 5 percent of all american households
- What are delegated reserved and concurrent powers
- Reserved powers definition
- Reserved power
- Mpls label operations
- Although frieda is typically very reserved as
- Find the names of sailors who have reserved a red boat
- Reserved addresses
- Inherent powers
- Example of concurrent powers
- In a banyan switch micro switch
- Space reserved
- Find the colors of boats reserved by lubber
- Reserved mark
- The galenical prepared by extraction
- Space reserved
- Reserved power
- Reserved
- Reserved material
- Reserved mark
- Reserved mark
- Reserved mark
- Pizza mark
- Reserved mark
- Reserved mark
- Reserved mark
- Reserved mark
- Asvs levels
- Security misconfiguration cwe
- Owasp a1 injection
- Owasp dragon
- Penetration testing methodology owasp
- Owasp foundation
- Owasp clasp
- Owasp denver
- Owasp broken web application
- Owasp belgium