Security Hack: personal site of Ariel M. Liguori de Gottig<br /><br />
<h2>Broken Authentication attack</h2>
Published 2009-01-15<br /><br />
One of the most common and critical mistakes in web programming happens when designing user access structures, commonly known as "login pages". This is where sensitive information is entered; it is the door into the site we want to breach, and a way to get in without anyone noticing.<br />
Despite its criticality, attacks exploiting Broken Authentication are frequent, as OWASP confirms by placing it at number 7 in its Top 10.<br /><br />
What can we do about it? First, understand what it consists of.<br /><br />
A broken authentication attack relies on flaws in the protection mechanisms of a given page which, being vulnerable by definition, follows bad habits in managing access to a particular area. Such flaws may be the use of GET instead of POST, not using SSL, not encrypting session IDs, accepting (and treating as valid) parameters malformed by an attacker, and so on.<br /><br />
<a href="http://www.acunetix.com/blog/how-to/tutorial-on-how-to-test-for-broken-authentication-using-acunetix-wvs-tools/">Here is a video</a> with an example of how a Broken Authentication vulnerability is exploited (it is no coincidence that I have this file here and now: watching it inspired this post).<br /><br />
How do we prevent it? Let's read what those who know recommend.
<a href="http://www.owasp.org/index.php/Broken_Authentication_and_Session_Management#How_to_Protect_Yourself">Link to the OWASP recommendations.</a><br /><br />Regards,<br /><br />
<h2>Top 10 web vulnerabilities</h2>
Published 2008-11-28<br /><br />
Browsing the OWASP site I came across <a href="http://www.owasp.org/index.php/Top_10_2007">this</a> (note: it is the 2007 edition; I expect the 2008 one to be published any day now). Incredible: it really is an analysis that should surprise us and, at the same time, give us the jolt we need to understand once and for all that there are habits to get used to, measures waiting to be adopted and, above all, a conscience that will not rest easy after seeing this :-)<br /><br />
The list is below:<span id="fullpost"><br />
<table border="1" cellpadding="2">
<tbody>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A1" title="Top 10 2007-A1">A1 - Cross Site Scripting (XSS)</a></td><td>XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A2" title="Top 10 2007-A2">A2 - Injection Flaws</a></td><td>Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A3" title="Top 10 2007-A3">A3 - Malicious File Execution</a></td><td>Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A4" title="Top 10 2007-A4">A4 - Insecure Direct Object Reference</a></td><td>A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A5" title="Top 10 2007-A5">A5 - Cross Site Request Forgery (CSRF)</a></td><td>A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A6" title="Top 10 2007-A6">A6 - Information Leakage and Improper Error Handling</a></td><td>Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A7" title="Top 10 2007-A7">A7 - Broken Authentication and Session Management</a></td><td>Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A8" title="Top 10 2007-A8">A8 - Insecure Cryptographic Storage</a></td><td>Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A9" title="Top 10 2007-A9">A9 - Insecure Communications</a></td><td>Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.</td></tr>
<tr><td><a href="http://www.owasp.org/index.php/Top_10_2007-A10" title="Top 10 2007-A10">A10 - Failure to Restrict URL Access</a></td><td>Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.</td></tr>
</tbody>
</table></span>
<h2>Key concepts</h2>
Published 2008-11-27<br /><br />
It is vitally important to be familiar with certain aspects encountered day to day in the field of information security.
If we work in this field, we cannot ignore the following concepts and all the variants and implications they carry:<br /><br />
<a href="https://www.owasp.org/index.php/Category:Attack">Attack</a><br />
<a href="https://www.owasp.org/index.php/Category:Vulnerability">Vulnerabilities</a><br />
<a href="https://www.owasp.org/index.php/Category:Control">Control</a><br />
<a href="https://www.owasp.org/index.php/Category:Threat_Agent">Threat Agent</a><br /><br />
Some interesting links:<br />
<ul>
<li><a href="http://web.mit.edu/Saltzer/www/publications/protection/Basic.html" class="external text" title="http://web.mit.edu/Saltzer/www/publications/protection/Basic.html" rel="nofollow">Saltzer and Schroeder</a> (see section 3)</li>
<li><a href="http://www.emergentchaos.com/starwars.html" class="external text" title="http://www.emergentchaos.com/starwars.html" rel="nofollow">Saltzer and Schroeder Applied to <i>Star Wars</i></a></li>
<li><a href="http://www.ranum.com/security/computer_security/editorials/dumb/index.html" class="external text" title="http://www.ranum.com/security/computer_security/editorials/dumb/index.html" rel="nofollow">The Six Dumbest Ideas in Computer Security</a></li>
<li><a href="http://news.com.com/2008-1082-276319.html" class="external text" title="http://news.com.com/2008-1082-276319.html" rel="nofollow">Gary McGraw's 10 steps to secure software</a></li>
<li><a href="https://www.owasp.org/index.php/OWASP_Guide_Project" title="OWASP Guide Project">OWASP Development Guide Project</a></li>
<li><a href="http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf" class="external text" title="http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf" rel="nofollow">Engineering Principles for Information Technology Security (EP-ITS), by Gary Stoneburner, Clark Hayden, and Alexis, NIST Special Publication (SP) 800-27 (PDF)</a></li>
<li><a href="http://www.developer.com/java/data/article.php/10932_3667601_1" class="external text" title="http://www.developer.com/java/data/article.php/10932_3667601_1" rel="nofollow">Secure Design Principles</a> from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern, and Anita Kesavan (<a href="http://www.biblio.com/isbn/1590597842.html" class="external text" title="http://www.biblio.com/isbn/1590597842.html" rel="nofollow">ISBN 1590597842</a>)</li>
<li><a href="http://assuredbydesign.com/haa/" class="external text" title="http://assuredbydesign.com/haa/" rel="nofollow">High-Assurance Design</a> by Cliff Berg, 2005, Addison-Wesley. Foreword by Peter G. Neumann. Design principles and patterns for secure and reliable design.</li>
</ul>