Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web
Aradi Pineda Barranca
Alba Nidya Soto Domínguez
Instituto Tecnológico de Tuxtepec
April 2014
ACKNOWLEDGEMENTS
TO MY PARENTS:
With all my love and affection to the people who did everything in life so that I could
achieve my dreams, for motivating me and holding my hand when I felt that the road
had ended; to you, forever, my heart and gratitude.
Aradi Pineda Barranca
To carry out this project in the best possible way, the support of many people was
needed, and I want to thank them.
First, to God for giving me life and for the family he gave me.
To my mother for her unconditional support and for encouraging me to do things the
best way possible, as well as for her support in the realization of this software; Vicente
has helped me in my studies and supported me in everything I set out to do.
To my brother for his love, his unconditional support and for encouraging me to be a better
person in life.
Thanks also to my friends for helping me and supporting me unconditionally and for
being part of my life during these 4 years in and out of school. Thanks for the friendship
you offer me.
Alba Nidya Soto Domínguez
ABSTRACT
Because it protects information, a web application can be the target of malicious users
who try to gain access to it. Likewise, when the application is implemented, analysts,
designers and developers can unknowingly leave a security hole. Additionally, the
software and hardware used to implement the application may themselves have a
vulnerability or security hole.
Therefore, one should be aware of the possible risks to web applications, as well as
their impact and the actions that can be taken to correct such situations.
OWASP is a group of web application security professionals with several years of
experience who help remedy some of the problems that arise in the field of web
application development.
This group focuses on understanding and improving the security of web applications
and web services.
OWASP offers free development guides, recommendations for good practice, current
information on common vulnerabilities in web applications and a learning tool for web
application security known as "WebGoat".
KEYWORDS
WPScan
Nmap
TamperData
OWASP
INTRODUCTION
In 1980, Tim Berners-Lee developed ENQUIRE as a personal database of people and
software models, but also as a way of interacting with hypertext. By 1990, Berners-Lee
had developed all the tools needed for the web to work: HTTP, HTML, the first web
server and the first web browser, WorldWideWeb.
Websites have countless vulnerabilities that put them at great risk of attack from
several directions. This document is intended to provide the theoretical tools for
mastering the topic addressed in each of its sections.
The aim is to encourage organizations that use websites to mature in their
understanding and management of application security.
METHODS AND MATERIALS
SECURITY VULNERABILITIES IN A SYSTEM
Because it protects information, a web application can be targeted by malicious users
who try to gain access to it. Likewise, when the application is implemented, analysts,
designers and developers can unknowingly leave a security hole. Additionally, the
software and hardware used to implement the application may themselves have a
vulnerability or security hole.
Therefore, one should be aware of the potential risks that affect web applications, as
well as their impact and the actions that can be taken to correct such situations.
OWASP keeps track of the most critical attacks and vulnerabilities in web applications.
They are reported with examples and details that explain these risks to software
developers, administrators and anyone interested in web security.
The aim is to encourage organizations to mature in their understanding and
management of application security.
OWASP TOP 10
1. Injection
Involves a user or another system sending malicious code to the system; often the
code is sent in plain text.
The code can arrive through any input, for example:
• Queries to Active Directory.
• Queries to the database.
• Entries in web forms.
• XPath queries.
• Operating system commands.
• Check functions.
It happens when user-supplied input is not properly validated, trusting whatever
enters the system.
CONSEQUENCES
• Loss and/or corruption of data.
• Denial of access.
ACTIONS
• Write secure code: validate input, even input that comes from other systems.
• Use tools to search for injection vulnerabilities.
• It is highly recommended to keep untrusted data separate from commands
and queries.
• Use safe APIs that avoid the interpreter entirely.
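The recommendation to keep untrusted data separate from commands and queries, shown as an added example (not part of the paper): the same lookup written by pasting the input into the SQL string and by passing it as a bound parameter, run against a constructed in-memory SQLite table.

```python
import sqlite3

def make_db():
    # Constructed sample table with three users; not data from the paper.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def find_user_vulnerable(conn, name):
    # Untrusted input is concatenated into the command, so the data can
    # change the structure of the query (the injection the paper describes).
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name):
    # Parameterised query: the value travels separately from the statement,
    # so whatever it contains is compared as data, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    conn = make_db()
    normal = "bob"
    # Input that closes the quoted literal and appends an always-true condition.
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": find_user_vulnerable(conn, normal),
        "vuln_crafted": find_user_vulnerable(conn, crafted),   # every row leaks
        "safe_normal": find_user_safe(conn, normal),
        "safe_crafted": find_user_safe(conn, crafted),         # no such user
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```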
2. Broken authentication and session management
These vulnerabilities relate to failures in authentication and session management.
They are critical to the security of applications, and especially of web applications,
since they allow an attacker to impersonate a particular user and possibly obtain an
administrative account, which lets the attacker sabotage the application's authorization
checks and records.
CONSEQUENCES
• Unauthorized access to any information stored on the server.
• Access to services that have been compromised.
ACTIONS
• Implement sound user authentication.
• Protect session data (id, token, password).
• Perform robust session tracking.
• Avoid XSS vulnerabilities, since they can lead to the hijacking of session data.
3. Cross-Site Scripting (XSS)
It is the insertion, by a malicious user (who may be in the system as a user or
administrator, or elsewhere), of text strings that are not valid in the web application
itself and that are expected to be executed in order to obtain information or some benefit.
It is classified into three types:
• Stored. Code that is permanently stored on the web application's server, for
example in the database.
• Reflected. Code that is not stored in the database of the attacked web
application but is executed at the moment it is entered into any input that does
not validate what is provided.
• DOM-based. Code that modifies the DOM of the original web application.
CONSEQUENCES
• Hijacking of user sessions.
• Defacement of websites.
• Installation of malicious code in browsers.
• Redirection to malicious sites.
ACTIONS
• Perform code analysis tests.
• Use static and dynamic scanning tools.
• Separate untrusted data from active browser content.
• Validate data entry.
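Separating untrusted data from active browser content, as an added example that is not part of the paper: a stored comment is escaped for the HTML body context before it is rendered, and a user-supplied link is additionally restricted to http/https, since escaping alone does not stop a `javascript:` URL. The comment texts are constructed sample data.

```python
import html

# Constructed stored comments, as an application would read them back from its database.
STORED_COMMENTS = [
    ("alice", "Great article!"),
    ("mallory", "<script>alert('xss')</script>"),
]

def render_comment(author, text):
    # Escape untrusted data for the HTML body context: < > & " ' become
    # entities, so the browser displays them as text instead of parsing them.
    return '<p class="comment"><b>{}</b>: {}</p>'.format(
        html.escape(author, quote=True), html.escape(text, quote=True))

def render_link(label, url):
    # Attribute context: a "javascript:" URL needs no angle brackets to run,
    # so the scheme must be restricted in addition to escaping the value.
    if not url.strip().lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(url, quote=True), html.escape(label, quote=True))

def render_page(comments):
    return "\n".join(render_comment(author, text) for author, text in comments)

def contains_active_content(rendered):
    # Check used in the demo: did any script tag survive into the output?
    return "<script" in rendered.lower()

if __name__ == "__main__":
    page = render_page(STORED_COMMENTS)
    print(page)
    print("active content present:", contains_active_content(page))
```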
4. Insecure direct object reference
It consists of replacing the value of a parameter that refers to one object with a
reference to another object, and access being granted even though it is unauthorized.
CONSEQUENCES
• Access to restricted information.
• Access to all information that is referenced by similar parameters.
ACTIONS
• Perform code analysis and manual tests.
• Perform code-level checks for direct references to restricted resources.
• Use indirect references per user or session.
• Check the user's access to objects.
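The two last actions combined, as an added example that is not part of the paper: each session gets its own map of random tokens to real object ids (indirect references), and every lookup still verifies that the resolved object belongs to the requesting user. The invoice table is constructed sample data.

```python
import secrets

class ReferenceMap:
    """Per-session map between opaque tokens and real object ids."""
    def __init__(self):
        self._to_token = {}
        self._to_id = {}

    def token_for(self, object_id):
        # Same object -> same token within this session; tokens are unguessable.
        if object_id not in self._to_token:
            token = secrets.token_urlsafe(16)
            self._to_token[object_id] = token
            self._to_id[token] = object_id
        return self._to_token[object_id]

    def resolve(self, token):
        # Unknown token -> None. Never fall back to treating the token as a raw id.
        return self._to_id.get(token)

# Constructed sample data: invoice id -> owner.
INVOICES = {100: "alice", 101: "alice", 200: "bob"}

def list_invoices(session_user, refmap):
    # The page only ever shows tokens; database ids never reach the client.
    return [refmap.token_for(inv) for inv, owner in INVOICES.items()
            if owner == session_user]

def get_invoice(session_user, refmap, token):
    # Indirect reference plus an explicit ownership check on the resolved object.
    object_id = refmap.resolve(token)
    if object_id is None or INVOICES.get(object_id) != session_user:
        return None   # a real application would answer 403 or 404 here
    return object_id

if __name__ == "__main__":
    alice_map = ReferenceMap()
    for token in list_invoices("alice", alice_map):
        print(token, "->", get_invoice("alice", alice_map, token))
```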
5. Security misconfiguration
It is a failure or error in the security configuration defined and implemented for the
application, frameworks, application server, web server, database and platform. All
these settings should be defined, implemented and maintained. This includes keeping
all software up to date, including the code libraries used by the application.
It can occur in:
• Platforms.
• Web servers.
• Application servers.
• Work environments (frameworks).
• Custom code.
It takes advantage of:
• Default accounts.
• Unused pages.
• Software that is not updated or patched.
• Unprotected files or directories.
CONSEQUENCES
• Unauthorized access to data or system functions.
ACTIONS
• Use automated tools to locate pending updates, faulty settings, active default
accounts and unneeded active services.
• Secure all levels of the application stack.
6. Sensitive data exposure
It consists of not properly protecting sensitive data such as credit cards, IDs, tax data
and database authentication credentials. Attackers may steal or modify such data to
conduct credit card fraud, identity theft or other crimes; this can happen while the data
is stored or while it is being transmitted.
CONSEQUENCES
• Theft of sensitive data such as health records, credentials, personal data,
credit cards, etc.
ACTIONS
• Encrypt sensitive data both when stored and during transmission.
• Do not store sensitive data unnecessarily.
• Protect stored passwords with an algorithm designed specifically for password
protection, such as bcrypt, PBKDF2 or scrypt.
• Disable autocomplete in forms that capture sensitive data and disable caching
of pages that contain sensitive data.
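Storing passwords with PBKDF2, one of the algorithms the paper names, as an added example that is not part of the paper: a random per-password salt, a self-describing stored record, and a constant-time verification that also rejects malformed records. The iteration count is an assumption to be tuned for the deployment.

```python
import base64
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this demo; raise it as hardware improves.
ITERATIONS = 200_000

def hash_password(password, iterations=ITERATIONS):
    # Fresh random salt per password: equal passwords get different records,
    # and precomputed tables are useless.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Record everything needed to verify later: algorithm$iterations$salt$digest.
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))

def verify_password(stored, candidate):
    # Malformed or foreign records fail closed instead of raising.
    try:
        algorithm, iterations, b64salt, b64digest = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(b64salt)            # binascii.Error is a ValueError
        expected = base64.b64decode(b64digest)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # Constant-time comparison: no timing leak about how many bytes matched.
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))
```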
7. Missing function-level access control
It is the lack of access controls for the private functions of web applications. If requests
are not verified, attackers will be able to forge requests in order to access application
features without proper authorization.
CONSEQUENCES
• Access to private functions of the application by ordinary users.
• Access to and modification of system data.
ACTIONS
• Implement authentication modules for the system's private functions.
8. CSRF (Cross-Site Request Forgery)
It is an attack that forces the user to execute unwanted actions on a web application
in which they are currently authenticated. With a little help from social engineering
(like sending a link via e-mail or chat), an attacker can force users of the web
application to execute actions of the attacker's choice. If the target user is the
administrator account, this can compromise the entire web application.
CONSEQUENCES
• The attacker can access, modify and use any data or function the victim is
authorized to use.
ACTIONS
• Review the source code.
• Perform penetration testing.
• Do not rely on protections such as session cookies, source IP addresses and
similar information.
• Analyze links and forms that invoke functions that can change state.
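The paper's point that a session cookie alone is not a CSRF protection, shown as an added example that is not part of the paper: the browser sends the cookie automatically with any request, so a state-changing form also carries a per-session secret token that a forged cross-site request cannot know. The form and handler are constructed stand-ins for a web framework.

```python
import hmac
import secrets

class Session:
    # The session cookie identifies the user; the token is a second secret that
    # only pages served to this session can embed in their forms.
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)

def render_form(session):
    # Every state-changing form carries the session's token as a hidden field.
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="{}">'
            '<input name="amount"><button>Send</button></form>').format(session.csrf_token)

def handle_transfer(session, method, form):
    # State changes only over POST: a GET reached through a link must not act.
    if method != "POST":
        return 405, "method not allowed"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing, guessed or other-session token fails.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "csrf check failed"
    return 200, "transferred " + form.get("amount", "0")

if __name__ == "__main__":
    session = Session()
    # Forged request: the cookie would arrive, but no token is present.
    print(handle_transfer(session, "POST", {"amount": "10"}))
    # Legitimate request from the page the application itself served.
    print(handle_transfer(session, "POST", {"amount": "10", "csrf_token": session.csrf_token}))
```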
9. Using components with known vulnerabilities
It is the use of components such as libraries, frameworks and other software modules
that are vulnerable and almost always run with administrator privileges. If a vulnerable
component is exploited, it can lead to the loss of important data or to the server being
taken over.
CONSEQUENCES
• Code injection.
• XSS.
• Broken access controls.
ACTIONS
• Keep every deployed component up to date.
• When using components that are in-house developments, perform security
testing on them.
10. Unvalidated redirects and forwards
It is a redirect or forward by a web application to other pages or websites without
proper validation. Attackers can redirect victims to phishing or malware sites.
CONSEQUENCES
• Theft of authentication credentials.
• Malware installation.
• Phishing.
ACTIONS
• Map the site (spidering) to detect malicious redirects.
• Avoid using redirects and forwards.
• If they are used, do not include user-supplied parameters in the target.
• If target parameters cannot be avoided, ensure that the value provided is valid
and authorized for the user.
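The last action, validating a user-supplied redirect target, as an added example that is not part of the paper: the function accepts only same-site relative paths or absolute http(s) URLs to an allow-listed host, and falls back to a default for everything else, including the scheme-relative and backslash forms that browsers resolve to another host. The allowed host names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts this application is willing to redirect to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

def safe_redirect_target(target, default="/"):
    """Return `target` if it is a safe place to send the user, else `default`."""
    if not target:
        return default
    target = target.strip()
    parts = urlsplit(target)
    # Absolute URL: only http(s), and only to an allow-listed host. hostname()
    # strips any user@ prefix, so "https://www.example.com@evil.example/" is
    # judged by its real host, evil.example.
    if parts.scheme:
        if parts.scheme in ("http", "https") and (parts.hostname or "").lower() in ALLOWED_HOSTS:
            return target
        return default
    # No scheme, but a host: "//evil.example/" is a scheme-relative URL that
    # browsers resolve to another site. Backslash variants are treated the same.
    if parts.netloc or target.startswith(("//", "/\\", "\\")):
        return default
    # Only absolute paths on this site remain; a bare "account" is ambiguous.
    if not target.startswith("/"):
        return default
    return target

if __name__ == "__main__":
    for candidate in ["/account", "https://www.example.com/account",
                      "//evil.example/", "javascript:alert(1)"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```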
PENETRATION TESTING METHODOLOGY
1. Penetration tests (pentest)
A pentest is a test on web applications that attempts to reproduce the actions of
malicious users (internal and external to the organization). These actions cover both
the interaction with the application and the configuration and software used.
It helps find security holes that could allow access to sensitive information,
modification of the site's original functionality, among other actions.
Penetration testing should consider aspects such as:
• SQL injection testing.
• Cross-Site Scripting (XSS) testing.
• JavaScript testing.
• Alerts and network port scanning.
ADVANTAGES
• Generation of timely reports.
• Improvement of the strategy.
• Improvement of the application.
DISADVANTAGES
• Risk of unavailability.
• Risk of loss or alteration of information.
To perform a penetration test it is necessary to follow a methodology, so that the work
proceeds in order and the expected results are achieved.
2. Methodology of Penetration Testing
Phases of penetration testing:
• Planning.
• Reconnaissance.
• Scanning.
• Exploitation.
• Documentation.
2.1 Planning
Allows the project to be fully defined, setting limits and establishing the elements to
assess and, most importantly, obtaining the authorization that backs the pentester
throughout their activity, both technically and legally.
Generally, the following items can be listed in this preparation stage:
• Interview with the client.
• Information on the consequences of testing.
• Team integration.
• Permission.
• Confidentiality agreement.
• Contract.
2.2. Reconnaissance
It is the process of investigating the target organization to gather information from
available sources, such as domain registration services and websites. Some people
include techniques such as social engineering and dumpster diving in the
information-gathering phase.
The pentest specialist should try to get as much information as possible about the
target. Reconnaissance can be done using two techniques: passive and active.
A passive technique is the best choice to start with, since it would not normally trigger
an IDS or other forms of protection. It seeks to discover publicly available information
on the Internet, in flyers, among other sources.
An active technique is more intrusive; it could involve using an automated tool or
applying social engineering.
2.3. Scanning
The aim at this stage is to find vulnerable entry points in the evaluated target, such as
wireless access points, available systems, listening ports and vulnerabilities.
Scanning is the process of finding openings in the target organization, such as
Internet gateways, wireless access points, available systems, listening ports and lists
of vulnerabilities. Some popular tools for this stage are:
• Port scanning: Nmap.
• Vulnerability scanning: Nessus.
2.4. Exploitation
At the end of the scanning phase, potential vulnerabilities have been identified, along
with information such as the operating system, which is very useful because it helps
build an attack vector and choose the appropriate tools, exploits or techniques for
exploiting the systems. At this stage the vulnerabilities with a high risk rating given by
the vulnerability scanner are tested, and they may become the target of exploitation in
the evaluation.
This phase aims to:
• Reduce or eliminate false positives.
• Determine the real impact of a vulnerability.
At this stage the vulnerabilities found in the previous phase are reviewed and evaluated
in detail, because tools can sometimes list false positives; if any of these flaws can be
exploited, access to the system or disclosure of sensitive information is confirmed.
2.5. Documentation
The documentation in this phase includes the following:
• Executive summary.
• Introduction.
• Methodology.
• Findings:
  • High risk.
  • Medium risk.
  • Low risk.
• Recommendations.
The objective of this phase is to record the results obtained from the start of the
reconnaissance phase through the exploitation phase, generating a final report of the
findings of the entire testing process.
RESULTS
At the time of writing this article, it was expected that the reader would be able to locate
the vulnerabilities that exist on websites, and that a reader who had built such sites
would stay alert and guard against the various risks that exist.
As expected, there are several books, articles and reports on the topic, reporting on
the risks that exist when a website is developed.
It was possible to study different vulnerabilities in web applications and mechanisms
to reduce these risks.
The knowledge gained enables the reader to perform different tests to detect
vulnerabilities and, from there, to focus on the faults found.
DISCUSSION
We obtained the expected results: the reader was attracted to and motivated in
conducting tests to determine whether their website had, or has, a flaw.
This work is expected to help the reader clear up their doubts and dare to investigate
thoroughly the vulnerabilities that exist and to which they are exposed.