let’s shield liferay
@jajcampoy José A. Jiménez
let’s take security seriously
Do you want to be involved? https://portal.liferay.dev/learn/security
Reporting issues
Send an email: security@liferay.com
Open a ticket: https://issues.liferay.com
Do not post vulnerability details in any public channel
web application security risks
Learn about the OWASP Top 10 Web Application Security Risks
https://owasp.org/www-project-top-ten
Risk > Threat > Vulnerability > Impact
Safeguard
Have in mind:
> Code
> Data
> Infrastructure
> Configuration
using components with known vulnerabilities
Liferay Portal is a big platform with many features, multiple system
integrations and many development facilities: libraries, frameworks and
software modules that all need to be kept updated.
Threat: ready-made exploits are easy to find for many known
vulnerabilities; others require concentrated effort to develop a custom
exploit. Either way, a vulnerable component can be exploited.
Impact: exploitation can lead to serious data loss or server takeover.
This applies both to Liferay itself and to your custom developments.
Safeguard: update
https://portal.liferay.dev/learn/security/known-vulnerabilities
keep your Liferay CE updated
> Update your version
7.3 Rolling releases => <new> 7.3 GA3
7.2 GA2+
> 7.1, 7.0, 6.2 => DIY (build the patches yourself)
Get the code
https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
Build patched versions
https://portal.liferay.dev/learn/security/patching
routine
Building our custom patches
10 REVIEW YOUR CODE
20 BUILD
30 BACKUP
40 DEPLOY
50 UPGRADE DB
60 TEST
70 END
community power - working together
Dominike Marks - Complete guide and binaries
https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches
Arund Dask - Binaries for 6.2
https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
NOTE: community-built binaries are used at your own risk
injection
Untrusted data is sent to an interpreter as part of a command or query.
Threat: the attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper
authorization.
SQL, NoSQL, OS, LDAP, XPath, etc.
Impact: loss or corruption of data, unauthorized data access, DoS
Safeguard: use parameterized APIs and proven tools.
Finders generated by Service Builder are parameterized.
Custom SQL and custom finders => prepared statements; never concatenate
input into the query text.
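The slides name the safeguard but show no code. The following is an added example, not code from the talk or from Liferay, written in Python with the standard sqlite3 module rather than in a Liferay custom finder so that it runs offline; the table, its three rows and the payload are constructed here. It contrasts a finder that concatenates the screen name into the SQL text with one that binds it as a parameter, and adds the dynamic IN-list case, the place where hand-written finders most often fall back to string building.

```python
import sqlite3

# Constructed sample table (not from the original slides): an in-memory
# stand-in for the table a custom finder would query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User_ (userId INTEGER, screenName TEXT, emailAddress TEXT)")
    conn.executemany("INSERT INTO User_ VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "admin", "admin@example.com"),
    ])
    return conn

def find_by_screen_name_unsafe(conn, screen_name):
    # Vulnerable: the untrusted value becomes part of the SQL text, so a quote
    # in the input changes the statement the interpreter parses.
    sql = "SELECT userId, screenName FROM User_ WHERE screenName = '" + screen_name + "'"
    return conn.execute(sql).fetchall()

def find_by_screen_name_safe(conn, screen_name):
    # Parameterized: the SQL text is fixed; the value is bound separately and
    # is never parsed as SQL, whatever characters it contains.
    sql = "SELECT userId, screenName FROM User_ WHERE screenName = ?"
    return conn.execute(sql, (screen_name,)).fetchall()

def find_by_user_ids_safe(conn, user_ids):
    # Dynamic IN (...) lists still need one placeholder per value; generate the
    # placeholders, never join the values themselves into the statement.
    if not user_ids:
        return []
    placeholders = ",".join("?" * len(user_ids))
    sql = f"SELECT userId FROM User_ WHERE userId IN ({placeholders}) ORDER BY userId"
    return [row[0] for row in conn.execute(sql, tuple(user_ids))]

# Classic tautology payload (constructed): the concatenated query becomes
# WHERE screenName = 'x' OR '1'='1', which matches every row.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_by_screen_name_unsafe(db, PAYLOAD))  # every user leaks
    print("safe:  ", find_by_screen_name_safe(db, PAYLOAD))    # no such screen name
```

The same rule carries over to a Liferay custom finder: the SQL that Service Builder loads from the custom-sql XML must keep `?` placeholders and bind the values through the query object, exactly as the safe functions above do.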
cross-site scripting - xss
Untrusted data is written into a web page without proper validation or
escaping.
Threat: attackers execute scripts in the victim’s browser, which can
hijack user sessions, deface web sites, or redirect the user to
malicious sites.
Safeguard: validate untrusted data before storing it, and escape it when
rendering it, using the escaping function that matches the output context:
taglibs <aui:input … />
com.liferay.portal.kernel.util.HtmlUtil > escape()
> escapeAttribute()
> escapeURL()
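The slide lists three HtmlUtil methods without saying why one is not enough. This added example (not code from the talk or from Liferay; the function names only mirror the roles of escape, escapeAttribute and escapeURL) uses Python's standard html and urllib modules to show that body escaping leaves attribute breakouts and javascript: URLs untouched, and that a link must be escaped from the inside out, URL context first and attribute context second. All inputs are constructed.

```python
import html
from urllib.parse import quote, urlsplit

def escape(text):
    # HTML body context (the role HtmlUtil.escape plays): neutralises the
    # characters that open tags and entities, but leaves quotes alone.
    return html.escape(text, quote=False)

def escape_attribute(text):
    # Attribute context: additionally neutralises both quote characters so the
    # value cannot close the attribute and start a new one (onmouseover=...).
    return html.escape(text, quote=True)

SAFE_SCHEMES = {"", "http", "https"}   # "" = relative URL

def escape_url(url):
    # URL context (the role of HtmlUtil.escapeURL here): an HTML-escaped URL is
    # still a URL, so "javascript:alert(1)" survives escape() untouched. Refuse
    # unsafe schemes first, then percent-encode the rest. Tabs and newlines are
    # stripped before parsing because browsers ignore them inside the scheme.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return ""
    if scheme not in SAFE_SCHEMES:
        return ""
    return quote(cleaned, safe="/:?=&#%@+;,$!~*-._")

def render_link(url, label):
    # Each value is escaped for the context it lands in, innermost first:
    # the href value is a URL inside an attribute, the label is body text.
    return '<a href="%s">%s</a>' % (escape_attribute(escape_url(url)), escape(label))

if __name__ == "__main__":
    # Constructed attacker inputs.
    print(escape('" onmouseover="alert(1)'))            # quotes survive: wrong for attributes
    print(escape_attribute('" onmouseover="alert(1)'))  # quotes neutralised
    print(render_link("JAVA\tscript:alert(1)", "<click>"))
```

The html.escape(quote=True) call encodes both `"` and `'`, so it is safe for single- and double-quoted attributes; the `&` produced by percent-encoded query strings is then turned into `&amp;` by the attribute layer, which is what a browser expects inside href.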
unvalidated redirects and forwards
Example: a login URL whose redirect parameter points to a different,
lookalike domain:
http://dom1.mycompanydomain.com/c/login?redirect=dom1.mycompanydomein.com
> Use an explicit list of allowed IPs or domains, for example:
redirect.url.security.mode=ip
redirect.url.ips.allowed=127.0.0.1,SERVER_IP,192.168.0.12,192.168.0.13,192.168.0.99
redirect.url.security.mode=domain
redirect.url.domains.allowed=dom1.mycompany.com,dom2.mycompany.com
redirect.url.security.mode=domain
redirect.url.domains.allowed=*.mycompany.com
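The properties above state the policy; what matters in practice is how the redirect target's host is extracted before it is compared with the list. The following is an added example, not Liferay's implementation of these properties and not code from the talk: a Python model of the two modes that takes the same list values and shows the inputs an allowlist check must survive (scheme-relative `//evil.com`, backslash variants, userinfo tricks, lookalike suffixes, javascript: URLs). Two assumptions are labelled in the code: `*.mycompany.com` is treated as matching subdomains only, and in ip mode only literal IP addresses are accepted (hostnames are not resolved). Check the Liferay documentation for the exact semantics.

```python
import ipaddress
from urllib.parse import urlsplit

def _domain_matches(host, pattern):
    # Assumption: "*.mycompany.com" means any subdomain of mycompany.com.
    pattern = pattern.strip().lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # ".mycompany.com" suffix, dot included
    return host == pattern

def _allowed_ips(entries):
    ips = set()
    for entry in entries:
        try:
            ips.add(ipaddress.ip_address(entry.strip()))
        except ValueError:
            pass   # e.g. the SERVER_IP placeholder, which the portal substitutes itself
    return ips

def redirect_allowed(url, mode, allowed):
    """mode is "ip" or "domain" (redirect.url.security.mode); allowed is the
    comma-split value of the matching *.allowed property."""
    # Normalise what a browser would tolerate before looking at the host:
    # surrounding whitespace, embedded tab/newline, and "\" treated as "/".
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n").replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        return True                       # relative path: stays on this portal
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, ... never a redirect target
    host = (parts.hostname or "").lower() # hostname drops userinfo ("trusted@evil.com") and port
    if not host:
        return False                      # "http:///evil.com": scheme without a host
    if mode == "domain":
        return any(_domain_matches(host, p) for p in allowed)
    if mode == "ip":
        try:
            return ipaddress.ip_address(host) in _allowed_ips(allowed)
        except ValueError:
            return False                  # assumption: hostnames are rejected in ip mode
    return False                          # unknown mode: fail closed

if __name__ == "__main__":
    domains = "dom1.mycompany.com,dom2.mycompany.com".split(",")
    for target in ("/web/guest", "http://dom1.mycompany.com/c/portal",
                   "http://dom1.mycompanydomein.com", "//evil.com/",
                   "http://dom1.mycompany.com@evil.com/"):
        print(redirect_allowed(target, "domain", domains), target)
```

The check fails closed on anything it cannot parse, and compares the parsed host rather than searching for the allowed string anywhere in the URL, which is why `http://evil.com/dom1.mycompany.com` and `dom1.mycompany.com.evil.com` are both rejected.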
broken authentication
Threat: badly implemented authentication and/or session management
allows attackers to compromise passwords, keys, or session tokens
Impact: attackers assume other users’ identities, temporarily or
permanently
> Use secure protocols for all connections (TLS)
> A robust authentication mechanism: second-factor authentication is
available OOTB in Liferay 7.3 > multi-factor authentication (work in progress)
> OAuth 2.0 to invoke your APIs / JAX-RS web services
https://help.liferay.com/hc/articles/360028711432-OAuth-2-0
sensitive data exposure
Threat: web apps or APIs do not properly protect sensitive data
Impact: attackers can steal or modify such weakly protected data.
> Select a strong encryption algorithm. Upgrading? Review these values,
since an upgraded installation may still carry older, weaker settings:
company.encryption.algorithm=AES
company.encryption.key.size=128
passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/128000
#passwords.encryption.algorithm.legacy=
> Review connections and protocols:
Secure LDAP (use ldaps)
Secure Elasticsearch 7 (available for CE in 7.2 and 7.3)
> Strong password policy
https://help.liferay.com/hc/articles/360028819212-Password-Policies
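The value `PBKDF2WithHmacSHA1/160/128000` packs three parameters into one string: the HMAC digest, the derived-key length in bits and the iteration count. This added example (not code from the talk or from Liferay's PasswordEncryptor; the parsing of the spec string is an assumption about its layout) uses Python's hashlib to turn that spec into an actual hash and verification, with a per-password random salt, a constant-time comparison, and the rehash-on-login pattern that the commented-out legacy property exists for. Sample passwords and the fixed salt in the main block are constructed.

```python
import hashlib
import hmac
import os

PREFIX = "PBKDF2WithHmac"

def parse_pbkdf2_spec(spec):
    # "PBKDF2WithHmacSHA1/160/128000" -> ("sha1", 160, 128000):
    # digest, derived-key length in bits, iteration count (assumed layout).
    name, bits, rounds = spec.split("/")
    if not name.startswith(PREFIX):
        raise ValueError("not a PBKDF2 spec: " + spec)
    digest = name[len(PREFIX):].lower()
    if digest not in hashlib.algorithms_available:
        raise ValueError("unknown digest: " + digest)
    return digest, int(bits), int(rounds)

def hash_password(password, spec, salt=None):
    # Returns (spec, salt, derived_key). The random salt per password is what
    # defeats rainbow tables; the iteration count is what slows brute force.
    digest, bits, rounds = parse_pbkdf2_spec(spec)
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, rounds, dklen=bits // 8)
    return spec, salt, dk

def verify_password(password, spec, salt, expected):
    digest, bits, rounds = parse_pbkdf2_spec(spec)
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, rounds, dklen=bits // 8)
    return hmac.compare_digest(dk, expected)   # constant-time comparison

def needs_rehash(stored_spec, current_spec):
    # Migration pattern behind a "legacy algorithm" setting: a password stored
    # under an older spec is re-hashed at the next successful login, the only
    # moment the plaintext is available to do so.
    return stored_spec != current_spec

if __name__ == "__main__":
    SPEC = "PBKDF2WithHmacSHA1/160/128000"
    spec, salt, dk = hash_password("correct horse battery", SPEC)   # constructed password
    print(parse_pbkdf2_spec(SPEC), len(dk), "bytes")
    print(verify_password("correct horse battery", spec, salt, dk),
          verify_password("wrong horse", spec, salt, dk))
    print(needs_rehash("SHA", SPEC))   # plain digest from an old install: rehash on login
```

Storing the spec next to each hash (as the tuple above does) is what makes a later move to more iterations or another digest possible without resetting every password.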
sensitive data exposure (continued)
> Enable HTTPS and force it for authentication and any other sensitive
access, and minimize exposure with explicit IP lists / ranges. The
shipped defaults below enforce nothing: set the https properties to true
and fill the hosts.allowed lists with only the addresses that need access.
company.security.auth.requires.https=false
# {0} = main | json | atom | tunnel | webdav
{0}.servlet.hosts.allowed=
{0}.servlet.https.required=false
rss.feeds.hosts.allowed=
> Define Service Access Policies
https://help.liferay.com/hc/articles/360028711272-Service-Access-Policies
cross-site request forgery - csrf
Threat: an attack that tricks the victim into submitting a malicious
request
Impact: the request inherits the identity and privileges of the victim
and performs an undesired action on the victim’s behalf
> POST method for action requests
> Multi-step transactions, captchas
> Auth tokens for action URLs: p_auth & p_p_auth
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
> Configure CORS (Cross-Origin Resource Sharing)
https://help.liferay.com/hc/es/articles/360030377272-Configuring-CORS
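The slide names the p_auth token and the property that enforces it but not what the check consists of. This added example (not code from the talk and not Liferay's AuthTokenUtil; the HMAC construction and the per-deployment secret are assumptions) models the two safeguards together in Python: an action request is accepted only if it is a POST and carries a token bound to the caller's own session, so a form on an attacker's site, which knows neither the session nor the server secret, cannot produce it. Session ids and the secret are constructed.

```python
import hashlib
import hmac
import secrets

def make_auth_token(session_id, secret):
    # Token bound to the user's session through an HMAC keyed with a server-side
    # secret (assumed construction). A cross-site page cannot read the victim's
    # pages to copy it and does not know the secret to compute it.
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def check_action_request(method, session_id, p_auth, secret, check_enabled=True):
    """Model of what auth.token.check.enabled does for an action URL.
    Returns (allowed, reason) so the caller can log why a request was refused."""
    if not check_enabled:
        return True, "token check disabled: every action request is accepted"
    if method != "POST":
        return False, "action requests must be POST, never GET"
    if not p_auth:
        return False, "missing p_auth"
    expected = make_auth_token(session_id, secret)
    # compare_digest on bytes: constant time, and no TypeError on non-ASCII input.
    if not hmac.compare_digest(p_auth.encode("utf-8"), expected.encode("utf-8")):
        return False, "p_auth is not the token of this session"
    return True, "ok"

if __name__ == "__main__":
    SECRET = secrets.token_bytes(32)   # per-deployment secret; constructed here, keep it out of source
    token = make_auth_token("victim-session", SECRET)
    print(check_action_request("POST", "victim-session", token, SECRET))
    print(check_action_request("GET", "victim-session", token, SECRET))
    # A forged form has no token at all, or one minted for some other session.
    print(check_action_request("POST", "victim-session", "", SECRET))
    print(check_action_request("POST", "victim-session", make_auth_token("attacker-session", SECRET), SECRET))
```

Requiring POST on its own is not a CSRF defense (a hidden form auto-submits a POST just as easily), which is why the token is the safeguard that actually blocks the forged request and the POST rule only keeps state changes off links and images.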
insufficient logging and monitoring
Monitor the infrastructure and the users
> Limited resources > performance > DoS
> CPU
> MEM
> DB connection pool
Example: a non-cacheable query on every request, or
users.update.last.login=true (a database write on every login)
> Log access to sensitive data and special actions
User management: Control Panel > Configuration > Audit
Other actions: https://liferay.dev/blogs/-/blogs/auditing-liferay-dxp-who-has-done-what-and-when
> Do not run processes as root (app server, patching tool, etc.)
> Change the default admin user: the shipped defaults below are public
knowledge, so set your own values before the first start
default.admin.password=test
default.admin.screen.name=test
default.admin.email.address.prefix=test
default.admin.first.name=Test
default.admin.middle.name=
default.admin.last.name=Test
> Disable unused SSO
RememberMe:
company.security.auto.login=false
and many more…
thank you!
@jajcampoy


Editor's Notes

  • #4 The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software. It is the reference organization on security matters for most development companies and developer communities, and it periodically publishes a ranking of the most important risks to take into account in our web applications. Tools and resources; community and networking; education and training.
  • #5 Depending on the assets you are protecting, this risk should perhaps be at the top of the list. Libraries, frameworks, software modules, systems, etc. This problem is very widespread. Component-heavy development patterns can lead development teams to not even know which components their application or API uses, much less keep them up to date. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Some scanners such as retire.js help with detection, but determining exploitability requires additional effort. While some known vulnerabilities lead only to minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components.
  • #10 Untrusted data is sent to the interpreter as part of a command or query. Threat: the attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. SQL, NoSQL, OS, LDAP, XPath, etc. Impact: loss or corruption of data, DoS. Safeguard: use parameterized APIs and proven tools. Finders generated by Service Builder are parameterized. Custom SQL => prepared statements.
  • #11 Untrusted data in a web page without proper validation or escaping. Threat: attackers execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
  • #14 The application or its APIs do not adequately protect sensitive data such as personal data, card numbers, credentials, etc. An attacker can reach this data and steal it, use it at will, modify it, etc. Safeguard: strong encryption of data, both in transit and at rest. Use secure protocols and strong cipher algorithms. Strong password policies. > Rainbow tables, easily cracked password databases, etc.
  • #16 Predictable, easily constructed requests to servers. Also known as XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, Hostile Linking, and One-Click attack.
  • #17 Find a Portlet Preferences and update/store them as part of rendering a portlet in the Theme
  • #18 Service access policies comprise a layer of web service security that defines services or service methods that can be invoked remotely. Methods corresponding to a web service invocation request must be whitelisted by each service access policy that’s in effect. You can use wildcards to reduce the number of service classes and methods that must be explicitly whitelisted.
  • #19 Good afternoon, I am José Ángel Jiménez, Jose, Jose Angel.