A set of good practices for a Liferay project, following some of the recommendations of the OWASP Top 10 Web Application Security Risks.
The slides were used at a meetup of the Liferay User Group Spain.
Follow @LUGSpain on Twitter
Author: @jajcampoy
2. let’s take security seriously
Do you want to be involved? https://portal.liferay.dev/learn/security
Reporting issues
Send an email: security@liferay.com
Open a ticket: https://issues.liferay.com
Avoid details in any public channel
3. web application security risks
Learn about the OWASP Top 10 Web Application Security Risks
https://owasp.org/www-project-top-ten
Risk > Threat > Vulnerability > Impact
Safeguard
Keep in mind:
> Code
> Data
> Infrastructure
> Configuration
4. using components with known vulnerabilities
Liferay Portal is a big platform with many features, multiple system
integrations and many development facilities: libraries, frameworks
and software modules that need to be kept updated
Threat: it is easy to find already-written exploits for many known
vulnerabilities; others require a concentrated effort to develop a
custom exploit. A vulnerable component can be exploited.
Impact: an attack can facilitate serious data loss, server takeover,
and more
Custom developments Liferay
Safeguard: Update
6. keep your Liferay CE updated
> Update your version
7.3 Rolling releases => <new> 7.3 GA3
7.2 GA2+
> 7.1, 7.0, 6.2 => DIY
Get the code
https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
Build patched versions
https://portal.liferay.dev/learn/security/patching
7. routine
Building our custom patches
10 REVIEW YOUR CODE
20 BUILD
30 BACKUP
40 DEPLOY
50 UPGRADE DB
60 TEST
70 END
8. community power - working together
Dominike Marks - Complete guide and binaries
https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches
Arund Dask - Binaries for 6.2 https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
NOTE: use the binaries at your own risk
9. Untrusted data is sent to the interpreter as part of a command or query.
Threat: the attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper
authorization.
SQL, NoSQL, OS, LDAP, XPath, etc.
Impact: loss/corruption of data, DoS
injection
Safeguard: use parameterized APIs and tested tools:
Finders created by Service Builder are parameterized.
Custom SQL and custom finders => prepared statements
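The custom-finder case from this slide, as an added example (not code from the slides or from Liferay): a Service Builder finder for an assumed entity "Ticket" that binds its values through QueryPos, shown next to the string-concatenation pattern it replaces. TicketFinder, TicketFinderBaseImpl and TicketImpl are the classes Service Builder would generate for that assumed entity.

```java
import java.util.List;

import com.liferay.portal.dao.orm.custom.sql.CustomSQL;
import com.liferay.portal.kernel.dao.orm.QueryPos;
import com.liferay.portal.kernel.dao.orm.QueryUtil;
import com.liferay.portal.kernel.dao.orm.SQLQuery;
import com.liferay.portal.kernel.dao.orm.Session;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Custom finder for an assumed Service Builder entity "Ticket" (not a Liferay
 * entity). The SQL lives in META-INF/custom-sql/default.xml:
 *
 *   <sql id="...TicketFinder.findByStatusAndTitle">
 *     SELECT {Ticket.*} FROM Ticket WHERE status = ? AND LOWER(title) LIKE ?
 *   </sql>
 *
 * Only ? markers appear in the SQL text; every value is bound at run time.
 */
@Component(service = TicketFinder.class)
public class TicketFinderImpl extends TicketFinderBaseImpl implements TicketFinder {

    public static final String FIND_BY_STATUS_AND_TITLE =
        TicketFinder.class.getName() + ".findByStatusAndTitle";

    /**
     * The pattern to avoid: user input concatenated into the SQL text. A title
     * containing a quote character changes the statement itself, so the
     * database cannot tell the data from the query. Shown only for contrast.
     */
    @SuppressWarnings("unchecked")
    public List<Ticket> findByStatusAndTitleUnsafe(int status, String title) {
        Session session = null;
        try {
            session = openSession();
            String sql = "SELECT {Ticket.*} FROM Ticket WHERE status = " + status +
                " AND LOWER(title) LIKE '%" + title.toLowerCase() + "%'";
            SQLQuery q = session.createSynchronizedSQLQuery(sql);
            q.addEntity("Ticket", TicketImpl.class);
            return (List<Ticket>)QueryUtil.list(
                q, getDialect(), QueryUtil.ALL_POS, QueryUtil.ALL_POS);
        }
        finally {
            closeSession(session);
        }
    }

    /**
     * The prepared-statement version: the SQL text is fixed and the values go
     * through QueryPos, which binds them as JDBC parameters. Whatever the title
     * contains, it is compared as data and never parsed as SQL.
     */
    @SuppressWarnings("unchecked")
    public List<Ticket> findByStatusAndTitle(int status, String title, int start, int end) {
        Session session = null;
        try {
            session = openSession();
            String sql = _customSQL.get(getClass(), FIND_BY_STATUS_AND_TITLE);
            SQLQuery q = session.createSynchronizedSQLQuery(sql);
            q.addEntity("Ticket", TicketImpl.class);

            QueryPos qPos = QueryPos.getInstance(q);
            qPos.add(status);
            // The LIKE pattern is assembled in Java and bound as ONE parameter.
            // % and _ inside the title remain LIKE wildcards; escape them here
            // if a literal match is required (a correctness, not injection, issue).
            qPos.add("%" + title.toLowerCase() + "%");

            return (List<Ticket>)QueryUtil.list(q, getDialect(), start, end);
        }
        finally {
            closeSession(session);
        }
    }

    @Reference
    private CustomSQL _customSQL;
}
```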
10. Untrusted data in a web page without proper validation or escaping
Threat: Attackers execute scripts in the victim’s browser which can
hijack user sessions, deface web sites, or redirect the user to
malicious sites
cross-site scripting - xss
Safeguard: validate untrusted data before storing it and escape it
in the web page
taglibs <aui:input … />
com.liferay.portal.kernel.util.HtmlUtil > escape()
> escapeAttribute()
> escapeURL()
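The three HtmlUtil calls listed above each belong to a different HTML context. The following added example (not from the slides or from Liferay; class and field names are assumed) renders one fragment from three user-controlled strings and picks the escaping call by where each string lands.

```java
import com.liferay.portal.kernel.util.HtmlUtil;

/**
 * Renders a small HTML fragment from three user-controlled strings. Each one
 * lands in a different HTML context, and each context has its own escaping
 * call in HtmlUtil; using the wrong one (or none) is how stored XSS happens.
 * Added example; ItemCardRenderer and its fields are assumed names.
 */
public class ItemCardRenderer {

    public String render(String title, String tooltip, String searchTerm) {
        StringBuilder sb = new StringBuilder();

        // Attribute context: escapeAttribute() encodes the characters that
        // could terminate the attribute value and start a new attribute
        // (for example an event handler).
        sb.append("<div class=\"item\" title=\"")
          .append(HtmlUtil.escapeAttribute(tooltip))
          .append("\">");

        // Element body: escape() turns <, >, & and quotes into entities, so
        // the title is displayed as text instead of being parsed as markup.
        sb.append("<h3>").append(HtmlUtil.escape(title)).append("</h3>");

        // URL component: the term becomes one query parameter of a fixed,
        // same-site path. escapeURL() percent-encodes it, so it cannot add
        // parameters, change the path, or break out of the href attribute.
        sb.append("<a href=\"/search?q=")
          .append(HtmlUtil.escapeURL(searchTerm))
          .append("\">Related</a>");

        return sb.append("</div>").toString();
    }
}
```

When the whole URL rather than one parameter comes from the user, escaping is not enough: its scheme and host also need validating, which is the subject of the redirect settings on the next slide.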
11. http://dom1.mycompanydomain.com/c/login?redirect=dom1.mycompanydomein.com
unvalidated redirects and forwards
> Explicit list of IPs or domains, examples:
redirect.url.security.mode=ip
redirect.url.ips.allowed=127.0.0.1,SERVER_IP,192.168.0.12,192.168.0.13,192.168.0.99
redirect.url.security.mode=domain
redirect.url.domains.allowed=dom1.mycompany.com,dom2.mycompany.com
redirect.url.security.mode=domain
redirect.url.domains.allowed=*.mycompany.com
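As an added illustration of what redirect.url.security.mode=domain decides (this is a re-implementation written for this page, not Liferay's own code, and its treatment of the apex domain and of relative paths is this example's own assumption), the check below accepts the allowlist from the slide and rejects the look-alike domain from the slide title.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

/**
 * Illustrative domain-mode redirect check (added example, not Liferay code).
 * Assumed semantics:
 *  - a relative redirect (no scheme, no authority) stays on the current site
 *    and is allowed;
 *  - an absolute URL is allowed only for http/https and only if its host
 *    matches an allowlist entry exactly, or is a proper subdomain of a
 *    "*.suffix" entry (the apex itself must be listed explicitly);
 *  - anything the URI parser rejects (backslashes, stray spaces) is rejected.
 */
public final class RedirectAllowlist {

    private final List<String> allowedDomains;

    /** @param domainsAllowed the redirect.url.domains.allowed value. */
    public RedirectAllowlist(String domainsAllowed) {
        allowedDomains = Arrays.stream(domainsAllowed.toLowerCase(Locale.ROOT).split(","))
            .map(String::trim)
            .filter(s -> !s.isEmpty())
            .collect(Collectors.toList());
    }

    public boolean isAllowed(String redirect) {
        if (redirect == null || redirect.trim().isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(redirect.trim());
        }
        catch (URISyntaxException e) {
            return false;
        }
        // "/c/portal/login": no scheme and no authority, so it cannot leave the site.
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            return true;
        }
        // "//evil.example/" has an authority but no scheme, so it is NOT relative
        // and falls through to the host check. Non-web schemes are rejected.
        if (uri.getScheme() != null && !uri.getScheme().equalsIgnoreCase("http")
            && !uri.getScheme().equalsIgnoreCase("https")) {
            return false;
        }
        String host = uri.getHost();
        if (host == null) {
            // Authority that does not parse as a plain host (e.g. userinfo tricks).
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        for (String entry : allowedDomains) {
            if (entry.startsWith("*.")) {
                String suffix = entry.substring(1);          // ".mycompany.com"
                if (host.endsWith(suffix) && host.length() > suffix.length()) {
                    return true;
                }
            }
            else if (host.equals(entry)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        RedirectAllowlist allowlist = new RedirectAllowlist("dom1.mycompany.com,*.mycompany.com");
        String[] cases = {
            "/c/portal/login",                          // relative: allow
            "https://dom1.mycompany.com/web/guest",     // listed: allow
            "https://intranet.mycompany.com/",          // wildcard subdomain: allow
            "https://dom1.mycompanydomein.com/",        // look-alike from the slide: reject
            "https://mycompany.com.evil.example/",      // allowed name as a prefix: reject
            "//evil.example/",                          // scheme-relative to another host: reject
            "https://dom1.mycompany.com@evil.example/", // userinfo trick: reject
        };
        for (String c : cases) {
            System.out.println((allowlist.isAllowed(c) ? "allow  " : "reject ") + c);
        }
    }
}
```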
12. broken authentication
Threat: badly implemented authentication and/or session management,
allowing attackers to compromise passwords, keys, or session tokens
Impact: attackers assume other users’ identities temporarily or
permanently
> Use secure protocols for connections (SSL,TLS, etc)
> A robust authentication mechanism: Second-factor authentication OOTB
in Liferay 7.3 > Multi-factor authentication (work in progress)
> OAuth 2.0 to invoke your APIs / JAX-RS Web Services
https://help.liferay.com/hc/articles/360028711432-OAuth-2-0
13. Threat: Web Apps or APIs do not properly protect sensitive data
Impact: Attackers can steal or modify such weakly protected data.
sensitive data exposure
> Select a strong encryption algorithm. Are you upgrading?
company.encryption.algorithm=AES
company.encryption.key.size=12
passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/128000
#passwords.encryption.algorithm.legacy=
> Review connections and protocols:
Secure LDAP (ldaps)
Secure Elasticsearch 7, available for CE in 7.2 and 7.3
> Strong password policy
https://help.liferay.com/hc/articles/360028819212-Password-Policies
14. > Enable HTTPS and force it when authenticating or for other accesses, and
minimize access with explicit IP lists / ranges.
company.security.auth.requires.https=false
# {0} = main | json | atom | tunnel | webdav
{0}.servlet.hosts.allowed=
{0}.servlet.https.required=false
rss.feeds.hosts.allowed=
> Define Service Access Policies
https://help.liferay.com/hc/articles/360028711272-Service-Access-Policies
sensitive data exposure
15. Threat: an attack that tricks the victim into submitting a malicious
request
Impact: It inherits the identity and privileges of the victim to perform
an undesired function on the victim’s behalf
cross-site request forgery - csrf
> POST method for action requests
> Multi-step transactions, captchas
> Auth tokens for action URLs: p_auth & p_p_auth
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
> Configure CORS (Cross-Origin Resource Sharing)
https://help.liferay.com/hc/es/articles/360030377272-Configuring-CORS
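Portlet action URLs get the p_auth token and its check from the portal; a hand-written endpoint must ask for the check itself. The following added example (not from the slides or from Liferay; the servlet, its path and its form are assumed) issues the session-bound token on GET and verifies it on POST with AuthTokenUtil.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.security.auth.AuthTokenUtil;
import com.liferay.portal.kernel.util.HtmlUtil;

/**
 * A custom state-changing endpoint (assumed servlet, not Liferay code).
 * The token is bound to the caller's session, so a form posted from another
 * site cannot supply it.
 */
public class DisplayNameServlet extends HttpServlet {

    // Identifies this caller in Liferay's token checks; keep it specific.
    private static final String ORIGIN = DisplayNameServlet.class.getName();

    // GET only renders the form (no state change on GET). The form carries the
    // session token in the p_auth field, which is what the check looks for.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException {

        String token = AuthTokenUtil.getToken(request);
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.print("<form method=\"post\" action=\""
            + HtmlUtil.escapeAttribute(request.getRequestURI()) + "\">");
        out.print("<input type=\"hidden\" name=\"p_auth\" value=\""
            + HtmlUtil.escapeAttribute(token) + "\">");
        out.print("<input name=\"displayName\"><button>Save</button></form>");
    }

    // POST changes state, so it is honoured only when p_auth matches the
    // token bound to the caller's session.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws IOException {

        try {
            AuthTokenUtil.checkCSRFToken(request, ORIGIN);
        }
        catch (PortalException pe) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid p_auth");
            return;
        }
        // The protected state change; in a real portlet this would be a
        // service call rather than a session attribute.
        String displayName = request.getParameter("displayName");
        request.getSession().setAttribute("displayName", displayName);
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```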
16. Monitor the infrastructure and the users
> Limited resources > Performance > DoS
> CPU
> MEM
> DB connection pool
Example: a non-cacheable query on every request, or users.update.last.login=true
> Log access to sensitive data or special actions
Users management: Control Panel > Configuration > Audit
Other actions https://liferay.dev/blogs/-/blogs/auditing-liferay-dxp-who-has-done-what-and-when
Insufficient logging and monitoring
17. > Do not execute processes with root (app server, patching tool, etc)
> Define your default admin user
default.admin.password=test
default.admin.screen.name=test
default.admin.email.address.prefix=test
default.admin.first.name=Test
default.admin.middle.name=
default.admin.last.name=Test
> Disable Unused SSO
RememberMe:
company.security.auto.login=false
and many more…
The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software.
It is usually the reference organization on security matters for all development companies and developer communities, and every year they publish a ranking of the most important risks to keep in mind in our web applications.
Tools and resources
Community and networks
Education and training
Depending on the assets you are protecting, perhaps this risk should be at the top of the list.
Libraries, frameworks, software modules, systems, etc.
The prevalence of this problem is widespread. Component-heavy development patterns can lead to development teams not even understanding which components they use in their application or API, much less keeping them up to date.
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Some scanners such as retire.js help with detection, but determining exploitability requires additional effort.
While some known vulnerabilities cause only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components.
Untrusted data is sent to the interpreter as part of a command or query.
Threat: the attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
SQL, NoSQL, OS, LDAP, XPath, etc.
Impact: loss / corruption of data, DoS
Protection: use parameterized APIs and tested tools:
Finders created by Service Builder are parameterized.
Custom SQL => prepared statements
Untrusted data in a web page without proper validation or escaping
Threat: attackers execute scripts in the victim’s browser that can hijack user sessions, deface web sites, or redirect the user to malicious sites
It occurs when the application or the APIs do not properly protect sensitive data such as personal data, cards, credentials, etc.
An attacker can access this data and steal it, use it at will, modify it, etc.
Safeguard: strong data encryption, both in transit and at rest. Use secure protocols and strong encryption algorithms.
Strong password policies. > Rainbow tables, easily compromised password databases, etc.
Predictable and easily constructed requests to servers
XSRF, “Sea Surf”, Session Riding, Cross-Site Reference Forgery, and Hostile Linking, One-Click attack.
Find a Portlet Preferences and update/store them as part of rendering a portlet in the Theme
Service access policies comprise a layer of web service security that defines services or service methods that can be invoked remotely.
Methods corresponding to a web service invocation request must be whitelisted by each service access policy that’s in effect. You can use wildcards to reduce the number of service classes and methods that must be explicitly whitelisted.
Good afternoon,
I am José Ángel Jiménez, Jose, Jose Angel