lunes, 29 de enero de 2018

ABOUT THIS BUGS XSS - CSRF - SSRF






The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

IN OTHERS WORDS

Server Side Request Forgery (SSRF) refers to an attack where in an attacker is able to send a crafted request from a vulnerable web application. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. Additionally, it’s also possible for an attacker to leverage SSRF to access services from the same server that is listening on the loopback interface (127.0.0.1).

Typically Server Side Request Forgery (SSRF) occurs when a web application is making a request, where an attacker has full or partial control of the request that is being sent. A common example is when an attacker can control all or part of the URL to which the web application makes a request to some third-party service.

Detecting Server Side Request Forgery (SSRF)

In order to detect Server Side Request Forgery (SSRF) automatically, we’ll need to rely on an intermediary service since the detection of such a vulnerability requires an out-of-band and time-delay vector. Acunetix solves this by making use of AcuMonitor as its intermediary service during an automated scan.

During a scan, Acunetix will make requests containing a unique AcuMonitor URL. If AcuMonitor receives a request on one of these unique URLs, it will send a notification back to Acunetix indicating it should raise an alert for Server Side Request Forgery (SSRF).

The following is the result of an Acunetix scan with AcuMonitor to detect Server Side Request Forgery (SSRF). The alert contains information about the HTTP request that was performed including the IP address of the server that made this request and the User-agent string used in the request, if any. This information can help the developers identify the source of the problem and fix it.

Mitigating Server Side Request Forgery (SSRF)

Whitelists and DNS resolution

Implementing simple blacklists or regular expressions directly on the user’s input to filter out which IP addresses or domains can make requests is a bad approach to take when mitigating an SSRF.

In general, blacklists are a poor security control because there will always be bypasses not envisaged by a developer. In this case, bypass by an attacker are as easy as using an HTTP redirect, a wildcard DNS service such as xip.io or even alternate IP encoding.

Instead, the most robust way of dealing with Server Side Request Forgery (SSRF) is to whitelist the DNS name or IP address which your application needs access to. If a whitelist approach does not suit your use case, and you must rely on a blacklist, it’s important to validate user input properly. An example of this is to not allow requests to private (“non-routable”) IP addresses (detailed in RFC 1918), however, in the case of a blacklist, the correct mitigation to adopt will vary from application to application. In other words, there is no universal “fix” to SSRF since it highly depends on the application’s functionality and business requirements.

 

Response handling

Ensuring that the response received by the remote server is indeed what the server is expecting is important to prevent any unforeseen response data leaking to the attacker. Above all else, under no circumstances should the raw response body from the request sent by the server be delivered to the client.

 

Disable unused URL schemas

If your application only makes use of HTTP or HTTPS to make requests, only allow those URL schemas. Disabling unused URL schemas will prevent a web application from making requests using potentially dangerous URL schemas such as file:///, dict://, ftp:// and gopher://.

 

Authentication on internal services

Services such as Memcached, Redis, Elasticsearch and MongoDB do not require authentication by default. Server Side Request Forgery vulnerabilities could provide an attacker with the opportunity to access some of these services without any authentication standing in the way. Therefore, it’s best to enable authentication wherever possible as another defense mechanism.

OBTAINED FROM DIFFERENT SOURCES
Acunetix: www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
& others great authors


+ Applicable Platforms
 
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
Languages

Class: Language-Independent (Undetermined Prevalence)

Paradigms

Web Based (Undetermined Prevalence)

Technologies

Web Server (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.



Technical Impact: Execute Unauthorized Code or Commands
   
+ Notes

Relationship
 
CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the "Server" portion of the SSRF acronym does not necessarily apply.

lunes, 8 de enero de 2018

WPHARDENING - Chequeo de seguridad de WORDPRESS




Antes de comenzar con este artículo amigos cabe señalar que esta herramienta lanza nuevas versiones regularmente. Asegúrense de actualizar sus dependencias con frecuencia para obtener la última versión consultando el registro de cambios o CHANGELOG.md para conocer las nuevas funciones.

WPHardening es una herramienta para automatizar y realizar diversos chequeos de seguridad para que nuestra web este configurada de forma segura y como podemos ver esta hecha en python y la mas nueva versión es la v 1.6 basados en la revisión del changelog que esta en el siguiente link:

https://github.com/elcodigok/wphardening/releases

Entre las opciones de seguridad que tiene esta gran utilería podemos describir las siguientes:

  • Modificar los permisos de los archivos a 755 en el directorio y 644 en archivos.
  • Eliminar archivos y directorios.
  • Creación de los famosos y bien ponderados ROBOTS.TXT.
  • Eliminar huellas de IDENTIFICACIÓN DE WORDPRESS.
  • Cambio de propietario de archivos y directorios. 
  • Descargar complementos de seguridad. 
  • Utilizar un proxy HTTP para conectarse a la URL de destino.
  • Negar  la visualización de contenidos de los directorios. 
  • Comprimir archivos estáticos .css y .js. 
  • Escanear en busca de Malware en el proyecto de WordPress.
  • La posibilidad de usar FIREWALL 6G.
  • Desactivación de las API´s REST.

Como pueden ver amigos esta utilería es de gran ayuda  para la configuración y hardening de nuestro WORDPRESS, pero cabe señalar que si bajas un plugin con vulnerabilidades esto no lo podrá parar. ok.


INSTALACIÓN

Los creadores de esta utilería no la pusieron muy fácil la instalación ya que con el siguiente comando lo podremos instalar en LINUX.

$ pip install -r requirements.txt
 
 
  y además podremos bajar varios plugins con los acules podremos interactuar para mejorar mas la seguridad en WORDPRESS.

  • AntiVirus
  • Bad Behavior
  • Block Bad Queries
  • Exploit Scanner
  • Latch
  • NinjaFirewall
  • Simple History
  • Stream
  • WP Security Scan
  • WP-DBManager
  • WPS Hide Login 
 Que ya en breve explicaremos uno a uno en coordinación y apoyo a la página:


 
 





Saludos y nos vemos en la próxima edición.

LI. Rodolfo h. Baz

Crowdstrike -> Solución de errores de actualización de CrowdStrike con BitLocker habilitado

En este pequeño articulo ver como componer el problema de CROWDSTRIKE cuando esta habilitado el BITLOCKER, cabe resaltar que puede ser una e...