WHY
Capital One
  Date: March 22 and 23, 2019
  Number of records breached: 106 million
  Information exposed: Names, addresses, ZIP codes, phone numbers, email addresses, birthdates and self-reported income. Customer credit scores, credit limits, balances, payment history, and contact information.

Evite
  Date: February 22, 2019
  Number of records breached: 100 million
  Information exposed: Names, email addresses, passwords, and IP addresses of Evite customers.

American Medical Collection Agency
  Date: August 1, 2018, to March 30, 2019
  Number of records breached: More than 20 million
  Information exposed: Social Security numbers, dates of birth, payment card data, and credit card information.

src: https://us.norton.com/internetsecurity-emerging-threats-2019-data-breaches.html
confidential
HOW
src: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Src: https://owasp.org/www-staff/operating-plan/2020.html
src: https://www.hackerone.com/top-10-vulnerabilities
WHAT
CNAME Based (Company Level)
  Domain: yourcompanydomain.biz
  Subdomain: blog.yourcompanydomain.biz
  CNAME target: yourcompanyblog.biz
  Record: blog.yourcompanydomain.biz. 3600 IN CNAME yourcompanyblog.biz.
CNAME Based (Dev Level)
  Domain: yourcompanydomain.biz
  Subdomain: opensource.yourcompanydomain.biz
  CNAME target: opensource.github.io
  Record: opensource.yourcompanydomain.biz. 3600 IN CNAME opensource.github.io.
Similar Behaviour With
• Amazon S3
• Heroku
• Shopify
• Microsoft Azure
• Statuspage
• Tumblr
• Wordpress
• And more …
Src: https://github.com/EdOverflow/can-i-take-over-xyz
Be aware that this also works with NS and MX DNS entries.
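The audit a defender would run over their own zone for the two CNAME cases above (and the NS/MX variant the slide mentions), as an added example that is not part of the talk. A record is flagged when its target no longer resolves, or when the target is a hosting provider name that still resolves but answers with the provider's "unclaimed site" page. Zone records, DNS answers and HTTP bodies are constructed so it runs offline; `fake_resolve` and `fake_fetch` are stand-ins for real lookups.

```python
"""Added example, not part of the talk: audit CNAME, NS and MX records in
your own zone for dangling targets. All data below is constructed."""
from typing import Callable, List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, target)

# Constructed zone mirroring the slide's examples, plus NS/MX entries.
ZONE: List[Record] = [
    ("blog.yourcompanydomain.biz.", "CNAME", "yourcompanyblog.biz."),
    ("opensource.yourcompanydomain.biz.", "CNAME", "opensource.github.io."),
    ("www.yourcompanydomain.biz.", "CNAME", "yourcompanydomain.biz."),
    ("yourcompanydomain.biz.", "MX", "mail.yourcompanyblog.biz."),
    ("yourcompanydomain.biz.", "NS", "ns1.yourcompanydomain.biz."),
]

# Constructed resolver answers; None stands for NXDOMAIN. Addresses are
# documentation ranges, not real hosts.
FAKE_DNS = {
    "yourcompanyblog.biz.": None,               # registration lapsed
    "opensource.github.io.": "203.0.113.20",    # provider wildcard still resolves
    "yourcompanydomain.biz.": "203.0.113.10",
    "mail.yourcompanyblog.biz.": None,          # MX pointing into the lapsed domain
    "ns1.yourcompanydomain.biz.": "203.0.113.53",
}

# "Unclaimed" markers per provider suffix. The GitHub string is the one
# listed in the can-i-take-over-xyz repository cited on the slide; verify
# it against the provider's current response before relying on it.
PROVIDER_FINGERPRINTS = {
    ".github.io.": "There isn't a GitHub Pages site here.",
}

# Constructed HTTP bodies returned by the targets that resolve.
FAKE_HTTP = {
    "opensource.github.io.": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def fake_fetch(name: str) -> str:
    return FAKE_HTTP.get(name, "")


def classify(record: Record,
             resolve: Callable[[str], Optional[str]],
             fetch: Callable[[str], str]) -> str:
    """Return 'ok', 'ignored', or a 'dangling: ...' reason for one record."""
    _, rtype, target = record
    if rtype not in ("CNAME", "NS", "MX"):
        return "ignored"
    if resolve(target) is None:
        return "dangling: target does not resolve"
    for suffix, marker in PROVIDER_FINGERPRINTS.items():
        if target.endswith(suffix) and marker in fetch(target):
            return "dangling: target unclaimed at provider"
    return "ok"


def audit(zone: List[Record],
          resolve: Callable[[str], Optional[str]] = fake_resolve,
          fetch: Callable[[str], str] = fake_fetch) -> List[Tuple[str, str, str, str]]:
    """Return every record that needs attention, with its reason."""
    findings = []
    for record in zone:
        verdict = classify(record, resolve, fetch)
        if verdict.startswith("dangling"):
            findings.append((*record, verdict))
    return findings


if __name__ == "__main__":
    for owner, rtype, target, why in audit(ZONE):
        print(f"{owner} {rtype} {target}: {why}")
```

Records that point at a lapsed domain show up through plain NXDOMAIN; records that point at a shared hosting name only show up through the provider's response, which is why both checks are needed. The fix in either case is to delete the record or reclaim the target before the record is removed.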
Paid Service
Self-Service
[Diagram: SSRF against a service hosted on AWS / GCP / Azure where only ports 80 and 443 are allowed outbound]
Examples:

Digital Ocean
  http://169.254.169.254/metadata/v1.json
  http://169.254.169.254/metadata/v1/
  http://169.254.169.254/metadata/v1/id
  http://169.254.169.254/metadata/v1/user-data
  http://169.254.169.254/metadata/v1/hostname
  http://169.254.169.254/metadata/v1/region
  http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address

AWS
  http://169.254.169.254/latest/user-data
  http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
  http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
  http://169.254.169.254/latest/meta-data/ami-id
  http://169.254.169.254/latest/meta-data/reservation-id
  http://169.254.169.254/latest/meta-data/hostname
  http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
  http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key

Oracle Cloud
  http://192.0.0.192/latest/
  http://192.0.0.192/latest/user-data/
  http://192.0.0.192/latest/meta-data/
  http://192.0.0.192/latest/attributes/

GCP (requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True")
  http://169.254.169.254/computeMetadata/v1/
  http://metadata.google.internal/computeMetadata/v1/
  http://metadata/computeMetadata/v1/
  http://metadata.google.internal/computeMetadata/v1/instance/hostname
  http://metadata.google.internal/computeMetadata/v1/instance/id
  http://metadata.google.internal/computeMetadata/v1/project/project-id

Src: https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
Demo
SSRF mitigations:
• Whitelist IP ranges / DNS names, e.g. the 192.168.0.1/24 range
• Use authentication also for internal services
• Disable unnecessary URL schemes (file://, dict://, ftp://, gopher://)
• Monitor the response sent back to the user
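An allowlist-based URL check that applies the first three controls above before a server-side fetch, as an added example that is not part of the talk. Scheme, port, host name and every resolved address are checked, so an allowlisted name that resolves to 169.254.169.254 or 192.0.0.192 is still refused. The allowlist, the DNS table and `fake_resolve` are constructed so the check runs offline; in production replace `fake_resolve` with a real lookup such as `socket.getaddrinfo`.

```python
"""Added example, not part of the talk: validate a user-supplied URL
against an allowlist before the server fetches it. Allowlist and DNS
answers are constructed."""
import ipaddress
from typing import Callable, Dict, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}           # no file://, dict://, ftp://, gopher://
ALLOWED_PORTS = {80, 443}
ALLOWED_HOST_SUFFIXES = (".example.com",)     # constructed allowlist of DNS names
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed allowlist

# Constructed DNS answers. "cdn.example.com" is the interesting case: the
# name passes the host allowlist but resolves to the metadata address.
FAKE_DNS: Dict[str, List[str]] = {
    "images.example.com": ["198.51.100.7"],
    "cdn.example.com": ["169.254.169.254"],
    "metadata.google.internal": ["169.254.169.254"],
    "evil.example.net": ["203.0.113.5"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def validate_outbound_url(url: str,
                          resolve: Callable[[str], List[str]] = fake_resolve) -> str:
    """Return "ok" if the URL may be fetched, otherwise the rejection reason."""
    u = urlsplit(url)
    if u.scheme not in ALLOWED_SCHEMES:
        return f"scheme {u.scheme!r} not allowed"
    host = u.hostname            # lowercased; userinfo ("a@b") is stripped
    if not host:
        return "missing host"
    try:
        port = u.port or (443 if u.scheme == "https" else 80)
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    try:
        # Literal address in the URL: check it directly, never consult DNS.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        if not host.endswith(ALLOWED_HOST_SUFFIXES):
            return f"host {host!r} not on allowlist"
        addrs = resolve(host)
        if not addrs:
            return f"host {host!r} does not resolve"
    # Every address must fall inside an allowed network. An IPv6 address is
    # never "in" an IPv4 network, so v6 literals are refused here too.
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if not any(ip in net for net in ALLOWED_NETWORKS):
            return f"address {a} outside allowed networks"
    return "ok"


if __name__ == "__main__":
    for candidate in ("http://images.example.com/a.png",
                      "http://cdn.example.com/",
                      "http://images.example.com@169.254.169.254/",
                      "http://192.0.0.192/latest/",
                      "file:///etc/passwd"):
        print(candidate, "->", validate_outbound_url(candidate))
```

Two things this check cannot do on its own: the fetch must connect to the address that was validated (resolve once, then connect to that IP) rather than resolving again, and redirects must be re-validated per hop or disabled. The fourth control on the slide, monitoring the response, means returning only the fields the feature needs rather than relaying the upstream body to the user.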
[Diagram: HTTP requests from User 1 and User 2 pass through a Proxy / LB that reuses shared connections to Backend Server 1, 2 and 3]

User 1, benign request (Content-Length framing):
  POST /sec4devBenign HTTP/1.1
  Host: sec4dev.io
  Content-Length: 19

  testparam=testvalue

User 1, benign request (chunked framing):
  POST /sec4devBenign HTTP/1.1
  Host: sec4dev.io
  Transfer-Encoding: chunked

  13
  testparam=testvalue
  0

User 1, desync request (both headers):
  POST /sec4devDesync HTTP/1.1
  Host: sec4dev.io
  Content-Length: 17
  Transfer-Encoding: chunked

  0

  SEC4DEVROCKS

[Diagram: the leftover bytes (x) from User 1's request stay on the shared backend connection and are prefixed to User 2's request]
Demo
Mitigations:
• Use separate network connections for each request
• Use HTTP/2 for backend connections (the benign request is then sent as "POST /sec4devBenign HTTP/2")
• Use the exact same software for frontend / backend
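The desync demo and the mitigation list above, worked through in code as an added example that is not part of the talk: the three requests from the slides are parsed once with Content-Length framing and once with chunked framing, which shows exactly which bytes are left on the connection for User 2, and a front-end gate then refuses any request whose framing could be read two ways. This is the check a proxy can apply regardless of which of the three architectural mitigations is in place. The wire images are constructed from the slide text with CRLF line endings.

```python
"""Added example, not part of the talk: CL vs TE framing of the demo's
requests, and a front-end gate that rejects ambiguous framing."""
from typing import List, Tuple

# Constructed wire images of the three requests shown on the slides.
BENIGN_CL = (b"POST /sec4devBenign HTTP/1.1\r\nHost: sec4dev.io\r\n"
             b"Content-Length: 19\r\n\r\n"
             b"testparam=testvalue")
BENIGN_TE = (b"POST /sec4devBenign HTTP/1.1\r\nHost: sec4dev.io\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n"
             b"13\r\ntestparam=testvalue\r\n0\r\n\r\n")
DESYNC = (b"POST /sec4devDesync HTTP/1.1\r\nHost: sec4dev.io\r\n"
          b"Content-Length: 17\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"0\r\n\r\nSEC4DEVROCKS")

Headers = List[Tuple[str, str]]


def split_head(raw: bytes) -> Tuple[Headers, bytes]:
    """Split a request into (header list, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers: Headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        k, _, v = line.decode("latin-1").partition(":")
        headers.append((k.strip().lower(), v.strip()))
    return headers, rest


def header_values(headers: Headers, name: str) -> List[str]:
    return [v for k, v in headers if k == name]


def body_by_content_length(raw: bytes) -> Tuple[bytes, bytes]:
    """(body, leftover) as a Content-Length parser sees the request."""
    headers, rest = split_head(raw)
    values = header_values(headers, "content-length")
    n = int(values[0]) if values else 0
    return rest[:n], rest[n:]


def body_by_chunked(raw: bytes) -> Tuple[bytes, bytes]:
    """(body, leftover) as a Transfer-Encoding: chunked parser sees it."""
    _, rest = split_head(raw)
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")     # empty trailer section
            return body, rest                        # leftover = next request
        body += rest[:size]
        rest = rest[size + 2:]                       # skip data and its CRLF


def frontend_gate(raw: bytes) -> str:
    """Accept only requests with exactly one unambiguous framing."""
    headers, _ = split_head(raw)
    cls = header_values(headers, "content-length")
    tes = header_values(headers, "transfer-encoding")
    if cls and tes:
        return "reject: Content-Length and Transfer-Encoding both present"
    if len(cls) > 1:
        return "reject: duplicated Content-Length"
    if len(tes) > 1 or (tes and tes[0].lower() != "chunked"):
        return "reject: unsupported or duplicated Transfer-Encoding"
    return "accept"


if __name__ == "__main__":
    print("proxy (CL):  ", body_by_content_length(DESYNC))
    print("backend (TE):", body_by_chunked(DESYNC))
    for req in (BENIGN_CL, BENIGN_TE, DESYNC):
        print(req.split(b"\r\n", 1)[0].decode(), "->", frontend_gate(req))
```

On the desync request the Content-Length side consumes all 17 body bytes, while the chunked side stops at the `0` chunk and leaves `SEC4DEVROCKS` on the connection, which is the prefix that lands in front of User 2's request in the diagram. The gate removes the disagreement by refusing to forward a request that carries both headers, which is stricter than the precedence rule in RFC 7230 but is the behaviour a front end should have.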
• Build awareness, enable employees
• Use a secrets vault / manager
• Pre-commit hooks
• GitHub token scanning service
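What the "pre-commit hooks" item looks like in practice, as an added example that is not part of the talk: a hook that scans only the added lines of the staged diff for secret-shaped strings and blocks the commit when it finds one. The rules, the sample diff and the `--demo` switch are constructed for this example; the access key id in the sample is the value AWS uses in its own documentation, not a live credential.

```python
"""Added example, not part of the talk: a pre-commit hook that refuses
commits whose staged diff adds secret-looking strings. Rules and sample
diff are constructed."""
import re
import subprocess
import sys
from typing import List, Tuple

# Constructed rules: one provider-specific format, one key-material marker,
# one generic "name = value" pattern. Extend per organisation.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("generic-assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['\"]?"
        r"[A-Za-z0-9/+_\-]{16,}")),
]

# Constructed staged diff. The key id is AWS's documentation example value.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery-staple-2019"
 DEBUG = False
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
+Set API_KEY via the environment, never in code.
"""

Finding = Tuple[str, int, str, str]   # (file, line in new file, rule, text)


def scan_diff(diff: str) -> List[Finding]:
    """Return findings for added lines only; removed lines are not scanned."""
    findings: List[Finding] = []
    path, lineno = "", 0
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
        if hunk:
            lineno = int(hunk.group(1))            # first line of the new side
            continue
        if line.startswith("+"):
            for name, rx in RULES:
                if rx.search(line):
                    findings.append((path, lineno, name, line[1:]))
            lineno += 1
        elif not line.startswith("-") and not line.startswith("\\"):
            lineno += 1                             # context line
    return findings


def staged_diff() -> str:
    """The diff a real hook inspects: what is about to be committed."""
    return subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    diff = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    hits = scan_diff(diff)
    for path, lineno, rule, text in hits:
        print(f"{path}:{lineno}: {rule}: {text}")
    sys.exit(1 if hits else 0)
```

Installed as `.git/hooks/pre-commit` (or through a hook manager) the script exits non-zero and the commit is refused; `python hook.py --demo` runs it against the sample diff instead. The README line shows the kind of false positive the `[:=]` requirement avoids. A hook like this catches the obvious cases on the developer's machine; the token scanning service listed above is the server-side backstop for what slips through.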
Recommend
More recommend