
WHY Capital One Date : March 22 and 23, 2019 Number of - PowerPoint PPT Presentation




  2. WHY

  3. Capital One
     Date: March 22 and 23, 2019
     Number of records breached: 106 million
     Information exposed: Names, addresses, ZIP codes, phone numbers, email addresses, birthdates and self-reported income. Customer credit scores, credit limits, balances, payment history, and contact information.
     Evite
     Date: February 22, 2019
     Number of records breached: 100 million
     Information exposed: Names, email addresses, passwords, and IP addresses of Evite customers.
     American Medical Collection Agency
     Date: August 1, 2018, to March 30, 2019
     Number of records breached: More than 20 million
     Information exposed: Social Security numbers, dates of birth, payment card data, and credit card information.
     src: https://us.norton.com/internetsecurity-emerging-threats-2019-data-breaches.html

  4. confidential

  5. HOW

  6. src: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

  7. Src: https://owasp.org/www-staff/operating-plan/2020.html


  9-10. src: https://www.hackerone.com/top-10-vulnerabilities

  11. WHAT

  12-16. CNAME Based (Company Level)
     yourcompanydomain.biz
       blog.yourcompanydomain.biz
         yourcompanyblog.biz
     blog.yourcompanydomain.biz. 3600 IN CNAME yourcompanyblog.biz.
     The company runs its blog on a second domain, yourcompanyblog.biz, and points blog.yourcompanydomain.biz at it with a CNAME. If yourcompanyblog.biz is later allowed to expire while the CNAME record stays in the zone, whoever registers yourcompanyblog.biz next answers for blog.yourcompanydomain.biz.

  17-20. CNAME Based (Dev Level)
     yourcompanydomain.biz
       opensource.yourcompanydomain.biz
         opensource.github.io
     opensource.yourcompanydomain.biz. 3600 IN CNAME opensource.github.io.
     Here a developer publishes the company's open-source page on GitHub Pages and opensource.yourcompanydomain.biz is pointed at it. If the Pages site is removed while the CNAME remains, the subdomain points at a hostname on a service anyone can sign up for, and whoever gets the service to serve that hostname publishes content under the company's name.

  21. Similar Behaviour With
     • Amazon S3
     • Heroku
     • Shopify
     • Microsoft Azure
     • Statuspage
     • Tumblr
     • Wordpress
     • And more ...
     Src: https://github.com/EdOverflow/can-i-take-over-xyz

  22. Be aware that this also works with NS and MX DNS entries: a delegation (NS) or mail exchanger (MX) that names a host nobody controls any more can be claimed the same way.

  23. Paid Service

  24. Self-Service
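A dangling-record finder for the zone shown on slides 13-20, added here as an example that is not part of the talk. It reads records in the "name ttl class type rdata" form used on those slides, flags CNAME, NS and MX targets outside the zone that no longer resolve, and separately flags targets on the hosting services named on slide 21 so they can be checked against the fingerprints in can-i-take-over-xyz. The zone, the lookup answers in SAMPLE_RESOLVES and the suffix list are constructed for this example; a real run passes the resolves() wrapper around the system resolver instead of sample_resolves.

```python
import socket

ZONE = "yourcompanydomain.biz"   # the company domain from the slides

# Constructed zone in the "name ttl class type rdata" form used on the slides.
SAMPLE_ZONE = """\
yourcompanydomain.biz.             3600 IN A     203.0.113.10
www.yourcompanydomain.biz.         3600 IN CNAME yourcompanydomain.biz.
blog.yourcompanydomain.biz.        3600 IN CNAME yourcompanyblog.biz.
opensource.yourcompanydomain.biz.  3600 IN CNAME opensource.github.io.
yourcompanydomain.biz.             3600 IN MX    10 mail.yourcompanyblog.biz.
"""

# Constructed lookup answers standing in for live DNS: the old blog domain has
# expired, while the GitHub Pages hostname is assumed to still resolve.
SAMPLE_RESOLVES = {"opensource.github.io": True, "yourcompanydomain.biz": True}

# Hosting suffixes for the services listed on slide 21. Illustrative subset only;
# the maintained, fingerprint-based list is https://github.com/EdOverflow/can-i-take-over-xyz
TAKEOVER_PRONE_SUFFIXES = (
    "github.io", "s3.amazonaws.com", "herokuapp.com", "myshopify.com",
    "azurewebsites.net", "cloudapp.net", "trafficmanager.net",
    "statuspage.io", "domains.tumblr.com", "wordpress.com",
)


def parse_zone_lines(text):
    """Parse 'name ttl class type rdata' lines into (name, type, rdata) tuples, normalised to lowercase without trailing dots."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()      # drop zone-file comments
        if not line:
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((name.rstrip(".").lower(), rtype.upper(), rdata.rstrip(".").lower()))
    return records


def resolves(name):
    """True if the system resolver returns any address for the name; False on NXDOMAIN or lookup failure."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def sample_resolves(name):
    return SAMPLE_RESOLVES.get(name, False)


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def find_dangling(records, zone, resolve=resolves):
    """Return (name, type, target, reason) for CNAME/NS/MX records whose target lies
    outside the zone and either no longer resolves or lives on a takeover-prone host."""
    findings = []
    for name, rtype, rdata in records:
        if rtype not in ("CNAME", "NS", "MX"):
            continue
        # MX rdata is "<preference> <exchange>"; CNAME and NS rdata is the target itself.
        target = rdata.split()[-1] if rtype == "MX" else rdata
        if in_zone(target, zone):
            continue   # an in-zone target is not a third-party takeover risk
        if not resolve(target):
            findings.append((name, rtype, target, "target does not resolve (dangling)"))
        elif any(target == s or target.endswith("." + s) for s in TAKEOVER_PRONE_SUFFIXES):
            findings.append((name, rtype, target,
                             "third-party hosting target; verify the service still claims it"))
    return findings


if __name__ == "__main__":
    for finding in find_dangling(parse_zone_lines(SAMPLE_ZONE), ZONE, sample_resolves):
        print(*finding, sep="\t")
```

For NS and MX the unresolvable-target check is the important one, since the name server or mail host being claimable by a third party is exactly what slide 22 warns about; for the hosting services, a resolving target is not proof of safety, which is why those are reported separately for fingerprint verification.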

  25-27. Diagram: SSRF from the internet-facing application into the cloud metadata services of AWS, GCP and Azure; only ports 80 and 443 are allowed through.

  28. Examples:
     Digital Ocean
       http://169.254.169.254/metadata/v1.json
       http://169.254.169.254/metadata/v1/
       http://169.254.169.254/metadata/v1/id
       http://169.254.169.254/metadata/v1/user-data
       http://169.254.169.254/metadata/v1/hostname
       http://169.254.169.254/metadata/v1/region
       http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
     AWS
       http://169.254.169.254/latest/user-data
       http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
       http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
       http://169.254.169.254/latest/meta-data/ami-id
       http://169.254.169.254/latest/meta-data/reservation-id
       http://169.254.169.254/latest/meta-data/hostname
       http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
       http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
     Oracle Cloud
       http://192.0.0.192/latest/
       http://192.0.0.192/latest/user-data/
       http://192.0.0.192/latest/meta-data/
       http://192.0.0.192/latest/attributes/
     GCP (requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True")
       http://169.254.169.254/computeMetadata/v1/
       http://metadata.google.internal/computeMetadata/v1/
       http://metadata/computeMetadata/v1/
       http://metadata.google.internal/computeMetadata/v1/instance/hostname
       http://metadata.google.internal/computeMetadata/v1/instance/id
       http://metadata.google.internal/computeMetadata/v1/project/project-id
     Src: https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
     Two provider-side caveats: Azure's metadata service at the same 169.254.169.254 address only answers requests carrying the header "Metadata: true", and AWS IMDSv2 only answers requests carrying a session token obtained with a PUT, which a GET-only SSRF cannot perform.

  29. Demo

  30. Whitelist IP Ranges / DNS Names (e.g. the 192.168.0.0/24 range)

  31. Use Authentication Also for Internal Services

  32. Disable Unnecessary URL Schemes: file://, dict://, ftp://, gopher://

  33. Monitor the Response Sent Back to the User
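The checks on slides 30 and 32 as an outbound-URL validator, added here as an example that is not the presenter's code, written against the metadata addresses listed on slide 28. It allows only http and https (so file://, dict://, ftp:// and gopher:// never get fetched), rejects URLs whose host is, or resolves to, loopback, RFC 1918, link-local (169.254.169.254) or the Oracle 192.0.0.192 address, including the IPv4-mapped IPv6 spelling, and returns the single resolved address so the caller connects to that address instead of resolving a second time (the DNS rebinding case). The hostnames in SAMPLE_DNS are constructed; in production system_resolver is used, and a name such as metadata.google.internal is then rejected because of what it resolves to. This is a per-request check and complements, rather than replaces, slide 31's authentication for internal services and slide 33's response monitoring.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, dict://, ftp://, gopher:// are never fetched

# Ranges an outbound fetcher must never reach. Beyond loopback and RFC 1918 this
# covers the metadata endpoints on slide 28: 169.254.169.254 (AWS, GCP, Azure,
# DigitalOcean, in the link-local block) and 192.0.0.192 (Oracle Cloud).
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.192/32", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed lookup table so the example runs offline; a real deployment uses system_resolver.
SAMPLE_DNS = {
    "public.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "169.254.169.254"],   # one public and one metadata address
}


def system_resolver(host):
    """Every address the name maps to (A and AAAA); raises OSError when resolution fails."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return SAMPLE_DNS[host]


def is_denied(ip):
    """True if the address falls into a denied range; IPv4-mapped IPv6 is unwrapped first
    so ::ffff:169.254.169.254 is judged by the IPv4 rules."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in DENIED_NETWORKS)


def validate_outbound_url(url, resolver=system_resolver):
    """Return (ok, detail). On success detail is the one pinned IP the caller must
    connect to; resolving the name again later reopens the DNS rebinding window."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]      # literal address, no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)                      # odd literals (hex, decimal) end up here too
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "no addresses"
    # Every answer must be clean: a mixed answer set is how rebinding and round-robin tricks work.
    for ip in addrs:
        if is_denied(ip):
            return False, f"{host} resolves to denied address {ip}"
    return True, addrs[0]


if __name__ == "__main__":
    for candidate in ("http://public.example/report", "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/", "gopher://public.example:6379/_SET"):
        print(candidate, validate_outbound_url(candidate, sample_resolver))
```

The returned address is meant to be used directly: open the socket to that IP and send the original Host header, or hand the address to an HTTP client that lets you pin it. Validating the name and then letting the client resolve it again is the common mistake that turns a correct check into a race.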

  34. Diagram: User 1 and User 2 send HTTP requests to the Proxy / LB, which forwards them to Backend Server 1, 2 and 3 over shared, reused connections (user 1's requests 1 1 1 and user 2's requests 2 2 2 travel down the same backend sockets).

  35. HTTP Requests, User 1 (benign, Content-Length framing):
     POST /sec4devBenign HTTP/1.1
     Host: sec4dev.io
     Content-Length: 19

     testparam=testvalue

  36. HTTP Requests, User 1 (benign, chunked framing):
     POST /sec4devBenign HTTP/1.1
     Host: sec4dev.io
     Transfer-Encoding: chunked

     13
     testparam=testvalue
     0

  37. HTTP Requests, User 1 (desync, both headers at once):
     POST /sec4devDesync HTTP/1.1
     Host: sec4dev.io
     Content-Length: 17
     Transfer-Encoding: chunked

     0

     SEC4DEVROCKS
     The Content-Length of 17 covers the whole body ("0", the blank line and SEC4DEVROCKS), so a front end that honours Content-Length forwards all of it; a back end that honours Transfer-Encoding stops at the zero-length chunk and leaves the 12 bytes SEC4DEVROCKS unread on the connection.

  38. Diagram: the bytes marked x (the SEC4DEVROCKS left over from user 1) now sit at the front of the shared backend connection, so the back end prepends them to the next request it reads there, which comes from user 2.

  39. Demo

  40. Use Separate Network Connections For Each Request
     Diagram: the Proxy / LB opens a fresh backend connection per request, so user 1's request and user 2's request never share a socket and nothing can be left over for someone else.

  41. Use HTTP/2 For Backend Connections
     POST /sec4devBenign HTTP/2
     Host: sec4dev.io
     Content-Length: 19

     testparam=testvalue

  42. Use Exact Same Software for Frontend / Backend
     Diagram: User 1 and User 2 -> Proxy / LB -> Backend Server 1, 2 and 3, all running the same HTTP parser so that both sides frame a request identically.
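The three requests from slides 35-37 run through both framing rules, as an added example that is not the talk's demo code: frame_by_content_length mirrors a front end that trusts Content-Length, frame_by_chunked mirrors a back end that trusts Transfer-Encoding, and poisoned_next_request shows the leftover bytes landing in front of user 2's request as on slide 38. USER2_REQUEST is constructed for the example. has_ambiguous_framing is the proxy-side check that goes with the mitigations on slides 40-42: RFC 7230 section 3.3.3 allows a message carrying both headers to be rejected, and a front end that rejects it removes the disagreement the attack depends on.

```python
CRLF = b"\r\n"

# Constructed from the requests on slides 35-37 (sec4dev.io is the host shown there).
BENIGN_CL = (b"POST /sec4devBenign HTTP/1.1\r\nHost: sec4dev.io\r\nContent-Length: 19\r\n\r\n"
             b"testparam=testvalue")
BENIGN_TE = (b"POST /sec4devBenign HTTP/1.1\r\nHost: sec4dev.io\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"13\r\ntestparam=testvalue\r\n0\r\n\r\n")
DESYNC = (b"POST /sec4devDesync HTTP/1.1\r\nHost: sec4dev.io\r\nContent-Length: 17\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSEC4DEVROCKS")
# Constructed: the next request queued on the same backend connection, from user 2.
USER2_REQUEST = b"GET /account HTTP/1.1\r\nHost: sec4dev.io\r\nCookie: session=user2\r\n\r\n"


def split_head(raw):
    """Split raw request bytes into (request line, lowercase header dict, bytes after the blank line)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("ascii"), headers, rest


def frame_by_content_length(raw):
    """Framing by a front end that honours Content-Length: (request line, body, leftover bytes)."""
    request_line, headers, rest = split_head(raw)
    n = int(headers.get("content-length", "0"))
    return request_line, rest[:n], rest[n:]


def frame_by_chunked(raw):
    """Framing by a back end that honours Transfer-Encoding: chunked: (request line, body, leftover bytes)."""
    request_line, _headers, rest = split_head(raw)
    body, pos = b"", 0
    while True:
        line_end = rest.index(CRLF, pos)
        size = int(rest[pos:line_end].split(b";")[0], 16)   # chunk-size, ignoring chunk extensions
        pos = line_end + 2
        if size == 0:
            pos = rest.index(CRLF, pos) + 2                  # final CRLF after the last chunk
            return request_line, body, rest[pos:]
        body += rest[pos:pos + size]
        pos += size + 2                                      # skip the data and its trailing CRLF


def poisoned_next_request(raw, next_request):
    """What the back end reads as the *next* request on a shared connection after the
    front end (Content-Length) forwarded bytes the back end (chunked) did not consume."""
    _, _, leftover = frame_by_chunked(raw)
    return leftover + next_request


def has_ambiguous_framing(raw):
    """A request with both Content-Length and Transfer-Encoding is the CL.TE / TE.CL vector;
    a proxy should refuse it instead of picking one rule and hoping the back end agrees."""
    _, headers, _ = split_head(raw)
    return "content-length" in headers and "transfer-encoding" in headers


if __name__ == "__main__":
    print("front end (CL) sees :", frame_by_content_length(DESYNC))
    print("back end  (TE) sees :", frame_by_chunked(DESYNC))
    print("user 2 now sends    :", poisoned_next_request(DESYNC, USER2_REQUEST)[:40])
    print("reject up front?    :", has_ambiguous_framing(DESYNC))
```

The split is visible in the two framings of DESYNC: the front end reports an empty leftover, so from its point of view the connection is clean, while the back end reports SEC4DEVROCKS as unread input. Slide 40's one-connection-per-request and slide 41's HTTP/2 framing remove the shared socket that makes the leftover dangerous; the header check above removes the request before that point.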


  44. Build Awareness, Enable Employees

  45. Use Secrets Vault / Manager

  46. pre-commit hooks

  47. GitHub Token Scanning Service
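A pre-commit hook of the kind slide 46 calls for, added here as an example that is not the talk's code: it reads the staged diff with git diff --cached -U0, ignores removed and context lines, and refuses the commit when an added line contains a known-prefix token or a high-entropy value assigned to a secret-looking name. The two token patterns are this hook's own approximations of the public AWS access key ID and GitHub personal access token layouts; SAMPLE_DIFF is constructed, AKIAIOSFODNN7EXAMPLE is AWS's documented example key, and the ghp_ value is made up.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse a commit whose staged diff adds something that looks like a credential."""
import math
import re
import subprocess
import sys

# Token formats with a fixed, documented prefix (patterns are this hook's approximations).
KNOWN_TOKEN_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Fallback for secrets without a recognisable prefix: a long token assigned to a secret-like name.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})")

# Constructed staged diff: one real-format example key, one made-up GitHub token,
# one short password (below the length floor), one high-entropy value, one harmless comment.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,1 +10,5 @@
-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
+DEBUG_PASSWORD = "changeme"
+SESSION_SECRET = "q7Zp2mX9vL4kR8tB1nW6yH3dF5sG0jA2"
+# password: see vault
"""


def shannon_entropy(s):
    """Bits per character; random key material scores well above words and identifiers."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_diff(diff_text, entropy_threshold=3.5):
    """Return (file, line, reason, match) for every added line that looks like it carries a secret."""
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+"):
            continue   # removed and context lines are not new leaks
        added = line[1:]
        hits = [(reason, m.group(0)) for reason, p in KNOWN_TOKEN_PATTERNS.items()
                for m in p.finditer(added)]
        if not hits:   # only fall back to the entropy heuristic when no known format matched
            for m in ASSIGNMENT.finditer(added):
                if shannon_entropy(m.group(2)) >= entropy_threshold:
                    hits.append((f"high-entropy {m.group(1).lower()} value", m.group(2)))
        for reason, match in hits:
            findings.append((current_file, added.strip(), reason, match))
    return findings


def main():
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, _line, reason, match in findings:
        print(f"{path}: {reason}: {match[:6]}...", file=sys.stderr)   # never echo the full secret
    if findings:
        print("commit rejected: remove the secret, move it to the vault, then commit again", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it by copying the file to .git/hooks/pre-commit and making it executable. A hook is the last check before a secret reaches the repository, not the only one: a developer can bypass it with --no-verify, so the vault from slide 45 and GitHub's token scanning from slide 47 stay in place behind it.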
