why
play

WHY Capital One Date : March 22 and 23, 2019 Number of - PowerPoint PPT Presentation

Aug 30, 2023 •201 likes •1.05k views

WHY Capital One Date : March 22 and 23, 2019 Number of records breached : 106 million Information exposed : Names, addresses, ZIP codes, phone numbers, email addresses, birthdates and self-reported income. Customer credit

  2. • • •

  4. WHY

  5. Capital One Date : March 22 and 23, 2019 Number of records breached : 106 million Information exposed : Names, addresses, ZIP codes, phone numbers, email addresses, birthdates and self-reported income. Customer credit scores, credit limits, balances, payment history, and contact information. Evite Date : February 22, 2019 Number of records breached : 100 million Information exposed : Names, email addresses, passwords, and IP addresses of Evite customers. American Medical Collection Agency Date : August 1, 2018, to March 30, 2019 Number of records breached : More than 20 million Information exposed : Social Security numbers, dates of birth, payment card data, and credit card information. src: https://us.norton.com/internetsecurity-emerging-threats-2019-data-breaches.html

  6. confidential

  7. HOW

  8. src: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

  9. Src: https://owasp.org/www-staff/operating-plan/2020.html

  12. 14 Confidential

  15. src: https://www.hackerone.com/top-10-vulnerabilities

  16. src: https://www.hackerone.com/top-10-vulnerabilities

  22. WHAT

  25. CNA NAME Base ased (C (Company Le Level) yourcompanydomain.biz yourcompanyblog.biz

  26. CNA NAME Base ased (C (Company Le Level) yourcompanydomain.biz blog.yourcompanydomain.biz yourcompanyblog.biz blog.yourcompanydomain.biz. 3600 IN CNAME yourcompanyblog.biz.

  27. CNA NAME Base ased (C (Company Le Level) yourcompanydomain.biz blog.yourcompanydomain.biz yourcompanyblog.biz blog.yourcompanydomain.biz. 3600 IN CNAME yourcompanyblog.biz.

  29. CNA NAME Base ased (C (Company Le Level) yourcompanyblog.biz yourcompanydomain.biz blog.yourcompanydomain.biz yourcompanyblog.biz blog.yourcompanydomain.biz. 3600 IN CNAME yourcompanyblog.biz.

  30. CNA NAME Base ased (C (Company Le Level) yourcompanydomain.biz blog.yourcompanydomain.biz blog.yourcompanydomain.biz yourcompanyblog.biz blog.yourcompanydomain.biz. 3600 IN CNAME yourcompanyblog.biz.

  31. CNA NAME Base ased (D (Dev Le Level) l) yourcompanydomain.biz opensource.yourcompanydomain.biz opensource.github.io opensource.yourcompanydomain.biz. 3600 IN CNAME opensource.github.io.

  32. CNA NAME Base ased (D (Dev Le Level) l) yourcompanydomain.biz opensource.yourcompanydomain.biz opensource.github.io opensource.yourcompanydomain.biz. 3600 IN CNAME opensource.github.io.

  34. CNA NAME Base ased (D (Dev Le Level) l) opensource.github.io yourcompanydomain.biz opensource.yourcompanydomain.biz opensource.github.io opensource.yourcompanydomain.biz. 3600 IN CNAME opensource.github.io.

  35. CNA NAME Base ased (D (Dev Le Level) l) yourcompanydomain.biz opensource.yourcompanydomain.biz opensource.yourcompanydomain.biz opensource.github.io opensource.yourcompanydomain.biz. 3600 IN CNAME opensource.github.io.

  36. Si Simila ilar Behaviour Wit ith • Amazon S3 • Her Heroku • Sho Shopify fy • Mic icrosoft Azur ure • St Statuspage • Tumblr lr • Wor ordpress ss • And mor ore … Src: https://github.com/EdOverflow/can-i-take-over-xyz

  37. Be aware that this als lso works wit ith NS and MX DNS entries

  39. Paid Service

  41. Self lf-Serv rvice

  45. AWS GCP PORT 80,443 ALLOWED AZURE

  46. AWS GCP PORT 80,443 ALLOWED AZURE

  47. AWS GCP SSRF PORT 80,443 ALLOWED AZURE

  48. Examples: Ex Examples: : Digital Ocean http://169.254.169.254/metadata/v1.json AWS http://169.254.169.254/metadata/v1/ http://169.254.169.254/metadata/v1/id http://169.254.169.254/latest/user-data http://169.254.169.254/metadata/v1/user-data http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] http://169.254.169.254/metadata/v1/hostname http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] http://169.254.169.254/metadata/v1/region http://169.254.169.254/latest/meta-data/ami-id http://169.254.169.254/latest/meta-data/reservation-id http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address http://169.254.169.254/latest/meta-data/hostname http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key Oracle Cloud GCP http://192.0.0.192/latest/ http://192.0.0.192/latest/user-data/ Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata- http://192.0.0.192/latest/meta-data/ Request: True" http://192.0.0.192/latest/attributes/ http://169.254.169.254/computeMetadata/v1/ http://metadata.google.internal/computeMetadata/v1/ http://metadata/computeMetadata/v1/ http://metadata.google.internal/computeMetadata/v1/instance/hostname http://metadata.google.internal/computeMetadata/v1/instance/id http://metadata.google.internal/computeMetadata/v1/project/project-id Src: https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b

  49. Demo

  52. Whiteli list IP IP Ra Ranges s / / DN DNS Na Names e.g. 192.168.0.1/24 range AWS GCP SSRF PORT 80,443 ALLOWED AZURE

  53. Use se Authentic ication Als lso for In Internal l Se Services AWS GCP SSRF PORT 80,443 ALLOWED AZURE

  54. Di Disable le Unnecessary URL Sc Schemes AWS file: file:// dict dict:// ftp:/ ftp :// GCP go gophe pher:// SSRF PORT 80,443 ALLOWED AZURE

  55. Mon onitor Response Se Sent Bac ack to o th the Use ser AWS GCP SSRF PORT 80,443 ALLOWED AZURE

  57. Backend Server 1 User 1 HTTP 1 1 1 1 2 2 2 Requests Proxy / LB Backend Server 2 User 2 Backend Server 3

  58. User 1 POST /sec4devBenign HTTP/1.1 Host: sec4dev.io HTTP Content-Length: 19 Requests testparam=testvalue User 2

  59. User 1 POST /sec4devBenign HTTP/1.1 Host: sec4dev.io HTTP Transfer-Encoding: chunked Requests 13 testparam=testvalue 0 User 2

  60. User 1 POST /sec4devDesync HTTP/1.1 Host: sec4dev.io HTTP Content-Length: 17 Requests Transfer-Encoding: chunked 0 SEC4DEVROCKS User 2

  61. 1 1 1 x Backend Server 1 User 1 Coming 1 1 1 from x1 user 1 HTTP 1 1 1 x 2 2 2 Requests Coming x2 from Proxy / LB 2 2 Backend Server 2 user 2 2 2 2 User 2 Backend Server 3

  62. Demo

  65. Use se Se Separate Ne Network Con onnections For Eac ach Request Backend Server 1 User 1 HTTP 1 Requests 2 Proxy / LB Backend Server 2 User 2 Backend Server 3

  66. Use se HTTP/2 For or Bac ackend Con onnections User 1 POST /sec4devBenign HT HTTP/2 Host: sec4dev.io HTTP Content-Length: 19 Requests testparam=testvalue User 2

  67. Use se Exact Sa Same So Software for Fr Frontend / / Bac ackend Backend Server 1 User 1 HTTP 1 1 1 1 2 2 2 Requests Proxy / LB Backend Server 2 User 2 Backend Server 3

  69. confidential

  71. Build Awareness Enable Employees

  72. Use Secrets Vault / Manager

  75. pre-commit hooks

  77. Git ithub Token Scanning Service

  79. • • • • •

  80. • • • • •

  81. • •

  82. • • • •

  83. • •

  84. • • •

Recommend

More recommend