WEB SECURITY
Marc Rivero López
About me…
• E-crime intelligence analyst
• Fraud researcher
• Crazy drummer
• DragonJAR, Flu Project, Security by Default
@seifreed
Talk outline
• Introduction
• Real cases
• Why does it happen?
• SQL injection
• XSS
• More vulnerabilities
• CMS
• WAF
• Recommendations
DOES SECURITY EXIST?
REAL CASES
• Website built on open-source technology
• A €437,691.50 website, with vulnerabilities
WHY DOES IT HAPPEN?
• Programming mistakes
• Rushing
• 0-day
• Untrained staff
• "I'll build your website for €10, or for €437,691.50"
• CMS, CMS everywhere
Vulnerable environments
SQL Injection
• Validation error
• Code injection
• Altered behaviour of the query
REFLECTED AND STORED XSS
• Injection of JavaScript code
• Bypassing protection measures
• `<script>alert(23);</script>`
• `';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`
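As an added example (not part of the slides), the following shows why the first payload above works when a comment is echoed unescaped, and what context-aware output encoding does to it; the rendering functions are assumptions written for this demo.

```python
import html
import re

# The first payload shown on the slide, kept as a plain string (it is data here).
SLIDE_PAYLOAD = "<script>alert(23);</script>"

def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text dropped straight into the page: a browser parses the
    # <script> element and runs it (stored XSS if the comment came from the DB).
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment: str) -> str:
    # HTML-body context: html.escape turns < > & " ' into entities, so the
    # browser displays the text of the payload instead of executing it.
    return f'<p class="comment">{html.escape(comment)}</p>'

def render_attribute_safe(value: str) -> str:
    # Attribute context: the value must be inside quotes AND escaped with
    # quote=True, otherwise a quote in the input could close the attribute.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

# Note: the second payload on the slide (the one built from String.fromCharCode)
# targets a different context, a JavaScript string inside a <script> block.
# HTML entity escaping does not protect that context; data for scripts should be
# passed through a JSON-encoded data attribute or a dedicated JS encoder.

SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

def contains_script_tag(markup: str) -> bool:
    # Small check used by the test: does the rendered markup still contain a
    # live <script> or </script> tag?
    return SCRIPT_TAG_RE.search(markup) is not None

if __name__ == "__main__":
    print(render_comment_vulnerable(SLIDE_PAYLOAD))
    print(render_comment_safe(SLIDE_PAYLOAD))
    print(render_attribute_safe(SLIDE_PAYLOAD))
```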
MORE VULNERABILITIES?
• LFI, RFI
• Server-side vulnerabilities
CMS
• Vulnerabilities in plugins, not in the core
• Blind installation
WAF, WAF, WAF
WAFs are not invincible
Recommendations