Recientemente, en los grupos y comunidades de seguridad ofensiva, se ha popularizado el término Spring4Shell. Esto, por lo crítico que es aplicar las medidas contra la vulnerabilidad y del riesgo que significa. Pero, ¿por qué debemos preocuparnos de Spring4Shell?
The purpose of the article is to be a source of information for users who have found any of these on their sites, to encourage site owners to check their online properties for any of these, and to provide a line or two on how to fix them wherever possible.
If you’re not sure how to check your site for any of the vulnerabilities mentioned here, then a free Hackmetrix account could be a good start. It only takes a minute to sign up and you’ll have your first report in just a couple hours.
As time goes by we’ll also be expanding on each of these with more in-depth guides explaining each of these issues and how to solve them.
Let’s get to it!
Our most frequently found vulnerability is (luckily?) not a high risk one. Cross Site Request Forgery (CSRF), is a type of attack that tricks a user’s browser into performing an unwanted action on a trusted site where the user is authenticated, and it works even if the user doesn’t have that site open at the time.
This works because of the trusting nature of web browsers. A browser doesn’t check to see if an outgoing request is going out from a specific domain, and so in a similar way you might be able to tweet or check an Instagram post from an external website, a more ill-meaning site could use an open session in one of those sites to post, or take some other action, on your account without you ever noticing.
For example, let’s say you regularly check Twitter and so your session on that site remains open (an open session is what makes it possible for you to open a new tab and go to twitter.com and see your feed without having to log in every time). While you’re checking your friends’ tweets you click on a very enticing link to a questionnaire to find out what kind of fast food you are. Irresistible.
That questionnaire though, holds hidden and nefarious intentions, and as soon as you click a button on it to see the results it takes advantage of your open session on Twitter to tweet on your behalf a link to itself and follow a bunch of unknown accounts. This without you ever consenting, or finding out until you look at your own feed.
Now take that and imagine it being used on, instead of Twitter, a bank account. CSRF is a common problem, and one of the ways it can be prevented is by using =&2=&.
Using an anti-CSRF token would mean that each time a website loads it includes a unique string of characters, then when a request is made (in our example that would be each time you try perform some action on Twitter), the server expects to receive that same token back, and if it doesn’t then it will refuse to perform the action requested. You can see then why it’s highly recommended to implement an Anti-CSRF Token, and why not doing so is considered a vulnerability.
=&3=&=&4=&
The goal of this article is to show you a few ways that you might become vulnerable to XSS while using Vue, and hopefully, how to prevent them.
The goal of this post is to be an easy to understand resource get you started on the path to a more secure app. This is a guide that early stage CTOs (and anyone else) can use to harden their security, without it feeling like a chore.
Connections to your infra and non-public properties (hosted CIs, Admin interfaces, databases etc.) should only be accessible through a bounce host (VPC, VPN etc.)
Limit the network’s visibility. Split your network into subnetworks, each one being a network segment.
Take control of who accesses the network by implementing VLANs. Your network structure is only visible locally, so the attacker will find themselves with the task of understanding the non-visible network infrastructure, that’s one more step for them and a little more peace of mind for you.
This measure allows the business to limit the effects of issues or failures generated in a network segment, in this way, the segment could be put on quarantine avoiding the damage propagation to the other segments.
Avoid pivoting to give some additional security to your network segments.
“Will do!”, you say, “but what the heck is pivoting?”
Well, it’s the technique of jumping from one network segment to another to gain a broader attack range. So, how can I be safe from this? Hardening is a common network technique where we give special attention to device configurations.
This usually means to update default credentials and remove unnecessary software, logins, and services. In the following list we will give you some basic tasks that are hardening activities.
Firewalls are beautiful programs that could be the difference between a server working correctly, and a server being down.
The firewall’s job is to protect internal networks from unauthorized external access and attack attempts.
Have your firewall carefully configured, they are really useful, but if you don’t take the time to customize it, it could just be a waste of valuable resources.
If an attacker successfully hacks your application, having your services running as a restricted-user will force them to scale privileges, making it harder for the attacker to take over the host and/or to bounce to other services.
Privileged users are called =&5=& on Unix systems, and =&6=& or =&7=& on Windows systems.
These users have complete control of the system, so it’s really important leave them alone and only use them on those cases where they are specifically and inevitably necessary.
A common scenario is to find the databases running as root/system or under a unique user for more than one database, which brings us to another weakness.
If an attacker gains access to one of database, they automatically will have access to all the rest. So, don’t use privileged users and create one user and password for each database and service you have.
As a company you rely on a variety of services like Google Apps, Slack, WordPress etc. Don’t settle for the security defaults of these tools, they are some of the first things the attackers try and they can be an easy attack vector if not configured properly.
There are different tools to generate and save credentials like KeePass or LastPass, they use a master key to access the information, or in their mobile versions, allow you to use touch ID.
Also, make sure you update everything regularly, this is not only because you’ll get a nicer interface, but in the majority of cases updates are released to fix vulnerabilities and add new functionality, which could include new security measures.
So, if you have any default credentials, update them! And, if you have any software, service, or platform with a pending update, update it!
=&9=&
How to harden your Google Apps
Backup all your critical assets. Ensure that you attempt to restore your backups frequently so you can guarantee that they’re working as intended.
Don’t do it only when you remember to do it, nor with a year between each backup. Be regular, and do it with reasonable periods of time. Don’t take unnecessary risks. S3 is a very cheap and effective way to backup your assets:
Guide to backing up files on Amazon S3
Guide to backup on Digital Ocean
Guide to backup on Azure through Resource Manager
“Admin1234”
Please, don’t act surprised if I just guessed at least one of your passwords.
Hackmetrix 2018. All rights reserved.
