The purpose of this article is to serve as a reference for users who have found any of these vulnerabilities on their sites, to encourage site owners to check their online properties for them, and to give a line or two on how to fix each one wherever possible.
If you’re not sure how to check your site for any of the vulnerabilities mentioned here, then a free Hackmetrix account could be a good start. It only takes a minute to sign up and you’ll have your first report in just a couple of hours.
As time goes by we’ll also be expanding on each of these with more in-depth guides explaining the issue and how to solve it.
Let’s get to it!
Our most frequently found vulnerability is (luckily?) not a high-risk one. Cross-Site Request Forgery (CSRF) is a type of attack that tricks a user’s browser into performing an unwanted action on a trusted site where the user is authenticated, and it works even if the user doesn’t have that site open at the time.
This works because of the trusting nature of web browsers. A browser doesn’t check which site a request originates from before attaching the cookies it holds for the destination site, so in the same way you might be able to tweet or check an Instagram post from an external website, a more ill-meaning site could use an open session on one of those sites to post, or take some other action, on your account without you ever noticing.
For example, let’s say you regularly check Twitter and so your session on that site remains open (an open session is what makes it possible for you to open a new tab and go to twitter.com and see your feed without having to log in every time). While you’re checking your friends’ tweets you click on a very enticing link to a questionnaire to find out what kind of fast food you are. Irresistible.
That questionnaire, though, holds hidden and nefarious intentions, and as soon as you click a button on it to see the results it takes advantage of your open session on Twitter to tweet a link to itself on your behalf and follow a bunch of unknown accounts. All this without you ever consenting, or finding out until you look at your own feed.
Now take that and imagine it being used on a bank account instead of Twitter. CSRF is a common problem, and one of the ways it can be prevented is by using anti-CSRF tokens.
Using an anti-CSRF token means that each time a page loads, it includes a unique, unpredictable string of characters; then, when a request is made (in our example, each time you try to perform some action on Twitter), the server expects to receive that same token back, and if it doesn’t, it refuses to perform the requested action. Because a malicious site can make your browser send the cookie but cannot read the token embedded in the legitimate page, it cannot produce a valid request. You can see then why it’s highly recommended to implement an anti-CSRF token, and why not doing so is considered a vulnerability.
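How such a synchronizer token works end to end, as an added example that is not Hackmetrix’s code: the `session` dict, the `/tweet` handler and the form markup are constructed stand-ins for whatever your web framework provides; the token is generated on page load, stored server-side, and checked with a constant-time comparison on every state-changing request.

```python
import hmac
import secrets
from typing import Optional

# Minimal synchronizer-token implementation (added example, not Hackmetrix code).
# A "session" is modelled as a plain dict standing in for the framework's
# server-side session store, which is keyed by the user's session cookie.

SESSION_KEY = "csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Generate a random token, store it in the session and return it so the
    page can embed it (hidden form field or request header)."""
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return token


def render_form(session: dict) -> str:
    """Page load: every rendered form carries the session's token."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/tweet">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="text"><button>Post</button></form>'
    )


def is_valid_csrf(session: dict, submitted: Optional[str]) -> bool:
    """State-changing request: the token sent back must equal the one stored in
    the session. A cross-site page can make the browser send the cookie, but it
    cannot read the legitimate page, so it cannot supply this value."""
    expected = session.get(SESSION_KEY)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, submitted)


def handle_post_tweet(session: dict, form: dict) -> tuple:
    """Simulated /tweet handler: 403 unless the anti-CSRF token checks out."""
    if not is_valid_csrf(session, form.get("csrf_token")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, f"posted: {form.get('text', '')}"


if __name__ == "__main__":
    session = {}                       # constructed: one logged-in user
    render_form(session)               # legitimate page load embeds the token
    token = session[SESSION_KEY]
    print(handle_post_tweet(session, {"csrf_token": token, "text": "hello"}))
    print(handle_post_tweet(session, {"text": "visit evil"}))  # forged: no token
```

The second call models the questionnaire page above: the browser still sends the session cookie, but without the token the server refuses to act.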
As we keep working to build the easiest-to-use security scanner and