WHY Capital One Date : March 22 and 23, 2019 Number of - - PowerPoint PPT Presentation
WHY

Capital One
Date: March 22 and 23, 2019
Number of records breached: 106 million
Information exposed: Names, addresses, ZIP codes, phone numbers, email addresses, birthdates and self-reported income. Customer credit scores, credit limits, balances, payment history, and contact information.

American Medical Collection Agency
Date: August 1, 2018, to March 30, 2019
Number of records breached: More than 20 million
Information exposed: Social Security numbers, dates of birth, payment card data, and credit card information.

Evite
Date: February 22, 2019
Number of records breached: 100 million
Information exposed: Names, email addresses, passwords, and IP addresses of Evite customers.

src: https://us.norton.com/internetsecurity-emerging-threats-2019-data-breaches.html

HOW
WHAT
CNAME Based (Company Level)

yourcompanydomain.biz
yourcompanyblog.biz
blog.yourcompanydomain.biz. 3600 IN CNAME yourcompanyblog.biz.

CNAME Based (Dev Level)

yourcompanydomain.biz
opensource.github.io
opensource.yourcompanydomain.biz. 3600 IN CNAME opensource.github.io.
Similar Behaviour With

- Amazon S3
- Heroku
- Shopify
- Microsoft Azure
- Statuspage
- Tumblr
- WordPress
- And more…

Be aware that this also works with NS and MX DNS entries
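The records on the previous slides are only a risk when nobody checks them. As an added example (not from the slide deck), the script below parses a small zone fragment in the same "name TTL IN TYPE target" layout, pulls out every CNAME, NS and MX target, and flags targets that no longer resolve ("dangling") or that live under a third-party hosting provider. The zone content, the provider suffix list and the resolver are constructed so it runs offline; in production the resolver would be a real DNS lookup.

```python
"""Audit CNAME, NS and MX records for dangling or third-party-hosted targets.

Added example, not part of the slides. Zone data, provider suffixes and the
resolver below are constructed for illustration.
"""
from typing import Callable, Dict, List, Tuple

# Assumed: hostname suffixes of the hosting services named on the slides. A record
# whose target ends in one of these is only as safe as the account that currently
# owns that name at the provider.
THIRD_PARTY_SUFFIXES = (
    "github.io", "amazonaws.com", "herokuapp.com", "myshopify.com",
    "azurewebsites.net", "statuspage.io", "tumblr.com", "wordpress.com",
)

# Constructed zone fragment in the slides' "name TTL IN TYPE target" layout.
ZONE = """\
blog.yourcompanydomain.biz.       3600 IN CNAME yourcompanyblog.biz.
opensource.yourcompanydomain.biz. 3600 IN CNAME opensource.github.io.
www.yourcompanydomain.biz.        3600 IN A     203.0.113.10
yourcompanydomain.biz.            3600 IN MX    10 mail.yourcompanydomain.biz.
dev.yourcompanydomain.biz.        3600 IN NS    ns1.old-dns-provider.example.
"""

# Constructed resolver: names in this set "resolve"; anything else is dangling.
KNOWN_NAMES = {"opensource.github.io", "mail.yourcompanydomain.biz"}


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, target) for CNAME/NS/MX records; MX drops the preference."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rtype = parts[0], parts[3]
        if rtype in ("CNAME", "NS"):
            records.append((owner, rtype, parts[4].rstrip(".").lower()))
        elif rtype == "MX" and len(parts) >= 6:
            records.append((owner, rtype, parts[5].rstrip(".").lower()))
    return records


def audit(zone_text: str, resolves: Callable[[str], bool]) -> Dict[str, List[str]]:
    """'dangling' if the target does not resolve; 'third_party' if it resolves
    but sits under an external hosting provider (worth tracking in inventory)."""
    findings: Dict[str, List[str]] = {"dangling": [], "third_party": []}
    for owner, rtype, target in parse_zone(zone_text):
        if not resolves(target):
            findings["dangling"].append(f"{owner} {rtype} -> {target}")
        elif any(target == s or target.endswith("." + s) for s in THIRD_PARTY_SUFFIXES):
            findings["third_party"].append(f"{owner} {rtype} -> {target}")
    return findings


if __name__ == "__main__":
    for kind, items in audit(ZONE, lambda name: name in KNOWN_NAMES).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run this against an export of every zone the company controls on a schedule; a dangling entry is a record to delete, and a third-party entry is one to re-verify whenever the hosting account behind it is closed or renamed.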
Paid Service
Self-Service
GCP AZURE AWS PORT 80,443 ALLOWED

SSRF
Examples: AWS

http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key

GCP

Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id

Digital Ocean

http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address

Oracle Cloud

http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
Src: https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b

Examples:
Demo
Whitelist IP Ranges / DNS Names
e.g. 192.168.0.1/24 range

Use Authentication Also for Internal Services

Disable Unnecessary URL Schemes
file://, dict://, ftp://, gopher://

Monitor Response Sent Back to the User
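The four mitigations above fit into one check that runs before the server makes any outbound request. As an added example (not from the slides), the function below enforces the scheme restriction, an allowlist of hostnames and IP ranges, and a block on the metadata addresses listed on the earlier slides, using the address the hostname actually resolves to rather than the hostname alone. The allowlist and the resolver are constructed so it runs offline; the authentication and response-monitoring controls are outside this function.

```python
"""Validate an outbound URL before a server-side fetch.

Added example, not from the slides. ALLOWED_HOSTS, ALLOWED_RANGES and FAKE_DNS
are constructed; swap FAKE_DNS for a real resolver in production.
"""
import ipaddress
from typing import Callable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}                     # file:, dict:, ftp:, gopher: refused
ALLOWED_HOSTS = {"api.partner.example"}                 # constructed hostname allowlist
ALLOWED_RANGES = [ipaddress.ip_network("192.168.0.0/24")]  # the slides' 192.168.0.1/24 example

# Metadata endpoints from the slides: AWS/GCP/DigitalOcean share 169.254.169.254,
# GCP adds the two names, Oracle Cloud uses 192.0.0.192.
METADATA_HOSTS = {"169.254.169.254", "192.0.0.192", "metadata.google.internal", "metadata"}

# Constructed resolver so the check runs offline; IP literals pass through.
FAKE_DNS = {
    "api.partner.example": "203.0.113.5",
    "intranet.yourcompanydomain.biz": "192.168.0.20",
    "evil.example": "169.254.169.254",            # hostname that resolves to metadata
    "metadata.google.internal": "169.254.169.254",
}


def resolve(host: str) -> str:
    return FAKE_DNS.get(host, host)


def check_url(url: str, resolver: Callable[[str], str] = resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rejection names the rule that fired."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS:
        return False, "metadata endpoint"
    try:
        addr = ipaddress.ip_address(resolver(host))
    except ValueError:
        return False, f"cannot resolve {host}"
    # Check the resolved address too: a DNS name under attacker control can
    # point anywhere, including back at the metadata service.
    if str(addr) in METADATA_HOSTS or addr.is_link_local or addr.is_loopback:
        return False, f"{host} resolves to blocked address {addr}"
    if host in ALLOWED_HOSTS or any(addr in net for net in ALLOWED_RANGES):
        return True, "ok"
    return False, f"{host} ({addr}) not allowlisted"


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/report",
              "http://169.254.169.254/latest/meta-data/",
              "file:///etc/hosts",
              "http://evil.example/"):
        print(u, "->", check_url(u))
```

Because the decision is made on the resolved address, the HTTP client should connect to that same address (rather than resolving the name a second time), otherwise a name whose answer changes between the check and the fetch gets past the allowlist.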
HTTP Requests

(diagram: User 1 and User 2 send requests through a Proxy / LB to Backend Server 1, 2 and 3)

POST /sec4devBenign HTTP/1.1
Host: sec4dev.io
Content-Length: 19

testparam=testvalue

POST /sec4devBenign HTTP/1.1
Host: sec4dev.io
Transfer-Encoding: chunked

13
testparam=testvalue

POST /sec4devDesync HTTP/1.1
Host: sec4dev.io
Content-Length: 17
Transfer-Encoding: chunked

SEC4DEVROCKS

(diagram: after the desync request, the backends receive requests marked "Coming from user 2" and "Coming from user 1" out of order)
Demo
(diagram: Proxy / LB with Backend Server 1, 2 and 3; User 1 and User 2 each get their own connection)

Use Separate Network Connections For Each Request

POST /sec4devBenign HTTP/2
Host: sec4dev.io
Content-Length: 19

testparam=testvalue

Use HTTP/2 For Backend Connections

(diagram: Proxy / LB with Backend Server 1, 2 and 3; User 1 and User 2)

Use Exact Same Software for Frontend / Backend
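The desync on the slides happens because one parser frames the body by Content-Length and another by Transfer-Encoding. As an added example (not from the slides), the code below computes both framings for a raw request so the difference is visible, and implements the rule a front end should apply: refuse any request that carries both headers, duplicate headers, or a Transfer-Encoding other than plain "chunked". The sample requests are constructed from the slides' Benign and Desync layouts; the chunked bodies are completed with the terminating 0-chunk that a valid chunked body ends with.

```python
"""Show CL vs TE framing of one request and reject ambiguous requests.

Added example, not part of the slides. BENIGN, BENIGN_CHUNKED and DESYNC are
constructed from the slides' layout.
"""
from typing import Dict, List, Optional, Tuple


def parse_headers(raw: bytes) -> Tuple[Dict[bytes, List[bytes]], bytes]:
    """Split a raw HTTP/1.1 request into a multi-valued header map and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, List[bytes]] = {}
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def chunked_length(body: bytes) -> Optional[int]:
    """Bytes a chunked parser consumes up to the end of the 0-chunk, or None if malformed."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return None
        try:
            size = int(body[pos:eol].split(b";")[0].strip(), 16)
        except ValueError:
            return None
        pos = eol + 2
        if size == 0:
            eol = body.find(b"\r\n", pos)              # end of the (empty) trailer section
            return None if eol < 0 else eol + 2
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            return None
        pos += 2


def framing_views(raw: bytes) -> Dict[str, object]:
    """How a CL-based and a TE-based parser would each frame the body, and what
    bytes a TE-based backend would leave over as the start of the next request."""
    headers, body = parse_headers(raw)
    views: Dict[str, object] = {"content_length": None, "chunked": None, "leftover_after_chunked": None}
    if b"content-length" in headers:
        views["content_length"] = int(headers[b"content-length"][0])
    if b"transfer-encoding" in headers:
        consumed = chunked_length(body)
        views["chunked"] = consumed
        if consumed is not None:
            views["leftover_after_chunked"] = body[consumed:]
    return views


def is_ambiguous(raw: bytes) -> bool:
    """Front-end rule: refuse anything two parsers could frame differently."""
    headers, _ = parse_headers(raw)
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:
        return True                                    # both present: CL/TE or TE/CL desync
    if len(cl) > 1 or len(te) > 1:
        return True                                    # duplicated header
    if te and te[0].lower() != b"chunked":
        return True                                    # obfuscated or unknown coding
    return False


BENIGN = (b"POST /sec4devBenign HTTP/1.1\r\nHost: sec4dev.io\r\n"
          b"Content-Length: 19\r\n\r\ntestparam=testvalue")
BENIGN_CHUNKED = (b"POST /sec4devBenign HTTP/1.1\r\nHost: sec4dev.io\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n13\r\ntestparam=testvalue\r\n0\r\n\r\n")
DESYNC = (b"POST /sec4devDesync HTTP/1.1\r\nHost: sec4dev.io\r\n"
          b"Content-Length: 17\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nSEC4DEVROCKS")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("benign chunked", BENIGN_CHUNKED), ("desync", DESYNC)):
        print(name, framing_views(req), "ambiguous:", is_ambiguous(req))
```

For the desync sample a Content-Length parser consumes all 17 body bytes, while a chunked parser stops after 5 and leaves "SEC4DEVROCKS" queued on the connection, which is exactly why the slides recommend a fresh backend connection per request, HTTP/2 to the backend, or identical software on both tiers; rejecting the request at the front end removes the ambiguity before any of that matters.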
Build Awareness / Enable Employees

Use Secrets Vault / Manager

Pre-commit hooks

GitHub Token Scanning Service
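A pre-commit hook is the cheapest of the controls above to put in place. As an added example (not from the slides), the script below scans the staged diff and refuses the commit when a newly added line looks like a credential. The pattern set is a small illustrative one (the AKIA prefix for AWS access key IDs is documented by AWS; the others are generic assignments), and the sample diff is constructed using the placeholder key that AWS uses in its own documentation.

```python
"""Pre-commit hook: block commits whose staged additions look like secrets.

Added example, not part of the slides. PATTERNS is an illustrative starting
set; SAMPLE_DIFF is constructed.
"""
import re
import subprocess
import sys
from typing import List, Tuple

PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("password_literal",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
]


def find_secrets(diff_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, content) for added diff lines that match.
    Only '+' lines are checked, so removing a leaked secret never blocks the commit."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, pattern in PATTERNS:
            if pattern.search(line):
                hits.append((lineno, name, line[1:].strip()))
    return hits


def staged_diff() -> str:
    """Diff of what is about to be committed (requires git; not used by the offline sample)."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout


# Constructed diff; the key is the placeholder AWS uses in its documentation.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+region = "eu-central-1"
"""

if __name__ == "__main__":
    text = staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF
    hits = find_secrets(text)
    for lineno, name, content in hits:
        print(f"blocked: diff line {lineno} looks like {name}: {content}")
    sys.exit(1 if hits else 0)
```

Installed as .git/hooks/pre-commit and invoked with --staged, a non-zero exit aborts the commit. The hook is a developer-side safety net, not the source of truth: secrets still belong in the vault or manager, and the GitHub token scanning service catches what slips past locally.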