MCS cloud platform security audit

Evenings of SkyShip and SeerLight

Building any service involves continuous security work. Security is an ongoing process: constant analysis and improvement of the product's security posture, monitoring threat-related news, and much more, including audits. Audits are carried out both in-house and by external experts, and the latter can help a great deal precisely because they are not immersed in the project and look at it with fresh eyes.

This article is about that fresh outside look: how external experts helped the Mail.ru Cloud Solutions (MCS) team test its cloud service, and what they found. As the "external force" MCS chose Digital Security, a company known for its information-security expertise. Below we walk through some of the more interesting vulnerabilities found during the external audit, so that you can avoid the same mistakes when building your own cloud service.

Product description

Mail.ru Cloud Solutions (MCS) is a platform for building virtual infrastructure in the cloud. It includes IaaS, PaaS, and a marketplace of pre-built images for developers. Given the MCS architecture, the product's security had to be checked in the following areas:

  • protection of the core of the virtualization environment: hypervisors, routing, firewalling;
  • protection of customer virtual machines: isolation from one another, including at the network level, and private networks in the SDN;
  • OpenStack and its open-source components;
  • the in-house S3 implementation;
  • IAM: the multi-project model with roles;
  • Vision (computer vision): the APIs and weaknesses in image processing;
  • the web interface and classic web attacks;
  • vulnerabilities in PaaS components;
  • the APIs of all components.

That is probably all the background that matters.

What work was done and why was it needed?

A security audit aims to identify vulnerabilities and configuration errors that could lead to leakage of your data, modification of confidential information, or loss of service availability.

During the engagement, which typically lasts about 1-2 months, the auditors reproduce an attacker's actions and look for weaknesses in the client-side and server-side parts of the chosen service. For the MCS cloud platform audit the following goals were set:

  1. Analysis of authentication in the service. Vulnerabilities here could give an attacker immediate access to other people's accounts.
  2. Study of the role model and the access control between different accounts. For an attacker, reaching someone else's virtual machine is a prized goal.
  3. Client-side vulnerabilities: XSS/CSRF/CRLF injection and the like. Can other users be attacked via malicious links?
  4. Server-side vulnerabilities: RCE and injections of every kind (SQL/XXE/SSRF and so on). Server-side vulnerabilities are usually harder to find, but they put many users at risk at once.
  5. Analysis of the isolation of user segments at the network level. For an attacker, missing isolation greatly widens the attack surface against other users.
  6. Business-logic analysis. Can the billing be deceived, for instance to create virtual machines for free?

The work followed the grey-box model: the auditors interacted with the service with the privileges of an ordinary user, but also had partial access to the API source code and could clarify details with the developers. This is usually more convenient and, at the same time, a more realistic model of a real attack: an attacker can also collect internal information, it is only a matter of time.

Vulnerabilities found

Before an auditor starts sending assorted payloads (the data used to trigger an exploit) at random places, it is necessary to understand how the product works and what functionality it offers. This may seem a waste of time, since most of the places studied will turn out to have no vulnerabilities. But only an understanding of how the application works and what logic it follows makes it possible to find the most complex attack vectors.

It is important to look for places that seem suspicious or that for some reason stand out from the rest. The first serious vulnerability was found exactly that way.

IDOR

Insecure Direct Object Reference (IDOR) is one of the most common business-logic vulnerabilities: it lets one user reach objects they are not authorised to access. An IDOR makes it possible to obtain information about other users, of varying degrees of sensitivity.

One variant of IDOR is performing actions on system objects (users, bank accounts, items in a shopping cart) by manipulating the identifiers used to access them. This leads to the most unexpected consequences, for example the ability to change the sender account of a money transfer, i.e. to steal from other users.

In the case of MCS the auditors found exactly such an IDOR, caused by guessable identifiers. In the user's personal account, UUIDs were used to reference objects, which, as security experts would put it, looks unsurprisingly secure (that is, resistant to brute-force enumeration). But for some entities it turned out that ordinary sequential numbers were used to fetch information about the application's users. You can guess the rest: it was enough to change the user ID by one and resend the request to obtain data, bypassing the ACL (access control list, the rules governing which processes and users may access which data).
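The pattern above, as an added example that is not part of the original article or of the MCS code base: a handler that resolves a sequential id without an ownership check, next to one that scopes the lookup to the caller, plus the "change the id by one" walk the auditors performed. The profile data, user names and the Forbidden class are constructed for illustration.

```python
"""Added example (not MCS or Digital Security code): sequential-id IDOR
beside a handler that authorises per object before returning it.

Assumptions: an in-memory "database" of user profiles keyed by a
sequential integer id, and a session that identifies the calling user.
"""
import uuid

# Constructed sample data: two tenants' profiles stored side by side.
PROFILES = {
    1001: {"owner": "alice", "email": "alice@example.invalid",
           "ssh_key": "ssh-ed25519 AAAA...alice"},
    1002: {"owner": "bob", "email": "bob@example.invalid",
           "ssh_key": "ssh-ed25519 AAAA...bob"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_profile_vulnerable(session_user: str, profile_id: int) -> dict:
    """The bug: the id is resolved, but ownership is never checked.
    Any authenticated user reads any profile by changing the number."""
    return PROFILES[profile_id]


def get_profile_hardened(session_user: str, profile_id: int) -> dict:
    """The fix: authorise on the server, per object, before returning it.
    A foreign id yields Forbidden, not data."""
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        # Same outcome for "missing" and "not yours": don't leak existence.
        raise Forbidden(f"profile {profile_id} not visible to {session_user}")
    return profile


def enumerate_ids(fetch, session_user: str, start: int, count: int) -> list[int]:
    """What the auditor did: walk adjacent ids and note which ones return data.
    With the vulnerable handler every existing id leaks; with the hardened
    one only the caller's own object is returned."""
    leaked = []
    for pid in range(start, start + count):
        try:
            fetch(session_user, pid)
            leaked.append(pid)
        except (KeyError, Forbidden):
            pass
    return leaked


def new_object_id() -> str:
    """Unguessable ids (UUIDv4, ~122 random bits) make enumeration impractical,
    but they are not an access control: the ownership check above is still
    required for every object reference."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_profile_vulnerable, "alice", 1000, 5))
    print("hardened:  ", enumerate_ids(get_profile_hardened, "alice", 1000, 5))
```

The UUID helper is there to make the point the audit made: random identifiers raise the cost of enumeration, but the ACL check in the handler is what actually stops the IDOR, and it has to exist for the UUID-referenced objects too.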

Server Side Request Forgery (SSRF)

The advantage of open-source products is that they have many forums where the problems that arise are described in detail and, if you are lucky, a solution is described too. But this coin has another side: known vulnerabilities are also documented in detail. For example, the OpenStack site carries excellent descriptions of an [XSS] and an [SSRF] vulnerability that, for some reason, nobody is in a hurry to fix.

A common application feature is letting the user submit a link that the server then follows (for example, to download an image from the given source). If the security controls filter neither the links themselves nor the responses the server returns to the user, attackers can abuse this functionality.

An SSRF vulnerability can significantly advance an attack. An attacker may gain:

  • limited access to the internal network, for example only to certain network segments and only over a specific protocol;
  • full access to the internal network, if it is possible to drop from the application layer down to the transport layer and thereby fully control what is sent at the application layer;
  • the ability to read local files on the server (if the file:/// scheme is supported);
  • and much more.

An SSRF vulnerability has long been known in OpenStack, and it is "blind": when the server is made to contact a host you do not receive the response, but you do receive different kinds of errors and delays depending on the outcome of the request. On that basis you can run a port scan against hosts on the internal network, with all the consequences that should not be underestimated. For example, the product may have a back-office API reachable only from the corporate network. With its documentation (do not forget about insiders), an attacker can use the SSRF to reach internal methods. If you can somehow obtain an approximate list of useful URLs, you can walk through them via the SSRF and execute requests: roughly speaking, transfer money from account to account or change limits.

This is not the first time an SSRF has been found in OpenStack. Earlier it was possible to download VM ISO images from a direct link, which led to similar consequences. That feature has since been removed from OpenStack; apparently the community decided this was the simplest and most reliable fix.

And in this publicly available report on the HackerOne (h1) platform, exploiting an SSRF that was not blind and could read instance metadata led to root access to all of Shopify's infrastructure.

In MCS, SSRF vulnerabilities were found in two places with similar functionality, but they could not be exploited thanks to firewalls and other protections. Either way, the MCS team fixed the problem without waiting for the community.
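An outbound-URL check of the kind that closes off the SSRF outcomes listed above, added here as an example; it is not MCS or OpenStack code. It rejects non-http(s) schemes (so file:/// never reaches the fetcher), unusual ports (no port scanning through the service), embedded credentials, IPv4-mapped IPv6 literals, and any hostname whose DNS answers include a loopback, private, link-local or metadata address. The resolver is injectable so that the demonstration runs offline; the host names, addresses and the UnsafeURL class are assumptions. The fetcher that follows this check must connect to the IP the check returned (not resolve the name again) and must re-run the check on every redirect, otherwise DNS rebinding or a 302 to http://169.254.169.254/ gets around it.

```python
"""Added example (not MCS or OpenStack code): allow-list validation of a
user-supplied URL before the server fetches it.

Assumptions: only http/https on 80/443 are ever needed; the caller connects
to the returned IP and re-validates redirects. `resolver` defaults to
socket.getaddrinfo but is injectable so the example runs without network.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class UnsafeURL(ValueError):
    """The URL must not be fetched on the user's behalf."""


def _is_public(ip) -> bool:
    # Rejects loopback, RFC1918, link-local (incl. 169.254.169.254 metadata),
    # carrier-grade NAT, unspecified, multicast and reserved ranges.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified
                or ip in ipaddress.ip_network("100.64.0.0/10"))


def _default_resolver(host: str) -> list[str]:
    """Real resolver: every A/AAAA answer for the host, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolver=_default_resolver) -> tuple[str, str, int]:
    """Return (host, ip_to_connect_to, port) if the URL may be fetched.
    Raises UnsafeURL otherwise. All resolved addresses must be public:
    one internal answer (e.g. a rebinding setup) fails the whole check."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")  # file://, gopher://, dict://
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL")  # http://trusted.host@evil.host/ tricks
    host = parts.hostname
    if not host:
        raise UnsafeURL("no host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")  # no port scan via the fetcher
    try:
        # Literal IPs skip DNS; this also catches [::1] and [::ffff:127.0.0.1].
        # Decimal/octal forms like 2130706433 are not parsed here; they go to
        # the resolver and are caught by the address check on its answer.
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not candidates:
        raise UnsafeURL(f"no addresses for {host!r}")
    for addr in candidates:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by the embedded IPv4
        if not _is_public(ip):
            raise UnsafeURL(f"{host!r} resolves to internal address {ip}")
    return host, candidates[0], port


if __name__ == "__main__":
    # Constructed DNS so the demo runs offline; 93.184.216.x stands in for a public host.
    fake_dns = {"images.example.invalid": ["93.184.216.34"],
                "rebind.example.invalid": ["93.184.216.35", "10.0.0.5"]}
    for u in ["https://images.example.invalid/logo.png",
              "file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "http://localhost:8080/",
              "http://rebind.example.invalid/"]:
        try:
            print("allow", check_outbound_url(u, lambda h: fake_dns.get(h, [])))
        except UnsafeURL as e:
            print("deny ", u, "->", e)
```

Note that this is an allow-list on where the request may go; it does nothing about the blind-oracle side (timing and error differences) for hosts that are allowed, which is why the port restriction matters as much as the address check.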

XSS instead of uploading shells

Despite the hundreds of tutorials written about it, year after year XSS (cross-site scripting) remains the most frequently encountered web vulnerability (or attack?).

File upload is a favourite spot for security researchers. It often turns out that you can upload an arbitrary script (asp/jsp/php) and execute OS commands, which pentesters call "uploading a shell". But the popularity of such vulnerabilities cuts both ways: they are remembered and defences are built against them, so these days the probability of "uploading a shell" tends to zero.

The attacking team (represented by Digital Security) got lucky. Yes, MCS checked the content of uploaded files on the server side and only allowed images. But SVG is an image too. How can an SVG image be dangerous? Because you can embed JavaScript snippets in it!

It also turned out that uploaded files were accessible to all MCS users, which means it was possible to attack the cloud's users, who are administrators.

Example of an XSS attack with a phishing login form

Examples of how an XSS can be exploited:

  • Why bother stealing the session (especially now that HttpOnly cookies are everywhere and cannot be read by JavaScript) when the injected script can immediately call the working API? In that case the payload can use XHR requests to change the server configuration, for example add the attacker's public SSH key and obtain SSH access to the server.
  • If a CSP (Content Security Policy) blocks injected JavaScript, the attacker can do without it. Using plain HTML, a fake login form is inserted into the page and the administrator's password is stolen through it: the phishing page sits at the same URL as the real one, so the user has little chance of noticing.
  • Finally, the attacker can arrange a client-side DoS by setting cookies larger than 4 KB. The user only has to open the link once, and the whole site becomes unreachable until they think of clearing the browser: the web server will normally reject requests from such a client because the headers are too large.

Let's look at another XSS that was found, this time with a more cunning exploitation path. The MCS service lets you combine firewall settings into groups, and the group name is where the XSS was found. Its peculiarity was that the vector did not fire immediately, and not when viewing the rule list, but when deleting the group:

That is, the scenario went like this: the attacker creates a firewall rule with a "payload" in the name, the administrator notices it some time later and starts the deletion process. And that is when the malicious JS runs.

To protect against XSS in uploaded SVG images (if they cannot be dropped altogether), the Digital Security team recommended that the MCS developers:

  • Serve user-uploaded files from a separate domain that shares no cookies with the main site. Scripts will then run in the context of that other origin and pose no threat to MCS.
  • Send the header "Content-Disposition: attachment" in the server's HTTP response. The browser will then download the file rather than render and execute it.
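Both findings above, the script hidden in an uploaded SVG and the security-group name that fires when the administrator deletes the group, handled on the server side, as an added example that is not MCS or Digital Security code: an upload-time check for active content in SVG, the response headers from the recommendations, and output escaping for the group name. The SVG payload, file names and the user-content origin are constructed for illustration.

```python
"""Added example (not MCS or Digital Security code): stored-XSS handling for
SVG uploads and for untrusted names rendered into the admin UI.

Assumptions: uploads are served from a cookieless origin (UPLOAD_ORIGIN is a
placeholder); active_content_in_svg() runs before the file is stored.
"""
import html
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_NS = "{http://www.w3.org/1999/xlink}"
UPLOAD_ORIGIN = "https://user-content.example.invalid"  # assumption: separate, cookieless origin

# Constructed payload of the kind the auditors uploaded: an "image" that, when a
# logged-in admin opens it in the main origin, posts the attacker's SSH key via the API.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script>fetch('/api/v1/keypairs', {method:'POST', credentials:'include',
    body:JSON.stringify({public_key:'ssh-ed25519 AAAA...attacker'})})</script>
  <image onload="alert(1)" href="javascript:alert(2)"/>
</svg>"""

CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'


def active_content_in_svg(data: bytes) -> list[str]:
    """Return the reasons an SVG is not a passive image (empty list = passive).
    Flags script and foreignObject elements, on* event-handler attributes and
    javascript: URLs. Reject the upload if anything is returned."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = el.tag.removeprefix(SVG_NS)  # namespaced tags look like {ns}script
        if tag in ("script", "foreignObject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.removeprefix(XLINK_NS).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


def upload_url(object_id: str) -> str:
    """Stored files are referenced on the separate origin, never under the app's domain."""
    return f"{UPLOAD_ORIGIN}/{object_id}"


def upload_response_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload, per the recommendations above:
    download instead of render, no MIME sniffing, and no script even if rendered."""
    safe_name = "".join(ch for ch in filename if ch.isalnum() or ch in "._-") or "download"
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


def render_delete_confirmation(group_name: str) -> str:
    """The firewall-group case: the name is untrusted and is escaped for the HTML
    context it lands in. Escaping on output (rather than filtering on input)
    protects every view, the rule list and the delete dialog alike."""
    return f"<p>Delete security group <b>{html.escape(group_name, quote=True)}</b>?</p>"
```

The SVG check is a gate, not a sanitiser: rather than trying to strip scripts and keep the rest, it refuses anything that is not a passive image, which is the only behaviour that stays correct as browsers add features. The headers are still needed for files that pass, because the check can only be as good as its parser.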

Beyond that, developers have many ways to reduce the impact of an XSS:

  • the "HttpOnly" flag makes cookies unreadable from malicious JavaScript;
  • a well-configured CSP policy makes exploiting an XSS much harder for the attacker;
  • modern template engines such as Angular or React escape user data by default before it reaches the browser.

Two-factor authentication vulnerabilities

To improve account security, users are always advised to enable 2FA (two-factor authentication). And indeed, it is a good way to keep an attacker out of the service even if the user's credentials have been compromised.

But does a second factor always guarantee account security? 2FA implementations have the following classes of problems:

  • Brute-forcing the OTP (one-time code). Despite the simplicity of the operation, mistakes such as missing brute-force protection for the OTP happen even to large companies: the Slack case, the Facebook case.
  • Weak generation algorithms, for example making it possible to predict the next code.
  • Logic errors, such as being able to request someone else's OTP to your own phone, as in this case from Shopify.

In MCS, 2FA is built on Google Authenticator and Duo. The protocol itself has been tested many times, but the verification of the code on the application side is what needs checking.

MCS uses 2FA in several places:

  • During user authentication. Brute-force protection is in place here: the user gets only a few attempts to enter the one-time password, after which input is blocked for a while. This rules out brute-forcing the OTP.
  • When generating backup codes for 2FA, and when disabling it. Here no brute-force protection had been implemented, which made it possible, given the account password and an active session, to regenerate the backup codes or switch 2FA off entirely.

Since the backup codes had the same format as the codes produced by the OTP application, the search space was no larger than for a single OTP, and the chance of guessing a code in a short time was considerably higher.

Brute-forcing the OTP to disable 2FA with the "Burp: Intruder" tool.
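The gap described above, as an added example that is not MCS code: one TOTP verifier with a single attempt limit that every code-accepting action shares, so that login, backup-code regeneration and disabling 2FA are throttled identically, plus backup codes that are long, random, hashed at rest and single-use rather than six digits. It assumes RFC 6238 TOTP with the Google Authenticator defaults (SHA-1, 30-second step, 6 digits), and an injected clock so that it runs deterministically; the secret, the limits and the backup-code alphabet are assumptions.

```python
"""Added example (not MCS code): TOTP verification with one shared lockout
for login, backup-code regeneration and disabling 2FA, and a calculation of
what an unthrottled endpoint gives an attacker.

Assumptions: RFC 6238 TOTP, SHA-1, 30 s step, 6 digits; 5 attempts then a
5-minute lockout; `clock` injectable for deterministic runs.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30
DIGITS = 6
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 300
BACKUP_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no look-alikes; ~49.5 bits per 10 chars


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(secret, counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** DIGITS
    return f"{code:0{DIGITS}d}"


def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP over the current 30-second step."""
    return hotp(secret, int(now) // STEP)


class SecondFactor:
    """Per-account 2FA state. Every sensitive action calls verify(), so the
    login throttle and the disable/regenerate throttle are the same counter."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0
        self.backup_hashes: set[str] = set()

    def _record_failure(self) -> None:
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = self.clock() + LOCKOUT_SECONDS
            self.failures = 0

    def verify(self, code: str) -> bool:
        """Accept the current TOTP step or one step either side (clock drift),
        or an unused backup code. Constant-time compares; failures count toward
        lockout; a locked account rejects even the right code without counting."""
        now = self.clock()
        if now < self.locked_until:
            return False
        for drift in (-1, 0, 1):
            expected = hotp(self.secret, int(now) // STEP + drift)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.failures = 0
                return True
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)  # single use
            self.failures = 0
            return True
        self._record_failure()
        return False

    def regenerate_backup_codes(self, code: str, count: int = 8) -> Optional[list[str]]:
        """Gated by the throttled verify(). Returns the new plaintext codes once;
        only their hashes are kept. Codes are not in the OTP's 6-digit format."""
        if not self.verify(code):
            return None
        new_codes = ["".join(secrets.choice(BACKUP_ALPHABET) for _ in range(10))
                     for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in new_codes}
        return new_codes

    def disable(self, code: str) -> bool:
        """Disabling 2FA goes through the same throttled verify()."""
        return self.verify(code)


def brute_force_odds(attempts: int, accepted: int = 3, space: int = 10 ** DIGITS) -> float:
    """Probability that `attempts` guesses hit one of `accepted` valid codes.
    Unthrottled, ~1e6 requests succeed with ~95 %; at 5 per lockout window it is ~1.5e-5."""
    return 1 - (1 - accepted / space) ** attempts
```

The point of routing disable() and regenerate_backup_codes() through the same verify() is that an endpoint cannot be added later without inheriting the throttle; the audit finding was exactly two endpoints that accepted the code but never counted failures.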

Conclusions

Overall, MCS looks like a secure product. During the audit the attacking team was unable to reach customers' virtual machines or their data, and the vulnerabilities that were found were promptly fixed by the MCS team.

But it is important to note here that security is a continuous process. Services are not static; they change all the time. And it is impossible to build a product with no vulnerabilities at all. What you can do is find them in time and minimise the chance of them recurring.

All the vulnerabilities mentioned above have already been fixed in MCS. And to keep the number of new ones to a minimum and shorten their lifetime, the platform team continues to do the following:

Source: www.habr.com
