Building any service means working continuously on its security. Security is an ongoing process: regular audits and improvements of the product's security posture, tracking vulnerability news, and much more. Audits in particular are carried out both in-house and by external experts, and the latter can help a great deal precisely because they are not immersed in the project and look at it with fresh eyes.
This article is about how that outside view helped the Mail.ru Cloud Solutions (MCS) team test its cloud service, and what came of it. As the "outside force", MCS chose Digital Security, a company known for its expertise in information security. Below we go through some of the more interesting vulnerabilities found during the external audit, so that you can avoid stepping on the same rake when building your own cloud service.
Product Description
- protection of the virtualization infrastructure: hypervisors, routing, firewalls;
- protection of clients' virtual infrastructure: isolation of tenants from one another, including at the network level and for private networks in the SDN;
- OpenStack and its open components;
- S3 storage of our own design;
- IAM: multi-tenant projects with a role model;
- Vision (computer vision): its APIs and vulnerabilities in image handling;
- the web interface and classic web attacks;
- vulnerabilities in PaaS components;
- the APIs of all components.
That is probably all that matters for the rest of the story.
What work was done and why was it needed?
A security audit aims to find vulnerabilities and configuration errors that could lead to leakage of personal data, modification of sensitive information, or loss of service availability.
During the engagement, which takes 1 to 2 months on average, the auditors reproduce the actions of potential attackers and look for vulnerabilities in the client and server parts of the chosen service. For the MCS cloud platform audit, the following goals were set:
- Analysis of authentication in the service. Vulnerabilities in this component would give quick access to other people's accounts.
- Study of the role model and of access control between different accounts. For an attacker, getting access to someone else's virtual machine is a prized goal.
- Client-side vulnerabilities: XSS/CSRF/CRLF and so on. Is it possible to attack other users through malicious links?
- Server-side vulnerabilities: RCE and all kinds of injection (SQL/XXE/SSRF and so on). Server-side bugs are usually harder to find, but they compromise many users at once.
- Analysis of user segment isolation at the network level. For an attacker, a lack of isolation greatly widens the attack surface against other users.
- Business logic analysis. Is it possible to cheat the business and create virtual machines for free?
In this project the work followed the "grey-box" model: the auditors interacted with the service with the privileges of ordinary users, but had part of the API source code and could clarify details with the developers. This is usually the most convenient model and at the same time a realistic one: an attacker can gather internal information too, it is only a matter of time.
Vulnerabilities found
Before an auditor starts throwing various payloads (the data used to attack) at random places, they need to understand how the thing works and what functionality it offers. This may look like wasted effort, because most of the places studied will turn out to have no vulnerabilities. But only an understanding of the application's structure and the logic of its operation makes it possible to find the most complex attack vectors.
It is important to find the places that look suspicious or somehow differ from the rest. The first dangerous vulnerability was found exactly this way.
IDOR
IDOR (Insecure Direct Object Reference) is one of the most common business-logic vulnerabilities: it lets a user reach objects they are not actually authorized to access. IDOR bugs open the way to information about other users, of varying degrees of sensitivity.
One variant of IDOR is performing actions on system objects (users, bank accounts, items in a shopping cart) by manipulating the identifiers used to reference those objects. The consequences can be unexpected: for example, substituting the account of the sender of a transfer and stealing funds from other users.
In the case of MCS, the auditors found exactly such an IDOR, tied to insecure identifiers. In the user's account, most objects were addressed by UUIDs, which looked, as security experts would put it, impressively secure (that is, resistant to brute-force guessing). For some entities, however, it turned out that ordinary sequential numbers were used to fetch information about the application's users. You can guess the rest: change the user ID by one, resend the request, and receive the data while bypassing the ACL (access control list, the data-access rules for processes and users).
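As an added example (written for this edit; it is neither the article's nor the MCS code base, and the user records, IDs and project numbers are constructed), here is the shape of the bug and of the fix in Python, with the auditor's ID-walking probe alongside:

```python
# Added example, not from the article or the MCS code base.
# An IDOR-prone "get user" handler beside its fixed form, with the
# auditor's ID-walking probe. All records below are constructed.
from dataclasses import dataclass


@dataclass
class User:
    id: int          # sequential integer: the weak point in the finding
    project_id: int  # tenant / project the user belongs to
    email: str
    api_key: str


# Constructed sample data: two tenants with adjacent user IDs.
USERS = {
    101: User(101, project_id=1, email="alice@tenant-a.example", api_key="key-a"),
    102: User(102, project_id=2, email="bob@tenant-b.example", api_key="key-b"),
}


class Forbidden(Exception):
    """Raised instead of leaking whether the object exists."""


def get_user_vulnerable(caller: User, user_id: int) -> dict:
    """Authenticates the caller (it has a User) but never checks that the
    requested object belongs to the caller's project: classic IDOR."""
    target = USERS[user_id]  # KeyError for IDs that do not exist
    return {"email": target.email, "api_key": target.api_key}


def get_user_fixed(caller: User, user_id: int) -> dict:
    """Authorization is checked against the caller's project, and a foreign
    ID is answered exactly like a missing one, so there is no existence oracle."""
    target = USERS.get(user_id)
    if target is None or target.project_id != caller.project_id:
        raise Forbidden("no such user in your project")
    return {"email": target.email, "api_key": target.api_key}


def enumerate_ids(handler, caller: User, start: int, count: int) -> list:
    """The auditor's probe from the text: change the ID by one, resend,
    and record which IDs answer with data."""
    leaked = []
    for uid in range(start, start + count):
        try:
            handler(caller, uid)
        except (Forbidden, KeyError):
            continue
        leaked.append(uid)
    return leaked


if __name__ == "__main__":
    alice = USERS[101]
    print("vulnerable:", enumerate_ids(get_user_vulnerable, alice, 100, 5))  # [101, 102]
    print("fixed:     ", enumerate_ids(get_user_fixed, alice, 100, 5))       # [101]
```

The fix pairs an ownership check with a single error for both the "missing" and the "not yours" cases. The UUIDs used elsewhere in MCS remove the guessability, but they are not a substitute for that check: a UUID that leaks once, in a log, a URL or a support ticket, is enough.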
Server Side Request Forgery (SSRF)
The good thing about open-source products is the huge number of forums with detailed technical descriptions of the problems that come up and, if you are lucky, of their solutions. This coin has a flip side: known vulnerabilities are described in just as much detail. For example, the OpenStack forum has an excellent write-up of one such vulnerability.
A common piece of application functionality is letting the user submit a link that the server then fetches itself (for example, loading an image from the given source). If neither the link itself nor the response the server relays back to the user is filtered, such functionality is easy for attackers to abuse.
An SSRF vulnerability can advance an attack considerably. The attacker can gain:
- limited access to the target's internal network, for example only to certain network segments and only over a certain protocol;
- full access to the internal network, if it is possible to drop from the application layer to the transport layer and, as a result, fully control the payload at the application layer;
- the ability to read local files on the server (if the file:/// scheme is supported);
- and much more.
The SSRF long known in OpenStack is "blind" by nature: when you reach a server, you do not get its response back, only different kinds of errors or delays depending on how the request went. That is already enough for a port scan of hosts on the internal network, with all the consequences that follow, which should not be underestimated. For example, a product may have a back-office API reachable only from the corporate network. With documentation in hand (insiders exist), an attacker can use SSRF to reach internal methods. If you somehow obtain a list of useful URLs, SSRF lets you walk through them and issue requests, relatively speaking, to move money between accounts or change limits.
This is not the first SSRF found in OpenStack. Previously it was possible to download VM ISO images from a direct link, which led to similar consequences. That feature has since been removed from OpenStack; apparently the community considered this the simplest and most reliable fix.
And inside MCS itself? SSRF was found in two places with similar functionality, but it could not be exploited thanks to firewalls and other protections. One way or another, the MCS team fixed the issue anyway, without waiting for the community.
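To make the defensive side concrete, here is an added example (not code from the article, OpenStack or MCS) of validating a user-supplied URL before the server fetches it. The `resolve` callback and the host names in the sample table are assumptions so that the check runs offline; the check refuses non-HTTP schemes such as `file://`, unusual ports, and any host that resolves to a non-public address, including the link-local metadata address.

```python
# Added example, not from the article, OpenStack or MCS.
# Validate a user-supplied URL before the server fetches it (the SSRF-prone
# "load an image from this URL" feature). The resolver is injected so the
# check runs offline; in production wrap socket.getaddrinfo().
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, ftp://, ...
ALLOWED_PORTS = {80, 443}            # no port scanning via the fetcher


def _is_public(ip) -> bool:
    """True only for globally routable unicast: rejects RFC 1918, loopback,
    link-local (169.254.169.254 metadata), CGNAT, IPv6 ULA and multicast."""
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolve) -> list:
    """Return the reasons this URL must be refused; an empty list means OK.
    `resolve(host)` returns the list of IP address strings for `host`."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    host = parts.hostname
    if not host:
        problems.append("no host")
        return problems
    try:
        port = parts.port
    except ValueError:
        problems.append("malformed port")
        return problems
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        problems.append(f"port {port} not allowed")
    # Check every address: one public and one private record is still an attack.
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except ValueError as exc:
        problems.append(f"unresolvable host: {exc}")
        return problems
    if not addrs:
        problems.append("host does not resolve")
    for ip in addrs:
        if not _is_public(ip):
            problems.append(f"{host} resolves to non-public {ip}")
    return problems


# Constructed resolver for the example: a fixed table plus IP literals.
_TABLE = {
    "images.example.com": ["93.184.216.34"],
    "dual.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> list:
    # Unknown names fall through as-is: IP literals parse, other names fail.
    return _TABLE.get(host, [host])


if __name__ == "__main__":
    for u in ("https://images.example.com/a.png",
              "file:///etc/passwd",
              "http://dual.example.com/",
              "http://169.254.169.254/latest/meta-data/",
              "http://images.example.com:8080/"):
        print(u, "->", check_outbound_url(u, fake_resolve) or "OK")
```

Two caveats the check cannot remove on its own: resolve once and connect to the vetted address (otherwise a DNS-rebinding host passes the check and then resolves to 127.0.0.1 at connect time), and do not follow redirects automatically, since a 302 to an internal URL reopens the hole.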
XSS on file upload
Hundreds of tutorials have been written on the subject, yet year after year XSS (cross-site scripting) attacks remain the most common.
File upload is a favourite spot for any security auditor. It often turns out that you can upload an arbitrary script (asp/jsp/php) and execute OS commands, or, in pentester jargon, "upload a shell". But the popularity of such vulnerabilities cuts both ways: they are well remembered and countermeasures are built for them, so these days the chance of "uploading a shell" is close to zero.
The attacking team (Digital Security) got lucky. In MCS the contents of uploaded files were checked on the server side and only images were allowed. But SVG is also an image. How can an SVG image be dangerous? Because you can embed JavaScript in it!
It turned out that uploaded files were accessible to all users of the MCS service, which means other cloud users, administrators included, could be attacked.
An example of an XSS attack with a fake login form
Examples of how an XSS can be exploited:
- Why try to steal the session (especially now that HttpOnly cookies, which JavaScript cannot read, are everywhere) when the uploaded script can call the required API directly? In that case the payload can use XHR requests to change the server configuration, for example add the attacker's SSH public key and gain SSH access to the server.
- If a CSP (Content Security Policy) blocks injected JavaScript, the attacker can do without it. Using plain HTML, they can build a fake login form for the site and steal the administrator's password through this improved phishing: the phishing page sits on the site's own URL, which makes it much harder for the user to notice.
- Finally, the attacker can arrange a client-side DoS by setting cookies larger than 4 KB. The user only has to open the link once, and the whole site becomes inaccessible until they think to clear the browser data: in most configurations the web server refuses requests with headers that large.
Let us look at another XSS that was found, this time with a more cunning trigger. MCS lets you combine firewall settings into groups, and the XSS was in the group name. Its peculiarity was that the vector did not fire immediately, or when viewing the rule list, but only when the group was deleted:
So the scenario is as follows: an attacker creates a firewall rule with a "payload" in its name, the administrator notices it some time later and starts deleting it. That is the moment the malicious JS runs.
To protect against XSS in uploaded SVG images (if they cannot simply be dropped), the Digital Security team recommended that the MCS developers:
- host user-uploaded files on a separate domain that shares no cookies with the application. A script would then execute in the context of that other origin and pose no threat to MCS;
- send the "Content-Disposition: attachment" header in the server's HTTP response. The browser then downloads the file instead of rendering it.
Beyond that, developers have many ways to reduce the risk of XSS exploitation:
- the "HttpOnly" flag makes cookies unreadable to malicious JavaScript;
- a properly built CSP makes exploiting an XSS much harder for an attacker;
- modern template engines such as Angular or React escape user data before rendering it in the user's browser.
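An added example (not the article's or MCS's code) of the screening step plus the two recommendations in Python: `svg_active_content` flags script-like elements, event-handler attributes and `javascript:`/`data:` links in an uploaded SVG, and `download_headers` builds the response headers for serving the file from a separate, cookie-less origin. The sample SVGs and the header set are constructed for the example.

```python
# Added example, not from the article or MCS.
# Screen an uploaded SVG for active content, and build the response headers
# for serving uploads from a separate, cookie-less origin so that even an
# SVG that slipped through is downloaded rather than rendered.
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
ACTIVE_URL_PREFIXES = ("javascript:", "data:", "vbscript:")


def _local(tag: str) -> str:
    """Strip the namespace from '{uri}name' and lower-case it."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list:
    """Return the findings that make this SVG unsafe to render inline.
    An empty list means nothing active was found (not a proof of safety)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler {aname} on <{name}>")
            if aname == "href" and value.strip().lower().startswith(ACTIVE_URL_PREFIXES):
                findings.append(f"href with active scheme on <{name}>")
    return findings


def download_headers(filename: str, content_type: str) -> dict:
    """Headers for a user upload served from the uploads origin: forced
    download, no MIME sniffing, and a CSP that blocks everything if the
    browser renders it anyway."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }


# Constructed samples: a harmless icon and an SVG carrying the payloads
# described in the text (API call on load, inline script, javascript: link).
SAFE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
EVIL_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink" '
            b'onload="fetch(\'/api/ssh-keys\',{method:\'POST\',body:KEY})">'
            b'<script>alert(document.domain)</script>'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    print("safe:", svg_active_content(SAFE_SVG) or "nothing found")
    print("evil:", svg_active_content(EVIL_SVG))
    print(download_headers("logo.svg", "image/svg+xml"))
```

Parse with a hardened parser such as defusedxml in production: the standard-library parser used here does not fetch external entities, but it is still open to entity-expansion bombs. Rejecting suspicious files is the second line of defence; the first is the auditors' recommendation, serving everything user-uploaded from an origin that holds none of the application's cookies.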
Two-factor authentication vulnerabilities
To strengthen account security, users are constantly advised to enable 2FA (two-factor authentication). It is indeed an effective way to stop an attacker from getting into the service when the user's credentials have been compromised.
But does a second factor always guarantee account security? 2FA implementations suffer from the following classes of issues:
- Brute-forcing the OTP (one-time code). Despite how simple the protection is, mistakes such as missing OTP brute-force protection are made even by large companies: the Slack case, the Facebook case.
- A weak generation algorithm, for example one that allows the next code to be predicted.
- Logic errors, such as being able to request someone else's OTP to your own phone, as in the Shopify case.
In MCS, 2FA is built on Google Authenticator, and it is applied in several places:
- When authenticating the user. Here brute-force protection exists: the user gets only a few attempts to enter the one-time password, after which input is blocked for a while. That rules out guessing the OTP.
- When generating offline backup codes for 2FA, and when disabling 2FA. Here no brute-force protection was implemented, which made it possible, given the account password and an active session, to regenerate the backup codes or switch 2FA off entirely.
Since the backup codes had the same format as the codes produced by the OTP application, the chance of hitting the right code in a short time was high.
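An added example (not the article's or MCS's code) that simulates the finding: a TOTP verifier per RFC 6238, an endpoint modelled on the "disable 2FA / regenerate backup codes" handler with and without a failure lockout, and an attacker who already holds the password and a session and simply walks every six-digit code. The secret and timestamp are the RFC 6238 test-vector values; the lockout parameters are assumptions, not figures from the article.

```python
# Added example, not from the article or MCS.
# A TOTP verifier (RFC 6238, SHA-1, 6 digits) behind an endpoint modelled on
# the "disable 2FA / regenerate backup codes" handler, with and without a
# failure lockout, and an attacker who already holds the password and a
# session and simply walks every six-digit code.
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP step
DIGITS = 6


def totp(secret: bytes, timestamp: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP = HOTP(secret, floor(timestamp / step)) with dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Disable2faEndpoint:
    """max_failures=None reproduces the finding: no lockout at all.
    lockout_seconds is an assumed value, not a figure from the article."""

    def __init__(self, secret: bytes, max_failures=None, lockout_seconds: int = 300):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.requests = 0          # how many calls the attacker had to make
        self._cache = {}           # step -> expected code, avoids re-running HMAC

    def _expected(self, now: int) -> str:
        step = now // STEP
        if step not in self._cache:
            self._cache[step] = totp(self.secret, now)
        return self._cache[step]

    def verify(self, code: str, now: int) -> str:
        """Returns 'ok', 'wrong' or 'locked'."""
        self.requests += 1
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(code, self._expected(now)):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "wrong"


def brute_force(endpoint: Disable2faEndpoint, now: int):
    """Enumerate all 10**DIGITS codes inside one time step (time is frozen
    for the simulation). Returns the code as an int, or None if locked out."""
    for i in range(10 ** DIGITS):
        result = endpoint.verify(f"{i:0{DIGITS}d}", now)
        if result == "ok":
            return i
        if result == "locked":
            return None  # waiting out the lockout also lets the TOTP rotate
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret
    now = 59                           # RFC 6238 test vector: code 287082
    open_ep = Disable2faEndpoint(secret)
    print("no lockout: found", brute_force(open_ep, now), "after", open_ep.requests, "requests")
    locked_ep = Disable2faEndpoint(secret, max_failures=5)
    print("lockout:    found", brute_force(locked_ep, now), "after", locked_ep.requests, "requests")
```

Freezing time keeps the simulation deterministic; in real time the code rotates every 30 s, but each request still has a one-in-a-million chance, so the expected cost stays on the order of a million requests, which is within reach of a tool like Burp Intruder unless the endpoint counts failures per account. Backup codes deserve the same treatment, since the article notes they shared the OTP format, and a stricter fix than the counter shown is to require re-entering the password before the disable action.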
Brute-forcing an OTP to disable 2FA using the Burp Intruder tool
Conclusions
Overall, MCS looks like a secure product. During the audit the pentest team was unable to reach clients' VMs and their data, and the vulnerabilities that were found were fixed quickly by the MCS team.
But it is important to remember that security is continuous work. Services do not stand still; they keep evolving. It is impossible to build a product with no vulnerabilities at all, but you can find them in time and reduce the chance of their reappearing.
All the MCS vulnerabilities mentioned here have already been fixed. To keep the number of new ones low and their lifetime short, the platform team keeps doing the following:
- regularly runs audits with external companies;
- supports and develops participation in the Mail.ru Group Bug Bounty program;
- practises secure development.
Source: www.habr.com