Security audit of the MCS cloud platform

Cover art: SkyShip Dusk by SeerLight

Building any service involves continuous work on security. Security is an ongoing process that includes regular review and improvement of the product's defences, keeping up with vulnerability news, and much more, including audits. Audits are carried out both in-house and by outside experts, who can contribute a great deal precisely because they are not immersed in the project and come to it with fresh eyes.

This article is about exactly that: the outside view of external experts who helped the Mail.ru Cloud Solutions (MCS) team test its cloud service, and what they found. As that outside force, MCS chose Digital Security, a company known for its high level of expertise in information security. Below we walk through some of the more interesting vulnerabilities found during the external audit, so that you can avoid stepping on the same rake when building your own cloud service.

Product Description

Mail.ru Cloud Solutions (MCS) is a platform for building virtual infrastructure in the cloud. It includes IaaS, PaaS, and a marketplace of ready-made images for developers. Given the architecture of MCS, the product's security had to be checked in the following areas:

  • security of the virtualization environment's infrastructure: hypervisors, routing, firewalls;
  • security of customers' virtual infrastructure: isolation of tenants from one another, including at the network level, and private networks in the SDN;
  • OpenStack and its open-source components;
  • our own S3 implementation;
  • IAM: multi-user projects with a role model;
  • Vision (computer vision): its APIs and vulnerabilities when working with images;
  • the web interface and classic web attacks;
  • vulnerabilities in PaaS components;
  • the API of every component.

That is probably all the background needed for the rest of the story.

What work was done, and why was it needed?

A security audit aims to find vulnerabilities and configuration errors that could lead to leakage of personal data, modification of sensitive information, or disruption of the service's availability.

During the engagement, which on average takes 1-2 months, the auditors repeat the actions of potential attackers and look for vulnerabilities in the client and server parts of the chosen service. For the MCS cloud platform audit, the following objectives were set:

  1. Analysis of authentication in the service. A vulnerability in this component would let an attacker quickly get into other people's accounts.
  2. Study of the role model and of access control between different accounts. For an attacker, gaining access to someone else's virtual machine is a desirable target.
  3. Client-side vulnerabilities: XSS/CSRF/CRLF and so on. Is it possible to attack other users through malicious links?
  4. Server-side vulnerabilities: RCE and all kinds of injection (SQL/XXE/SSRF and so on). Server-side vulnerabilities are usually harder to find, but they lead to the compromise of many users at once.
  5. Analysis of user segment isolation at the network level. For an attacker, weak isolation greatly enlarges the attack surface against other users.
  6. Business logic analysis. Is it possible to cheat the business and create virtual machines for free?

In this project the work followed the "grey box" model: the auditors interacted with the service with the privileges of ordinary users, but had part of the API source code and could clarify details with the developers. This is usually the most convenient model and, at the same time, quite a realistic one: an attacker can collect internal information too, it is only a matter of time.

Vulnerabilities found

Before an auditor starts sending assorted payloads (the data used to carry out an attack) to random places, they need to understand how the application works and what functionality it offers. This may look like wasted effort, because most of the places studied will turn out to have no vulnerabilities at all. But only an understanding of the application's structure and the logic of its operation makes it possible to find the most complex attack vectors.

It is important to find places that look suspicious or that differ in some way from the rest. And the first dangerous vulnerability was found in exactly that way.

IDOR

IDOR (Insecure Direct Object Reference) is one of the most common business-logic vulnerabilities: it lets a user reach objects they are not authorised to access. An IDOR gives an attacker a way to obtain information about other users, of varying degrees of sensitivity.

One form of IDOR is performing actions on system objects (users, bank accounts, items in a shopping cart) by manipulating the identifiers used to reference those objects. This leads to the most unpredictable consequences: for example, the ability to substitute the account of the sender of a money transfer, through which funds can be stolen from other users.

In the case of MCS, the auditors found an IDOR vulnerability of exactly this kind, tied to insecure identifiers. In the user's account area, UUID identifiers were used to access most objects, which, as security people like to say, are impressively unguessable (that is, resistant to brute-force enumeration). But for some entities it turned out that ordinary sequential numbers were used to fetch information about the application's users. You can guess what came next: it was possible to change a user ID by one, resend the request, and obtain that information while bypassing the ACL (access control list, the rules that say which processes and users may access which data).
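As an added illustration (not code from the MCS audit or from the MCS platform), the following Python models the two lookup paths described above: a legacy endpoint that takes a sequential integer, and one that takes a UUID. The store, the user names and the handler names are invented for the example. It reproduces the auditor's probe of incrementing the ID and resending, shows the ownership check that fixes it, and also shows that the UUID path is no safer once a UUID leaks, because the flaw is the missing authorisation check, not the identifier format.

```python
import uuid


class Forbidden(Exception):
    """Raised when the session user may not access the requested object."""


class ObjectStore:
    """Constructed in-memory stand-in for a cloud API's object table.
    Every record is reachable by a sequential integer id (legacy path)
    and by a random UUID; both keys point at the same record."""

    def __init__(self):
        self.by_int = {}
        self.by_uuid = {}
        self._next_id = 1

    def create(self, owner, name):
        record = {"owner": owner, "name": name, "uuid": str(uuid.uuid4())}
        obj_id, self._next_id = self._next_id, self._next_id + 1
        self.by_int[obj_id] = record
        self.by_uuid[record["uuid"]] = record
        return obj_id, record["uuid"]


def get_by_int_vulnerable(store, session_user, obj_id):
    """Vulnerable handler: the caller is authenticated (session_user is
    known) but never authorised, so any logged-in user can read any
    object whose number they can guess."""
    return store.by_int[obj_id]


def get_by_uuid_vulnerable(store, session_user, obj_uuid):
    """Same missing check behind an unguessable key. Enumeration is
    infeasible, but a UUID that leaks (logs, Referer, a support ticket)
    still opens someone else's object."""
    return store.by_uuid[obj_uuid]


def get_by_int_fixed(store, session_user, obj_id):
    """Fixed handler: an ACL check compares the record's owner with the
    caller. 'Not yours' and 'does not exist' raise the same error, so the
    response does not reveal which ids are in use."""
    record = store.by_int.get(obj_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(obj_id)
    return record


def access_denied(handler, store, session_user, key):
    """True if the handler refuses the request."""
    try:
        handler(store, session_user, key)
    except (Forbidden, KeyError):
        return True
    return False


def enumerate_ids(store, session_user, handler, max_id=100):
    """The auditor's probe from the article: change the id by one, resend,
    and keep every record that belongs to somebody else."""
    leaked = {}
    for obj_id in range(1, max_id + 1):
        try:
            record = handler(store, session_user, obj_id)
        except (Forbidden, KeyError):
            continue
        if record["owner"] != session_user:
            leaked[obj_id] = record["name"]
    return leaked


def build_demo_store():
    """Constructed sample data: one object for alice, two for bob."""
    store = ObjectStore()
    store.create("alice", "alice-web-01")
    store.create("bob", "bob-db-01")
    store.create("bob", "bob-db-02")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("legacy endpoint leaks:", enumerate_ids(store, "alice", get_by_int_vulnerable))
    print("fixed endpoint leaks: ", enumerate_ids(store, "alice", get_by_int_fixed))
```

The fixed handler deliberately returns one error for both "not found" and "not yours"; a distinguishable 404 would still let the attacker map which IDs exist, which is the first step of the probe above.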

Server Side Request Forgery (SSRF)

The nice thing about open-source products is that they come with a huge number of forums containing detailed technical descriptions of the problems that arise and, if you are lucky, of their solutions. But the coin has a flip side: known vulnerabilities are described in the same detail. For example, the OpenStack forum has excellent write-ups of an [XSS] and an [SSRF] vulnerability that, for some reason, nobody is in a hurry to fix.

A common application feature is letting the user submit a link that the server then follows itself (for example, to download an image from the specified source). If neither the links nor the responses the server returns to the user are filtered, such functionality is easily abused by attackers.

An SSRF vulnerability can significantly advance an attack. An attacker can obtain:

  • limited access to the target's internal network, for example only to certain network segments and only over a particular protocol;
  • full access to the internal network, if it is possible to drop from the application layer to the transport layer and, as a result, gain full control over the payload at the application layer;
  • the ability to read local files on the server (if the file:/// scheme is supported);
  • and much more.

The SSRF long known in OpenStack is "blind" by nature: when you make the server contact a host, you do not receive that host's response, but you do receive different kinds of errors or delays depending on the outcome of the request. On that basis you can port-scan hosts on the internal network, with all the consequences that follow, and they should not be underestimated. For example, a product may have a back-office API that is reachable only from the corporate network. With documentation in hand (remember insiders), an attacker can use the SSRF to reach internal methods. If you have somehow obtained a list of useful URLs, the SSRF lets you walk through them and execute requests: transferring money from one account to another, say, or changing limits.
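As an added example (not MCS code and not OpenStack code), here is how a "fetch this URL for me" feature can be hardened against the blind SSRF described above. The check is written in Python; the DNS table and the public addresses in it are constructed so that it runs offline, and the function names are invented. The hardened path restricts schemes and ports, so the feature cannot be turned into a port scanner; resolves the name itself and rejects anything that is not a global unicast address (loopback, RFC 1918, link-local such as the 169.254.169.254 metadata address, CGNAT); and returns the vetted IP so the HTTP client connects to that address rather than resolving the name a second time.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table standing in for a real resolver so the example runs
# offline. The global addresses are made-up values, not real hosts.
FAKE_DNS = {
    "images.example.com": ["1.2.3.4"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["5.6.7.8", "10.0.0.5"],  # mixed answer: one public, one private
}


class SsrfBlocked(ValueError):
    """Raised for any URL the hardened fetcher refuses to contact."""


def fetch_target_vulnerable(url):
    """What the 'download an image from this URL' feature contacts when it
    trusts the URL as given: whatever scheme, host and port the string says."""
    parts = urlsplit(url)
    port = parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname, port


def _resolve(host, dns):
    """Return the addresses the name resolves to, or block unknown names."""
    try:
        return [ipaddress.ip_address(a) for a in dns[host]]
    except KeyError:
        raise SsrfBlocked(f"cannot resolve {host!r}")


def fetch_target_hardened(url, dns=FAKE_DNS):
    """Validate the URL and return (scheme, vetted_ip, port) for the client."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # no file://, gopher://, ...
        raise SsrfBlocked(f"scheme {parts.scheme!r} not allowed")
    try:
        port = parts.port                             # raises ValueError if malformed
    except ValueError:
        raise SsrfBlocked("bad port")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:                     # otherwise the feature is a port scanner
        raise SsrfBlocked(f"port {port} not allowed")
    host = parts.hostname
    if not host:
        raise SsrfBlocked("no host")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IPv4/IPv6 address
    except ValueError:
        addrs = _resolve(host, dns)                   # hostname: check every answer
    for ip in addrs:
        # is_global is False for loopback, RFC 1918, link-local (169.254/16,
        # where cloud metadata services live), CGNAT, multicast and reserved ranges.
        if not ip.is_global:
            raise SsrfBlocked(f"{host} resolves to non-public address {ip}")
    # Pin the address: the caller must connect to this IP (sending the original
    # Host header), so a second DNS lookup cannot swap in an internal answer.
    return parts.scheme, str(addrs[0]), port


def is_allowed(url, dns=FAKE_DNS):
    """True if the hardened check accepts the URL."""
    try:
        fetch_target_hardened(url, dns)
    except SsrfBlocked:
        return False
    return True
```

Two points a practitioner would add in production: the client that follows the vetted address must not follow redirects on its own (a redirect to an internal address re-opens the hole), and all rejections should produce the same error to the user, so the feature does not become the timing or error oracle that the blind variant relies on.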

This is not the first SSRF found in OpenStack. In the past it was possible to download VM ISO images from a direct link, which led to similar consequences. That feature has since been removed from OpenStack; apparently the community considered this the simplest and most reliable solution to the problem.

And in this publicly available report on the HackerOne (h1) platform, exploitation of a non-blind SSRF with the ability to read instance metadata led to root access to the entire Shopify infrastructure.

In MCS, SSRF vulnerabilities were found in two places with similar functionality, but they were practically impossible to exploit because of firewalls and other protections. One way or another, the MCS team fixed the problem anyway, without waiting for the community.

XSS via file upload

Even though hundreds of articles have been written about it, year after year XSS (cross-site scripting) remains the most frequently encountered web vulnerability (or attack?).

File upload is a favourite spot for any security auditor. It often turns out that you can upload an arbitrary script (asp/jsp/php) and execute OS commands; in pentester jargon, "upload a shell". But the popularity of such vulnerabilities cuts both ways: people remember them and build fixes for them, so lately the chance of "uploading a shell" tends towards zero.

The attacking team (Digital Security) got lucky. To be fair, MCS checked the contents of uploaded files on the server side and allowed images only. But SVG is also an image. How can an SVG image be dangerous? Because you can embed JavaScript snippets in it!

It turned out that uploaded files were accessible to all users of the MCS service, which meant it was possible to attack other cloud users, including administrators.

(Screenshot) Example of an XSS attack with a fake login form

Examples of how the XSS could be exploited:

  • Why bother stealing the session (especially now that HttpOnly cookies are everywhere and cannot be read by injected JS) when the injected script can call the resource's API directly? In that case the payload can use XHR requests to change the server configuration, for example add the attacker's SSH public key and gain SSH access to the server.
  • If a CSP (Content Security Policy) forbids injected JavaScript, the attacker can do without it. Using pure HTML, they create a fake site login form and steal the administrator's password through this advanced phishing: the phishing page sits on the same URL as the real one, and it is much harder for the user to notice.
  • Finally, the attacker can arrange a client-side DoS by setting cookies larger than 4 KB. The user only needs to open the link once, and the whole site becomes inaccessible until they think to clear the browser explicitly: in most cases the web server will refuse requests from such a client.

Let's look at one more of the XSS bugs found, this time with a more cunning exploitation path. The MCS service lets you combine firewall settings into groups, and the group name is where the XSS was found. Its peculiarity was that the vector did not fire immediately, nor when viewing the list of rules, but when the group was deleted:


So the scenario is as follows: the attacker creates a firewall rule with a "payload" in its name, the administrator notices it after a while and starts deleting it. And that is the moment the malicious JS runs.

To protect against XSS in uploaded SVG images (if they cannot simply be disallowed), the Digital Security team recommended that the MCS developers:

  • Host user-uploaded files on a separate domain that has nothing to do with the application's cookies. The script will then execute in the context of that other domain and pose no threat to MCS.
  • Send the "Content-Disposition: attachment" header in the server's HTTP response. The browser will then download the files rather than render them.
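The two recommendations above, plus a content check on the upload path, as an added Python example (not MCS code; the host name, the endpoint path and the sample SVGs are constructed for the demonstration). svg_active_content lists the reasons an uploaded SVG could run script when rendered inline, including the API-call payload from the first exploitation example; build_upload_response refuses such files and serves accepted ones from a separate user-content host with Content-Disposition: attachment, nosniff and a sandboxing CSP, so even a file the scanner misses is downloaded rather than executed in the application's origin. The scanner is a denylist and is defence in depth; the serving-side headers and the separate domain are the primary control.

```python
import xml.etree.ElementTree as ET

# Hypothetical cookie-less host for user uploads, separate from the app origin.
USER_CONTENT_HOST = "usercontent.example.net"

ACTIVE_TAGS = {"script", "foreignobject"}            # run script / embed arbitrary HTML
DANGEROUS_URL_PREFIXES = ("javascript:", "data:")


def _local(name):
    """Strip an XML namespace prefix like '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data):
    """Return the reasons an SVG could execute script in a viewer's browser
    (an empty list means nothing suspicious was found)."""
    if b"<!ENTITY" in data or b"<!DOCTYPE" in data:
        # Entity declarations are a separate class of trouble (XXE, entity
        # expansion); refuse them before handing the bytes to a parser.
        return ["DTD or entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    reasons = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                    # onload, onclick, ...
                reasons.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(DANGEROUS_URL_PREFIXES):
                reasons.append(f"{name}={value.split(':')[0]}: on <{tag}>")
    return reasons


def build_upload_response(data, filename):
    """Decide how the server answers a request for an uploaded SVG: reject
    active content, otherwise serve it as a download from the separate host
    with headers that stop inline rendering in the application's origin."""
    reasons = svg_active_content(data)
    if reasons:
        return 400, {"Content-Type": "text/plain"}, "; ".join(reasons)
    headers = {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return 200, headers, f"https://{USER_CONTENT_HOST}/uploads/{filename}"


# Constructed sample uploads.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""

# The API-call style payload from the article: no cookie theft, just a request
# to a hypothetical key-management endpoint in the victim's session.
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>fetch("/api/v1/ssh-keys", {method: "POST", body: "ssh-ed25519 AAAA..."})</script>
</svg>"""

ONLOAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>"""

HREF_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><text y="10">click</text></a>
</svg>"""
```

Note that the "sandbox" CSP directive and the attachment disposition together cover the case the scanner cannot: an SVG opened directly in the browser is still treated as an opaque, script-less download, and a script that somehow runs does so on usercontent.example.net, where there are no application cookies to use.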

Beyond that, developers have many other ways to reduce the risk of XSS exploitation:

  • with the "HttpOnly" flag, you can make cookie values inaccessible to malicious JavaScript;
  • a correctly implemented CSP will make it much harder for an attacker to exploit an XSS;
  • modern template engines such as Angular or React escape user data by default before rendering it in the user's browser.

Two-factor authentication flaws

To improve account security, users are invariably advised to enable 2FA (two-factor authentication). Indeed, it is an effective way to stop an attacker from getting into the service when the user's credentials have been compromised.

But does using a second authentication factor always guarantee the safety of the account? 2FA implementations suffer from the following security problems:

  • Brute-forcing the OTP (one-time code). Despite the simplicity of exploitation, mistakes such as missing protection against OTP brute force happen even at large companies: see the Slack case and the Facebook case.
  • A weak generation algorithm, for example one that makes the next code predictable.
  • Logic errors, such as being able to request someone else's OTP to your own phone, as happened at Shopify.

In the case of MCS, 2FA is implemented on top of Google Authenticator and Duo. The protocol itself is time-tested, but the code-verification logic on the application side deserves a check.

MCS uses 2FA in several places:

  • When authenticating the user. Brute-force protection is in place here: the user gets only a few attempts to enter the one-time password, after which input is blocked for a while. That closes off OTP brute-forcing.
  • When generating backup offline codes for completing 2FA, and when disabling it. Here no brute-force protection was implemented, which made it possible, given the account password and an active session, to regenerate the backup codes or to disable 2FA entirely.

Given that the backup codes came from the same value range as the codes generated by the OTP application, the chance of guessing a code within a short time was considerably higher.
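An added Python example (not MCS code) of the difference between the two endpoints described above. totp is a plain RFC 6238 implementation of what Google Authenticator produces; TwoFactor is a hypothetical service with an injected clock, where the login check is rate-limited but the "disable 2FA" check is not, beside a fixed version that routes every OTP check through the same limiter. brute_force plays the Burp Intruder role from the screenshot: it walks the six-digit space against one endpoint. The attempt limit and lock duration are assumptions; the secret and time are the RFC 6238 test vector, so the expected code is known in advance.

```python
import hashlib
import hmac
import struct
from functools import lru_cache

STEP = 30        # TOTP time step in seconds
DIGITS = 6       # code length, as in Google Authenticator


@lru_cache(maxsize=None)   # cache only keeps the demo brute-force loop fast
def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Locked(Exception):
    """Too many wrong codes: the endpoint refuses further attempts for a while."""


class TwoFactor:
    """Hypothetical 2FA service. The clock is injected so runs are deterministic."""
    MAX_ATTEMPTS = 5       # assumed policy
    LOCK_SECONDS = 300     # assumed policy

    def __init__(self, secret: bytes, now: int):
        self.secret = secret
        self.now = now
        self.enabled = True
        self.failures = 0
        self.locked_until = 0

    def _code_matches(self, code: str) -> bool:
        return hmac.compare_digest(totp(self.secret, self.now), code)

    def _check_limited(self, code: str) -> bool:
        """Shared limiter: a few wrong answers lock all of the account's OTP checks."""
        if self.now < self.locked_until:
            raise Locked()
        if self._code_matches(code):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.failures = 0
            self.locked_until = self.now + self.LOCK_SECONDS
        return False

    def verify_login(self, code: str) -> bool:
        """Login step: protected by the limiter, as the MCS login was."""
        return self._check_limited(code)

    def disable_vulnerable(self, code: str) -> bool:
        """The flaw: same OTP comparison, but the limiter is not applied here."""
        if self._code_matches(code):
            self.enabled = False
            return True
        return False

    def disable_fixed(self, code: str) -> bool:
        """Fix: every endpoint that consumes an OTP goes through the limiter."""
        if self._check_limited(code):
            self.enabled = False
            return True
        return False


def brute_force(attempt):
    """Intruder-style loop over all six-digit codes against one endpoint.
    Returns (code, attempts) on success, (None, attempts) if locked out or exhausted."""
    for n in range(10 ** DIGITS):
        code = f"{n:0{DIGITS}d}"
        try:
            if attempt(code):
                return code, n + 1
        except Locked:
            return None, n + 1
    return None, 10 ** DIGITS


# RFC 6238 Appendix B test vector: this secret at T=59 gives 94287082 (8 digits),
# so the six-digit code is 287082.
DEMO_SECRET = b"12345678901234567890"
DEMO_TIME = 59

if __name__ == "__main__":
    victim = TwoFactor(DEMO_SECRET, DEMO_TIME)
    print("unprotected disable:", brute_force(victim.disable_vulnerable), "enabled:", victim.enabled)
    victim = TwoFactor(DEMO_SECRET, DEMO_TIME)
    print("protected disable:  ", brute_force(victim.disable_fixed), "enabled:", victim.enabled)
```

The limiter is keyed per account and shared by every OTP-consuming endpoint (login, backup-code regeneration, disabling 2FA); a limiter attached only to the login form is exactly the gap the auditors found. Backup codes need the same treatment, and since they do not expire with the clock, an attacker has unlimited time against them unless attempts are capped.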

(Screenshot) Guessing the OTP to disable 2FA with the "Burp: Intruder" tool

Conclusion

Overall, MCS looks like a secure product. During the audit the pentesting team was unable to reach customer VMs or their data, and the vulnerabilities that were found were quickly fixed by the MCS team.

But it is important to note that security is continuous work. Services do not stand still; they are constantly evolving. And it is impossible to build a product with no vulnerabilities at all. What you can do is find them in time and minimise the chance of their recurrence.

All the flaws in MCS mentioned above have already been fixed. And to keep the number of new ones to a minimum and shorten their lifetime, the platform team continues to do the following:

Source: www.habr.com
