GHrxexUTk8Cy9ibyQ09EFsI4Tl8sPmI2qnpAKStw
Bookmark

Owasp Top 10 Series — A4 (Insecure Design)

Author
Author
Update:
... menit baca
Dengarkan

Insecure Design merupakan sebuah kerentanan yang ada pada Konsep / design dari aplikasi itu sendiri.


Pengantar

Artikel kali ini kita akan membahas owasp top 10 yang ada di urutan ke empat untuk tahun 2021 (owasp tiap 4 tahun sekali), ialah Insecure Design.

OWASP merupakan singkatan dari Open Web Application Security Project, yang merupakan sebuah project Security Web Application open source yang diperkasai oleh para penggiat teknologi atau pengembang aplikasi, OWASP sering mengadakan seminar, forum diskusi serta pendidikan untuk para Developer.

jadi yang dimaksud OWASP TOP 10? owasp top 10 merupakan sebuah cara untuk mengkategorikan resiko kerentanan yang sering terjadi pada sebuah aplikasi berbasis website, dari yang paling atas (resiko tertinggi) hingga yang paling bawah (tingkat resiko rendah), Tujuannya apa ?, tentu saja ini sangat berguna bagi para developer aplikasi supaya mereka jadi lebih aware terhadap kerentanan di aplikasi mereka.

Apa itu Insecure Design ?

Insecure Design merupakan sebuah kerentanan yang ada pada Konsep / design dari aplikasi itu sendiri. sebelum melakukan koding developer wajib menerapkan prinsip Secure Coding pada aplikasi buatannya.

Insecure Design ini merupakan kerentanan yang dimana perbaikan nya cukup sulit di perbaiki oleh developer (dikarenakan yang bermasalah itu adalah desain / fondasinya) makanya dibutuhkan waktu yang cukup banyak.

Insecure Implementation merupakan kerentanan yang disebabkan dari prinsip Secure Coding itu sendiri. dikarenakan developer tidak mengimplementasikan Sengaja/tidak sengaja prinsip dari Secure Coding.

Berikut saya cantumkan beberapa contoh report dari orang lain di celah keamanan Insecure Design :

Sumber : https://hackerone.com/reports/1353244

  • Attacker menuju url : quality.samokat.ru/info.php, dan mendapati respon File Not Found
  • kemudian Attacker mengulangi requestnya, lalu ke Turbo Intruder yang ada pada Burpsuite
  • Payload : /§fuzz§ HTTP/2
  • Attacker mendapatkan informasi yang sensitive

Request :

GET /§Fuzz§ HTTP/2

Host: quality.samokat.ru

Upgrade-Insecure-Requests: 1

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Connection: close

Response :

HTTP/2 500 Internal Server Error

Date: Tue, 28 Sep 2021 07:49:15 GMT

Content-Type: text/html; charset=UTF-8

Cache-Control: no-cache, private

Cf-Cache-Status: DYNAMIC

Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"

Server: cloudflare

Cf-Ray: 695b5fbd09a84a1d-SIN



# CALLED CODE DOCUMENT LINE

44 Doctrine\DBAL\Driver\PDOConnection->__construct(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php 64

43 Illuminate\Database\Connectors\Connector->createPdoConnection(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php 97

42 Illuminate\Database\Connectors\Connector->tryAgainIfCausedByLostConnection(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php 47

41 Illuminate\Database\Connectors\Connector->createConnection(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connectors/PostgresConnector.php 33

40 Illuminate\Database\Connectors\PostgresConnector->connect(…) ~/vendor/october/rain/src/Database/Connectors/ConnectionFactory.php 29

39 October\Rain\Database\Connectors\ConnectionFactory->October\Rain\Database\Connectors\{closure}()

38 call_user_func(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 915

37 Illuminate\Database\Connection->getPdo() ~/vendor/laravel/framework/src/Illuminate/Database/DatabaseManager.php 248

36 Illuminate\Database\DatabaseManager->refreshPdoConnections(…) ~/vendor/laravel/framework/src/Illuminate/Database/DatabaseManager.php 234

35 Illuminate\Database\DatabaseManager->reconnect(…) ~/vendor/laravel/framework/src/Illuminate/Database/DatabaseManager.php 168

34 Illuminate\Database\DatabaseManager->Illuminate\Database\{closure}(…)

33 call_user_func(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 753

32 Illuminate\Database\Connection->reconnect() ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 767

31 Illuminate\Database\Connection->reconnectIfMissingConnection() ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 616

30 Illuminate\Database\Connection->run(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 333

29 Illuminate\Database\Connection->select(…) ~/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php 1719

28 Illuminate\Database\Query\Builder->runSelect() ~/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php 1704

27 Illuminate\Database\Query\Builder->get(…) ~/vendor/october/rain/src/Database/QueryBuilder.php 217

26 October\Rain\Database\QueryBuilder->October\Rain\Database\{closure}() ~/vendor/laravel/framework/src/Illuminate/Cache/Repository.php 323

25 Illuminate\Cache\Repository->remember(…) ~/vendor/laravel/framework/src/Illuminate/Cache/CacheManager.php 304

24 Illuminate\Cache\CacheManager->__call(…) ~/vendor/october/rain/src/Database/QueryBuilder.php 158

23 October\Rain\Database\QueryBuilder->getCached(…) ~/vendor/october/rain/src/Database/QueryBuilder.php 121

22 October\Rain\Database\QueryBuilder->getDuplicateCached(…) ~/vendor/october/rain/src/Database/QueryBuilder.php 92

21 October\Rain\Database\QueryBuilder->get(…) ~/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php 481

20 Illuminate\Database\Eloquent\Builder->getModels(…) ~/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php 465

19 Illuminate\Database\Eloquent\Builder->get(…) ~/vendor/laravel/framework/src/Illuminate/Database/Concerns/BuildsQueries.php 77

18 Illuminate\Database\Eloquent\Builder->first() ~/modules/system/behaviors/SettingsModel.php 114

17 System\Behaviors\SettingsModel->getSettingsRecord() ~/modules/system/behaviors/SettingsModel.php 76

16 System\Behaviors\SettingsModel->instance() ~/modules/system/behaviors/SettingsModel.php 135

15 System\Behaviors\SettingsModel->get(…)

14 call_user_func_array(…) ~/vendor/october/rain/src/Extension/ExtendableTrait.php 414

13 October\Rain\Database\Model->extendableCall(…) ~/vendor/october/rain/src/Database/Model.php 647

12 October\Rain\Database\Model->__call(…) ~/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php 1489

11 Illuminate\Database\Eloquent\Model::__callStatic(…) ~/modules/system/models/EventLog.php 37

10 System\Models\EventLog::useLogging() ~/modules/system/ServiceProvider.php 286

9 System\ServiceProvider->System\{closure}(…)

8 call_user_func_array(…) ~/vendor/october/rain/src/Events/Dispatcher.php 233

7 October\Rain\Events\Dispatcher->dispatch(…) ~/vendor/laravel/framework/src/Illuminate/Log/Writer.php 295

6 Illuminate\Log\Writer->fireLogEvent(…) ~/vendor/laravel/framework/src/Illuminate/Log/Writer.php 201

5 Illuminate\Log\Writer->writeLog(…) ~/vendor/laravel/framework/src/Illuminate/Log/Writer.php 114

4 Illuminate\Log\Writer->error(…) ~/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php 221

3 Illuminate\Support\Facades\Facade::__callStatic(…) ~/vendor/october/rain/src/Foundation/Exception/Handler.php 66

2 October\Rain\Foundation\Exception\Handler->report(…) ~/vendor/laravel/framework/src/Illuminate/Foundation/Bootstrap/HandleExceptions.php 81

1 Illuminate\Foundation\Bootstrap\HandleExceptions->handleException(…)

dari penjelasan di atas attacker mendapatkan informasi sensitif yan ada pada pesan error karena developer tidak menggunakan error handler yang baik.

jadi ketika Attacker memasukkan data tidak sesuai dengan data yang aplikasi minta menyebabkan kebocoran informasi.

Menurut NIST 800-63b, the OWASP ASVS, and the OWASP Top 10 Questions and answers merupakan alat verifikasi pengguna yang tidak valid.

misalnya kita mempunyai akun google seperti berikut :

  • name : rebelsec
  • username : rebelsec
  • password : 123ib12!@#$SAD%&A%SDEWDFAS%^D&
  • recovery : siapa nama ibu saya ?

nah jika attacker ingin membajak/mengambil ahli akun dari rebelsec, kalau pakai teknik Bruteforce kan tidak mungkin, karna passwordnya sudah sangat aman.

tapi terdapat kelemahan dari desain aplikasi ini, yaitu di recovery. attacker tinggal mencari tahu nama ibu dari akun rebelsec, yang di zaman sekarang ini mencari informasi seseoran itu cukup mudah, bisa pakai Osint, atau teknik lainnya.

  • Ikuti OWASP top 10
  • Menimplementasikan SDLC pada life cycle development, dan tetap lakukan pentesting / konsultasi security aplikasi untuk evaluasi.
  • Selalu update sistem/library.
  • Menerapkan keamanan bukan hanya di Aplication layer, tetapi di layer lain juga, seperti Network layer

Referensi

OWASP Cheat Sheet: Secure Design Principles>

OWASP SAMM: Design:Security Architecture

OWASP SAMM: Design:Threat Assessment </p

NIST – Guidelines on Minimum Standards for Developer Verification of Software

The Threat Modeling Manifesto

Awesome Threat Modeling

Beberapa kerentanan lain di list CWE

CWE-73 External Control of File Name or Path)

CWE-183 Permissive List of Allowed Inputs)

CWE-209 Generation of Error Message Containing Sensitive Information)

CWE-213 Exposure of Sensitive Information Due to Incompatible Policies)

CWE-235 Improper Handling of Extra Parameters)

CWE-256 Unprotected Storage of Credentials)

CWE-257 Storing Passwords in a Recoverable Format)

CWE-266 Incorrect Privilege Assignment)

CWE-269 Improper Privilege Management)

CWE-280 Improper Handling of Insufficient Permissions or Privileges)

CWE-311 Missing Encryption of Sensitive Data)

CWE-312 Cleartext Storage of Sensitive Information)

CWE-313 Cleartext Storage in a File or on Disk)

CWE-316 Cleartext Storage of Sensitive Information in Memory)

CWE-419 Unprotected Primary Channel)

CWE-430 Deployment of Wrong Handler)

CWE-434 Unrestricted Upload of File with Dangerous Type)

CWE-444 Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’))

CWE-451 User Interface (UI) Misrepresentation of Critical Information)

CWE-472 External Control of Assumed-Immutable Web Parameter)

CWE-501 Trust Boundary Violation)

CWE-522 Insufficiently Protected Credentials)

CWE-525 Use of Web Browser Cache Containing Sensitive Information)

CWE-539 Use of Persistent Cookies Containing Sensitive Information)

CWE-579 J2EE Bad Practices: Non-serializable Object Stored in Session)

CWE-598 Use of GET Request Method With Sensitive Query Strings)

CWE-602 Client-Side Enforcement of Server-Side Security)

CWE-642 External Control of Critical State Data)

CWE-646 Reliance on File Name or Extension of Externally-Supplied File)

CWE-650 Trusting HTTP Permission Methods on the Server Side)

CWE-653 Insufficient Compartmentalization)

CWE-656 Reliance on Security Through Obscurity)

CWE-657 Violation of Secure Design Principles)

CWE-799 Improper Control of Interaction Frequency)

CWE-807 Reliance on Untrusted Inputs in a Security Decision)

CWE-840 Business Logic Errors)

CWE-841 Improper Enforcement of Behavioral Workflow)

CWE-927 Use of Implicit Intent for Sensitive Communication)

CWE-1021 Improper Restriction of Rendered UI Layers or Frames)

CWE-1173 Improper Use of Validation Framework)

Related Posts
Posting Komentar
Diposting oleh:
Author
Author
“Yes I'm seeking for someone, to help me. So that some day I will be the someone to help some other one.”

Related Posts

Posting Komentar