Introduction
In this article we will discuss the fourth entry in the 2021 OWASP Top 10 (OWASP publishes the list once every four years), which is Insecure Design.
OWASP stands for Open Web Application Security Project, an open-source web application security project driven by technology enthusiasts and application developers. OWASP regularly holds seminars, discussion forums and training for developers.
So what is the OWASP Top 10? The OWASP Top 10 is a way of categorising the vulnerability risks that most often occur in web-based applications, ranked from the top (highest risk) to the bottom (lowest risk). What is it for? It is of course very useful for application developers, because it makes them more aware of the vulnerabilities in their own applications.
Insecure Design
What is Insecure Design?
Insecure Design is a vulnerability that lives in the concept or design of the application itself. Before writing any code, the developer must apply Secure Coding principles to the application being built.
Insecure Design is a class of vulnerability that is quite hard for developers to fix (because the problem is in the design, the foundation of the application), so fixing it takes a considerable amount of time.
Insecure Implementation, by contrast, is a vulnerability that stems from Secure Coding principles not being followed: the developer, whether deliberately or not, did not implement Secure Coding principles.
Practical
Below I include some reports from other people on Insecure Design vulnerabilities:
#1353244 [samokat.ru] PHP modules path disclosure due to lack of error handling
Source: https://hackerone.com/reports/1353244
- The attacker visited the URL quality.samokat.ru/info.php and received a File Not Found response.
- The attacker then repeated the request and sent it to Turbo Intruder in Burp Suite.
- Payload: /§fuzz§ HTTP/2
- The attacker obtained sensitive information.
Request:
GET /§Fuzz§ HTTP/2
Host: quality.samokat.ru
Upgrade-Insecure-Requests: 1
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Connection: close
Response:
HTTP/2 500 Internal Server Error
Date: Tue, 28 Sep 2021 07:49:15 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, private
Cf-Cache-Status: DYNAMIC
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Cf-Ray: 695b5fbd09a84a1d-SIN
# CALLED CODE DOCUMENT LINE
44 Doctrine\DBAL\Driver\PDOConnection->__construct(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php 64
43 Illuminate\Database\Connectors\Connector->createPdoConnection(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php 97
42 Illuminate\Database\Connectors\Connector->tryAgainIfCausedByLostConnection(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php 47
41 Illuminate\Database\Connectors\Connector->createConnection(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connectors/PostgresConnector.php 33
40 Illuminate\Database\Connectors\PostgresConnector->connect(…) ~/vendor/october/rain/src/Database/Connectors/ConnectionFactory.php 29
39 October\Rain\Database\Connectors\ConnectionFactory->October\Rain\Database\Connectors\{closure}()
38 call_user_func(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 915
37 Illuminate\Database\Connection->getPdo() ~/vendor/laravel/framework/src/Illuminate/Database/DatabaseManager.php 248
36 Illuminate\Database\DatabaseManager->refreshPdoConnections(…) ~/vendor/laravel/framework/src/Illuminate/Database/DatabaseManager.php 234
35 Illuminate\Database\DatabaseManager->reconnect(…) ~/vendor/laravel/framework/src/Illuminate/Database/DatabaseManager.php 168
34 Illuminate\Database\DatabaseManager->Illuminate\Database\{closure}(…)
33 call_user_func(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 753
32 Illuminate\Database\Connection->reconnect() ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 767
31 Illuminate\Database\Connection->reconnectIfMissingConnection() ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 616
30 Illuminate\Database\Connection->run(…) ~/vendor/laravel/framework/src/Illuminate/Database/Connection.php 333
29 Illuminate\Database\Connection->select(…) ~/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php 1719
28 Illuminate\Database\Query\Builder->runSelect() ~/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php 1704
27 Illuminate\Database\Query\Builder->get(…) ~/vendor/october/rain/src/Database/QueryBuilder.php 217
26 October\Rain\Database\QueryBuilder->October\Rain\Database\{closure}() ~/vendor/laravel/framework/src/Illuminate/Cache/Repository.php 323
25 Illuminate\Cache\Repository->remember(…) ~/vendor/laravel/framework/src/Illuminate/Cache/CacheManager.php 304
24 Illuminate\Cache\CacheManager->__call(…) ~/vendor/october/rain/src/Database/QueryBuilder.php 158
23 October\Rain\Database\QueryBuilder->getCached(…) ~/vendor/october/rain/src/Database/QueryBuilder.php 121
22 October\Rain\Database\QueryBuilder->getDuplicateCached(…) ~/vendor/october/rain/src/Database/QueryBuilder.php 92
21 October\Rain\Database\QueryBuilder->get(…) ~/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php 481
20 Illuminate\Database\Eloquent\Builder->getModels(…) ~/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php 465
19 Illuminate\Database\Eloquent\Builder->get(…) ~/vendor/laravel/framework/src/Illuminate/Database/Concerns/BuildsQueries.php 77
18 Illuminate\Database\Eloquent\Builder->first() ~/modules/system/behaviors/SettingsModel.php 114
17 System\Behaviors\SettingsModel->getSettingsRecord() ~/modules/system/behaviors/SettingsModel.php 76
16 System\Behaviors\SettingsModel->instance() ~/modules/system/behaviors/SettingsModel.php 135
15 System\Behaviors\SettingsModel->get(…)
14 call_user_func_array(…) ~/vendor/october/rain/src/Extension/ExtendableTrait.php 414
13 October\Rain\Database\Model->extendableCall(…) ~/vendor/october/rain/src/Database/Model.php 647
12 October\Rain\Database\Model->__call(…) ~/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php 1489
11 Illuminate\Database\Eloquent\Model::__callStatic(…) ~/modules/system/models/EventLog.php 37
10 System\Models\EventLog::useLogging() ~/modules/system/ServiceProvider.php 286
9 System\ServiceProvider->System\{closure}(…)
8 call_user_func_array(…) ~/vendor/october/rain/src/Events/Dispatcher.php 233
7 October\Rain\Events\Dispatcher->dispatch(…) ~/vendor/laravel/framework/src/Illuminate/Log/Writer.php 295
6 Illuminate\Log\Writer->fireLogEvent(…) ~/vendor/laravel/framework/src/Illuminate/Log/Writer.php 201
5 Illuminate\Log\Writer->writeLog(…) ~/vendor/laravel/framework/src/Illuminate/Log/Writer.php 114
4 Illuminate\Log\Writer->error(…) ~/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php 221
3 Illuminate\Support\Facades\Facade::__callStatic(…) ~/vendor/october/rain/src/Foundation/Exception/Handler.php 66
2 October\Rain\Foundation\Exception\Handler->report(…) ~/vendor/laravel/framework/src/Illuminate/Foundation/Bootstrap/HandleExceptions.php 81
1 Illuminate\Foundation\Bootstrap\HandleExceptions->handleException(…)
From the above, the attacker obtains sensitive information contained in the error message (absolute file paths, framework and library names, and the full call chain) because the developer did not use proper error handling.
So when the attacker supplies data that does not match what the application expects, the result is an information leak.
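As an added illustration (not code from the report or from the samokat.ru application), here are two PHP uncaught-exception handlers for the same failed database connection: the first leaks the trace the way the report shows, the second logs it server-side and gives the client only a generic message with an opaque reference id. The PDOException message is a constructed sample.

```php
<?php
// Added example: leaky versus hardened top-level exception handling in PHP.
declare(strict_types=1);

// Leaky handler: what the report shows. The stack trace, with absolute
// vendor paths and the failing call chain, goes straight to the client.
function leakyHandler(Throwable $e): void
{
    http_response_code(500);
    header('Content-Type: text/plain');
    echo $e->getMessage(), "\n", $e->getTraceAsString(), "\n";
}

// Hardened handler: the detail is written to the server log and the client
// receives only a generic message plus a reference id it can quote to
// support. Nothing about paths, frameworks or SQL leaves the host.
function safeHandler(Throwable $e): void
{
    $ref = bin2hex(random_bytes(8));   // correlation id, safe to disclose
    error_log(sprintf('[%s] %s: %s at %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    error_log(sprintf('[%s] %s', $ref, $e->getTraceAsString()));

    http_response_code(500);
    header('Content-Type: text/plain');
    echo "Internal Server Error (ref $ref)\n";
}

// Pick the handler by environment. An unknown or missing APP_ENV must fall
// through to the safe branch, never to the verbose one.
$env = getenv('APP_ENV') ?: 'production';
set_exception_handler($env === 'local' ? 'leakyHandler' : 'safeHandler');

// Also stop the PHP runtime itself from printing warnings to the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed failure: an unreachable database, as in the report's trace.
// A real PDO constructor would throw this; we throw it directly so the
// script runs offline.
throw new PDOException('SQLSTATE[08006] could not connect to server', 7);
```

In a Laravel or October CMS deployment like the one in the report, the equivalent switch is APP_DEBUG=false in .env; with debug enabled the framework renders a detailed stack trace page to whoever triggers the exception.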
Questions and Answers
According to NIST 800-63b, the OWASP ASVS and the OWASP Top 10, "questions and answers" (security questions) are not a valid means of verifying a user.
For example, suppose we have a Google account like the following:
- name: rebelsec
- username: rebelsec
- password: 123ib12!@#$SAD%&A%SDEWDFAS%^D&
- recovery: what is my mother's name?
Now, if an attacker wants to hijack or take over the rebelsec account, brute force is out of the question, because the password is already very strong.
But there is a weakness in the design of this application, namely the recovery step. The attacker only needs to find out the mother's name of the rebelsec account owner, and nowadays finding out information about a person is quite easy, using OSINT or other techniques.
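As an added example (not from the article or from Google), the following PHP shows how a recovery flow can avoid resting on a guessable secret: instead of "what is my mother's name?", the server issues a random single-use token over an out-of-band channel, stores only its hash, and enforces an expiry and an attempt limit. The in-memory array stands in for a database table, and the walkthrough uses the article's sample account.

```php
<?php
// Added example: recovery token design that replaces knowledge-based questions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 15 * 60;   // short lifetime limits the exposure window
const MAX_ATTEMPTS      = 5;         // defeats online guessing of the token

/** @var array<string, array{hash:string, expires:int, attempts:int}> */
$recoveryStore = [];

// Issue a token for $username. Only the returned plaintext is sent to the
// user's verified email or phone; the store keeps a hash, so a database
// leak does not hand out live recovery tokens.
function issueRecoveryToken(array &$store, string $username): string
{
    $token = bin2hex(random_bytes(32));             // 256 bits of entropy
    $store[$username] = [
        'hash'     => hash('sha256', $token),
        'expires'  => time() + TOKEN_TTL_SECONDS,
        'attempts' => 0,
    ];
    return $token;
}

// Redeem a token. Every failure path returns false without revealing which
// check failed, and a redeemed or exhausted token is deleted, so each token
// can be used exactly once.
function redeemRecoveryToken(array &$store, string $username, string $token): bool
{
    if (!isset($store[$username])) {
        return false;
    }
    $rec = &$store[$username];
    if (time() > $rec['expires'] || ++$rec['attempts'] > MAX_ATTEMPTS) {
        unset($store[$username]);
        return false;
    }
    // Constant-time comparison of the hashes: no timing side channel.
    $ok = hash_equals($rec['hash'], hash('sha256', $token));
    if ($ok) {
        unset($store[$username]);
    }
    return $ok;
}

// Constructed walkthrough with the article's sample account.
$t = issueRecoveryToken($recoveryStore, 'rebelsec');
var_dump(redeemRecoveryToken($recoveryStore, 'rebelsec', 'guess'));  // wrong token
var_dump(redeemRecoveryToken($recoveryStore, 'rebelsec', $t));       // correct token
var_dump(redeemRecoveryToken($recoveryStore, 'rebelsec', $t));       // reuse of the same token
```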
Mitigation
- Follow the OWASP Top 10.
- Implement a secure SDLC in the development life cycle, and keep doing pentesting / application security consultation for evaluation.
- Always keep systems and libraries up to date.
- Apply security not only at the application layer but at the other layers as well, such as the network layer.
References
OWASP Cheat Sheet: Secure Design Principles
OWASP SAMM: Design: Security Architecture
OWASP SAMM: Design: Threat Assessment
NIST – Guidelines on Minimum Standards for Developer Verification of Software
Other related weaknesses in the CWE list
CWE-73 External Control of File Name or Path
CWE-183 Permissive List of Allowed Inputs
CWE-209 Generation of Error Message Containing Sensitive Information
CWE-213 Exposure of Sensitive Information Due to Incompatible Policies
CWE-235 Improper Handling of Extra Parameters
CWE-256 Unprotected Storage of Credentials
CWE-257 Storing Passwords in a Recoverable Format
CWE-266 Incorrect Privilege Assignment
CWE-269 Improper Privilege Management
CWE-280 Improper Handling of Insufficient Permissions or Privileges
CWE-311 Missing Encryption of Sensitive Data
CWE-312 Cleartext Storage of Sensitive Information
CWE-313 Cleartext Storage in a File or on Disk
CWE-316 Cleartext Storage of Sensitive Information in Memory
CWE-419 Unprotected Primary Channel
CWE-430 Deployment of Wrong Handler
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CWE-451 User Interface (UI) Misrepresentation of Critical Information
CWE-472 External Control of Assumed-Immutable Web Parameter
CWE-501 Trust Boundary Violation
CWE-522 Insufficiently Protected Credentials
CWE-525 Use of Web Browser Cache Containing Sensitive Information
CWE-539 Use of Persistent Cookies Containing Sensitive Information
CWE-579 J2EE Bad Practices: Non-serializable Object Stored in Session
CWE-598 Use of GET Request Method With Sensitive Query Strings
CWE-602 Client-Side Enforcement of Server-Side Security
CWE-642 External Control of Critical State Data
CWE-646 Reliance on File Name or Extension of Externally-Supplied File
CWE-650 Trusting HTTP Permission Methods on the Server Side
CWE-653 Insufficient Compartmentalization
CWE-656 Reliance on Security Through Obscurity
CWE-657 Violation of Secure Design Principles
CWE-799 Improper Control of Interaction Frequency
CWE-807 Reliance on Untrusted Inputs in a Security Decision
CWE-840 Business Logic Errors
CWE-841 Improper Enforcement of Behavioral Workflow
CWE-927 Use of Implicit Intent for Sensitive Communication
CWE-1021 Improper Restriction of Rendered UI Layers or Frames