8/10/2019 0x01 Owasp Peru Oscar Martinez
1/60
WHOAMI?
Oscar Martínez Ruiz de Castilla
Chalaco. Electronic Engineer
Master's degree in Computer Science
CISM, C)ISSO, OSCP, C|EH, C|HFI, C)PTE, C)PTC, C)SWAE, C)DFE, OSEH', Sophos Certified Engineer
Information security specialist
More than 10 years of experience in IT
Network / Web application penetration tester
oscarmrdc@gmail.com
fiery-owl.blogspot.com
@oscar_mrdc
You, developer/analyst -> do you also defend?
1. Paraphrasing Bielsa
2. .
How many work on attacking?
How many work on defending?
How many are analysts / programmers?
How many in
Am I secure because I comply with PCI / NTP 27001?
"PCI compliance is a business issue, not a technology issue. There is no single technology solution that will make your organization PCI compliant. Because it is a business issue that affects the entire organization, PCI compliance calls for a multidisciplinary team including at least Finance, IT and likely Internal Audit."
6.5.1 Injection flaws, particularly S
6.5.4 Insecure communications
6.5.5 Improper error handling
6.5.7 Cross-site scripting (XSS)
6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
6.5.9 Cross-site request forgery (CSRF)
6.5.10 Broken authentication and session management
Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
The reality in Peru?
Many with S
Defense mechanisms
Manage user access (to functionality and data)
Manage the data entered by the user
Manage attacks (defensive and offensive measures)
Manage user access (to functionality and data)
Authentication (web forms, certificates, tokens, etc.). Login, but also: account recovery, password change, self-registration, etc.
Session management
HTTP is not connection-oriented. Session tokens, hidden form fields, etc. Timeout.
Access control
Decide whether the user is authorized to use a resource
The mechanism is only as strong as the weakest of its components
Manage the data entered by the user
Variety of data: names, ages, dates, etc. Type / length
Regular expressions
Blacklists
Whitelists
Manage attacks (defensive and offensive measures). Errors will happen anyway -> anticipate them:
Handle errors: try-catch, generic error messages
Keep audit logs
To understand what happened (security requirements / design)
Alerts to administrators. To take immediate action instead of waiting to review the logs
React to attacks. Terminate the session, block the user, etc.
Security requirements in Web Applications (OWASP ASVS)
Application Security Verification Standard
ASVS can be used to establish a level of confidence in the security of web applications
Benefits of implementing application security?
Reduces development, incident recovery and patching costs.
Reduces the cost of third-party security testing.
Validate length, type, etc.:

import java.util.regex.Pattern;
import java.util.regex.Matcher;

String code = request.getParameter("code");
String codevalid = "";
// The whitelist pattern is unreadable in this copy of the slide; the string below is a placeholder, not the original.
Pattern pat = Pattern.compile("<WHITELIST_REGEX_PLACEHOLDER>");
// guard against a missing parameter: matcher(null) would throw a NullPointerException
Matcher mat = pat.matcher(code == null ? "" : code);
if (mat.matches()) {
    codevalid = code;      // input matches the whitelist: accept it
} else {
    codevalid = "";        // anything else is discarded
    // response.sendRedirect("office.jsp");
}
Encode output data:
XSS. Before: <script>alert(1)</script>
After: &lt;script&gt;alert&#x28;1&#x29;&lt;&#x2f;script&gt;
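Output encoding as the slide shows it, as an added example that is not part of the talk and not ESAPI's code: a small standalone Java encoder that turns the "before" string into the "after" string above. Every character that is not an ASCII letter or digit becomes an entity, so user data can never be parsed as markup. The class name HtmlOutputEncoder and the sample input are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the talk or from OWASP ESAPI): a minimal HTML
 * entity encoder. Markup characters get their named entity; everything
 * else that is not an ASCII letter or digit gets a hexadecimal numeric
 * reference (&#xNN;), which is why "(" shows up as &#x28; on the slide.
 */
public class HtmlOutputEncoder {

    private static final Map<Character, String> NAMED = new HashMap<>();
    static {
        NAMED.put('&', "&amp;");
        NAMED.put('<', "&lt;");
        NAMED.put('>', "&gt;");
        NAMED.put('"', "&quot;");
    }

    /** Encode a string for placement inside HTML element content. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() * 2);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);                 // ASCII letters and digits are safe as-is
            } else if (NAMED.containsKey(c)) {
                out.append(NAMED.get(c));      // the usual markup characters get named entities
            } else {
                // everything else (including space, parentheses and slash) becomes &#xNN;
                out.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String untrusted = "<script>alert(1)</script>";   // constructed sample input
        System.out.println("before: " + untrusted);
        System.out.println("after:  " + encodeForHtml(untrusted));
    }
}
```

The encoder is deliberately over-conservative: encoding every non-alphanumeric character costs nothing and removes the need to reason about which characters are dangerous in which HTML context.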
(Slide: cloud of existing Java security libraries and components)
Java Logging, BouncyCastle, Spring, Log4j, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-sig, xmlenc, many more, ACEGI, Commons Validator, Struts, Reform, Anti-XSS, Stinger, Standard Control, Java Pattern, Java URLEncoder, Write Custom Code
Intuitive, integrated or friendly (for the developer)?
According to good practices in secure application development, the use of API libraries such as ESAPI (Enterprise Security API - OWASP) is recommended; it implements a library of controls that makes it easier for programmers to write lower-risk web applications.
The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing web applications.
Currently the Java EE version is at version 2.1.0, from September 2013.
References: https://www.owasp.org/index.php/Esapi#tab=Java_EE
https://code.google.com/p/owasp-esapi-java/
Implementation of Controls
(Figure: ESAPI Validator and Validation Engine across the application layers: User -> Presentation Layer -> Controller -> Business Functions -> Data Layer -> Backend)
Validate: getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine()
getValidInput
java.lang.String getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull) throws ValidationException, IntrusionException
Returns canonicalized and validated input as a String. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.
Parameters:
context - A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.
input - The actual user input data to validate.
type - The regular expression name that maps to the actual regular expression from ESAPI.properties.
maxLength - The maximum post-canonicalized String length allowed.
allowNull - If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.
Returns: The canonicalized user input.
Validator:
To validate the input data entered by the user:
String validatedFirstName = ESAPI.validator().getValidInput("FirstName"
The regular expression names are defined in the validation.properties file
(Figure: ESAPI Encoder with its Encoding Engine, Decoding Engine and Validation Engine across the application layers: User -> Presentation Layer -> Controller -> Business Functions -> Data Layer -> Backend)
Encode (backend side): encodeForSQL(), encodeForLDAP(), encodeForXML(), encodeForXPath(), encodeForOS()
Encode (presentation side): encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForCSS(), encodeForURL()
Codecs: HTML Entity Codec, Percent Codec, JavaScript Codec, VBScript Codec, CSS Codec
encodeForHTML
java.lang.String encodeForHTML(java.lang.String input)
Encode data for use in HTML using HTML entity encoding. Note that the following characters: 00-08, 0B-0C, 0E-1F, and 7F-9F cannot be used in HTML.
Parameters: input - the text to encode for HTML
Returns: input encoded for HTML
Encoder:
To encode output data:
String safeOutput = ESAPI.encoder().encodeForHTML( cleanComment );
(Figure: ESAPI Logging, Intrusion Detection and Authentication across the application layers: User -> Presentation Layer -> Controller -> Business Functions -> Data Layer -> Backend)
Intrusion Detection: tailorable quotas -> QuotaExceeded -> Log IntrusionEvent -> Logout User / Lock Account
Authentication: Users
EnterpriseSecurityException is the base class for all security related exceptions.
All EnterpriseSecurityExceptions have two messages, one for the user and one for the log file.
Method Summary
getLogMessage() Returns a message that is safe to display in logs but probably not to users
getUserMessage() Returns message meant for display to users. Note that if you are unsure of what set this message, it would probably be a good idea to encode this message before displaying it to the end user.
Also encode the data sent to the logs?
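The validator call from the earlier slide, the encoder call, and the two exception messages just described, combined into one added example that is neither the speaker's code nor part of ESAPI. It assumes ESAPI 2.x on the classpath with ESAPI.properties configured and a Validator.FirstName pattern defined in validation.properties; the class name, the context string "ProfilePage_FirstName" and the length limit of 30 are assumptions for the illustration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example, not code from the talk: validate on the way in, encode on
 * the way out, and keep the user-facing and log-facing exception messages
 * apart. Assumes an ESAPI 2.x configuration with a "FirstName" regex name
 * in validation.properties (assumption, not verified against any project).
 */
public class CommentHandler {

    /**
     * Validates a user-supplied first name and returns an HTML-safe version,
     * or null when the input was rejected.
     */
    public static String safeFirstName(String rawFirstName) {
        try {
            // "ProfilePage_FirstName" is the context that ESAPI puts into its own
            // log and error messages; "FirstName" must match Validator.FirstName
            // in validation.properties; 30 is the post-canonicalization length cap;
            // false means an empty or null value is a validation failure.
            String validated = ESAPI.validator().getValidInput(
                    "ProfilePage_FirstName", rawFirstName, "FirstName", 30, false);
            // Encode on output so the value can never become markup in the page.
            return ESAPI.encoder().encodeForHTML(validated);
        } catch (IntrusionException e) {
            // Input that is clearly an attack: record the detailed log message
            // (encoded, since it may echo the attacker's bytes) and never show it.
            // A real application would use its logger instead of System.err.
            System.err.println("ALERT " + ESAPI.encoder().encodeForHTML(e.getLogMessage()));
            return null;
        } catch (ValidationException e) {
            // Merely invalid input: the log message goes to the log, the user
            // message to the user, both encoded because we did not write them.
            System.err.println("LOG " + ESAPI.encoder().encodeForHTML(e.getLogMessage()));
            System.out.println("USER " + ESAPI.encoder().encodeForHTML(e.getUserMessage()));
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, one that the validator should reject.
        System.out.println(safeFirstName("Oscar"));
        System.out.println(safeFirstName("<script>alert(1)</script>"));
    }
}
```

Keeping getUserMessage() and getLogMessage() on separate channels is the point of the two-message design: the log line may legitimately contain the offending input for the analyst, while the user only ever sees a generic, encoded message.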
(Figure: ESAPI Encryptor across the application layers: User -> Presentation Layer -> Controller -> Business Functions -> Data Layer -> Backend)
Crypto: encrypt() / decrypt(), hash(), seal() / unseal(), sign(), verifySeal(), verifySignature()
Encryptor
encrypt
CipherText encrypt(PlainText plaintext) throws EncryptionException
Encrypts the provided plaintext bytes using the cipher transformation specified by the property Encryptor.CipherTransformation and the master encryption key as specified by the property Encryptor.MasterKey as defined in the ESAPI.properties file. This method is preferred over encrypt(String) because it also allows encrypting of general byte streams rather than simply strings, and also because it returns a CipherText object and thus supports cipher modes that require an Initialization Vector (IV), such as Cipher Block Chaining (CBC).
Parameters: plaintext - The PlainText to be encrypted.
Returns: the CipherText object from which the raw ciphertext, the IV, the cipher transformation, and many other aspects about the encryption detail may be extracted.
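A round trip through the Encryptor API described above, as an added example that is not from the talk and not ESAPI's own code. It assumes ESAPI 2.x with Encryptor.MasterKey and a CBC Encryptor.CipherTransformation set in ESAPI.properties; the class name TokenVault and the sample value are assumptions.

```java
import java.util.Arrays;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;

/**
 * Added example, not from the talk: encrypt with encrypt(PlainText) and
 * reverse it with decrypt(CipherText), relying on the CipherText object to
 * carry the IV and transformation. Assumes ESAPI.properties defines
 * Encryptor.MasterKey and a CBC Encryptor.CipherTransformation (assumption).
 */
public class TokenVault {

    /** Encrypts with the configured transformation and master key; the IV travels inside the CipherText. */
    public static CipherText protect(String secret) throws EncryptionException {
        return ESAPI.encryptor().encrypt(new PlainText(secret));
    }

    /** Reverses protect(); decrypt(CipherText) reads the IV and transformation from the object. */
    public static String reveal(CipherText ct) throws EncryptionException {
        return ESAPI.encryptor().decrypt(ct).toString();
    }

    public static void main(String[] args) throws EncryptionException {
        String secret = "tok_4111-demo";          // constructed sample value
        CipherText first = protect(secret);
        CipherText second = protect(secret);

        // With a CBC transformation each call draws a fresh IV, so the same plaintext
        // encrypted twice must not produce the same raw ciphertext.
        boolean differ = !Arrays.equals(first.getRawCipherText(), second.getRawCipherText());

        System.out.println("transformation: " + first.getCipherTransformation());
        System.out.println("ciphertexts differ: " + differ);
        System.out.println("round trip ok: " + secret.equals(reveal(first)));
    }
}
```

Because the IV is part of the CipherText object rather than something the caller manages, the usual mistake of reusing a fixed IV with CBC is taken out of the application's hands, which is the reason the documentation prefers this method over encrypt(String).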