业务漏洞
Contextualizing Security Vulnerabilities
上下文化安全漏洞
As a former penetration tester turned product-focused security professional, one of the most important things I’ve realized is that translating security risk to business impact is crucial in making your work resonate. Often times, the buyer of whatever security offering you’re selling will not care about the granular details of vulnerabilities your tool or service is able to uncover. For security analysts on the front line, contextualizing the “so what?” with the buyer will help build trust and leave a lasting impression.
作为一名前渗透测试人员转为以产品为中心的安全专业人员,我意识到最重要的事情之一就是将安全风险转化为业务影响对于使您的工作产生共鸣至关重要。 通常,您所出售的任何安全产品的购买者都不会关心您的工具或服务能够发现的漏洞的详细细节。 对于在一线的安全分析师来说,将“那又如何?”进行上下文化与买方合作将有助于建立信任并留下持久的印象。
Stepping into the world of web application security, let’s take a look at some of my favorite vulnerabilities to test for and how each can be succinctly translated to an executive. For these examples, I’ll assume we’re working with a banking client.
进入Web应用程序安全性世界,让我们看一下我最喜欢的一些漏洞以进行测试,以及如何将每个漏洞简洁地翻译给执行人员。 对于这些示例,我假设我们正在与银行客户合作。
SQL Injection
SQL注入
The Technical Story
技术故事
“I came across functionality within your website that looked to be housed on top of a back end-data store. I crafted SQL injection payloads that returned metadata pertaining to the backend database in the HTTP response body. I then used the technology disclosure to enhance my payloads and enumerate database columns, ultimately extracting and viewing data pertaining to client accounts that I am not provisioned to see.”
“我遇到了您网站中的功能,这些功能似乎位于后端数据存储的顶部。 我精心制作了SQL注入有效负载,这些负载在HTTP响应主体中返回了与后端数据库有关的元数据。 然后,我使用该技术公开来增强我的有效负载并枚举数据库列,最终提取和查看与我没有看到的客户账户有关的数据。”
The Business Impact
业务影响
“Your website is vulnerable to SQL injection, which means I can manipulate the database that stores banking accounts you manage. If news were to break that attackers can extract sensitive client information with a few clicks, you’ll ruin the trust you’ve built, and they’ll look to take their business elsewhere. Less clients means less revenue, which means less profit.”
“您的网站容易受到SQL注入的攻击,这意味着我可以操纵存储您管理的银行帐户的数据库。 如果有消息传出,攻击者只需单击几下即可提取敏感的客户端信息,那么您将破坏已建立的信任,他们将把自己的业务转移到其他地方。 更少的客户意味着更少的收入,这意味着更少的利润。”
Cross-Site Scripting (XSS)
跨站脚本(XSS)
The Technical Story
技术故事
“I came across functionality within your website that appears to render unsanitized payloads in the HTTP response body. The page is rendered in HTML, so I injected an XSS payload by closing an open script tag, opening a new one, and including JavaScript that steals the user’s session token (</script><script>alert(document.cookie)</script>). This proves that an attacker can embed malicious JavaScript into the application by taking advantage of missing input sanitization and/or output encoding.”
“我在您的网站上遇到了一些功能,这些功能似乎可以在HTTP响应正文中呈现未经消毒的有效负载。 该页面以HTML呈现,因此我关闭了一个打开的脚本标签,打开了一个新标签,并包含了窃取用户会话令牌JavaScript(</ script> <script> alert(document.cookie)</脚本>)。 这证明攻击者可以利用缺少的输入清理和/或输出编码功能,将恶意JavaScript嵌入到应用程序中。”
The Business Impact
业务影响
“Your website is vulnerable to Cross-Site Scripting, which means I can make your users do things they weren’t intending to. With one click, attackers can redirect them to a site of their choice, steal their username/password, or deface your website entirely. If a successful attack is carried out, you’ll likely be in the news, and your users will lose trust in you quickly. Aside from reputational impact of prospective clients, your current clients will think twice before using your website again, which could lead to lost business.”
“您的网站容易受到跨站点脚本的攻击,这意味着我可以让您的用户执行他们不想要的事情。 只需单击一下,攻击者即可将其重定向到他们选择的站点,窃取其用户名/密码或完全破坏您的网站。 如果进行了成功的攻击,您很可能会成为新闻,您的用户将很快失去对您的信任。 除了潜在客户的声誉影响外,您目前的客户在再次使用您的网站之前会三思而后行,这可能会导致业务损失。”
Clickjacking
点击劫持
The Technical Story
技术故事
“Your website does not set the X-Frame-Options header in its HTTP response. I was able to render your website into an HTML frame or Iframe tag and steal the clicks of users. Even worse, I was able to do so on the login page and implement a keystroke logger, allowing me to capture the victim’s keystrokes when he/she entered their username and password.”
“您的网站未在其HTTP响应中设置X-Frame-Options标头。 我能够将您的网站呈现为HTML框架或iframe标签,并窃取用户的点击。 更糟糕的是,我能够在登录页面上执行此操作并实现了击键记录器,从而使我能够在受害者输入用户名和密码时捕获受害者的击键。”
The Business Impact
业务影响
“Your website is vulnerable to clickjacking, which means users’ clicks and keystrokes can be easily captured by an attacker. If an attacker set up a spoofing site, he/she could make it look exactly like yours on the surface and steal the clicks and keystrokes of your clients. If your client entered his/her username and password on a spoofed login page, the attacker would gain possession and could theoretically log in to your real website as your client. Your client would be upset if this happened, and you’ll likely lose their business.”
“您的网站容易遭受点击劫持,这意味着攻击者可以轻松捕获用户的点击和击键。 如果攻击者设置了欺骗站点,则他/她可以使其表面上看起来完全像您的欺骗站点,并窃取客户的点击和击键。 如果您的客户在欺骗性的登录页面上输入了他/她的用户名和密码,则攻击者将获得财产,并且理论上可以作为客户登录到您的真实网站。 如果发生这种情况,您的客户会不高兴,您可能会失去生意。”
Cross-Site Request Forgery (CSRF)
跨站请求伪造(CSRF)
The Technical Story
技术故事
“I utilized CSRF to manipulate payment transfer functionality, re-routing a transfer from the user’s bank account to mine. I intercepted the original HTTP request that transfers money and generated a CSRF PoC. I then manipulated the bank account parameter’s value to equal my account instead of the user’s. While the user is logged in, I crafted a targeted phishing attack and subsequently tricked the user to clicking a URL that executes the request upon clicking. This was accomplished by taking advantage of the browser’s trust in the user’s session.”
“我利用CSRF来操纵付款转账功能,将用户的银行帐户转账到我的账户。 我拦截了原始的HTTP请求,该请求转账并生成了CSRF PoC。 然后,我操纵银行帐户参数的值使其等于我的帐户,而不是用户的帐户。 在用户登录时,我进行了有针对性的网络钓鱼攻击,随后诱骗用户单击一个URL,该URL在单击后便会执行请求。 这是通过利用浏览器对用户会话的信任来实现的。”
The Business Impact
业务影响
“Your website is vulnerable to CSRF, which means attackers can steal money from your clients if they get tricked into clicking a link. On top of the adverse reputational damage, it’s likely quite resource intensive to clean up and restore stolen funds to your clients. Your clients will likely lose trust in you, which could lead to lost business, and you’d have to allocate overhead to handle the downstream effects of money being stolen.”
“您的网站容易受到CSRF的攻击,这意味着攻击者如果被诱骗点击链接,就可以从您的客户那里窃取资金。 除了对声誉造成的不利损害外,清理和恢复客户的赃款可能还需要大量资源。 您的客户可能会失去对您的信任,这可能会导致业务损失,您将不得不分配开销来处理被盗钱的下游影响。”
Conclusion
结论
At the end of the day, both the technical story and business impact behind vulnerabilities are important to keep a pulse on. As a security professional, you’ll likely end up explaining the technical side more in your day-to-day, but having the business side down is just as important to prove value to the executive-level buyer. When all else fails, remember to put yourself in their shoes, consider the downstream effects, and think “so what?”.
归根结底,漏洞背后的技术故事和业务影响都至关重要。 作为安全专家,您可能最终会在日常工作中对技术方面进行更多的说明,但是使业务方面面朝下对于向执行层级买方证明价值同样重要。 当所有其他方法都失败时,请记住将自己放进自己的鞋子,考虑下游影响,然后思考“那又怎样?”。
业务漏洞
7128
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
