
<p><strong>Tutorial for performing your own Web audit</strong></p>
<p>Leandro Ferrari, 28 March 2007. Published at <a href="https://www.talsoft-security.com/site/tutorial-para-realizar-tu-propia-auditoria-web/">https://www.talsoft-security.com/site/tutorial-para-realizar-tu-propia-auditoria-web/</a> (originally at http://talsoft.com.ar/weblog/?p=116). Categories: Articles, Professional.</p>
<p>There is no mystery to Web audits. It is enough to know the methods, then apply them rigorously, and let the combination of persistence and experience ensure we leave no loose ends untied. After all, it is always the same work, since the usual checkpoints are in many cases independent of the platform. So, for example, it makes no difference to us whether a Cross-Site Scripting flaw sits in a Web application running on Apache+Linux or in one running on IIS+Windows 2003. They are equivalent flaws.</p>
<p>To confirm that the method holds no mystery, here is a link to <a href="http://www.sans.edu/resources/securitylab/audit_web_apps.php">this Web audit tutorial from the SANS Institute</a>, which shows clearly how simple the method is.</p>
<p>The tutorial consists of the following parts:</p>
<ol>
<li>Introduction</li>
<li>Required tools</li>
<li>Preparation</li>
<li>The audit process</li>
<li>Conclusions</li>
<li>References</li>
</ol>
<p>Section 4 illustrates the usual analysis points, which are:</p>
<ol>
<li>Analysis of robots.txt</li>
<li>Cross-Site Scripting</li>
<li>SQL injection</li>
<li>Cookies and hidden fields</li>
<li>Sessions</li>
<li>Google Hacking</li>
<li>Spidering</li>
</ol>
<p><strong>Finding and fixing vulnerabilities is useless (if it is the only thing we do)</strong></p>
<p>Of particular interest to me is the end of the SANS article, which we reproduce below:</p>
<blockquote><p>We did not say much about how to defend against each of these tests. <strong>However, the overall approach should not be to fix vulnerabilities one at a time as they are found, but to develop strategies and procedures that will prevent these vulnerabilities in the first place</strong>. It is imperative for a Web application to create a library of authentication, access control, session handling, and validation functions that are used consistently throughout the application.</p></blockquote>
<p>It is crucial that the analyses we perform be exactly that: useful things. Patching vulnerabilities is a deficient solution, and one that brings little or no value to the owner of the systems. The only thing that adds value is to develop, as SANS says, strategies to prevent the vulnerabilities.</p>
<p>Also very apt is the remark that the best possible audit of a Web application is one in which the source code is analysed.</p>
<p>Source: <a href="http://www.sahw.com/wp/">http://www.sahw.com/wp/</a></p>