kys9

2026-06-02 22:16:25 +01:00
parent ad84c1ba29
commit 05cbbfbe18
9 changed files with 3750 additions and 42 deletions
--- a/relatorio/relatorio.aux
+++ b/relatorio/relatorio.aux
@@ -42,11 +42,11 @@
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Information Gathering}{12}{subsection.4.1}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{12}{subsection.4.2}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{12}{subsection.4.3}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.4}Authentication Testing}{12}{subsection.4.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.4}Authentication Testing}{13}{subsection.4.4}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.5}Authorization Testing}{13}{subsection.4.5}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.6}Session Management Testing}{13}{subsection.4.6}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{13}{subsection.4.7}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{13}{subsection.4.8}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.9}Client Side Testing}{13}{subsection.4.9}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{14}{subsection.4.8}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.9}Client Side Testing}{14}{subsection.4.9}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {5}Conclusions}{14}{section.5}\protected@file@percent }
 \gdef \@abspage@last{14}
--- a/relatorio/relatorio.listing
+++ b/relatorio/relatorio.listing
@@ -1,3 +1,12 @@
+SecRuleEngine On
+SecRequestBodyAccess On
+SecResponseBodyAccess Off
+SecDebugLog /var/log/modsecurity/debug.log
+SecDebugLogLevel 0
+SecAuditLogParts ABIJ
+SecAuditLogType Serial
+SecAuditLog /var/log/modsecurity/audit.log
+
 # sql injection
 SecRule ARGS "['\";]|--" \
    "id:950001,phase:2,deny,status:403,msg:'SQL Injection Attack Detected',log"
@@ -7,9 +16,21 @@ SecRule ARGS "<.*>" \
    "id:950003,phase:2,deny,status:403,msg:'XSS/HTML Injection Detected',log"

 # command injection
-SecRule ARGS "exec|cat|more|ls|dir|/etc/passwd" \
+SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
    "id:950006,phase:2,deny,status:403,msg:'Command Injection Detected',log"

 # path traversal
-SecRule ARGS "(\./|\.\./)|ftp|metrics|api-docs" \
+SecRule ARGS "\%00|\%2500|(\./|\.\./)|ftp|metrics|api-docs" \
    "id:950007,phase:2,deny,status:403,msg:'Path Traversal Attempt',log"
+
+# exposed stuff
+SecRule REQUEST_URI "\%00|\%2500|ftp|metrics|api-docs" \
+    "id:950008,phase:2,deny,status:500,msg:'Attempt to access ftp, metrics, api-docs',log"
+
+# rate limiting on login endpoint (max 5 requests per 30s per IP)
+SecAction \
+    "id:950009,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
+SecRule REQUEST_URI "@streq /rest/user/login" \
+    "id:950010,phase:2,pass,nolog,setvar:ip.login_count=+1,expirevar:ip.login_count=30"
+SecRule IP:LOGIN_COUNT "@gt 5" \
+    "id:950011,phase:2,deny,status:429,msg:'Rate Limit Exceeded on Login',log"
--- a/relatorio/relatorio.log
+++ b/relatorio/relatorio.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.5.3)  31 MAY 2026 21:14
+This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.5.3)  31 MAY 2026 22:42
 entering extended mode
 restricted \write18 enabled.
 %&-line parsing enabled.
@@ -1160,27 +1160,27 @@ LaTeX Font Info:    Font shape `T1/Raleway-OsF/b/n' will be
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/m/it' will be
 (Font)              scaled to size 10.95pt on input line 28.
 LaTeX Font Info:    Trying to load font information for TS1+Raleway-OsF on inpu
-t line 48.
+t line 54.

 (/usr/share/texmf-dist/tex/latex/raleway/TS1Raleway-OsF.fd
 File: TS1Raleway-OsF.fd 2025/04/09 (autoinst) Font definitions for TS1/Raleway-
 OsF.
 )
 LaTeX Font Info:    Font shape `TS1/Raleway-OsF/m/n' will be
-(Font)              scaled to size 10.95pt on input line 48.
+(Font)              scaled to size 10.95pt on input line 54.
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/bold/n' aliased to
-(Font)              `T1/Raleway-OsF/b/n' on input line 54.
+(Font)              `T1/Raleway-OsF/b/n' on input line 62.
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/b/n' will be
-(Font)              scaled to size 12.0pt on input line 54.
+(Font)              scaled to size 12.0pt on input line 62.
 [3{/usr/share/texmf-dist/fonts/enc/dvips/raleway/a_2drkug.enc}{/usr/share/texm
 f-dist/fonts/enc/dvips/cm-super/cm-super-t1.enc}]
 \g__tcobox_out_iow=\write6
 \openout6 = `relatorio.listing'.

 LaTeX Font Info:    Font shape `T1/cmtt/bx/n' in size <10.95> not available
-(Font)              Font shape `T1/cmtt/m/n' tried instead on input line 89.
+(Font)              Font shape `T1/cmtt/m/n' tried instead on input line 101.
 LaTeX Font Info:    Font shape `T1/cmtt/bx/n' in size <9> not available
-(Font)              Font shape `T1/cmtt/m/n' tried instead on input line 89.
+(Font)              Font shape `T1/cmtt/m/n' tried instead on input line 101.
 (./relatorio.listing
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/m/n' will be
 (Font)              scaled to size 9.0pt on input line 1.
@@ -1188,12 +1188,12 @@ LaTeX Font Info:    Font shape `T1/Raleway-OsF/m/n' will be
 <./imgs/ftp.png, id=201, 1587.9325pt x 401.5pt>
 File: ./imgs/ftp.png Graphic file (type png)
 <use ./imgs/ftp.png>
-Package pdftex.def Info: ./imgs/ftp.png  used on input line 103.
+Package pdftex.def Info: ./imgs/ftp.png  used on input line 119.
 (pdftex.def)             Requested size: 452.9679pt x 114.5267pt.
 <./imgs/metrics.png, id=202, 1927.2pt x 1010.77625pt>
 File: ./imgs/metrics.png Graphic file (type png)
 <use ./imgs/metrics.png>
-Package pdftex.def Info: ./imgs/metrics.png  used on input line 109.
+Package pdftex.def Info: ./imgs/metrics.png  used on input line 125.
 (pdftex.def)             Requested size: 452.9679pt x 237.5633pt.


@@ -1202,7 +1202,7 @@ LaTeX Warning: `!h' float specifier changed to `!ht'.
 <./imgs/swagger.png, id=203, 1923.185pt x 995.72pt>
 File: ./imgs/swagger.png Graphic file (type png)
 <use ./imgs/swagger.png>
-Package pdftex.def Info: ./imgs/swagger.png  used on input line 115.
+Package pdftex.def Info: ./imgs/swagger.png  used on input line 131.
 (pdftex.def)             Requested size: 452.9679pt x 234.5108pt.

 LaTeX Warning: `!h' float specifier changed to `!ht'.
@@ -1215,7 +1215,7 @@ ger.png (PNG copy)>]
 <./imgs/email-unique.png, id=220, 475.7775pt x 361.35pt>
 File: ./imgs/email-unique.png Graphic file (type png)
 <use ./imgs/email-unique.png>
-Package pdftex.def Info: ./imgs/email-unique.png  used on input line 172.
+Package pdftex.def Info: ./imgs/email-unique.png  used on input line 214.
 (pdftex.def)             Requested size: 317.07614pt x 240.82956pt.


@@ -1225,7 +1225,7 @@ LaTeX Warning: `!h' float specifier changed to `!ht'.
 <./imgs/email-invalido.png, id=243, 504.88625pt x 541.02126pt>
 File: ./imgs/email-invalido.png Graphic file (type png)
 <use ./imgs/email-invalido.png>
-Package pdftex.def Info: ./imgs/email-invalido.png  used on input line 188.
+Package pdftex.def Info: ./imgs/email-invalido.png  used on input line 235.
 (pdftex.def)             Requested size: 317.07614pt x 339.772pt.


@@ -1235,12 +1235,12 @@ LaTeX Warning: `!h' float specifier changed to `!ht'.
 <./imgs/suspiciouserrors.png, id=251, 1150.2975pt x 568.1225pt>
 File: ./imgs/suspiciouserrors.png Graphic file (type png)
 <use ./imgs/suspiciouserrors.png>
-Package pdftex.def Info: ./imgs/suspiciouserrors.png  used on input line 207.
+Package pdftex.def Info: ./imgs/suspiciouserrors.png  used on input line 266.
 (pdftex.def)             Requested size: 317.07614pt x 156.60258pt.
 <./imgs/suspiciouserrors2.png, id=252, 900.36375pt x 471.7625pt>
 File: ./imgs/suspiciouserrors2.png Graphic file (type png)
 <use ./imgs/suspiciouserrors2.png>
-Package pdftex.def Info: ./imgs/suspiciouserrors2.png  used on input line 213.
+Package pdftex.def Info: ./imgs/suspiciouserrors2.png  used on input line 272.
 (pdftex.def)             Requested size: 317.07614pt x 166.13432pt.


@@ -1248,7 +1248,7 @@ LaTeX Warning: `!h' float specifier changed to `!ht'.

 [8 <./imgs/email-invalido.png (PNG copy)> <./imgs/suspiciouserrors.png (PNG cop
 y)>]
-Overfull \hbox (6.24345pt too wide) in paragraph at lines 230--231
+Overfull \hbox (6.24345pt too wide) in paragraph at lines 297--298
 []\T1/Raleway-OsF/b/n/10.95 Tentativa com Script Di-reto: \T1/Raleway-OsF/m/n/1
 0.95 In-se-ri-mos o pay-load tra-di-ci-o-nal \T1/cmtt/m/n/10.95 <script>alert("
 someones
@@ -1264,7 +1264,7 @@ someones
 <./imgs/stack-trace.png, id=270, 643.90562pt x 378.91562pt>
 File: ./imgs/stack-trace.png Graphic file (type png)
 <use ./imgs/stack-trace.png>
-Package pdftex.def Info: ./imgs/stack-trace.png  used on input line 282.
+Package pdftex.def Info: ./imgs/stack-trace.png  used on input line 361.
 (pdftex.def)             Requested size: 317.07614pt x 186.59535pt.


@@ -1277,20 +1277,27 @@ LaTeX Warning: `!h' float specifier changed to `!ht'.
 \openout6 = `relatorio.listing'.

 (./relatorio.listing) [11 <./imgs/stack-trace.png>]
-Overfull \hbox (2.16914pt too wide) in paragraph at lines 339--340
+Overfull \hbox (2.16914pt too wide) in paragraph at lines 444--447
 \T1/Raleway-OsF/m/n/10.95 com tags HTML nos cam-pos de \T1/Raleway-OsF/m/it/10.
 95 in-put\T1/Raleway-OsF/m/n/10.95 , como \T1/cmtt/m/n/10.95 <h1>STRONG\T1/Rale
 way-OsF/m/n/10.95 , de-vol-vendo um erro \T1/cmtt/m/n/10.95 403 Forbidden
 []

-[12]
-Overfull \hbox (111.73438pt too wide) in paragraph at lines 363--364
+
+Overfull \hbox (51.12938pt too wide) in paragraph at lines 448--454
+\T1/Raleway-OsF/m/n/10.95 corpo JSON do re-gisto) \T1/Raleway-OsF/b/n/10.95 é m
+i-ti-gada pela re-gra id:950006\T1/Raleway-OsF/m/n/10.95 , que de-teta a se-quê
+n-cia \T1/cmtt/m/n/10.95 "role".*:.*"admin"
+ []
+
+[12] [13]
+Overfull \hbox (111.73438pt too wide) in paragraph at lines 507--511
 \T1/Raleway-OsF/m/n/10.95 O pay-load de ex-fil-tra-ção do to-ken JWT via XSS (\
 T1/cmtt/m/n/10.95 <img src="x"onerror="alert(localStorage.getItem('token'))^^T\
 T1/Raleway-OsF/m/n/10.95 )
 []

-[13] [14] (./relatorio.aux)
+[14] (./relatorio.aux)
 ***********
 LaTeX2e <2025-11-01>
 L3 programming layer <2026-01-19>
@@ -1299,10 +1306,10 @@ Package rerunfilecheck Info: File `relatorio.out' has not changed.
 (rerunfilecheck)             Checksum: 71F23F30E8D22A202B518A954FE83332;4897.
 ) 
 Here is how much of TeX's memory you used:
- 31790 strings out of 469495
- 627577 string characters out of 5470099
+ 31810 strings out of 469495
+ 627873 string characters out of 5470099
 1238894 words of memory out of 5000000
- 59761 multiletter control sequences out of 15000+600000
+ 59760 multiletter control sequences out of 15000+600000
 791342 words of font info for 89 fonts, out of 8000000 for 9000
 16 hyphenation exceptions out of 8191
 113i,8n,122p,697b,1727s stack positions out of 10000i,1000n,20000p,200000b,200000s
@@ -1311,10 +1318,10 @@ hare/texmf-dist/fonts/type1/impallari/raleway/Raleway-Italic.pfb></usr/share/te
 xmf-dist/fonts/type1/impallari/raleway/Raleway-Regular.pfb></usr/share/texmf-di
 st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/
 public/cm-super/sftt1095.pfb>
-Output written on relatorio.pdf (14 pages, 879988 bytes).
+Output written on relatorio.pdf (14 pages, 882504 bytes).
 PDF statistics:
- 399 PDF objects out of 1000 (max. 8388607)
- 335 compressed objects within 4 object streams
- 126 named destinations out of 1000 (max. 500000)
+ 425 PDF objects out of 1000 (max. 8388607)
+ 361 compressed objects within 4 object streams
+ 147 named destinations out of 1000 (max. 500000)
 413 words of extra memory for PDF output out of 10000 (max. 10000000)

--- a/relatorio/relatorio.pdf
+++ b/relatorio/relatorio.pdf
--- a/relatorio/relatorio.toc
+++ b/relatorio/relatorio.toc
@@ -19,10 +19,10 @@
 \contentsline {subsection}{\numberline {4.1}Information Gathering}{12}{subsection.4.1}%
 \contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{12}{subsection.4.2}%
 \contentsline {subsection}{\numberline {4.3}Identity Management Testing}{12}{subsection.4.3}%
-\contentsline {subsection}{\numberline {4.4}Authentication Testing}{12}{subsection.4.4}%
+\contentsline {subsection}{\numberline {4.4}Authentication Testing}{13}{subsection.4.4}%
 \contentsline {subsection}{\numberline {4.5}Authorization Testing}{13}{subsection.4.5}%
 \contentsline {subsection}{\numberline {4.6}Session Management Testing}{13}{subsection.4.6}%
 \contentsline {subsection}{\numberline {4.7}Input Validation Testing}{13}{subsection.4.7}%
-\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{13}{subsection.4.8}%
-\contentsline {subsection}{\numberline {4.9}Client Side Testing}{13}{subsection.4.9}%
+\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{14}{subsection.4.8}%
+\contentsline {subsection}{\numberline {4.9}Client Side Testing}{14}{subsection.4.9}%
 \contentsline {section}{\numberline {5}Conclusions}{14}{section.5}%