modsecurity

2026-05-31 14:55:52 +01:00
parent a17feb0e1b
commit ded74f1a45
15 changed files with 215 additions and 76 deletions
--- a/SERVER.sh
+++ b/SERVER.sh
@@ -43,6 +43,7 @@ sudo iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
 sudo iptables-save > /etc/sysconfig/iptables

 sudo cp conf/httpd.conf /etc/httpd/httpd.conf
+sudo cp conf/modsecurity.conf /etc/httpd/conf/modsecurity.conf

 # instalar juice-shop se nao existir
 jspath="/var/juice-shop"
@@ -54,10 +55,6 @@ if [[ ! -f "$jspath/package.json" ]]; then
    sudo chown -R $USER:$USER "$jspath"
 fi

-# apache WAF (desativado por default)
-s stop httpd
-s disable httpd
-
 # correr juice shop via npm
 cd "$jspath"
 npm start
--- a/conf/httpd.conf
+++ b/conf/httpd.conf
@@ -4,8 +4,9 @@ User apache
 Group apache

 Include conf.modules.d/*.conf
-IncludeOptional modsecurity.d/*.conf
-IncludeOptional modsecurity.d/activated_rules/*.conf
+Include conf/modsecurity.conf
+# IncludeOptional modsecurity.d/*.conf
+# IncludeOptional modsecurity.d/activated_rules/*.conf

 <Directory />
    AllowOverride none
--- a/conf/modsecurity.conf
+++ b/conf/modsecurity.conf
@@ -0,0 +1,23 @@
+SecRuleEngine On
+SecRequestBodyAccess On
+SecResponseBodyAccess Off
+SecDebugLog /var/log/modsecurity/debug.log
+SecDebugLogLevel 0
+SecAuditLogParts ABIJ
+SecAuditLogType Serial
+SecAuditLog /var/log/modsecurity/audit.log
+
+# SQL Injection protection
+SecRule ARGS "(?i)(union(\s+all)?\s+select|select\s+.*\s+from|insert\s+into|update\s+.*\s+set|delete\s+from|drop\s+table|or\s+1=1|--|#|/\*|\*/|\bexec\b|\bexecute\b)" "id:'950001',phase:2,deny,status:403,msg:'SQL Injection Attack Detected',log"
+
+# XSS / HTML Injection protection
+SecRule ARGS "(?i)<script|javascript:|on\\w+=|<img|<svg|<iframe|<object|<embed|<form|<input|%3c|%3e|%22|%27|%60" "id:'950003',phase:2,deny,status:403,msg:'XSS/HTML Injection Detected',log"
+
+# Remote File Inclusion protection
+SecRule ARGS "(?i)(https?|ftp)://" "id:'950005',phase:2,deny,status:403,msg:'Remote File Inclusion Attempt',log"
+
+# Command Injection protection
+SecRule ARGS "(?i)(;|&&|\|\||\$\(|\`|\bexec\b|\bcmd\b|\bsystem\b)" "id:'950006',phase:2,deny,status:403,msg:'Command Injection Detected',log"
+
+# Path Traversal protection
+SecRule ARGS "(\../|\..\\)" "id:'950007',phase:2,deny,status:403,msg:'Path Traversal Attempt',log"
--- a/relatorio/imgs/dir-fuzzing.png
+++ b/relatorio/imgs/dir-fuzzing.png
--- a/relatorio/imgs/ftp.png
+++ b/relatorio/imgs/ftp.png
--- a/relatorio/imgs/metrics.png
+++ b/relatorio/imgs/metrics.png
--- a/relatorio/imgs/suspiciouserrors.png
+++ b/relatorio/imgs/suspiciouserrors.png
--- a/relatorio/imgs/suspiciouserrors2.png
+++ b/relatorio/imgs/suspiciouserrors2.png
--- a/relatorio/imgs/swagger.png
+++ b/relatorio/imgs/swagger.png
--- a/relatorio/relatorio.aux
+++ b/relatorio/relatorio.aux
@@ -13,24 +13,40 @@
 \@writefile{toc}{\contentsline {subsection}{\numberline {2.3}Services}{3}{subsection.2.3}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {3}Web application security testing}{4}{section.3}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Information Gathering}{4}{subsection.3.1}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces ftp}}{4}{figure.1}\protected@file@percent }
+\newlabel{fig:ftp}{{1}{4}{ftp}{figure.1}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuration and Deployment Management Testing}{4}{subsection.3.2}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Identity Management Testing}{5}{subsection.3.3}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces metrics}}{5}{figure.2}\protected@file@percent }
+\newlabel{fig:metrics}{{2}{5}{metrics}{figure.2}{}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces swagger}}{5}{figure.3}\protected@file@percent }
+\newlabel{fig:swagger}{{3}{5}{swagger}{figure.3}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Identity Management Testing}{6}{subsection.3.3}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {4}{\ignorespaces email-unique}}{7}{figure.4}\protected@file@percent }
+\newlabel{fig:email-unique}{{4}{7}{email-unique}{figure.4}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Authentication Testing}{7}{subsection.3.4}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {3.5}Authorization Testing}{7}{subsection.3.5}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.6}Session Management Testing}{7}{subsection.3.6}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.7}Input Validation Testing}{7}{subsection.3.7}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.7.1}Testing for SQL Injection}{8}{subsubsection.3.7.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.8}Testing for Error Handling}{8}{subsection.3.8}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.9}Client Side Testing}{9}{subsection.3.9}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {4}Web Application Security Firewall}{10}{section.4}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Information Gathering}{10}{subsection.4.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{10}{subsection.4.2}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{10}{subsection.4.3}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.4}Authentication Testing}{10}{subsection.4.4}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.5}Authorization Testing}{10}{subsection.4.5}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.6}Session Management Testing}{10}{subsection.4.6}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{10}{subsection.4.7}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{10}{subsection.4.8}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.9}Client Side Testing}{10}{subsection.4.9}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {5}Conclusions}{10}{section.5}\protected@file@percent }
-\gdef \@abspage@last{10}
+\@writefile{lof}{\contentsline {figure}{\numberline {5}{\ignorespaces email-invalido}}{8}{figure.5}\protected@file@percent }
+\newlabel{fig:email-invalido}{{5}{8}{email-invalido}{figure.5}{}}
+\@writefile{lof}{\contentsline {figure}{\numberline {6}{\ignorespaces suspiciouserrors}}{8}{figure.6}\protected@file@percent }
+\newlabel{fig:suspiciouserrors}{{6}{8}{suspiciouserrors}{figure.6}{}}
+\@writefile{lof}{\contentsline {figure}{\numberline {7}{\ignorespaces suspiciouserrors2}}{9}{figure.7}\protected@file@percent }
+\newlabel{fig:suspiciouserrors2}{{7}{9}{suspiciouserrors2}{figure.7}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.6}Session Management Testing}{9}{subsection.3.6}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.7}Input Validation Testing}{9}{subsection.3.7}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.7.1}Testing for SQL Injection}{10}{subsubsection.3.7.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.8}Testing for Error Handling}{10}{subsection.3.8}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {8}{\ignorespaces stack-trace}}{11}{figure.8}\protected@file@percent }
+\newlabel{fig:stack-trace}{{8}{11}{stack-trace}{figure.8}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.9}Client Side Testing}{11}{subsection.3.9}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {4}Web Application Security Firewall}{12}{section.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Information Gathering}{12}{subsection.4.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{12}{subsection.4.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{12}{subsection.4.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.4}Authentication Testing}{12}{subsection.4.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.5}Authorization Testing}{12}{subsection.4.5}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.6}Session Management Testing}{12}{subsection.4.6}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{12}{subsection.4.7}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{12}{subsection.4.8}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.9}Client Side Testing}{12}{subsection.4.9}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {5}Conclusions}{12}{section.5}\protected@file@percent }
+\gdef \@abspage@last{12}
--- a/relatorio/relatorio.log
+++ b/relatorio/relatorio.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.29 (MiKTeX 26.2) (preloaded format=pdflatex 2026.5.30)  31 MAY 2026 13:33
+This is pdfTeX, Version 3.141592653-2.6-1.40.29 (MiKTeX 26.2) (preloaded format=pdflatex 2026.5.30)  31 MAY 2026 14:43
 entering extended mode
 restricted \write18 enabled.
 %&-line parsing enabled.
@@ -1297,24 +1297,71 @@ LaTeX Font Info:    Font shape `T1/cmtt/bx/n' in size <9> not available
 (relatorio.listing
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/m/n' will be
 (Font)              scaled to size 9.0pt on input line 1.
-) [4]
+)
+<./imgs/ftp.png, id=199, 1587.9325pt x 401.5pt>
+File: ./imgs/ftp.png Graphic file (type png)
+<use ./imgs/ftp.png>
+Package pdftex.def Info: ./imgs/ftp.png  used on input line 103.
+(pdftex.def)             Requested size: 452.9679pt x 114.5267pt.
+<./imgs/metrics.png, id=200, 1927.2pt x 1010.77625pt>
+File: ./imgs/metrics.png Graphic file (type png)
+<use ./imgs/metrics.png>
+Package pdftex.def Info: ./imgs/metrics.png  used on input line 109.
+(pdftex.def)             Requested size: 452.9679pt x 237.5633pt.
+
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+<./imgs/swagger.png, id=201, 1923.185pt x 995.72pt>
+File: ./imgs/swagger.png Graphic file (type png)
+<use ./imgs/swagger.png>
+Package pdftex.def Info: ./imgs/swagger.png  used on input line 115.
+(pdftex.def)             Requested size: 452.9679pt x 234.5108pt.
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[4 <./imgs/ftp.png (PNG copy)>] [5 <./imgs/metrics.png (PNG copy)> <./imgs/swag
+ger.png (PNG copy)>]
 \openout6 = `relatorio.listing'.

 (relatorio.listing)
-<./imgs/email-unique.png, id=205, 475.7775pt x 361.35pt>
+<./imgs/email-unique.png, id=218, 475.7775pt x 361.35pt>
 File: ./imgs/email-unique.png Graphic file (type png)
 <use ./imgs/email-unique.png>
-Package pdftex.def Info: ./imgs/email-unique.png  used on input line 148.
-(pdftex.def)             Requested size: 226.48395pt x 172.01245pt.
- [5]
-<./imgs/email-invalido.png, id=228, 504.88625pt x 541.02126pt>
+Package pdftex.def Info: ./imgs/email-unique.png  used on input line 172.
+(pdftex.def)             Requested size: 317.07614pt x 240.82956pt.
+
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[6]
+<./imgs/email-invalido.png, id=241, 504.88625pt x 541.02126pt>
 File: ./imgs/email-invalido.png Graphic file (type png)
 <use ./imgs/email-invalido.png>
-Package pdftex.def Info: ./imgs/email-invalido.png  used on input line 159.
-(pdftex.def)             Requested size: 226.48395pt x 242.69781pt.
- [6 <./imgs/email-unique.png (PNG copy)> <./imgs/email-invalido.png (PNG copy)>
-]
-Overfull \hbox (6.24345pt too wide) in paragraph at lines 185--186
+Package pdftex.def Info: ./imgs/email-invalido.png  used on input line 188.
+(pdftex.def)             Requested size: 317.07614pt x 339.772pt.
+
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[7 <./imgs/email-unique.png (PNG copy)>]
+<./imgs/suspiciouserrors.png, id=249, 1150.2975pt x 568.1225pt>
+File: ./imgs/suspiciouserrors.png Graphic file (type png)
+<use ./imgs/suspiciouserrors.png>
+Package pdftex.def Info: ./imgs/suspiciouserrors.png  used on input line 207.
+(pdftex.def)             Requested size: 317.07614pt x 156.60258pt.
+<./imgs/suspiciouserrors2.png, id=250, 900.36375pt x 471.7625pt>
+File: ./imgs/suspiciouserrors2.png Graphic file (type png)
+<use ./imgs/suspiciouserrors2.png>
+Package pdftex.def Info: ./imgs/suspiciouserrors2.png  used on input line 213.
+(pdftex.def)             Requested size: 317.07614pt x 166.13432pt.
+
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[8 <./imgs/email-invalido.png (PNG copy)> <./imgs/suspiciouserrors.png (PNG cop
+y)>]
+Overfull \hbox (6.24345pt too wide) in paragraph at lines 230--231
 []\T1/Raleway-OsF/b/n/10.95 Tentativa com Script Di-reto: \T1/Raleway-OsF/m/n/1
 0.95 In-se-ri-mos o pay-load tra-di-ci-o-nal \T1/cmtt/m/n/10.95 <script>alert("
 someones
@@ -1322,19 +1369,24 @@ someones

 \openout6 = `relatorio.listing'.

-(relatorio.listing) [7]
+(relatorio.listing) [9 <./imgs/suspiciouserrors2.png (PNG copy)>]
 \openout6 = `relatorio.listing'.

- (relatorio.listing)
-<./imgs/stack-trace.png, id=245, 643.90562pt x 378.91562pt>
+
+(relatorio.listing)
+<./imgs/stack-trace.png, id=268, 643.90562pt x 378.91562pt>
 File: ./imgs/stack-trace.png Graphic file (type png)
 <use ./imgs/stack-trace.png>
-Package pdftex.def Info: ./imgs/stack-trace.png  used on input line 235.
-(pdftex.def)             Requested size: 452.9679pt x 266.56314pt.
- [8]
+Package pdftex.def Info: ./imgs/stack-trace.png  used on input line 282.
+(pdftex.def)             Requested size: 317.07614pt x 186.59535pt.
+
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[10]
 \openout6 = `relatorio.listing'.

- (relatorio.listing) [9 <./imgs/stack-trace.png>] [10] (relatorio.aux)
+ (relatorio.listing) [11 <./imgs/stack-trace.png>] [12] (relatorio.aux)
 ***********
 LaTeX2e <2025-11-01>
 L3 programming layer <2026-03-20>
@@ -1343,10 +1395,10 @@ Package rerunfilecheck Info: File `relatorio.out' has not changed.
 (rerunfilecheck)             Checksum: 71F23F30E8D22A202B518A954FE83332;4897.
 ) 
 Here is how much of TeX's memory you used:
- 31700 strings out of 467691
- 636648 string characters out of 5414987
- 1246039 words of memory out of 5000000
- 60099 multiletter control sequences out of 15000+600000
+ 31781 strings out of 467691
+ 638393 string characters out of 5414987
+ 1247303 words of memory out of 5000000
+ 60170 multiletter control sequences out of 15000+600000
 791342 words of font info for 89 fonts, out of 8000000 for 9000
 1141 hyphenation exceptions out of 8191
 113i,8n,122p,699b,1803s stack positions out of 10000i,1000n,20000p,200000b,200000s
@@ -1356,9 +1408,9 @@ Here is how much of TeX's memory you used:
 ri/raleway/Raleway-Bold.pfb><C:/Users/lcorp/AppData/Local/Programs/MiKTeX/fonts
 /type1/impallari/raleway/Raleway-Italic.pfb><C:/Users/lcorp/AppData/Local/Progr
 ams/MiKTeX/fonts/type1/impallari/raleway/Raleway-Regular.pfb>
-Output written on relatorio.pdf (10 pages, 263252 bytes).
+Output written on relatorio.pdf (12 pages, 869774 bytes).
 PDF statistics:
- 461 PDF objects out of 1000 (max. 8388607)
- 98 named destinations out of 1000 (max. 500000)
- 388 words of extra memory for PDF output out of 10000 (max. 10000000)
+ 486 PDF objects out of 1000 (max. 8388607)
+ 108 named destinations out of 1000 (max. 500000)
+ 413 words of extra memory for PDF output out of 10000 (max. 10000000)

--- a/relatorio/relatorio.pdf
+++ b/relatorio/relatorio.pdf
--- a/relatorio/relatorio.synctex.gz
+++ b/relatorio/relatorio.synctex.gz
--- a/relatorio/relatorio.tex
+++ b/relatorio/relatorio.tex
@@ -80,7 +80,7 @@ Realisticamente estas etapas podiam continuar a repetir-se, até que estivessemo

 Utilizámos a política por omissão (\textit{default policy}) para a realização do \textit{Active Scan} através do OWASP ZAP. Com esta abordagem, obtivemos múltiplos alertas automáticos. De forma a priorizar a análise, investigamos as alertas principais com base no maior nível de risco e grau de confiança reportados pela ferramenta.

-Para conseguir informação inicial realizamos um \textit{Active Scan} através do \textit{OWASP ZAP}, o policy utilizado para esse scan foi \textit{Default Policy}. Foi obtido vários aletas automáticos devido a esse scan e decidimos investigar as alertas principais com base no nível de risco e grau de confiança reportado pela ferramenta.
+% Para conseguir informação inicial realizamos um \textit{Active Scan} através do \textit{OWASP ZAP}, o policy utilizado para esse scan foi \textit{Default Policy}. Foi obtido vários aletas automáticos devido a esse scan e decidimos investigar as alertas principais com base no nível de risco e grau de confiança reportado pela ferramenta.

 Adicionalmente, realizámos testes de infraestrutura  utilizando ferramentas especializadas:

@@ -93,11 +93,31 @@ Ao executar o \textit{sqlmap}, descobrimos que o sistema de gestão de base de d
 Paralelamente, realizámos uma descoberta de ficheiros e diretórios através de técnicas de \textit{fuzzing} de URLs no OWASP ZAP recorrendo à lista de permissões da \textit{DirBuster}. Esta exploração revelou os seguintes endpoints publicamente expostos:

 \begin{itemize}
-    \item \texttt{/ftp}: Servidor de armazenamento e transferência de ficheiros exposto.
-    \item \texttt{/metrics}: Métricas internas da infraestrutura expostas.
-    \item \texttt{/api-docs}: Documentação e esquemas estruturais da API.
+    \item \texttt{/ftp}: Servidor de armazenamento e transferência de ficheiros exposto. (Figura \ref{fig:ftp})
+    \item \texttt{/metrics}: Métricas internas da infraestrutura expostas. (Figura \ref{fig:metrics})
+    \item \texttt{/api-docs}: Documentação e esquemas estruturais da API. (Figura \ref{fig:swagger})
 \end{itemize}

+\begin{figure}[h!]
+    \centering
+    \includegraphics[width=\textwidth]{ftp}
+    \caption{ftp}
+    \label{fig:ftp}
+\end{figure}
+\begin{figure}[h!]
+    \centering
+    \includegraphics[width=\textwidth]{metrics}
+    \caption{metrics}
+    \label{fig:metrics}
+\end{figure}
+\begin{figure}[h!]
+    \centering
+    \includegraphics[width=\textwidth]{swagger}
+    \caption{swagger}
+    \label{fig:swagger}
+\end{figure}
+
+

 \subsection{Configuration and Deployment Management Testing}

@@ -113,6 +133,8 @@ Testámos os métodos HTTP permitidos pelo servidor através do envio de pedidos

 Analisámos as permissões de acesso no diretório \texttt{/ftp}. Verificámos que a falta de restrições rígidas ao nível do sistema de ficheiros permite a qualquer utilizador anónimo listar o conteúdo de diretórios estruturais e descarregar ficheiros não indexados na interface principal da aplicação.

+
+
 \subsection{Identity Management Testing}

 \subsubsection*{Test Role Definitions}
@@ -145,7 +167,12 @@ O servidor backend processou o pedido sem validar se o utilizador possuía autor

 Ao tentar registar um utilizador com o e-mail \texttt{admin@juice-sh.op}, verificámos que a aplicação devolve uma mensagem de erro explícita indicando que o e-mail já se encontra registado no sistema. Este comportamento confirma a vulnerabilidade de enumeração de contas, permitindo a um atacante mapear quais os e-mails válidos na plataforma.

-\includegraphics[width=0.5\textwidth]{email-unique}
+\begin{figure}[h!]
+    \centering
+    \includegraphics[width=0.7\textwidth]{email-unique}
+    \caption{email-unique}
+    \label{fig:email-unique}
+\end{figure}

 \subsubsection*{Testing for Weak or Unenforced Username Policy}

@@ -156,11 +183,16 @@ Após testar vários caracteres especiais no formulário de registo, criámos um
 \end{itemize}
 A aplicação aceitou o registo sem validar a presença de carateres de injeção SQL ou tags HTML. Contudo, verificámos que é impossível efetuar login com esta conta posteriormente, uma vez que o processo de autenticação falha e resulta num erro genérico do tipo \texttt{[object Object]} no ecrã.

-\includegraphics[width=0.5\textwidth]{email-invalido}
+\begin{figure}[h!]
+    \centering
+    \includegraphics[width=0.7\textwidth]{email-invalido}
+    \caption{email-invalido}
+    \label{fig:email-invalido}
+\end{figure}

 \subsection{Authentication Testing}

-Realizámos testes de \textit{fuzzing} automatizado contra o formulário de login utilizando dicionários de credenciais. Identificámos que a aplicação não implementa mecanismos de bloqueio de conta (*Account Lockout*) ou limitação de taxa de pedidos (*Rate Limiting*), permitindo ataques contínuos de \textit{brute force}.
+Realizámos testes de \textit{fuzzing} automatizado contra o formulário de login utilizando dicionários de credenciais. Identificámos que a aplicação não implementa mecanismos de bloqueio de conta ou limitação de taxa de pedidos \textit{rate limiting}, permitindo ataques contínuos de \textit{brute force}.



@@ -170,6 +202,19 @@ Testámos as permissões de acesso ao diretório \texttt{/ftp} e verificámos qu

 Seguidamente, explorámos falhas na validação de inputs através de uma injeção de \textit{Null Byte} codificado (\texttt{\%2500.md} ou \texttt{\%2500.pdf}). O ataque foi bem-sucedido e contornou a validação de extensões do servidor, garantindo o acesso e descarregamento de ficheiros confidenciais restritos: \texttt{encrypt.pyc} e \texttt{suspicious\_errors.yml}.

+\begin{figure}[h!]
+    \centering
+    \includegraphics[width=0.7\textwidth]{suspiciouserrors}
+    \caption{suspiciouserrors}
+    \label{fig:suspiciouserrors}
+\end{figure}
+\begin{figure}[h!]
+    \centering
+    \includegraphics[width=0.7\textwidth]{suspiciouserrors2}
+    \caption{suspiciouserrors2}
+    \label{fig:suspiciouserrors2}
+\end{figure}
+
 \subsection{Session Management Testing}

 Identificámos que o cookie \texttt{token}, responsável por armazenar o identificador da sessão ativa do utilizador, possui a flag \texttt{HttpOnly} configurada como \texttt{false}. A ausência desta proteção significa que o token está totalmente exposto e pode ser lido por scripts do lado do cliente, tornando a sessão criticamente vulnerável a roubo por Cross-Site Scripting (XSS).
@@ -232,7 +277,12 @@ Ao tentar forçar o acesso a uma página ou ficheiro inexistente no servidor de



-\includegraphics[width=\textwidth]{stack-trace}
+\begin{figure}[h!]
+    \centering
+    \includegraphics[width=0.7\textwidth]{stack-trace}
+    \caption{stack-trace}
+    \label{fig:stack-trace}
+\end{figure}

 \subsection{Client Side Testing}

--- a/relatorio/relatorio.toc
+++ b/relatorio/relatorio.toc
@@ -7,22 +7,22 @@
 \contentsline {section}{\numberline {3}Web application security testing}{4}{section.3}%
 \contentsline {subsection}{\numberline {3.1}Information Gathering}{4}{subsection.3.1}%
 \contentsline {subsection}{\numberline {3.2}Configuration and Deployment Management Testing}{4}{subsection.3.2}%
-\contentsline {subsection}{\numberline {3.3}Identity Management Testing}{5}{subsection.3.3}%
+\contentsline {subsection}{\numberline {3.3}Identity Management Testing}{6}{subsection.3.3}%
 \contentsline {subsection}{\numberline {3.4}Authentication Testing}{7}{subsection.3.4}%
 \contentsline {subsection}{\numberline {3.5}Authorization Testing}{7}{subsection.3.5}%
-\contentsline {subsection}{\numberline {3.6}Session Management Testing}{7}{subsection.3.6}%
-\contentsline {subsection}{\numberline {3.7}Input Validation Testing}{7}{subsection.3.7}%
-\contentsline {subsubsection}{\numberline {3.7.1}Testing for SQL Injection}{8}{subsubsection.3.7.1}%
-\contentsline {subsection}{\numberline {3.8}Testing for Error Handling}{8}{subsection.3.8}%
-\contentsline {subsection}{\numberline {3.9}Client Side Testing}{9}{subsection.3.9}%
-\contentsline {section}{\numberline {4}Web Application Security Firewall}{10}{section.4}%
-\contentsline {subsection}{\numberline {4.1}Information Gathering}{10}{subsection.4.1}%
-\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{10}{subsection.4.2}%
-\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{10}{subsection.4.3}%
-\contentsline {subsection}{\numberline {4.4}Authentication Testing}{10}{subsection.4.4}%
-\contentsline {subsection}{\numberline {4.5}Authorization Testing}{10}{subsection.4.5}%
-\contentsline {subsection}{\numberline {4.6}Session Management Testing}{10}{subsection.4.6}%
-\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{10}{subsection.4.7}%
-\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{10}{subsection.4.8}%
-\contentsline {subsection}{\numberline {4.9}Client Side Testing}{10}{subsection.4.9}%
-\contentsline {section}{\numberline {5}Conclusions}{10}{section.5}%
+\contentsline {subsection}{\numberline {3.6}Session Management Testing}{9}{subsection.3.6}%
+\contentsline {subsection}{\numberline {3.7}Input Validation Testing}{9}{subsection.3.7}%
+\contentsline {subsubsection}{\numberline {3.7.1}Testing for SQL Injection}{10}{subsubsection.3.7.1}%
+\contentsline {subsection}{\numberline {3.8}Testing for Error Handling}{10}{subsection.3.8}%
+\contentsline {subsection}{\numberline {3.9}Client Side Testing}{11}{subsection.3.9}%
+\contentsline {section}{\numberline {4}Web Application Security Firewall}{12}{section.4}%
+\contentsline {subsection}{\numberline {4.1}Information Gathering}{12}{subsection.4.1}%
+\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{12}{subsection.4.2}%
+\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{12}{subsection.4.3}%
+\contentsline {subsection}{\numberline {4.4}Authentication Testing}{12}{subsection.4.4}%
+\contentsline {subsection}{\numberline {4.5}Authorization Testing}{12}{subsection.4.5}%
+\contentsline {subsection}{\numberline {4.6}Session Management Testing}{12}{subsection.4.6}%
+\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{12}{subsection.4.7}%
+\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{12}{subsection.4.8}%
+\contentsline {subsection}{\numberline {4.9}Client Side Testing}{12}{subsection.4.9}%
+\contentsline {section}{\numberline {5}Conclusions}{12}{section.5}%