# OWASP Top 10 Security Checklist

## Status: Validated

| # | Vulnerability | Mitigation Implemented | Location |
|---|---------------|------------------------|----------|
| A01 | **Broken Access Control** | Not applicable (no authentication required) | N/A |
| A02 | **Cryptographic Failures** | HTTPS enforced in production (HSTS) | `Program.cs:127` |
| A03 | **Injection** | FluentValidation + regex sanitization, EF Core parameterized queries | `CreateStudentValidator.cs`, `EnrollStudentValidator.cs` |
| A04 | **Insecure Design** | Clean Architecture, input validation at every layer | Layered architecture |
| A05 | **Security Misconfiguration** | Security headers (CSP, X-Frame-Options, etc.), exception details disabled in production | `Program.cs:106-130`, `GraphQLExtensions.cs:53` |
| A06 | **Vulnerable Components** | Dependencies kept up to date (.NET 10, Angular 21) | `*.csproj`, `package.json` |
| A07 | **Auth Failures** | Not applicable (no authentication in this MVP) | N/A |
| A08 | **Data Integrity Failures** | Input validation, FluentValidation, GraphQL type safety | Validators |
| A09 | **Security Logging Failures** | Serilog structured logging, sensitive data filtering | `appsettings.json:38-45` |
| A10 | **Server-Side Request Forgery** | No endpoints accept external URLs | N/A |

|
## Security Measures Implemented

### Backend (.NET)

1. **Input Validation**
   - FluentValidation with regex patterns
   - HTML/script sanitization
   - Maximum field lengths
   - Email format validation

2. **Security Headers**
   - `Content-Security-Policy`
   - `X-Content-Type-Options: nosniff`
   - `X-Frame-Options: DENY`
   - `Referrer-Policy: strict-origin-when-cross-origin`
   - `Permissions-Policy`
   - `Strict-Transport-Security` (production only)

3. **Rate Limiting**
   - 100 requests/minute for GraphQL queries
   - 30 mutations/minute
   - Queue limit to prevent request buildup

4. **GraphQL Security**
   - Query depth limit: 5 levels
   - Query complexity limit: 100
   - Execution timeout: 30 seconds
   - Pagination max: 50 items

5. **Secure Logging**
   - Sensitive data filtering (passwords, tokens)
   - Structured logging with Serilog
   - Log rotation (7 days)

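
The header list in item 2 can be turned into an automated check rather than a manual read of `curl -I` output. The following Python script is an added example, not code from the project: it parses a captured response head and reports every header from the list that is missing or carries a value other than the one the checklist states. The two sample responses are constructed for the example; `Strict-Transport-Security` is only required when the check is run with `production=True`, matching the "production only" note above.

```python
"""Verify a captured HTTP response head against the checklist's security
headers. Added example; the sample responses below are constructed, not
captured from the project's server."""

# Expected headers and, where the checklist states one, the exact value.
# None means "present with any non-empty value" (the policy contents are
# deployment-specific and not fixed by the checklist).
REQUIRED_HEADERS = {
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": None,
}
# HSTS is only expected on the production deployment.
PRODUCTION_ONLY = {"strict-transport-security": None}


def parse_head(raw: str) -> dict:
    """Turn the text `curl -I` prints into a {lowercase-name: value} dict."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank/garbage line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(raw: str, production: bool = False) -> list:
    """Return a list of findings; an empty list means the head is compliant."""
    headers = parse_head(raw)
    expected = dict(REQUIRED_HEADERS)
    if production:
        expected.update(PRODUCTION_ONLY)
    findings = []
    for name, wanted in expected.items():
        actual = headers.get(name)
        if not actual:
            findings.append(f"missing {name}")
        elif wanted is not None and actual.lower() != wanted.lower():
            findings.append(f"{name} is {actual!r}, expected {wanted!r}")
    return findings


# Constructed sample: a development response with one wrong value and one
# missing header.
SAMPLE_DEV_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
"""

# Constructed sample: a compliant production response.
SAMPLE_PROD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_DEV_RESPONSE, production=True):
        print("FAIL:", finding)
    print("prod findings:", check_headers(SAMPLE_PROD_RESPONSE, production=True))
```

To run it against a live instance, pipe the real output in place of the sample (`curl -sI https://host/graphql | python3 -c 'import sys, check; print(check.check_headers(sys.stdin.read(), production=True))'`, assuming the script is saved as `check.py`). Comparing values case-insensitively avoids false positives from servers that emit `deny` or `Nosniff`, while still catching the real deviation (`SAMEORIGIN` where `DENY` is expected).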
|
### Frontend (Angular)

1. **XSS Prevention**
   - Angular's default sanitization
   - Content Security Policy

2. **CSRF Protection**
   - No session cookies (stateless GraphQL)

3. **Secure Communication**
   - HTTPS only in production
   - GraphQL over HTTPS

|
## Recommended Security Tests

```bash
# Test security headers
curl -I http://localhost:5000/graphql

# Test rate limiting (should return 429 after 100 requests)
for i in {1..150}; do curl -s -o /dev/null -w "%{http_code}\n" http://localhost:5000/graphql; done

# Test query depth (should fail with depth > 5; this query nests 6 levels)
curl -X POST http://localhost:5000/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ students { enrollments { subject { professor { subjects { name } } } } } }"}'
```