8/14/2019 Protection and Information Security
162009
7rs Group | 4Best Security
www.7rs.cc [email protected]
Terms used in this document: "information security", "information systems", "information hacking".
3:
1- rules/permission
2- users/ownerships
3- Firewalls
4- Security bugs
1- rules/permission (Linux/Unix):
Linux/Unix: permissions are set with the chmod command:
chmod [permission] [file/folder name]
The permission can be given in two ways:
Symbolic: the permissions are r (read), w (write) and x (execute), applied to u (the owner), g (the group), o (others) or a (all, which includes the nobody account). For example, to give everyone read and execute on file.exe:
chmod a+rx file.exe
Numeric: r = 4, w = 2 and x = 1, added together for each of the owner, the group and others, in that order. Read and execute for everyone, nobody included:
chmod 555 file.exe
Execute only for the owner, read and execute for the group, and execute only for others:
chmod 151 file.exe
2- users/ownerships:
Every file or folder belongs to a user and a group; ownership is changed with the chown command:
chown [-R] [:group ID/name] [target]
For example, to give the folder /Employers to the group Department:
chown -R :Department /Employers
The -R option applies the change to everything under /Employers as well. Permissions are then restricted with chmod:
chmod 400 /Employers
To change the owning user instead of the group:
chown -R [user ID/name] [target]
Both can be set at once; for example, to make user 500 and group Department the owners of /Employers:
chown -R 500:Department /Employers
chmod 460 /Employers
Files that belong to no particular user are given to the nobody account:
chown nobody /tmp
with the permissions on /tmp set to:
chmod 774 /tmp
3- Firewalls:
On Linux, access to a web folder can be restricted with htpasswd.
Creating the htpasswd files:
1- Open http://www.clockwatchers.com/htaccess_tool.html
2- Under .htaccess Tool choose Password Protection and click "create it" to generate the .htaccess file.
3- Under .htpasswd Tool enter the username and password and click "create it"; the password is stored hashed with DES in the generated .htpasswd file.
4- Place both files in the folder to be protected.
4- Security bugs:
Software you run may contain known security bugs. Check the programs and versions you use at www.securityfocus.com under "Vulnerability" and apply the fixes. Errors and exceptions (Error/Exception) raised by your own programs should also be handled.
Input validation errors
Input the script receives is used without being checked. Two types are covered:
1) Command Injection
2) Path Traversal

Command Injection:
Data sent to the script ("GET, POST") is placed directly into a command, so the user can inject their own commands into it. Examples:
1- SQL Injection:
The input is placed into an SQL query without validation, letting the user alter the query. Protection: check every input and reject illegal input; a value that should be an integer must be an integer, and a string must be a string.
First example: a php page that lists articles (Article's List) and reads one of them by its id.
On line 17 the value of the URL parameter id is placed straight into the SQL query. Appending and 1=0 to the URL:
http://site.com/file.php?id=1 and 1=0
puts the content of $_GET['id'] into the query as it is:
select id,title,content from articles where id=1 and 1=0
and 1=0 is always false, so no article is returned: whatever is typed into $_GET['id'] reaches the database unchanged.
The fix is intval(), which converts its argument to an integer and drops anything that is not part of a number: 11abcd becomes 11, 3.5 becomes 3, and so on. Added before line 17:
$id=intval($_GET['id']);
and line 17 becomes:
$res=mysql_query("select id,title,content from articles where id=".$id);
Second example: a login script. Lines 15 and 16 take the username and password from the form and put them straight into the query. Entering 'or '1'='1 in both fields produces:
select * from login where adm_uname='' or '1' = '1' and adm_upass='' or '1' = '1 '
This condition is always true, so the check on line 18 passes and the attacker is logged in without knowing any password! The cause is the single quote ', which closes the string in the query; the fix is to put a backslash before it, so ' becomes \'. mysql_escape_string does this for quotes and the other characters MySQL treats specially. Line 10 becomes:
$name= mysql_escape_string ($_POST['username']);
$pass= mysql_escape_string ($_POST['password']);
The same input now gives:
select * from login where adm_uname='\' or \'1\' = \'1' and adm_upass='\' or \'1\' = \'1 '
which matches no account, so the login fails as it should.
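A Python re-implementation of the two fixes above, added here as an example and not the document's php code: intval-style coercion for the numeric id and backslash escaping for the quoted strings, run over the inputs from the text. The escape table is an assumption modelled on mysql_escape_string (removed in PHP 7).

```python
import re


def intval(value: str) -> int:
    """Mimic PHP intval() on a string: keep the leading digits, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


# Characters that mysql_escape_string() prefixes with a backslash (assumed table).
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def escape_string(value: str) -> str:
    """Mimic mysql_escape_string(): backslash-escape quotes and control characters."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def article_query(raw_id: str) -> str:
    """Line 17 of the first example after the fix: the id is coerced to an integer."""
    return "select id,title,content from articles where id=%d" % intval(raw_id)


def login_query(username: str, password: str) -> str:
    """Line 10 of the second example after the fix: both strings are escaped."""
    return ("select * from login where adm_uname='%s' and adm_upass='%s'"
            % (escape_string(username), escape_string(password)))


if __name__ == "__main__":
    # Inputs taken from the text (constructed test values).
    print(article_query("1 and 1=0"))   # id=1: the injected condition is dropped
    print(article_query("11abcd"), article_query("3.5"))
    print(login_query("' or '1'='1", "' or '1'='1"))
```

mysql_escape_string ignores the connection character set, which is why mysql_real_escape_string and, later, prepared statements replaced it; the integer coercion for numeric ids remains the right check.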
2- Cross-Site Scripting (XSS):
The input is printed back into the page without being encoded. For example, a search page prints:
Your search for 'security news' returned the following results:
If the search term is script code, the browser runs it instead of showing it as text:
Your search for ' write("form.field.value");' returned the following results:
In the same way a message box can be made to appear on the page:
") alert('XSS')
which is printed as:
Your search for ' write("") alert('XSS')
Protection: encode the characters that have meaning in HTML before printing them (HTML Entities):
Character   Encoding
<           &lt; or &#60;
>           &gt; or &#62;
&           &amp; or &#38;
"           &quot; or &#34;
'           &#39; or &apos;
(           &#40;
)           &#41;
#           &#35;
%           &#37;
;           &#59;
+           &#43;
-           &#45;
In php this is done with htmlentities() (pass ENT_QUOTES so that the single quote is encoded as well). For example:
write("htmlentities(") alert('hello admin !')
Another option, on the client side, is to strip the characters with javascript after the page has loaded, using replace:

function killXSS() {
    var text = document.getElementById('secure').innerHTML;
    text = text.replace(/\n/m, "");   // replacement string lost in extraction
    text = text.replace(/\r/m, "");   // replacement string lost in extraction
    text = text.replace(/\

Note that this runs only after the browser has already parsed the injected markup, so it does not replace encoding on the server.
Path Traversal:
The script is made to open files outside the folder it is meant to serve, for example:
/etc/passwd, the list of system accounts, which can then be attacked by Brute Force.
/etc/shadow, where the passwords are stored hashed with DES.
.htpasswd, the web password file created above, also hashed with DES.
Example: a script that serves a file named in the URL:
http://site.com/files.php?get=ebook.pdf
using include() in php.
The script reads files from the pdfiles folder, whose path is held in $pdfiles, and the file name comes from the URL:
http://site.com/files.php?pdfile_include=security.pdf
Because the parameter is not checked, ../ moves the path up one folder. If index.php is located at:
/home/users/public_html/index.php
the request:
http://site.com/files.php?pdfile_include=../index.php
makes the include() of pdfile_include open:
/home/users/public_html/pdfiles/../index.php
which is:
/home/users/public_html/index.php
so the source of index.php is served instead of a pdf.
Going further up reaches system files:
http://site.com/files.php?pdfile_include=../../../../etc/passwd
This is Local File Include; when the parameter can name a file on another server it is Remote File Include.
What if the script adds an extension after the parameter? The %00 "Null" byte ends the string, so whatever the script appends after it is ignored.
Protection:
1- Do not take the path from a Global variable.
2- Strip ../ from the input.
Better still, name the files file_1.pdf, file_2.pdf, and so on, and let the parameter pdf_file carry only the file's number, passed through intval(), so that no path can be supplied at all.
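An added Python sketch (not the document's php) of the numbered-file fix above, beside a stricter check for the name-based design that refuses the %00 byte and any path that normalises outside the pdfiles folder. The folder path is the one from the text; restricting results to .pdf files is an assumption.

```python
import posixpath
import re
from typing import Optional

# Folder from the document's example; assumed fixed in the script, never taken from the request.
PDF_DIR = "/home/users/public_html/pdfiles"


def intval(value: str) -> int:
    """Mimic PHP intval() on a string: keep the leading digits, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def pdf_by_number(raw: str) -> str:
    """The document's fix: pdf_file carries only a number, mapped to file_N.pdf."""
    return posixpath.join(PDF_DIR, "file_%d.pdf" % intval(raw))


def pdf_by_name(raw: str) -> Optional[str]:
    """Stricter check for the name-based design. Returns None for input that contains
    a NUL byte (the %00 trick), resolves outside PDF_DIR, or is not a .pdf file.
    normpath works on the string only; symlinks inside PDF_DIR are not followed."""
    if "\0" in raw:
        return None
    full = posixpath.normpath(posixpath.join(PDF_DIR, raw))
    if not full.startswith(PDF_DIR + "/") or not full.endswith(".pdf"):
        return None
    return full


if __name__ == "__main__":
    # Requests from the text (constructed values).
    for q in ("security.pdf", "../index.php", "../../../../etc/passwd",
              "../../../../etc/passwd\0.pdf"):
        print(repr(q), "->", pdf_by_name(q))
    print(pdf_by_number("5"), pdf_by_number("../index.php"))
```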
General advice: 1) Sharing and ftp services. 3) Internet security and anti-virus software. 8) Social Engineering.