中央大学电子计算机中心多媒体与网路应用资讯推广课程.ppt

中央大學電子計算機中心多媒體與網路應用資訊推廣課程,網頁應用程式的安全入門,日期:2011/03/27講師:資工三 張竟 cwebb dot tw at gmail dot com,Agenda,嘴砲OWSAP Top 10SQL injectionXSScookie&session,2,Agenda,嘴砲OWSAP Top 10SQL injectionXSScookie&session,3,不要做壞事！,4,不要被抓到！,5,不要被抓到！,6,不要說我教的,7,Agenda,嘴砲OWSAP Top 10SQL injectionXSScookie&session,8,網頁安全？,早年 vs 現代靜態 vs 動態有程式 就有漏洞!,9,ways to attack,OSweb serverweb application,10,attack scenarios,attack web server gain privilege steal informations to attack usersattack other user steal informations execute other attacksmay be composite,11,Agenda,嘴砲OWSAP Top 10SQL injectionXSScookie&session,12,13,OWASP Top 10-2010,A1:InjectionA2:Cross-Site Scripting(XSS)A3:Broken Authentication and Session ManagementA4:Insecure Direct Object ReferencesA5:Cross-Site Request Forgery(CSRF),14,OWASP Top 10-2010,A6:Security MisconfigurationA7:Insecure Cryptographic StorageA8:Failure to Restrict URL AccessA9:Insufficient Transport Layer ProtectionA10:Unvalidated Redirects and Forwards,15,OWASP Top 10-2010,A1:InjectionA2:Cross-Site Scripting(XSS)A3:Broken Authentication and Session ManagementA4:Insecure Direct Object ReferencesA5:Cross-Site Request Forgery(CSRF),16,OWASP Top 10-2010,A6:Security MisconfigurationA7:Insecure Cryptographic StorageA8:Failure to Restrict URL AccessA9:Insufficient Transport Layer ProtectionA10:Unvalidated Redirects and Forwards,17,Agenda,嘴砲OWSAP Top 10SQL injectionXSScookie&session,18,Injections,駭客的填空遊戲where can attacker inject?database(MySQL,MS SQL,PostgreSQL.)no-sql Directory Service(LDAP)system command!,19,how SQL works in web,login page for example,client,web server,sql server,request whitid and pwd,select from account where id=id and pwd=pwd,return result,return login success/failed,20,Why SQL?,廣大使用儲存大量的網站資料injection friendly,21,how injections work?,以MySQL為例子$query=“select from account where id=$id and pwd=$pwd$id=or 1=1-select from account where id=-.,22,attack skills,unionblind attack,23,影響,資料被偷/被改獲得網站權限整個網站被拿下#,24,how to defense,safe API過濾逃脫字元 不要直接把使用者輸入加入query找程式掃描弱點,25,Practice,26,Agenda,嘴砲OWSAP Top 10SQL injectionXSScookie&session,27,XSS,Cross Site Scripting在別人的網站上寫程式！,28,background knowledge,HTTP GETHTTP POST,29,how to attack,attack using POST/GETthe“scripting”in the serverstrange url,30,how to attack,javascript/,31,example,http:/Orange”),32,what may happened?,take you to bad sitesend your information to attackerJust For Fun!,33,Just For Fun Samy,MySpace XSS attackSamy is my hero!Infection,34,Big Site also XSSable,MySpaceFacebooktwitterPlurk.,35,how to defense,for server該逃的還是要逃找程式掃描弱點for user看到奇怪連結要警覺瀏覽器/防毒軟體,36,practice,37,Agenda,嘴砲OWSAP Top 10SQL injectionXSScookie&session,38,background knowledge,cookiesession,A cookie is a piece of text stored by a users web browser.A cookie can be used for authentication,storing site preferences,shopping cart contents,the identifier for a server-based session,or anything else that can be accomplished through storing text data.,The session information is stored on the web server using the session identifier(session ID)generated as a result of the first(sometimes the first authenticated)request from the end user running a web browser.The storage of session IDs and the associated session data(user name,account number,etc.)on the web server is accomplished using a variety of techniques including,but not limited to:local memory,flat files,and databases.,39,40,41,如果偷到了cookie,可以.,42,how to steal it?,43,44,把cookie送到雲端!,用GET/POST方式讓網頁把cookie送走/ex:.join(sever side is simplejust keep the cookie,45,哪個白痴會點這鬼連結,http:/,46,hidden,有種東西叫短網址(/0rz.tw/goo.gl/bit.ly)塞進別的網頁裡(ex:iframe長寬設0或1)ugly url EVERY WHERE,https:/,https:/,47,防範,鎖定user agent/header綁IP*不要被攻擊成功*,48,鎖定user agent/header,if(isset($_SESSIONHTTP_USER_AGENT)if($_SESSIONHTTP_USER_AGENT!=md5($_SERVERHTTP_USER_AGENT)exit();else$_SESSIONHTTP_USER_AGENT=md5($_SERVERHTTP_USER_AGENT);,但是.當你偷的到cookie 會拿不到header嗎?,49,Practice,50,Q&A?,51,end,52,Reference,53,http:/www.owasp.org/http:/en.wikipedia.org/http:/goo.gl/cA3ahttp:/goo.gl/IwGbXhttp:/goo.gl/uQ4I1,