Agenda
- Chit-chat (嘴砲)
- OWASP Top 10
- SQL injection
- XSS
- cookie & session

Agenda: chit-chat

Don't do bad things!

Don't get caught!

Don't say I taught you this.

Web security?
- Early years vs. today
- Static vs. dynamic
- Where there is code, there are vulnerabilities!

Ways to attack
- OS
- web server
- web application

Attack scenarios
- Attack the web server: gain privileges, steal information, then attack the users.
- Attack other users: steal information, then carry out further attacks.
- These may be combined.

Agenda: OWASP Top 10

OWASP Top 10 - 2010
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards

Agenda: SQL injection

Injections: the hacker's fill-in-the-blank game
Where can an attacker inject?
- database (MySQL, MS SQL, PostgreSQL, ...)
- NoSQL
- directory service (LDAP)
- system commands!
How SQL works on the web (a login page as the example)
- client -> web server: request with id and pwd
- web server -> SQL server: select * from account where id=$id and pwd=$pwd
- SQL server -> web server: return the result
- web server -> client: login success / failed

Why SQL?
- widely used
- stores large amounts of website data
- injection friendly
How do injections work? (MySQL as the example)

    $query = "select * from account where id='$id' and pwd='$pwd'";
    $id = "' or 1=1 -- ";

The query that actually runs:

    select * from account where id='' or 1=1 -- ...

Attack skills
- union
- blind attack

Impact
- data stolen / modified
- gaining privileges on the site
- the whole site taken over

How to defend
- use a safe API
- filter / escape special characters
- never put user input directly into the query
- scan the code for vulnerabilities with a tool
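Added example, not part of the original slides: the login query from the slides above written both the vulnerable way (string concatenation, as on the MySQL slide) and with a parameterized query, which is what "use a safe API" means in practice. Python with the standard sqlite3 module stands in for PHP and MySQL; the account table, the two accounts and the fill-in-the-blank input value are constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "account" table standing in for
# the deck's MySQL example (table and column names follow the login slide).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table account (id text, pwd text)")
    db.executemany("insert into account values (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, user_id, pwd):
    """The pattern from the injection slide: user input pasted straight into
    the SQL text. Returns the matched account id, or None when login fails.
    An id of "' or 1=1 -- " turns the WHERE clause into `id='' or 1=1`
    and comments out the password check, so the first account is returned."""
    query = f"select id from account where id='{user_id}' and pwd='{pwd}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, user_id, pwd):
    """Parameterized query (the 'safe API' defence): the driver sends the
    values separately from the statement, so quotes or comment markers in
    the input are just characters compared against the column, never SQL."""
    row = db.execute(
        "select id from account where id=? and pwd=?", (user_id, pwd)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    fill_in = "' or 1=1 -- "          # constructed attacker input
    print("vulnerable:", login_vulnerable(db, fill_in, "anything"))  # alice
    print("safe:      ", login_safe(db, fill_in, "anything"))        # None
```

The point the two functions make together: escaping quotes is a second line of defence, but with a parameterized query there is nothing to escape because the input never becomes part of the statement.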
Practice

Agenda: XSS

XSS (Cross Site Scripting): run your own code on someone else's website!

Background knowledge
- HTTP GET
- HTTP POST
How to attack
- attack using POST / GET
- the "scripting" ends up in the server's page
- strange URLs

How to attack
- javascript / ...

Example: http://goodsite.c... Orange") (the URL is truncated in the source)

What may happen?
- take you to a bad site
- send your information to the attacker
- just for fun!

Just for fun: Samy's MySpace XSS attack ("Samy is my hero!") and its infection spread.
Big sites are XSSable too: MySpace, Facebook, Twitter, Plurk, ...

How to defend
- for the server: escape what must be escaped; scan the code for vulnerabilities with a tool
- for the user: be alert when you see a strange link; browser / antivirus software
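Added example, not part of the original slides: what "escape what must be escaped" looks like for a page that reflects a GET parameter, using Python's standard html module in place of the deck's PHP. It goes slightly beyond the slides by treating three contexts separately, since each needs its own rule: HTML text, an attribute value, and a link whose scheme must be checked (the javascript: case) rather than escaped. The "Orange" payload follows the deck's own example; the page template and the input values are constructed here.

```python
import html
from urllib.parse import urlsplit

# Constructed input: the kind of value a "strange URL" carries in a query
# parameter; the alert text follows the deck's example.
PAYLOAD = '<script>alert("Orange")</script>'


def render_vulnerable(name):
    """Reflects the parameter straight into the page: the script runs."""
    return f"<p>Hello {name}</p>"


def render_safe(name):
    """HTML text context: html.escape turns < > & " ' into entities, so the
    browser shows the characters instead of parsing a tag."""
    return f"<p>Hello {html.escape(name)}</p>"


def render_attr_safe(value):
    """Attribute context: quote=True (the default) also encodes the quote
    characters, so the value cannot close the attribute and start a new one."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def safe_href(url):
    """Link context: escaping does not help against javascript: URLs, because
    the browser decodes the attribute before following it. Only http and https
    are allowed through; anything else becomes a harmless anchor."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme in ("http", "https"):
        return html.escape(url, quote=True)
    return "#"


def is_script_injected(rendered):
    """Crude check used only to make the difference visible: does the rendered
    HTML still contain a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_attr_safe('" onmouseover="alert(1)'))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/?a=1&b=2"))
```

The three functions are deliberately separate: a single "escape everything" helper is the most common way to get this wrong, because the same string is safe in one context and not in another.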
Practice

Agenda: cookie & session

Background knowledge: cookie & session
A cookie is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.
The session information is stored on the web server using the session identifier (session ID) generated as a result of the first (sometimes the first authenticated) request from the end user running a web browser. The storage of session IDs and the associated session data (user name, account number, etc.) on the web server is accomplished using a variety of techniques including, but not limited to: local memory, flat files, and databases.

If you steal the cookie, you can ...

How to steal it?
Send the cookie to the cloud!
- use GET / POST to make the page send the cookie away (ex: ... .join( ... ; truncated in the source)
- the server side is simple: just keep the cookie

Which idiot would click this ghastly link? http://example.com/...

Hidden
- there is a thing called short URLs (tinyurl.c...)
- ex: an iframe with width / height set to 0 or 1
- ugly URLs are EVERYWHERE (https://...)

Prevention
- lock the session to the user agent / headers
- bind it to the IP
- *don't let the attack succeed in the first place*

Lock to user agent / header:

    if (isset($_SESSION['HTTP_USER_AGENT'])) {
        if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
            exit();
        }
    } else {
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
    }

But ... if you can steal the cookie, can't you get the headers too?
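Added example, not part of the original slides: the user-agent lock from the PHP snippet above, rewritten as a small server-side session store in Python so the check can be exercised. It adds two things the slide only implies, a fresh random session id issued at login and an idle timeout, and it also reproduces the slide's caveat: a presenter who copies the victim's User-Agent along with the cookie passes the check. The in-memory store, the header values and the timestamps are constructed here; sha256 is used where the slide uses md5, which does not change the argument.

```python
import hashlib
import secrets
import time

# In-memory session store standing in for PHP's $_SESSION (constructed for
# this example; a real deployment uses a shared store behind the web tier).
SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds of idle time before a session is dropped


def _now(now):
    return time.time() if now is None else now


def fingerprint(headers):
    """Hash of the header the session is bound to (the slide hashes
    User-Agent with md5; sha256 here, the hash choice is not the point)."""
    ua = headers.get("User-Agent", "")
    return hashlib.sha256(ua.encode()).hexdigest()


def create_session(user, headers, now=None):
    """Issue a fresh, unguessable session id after authentication and record
    the client fingerprint and last-seen time alongside it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "fp": fingerprint(headers), "seen": _now(now)}
    return sid


def resolve_session(sid, headers, now=None):
    """Return the user behind a presented cookie, or None. The session is
    rejected when it is unknown, idle for longer than SESSION_TTL, or
    presented with a different User-Agent than it was created with (the
    slide's check). A mismatch is treated as a stolen cookie and the
    session is destroyed so the legitimate user is logged out as well."""
    now = _now(now)
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if now - s["seen"] > SESSION_TTL:
        del SESSIONS[sid]
        return None
    if s["fp"] != fingerprint(headers):
        del SESSIONS[sid]
        return None
    s["seen"] = now
    return s["user"]


if __name__ == "__main__":
    victim = {"User-Agent": "Mozilla/5.0 (constructed)"}
    sid = create_session("alice", victim)
    print(resolve_session(sid, victim))                    # alice
    print(resolve_session(sid, {"User-Agent": "curl/8.0"}))  # None: lock fired
    sid = create_session("alice", victim)
    print(resolve_session(sid, dict(victim)))              # alice: copied UA passes
```

The last line is the slide's "but ...": anything the browser sends with the cookie can be replayed with it, so header binding raises the bar only slightly, and the real defence is the previous slide's third bullet, not letting the script run in the first place.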
Practice

Q&A?

end

References
- http://www.owasp.org/
- http://en.wikipedia.org/
- http://goo.gl/cA3a
- http://goo.gl/IwGbX
- http://goo.gl/uQ4I1