Understanding web vulnerabilities and how to prevent them (Tìm hiểu về lỗ hổng web và cách phòng chống)


Upload: kevin-kien

Post on 27-May-2015


TRANSCRIPT

Slide 1: Understanding web vulnerabilities and how to prevent them
Presented by: Vũ Trung Kiên, Lê Thị Liên, Nguyễn Phương Duy. Class: AT9c. School: Academy of Cryptography Techniques (HV Kỹ thuật Mật mã).

Slide 2: Contents
Overview of websites; Injection vulnerabilities; XSS vulnerabilities; demo of exploiting an SQL Injection vulnerability.

Slide 3: Overview of websites

Slide 4: Main topics
1. A website and how it works
2. Web-based services and applications
3. Common web security flaws

Slide 5: 1. A website and how it works
What is a website? A website is a site on the Internet: a place that presents information and images about a business and its products and services (or presents any information at all).

Slide 6: Building a website needs three basic elements
+ A domain name (domain)
+ A place to store the website (hosting)
+ The content of the information pages (web pages)

Slide 7: What is a domain name?
A domain name is the website's address; on the Internet each address exists exactly once (that is, each domain name is unique). There are two kinds of domain name:
+ International domains: of the form .com, .net, .org, .biz, .name, ...
+ Vietnamese domains: of the form .vn, .com.vn, .net.vn, .org.vn, .gov.vn

Slide 8: Where is a website stored?

Slide 9: A website's data must be stored on a computer (a server) that is always running and connected to the Internet. One server can host many websites; if that server fails, nobody can reach any of the websites hosted on it for the duration of the outage.

Slide 10: Content of the information pages
The content of the information pages is designed and displayed in two ways: dynamic websites and static websites.

Slide 11: Dynamic website
+ A website backed by a database and supplied with a site management tool (Admin Tool).
+ Flexible: information can be updated frequently and the components of the site are easy to manage.
+ Usually written in programming languages such as PHP, ASP.NET, JSP, ..., with the database managed in SQL or MySQL...
Static website
+ Hand-coded in HTML by the developer, page by page.
+ No database and no tool for managing the information on the site.
+ Content rarely changes.
+ Usually designed with software such as FrontPage, Dreamweaver, ...
Slide 12: 2. Web-based services and applications
Applications written for the web are no longer called merely part of a website; today they are called web-based software. A great deal of software runs on the web, for example Google word (word processing), Google spreadsheets (spreadsheets), email...

Slide 13: Some advantages of web-based software or applications
+ Everyone has a browser, and a browser is all you need to run the software.
+ The software is always up to date because it runs on the server.
+ Always available, 24/7.
+ Easy to back up data regularly.
+ Accessible any time, anywhere, as long as you have a network connection.
+ Deployment costs are extremely low compared with desktop software.

Slide 14: 3. Common web security flaws
What is a vulnerability? A vulnerability is a legitimate program with a security hole that carries risk: it lets an attacker inject an attack or alter code through the web application and reach another system. Whole scripts written in Perl, Python and other languages can be pushed at sites built by inexperienced web designers and executed on the system. Whenever a web application uses an interpreter of any kind, it is at risk of its vulnerabilities being attacked.

Slide 15: Common vulnerabilities: Injection vulnerabilities

Slide 16: What is Injection?
It is a special, widespread form of attack and one of the dangerous ones: a vulnerability through which an attacker can attack or alter code via the web application. By carefully attaching malicious code to parameters, the attacker tricks the web application into forwarding queries that carry that code to the system.

Slide 17: SQL Injection
A common form of Injection, and a vulnerability that hackers exploit to attack a great many websites.

Slide 18: Cross-Site Scripting (XSS) vulnerabilities

Slide 19: Cross-Site Scripting (abbreviated XSS rather than CSS, to avoid confusion with HTML's Cascading Style Sheets) is one of the most common Web Application vulnerabilities today. It works by inserting into dynamic websites (ASP, PHP, CGI, ...) malicious HTML, VBScript, ActiveX or Flash that can steal important information such as cookies and passwords from the people who visit the site that has the XSS flaw.
Slide 20: SQL injection
The most common form of Injection, and a flaw that hackers exploit constantly.

Slide 21: SQL injection statistics (chart; not captured in the transcript)

Slide 22: Why do SQLi flaws happen?
Mainly because the programmer writes SQL code inside the application, building the statement from user input:

    // The slide's "VALU" is a typo for VALUES; txtAddress.Text is added so the
    // four values match the four columns. The concatenation itself is the flaw.
    string cmdStr = "INSERT INTO Customer (Name, Address, Email, Phone) VALUES ('"
                    + txtName.Text + "','" + txtAddress.Text + "','"
                    + txtEmail.Text + "','" + txtPhone.Text + "')";
    conn.Open();
    SqlCommand cmd = new SqlCommand(cmdStr, conn);
    cmd.ExecuteNonQuery();

Slide 23: SQLi illustration (figure; not captured in the transcript)

Slide 24: Common SQLi flaws
No checking of quote/escape characters: this form of SQL injection happens when the code that validates the input used in the SQL statement is missing:

    statement = "SELECT * FROM users WHERE name='" + userName + "';"

Slide 25: Common SQLi flaws (continued)
If userName is set to  a' or 't'='t , the resulting query is:

    SELECT * FROM users WHERE name='a' OR 't'='t';

and the following value of userName deletes users from the users table:

    a';DROP TABLE users; SELECT * FROM data WHERE 't'='t

Slide 26: Common SQLi flaws (continued)
Incorrect type handling: this form of SQL injection usually happens because the programmer (or the user) defines the input data loosely, or the step that checks and filters the type of the input is missing. Setting a_variable = 1;DROP TABLE users makes the statement delete the corresponding users from the database:

    statement := "SELECT * FROM data WHERE id=" + a_variable + ";"
    SELECT * FROM DATA WHERE id=1;DROP TABLE users;

Slide 27: Common SQLi flaws (continued)
Security flaws inside the database server:
- Sometimes the vulnerability lies in the database server software itself.
- This can help the attacker carry out SQLi.
Blind SQL injection: this flaw lives in the web application itself; it shows up as a difference in the content of a page that has an SQLi flaw.

Slide 28: Common SQLi flaws (continued)
Altering the query's condition: this flaw lets the attacker change the value of a condition in the query, making the application display incorrect output. The first query displays a page normally, while the second displays different content or nothing at all:

    SELECT booktitle FROM booklist WHERE bookId='OOk14cd' AND 1=1;
    SELECT booktitle FROM booklist WHERE bookId='OOk14cd' AND 1=2;

Slide 29: Preventing SQLi
+ Avoid writing SQL code inside the application.
+ Control the input data.
+ Normalise the data.
+ Put protective measures on the database.
+ Protect from the system platform up.
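The concatenation pattern of slides 22 to 26 placed beside the parameterised and type-checked forms that slide 29 calls for, as an added example that is not code from the slides; it uses an in-memory SQLite table with constructed rows, and the function names are the editor's own.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

# Slide 24's pattern: the user-supplied name is concatenated into the SQL text,
# so a quote character in the input becomes part of the query's syntax.
def find_user_vulnerable(conn, user_name):
    statement = "SELECT name FROM users WHERE name='" + user_name + "'"
    return [row[0] for row in conn.execute(statement)]

# Slide 29's fix ("avoid writing SQL code in the application", "control input"):
# a parameterised query hands the value to the driver separately from the SQL
# text, so the database never parses the input as SQL.
def find_user_safe(conn, user_name):
    statement = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(statement, (user_name,))]

# Slide 26's "incorrect type handling": enforce the type before the value gets
# anywhere near SQL; a non-numeric id such as "1;DROP TABLE users" is rejected.
def find_user_by_id_safe(conn, raw_id):
    user_id = int(raw_id)   # raises ValueError for anything that is not an integer
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    payload = "a' OR 't'='t"   # the input from slide 25
    print("vulnerable:", find_user_vulnerable(db, payload))   # every user leaks
    print("safe:      ", find_user_safe(db, payload))         # nobody has that name
```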
Slide 30: Demo of exploiting an SQLi vulnerability

Slide 31: Understanding the Cross-site scripting (XSS) vulnerability

Slide 32: Main topics
1. What is XSS?
2. Current state and severity of XSS.
3. How XSS works.
4. Types of XSS.
5. How to test for the flaw.
6. Attack.
7. Countermeasures.

Slide 33: 1. What is XSS?
XSS (Cross-Site Scripting) is one of the most common Web Application vulnerabilities today. It lets a hacker run their client-side scripts (HTML, Flash, ... and especially JavaScript) whenever someone else visits the web page.

Slide 34: 2. Current state and severity
With today's explosive growth of the Internet, websites are built with new technologies, and many applications can be added to increase interaction with users, such as message boards, viewing attachments and easy resource sharing, so the risk of being attacked is very high.

Slide 35: XSS in the OWASP Top 10
2009: 17%. 2011: 50%. The figures show that the XSS vulnerability is growing very fast; its severity keeps rising and it causes many large risks.

Slide 36: Targets
The attacker's targets are stealing users' cookies and passwords, deceiving the website administrator, and hijacking sessions. Because it runs only in the client's browser and only on the surface of the website, it does not affect the source code or the database on the server.

Slide 37: 3. How XSS works
Once the hacker's HTML tags, scripts, etc. have been injected into the website, when a user clicks those links, all the cookies and passwords held in the browser are sent to the hacker through email or through some file on a host set up in advance.

Slide 38: 4. Types of XSS
There are two types: Stored XSS and Reflected XSS.

Slide 39: Stored XSS
The attacker inserts a dangerous script into the website (comment, search, guestbook, ...) and it is saved in the database; from then on, other clients who visit receive the attacker's malicious code. (Diagram: victim, attacker, website (database), steps 1 to 4.)

Slide 40: Reflected XSS
The attacker attaches the malicious code to a URL of the website and sends it to the victim; when the victim opens the URL, the malicious code runs. (Diagram: victim, attacker, website; "Send URL", "Request page", "Web server returns the page".)

Slide 41: 5. Testing for XSS
XSS flaws usually appear wherever the user can enter data and receive a response from the website, such as search boxes, comments, result pages, web forms, ...

Slide 42: (blank)
Slide 43: Method 1
In the search box, enter error XSS. If the result returned is "No results found for error XSS", "error XSS: this result does not exist", "Your search for error XSS is not valid", or any other response that contains error XSS, then the site is 99% likely to have the flaw.

Slide 44: Method 2
Enter the following script (not captured in the transcript). If the web page shows the dialog box below (not captured in the transcript), the site has an XSS flaw.

Slide 45: Method 3: bypass technique using >

Slide 46: 6. Attack
To attack, the hacker writes malicious code and inserts it where the XSS flaw is. Depending on the specific case they may insert Flash, an iframe tag (HTML), or a URL carrying malicious code that leads to the hacker's own site.

Slide 47: Example
File stealer.php (code not captured in the transcript). File logs.txt, empty, to hold the victim's cookies.

Slide 48: With those two files in hand, they prepare a host, for example http://www.attacker.net, and upload both files to it. The hacker then has a cookie-stealing script (not captured in the transcript).

Slide 49: Suppose the vulnerable site is http://www.sitebiloi.com; the hacker inserts the script at the places identified as XSS flaws. Their job is then to wait for a victim to visit and to use a cookie-login add-on.

Slide 50: 7. Preventing XSS
7.1. For website designers and developers.
7.2. For users.

Slide 51: 7.1. Web developers
+ Accept only valid elements, exactly as the web programming task requires.
+ Continuously check and sanitise input data.
+ Create a list of HTML tags that are allowed.
+ Remove tags
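The developer-side countermeasures of 7.1 as an added example that is not code from the slides: the echoed search term from slides 41 and 43 is HTML-encoded at output time, and a comment field that must keep some markup goes through an allow-list tag filter. The allowed tag set, the function names and the sample inputs are the editor's assumptions.

```python
import html
import re

# A reflected-XSS-shaped page: the search term is echoed straight back into the
# HTML, which is exactly the spot slides 41 and 43 say to check.
def search_page_vulnerable(term):
    return "<p>Your search for " + term + " returned no results.</p>"

# Countermeasure 1 (7.1, "only accept valid elements" / "sanitise input"):
# HTML-encode the value where it is written into the page, so '<', '>', '&',
# '"' and "'" are shown as text and can never open a tag or attribute.
def search_page_safe(term):
    return "<p>Your search for " + html.escape(term, quote=True) + " returned no results.</p>"

# Countermeasure 2 (7.1, "create a list of HTML tags that are allowed"): for a
# field that must keep simple formatting, rebuild only allow-listed tags, drop
# every attribute (so event handlers and javascript: links cannot survive), and
# escape everything else. Assumed allow-list, not one the slides specify.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
_TAG_RE = re.compile(r"<(/?)([a-zA-Z0-9]+)[^>]*>")

def sanitize_comment(text):
    out = []
    pos = 0
    for m in _TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))   # text between tags
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append("<" + slash + name + ">")                    # rebuilt, no attributes
        else:
            out.append(html.escape(m.group(0), quote=True))         # unknown tag becomes text
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"   # constructed test input
    print(search_page_vulnerable(probe))    # script tag reaches the browser intact
    print(search_page_safe(probe))          # rendered as harmless text
    print(sanitize_comment('<b onclick="x()">hi</b><script>evil()</script>'))
```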