Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Security - The Basics
Search
Inndy
October 07, 2016
Technology
0
600
Web Security - The Basics
2016/Computer Security at National Taiwan University of Science and Technology (NTUST)
Inndy
October 07, 2016
Tweet
Share
More Decks by Inndy
See All by Inndy
工程師一定要懂的 Text Encoding
inndy
1
540
資訊安全:麻瓜的黑魔法防禦術
inndy
3
2.7k
HackmeCTF 平台背後的心酸血淚史
inndy
2
770
COSCUP 2018 Lightning Talk - 審稿好難,所以我們來寫程式吧
inndy
0
370
逆向工程:從入門到放棄
inndy
7
3.4k
HITCON 2017 Zeroday 發表會
inndy
0
1.3k
No More Crypto Fails
inndy
33
7.8k
你再共用密碼啊
inndy
1
700
CTF From Zero To One
inndy
5
4.7k
Other Decks in Technology
See All in Technology
サーバーレスAPI(API Gateway+Lambda)とNext.jsで 個人ブログを作ろう!
shuntaka
PRO
0
560
地理情報とAPIのトレンド
nagix
0
160
サービス開発を前に進めるために 新米リードエンジニアが 取り組んだこと / Steps Taken by a Novice Lead Engineer to Advance Service Development
nologyance
0
180
目標設定は好きですか? アジャイルとともに目標と向き合い続ける方法 / Do you like target Management?
kakehashi
10
3k
AWSサービスメニュー開発をしていてAWSを好きだ!と感じた瞬間
toru_kubota
0
130
DDDにおける認可の扱いとKotlinにおける実装パターン / authorization-for-ddd-and-kotlin-implement-pattern
urmot
4
390
ギークの理想が7つ集まるエムスリーで夢を叶えよう - エムスリー株式会社
m3_engineering
1
260
スタートアップにおける組織設計とスクラムの長期戦略 / Scrum Fest Kanazawa 2024
yoshikiiida
13
3.6k
Amazon FSx for NetApp ONTAPのパフォーマンスチューニング要素をまとめてみた #cm_odyssey #devio2024
non97
0
220
20240725 LLMによるDXのビジョンと、今何からやるべきか @Azure OpenAI Service Dev Day
nrryuya
3
1.2k
頼られるのが大好きな 皆さんへ - 支援相手との期待の合わせ方、突き放し方 -/For_people_who_like_to_be_relied_on
naitosatoshi
1
290
サービスの持続的な成長と技術負債について
siva_official
PRO
10
4.4k
Featured
See All Featured
Statistics for Hackers
jakevdp
792
220k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
For a Future-Friendly Web
brad_frost
173
9.2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
23
1.9k
GraphQLとの向き合い方2022年版
quramy
36
13k
Art, The Web, and Tiny UX
lynnandtonic
291
20k
What's new in Ruby 2.0
geeforr
338
31k
Building Flexible Design Systems
yeseniaperezcruz
323
37k
Adopting Sorbet at Scale
ufuk
71
8.8k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
325
21k
In The Pink: A Labor of Love
frogandcode
139
22k
What the flash - Photography Introduction
edds
65
11k
Transcript
$PNQVUFS4FDVSJUZBU/5645 *OOEZJOOEZUX!HNBJMDPN 8FC4FDVSJUZ5IF#BTJDT
4PVSDFDPEFPGIUUQTWVMTFDVSJUZOUVTUJTBWBJMBCMFBU IUUQTHJUIVCDPNJOOEZXFCTFD
XIPBNJ ˙ *OOEZ加啄 ˙ 1MBZ$5' ˙ 3FWFSTF&OHJOFFSJOH ˙ (BNF)BDLJOH ˙
JOOEZUX!HNBJMDPN
0VUMJOF ˙ *OUFSOFUBOE/FUXPSL ˙ 'SPOUFOE#BDLFOE ˙ )551 ˙ $PNNPO)551)FBEFST ˙
$PPLJF ˙ &ODPEJOH ˙ 44-5-4 ˙ 08"415PQ
*OUFSOFUBOE/FUXPSL
*OUFSOFUBOE/FUXPSL 1PSUPG,BPITJVOH
*OUFSOFUBOE/FUXPSL XXXOUVTUFEVUX
*OUFSOFUBOE/FUXPSL '51 44) 5FMOFU 155 )551
)5514 .Z42- 3%1 7/$ 3FEJT
8FC"SDIJUFDUVSF
4FSWFS $MJFOU Ճ)551PWFS*OUFSOFUՃ
#BDLFOE 'SPOUFOE Ճ)551PWFS*OUFSOFUՃ
OHJOYBQBDIFMJHIUUQE 1)1QZUIPOSVCZ )5.-$44 +BWB4DSJQU Ճ)551PWFS*OUFSOFUՃ
8FC'SPOUFOE
)5.-
)5.- $44
)5.- $44 +BWB4DSJQU
8FC#BDLFOE
)5513FRVFTU
8IBUIBQQFOFEBGUFS&OUFS $MJFOU ˙ %/4MPPLVQ *GOFFEFE ˙ $SFBUF5$1DPOOFDUJPO ˙
44-IBOETIBLF *GOFFEFE ˙ $PNQPTFBOETFOE)551SFRVFTU
8IBUIBQQFOFEBGUFS&OUFS 4FSWFS ˙ "DDFQU5$1DPOOFDUJPO ˙ 1BSTFSFRVFTUIFBEFST ˙ $IFDLSPVUFSVMFT ˙
'JMFPS3FWFSTFQSPYZ
8IBUIBQQFOFEBGUFS&OUFS 'JMFCBTFE ˙ $IFDLJGMFFYJTUT ˙ *GOPU SFTQPOTFXJUIFSSPS ˙
*TJUBTUBUJDMF ˙ *GTP TFOEJUUPDMJFOU ˙ 0UIFSXJTF DBMMSFTQPOEJOHQSPDFTTPS ˙ .BZCFBDHJ QIQ QFSMTDSJQU ˙ 4FOESFTQPOTFUPDMJFOU
8IBUIBQQFOFEBGUFS&OUFS 4PGUXBSFSVMFT ˙ 1BSTFSFRVFTUGSPN)551TFSWFS ˙ 3PVUF ˙ %JTQBUDIDPOUSPMMFS ˙
1SPDFTTSFRVFTUBOE3FOEFSSFTQPOTFEBUB ˙ 4FOEJUCBDLUP)551TFSWFS ˙ 4FSWFSTFOESFTQPOTFEBUBUPDMJFOU
8IBUIBQQFOFEBGUFS&OUFS $MJFOU ˙ (PUSFTQPOTFEBUB .BZCFB)5.-EPDVNFOU ˙ 1BSTF)5.-BOE%PXOMPBESFMBUFEBTTFUT ˙
$44 *NBHF +BWB4DSJQU 'MBTI PS0UIFSNFEJBDPOUFOU ˙ 3FOEFSFOHJOFTUBSUXPSLJOHXJUI$44BOE)5.- ˙ 8FCLJU (FDLP #MJOL 5SJEFOU &EHF)5.- ˙ +BWB4DSJQUFOHJOFSVOUIFTDSJQUT ˙ 7 4QJEFS.POLFZ $BSBLBO $IBLSB 3IJOP
)551
)5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>
<CRLF> title=title+text&msg=This+is+message+content. .FUIPE 1BUI 1SPUPDPM7FSTJPO "\r\n"JO$
)5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>
<CRLF> title=title+text&msg=This+is+message+content. 3FRVFTU)FBEFST 3FRVFTU#PEZ .BZCFCJOBSZEBUB
)5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct
2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... )5517FSTJPO 3FTQPOTF4UBUVT
)5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct
2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... (1973 bytes) 3FTQPOTF)FBEFST 3FTQPOTF#PEZ .BZCFCJOBSZEBUB
-FUTUSZOD $ nc www.ntust.edu.tw 80 GET / HTTP/1.1 Host: www.ntust.edu.tw
<Enter> <Enter>
)5514UBUVT$PEF ˙ 99 ˙ *UTOF ˙ 99 ˙ 3FEJSFDUJPO ˙
99 ˙ *UTZPVSGBVMU ˙ 99 ˙ *UTNZGBVMU
)5514UBUVT$PEF ˙ 0, ˙ *UTBMMHPPE ˙ /P$POUFOU ˙ 3FRVFTUJTOFCVU*IBWFOPUIJOHUPUBML ˙
1BSJUBM$POUFOU ˙ *IBWFQBSUPGEBUBGPSZPV
)5514UBUVT$PEF ˙ .PWFE1FSNBOFOUMZ ˙ 'PVOE ˙ 7FSZDPNNPOGPSSFEJSFDUJPO ˙ /PU.PEJFE ˙
$BDIFJTOF ˙ 5FNQPSBSZ3FEJSFDU
)5514UBUVT$PEF ˙ #BE3FRVFTU ˙ :PVKVTUHBWFNFXSPOHUIJOHT ˙ 6OBVUIPSJ[FE ˙ 'PSCJEEFO ˙
:PVBSFOPUBMMPXFEIFSF ˙ /PU'PVOE ˙ .FUIPE/PU"MMPXFE ˙ *NBUFBQPU ˙ 6OBWBJMBCMF'PS-FHBM3FBTPOT
)5514UBUVT$PEF ˙ *OUFSOBM4FSWFS&SSPS ˙ &YDFQUJPOSBJTFEJOZPVSDPEF ˙ #BE(BUFXBZ ˙ 6QTUSFBNPGSFWFSTFQSPYZJTEFBE ˙
4FSWJDF6OBWBJMBCMF ˙ .BJOUFOBODFNPEF ˙ (BUFXBZ5JNFPVU ˙ 6QTUSFBNPGSFWFSTFQSPYZUJNFPVU
8IBUTUIFEJFSFODF
)551.FUIPE (&5 1045 165 1"5$) %&-&5& 015*0/4 )&"% $0//&$5 53"$&
$034 "QBDIFEFCVHQVSQPTF )551QSPYZ /PSFTQPOTFCPEZ
)551.FUIPE ˙ (&5 ˙ %PXOMPBETPNFUIJOHGSPNXFCTJUF ˙ 1045 ˙ 4FOETPNFUIJOHUPXFCTJUF ˙
)&"% ˙ +VTUHJWFNFSFTQPOTFIFBEFST CVU*EPOUXBOUCPEZ ˙ 53"$& ˙ "QBDIFXJMMSFUVSOXIPMFSFRVFTUBTQMBJOUFYUUPZPV ˙ $0//&$5 ˙ 4QFDJBMNFUIPEGPSQSPYZUPEFBMXJUI)5514SFRVFTU
)551.FUIPE 3&45GVM"1* ˙ (&5 ˙ (FUMJTUBSFTPVSDF ˙ 1045 ˙ $SFBUFBOFXSFTPVSDF
˙ 165 ˙ 3FQMBDFBOFYJTUFESFTPVSDF ˙ 1"5$) ˙ 1BSUJBMVQEBUFBOFYJTUFESFTPVSDF ˙ %&-&5& ˙ %FMFUFBOFYJTUFESFTPVSDF
$PNNPO3FRVFTU)FBEFST&TTFOUJBM ˙ )PTUOUVTU ˙ 3FRVJSFE ˙ :PVDBOIBWFNVMUJQMFXFCTJUFPOPOF*1IPTU
$PNNPO3FRVFTU)FBEFST$PNNPO ˙ "DDFQUUFYUIUNMUFYUQMBJO ˙ 8IJDIUZQFPGDPOUFOUEPFTDMJFOUBDDFQU ˙ "DDFQU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[
˙ )PXUPDPNQSFTTEBUB ˙ "DDFQU-BOHVBHF[IUXFO ˙ 8IBUMBOHVBHFEPZPVQSFGFS ˙ "MPUPGXFCTJUFDPOTJEFS[IUXBT[I
$PNNPO3FRVFTU)FBEFST$PNNPO ˙ 3FGFSFS63- ˙ 8IFSFEJEZPVGSPN ˙ 8FCQBHFBDPNCIUNMIBWF<img src="b.com/a.jpg"> ˙
3FRVFTUUPCDPNBKQHDPOUBJOTIFBEFS • Referer: http://a.com/b.html ˙ 1SJWBDZJTTVF ˙ KNQESPQCPYSFGFSFSWVM
$PNNPO3FRVFTU)FBEFST$PNNPO ˙ 6TFS"HFOU.P[JMMB .BDJOUPTI*OUFM.BD049SW (FDLP'JSFGPY ˙ *UUFMMTTFSWFSXIJDICSPXTFS041MBUGPSNBSFZPVVTJOH ˙ 3FEJSFDUHPHPPHMFDPNDISPNFJG*&EFUFDUFE
˙ 5FMMTTFSWFSXIJDIFYQMPJUQBZMPBEUPTFOE ˙ #BEGPSQSJWBDZ UPP
$PNNPO3FRVFTU)FBEFST"VUIFOUJDBUJPO ˙ "VUIFOUJDBUJPO #BTJD]#FBSFS "65)@50,&/ ˙ "VUIUPLFOJTVTVBMMZCBTFTUSJOH ˙ CBTF 64&3/".&1"44803%
GPS)551 CBTJDBVUIFOUJDBUJPO ˙ 0"VUIVTFT#FBSFS
$PNNPO3FRVFTU)FBEFST$POOFDUJPO ˙ $POOFDUJPOLFFQBMJWF ˙ 5$1IBOETIBLFJTFYQFOTJWF TPXFXBOUUPSFVTFFYJTUFEDPOOFDUJPO ˙ "TLTFSWFSOPUUPTIVUEPXO5$1DPOOFDUJPOBGUFSUIJTSFTQPOTF ˙ 4VQQPSUFETJODF)551
˙ 3FTQPOTFIFBEFSTXJMMDPOUBJOTBNFIFBEFSJGTFSWFSTVQQPSUTJU ˙ *UTVTFGVMBOEJNQPSUBOUUPFYQMPJUTPNFCVH FY"4-3QSPUFDUJPO
$PNNPO3FRVFTU)FBEFST3FRVFTU#PEZ ˙ $POUFOU-FOHUI ˙ *UNFBOTXFIBWFCZUFTPGCPEZDPOUFOUBGUFSSFRVFTUIFBEFST ˙ $POUFOU5ZQF.*.& • application/x-www-form-urlencoded ˙
/PSNBMGPSNQPTU • multipart/form-data; boundary=$RANDOM_STRING ˙ 4UBOEBSEMFVQMPBEUBLFTUIJT ˙ UZQJDBMCPVOEBSZGPSXFCLJU----WebKitFormBoundaryo3CVe... ˙ application/jsonGPS8FC"1*
$PNNPO3FRVFTU)FBEFST.JTD ˙ %/5 ˙ %P/PU5SBDL ˙ 93FRVFTUFE8JUI9.-)UUQ3FRVFTU ˙ 'PS"+"9SFRVFTUT ˙
3BOHFCZUFT ˙ 3FRVFTUQBSUJBMDPOUFOU %PZPVLOPX'MBTI(FU ˙ .VMUJUISFBEFEMFEPXOMPBE ˙ 9'PSXBSEFE'PS ˙ 1SPYZNBZBEEUIJTIFBEFSXIJMFGPSXBSEJOHSFRVFTUUPUBSHFUTFSWFS
$PNNPO3FTQPOTF)FBEFST3FTQPOTF#PEZ ˙ $POUFOU-FOHUI ˙ 5IJT)551SFTQPOTFIBTCZUFTPGCPEZDPOUFOU ˙ $POUFOU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[ ˙
*OEJDBUFXIBUDPNQSFTTJPONFUIPEXBTVTFEXJUISFTQPOTFEBUB ˙ $POUFOU5ZQF.*.& ˙ text/html; charset=utf-8JTWFSZDPNNPOJONPEFSOXFCQBHFT ˙ &5BH)"4) ˙ )BTIWBMVFGPSDBDIFEBUB
$PNNPO3FTQPOTF)FBEFST3FEJSFDU ˙ -PDBUJPOIUUQTHPPHMFDPN ˙ 3FEJSFDUJNNFEJBUFMZ ˙ 3FGSFTIVSMIUUQTTFDVSJUZOUVTU ˙ 3FEJSFDUCVUEFMBZGPSTFDPOET VTFGVMUPTIPXTPNFNFTTBHF
$PNNPO3FTQPOTF)FBEFST.JTD ˙ 4FSWFSOHJOY ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIJDI)551TFSWFSZPVBSFVTJOH ˙ 91PXFSFE#Z1)1 ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIBUMBOHVBHFZPVBSFVTJOH UPP
˙ %BUF5IV 0DU(.5 ˙ 4PNFTFSWFSTFOETEBUF JUTBHPPEXBZUPPCUBJOEBUF
$PNNPO3FTQPOTF)FBEFST4FDVSJUZ ˙ 99441SPUFDUJPONPEFCMPDL ˙ #BTJD944QSPUFDUJPO EFGBVMUFOBCMFEJO(PPHMF$ISPNF ˙ 3FGVTFUPFYFDVUF+4XIJDIBQQFBS ˙ 9'SBNF0QUJPOTEFOZ
˙ $BOUIJTXFCQBHFQVUUFEJOBJGSBNF ˙ $POUFOU4FDVSJUZ1PMJDZ ˙ *UTDPNQMJDBUFE JUQSPWJEFEBCVODIPGTFDVSJUZQSPUFDUJPO
$PPLJFT
ˊ8JLJQFEJB չ$PPLJFJTBTNBMMQJFDFPGEBUBTFOUGSPNB XFCLJUBOETUPSFEJOUIFVTFSTXFCCSPXTFS XIJMFUIFVTFSJTCSPXTJOHպ
$PPLJF ˙ "DPPLJFDPOUBJOT ˙ /BNF ˙ 7BMVF ˙ %PNBJO ˙
1BUI ˙ .BY"HF ˙ )5510OMZ'MBH ˙ 4FDVSF'MBH
$PPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJFTJOHMFQIQ ˙ 4FU$PPLJFTJOHMF@DPPLJFEBUB PG TJOHMF DPPLJF
˙ -FUTPCTFSWFJUJO$ISPNFTEFWFMPQFSUPPMT
$PPLJFBOE4FTTJPO ˙ 4FTTJPOJOEJFSFOUGSBNFXPSLNBZIBWFUIFJSJNQMFNFOUBUJPO ˙ #VUUIFZIBWFTBNFJEFB ˙ 4UPSFEBUBJOTPNFXIFSFTBGFUZBOEHJWFZPVUIFLFZ TFTJTPOJE ˙
&ODSZQUFEDPPLJF ˙ $BDIFTFSWJDF 3FEJT .FNDBDIFE ˙ 5FNQPSBSZMF 1)1TEFGBVMUTFTTJPO ˙ 4UPSFEJOEBUBCBTF
&ODPEJOH5FYU&ODPEJOH
&ODPEJOH ˙ )PXUPFYQSFTTBOVNCFS ˙ CJO#JOBSZ ˙ PJO0DUBM ˙ JO%FDJNBM
˙ YBDJO)FY ˙ =YD=YB=Y=YJOCZUFTMJUUMFFOEJBOJOUFHFS
5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS" ˙ STUBMQIBCFUJOVQQFSDBTF ˙ " ˙ BTDJJDPEFY
5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS꽺 ˙ 꽺 ˙ 6OJDPEFYFE ˙ #JH&ODPEJOH=YD=Y ˙
4UBUJDNBQQJOH ˙ 65'&ODPEJOH=YF=YB=YBE ˙ 8FIBWFBSVMFUPUSBOTGPSNCFUXFFOVOJDPEFBOE65'
&ODPEJOH 4(7TC(T*'EWDNYL*2
&ODPEJOH ˙ 8FBMTPIBWFPUIFSFODPEJOH ˙ )FYFODPEF ˙ CBTF ]] FODPEF ˙
63-&ODPEF
44-5-4
44-5VOOFM GET /user/login.php HTTP/1.1.... $MJFOU 4FSWFS
openssl s_client -host google.com -port 443
08"415PQ
08"41 0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDU
"6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET ˙ 4PNFUJNFTZPVOETPNFUIJOHJO63- ˙ FYBNQMFDPNMPHJOQIQ SFEJSFDUIPNFQIQ ˙ 8FDIBOHFSFEJSFDUUPBQIJTIJOHTJUF BOETFOEJUUPTPNFPOF ˙
FYBNQMFDPNMPHJOQIQ SFEJSFDUNBMXBSFDPNIPNFQIQ
"6TJOH$PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT ˙ 7VMOFSBCJMJUJFTJOUIJSEQBSUZMJCSBSZ ˙ &YDLFEJUPS
"$SPTT4JUF3FRVFTU'PSHFSZ $43' ˙ 4FOESFRVFTUGSPNBOPUIFSEPNBJO ˙ JNHTSDFYBQMFDPNMPHPVUQIQ ˙ IUUQTVQFSMPHPVUDPN ˙ &YQMPJU944CVHUPNBLFBGPSNBOEQPTUJU
".JTTJOH'VODUJPO-FWFM"DDFTT$POUSPM ˙ *DBODIBOHFPUIFSVTFSTQBTTXPSECVU*NOPUBENJO • curl https://vul.security.ntu.st/sqlinj/ --data 'truncate_confirm=1'
"4FOTJUJWF%BUB&YQPTVSF ˙ IUUQTWVMTFDVSJUZOUVTUTRMJOKDPOHJOD
"4FDVSJUZ.JTDPOHVSBUJPO • google('"index of"') ˙ 4PNFUJNFT JUMFBLTTPNFVTFGVMJOGPSNBUJPOUPIBDLFST
"*OTFDVSF%JSFDU0CKFDU3FGFSFODFT ˙ *VQMPBEFENZQSJWBUFQIPUPTUPTPNFXFCEJTL CVUBOZPOFDBO EPXOMPBEJUXJUIMFBLFE63-/PBDDFTTDPOUSPMPOUIBUMF
"$SPTT4JUF4DSJQUJOH 944 • "><script>alert(1)</script><br " ˙ %FNP
"#SPLFO"VUIFOUJDBUJPOBOE4FTTJPO.BOBHFNFOU • function is_admin() { return $_COOKIE['role'] == 'admin; }
˙ %FNP
"*OKFDUJPO • ' or '' = ' ˙ %FNP
4PNF6TFGVM5PPMT
#VSQ4VJUF
)BDLCBS
$PPLJF.BOBHFS
.PEJGZ)FBEFST
6TFS"HFOU4XJUDIFS
8BQQBMZ[FS