Web Security - The Basics

7f110257501127300df3f923119ba043?s=47 Inndy
October 07, 2016

Web Security - The Basics

2016/Computer Security at National Taiwan University of Science and Technology (NTUST)

7f110257501127300df3f923119ba043?s=128

Inndy

October 07, 2016
Tweet

Transcript

  1. $PNQVUFS4FDVSJUZBU/5645 *OOEZJOOEZUX!HNBJMDPN 8FC4FDVSJUZ5IF#BTJDT

  2. 4PVSDFDPEFPGIUUQTWVMTFDVSJUZOUVTUJTBWBJMBCMFBU IUUQTHJUIVCDPNJOOEZXFCTFD

  3. XIPBNJ ˙ *OOEZ加啄 ˙ 1MBZ$5' ˙ 3FWFSTF&OHJOFFSJOH ˙ (BNF)BDLJOH ˙

    JOOEZUX!HNBJMDPN
  4. 0VUMJOF ˙ *OUFSOFUBOE/FUXPSL ˙ 'SPOUFOE#BDLFOE ˙ )551 ˙ $PNNPO)551)FBEFST ˙

    $PPLJF ˙ &ODPEJOH ˙ 44-5-4 ˙ 08"415PQ
  5. *OUFSOFUBOE/FUXPSL

  6. *OUFSOFUBOE/FUXPSL   1PSUPG,BPITJVOH

  7. *OUFSOFUBOE/FUXPSL  XXXOUVTUFEVUX

  8. *OUFSOFUBOE/FUXPSL '51  44)  5FMOFU 155  )551 

    )5514  .Z42-  3%1  7/$  3FEJT 
  9. 8FC"SDIJUFDUVSF

  10. 4FSWFS $MJFOU Ճ)551PWFS*OUFSOFUՃ

  11. #BDLFOE 'SPOUFOE Ճ)551PWFS*OUFSOFUՃ

  12. OHJOYBQBDIFMJHIUUQE 1)1QZUIPOSVCZ )5.-$44 +BWB4DSJQU Ճ)551PWFS*OUFSOFUՃ

  13. 8FC'SPOUFOE

  14. )5.-

  15. )5.- $44

  16. )5.- $44 +BWB4DSJQU

  17. 8FC#BDLFOE

  18. )5513FRVFTU

  19. 8IBUIBQQFOFEBGUFS&OUFS  $MJFOU ˙ %/4MPPLVQ *GOFFEFE  ˙ $SFBUF5$1DPOOFDUJPO ˙

    44-IBOETIBLF *GOFFEFE  ˙ $PNQPTFBOETFOE)551SFRVFTU
  20. 8IBUIBQQFOFEBGUFS&OUFS  4FSWFS ˙ "DDFQU5$1DPOOFDUJPO ˙ 1BSTFSFRVFTUIFBEFST ˙ $IFDLSPVUFSVMFT ˙

    'JMFPS3FWFSTFQSPYZ
  21. 8IBUIBQQFOFEBGUFS&OUFS  'JMFCBTFE ˙ $IFDLJGMFFYJTUT  ˙ *GOPU SFTQPOTFXJUIFSSPS ˙

    *TJUBTUBUJDMF  ˙ *GTP TFOEJUUPDMJFOU ˙ 0UIFSXJTF DBMMSFTQPOEJOHQSPDFTTPS ˙ .BZCFBDHJ QIQ QFSMTDSJQU ˙ 4FOESFTQPOTFUPDMJFOU
  22. 8IBUIBQQFOFEBGUFS&OUFS  4PGUXBSFSVMFT ˙ 1BSTFSFRVFTUGSPN)551TFSWFS ˙ 3PVUF ˙ %JTQBUDIDPOUSPMMFS ˙

    1SPDFTTSFRVFTUBOE3FOEFSSFTQPOTFEBUB ˙ 4FOEJUCBDLUP)551TFSWFS ˙ 4FSWFSTFOESFTQPOTFEBUBUPDMJFOU
  23. 8IBUIBQQFOFEBGUFS&OUFS  $MJFOU ˙ (PUSFTQPOTFEBUB .BZCFB)5.-EPDVNFOU  ˙ 1BSTF)5.-BOE%PXOMPBESFMBUFEBTTFUT ˙

    $44 *NBHF +BWB4DSJQU 'MBTI PS0UIFSNFEJBDPOUFOU ˙ 3FOEFSFOHJOFTUBSUXPSLJOHXJUI$44BOE)5.- ˙ 8FCLJU (FDLP #MJOL 5SJEFOU &EHF)5.- ˙ +BWB4DSJQUFOHJOFSVOUIFTDSJQUT ˙ 7 4QJEFS.POLFZ $BSBLBO $IBLSB 3IJOP
  24. )551

  25. )5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>

    <CRLF> title=title+text&msg=This+is+message+content. .FUIPE 1BUI 1SPUPDPM7FSTJPO "\r\n"JO$
  26. )5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>

    <CRLF> title=title+text&msg=This+is+message+content. 3FRVFTU)FBEFST 3FRVFTU#PEZ .BZCFCJOBSZEBUB
  27. )5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct

    2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... )5517FSTJPO 3FTQPOTF4UBUVT
  28. )5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct

    2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... (1973 bytes) 3FTQPOTF)FBEFST 3FTQPOTF#PEZ .BZCFCJOBSZEBUB
  29. -FUTUSZOD $ nc www.ntust.edu.tw 80 GET / HTTP/1.1 Host: www.ntust.edu.tw

    <Enter> <Enter>
  30. )5514UBUVT$PEF ˙ 99 ˙ *UTOF ˙ 99 ˙ 3FEJSFDUJPO ˙

    99 ˙ *UTZPVSGBVMU ˙ 99 ˙ *UTNZGBVMU
  31. )5514UBUVT$PEF ˙ 0, ˙ *UTBMMHPPE ˙ /P$POUFOU ˙ 3FRVFTUJTOFCVU*IBWFOPUIJOHUPUBML ˙

    1BSJUBM$POUFOU ˙ *IBWFQBSUPGEBUBGPSZPV
  32. )5514UBUVT$PEF ˙ .PWFE1FSNBOFOUMZ ˙ 'PVOE ˙ 7FSZDPNNPOGPSSFEJSFDUJPO ˙ /PU.PEJFE ˙

    $BDIFJTOF ˙ 5FNQPSBSZ3FEJSFDU
  33. )5514UBUVT$PEF ˙ #BE3FRVFTU ˙ :PVKVTUHBWFNFXSPOHUIJOHT ˙ 6OBVUIPSJ[FE ˙ 'PSCJEEFO ˙

    :PVBSFOPUBMMPXFEIFSF ˙ /PU'PVOE ˙ .FUIPE/PU"MMPXFE ˙ *NBUFBQPU ˙ 6OBWBJMBCMF'PS-FHBM3FBTPOT
  34. )5514UBUVT$PEF ˙ *OUFSOBM4FSWFS&SSPS ˙ &YDFQUJPOSBJTFEJOZPVSDPEF ˙ #BE(BUFXBZ ˙ 6QTUSFBNPGSFWFSTFQSPYZJTEFBE ˙

    4FSWJDF6OBWBJMBCMF ˙ .BJOUFOBODFNPEF  ˙ (BUFXBZ5JNFPVU ˙ 6QTUSFBNPGSFWFSTFQSPYZUJNFPVU
  35. 8IBUTUIFEJFSFODF

  36. )551.FUIPE (&5 1045 165 1"5$) %&-&5& 015*0/4 )&"% $0//&$5 53"$&

    $034 "QBDIFEFCVHQVSQPTF )551QSPYZ /PSFTQPOTFCPEZ
  37. )551.FUIPE ˙ (&5 ˙ %PXOMPBETPNFUIJOHGSPNXFCTJUF ˙ 1045 ˙ 4FOETPNFUIJOHUPXFCTJUF ˙

    )&"% ˙ +VTUHJWFNFSFTQPOTFIFBEFST CVU*EPOUXBOUCPEZ ˙ 53"$& ˙ "QBDIFXJMMSFUVSOXIPMFSFRVFTUBTQMBJOUFYUUPZPV ˙ $0//&$5 ˙ 4QFDJBMNFUIPEGPSQSPYZUPEFBMXJUI)5514SFRVFTU
  38. )551.FUIPE 3&45GVM"1* ˙ (&5 ˙ (FUMJTUBSFTPVSDF ˙ 1045 ˙ $SFBUFBOFXSFTPVSDF

    ˙ 165 ˙ 3FQMBDFBOFYJTUFESFTPVSDF ˙ 1"5$) ˙ 1BSUJBMVQEBUFBOFYJTUFESFTPVSDF ˙ %&-&5& ˙ %FMFUFBOFYJTUFESFTPVSDF
  39. $PNNPO3FRVFTU)FBEFST&TTFOUJBM ˙ )PTUOUVTU ˙ 3FRVJSFE ˙ :PVDBOIBWFNVMUJQMFXFCTJUFPOPOF*1IPTU

  40. $PNNPO3FRVFTU)FBEFST$PNNPO ˙ "DDFQUUFYUIUNMUFYUQMBJO ˙ 8IJDIUZQFPGDPOUFOUEPFTDMJFOUBDDFQU  ˙ "DDFQU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[ 

    ˙ )PXUPDPNQSFTTEBUB ˙ "DDFQU-BOHVBHF[IUXFO ˙ 8IBUMBOHVBHFEPZPVQSFGFS  ˙ "MPUPGXFCTJUFDPOTJEFS[IUXBT[I
  41. $PNNPO3FRVFTU)FBEFST$PNNPO ˙ 3FGFSFS63- ˙ 8IFSFEJEZPVGSPN  ˙ 8FCQBHFBDPNCIUNMIBWF<img src="b.com/a.jpg"> ˙

    3FRVFTUUPCDPNBKQHDPOUBJOTIFBEFS • Referer: http://a.com/b.html ˙ 1SJWBDZJTTVF ˙ KNQESPQCPYSFGFSFSWVM
  42. $PNNPO3FRVFTU)FBEFST$PNNPO ˙ 6TFS"HFOU.P[JMMB .BDJOUPTI*OUFM.BD049SW  (FDLP'JSFGPY ˙ *UUFMMTTFSWFSXIJDICSPXTFS041MBUGPSNBSFZPVVTJOH ˙ 3FEJSFDUHPHPPHMFDPNDISPNFJG*&EFUFDUFE

    ˙ 5FMMTTFSWFSXIJDIFYQMPJUQBZMPBEUPTFOE ˙ #BEGPSQSJWBDZ UPP
  43. $PNNPO3FRVFTU)FBEFST"VUIFOUJDBUJPO ˙ "VUIFOUJDBUJPO #BTJD]#FBSFS "65)@50,&/ ˙ "VUIUPLFOJTVTVBMMZCBTFTUSJOH ˙ CBTF 64&3/".&1"44803%

    GPS)551 CBTJDBVUIFOUJDBUJPO ˙ 0"VUIVTFT#FBSFS
  44. $PNNPO3FRVFTU)FBEFST$POOFDUJPO ˙ $POOFDUJPOLFFQBMJWF ˙ 5$1IBOETIBLFJTFYQFOTJWF TPXFXBOUUPSFVTFFYJTUFEDPOOFDUJPO ˙ "TLTFSWFSOPUUPTIVUEPXO5$1DPOOFDUJPOBGUFSUIJTSFTQPOTF ˙ 4VQQPSUFETJODF)551

    ˙ 3FTQPOTFIFBEFSTXJMMDPOUBJOTBNFIFBEFSJGTFSWFSTVQQPSUTJU ˙ *UTVTFGVMBOEJNQPSUBOUUPFYQMPJUTPNFCVH FY"4-3QSPUFDUJPO
  45. $PNNPO3FRVFTU)FBEFST3FRVFTU#PEZ ˙ $POUFOU-FOHUI ˙ *UNFBOTXFIBWFCZUFTPGCPEZDPOUFOUBGUFSSFRVFTUIFBEFST ˙ $POUFOU5ZQF.*.& • application/x-www-form-urlencoded ˙

    /PSNBMGPSNQPTU • multipart/form-data; boundary=$RANDOM_STRING ˙ 4UBOEBSEMFVQMPBEUBLFTUIJT ˙ UZQJDBMCPVOEBSZGPSXFCLJU----WebKitFormBoundaryo3CVe... ˙ application/jsonGPS8FC"1*
  46. $PNNPO3FRVFTU)FBEFST.JTD ˙ %/5 ˙ %P/PU5SBDL ˙ 93FRVFTUFE8JUI9.-)UUQ3FRVFTU ˙ 'PS"+"9SFRVFTUT ˙

    3BOHFCZUFT ˙ 3FRVFTUQBSUJBMDPOUFOU %PZPVLOPX'MBTI(FU  ˙ .VMUJUISFBEFEMFEPXOMPBE ˙ 9'PSXBSEFE'PS ˙ 1SPYZNBZBEEUIJTIFBEFSXIJMFGPSXBSEJOHSFRVFTUUPUBSHFUTFSWFS
  47. $PNNPO3FTQPOTF)FBEFST3FTQPOTF#PEZ ˙ $POUFOU-FOHUI ˙ 5IJT)551SFTQPOTFIBTCZUFTPGCPEZDPOUFOU ˙ $POUFOU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[  ˙

    *OEJDBUFXIBUDPNQSFTTJPONFUIPEXBTVTFEXJUISFTQPOTFEBUB ˙ $POUFOU5ZQF.*.& ˙ text/html; charset=utf-8JTWFSZDPNNPOJONPEFSOXFCQBHFT ˙ &5BH)"4) ˙ )BTIWBMVFGPSDBDIFEBUB
  48. $PNNPO3FTQPOTF)FBEFST3FEJSFDU ˙ -PDBUJPOIUUQTHPPHMFDPN ˙ 3FEJSFDUJNNFEJBUFMZ ˙ 3FGSFTIVSMIUUQTTFDVSJUZOUVTU ˙ 3FEJSFDUCVUEFMBZGPSTFDPOET VTFGVMUPTIPXTPNFNFTTBHF

  49. $PNNPO3FTQPOTF)FBEFST.JTD ˙ 4FSWFSOHJOY ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIJDI)551TFSWFSZPVBSFVTJOH ˙ 91PXFSFE#Z1)1 ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIBUMBOHVBHFZPVBSFVTJOH UPP

    ˙ %BUF5IV 0DU(.5 ˙ 4PNFTFSWFSTFOETEBUF JUTBHPPEXBZUPPCUBJOEBUF
  50. $PNNPO3FTQPOTF)FBEFST4FDVSJUZ ˙ 99441SPUFDUJPONPEFCMPDL ˙ #BTJD944QSPUFDUJPO EFGBVMUFOBCMFEJO(PPHMF$ISPNF ˙ 3FGVTFUPFYFDVUF+4XIJDIBQQFBS ˙ 9'SBNF0QUJPOTEFOZ

    ˙ $BOUIJTXFCQBHFQVUUFEJOBJGSBNF  ˙ $POUFOU4FDVSJUZ1PMJDZ ˙ *UTDPNQMJDBUFE JUQSPWJEFEBCVODIPGTFDVSJUZQSPUFDUJPO
  51. $PPLJFT

  52. ˊ8JLJQFEJB չ$PPLJFJTBTNBMMQJFDFPGEBUBTFOUGSPNB XFCLJUBOETUPSFEJOUIFVTFSTXFCCSPXTFS XIJMFUIFVTFSJTCSPXTJOHպ

  53. $PPLJF ˙ "DPPLJFDPOUBJOT ˙ /BNF ˙ 7BMVF ˙ %PNBJO ˙

    1BUI ˙ .BY"HF ˙ )5510OMZ'MBH ˙ 4FDVSF'MBH
  54. $PPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJFTJOHMFQIQ ˙ 4FU$PPLJFTJOHMF@DPPLJFEBUB PG TJOHMF DPPLJF

    ˙ -FUTPCTFSWFJUJO$ISPNFTEFWFMPQFSUPPMT
  55. $PPLJFBOE4FTTJPO ˙ 4FTTJPOJOEJFSFOUGSBNFXPSLNBZIBWFUIFJSJNQMFNFOUBUJPO ˙ #VUUIFZIBWFTBNFJEFB ˙ 4UPSFEBUBJOTPNFXIFSFTBGFUZBOEHJWFZPVUIFLFZ TFTJTPOJE  ˙

    &ODSZQUFEDPPLJF ˙ $BDIFTFSWJDF 3FEJT .FNDBDIFE  ˙ 5FNQPSBSZMF 1)1TEFGBVMUTFTTJPO  ˙ 4UPSFEJOEBUBCBTF
  56. &ODPEJOH5FYU&ODPEJOH

  57. &ODPEJOH ˙ )PXUPFYQSFTTBOVNCFS  ˙ CJO#JOBSZ ˙ PJO0DUBM ˙ JO%FDJNBM

    ˙ YBDJO)FY ˙ =YD=YB=Y=YJOCZUFTMJUUMFFOEJBOJOUFHFS
  58. 5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS" ˙ STUBMQIBCFUJOVQQFSDBTF ˙ " ˙ BTDJJDPEFY

  59. 5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS꽺 ˙ 꽺 ˙ 6OJDPEFYFE ˙ #JH&ODPEJOH=YD=Y ˙

    4UBUJDNBQQJOH ˙ 65'&ODPEJOH=YF=YB=YBE ˙ 8FIBWFBSVMFUPUSBOTGPSNCFUXFFOVOJDPEFBOE65'
  60. &ODPEJOH 4(7TC(T*'EWDNYL*2

  61. &ODPEJOH ˙ 8FBMTPIBWFPUIFSFODPEJOH ˙ )FYFODPEF ˙ CBTF ]] FODPEF ˙

    63-&ODPEF
  62. 44-5-4

  63. 44-5VOOFM GET /user/login.php HTTP/1.1.... $MJFOU 4FSWFS

  64. openssl s_client -host google.com -port 443

  65. 08"415PQ

  66. 08"41 0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDU

  67. "6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET ˙ 4PNFUJNFTZPVOETPNFUIJOHJO63- ˙ FYBNQMFDPNMPHJOQIQ SFEJSFDUIPNFQIQ ˙ 8FDIBOHFSFEJSFDUUPBQIJTIJOHTJUF BOETFOEJUUPTPNFPOF ˙

    FYBNQMFDPNMPHJOQIQ SFEJSFDUNBMXBSFDPNIPNFQIQ
  68. "6TJOH$PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT ˙ 7VMOFSBCJMJUJFTJOUIJSEQBSUZMJCSBSZ ˙ &YDLFEJUPS

  69. "$SPTT4JUF3FRVFTU'PSHFSZ $43' ˙ 4FOESFRVFTUGSPNBOPUIFSEPNBJO ˙ JNHTSDFYBQMFDPNMPHPVUQIQ ˙ IUUQTVQFSMPHPVUDPN ˙ &YQMPJU944CVHUPNBLFBGPSNBOEQPTUJU

  70. ".JTTJOH'VODUJPO-FWFM"DDFTT$POUSPM ˙ *DBODIBOHFPUIFSVTFSTQBTTXPSECVU*NOPUBENJO • curl https://vul.security.ntu.st/sqlinj/ --data 'truncate_confirm=1'

  71. "4FOTJUJWF%BUB&YQPTVSF ˙ IUUQTWVMTFDVSJUZOUVTUTRMJOKDPOHJOD

  72. "4FDVSJUZ.JTDPOHVSBUJPO • google('"index of"') ˙ 4PNFUJNFT JUMFBLTTPNFVTFGVMJOGPSNBUJPOUPIBDLFST

  73. "*OTFDVSF%JSFDU0CKFDU3FGFSFODFT ˙ *VQMPBEFENZQSJWBUFQIPUPTUPTPNFXFCEJTL CVUBOZPOFDBO EPXOMPBEJUXJUIMFBLFE63-/PBDDFTTDPOUSPMPOUIBUMF

  74. "$SPTT4JUF4DSJQUJOH 944 • "><script>alert(1)</script><br " ˙ %FNP

  75. "#SPLFO"VUIFOUJDBUJPOBOE4FTTJPO.BOBHFNFOU • function is_admin() {
 return $_COOKIE['role'] == 'admin;
 }

    ˙ %FNP
  76. "*OKFDUJPO • ' or '' = ' ˙ %FNP

  77. 4PNF6TFGVM5PPMT

  78. #VSQ4VJUF

  79. )BDLCBS

  80. $PPLJF.BOBHFS

  81. .PEJGZ)FBEFST

  82. 6TFS"HFOU4XJUDIFS

  83. 8BQQBMZ[FS