Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTP协议相关的若干安全问题
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
LI Daobing
August 09, 2013
Programming
1.2k
9
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
HTTP协议相关的若干安全问题
LI Daobing
August 09, 2013
More Decks by LI Daobing
See All by LI Daobing
How to attack TLS in PQC decade, part I
lidaobing
0
52
出了问题不要靠猜
lidaobing
40
4.1k
Debian & Packaging
lidaobing
1
580
Java 质量保障
lidaobing
3
310
OAuth: How and Why?
lidaobing
1
160
从 Struts 迁移到 Spring MVC,以及为什么?
lidaobing
2
670
glusterfs 文件系统
lidaobing
2
210
如何学习 Shell
lidaobing
3
340
Other Decks in Programming
See All in Programming
地域 SRE コミュニティ最前線 - ホンマでっかSRE勉強会
tk3fftk
0
220
コーディングルールの鮮度を保ちたい for SRE NEXT 2026 / keep-fresh-go-internal-conventions-sre-next-2026
handlename
0
140
えっ!!コードを読まずに開発を!?
hananouchi
0
190
例外の正しい扱い方 そのエラー try-catchして大丈夫?
jinwatanabe
0
360
Welcome to the "Parametricity" 🏙️ − Generic だけど Specific な世界 −
guvalif
PRO
1
150
OS アップデート対応の取り組み方がもっと共有されてほしい
andpad
0
110
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
260
symfony/aiとlaravel/boost
77web
0
120
AI駆動開発を妨げる技術的負債の解消アプローチ / ai-refactoring-approach
minodriven
17
8.9k
LLMによるContent Moderationの本番運用の裏側と品質担保への挑戦
suikabar
3
840
Embedded SREと共に達成した会員管理システムのAWS移行 - SRE NEXT 2026 ランチスポンサーセッション
niftycorp
PRO
1
2.3k
The Bowling Game- From Imperative to Functional Programming - Part 1
philipschwarz
PRO
0
310
Featured
See All Featured
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3.6k
The SEO Collaboration Effect
kristinabergwall1
1
500
Documentation Writing (for coders)
carmenintech
77
5.4k
Six Lessons from altMBA
skipperchong
29
4.3k
A Modern Web Designer's Workflow
chriscoyier
698
190k
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.4k
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
210
Building a Scalable Design System with Sketch
lauravandoore
463
34k
Information Architects: The Missing Link in Design Systems
soysaucechin
0
1k
Unlocking the hidden potential of vector embeddings in international SEO
frankvandijk
0
870
Utilizing Notion as your number one productivity tool
mfonobong
4
380
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.4k
Transcript
HTTP协议相关的若干安全问 题 LI Daobing <
[email protected]
> https:/ /github.com/lidaobing Friday, August 9,
13
194011݄7 http:/ /en.wikipedia.org/wiki/Tacoma_Narrows_Bridge_(1940) Friday, August 9, 13
19884݄28 http:/ /en.wikipedia.org/wiki/Aloha_Airlines_Flight_243 Friday, August 9, 13
20022݄? http:/ /en.wikipedia.org/wiki/SQL_injection Friday, August 9, 13
问题 㟬 现 ࡏࡏ 过桥 త 时 ީձ୲৺ 这
问题 㜮ʁ ʢҼ 为桥 తݐஜ 设计师 ੋ༗ 证 తʁʣ 㟬 现 ࡏࡏ࠱ 飞 صత 时 ީձ୲৺ 这 问题 㜮ʁ ʢҼ 为飞 صత 设计师 ੋ༗ 证 తʁʣ Friday, August 9, 13
问题 㟬্᠓త 时 ީ୲৺㟬తີ 码 /㟨҆શ㜮ʁ զ 还 ୲৺ɼݪҼ 这
࿙ಎग़ 现 త 时间还 ෆ䭧 长 ʁ 㟬㣛తɼ䇖 发 ᠓తੋᏠ 证 ఔং 员 ීวෆࡏҙ҆શ 问题 Friday, August 9, 13
HTTP 协议 ૬䎔తएׯ҆ ॄ㜮ੋ HTTP 协议 GET ܕ CSRF POST
ܕ CSRF ۲߸ 问题 SSL Same Origin Policy ༩ ލҬ௨৴ HTTP Headers Friday, August 9, 13
ෆ 讲 ॄ㜮 DDoS DoS: લऀ䳭ྲྀᔁ, ऀ䳭Ꮰ 赖 软
݅࿙ಎ: 紧盯 CVE 发 ߦ൛త҆શ௨ࠂ XSS: ଖ 实这 ࠽ੋେ 头 SQL Inject: 这 2013ྃ, 㟬ཁল HTTP Cache: 细节 ଠଟɼ 还 ࢉ҆શ Friday, August 9, 13
访问 Ұ᠓ 页 Friday, August 9, 13
༻HTTP 协议 ၏ॄ㜮ʁ Լ 载 ᠓ 页 Լ 载图 ย
Լ 载 CSS Լ 载 JS Լ 载 ࣈମ AJAX Լ 载 swf, ... Friday, August 9, 13
HTTP 协议 ᣂྫ $ curl -v http:/ /www.google.com.hk/ > GET
/ HTTP/1.1 > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5 > Host: www.google.com.hk > Accept: */* > < HTTP/1.1 200 OK < Date: Wed, 24 Apr 2013 13:15:02 GMT < Expires: -1 < Cache-Control: private, max-age=0 < Content-Type: text/html; charset=Big5 < Set-Cookie: PREF=ID=5dee4c0efb2fd080:FF=0:NW=1:TM=136680[snip] < Set-Cookie: NID=67=DyKygko82Qz6Xxjed6pZEZvekjy6YFHRAEh[snip] < Server: gws < X-XSS-Protection: 1; mode=block < X-Frame-Options: SAMEORIGIN < Transfer-Encoding: chunked < <!doctype html><html><head>...</head><body>...</body></html> Friday, August 9, 13
telnet 拟 HTTP 请 ٻ Friday, August 9, 13
CSRF ੋॄ㜮ʁ Cross-site request forgery (ލ 请 ٻ 伪 )
༻ 户 ظҰߦ 为 ʢൺ 转账 ɼථɼ䎔 闭 bug, ...ʣੋࡏ 对应 త᠓্ 发 ੜɼୠࡏ 访问 Ұ ෆ૬䎔త᠓ 时 ٫৮ 发 ྃ 该 ߦ 为 ൺզࡏ䶯ḦɼᏠᡅ 图 ɼ 结 Ռ৮ 发 ྃզ ࡏ 17startup ্ 给 ᠓ྃ5 Friday, August 9, 13
GET ܕ CSRF Friday, August 9, 13
GET ܕ CSRF 17startup తථ 请 ٻ: http:/ /17startup.com/ startup/vote/9439/5
߈ 击 ख๏1: 发 ૹurl 给 डਓɼՌड ਓቮ 经 ొ 录 17startup ኂ 击 ྃ url, बೳ 㢦㟬ථ Friday, August 9, 13
伪 图 ย http:/ /is.gd/eGsWc7.jpg વ 发 ౸䬟ࠣࢧ࣋֎ 链
త 论坛 , डਓՌቮ 经 ొ 录过 17startup, ಹ㜮 访问这 论坛时 बՄҎ 㢦㟬ථ ߋత 伪 : ߈ 击图 ย์ࡏ႓ 张 ਖ਼ৗ 图 ยத 间 Friday, August 9, 13
ޚ GET ܕ CSRF ຌੋधཁߋվ 务 ثঢ় 态 త 请
ٻɼෆಘ༻ GET, ՄҎ༻ POST, PUT, DELETE Friday, August 9, 13
ٕ 术时间 : Request Method ҆શ 幂 HEAD √
√ GET √ √ POST × × PUT × √ DELETE × √ PATCH × × TRACE, OPTIONS, CONNECT (TRACK, DEBUG) Friday, August 9, 13
POST ܕ CSRF Friday, August 9, 13
POST ܕత CSRF Friday, August 9, 13
۩ମԿૢ࡞ ࡏࣗݾత 页 ໘ 设 ஔҰiframe, iframe ཬ 边 ༗
Ұ form, ࢦඃ߈ 击 ɼኂ༻ JS ৮ 发 ࣗ 动 ఏަ (҃ऀ 诱导 डਓఏަ) Ҿ 导 डਓ 访问 㟬త 页 ໘ Friday, August 9, 13
ҙࣄ 项 iframe શՄҎੋ 隐 ܗతɼॴҎडਓՄೳ શ༗ 觉 ౸ቮ 经
ड౸߈ 击 ྃ 验证码对这 䝅߈ 击 ޚᏈՌࠩɼҼ 为 զՄҎ 验证码 过 དྷ 诱导 ༻ 户 రࣸɻ Friday, August 9, 13
Կޚ form ཬ 边 ՃCSRF TOKENʢ፺ࡧ㟬తᐽՍ໊শ +CSRFबೳፙ౸େྔతจᑆʣ ༻ෆؚ form త
AJAX 时 , ဓ HTML தఏऔ CSRF TOKEN Ճೖ㟬తࢀɻ 䐾 查 ᠓తAPI: 㟬త API Մೳձඃ༻ဋ POST CSRF ߈ 击 ɻ Friday, August 9, 13
۲߸ 问题 这问题 ্զ൜ 过错误 EverBox 项 测时 ग़
过 ۲߸ 问题 Friday, August 9, 13
۲߸ݪཧ sinatra ᐽՍ᠍ল༻ rack-session rack-session ༻ Kernel.rand དྷੜ session id
memcache session storage ༗၏ session id ੋ൱ଘࡏత 检验 unicorn ༻ fork དྷੜଟ 进 ఔ(䫩গ 启动时 Friday, August 9, 13
ٕ 术时间 : Session อଘ 问题 优 ᠍ Cookie
Session ߱ 务 压 ྗ䐾 杂 ੑ ਾᔔ࿐, େখݶ੍, ࿘ 费 ྲྀ ྔɼᏠ๏㖘੍ొग़ Memcache Session ෆґ 赖 ဋਾ 库 ༻ 户 मվີ 码 ొग़༻ 户 ຑ 烦 ɼਗ਼ཧ cache 时 ձ 导 க༻ 户 ొग़ Database Session ޭೳ㖘େ ফਾ 库资 ݯ Friday, August 9, 13
Session ߷࣋ޚ Session Id Ӭ 远 ෆཁग़ 现 ࡏ HTML
த Session Id త Cookie Ӭ 远 ཁ HttpOnly 记录浏览 ثগ 变 Խత HTTP 头 User Agent Accept Encoding Accept Language IP(?) Friday, August 9, 13
SSL 历 ࢙༩ 现 ঢ় SSL 2.0 త҆શ࿙ಎ ଖଞ߈ 击
ํࣜ SSL 3.0 / TLS 1.0 త҆શ࿙ಎ Friday, August 9, 13
SSLత 历 ࢙ SSL 1.0, Netscape 䇖 发 ɼະެ䇖 SSL
2.0, 19952݄ SSL 3.0, 1996 TLS 1.0(RFC2246) ≈ SSL 3.0, 1999 TLS 1.1(RFC 4346), 20064݄ Friday, August 9, 13
SSL ࢧ࣋ႎ [ې༻] SSL 2.0, 19952݄ [OK] SSL 3.0, 1996
[OK] TLS 1.0(RFC2246) ≈ SSL 3.0, 1999 [ෆࢧ࣋] TLS 1.1(RFC 4346), 20064݄ [ෆࢧ࣋] TLS 1.2(RFC 5246, 6176), 20088݄ Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) MAC = MD5(secret + content) MAC2 = MD5(secret + content+ attack_suffix) Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) 2. ҆શ߱ 级 ߈ 击 ༻໌จ 协 ௨৴ࣜɼத 间 ՄҎ 篡 վ௨৴ ߱Ճີ 级 䫲 Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) 2. ҆શ߱ 级 ߈ 击 3. TCP 䎔 闭 ߈ 击 SSL ༻ TCP FIN དྷ 结 ଋɼத 间 ਓՄҎ௨ 过 发 ૹ TCP FIN དྷׯ 扰 SSL 连 (٬ 户 ෆ ձҙ 识 ౸ඃ߈ 击 ) Friday, August 9, 13
SSL తଖଞ҆શ 问题 证书问题 ෆཁ༻ࣗ 签 ໊త 证书 ෆཁ 让
༻ 户 ҆ࠜ 证书 䇖௨ެڞ 邮 ശతޭೳతҬ্໊࠷ෆཁਃ 请 证书 (sohu 邮 ശத 过 ট) Friday, August 9, 13
SSLStrip େ෦ https 请 ٻདྷࣗ http త 转 恶 ҙத
间 ਓՄҎ 拦 ፊ 请 ٻɼ 导 கத 间 ਓ༩ 浏览 ثత௨৴ 为 ໌จ Friday, August 9, 13
SSLStrip తޚ HTTP Header: Strict-Transport-Security 预 ஔधཁ https త᠓ྻද: chrome
ࢧ࣋ Friday, August 9, 13
SSL 3.0 / TLS 1.0 త 风险 BEAST ߈ 击
: ར༻ CBC(Cipher-block chaining) తҰ᠍᮷ CRIME ߈ 击 : 构 䉰ኂ 观 压缩 RC4 ߈ 击 : 长时间 ༻ಉҰ key 导 கඃ߈ 击 Friday, August 9, 13
CRIME ߈ 击 ၊ఆ㟬త session id 为 a1b2c3d4 ಹ㜮Ռ 请
ٻࢀؚ༗ a1b ҃ऀ 1b2 ҃ऀ b2c 时 ɼ 请 ٻత 压缩 ՄҎఏߴ(SSL ҃ ऀ SPDY ձ 启 ༻ 压缩 ) ༻ sniffer 监 ჶ㑌 请 ٻత 长 ɼፙ౸ 压缩 ภߴతแɼࡏࠜਾยஈॏ৽㣥䫪ग़ cookie Friday, August 9, 13
Same Origin Policy ༩ ލ Same Origin Policy 对 ෆಉҬݶ੍:
frame ೭ 间 ෆೳޓ૬ 访问 发 ىత GET 请 ٻᏠ๏ 获 औ༰ Ꮰ๏ 发 ى POST ܕ AJAX 请 ٻ(ୠՄҎ POST FORM) Ꮰ๏༻ࣈମ/Flash/Java Applet ɻɻɻ Friday, August 9, 13
ղႊํҊ1 JSONP ೳੋ GET 请 ٻ Ꮰ๏্ 传 จ݅ ഁᆀ
语义 /CSRF߈ 击 长 ݶ੍ Friday, August 9, 13
ղႊํҊ2 CORS (Cross-origin resource sharing) Access-Control-Allow-Origin: * ༻ AJAX ্
传 จ݅ (ൺ S3 बࢧ࣋) Ҹ 许 ލҾ༻ font, swf(?) খܕ 应 ༻ ݐ 议 ༻ಠཱҬ໊ɼආ໔ඃ߈ 击 Friday, August 9, 13
ղႊํҊ3 Cross-document messaging window.postMessage(‘hello’, ‘http:/ / example.com`) IEࢧ࣋ෆଠ: IE8 Ҏલෆࢧ࣋,
IE8 ෦ࢧ ࣋(ࢧ࣋iframe), IE10 શ෦ࢧ࣋ Friday, August 9, 13
HTTP Headers Cookie HttpOnly: ආ໔ session id ඃ Secure: ආ໔
session id ඃჶ Strict-Transport-Security: max-age=16070400; includeSubDomains Clickjacking X-Frame-Options: deny X-Frame-Options: sameorigin Friday, August 9, 13
HTTP Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block P3P: ... Friday,
August 9, 13
Sponsored by Friday, August 9, 13
Q & A Thanks for your attention Friday, August 9,
13
Friday, August 9, 13
Friday, August 9, 13
Friday, August 9, 13