HTTP协议相关的若干安全问题

Transcript

1. HTTP协议相关的若干安全问 题 LI Daobing <[email protected]> https:/ /github.com/lidaobing Friday, August 9,

   13

2. 1940೥11݄7೔ http:/ /en.wikipedia.org/wiki/Tacoma_Narrows_Bridge_(1940) Friday, August 9, 13

3. 1988೥4݄28೔ http:/ /en.wikipedia.org/wiki/Aloha_Airlines_Flight_243 Friday, August 9, 13

4. 2002೥2݄?೔ http:/ /en.wikipedia.org/wiki/SQL_injection Friday, August 9, 13

5. 问题 㟬 现 ࡏࡏ 过桥 త 时 ީձ୲৺ 这 ࿽

   问题 㜮ʁ ʢҼ 为桥 తݐஜ 设计师 ౎ੋ༗ 证 తʁʣ 㟬 现 ࡏࡏ࠱ 飞 صత 时 ީձ୲৺ 这 ࿽ 问题 㜮ʁ ʢҼ 为飞 صత 设计师 ౎ੋ༗ 证 తʁʣ Friday, August 9, 13

6. 问题 㟬্᠓᜾త 时 ީ୲৺㟬తີ 码 /਎㟨҆શ㜮ʁ զ 还 ୲৺ɼݪҼ 这

   ࿽࿙ಎग़ 现 త 时间还 ෆ䭧 长 ʁ 㟬㣛తɼ䇖 发 ᠓᜾త౎ੋᏠ 证 ఔং 员 ීวෆࡏҙ҆શ 问题 Friday, August 9, 13

7. HTTP 协议 ૬䎔తएׯ҆ ॄ㜮ੋ HTTP 协议 GET ܕ CSRF POST

   ܕ CSRF ۲߸ 问题 SSL Same Origin Policy ༩ ލҬ௨৴ HTTP Headers Friday, August 9, 13

8. ෆ 讲 ॄ㜮 DDoS ࿨ DoS: લऀ䳭ྲྀᔁ, ޳ऀ䳭Ꮰ 赖 软

   ݅࿙ಎ: 紧盯 CVE ࿨ 发 ߦ൛త҆શ௨ࠂ XSS: ଖ 实这 ࿽࠽ੋେ 头 SQL Inject: 这 ౎2013೥ྃ, 㟬ཁ൓ল HTTP Cache: 细节 ଠଟɼ 还 ࢉ҆શ Friday, August 9, 13

9. 访问 Ұ࿽᠓ 页 Friday, August 9, 13

10. ༻HTTP 协议 ၏ॄ㜮ʁ Լ 载 ᠓ 页 Լ 载图 ย

    Լ 载 CSS Լ 载 JS Լ 载 ࣈମ AJAX Լ 载 swf, ... Friday, August 9, 13

11. HTTP 协议 ᣂྫ $ curl -v http:/ /www.google.com.hk/ > GET

    / HTTP/1.1 > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5 > Host: www.google.com.hk > Accept: */* > < HTTP/1.1 200 OK < Date: Wed, 24 Apr 2013 13:15:02 GMT < Expires: -1 < Cache-Control: private, max-age=0 < Content-Type: text/html; charset=Big5 < Set-Cookie: PREF=ID=5dee4c0efb2fd080:FF=0:NW=1:TM=136680[snip] < Set-Cookie: NID=67=DyKygko82Qz6Xxjed6pZEZvekjy6YFHRAEh[snip] < Server: gws < X-XSS-Protection: 1; mode=block < X-Frame-Options: SAMEORIGIN < Transfer-Encoding: chunked < <!doctype html><html><head>...</head><body>...</body></html> Friday, August 9, 13

12. telnet ໛ 拟 HTTP 请 ٻ Friday, August 9, 13

13. CSRF ੋॄ㜮ʁ Cross-site request forgery (ލ᜾ 请 ٻ 伪 ଄)

    ༻ 户 ظ๬Ұ࿽ߦ 为 ʢൺ೗ 转账 ɼ౤ථɼ䎔 闭 bug, ...ʣੋࡏ 对应 త᠓᜾্ 发 ੜɼୠࡏ 访问 Ұ ࿽ෆ૬䎔త᠓᜾ 时 ٫৮ 发 ྃ 该 ߦ 为 ൺ೗զࡏ䶯Ḧ୿ɼ؃؃Ꮰᡅ 图 ɼ 结 Ռ৮ 发 ྃզ ࡏ 17startup ্ 给 ๭࿽᠓᜾౤ྃ5੕ Friday, August 9, 13

14. GET ܕ CSRF Friday, August 9, 13

15. GET ܕ CSRF 17startup త౤ථ 请 ٻ: http:/ /17startup.com/ startup/vote/9439/5

    ߈ 击 ख๏1: ௚઀ 发 ૹurl 给 ड֐ਓɼ೗Ռड֐ ਓቮ 经 ొ 录 17startup ኂ׌఺ 击 ྃ url, बೳ 㢦㟬׬੒౤ථ Friday, August 9, 13

16. 伪 ૷੒ 图 ย http:/ /is.gd/eGsWc7.jpg વ޳ 发 ౸䬟ࠣࢧ࣋֎ 链

    త 论坛 , ड֐ਓ೗Ռቮ 经 ొ 录过 17startup, ಹ㜮 访问这 ࿽ 论坛时 बՄҎ 㢦㟬౤ථ ߋ޷త 伪 ૷: ೺߈ 击图 ย์ࡏ႓ 张 ਖ਼ৗ 图 ยத 间 Friday, August 9, 13

17. ๷ޚ GET ܕ CSRF ຌੋधཁߋվ෰ 务 ثঢ় 态 త 请

    ٻɼෆಘ࢖༻ GET, ՄҎ࢖༻ POST, PUT, DELETE Friday, August 9, 13

18. ٕ 术时间 : Request Method ҆શ 幂 ౳ HEAD √

    √ GET √ √ POST × × PUT × √ DELETE × √ PATCH × × TRACE, OPTIONS, CONNECT (TRACK, DEBUG) Friday, August 9, 13

19. POST ܕ CSRF Friday, August 9, 13

20. POST ܕత CSRF Friday, August 9, 13

21. ۩ମ೗Կૢ࡞ ࡏࣗݾత 页 ໘ 设 ஔҰ࿽iframe, iframe ཬ 边 ༗

    Ұ࿽ form, ࢦ޲ඃ߈ 击 ᜾఺ɼኂ׌༻ JS ৮ 发 ࣗ 动 ఏަ (҃ऀ 诱导 ड֐ਓఏަ) Ҿ 导 ड֐ਓ 访问 㟬త 页 ໘ Friday, August 9, 13

22. ஫ҙࣄ 项 iframe ׬શՄҎੋ 隐 ܗతɼॴҎड֐ਓՄೳ׬ શ຅༗࡯ 觉 ౸ቮ 经

    ड౸߈ 击 ྃ 验证码对这 䝅߈ 击 ๷ޚᏈՌ኷ࠩɼҼ 为 զՄҎ ೺ 验证码 ፛ 过 དྷ 诱导 ༻ 户 రࣸɻ Friday, August 9, 13

23. ೗Կ๷ޚ form ཬ 边 ՃCSRF TOKENʢ፺ࡧ㟬తᐽՍ໊শ +CSRFबೳፙ౸େྔతจᑆʣ ࢖༻ෆؚ form త

    AJAX 时 , ဓ HTML தఏऔ CSRF TOKEN Ճೖ㟬తࢀ਺ɻ 䐾 查 ᠓᜾తAPI: 㟬త API Մೳձඃ༻ဋ POST CSRF ߈ 击 ɻ Friday, August 9, 13

24. ۲߸ 问题 这问题 ্զ൜ 过错误 EverBox 项 ໨಺ 测时 ग़

    过 ۲߸ 问题 Friday, August 9, 13

25. ۲߸ݪཧ sinatra ᐽՍ᠍ল࢖༻ rack-session rack-session ࢖༻ Kernel.rand དྷੜ੒ session id

    memcache session storage ຅༗၏ session id ੋ൱ଘࡏత 检验 unicorn ࢖༻ fork དྷੜ੒ଟ࿽ 进 ఔ(䫩গ 启动时 Friday, August 9, 13

26. ٕ 术时间 : Session อଘ 问题 优 ఺ ᠍఺ Cookie

    Session ߱௿෰ 务 ୺ 压 ྗ࿨䐾 杂 ੑ ਺ਾᔔ࿐, େখݶ੍, ࿘ 费 ྲྀ ྔɼᏠ๏㖘੍ొग़ Memcache Session ෆґ 赖 ဋ਺ਾ 库 ༻ 户 मվີ 码 ޳ొग़༻ 户 ຑ 烦 ɼਗ਼ཧ cache 时 ձ 导 க༻ 户 ొग़ Database Session ޭೳ㖘େ ফ໣਺ਾ 库资 ݯ Friday, August 9, 13

27. Session ߷࣋๷ޚ Session Id Ӭ 远 ෆཁग़ 现 ࡏ HTML

    த Session Id త Cookie Ӭ 远 ཁ HttpOnly 记录浏览 ث኷গ 变 Խత HTTP 头 User Agent Accept Encoding Accept Language IP(?) Friday, August 9, 13

28. SSL 历 ࢙༩ 现 ঢ় SSL 2.0 త҆શ࿙ಎ ଖଞ߈ 击

    ํࣜ SSL 3.0 / TLS 1.0 త҆શ࿙ಎ Friday, August 9, 13

29. SSLత 历 ࢙ SSL 1.0, Netscape 䇖 发 ɼະެ䇖 SSL

    2.0, 1995೥2݄ SSL 3.0, 1996೥ TLS 1.0(RFC2246) ≈ SSL 3.0, 1999೥ TLS 1.1(RFC 4346), 2006೥4݄ Friday, August 9, 13

30. SSL ࢧ࣋৘ႎ [ې༻] SSL 2.0, 1995೥2݄ [OK] SSL 3.0, 1996೥

    [OK] TLS 1.0(RFC2246) ≈ SSL 3.0, 1999೥ [ෆࢧ࣋] TLS 1.1(RFC 4346), 2006೥4݄ [ෆࢧ࣋] TLS 1.2(RFC 5246, 6176), 2008೥8݄ Friday, August 9, 13

31. SSL 2.0 ଘࡏత 问题 1. 长 ౓ 扩 ల߈ 击

    (Length extension attack) MAC = MD5(secret + content) MAC2 = MD5(secret + content+ attack_suffix) Friday, August 9, 13

32. SSL 2.0 ଘࡏత 问题 1. 长 ౓ 扩 ల߈ 击

    (Length extension attack) 2. ҆શ߱ 级 ߈ 击 ࢖༻໌จ 协 ঎௨৴໛ࣜɼத 间 ՄҎ 篡 վ௨৴ ߱௿Ճີ 级 䫲 Friday, August 9, 13

33. SSL 2.0 ଘࡏత 问题 1. 长 ౓ 扩 ల߈ 击

    (Length extension attack) 2. ҆શ߱ 级 ߈ 击 3. TCP 䎔 闭 ߈ 击 SSL ࢖༻ TCP FIN དྷ 结 ଋɼத 间 ਓՄҎ௨ 过 发 ૹ TCP FIN དྷׯ 扰 SSL 连 ઀(׌٬ 户 ୺ෆ ձҙ 识 ౸ඃ߈ 击 ) Friday, August 9, 13

34. SSL తଖଞ҆શ 问题 证书问题 ෆཁ࢖༻ࣗ 签 ໊త 证书 ෆཁ 让

    ༻ 户 ҆૷ࠜ 证书 䇖௨ެڞ 邮 ശతޭೳతҬ্໊࠷޷ෆཁਃ 请 证书 (sohu 邮 ശத 过 ট) Friday, August 9, 13

35. SSLStrip େ෦෼ https 请 ٻ౎དྷࣗ http త௓ 转 恶 ҙத

    间 ਓՄҎ 拦 ፊ 请 ٻɼ 导 கத 间 ਓ༩ 浏览 ثత௨৴ 为 ໌จ Friday, August 9, 13

36. SSLStrip త๷ޚ HTTP Header: Strict-Transport-Security 预 ஔधཁ https త᠓᜾ྻද: chrome

    ࢧ࣋ Friday, August 9, 13

37. SSL 3.0 / TLS 1.0 త 风险 BEAST ߈ 击

    : ར༻ CBC(Cipher-block chaining) తҰ࿽᠍᮷ CRIME ߈ 击 : 构 ଄䉰಍ኂ 观 ࡯ 压缩 ཰ RC4 ߈ 击 : 长时间 ࢖༻ಉҰ࿽ key 导 கඃ߈ 击 Friday, August 9, 13

38. CRIME ߈ 击 ၊ఆ㟬త session id 为 a1b2c3d4 ಹ㜮೗Ռ 请

    ٻࢀ਺ؚ༗ a1b ҃ऀ 1b2 ҃ऀ b2c 时 ɼ੔࿽ 请 ٻత 压缩 ཰ՄҎఏߴ(SSL ҃ ऀ SPDY ձ 启 ༻ 压缩 ) ༻ sniffer 监 ჶ㑌࿽ 请 ٻత 长 ౓ɼፙ౸ 压缩 ཰ภߴతแɼࡏࠜਾยஈॏ৽㣥䫪ग़ cookie Friday, August 9, 13

39. Same Origin Policy ༩ ލ Same Origin Policy 对 ෆಉҬݶ੍:

    frame ೭ 间 ෆೳޓ૬ 访问 发 ىత GET 请 ٻᏠ๏ 获 औ಺༰ Ꮰ๏ 发 ى POST ܕ AJAX 请 ٻ(ୠՄҎ௚઀ POST FORM) Ꮰ๏࢖༻ࣈମ/Flash/Java Applet ɻɻɻ Friday, August 9, 13

40. ղႊํҊ1 JSONP ୞ೳੋ GET 请 ٻ Ꮰ๏্ 传 จ݅ ഁᆀ

    语义 /CSRF߈ 击 长 ౓ݶ੍ Friday, August 9, 13

41. ղႊํҊ2 CORS (Cross-origin resource sharing) Access-Control-Allow-Origin: * ࢖༻ AJAX ্

    传 จ݅ (ൺ೗ S3 बࢧ࣋) Ҹ 许 ލ᜾Ҿ༻ font, swf(?) খܕ 应 ༻ ݐ 议 ࢖༻ಠཱҬ໊ɼආ໔ඃ߈ 击 Friday, August 9, 13

42. ղႊํҊ3 Cross-document messaging window.postMessage(‘hello’, ‘http:/ / example.com`) IEࢧ࣋ෆଠ޷: IE8 Ҏલෆࢧ࣋,

    IE8 ෦෼ࢧ ࣋(୞ࢧ࣋iframe), IE10 શ෦ࢧ࣋ Friday, August 9, 13

43. HTTP Headers Cookie HttpOnly: ආ໔ session id ඃ઄ Secure: ආ໔

    session id ඃ઄ჶ Strict-Transport-Security: max-age=16070400; includeSubDomains Clickjacking X-Frame-Options: deny X-Frame-Options: sameorigin Friday, August 9, 13

44. HTTP Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block P3P: ... Friday,

    August 9, 13

45. Sponsored by Friday, August 9, 13

46. Q & A Thanks for your attention Friday, August 9,

    13

47. Friday, August 9, 13

48. Friday, August 9, 13

49. Friday, August 9, 13