HTTP协议相关的若干安全问题

HTTP协议相关的若干安全问题 LI Daobing <[email protected]> https:/ /github.com/lidaobing Friday, August 9,
13

1940೥11݄7೔ http:/ /en.wikipedia.org/wiki/Tacoma_Narrows_Bridge_(1940) Friday, August 9, 13

1988೥4݄28೔ http:/ /en.wikipedia.org/wiki/Aloha_Airlines_Flight_243 Friday, August 9, 13

2002೥2݄?೔ http:/ /en.wikipedia.org/wiki/SQL_injection Friday, August 9, 13

问题㟬现 ࡏࡏ 过桥 త 时 ީձ୲৺ 这 ࿽
问题㜮ʁ ʢҼ 为桥 తݐஜ 设计师 ౎ੋ༗ 证 తʁʣ 㟬现 ࡏࡏ࠱ 飞 صత 时 ީձ୲৺ 这 ࿽ 问题㜮ʁ ʢҼ 为飞 صత 设计师 ౎ੋ༗ 证 తʁʣ Friday, August 9, 13

问题㟬্᠓᜾త 时 ީ୲৺㟬తີ 码 /਎㟨҆શ㜮ʁ զ 还 ୲৺ɼݪҼ 这
࿽࿙ಎग़ 现 త 时间还 ෆ䭧长 ʁ 㟬㣛తɼ䇖发 ᠓᜾త౎ੋᏠ 证 ఔং 员 ීวෆࡏҙ҆શ 问题 Friday, August 9, 13

HTTP 协议 ૬䎔తएׯ҆ ॄ㜮ੋ HTTP 协议 GET ܕ CSRF POST
ܕ CSRF ۲߸ 问题 SSL Same Origin Policy ༩ ލҬ௨৴ HTTP Headers Friday, August 9, 13

ෆ 讲 ॄ㜮 DDoS ࿨ DoS: લऀ䳭ྲྀᔁ, ޳ऀ䳭Ꮰ 赖软
݅࿙ಎ: 紧盯 CVE ࿨ 发 ߦ൛త҆શ௨ࠂ XSS: ଖ 实这 ࿽࠽ੋେ 头 SQL Inject: 这 ౎2013೥ྃ, 㟬ཁ൓ল HTTP Cache: 细节 ଠଟɼ 还 ࢉ҆શ Friday, August 9, 13

访问 Ұ࿽᠓ 页 Friday, August 9, 13

༻HTTP 协议 ၏ॄ㜮ʁ Լ 载 ᠓ 页 Լ 载图 ย
Լ 载 CSS Լ 载 JS Լ 载 ࣈମ AJAX Լ 载 swf, ... Friday, August 9, 13

HTTP 协议 ᣂྫ $ curl -v http:/ /www.google.com.hk/ > GET
/ HTTP/1.1 > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5 > Host: www.google.com.hk > Accept: */* > < HTTP/1.1 200 OK < Date: Wed, 24 Apr 2013 13:15:02 GMT < Expires: -1 < Cache-Control: private, max-age=0 < Content-Type: text/html; charset=Big5 < Set-Cookie: PREF=ID=5dee4c0efb2fd080:FF=0:NW=1:TM=136680[snip] < Set-Cookie: NID=67=DyKygko82Qz6Xxjed6pZEZvekjy6YFHRAEh[snip] < Server: gws < X-XSS-Protection: 1; mode=block < X-Frame-Options: SAMEORIGIN < Transfer-Encoding: chunked < <!doctype html><html><head>...</head><body>...</body></html> Friday, August 9, 13

telnet ໛ 拟 HTTP 请 ٻ Friday, August 9, 13

CSRF ੋॄ㜮ʁ Cross-site request forgery (ލ᜾ 请 ٻ 伪 ଄)
༻ 户 ظ๬Ұ࿽ߦ 为 ʢൺ೗ 转账 ɼ౤ථɼ䎔闭 bug, ...ʣੋࡏ 对应 త᠓᜾্ 发 ੜɼୠࡏ 访问 Ұ ࿽ෆ૬䎔త᠓᜾ 时 ٫৮ 发 ྃ 该 ߦ 为 ൺ೗զࡏ䶯Ḧ୿ɼ؃؃Ꮰᡅ 图 ɼ 结 Ռ৮ 发 ྃզ ࡏ 17startup ্ 给 ๭࿽᠓᜾౤ྃ5੕ Friday, August 9, 13

GET ܕ CSRF Friday, August 9, 13

GET ܕ CSRF 17startup త౤ථ 请 ٻ: http:/ /17startup.com/ startup/vote/9439/5
߈ 击 ख๏1: ௚઀ 发 ૹurl 给 ड֐ਓɼ೗Ռड֐ ਓቮ 经 ొ 录 17startup ኂ׌఺ 击 ྃ url, बೳ 㢦㟬׬੒౤ථ Friday, August 9, 13

伪 ૷੒ 图 ย http:/ /is.gd/eGsWc7.jpg વ޳ 发 ౸䬟ࠣࢧ࣋֎ 链
త 论坛 , ड֐ਓ೗Ռቮ 经 ొ 录过 17startup, ಹ㜮访问这 ࿽ 论坛时 बՄҎ 㢦㟬౤ථ ߋ޷త 伪 ૷: ೺߈ 击图 ย์ࡏ႓ 张 ਖ਼ৗ 图 ยத 间 Friday, August 9, 13

๷ޚ GET ܕ CSRF ຌੋधཁߋվ෰ 务 ثঢ় 态 త 请
ٻɼෆಘ࢖༻ GET, ՄҎ࢖༻ POST, PUT, DELETE Friday, August 9, 13

ٕ 术时间 : Request Method ҆શ 幂 ౳ HEAD √
√ GET √ √ POST × × PUT × √ DELETE × √ PATCH × × TRACE, OPTIONS, CONNECT (TRACK, DEBUG) Friday, August 9, 13

POST ܕ CSRF Friday, August 9, 13

POST ܕత CSRF Friday, August 9, 13

۩ମ೗Կૢ࡞ ࡏࣗݾత 页 ໘ 设 ஔҰ࿽iframe, iframe ཬ 边 ༗
Ұ࿽ form, ࢦ޲ඃ߈ 击 ᜾఺ɼኂ׌༻ JS ৮ 发 ࣗ 动 ఏަ (҃ऀ 诱导 ड֐ਓఏަ) Ҿ 导 ड֐ਓ 访问㟬త 页 ໘ Friday, August 9, 13

஫ҙࣄ 项 iframe ׬શՄҎੋ 隐 ܗతɼॴҎड֐ਓՄೳ׬ શ຅༗࡯ 觉 ౸ቮ 经
ड౸߈ 击 ྃ 验证码对这䝅߈ 击 ๷ޚᏈՌ኷ࠩɼҼ 为 զՄҎ ೺ 验证码 ፛ 过 དྷ 诱导 ༻ 户 రࣸɻ Friday, August 9, 13

೗Կ๷ޚ form ཬ 边 ՃCSRF TOKENʢ፺ࡧ㟬తᐽՍ໊শ +CSRFबೳፙ౸େྔతจᑆʣ ࢖༻ෆؚ form త
AJAX 时 , ဓ HTML தఏऔ CSRF TOKEN Ճೖ㟬తࢀ਺ɻ 䐾查 ᠓᜾తAPI: 㟬త API Մೳձඃ༻ဋ POST CSRF ߈ 击 ɻ Friday, August 9, 13

۲߸ 问题这问题 ্զ൜ 过错误 EverBox 项 ໨಺ 测时 ग़
过 ۲߸ 问题 Friday, August 9, 13

۲߸ݪཧ sinatra ᐽՍ᠍ল࢖༻ rack-session rack-session ࢖༻ Kernel.rand དྷੜ੒ session id
memcache session storage ຅༗၏ session id ੋ൱ଘࡏత 检验 unicorn ࢖༻ fork དྷੜ੒ଟ࿽ 进 ఔ(䫩গ 启动时 Friday, August 9, 13

ٕ 术时间 : Session อଘ 问题优 ఺ ᠍఺ Cookie
Session ߱௿෰ 务 ୺ 压 ྗ࿨䐾杂 ੑ ਺ਾᔔ࿐, େখݶ੍, ࿘ 费 ྲྀ ྔɼᏠ๏㖘੍ొग़ Memcache Session ෆґ 赖 ဋ਺ਾ 库 ༻ 户 मվີ 码 ޳ొग़༻ 户 ຑ 烦 ɼਗ਼ཧ cache 时 ձ 导 க༻ 户 ొग़ Database Session ޭೳ㖘େ ফ໣਺ਾ 库资 ݯ Friday, August 9, 13

Session ߷࣋๷ޚ Session Id Ӭ 远 ෆཁग़ 现 ࡏ HTML
த Session Id త Cookie Ӭ 远 ཁ HttpOnly 记录浏览 ث኷গ 变 Խత HTTP 头 User Agent Accept Encoding Accept Language IP(?) Friday, August 9, 13

SSL 历 ࢙༩ 现 ঢ় SSL 2.0 త҆શ࿙ಎ ଖଞ߈ 击
ํࣜ SSL 3.0 / TLS 1.0 త҆શ࿙ಎ Friday, August 9, 13

SSLత 历 ࢙ SSL 1.0, Netscape 䇖发 ɼະެ䇖 SSL
2.0, 1995೥2݄ SSL 3.0, 1996೥ TLS 1.0(RFC2246) ≈ SSL 3.0, 1999೥ TLS 1.1(RFC 4346), 2006೥4݄ Friday, August 9, 13

SSL ࢧ࣋৘ႎ [ې༻] SSL 2.0, 1995೥2݄ [OK] SSL 3.0, 1996೥
[OK] TLS 1.0(RFC2246) ≈ SSL 3.0, 1999೥ [ෆࢧ࣋] TLS 1.1(RFC 4346), 2006೥4݄ [ෆࢧ࣋] TLS 1.2(RFC 5246, 6176), 2008೥8݄ Friday, August 9, 13

SSL 2.0 ଘࡏత 问题 1. 长 ౓ 扩 ల߈ 击
(Length extension attack) MAC = MD5(secret + content) MAC2 = MD5(secret + content+ attack_sufﬁx) Friday, August 9, 13

(Length extension attack) 2. ҆શ߱ 级 ߈ 击 ࢖༻໌จ 协 ঎௨৴໛ࣜɼத 间 ՄҎ 篡 վ௨৴ ߱௿Ճີ 级䫲 Friday, August 9, 13

(Length extension attack) 2. ҆શ߱ 级 ߈ 击 3. TCP 䎔闭 ߈ 击 SSL ࢖༻ TCP FIN དྷ 结 ଋɼத 间 ਓՄҎ௨ 过发 ૹ TCP FIN དྷׯ 扰 SSL 连 ઀(׌٬ 户 ୺ෆ ձҙ 识 ౸ඃ߈ 击 ) Friday, August 9, 13

SSL తଖଞ҆શ 问题证书问题 ෆཁ࢖༻ࣗ 签 ໊త 证书 ෆཁ 让
༻ 户 ҆૷ࠜ 证书䇖௨ެڞ 邮 ശతޭೳతҬ্໊࠷޷ෆཁਃ 请证书 (sohu 邮 ശத 过 ট) Friday, August 9, 13

SSLStrip େ෦෼ https 请 ٻ౎དྷࣗ http త௓ 转恶 ҙத
间 ਓՄҎ 拦 ፊ 请 ٻɼ 导 கத 间 ਓ༩ 浏览 ثత௨৴ 为 ໌จ Friday, August 9, 13

SSLStrip త๷ޚ HTTP Header: Strict-Transport-Security 预 ஔधཁ https త᠓᜾ྻද: chrome
ࢧ࣋ Friday, August 9, 13

SSL 3.0 / TLS 1.0 త 风险 BEAST ߈ 击
: ར༻ CBC(Cipher-block chaining) తҰ࿽᠍᮷ CRIME ߈ 击 : 构 ଄䉰಍ኂ 观 ࡯ 压缩 ཰ RC4 ߈ 击 : 长时间 ࢖༻ಉҰ࿽ key 导 கඃ߈ 击 Friday, August 9, 13

CRIME ߈ 击 ၊ఆ㟬త session id 为 a1b2c3d4 ಹ㜮೗Ռ 请
ٻࢀ਺ؚ༗ a1b ҃ऀ 1b2 ҃ऀ b2c 时 ɼ੔࿽ 请 ٻత 压缩 ཰ՄҎఏߴ(SSL ҃ ऀ SPDY ձ 启 ༻ 压缩 ) ༻ sniffer 监 ჶ㑌࿽ 请 ٻత 长 ౓ɼፙ౸ 压缩 ཰ภߴతแɼࡏࠜਾยஈॏ৽㣥䫪ग़ cookie Friday, August 9, 13

Same Origin Policy ༩ ލ Same Origin Policy 对 ෆಉҬݶ੍:
frame ೭ 间 ෆೳޓ૬ 访问发 ىత GET 请 ٻᏠ๏ 获 औ಺༰ Ꮰ๏ 发 ى POST ܕ AJAX 请 ٻ(ୠՄҎ௚઀ POST FORM) Ꮰ๏࢖༻ࣈମ/Flash/Java Applet ɻɻɻ Friday, August 9, 13

ղႊํҊ1 JSONP ୞ೳੋ GET 请 ٻ Ꮰ๏্ 传 จ݅ ഁᆀ
语义 /CSRF߈ 击长 ౓ݶ੍ Friday, August 9, 13

ղႊํҊ2 CORS (Cross-origin resource sharing) Access-Control-Allow-Origin: * ࢖༻ AJAX ্
传 จ݅ (ൺ೗ S3 बࢧ࣋) Ҹ 许 ލ᜾Ҿ༻ font, swf(?) খܕ 应 ༻ ݐ 议 ࢖༻ಠཱҬ໊ɼආ໔ඃ߈ 击 Friday, August 9, 13

ղႊํҊ3 Cross-document messaging window.postMessage(‘hello’, ‘http:/ / example.com`) IEࢧ࣋ෆଠ޷: IE8 Ҏલෆࢧ࣋,
IE8 ෦෼ࢧ ࣋(୞ࢧ࣋iframe), IE10 શ෦ࢧ࣋ Friday, August 9, 13

HTTP Headers Cookie HttpOnly: ආ໔ session id ඃ઄ Secure: ආ໔
session id ඃ઄ჶ Strict-Transport-Security: max-age=16070400; includeSubDomains Clickjacking X-Frame-Options: deny X-Frame-Options: sameorigin Friday, August 9, 13

HTTP Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block P3P: ... Friday,
August 9, 13

HTTP协议相关的若干安全问题

HTTP协议相关的若干安全问题

More Decks by LI Daobing

Other Decks in Programming

Featured

Transcript