
Blue-lotus Web Security Training

lukesun629
November 18, 2012



Transcript

  1. Outline
    Introduction to Web Security
    Basic Knowledge about Web Application
    OWASP TOP 10
    Introduction to Burp Suite
    Injection (command injection)
    SQL injection
    XSS
  2. Introduction to Web Security
    • Web applications are used everywhere
    • SONY PSN security event?
    • CSDN && RenRen SQL injection event?
    • Weibo XSS event
    • How much does credit card information cost?
    • How to shop for free online?
    • Is 12306.cn safe?
  3. Basic Knowledge about Web Application
    HTTP REQUEST:
      GET /account.html HTTP/1.1
      Host: www.amazon.com
    HTTP RESPONSE:
      HTTP/1.0 200 OK
      <HTML> . . . </HTML>
  4. URLs
    • Global identifiers of network-retrievable documents (URL == URI)
    • Example: http://safebank.com:81/account?id=10#statement
      Protocol: http   Hostname: safebank.com   Port: 81   Path: /account   Query: id=10   Fragment: statement
  5. HTTP Request
    Get twitter.com HTTP/1.1          (Method, File, HTTP Version)
    Headers:
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Encoding: gzip, deflate
      Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
      Connection: keep-alive
      Cookie: guest_id=v1%3A1347156841979559; twll=l%3D1352943802; remember_checked=0; __
      Host: twitter.com
      Proxy-Authorization: Basic eXo6ZmFuZ2JpbnhpbmdxdXNp
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
  6. HTTP Response
    HTTP/1.1 200 OK
    Headers:
      Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
      Content-Encoding: deflate
      Content-Type: text/html; charset=utf-8
      Date: Fri, 16 Nov 2012 04:23:46 GMT
      Etag: "6e086e7ca8f9523473ba382e13903024"
      Expires: Tue, 31 Mar 1981 05:00:00 GMT
      Last-Modified: Fri, 16 Nov 2012 04:23:45 GMT
      Pragma: no-cache
      Server: tfe
      Set-Cookie: ………..
      Vary: Accept-Encoding
      X-Firefox-Spdy: 3
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      status: 200 OK
      x-mid: 7a3afc80a659f66d32c8044659aee432ad9c70b7
      x-runtime: 0.81789
      x-transaction: cc1a154a93d8cbaf
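The request and response on slides 3 to 6 are shown as the browser sends them; the parser below is an added example (not part of the deck) that splits a raw HTTP/1.1 request into method, target, version and headers, and decomposes a URL into the parts labelled on slide 4. The sample request is constructed to resemble slide 5 (cookie values are made up), and the rejection of an unterminated header block or a malformed request line is a choice made here.

```python
"""Added example (not from the deck): parse a raw HTTP/1.1 request and split a
URL into protocol, hostname, port, path, query and fragment as on slide 4."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, modelled on slide 5; the cookie value is made up.
SAMPLE_REQUEST = (
    b"GET /account?id=10 HTTP/1.1\r\n"
    b"Host: safebank.com:81\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n"
    b"Cookie: guest_id=CONSTRUCTED; remember_checked=0\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a request into method, target, version, headers and body.

    Header names are case-insensitive in HTTP, so they are lower-cased here.
    A request without the blank line that ends the header block is rejected,
    as is a request line that does not have exactly three fields.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def split_url(url: str) -> dict:
    """Decompose a URL into the parts labelled on slide 4."""
    u = urlsplit(url)
    return {"protocol": u.scheme, "hostname": u.hostname, "port": u.port,
            "path": u.path, "query": parse_qs(u.query), "fragment": u.fragment}


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], req["version"])
    for name, value in req["headers"].items():
        print("  %s: %s" % (name, value))
    print(split_url("http://safebank.com:81/account?id=10#statement"))
```

Note that the fragment never reaches the server: it is not part of the request target, which matters later when client-side code reads it out of `document.URL`.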
  7. How browser renders a page
    • Suppose you are visiting http://amazon.com in a modern browser
    Components (Chrome): Bar UI, Browser Engine, Network Stack, Renderer Engine
    Steps: Display URL -> isCached(URI) = false -> retrieveData(URI) -> pageData /* HTML, CSS, etc. */ -> renderBitmap(pageData) -> Render UI
  8. Rendering and events
    • Basic execution model
      • Each browser window or frame
        • Loads content
        • Renders
          • Processes HTML and scripts to display page
          • May involve images, subframes, etc.
        • Responds to events
    • Events can be
      • User actions: OnClick, OnMouseover
      • Rendering: OnLoad, OnBeforeUnload
      • Timing: setTimeout(), clearTimeout()
  9. Document Object Model (DOM)
    • Object-oriented interface used to read and write rendered pages
    • A web page in HTML is structured data; the DOM provides a representation of this hierarchy
    HTML:
      <html>
        <body>
          <div> foo <a>foo2</a> </div>
          <form>
            <input type="text" />
            <input type="radio" />
            <input type="checkbox" />
          </form>
        </body>
      </html>
    DOM Tree:
      Document
      |-> Element (<html>)
          |-> Element (<body>)
              |-> Element (<div>)
                  |-> text node
                  |-> Anchor
                      |-> text node
              |-> Form
                  |-> Text-box
                  |-> Radio Button
                  |-> Check Box
                  |-> Button
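To make the HTML-to-tree mapping on slide 9 concrete, here is an added example (not from the deck) that feeds the slide's markup to Python's standard-library HTML parser, builds a tree of nested nodes, and prints it in the slide's "|->" notation. The node labels ("text node", "input[text]") and the treatment of `<input>` as a void element are choices made here.

```python
"""Added example (not from the deck): build a DOM-like tree from the HTML on
slide 9 and print it in the slide's "|->" notation."""
from html.parser import HTMLParser

# Constructed sample document: the same markup as slide 9.
SAMPLE_HTML = """<html><body>
<div> foo <a>foo2</a> </div>
<form>
  <input type="text" />
  <input type="radio" />
  <input type="checkbox" />
</form>
</body></html>"""

# Elements that never have children, so they are not pushed on the open-element stack.
VOID_ELEMENTS = {"input", "br", "img", "meta", "link", "hr"}


class DomBuilder(HTMLParser):
    """Turn start/end/data events into nested dict nodes under a Document root."""

    def __init__(self):
        super().__init__()
        self.root = {"name": "Document", "attrs": {}, "children": []}
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = {"name": tag, "attrs": dict(attrs), "children": []}
        self.stack[-1]["children"].append(node)
        if tag not in VOID_ELEMENTS:
            self.stack.append(node)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <input ... /> is added but never pushed

    def handle_endtag(self, tag):
        # Pop back to the matching open element; a stray end tag is ignored.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i]["name"] == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        # Whitespace-only text between tags is dropped, as on the slide's tree.
        if data.strip():
            self.stack[-1]["children"].append(
                {"name": "#text", "attrs": {}, "data": data.strip(), "children": []})


def build_dom(markup: str) -> dict:
    parser = DomBuilder()
    parser.feed(markup)
    parser.close()
    return parser.root


def label(node: dict) -> str:
    if node["name"] == "#text":
        return "text node"
    if node["name"] == "input":
        return "input[%s]" % node["attrs"].get("type", "")
    if node["name"] == "Document":
        return "Document"
    return "Element (<%s>)" % node["name"]


def render_tree(node: dict, depth: int = 0) -> list:
    """Indented lines in the slide's notation, one per node."""
    lines = ["    " * depth + ("|-> " if depth else "") + label(node)]
    for child in node["children"]:
        lines.extend(render_tree(child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(build_dom(SAMPLE_HTML))))
```

The same parse-into-tree step is what a browser does before any script runs, which is why an injected `<script>` element in slide 32 becomes a real node rather than text.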
  10. OWASP TOP 10 (2010)
    A1 – Injection
    A2 – Cross-Site Scripting (XSS)
    A3 – Broken Authentication and Session Management
    A4 – Insecure Direct Object References
    A5 – Cross Site Request Forgery (CSRF)
    A6 – Security Misconfiguration
    A7 – Insecure Cryptographic Storage
    A8 – Failure to Restrict URL Access
    A9 – Insecure Communications
    A10 – Unvalidated Redirects and Forwards (NEW)
  11. Burp Suite
    Burp Suite is an integrated platform for performing security testing of web applications
    • Java application && OS independent
    • Commercial && free version
    Main functions:
    • Proxy
    • Spider
    • Scanner
    • Intruder
    • Repeater
    • Sequencer
  12. Quick Background on PHP
    display.php:
      <? echo system("cat ".$_GET['file']); ?>
    <? php-code ?>       executes php-code at this point in the document
    echo expr            evaluates expr and embeds the result in the document
    system(call, args)   performs a system call in the working directory
    " ….. ", ' ….. '     string literals; double quotes allow more escaped characters
    . (dot)              concatenates strings
    $_GET['key']         returns the value for the key/value pair sent as extra data in the HTTP GET request
  13. Command Injection
    Client Browser -> Web Server: display.php?file=notes.txt
    Web Server (display.php, running as UID www): system("cat ".$_GET['file'])
    Shell command: cat notes.txt
    Shell -> Web Server: content of notes.txt
    Web Server -> Client Browser: Web Page
    display.php:
      <? echo system("cat ".$_GET['file']); ?>
  14. Command Injection
    Test: display.php: <? echo system("cat ".$_GET['file']); ?>
    a. http://www.example.net/display.php?get=rm
    b. http://www.example.net/display.php?file=rm%20-rf%20%2F%3B
    c. http://www.example.net/display.php?file=notes.txt%3B%20rm%20-rf%20%2F%3B%0A%0A
    d. http://www.example.net/display.php?file=%20%20%20%20%20
  15. Command Injection
    Test: display.php: <? echo system("cat ".$_GET['file']); ?>
    Decoded:
    a. http://www.example.net/display.php?get=rm
    b. http://www.example.net/display.php?file=rm -rf /;
    c. http://www.example.net/display.php?file=notes.txt; rm -rf /;
    d. http://www.example.net/display.php?file=     
    Resulting code:
    a. <? echo system("cat rm"); ?>
    b. <? echo system("cat rm -rf /;"); ?>
    c. <? echo system("cat notes.txt; rm -rf /;"); ?>
    d. <? echo system("cat "); ?>
  16. Injection
    Injection is a general problem:
    • Typically caused when data and code share the same channel.
    • For example, the code is "cat" and the filename is the data, but ';' allows the attacker to start a new command.
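The deck's display.php is PHP; the following is an added example (not the deck's code) in Python that reproduces the same flaw next to a hardened version, using the deck's own test inputs from slides 14 and 15. The vulnerable function only builds the string the shell would receive; the hardened one checks the file name against an allow-list pattern (an assumption about what this endpoint should serve), confines it to a base directory, and passes it to `cat` as a separate argv element with no shell involved, so ';' and spaces remain data. The notes.txt fixture is constructed.

```python
"""Added example, not from the deck: Python stand-in for display.php showing the
injectable shell string beside an allow-listed, shell-free replacement."""
import os
import re
import subprocess
import tempfile

# Allow-list for the file name: letters, digits, dot, dash, underscore; no path
# separators and no shell metacharacters (an assumption about this page's needs).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def build_shell_command(user_file: str) -> str:
    """What the vulnerable display.php hands to the shell: plain concatenation.
    Returned as a string rather than executed, so the effect is visible."""
    return "cat " + user_file


def safe_argv(user_file: str, base_dir: str) -> list:
    """Hardened version: reject anything outside the allow-list, then pass the
    path as one argument, so ';', spaces and '/' are data, never syntax."""
    if not SAFE_NAME.match(user_file):
        raise ValueError("rejected file name: %r" % user_file)
    real_base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(real_base, user_file))
    # Second line of defence: the resolved path must stay inside base_dir.
    if os.path.commonpath([path, real_base]) != real_base:
        raise ValueError("path escapes base directory")
    return ["cat", path]


def display(user_file: str, base_dir: str) -> str:
    """Run the hardened command without a shell and return the file content."""
    return subprocess.run(safe_argv(user_file, base_dir), capture_output=True,
                          text=True, check=True).stdout


def rejected(user_file: str, base_dir: str) -> bool:
    """True if the hardened path refuses this input."""
    try:
        safe_argv(user_file, base_dir)
        return False
    except ValueError:
        return True


def make_sample_dir() -> str:
    """Constructed fixture: a temporary directory holding notes.txt."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write("Content of notes.txt\n")
    return base


if __name__ == "__main__":
    base = make_sample_dir()
    for case in ["notes.txt", "rm -rf /;", "notes.txt; rm -rf /;", "     "]:
        print("%-25r shell would see %-30r hardened rejects: %s"
              % (case, build_shell_command(case), rejected(case, base)))
    print(display("notes.txt", base), end="")
```

The allow-list is deliberately strict rather than a deny-list of metacharacters; a deny-list has to enumerate every shell feature (`;`, `|`, `&&`, backticks, `$()`, newlines as in case c) and misses the next one. Removing the shell from the call altogether is what makes the remaining input safe to pass along.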
  17. Practice 1
    • DVWA command injection, security level low && medium
    Goal: get the /etc/passwd file
  18. SQL Injection
    • SQL: a query language for databases, e.g. the SELECT statement and WHERE clauses
    • More info: e.g. http://en.wikipedia.org/wiki/SQL
  19. Running Example
    Consider a web page that logs in a user by checking whether a user exists with the given username and password. If results exist, it logs the user in and redirects them to their user control panel.
    login.php:
      $result = pg_query("SELECT * from users WHERE uid = '".$_GET['user']."' AND pwd = '".$_GET['pwd']."';");
      if (pg_num_rows($result) > 0) {
          echo "Success";
          user_control_panel_redirect();
      }
  20. SQL Injection
    Client Browser -> Web Server: login.php?user=pikachu&pwd=password123
    login.php connects to the database using the dbuser login and executes the query with $_GET['user'] and $_GET['pwd']
    Web Server -> Database Server: SELECT * from users WHERE uid='pikachu' AND pwd = 'password123';
    Query results: 25 | pikachu | password123 | electric
    Result: Success, and redirect to the user control panel.
  21. SQL injection
    login.php:
      $result = pg_query("SELECT * from users WHERE uid = '".$_GET['user']."' AND pwd = '".$_GET['pwd']."';");
      if (pg_num_rows($result) > 0) {
          echo "Success";
          user_control_panel_redirect();
      }
    Question:
    a. http://www.example.net/login.php?user=admin&pwd='
    b. http://www.example.net/login.php?user=admin--&pwd=foo
    c. http://www.example.net/login.php?user=admin'--&pwd=f
  22. SQL injection
    URI: http://www.example.net/login.php?user=admin'--&pwd=f
    pg_query("SELECT * from users WHERE uid = 'admin'--' AND pwd = 'f';");
    Effective query:
    pg_query("SELECT * from users WHERE uid = 'admin';");
  23. SQL injection
    Q: Under the same premise as before, which URI can delete the users table in the database?
    a. www.example.net/login.php?user=;DROP TABLE users;--
    b. www.example.net/login.php?user=admin%27%3B%20DROP%20TABLE%20users--%3B&pwd=f
    c. www.example.net/login.php?user=admin;%20DROP%20TABLE%20users;%20--&pwd=f
    d. It is not possible. (None of the above)
  24. SQL injection
    Answer b: www.example.net/login.php?user=admin'; DROP TABLE users;--&pwd=f (decoded)
    pg_query("SELECT * from users WHERE uid = 'admin'; DROP TABLE users;--' AND pwd = 'f';");
    Effective query:
    pg_query("SELECT * from users WHERE uid = 'admin'; DROP TABLE users;");
  25. Input validation for SQL
    login.php:
      <? if (!preg_match("/^[a-z0-9A-Z.]*$/", $_GET['user'])) { echo "Username should be alphanumeric."; return; } ?>
    GET INPUT                      PASSED?
    Pikachu                        YES
    O'Donnel                       NO
    Pikachu'; DROP TABLE users--   NO
  26. After input validation
    pg_query("SELECT * from users WHERE uid = '".$_GET['user']."' AND pwd = '".$_GET['pwd']."';");
    a. http://www.example.net/login.php?user=admin&pwd=admin
    b. http://www.example.net/login.php?user=admin&pwd='%20OR%201%3D1;--
    c. http://www.example.net/login.php?user=admin'--&pwd=f
    d. http://www.example.net/login.php?user=admin&pwd='--
  27. After input validation
    pg_query("SELECT * from users WHERE uid = '".$_GET['user']."' AND pwd = '".$_GET['pwd']."';");
    Answer b: http://www.example.net/login.php?user=admin&pwd=' OR 1=1;--
    pg_query("SELECT * from users WHERE uid = 'admin' AND pwd = '' OR 1 = 1;--';");
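Slides 19 to 27 make three points: the concatenated query in login.php can be bypassed, the slide-25 username filter does not help because pwd is still concatenated, and the real fix is to keep user input out of the query text. The block below is an added example (not the deck's code) that demonstrates all three in Python with an in-memory sqlite3 database standing in for the deck's PostgreSQL; the users table, its rows and the admin password are constructed. The parameterised version is the sqlite3 equivalent of what pg_query_params() does in PHP.

```python
"""Added example, not from the deck: the deck's login.php logic in Python over
sqlite3, showing bypass, insufficient validation, and the parameterised fix."""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9A-Z.]*$")   # the slide-25 filter, unchanged


def make_db() -> sqlite3.Connection:
    """Constructed users table modelled on the row shown on slide 20.
    Passwords are stored in clear only because the deck's example does so."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, uid TEXT, pwd TEXT, kind TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (25, "pikachu", "password123", "electric"),
        (1, "admin", "CONSTRUCTED-admin-secret", "staff"),
    ])
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Vulnerable: the same string building as the deck's login.php."""
    sql = ("SELECT * from users WHERE uid = '" + user
           + "' AND pwd = '" + pwd + "';")
    return len(conn.execute(sql).fetchall()) > 0


def login_validated(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Slide 25: username allow-list, but the query is still concatenated,
    so the pwd parameter remains injectable (slide 27)."""
    if not USERNAME_RE.match(user):
        return False   # "Username should be alphanumeric."
    return login_concat(conn, user, pwd)


def login_param(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Fixed: placeholders send the values separately from the SQL text, so a
    quote or comment marker in either field is compared as data."""
    rows = conn.execute(
        "SELECT * from users WHERE uid = ? AND pwd = ?", (user, pwd)).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    cases = [("pikachu", "password123"), ("admin'--", "f"), ("admin", "' OR 1=1;--")]
    for user, pwd in cases:
        print("%-12r %-14r concat=%-5s validated=%-5s param=%s" % (
            user, pwd, login_concat(conn, user, pwd),
            login_validated(conn, user, pwd), login_param(conn, user, pwd)))
```

One difference from the deck worth knowing: pg_query() sends the whole string to PostgreSQL, which will run several semicolon-separated statements, so slide 24's stacked DROP TABLE works there; Python's sqlite3 `execute()` refuses more than one statement, which is why that case is not reproduced here. The comment-based bypasses (`--`) behave the same in both.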
  28. Practice 2
    WebGoat SQL injection. Goal: get familiar with SQL injection
    DVWA SQL injection, security level low && medium. Goal: get the password hash from the database (learn to use SQL queries)
  29. Cross-site Scripting (XSS)
    What is Cross-site Scripting (XSS)? A vulnerability in a web application that enables attackers to inject client-side scripts into web pages viewed by other users.
  30. Three types of XSS
    • Type 2: Persistent or Stored. The attack vector is stored at the server
    • Type 1: Reflected. The attack value is 'reflected' back by the server
    • Type 0: DOM Based. The vulnerability is in the client-side code
  31. Persistent or Stored XSS
    1. User asks a question via HTTP POST. Message: "How do I get a loan?"
    2. Server stores the message in the database
    3. Associate requests the questions page
    4. Server retrieves all questions from the DB
    5. Server returns HTML embedded with the question
    PHP code:
      <? echo "<div class='question'>$question</div>"; ?>
    HTML code:
      <div class='question'>"How do I get a loan?"</div>
  32. Persistent or Stored XSS
    a. '; system('rm -rf /');
    b. rm -rf /
    c. DROP TABLE QUESTIONS;
    d. <script>doEvil()</script>
    Resulting page for d:
      <html><body> ... <div class='question'> <script>doEvil()</script> </div> ... </body></html>
  33. Persistent or Stored XSS
    1. User asks a question via HTTP POST. Message: "<script>doEvil()</script>"
    2. Server stores the message in the database
    3. Associate requests the questions page
    4. Server retrieves all questions from the DB
    5. Server returns HTML embedded with the question
    PHP code:
      <? echo "<div class='question'>$question</div>"; ?>
    HTML code:
      <div class='question'>"<script>doEvil()</script>"</div>
  34. Reflected XSS
    • safebank.com also has a transaction search interface at search.php
    • search.php accepts a query and shows the results, with a helpful message at the top.
    • <? echo "Your query {$_GET['query']} returned $num results."; ?>
    • Example: Your query chocolate returned 81 results
    • What is a possible malicious URI an attacker could use to exploit this?
  35. Reflected XSS
    • A request to "search.php?query=<script>doEvil()</script>" causes script injection. Note that the query is never stored on the server, hence the term 'reflected'.
    • HTML code: Your query <script>doEvil()</script> returned 0 results
    • But this only injects code into the attacker's own page. The attacker needs to make the user click on this link for the attack to be effective.
  36. Reflected XSS
    1. Send email with malicious link: safebank.com/search.php?query=<script>doEvil()</script>
    2. User clicks on the link with malicious params
    3. Vulnerable server inserts the malicious params into HTML
    4. HTML with the injected attack code is returned: Your query <script>doEvil()</script> returned 0 results
    5. The user's browser executes the embedded malicious script.
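Both the stored case (slides 31 to 33) and the reflected case (slides 34 to 36) come down to the same server-side mistake: user text is placed into HTML without encoding. The block below is an added example (not the deck's code) that writes the deck's two PHP templates as Python functions, once as on the slides and once with output encoding for an HTML text context, which is what htmlspecialchars($s, ENT_QUOTES, 'UTF-8') does in PHP. The payload is the deck's own; the stored-questions page and the script-tag check are constructed here to show the difference.

```python
"""Added example, not from the deck: the stored-question and reflected-search
templates from the slides, raw and with HTML output encoding."""
import html
import re

PAYLOAD = "<script>doEvil()</script>"   # the deck's sample payload


def render_question_unsafe(question: str) -> str:
    """Slide 31's PHP: <? echo "<div class='question'>$question</div>"; ?>"""
    return "<div class='question'>%s</div>" % question


def render_question_safe(question: str) -> str:
    """Same template; '<', '>', '&' and quotes in the text become entities,
    so the browser shows them instead of parsing them as markup."""
    return "<div class='question'>%s</div>" % html.escape(question, quote=True)


def questions_page(stored: list, safe: bool) -> str:
    """Slide 31 steps 4 and 5: render every stored question for whoever views
    the page, which is why one stored payload reaches every later visitor."""
    render = render_question_safe if safe else render_question_unsafe
    body = "\n".join(render(q) for q in stored)
    return "<html><body>\n" + body + "\n</body></html>"


def render_search_unsafe(query: str, num: int) -> str:
    """Slide 34's message with the query reflected verbatim."""
    return "Your query %s returned %d results." % (query, num)


def render_search_safe(query: str, num: int) -> str:
    return "Your query %s returned %d results." % (html.escape(query, quote=True), num)


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to compare the two outputs here; it is not a
    sanitiser and would miss event-handler and other payload forms."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    stored = ["How do I get a loan?", PAYLOAD]
    print(questions_page(stored, safe=False))
    print(questions_page(stored, safe=True))
    print(render_search_unsafe(PAYLOAD, 0))
    print(render_search_safe(PAYLOAD, 0))
```

Encoding is applied at output time and chosen for the context the text lands in (here an element body); text placed inside an attribute, a `<script>` block or a URL needs that context's encoding instead. Input validation such as the slide-25 filter is not a substitute, since a question like "How do I get a loan?" has to be allowed through unchanged.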
  37. DOM Based XSS
    • Traditional XSS vulnerabilities occur in the server-side code, and the fix involves improving sanitization at the server side.
    • Web 2.0 applications include significant processing logic at the client side, written in JavaScript.
    • Similar to the server, this code can also be vulnerable.
    • When the XSS vulnerability occurs in the client-side code, it is termed a DOM Based XSS vulnerability.
  38. DOM Based XSS
    Suppose safebank.com uses client-side code to display a friendly welcome to the user. For example, the following code shows "Hello Joe" if the URL is http://safebank.com/welcome.php?name=Joe
      Hello
      <script>
        var pos = document.URL.indexOf("name=") + 5;
        document.write(document.URL.substring(pos, document.URL.length));
      </script>
  39. DOM Based XSS
    1. Send email with malicious link: safebank.com/welcome.php?query=<script>doEvil()</script>
    2. User clicks on the link with malicious params
    3. Server uses the params in a safe fashion, or ignores the malicious param
    4. Server returns safe HTML
    5. JavaScript code ON THE CLIENT uses the malicious params in an unsafe manner, causing code execution
  40. Practice 3
    WebGoat XSS. Goal: get familiar with XSS
    DVWA XSS, security level low && medium. Goal: get the cookie via XSS
  41. Summary
    What web application security is
    Basic functions of a web application (a lot more to be specified)
    How to use Burp Suite
    Command injection, SQL injection, XSS (detail and practice)
    SQL injection is not the end
  42. To be Continued…
    Security features of web applications && browsers (SOP, cookies, frames, localStorage)
    Blind SQL injection
    Rest of OWASP TOP 10 and practice
    New technology in web applications