Threat type (STRIDE): Spoofing (S), Tampering (T), Repudiation (R), Information disclosure (I), Denial of service (D), Elevation of privilege (E)

Threat type / Component | S | T | R | I | D | E | Threat list
User                    | V |   |   |   |   |   | S: the source is not verified
Add comment             |   |   |   |   | V | V | D: a large number of accesses may occur at the same time
                        |   |   |   |   |   |   | E: the program runs with excessive system privileges
Comment content         |   | V |   | V |   |   | T: the data is not integrity-protected
                        |   |   |   |   |   |   | I: the data is not encrypted
Comment data table      |   |   | V |   |   |   | R: data access is not logged
A1-Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
SQL Injection
Dynamic string concatenation in the SQL statement is the main reason the attack succeeds.
Query with the injected input:
SELECT * FROM Account
WHERE username='admin' or 1='1' AND
password='*'
Intended query:
SELECT * FROM Account
WHERE username= 'admin' AND
password='password'
SQL Injection
http://demo.testfire.net/login.jsp
SELECT * FROM Account
WHERE username=''or'1'='1' AND password='*'
Vulnerability opportunity: a single quote character
'
Rewriting the database access code
Traditional style code example: Bad, SQL Injection
string userName = ctx.getAuthenticatedUserName();
// user-controlled ItemName.Text is concatenated straight into the SQL text
string query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + ItemName.Text + "'";
SqlDataAdapter sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
...
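The same bad pattern beside its parameterized rewrite, as an added example that is not from the slides: Python with the standard-library sqlite3 module stands in for C#/SqlDataAdapter so it runs offline, and the Account table, its rows, the payload string and the function names are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Account table on the slides
    (plaintext passwords only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Account (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Account VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: dynamic string concatenation, like the C# snippet above."""
    query = ("SELECT username FROM Account WHERE username='" + username
             + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    query = "SELECT username FROM Account WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the slide's tautology payload against both versions."""
    conn = make_db()
    payload = "admin' or '1'='1"  # AND binds tighter, so username='admin' alone matches
    return {
        "concat_legit": login_concat(conn, "admin", "s3cret"),
        "concat_injected": login_concat(conn, payload, "wrong"),   # 'admin'
        "param_legit": login_param(conn, "admin", "s3cret"),
        "param_injected": login_param(conn, payload, "wrong"),     # None
    }


def probe_single_quote(conn):
    """The lone quote from the slide: concatenation turns it into a syntax
    error (a tell-tale in error logs), a placeholder treats it as plain text."""
    try:
        login_concat(conn, "'", "x")
        concat_error = False
    except sqlite3.OperationalError:
        concat_error = True
    return concat_error, login_param(conn, "'", "x")
```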
Password Crackers
John the Ripper
http://www.openwall.com/john/
DES/MD5/Salted MD5/LM
John The Ripper MPI Patch
http://bindshell.net/tools/johntheripper
DES/MD5/Salted MD5/LM/NTLM/…
Cain & Abel
http://www.oxid.it/
LM/NTLM/MD5/SHA1/…
RainbowCrack
http://www.antsight.com/zsl/rainbowcrack/
MD5/SHA1/LM/NTLM/…
Java Secure Hashing
https://howtodoinjava.com/security/how-to-generate-secure-password-hash-md5-sha-pbkdf2-bcrypt-examples/
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

private static byte[] getSalt() throws NoSuchAlgorithmException
{
    // Always use a SecureRandom generator
    SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
    // Create array for salt
    byte[] salt = new byte[16];
    // Get a random salt
    sr.nextBytes(salt);
    // return salt
    return salt;
}
Protection recommendations
For encryption keys
Do not write encryption keys or database access credentials into the program.
For the configuration store
Encrypt its contents.
.NET : Aspnet_setreg.exe
https://support.microsoft.com/en-us/help/329290/how-to-use-the-asp.net-utility-to-encrypt-credentials-and-session-stat
04 XML External Entities
XML External Entities
XML external entity attack
This vulnerability occurs when an application parses XML input without disallowing the loading of external entities.
It is mainly an attack method against web applications that interact using XML.
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
XML Basic
https://www.cnblogs.com/r00tuser/p/7255939.html
* External DTD declaration
<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
<to>George</to>
<from>John</from>
<heading>Reminder</heading>
<body>Don't forget the meeting!</body>
</note>
* Internal DTD declaration
<?xml version="1.0"?>
<!DOCTYPE note [
<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)>
]>
<note>
<to>George</to>
<from>John</from>
<heading>Reminder</heading>
<body>Don't forget the meeting!</body>
</note>
All Your Nodes Are Belong To Us
https://www.bishijie.com/shendu_2085
The Story of an EOS Chain Remote Code Execution Bug
All Your Nodes Are Belong To Us
Reviewing EOS source code on Github
http://blogs.360.cn/post/eos-node-remote-code-execution-vulnerability.html
The Story of an EOS Chain Remote Code Execution Bug
(the world's largest male dating site)
All Your Nodes Are Belong To Us
The Bug in Web Assembly Sample Code :
libraries/chain/webassembly/binaryen.cpp (Line 78)
Function binaryen_runtime::instantiate_module
The Story of an EOS Chain Remote Code Execution Bug
Out-of-Bounds Write Here
• Useless checking here: assert doesn't work in release build
• Copy-pasted code from WebAssembly project wasm-js.cpp
• No code review & misunderstanding the scope of assert
The Bug
The table is a std::vector and is resized before being written to
The valid value of module->table.initial is 0~1024
The offset is a signed int32 read from the WASM file
By manipulating the fields of the WASM file, we could
overwrite memory behind the table vector
Bug Reporting
We directly contacted Daniel Larimer on Telegram and sent the bug report to him
Bug Fixing
The Final Fixed Version
Force-converted the "offset" to unsigned int64 to avoid the overflow
The Bug is Fixed, But…
The Truth is…
They lost "significant" money because the fact that EOS is buggy was leaked
740M USD (22B TWD) of EOS market cap vanished 2 hours after our report