Web Black Magic: Mumi Edition - Web Security Basics
TRANSCRIPT
Web Black Magic: Mumi Edition
Web Security: Basics
Splitline @ 台科資安社 (NTUST Information Security Club), 2017/10/12

A quick, casual self-intro.
● I'm 黃志仁 (Splitline)
● Computer Science, sophomore, class A (四資工二甲)
● President of the 廢文社 (shitposting club)
● No skill tree, only a skill savanna

Outline: what are we going to do
● Front end? Back end?
● Intro to HTTP
○ What is HTTP?
○ Request methods
● Web knowledge
○ Cookies
○ A casual intro to PHP syntax
● OWASP Top 10: a basic intro to the ten big vulnerability classes
● Handy tools

Anyway, first a basic-concepts intro that probably won't be interesting.

Back end? Front end?

Back End                                 Front End
What you can't see                       What you can see
Server                                   Client
Apache, nginx; PHP, Django, RoR          HTML, CSS, JavaScript

So, what the heck is HTTP anyway?

Every time we browse a web page, we're making an HTTP request.

How do we hand data to a web page?

GET Request
Here's an example 🌰
http://moodle.ntust.edu.tw/course/view.php?id=13970
Key    Value
id     13970

POST Request
Anywhere that looks like it has an input box, 87% of the time it's a POST.
Tools for observing requests
● Burp Suite
● Tamper Data (Firefox add-on)

Other methods
● HEAD: give me the response without the body
● TRACE: Apache sends the whole request back to you as plain text (used for debugging)
● CONNECT: the method a proxy uses to handle HTTPS
● PUT: move a resource
● PATCH: update part of the data
● DELETE: delete data
The last three are for expressing semantics in RESTful APIs.

This is roughly what a request actually looks like:
POST /login/index.php HTTP/1.1\r\nHost: moodle.ntust.edu.tw\r\nReferer: http://moodle.ntust.edu.tw/\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 56\r\nCookie: _ga=GA1.4.69562738 (omitted)\r\n\r\nusername=B105XXXXX&password=p@55w0rd&rememberusername=1
● Request Method: the first word of the first line (POST)
● Request Header: everything up to the blank line (\r\n\r\n)
● Request Body: everything after the blank line (the form fields)
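As an added example (not from the original slides), a small Python parser that splits the request above into request line, headers and body, pulls out the form fields and cookies, decodes a GET query string like the id=13970 one, and compares the declared Content-Length with the body actually present. The request text is reproduced from the slide with the cookie value truncated as it is there.

```python
from urllib.parse import parse_qs, urlsplit

# The login request from the slide (cookie value truncated as on the slide).
RAW_REQUEST = (
    "POST /login/index.php HTTP/1.1\r\n"
    "Host: moodle.ntust.edu.tw\r\n"
    "Referer: http://moodle.ntust.edu.tw/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 56\r\n"
    "Cookie: _ga=GA1.4.69562738\r\n"
    "\r\n"
    "username=B105XXXXX&password=p@55w0rd&rememberusername=1"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")  # the blank line ends the header block
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ")  # request line: METHOD PATH VERSION
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # header names are case-insensitive
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}

def query_params(path):
    """Key/value pairs after '?' in a path, like id=13970 on the GET slide."""
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}

def form_fields(req):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    if req["headers"].get("content-type") != "application/x-www-form-urlencoded":
        return {}
    return {k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()}

def cookies(req):
    """Parse the Cookie header ('name=value; name2=value2') into a dict."""
    jar = {}
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar

def content_length_check(req):
    """Return (declared, actual) body length; a server frames the body by the declared value."""
    declared = int(req["headers"].get("content-length", "0"))
    return declared, len(req["body"].encode("utf-8"))
```

On the slide's request the declared Content-Length (56) is one byte more than the body shown (55 bytes), so a real server would keep waiting for one more byte before treating the request as complete. Checking that the two agree is the first thing a server or proxy must do before it can trust where the body ends.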

This is roughly what a response actually looks like:
HTTP/1.1 200 OK\r\nDate: Thu, 05 Oct 2017 18:44:14 GMT\r\nServer: Apache\r\nContent-Length: 82\r\nContent-Type: text/html\r\nConnection: keep-alive\r\n\r\n<html><head></head>….</html>
● Status Code: the 200 OK on the first line
● Response Header: everything up to the blank line (\r\n\r\n)
● Response Body (Content): the HTML after the blank line

HTTP Status Code: what is the server trying to tell you?
● 2xx Success: fine, OK, cool.
● 3xx Redirection: I moved everything over there, go look there.
● 4xx Client Error: what the hell are you even doing?
● 5xx Server Error: what the hell just happened to me?

Then you can try it yourself:
$ nc www.google.com 80
GET / HTTP/1.1
Host: www.google.com
[enter]
[enter]

Hey, let's look at some tasty Cookies

A Cookie is
a little thing stored on the user's side.
A Cookie contains:
● Name
● Value
● Domain
● Path
● Max-Age
● HTTP-Only flag

Let's hit F12.

A word about SESSION
● The user's Cookie stores the SESSION id
● The server stores the detailed data corresponding to that SESSION id

The user's Cookies
Name      Value
SESSION   qwertyuiopasd

The server's database
id             Data
mkwqwdvimiia   ...
qwertyuiopasd  username=123&gender=male
imnybehdbjsls  ...
sauduahuivas   ...

A casual intro to PHP syntax
● echo <string/variable>; // print text
● $i = 1; // int i = 1; PHP doesn't declare a type when declaring a variable
● $_GET, $_POST, $_COOKIE, $_SESSION
● Most of the rest is ordinary; just Google any function you don't know.

The basics have roughly been covered (I think).
Let's talk about all kinds of magical vulnerabilities.

OWASP Top 10: ten cute holes!
Open Web Application Security Project

Anyway, it's roughly like this:
● A1-Injection
● A2-Broken Authentication and Session Management
● A3-Cross-Site Scripting (XSS)
● A4-Broken Access Control
● A5-Security Misconfiguration
● A6-Sensitive Data Exposure
● A7-Insufficient Attack Protection
● A8-Cross-Site Request Forgery (CSRF)
● A9-Using Components with Known Vulnerabilities
● A10-Underprotected APIs

A10 Underprotected APIs
● In this era, everything calls APIs everywhere
● The front end has protection, but the API side didn't do any security QQ

A9 Using Components with Known Vulnerabilities
● Packages and frameworks are handy, right?
● But once they're in, nobody maintains them; no timely updates QQ
● Opening backdoors for other people _(:3

A8 Cross-Site Request Forgery (CSRF)
● Sending a request from another domain
● Works great combined with XSS
● Demo!

A7 Insufficient Attack Protection
● No ability to detect, prevent, or respond to attacks

A6 Sensitive Data Exposure
● Files that shouldn't be seen get seen
● http://vulnerable.site/config.inc
● Google Hacking Database (GHDB)

A5 Security Misconfiguration
● Settings like permissions or Debug mode configured badly
● May leak important information
● "Index of"

A4 Broken Access Control
● I can do things that my user shouldn't be able to do!
● Demo!

A3 Cross-Site Scripting (XSS)
「<script> alert("XSS")</script>」
● Demo!

A2 Broken Authentication and Session Management
● I set up access control, but actually it has a bug
● Demo!

A1 Injection
● Injection attacks
● If: (the admin has 「」) holds,
➡ then show the data
● If: (the admin has 「Mumi」) holds,
➡ then show the data
● If: (the admin has 「Mumi」 or 「Mumi」 is 「Mumi」) holds,
➡ then show the data
● ' or ''='
● ' or 1=1#
● Demo!
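As an added example (not from the slides), the "admin has Mumi, or Mumi is Mumi" logic in Python with SQLite: a login query built by string concatenation next to the parameterised version, both run with the slide's ' or ''=' payload. The users table and its single row are constructed for the demo; the slide's second payload, ' or 1=1#, is not shown because # is a MySQL comment marker that SQLite does not accept.

```python
import sqlite3

# Payload from the slide: closes the password string and appends an always-true comparison.
PAYLOAD = "' or ''='"

def make_db():
    """In-memory users table with one constructed row (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'mumi', 'secret-for-admin')")
    conn.commit()
    return conn

def build_vulnerable_sql(username, password):
    """String concatenation: the user's input becomes part of the SQL grammar."""
    return ("SELECT secret FROM users WHERE username='%s' AND password='%s'"
            % (username, password))

def login_vulnerable(conn, username, password):
    # With PAYLOAD the WHERE clause becomes   username='admin' AND password='' or ''=''
    # and, because AND binds tighter than OR, it is true for every row in the table.
    return [row[0] for row in conn.execute(build_vulnerable_sql(username, password))]

def login_safe(conn, username, password):
    """Parameterised query: the input is always treated as data, never as SQL."""
    sql = "SELECT secret FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]
```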

Final Q&A

That's it, bye, thanks everyone.
By the way, there's a next time owo)/