Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Security - The Basics
Search
Inndy
October 07, 2016
Technology
0
600
Web Security - The Basics
2016/Computer Security at National Taiwan University of Science and Technology (NTUST)
Inndy
October 07, 2016
Tweet
Share
More Decks by Inndy
See All by Inndy
工程師一定要懂的 Text Encoding
inndy
1
570
資訊安全:麻瓜的黑魔法防禦術
inndy
3
2.7k
HackmeCTF 平台背後的心酸血淚史
inndy
2
780
COSCUP 2018 Lightning Talk - 審稿好難,所以我們來寫程式吧
inndy
0
390
逆向工程:從入門到放棄
inndy
7
3.4k
HITCON 2017 Zeroday 發表會
inndy
0
1.3k
No More Crypto Fails
inndy
33
7.8k
你再共用密碼啊
inndy
1
700
CTF From Zero To One
inndy
5
4.8k
Other Decks in Technology
See All in Technology
「自動テストのプラクティスを効果的に学ぶためのカードゲーム」 ( #sqip2024 )
teyamagu
PRO
2
180
CRTO/CRTL/OSEPの比較・勉強法とAV/EDRの検知実験
chayakonanaika
1
1.1k
四国クラウドお遍路 2024 in 高知 オープニング
yukataoka
0
200
サーバレスでモバイルアプリ開発! NTTコム「ビジネスdアプリ」のアーキテクチャ / The architecture of business d app
nttcom
12
240
技術的負債解消の取り組みと専門チームのお話
bengo4com
0
330
サプライチェーン攻撃に備える
ryunen344
0
270
Functional TypeScript
naoya
11
4.8k
「認証認可」という体験をデザインする ~Nekko Cloud認証認可基盤計画
logica0419
2
430
不動産 x AIことはじめ~データの真価を拓くために
estie
0
110
eBPFのこれまでとこれから
yutarohayakawa
9
3.1k
Next.js のページ遷移を全力で止める
ypresto
3
1.6k
Creative UIs with Compose: DroidKaigi 2024
chrishorner
1
480
Featured
See All Featured
Docker and Python
trallard
39
3k
Building Applications with DynamoDB
mza
90
6k
Statistics for Hackers
jakevdp
794
220k
Why Our Code Smells
bkeepers
PRO
334
56k
Music & Morning Musume
bryan
46
6k
YesSQL, Process and Tooling at Scale
rocio
167
14k
GitHub's CSS Performance
jonrohan
1029
450k
Rails Girls Zürich Keynote
gr2m
93
13k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Ruby is Unlike a Banana
tanoku
96
11k
Visualization
eitanlees
142
15k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
24
610
Transcript
$PNQVUFS4FDVSJUZBU/5645 *OOEZJOOEZUX!HNBJMDPN 8FC4FDVSJUZ5IF#BTJDT
4PVSDFDPEFPGIUUQTWVMTFDVSJUZOUVTUJTBWBJMBCMFBU IUUQTHJUIVCDPNJOOEZXFCTFD
XIPBNJ ˙ *OOEZ加啄 ˙ 1MBZ$5' ˙ 3FWFSTF&OHJOFFSJOH ˙ (BNF)BDLJOH ˙
JOOEZUX!HNBJMDPN
0VUMJOF ˙ *OUFSOFUBOE/FUXPSL ˙ 'SPOUFOE#BDLFOE ˙ )551 ˙ $PNNPO)551)FBEFST ˙
$PPLJF ˙ &ODPEJOH ˙ 44-5-4 ˙ 08"415PQ
*OUFSOFUBOE/FUXPSL
*OUFSOFUBOE/FUXPSL 1PSUPG,BPITJVOH
*OUFSOFUBOE/FUXPSL XXXOUVTUFEVUX
*OUFSOFUBOE/FUXPSL '51 44) 5FMOFU 155 )551
)5514 .Z42- 3%1 7/$ 3FEJT
8FC"SDIJUFDUVSF
4FSWFS $MJFOU Ճ)551PWFS*OUFSOFUՃ
#BDLFOE 'SPOUFOE Ճ)551PWFS*OUFSOFUՃ
OHJOYBQBDIFMJHIUUQE 1)1QZUIPOSVCZ )5.-$44 +BWB4DSJQU Ճ)551PWFS*OUFSOFUՃ
8FC'SPOUFOE
)5.-
)5.- $44
)5.- $44 +BWB4DSJQU
8FC#BDLFOE
)5513FRVFTU
8IBUIBQQFOFEBGUFS&OUFS $MJFOU ˙ %/4MPPLVQ *GOFFEFE ˙ $SFBUF5$1DPOOFDUJPO ˙
44-IBOETIBLF *GOFFEFE ˙ $PNQPTFBOETFOE)551SFRVFTU
8IBUIBQQFOFEBGUFS&OUFS 4FSWFS ˙ "DDFQU5$1DPOOFDUJPO ˙ 1BSTFSFRVFTUIFBEFST ˙ $IFDLSPVUFSVMFT ˙
'JMFPS3FWFSTFQSPYZ
8IBUIBQQFOFEBGUFS&OUFS 'JMFCBTFE ˙ $IFDLJGMFFYJTUT ˙ *GOPU SFTQPOTFXJUIFSSPS ˙
*TJUBTUBUJDMF ˙ *GTP TFOEJUUPDMJFOU ˙ 0UIFSXJTF DBMMSFTQPOEJOHQSPDFTTPS ˙ .BZCFBDHJ QIQ QFSMTDSJQU ˙ 4FOESFTQPOTFUPDMJFOU
8IBUIBQQFOFEBGUFS&OUFS 4PGUXBSFSVMFT ˙ 1BSTFSFRVFTUGSPN)551TFSWFS ˙ 3PVUF ˙ %JTQBUDIDPOUSPMMFS ˙
1SPDFTTSFRVFTUBOE3FOEFSSFTQPOTFEBUB ˙ 4FOEJUCBDLUP)551TFSWFS ˙ 4FSWFSTFOESFTQPOTFEBUBUPDMJFOU
8IBUIBQQFOFEBGUFS&OUFS $MJFOU ˙ (PUSFTQPOTFEBUB .BZCFB)5.-EPDVNFOU ˙ 1BSTF)5.-BOE%PXOMPBESFMBUFEBTTFUT ˙
$44 *NBHF +BWB4DSJQU 'MBTI PS0UIFSNFEJBDPOUFOU ˙ 3FOEFSFOHJOFTUBSUXPSLJOHXJUI$44BOE)5.- ˙ 8FCLJU (FDLP #MJOL 5SJEFOU &EHF)5.- ˙ +BWB4DSJQUFOHJOFSVOUIFTDSJQUT ˙ 7 4QJEFS.POLFZ $BSBLBO $IBLSB 3IJOP
)551
)5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>
<CRLF> title=title+text&msg=This+is+message+content. .FUIPE 1BUI 1SPUPDPM7FSTJPO "\r\n"JO$
)5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>
<CRLF> title=title+text&msg=This+is+message+content. 3FRVFTU)FBEFST 3FRVFTU#PEZ .BZCFCJOBSZEBUB
)5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct
2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... )5517FSTJPO 3FTQPOTF4UBUVT
)5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct
2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... (1973 bytes) 3FTQPOTF)FBEFST 3FTQPOTF#PEZ .BZCFCJOBSZEBUB
-FUTUSZOD $ nc www.ntust.edu.tw 80 GET / HTTP/1.1 Host: www.ntust.edu.tw
<Enter> <Enter>
)5514UBUVT$PEF ˙ 99 ˙ *UTOF ˙ 99 ˙ 3FEJSFDUJPO ˙
99 ˙ *UTZPVSGBVMU ˙ 99 ˙ *UTNZGBVMU
)5514UBUVT$PEF ˙ 0, ˙ *UTBMMHPPE ˙ /P$POUFOU ˙ 3FRVFTUJTOFCVU*IBWFOPUIJOHUPUBML ˙
1BSJUBM$POUFOU ˙ *IBWFQBSUPGEBUBGPSZPV
)5514UBUVT$PEF ˙ .PWFE1FSNBOFOUMZ ˙ 'PVOE ˙ 7FSZDPNNPOGPSSFEJSFDUJPO ˙ /PU.PEJFE ˙
$BDIFJTOF ˙ 5FNQPSBSZ3FEJSFDU
)5514UBUVT$PEF ˙ #BE3FRVFTU ˙ :PVKVTUHBWFNFXSPOHUIJOHT ˙ 6OBVUIPSJ[FE ˙ 'PSCJEEFO ˙
:PVBSFOPUBMMPXFEIFSF ˙ /PU'PVOE ˙ .FUIPE/PU"MMPXFE ˙ *NBUFBQPU ˙ 6OBWBJMBCMF'PS-FHBM3FBTPOT
)5514UBUVT$PEF ˙ *OUFSOBM4FSWFS&SSPS ˙ &YDFQUJPOSBJTFEJOZPVSDPEF ˙ #BE(BUFXBZ ˙ 6QTUSFBNPGSFWFSTFQSPYZJTEFBE ˙
4FSWJDF6OBWBJMBCMF ˙ .BJOUFOBODFNPEF ˙ (BUFXBZ5JNFPVU ˙ 6QTUSFBNPGSFWFSTFQSPYZUJNFPVU
8IBUTUIFEJFSFODF
)551.FUIPE (&5 1045 165 1"5$) %&-&5& 015*0/4 )&"% $0//&$5 53"$&
$034 "QBDIFEFCVHQVSQPTF )551QSPYZ /PSFTQPOTFCPEZ
)551.FUIPE ˙ (&5 ˙ %PXOMPBETPNFUIJOHGSPNXFCTJUF ˙ 1045 ˙ 4FOETPNFUIJOHUPXFCTJUF ˙
)&"% ˙ +VTUHJWFNFSFTQPOTFIFBEFST CVU*EPOUXBOUCPEZ ˙ 53"$& ˙ "QBDIFXJMMSFUVSOXIPMFSFRVFTUBTQMBJOUFYUUPZPV ˙ $0//&$5 ˙ 4QFDJBMNFUIPEGPSQSPYZUPEFBMXJUI)5514SFRVFTU
)551.FUIPE 3&45GVM"1* ˙ (&5 ˙ (FUMJTUBSFTPVSDF ˙ 1045 ˙ $SFBUFBOFXSFTPVSDF
˙ 165 ˙ 3FQMBDFBOFYJTUFESFTPVSDF ˙ 1"5$) ˙ 1BSUJBMVQEBUFBOFYJTUFESFTPVSDF ˙ %&-&5& ˙ %FMFUFBOFYJTUFESFTPVSDF
$PNNPO3FRVFTU)FBEFST&TTFOUJBM ˙ )PTUOUVTU ˙ 3FRVJSFE ˙ :PVDBOIBWFNVMUJQMFXFCTJUFPOPOF*1IPTU
$PNNPO3FRVFTU)FBEFST$PNNPO ˙ "DDFQUUFYUIUNMUFYUQMBJO ˙ 8IJDIUZQFPGDPOUFOUEPFTDMJFOUBDDFQU ˙ "DDFQU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[
˙ )PXUPDPNQSFTTEBUB ˙ "DDFQU-BOHVBHF[IUXFO ˙ 8IBUMBOHVBHFEPZPVQSFGFS ˙ "MPUPGXFCTJUFDPOTJEFS[IUXBT[I
$PNNPO3FRVFTU)FBEFST$PNNPO ˙ 3FGFSFS63- ˙ 8IFSFEJEZPVGSPN ˙ 8FCQBHFBDPNCIUNMIBWF<img src="b.com/a.jpg"> ˙
3FRVFTUUPCDPNBKQHDPOUBJOTIFBEFS • Referer: http://a.com/b.html ˙ 1SJWBDZJTTVF ˙ KNQESPQCPYSFGFSFSWVM
$PNNPO3FRVFTU)FBEFST$PNNPO ˙ 6TFS"HFOU.P[JMMB .BDJOUPTI*OUFM.BD049SW (FDLP'JSFGPY ˙ *UUFMMTTFSWFSXIJDICSPXTFS041MBUGPSNBSFZPVVTJOH ˙ 3FEJSFDUHPHPPHMFDPNDISPNFJG*&EFUFDUFE
˙ 5FMMTTFSWFSXIJDIFYQMPJUQBZMPBEUPTFOE ˙ #BEGPSQSJWBDZ UPP
$PNNPO3FRVFTU)FBEFST"VUIFOUJDBUJPO ˙ "VUIFOUJDBUJPO #BTJD]#FBSFS "65)@50,&/ ˙ "VUIUPLFOJTVTVBMMZCBTFTUSJOH ˙ CBTF 64&3/".&1"44803%
GPS)551 CBTJDBVUIFOUJDBUJPO ˙ 0"VUIVTFT#FBSFS
$PNNPO3FRVFTU)FBEFST$POOFDUJPO ˙ $POOFDUJPOLFFQBMJWF ˙ 5$1IBOETIBLFJTFYQFOTJWF TPXFXBOUUPSFVTFFYJTUFEDPOOFDUJPO ˙ "TLTFSWFSOPUUPTIVUEPXO5$1DPOOFDUJPOBGUFSUIJTSFTQPOTF ˙ 4VQQPSUFETJODF)551
˙ 3FTQPOTFIFBEFSTXJMMDPOUBJOTBNFIFBEFSJGTFSWFSTVQQPSUTJU ˙ *UTVTFGVMBOEJNQPSUBOUUPFYQMPJUTPNFCVH FY"4-3QSPUFDUJPO
$PNNPO3FRVFTU)FBEFST3FRVFTU#PEZ ˙ $POUFOU-FOHUI ˙ *UNFBOTXFIBWFCZUFTPGCPEZDPOUFOUBGUFSSFRVFTUIFBEFST ˙ $POUFOU5ZQF.*.& • application/x-www-form-urlencoded ˙
/PSNBMGPSNQPTU • multipart/form-data; boundary=$RANDOM_STRING ˙ 4UBOEBSEMFVQMPBEUBLFTUIJT ˙ UZQJDBMCPVOEBSZGPSXFCLJU----WebKitFormBoundaryo3CVe... ˙ application/jsonGPS8FC"1*
$PNNPO3FRVFTU)FBEFST.JTD ˙ %/5 ˙ %P/PU5SBDL ˙ 93FRVFTUFE8JUI9.-)UUQ3FRVFTU ˙ 'PS"+"9SFRVFTUT ˙
3BOHFCZUFT ˙ 3FRVFTUQBSUJBMDPOUFOU %PZPVLOPX'MBTI(FU ˙ .VMUJUISFBEFEMFEPXOMPBE ˙ 9'PSXBSEFE'PS ˙ 1SPYZNBZBEEUIJTIFBEFSXIJMFGPSXBSEJOHSFRVFTUUPUBSHFUTFSWFS
$PNNPO3FTQPOTF)FBEFST3FTQPOTF#PEZ ˙ $POUFOU-FOHUI ˙ 5IJT)551SFTQPOTFIBTCZUFTPGCPEZDPOUFOU ˙ $POUFOU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[ ˙
*OEJDBUFXIBUDPNQSFTTJPONFUIPEXBTVTFEXJUISFTQPOTFEBUB ˙ $POUFOU5ZQF.*.& ˙ text/html; charset=utf-8JTWFSZDPNNPOJONPEFSOXFCQBHFT ˙ &5BH)"4) ˙ )BTIWBMVFGPSDBDIFEBUB
$PNNPO3FTQPOTF)FBEFST3FEJSFDU ˙ -PDBUJPOIUUQTHPPHMFDPN ˙ 3FEJSFDUJNNFEJBUFMZ ˙ 3FGSFTIVSMIUUQTTFDVSJUZOUVTU ˙ 3FEJSFDUCVUEFMBZGPSTFDPOET VTFGVMUPTIPXTPNFNFTTBHF
$PNNPO3FTQPOTF)FBEFST.JTD ˙ 4FSWFSOHJOY ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIJDI)551TFSWFSZPVBSFVTJOH ˙ 91PXFSFE#Z1)1 ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIBUMBOHVBHFZPVBSFVTJOH UPP
˙ %BUF5IV 0DU(.5 ˙ 4PNFTFSWFSTFOETEBUF JUTBHPPEXBZUPPCUBJOEBUF
$PNNPO3FTQPOTF)FBEFST4FDVSJUZ ˙ 99441SPUFDUJPONPEFCMPDL ˙ #BTJD944QSPUFDUJPO EFGBVMUFOBCMFEJO(PPHMF$ISPNF ˙ 3FGVTFUPFYFDVUF+4XIJDIBQQFBS ˙ 9'SBNF0QUJPOTEFOZ
˙ $BOUIJTXFCQBHFQVUUFEJOBJGSBNF ˙ $POUFOU4FDVSJUZ1PMJDZ ˙ *UTDPNQMJDBUFE JUQSPWJEFEBCVODIPGTFDVSJUZQSPUFDUJPO
$PPLJFT
ˊ8JLJQFEJB չ$PPLJFJTBTNBMMQJFDFPGEBUBTFOUGSPNB XFCLJUBOETUPSFEJOUIFVTFSTXFCCSPXTFS XIJMFUIFVTFSJTCSPXTJOHպ
$PPLJF ˙ "DPPLJFDPOUBJOT ˙ /BNF ˙ 7BMVF ˙ %PNBJO ˙
1BUI ˙ .BY"HF ˙ )5510OMZ'MBH ˙ 4FDVSF'MBH
$PPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJFTJOHMFQIQ ˙ 4FU$PPLJFTJOHMF@DPPLJFEBUB PG TJOHMF DPPLJF
˙ -FUTPCTFSWFJUJO$ISPNFTEFWFMPQFSUPPMT
$PPLJFBOE4FTTJPO ˙ 4FTTJPOJOEJFSFOUGSBNFXPSLNBZIBWFUIFJSJNQMFNFOUBUJPO ˙ #VUUIFZIBWFTBNFJEFB ˙ 4UPSFEBUBJOTPNFXIFSFTBGFUZBOEHJWFZPVUIFLFZ TFTJTPOJE ˙
&ODSZQUFEDPPLJF ˙ $BDIFTFSWJDF 3FEJT .FNDBDIFE ˙ 5FNQPSBSZMF 1)1TEFGBVMUTFTTJPO ˙ 4UPSFEJOEBUBCBTF
&ODPEJOH5FYU&ODPEJOH
&ODPEJOH ˙ )PXUPFYQSFTTBOVNCFS ˙ CJO#JOBSZ ˙ PJO0DUBM ˙ JO%FDJNBM
˙ YBDJO)FY ˙ =YD=YB=Y=YJOCZUFTMJUUMFFOEJBOJOUFHFS
5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS" ˙ STUBMQIBCFUJOVQQFSDBTF ˙ " ˙ BTDJJDPEFY
5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS꽺 ˙ 꽺 ˙ 6OJDPEFYFE ˙ #JH&ODPEJOH=YD=Y ˙
4UBUJDNBQQJOH ˙ 65'&ODPEJOH=YF=YB=YBE ˙ 8FIBWFBSVMFUPUSBOTGPSNCFUXFFOVOJDPEFBOE65'
&ODPEJOH 4(7TC(T*'EWDNYL*2
&ODPEJOH ˙ 8FBMTPIBWFPUIFSFODPEJOH ˙ )FYFODPEF ˙ CBTF ]] FODPEF ˙
63-&ODPEF
44-5-4
44-5VOOFM GET /user/login.php HTTP/1.1.... $MJFOU 4FSWFS
openssl s_client -host google.com -port 443
08"415PQ
08"41 0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDU
"6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET ˙ 4PNFUJNFTZPVOETPNFUIJOHJO63- ˙ FYBNQMFDPNMPHJOQIQ SFEJSFDUIPNFQIQ ˙ 8FDIBOHFSFEJSFDUUPBQIJTIJOHTJUF BOETFOEJUUPTPNFPOF ˙
FYBNQMFDPNMPHJOQIQ SFEJSFDUNBMXBSFDPNIPNFQIQ
"6TJOH$PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT ˙ 7VMOFSBCJMJUJFTJOUIJSEQBSUZMJCSBSZ ˙ &YDLFEJUPS
"$SPTT4JUF3FRVFTU'PSHFSZ $43' ˙ 4FOESFRVFTUGSPNBOPUIFSEPNBJO ˙ JNHTSDFYBQMFDPNMPHPVUQIQ ˙ IUUQTVQFSMPHPVUDPN ˙ &YQMPJU944CVHUPNBLFBGPSNBOEQPTUJU
".JTTJOH'VODUJPO-FWFM"DDFTT$POUSPM ˙ *DBODIBOHFPUIFSVTFSTQBTTXPSECVU*NOPUBENJO • curl https://vul.security.ntu.st/sqlinj/ --data 'truncate_confirm=1'
"4FOTJUJWF%BUB&YQPTVSF ˙ IUUQTWVMTFDVSJUZOUVTUTRMJOKDPOHJOD
"4FDVSJUZ.JTDPOHVSBUJPO • google('"index of"') ˙ 4PNFUJNFT JUMFBLTTPNFVTFGVMJOGPSNBUJPOUPIBDLFST
"*OTFDVSF%JSFDU0CKFDU3FGFSFODFT ˙ *VQMPBEFENZQSJWBUFQIPUPTUPTPNFXFCEJTL CVUBOZPOFDBO EPXOMPBEJUXJUIMFBLFE63-/PBDDFTTDPOUSPMPOUIBUMF
"$SPTT4JUF4DSJQUJOH 944 • "><script>alert(1)</script><br " ˙ %FNP
"#SPLFO"VUIFOUJDBUJPOBOE4FTTJPO.BOBHFNFOU • function is_admin() { return $_COOKIE['role'] == 'admin; }
˙ %FNP
"*OKFDUJPO • ' or '' = ' ˙ %FNP
4PNF6TFGVM5PPMT
#VSQ4VJUF
)BDLCBS
$PPLJF.BOBHFS
.PEJGZ)FBEFST
6TFS"HFOU4XJUDIFS
8BQQBMZ[FS