Web Security - The Basics

$PNQVUFS4FDVSJUZBU/5645 *OOEZJOOEZUX!HNBJMDPN 8FC4FDVSJUZ5IF#BTJDT

4PVSDFDPEFPGIUUQTWVMTFDVSJUZOUVTUJTBWBJMBCMFBU IUUQTHJUIVCDPNJOOEZXFCTFD

XIPBNJ ˙ *OOEZ加啄 ˙ 1MBZ$5' ˙ 3FWFSTF&OHJOFFSJOH ˙ (BNF)BDLJOH ˙
JOOEZUX!HNBJMDPN

0VUMJOF ˙ *OUFSOFUBOE/FUXPSL ˙ 'SPOUFOE#BDLFOE ˙ )551 ˙ $PNNPO)551)FBEFST ˙
$PPLJF ˙ &ODPEJOH ˙ 44-5-4 ˙ 08"415PQ

*OUFSOFUBOE/FUXPSL

*OUFSOFUBOE/FUXPSL 1PSUPG,BPITJVOH

*OUFSOFUBOE/FUXPSL XXXOUVTUFEVUX

*OUFSOFUBOE/FUXPSL '51 44) 5FMOFU 155 )551
)5514 .Z42- 3%1 7/$ 3FEJT

8FC"SDIJUFDUVSF

4FSWFS $MJFOU Ճ)551PWFS*OUFSOFUՃ

#BDLFOE 'SPOUFOE Ճ)551PWFS*OUFSOFUՃ

OHJOYBQBDIFMJHIUUQE 1)1QZUIPOSVCZ )5.-$44 +BWB4DSJQU Ճ)551PWFS*OUFSOFUՃ

8FC'SPOUFOE

)5.- $44

)5.- $44 +BWB4DSJQU

8FC#BDLFOE

)5513FRVFTU

8IBUIBQQFOFEBGUFS&OUFS $MJFOU ˙ %/4MPPLVQ *GOFFEFE ˙ $SFBUF5$1DPOOFDUJPO ˙
44-IBOETIBLF *GOFFEFE ˙ $PNQPTFBOETFOE)551SFRVFTU

8IBUIBQQFOFEBGUFS&OUFS 4FSWFS ˙ "DDFQU5$1DPOOFDUJPO ˙ 1BSTFSFRVFTUIFBEFST ˙ $IFDLSPVUFSVMFT ˙
'JMFPS3FWFSTFQSPYZ

8IBUIBQQFOFEBGUFS&OUFS 'JMFCBTFE ˙ $IFDLJGMFFYJTUT ˙ *GOPU SFTQPOTFXJUIFSSPS ˙
*TJUBTUBUJDMF ˙ *GTP TFOEJUUPDMJFOU ˙ 0UIFSXJTF DBMMSFTQPOEJOHQSPDFTTPS ˙ .BZCFBDHJ QIQ QFSMTDSJQU ˙ 4FOESFTQPOTFUPDMJFOU

8IBUIBQQFOFEBGUFS&OUFS 4PGUXBSFSVMFT ˙ 1BSTFSFRVFTUGSPN)551TFSWFS ˙ 3PVUF ˙ %JTQBUDIDPOUSPMMFS ˙
1SPDFTTSFRVFTUBOE3FOEFSSFTQPOTFEBUB ˙ 4FOEJUCBDLUP)551TFSWFS ˙ 4FSWFSTFOESFTQPOTFEBUBUPDMJFOU

8IBUIBQQFOFEBGUFS&OUFS $MJFOU ˙ (PUSFTQPOTFEBUB .BZCFB)5.-EPDVNFOU ˙ 1BSTF)5.-BOE%PXOMPBESFMBUFEBTTFUT ˙
$44 *NBHF +BWB4DSJQU 'MBTI PS0UIFSNFEJBDPOUFOU ˙ 3FOEFSFOHJOFTUBSUXPSLJOHXJUI$44BOE)5.- ˙ 8FCLJU (FDLP #MJOL 5SJEFOU &EHF)5.- ˙ +BWB4DSJQUFOHJOFSVOUIFTDSJQUT ˙ 7 4QJEFS.POLFZ $BSBLBO $IBLSB 3IJOP

)5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>
<CRLF> title=title+text&msg=This+is+message+content. .FUIPE 1BUI 1SPUPDPM7FSTJPO "\r\n"JO$

)5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1<CRLF> Host: vul.security.ntu.st<CRLF> Content-Length: 45<CRLF> Content-Type: application/x-www-form-urlencoded<CRLF>
<CRLF> title=title+text&msg=This+is+message+content. 3FRVFTU)FBEFST 3FRVFTU#PEZ .BZCFCJOBSZEBUB

)5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct
2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... )5517FSTJPO 3FTQPOTF4UBUVT

)5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK<CRLF> Server: nginx<CRLF> Date: Thu, 06 Oct
2016 15:03:36 GMT<CRLF> Content-Type: text/html; charset=UTF-8<CRLF> Content-Length: 1973<CRLF> Connection: keep-alive<CRLF> <CRLF> <!DOCTYPE html>..... (1973 bytes) 3FTQPOTF)FBEFST 3FTQPOTF#PEZ .BZCFCJOBSZEBUB

-FUTUSZOD $ nc www.ntust.edu.tw 80 GET / HTTP/1.1 Host: www.ntust.edu.tw
<Enter> <Enter>

)5514UBUVT$PEF ˙ 99 ˙ *UTOF ˙ 99 ˙ 3FEJSFDUJPO ˙
99 ˙ *UTZPVSGBVMU ˙ 99 ˙ *UTNZGBVMU

)5514UBUVT$PEF ˙ 0, ˙ *UTBMMHPPE ˙ /P$POUFOU ˙ 3FRVFTUJTOFCVU*IBWFOPUIJOHUPUBML ˙
1BSJUBM$POUFOU ˙ *IBWFQBSUPGEBUBGPSZPV

)5514UBUVT$PEF ˙ .PWFE1FSNBOFOUMZ ˙ 'PVOE ˙ 7FSZDPNNPOGPSSFEJSFDUJPO ˙ /PU.PEJFE ˙
$BDIFJTOF ˙ 5FNQPSBSZ3FEJSFDU

)5514UBUVT$PEF ˙ #BE3FRVFTU ˙ :PVKVTUHBWFNFXSPOHUIJOHT ˙ 6OBVUIPSJ[FE ˙ 'PSCJEEFO ˙
:PVBSFOPUBMMPXFEIFSF ˙ /PU'PVOE ˙ .FUIPE/PU"MMPXFE ˙ *NBUFBQPU ˙ 6OBWBJMBCMF'PS-FHBM3FBTPOT

)5514UBUVT$PEF ˙ *OUFSOBM4FSWFS&SSPS ˙ &YDFQUJPOSBJTFEJOZPVSDPEF ˙ #BE(BUFXBZ ˙ 6QTUSFBNPGSFWFSTFQSPYZJTEFBE ˙
4FSWJDF6OBWBJMBCMF ˙ .BJOUFOBODFNPEF ˙ (BUFXBZ5JNFPVU ˙ 6QTUSFBNPGSFWFSTFQSPYZUJNFPVU

8IBUTUIFEJFSFODF

)551.FUIPE (&5 1045 165 1"5$) %&-&5& 015*0/4 )&"% $0//&$5 53"$&
$034 "QBDIFEFCVHQVSQPTF )551QSPYZ /PSFTQPOTFCPEZ

)551.FUIPE ˙ (&5 ˙ %PXOMPBETPNFUIJOHGSPNXFCTJUF ˙ 1045 ˙ 4FOETPNFUIJOHUPXFCTJUF ˙
)&"% ˙ +VTUHJWFNFSFTQPOTFIFBEFST CVU*EPOUXBOUCPEZ ˙ 53"$& ˙ "QBDIFXJMMSFUVSOXIPMFSFRVFTUBTQMBJOUFYUUPZPV ˙ $0//&$5 ˙ 4QFDJBMNFUIPEGPSQSPYZUPEFBMXJUI)5514SFRVFTU

)551.FUIPE 3&45GVM"1* ˙ (&5 ˙ (FUMJTUBSFTPVSDF ˙ 1045 ˙ $SFBUFBOFXSFTPVSDF
˙ 165 ˙ 3FQMBDFBOFYJTUFESFTPVSDF ˙ 1"5$) ˙ 1BSUJBMVQEBUFBOFYJTUFESFTPVSDF ˙ %&-&5& ˙ %FMFUFBOFYJTUFESFTPVSDF

$PNNPO3FRVFTU)FBEFST&TTFOUJBM ˙ )PTUOUVTU ˙ 3FRVJSFE ˙ :PVDBOIBWFNVMUJQMFXFCTJUFPOPOF*1IPTU

$PNNPO3FRVFTU)FBEFST$PNNPO ˙ "DDFQUUFYUIUNMUFYUQMBJO ˙ 8IJDIUZQFPGDPOUFOUEPFTDMJFOUBDDFQU ˙ "DDFQU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[
˙ )PXUPDPNQSFTTEBUB ˙ "DDFQU-BOHVBHF[IUXFO ˙ 8IBUMBOHVBHFEPZPVQSFGFS ˙ "MPUPGXFCTJUFDPOTJEFS[IUXBT[I

$PNNPO3FRVFTU)FBEFST$PNNPO ˙ 3FGFSFS63- ˙ 8IFSFEJEZPVGSPN ˙ 8FCQBHFBDPNCIUNMIBWF<img src="b.com/a.jpg"> ˙
3FRVFTUUPCDPNBKQHDPOUBJOTIFBEFS • Referer: http://a.com/b.html ˙ 1SJWBDZJTTVF ˙ KNQESPQCPYSFGFSFSWVM

$PNNPO3FRVFTU)FBEFST$PNNPO ˙ 6TFS"HFOU.P[JMMB .BDJOUPTI*OUFM.BD049SW (FDLP'JSFGPY ˙ *UUFMMTTFSWFSXIJDICSPXTFS041MBUGPSNBSFZPVVTJOH ˙ 3FEJSFDUHPHPPHMFDPNDISPNFJG*&EFUFDUFE
˙ 5FMMTTFSWFSXIJDIFYQMPJUQBZMPBEUPTFOE ˙ #BEGPSQSJWBDZ UPP

$PNNPO3FRVFTU)FBEFST"VUIFOUJDBUJPO ˙ "VUIFOUJDBUJPO #BTJD]#FBSFS "65)@50,&/ ˙ "VUIUPLFOJTVTVBMMZCBTFTUSJOH ˙ CBTF 64&3/".&1"44803%
GPS)551 CBTJDBVUIFOUJDBUJPO ˙ 0"VUIVTFT#FBSFS

$PNNPO3FRVFTU)FBEFST$POOFDUJPO ˙ $POOFDUJPOLFFQBMJWF ˙ 5$1IBOETIBLFJTFYQFOTJWF TPXFXBOUUPSFVTFFYJTUFEDPOOFDUJPO ˙ "TLTFSWFSOPUUPTIVUEPXO5$1DPOOFDUJPOBGUFSUIJTSFTQPOTF ˙ 4VQQPSUFETJODF)551
˙ 3FTQPOTFIFBEFSTXJMMDPOUBJOTBNFIFBEFSJGTFSWFSTVQQPSUTJU ˙ *UTVTFGVMBOEJNQPSUBOUUPFYQMPJUTPNFCVH FY"4-3QSPUFDUJPO

$PNNPO3FRVFTU)FBEFST3FRVFTU#PEZ ˙ $POUFOU-FOHUI ˙ *UNFBOTXFIBWFCZUFTPGCPEZDPOUFOUBGUFSSFRVFTUIFBEFST ˙ $POUFOU5ZQF.*.& • application/x-www-form-urlencoded ˙
/PSNBMGPSNQPTU • multipart/form-data; boundary=$RANDOM_STRING ˙ 4UBOEBSEMFVQMPBEUBLFTUIJT ˙ UZQJDBMCPVOEBSZGPSXFCLJU----WebKitFormBoundaryo3CVe... ˙ application/jsonGPS8FC"1*

$PNNPO3FRVFTU)FBEFST.JTD ˙ %/5 ˙ %P/PU5SBDL ˙ 93FRVFTUFE8JUI9.-)UUQ3FRVFTU ˙ 'PS"+"9SFRVFTUT ˙
3BOHFCZUFT ˙ 3FRVFTUQBSUJBMDPOUFOU %PZPVLOPX'MBTI(FU ˙ .VMUJUISFBEFEMFEPXOMPBE ˙ 9'PSXBSEFE'PS ˙ 1SPYZNBZBEEUIJTIFBEFSXIJMFGPSXBSEJOHSFRVFTUUPUBSHFUTFSWFS

$PNNPO3FTQPOTF)FBEFST3FTQPOTF#PEZ ˙ $POUFOU-FOHUI ˙ 5IJT)551SFTQPOTFIBTCZUFTPGCPEZDPOUFOU ˙ $POUFOU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[ ˙
*OEJDBUFXIBUDPNQSFTTJPONFUIPEXBTVTFEXJUISFTQPOTFEBUB ˙ $POUFOU5ZQF.*.& ˙ text/html; charset=utf-8JTWFSZDPNNPOJONPEFSOXFCQBHFT ˙ &5BH)"4) ˙ )BTIWBMVFGPSDBDIFEBUB

$PNNPO3FTQPOTF)FBEFST3FEJSFDU ˙ -PDBUJPOIUUQTHPPHMFDPN ˙ 3FEJSFDUJNNFEJBUFMZ ˙ 3FGSFTIVSMIUUQTTFDVSJUZOUVTU ˙ 3FEJSFDUCVUEFMBZGPSTFDPOET VTFGVMUPTIPXTPNFNFTTBHF

$PNNPO3FTQPOTF)FBEFST.JTD ˙ 4FSWFSOHJOY ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIJDI)551TFSWFSZPVBSFVTJOH ˙ 91PXFSFE#Z1)1 ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIBUMBOHVBHFZPVBSFVTJOH UPP
˙ %BUF5IV 0DU(.5 ˙ 4PNFTFSWFSTFOETEBUF JUTBHPPEXBZUPPCUBJOEBUF

$PNNPO3FTQPOTF)FBEFST4FDVSJUZ ˙ 99441SPUFDUJPONPEFCMPDL ˙ #BTJD944QSPUFDUJPO EFGBVMUFOBCMFEJO(PPHMF$ISPNF ˙ 3FGVTFUPFYFDVUF+4XIJDIBQQFBS ˙ 9'SBNF0QUJPOTEFOZ
˙ $BOUIJTXFCQBHFQVUUFEJOBJGSBNF ˙ $POUFOU4FDVSJUZ1PMJDZ ˙ *UTDPNQMJDBUFE JUQSPWJEFEBCVODIPGTFDVSJUZQSPUFDUJPO

$PPLJFT

ˊ8JLJQFEJB չ$PPLJFJTBTNBMMQJFDFPGEBUBTFOUGSPNB XFCLJUBOETUPSFEJOUIFVTFSTXFCCSPXTFS XIJMFUIFVTFSJTCSPXTJOHպ

$PPLJF ˙ "DPPLJFDPOUBJOT ˙ /BNF ˙ 7BMVF ˙ %PNBJO ˙
1BUI ˙ .BY"HF ˙ )5510OMZ'MBH ˙ 4FDVSF'MBH

$PPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJFTJOHMFQIQ ˙ 4FU$PPLJFTJOHMF@DPPLJFEBUB PG TJOHMF DPPLJF
˙ -FUTPCTFSWFJUJO$ISPNFTEFWFMPQFSUPPMT

$PPLJFBOE4FTTJPO ˙ 4FTTJPOJOEJFSFOUGSBNFXPSLNBZIBWFUIFJSJNQMFNFOUBUJPO ˙ #VUUIFZIBWFTBNFJEFB ˙ 4UPSFEBUBJOTPNFXIFSFTBGFUZBOEHJWFZPVUIFLFZ TFTJTPOJE ˙
&ODSZQUFEDPPLJF ˙ $BDIFTFSWJDF 3FEJT .FNDBDIFE ˙ 5FNQPSBSZMF 1)1TEFGBVMUTFTTJPO ˙ 4UPSFEJOEBUBCBTF

&ODPEJOH5FYU&ODPEJOH

&ODPEJOH ˙ )PXUPFYQSFTTBOVNCFS ˙ CJO#JOBSZ ˙ PJO0DUBM ˙ JO%FDJNBM
˙ YBDJO)FY ˙ =YD=YB=Y=YJOCZUFTMJUUMFFOEJBOJOUFHFS

5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS" ˙ STUBMQIBCFUJOVQQFSDBTF ˙ " ˙ BTDJJDPEFY

5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS꽺 ˙ 꽺 ˙ 6OJDPEFYFE ˙ #JH&ODPEJOH=YD=Y ˙
4UBUJDNBQQJOH ˙ 65'&ODPEJOH=YF=YB=YBE ˙ 8FIBWFBSVMFUPUSBOTGPSNCFUXFFOVOJDPEFBOE65'

&ODPEJOH 4(7TC(T*'EWDNYL*2

&ODPEJOH ˙ 8FBMTPIBWFPUIFSFODPEJOH ˙ )FYFODPEF ˙ CBTF ]] FODPEF ˙
63-&ODPEF

44-5-4

44-5VOOFM GET /user/login.php HTTP/1.1.... $MJFOU 4FSWFS

openssl s_client -host google.com -port 443

08"415PQ

08"41 0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDU

"6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET ˙ 4PNFUJNFTZPVOETPNFUIJOHJO63- ˙ FYBNQMFDPNMPHJOQIQ SFEJSFDUIPNFQIQ ˙ 8FDIBOHFSFEJSFDUUPBQIJTIJOHTJUF BOETFOEJUUPTPNFPOF ˙
FYBNQMFDPNMPHJOQIQ SFEJSFDUNBMXBSFDPNIPNFQIQ

"6TJOH$PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT ˙ 7VMOFSBCJMJUJFTJOUIJSEQBSUZMJCSBSZ ˙ &YDLFEJUPS

"$SPTT4JUF3FRVFTU'PSHFSZ $43' ˙ 4FOESFRVFTUGSPNBOPUIFSEPNBJO ˙ JNHTSDFYBQMFDPNMPHPVUQIQ ˙ IUUQTVQFSMPHPVUDPN ˙ &YQMPJU944CVHUPNBLFBGPSNBOEQPTUJU

".JTTJOH'VODUJPO-FWFM"DDFTT$POUSPM ˙ *DBODIBOHFPUIFSVTFSTQBTTXPSECVU*NOPUBENJO • curl https://vul.security.ntu.st/sqlinj/ --data 'truncate_confirm=1'

"4FOTJUJWF%BUB&YQPTVSF ˙ IUUQTWVMTFDVSJUZOUVTUTRMJOKDPOHJOD

"4FDVSJUZ.JTDPOHVSBUJPO • google('"index of"') ˙ 4PNFUJNFT JUMFBLTTPNFVTFGVMJOGPSNBUJPOUPIBDLFST

"*OTFDVSF%JSFDU0CKFDU3FGFSFODFT ˙ *VQMPBEFENZQSJWBUFQIPUPTUPTPNFXFCEJTL CVUBOZPOFDBO EPXOMPBEJUXJUIMFBLFE63-/PBDDFTTDPOUSPMPOUIBUMF

"$SPTT4JUF4DSJQUJOH 944 • "><script>alert(1)</script><br " ˙ %FNP

"#SPLFO"VUIFOUJDBUJPOBOE4FTTJPO.BOBHFNFOU • function is_admin() {  return $_COOKIE['role'] == 'admin;  }
˙ %FNP

"*OKFDUJPO • ' or '' = ' ˙ %FNP

4PNF6TFGVM5PPMT

#VSQ4VJUF

)BDLCBS

$PPLJF.BOBHFS

.PEJGZ)FBEFST

6TFS"HFOU4XJUDIFS

8BQQBMZ[FS

Web Security - The Basics

Web Security - The Basics

More Decks by Inndy

Other Decks in Technology

Featured

Transcript