Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTP协议相关的若干安全问题
Search
LI Daobing
August 09, 2013
Programming
1.2k
9
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
HTTP协议相关的若干安全问题
LI Daobing
August 09, 2013
More Decks by LI Daobing
See All by LI Daobing
How to attack TLS in PQC decade, part I
lidaobing
0
52
出了问题不要靠猜
lidaobing
40
4.1k
Debian & Packaging
lidaobing
1
580
Java 质量保障
lidaobing
3
310
OAuth: How and Why?
lidaobing
1
160
从 Struts 迁移到 Spring MVC,以及为什么?
lidaobing
2
670
glusterfs 文件系统
lidaobing
2
210
如何学习 Shell
lidaobing
3
340
Other Decks in Programming
See All in Programming
なぜ型を書くのか? TSKaigi2026で改めて考える #tskaigi_smarthr
kajitack
0
340
Embedded SREと共に達成した会員管理システムのAWS移行 - SRE NEXT 2026 ランチスポンサーセッション
niftycorp
PRO
1
2.3k
【やさしく解説 設計編・中級 #1】一つの車に、運転手は一人 ~ある倉庫システムの事例から~
panda728
PRO
0
170
LaravelLive Japan の裏方のすべて — 第188回 PHP勉強会@東京 (2026-06-24)
suguruooki
2
150
AI時代、エンジニアはどう育つのか -未経験エンジニアの成長を間近で見て考えたこと-
thasu0123
0
100
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
220
任せる範囲はこう広がった / How the Scope of AI Delegation Has Expanded
nrslib
1
250
AI がコードを書く時代における新卒エンジニアの仕事風景 (2026) / New Graduate Engineers in the Era of AI Coding (2026)
sushichan044
0
220
Vue × Nuxt × Oxc どこまで使える?実運用の現在地
andpad
0
370
その問い、本当に正しいですか?AI時代のエンジニアに必要な哲学と認知科学 / ai-philosophy-cognitive-science
minodriven
14
6.8k
Generative UI & AI-Assistants for Your Angular Solutions
manfredsteyer
PRO
1
160
吝嗇家のためのAI活用 / AI development for miser - ChatGPT + Issue Driven Development
tooppoo
0
180
Featured
See All Featured
Building an army of robots
kneath
306
46k
Designing Experiences People Love
moore
143
24k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
12
1.2k
Paper Plane
katiecoart
PRO
2
52k
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
1
690
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
signer
PRO
0
3.6k
The SEO identity crisis: Don't let AI make you average
varn
0
510
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
3.7k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
3
920
Test your architecture with Archunit
thirion
1
2.3k
How STYLIGHT went responsive
nonsquared
100
6.2k
Transcript
HTTP协议相关的若干安全问 题 LI Daobing <
[email protected]
> https:/ /github.com/lidaobing Friday, August 9,
13
194011݄7 http:/ /en.wikipedia.org/wiki/Tacoma_Narrows_Bridge_(1940) Friday, August 9, 13
19884݄28 http:/ /en.wikipedia.org/wiki/Aloha_Airlines_Flight_243 Friday, August 9, 13
20022݄? http:/ /en.wikipedia.org/wiki/SQL_injection Friday, August 9, 13
问题 㟬 现 ࡏࡏ 过桥 త 时 ީձ୲৺ 这
问题 㜮ʁ ʢҼ 为桥 తݐஜ 设计师 ੋ༗ 证 తʁʣ 㟬 现 ࡏࡏ࠱ 飞 صత 时 ީձ୲৺ 这 问题 㜮ʁ ʢҼ 为飞 صత 设计师 ੋ༗ 证 తʁʣ Friday, August 9, 13
问题 㟬্᠓త 时 ީ୲৺㟬తີ 码 /㟨҆શ㜮ʁ զ 还 ୲৺ɼݪҼ 这
࿙ಎग़ 现 త 时间还 ෆ䭧 长 ʁ 㟬㣛తɼ䇖 发 ᠓తੋᏠ 证 ఔং 员 ීวෆࡏҙ҆શ 问题 Friday, August 9, 13
HTTP 协议 ૬䎔తएׯ҆ ॄ㜮ੋ HTTP 协议 GET ܕ CSRF POST
ܕ CSRF ۲߸ 问题 SSL Same Origin Policy ༩ ލҬ௨৴ HTTP Headers Friday, August 9, 13
ෆ 讲 ॄ㜮 DDoS DoS: લऀ䳭ྲྀᔁ, ऀ䳭Ꮰ 赖 软
݅࿙ಎ: 紧盯 CVE 发 ߦ൛త҆શ௨ࠂ XSS: ଖ 实这 ࠽ੋେ 头 SQL Inject: 这 2013ྃ, 㟬ཁল HTTP Cache: 细节 ଠଟɼ 还 ࢉ҆શ Friday, August 9, 13
访问 Ұ᠓ 页 Friday, August 9, 13
༻HTTP 协议 ၏ॄ㜮ʁ Լ 载 ᠓ 页 Լ 载图 ย
Լ 载 CSS Լ 载 JS Լ 载 ࣈମ AJAX Լ 载 swf, ... Friday, August 9, 13
HTTP 协议 ᣂྫ $ curl -v http:/ /www.google.com.hk/ > GET
/ HTTP/1.1 > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5 > Host: www.google.com.hk > Accept: */* > < HTTP/1.1 200 OK < Date: Wed, 24 Apr 2013 13:15:02 GMT < Expires: -1 < Cache-Control: private, max-age=0 < Content-Type: text/html; charset=Big5 < Set-Cookie: PREF=ID=5dee4c0efb2fd080:FF=0:NW=1:TM=136680[snip] < Set-Cookie: NID=67=DyKygko82Qz6Xxjed6pZEZvekjy6YFHRAEh[snip] < Server: gws < X-XSS-Protection: 1; mode=block < X-Frame-Options: SAMEORIGIN < Transfer-Encoding: chunked < <!doctype html><html><head>...</head><body>...</body></html> Friday, August 9, 13
telnet 拟 HTTP 请 ٻ Friday, August 9, 13
CSRF ੋॄ㜮ʁ Cross-site request forgery (ލ 请 ٻ 伪 )
༻ 户 ظҰߦ 为 ʢൺ 转账 ɼථɼ䎔 闭 bug, ...ʣੋࡏ 对应 త᠓্ 发 ੜɼୠࡏ 访问 Ұ ෆ૬䎔త᠓ 时 ٫৮ 发 ྃ 该 ߦ 为 ൺզࡏ䶯ḦɼᏠᡅ 图 ɼ 结 Ռ৮ 发 ྃզ ࡏ 17startup ্ 给 ᠓ྃ5 Friday, August 9, 13
GET ܕ CSRF Friday, August 9, 13
GET ܕ CSRF 17startup తථ 请 ٻ: http:/ /17startup.com/ startup/vote/9439/5
߈ 击 ख๏1: 发 ૹurl 给 डਓɼՌड ਓቮ 经 ొ 录 17startup ኂ 击 ྃ url, बೳ 㢦㟬ථ Friday, August 9, 13
伪 图 ย http:/ /is.gd/eGsWc7.jpg વ 发 ౸䬟ࠣࢧ࣋֎ 链
త 论坛 , डਓՌቮ 经 ొ 录过 17startup, ಹ㜮 访问这 论坛时 बՄҎ 㢦㟬ථ ߋత 伪 : ߈ 击图 ย์ࡏ႓ 张 ਖ਼ৗ 图 ยத 间 Friday, August 9, 13
ޚ GET ܕ CSRF ຌੋधཁߋվ 务 ثঢ় 态 త 请
ٻɼෆಘ༻ GET, ՄҎ༻ POST, PUT, DELETE Friday, August 9, 13
ٕ 术时间 : Request Method ҆શ 幂 HEAD √
√ GET √ √ POST × × PUT × √ DELETE × √ PATCH × × TRACE, OPTIONS, CONNECT (TRACK, DEBUG) Friday, August 9, 13
POST ܕ CSRF Friday, August 9, 13
POST ܕత CSRF Friday, August 9, 13
۩ମԿૢ࡞ ࡏࣗݾత 页 ໘ 设 ஔҰiframe, iframe ཬ 边 ༗
Ұ form, ࢦඃ߈ 击 ɼኂ༻ JS ৮ 发 ࣗ 动 ఏަ (҃ऀ 诱导 डਓఏަ) Ҿ 导 डਓ 访问 㟬త 页 ໘ Friday, August 9, 13
ҙࣄ 项 iframe શՄҎੋ 隐 ܗతɼॴҎडਓՄೳ શ༗ 觉 ౸ቮ 经
ड౸߈ 击 ྃ 验证码对这 䝅߈ 击 ޚᏈՌࠩɼҼ 为 զՄҎ 验证码 过 དྷ 诱导 ༻ 户 రࣸɻ Friday, August 9, 13
Կޚ form ཬ 边 ՃCSRF TOKENʢ፺ࡧ㟬తᐽՍ໊শ +CSRFबೳፙ౸େྔతจᑆʣ ༻ෆؚ form త
AJAX 时 , ဓ HTML தఏऔ CSRF TOKEN Ճೖ㟬తࢀɻ 䐾 查 ᠓తAPI: 㟬త API Մೳձඃ༻ဋ POST CSRF ߈ 击 ɻ Friday, August 9, 13
۲߸ 问题 这问题 ্զ൜ 过错误 EverBox 项 测时 ग़
过 ۲߸ 问题 Friday, August 9, 13
۲߸ݪཧ sinatra ᐽՍ᠍ল༻ rack-session rack-session ༻ Kernel.rand དྷੜ session id
memcache session storage ༗၏ session id ੋ൱ଘࡏత 检验 unicorn ༻ fork དྷੜଟ 进 ఔ(䫩গ 启动时 Friday, August 9, 13
ٕ 术时间 : Session อଘ 问题 优 ᠍ Cookie
Session ߱ 务 压 ྗ䐾 杂 ੑ ਾᔔ࿐, େখݶ੍, ࿘ 费 ྲྀ ྔɼᏠ๏㖘੍ొग़ Memcache Session ෆґ 赖 ဋਾ 库 ༻ 户 मվີ 码 ొग़༻ 户 ຑ 烦 ɼਗ਼ཧ cache 时 ձ 导 க༻ 户 ొग़ Database Session ޭೳ㖘େ ফਾ 库资 ݯ Friday, August 9, 13
Session ߷࣋ޚ Session Id Ӭ 远 ෆཁग़ 现 ࡏ HTML
த Session Id త Cookie Ӭ 远 ཁ HttpOnly 记录浏览 ثগ 变 Խత HTTP 头 User Agent Accept Encoding Accept Language IP(?) Friday, August 9, 13
SSL 历 ࢙༩ 现 ঢ় SSL 2.0 త҆શ࿙ಎ ଖଞ߈ 击
ํࣜ SSL 3.0 / TLS 1.0 త҆શ࿙ಎ Friday, August 9, 13
SSLత 历 ࢙ SSL 1.0, Netscape 䇖 发 ɼະެ䇖 SSL
2.0, 19952݄ SSL 3.0, 1996 TLS 1.0(RFC2246) ≈ SSL 3.0, 1999 TLS 1.1(RFC 4346), 20064݄ Friday, August 9, 13
SSL ࢧ࣋ႎ [ې༻] SSL 2.0, 19952݄ [OK] SSL 3.0, 1996
[OK] TLS 1.0(RFC2246) ≈ SSL 3.0, 1999 [ෆࢧ࣋] TLS 1.1(RFC 4346), 20064݄ [ෆࢧ࣋] TLS 1.2(RFC 5246, 6176), 20088݄ Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) MAC = MD5(secret + content) MAC2 = MD5(secret + content+ attack_suffix) Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) 2. ҆શ߱ 级 ߈ 击 ༻໌จ 协 ௨৴ࣜɼத 间 ՄҎ 篡 վ௨৴ ߱Ճີ 级 䫲 Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) 2. ҆શ߱ 级 ߈ 击 3. TCP 䎔 闭 ߈ 击 SSL ༻ TCP FIN དྷ 结 ଋɼத 间 ਓՄҎ௨ 过 发 ૹ TCP FIN དྷׯ 扰 SSL 连 (٬ 户 ෆ ձҙ 识 ౸ඃ߈ 击 ) Friday, August 9, 13
SSL తଖଞ҆શ 问题 证书问题 ෆཁ༻ࣗ 签 ໊త 证书 ෆཁ 让
༻ 户 ҆ࠜ 证书 䇖௨ެڞ 邮 ശతޭೳతҬ্໊࠷ෆཁਃ 请 证书 (sohu 邮 ശத 过 ট) Friday, August 9, 13
SSLStrip େ෦ https 请 ٻདྷࣗ http త 转 恶 ҙத
间 ਓՄҎ 拦 ፊ 请 ٻɼ 导 கத 间 ਓ༩ 浏览 ثత௨৴ 为 ໌จ Friday, August 9, 13
SSLStrip తޚ HTTP Header: Strict-Transport-Security 预 ஔधཁ https త᠓ྻද: chrome
ࢧ࣋ Friday, August 9, 13
SSL 3.0 / TLS 1.0 త 风险 BEAST ߈ 击
: ར༻ CBC(Cipher-block chaining) తҰ᠍᮷ CRIME ߈ 击 : 构 䉰ኂ 观 压缩 RC4 ߈ 击 : 长时间 ༻ಉҰ key 导 கඃ߈ 击 Friday, August 9, 13
CRIME ߈ 击 ၊ఆ㟬త session id 为 a1b2c3d4 ಹ㜮Ռ 请
ٻࢀؚ༗ a1b ҃ऀ 1b2 ҃ऀ b2c 时 ɼ 请 ٻత 压缩 ՄҎఏߴ(SSL ҃ ऀ SPDY ձ 启 ༻ 压缩 ) ༻ sniffer 监 ჶ㑌 请 ٻత 长 ɼፙ౸ 压缩 ภߴతแɼࡏࠜਾยஈॏ৽㣥䫪ग़ cookie Friday, August 9, 13
Same Origin Policy ༩ ލ Same Origin Policy 对 ෆಉҬݶ੍:
frame ೭ 间 ෆೳޓ૬ 访问 发 ىత GET 请 ٻᏠ๏ 获 औ༰ Ꮰ๏ 发 ى POST ܕ AJAX 请 ٻ(ୠՄҎ POST FORM) Ꮰ๏༻ࣈମ/Flash/Java Applet ɻɻɻ Friday, August 9, 13
ղႊํҊ1 JSONP ೳੋ GET 请 ٻ Ꮰ๏্ 传 จ݅ ഁᆀ
语义 /CSRF߈ 击 长 ݶ੍ Friday, August 9, 13
ղႊํҊ2 CORS (Cross-origin resource sharing) Access-Control-Allow-Origin: * ༻ AJAX ্
传 จ݅ (ൺ S3 बࢧ࣋) Ҹ 许 ލҾ༻ font, swf(?) খܕ 应 ༻ ݐ 议 ༻ಠཱҬ໊ɼආ໔ඃ߈ 击 Friday, August 9, 13
ղႊํҊ3 Cross-document messaging window.postMessage(‘hello’, ‘http:/ / example.com`) IEࢧ࣋ෆଠ: IE8 Ҏલෆࢧ࣋,
IE8 ෦ࢧ ࣋(ࢧ࣋iframe), IE10 શ෦ࢧ࣋ Friday, August 9, 13
HTTP Headers Cookie HttpOnly: ආ໔ session id ඃ Secure: ආ໔
session id ඃჶ Strict-Transport-Security: max-age=16070400; includeSubDomains Clickjacking X-Frame-Options: deny X-Frame-Options: sameorigin Friday, August 9, 13
HTTP Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block P3P: ... Friday,
August 9, 13
Sponsored by Friday, August 9, 13
Q & A Thanks for your attention Friday, August 9,
13
Friday, August 9, 13
Friday, August 9, 13
Friday, August 9, 13