Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HTTP协议相关的若干安全问题
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
LI Daobing
August 09, 2013
Programming
1.2k
9
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
HTTP协议相关的若干安全问题
LI Daobing
August 09, 2013
More Decks by LI Daobing
See All by LI Daobing
How to attack TLS in PQC decade, part I
lidaobing
0
52
出了问题不要靠猜
lidaobing
40
4.1k
Debian & Packaging
lidaobing
1
580
Java 质量保障
lidaobing
3
310
OAuth: How and Why?
lidaobing
1
160
从 Struts 迁移到 Spring MVC,以及为什么?
lidaobing
2
670
glusterfs 文件系统
lidaobing
2
210
如何学习 Shell
lidaobing
3
340
Other Decks in Programming
See All in Programming
AI時代、エンジニアはどう育つのか -未経験エンジニアの成長を間近で見て考えたこと-
thasu0123
0
110
Contextとはなにか
chiroruxx
1
390
言語を使う側から、作る側へ。 自作 Lisp で得た新たな気づき。
andpad
0
110
AIを活用したE2Eテスト実装効率化のあゆみ / ebisu-mobile-14-kotetu
kotetuco
0
170
その問い、本当に正しいですか?AI時代のエンジニアに必要な哲学と認知科学 / ai-philosophy-cognitive-science
minodriven
14
6.8k
吝嗇家のためのAI活用 / AI development for miser - ChatGPT + Issue Driven Development
tooppoo
0
180
Performance Engineering for Everyone
elenatanasoiu
0
270
The Bowling Game- From Imperative to Functional Programming - Part 1
philipschwarz
PRO
0
310
OS アップデート対応の取り組み方がもっと共有されてほしい
andpad
0
110
霧の中の代数的エフェクト
funnyycat
1
340
【やさしく解説 設計編・中級 #4】ルールの寿命と、システムの年輪
panda728
PRO
2
120
SREの積み重ねがAI駆動開発のガードレールになった ― 7つの実践/SRE Guardrails The 7
tomoyakitaura
8
4k
Featured
See All Featured
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9.1k
Git: the NoSQL Database
bkeepers
PRO
432
67k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.5k
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
szymonslowik
1
1.2k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
11k
How to build an LLM SEO readiness audit: a practical framework
nmsamuel
1
800
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
Designing for Performance
lara
611
70k
Intergalactic Javascript Robots from Outer Space
tanoku
273
27k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
450
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
300
Skip the Path - Find Your Career Trail
mkilby
1
160
Transcript
HTTP协议相关的若干安全问 题 LI Daobing <
[email protected]
> https:/ /github.com/lidaobing Friday, August 9,
13
194011݄7 http:/ /en.wikipedia.org/wiki/Tacoma_Narrows_Bridge_(1940) Friday, August 9, 13
19884݄28 http:/ /en.wikipedia.org/wiki/Aloha_Airlines_Flight_243 Friday, August 9, 13
20022݄? http:/ /en.wikipedia.org/wiki/SQL_injection Friday, August 9, 13
问题 㟬 现 ࡏࡏ 过桥 త 时 ީձ୲৺ 这
问题 㜮ʁ ʢҼ 为桥 తݐஜ 设计师 ੋ༗ 证 తʁʣ 㟬 现 ࡏࡏ࠱ 飞 صత 时 ީձ୲৺ 这 问题 㜮ʁ ʢҼ 为飞 صత 设计师 ੋ༗ 证 తʁʣ Friday, August 9, 13
问题 㟬্᠓త 时 ީ୲৺㟬తີ 码 /㟨҆શ㜮ʁ զ 还 ୲৺ɼݪҼ 这
࿙ಎग़ 现 త 时间还 ෆ䭧 长 ʁ 㟬㣛తɼ䇖 发 ᠓తੋᏠ 证 ఔং 员 ීวෆࡏҙ҆શ 问题 Friday, August 9, 13
HTTP 协议 ૬䎔తएׯ҆ ॄ㜮ੋ HTTP 协议 GET ܕ CSRF POST
ܕ CSRF ۲߸ 问题 SSL Same Origin Policy ༩ ލҬ௨৴ HTTP Headers Friday, August 9, 13
ෆ 讲 ॄ㜮 DDoS DoS: લऀ䳭ྲྀᔁ, ऀ䳭Ꮰ 赖 软
݅࿙ಎ: 紧盯 CVE 发 ߦ൛త҆શ௨ࠂ XSS: ଖ 实这 ࠽ੋେ 头 SQL Inject: 这 2013ྃ, 㟬ཁল HTTP Cache: 细节 ଠଟɼ 还 ࢉ҆શ Friday, August 9, 13
访问 Ұ᠓ 页 Friday, August 9, 13
༻HTTP 协议 ၏ॄ㜮ʁ Լ 载 ᠓ 页 Լ 载图 ย
Լ 载 CSS Լ 载 JS Լ 载 ࣈମ AJAX Լ 载 swf, ... Friday, August 9, 13
HTTP 协议 ᣂྫ $ curl -v http:/ /www.google.com.hk/ > GET
/ HTTP/1.1 > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5 > Host: www.google.com.hk > Accept: */* > < HTTP/1.1 200 OK < Date: Wed, 24 Apr 2013 13:15:02 GMT < Expires: -1 < Cache-Control: private, max-age=0 < Content-Type: text/html; charset=Big5 < Set-Cookie: PREF=ID=5dee4c0efb2fd080:FF=0:NW=1:TM=136680[snip] < Set-Cookie: NID=67=DyKygko82Qz6Xxjed6pZEZvekjy6YFHRAEh[snip] < Server: gws < X-XSS-Protection: 1; mode=block < X-Frame-Options: SAMEORIGIN < Transfer-Encoding: chunked < <!doctype html><html><head>...</head><body>...</body></html> Friday, August 9, 13
telnet 拟 HTTP 请 ٻ Friday, August 9, 13
CSRF ੋॄ㜮ʁ Cross-site request forgery (ލ 请 ٻ 伪 )
༻ 户 ظҰߦ 为 ʢൺ 转账 ɼථɼ䎔 闭 bug, ...ʣੋࡏ 对应 త᠓্ 发 ੜɼୠࡏ 访问 Ұ ෆ૬䎔త᠓ 时 ٫৮ 发 ྃ 该 ߦ 为 ൺզࡏ䶯ḦɼᏠᡅ 图 ɼ 结 Ռ৮ 发 ྃզ ࡏ 17startup ্ 给 ᠓ྃ5 Friday, August 9, 13
GET ܕ CSRF Friday, August 9, 13
GET ܕ CSRF 17startup తථ 请 ٻ: http:/ /17startup.com/ startup/vote/9439/5
߈ 击 ख๏1: 发 ૹurl 给 डਓɼՌड ਓቮ 经 ొ 录 17startup ኂ 击 ྃ url, बೳ 㢦㟬ථ Friday, August 9, 13
伪 图 ย http:/ /is.gd/eGsWc7.jpg વ 发 ౸䬟ࠣࢧ࣋֎ 链
త 论坛 , डਓՌቮ 经 ొ 录过 17startup, ಹ㜮 访问这 论坛时 बՄҎ 㢦㟬ථ ߋత 伪 : ߈ 击图 ย์ࡏ႓ 张 ਖ਼ৗ 图 ยத 间 Friday, August 9, 13
ޚ GET ܕ CSRF ຌੋधཁߋվ 务 ثঢ় 态 త 请
ٻɼෆಘ༻ GET, ՄҎ༻ POST, PUT, DELETE Friday, August 9, 13
ٕ 术时间 : Request Method ҆શ 幂 HEAD √
√ GET √ √ POST × × PUT × √ DELETE × √ PATCH × × TRACE, OPTIONS, CONNECT (TRACK, DEBUG) Friday, August 9, 13
POST ܕ CSRF Friday, August 9, 13
POST ܕత CSRF Friday, August 9, 13
۩ମԿૢ࡞ ࡏࣗݾత 页 ໘ 设 ஔҰiframe, iframe ཬ 边 ༗
Ұ form, ࢦඃ߈ 击 ɼኂ༻ JS ৮ 发 ࣗ 动 ఏަ (҃ऀ 诱导 डਓఏަ) Ҿ 导 डਓ 访问 㟬త 页 ໘ Friday, August 9, 13
ҙࣄ 项 iframe શՄҎੋ 隐 ܗతɼॴҎडਓՄೳ શ༗ 觉 ౸ቮ 经
ड౸߈ 击 ྃ 验证码对这 䝅߈ 击 ޚᏈՌࠩɼҼ 为 զՄҎ 验证码 过 དྷ 诱导 ༻ 户 రࣸɻ Friday, August 9, 13
Կޚ form ཬ 边 ՃCSRF TOKENʢ፺ࡧ㟬తᐽՍ໊শ +CSRFबೳፙ౸େྔతจᑆʣ ༻ෆؚ form త
AJAX 时 , ဓ HTML தఏऔ CSRF TOKEN Ճೖ㟬తࢀɻ 䐾 查 ᠓తAPI: 㟬త API Մೳձඃ༻ဋ POST CSRF ߈ 击 ɻ Friday, August 9, 13
۲߸ 问题 这问题 ্զ൜ 过错误 EverBox 项 测时 ग़
过 ۲߸ 问题 Friday, August 9, 13
۲߸ݪཧ sinatra ᐽՍ᠍ল༻ rack-session rack-session ༻ Kernel.rand དྷੜ session id
memcache session storage ༗၏ session id ੋ൱ଘࡏత 检验 unicorn ༻ fork དྷੜଟ 进 ఔ(䫩গ 启动时 Friday, August 9, 13
ٕ 术时间 : Session อଘ 问题 优 ᠍ Cookie
Session ߱ 务 压 ྗ䐾 杂 ੑ ਾᔔ࿐, େখݶ੍, ࿘ 费 ྲྀ ྔɼᏠ๏㖘੍ొग़ Memcache Session ෆґ 赖 ဋਾ 库 ༻ 户 मվີ 码 ొग़༻ 户 ຑ 烦 ɼਗ਼ཧ cache 时 ձ 导 க༻ 户 ొग़ Database Session ޭೳ㖘େ ফਾ 库资 ݯ Friday, August 9, 13
Session ߷࣋ޚ Session Id Ӭ 远 ෆཁग़ 现 ࡏ HTML
த Session Id త Cookie Ӭ 远 ཁ HttpOnly 记录浏览 ثগ 变 Խత HTTP 头 User Agent Accept Encoding Accept Language IP(?) Friday, August 9, 13
SSL 历 ࢙༩ 现 ঢ় SSL 2.0 త҆શ࿙ಎ ଖଞ߈ 击
ํࣜ SSL 3.0 / TLS 1.0 త҆શ࿙ಎ Friday, August 9, 13
SSLత 历 ࢙ SSL 1.0, Netscape 䇖 发 ɼະެ䇖 SSL
2.0, 19952݄ SSL 3.0, 1996 TLS 1.0(RFC2246) ≈ SSL 3.0, 1999 TLS 1.1(RFC 4346), 20064݄ Friday, August 9, 13
SSL ࢧ࣋ႎ [ې༻] SSL 2.0, 19952݄ [OK] SSL 3.0, 1996
[OK] TLS 1.0(RFC2246) ≈ SSL 3.0, 1999 [ෆࢧ࣋] TLS 1.1(RFC 4346), 20064݄ [ෆࢧ࣋] TLS 1.2(RFC 5246, 6176), 20088݄ Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) MAC = MD5(secret + content) MAC2 = MD5(secret + content+ attack_suffix) Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) 2. ҆શ߱ 级 ߈ 击 ༻໌จ 协 ௨৴ࣜɼத 间 ՄҎ 篡 վ௨৴ ߱Ճີ 级 䫲 Friday, August 9, 13
SSL 2.0 ଘࡏత 问题 1. 长 扩 ల߈ 击
(Length extension attack) 2. ҆શ߱ 级 ߈ 击 3. TCP 䎔 闭 ߈ 击 SSL ༻ TCP FIN དྷ 结 ଋɼத 间 ਓՄҎ௨ 过 发 ૹ TCP FIN དྷׯ 扰 SSL 连 (٬ 户 ෆ ձҙ 识 ౸ඃ߈ 击 ) Friday, August 9, 13
SSL తଖଞ҆શ 问题 证书问题 ෆཁ༻ࣗ 签 ໊త 证书 ෆཁ 让
༻ 户 ҆ࠜ 证书 䇖௨ެڞ 邮 ശతޭೳతҬ্໊࠷ෆཁਃ 请 证书 (sohu 邮 ശத 过 ট) Friday, August 9, 13
SSLStrip େ෦ https 请 ٻདྷࣗ http త 转 恶 ҙத
间 ਓՄҎ 拦 ፊ 请 ٻɼ 导 கத 间 ਓ༩ 浏览 ثత௨৴ 为 ໌จ Friday, August 9, 13
SSLStrip తޚ HTTP Header: Strict-Transport-Security 预 ஔधཁ https త᠓ྻද: chrome
ࢧ࣋ Friday, August 9, 13
SSL 3.0 / TLS 1.0 త 风险 BEAST ߈ 击
: ར༻ CBC(Cipher-block chaining) తҰ᠍᮷ CRIME ߈ 击 : 构 䉰ኂ 观 压缩 RC4 ߈ 击 : 长时间 ༻ಉҰ key 导 கඃ߈ 击 Friday, August 9, 13
CRIME ߈ 击 ၊ఆ㟬త session id 为 a1b2c3d4 ಹ㜮Ռ 请
ٻࢀؚ༗ a1b ҃ऀ 1b2 ҃ऀ b2c 时 ɼ 请 ٻత 压缩 ՄҎఏߴ(SSL ҃ ऀ SPDY ձ 启 ༻ 压缩 ) ༻ sniffer 监 ჶ㑌 请 ٻత 长 ɼፙ౸ 压缩 ภߴతแɼࡏࠜਾยஈॏ৽㣥䫪ग़ cookie Friday, August 9, 13
Same Origin Policy ༩ ލ Same Origin Policy 对 ෆಉҬݶ੍:
frame ೭ 间 ෆೳޓ૬ 访问 发 ىత GET 请 ٻᏠ๏ 获 औ༰ Ꮰ๏ 发 ى POST ܕ AJAX 请 ٻ(ୠՄҎ POST FORM) Ꮰ๏༻ࣈମ/Flash/Java Applet ɻɻɻ Friday, August 9, 13
ղႊํҊ1 JSONP ೳੋ GET 请 ٻ Ꮰ๏্ 传 จ݅ ഁᆀ
语义 /CSRF߈ 击 长 ݶ੍ Friday, August 9, 13
ղႊํҊ2 CORS (Cross-origin resource sharing) Access-Control-Allow-Origin: * ༻ AJAX ্
传 จ݅ (ൺ S3 बࢧ࣋) Ҹ 许 ލҾ༻ font, swf(?) খܕ 应 ༻ ݐ 议 ༻ಠཱҬ໊ɼආ໔ඃ߈ 击 Friday, August 9, 13
ղႊํҊ3 Cross-document messaging window.postMessage(‘hello’, ‘http:/ / example.com`) IEࢧ࣋ෆଠ: IE8 Ҏલෆࢧ࣋,
IE8 ෦ࢧ ࣋(ࢧ࣋iframe), IE10 શ෦ࢧ࣋ Friday, August 9, 13
HTTP Headers Cookie HttpOnly: ආ໔ session id ඃ Secure: ආ໔
session id ඃჶ Strict-Transport-Security: max-age=16070400; includeSubDomains Clickjacking X-Frame-Options: deny X-Frame-Options: sameorigin Friday, August 9, 13
HTTP Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block P3P: ... Friday,
August 9, 13
Sponsored by Friday, August 9, 13
Q & A Thanks for your attention Friday, August 9,
13
Friday, August 9, 13
Friday, August 9, 13
Friday, August 9, 13