web安全基礎(chǔ)(優(yōu)揚(yáng)科技)

1、Why- Search, Dig , and Hack !ContentWhy WEB?1HTTP2Hacking3Hardening4ContentWhy WEB?1HTTP2Hacking3Hardening4Why WEB ?vWEB奮起 瘦客戶端 瀏覽器能做什么？還有什么瀏覽器不能做？ 沒(méi)有瀏覽器的電腦？ Internet的新泡沫時(shí)代Why WEB ?v為什么 WEB 是非多 威脅的可疊加特性 Internet 爆炸 二把刀程序員 個(gè)人站點(diǎn)：臭美 可用 安全Why WEB ?v令人絕望的 WEB 2.0 善用？濫用？Why WEB ?vWEB安全大事記1999 XSS was reco

2、gnisedwhisker 1.0 released next-generation CGI scanner 1998 Phrack 54 NT Web Technology VulnerabilitiesSQL Injection2001OWASP StartedNikto 1.0 released2003SQL Slammer OWASP Testing guideWebInspect 3.02004OWASP TOP 10 released2005Samy WormAcunetix scanner releasedWhy WEB ?vWEB安全的一點(diǎn)數(shù)據(jù)Source : IBM X-Fo

3、rce 2010 Trend and Risk ReportWhy WEB ?vWEB安全的一點(diǎn)數(shù)據(jù)Source : IBM X-Force 2010 Trend and Risk ReportContentWhy WEB?1HTTP2Hacking3Hardening4HTTPv版本與歷史HTTP/0.9HTTP/1.0HTTP/1.1Year : 1990-1991簡(jiǎn)單但不大方簡(jiǎn)單但不大方Y(jié)ear : 1996RFC 1945過(guò)渡版本過(guò)渡版本持續(xù)完善持續(xù)完善至今仍被兼容至今仍被兼容Year : 1997RFC 2068目前最完善版本目前最完善版本持續(xù)改進(jìn)與發(fā)展持續(xù)改進(jìn)與發(fā)展Source:

4、RFC 2616v 結(jié)構(gòu) (HTTP Request)GET / HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, app

5、lication/msword, application/QVOD, application/QVOD, */*Accept-Language: zh-cnUA-CPU: x86Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)H

6、ost: Connection: Keep-AliveCookie: PREF=ID=ab655c79fc00eca5:U=1da01670686c1b4a:FF=0:LD=en:NW=1:CR=2:TM=1258614972:LM=1310117743:GM=1:S=3dm6LuBXWmGJn68p; NID=48=FYQN5JhSwChd_pgXNBw9-u6xMkefYb23gg6b24tApMve2lVAdBzX6xVSgeXFhdQM9DtKnHda7Kh_v6WAG_y0QtOukKDuBXOrH7psDHjV31NnI9-Pu8sNcLOHVjGWGhJc; rememberme

7、=falseHTTPv結(jié)構(gòu) (HTTP Request) HTTP Request數(shù)據(jù)結(jié)構(gòu)概述METHOD /PATH HTTP/VERISIONHEADER1: ContentHEADER2: ContentHEADER3: ContentHEADER4: ContentPOST DATAsHTTPv結(jié)構(gòu) (HTTP Request) HTTP Request數(shù)據(jù)結(jié)構(gòu)概述GET / HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/xaml+xml, application/vnd

8、.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, application/QVOD, */*Accept-Language: zh-cnUA-CPU: x86Accept-Encoding: gzip, deflateUser-Agent: Mozilla/

9、4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)Host: Connection: Keep-AliveCookie: PREF=ID=ab655c79fc00eca5:U=1da01670686c1b4a:FF=0:LD=en:NW=1:CR=2:TM=1258614972:LM=1310117743:GM=1:S=3dm6

10、LuBXWmGJn68p; NID=48=FYQN5JhSwChd_pgXNBw9-u6xMkefYb23gg6b24tApMve2lVAdBzX6xVSgeXFhdQM9DtKnHda7Kh_v6WAG_y0QtOukKDuBXOrH7psDHjV31NnI9-Pu8sNcLOHVjGWGhJc; rememberme=false我要干什么我能識(shí)別什么我說(shuō)什么話我用什么工具我要找誰(shuí)對(duì)了！忘了告訴你我是誰(shuí)HTTPv結(jié)構(gòu) (HTTP Request) HTTP Method常見(jiàn)的：GET、POST偶爾見(jiàn)到的：HEAD, RACE, LOCK,OPTIONS,PUT, MOVE, COPY, DE

11、LETE, CONNECTv結(jié)構(gòu) (HTTP Response)HTTP/1.1 200 OKDate: Fri, 08 Jul 2011 14:35:23 GMTExpires: -1Cache-Control: private, max-age=0Content-Type: text/html; charset=UTF-8Content-Encoding: gzipServer: gwsContent-Length: 11746X-XSS-Protection: 1; mode=blockxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

12、xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxHTTP Response in the realworld HTTPv結(jié)構(gòu) (HTTP Response) HTTP Response數(shù)據(jù)結(jié)構(gòu)概述HTTP/VERSION Status_Code Status_Code_descH

13、EADER1: ContentHEADER2: ContentHEADER3: ContentX-HEADER: ContentRESPONSE DATAsRESPONSE DATAs.HTTPv結(jié)構(gòu) (HTTP Response) HTTP Response數(shù)據(jù)結(jié)構(gòu)概述HTTP/1.1 200 OKDate: Fri, 08 Jul 2011 14:35:23 GMTExpires: -1Cache-Control: private, max-age=0Content-Type: text/html; charset=UTF-8Content-Encoding: gzipServer: gw

14、sContent-Length: 11746X-XSS-Protection: 1; mode=blockxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx成功返回?cái)?shù)據(jù)立刻過(guò)期緩存

15、控制。Private: 訪問(wèn)服務(wù)器而非緩存；Max-age=0 : 0秒內(nèi)使用緩存數(shù)據(jù)內(nèi)容類(lèi)型服務(wù)器類(lèi)型返回長(zhǎng)度擴(kuò)展（預(yù)留）字段此處意為支持瀏覽器的XSS過(guò)濾器時(shí)間（GMT）HTTPv結(jié)構(gòu) (HTTP Response) HTTP Response數(shù)據(jù)結(jié)構(gòu)概述HTTP/1.1 200 OKDate: Fri, 08 Jul 2011 14:35:23 GMTExpires: -1Cache-Control: private, max-age=0Content-Type: text/html; charset=UTF-8Content-Encoding: gzipServer: gwsConte

16、nt-Length: 11746X-XSS-Protection: 1; mode=blockxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEntity HeaderEntit

17、y BodyHTTPv結(jié)構(gòu) (HTTP Response) Status Code常見(jiàn)： 200 , OK 201 , Create 301 , Moved Permanently 302 , Found (temporarily) 400 , Bad Request 401 , Unauthorized 404 , Not Found 500 , Internal Server ErrorHTTPv典型 GET vs POSTGET 方法方法 1、提交內(nèi)容在URL中 2、RFC 2616 未限制URL長(zhǎng)度 3、IE限制URL長(zhǎng)度為2083個(gè)字符 4、Firefox限制URL長(zhǎng)度65536個(gè)字

18、符POST 方法方法 1、提交內(nèi)容置于請(qǐng)求實(shí)體中 2、以修改服務(wù)端內(nèi)容為設(shè)計(jì)目的（RFC2616 /9.5） 3、長(zhǎng)度無(wú)限制HTTPv典型 GET vs POSTGET/POST的安全問(wèn)題的安全問(wèn)題 1、360泄露用戶信息事件 2、代碼混淆GET與POST請(qǐng)求HTTPv典型 HEAD vs GETHEAD 獲取Entity HeaderGET 獲取全部responseHTTPv典型 HEAD vs GETGET 獲取全部responseHEAD 獲取Entity HeaderHTTPv典型 HEAD vs GETHEAD 用途用途 1、Scanner 版本信息 2、下載工具 文件長(zhǎng)度預(yù)載HTT

19、Pv典型 REFERER 字段用途Referer 告訴WEB程序 ：我從哪里來(lái)HTTPv典型 REFERER 字段用途Referer 告訴WEB程序 ：我從哪里來(lái)HTTPv典型 REFERER 字段用途Referer 的用途的用途 1、防止盜鏈 2、CSRF防護(hù) 3、Google hacking與入侵分析HTTPv典型 HOST字段用途HTTPv典型 HOST字段用途ContentWhy WEB?1HTTP2Hacking3Hardening4Hackingv7類(lèi)常見(jiàn)漏洞示例 配置錯(cuò)誤 注入漏洞 跨站腳本 認(rèn)證錯(cuò)誤 錯(cuò)誤信息 參數(shù)錯(cuò)誤 邏輯錯(cuò)誤Hackingv配置錯(cuò)誤 indexesHacki

20、ngv配置錯(cuò)誤 indexesHackingv配置錯(cuò)誤 indexes DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm. Options Indexes FollowSymLinks AllowOverride None Order allow,deny allow from allHackingv配置錯(cuò)誤 HTTP PUTPUT /test.txt HTTP/1.1Host: Content-Length: 1220% if Trim(request(syfdpath) then %Ha

21、ckingv配置錯(cuò)誤 HTTP PUTHTTP OPTIONS方法方法Hackingv配置錯(cuò)誤 HTTP PUTWindows 2000 + IIS 5.0 的某些必然性的某些必然性本地權(quán)限IIS權(quán)限Hackingv配置錯(cuò)誤 HTTP PUTWindows 2000 權(quán)限特性及繼承方式權(quán)限特性及繼承方式根目錄：Everyone:F異曲同工之妙：Windows 2000 下的FrontPageHackingv配置錯(cuò)誤 backup 永遠(yuǎn)不要直接在永遠(yuǎn)不要直接在WEB目錄中編輯程序目錄中編輯程序哪怕你知道你在做什么，但不一定知道你的編輯器在做什么哪怕你知道你在做什么，但不一定知道你的編輯器在做什么

22、 ！Hackingv注入漏洞 SQL注入Select * from table_name where id=1Select * from table_name where id=1Select * from table_name where id=1 and 1=1Select * from table_name where id=1 and 1=2Select * from table_name where id=1 and (select )Injection Tools: 1、SQL Helper 2、SQLMAP (v0.9)Hackingv注入漏洞 JS下的SQL注入用戶注冊(cè)時(shí)觸發(fā)用

23、戶注冊(cè)時(shí)觸發(fā)JS腳本對(duì)用戶名自動(dòng)檢查可用性腳本對(duì)用戶名自動(dòng)檢查可用性Hackingv注入漏洞 命令注入Apache Log:/s_tar.php?S_sid=79d18ddc9&http:/ Keyword:1. cc.tar2. ;（分號(hào)）（分號(hào)）3. wgettar 命令：命令：tar cvf somefile.tar dir1 dir2 .Linux多命令方式：多命令方式：Command1; Command2; Command3; .Linux多命令錯(cuò)誤機(jī)制：多命令錯(cuò)誤機(jī)制：前一條命令錯(cuò)誤，下一條繼續(xù)執(zhí)行前一條命令錯(cuò)誤，下一條繼續(xù)執(zhí)行調(diào)用：調(diào)用：tar cf cc.tar;wge

24、t ;dir1 dir2 Hackingv跨站腳本 存儲(chǔ)型 反射型 DOM型Hackingv跨站腳本 原理簡(jiǎn)單，利用卻不簡(jiǎn)單WEB 2.0 是是XSS的新溫床的新溫床XSS/CSRF WORM ： Samy worm & Sina weibo worm1、跨站URL：http:/ a、發(fā)微博 b、加關(guān)注 c、發(fā)私信About Samy Worm:/wiki/Samy_(XSS)http:/namb.la/popular/Hackingv認(rèn)證錯(cuò)誤 無(wú)認(rèn)證頁(yè)面Hackingv認(rèn)證錯(cuò)誤 無(wú)認(rèn)證頁(yè)面Hackingv認(rèn)證錯(cuò)誤 原始信息的校驗(yàn)方式1、不校驗(yàn)、不校驗(yàn) 直接構(gòu)造惡意數(shù)據(jù)修改密碼直接構(gòu)造惡意數(shù)據(jù)修改密碼2、校驗(yàn)、校驗(yàn)COOKIE CSRFHackingv