
SOURCE CODE SECURITY

Group 10
Main contents
Why does source code need to be secured?
Common types of attack:
Buffer Overflow
SQL Injection
XSS (Cross Site Scripting)
CSRF (Cross Site Request Forgery)
Session fixation
Session poisoning
Supporting tools

Security?
Security refers to the techniques that ensure data stored on a computer cannot be read or damaged by anyone who is not authorised to do so.
Why source code security matters
Confidentiality: information cannot be accessed without authorisation
Integrity: information cannot be modified without authorisation
Availability: information is always available to serve the requests of authorised users
Common types of attack
Buffer Overflow
What:
Buffer Overflow: an amount of data sent to the application exceeds the amount of memory allocated for it, so the application no longer executes its next intended instruction but instead executes arbitrary code that the attacker has placed into the system.
Buffer: a contiguously allocated region of memory: an array or pointer in C
int main () {
    int buffer[10];    /* room for 10 ints: valid indexes are 0..9 */
    buffer[20] = 10;   /* writes past the end of the buffer: an out-of-bounds write */
    return 0;
}
Buffer Overflow
When:
When the buffer that stores data in memory does not control the values written into it:
Leads to a stack overflow
Overwrites the function's return address
Buffer Overflow
Stack
A contiguous block of memory that holds data
Buffer Overflow
Stack
void function (int a, int b, int c) {
    char buffer1[5];    /* local variables live in the stack frame of function() */
    char buffer2[10];
}
int main() {
    function(1,2,3);    /* the arguments 1, 2, 3 are pushed onto the stack before the call */
    return 0;
}
Buffer Overflow
#include <string.h>
void function (char *str) {
    char buffer[16];
    strcpy (buffer, str);   /* no length check: copies all 27 bytes into a 16-byte buffer */
}
int main () {
    char *str = "I am greater than 16 bytes"; // length of str = 27 bytes (26 characters plus the terminating NUL)
    function (str);
    return 0;
}
Buffer Overflow
Countermeasures:
Write code in a secure way
Disable execution on the stack (non-executable stack)
Use compiler tools
Proactive run-time checking: libsafe (tool)
#include <stdio.h>
#include <stdlib.h>
int main () {
    char *str = (char *)malloc(10);// allocate 10 bytes for str
    gets (str); // reads input from stdin and stores it into str with no length limit
    return 0;
}
/tmp/cc203ViF.o: In function "main":
/tmp/cc203ViF.o(.text+0x1f): the "gets" function is dangerous and should not be used.
SQL INJECTION
What:
A technique that exploits:
Flaws in input validation in web applications
Error messages returned by the database management system
Goal: inject and execute illegitimate SQL statements
SQL INJECTION
COMMON ATTACK FORMS:
Bypassing the login check
SELECT * FROM T_USERS WHERE USR_NAME = and USR_PASSWORD=
username : ' OR ' ' = '
password : ' OR ' ' = ' '
SELECT * FROM T_USERS WHERE USR_NAME = '' OR ''='' and USR_PASSWORD= '' OR ''=''
SQL INJECTION
COMMON ATTACK FORMS:
SELECT
strSQL = "SELECT * FROM T_NEWS WHERE NEWS_ID =" & vNewsID
ID : 0 OR 1=1
SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1
SQL INJECTION
COMMON ATTACK FORMS:
INSERT
strSQL = "INSERT INTO TableName VALUES(' " & strValueOne & " ', ' " & strValueTwo _
& " ', ' " & strValueThree & " ') "
VALUE 1: ' + (SELECT TOP 1 FieldName FROM TableName) + '
INSERT INTO TableName VALUES(' ' + (SELECT TOP 1 FieldName FROM TableName) + ' ', 'abc', 'def')
SQL INJECTION
COMMON ATTACK FORMS:
STORED PROCEDURES
An attack through stored procedures causes very serious damage if the application runs under the system administrator account 'sa'. For example, if the injected code is changed to: ' ; EXEC xp_cmdshell cmd.exe dir C: ', the system will execute a command listing the directory of the C:\ drive on which the server is installed. What kind of damage is done depends on the command placed after cmd.exe.
SQL INJECTION
PREVENTION
Strictly control input data
Configure the database management system securely
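An added example (not from the slides) showing why strict input control and parameterised queries stop the login-bypass and NEWS_ID cases above; the T_USERS table and the credentials are constructed here for the demo, and Python's built-in sqlite3 stands in for the real database.

```python
import sqlite3

# Constructed in-memory stand-in for the T_USERS table on the slides.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
conn.execute("INSERT INTO T_USERS VALUES ('alice', 'correct horse')")
conn.commit()

# The username / password value from the login-bypass slide.
PAYLOAD = "' OR ''='"


def unsafe_login(username, password):
    """Query built by string concatenation, as on the slides: the quotes in
    the input become part of the SQL text and the WHERE clause ends in
    OR ''='' which matches every row."""
    sql = ("SELECT * FROM T_USERS WHERE USR_NAME = '" + username
           + "' and USR_PASSWORD = '" + password + "'")
    return conn.execute(sql).fetchall()


def safe_login(username, password):
    """Parameterised query: the database receives the values separately from
    the statement text, so input can never change the query's structure."""
    sql = "SELECT * FROM T_USERS WHERE USR_NAME = ? and USR_PASSWORD = ?"
    return conn.execute(sql, (username, password)).fetchall()


def news_id_or_none(raw):
    """Strict input control for the NEWS_ID case: accept only a plain
    non-negative integer, so '0 OR 1=1' is rejected before any query runs."""
    return int(raw) if raw.isdigit() else None


def demo():
    """Row counts for each approach, returned so they can be checked."""
    return {
        "unsafe_with_payload": len(unsafe_login(PAYLOAD, PAYLOAD)),
        "safe_with_payload": len(safe_login(PAYLOAD, PAYLOAD)),
        "safe_with_real_credentials": len(safe_login("alice", "correct horse")),
        "news_id_payload": news_id_or_none("0 OR 1=1"),
        "news_id_valid": news_id_or_none("42"),
    }


if __name__ == "__main__":
    print(demo())
```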
The XSS attack technique
XSS, short for Cross-Site Scripting, is an attack technique that injects HTML tags or dangerous script code into dynamic websites (ASP, PHP, CGI, JSP ...).
The dangerous code that is injected is mostly written in client-side script such as JavaScript, JScript or DHTML, and may also consist of HTML tags.
XSS is a common flaw; a great many websites are affected by it, which is why more and more people are paying attention to it.
Finding XSS vulnerabilities in a website
Method 1: Use one of the many web application vulnerability scanners, for example the Web Vulnerability Scanner program, to scan for XSS flaws.
Method 2: Carry out 5 steps:
Step 1: Open the website to be tested
Step 2: Identify the places (parts) to be tested
Step 3: Verify whether the site is vulnerable to XSS by examining the information it returns
Step 4: Insert our own code and test further
Step 5: Plan the attack scenario
Prevention
Filtering: always filter the data entered by the user, by filtering the meta characters (special characters) defined in the HTML specification in order to detect script tags.
Encoding: server-side encoding is a process in which all dynamically generated content passes through an encoding function, where script tags are replaced by their encoded form.
In general, encoding is the recommended approach because it does not require you to decide which characters are valid and which are not. However, encoding can consume resources and affect the performance of some servers.

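An added example (not from the slides) of the server-side encoding function described above, in Python: every dynamic value is passed through it at the point where it is written into the page, so a script tag is displayed as text rather than executed. The render_comment function and the sample input are constructed for this demo.

```python
# HTML meta characters (from the HTML specification) and their character references.
HTML_ENCODE_MAP = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
})


def encode_for_html(text):
    """Output encoding: replaces every meta character with its reference, so a
    script tag becomes &lt;script&gt; and is shown as text, never run. There is
    no decision about which characters are 'valid'; all of them are encoded."""
    # A NUL byte can hide a payload from tag filters (see the session poisoning
    # slide), and it is never legitimate in page content, so drop it first.
    return text.replace("\x00", "").translate(HTML_ENCODE_MAP)


def render_comment(author, body):
    """Constructed page fragment: both untrusted values are encoded exactly where
    they are inserted, in an attribute and in element text."""
    return ('<div class="comment"><b title="' + encode_for_html(author) + '">'
            + encode_for_html(author) + "</b>: " + encode_for_html(body) + "</div>")


def contains_raw_script_tag(html):
    """Check used to confirm that no unencoded script tag reached the output."""
    return "<script" in html.lower()


if __name__ == "__main__":
    # Constructed sample of the kind of input an XSS probe submits.
    print(render_comment('">x', "<script>alert(1)</script>"))
```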
Scope and feasibility of XSS attacks
Malicious JavaScript can access any of the following information:
Persistent cookies (of the XSS-vulnerable site) kept by the browser
In-memory cookies (of the XSS-vulnerable site)
The names of all windows opened from the XSS-vulnerable site
Any information accessible from the current DOM (such as values and HTML code)
The CSRF attack technique
An attack technique that makes use of the user's authenticated rights on another website.
Web applications work by receiving HTTP requests from the user and then executing those requests.
CSRF tricks the user's browser into sending HTTP requests to the web application, and those requests are executed under the user's authentication.
Defending against CSRF attacks
Because CSRF works by tricking the user's browser (or the user) into sending HTTP requests, prevention techniques focus on telling forged requests apart from genuine ones.
Many recommendations are currently given, but no single measure yet prevents CSRF completely.
CSRF prevention techniques
Limit the validity period of the session
Use GET and POST appropriately
Use CAPTCHA, use confirmation prompts
Use tokens
Use a separate cookie for the administration area
Design a logging system
Check the Referer
Check the IP address

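An added example (not from the slides) combining three techniques from the list above in Python: state changes only over POST, a token bound to the session, and a Referer check. The secret key, the host name bank.example and the session IDs are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side secret used to derive tokens; generated here for the demo.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Token bound to the user's session: a token captured from one session is
    worthless in another, and the server needs no token table."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def referer_is_same_site(referer, site_host):
    """Referer check from the slide: accept only requests whose Referer names
    our own host. A missing Referer is treated as suspicious here."""
    return bool(referer) and urlsplit(referer).netloc == site_host


def accept_state_change(method, session_id, form_token, referer,
                        site_host="bank.example"):
    """Decide whether a state-changing request (e.g. a transfer) is accepted.
    Returns (accepted, reason)."""
    if method != "POST":
        return False, "state changes must be sent with POST, not GET"
    expected = csrf_token_for(session_id)
    # compare_digest runs in constant time, so the comparison leaks no timing.
    if not form_token or not hmac.compare_digest(form_token, expected):
        return False, "missing or invalid CSRF token"
    if not referer_is_same_site(referer, site_host):
        return False, "Referer missing or from another site"
    return True, "ok"


def demo():
    """A genuine form submission versus a forged cross-site request that rides
    on the same session cookie but carries no token and a foreign Referer."""
    sid = "session-abc"
    genuine = accept_state_change("POST", sid, csrf_token_for(sid),
                                  "https://bank.example/transfer")
    forged = accept_state_change("POST", sid, "", "https://evil.example/page")
    via_get = accept_state_change("GET", sid, csrf_token_for(sid),
                                  "https://bank.example/transfer")
    return genuine[0], forged[0], via_get[0]
```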
SESSION FIXATION
An attack technique that lets the hacker impersonate a legitimate user by sending a valid session ID to the user; once the user has logged in to the system successfully, the hacker reuses that session ID and thereby becomes the legitimate user.
The attack process
Carried out in 3 steps:
Setup session: set up a session trap on the target server and choose a session ID to use in the attack.
Session fixation: the hacker plants their own session in the user's browser.
Session entrance: the hacker waits for the user to log in to the prepared server with the planted (pre-set) session, after which the user is logged in under that session.
Attack via the URL
The hacker uses tricks to lure the user into logging in to their account through a page the hacker has prepared, for example:
http://online.worldbank.dom/login.jsp?session=1234.
The hacker then has the user's account and carries out illegitimate actions on the logged-in account, such as a bank account.
Attack via a hidden form field
Similar to the URL case: after viewing the page's HTML, the hacker notices that the session ID is placed in a hidden form field, so the hacker sends the user a session ID in the URL as well, or a page identical to the home page but with the hidden form field carrying a pre-set value.
Attack via cookies
By abusing cookies, the hacker has 3 ways to deliver a session ID to the victim's browser:
Using a scripting language (JavaScript, VBScript) to set a cookie in the victim's browser by setting the value document.cookie = "sessionid=1234; domain=.worldbank.com". In addition, the hacker can also set the cookie's lifetime and its domain.
Prevention:
Prevent login with a pre-existing session ID by discarding the session ID supplied by the user's browser at login and always creating a new session ID when the user logs in successfully.
Defend against hackers outside the system: build the application restrictively (only create a new session ID for the user after they have authenticated successfully).
Limit the scope in which the session ID can be used: tie the session ID to the browser's address, tie the session ID to authentication information protected by SSL, delete the session when the user logs out or it expires, and set an expiry time for the session so the hacker cannot keep the session alive and use it for a long time.

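An added example (not from the slides) of a server-side session store in Python that applies the countermeasures above: the ID presented at login is discarded and a fresh one issued, the session is tied to the client address, it expires, and it is deleted on logout. The class, the IDs and the timestamps are constructed for the demo; the fixated ID 1234 is the one from the URL slide.

```python
import secrets


class SessionStore:
    """Server-side session table: session ID -> {"user", "ip", "expires"}."""

    def __init__(self, ttl_seconds=900):
        self.sessions = {}
        self.ttl = ttl_seconds

    def login(self, presented_sid, user, client_ip, now):
        """Called only after the credentials were verified. The ID the browser
        presented (possibly fixated via ?session=1234) is discarded and a new
        random ID is issued, so whoever planted the old ID never learns the
        ID of the authenticated session."""
        self.sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self.sessions[new_sid] = {"user": user, "ip": client_ip,
                                  "expires": now + self.ttl}
        return new_sid

    def user_for(self, sid, client_ip, now):
        """Resolve a session ID to a user, or None if it is unknown, expired,
        or presented from a different address than it was issued to."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            self.sessions.pop(sid, None)      # expired: remove it
            return None
        if entry["ip"] != client_ip:
            return None                       # wrong client: refuse (and log it)
        return entry["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)          # user left the system: drop it


def demo():
    """Walk through the slide's attack: the browser carries the pre-set ID
    '1234' into login; afterwards that ID must be useless to whoever set it."""
    store = SessionStore(ttl_seconds=600)
    fresh = store.login("1234", "alice", "10.0.0.5", now=1000)
    return {
        "fixated_id_after_login": store.user_for("1234", "10.0.0.5", now=1001),
        "fresh_id_same_client": store.user_for(fresh, "10.0.0.5", now=1001),
        "fresh_id_other_client": store.user_for(fresh, "203.0.113.9", now=1002),
        "fresh_id_before_expiry": store.user_for(fresh, "10.0.0.5", now=1599),
        "fresh_id_after_expiry": store.user_for(fresh, "10.0.0.5", now=1600),
    }
```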
Session poisoning:
Session poisoning exploits flaws in how server applications manage sessions in order to copy (steal) users' sessions using scripts.
Prevention
Create a list of the HTML tags that are permitted.
Remove script tags, or filter out any JavaScript/Java/VBScript code.
Filter single and double quotes (because with single or double quotes a script can be inserted into the URL), and the null character (because arbitrary code can be appended after a null character so that even an application that strips script tags fails to notice it, since the application assumes the string ends at that null character).
SUPPORTING TOOLS
Acunetix Web Vulnerability Scanner
Yasca
PEPacker
Dotfuscator
Skater .NET Obfuscator
Zend Guard