
GNTech Seminar

Common web security bugs

in the application layer

Purpose of the seminar
The parts other than the application are shared by the whole world,
so the whole world works hard to find their security bugs.
The application part is written by the programmers themselves,
so they have to deal with it themselves.
=> We are web programmers.
This seminar aims to raise our understanding of the security bugs
commonly found in the application part, the part we create with our
own hands!

(Diagram of the stack: Load balancer -> Web server -> ... -> Application -> MySQL, Memcached)

GNT will expand into web for PC. Web for PC is more complex
and more prone to security holes.
(The more complex, the more prone to holes. One of the many reasons
to use a framework is that it helps reduce complexity!)
=> We need to:

Improve our knowledge of web programming for PC
(to be able to write it, and to write it with high productivity)

Learn about security bugs and how to avoid them

...

Philosophy for avoiding security bugs

A vulnerability is nothing more than trust being abused.
Input (protect yourself): never trust 100% information that comes
from an untrusted source without a validation step.
Output (protect others): when outputting information to the user,
check whether that output can harm the user.

Input:
abusing the trust the server places in the user

Output:
abusing the trust the user places in the server

Session basics

Many vulnerabilities are related to sessions
=> First, let's review sessions

WHAT: What is a session?

(Diagram: a Client sends several Requests to a Server)
The server receives many independent requests
from the same client.
The problem is how the server recognizes
that they all belong to one user
=> the concept of a session

A real-world example
Every time Trần Quang goes to an ATM to withdraw money,
how does the ATM know that Trần Quang really is Trần Quang?

HOW: Ways to store a session

The problem:
The protocol of the web is HTTP. HTTP is a stateless protocol,
meaning the HTTP standard itself does not prescribe any way of
storing a session for everyone to follow. => There are many ways!
Something must certainly be stored on the client.

Group 1: store on the client only
* Embed in the URL (the href of a link or the action of a form)
* Cookie

Group 2: store on both client and server
A session is usually represented as a hash (key-value)
* Client: stores only the key (in the URL or in a cookie)
* Server: stores the key and the value (in a file, in memory, or on
another machine (DB, memcached, etc.))

Demo
How sessions are stored by:
* Java Servlet 2.5: adon.jp
* Rails 3

Q: What is a cookie?

A:
(Diagram: Client <-> Server; each Request and Response consists of
a Header (key-value pairs) and a Body)

A cookie is opaque data:
whatever the server sets in the response,
the client sends back verbatim in its next request.

Response
Header
Key         Value
Set-Cookie  Value
Key         Value
Body

Request
Header
Key         Value
Cookie      Value
Key         Value
Body

Q: How do you implement a login feature for a website?

Advice on sessions

The session is not a scratch area where a programmer stores whatever
they like. When designing the program, the design document must state
in advance what the session will store.
When handling forms, do not keep temporary data (passed between
screens) in the session. The logic breaks if two programmers use the
same key, or if several forms share a key
=> adon.jp currently suffers from this; the only fix is to rewrite everything
Store it in <input type=hidden... /> instead
Do not store large values on the client (URL: 1KB, cookie: 4KB)
Store them on the server
Do not store important, persistent data in the session
(e.g. stored in memory + the server goes down = everything is lost)
Store it in the DB

Contents
SQL injection
CSRF
Redirection (one of many phishing techniques)
Cookie replay
XSS
Session fixation
These bugs can be:
* Related to each other, e.g. XSS and session fixation, XSS and CSRF
* Confused with each other, e.g. XSS is often confused with CSRF

SQL injection
How to avoid:
* Use prepared statements (priority 2)
* Use the utility SQL-escape functions on parameters
Most frameworks and libraries already escape for you (priority 1)
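As an added example (not from the slides), here is what an escaping helper of the kind the deck recommends does, next to the string-interpolation style it replaces. `quote` and `bind_sql` are a deliberately small stand-in for a framework's sanitize-style helper or a prepared statement, not ActiveRecord's own implementation, and the payload is a constructed textbook input.

```ruby
# Quote one Ruby value as a SQL literal: strings have both ' and \ doubled
# (the escape MySQL expects inside a quoted string), numbers pass through,
# nil becomes NULL. Any other type is refused rather than stringified.
def quote(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when String         then "'" + value.gsub(/['\\]/) { |c| c * 2 } + "'"
  else raise ArgumentError, "unsupported bind type #{value.class}"
  end
end

# Replace each ? in the template with the quoted parameter, in order, the way
# a framework's sanitize-style helper does. Placeholder and parameter counts
# must agree, so a forgotten or extra value is an error, not a silent gap.
def bind_sql(template, params)
  expected = template.count("?")
  raise ArgumentError, "expected #{expected} params, got #{params.size}" if expected != params.size
  remaining = params.dup
  template.gsub("?") { quote(remaining.shift) }
end

# Vulnerable: the user-supplied name becomes part of the SQL syntax.
def find_user_vulnerable(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Safe: the value is quoted, so quote characters inside it remain data.
def find_user_safe(name)
  bind_sql("SELECT * FROM users WHERE name = ?", [name])
end

# Constructed input of the textbook kind: closes the literal and adds OR.
PAYLOAD = "' OR '1'='1".freeze

if __FILE__ == $0
  puts find_user_vulnerable(PAYLOAD)   # WHERE name = '' OR '1'='1'  (matches every row)
  puts find_user_safe(PAYLOAD)         # WHERE name = ''' OR ''1''=''1' (one literal)
end
```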

CSRF
Q: What do these 2 screenshots have in common?

On her blog, the victim Camanh wrote:
"Crying... like a child whose 200 pages of diary were snatched away
by someone else... torn to pieces..."

http://vnexpress.net/Vietnam/Vitinh/Hacker-Virus/2007/03/3B9F3B21/
http://vnexpress.net/Vietnam/Vitinh/2007/03/3B9F3BF1/

Cause:
Programmers (and designers!) mix up GET and POST, using GET to
edit, delete, create, etc. data
<a>, <img>, <form method=get> are GET
(<a> can be POST if using Ajax; then <a> is only used to fire an event)
How to remember: GET = get = copy data from the server,
so it must not change data on the server

You don't even need to trick the user into clicking;
just viewing the page content is enough to be hit immediately:
<img
src=http://vn.blog.yahoo.com/setup/profile_photo.php?act=del&prf_photo=1 />

How to avoid:
* Use POST when the request is not a GET (a link can be POST if using Ajax)
* Forms must use POST, except special forms such as a search form
* Even with POST you can still be hit as usual (see XSS)
=> A token must be sent along (one that one user cannot guess for
another user, e.g. the session ID)
* GET may be used, but the URL must contain the token
<img src=http://...?act=del&prf_photo=1&token=16d5b78abb28e3d6206b60f22a03c8d9 />
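An added example (not the slides' code) of the token check for the delete-photo action described above. The deck suggests the session ID as the token; this example instead derives the token from the session ID with an HMAC under a server secret (an assumption of this example), so it can go into links and forms without exposing the session ID itself. `Request`, `handle_delete_photo` and `delete_photo_form` are this example's own names.

```ruby
require "openssl"
require "securerandom"

SERVER_SECRET = SecureRandom.hex(32)   # constructed here; a real app loads it from config

# Token bound to the session: same session => same token, and nobody without
# the server secret can compute another user's token from their own.
def csrf_token_for(session_id)
  OpenSSL::HMAC.hexdigest("SHA256", SERVER_SECRET, session_id)
end

# Constant-time string comparison, so timing does not leak how many leading
# bytes of a guessed token were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_csrf_token?(session_id, presented)
  return false if session_id.nil? || presented.nil?
  secure_equal?(csrf_token_for(session_id), presented)
end

# A request as the handler sees it: HTTP method, path, the session id taken
# from the cookie, and the parsed parameters.
Request = Struct.new(:method, :path, :session_id, :params)

# The deck's delete-photo action done the recommended way: refuse GET
# outright (GET must not change data) and require the per-session token on
# POST. The deck also allows GET with a token in the URL; this handler takes
# the stricter option.
def handle_delete_photo(req)
  return [405, "GET must not change data"] if req.method == "GET"
  return [403, "missing or invalid CSRF token"] unless valid_csrf_token?(req.session_id, req.params["token"])
  [200, "photo #{req.params["prf_photo"]} deleted"]
end

# The form that drives the action: the token travels as a hidden field, which
# a third-party page cannot read, unlike the cookie the browser sends anyway.
def delete_photo_form(session_id)
  %(<form method="post" action="/setup/profile_photo.php">) +
    %(<input type="hidden" name="act" value="del">) +
    %(<input type="hidden" name="prf_photo" value="1">) +
    %(<input type="hidden" name="token" value="#{csrf_token_for(session_id)}">) +
    %(<button>Delete photo</button></form>)
end
```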

Redirection
(one of many phishing techniques)
When a user visits some page http://mobion/abc,
the server checks whether the user is logged in; if not, it
redirects the user to /login?url=http://mobion/abc
After the user logs in successfully, the server redirects
the user to that url
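The flow above is a phishing vector when the login page follows any `url` it is given. As an added example (not the slides' code), here is a check that only allows the post-login redirect to stay on the site; `OUR_HOST`, `DEFAULT_AFTER_LOGIN` and `safe_redirect_target` are this example's own names, with "mobion" taken from the deck's URLs.

```ruby
require "uri"

OUR_HOST = "mobion".freeze          # the site's own host, as written in the deck's URLs
DEFAULT_AFTER_LOGIN = "/".freeze    # where to send the user if ?url= is not trusted

# Decide where the login page may send the user after a successful login.
# Accepted: a relative path on this site, or an absolute http(s) URL whose
# host is exactly ours. Everything else falls back to the default page.
def safe_redirect_target(url_param)
  raw = url_param.to_s.strip
  return DEFAULT_AFTER_LOGIN if raw.empty?
  # Control characters or embedded whitespace: refuse rather than guess.
  return DEFAULT_AFTER_LOGIN if raw.match?(/[\s\x00-\x1f]/)
  # "//evil.example/x" and "/\evil.example" are protocol-relative to a browser
  # even though they start with a slash.
  return DEFAULT_AFTER_LOGIN if raw.start_with?("//", "/\\")
  uri = URI.parse(raw)
  if uri.scheme.nil? && uri.host.nil?
    # Relative reference such as /abc?x=1: keep path and query, force a leading /.
    path = uri.path.start_with?("/") ? uri.path : "/#{uri.path}"
    return uri.query ? "#{path}?#{uri.query}" : path
  end
  return DEFAULT_AFTER_LOGIN unless %w[http https].include?(uri.scheme)
  return DEFAULT_AFTER_LOGIN unless uri.host == OUR_HOST   # rejects user@host and lookalike hosts
  uri.to_s
rescue URI::InvalidURIError
  DEFAULT_AFTER_LOGIN
end
```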

Cookie replay
The website stores the session on the client only (URL or
cookie; the bug is more common with cookies)

The account balance is loaded from the DB or wherever
and cached in the session
The user buys something => money is deducted in the session
The user restores the old session => the original balance comes back

How to avoid: store the session on the server, or do not keep
the account in the session
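An added example (not from the slides) that plays the replay through both storage choices: a client-only store where the whole session, balance included, sits in the cookie, and a server-side store where the cookie is only a key. The stores, the purchase functions and the scenario numbers are constructed for this example.

```ruby
require "json"

# Client-only store: the cookie *is* the session, serialized as JSON, so the
# balance lives in the browser.
def client_only_purchase(cookie, price)
  session = JSON.parse(cookie)
  raise "insufficient funds" if session["balance"] < price
  session["balance"] -= price
  JSON.generate(session)      # the new cookie handed back to the client
end

# Server-side store: the cookie holds only an opaque key; the balance stays here.
SESSIONS = {}

def server_side_purchase(cookie, price)
  session = SESSIONS.fetch(cookie) { raise "unknown session" }
  raise "insufficient funds" if session[:balance] < price
  session[:balance] -= price
  cookie                      # unchanged: it was only ever a key
end

# Replay scenario: starting from a balance of 100, the client keeps its
# pre-purchase cookie and sends that same cookie for three purchases of 80.
# Returns how many of the three the server accepted.
def count_replay_purchases(store)
  if store == :client_only
    cookie = JSON.generate("user" => "nhi", "balance" => 100)   # constructed
    buy = ->(c) { client_only_purchase(c, 80) }
  else
    cookie = "sid-constructed"
    SESSIONS[cookie] = { balance: 100 }
    buy = ->(c) { server_side_purchase(c, 80) }
  end
  accepted = 0
  3.times do
    begin
      buy.call(cookie)        # always the saved cookie, never the one returned
      accepted += 1
    rescue RuntimeError
      # purchase rejected: the server-side balance is already spent
    end
  end
  accepted
end
```

With the client-only store all three purchases go through on a balance of 100; with the server-side store only the first does.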

XSS
If you have this bug, it's over: the hacker effectively has full control
of the website (they can impersonate any user who visits the page
containing the content the hacker posted). The hacker can use it
to attack this site as well as other sites (if those have other
security bugs such as CSRF)
<script>$.post('/delete_article/1')</script>
<script>$.post('http://mobion.com/delete_article/1')</script>

How to avoid:
* If the website only lets users enter plain text:
HTML-escape (HTML escape, not SQL escape) the string when outputting
it to the user
* If the website allows users to enter HTML:
Define which tags are valid (a white list) + sanitize the input.
Note: use a white list, not a black list, because black lists have
been proven to be unsafe
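An added example (not the slides' code) of both output-side defences named above: plain-text escaping with Ruby's `CGI.escapeHTML`, and a white-list sanitizer that keeps only a fixed set of attribute-less tags and leaves everything else escaped. `ALLOWED_TAGS`, `sanitize_html` and the sample input are this example's own.

```ruby
require "cgi"

# The white list: exact, lowercase, attribute-less tags that may survive.
ALLOWED_TAGS = %w[b i em strong p br].freeze

# Plain text: escape the HTML metacharacters (& < > " ') on output, so the
# browser shows the user's text instead of interpreting it.
def escape_plain(text)
  CGI.escapeHTML(text)
end

# White-list approach: escape everything first, then re-enable only exact
# allowed tags. A tag carrying attributes (onclick=...), any tag outside the
# list, and differently-cased tags all stay escaped. The worst leftover is an
# unmatched closing tag, which browsers ignore.
def sanitize_html(text)
  out = CGI.escapeHTML(text)
  ALLOWED_TAGS.each do |tag|
    out = out.gsub("&lt;#{tag}&gt;", "<#{tag}>")
    out = out.gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  out
end

# Constructed user input: a formatted comment with an injected script (of the
# kind shown in the deck) and an event handler smuggled into an allowed tag.
SAMPLE_INPUT = "<b>Hi</b> <script>$.post('/delete_article/1')</script> <b onclick=\"x()\">!</b>".freeze

def sanitized_sample
  sanitize_html(SAMPLE_INPUT)
end
```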

Session fixation
The hacker somehow fixes the user's session ID in advance
Example: go to Nhi's machine and copy the cookie file
Example:
<script>
document.cookie="_session_id=16d5b78abb28e3d6206b60f22a03c8d9";
</script>

How to avoid:
* Avoid XSS
* Reset the session as soon as the user logs in
Avoiding session fixation takes just 1 statement:
(1 statement that saves the whole world)
reset_session
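An added example (not the slides' or Rails' code) of a minimal server-side session store in which login regenerates the session ID, which is the effect `reset_session` followed by storing the user has in a Rails controller. It also serves the earlier question of how to implement login with a cookie-backed session. `SESSION_STORE`, `login_keep_id`, `login_reset` and `fixation_succeeds?` are this example's own names.

```ruby
require "securerandom"

SESSION_STORE = {}   # session id (the cookie value) => hash of session data

def new_session
  id = SecureRandom.hex(16)
  SESSION_STORE[id] = {}
  id
end

# Resolve the id presented in the request cookie; an id the server never
# issued is not adopted, the client simply gets a fresh empty session.
def session_for(cookie_id)
  cookie_id && SESSION_STORE.key?(cookie_id) ? cookie_id : new_session
end

# Vulnerable variant: logs the user in under whatever id the client presented,
# so a planted id becomes a logged-in session the planter also holds.
def login_keep_id(cookie_id, user)
  id = session_for(cookie_id)
  SESSION_STORE[id][:user] = user
  id
end

# Fixed variant: throw the presented session away, issue a new id, and only
# then store the user. This is what reset_session achieves in Rails.
def login_reset(cookie_id, user)
  SESSION_STORE.delete(cookie_id) if cookie_id
  id = new_session
  SESSION_STORE[id][:user] = user
  id   # the new cookie value; the client must be sent this id
end

def logged_in_user(cookie_id)
  SESSION_STORE.dig(cookie_id, :user)
end

# Scenario: an id the attacker knows (a valid one, as when a cookie file is
# copied) is set in the victim's browser, and the victim then logs in with it.
# Returns whether the attacker's copy of that id now acts as the victim.
def fixation_succeeds?(login_method)
  planted = new_session
  send(login_method, planted, "nhi")
  logged_in_user(planted) == "nhi"
end
```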

References

Ruby on Rails Security Guide:
http://guides.rubyonrails.org/security.html
Web basics:
http://redmine.gnt.co.jp/documents/show/48
