
POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY

LECTURE NOTES FOR THE COURSE

WEB APPLICATION SECURITY


CHAPTER 1: OVERVIEW OF WEB APPLICATION SECURITY

Lecturer:

Dr. Hoàng Xuân Dậu

Phone/E-mail:

dauhx@ptit.edu.vn

Department:

Information Security - Faculty of Information Technology 1 (CNTT1)

LECTURE NOTES FOR THE COURSE WEB APPLICATION SECURITY

CHAPTER 1: OVERVIEW OF WEB APPLICATION SECURITY

REFERENCES


1. Bryan Sullivan, Vincent Liu, Web Application Security, A Beginner's Guide, McGraw-Hill, 2012.
2. Mike Shema, Hacking Web Apps: Detecting and Preventing Web Application Security Problems, Elsevier Inc., 2012.
3. Dafydd Stuttard, Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, John Wiley & Sons, 2011.
4. Steve Silva, Web Server Administration, Course Technology, Cengage Learning, 2007.
5. Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg, Network Security: The Complete Reference, McGraw-Hill Osborne Media, 2013.
6. Michael E. Whitman, Herbert J. Mattord, Principles of Information Security, 4th edition, Course Technology, Cengage Learning, 2012.
www.ptit.edu.vn

LECTURER: Dr. HOÀNG XUÂN DẬU

DEPARTMENT: INFORMATION SECURITY - FACULTY OF INFORMATION TECHNOLOGY 1

Page 2


COURSE ASSESSMENT

Grade components:


- Attendance: 10%
- Tests: 10%
- Assignments/discussion: 20%
- Final exam: 60%


COURSE CONTENTS

1. Overview of web application security
2. Types of attacks on web applications
3. Security measures for web servers and web applications
4. Security measures for web browsers
5. Security in web application development and deployment

CHAPTER 1 CONTENTS

1. Introduction to web services and web application architecture
2. Security requirements for web applications
3. Threats and security vulnerabilities in web applications
4. Approaches to securing web applications.

1.1 Introduction to web services and web application architecture

1. The HTTP protocol
2. Components of a web application
3. Web application architecture


1.1 Web services & web application architecture: The HTTP protocol

Web applications operate on top of HTTP (Hyper-Text Transfer Protocol):
- HTTP is an application-layer protocol of the TCP/IP suite, designed specifically for transferring hypertext;
- The standard service port of HTTP is 80;
- Besides HTTP, HTTPS (Secure HTTP) is used for web applications that need the information exchanged between the client and the server to be protected;
- The standard service port of HTTPS is 443.
HTTP works in a request-response manner within the client-server model.


1.1 Web services & web application architecture: The HTTP protocol
[Figure only]


1.1 Web services & web application architecture: The HTTP protocol

Communication between the HTTP client (web browser) and the HTTP server (web server): the client sends a request (figure).


1.1 Web services & web application architecture: The HTTP protocol

Communication between the HTTP client (web browser) and the HTTP server (web server): the server sends a response (figure).


1.1 Web services & web application architecture: The HTTP protocol

Communication between the HTTP client (web browser) and the HTTP server (web server) with the participation of programs running on the server (CGI) that access a database (figure).


1.1 Web services & web application architecture: Components of a web application

Components of a web application:
- Web client / web browser
- Web server
- URL/URI
- Web sessions and cookies
- Server-script interpreter and execution engine
- Server scripts (CGI, Common Gateway Interface)
- Database server
- The TCP/IP network infrastructure connecting the web client and the web server.


1.1 Web services & web application architecture: Components of a web application

The web browser:
- A piece of software running on the client machine that creates requests, sends them and displays the results returned by the web server;
- Request methods: GET, HEAD, POST;
- Can display many kinds of web page data: text, images, audio, video, ...;
- Supports programming in scripting languages (such as JavaScript) and processes HTML, XML, CSS, ...;
- Some popular browsers: MS Internet Explorer, Google Chrome, Mozilla Firefox, Opera, Apple Safari, ...


1.1 Web services & web application architecture: Components of a web application

The web server:
- Receives requests from the web browser, processes them and returns a response (usually a web page);
- For a request for static files, the web server reads the local file system and sends the result to the browser;
- For a request for script files, the web server hands the scripts to the script processor. Scripts may contain database access commands to process data. The result of running the scripts is passed back to the web server, which sends it to the browser.

Some response status codes:
- 200: success
- 404: file/data not found
- 403: access forbidden
- 500: error while running scripts on the server.
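As an added illustration (not part of the original lecture), the Python script below runs a tiny HTTP server on the loopback interface and sends raw HTTP/1.1 requests to it over TCP, parsing the status line so that the request-response exchange and the four status codes listed above (200, 404, 403, 500) can be observed. The sample site, its paths and the port handling are constructed for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample site: one static page, a protected directory, a failing script.
STATIC_FILES = {"/index.html": b"<html><body>Hello from the web server</body></html>"}

class DemoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path in STATIC_FILES:             # static file read from local storage
            status, body = 200, STATIC_FILES[self.path]
        elif self.path.startswith("/private/"):   # access denied by configuration
            status, body = 403, b"Forbidden"
        elif self.path == "/crash.cgi":           # server script failed while running
            status, body = 500, b"Internal Server Error"
        else:                                     # no such file or data
            status, body = 404, b"Not Found"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                 # silence per-request logging
        pass

def start_server():
    # Bind to a free loopback port and serve in a background thread
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def http_get(port, path):
    # Send a raw HTTP/1.1 GET over TCP and parse the status line and headers
    request = (f"GET {path} HTTP/1.1\r\nHost: 127.0.0.1:{port}\r\n"
               "Connection: close\r\n\r\n").encode()
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.sendall(request)
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ")[1])          # "HTTP/1.0 200 OK" -> 200
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return status, headers, body

def demo():
    # Request four paths and collect the status code each one produces
    server, port = start_server()
    try:
        return {p: http_get(port, p)[0]
                for p in ("/index.html", "/missing.html", "/private/x", "/crash.cgi")}
    finally:
        server.shutdown()

if __name__ == "__main__":
    print(demo())
```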


1.1 Web services & web application architecture: Components of a web application

The web server:
Some popular web servers:
- Mozilla Apache web server
- Microsoft Internet Information Services (IIS)
- nginx (NGINX, Inc)
- Google web services
- IBM WebSphere
- Oracle web services

Server-script languages:
- ASP, ASP.NET
- Java Servlet, JavaServer Pages
- PHP, Perl, Python, ...


1.1 Web services & web application architecture: Components of a web application

URL (Uniform Resource Locator):
- Also called a web address; a character string that refers to a resource;
- Common form:
scheme://domain:port/path?query_string#fragment_id
- scheme: the access protocol (http, https, ftp, ...)
- domain: the domain name, e.g. www.google.com
- port: the service port number; for the standard ports (http 80 or https 443) the port number need not be given
- path: the path to the file/page name
- ?query_string: the query string, made of one or more name=value pairs. The ampersand (&) separates the pairs
- fragment_id: an anchor name that locates a section within the page.
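An added example (not from the lecture) that breaks a URL into exactly the parts named above using Python's standard library; it fills in the standard port when the URL omits it and splits the query string on the ampersand. The sample URLs are constructed for the demo.

```python
from urllib.parse import urlsplit, parse_qsl

# Standard ports that may be left out of the URL
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def url_components(url):
    """Split a URL into scheme, domain, port, path, query pairs and fragment."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    return {
        "scheme": parts.scheme,
        "domain": parts.hostname,                       # lower-cased host name
        "port": parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme],
        "explicit_port": parts.port is not None,        # was a port written in the URL?
        "path": parts.path or "/",
        # query_string: one or more name=value pairs separated by '&'
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        # fragment_id is handled by the browser and is never sent to the server
        "fragment": parts.fragment,
    }

# Constructed sample URLs
SAMPLES = [
    "http://www.google.com/search?q=ptit&hl=vi",
    "https://www.example.com:8443/docs/index.php?id=12&lang=vi#section2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(url_components(sample))
```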


1.1 Web services & web application architecture: Components of a web application

URI (Uniform Resource Identifier):
- A character string used to identify a web address or a name;
- A URI can be a URL or a URN (Uniform Resource Name)
- A URN is used to identify the name of a resource
- A URL is used to find the address/location of a resource


1.1 Web services & web application architecture: Components of a web application

Web sessions and cookies

- A web session is a technique that makes it possible to build a stateful web application on top of the stateless HTTP protocol;
- The web server creates and stores an ID for each session at the client's request;
- The lifetime of each session depends on the web server configuration.
Example: after a successful login, the web server creates a session for the user and does not ask for login credentials on subsequent requests until the session ends.


1.1 Web services & web application architecture: Components of a web application

Web sessions and cookies

Cookies (also called HTTP cookies or browser cookies):
- A cookie is a piece of information sent by a website and stored in the user's browser when the user visits the website;
- When the user visits the website again, the website can read the information in the cookie back to learn about the user's earlier activity;
- Cookies are commonly used to store session information and to maintain session state.


1.1 Web services & web application architecture: Components of a web application

Server-script interpreter and execution engine

- The server-script interpreters and execution engines are engines that load, translate and execute the script statements line by line on the web server;
- Because they work in interpretation mode, they are usually slower than applications compiled to executable code;
- Several server-script interpreters and execution engines can be installed and work with one web server.
Some popular script engines:
- Microsoft ASP, ASP.NET
- PHP engine
- Perl, Python engine, JVM/JSP

1.1 Web services & web application architecture: Components of a web application

Server-script interpreter and execution engine
[Figure only]


1.1 Web services & web application architecture: Components of a web application

Server scripts (CGI, Common Gateway Interface)
- Server scripts are pieces of code embedded in HTML web pages to carry out data processing and return results used to build the page content;
- The web server hands the server scripts to the script engines to be translated and executed. The result of running the scripts is passed back to the web server;
- Some programming languages for server scripts:
  - ASP (VBScript), ASP.NET (C#)
  - PHP
  - Perl
  - Python
  - JSP (Java), ...


1.1 Web services & web application architecture: Components of a web application

The database server
- The database server is normally used to hold the data from which dynamic web pages are built;
- When a user query arrives, the web server runs the server scripts that access and process data from the database. The result of running the scripts is passed back to the web server to build the page content.


1.1 Web services & web application architecture: Components of a web application

The TCP/IP network infrastructure connecting the web client and the web server
Comprises all the devices that form the communication system linking the web server with web clients:
- Switches
- Routers
- Firewalls
- Cables, ...


1.1 Web services & web application architecture: Web application architecture

The standard architecture of a web application
[Figure only]


1.1 Web services & web application architecture: Web application architecture

The 3-tier architecture of a web application: the presentation layer, the business logic layer and the data access layer (figure).


1.1 Web services & web application architecture: Web application architecture

Types of web application architecture
[Figure only]


1.2 Security requirements for web applications

Apply the principle of layered, in-depth defence (defence in depth):
- Network security layer
- Host security layer
- Application security layer


1.2 Security requirements for web applications
[Figure only]


1.2 Security requirements for web applications

The network security layer:
- Web applications need a secure network infrastructure for the communication between the server and its clients;
- Network devices must be installed and configured according to standards to ensure security:
  - Switch
  - Router
  - Firewall
  - IPS/IDS: intrusion prevention/detection system


1.2 Security requirements for web applications

The host security layer:
- Operating system security
- Database security
- Security of system software/services


1.2 Security requirements for web applications

The application security layer:
- Authentication/authorisation
- Configuration
- Input validation
- Session management
- Data encryption
- Exception management
- Logging


1.3 Threats and security vulnerabilities in web applications

The top 10 web application security vulnerabilities according to OWASP (2013) (in English)
[Figure only]


1.3 Threats and security vulnerabilities in web applications

The top 10 threats and security vulnerabilities in web applications according to OWASP (2013):
1. Injection
2. XSS (Cross-Site Scripting)
3. Broken authentication and session management
4. Insecure direct object references
5. CSRF (Cross-Site Request Forgery)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards.


1.3 Threats and security vulnerabilities in web applications

Injection:
- Buffer overflow
- SQL injection
- XPath/XQuery injection
- LDAP lookups / injection
- Shell command injection
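An added example for the SQL injection item above (not from the lecture): the same login query written with string concatenation and with parameterized placeholders, run against a constructed in-memory SQLite table so the difference in behaviour on a textbook tautology input can be seen.

```python
import sqlite3

def make_db():
    """Constructed sample user table (not from the lecture)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "battery-staple")])
    return db

def login_vulnerable(db, name, password):
    # User input is pasted into the SQL text, so quote characters in the
    # input become part of the query and change its structure.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, name, password):
    # Placeholders hand the input to the driver as data: the query's
    # structure is fixed before any user-controlled value is seen.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]

def demo():
    db = make_db()
    tautology = "' OR '1'='1"   # the classic textbook injection input
    return {
        "vulnerable_valid": login_vulnerable(db, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(db, "x", tautology),   # every row matches
        "safe_valid": login_parameterized(db, "alice", "correct-horse"),
        "safe_injected": login_parameterized(db, "x", tautology),      # no row matches
    }

if __name__ == "__main__":
    print(demo())
```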


1.3 Threats and security vulnerabilities in web applications

XSS (Cross-Site Scripting):
- An attack on the user's browser;
- The attacker injects script code (usually JavaScript) into web pages that have an XSS flaw;
- When users open these pages, the attacker's script runs and can steal information stored in the user's browser.
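An added example (not from the lecture) showing where the XSS flaw lives on the server side: a page that concatenates untrusted text into HTML beside versions that encode it for the element-body and attribute contexts. The comment strings and the search box are constructed for the demo.

```python
import html

def render_comment_vulnerable(comment):
    # Untrusted text is concatenated straight into the page: the XSS flaw
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment):
    # Element-body context: <, >, &, " and ' become entities, so the browser
    # shows them as text instead of parsing them as markup
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_search_box_safe(query):
    # Attribute context: encode the value and always keep the attribute quoted
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'

def contains_script_element(markup):
    # Crude check standing in for "the browser would execute a script here"
    return "<script" in markup.lower()

# Constructed inputs: a normal comment, a script injection attempt, an attribute breakout
SAMPLE_OK = "Great lecture, see you in chapter 2"
SAMPLE_BAD = "<script>alert('xss')</script>"
SAMPLE_ATTR = '" onmouseover="alert(1)'

def demo():
    return {
        "vulnerable_runs_script": contains_script_element(render_comment_vulnerable(SAMPLE_BAD)),
        "safe_runs_script": contains_script_element(render_comment_safe(SAMPLE_BAD)),
        "safe_keeps_text": render_comment_safe(SAMPLE_OK),
        "attr_breakout_blocked": '" onmouseover' not in render_search_box_safe(SAMPLE_ATTR),
    }

if __name__ == "__main__":
    print(demo())
```

Output encoding is context-specific: the same string needs different treatment inside a JavaScript block or a URL than in the two HTML contexts shown here.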


1.3 Threats and security vulnerabilities in web applications

XSS (Cross-Site Scripting):
[Figure only]


1.3 Threats and security vulnerabilities in web applications

Broken authentication and session management:
- Authentication and authorisation steps are very common in web applications;
- If the authentication steps are not strong enough, they become a hole through which an attacker gains access and steals information.
- Sessions also need to be managed strictly;
- Otherwise an attacker can hijack and take control of the user's session.
Example: placing the session ID in the URL without encrypting or checking it:
http://www.error-site.com/test.aspx?session_id=12345
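An added example (not from the lecture) that ties the session and cookie material of section 1.1 to the weakness above: sessions are kept server-side under a random ID, the ID travels only in a cookie with the HttpOnly, Secure and SameSite attributes, and expiry is enforced on lookup, so a guessable ID like the 12345 in the URL example has no standing. The session lifetime, user name and cookie name are constructed for the demo.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60   # seconds; in practice taken from the server configuration

class SessionStore:
    """Server-side session table: the browser only ever holds an opaque random ID."""
    def __init__(self):
        self._sessions = {}   # session_id -> {"user": ..., "expires": ...}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # 256 random bits from a CSPRNG, not a counter
        self._sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid, now=None):
        # Returns the user for a live session, or None if unknown or expired
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None or sess["expires"] < now:
            self._sessions.pop(sid, None)
            return None
        return sess["user"]

    def destroy(self, sid):   # called on logout
        self._sessions.pop(sid, None)

def set_cookie_header(sid):
    """Build the Set-Cookie header that carries the session ID to the browser."""
    c = SimpleCookie()
    c["SESSIONID"] = sid
    c["SESSIONID"]["httponly"] = True      # page scripts cannot read it (limits theft via XSS)
    c["SESSIONID"]["secure"] = True        # only sent over HTTPS
    c["SESSIONID"]["samesite"] = "Strict"  # not attached to cross-site requests
    c["SESSIONID"]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()

def session_from_cookie(store, cookie_header):
    """Read the ID back from the request's Cookie header, never from the URL."""
    morsel = SimpleCookie(cookie_header).get("SESSIONID")
    return store.lookup(morsel.value) if morsel else None

def login_flow_demo():
    store = SessionStore()
    sid = store.create("alice")                     # constructed user, after a successful login
    header = set_cookie_header(sid)
    user = session_from_cookie(store, f"SESSIONID={sid}")
    guessed = store.lookup("12345")                 # an ID like the slide's URL example
    expired = store.lookup(sid, now=time.time() + SESSION_TTL + 1)
    return header, user, guessed, expired

if __name__ == "__main__":
    print(login_flow_demo())
```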


1.3 Threats and security vulnerabilities in web applications

Insecure direct object references:
- References to objects and files should be made indirectly, and sensitive information should be hidden;
- Example of an insecure reference:
http://www.error-site.com/download.aspx?filename=/docs/12345.pdf
An attacker can type file names that follow the pattern and download files they are not permitted to access.
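An added example (not from the lecture) of the indirect reference the slide asks for: instead of the client naming a file, the server issues each user opaque random handles, resolves a handle only for its owner, and normalises the resulting path as defence in depth. The document root, file names and users are constructed for the demo.

```python
import posixpath
import secrets

DOCS_ROOT = "/srv/docs"   # constructed location of the real files on the server

def vulnerable_download_path(filename):
    # Direct reference: the client names the file and nothing checks who owns it;
    # sequential names (12344.pdf, 12346.pdf, ...) are trivial to enumerate.
    return posixpath.join(DOCS_ROOT, filename.lstrip("/"))

class DownloadService:
    """Indirect references: per-user opaque handles mapped to files server-side."""
    def __init__(self):
        self._handles = {}   # handle -> (owner, path relative to DOCS_ROOT)

    def issue_handle(self, owner, relative_path):
        handle = secrets.token_urlsafe(16)   # random, so there is no pattern to guess
        self._handles[handle] = (owner, relative_path)
        return handle

    def resolve(self, current_user, handle):
        # Returns the real path only for the owner; otherwise None (answer with 404)
        entry = self._handles.get(handle)
        if entry is None:
            return None
        owner, relative_path = entry
        if owner != current_user:
            return None
        full = posixpath.normpath(posixpath.join(DOCS_ROOT, relative_path.lstrip("/")))
        if not full.startswith(DOCS_ROOT + "/"):   # defence in depth against '..' paths
            return None
        return full

def demo():
    svc = DownloadService()
    alice_handle = svc.issue_handle("alice", "12345.pdf")
    bob_handle = svc.issue_handle("bob", "12346.pdf")
    bad_handle = svc.issue_handle("alice", "../etc/passwd")   # mis-issued handle
    return {
        "direct_guess": vulnerable_download_path("12346.pdf"),
        "owner_ok": svc.resolve("alice", alice_handle),
        "other_users_file": svc.resolve("alice", bob_handle),
        "unknown_handle": svc.resolve("alice", "not-a-real-handle"),
        "traversal_blocked": svc.resolve("alice", bad_handle),
    }

if __name__ == "__main__":
    print(demo())
```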


1.3 Threats and security vulnerabilities in web applications

CSRF (Cross-Site Request Forgery):
- An attack on web users that abuses the automatic login mechanism of some websites.
- The attacker tricks the user into executing malicious code embedded in ordinary web pages while the user is in a session with the website.
- The malicious code, running in the browser of a user who has an active session, can let the attacker carry out transactions or steal information.
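An added example (not from the lecture) of the standard defence: a per-session anti-CSRF token that the site embeds in its own forms and checks on every state-changing request, so a request that carries only the automatically attached session cookie is refused. The transfer form, session ID and field names are constructed for the demo.

```python
import hmac
import secrets

class CsrfProtection:
    def __init__(self):
        self._tokens = {}   # session_id -> csrf token, kept server-side

    def token_for(self, session_id):
        # One random token per session; a page on another origin cannot read it
        tok = self._tokens.get(session_id)
        if tok is None:
            tok = secrets.token_urlsafe(32)
            self._tokens[session_id] = tok
        return tok

    def form_html(self, session_id):
        # The site's own form carries the token as a hidden field
        return ('<form method="post" action="/transfer">'
                f'<input type="hidden" name="csrf_token" value="{self.token_for(session_id)}">'
                '<input name="to"><input name="amount"><button>Send</button></form>')

    def is_valid(self, session_id, submitted_token):
        expected = self._tokens.get(session_id)
        if expected is None or submitted_token is None:
            return False
        return hmac.compare_digest(expected, submitted_token)   # constant-time compare

def handle_transfer(csrf, session_id, form):
    """State-changing request: the session cookie alone must not be enough."""
    if not csrf.is_valid(session_id, form.get("csrf_token")):
        return 403, "CSRF check failed"
    return 200, f"transferred {form['amount']} to {form['to']}"

def demo():
    csrf = CsrfProtection()
    sid = "session-of-alice"   # constructed; the browser attaches this cookie automatically
    legit = {"to": "bob", "amount": "10", "csrf_token": csrf.token_for(sid)}
    forged = {"to": "attacker", "amount": "1000"}   # a cross-site form has no token
    return handle_transfer(csrf, sid, legit)[0], handle_transfer(csrf, sid, forged)[0]

if __name__ == "__main__":
    print(demo())
```

Setting the session cookie's SameSite attribute adds a second, browser-enforced layer against the same attack.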


1.3 Threats and security vulnerabilities in web applications

Web server security misconfiguration:
- File access permission errors
- Page execution errors
- Directory (file) listing errors
- Allowing code files to be uploaded and executed


1.3 Threats and security vulnerabilities in web applications

Insecure cryptographic storage:
- Sensitive data such as passwords must be stored in encrypted form;
- One-way hash functions (SHA) should be used;
- Restrict access to files holding sensitive information (stored passwords, ...)
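An added example (not from the lecture) of one-way password storage done with a salt and an iterated hash (PBKDF2 with SHA-256 from the standard library), beside a bare SHA-256 digest, to show why the salt and the work factor matter; the iteration count, storage format and sample passwords are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2 work factor; raise it as hardware gets faster

def plain_sha256(password):
    # A bare one-way hash: unsalted and fast, so equal passwords give equal
    # digests and precomputed tables or GPU brute force apply directly.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Salted, iterated one-way hash in a self-describing storage format."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))

def demo():
    # Constructed users who happen to share a password
    pw = "Summer2024!"
    alice, bob = hash_password(pw), hash_password(pw)
    return {
        "plain_hashes_collide": plain_sha256(pw) == plain_sha256(pw),
        "salted_hashes_differ": alice != bob,
        "correct_password_verifies": verify_password(pw, alice),
        "wrong_password_rejected": verify_password("summer2024!", alice),
    }

if __name__ == "__main__":
    print(demo())
```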


1.3 Threats and security vulnerabilities in web applications

Failure to properly restrict access to internal URLs:
- Private pages/administration pages need a strong access-restriction mechanism;
- Restrict by IP address
- Restrict by permissions
Example of weak restriction: the permission system shows or hides links according to the user's access rights without really checking them, so typing the link by hand still gives access.
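An added example (not from the lecture) contrasting the weak restriction above with a real one: a page that relies on its link being hidden from non-admins beside a page whose handler checks the caller's role on every request, dispatched by URL as if the address had been typed by hand. Routes, roles and users are constructed for the demo.

```python
import functools

class Forbidden(Exception):
    pass

def require_role(role):
    """Check the caller's role inside the handler, on every request."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(user):
            if role not in user.get("roles", ()):
                raise Forbidden(f"{user['name']} lacks role {role!r}")
            return handler(user)
        return wrapper
    return decorator

def member_home(user):
    return f"<h1>Welcome {user['name']}</h1>"

def admin_page_weak(user):
    # Relies on the link being hidden from non-admins; the page itself checks nothing
    return "<h1>User administration (weak)</h1>"

@require_role("admin")
def admin_page_strong(user):
    return "<h1>User administration</h1>"

ROUTES = {
    "/member/home.aspx": member_home,
    "/admin/weak.aspx": admin_page_weak,
    "/admin/users.aspx": admin_page_strong,
}

def navigation_links(user):
    # Hiding links is a usability choice, not an access-control mechanism
    links = ["/member/home.aspx"]
    if "admin" in user.get("roles", ()):
        links += ["/admin/weak.aspx", "/admin/users.aspx"]
    return links

def dispatch(user, path):
    # What happens when a URL is typed by hand, whether or not it was linked
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "Not Found"
    try:
        return 200, handler(user)
    except Forbidden:
        return 403, "Forbidden"

MEMBER = {"name": "alice", "roles": ["member"]}          # constructed users
ADMIN = {"name": "root", "roles": ["member", "admin"]}

def demo():
    return {
        "member_sees_admin_link": "/admin/users.aspx" in navigation_links(MEMBER),
        "member_types_weak_url": dispatch(MEMBER, "/admin/weak.aspx")[0],
        "member_types_strong_url": dispatch(MEMBER, "/admin/users.aspx")[0],
        "admin_types_strong_url": dispatch(ADMIN, "/admin/users.aspx")[0],
    }
```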


1.3 Threats and security vulnerabilities in web applications

Insufficient transport layer protection:
- Mechanisms that protect sensitive information at the transport layer (TCP/UDP) should be used:
  - SSL/TLS
  - VPN
- Never send sensitive information unencrypted.


1.3 Threats and security vulnerabilities in web applications

Unvalidated redirect and forward URLs:
- Redirect and forward URLs must be validated, so that an attacker cannot insert the address of a fake website.
Example: the login page
http://www.error-site.com/logon.aspx?url=/member/home.aspx
can be altered to
http://www.error-site.com/logon.aspx?url=http://hacker-site.com
and the user tricked into clicking it.
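An added example (not from the lecture) of the validation the slide calls for on the login page's url parameter: only local paths, or absolute URLs on the site's own host, are accepted, and anything else falls back to a fixed default; backslash and protocol-relative forms are covered because browsers treat them as absolute. The site name is taken from the slide's example; the default target is constructed.

```python
from urllib.parse import urlsplit

SITE = "www.error-site.com"   # the host from the slide's example

def safe_redirect_target(url_param, default="/member/home.aspx"):
    """Return a redirect target that stays on this site, or the default."""
    if not url_param:
        return default
    candidate = url_param.replace("\\", "/")     # browsers read '\' as '/'
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: allow only our own host over http(s),
        # and keep just its local part so the host cannot be swapped later
        if parts.scheme in ("http", "https") and parts.hostname == SITE:
            local = parts.path or "/"
            return local + ("?" + parts.query if parts.query else "")
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default                           # relative junk or '//' forms
    return candidate

# Constructed inputs a login page might receive in its url parameter
CASES = [
    "/member/home.aspx",                                   # the legitimate value
    "http://hacker-site.com",                              # the altered value
    "//hacker-site.com/x",                                 # protocol-relative
    "/\\hacker-site.com",                                  # backslash trick
    "http://www.error-site.com@hacker-site.com/",          # userinfo trick
    "https://www.error-site.com/member/a.aspx?x=1",        # absolute but ours
    "javascript:alert(1)",                                 # non-http scheme
]

def demo():
    return {case: safe_redirect_target(case) for case in CASES}

if __name__ == "__main__":
    for case, target in demo().items():
        print(f"{case!r:55} -> {target}")
```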


1.4 Approaches to securing web applications

- Always validate input data:
  - Never trust the user
  - Check the size, format and content of the data
  - Use filters
- Minimise the interfaces that can be attacked:
  - Prevent users from accessing database systems directly
  - Grant access rights at the "just enough" level for the job.
- Defence in depth.
