Introduction to Security (Bảo mật nhập môn), by Phạm Huy Hoàng
Preface
Security is an expensive and complicated business. Nearly every system has vulnerabilities (in software as well as hardware), and hackers can use those vulnerabilities to attack it. Keeping a system secure is the responsibility of many parties: sysadmins, network engineers, managers and developers. Within this book, I will approach security together with you from a developer's point of view.
The knowledge in this ebook is fairly basic and easy to learn, but it is extremely useful: it helps you avoid silly, elementary security mistakes when you code. Whether you write C or C++, Java, C# or PHP, you will pick up a few useful things from this series.
A developer's responsibility is to make sure the code they write has no security bugs. In this ebook we play the hacker attacking the systems we wrote ourselves. Through that, we will look at the vulnerabilities most commonly seen in code and find ways to patch them.
Most basic security bugs are already prevented by frameworks. Even so, many websites still suffer from some of them because of the developer's own carelessness or oversight. So read the ebook carefully and try to apply this knowledge to your code to avoid those bugs.
This is a security guide for developers, not a guide to becoming a hacker. The knowledge in this ebook helps you code and patch bugs; it does not help you attack other systems or defraud users. Anyone who seriously wants to seek a master and study security can look up the security guru Juno_okyo.
Warning
Before teaching martial arts, a master always tells his students: you learn martial arts to strengthen body and mind and to help people, not to bully the weak. Before starting this book, I want to give you the same advice: learn security to build more secure systems and to help other systems, not to go hacking or wrecking things.
For ethical reasons, if you find a bug in someone else's system, report it to the administrators rather than cause damage. The line between investigating a vulnerability and sabotaging a system is very thin. With important systems, you could be prosecuted and end up counting the days in prison.
Copyright toidicodedao.com
Table of contents
PART 1: INTRODUCTION TO SECURITY
Security basics and some common vulnerabilities
This material is extremely basic and many people have already covered it, so I won't explain the technical side in depth. You can search Google to learn more.
How to defend
Defending against MITM inside a LAN is usually the job of the sysadmin or the security team, through how the system is installed and configured. As developers, the most basic defence we can put in place is to use HTTPS for the application by adding an SSL certificate. Data sent over HTTPS is encrypted, so an outsider can neither read it nor tamper with it. It's like you and Linh writing mails to each other in teencode: even if that Hoàng guy over there intercepts the mail, he can neither understand nor alter it.
Although HTTPS is still not absolute security, it is far better than plain HTTP. In addition, if your site cannot adopt HTTPS yet, you can add login via Facebook or Google. A hacker can still steal the user's cookie, but at least the username and password are not exposed.
Note
Today many sites still use "fake" HTTPS, meaning HTTPS only on the login page and on pages with sensitive data. This approach still carries plenty of danger. Here I use Fiddler for a local demo, but a hacker can pull the same tricks whenever they share a LAN/WLAN with you. So be very careful when using free or public wifi.
Example 1: Lazada
This site's login page uses HTTPS, so I could not sniff the username and password.
However, Lazada's other pages still use HTTP. When a user visits those pages I can grab the cookie and use it to log in as usual.
Back when Facebook did not yet use HTTPS, we also used this method to sniff and log in to other people's Facebook accounts.
In other cases, a site uses HTTPS but still loads images, JavaScript and CSS over HTTP. A hacker can still easily modify the JavaScript and steal the cookie as usual. That's why Google recommends HTTPS for every page and every link, rather than this kind of "fake" HTTPS.
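Two small defender-side checks for the points above, written as an added example (not code from the book): a redirect-to-HTTPS helper with an HSTS header, and a scan that flags "fake HTTPS" pages that still pull scripts or images over plain HTTP. The function names and the sample page are constructed for illustration.

```python
import re
from urllib.parse import urlsplit


def enforce_https(request_url: str, hsts_max_age: int = 31536000) -> dict:
    """Model of a framework middleware (hypothetical helper).
    http://  -> 301 redirect to the same path on https://
    https:// -> 200 plus Strict-Transport-Security, so the browser stops trying http at all.
    """
    parts = urlsplit(request_url)
    if parts.scheme == "http":
        target = parts._replace(scheme="https").geturl()
        return {"status": 301, "headers": {"Location": target}}
    hsts = f"max-age={hsts_max_age}; includeSubDomains"
    return {"status": 200, "headers": {"Strict-Transport-Security": hsts}}


# src= / href= attributes whose value starts with plain http://
_PLAIN_HTTP_RESOURCE = re.compile(
    r"""(?:src|href)\s*=\s*["'](http://[^"']+)["']""", re.IGNORECASE
)


def find_mixed_content(page_html: str) -> list:
    """List every script/image/stylesheet URL that an HTTPS page loads over HTTP.
    Each hit is a place where someone on the same LAN could modify JavaScript or read cookies."""
    return _PLAIN_HTTP_RESOURCE.findall(page_html)


# Constructed sample page: an HTTPS login page that still loads jQuery and a logo over HTTP.
SAMPLE_PAGE = """
<html><head>
<script src="http://cdn.example.com/jquery.js"></script>
<link rel="stylesheet" href="https://static.example.com/site.css">
</head><body>
<img src="http://static.example.com/logo.png">
<form action="https://shop.example.com/login" method="post">...</form>
</body></html>
"""

if __name__ == "__main__":
    print(enforce_https("http://shop.example.com/cart?id=1"))
    print(find_mixed_content(SAMPLE_PAGE))
```

The mixed-content scan is the check to run against your own templates after "adding an SSL certificate": the certificate alone does nothing for resources that are still referenced with http://.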
Summary
Chrome is also planning to mark HTTP pages as insecure to warn users. In future versions you will see the words Not secure in the address bar if the site only uses HTTP.
"Well, it does sound dangerous, but why do I see you writing about XSS so often? Got too much free time!?"
Khoa, however, is not that well-behaved. Having just learned about XSS, Khoa does not type text but enters the whole script alert(XXX) into the comment box. At that point the page's HTML becomes:
The browser runs this script and shows an alert window. Khoa has injected malicious code into thi*ndia, a successful XSS attack. (Note: this is only an example; thi*ndia has no XSS bug, so don't try it.)
In this kind of attack the malicious code is stored in the database on the server and shown to every user, so we call it Persistent XSS. Anyone who sees Khoa's comment gets hit by the code, so this kind of attack has a wide reach and is quite dangerous.
2. Reflected XSS
In this attack the hacker puts malicious code into the URL as a query string. When a naive user clicks the URL, the site reads the query string, renders the malicious code into the HTML, and the user falls into the trap.
Back to Khoa. After repeatedly asking for the address of a massage place and never getting it shared, Khoa is bitter and decides to take revenge on his seniors. He emails them a fake JAV link. The link is: http://thi*ndia.com?q=<script>deleteAccount();</script>. When the seniors click it they land on thiendia; the server then renders <script>deleteAccount();</script>, calling the JavaScript function deleteAccount and deleting their accounts.
Reflected XSS does not reach as far as Persistent XSS, but the danger level is the same. Hackers usually send links containing malicious code by email, chat messages and so on to lure users into clicking. So don't let your appetite for JAV make you click dodgy links.
3. Client XSS
Recently, as JavaScript is used more and more, Client XSS bugs are also abused more often. Because JavaScript is used to manipulate the DOM, malicious code gets injected directly into the JavaScript.
This XSS bug is fairly easy to fix; the important thing is that it tends to appear on many pages and is easy to miss, so after fixing we must verify carefully. There are 3 common ways to fix it:
1. Encoding
Never trust anything the user types in!! Use the encode function built into your language/framework to turn the characters < > into &lt; &gt;.
2. Validation/Sanitization
Another way to prevent XSS is validation: completely strip suspicious characters from the user's input, or report an error if the input contains them.
Also, if you want to let users enter HTML, use a sanitization library. These libraries filter out dangerous HTML, CSS and JS to prevent XSS. Users can still use tags such as <p>, <span> and <ul> to format their text.
Please, and I'll say it again, please use the existing libraries instead of showing off by rewriting them yourself. There have been plenty of XSS cases where the developer was confident, wrote their own code to strip special characters, and missed some.
3. CSP (Content Security Policy)
Today we can use the CSP standard to prevent XSS. With CSP the browser only runs JavaScript from the specified domains. Suppose thiendia.com used CSP and only ran JavaScript originating from thiendia.com. Since Khoa hosts his malicious code on khoatran.com, the following JavaScript would not execute.
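The three fixes side by side, as an added example that is not code from the book: the unsafe comment rendering that lets Khoa's script run, the same rendering with encoding, a small allow-list sanitizer for the "users may enter <p>, <span>, <ul>" case, and a CSP header. The comment text, tag list and function names are constructed; the sanitizer is teaching-size and, as the text says, a maintained library belongs in production.

```python
import html
from html.parser import HTMLParser

# Constructed sample: what Khoa typed into the comment box in the story above.
MALICIOUS_COMMENT = "<script>alert('XSS')</script> nice massage place"


def render_comment_unsafe(comment: str) -> str:
    """'Before': the comment is pasted straight into the page, so the script runs (stored XSS)."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_encoded(comment: str) -> str:
    """Defence 1, encoding: html.escape turns & < > \" ' into entities, so the browser shows text."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


ALLOWED_TAGS = {"p", "span", "ul", "li", "b", "i"}


class AllowlistSanitizer(HTMLParser):
    """Defence 2, sanitizing: keep only allow-listed tags and drop every attribute
    (so no onclick=, no href="javascript:..."). Text inside <script>/<style> is discarded,
    all other text is entity-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and self.skip_depth == 0:
            self.out.append(f"<{tag}>")  # attributes intentionally dropped

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and self.skip_depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def csp_header(own_origin: str) -> str:
    """Defence 3, CSP: scripts only from our own origin; inline and third-party scripts are blocked."""
    return f"default-src 'self'; script-src {own_origin}; object-src 'none'"


if __name__ == "__main__":
    print(render_comment_unsafe(MALICIOUS_COMMENT))
    print(render_comment_encoded(MALICIOUS_COMMENT))
    print(sanitize_html('<p onclick="evil()">Hi <b>there</b></p><img src=x onerror=alert(1)>'))
    print(csp_header("https://example.com"))
```

Encoding is the default you want everywhere user text is shown; the sanitizer is only for the rare field where HTML input is a feature; CSP is the safety net for the page you forgot.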
Closing words
Speaking a little subjectively (I don't like PHP), sites built with PHP have the most XSS bugs. The first reason is that the number of sites written in PHP is enormous. The second is that by default PHP does not encode unusual characters. PHP CMSes like WordPress and Joomla are very powerful, with countless plug-ins, but many sloppily written plug-ins are the cause of this security bug.
Right now quite a lot of websites have XSS bugs; just wander around the web and you will run into them. As I said, XSS is a very basic bug that almost every hacker knows, and a site with this bug easily becomes prey for them. So, developers, be careful not to let your site fall victim to it.
Some reference links:
http://excess-xss.com/
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Stealing cookies (cookie theft) via XSS: with an XSS vulnerability, a hacker can run malicious code (JavaScript) on the user's side. JS can read cookie values via document.cookie. The hacker can send that cookie to their own server and use it to impersonate the user.
Carrying out a CSRF (Cross-site request forgery) attack: the hacker can post an image link like this:
<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">
The browser automatically loads the link inside the image, of course sending the cookie along. The link's endpoint reads the cookie from the request, authenticates the user, and drains the money without the user ever knowing. This attack has many variants, which I'll explain in a later part.
How to defend
Some methods you can apply:
Set Expires and Max-Age: to limit the damage when a cookie is stolen, we should not let cookies live too long. Set the cookie lifetime somewhere between 1 day and 3 months, depending on the application's requirements.
Use the HttpOnly flag: a cookie with this flag cannot be accessed via document.cookie. So even if the site has an XSS bug, the hacker cannot steal it.
Use the Secure flag: a cookie with this flag is only sent over HTTPS, so the hacker cannot sniff it.
Because cookies are easy to attack, never put important information in them (passwords, account numbers, ...). If you absolutely must store such data, encrypt it carefully.
Note: if your website uses a RESTful API, don't use cookies to authorize users; use OAuth or web tokens instead. The token is put in the header of each request, so it is not affected by CSRF.
You can read more about cookies and related security bugs here:
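The three cookie protections listed above, as an added example that is not the book's code: one function emits a session cookie with Max-Age, HttpOnly and Secure set (plus SameSite, which the list above does not mention), and an audit function reads any Set-Cookie value back and reports which protections are missing. The cookie name and the 3-month ceiling follow the text; the function names are constructed.

```python
from http.cookies import SimpleCookie

THREE_MONTHS = 90 * 24 * 3600  # upper bound the text recommends for a cookie lifetime


def build_session_cookie(session_id: str, max_age: int = 24 * 3600) -> str:
    """Set-Cookie value for a session cookie with every protection from the list."""
    jar = SimpleCookie()
    jar["session"] = session_id
    m = jar["session"]
    m["max-age"] = max_age   # bounded lifetime (Expires would work as well)
    m["httponly"] = True     # not readable from document.cookie, so XSS cookie theft fails
    m["secure"] = True       # only sent over HTTPS, so sniffing on the LAN fails
    m["path"] = "/"
    m["samesite"] = "Lax"    # extra, not in the list above: limits cross-site sending (CSRF)
    return m.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the protections missing from a Set-Cookie header value (empty list = fine)."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for attr in parts[1:]:                      # parts[0] is name=value
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "max-age" not in attrs and "expires" not in attrs:
        problems.append("no Max-Age/Expires")
    elif "max-age" in attrs and int(attrs["max-age"]) > THREE_MONTHS:
        problems.append("Max-Age longer than 3 months")
    return problems


if __name__ == "__main__":
    weak = "session=abc123; Path=/"            # constructed: what a careless app sends
    print(weak, "->", audit_set_cookie(weak))
    good = build_session_cookie("abc123")
    print(good, "->", audit_set_cookie(good))
```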
http://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/
http://www.ibm.com/support/knowledgecenter/SSZLC2_7.0.0/com.ibm.commerce.admin.doc/concepts/csesmsession_mgmt.htm
https://www.nczonline.net/blog/2009/05/05/http-cookies-explained/
https://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
http://programmers.stackexchange.com/questions/298973/rest-api-security-stored-token-vs-jwt-vs-oauth
Consequences of SQL Injection
The biggest consequence of SQL Injection is leaking the data in the database. Depending on how important the data is, the impact ranges from minor to extremely serious. If credit card data leaks, hackers can shop with the cards or steal the users' money.
Millions of "free" credit cards are floating around on the internet, stolen by hackers from shopping sites via SQL Injection. Leaked customer data can hurt a company badly: its image suffers, customers move to other services, and it can end in bankruptcy, etc.
This vulnerability also hits customers hard. Because they usually reuse one password for many accounts, leaking the password of one account leaks the others too. That is also why I keep reminding you to hash passwords: if the database is attacked, the
The code above reads the user's input and concatenates it into a SQL statement. To attack it, a hacker changes the input and thereby changes the SQL statement.
Or, out of spite, the hacker can drop the whole Users table, deleting every user in the database. Scary yet?
Through SQL Injection a hacker can probe the data structure (which tables exist, which columns they have) and then start extracting data using statements like UNION, SELECT TOP 1...
As I said, SQL Injection is very common; you can easily google articles about it. So I'll only summarize the attack mechanism. Look at the examples in this article to learn more: http://expressmagazine.net/development/1512/tan-cong-kieu-sql-injection-va-cac-phong-chong-trong-aspnet.
How to defend
Luckily, although SQL Injection is very harmful, it is also easy to prevent. Nowadays we rarely write raw SQL and mostly use ORM (Object-Relational Mapping) frameworks. These frameworks generate the SQL statements themselves, which makes attacks harder.
However, plenty of sites still use raw SQL to access data, and these are easy prey for hackers. To protect yourself against SQL Injection you can take the following measures.
Filter user input: this defence is similar to the one for XSS. Use a filter to strip special characters (; ') or keywords (SELECT, UNION) from what the user enters. Use the library/function provided by your framework; rewriting it from scratch wastes time and is error-prone.
Don't build SQL by string concatenation: use parameters instead. If the data passed in is invalid, the SQL engine reports an error by itself and we don't need code to check it.
Don't display exceptions or error messages: hackers use error messages to discover the database structure. When an error occurs, show only a generic error notice rather than the full error details, so a hacker cannot exploit them.
Assign clear permissions in the DB: if you only access data from a few tables, create a DB account and grant it access to just those, instead of using the root or sa account. Then even if a hacker manages to inject SQL, they cannot read the main tables or modify or delete data.
Back up data regularly: as the elders say, better safe than sorry. Data must be backed up regularly so that if a hacker deletes it, we can still restore it. And if the backups get deleted too, congratulations: update your CV and start looking for a new company!
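The "concatenate versus parameterize" point and the "don't show the exception" point from the list above, as one added example that is not code from the book. It uses Python's sqlite3 on an in-memory Users table with one constructed row; the function names are constructed, and the only input it feeds the unsafe query is the classic quote-and-OR string the text's attack description refers to.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory Users table with one constructed row (password stored hashed, as the book insists)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'constructed-hash-value')")
    return conn


def find_user_concat(conn, username: str) -> list:
    """'Before': string concatenation. The user's text becomes part of the SQL itself."""
    sql = "SELECT username FROM Users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, username: str) -> list:
    """'After': parameter binding. The text is sent as a value; the engine never parses it as SQL."""
    sql = "SELECT username FROM Users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_leaky(conn, username: str) -> dict:
    """Returns the engine's own error text to the caller: tells an attacker how the query is built."""
    try:
        return {"ok": True, "users": find_user_concat(conn, username)}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


def lookup_safe(conn, username: str) -> dict:
    """Parameterized query plus a generic error notice; the real exception goes to the server log only."""
    try:
        return {"ok": True, "users": find_user_param(conn, username)}
    except sqlite3.Error:
        # log the exception server-side here; never echo it to the client
        return {"ok": False, "error": "Could not process request"}


if __name__ == "__main__":
    db = make_demo_db()
    probe = "nobody' OR '1'='1"
    print("concat :", find_user_concat(db, probe))   # returns alice: the WHERE clause was rewritten
    print("param  :", find_user_param(db, probe))    # returns []: the text is just a value
    print("leaky  :", lookup_leaky(db, "'"))
    print("safe   :", lookup_safe(db, "'"))
```

The page's other two measures, a least-privilege database account and regular backups, are deployment settings rather than application code and are not modelled here.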
Conclusion
Data is one of the most valuable things on your website. After reading this chapter, check whether your site can be attacked with SQL Injection, then apply the methods I've described to fix it.
Further references
http://www.w3schools.com/sql/sql_injection.asp
http://expressmagazine.net/development/1512/tan-cong-kieu-sql-injection-va-cac-phong-chong-trong-aspnet
http://freetuts.net/ky-thuat-tan-cong-sql-injection-va-cach-phong-chong-trong-php-107.html
http://kienthucweb.net/sql-injection-la-gi.html
The vulnerability here is that the program let me access a resource (someone else's order) illegitimately, through data (the ID) that I supplied in the URL. The program should have checked whether I was authorized to access that data.
In practice, hackers can use many tricks: changing the URL, changing parameters in an API, using tools to scan for unprotected resources. My old Lotte Cinema hack was similar: replacing the id in the URL with the username in the cookie.
About 1-2 months ago there was a scandal involving company X (I think it was CGV) that leaked the accounts of 3 million users. It was exactly this Insecure Direct Object References vulnerability that let the hacker (in this case the security guru Juno_okyo) enumerate the data of those 3 million users.
Clearly, Tiki puts the order id in the URL. However, when I tried changing the order id, Tiki redirected me back to https://tiki.vn/sales/order/history. That is what proper security looks like!
Don't expose the object's key: in the cases above, the object id is an int, so a hacker can guess the ids of other objects. To prevent this, we can encode the id or use a GUID as the id. Then a hacker has no way to guess another object's ID.
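Both fixes above in one added example (not code from the book): an order lookup that only keys on the URL id, the same lookup with the ownership check that sends a stranger back to their own order history (the Tiki behaviour), and a GUID-style public id layered on top. The order data, user ids and function names are constructed.

```python
import uuid

# Constructed store; a real application would read these from the database.
ALICE_ID, BOB_ID = 1, 2
ORDERS = {
    1001: {"owner": ALICE_ID, "item": "2 tickets"},
    1002: {"owner": BOB_ID, "item": "popcorn"},
}
HISTORY_REDIRECT = {"redirect": "/sales/order/history"}


def get_order_vulnerable(current_user: int, order_id: int):
    """'Before': looks the order up by the id from the URL only.
    Any logged-in user can read any order by changing the number (IDOR)."""
    return ORDERS.get(order_id)


def get_order_checked(current_user: int, order_id: int):
    """'After': the order must exist and belong to the caller; otherwise redirect to their own history."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        return HISTORY_REDIRECT
    return order


# Second fix from the text: expose a non-guessable key instead of the sequential int.
PUBLIC_IDS = {}  # public uuid string -> internal int id


def publish_order_id(order_id: int) -> str:
    """Mint the GUID that goes into URLs; the int id never leaves the server."""
    public_id = str(uuid.uuid4())
    PUBLIC_IDS[public_id] = order_id
    return public_id


def get_order_by_public_id(current_user: int, public_id: str):
    """A GUID is hard to guess, but it is still not authorization:
    the ownership check runs as well, in case the key ever leaks."""
    order_id = PUBLIC_IDS.get(public_id)
    if order_id is None:
        return HISTORY_REDIRECT
    return get_order_checked(current_user, order_id)


if __name__ == "__main__":
    print(get_order_vulnerable(ALICE_ID, 1002))   # Bob's order, served to Alice
    print(get_order_checked(ALICE_ID, 1002))      # redirect instead
    key = publish_order_id(1001)
    print(key, get_order_by_public_id(ALICE_ID, key))
```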
First, the user must be logged in to the target site (call it site A).
To lure the user, the hacker creates a malicious web page.
When the user visits this malicious page, a request is sent to site A, the site the hacker wants to attack (through a form, img, ...).
Because the user's cookie is attached to this request, site A mistakes it for a request made by the user.
The hacker can then impersonate the user to perform actions such as changing the password, transferring money, ...
For a clearer picture, read the example section below.
Common attack patterns
Type 1: Using a form
Once upon a time there were two brothers, Tường and Tân. Tường, the elder, studied hard and worked diligently to support his wife and children. The younger, Tân, was the opposite: all day long he was on thiendia sharing stuff and hunting for massage places.
Tường puts this URL in an img tag. When Tân visits the page, the browser automatically sends a GET request, attaching the JAVBank cookie stored in his browser. Through the cookie the bank confirms it is Tân and transfers the money to Tường.
Back in the day, when security vulnerabilities were not yet widely known, this was exactly the method hackers used. Just post one image containing a link like the above on some forum, and countless people visiting the forum would fall for it.
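The bank's side of the story above, as an added example that is not code from the book: a transfer handler that refuses GET (all an img tag can send) and requires a per-session anti-CSRF token that only site A's own form carries. The session store, balances and function names are constructed; the token check is the standard synchronizer-token pattern, which the text does not name.

```python
import hmac
import secrets

# Constructed in-memory state for "site A" (JAVBank in the story).
SESSIONS = {"sess-tan": {"user": "Tan", "csrf": secrets.token_urlsafe(32)}}
BALANCES = {"Tan": 100, "Tuong": 0}


def render_transfer_form(session_id: str) -> str:
    """Site A's own page: the token is tied to the session and embedded in the form.
    Tường's page cannot read this page (same-origin policy), so it cannot copy the token."""
    token = SESSIONS[session_id]["csrf"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"></form>'
    )


def handle_transfer(method: str, cookies: dict, form: dict) -> dict:
    """Server-side handler for /transfer."""
    if method != "POST":
        return {"status": 405}            # a state change is never done on GET; kills the <img> trick
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return {"status": 401}            # not logged in
    presented = form.get("csrf_token", "")
    if not hmac.compare_digest(presented, session["csrf"]):
        return {"status": 403}            # cookie present but token missing/wrong: cross-site request
    amount = int(form["amount"])
    BALANCES[session["user"]] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return {"status": 200, "balance": BALANCES[session["user"]]}


def extract_token(form_html: str) -> str:
    """What site A's real page does in the browser: the token travels back with the form."""
    marker = 'name="csrf_token" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]


if __name__ == "__main__":
    tan_cookies = {"session": "sess-tan"}
    # <img src=".../transfer?to=Tuong&amount=100"> on Tường's page: GET with cookie
    print(handle_transfer("GET", tan_cookies, {"to": "Tuong", "amount": "100"}))
    # auto-submitted POST form on Tường's page: cookie yes, token no
    print(handle_transfer("POST", tan_cookies, {"to": "Tuong", "amount": "100"}))
    # site A's own form
    token = extract_token(render_transfer_form("sess-tan"))
    print(handle_transfer("POST", tan_cookies, {"to": "Tuong", "amount": "10", "csrf_token": token}))
```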
The .NET version and the full exception are displayed when an error occurs. This is easy prey for a SQL Injection attack.
When this feature works smoothly, nobody gives it a word of praise. But as soon as it hits the slightest problem, I guarantee you will be on the receiving end of endless customer fury.
Most important: don't store passwords!
Developers must know the following by heart: never, ever store customers' passwords, no matter what the boss says! As a conscientious developer, you must never save customers' passwords to the database (said for the third time so you remember).
Limit the number of login attempts after a wrong password. For example, after 3 wrong passwords, lock the account for 10 minutes. A hacker can use this to lock users out of their accounts, so be careful. You can also add a captcha.
Note: these measures can annoy users; if the data is not that important (games, Q&A sites, social, entertainment ...) some of them can be relaxed.
This is the lamest and dumbest way. The database is one of the places most often attacked and most prone to leaking data. In the past, SQL Injection bugs have leaked millions of customer records and credit card details. And that's not even counting outside hackers: sometimes the database admin gets curious and can simply read the customers' passwords. Big deal, right?
The right way to store passwords is so that only the user can know their own password. How? Read the section below.
So just encrypt it then, let's go!!
Well, the solution is fairly simple. You can use a hash function to "encrypt" the password as follows:
1. Use a hash function to hash the user's password.
2. Store this hashed password in the database.
3. When the user logs in, hash the entered password and compare it with the one stored in the database.
This hash function must be one-way: it must be impossible to recover the input from the hashed password.
With this approach, when a user forgets their password, the system has no way to dig it up and send it to them. The only solution is a password reset: generate a random new password and send it to the user.
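The three steps above, plus the "3 wrong attempts, lock for 10 minutes" rule from earlier in this chapter, as one added example that is not code from the book. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt (the text says only "a one-way hash"; the algorithm, iteration count, storage format and class names are my choices), and returns the same "invalid" answer for an unknown username as for a wrong password, which is an extra not stated in the text.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # PBKDF2 work factor; slows down offline guessing if the table leaks


def hash_password(password: str, salt: bytes = None) -> str:
    """Step 1: one-way hash with a random salt. Stored as algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Step 3: hash what the user typed with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


MAX_FAILURES, LOCK_SECONDS = 3, 10 * 60  # the lockout rule from the text


class UserStore:
    """Step 2: only the hash is kept. Nothing here can ever give the password back."""

    def __init__(self):
        self.users = {}  # username -> {"hash": str, "failures": int, "locked_until": float}

    def register(self, username: str, password: str) -> None:
        self.users[username] = {"hash": hash_password(password), "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: float = None) -> str:
        """Returns 'ok', 'invalid' or 'locked'. `now` is injectable so the lockout can be tested."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return "invalid"  # same answer as a wrong password: don't reveal which usernames exist
        if now < user["locked_until"]:
            return "locked"
        if verify_password(password, user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["failures"] = 0
            user["locked_until"] = now + LOCK_SECONDS
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")   # constructed credentials
    print(store.users["alice"]["hash"])                         # what the database sees
    print(store.login("alice", "correct horse battery staple"))
    for _ in range(3):
        print(store.login("alice", "wrong"))
```

For the "forgot password" flow the text describes, the only thing this store can do is overwrite the hash with one for a freshly generated password; there is no call that returns the old one.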
"Oh come on, that's so complicated; at worst it's only the password on my site that leaks"
Let me whisper a secret (that probably everyone already knows): almost every user uses a single username/password for all their accounts online. If a hacker finds a password on your site, they will try it on that person's Facebook, Gmail, bank accounts, and so on.
Losing one account means losing everything. Scary, right? Don't believe me? Think about it: do you use the same email/password for Gmail, Facebook, Evernote and many other sites?
Lotte Cinema's horrifying security hole
One fine day I planned to take my girlfriend to a movie, dinner and then *beep*. I wanted to book tickets online but had forgotten my lottecinema.com password, so I fumbled around the login page and eventually found the Forgot password option. I entered my email address and ID number and quickly received an email from lottecinema containing both my username and my password.
How convenient, no need to reset the password. Wait, something's off here!! So Lotte stores my password directly in the database, as is. If that database leaks, all my other accounts (and those of every other Lotte Cinema member) go down with it.
Terrifying!! I found this bug last year, and as of a few days ago it was still there untouched. That tells you how brilliant Lotte Cinema's IT department is. If you have a Lotte Cinema account, be careful.
Next, let's start by examining the cookies. Download the EditThisCookie addon and let's get to work. Log in and see what Lotte Cinema stores in the cookie.
You're not seeing things: that really is your username. Well, let's pray they only store the username to remind you when you need to log in again. Try changing it to a different value and refresh the page.
WHAT THE HELL IS THIS!!! I've been switched to a different account. Unbelievable. A security hole the size of a cartwheel exposed after 5 minutes of poking around. 1-0 to Lotte Cinema. (This bug is called impersonation.)
The big blunder
By changing the cookie I've broken into someone else's account. Great, I get the user's information too! Now let me try editing the information: works. Try booking a ticket: works too!
Oh, I even received the current password; Lotte's mail is fast! Since a typical user signs up on many sites, I could try this username and password on a few other sites to take over accounts. Scary, isn't it??
Try changing the current password: works. Now I can log in with the new password. This is bug number 2: when changing a password, the user must be required to supply the old one. The score is now 2-0 to Lotte Cinema.
Bonus: a whale
The two bugs above are enough to cripple the entire system. Just write a small bot that walks through values of membername in the cookie (from a to zzzzzzz) and you can harvest almost all customer information, or change every password so users can't log in. (Users with usernames longer than that get off the hook.)
But it doesn't stop there. I went on to try entering text into the Full name field, and Lotte coughed up an XSS bug (an attack that injects a script into the page).
This XSS bug only shows up on that user's own page, so it can't be used to deface the site. However, I could still show a fake pop-up tricking the user into downloading a virus, as in the picture below. With JS I could collect card numbers and ID numbers from users who trust that the message comes from Lotte.
Final advice: you can still watch movies at Lotte, but don't enter any personal information into that cursed system of theirs! Cheers.
You can watch a video summary of this article here: https://www.youtube.com/watch?v=CtnfOZmKR3A. Remember to like and subscribe via this link: https://www.youtube.com/c/toidicodedaoblog?sub_confirmation=1. I need 100 subscribers to request a custom URL for the Tôi đi Code dạo channel.
Update (30/08/2016)
After the article spread widely on social media, the party responsible for building the Lotte Cinema website contacted me directly. As of 1/9/2016 the security bugs in this article have been provisionally fixed.
I know I'm handsome, but don't look at me, look at the circled area.
A series of AJAX functions using GET, taking a username and returning the user's information. Worse, the JSON this function returns includes sensitive data such as home address, date of birth and e-mail.
This GET function has no authentication, so I could substitute usernames one after another and pull the information of every user. Testing each username in turn is slow, though, so this approach isn't very practical.
How to continue? I switched to poking at Lozi's mobile app.
On to the mobile app
A little fact few of you know: although I usually write about C# and JavaScript, I'm actually quite familiar with Java and Android too. Enough bragging, back to the main topic. Poking at the app wasn't very complicated: I just went to apkpure.com to download the apk and then used a decompiler tool to get the source code of Lozi's Android app.
It seems the Lozi team hadn't obfuscated the code when publishing, so the code was intact. Because the team follows OOP and SOLID closely, it wasn't too hard for me to find the code that calls Lozi's API. The part that caught my attention was the call to the SearchUser API.
This API is a GET, so I needed nothing else. Fire up Postman, enter the API URL, and bingo: the information of 2 million users.
There's even a paging link.
The remediation process
On Wednesday night, 16/11, I found this bug and started contacting lozi.vn.
On Friday afternoon, 18/11, I received a reply from Lozi's fan page. About 5 minutes after I emailed the Lozi team, the bug was fixed.
On Saturday morning, 19/11, I got a very courteous reply from the person in charge, even though it was a Saturday. Bravo Lozi. Very different from Lotte Cinema's attitude; they left me hanging for over half a month.
About 4-5 days after my report, Lozi had also rolled out HTTPS and added tokens to the APIs.
Remarks
Developers tend to assume that these REST APIs are hidden away: users can't see them and therefore can't tamper with them. Unfortunately, developers and hackers can easily decompile the app and play with these APIs.
In fact, it's not only the Lozi team; most other teams are also rather careless about API security. The prime example is CGV's leak of 3 million users, also through the mobile API. On the other hand, the Foody and Lozi teams secure their APIs fairly well; I tried poking around and got nothing.
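What a SearchUser-style endpoint looks like before and after the two fixes the Lozi story implies (an authentication token on the API, and a response limited to public fields), as an added example that is not Lozi's code or the book's. The user records, the token and the function names are constructed; the "Bearer" header convention is the standard one and is my choice here.

```python
import hmac

# Constructed user records, modelled on what a search endpoint sits in front of.
USERS = [
    {"username": "an.nguyen", "display_name": "An", "email": "an@example.com",
     "birthday": "1990-01-01", "address": "12 Example St"},
    {"username": "binh.tran", "display_name": "Binh", "email": "binh@example.com",
     "birthday": "1988-05-05", "address": "34 Example St"},
]
PUBLIC_FIELDS = ("username", "display_name")
# token -> client name; a real token is issued by a login/OAuth step, this one is constructed
API_TOKENS = {"app-token-constructed": "mobile-app"}


def search_user_open(query: str) -> list:
    """'Before': no authentication, and every column of the record goes out in the JSON."""
    return [u for u in USERS if query.lower() in u["username"]]


def _client_for(authorization: str):
    """Resolve an Authorization header to a client name, or None. Constant-time token comparison."""
    if not authorization.startswith("Bearer "):
        return None
    presented = authorization[len("Bearer "):]
    for token, client in API_TOKENS.items():
        if hmac.compare_digest(presented, token):
            return client
    return None


def search_user(query: str, authorization: str = "") -> dict:
    """'After': the caller must present a valid token, and only public fields are returned.
    Being 'hidden inside the app' counts for nothing once the apk is decompiled."""
    if _client_for(authorization) is None:
        return {"status": 401, "results": []}
    results = [{k: u[k] for k in PUBLIC_FIELDS} for u in USERS if query.lower() in u["username"]]
    return {"status": 200, "results": results}


if __name__ == "__main__":
    print(search_user_open("nguyen"))                                   # leaks email, birthday, address
    print(search_user("nguyen"))                                        # 401 without a token
    print(search_user("nguyen", "Bearer app-token-constructed"))        # public fields only
```

Note that a client token only proves the request came from the app; it does not stop someone who extracts the token from the apk from calling the endpoint. That is why the field allow-list matters as much as the token.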
In place of a conclusion
This is also the final part of the book. Sincere thanks for taking the time to read and for your support!
One thing I'll repeat throughout the series: never trust the user!! Never trust what users enter, never assume users don't know how to edit JavaScript or tinker with things. In the guise of a user, a hacker has countless ways to attack the system. Remember that!
I post these articles only as a wake-up call, not to show off or anything else. "Proper" hackers have to plan attacks or spend real effort researching vulnerabilities nobody has found yet. All I did was poke at developers' elementary mistakes, nothing to be proud of or to brag about ;)). Any attack or sabotage done to "show off" is childish and thoughtless and can end in "lost love, lost money and prison". Think carefully before you act.
My one small hope is that this ebook reaches more people. If every programmer knew these basic security bugs, we wouldn't have to see silly holes like those at Lotte Cinema or VietnamWorks any more. Help me share it with more readers!
Remember, security is a huge field; the security world is vast. New security bugs appear every day, no less than new programming technologies. This introductory ebook covers only a tiny part of it (countless interesting things, like social engineering and row hammering, are not mentioned in the book). So don't think that after finishing the series you know everything there is to know about security. Keep building your security knowledge and apply it to your code and designs.
The book's content draws on the courses Hack Yourself First and Web Security: OWASP Top 10 on Pluralsight, plus a few other sources. The series has subtitles, so it's fairly easy to follow; those with decent English can give it a try.
About the author