Web Application Security

Contents

- Technologies used
- Web application architecture
- Information gathering on web applications
- Overview of security flaws

Technologies used

- The HTTP protocol
- Web functionality

The HTTP protocol


[Diagram: a laptop running Netscape and a desktop running Explorer each send an HTTP request to a server running Apache, which returns an HTTP response to each]

Hypertext Transfer Protocol

- An application-layer protocol responsible for communication on the web
- Operates on the client/server model: clients send requests, wait for the result and render it; the server receives requests and returns responses
- A stateless protocol: the server keeps no state information about the clients' sessions
- Default port: 80
- Runs on top of the TCP protocol

[Diagram: TCP three-way handshake (SYN, SYN/ACK, ACK) between the client and the web server, then GET URL, the response data ("YOUR DATA HERE"), and connection teardown with FIN, FIN/ACK, ACK]

[Diagram: HTTP/1.0. For each of page.html, hpface.jpg and castle.gif the client opens a TCP connection (SYN), sends a GET, receives the object and closes the connection (FIN)]

HTTP/1.0 uses one HTTP request per TCP connection.

[Diagram: HTTP/1.1. The client opens a single TCP connection (SYN), sends GET page.html, GET hpface.jpg and GET castle.gif over it, and the connection is closed (FIN) after a timeout]

HTTP/1.1 introduces persistent HTTP: the approach is to carry several HTTP transfers over one TCP connection.

HTTP Requests

Structure: request line (Method, URL, Protocol version), headers, a blank line, then an optional body.

Example request:

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html, */*
Accept-Language: en-us
Accept-Charset: ISO-8859-1,utf-8
Connection: keep-alive

The first line (request line) consists of three parts separated by spaces:
- HTTP method
- the requested URL
- HTTP version

Meaning of some header fields:
- Referer: the location the URL originated from
- User-Agent: information about the client
- Host: the hostname of the server
- Cookie: the cookie values the client sends to the server

Exercise: use the Live HTTP Headers add-on to view the headers of an HTTP request packet.

HTTP Responses

Structure: status line (Version, Status, Status message), headers, a blank line, then the body.

Example response:

HTTP/1.1 200 OK
Date: Thu, 24 Jul 2008 17:36:27 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 1846

<html> ... </html>

The first line (status line) consists of three parts separated by spaces:
- HTTP version
- Status code: the result code of the request
- Status message: text explaining the status code

Meaning of some header fields:
- Server: the web server banner
- Set-Cookie: instructs the client to store a cookie
- Content-Type: the data type of the HTTP response body
- Content-Length: the length of the HTTP response body in bytes

Exercise: use the Live HTTP Headers add-on to view the headers of an HTTP response packet.

HTTP methods:
The actions a client can perform on a URL at the server.
- HTTP 1.0: GET, POST, HEAD
- HTTP 1.1: adds 5 methods: OPTIONS, PUT, DELETE, TRACE and CONNECT

GET
- Used to retrieve a resource from the server
- Parameters can be sent to the resource through the query string in the URL
- Can be bookmarked
- URLs are displayed on screen and may be logged in browser history or in the web server's access log
- The query string should not be used to carry sensitive information or data

POST
- Sends data to a resource
- Parameters are in the body of the HTTP request => cannot be bookmarked, and are not stored in browser history or in the web server's access log

URLs:
A Uniform Resource Locator identifies a web resource.

Structure of a URL:
protocol://hostname[:port]/[path/]file[?param=value]

Status codes:

A number that indicates the result of an HTTP request. Five groups:

- 1xx Informational
- 2xx Request succeeded
- 3xx Client is redirected to another resource
- 4xx Request error
- 5xx Server error

Common codes:

- 2xx: 200 OK, 201 Created, 202 Accepted, 204 No Content
- 3xx: 301 Moved Permanently, 302 Moved Temporarily, 304 Not Modified
- 4xx: 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
- 5xx: 500 Internal Server Error, 501 Not Implemented, 502 Bad Gateway, 503 Service Unavailable

Cookies:
A technique in which the server sends data down to the client; the client stores it and automatically sends it back in every subsequent request to that server.

The server issues a cookie to the client with the Set-Cookie header of the HTTP response:
Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWc

The client returns the cookie data to the server with the Cookie header of the HTTP request:
Cookie: tracking=tI8rk7joMx44S2Uu85nSWc

A cookie usually takes the form of Name=value pairs, or it may be a single string.

Optional attributes in the Set-Cookie header:
- Expires: sets the time at which the cookie expires
- Domain: sets the domain for which the cookie is valid
- Path: sets the URL path for which the cookie is valid
- Secure: the cookie is only sent in HTTPS requests
- HttpOnly: the cookie cannot be accessed from client-side scripts such as JavaScript

Exercise:
- Use the Live HTTP Headers add-on to view the cookies exchanged between server and client
- Use the Cookie Manager add-on to view and edit the cookie values stored on the machine
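The following is an added example, not code from the original slides: it parses the Set-Cookie headers of a raw HTTP response, reports which of the protective attributes listed above (Secure, HttpOnly) each cookie lacks, and builds the Cookie header the client would send back. The response text is constructed for the example.

```python
# Added example (not from the original slides). Sample response is constructed.

def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr=val; Flag' into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "attrs": {}}
    for part in parts[1:]:
        attr, sep, val = part.partition("=")
        # Flags such as Secure and HttpOnly carry no value; store them as True.
        cookie["attrs"][attr.strip().lower()] = val.strip() if sep else True
    return cookie

def response_cookies(raw_response: str) -> list:
    """Collect every Set-Cookie header from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            found.append(parse_set_cookie(value.strip()))
    return found

def missing_protections(cookie: dict) -> list:
    """Which of the slide's protective attributes are absent from this cookie?"""
    return [flag for flag in ("secure", "httponly") if flag not in cookie["attrs"]]

def cookie_header(cookies: list) -> str:
    """Build the Cookie header the client sends on its next request."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)

SAMPLE_RESPONSE = (  # constructed sample, not a captured response
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWc; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT\r\n"
    "Set-Cookie: session=a1b2c3; Path=/; Domain=example.com; Secure; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    cookies = response_cookies(SAMPLE_RESPONSE)
    for c in cookies:
        print(c["name"], "missing:", missing_protections(c) or "nothing")
    print("Cookie:", cookie_header(cookies))
```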

HTTP Authentication:
Protects resources and restricts access to the application. Three types:

Basic:
- Not encrypted
- The credentials are Base64-encoded and placed in an HTTP header sent to the server

NTLM:
- Challenge-response mechanism
- Windows protocol

Digest:
- Challenge-response mechanism
- MD5 checksum

Web functionality

Besides the HTTP protocol, web applications use many other technologies. Functionality falls into two groups:
- Server-side functionality
- Client-side functionality

Server-side functionality

- Arises from the need for dynamic content
- Dynamic content is generated by scripts or source code executed on the server. They accept various inputs, process them, and return a result to the user
- When a client requests dynamic content, it sends parameters along with the request. These parameters are what let the server generate output that matches the client's request
- Typically, a client can send parameters to the server in three main ways:
  - in the URL query string
  - in cookies
  - in the body of an HTTP request using the POST method

Some technologies used on the server side: Java, ASP.NET, PHP, Ruby on Rails, SQL, XML

Client-side functionality

The server-side application receives input, processes it and presents the result to the user, so a user interface is needed on the client side. Some technologies and features used on the client side: HTML forms, CSS, JavaScript, Ajax, JSON

Web application architecture

A simple web application architecture has three main tiers: presentation, logic and storage.

The three-tier architecture becomes inadequate as web applications grow and evolve. A newer architecture adds an intermediate tier between the web server and the database: the application server.

Information gathering

The first step in attacking an application. It consists of two tasks:
- Gathering information about the application's content and functionality
- Analysing the application

Gathering content and functionality

Manually, this can be done by:
- Starting from the home page, browsing every URL of the site and going through every function of the application
- Combining this with the application's site map

To avoid omissions and improve efficiency, several techniques and tools can be used:
- Web spidering
- Inferring from the information already gathered
- Using publicly available information

Exercise: gather the content and functionality of an application in two ways: manually and with a tool (BurpSuite).

Analysing the application

Analyse the application's functions, behaviour and the technologies it uses -> identify the attack methods that may apply, as a way into the process of exploiting application vulnerabilities. Main tasks:
- Identify the application's existing security mechanisms
- Identify the application's entry points for input data
- Identify the technologies used on the client side
- Identify the technologies used on the server side
- Identify the attack methods that may apply

Identifying the application's entry points
Examine the HTTP request packets. Locations to pay attention to:

- Parameters in the URL query string
- Parameters in the body of the HTTP request (POST method)
- Cookies
- HTTP headers (User-Agent, Referer, Host, ...)

Exercise: choose a web application and identify its entry points.
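As an added example (not code from the original slides), this script takes a raw HTTP request in the layout shown in the HTTP Requests section and lists every entry point named above: query-string parameters, POST body parameters, cookies and the User-Agent, Referer and Host headers. The request text is constructed for the example.

```python
# Added example (not from the original slides). Sample request is constructed.
from urllib.parse import urlsplit, parse_qsl

# Headers the slides single out as attacker-controlled input.
INTERESTING_HEADERS = ("user-agent", "referer", "host")

def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def entry_points(raw: str) -> dict:
    """Return every place where client-supplied data enters the application."""
    req = parse_request(raw)
    points = {"query": {}, "body": {}, "cookie": {}, "header": {}}
    points["query"] = dict(parse_qsl(urlsplit(req["target"]).query))
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        points["body"] = dict(parse_qsl(req["body"]))
    for pair in req["headers"].get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            points["cookie"][name] = value
    for h in INTERESTING_HEADERS:
        if h in req["headers"]:
            points["header"][h] = req["headers"][h]
    return points

SAMPLE_REQUEST = (  # constructed sample, not a captured request
    "POST /search?cat=books&page=2 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://www.example.com/index.html\r\n"
    "Cookie: tracking=tI8rk7joMx44S2Uu85nSWc; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 19\r\n"
    "\r\n"
    "q=owasp&sort=newest"
)

if __name__ == "__main__":
    for kind, values in entry_points(SAMPLE_REQUEST).items():
        print(kind, values)
```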

Identifying the technologies used on the server side

- Banner grabbing: use the information in the Server header of the HTTP response
- HTTP fingerprinting
- From file extensions (asp, aspx, php, jsp, pl, py, ...)
- From directory names: some technologies use characteristic directory names
- From session tokens: some technologies use session tokens with characteristic names

Exercise: choose a web application and identify the technologies used on the server side.

Identifying the attack methods that may apply

- Database interaction: SQL injection
- Display of user data: cross-site scripting (XSS)
- Login: harvesting usernames, weak passwords, brute force
- Error messages: information disclosure
- Use of unencrypted channels: session hijacking, sniffing data in transit

Overview of attack methods

- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Session hijacking
- Authentication

SQL Injection
- Ranked first in the OWASP Top 10
- A web application vulnerability, not a flaw in the database or the web server
- A vulnerability concerning the ability to execute SQL statements on the database through the web application

Forms of SQL injection attack:
- Bypassing the login check (authentication bypass)
- Extracting information
- Modifying information
- Taking control of the server
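The following is an added example, not code from the original slides: the same login check written two ways against an in-memory SQLite table. The first builds the SQL statement by string concatenation (the flaw described above), so a quote in the input ends the string literal and the remainder is executed as SQL; the second binds parameters, so user input can never change the statement. The table, its single account and the inputs are constructed for the example.

```python
# Added example (not from the original slides). Data is constructed; passwords
# are stored in clear text only to keep the illustration short.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: the input is pasted into the statement text, so it can
    # alter the WHERE clause instead of being compared as data.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: placeholders keep the statement fixed; the driver passes the
    # values separately, so they are only ever compared as strings.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"   # closes the literal; the rest becomes SQL
    print("vulnerable:", login_vulnerable(conn, crafted, crafted))  # True
    print("safe:", login_safe(conn, crafted, crafted))              # False
```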

Cross-Site Scripting

- Ranked second in the OWASP Top 10
- The targets of the attack are the clients
- A vulnerability concerning the ability to inject client-side scripts into web pages; these scripts are then executed on other clients

Cross-Site Request Forgery (CSRF)

- Ranked fifth in the OWASP Top 10
- An attack in which the attacker can force a user to send harmful requests without the user being aware of it

Session hijacking
- Ranked third in the OWASP Top 10
- An attack technique in which the attacker exploits weaknesses in the web application's session management to take over another user's session
- Causes serious damage when the attacker succeeds against administrative accounts

Techniques used to exploit the flaw:

Authentication:
- Ranked third in the OWASP Top 10
- The attacker can take advantage of weaknesses in the design and operation of the login system and thereby bypass the check without having an account.

Attack methods against authentication flaws:
- Brute force
- Guessing usernames and passwords
- Sniffing login data in transit

Question & Answer