Internet Week 2002 tutorial - T6 http://techstyle.jp/ riotaro@techstyle.jp
About the speaker: 1989; 1999 Linux; 2001 Allabout Linux (http://allabout.co.jp/computer/linux/); 2002 PHP; 2002 CISA; http://okdt.org/; riotaro@techstyle.jp
Web application security: threat categories, cf. STRIDE (Howard and LeBlanc, Writing Secure Code):
- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
Assets in scope: IDC (hosting), HW (CPU), ISP, DNS, IP addresses; services: FTP, www, smtp; system configuration, logrotate, ssh.
Typical attack sequence (network diagram: WWW, DNS, DB and Admin hosts)
1. Port scan: 20, 22, 80, 8080, ...
2. Exploit known holes: Linux (ICMP), telnet, OpenSSH, Apache; DoS/DDoS; HEAD/GET probes of the web server.
3. HTTP/HTTPS: FORM fields and URL parameters.

Reconnaissance and session attacks
1. DNS: registration data (JPNIC), the DNS zone and its A records reveal the hosts.
2. Cookies: cookie theft and forgery, e.g. through XSS.

FORM/URL parameter manipulation, ex. http://www.yahooo.co.jp?cmd=jump&url=http://foo.com&... (a redirect parameter that can point anywhere); (D)DoS against the DB.
Be nervous about strcpy.

    strcpy(d, s);                      /* no length check: overflows d when s is longer */

    if (strlen(s) < sizeof(d)) {       /* s fits, including the terminating NUL */
        strcpy(d, s);
    }

strcpy vs strncpy:

    strncpy(d, s, n);                  /* if s has n or more bytes, d is NOT NUL-terminated */
    d[sizeof(d) - 1] = 0;              /* terminate explicitly */

    strncpy(d, s, sizeof(d));
    if (d[sizeof(d) - 1] != 0) {       /* s was too long and has been truncated */
        /* reject the input here instead of silently using the truncated copy */
    }
CR/LF: newline injection in input; gets vs fgets (gets has no bound, use fgets with a buffer size).
Format string:

    printf(inputbuf);          /* inputbuf is user data: %x, %n, ... in it are interpreted */
    printf("%s", inputbuf);    /* correct: the format is a constant */

The same applies to sprintf.
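The two slides above, as an added example that is not part of the original tutorial: a bounded copy that refuses over-long input instead of truncating it (the page's strncpy advice, restated with strlen and memcpy), and the format-string bug next to its fix. The input "100%%" is chosen because "%%" is the one directive that is safe to feed to the vulnerable version; with "%x" or "%n" the same call would read or write memory. The function names copy_checked, log_line_vulnerable and log_line_fixed are my own; the pragma only silences the compiler warning that should normally stop such code from being written.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dstsz bytes) only if it fits together with its NUL.
 * Returns 0 on success and -1 if src is too long; dst is then left empty
 * rather than silently truncated, which is the policy argued for above. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0) return -1;
    if (len >= dstsz) {           /* no room for len bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);    /* copies the terminating NUL too */
    return 0;
}

/* Vulnerable: the caller's data becomes the format string, so every '%'
 * sequence in it is interpreted by snprintf. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_line_vulnerable(char *out, size_t outsz, const char *input)
{
    return snprintf(out, outsz, input);
}
#pragma GCC diagnostic pop

/* Fixed: the format is a constant and the input only ever fills a %s. */
int log_line_fixed(char *out, size_t outsz, const char *input)
{
    return snprintf(out, outsz, "%s", input);
}

int main(void)
{
    char buf[8];
    char line[64];
    /* Constructed input: "%%" is the format directive for a literal '%'. */
    const char *input = "100%%";

    printf("copy_checked(\"abcdefg\")  -> %d\n", copy_checked(buf, sizeof buf, "abcdefg"));
    printf("copy_checked(\"abcdefgh\") -> %d\n", copy_checked(buf, sizeof buf, "abcdefgh"));

    log_line_vulnerable(line, sizeof line, input);
    printf("vulnerable: \"%s\"\n", line);   /* 100%  : the %% was consumed as a directive */
    log_line_fixed(line, sizeof line, input);
    printf("fixed:      \"%s\"\n", line);   /* 100%% : bytes copied verbatim */
    return 0;
}
```

The difference in output is the whole bug: in the vulnerable version the input was parsed as a format, and an attacker who controls it chooses the directives.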
Functions to audit. C: strcpy, strcat, strncpy, strncat, memcpy, sprintf, printf, strlen, gets, scanf. PHP: include, readfile, fopen, file, link, unlink, symlink, rename, rmdir, chmod, chown, chgrp, exec, system, passthru, popen.
Where web input comes from: FORM fields, values that reach SQL, include paths, the URL, HTML, the Referer header.

XSS: JavaScript injected into a page reads the cookie (document.cookie). Error pages that echo input ("Not Found", SQL Error) and HTML that reflects input are the usual exploit points. Countermeasures: cookie disabling on the browser side; input validation on the server side.
Cookie spoofing (RFC 2965, section 7.2):
1. The user visits victim.cracker.edu, which sets session_id=1234.
2. The user visits spoof.cracker.edu, which sets session_id=1111 with Domain=.cracker.edu, so the cookie also applies to victim.cracker.edu.
3. On the next request to victim.cracker.edu the browser sends both:
    Cookie: $Version="1"; session_id="1234", $Version="1"; session_id="1111"; $Domain=".cracker.edu"
victim.cracker.edu can tell the two apart only because the spoofed cookie arrives with its $Domain attribute; a server that ignores $Domain may end up using the attacker's session id.
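The server-side check the RFC scenario calls for, as an added example that is not from the tutorial or from RFC 2965: parse the Cookie header, and accept a cookie only when it is host-only (no $Domain, so it was set by this server) or its $Domain equals the server's own host name exactly. The exact-match rule is my assumption; it is stricter than RFC 2965 domain matching, which is the point. The function names trusted_cookie and next_token and the header string (copied from the slide) are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the next token delimited by `sep` starting at *cursor, NUL-terminating
 * it in place and advancing *cursor; NULL once the input is exhausted. */
static char *next_token(char **cursor, char sep)
{
    char *start = *cursor;
    if (start == NULL || *start == '\0') return NULL;
    char *end = strchr(start, sep);
    if (end != NULL) {
        *end = '\0';
        *cursor = end + 1;
    } else {
        *cursor = start + strlen(start);
    }
    return start;
}

/* Strip surrounding blanks and one pair of double quotes, in place. */
static char *trim(char *s)
{
    while (*s == ' ' || *s == '\t') s++;
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == ' ' || s[n - 1] == '\t')) s[--n] = '\0';
    if (n >= 2 && s[0] == '"' && s[n - 1] == '"') {
        s[n - 1] = '\0';
        s++;
    }
    return s;
}

/* Look for cookie `name` in an RFC 2965 Cookie header. A cookie is trusted only
 * if it carries no $Domain (host-only) or a $Domain exactly equal to `host`:
 * $Domain=".cracker.edu" sent to victim.cracker.edu is rejected.
 * Returns 1 and copies the value into `out` on success, 0 otherwise. */
int trusted_cookie(const char *header, const char *host, const char *name,
                   char *out, size_t outsz)
{
    size_t len = strlen(header);
    char *copy = malloc(len + 1);        /* tokenising modifies the buffer */
    if (copy == NULL) return 0;
    memcpy(copy, header, len + 1);

    int found = 0;
    char *rec_cursor = copy;
    char *rec;
    /* RFC 2965: ',' separates cookies, ';' separates the attributes of one cookie */
    while (!found && (rec = next_token(&rec_cursor, ',')) != NULL) {
        char value[256] = "";
        char domain[256] = "";           /* stays empty for a host-only cookie */
        int have_value = 0;
        char *av_cursor = rec;
        char *av;
        while ((av = next_token(&av_cursor, ';')) != NULL) {
            char *eq = strchr(av, '=');
            if (eq == NULL) continue;
            *eq = '\0';
            char *k = trim(av);
            char *v = trim(eq + 1);
            if (strcmp(k, "$Domain") == 0) {
                snprintf(domain, sizeof domain, "%s", v);
            } else if (strcmp(k, name) == 0) {
                snprintf(value, sizeof value, "%s", v);
                have_value = 1;
            }
        }
        if (have_value && (domain[0] == '\0' || strcmp(domain, host) == 0)) {
            snprintf(out, outsz, "%s", value);
            found = 1;
        }
    }
    free(copy);
    return found;
}

int main(void)
{
    /* Constructed header: the one from the slide (RFC 2965 section 7.2). */
    const char *hdr = "$Version=\"1\"; session_id=\"1234\", "
                      "$Version=\"1\"; session_id=\"1111\"; $Domain=\".cracker.edu\"";
    char sid[64];
    if (trusted_cookie(hdr, "victim.cracker.edu", "session_id", sid, sizeof sid))
        printf("trusted session_id = %s\n", sid);   /* 1234; the 1111 one is ignored */
    else
        printf("no trusted session_id\n");
    return 0;
}
```

The order of the two cookies in the header does not matter: the spoofed one is dropped wherever it appears, and a header that contains only the spoofed cookie yields no session at all, which is the safe failure.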
Countermeasures: input validation and data cleaning, for URL input and for HTML output.
%-encoding: GET parameters arrive in the URL as %HH (H = hex digit). URL validation, example 1: ex. %00 (NUL), %0A (LF), %20 (space), %25 (%). Double encoding: %2500 decodes to %00, and a second decode turns that into a NUL; decode exactly once, then validate the result. cf. the URL syntax in RFC 2396.
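The decode-once-then-validate rule from the slide, as an added example that is not code from the tutorial: a %HH decoder that rejects %00 outright (a NUL byte would silently cut any C string built from the value) and, after decoding, rejects anything that still looks like %HH, which is what a double encoding such as %2500 leaves behind. Treating '+' as a form-encoded space and refusing residual %HH sequences are my assumptions about the policy; the function name decode_url_component and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode one layer of %HH (and '+' as a form-encoded space) from `in` into
 * `out`. Returns the decoded length, or -1 when the input must be rejected:
 *   - a '%' not followed by two hex digits,
 *   - %00, because the NUL would truncate every C string that sees it,
 *   - a %HH still present after decoding, i.e. the client sent a double
 *     encoding such as %2500 hoping a later decode turns it into NUL,
 *   - output that would not fit in outsz bytes. */
int decode_url_component(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);  /* no overread past NUL */
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            p += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (c == '\0') return -1;            /* %00 */
        if (n + 1 >= outsz) return -1;       /* keep room for the NUL */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    /* Validate after the single decode: a %HH that survived came from %25HH. */
    for (size_t i = 0; i + 2 < n; i++) {
        if (out[i] == '%' && hexval((unsigned char)out[i + 1]) >= 0
                          && hexval((unsigned char)out[i + 2]) >= 0)
            return -1;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed inputs covering the sequences listed on the slide. */
    const char *samples[] = { "file%20name", "a%2Fb", "%00", "%2500", "100%25", "%2" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = decode_url_component(samples[i], buf, sizeof buf);
        if (r < 0)
            printf("%-12s rejected\n", samples[i]);
        else
            printf("%-12s -> \"%s\"\n", samples[i], buf);
    }
    return 0;
}
```

A lone %25 still decodes to a literal '%' (there is no hex pair after it), so ordinary percent signs in data survive; only the double-encoded form is refused.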
Shell metacharacters to reject or escape: ! (bang), ; (semicolon), \ (backslash), : (colon), , (comma), - (minus: a leading dash turns data into an option). ex. !/bin/bash -f /etc/passwd. ex. ../../../../ (directory traversal), *.png (shell glob).
< (less than), > (greater than), " (double quote), ' (single quote): the characters behind XSS exploits and cookie theft. ex. payloads:
    ><script>alert(window.location);</script>
    ;alert(document.cookie);
    onmouseover=alert(document.cookie);
    ><script>alert(document.cookie);</script>
    ></a><script>alert(document.cookie);</script>
and, for command injection:
    ;cat /etc/passwd >>/home/html/htdocs/index.html
Allowing a subset of HTML (<p>, <b>, <i>, <em>, <strong>, <pre>, <br>) and checking that it is well-formed is not enough: JavaScript can still be carried in attributes and in other tags. ex.
    <b onmouseover=[code]></b>
    <img src="javascript:[code]">
    <style type="text/javascript">[code]</style>
PHP helpers:
    ereg_replace('[^0-9]', '', $data);        // whitelist: keep digits only
    addslashes($data);                        // backslash before ' " \ and NUL
    addcslashes(string str, string charlist); // escape exactly the characters listed
    quotemeta($data);                         // escapes . \ + * ? [ ^ ] $ ( )
    escapeshellcmd($data);                    // escape shell metacharacters
    nl2br($str);                              // newline -> <br />
    htmlspecialchars("<a href='test'>test</a>", ENT_QUOTES);  // HTML-escape < > & " '
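The output-side defence against the payloads listed two slides up, as an added example in C rather than PHP (it is not code from the tutorial): an escaper that rewrites the same five characters as htmlspecialchars($s, ENT_QUOTES), so that < > & " ' can no longer close a tag or an attribute value. The function name html_escape and the sample payloads are constructed for the example; the entity forms follow PHP's output (&#039; for the single quote).

```c
#include <stdio.h>
#include <string.h>

/* Escape the characters that can end an HTML text node or attribute value,
 * the same set PHP's htmlspecialchars($s, ENT_QUOTES) rewrites.
 * Returns the escaped length, or -1 if `out` (outsz bytes) is too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;                /* default: copy the byte unchanged */
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#039;"; break;
        }
        size_t len = strlen(rep);
        if (n + len >= outsz) return -1;      /* keep room for the NUL */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed payloads, taken from the XSS strings on the earlier slide. */
    const char *payloads[] = {
        "><script>alert(document.cookie);</script>",
        "\" onmouseover=\"alert(document.cookie)",
        "<a href='test'>test</a>",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof payloads / sizeof payloads[0]; i++) {
        if (html_escape(payloads[i], buf, sizeof buf) >= 0)
            printf("%s\n  -> %s\n", payloads[i], buf);
    }
    return 0;
}
```

Escaping is done in a single pass, so '&' is never rewritten twice, and the function reports a too-small buffer instead of truncating, which would otherwise hand the browser a half-escaped string.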
Privilege separation on the server: run the WEB server (apache) and the DB (mysql / postgresql) under separate accounts; give the web application its own DB ID with minimal rights; restrict DB access by ACL and source IP.

IDs and passwords: store a hash, not the password, and compare hashes; keep the DB IDs out of the WEB tree; do not rely on "invisible" pages or on /tmp/ under the WEB root; in pay (commerce) systems watch the SQL DELETE and unlink paths in particular.

Tokens and hashing: XOR, rand(), MD5 (rand() on its own is predictable).

DoS: CPU exhaustion on the WEB server; legitimate bursts (the slashdot effect, e-commerce campaigns) look the same from the server; NAT.
Lim, John, Tuning Apache and PHP for Speed on Unix
Also: TCP/IP, Intel, DoS, ipchains, Apache, SSH.
OS: UNIX, Linux (Debian, RedHat, Turbo, Miracle).
Version management: which release (7.2? 7.3?); rpm --rebuilddb, rpm -qa; CVS, RCS for configuration files.
VMware.
Tools: ab, webalizer, ...
Mailing list (ML): TechStyle WEB security ML.

References
- Saltzer, J.H., and M.D. Schroeder, "The Protection of Information in Computer Systems," Proc. IEEE, Vol. 63, No. 9, Sept. 1975, pp. 1278-1308.
- Wall, Larry and Schwartz, Randal L., Programming Perl, Sebastopol, California: O'Reilly and Associates, 1992.
- Al-Herbish, Thamer, Secure UNIX Programming FAQ, 1999.
- Wheeler, David A., Secure Programming for Linux and Unix HOWTO, 2002.
- Howard, M. and LeBlanc, David, Writing Secure Code, 2002.
- RFC 2396, RFC 2965.
- Lim, John, Tuning Apache and PHP for Speed on Unix, 2001 (http://php.weblogs.com/tuning_apache_unix).
PR: TechStyle (SIer): Linux, UNIX, PHP, Apache, Postgres, MySQL; Linux, Apache, PHP, MySQL, PostgreSQL; Ruby, PHP, Perl, JavaScript, HTML, Flash; IT standards: RFC, IETF drafts, W3C, ODL, BS7799...
Thank You Please feel free to mail me riotaro@techstyle.jp