Upload
codemotion
View
2.343
Download
1
Embed Size (px)
DESCRIPTION
Le due vulnerabilità più diffuse sul web. Perché vengono così sottovalutate? Sono davvero così pericolose? Si può contrastarle efficacemente? Simuliamo degli attachi analizzandone potenzialità e possibili soluzioni
Citation preview
Stefano [email protected]
• Hacker? Macché• Security engineer? Non so cosa sia
• Appassionato? Forse
• Esperto? Magari!
• ???
Chi sono
Stefano [email protected]
Perché questo talk
• Sappiamo da cosa proteggerci?
• Conosciamo il modo in cui difenderci?
• Perché difenderci?
• Quanto costa?
• …
Stefano [email protected]
Le vulnerabilità più diffuse sul WEB
OWASP Top Ten Project•A1 - Injection (SQLi e XPATHi)•A2 - Cross Site Scripting (XSS)•A3: Broken Authentication and Session Management•A4: Insecure Direct Object References•A5: Cross-Site Request Forgery (CSRF)•A6: Security Misconfiguration•A7: Insecure Cryptographic Storage•A8: Failure to Restrict URL Access•A9: Insufficient Transport Layer Protection•A10: Unvalidated Redirects and Forwards
Stefano [email protected]
SQL Injection: cos’è
«A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application»
Fonte OWASP
https://www.owasp.org/index.php/SQL_Injection
Stefano [email protected]
SQL Injection: come (1/2)
String username = request.getParameter("username");
String password = request.getParameter("password");
String sql = "select * from users where username = '" +username+"' and password = md5('" +password+"')";
Stefano [email protected]
SQL Injection: come (2/2)
select * from users where username = ‘tiziousr’ and password = md5(‘tiziopwd’)
select * from users where username =
‘xxx’ or 1=1 --’ and password = md5(‘tiziopwd’)
SQL eseguita
select * from users where username = ‘xxx’ or 1=1
Commento MySQL
Stefano [email protected]
SQL Injection: potenzialità
«A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system»
Fonte OWASP
https://www.owasp.org/index.php/SQL_Injection
Stefano [email protected]
Cross Site Scripting: cos’è
«XSS attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user»
Fonte OWASP
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Stefano [email protected]
Cross Site Scripting: come
JSP input
<input type="text" name="username"/>
Servlet
String username = request.getParameter("username");
request.setAttribute("username", username);
JSP output
<span><%=request.getAttribute("username")%></span>
HTML output
<span><script>alert(123)</script></span>
Stefano [email protected]
Cross Site Scripting: potenzialità
«[…] the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page»
Fonte OWASP
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Stefano [email protected]
DIMOSTRAZIONE…
Stefano [email protected]
La dimostrazione continua… a casa
Adesso sta a voi condurre un attacco di tipo XSS.
Scaricate il progetto al link che
trovate nei Riferimenti e, dopo
aver seguito le istruzioni, provate
a trovare le vostre varianti!
Stefano [email protected]
Conclusioni (1/4)
La nostra è stata soltanto una semplice “simulazione” di un caso reale…
Stefano [email protected]
Conclusioni (2/4)
…ma se anche non volete credere a me, spero crediate a questo…
Stefano [email protected]
Conclusioni (3/4)
Stefano [email protected]
Conclusioni (4/4)
Stefano [email protected]
Riferimenti
• OWASP (https://www.owasp.org/index.php/Main_Page)• md5decrypter (http://www.md5decrypter.co.uk)• Notizia dell’attacco alla SONY (http://www.itwire.com/business-it-news/security/47605-sony-falls-victim-to-another-simple-sql-injection-attack)• Notizia dell’attacco a Skype (https://superevr.com/blog/2011/xss-in-skype-for-ios/)• OWASP WebGoat (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)• DOWNLOAD progetto dimostrativo (http://www.divshare.com/download/17108200-6e1)