SECURING SOURCE CODE (ĐẢM BẢO AN TOÀN MÃ NGUỒN). Presented by: Team B2

Upload: xuananh5230

Posted on 17-Sep-2015


Securing source code

Why source code security matters
- It ensures the program executes correctly and provides every required function.
- It minimises unwanted access from outside, preventing the loss of important user data.
- It reduces the cost of repairing the consequences of attacks aimed at the application's security; those consequences are usually very serious and costly in time and money to fix.
- It ensures the integrity of the whole application.
- The program runs stably and as required,

Common attack types
- Buffer overflow
- SQL Injection
- XSS (Cross Site Scripting)
- CSRF (Cross Site Request Forgery)
- Session fixation
- Session poisoning

Buffer overflow

Buffer overflow overview - 1
A buffer is a temporary area of memory that holds data while it waits its turn: the CPU and other devices do not work at the same speed, and the OS time-slices between processes, so a buffer is needed to hold data temporarily. A buffer works in FIFO order.
A buffer overflow is an anomaly in a program in which data written to a buffer goes past the buffer's boundary, so that adjacent memory is overwritten. The overwritten data can include other buffers, variables, and the data that controls the program's flow (program flow control). Attackers rely on this overwrite to attack the system.

Buffer overflow overview - 2
When a program suffers a buffer overflow, the following can happen:
- The program keeps running, but in a direction the programmer did not intend (the dangerous case).
- The program exits immediately with an error message.
Languages that work with buffers constantly, such as C and C++, provide no protection for reading or writing data and do not automatically check whether data written to an array stays within the array's bounds. Bounds checking can prevent buffer overflows.
Some functions in C/C++ can cause buffer overflows.

Reference: Buffer Overflow Exploits - Dick Steflik

Buffer overflow example
A program has two adjacent data items:
- A is an 8-byte character-string buffer (each character is 1 byte).
- B is a 2-byte integer containing the value 3.

The program writes the string "excessive" into buffer A. Because the string length is not checked before the write, variable B is overwritten and its value changes:

Stack overflow attack vectors
A stack buffer overflow can be exploited in the following ways:
- Overwriting a local variable near the buffer on the stack, changing the program's behaviour as the attacker intends.
- Changing the return address in the stack frame. When the function returns, execution continues at the return address chosen by the attacker.
- Overwriting a function pointer, redirecting control flow in the attacker's favour.

Example: stack buffer overflow vulnerability
Consider the following program:

```c
#include <string.h>

void foo(char *bar) {
    char c[12];
    strcpy(c, bar);  // no bounds check on the string bar
}

int main(int argc, char **argv) {
    foo(argv[1]);
}
```

What happens if argv[1] is longer than 11 characters?

Example: stack overflow vulnerability
The program illustrated with different inputs:

Case C: the write overruns the variable bar on the stack, the frame pointer and, most importantly, the return address (redirecting it to an unexpected address).

Heap overflow attack vectors
A heap overflow is a buffer overflow that occurs in the heap area. Heap memory is allocated dynamically by the application at run time and usually holds program data. Exploitation works by corrupting data stored on the heap in various ways so as to overwrite the application's internal structures (linked lists). The classic approach: overwrite the dynamic allocator's links and use the resulting pointer to overwrite a function pointer in the program.

Some prevention measures
- Use a memory-safe language (Java, .NET).
- Always apply bounds checking when writing programs.
- Review the security of the source code of inherited software.
- Avoid the C functions that provide no bounds checking and use their equivalents instead: replace gets, strcpy, strcat, sprintf, scanf and sscanf with fgets, strncpy, strncat, bcopy, bzero and memcpy.
- Use dynamically allocated memory.
- Use utilities such as StackGuard and StackShield to protect the stack area from buffer overflows.
- Use tools and guides that assess a program's security level, such as Slint, rats, its and flawfinder.
- Install bug fixes immediately.
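As an added example (not code from the slides), the A/B overflow from the earlier slide reproduced in a modelled 10-byte memory area so the effect on B can be observed without undefined behaviour, followed by a bounded copy that hardens the foo() example above; all function names here are this example's own. Note that strncpy, listed above as a replacement, does not NUL-terminate when the source fills the buffer, which is why the copy below checks the length first.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Model of the slide's two adjacent variables: A is an 8-byte string
 * buffer, B a 2-byte little-endian integer holding 3, laid out back to
 * back in one 10-byte array so the overflow stays inside defined memory
 * and its effect on B can be observed safely. */
enum { A_LEN = 8, B_LEN = 2, MEM_LEN = A_LEN + B_LEN };

/* Copy src into A the way strcpy would (no length check) and return the
 * value B holds afterwards. The copy is clamped to the modelled 10 bytes
 * only so that this demonstration program itself stays well defined. */
uint16_t unchecked_write_then_read_b(const char *src) {
    unsigned char mem[MEM_LEN] = {0};
    mem[A_LEN] = 3;                    /* B = 3 before the write */
    size_t n = strlen(src) + 1;        /* bytes strcpy would write */
    if (n > MEM_LEN) n = MEM_LEN;
    memcpy(mem, src, n);               /* spills past A into B */
    return (uint16_t)(mem[A_LEN] | (mem[A_LEN + 1] << 8));
}

/* Bounded replacement for the strcpy in foo(): copies only when src and
 * its terminating NUL fit in cap bytes. Returns 0 on success, -1 if not.
 * memchr never looks past cap bytes, unlike strlen on untrusted input,
 * and unlike strncpy the result is always NUL-terminated. */
int safe_copy(char *dst, size_t cap, const char *src) {
    if (cap == 0 || memchr(src, '\0', cap) == NULL) return -1;
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Hardened foo(): same 12-byte stack buffer, but oversized input is
 * rejected instead of overwriting the frame pointer and return address. */
int foo_safe(const char *bar) {
    char c[12];
    if (safe_copy(c, sizeof c, bar) != 0) return -1;
    printf("copied: %s\n", c);
    return 0;
}

int main(int argc, char **argv) {
    printf("B after writing \"abc\":       %u\n", (unsigned)unchecked_write_then_read_b("abc"));
    printf("B after writing \"excessive\": %u\n", (unsigned)unchecked_write_then_read_b("excessive"));
    if (argc > 1 && foo_safe(argv[1]) != 0)
        fprintf(stderr, "input rejected: longer than 11 characters\n");
    return 0;
}
```

On a little-endian layout B becomes 101 (0x65, the byte 'e' that lands in its first byte); the slide's figure shows the same effect for its own layout.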

SQL injection

What is SQL injection?
SQL injection is a technique that lets attackers exploit flaws in an application's input validation, together with the error messages of the database management system, to "inject" and execute illegitimate SQL statements. If the flaw is exploited, the consequences for the application are serious (data loss, loss of control, ...). The flaw occurs in web applications whose data is managed by a DBMS such as SQL Server, MySQL, Oracle, DB2 or Sybase.

Some flaw categories
- Incorrect type handling
- Unchecked escape characters in queries
- Security flaws inside the database server

Unchecked escape characters in queries
This flaw occurs when the code that processes input placed into an SQL query is missing. As a result, the attacker can run unintended queries.

Example 1: a statement fetches the users with a given name:

```java
String query = "SELECT * FROM users WHERE name = '" + userName + "'";
```

The value of userName is entered by the user. What happens if the user enters

x' or 't' = 't

or

' or 1=1--

When executed, the query becomes:

```sql
SELECT * FROM users WHERE name = 'x' or 't' = 't'
SELECT * FROM users WHERE name = '' or 1=1 --
```

The WHERE condition is always true, so the result is every user in the database.

Example 2: the same statement fetching the users with a given name:

```java
String query = "SELECT * FROM users WHERE name = '" + userName + "'";
```

What happens if the user enters

x';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

When executed, the query becomes:

```sql
SELECT * FROM users WHERE name = 'x'; DROP TABLE users; SELECT * FROM data WHERE 't' = 't'
```

A whole series of unintended queries is executed.

Incorrect type handling
This occurs when the user enters data of the wrong type and no check filters the data type. Example: a numeric field is used in an SQL statement and the programmer does not check whether the input is actually a number:

```java
String query = "SELECT * FROM data WHERE id = " + iMa + ";";
```

The variable iMa is expected to be an INT matching the id column. What happens if the user enters

1;DROP TABLE users

The SQL executed is:

```sql
SELECT * FROM data WHERE id =1;DROP TABLE users
```

which deletes the users table (!)

Attack forms on web applications

Bypassing the login filter
The query string that checks a user's login:

```java
String query = "SELECT * FROM users WHERE username='" + txt_UserName + "' AND password = '" + txt_Pass + "';";
```

The attacker enters, as both username and password:

' OR '' = '

```sql
SELECT * FROM users WHERE username='' OR '' = '' AND password='' OR '' = '';
```

Obviously the login succeeds!

Using SELECT statements
To carry out this type of attack, the attacker must be able to understand and exploit weaknesses in the system's error messages in order to find the weak points from which to start the attack. Websites with a search function are very vulnerable to this form. Example: instead of a search keyword, the attacker injects the following:

' DROP TABLE users--

which deletes the users table.

Using INSERT statements
Consider the INSERT statement:

```sql
INSERT INTO TableName VALUES('Value1', 'Value2', 'Value3')
```

Code that builds the statement:

```java
String query = "INSERT INTO TableName VALUES('" + strValue1 + "', '" + strValue2 + "', '" + strValue3 + "')";
```

The flaw is exploited by entering the following value into the first field:

' + (SELECT TOP 1 FieldName FROM TableName) + '

Besides the INSERT, an additional SELECT is executed as well.

Using stored procedures
Very dangerous if executed under the system administrator account sa. For example, if the injected code is changed to the form:

'; EXEC xp_cmdshell 'cmd.exe dir C:' '

it lists the directories of drive C: on the server. The executed command can be replaced by another one (in place of dir C:).

How to prevent SQL injection
Control input data strictly:
- Limit the length of input strings and define the allowed input values.
- Replace single-quote characters (') with two single quotes ('').
- Check that input has the correct data type before executing it against the database.
- Remove dangerous characters and keywords from input: ;, --, select, insert, xp_, whitespace.

How to prevent SQL injection (continued)
- Parameterise query statements (the Java and .Net code samples for this are missing from the transcript).
- Use ORM (object-relational mapping) libraries to avoid writing SQL connection code by hand.
- Configure the DBMS securely and limit the privileges granted.

XSS (Cross Site Scripting)

Definition
Cross-Site Scripting (XSS for short) is an attack technique that inserts into dynamic websites (ASP, PHP, JSP, ...) HTML tags or dangerous script fragments that can harm other users. The injected malicious code is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and can also consist of HTML tags. XSS has quickly become one of the most common flaws in web applications, and its threat to users keeps growing.
Consequences: theft of user information, takeover of control, ...

Exploiting XSS - 1
Operating principle: requests are sent from the client to the server in order to insert content that escapes the server's control.
Conditions for XSS to be exploitable:
- The web app accepts input from the user.
- The input is used to generate dynamic content.
- That input is not checked properly.

Exploiting XSS - 2

Exploiting XSS - 3
Example: stealing a cookie while reading mail:
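The slide's cookie example is not in the transcript. As an added example (not code from the slides), here is the output-side check that removes the third exploitability condition listed above: entity-encoding user input before it is placed into the dynamic page, so that tags or script in the input are rendered as text. The function name and sample input are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Entity-encode untrusted text before it is placed in HTML element content
 * or a double-quoted attribute. The five characters that can close the
 * surrounding markup or start a tag or entity are replaced.
 * Returns the encoded length, or -1 if dst (cap bytes) is too small. */
int html_escape(char *dst, size_t cap, const char *src) {
    size_t j = 0;
    for (const char *p = src; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (j + need + 1 > cap) return -1;            /* keep room for NUL */
        if (rep) memcpy(dst + j, rep, need); else dst[j] = *p;
        j += need;
    }
    if (j + 1 > cap) return -1;
    dst[j] = '\0';
    return (int)j;
}

int main(void) {
    /* Constructed sample of user input echoed into a dynamic page. */
    const char *comment = "<script>alert(\"hi\")</script> & more";
    char out[256];
    if (html_escape(out, sizeof out, comment) >= 0)
        printf("<p>%s</p>\n", out);   /* rendered as text; nothing executes */
    return 0;
}
```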