Session security in web applications: practical application

  • Published on
    16-Jun-2015

DESCRIPTION

SQA Days-15, 18-19 ... 2014 (month and city lost in extraction), www.sqadays.com

Transcript

Slide 1. Title slide. Itera Consulting. (Speaker line lost in extraction; contacts are on slide 45.)

Slide 2. Agenda. The same agenda slide is repeated as a section divider on slides 3, 11, 27, 31, 37, 41 and 43; the repeats are omitted below. Items 1, 6 and 7 did not survive extraction:
  1. ...
  2. Session Hijacking
  3. Session Fixation
  4. Cross-Site Request Forgery
  5. Phishing
  6. ...
  7. ...
Every slide carries the footer "4/20/2014 / <page>"; it is shown here once and omitted below.

Slide 4. Introduction to web sessions. Only the word HTTP survives from the slide text.

Slide 5. Session ID. Most of the text is lost; what remains: example cookie PHPSESSID=a2pdlk7jreml0u1m3bccd12551; an expiry date on the cookie, e.g. EXPIRES 18.03.2014 16:52:22; logout.

Slide 6. Where the session ID is carried:
  • In the URL: http://www.example.com/index.php?PHPSESSID=a2pdlk7jreml0u1m3bccd12551
  • In the URL path (the ASP.NET cookieless-session form): http://www.example.com/s(lit3py55t21z5v55vlm25s55)/orderform.aspx, i.e. URL session token SID=lit3py55t21z5v55vlm25s55
  • In the Cookie header: PHPSESSID=a2pdlk7jreml0u13bccd12551
  • In a POST body: Login=Username&password=Password&SessionID=12345678

Slide 7. Session ID in cookies (HTML ...). Remaining text lost.

Slide 8. Quotes (figures only; the sentences are lost):
  • "64% ..." (Microsoft Developer Research)
  • "60% of web ..." (Gartner)
  • "... number 2 in the TOP-10" (OWASP). Broken Authentication and Session Management was A2 in the OWASP Top 10 of 2013.

Slides 9-10. Text lost.

Slide 12. Session Hijacking. Ways the attacker obtains the ID: sniffing; client-side theft (XSS, JavaScript, etc.); rest lost.

Slide 13. Session ID. Text lost; mentions IP.

Slide 14. Tools for session ID analysis: Burp Sequencer; SessionID Analysis in WebScarab; Crowbar.

Slides 15-18. WebGoat exercise: session IDs observed for known accounts, with the task of guessing alice's ID.

  User     Password       Session ID     Time observed
  webgoat  Test123        65432ubphcfx   10/7/2005-10:10, 10/7/2005-10:11
  aspect   987654qwerty   65432udfqtb    10/7/2005-10:12, 10/7/2005-10:13
  alice    Alice          ????

Slide 18 works out the letter mapping behind the two known IDs:
  w e b g o a t  ->  x f c h p b u  (= xfchpbu)
  a s p e c t    ->  b t q f d u    (= btqfdu)
Each letter of the username is shifted by one; "ubphcfx" and "udfqtb" are these strings reversed, after the constant prefix 65432.
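The WebGoat exercise on slides 15 to 19 is a session-ID predictability problem: two observed (username, session ID) pairs are enough to recover the generation rule and forge a third user's ID. The following is an added example, not code from the slides or from WebGoat: it searches a small space of candidate rules (every Caesar shift, with and without reversal, plus a constant prefix) against the samples copied from the slides and then predicts IDs for users it has never seen. The rule names and the helper functions are this example's own.

```python
# Added example (not from the original slides): recovering the weak session-ID
# scheme from the WebGoat samples on slides 15-19 and predicting new IDs.
import string

# Samples copied from the slides (alice's ID is the answer revealed on slide 19).
OBSERVED = {
    "webgoat": "65432ubphcfx",
    "aspect":  "65432udfqtb",
    "alice":   "65432fdjmb",
}


def caesar(text, shift):
    """Shift each lowercase letter by `shift` positions, wrapping z back to a."""
    out = []
    for ch in text.lower():
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(ord(ch) - ord("a") + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def candidate_rules():
    """Yield (name, transform) pairs: every shift 0..25, plain and reversed."""
    for shift in range(26):
        yield f"shift+{shift}", (lambda u, s=shift: caesar(u, s))
        yield f"shift+{shift},reverse", (lambda u, s=shift: caesar(u, s)[::-1])


def split_prefix(sid, username_len):
    """Treat the trailing len(username) characters as the derived part and
    whatever precedes them as a constant prefix."""
    return sid[:-username_len], sid[-username_len:]


def infer_rule(samples):
    """Return (prefix, rule_name, transform) reproducing every sample, or None
    when no candidate fits (which is what a properly random token looks like)."""
    for name, fn in candidate_rules():
        prefixes = set()
        fits = True
        for user, sid in samples.items():
            prefix, derived = split_prefix(sid, len(user))
            if fn(user) != derived:
                fits = False
                break
            prefixes.add(prefix)
        if fits and len(prefixes) == 1:
            return prefixes.pop(), name, fn
    return None


def predict_session_id(username, samples=OBSERVED):
    """Predict the ID the server would issue to `username` under the inferred rule."""
    found = infer_rule(samples)
    if found is None:
        raise ValueError("no simple rule explains the samples; the token may be random")
    prefix, _name, fn = found
    return prefix + fn(username)


if __name__ == "__main__":
    prefix, name, _ = infer_rule(OBSERVED)
    print(f"rule: prefix={prefix!r}, transform={name}")
    print("predicted for 'alice':", predict_session_id("alice", {k: v for k, v in OBSERVED.items() if k != "alice"}))
```

Run against only the webgoat and aspect samples, the search settles on "shift+1,reverse" with prefix 65432 and predicts 65432fdjmb for alice, which is the answer on slide 19. Burp Sequencer and the WebScarab SessionID Analysis module (slide 14) approach the same question statistically, by measuring entropy across many sampled tokens; the rule search here is the manual version of that analysis for the case where the structure is obvious to the eye.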
Slide 19. The answer: a l i c e -> b m j d f (= bmjdf), reversed and prefixed gives alice's session ID 65432fdjmb.

  User     Password       Session ID
  webgoat  Test123        65432ubphcfx
  aspect   987654qwerty   65432udfqtb
  alice    Alice          65432fdjmb

Slide 20. Text lost.

Slide 21. Screenshots: Burp Sequencer; OWASP WebScarab SessionID Analyser.

Slide 22. Text lost; mentions the session ID appearing in the URL.

Slide 23. Sniffers: Wireshark; Microsoft Network Monitor; CommView for WiFi. Screenshot: Wireshark.

Slide 24. Stealing the session ID on the client: Cross-Site Scripting (XSS). Rest lost.

Slide 25. Session Hijacking countermeasures (section title).

Slide 26. Session Hijacking countermeasures. Surviving keywords: logout; binding the session to the User-Agent; the session ID; HTTPS. Rest lost.

Slide 28. Session Fixation: the attacker fixes a session ID in the victim's browser before login (most of the text lost). Tools: OWASP WebScarab; Fiddler.

Slide 29. Session Fixation countermeasures (section title).

Slide 30. Session Fixation countermeasures. Surviving keywords: session ID (regeneration); binding to IP and User-Agent.

Slide 32. Cross-Site Request Forgery is number 8 in the TOP-10 of the Open Web Application Security Project (OWASP). Rest lost. (CSRF was A8 in the OWASP Top 10 of 2013.)

Slide 33. CSRF examples: state-changing actions reachable with a single GET request:
  • Vimeo watch-later: https://player.vimeo.com/watch_later/ID?callback=cb&status=1
  • Kinopoisk vote: http://www.kinopoisk.ru/vote.php?film=FILM_ID&film_vote=VOTE_VALUE
  • SlideShare delete: http://www.slideshare.net/main/delete/PRESENTATION_ID?ajax=false&redirect=mypage
Delivery: e-mail, Facebook; document.submit(' ') (the auto-submitting form case; rest lost).

Slide 34. CSRF countermeasures: an anti-CSRF token tied to the session ID, sent with the request (in the POST body). Example of Facebook's fb_dtsg token in a captured request:

  POST https://www.facebook.com:443/ajax/timeline/nav_dropdown_menu/?profileid=100001537070731 HTTP/1.1
  Host: www.facebook.com
  Cookie: datr=xL8hU29G1O2TCE2-E90mpjIO; lu=SgppRetPNnE8PasL9k-pF62A; fr=0adgb9NSy3JmTXAGc.AWWijC40TCnAprMHFxmeUZIW1DA.BTIb_Q.EK.FMh.AWUHMOUT; locale=en_US; c_user=100001537070731;

  __user=100001537070731&__dyn=7n8a9EAMCBCFUSt2ugByVbGAFpaGEVF4WpUpBw&fb_dtsg=AQDrRHrN&ttstamp=2658168114827211478&__rev=1162685

Slide 35. CSRF countermeasures (cont.): state-changing actions over POST, not GET; CAPTCHA for sensitive operations.
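Slides 26 and 30 list the server-side defences against hijacking and fixation only as keywords (logout, User-Agent, session ID, HTTPS, IP). The following is an added example, not code from the slides, showing what those keywords mean in an implementation: a minimal session store that issues unpredictable IDs, regenerates the ID at login, binds the session to the User-Agent, expires idle sessions, destroys the session on logout, and emits the cookie with Secure and HttpOnly set. The class, function and cookie names and the 15-minute timeout are this example's assumptions.

```python
# Added example, not from the slides: a minimal server-side session store that
# applies the session hijacking and session fixation countermeasures listed on
# slides 26 and 30.  Class, function and cookie names are hypothetical.
import secrets
import time

SESSION_COOKIE = "SESSIONID"
IDLE_TIMEOUT = 15 * 60   # assumed: seconds of inactivity before the server discards the session


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._sessions = {}      # session id -> {"user", "ua", "last_seen"}

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG: unlike the WebGoat scheme, nothing about
        # the user or the previous ID helps predict the next one.
        return secrets.token_urlsafe(32)

    def start(self, user_agent):
        """Anonymous pre-login session (e.g. a shopping basket)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "ua": user_agent, "last_seen": self._now()}
        return sid

    def login(self, presented_id, user, user_agent):
        """Slide 30: issue a fresh ID when privilege changes, so an ID an attacker
        planted in the victim's browser before login never becomes authenticated."""
        self._sessions.pop(presented_id, None)       # retire whatever the client presented
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "ua": user_agent, "last_seen": self._now()}
        return sid

    def resolve(self, presented_id, user_agent):
        """Return the logged-in user for a valid session, else None.  Binds the
        session to the User-Agent (slides 26 and 30) and enforces idle expiry."""
        sess = self._sessions.get(presented_id)
        if sess is None:
            return None
        if sess["ua"] != user_agent:
            # A replayed ID from a different client: destroy the session rather than serve it.
            del self._sessions[presented_id]
            return None
        if self._now() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[presented_id]
            return None
        sess["last_seen"] = self._now()
        return sess["user"]

    def logout(self, presented_id):
        """Slide 26: logout must destroy the server-side session, not merely clear the cookie."""
        return self._sessions.pop(presented_id, None) is not None


def set_cookie_header(sid):
    """Set-Cookie line for the ID: HTTPS only (slide 26), unreadable from
    JavaScript (the XSS theft path on slide 24), not attached to cross-site requests."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Scenario checks; each returns True only when the defence holds.
VICTIM_UA = "Mozilla/5.0 (victim browser)"
ATTACKER_UA = "Mozilla/5.0 (attacker browser)"

def fixation_is_blocked():
    store = SessionStore()
    planted = store.start(VICTIM_UA)                  # attacker obtained this ID and fixed it in the victim's browser
    store.login(planted, "alice", VICTIM_UA)          # victim logs in while carrying the planted ID
    return store.resolve(planted, VICTIM_UA) is None  # the planted ID must not now be alice's session

def hijack_from_other_client_is_blocked():
    store = SessionStore()
    sid = store.login(None, "alice", VICTIM_UA)
    replay = store.resolve(sid, ATTACKER_UA)          # stolen ID replayed from another browser
    return replay is None and store.resolve(sid, VICTIM_UA) is None   # and the session is gone for good

def logout_invalidates():
    store = SessionStore()
    sid = store.login(None, "alice", VICTIM_UA)
    store.logout(sid)
    return store.resolve(sid, VICTIM_UA) is None

def idle_session_expires():
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.login(None, "alice", VICTIM_UA)
    clock[0] += IDLE_TIMEOUT + 1
    return store.resolve(sid, VICTIM_UA) is None
```

Two caveats on the binding checks the slides mention: a User-Agent string is trivially copied by an attacker who already has the cookie, and binding to the client IP locks out mobile and NAT users whose address changes mid-session, so both are defence in depth at best. The controls that carry the weight are the unpredictable ID, regeneration at login, Secure and HttpOnly on the cookie, and server-side destruction at logout.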
Slide 35 (cont.). Example of a GET that changes state, from Confluence Wiki: http://wiki.itera.no/pages/removepage.action?pageId=41779352

Slide 36. CSRF countermeasures (cont.): logout; "remember me" logins (text lost).

Slide 38. Phishing. Text lost. Tools: OWASP Xenotix; SpearPhisher (e-mail).

Slide 39. Phishing countermeasures (section title).

Slide 40. Phishing countermeasures (cont.). Surviving keywords: checking the Referer website; Google Safe Browsing API. Rest lost.

Slide 42. Tools:
  • Cookies: CookiesManager+ (Firefox); Cookie Manager (Chrome)
  • Intercepting proxies: OWASP WebScarab, Burp Suite, Fiddler
  • Sniffers: Wireshark, CommView for WiFi
  • Session tokens: Burp (Sequencer); OWASP WebScarab Session ID Analysis module
  • Anti-phishing: Netcraft Toolbar / Netcraft Extension (Firefox / Chrome); FB Phishing Protector (Firefox); Facebook Anti-Phishing & Authenticity Checker (Chrome), covering Facebook, Twitter, YouTube and Google

Slide 44. Where to go from here:
  • Reading: Open Web Application Security Testing Guide; Web Security Testing Cookbook
  • Checklists: OWASP; Mozilla security check-list
  • Practice: OWASP WebGoat; OWASP Hackademic Challenge
  • Certification: ISTQB Security Testing Expert level (2015); Certified Information Systems Security Professional (CISSP); Certified Ethical Hacker (CEH)

Slide 45. Contacts: kateryna.ovechenko@iteraconsulting.com; kateryna.ovechenko; Ekaterina Ovechenko; kateryna.ovechenko@owasp.org
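Slides 33 to 35 contrast state-changing GET endpoints (the Vimeo, Kinopoisk, SlideShare and Confluence URLs) with the defences of a per-session anti-CSRF token (Facebook's fb_dtsg) and POST-only actions. The following is an added example, not code from the slides or from any of those sites: a deliberately vulnerable delete handler in the slide 33 style next to a hardened one that requires POST, checks the Origin/Referer header, and verifies a session-bound token in constant time. The Request and Session objects, the route name and SITE_ORIGIN are this example's assumptions.

```python
# Added example, not from the slides: the GET-triggered action pattern on
# slide 33 beside a handler hardened with the defences on slides 34 and 35.
# The Request and Session objects, route names and SITE_ORIGIN are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.com"   # assumed origin of the application


@dataclass
class Session:
    user: str
    # Per-session secret a cross-site page cannot read (same role as fb_dtsg on slide 34).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    session: Optional[Session]   # resolved from the cookie, which the browser attaches even to forged requests


def vulnerable_delete(req, deleted):
    """Slide 33 pattern: a state change whose only proof is the cookie, reachable
    by GET.  Any page the victim views can fire it with <img src=".../main/delete/ID">."""
    if req.session is None:
        return 401
    if req.path.startswith("/main/delete/"):
        deleted.append(req.path.rsplit("/", 1)[1])
        return 200
    return 404


def hardened_delete(req, deleted):
    if req.session is None:
        return 401
    # 1. Slide 35: state-changing actions only over POST; <img> and <a> cannot POST.
    if req.method != "POST":
        return 405
    # 2. Origin (Referer as fallback) must be our own site.  A cross-site form post
    #    carries the attacker's origin and page script cannot overwrite the header.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403
    # 3. Slide 34: anti-CSRF token bound to the session, supplied in the POST body,
    #    compared in constant time so its value cannot be probed byte by byte.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return 403
    if not req.path.startswith("/main/delete/"):
        return 404
    deleted.append(req.path.rsplit("/", 1)[1])
    return 200


def run_scenarios():
    """Replay a forged GET, a forged cross-site POST and a legitimate same-site POST
    against both handlers.  Returns {scenario: (vulnerable_status, hardened_status)}."""
    victim = Session(user="alice")
    path = "/main/delete/123"                                       # hypothetical presentation id
    scenarios = {
        "forged GET":  Request("GET",  path, {"Referer": "https://evil.example/"}, {}, victim),
        "forged POST": Request("POST", path, {"Origin": "https://evil.example"}, {}, victim),
        "legit POST":  Request("POST", path, {"Origin": SITE_ORIGIN},
                               {"csrf_token": victim.csrf_token}, victim),
    }
    return {name: (vulnerable_delete(req, []), hardened_delete(req, []))
            for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in run_scenarios().items():
        print(f"{name:12s} vulnerable={vuln} hardened={hard}")
```

The vulnerable handler answers 200 to all three requests because the cookie alone satisfies it; the hardened one rejects the forged GET (405) and the forged POST (403) and accepts only the same-site POST carrying the session's token. The Origin check and the token are independent layers: the token alone is enough when it is unguessable and never leaks, and the Origin check alone fails for clients that strip the header, so production code keeps both.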
