This blog post is about server-side security application security knowledge. The learning content comes from "White Hat Talking about Web Security."
After receiving from a client on security, including injection attacks, authentication and session management and access control, access control, encryption algorithm and a random number, Web security framework, application-layer denial of service attacks DDOS, Web Server security and other aspects .
@
Injection attack
Because the application violates the "principle of data and code separation." Two conditions: 1. The user can control the input of data; 2. The code pieced together the data entered by the user.
SQL injection
Blind note
Complete the injection attack when the server has no error echo. Verification method: construct a simple conditional statement to judge whether the SQL statement is executed according to whether the page has changed.
Timing Attack
The use of some special functions in the database can cause delays conditionally.
For example, in MySQL, the BENCHMARK () function can be used to execute the same function several times, so that the returned result is longer than the average time. Through the change of the length of time, you can determine whether the injection statement was successfully executed. This is a side-channel attacks .
eg:
1170 UNION SELECT IF(SUBSTRING(current,1,1) =
CHAR(119),BENCHMARK(5000000,ENCODE('MSG','by
5 seconds')),null) FROM (Select Database()
as current) as tbl;
This paragraph of Payload determines whether the first letter of the library name is CHAR (119), which is lowercase w. If the judgment result is true,
a long delay will be caused by the BENCHMARK () function; if it is not true, the statement will be executed quickly. The attacker
traverses all letters until the entire database name is verified.
In addition, for example, such means can also obtain a lot of information about the database.
Database attack skills
Common attack ingenuity
SQL injection can guess the version of the database. There are automated tools to complete guessing username and password. . (Guess the solution ... brute force), you can get the current user's identity to perform further file operations, read through LOAD_FILE, then write INTODUMOFILE to the system, and finally import the file into the table through LOAD DATA INFILE. This technique can export Web-shell to prepare for further attacks.
Automated injection tool: sqlmap
Command execution
In MySQL, in addition to directly exporting Web-shell to execute commands indirectly, you can also use UDF (USER-Defined-Functions) to execute commands. If the current user is root, you can directly obtain root permissions.
Attack stored procedures
The stored procedure provides powerful functions for the database, but it must be executed with CALL or EXECUTE. During the injection process, the storage can only provide great convenience for the attacker. For example, in MS SQL Server, "xp_cmd-shell" executes system commands.
Coding problem
Inject special characters such as single and double quotes that are often used in attacks. When the data set uses the "wide character set", there will be some loopholes, such as several codes representing a character, for example.
0xbf27 or 1 = 1 After being escaped, it becomes 0xbf5c27 (the ASCII code of "\" is 0x5c), but 0xbf5c is another character. Therefore, the original escape character \ will "eat up".
Uniform setting to UTF-8 is a good way, that is, to set the charset attribute of the page meta tag.
SQL Column Truncation
In MySQL database, if the strict mode is not turned on, it will cause duplicate data insertion or other illegal data insertion, which may obtain unauthorized access.
Properly defend against SQL injection
-
Find all SQL injection vulnerabilities
-
Patch these vulnerabilities
Use prepared statements : The best way is to use prepared statements, bind variables, and user input cannot change the structure and semantics of the statement.
Use stored procedures : Define SQL statements in the database, avoid using dynamic SQL statements.
Check data type , use safety function
From a database perspective, the principle of least privilege should be used.
Other injection attacks
- XML injection : very similar to HTML injection
- Code injection : Indirectly execute commands through some functions that execute commands, such as eval (), system ()
- CRLF injection : Two characters \ n \ t means line breaks, injecting line breaks changes the semantics. eg: rewrite the log file, inject HTTP header (Http Response Splitting), because the HTTP header is \ n \ t line breaks, which may lead to security risks and can form XSS attacks.
File upload vulnerability
File upload vulnerability overview
File upload vulnerability refers to the user uploading an executable script file, and through this script file to obtain the ability to execute server-side commands.
Common security vulnerabilities
-
The uploaded file is a web scripting language
-
The uploaded file is the cross-main.xml of Flash ’s strategy, and hackers can control the behavior of Flash under this domain.
-
The uploaded file is a virus, Trojan horse file, to induce users or administrators to download and execute
-
The uploaded file is a phishing picture or a picture containing a script, used for phishing and fraud
Forming conditions: 1. The uploaded file can be interpreted and executed by the Web container. 2. The user can access this file from the Web. 3. The file uploaded by the user has not been security checked and formatted
eg: File upload function of open source rich text editor.
Bypass file upload check function :
1. The attacker manually modified the POST package during the upload process, adding% 00 characters, which can truncate the judgment of certain functions on the file name.
2. Forge a legal file header and place the real script file behind it.
Function or loophole
- Apache file parsing problem : Apache resolves the file name from back to front until it encounters a file type recognized by Apache. Defined in Apache's mime.types file.
- IIS file parsing problem : 1.; Becomes a truncated character. If the file name is evil.asp; xx.jpg, IIS 6 will parse this file as evil.asp to execute. 2. Error handling folder extension name, files in /*.asp/ folder are treated as asp
- PHP CGI path resolution problem : When PHP is used as a Web Server in Nginx, fastcgi is generally used as a script interpreter. In fastcgi mode, PHP has access to environment variables. If it cannot be resolved, the path will go forward to seek environmental resolution.
- Phishing with uploaded file vulnerabilities : Jumping from a normal domain name to a phishing website. Through the analysis of different file types, the domain name still looks like a trusted domain name, but the html file runs through * .html.jpg resolution.
Design safe file upload function
- The file upload directory is set to not executable
- Determine the file type, use whitelist strategy, do not use blacklist strategy
- Use random numbers to rewrite the file name and file path
- Set the domain name of the file server separately
Authentication and session management
- " Authentication " and "Authorization" concepts, single-factor authentication and multi-factor authentication
- Password : The most basic authentication method. OWASP has recommended best practices.
OWASP:The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
Using weak password attacks is much more effective than brute force cracking. Don't save the password in plain text, use irreversible encryption algorithm or single hash function algorithm.
-
Multi-factor authentication : raise the threshold of attack
-
Session and authentication : The Session ID is encrypted and stored in a cookie. The cookie is protected by the browser's same-origin policy. Session hijacking means that the Session ID is stolen in the life cycle, which is equivalent to the account stolen. If the Session ID is stored in the cookie, then It can be called cookie hijacking.
- Session leakage methods: XSS attacks, network sniff, and local Trojan theft.
-
Session Fixation Attack : During the user's login to the website, if the user's Session ID does not change before and after login, there will be a Session Fixation problem.
- The specific attack process is that user X (attacker) first obtains an unauthenticated SessionID, and then
hands this SessionID to user Y for authentication. After Y completes the authentication, the server does not update the value of this SessionID (note that Change the
SessionID instead of not changing the Session), so X can directly log into Y's account with this SessionID.
- The specific attack process is that user X (attacker) first obtains an unauthenticated SessionID, and then
-
Session hold attack : After the user has not been active for a long time or the user clicks to exit, the server will destroy the session. If the Session has not been invalidated, it will cause a session hijacking attack.
Some websites have a large number of visits, so the server does not maintain the session. The session is encrypted and stored in the cookie. The cookie is sent with the cookie. The Expire tag of the cookie is used to control the expiration time of the session. This can use XSS to attack the client cookie. Time to hijack Session.
- Regularly forcibly destroy cookies, a user can have several sessions at the same time
-
SSO single sign-on : Users can access all systems once they log in. The risk concentration up. The most used is OpenID, which uses URL for user authentication and redirects back to the website after successful verification.
Access control
-
What Can I Do?
Authorization issues : permission control, access control. A certain subject needs to perform some operation on a certain object, and the system's restriction on this operation is permission control. The network request is restricted by the firewall ACL policy. Coupled with page-based access control can solve the problem of unauthorized access to the page.
-
Vertical rights management
RBAC (Role-Based Access Control): Role-based access control. Use the principle of least privilege.
-
Horizontal authority management
The data of the same user cannot be accessed directly, that is, the problem lies in the same role, and it is still a problem.
eg:来伊份购物网站没有对用户进行权限控制,通过变化URL中的id参数即可查看对应id的个人Private information such as name and address.
-
Introduction to OAuth
A security protocol that authorizes third-party applications to access Web resources without providing a username and password. OpenID solves the authentication problem, and OAuth solves the authorization problem.
有三个角色: -
User: User
-
Resource Owner: Resource provider, users accessing other web applications require data support from the resource provider
-
Client: consumer, the web application the user is visiting
The process steps are not repeated here, understand.
Encryption algorithm and random number
Overview
Encryption algorithm is divided into block cipher and stream cipher encryption algorithm .
Packet encryption method : DES, 3-DES, Blowfish , IDEA, AES and the like.
Stream cipher encryption algorithm : RC4, ORYX, SEAL.
According to the information available to the attacker, it can be divided into: ciphertext only attack, known plaintext attack, select plaintext attack, select ciphertext attack.
Stream Cipher Attack
A commonly used encryption algorithm for stream ciphers, based on XOR operation, only one byte is operated at a time, but the performance is very good.
-
Reused Key Attack : Use the same key to encrypt multiple times. Because it is based on XOR operation, so as long as you know four data, you only need to know three to derive the remaining one.
E(A) = A xor C
E(B) = B xor CE(A) xor E(B) = A xor B;
-
Bit-flipping Attack : In cryptography, an attacker changes the ciphertext without knowing the plaintext, so that the plaintext changes the attack method according to the way it needs. That is, when we know the plain text of A and B, and the cipher text of A, we can derive the cipher text of B.
Solve Bit-flipping attacks and verify the integrity of ciphertext.
-
Weak random IV problem : In the authcode () function, it uses a 4-byte IV by default (that is, the keyc in the function), making the cracking more difficult
. But in fact, the 4-byte IV is very fragile, it is not random enough, we can find the repeated IV by "brute force cracking".
WEP crack
WEP is a wireless encryption transmission protocol that cracks the WEP key and connects to the Access Point.
Two key factors:
- Initialization vector IV: sent in plain text, repetition occurs in a relatively short time, you can use Reused Key Attack. At the same time, if the same IV is found, the same CRC-32 check value can be constructed, and Bit-flipping can be successfully implemented.
- CRC-32 check of the message
Security of the WEP algorithm puts forward the theory of WEP cracking.
Defects of the ECB model
The packets are independently encrypted, and the ciphertext of any packet is exchanged, then the decrypted plaintext is also swapped. Therefore, chain encryption should be used.
Padding Oracle Attack
In the process of block encryption, padding is used for padding if there are not enough digits. The key to Padding Oracle Attack is that the attacker can know whether the decrypted result is compatible with padding. Pay attention to this when implementing and using the CBC mode block encryption algorithm.
Key management
A principle of cryptography: the security of the cryptosystem should depend on the complexity of the key, not on
the confidentiality of the algorithm.
Prevent key leakage from abnormal channels. Don't hard code the private key in the code, you should use public or private key management or improve key management. Centralized key management reduces the coupling of the system to the keys and facilitates periodic key replacement.
Pseudo-random number problem
Pseudo-random numbers are not random enough.
- The timestamp is not random enough to be used directly for random number generation.
- Crack the pseudo-random number seed to crack, eg: PHP's rand () function, mt_rand () function.
- Use secure random number algorithm, java.security.SecureRandom and so on.
Web framework security
-
MVC framework security
MVC framework in modern development. From the direction of data inflow, the data has passed through the View layer, Controller layer, and Model layer. When designing a security solution, you must grasp the key factor of data. Solve related problems at each layer, and do n’t leave problems that do n’t belong to that layer to that layer.
Template engine and XSS defense
Solve the XSS problem in the View layer. In the View layer, the template engine is used to render the page. The template engine may provide some coding methods.
Eg eg: htmlEncode () is used in auto-escape in Django, which can ensure safety, and sometimes shutdown may cause problems.
-
Web framework and CSRF defense
You can use security tokens to solve CSRF attacks, separate read and write operations, and use POST submission for all "write operations". At the same time, you must ensure the privacy of security tokens and automatically add tokens to POST.
1.在Session中绑定Token。 2.在form表单中自动添加token字段。 3.在Ajax请求中自动添加token。 4.在服务端对比POST中提交的Token和Session中绑定的Token是否一致。 -
HTTP headers management
In the framework, the HTTP header is processed globally. eg: CSRF attack against HTTP headers. For the jump of the HTTP response returned by 30X-a unified jump function (white list) is provided.
-
Data persistence layer and SQL injection
Using the ORM framework is good for preventing SQL injection.
Application layer denial of service attack DDOS
DDOS : distributed denial of service, normal service will be magnified several times, while the attack by several network nodes, to achieve economies of scale.
Common DDOS attacks: SYN flood, UDP flood, ICMP flood.
在很多对抗DDOS的产品中,一般会综合使用各种算法,结合一些DDOS攻击的特征,对流
Amount of cleaning. The network equipment against DDOS can be connected in series or in parallel at the exit of the network.
Application layer DDOS
Occurred at the application layer, the TCP three-way handshake has been completed, the connection has been established, and the IP address that initiated the attack is real. This attack is an attack on the performance of the server, and the method of optimizing the performance of the server can mitigate this attack.
- CC attack : Continuously initiate normal requests to application pages that consume large resources to achieve the purpose of consuming server resources.
- Limit request frequency : Make a request frequency limit for each client.
Captcha
CAPTCHA : the difference between automatic computer and human Turing test.
Possible vulnerabilities: 1. Identify the verification code directly using image-related algorithms 2. The SessionID is not updated after the verification code is consumed, resulting in the use of the original SessionID can always repeat the same verification code 3. Generate all the verification code pictures in advance , Use the hashed string as the verification code
File name of the picture-it can be cracked by enumeration.
Defense application layer DDOS
The core of the verification code is to identify people and machines. In general, determine the User-Agent field in the HTTP header to identify the client.
Another credible method is to let the client parse a piece of JS and give the correct operation result, because most of the automation process is directly constructed by HTTP packets to complete, and is not in the browser environment.
Web Server can also be used for defense.
Resource exhaustion attack
- Slow Loris attack : HTTP requests are sent to the server at a very low speed. Since the number of concurrent connections of the Web Server has a certain upper limit, all connections are eventually maliciously occupied.
- HTTP POST DOS : The principle is to specify a very large Content-Length value when sending an HTTP POST packet, and then send the packet at a very low speed
, such as sending a byte from 10 to 100s, to keep this connection unbroken. - Server Limit DOS : Cookies cause a denial of service. The Web Server has a length limit on the size of the HTTP header. If an attacker maliciously writes a long cookie to the client through an XSS attack, the client will no longer be able to access the domain of the cookie before clearing the cookie Any page.
Problems caused by ReDOS regular
When the regular expression is not well written, it may be used by malicious input and consume a lot of resources, resulting in DOS. This attack is called Re-DOS. This is a loophole in a code defect.
Eg: ^ (a +) + $, when entering aaaax normally, there are 16 possible paths, but when entering aaaaaaaaaaaaaaaaX, there are 65536 paths, which greatly increases the speed of regular engine resolution. When the user maliciously constructs the input, there is a defect. Regular expression efficiency is greatly reduced.
PHP Security
Skip this chapter for the time being and look back when you write the POC.
Web Server Security
- Apache security : 1. The Module module of Apache is most prone to security vulnerabilities, so check the installation status of the Module
- Specifying the Apache process to run as a separate user usually requires a separate user / group for Apache; running as root is a very bad habit.
- Apache has some configuration parameters that can optimize the performance of the server and improve the ability to resist DDOS attacks.
- Protect the Apache log. After the attacker successfully invades, the log will be modified and cleared.
- Nginx security : Pay attention to the security of the software itself and configure the parameters.
- jBoss remote command execution : JMX-Console manages the background, provides administrators with many powerful functions, and also facilitates hacking. Load war package remotely.
- Tomcat remote command execution : Tomcat manager background is prone to vulnerabilities.
Safe operation of Internet companies
This is mainly about the safety of Internet companies. Here are some important points excerpted, which will not be discussed in detail.
- Safety is a characteristic of the product.
- Good security plan
- Good user experience
- Excellent performance