Sangfor Campus Recruitment Security Offense and Defense Volume A

1. During emergency handling of a WEB security incident, how do you use WEB logs to trace the attack path?

When analyzing WEB logs for security, work through the following two lines of inquiry step by step and reconstruct the whole attack process.
First, establish the time window of the attack. Use that window as the lead: look for suspicious log entries within it, then dig further by suspicious IP address, attack signatures and so on. (WEB logs record every client request to the WEB application, both normal users' requests and the attacker's malicious activity. Extensive analysis shows that when an attacker breaks into a website, the requests carry recognisable attack signatures: running a WEB vulnerability scanner against the site typically produces a large number of 404 error entries, and probing the site for SQL injection typically leaves strings such as "and 1=1" in the WEB access log.) Finally, pin down the attacker, confirm the attack method, and reconstruct the attack process.
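As an added illustration (not part of the original post), the following Python script applies the two signatures named above to a constructed sample of combined-format access log lines: it groups requests by client IP, counts 404 responses per IP, flags URL-decoded requests containing "and 1=1", and reports each suspicious IP with its first and last timestamp, which is the time window the answer says to establish first. The log lines, IP addresses and the scan threshold of five 404s are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample of combined-format access log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:20:17 +0000] "GET /news.php?id=3%20and%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:02:15:44 +0000] "GET /index.php HTTP/1.1" 200 7741 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:02:15:45 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# ip, identd, user, [time], "method path protocol", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The SQL injection probe signature mentioned in the answer, matched after URL decoding.
SQLI_RE = re.compile(r"\band\s+1\s*=\s*1\b", re.IGNORECASE)

def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote_plus(entry["path"])   # decode %20 etc. so the signature cannot hide in encoding
    entry["status"] = int(entry["status"])
    return entry

def analyze(log_text, scan_threshold=5):
    """Group requests by IP; keep IPs with >= scan_threshold 404s or any SQLi-looking request.
    Each record carries the first and last timestamp seen, i.e. the attacker's activity window."""
    per_ip = defaultdict(lambda: {"404s": 0, "sqli": [], "first": None, "last": None})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        rec = per_ip[e["ip"]]
        rec["first"] = rec["first"] or e["time"]
        rec["last"] = e["time"]
        if e["status"] == 404:
            rec["404s"] += 1
        if SQLI_RE.search(e["path"]):
            rec["sqli"].append(e["path"])
    return {ip: r for ip, r in per_ip.items() if r["404s"] >= scan_threshold or r["sqli"]}
```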

2. What causes the Heartbleed vulnerability, and what harm does it do?
Answer: The Heartbleed vulnerability. This serious flaw (CVE-2014-0160) is caused by the failure to perform a correct bounds check before a length value supplied by the peer is used as the length parameter of memcpy(). An attacker can hit the 64KB buffer that OpenSSL allocates, have bytes beyond the legitimate range copied into it and the buffer contents returned, so that the victim's memory leaks 64KB at a time. By reading the web server's memory the attacker can obtain sensitive data and thereby compromise the security of both the server and its users. With sensitive security data such as the server's private master key, the attacker can decrypt current or stored traffic through a passive man-in-the-middle attack when server and client are not using perfect forward secrecy, or mount an active man-in-the-middle attack against the communicating parties when forward secrecy is in use. The attacker cannot control which data the server returns, because the server responds with a random block of memory.
The vulnerability may also expose other users' sensitive requests and responses, including POST request data of any kind, session cookies and passwords, which lets an attacker hijack other users' identities on the service. At the time of disclosure, about 17%, or 500,000, of the Internet's secure web servers certified by certificate authorities were believed to be vulnerable. The Electronic Frontier Foundation, Ars Technica and Bruce Schneier all described Heartbleed as "catastrophic". The affected versions of OpenSSL effectively become a broken lock that opens without a key: an intruder can inspect 64KB of the occupant's data on each attempt, and with enough patience and time can gather enough to piece together the occupant's bank passwords, private messages and other sensitive data.
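An added simulation (not OpenSSL's code) of the missing check the answer describes. A heartbeat record is a type byte, a 2-byte payload length, the payload, then 16 bytes of padding; respond_unchecked trusts the declared length the way the vulnerable memcpy() call did, while respond_checked applies the bounds test the fix introduced. The "memory" bytes and the secret placed after the record are constructed for the demo.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16  # RFC 6520: at least 16 bytes of random padding follow the payload

def build_heartbeat(payload, claimed_len):
    """Build a heartbeat record body. claimed_len may disagree with len(payload) (constructed case)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN

def respond_unchecked(memory, rec_start, rec_len):
    """Pre-fix behaviour: take the peer's length field at face value and copy that many bytes
    starting right after the 3-byte header, even when that runs past the end of the record."""
    rec = memory[rec_start:rec_start + rec_len]
    _, claimed = struct.unpack("!BH", rec[:3])
    # the memcpy(bp, pl, payload) with no check: reads whatever follows the record in memory
    return memory[rec_start + 3:rec_start + 3 + claimed]

def respond_checked(memory, rec_start, rec_len):
    """Fixed behaviour: header + declared payload + padding must fit inside the received record,
    otherwise the message is silently discarded (returns None)."""
    rec = memory[rec_start:rec_start + rec_len]
    if rec_len < 1 + 2 + PADDING_LEN:
        return None                      # too short to hold even a zero-length payload
    _, claimed = struct.unpack("!BH", rec[:3])
    if 1 + 2 + claimed + PADDING_LEN > rec_len:
        return None                      # declared length exceeds the record: discard
    return rec[3:3 + claimed]

def demo():
    """Constructed 'process memory': a malformed record followed by unrelated secret data."""
    secret = b"session=abc123; password=hunter2"
    record = build_heartbeat(b"hi", claimed_len=40)   # declares 40 bytes, carries only 2
    memory = record + secret
    leaked = respond_unchecked(memory, 0, len(record))   # echoes bytes from beyond the record
    safe = respond_checked(memory, 0, len(record))       # None: the record is dropped
    return leaked, safe
```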

3. How are the file parsing vulnerabilities of Apache, IIS and Nginx analyzed and exploited?
Answer: Apache parsing vulnerability. Apache judges the extension from right to left; if it does not recognise an extension it moves one to the left and tries again. For example, in upupimage.php.owf.rar the suffixes ".owf" and ".rar" are not recognised by Apache, so Apache parses upupimage.php.owf.rar as PHP.
IIS parsing vulnerabilities:
The first is /xx.asp/xx.jpg in IIS 5.x/6.0: if a folder created under the website is named .asp or .asa, a file with any extension inside that directory is parsed and executed by IIS as an ASP file.
The second is that 123.asp;.jpg is treated by the server as 123.asp; besides .asp, the default executable extensions of IIS 6.0 also include these three: /upupimage.asa, /upupimage.cer, /upupimage.cdx.
Nginx parsing vulnerabilities:
The first: when Fast-CGI is enabled by default in Nginx, the attacker uploads a file named upupimage.jpg whose content is <?php fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd]) ?>');?>, then visits upupimage.jpg/.php, and a one-line webshell shell.php is generated in that directory.
The second: the attacker embeds PHP code in an image and executes it by visiting xxx.jpg%00.php. Affected versions: 0.5.x, 0.6.x, 0.7 <= 0.7.65, 0.8 <= 0.8.37.
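An added example (not from the post) of the upload-side check a defender would put in front of all three servers: it rejects every name form discussed above (an executable extension anywhere in an Apache multi-extension chain, the IIS ";" truncation, the Nginx null byte, and path segments that would make a directory named .asp or an image act as PATH_INFO for upupimage.jpg/.php). The deny-list and allow-list of extensions are assumptions chosen from the extensions the answer names.

```python
# Assumed lists: extensions the three servers may execute, and the image types the site accepts.
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "asp", "asa", "cer", "cdx", "aspx", "jsp"}
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}

def is_safe_upload_name(name):
    """Accept an uploaded file name only if every parser described above still sees an image."""
    lowered = name.lower()
    if "\x00" in lowered or "%00" in lowered:
        return False            # null-byte truncation: xxx.jpg%00.php (Nginx 0.5.x to 0.8.37)
    if "/" in lowered or "\\" in lowered:
        return False            # no path parts inside a file name
    base = lowered.split(";")[0]            # IIS 6 stops at ';': 123.asp;.jpg -> 123.asp
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False            # needs a real base name and at least one extension
    exts = parts[1:]
    # Apache scans extensions right to left and runs the first one it recognises,
    # so an executable extension anywhere in the chain is unsafe: upupimage.php.owf.rar -> php
    if any(e in EXEC_EXTS for e in exts):
        return False
    return len(exts) == 1 and exts[0] in ALLOWED_EXTS

def is_safe_static_uri(uri_path):
    """For a static upload directory: every directory segment must be a plain name and the
    final segment must pass is_safe_upload_name."""
    segments = [s for s in uri_path.split("/") if s]
    if not segments:
        return False
    for d in segments[:-1]:
        ext = d.lower().rsplit(".", 1)[-1] if "." in d else ""
        if ext in EXEC_EXTS:
            return False        # directory named xx.asp or .asa: IIS 5.x/6.0 runs its contents as ASP
        if ext in ALLOWED_EXTS:
            return False        # an image name used as a directory: the upupimage.jpg/.php trick
    return is_safe_upload_name(segments[-1])
```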

4. From what aspects can CSRF vulnerability defense be implemented?
Answer: CSRF defense can be carried out at three levels: server-side defense, user-side defense, and security-device defense.
(1) Check that the HTTP Referer field is from the same domain. According to the HTTP protocol, the HTTP header carries a field called Referer that records the source address of the HTTP request. Normally, a request for a security-restricted page must come from the same website. For example, a bank transfer is completed when the user visits the page http://bank.test/test?page=10&userID=101&money=10000. The user must first log in to bank.test and then click the button on the page to trigger the transfer event. When the user submits the request, the Referer value of the transfer request is the URL of the page holding the transfer button (in this example, normally an address under the bank.test domain). If an attacker wants to mount a CSRF attack against the bank website, he can only construct the request on his own website, so when the user sends the request to the bank via the attacker's website, the request's Referer points to the attacker's website. To defend against CSRF, therefore, the bank website only has to verify the Referer value of every transfer request: if it is a domain name under bank.test, the request originates from the bank website itself and is legitimate; if the Referer is another website, it may be a CSRF attack, and the request is rejected.
(2) Limit the lifetime of the session cookie. A CSRF attack only works if the authentication cookie is still valid when the user visits the malicious link, so the authentication cookie must be cleared promptly when the user closes the page.
(3) Use a verification code. Even though the attacker rides on the user's identity carried by the cookie, including a verification code in the form effectively removes the risk of a cross-site request forgery attack. This can be applied to any form that performs an action.
(4) Set the HttpOnly attribute on the cookie. This defends against CSRF to a certain extent.
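An added example (not from the post) of the Referer check in (1), written for the post's bank.test site. It compares the parsed host of the Referer, or of Origin when the browser sends one, against bank.test and its subdomains rather than testing a string prefix, because a plain prefix test would also accept http://bank.test.attacker.example/; state-changing requests that carry neither header are refused. The header values in the comments are constructed.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "bank.test"   # the site in the post's transfer example

def referer_allows_request(headers, trusted_host=TRUSTED_HOST):
    """Server-side CSRF check for a state-changing request such as the transfer page.
    Returns True only if the request's source URL parses to the trusted host or a subdomain of it."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    # Origin, when present, is the more reliable source indicator; fall back to Referer.
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False            # no source header at all: refuse rather than guess
    try:
        parts = urlsplit(source)
    except ValueError:
        return False            # unparsable URL (e.g. bad IPv6 brackets)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # urlsplit gives the real host, so "http://bank.test@attacker.example/" yields attacker.example
    host = parts.hostname.lower().rstrip(".")
    return host == trusted_host or host.endswith("." + trusted_host)
```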

Origin blog.csdn.net/w1304099880/article/details/110518792