Web Application Security
Bogdan Brinzarea-Iamandi, Banca Romaneasca
Agenda
• Security in today's world
• Myths
• SQL injection
• XSS
• CSRF
• JSON hijacking
• Helpful tools
SECURITY IN TODAY'S WORLD
What is at stake?
Money
Data
Reputation
Top 10 risks
Open Web Application Security Project (OWASP)
MYTHS
SSL (Secure Socket Layer)
• If I use SSL, I am protected!
• FALSE: Attacks can happen just as well over SSL!
Firewall
• If I use a firewall, I am protected!
• FALSE: The firewall protects web access to the site; it does not protect the application from malicious attacks.
Developers
• Application security is the developers' problem!
• FALSE: Many factors outside the developers' control influence application security!
SQL INJECTION
SQL injection - Definition
• An attack in which unvalidated data ends up as part of a command or query
• Impact
– Access is obtained with roles the user is not entitled to
– Sensitive data is obtained
– Sensitive data is destroyed
SQL injection - Scenario
Unauthorized access
Retrieval of sensitive data
Granting of undue privileges
SQL injection - Scenario
Source: http://xkcd.com/327/
SQL injection – Solutions
• Use dynamic queries only with safe SQL parameters
• Stored procedures
• Strip special characters
• Validate input data
• Use whitelists, not blacklists
SQL injection - Solutions
• Protect sensitive data with encryption
• Remove explicit SQL errors from the output
• Limit the information exposed about the database
• Use accounts with limited privileges
• Use the AntiXSS library (http://antixss.codeplex.com)
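The two solution slides above, as an added example that is not part of the talk (the deck targets ASP.NET; this is Python on the standard-library sqlite3 module so it runs anywhere). It puts the concatenated query beside the parameterized one, validates a column name against a whitelist because identifiers cannot be bound as parameters, and hides raw database errors from the client. The table, its rows and the function names are constructed for the example.

```python
"""Added example, not the slides' code: unsafe vs. parameterized SQL plus a
whitelist for a value that cannot be a bound parameter (a column name)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, pw, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """The pattern the slides warn against: unvalidated input becomes part of
    the query text, so quote characters in the input change the query's logic."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, name, pw):
    """Bound parameters: the driver sends the input as data, never as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


# Whitelist, not blacklist: the only column names a client may sort by.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn, sort_by):
    """Identifiers cannot be parameters, so validate them against a whitelist
    before they are interpolated into the statement."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("invalid sort column")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]


def run_query_for_user(conn, fn, *args):
    """Remove explicit SQL errors from the output: log the real exception
    server-side and return only a generic message to the client."""
    try:
        return {"ok": True, "rows": fn(conn, *args)}
    except (sqlite3.Error, ValueError):
        # log the exception here; the client must not see table or column names
        return {"ok": False, "error": "request could not be processed"}


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", crafted))  # every row
    print("safe:      ", login_safe(db, "alice", crafted))        # no row
    print(run_query_for_user(db, list_users_sorted, "nonexistent"))
```

The crafted password turns the concatenated `WHERE` into a condition that is true for every row, which is exactly "access with roles one is not entitled to" from the definition slide; the same string passed as a bound parameter matches nothing. Running the application under a database account that only has `SELECT` on the tables it needs (the "limited privileges" bullet) bounds the damage when one of these checks is missed.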
XSS
Cross-Site Scripting
XSS - Definition
• An attack in which an application takes data and sends it to the browser without correct validation and encoding
• Allows malicious scripts to execute in the client's browser
• 2 types
– Reflected – the script is included in the request and reflected back in the page
– Persistent – the script is included in the request, saved, and then displayed in later pages
XSS – Reflected scenario
XSS – Persistent scenario
XSS - Solutions
• Use HTML output encoding
XSS - Solutions
• Not only the HTML must be validated!
• Encode tag attributes
• Encode URL-type attributes
• Validate CSS with regular expressions
• Encode JavaScript
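The encoding slides above, as an added example that is not the talk's code nor the AntiXSS library (the deck targets ASP.NET; this is standard-library Python). One encoder per output context the slide lists: HTML body, tag attribute, URL-type attribute, CSS value (validated with a regular expression rather than encoded) and JavaScript string literal. The attribute and JavaScript encoders follow the AntiXSS rule of whitelisting ASCII letters and digits and escaping everything else. The page template and field names are constructed for the example.

```python
"""Added example, not the slides' or AntiXSS's code: one output encoder per
context, plus a template that applies the right one in each place."""
import html
import re
import urllib.parse


def html_encode(s: str) -> str:
    """HTML body context: & < > " ' become entities."""
    return html.escape(s, quote=True)


def html_attr_encode(s: str) -> str:
    """Quoted attribute context: keep ASCII letters and digits, escape the rest
    as numeric entities so the value can never close the quote or the tag."""
    return "".join(c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):X};" for c in s)


# Only these prefixes may start an href/src value; anything else becomes "#".
SAFE_URL_PREFIXES = ("http://", "https://", "/")


def url_attr_encode(url: str) -> str:
    """URL-type attribute: restrict the scheme, percent-encode the URL, then
    attribute-encode the result (the browser decodes entities before parsing)."""
    u = url.strip()
    if not u.lower().startswith(SAFE_URL_PREFIXES):
        return "#"
    return html.escape(urllib.parse.quote(u, safe=":/?&=#%"), quote=True)


def js_string_encode(s: str) -> str:
    """JavaScript string-literal context: \\xHH or \\uHHHH for every
    non-alphanumeric, so quotes and </script> cannot terminate the literal."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


# CSS is validated, not encoded: accept only the exact shape a colour may have.
CSS_HEX_COLOR = re.compile(r"#[0-9a-fA-F]{6}")


def css_color_or_default(s: str, default: str = "#000000") -> str:
    """Reject any CSS value that is not a six-digit hex colour."""
    return s if CSS_HEX_COLOR.fullmatch(s) else default


def render_profile(name: str, homepage: str, color: str, greeting: str) -> str:
    """Constructed template: each untrusted value goes through the encoder for
    the context it lands in (style, href, title, text node, script literal)."""
    return (
        f'<div style="color: {css_color_or_default(color)}">'
        f'<a href="{url_attr_encode(homepage)}" title="{html_attr_encode(name)}">'
        f"{html_encode(name)}</a>"
        f'<script>var greeting = "{js_string_encode(greeting)}";</script>'
        "</div>"
    )


if __name__ == "__main__":
    print(render_profile("<b>x</b>", "/home", "#ff0000", "hi </script>"))
```

Output produced this way is what the later slide means by "HTML that is safe for innerHTML": the markup characters are entities, so the browser renders them as text instead of parsing them. Note that the encoder is chosen by where the value is written, not by where it came from; the same string needs a different encoder in an attribute than in a script block.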
XSS – Solutions
• Validate data on the client as well as on the server
Machine.config
Web.config
XSS - Solutions
• In MVC, validation is done at the controller level
XSS - Solutions
• Use the AntiXSS library (http://antixss.codeplex.com/)
Source: antixss.codeplex.com
XSS - Solutions
• Phil Haack – AntiXssEncoder
http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx
XSS - Solutions
• HttpOnly cookie – prevents access through document.cookie
XSS – Solutions
• innerHTML must be used only with encoded HTML
• innerText does not execute scripts
CSRF
Cross-Site Request Forgery
CSRF - Definition
• An attack that forces an authenticated victim to send a forged HTTP request
• Because the request comes from the victim, traditional security measures are bypassed
CSRF - Scenario
CSRF - Solutions
• Include a security token in the cookie and in the page
• When data is posted to the server, the token from the cookie is checked against the one from the page
• The action is performed only if the two match
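The three CSRF steps above, as an added example that is not the talk's code nor ASP.NET's anti-forgery implementation (the deck targets ASP.NET; this is standard-library Python). It issues a random token into both a cookie and a hidden form field, and performs the state-changing action only on POST and only when the two copies match. The token cookie is also marked HttpOnly, Secure and SameSite, which is the HttpOnly recommendation from the XSS slides applied here. The cookie name, the field name `__RequestVerificationToken`, and the (method, cookie header, form) request shape are assumptions made for the example.

```python
"""Added example, not the slides' or ASP.NET's code: token in cookie + token
in page, compared on POST before the action runs."""
import hmac
import secrets
from http.cookies import SimpleCookie

ANTIFORGERY_COOKIE = "__AntiForgery"          # assumed cookie name
FORM_FIELD = "__RequestVerificationToken"     # assumed hidden-field name


def issue_tokens():
    """Generate a fresh random token and return (token, Set-Cookie header,
    hidden <input> for the page). Both copies carry the same value."""
    token = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[ANTIFORGERY_COOKIE] = token
    jar[ANTIFORGERY_COOKIE]["httponly"] = True   # not readable via document.cookie
    jar[ANTIFORGERY_COOKIE]["secure"] = True     # only sent over TLS
    jar[ANTIFORGERY_COOKIE]["samesite"] = "Strict"
    set_cookie = jar.output(header="").strip()
    hidden = f'<input type="hidden" name="{FORM_FIELD}" value="{token}">'
    return token, set_cookie, hidden


def verify_request(cookie_header: str, form: dict) -> bool:
    """Step 2: compare the cookie token with the posted token, in constant time."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if ANTIFORGERY_COOKIE not in jar:
        return False
    cookie_token = jar[ANTIFORGERY_COOKIE].value
    form_token = form.get(FORM_FIELD, "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


def handle_transfer(method: str, cookie_header: str, form: dict) -> int:
    """Step 3: run the state-changing action only on POST with matching tokens.
    Returns an HTTP status code (200 performed, 405 wrong method, 403 rejected)."""
    if method != "POST":
        return 405
    if not verify_request(cookie_header, form):
        return 403
    # ... perform the transfer here ...
    return 200


if __name__ == "__main__":
    token, set_cookie, hidden = issue_tokens()
    print(set_cookie)
    print(hidden)
    print(handle_transfer("POST", f"{ANTIFORGERY_COOKIE}={token}", {FORM_FIELD: token}))
    print(handle_transfer("POST", f"{ANTIFORGERY_COOKIE}={token}", {FORM_FIELD: "other"}))
```

A page served from another origin cannot read the victim's cookie and therefore cannot put the matching value into its forged form, which is why the equality check defeats the scenario slide. This version compares the two copies exactly as the slide describes; ASP.NET's own anti-forgery tokens additionally bind the token to the logged-in user, so a token issued to one account cannot be replayed for another.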
JSON HIJACKING
JSON hijacking - Definition
• A CSRF-type attack in which the authenticated victim is made to issue a request that fetches confidential JSON data
• A JSON array is valid JavaScript and gets executed
JSON hijacking - Definition
• The following conditions must all be met
– The victim's browser supports __defineSetter__
– The JSON service returns confidential data
– The JSON service returns the data on GET
– The JSON service returns the data as an array
JSON hijacking - Scenario
JSON hijacking - Solutions
• In MVC 2, only POST requests for JSON
• No actions should be taken on GET
• Use a security token
JSON hijacking – Solutions
• A safe JsonResult that changes the default array output
• We can take inspiration from the AJAX-enabled WCF Service
JSON hijacking - Solutions
System.Web.Mvc.JsonResult.cs
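The "safe JsonResult" from the solution slides, as an added example that is not System.Web.Mvc.JsonResult.cs nor WCF's code (the deck targets ASP.NET; this is standard-library Python). It removes two of the four preconditions from the definition slide: it refuses GET, as MVC 2 does by default, and it never emits a bare top-level array, wrapping it in an object under a `d` property the way AJAX-enabled WCF services do. The (status, headers, body) result shape and the `allow_get` parameter are assumptions made for the example; a small check function shows how to catch a bare-array response in a test suite.

```python
"""Added example, not the framework's code: a JSON result that denies GET and
wraps top-level arrays so the body is not an executable JavaScript literal."""
import json


def is_array_literal(body: str) -> bool:
    """True when the body parses as a JSON array. Such a body is also a valid
    JavaScript array literal, the property the definition slide relies on."""
    try:
        return isinstance(json.loads(body), list)
    except ValueError:
        return False


def safe_json_result(data, method: str, allow_get: bool = False):
    """Return (status, headers, body). Mirrors MVC 2's default of denying GET
    and WCF's "d" wrapper for arrays; objects pass through unchanged."""
    if method == "GET" and not allow_get:
        return 405, {"Allow": "POST"}, ""
    payload = {"d": data} if isinstance(data, list) else data
    body = json.dumps(payload)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # nosniff: browsers refuse to run a non-script MIME type as a script
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    accounts = [{"acct": "1", "balance": 10}]   # constructed confidential data
    print(safe_json_result(accounts, "GET"))    # 405, nothing returned
    print(safe_json_result(accounts, "POST"))   # 200, {"d": [...]}
    print(is_array_literal(json.dumps(accounts)), is_array_literal("{}"))
```

A `{...}` body is a block statement, not an object expression, when loaded through a `<script>` tag, so the wrapped form is not usable as a script even where GET is allowed. Current browsers have since closed the array-constructor and `__defineSetter__` trick that the definition slide depends on, but denying GET and wrapping arrays remain cheap, cover older clients, and combine with the security token from the CSRF slides for state-changing calls.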
Tools
• URL Scan
• URL Rewrite
• Fiddler
• IIS Log Analyzer
• Log Parser 2.2
Conclusions
THANK YOU!