App과 Server의 은밀한 대화 (The secret conversation between App and Server)
Material for the 7/17 session presentation
Uploaded as Apple Keynote
© All Rights Reserved
Presentation Transcript

  • App과 Server의 은밀한 대화 (The secret conversation between App and Server) [App / Server], 2010. 7. 17
  • Speaker: CTO, blueonion; 2005~2010: SK; contact: @cserock | http://rockk.egloos.com
  • blueonion: founded 2010. 4; 24 ( :3 ); http://blueonionsoft.com
  • The usual App/Server exchange: the app requests http://www.test.com/getUserInfo.php?id=234 and the server answers with XML or JSON
  • Request URLs as the app sends them today, with every parameter in the clear:
    • http://test.com/savePoint.php?id=2&point=450
    • http://test.com/updateUserInfo.php?id=2&password=teertfdsa
    • http://test.com/getUserInfo.php?id=2
  • What those URLs give away: the endpoints (savePoint.php, updateUserInfo.php) and the data fields (id, point, password). Abuse is a single request: savePoint.php with id=3&point=500000?
  • ,‘ ’ . • - App “ ” • . • - • - . blueonion
  • Proposed shape: http://www.test.com?st=xndje3e2j3%dws3olnf, with the parameters carried inside an encrypted security token (st); the response is still XML or JSON
  • Components: AES-128 on both sides. App: CryptoHelper (built on CommonCrypto / Security framework) encrypts the parameters into st (security token). Server: libmcrypt via the PHP mcrypt functions decrypts st.
  • Client side (iOS, Objective-C), as on the slide; the `boundary` declaration is added here because the slide omits it, and the `\r\n` sequences and the escaped quotes around `st` are restored (extraction had stripped the backslashes):

```objc
// make parameter (rand() is not seeded and is predictable; a demo nonce only)
NSString *param = [[NSString stringWithFormat:@"id=2&point=450&nonce=%d", rand()]
    stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding];

// make st (key is '123456789abcdef')
NSString *st = [[CryptoHelper sharedInstance] encryptString:param];

// now let's create the body of the post
// (not shown on the slide: any string that cannot occur in the body works as
//  the boundary, and the request needs a matching
//  Content-Type: multipart/form-data; boundary=... header)
NSString *boundary = @"0xKhTmLbOuNdArY";
NSMutableData *body = [NSMutableData data];
[body appendData:[[NSString stringWithFormat:@"\r\n--%@\r\n", boundary] dataUsingEncoding:NSUTF8StringEncoding]];
[body appendData:[[NSString stringWithFormat:@"Content-Disposition: form-data; name=\"st\"\r\n\r\n%@", st] dataUsingEncoding:NSUTF8StringEncoding]];
[body appendData:[[NSString stringWithFormat:@"\r\n--%@--\r\n", boundary] dataUsingEncoding:NSUTF8StringEncoding]];
[request setHTTPBody:body];
```
  • Server side (PHP), as on the slide, with the typographic quotes replaced by real ones:

```php
<?php
// base64 decode st
$tmp_st = base64_decode($_POST['st']);

// decrypt st (key is '123456789abcdef')
// The key is 15 bytes; mcrypt in PHP < 5.6 silently zero-pads it to the 16
// bytes AES-128 needs, PHP 5.6+ rejects it, and the mcrypt extension is gone
// since PHP 7.2. ECB mode ignores the IV that is generated here, and trim()
// removes the NUL padding mcrypt appends.
$st = urldecode(trim(mcrypt_decrypt(
    MCRYPT_RIJNDAEL_128,
    '123456789abcdef',
    $tmp_st,
    MCRYPT_MODE_ECB,
    mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB), MCRYPT_RAND)
)));
// st is 'id=2&point=450&nonce=12342234'
?>
```
  • Additional measures: HTTP_USER_AGENT => recognise the App; framework => endpoint (hide the real endpoints behind framework routing); put a timestamp into st (security token)
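The token scheme from the two code slides and the timestamp idea from the slide above, carried through end to end in Go as an added example; it is not code from the presentation or from blueonion. It reproduces what the PHP side's mcrypt call actually did (short key zero-padded to 16 bytes, NUL padding, ECB, IV ignored, trim) so the two halves interoperate, then adds the server-side checks the last slide hints at: a timestamp window and a record of nonces already accepted, so a captured st cannot simply be posted again. The function and type names, the `ts` parameter, the 5-minute window and the sample values are assumptions. Two caveats the slides do not state: ECB with a fixed key compiled into the app gives no integrity, so anyone who pulls the key out of the binary can mint an `id=3&point=500000` token that passes every check here, and equal plaintext blocks produce equal ciphertext blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// slideKey is the 15-character key from the slides; a fixed key shipped in the
// app is the weakness of the scheme, so treat it as a demo value only.
const slideKey = "123456789abcdef"
// ecb mimics PHP mcrypt RIJNDAEL_128/ECB: key zero-padded to 16 bytes (assumes
// a key of at most 16 bytes), NUL padding, no IV, every block on its own.
func ecb(key string, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(append([]byte(key), make([]byte, 16-len(key))...))
	if err != nil {
		return nil, err
	}
	bs, op := block.BlockSize(), block.Encrypt
	if decrypt {
		if len(in) == 0 || len(in)%bs != 0 {
			return nil, errors.New("ciphertext is not a whole number of blocks")
		}
		op = block.Decrypt
	} else {
		in = append(in, bytes.Repeat([]byte{0}, (bs-len(in)%bs)%bs)...)
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		op(out[i:i+bs], in[i:i+bs])
	}
	if decrypt {
		out = bytes.TrimRight(out, "\x00") // what trim() does on the PHP side
	}
	return out, nil
}

// MakeToken (client side): params + nonce + ts, URL-encoded, encrypted, base64 -> st.
func MakeToken(params url.Values, nonce int64, issued time.Time, key string) (string, error) {
	params.Set("nonce", strconv.FormatInt(nonce, 10))
	params.Set("ts", strconv.FormatInt(issued.Unix(), 10))
	ct, err := ecb(key, []byte(params.Encode()), false)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Verifier (server side) remembers accepted nonces so a captured st cannot be replayed.
type Verifier struct {
	key    string
	maxAge time.Duration
	seen   map[string]bool
}

func NewVerifier(key string, maxAge time.Duration) *Verifier {
	return &Verifier{key: key, maxAge: maxAge, seen: map[string]bool{}}
}

// Verify decrypts st, parses it, and rejects stale or replayed tokens.
func (v *Verifier) Verify(st string, now time.Time) (url.Values, error) {
	raw, err := base64.StdEncoding.DecodeString(st)
	if err != nil {
		return nil, err
	}
	pt, err := ecb(v.key, raw, true)
	if err != nil {
		return nil, err
	}
	params, err := url.ParseQuery(string(pt))
	if err != nil {
		return nil, err
	}
	ts, err := strconv.ParseInt(params.Get("ts"), 10, 64)
	if err != nil {
		return nil, errors.New("missing or malformed timestamp")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > v.maxAge || age < -v.maxAge {
		return nil, errors.New("token expired")
	}
	if nonce := params.Get("nonce"); nonce == "" || v.seen[nonce] {
		return nil, errors.New("missing or replayed nonce")
	}
	v.seen[params.Get("nonce")] = true
	return params, nil
}

func main() {
	st, _ := MakeToken(url.Values{"id": {"2"}, "point": {"450"}}, 12342234, time.Now(), slideKey)
	v := NewVerifier(slideKey, 5*time.Minute)
	_, first := v.Verify(st, time.Now())
	_, again := v.Verify(st, time.Now()) // the same st posted a second time
	fmt.Println("st:", st, "\nfirst use:", first, "\nreplay:", again)
}
```

The `seen` map grows without bound as written; in a real service, nonces older than `maxAge` can be dropped, since the timestamp check already rejects anything that old.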
  • Thanks for your attention