decuong web mail v2

Upload: hoang-thi-thuy

Posted on 16-Jul-2015

Department of Computer Networks and Communications

HUNG YEN UNIVERSITY OF TECHNOLOGY AND EDUCATION, FACULTY OF INFORMATION TECHNOLOGY

COURSE OUTLINE

SETTING UP, BUILDING AND ADMINISTERING MAIL SERVER AND WEB SERVER SYSTEMS

HUNG YEN, MONTH 2-1011


CHAPTER 1: INTRODUCTION TO THE INTERNET

1.1. Overview of the Internet and the history of its development

1.1.1. The concept of the Internet

The Internet is a collection of computers linked to one another through network cabling and telephone lines across the whole world, for the purpose of exchanging and sharing data and information. Anyone on the system can reach and view information from any computer on this system or another. In the past the Internet was used mainly by government organisations and in schools. Today it is used by billions of people, including individuals, large and small businesses, schools and of course the state and government organisations. The most important part of the Internet is the World Wide Web. The Internet is common property, which means that nobody really owns it as an individual. Each small part of the network is managed by a different organisation, but no person, no entity and no computing centre holds control over the network. Each part of the network is linked to the others in a way that forms a global network. The Internet is a global network made up of many LANs (Local Area Networks), MANs (Metropolitan Area Networks) and WANs (Wide Area Networks) around the world connected together. Each of these member networks is connected to the Internet through a router.

Figure 1.1: Overview of the Internet


1.1.2. History of the Internet

At the end of 1960 the US Department of Defense set about building a wide-area computer network across the whole of the United States. This network was called ARPANET (Advanced Research Project Agency Network); its goal was to let US government organisations share resources such as printers, servers and databases over the network. In early 1980 the TCP/IP protocol was developed and quickly became the standard network protocol used on ARPANET. The operating system used on the network at that time, BSD UNIX, was also integrated with TCP/IP, and it quickly became an effective tool for developing computer networks. With these new technologies the number of computer networks grew rapidly. The original ARPANET became the backbone for a TCP/IP network of thousands of machines belonging to different local networks; this network is the Internet. However, in 1988, as DARPA decided to carry out other experiments, the US Department of Defense began to retire ARPANET and replace it with NSFNET. Having grown out of ARPANET, today the Internet consists of hundreds of thousands of computers connected to one another around the world, and the current backbone can carry thousands of times the traffic of the earlier ARPANET.

1.2. Organisation of the Internet

The Internet is an internetwork, that is, a network of subnetworks. To connect subnetworks to one another, two problems must be solved. Physically, subnetworks can only be connected when there is a computer that can connect to these networks; but a purely physical connection is not enough for the subnetworks to exchange information. The second problem is that the computer physically connected to the subnetworks must understand both of the communication protocols used on them, so that packets from each subnetwork can be passed to the other through it. This device is called an Internet gateway, or router.

With a network as large as the Internet, deciding how routers forward packets to machines in the various networks becomes more complex. So that routers can forward a large number of packets belonging to different networks, the following rule was laid down: routers forward packets based on the network address of the destination, not on the address of the receiving host. Because forwarding is based on the network address, the total amount of information a router must keep about the network topology follows the number of networks on the Internet, not the number of hosts. On the Internet all networks have equal standing, even though they differ greatly in organisation or in the number of machines. The Internet's TCP/IP protocol works according to the following view: every subnetwork in the Internet, whether an Ethernet, a wide-area network such as the NSFNET backbone, or a point-to-point link between just two machines, is treated as one network. This stems from the very first design goal of TCP/IP, to link networks of completely different architectures, so the notion of a "network" in TCP/IP hides the physical architecture of the network. This is precisely what makes TCP/IP so powerful. As a result, a user of the Internet pictures it as a single, uniform network: in the eyes of the user, the machines are connected to one another through one network.

Figure 1.2: The Internet as seen by a user


Figure 1.3: Detailed model of the Internet

1.2.1. Management of the Internet

In reality the Internet is not under anyone's management. It has no director and no board of administrators. Every member can take part in the Internet or not; that is each member's own right. Each component network has a director or chairman, a government agency or an operating company, but no organisation is responsible for the whole Internet. The Internet Society (ISOC) is a voluntary organisation that takes full responsibility for the Internet and is its headquarters; its purpose is to develop the ability to exchange information using Internet technology. The basic idea of the organisation is to encourage the global exchange of information through the Internet. It is a committee of voluntary members, and it is these members who decide the way forward for the Internet, manage it technically and define its appropriate functions. ISOC elects the Internet Architecture Board (IAB), a committee responsible for issuing technical guidance as well as the direction of the Internet's development. The IAB's task is to set out principles, define standards and allocate data resources such as the addresses of web pages or the locations of data sources. The Internet works very simply because computers around the world can talk to one another in a number of standard ways, and the IAB manages these standards; it also decides when a standard is urgently needed and what the standards body should do.

1.2.2. Why the Internet is needed and what it can do for us

One important reason is that even an average Internet user will find an unimaginably large amount of information by searching for and sharing data and information on the Internet. Unlike traditional communication by letter or telephone, the Internet links people living hundreds of thousands of kilometres apart so that they can learn from each other's experience and expand their knowledge; this is a basic principle and the foundation of the Internet. In the Internet age there are no limits of geographical distance or time.

What can the Internet do for us? It helps with many things. As a doctor, you can find a multi-service system: medical journals, news and updates on the latest medical technology, medical research discussions, options for drugs and treatment, and other fields. For example, while in Vietnam you can watch a complex surgical operation taking place in the United States, or if your family is abroad you can attend a medical conference together with them. Beyond that, you can discuss, request relevant medical documents and tools that support a doctor's work, find the latest information on the most modern medicines, their composition, their effectiveness and other details, or information on clinical trials and international developments in your particular area. Specialists in the various fields of medicine are usually members of the medical community; they share their knowledge and experience with one another and with others, so they also help others learn and research together on a worldwide scale, not limited to individual countries. Electronic mail, or email, lets us send messages; the recipient, wherever in the world they are, can receive the message within 2 seconds, so email is a fast, light and easy way to convey information. You can also talk to someone else on the network using messaging software, or use a browser to look for general information. A medical student can find notes and study aids for class or textbooks, and a lecturer can likewise use it to expand their own knowledge and learn from experience through web pages.


Chapter 2: Overview of a web system

2.1. Introduction

A web system is a system that provides information on the Internet through three components: the server, the browser and the information content. This chapter gives a basic introduction to how a web system works, together with the related matters of how the location of an information source is identified, how data is exchanged between the server and the browser, and how information is presented.

2.2. General model of a web system

A web service network is the network of computers involved in the web service: the service servers, and the computers and devices that support delivering the web service. The system consists of:

- the connection to the network of the Internet service provider;
- the servers that provide the web service: these provide web hosting, carry the Application Server software that supports the development of services on the web, and connect to databases on other computers and other networks;
- database servers, authentication servers, search servers, and so on;
- a firewall system (both hardware and software) that protects the server system from the Internet environment;
- the system of workstations used to operate and update information on the web server.

2.3. Operating principle

Figure: operating principle of a web system. The client browser sends a request for http://home.vnn.vn across the Internet; the web server answers with HTML, produced through CGI/API programs and a database. Sample page text in the figure: "Greeting! Welcome to our site, VNN Web Site on the Net. We hope that you will find everything you are looking for."


When a client machine connects to the Internet (through a LAN or a dial-up line), the user opens a web browser and types the domain name to be accessed (for example http://home.vnn.vn), sending a request to the web server. The web server examines and carries out all the requests sent by the browser, and the result is a page of "pure HTML" delivered to the browser. Everything behind the web server, such as CGI scripts and database applications, is completely transparent to the user. For a static site the web server takes information already stored on the server as directories and files and sends it back as the client requested. For a dynamic site, web programming languages such as ASP, PHP, JSP or CGI connect to and query a database.

An example: planning a business trip to Hanoi, A knows that information about the weather in Hanoi can be found at the web address "http://hanoi.vnn.vn". This address is a URI (Uniform Resource Identifier, a World Wide Web address). When A enters this URI into the browser:

1. The browser sends a request for information to the address given in the URL, using the data transfer protocol called HTTP.
2. The server holding the information determines what is needed from the URI sent by the user, and transmits the information relating to the request back to the user over the HTTP protocol.
3. Having received the server's reply, the browser presents the resulting data in a fixed format. The result itself also contains links to information elsewhere on the web, and those locations are likewise identified by URIs.

This example introduces the three structural elements of the web: locating information, exchanging it, and presenting it.

1. Locating information: every resource on the web is identified by a Uniform Resource Identifier (URI). In the example, the resource used to obtain the Hanoi weather is identified by the URI "http://hanoi.vnn.vn".
2. Exchanging information: the agents of the web (browsers, web servers, and so on) exchange information through messages, which are formed when the user makes a request or when data processing takes place. Protocols define how data is exchanged between the agents of the web; in this example the protocol is HTTP.
3. Presenting information: the messages formed when agents of the web exchange information carry data in particular formats. The format depends on the particular request; for the reply from a web server it may be HTML, XML, image data, and so on. Based on these defined formats the browser renders the data so that the user can make use of the information easily.


Lesson 3. Methods of uploading information to the web

What is FTP? FTP (File Transfer Protocol) is a standard protocol defined on the Internet. It is a client/server protocol: the client is a system (usually your computer) that sends requests to the server (the machine providing the service) or to another system (an FTP site) and receives replies from that site.

3.1. FTP from the command line

At the DOS prompt type: ftp <FTP server/host name>

where FTP server/host name is the server or host providing the FTP service at which you have registered (opened an account). FTP begins connecting to this machine; if it succeeds the user is asked to enter a login name and password, and the screen shows:

login:
password:

After the connection procedure you can run the following commands:

a) Basic commands
quit: close the connection to the remote host and stop the ftp program.
? (or help): display the list of all ftp commands.
? command (or help command): display a brief summary of the named command.

b) Connection commands
open [host]: open a connection to the specified computer ([host] is the machine name).
close: close the connection to the remote host and return to ftp.
user [name [password]]: set the user name.

c) Directory commands
cd [directory]: change to the specified directory on the remote host.
cdup: return to the root directory on the remote machine.
dir [directory] [local file]: list the specified directory on the remote machine, writing the contents to a file on the local machine.
lcd [directory]: change to a local directory.
ls [directory]: list the files in the given directory.
pwd: show the current directory on the remote machine.

d) File transfer commands
get <remote file> <local file>: fetch a file from the remote machine to the local machine.
put <local file> <remote file>: send a file from the local machine to the remote machine.
Here <remote file> is the path and name of the file on the remote host you want to fetch, and <local file> is the path and name of the file on the local machine.

To fetch or send a group of files use mput and mget; the list of names may use wildcard characters such as * and ?:
mput <files>
mget <files>

3.2. FTP file transfer with client programs

3.2.1. Some FTP client programs

WS_FTP Pro can connect to any system provided that system has a correct IP address and an FTP server application installed. It also allows files to be transferred between different operating systems, including Windows, OS/2 and UNIX.

3.2.2. Making a connection with the WS_FTP Pro client

- Before using WS_FTP Pro to transfer files you must enter the information about the site you want to connect to. This process is called creating a Site profile.
- The Site profile stores the information about the FTP site, such as the IP address, the Username and the Password you use to connect.
- To create a Site profile, follow these steps. If the Connect to Remote Host dialog is not already open in the WS_FTP Pro window, click Connect to open it.

1. In the Connect to Remote Host dialog, click Create Site. The Site Profile creation dialog appears.
2. In Name, enter the name you want to give your new site.
3. In Create In, click Browse and choose the folder you want to save your site in. To save it in the root folder, choose the Sites folder.
4. Click Next >.
5. In Host Name or IP Address, enter the address or the name of the FTP site, e.g. 203.162.1.44 or ftp.Ipswitch.com.
6. Click Next >.
7. In User ID, enter the username (the name registered when your ftp account was created).
8. In Password, enter the password of that ftp account (also registered when the account was created).
9. Select Save Password.
10. Click Finish.

When you have finished you will see your site in the folder you chose. The Site profile is now complete and you can connect to the site:

1. Select the site profile to connect to.
2. Click the Connect button. The Connect to Remote Host dialog closes and WS_FTP Pro creates an FTP connection. If the connection succeeds, the right-hand pane shows all the directories and files stored on the site you connected to; if not, the right-hand pane is empty and you should check the site profile settings.

3.2.3. Transferring files

- Once connected to the FTP site you are ready to transfer files between your computer and the site you are connected to. Transfers are of two kinds: Upload, transferring files from your computer to the FTP site, and Download, transferring files from the FTP site to your machine. Between the two large panes are two arrow buttons that control the transfer. Select a file in the right-hand pane (on the FTP site) and click the download arrow; select a file in the left-hand pane (your machine) and click the upload arrow to upload it to the current directory of the FTP site (shown in the right-hand pane).


LESSON 4. COMMON WEB SECURITY VULNERABILITIES

4.1. Security vulnerabilities of web applications

Although the considerable improvements made today cannot be denied, security problems in web applications keep growing. The causes may lie in unsuitable code or in misconfigured web servers. Many serious weaknesses or vulnerabilities let a hacker break straight in and reach the database to collect sensitive data. Many databases hold valuable information (such as personal details and financial information), which makes them a frequent target of most hackers. Although attacks that deface corporate websites still happen regularly, hackers now prefer to gain access to the sensitive data held on the database server, because of the huge profits from selling that data. Within the scenario described above, you can see how easy it is for a hacker to reach information in the database quickly with a little creativity; with more luck they may find a vulnerability arising from carelessness or user error in the web application. As noted, a website depends on a database to deliver the information users request. If the web application is not secure (if it has a vulnerability, or is subjected to some hacking technique), the whole database of sensitive information is in serious danger. Some hackers can insert malicious code into a vulnerable web application to deceive users and lead them to a phishing website. This technique is called Cross-site Scripting and can be used even when the web server itself and the database host have no vulnerability at all. A recent study showed that 75% of network attacks are carried out at the web application level.


Figure 0.1: Web security vulnerabilities

Websites and their associated web applications must be available 24/7 to serve requests from customers, staff, suppliers and many other parties. Firewalls and SSL cannot protect a web application against every hacking activity, simply because access to the website must be public so that anyone can visit it. All modern database systems (such as Microsoft SQL Server, Oracle and MySQL) can be reached through specific ports (such as ports 80 and 443); if they wished, someone could effectively connect directly to the database once they had got past the operating system's security. These ports are open to allow legitimate network traffic, and so they also form large and dangerous openings. Web applications usually access back-end data such as customer databases and control valuable data, so it is very hard for them to be absolutely secure. Access to that data is usually not possible without scripts that package and transmit it; if a hacker notices a weakness in a script, he can easily redirect traffic elsewhere and illegally obtain users' personal details piece by piece, even when the script was never intended to do that. Most web applications are home-made and therefore receive less qualified testing than comparable packaged software, so custom applications are usually easier to attack. A web application can be regarded as a gateway to the database, especially a custom application: such applications are not developed with the best level of security and do not go through the usual security tests. In general, you need to answer the questions: "Which parts of the website do we think are safe but in fact leave the door open to attack?" and "What data do we feed into an application that makes it do something it should not?".

4.2. Common web security vulnerabilities

4.2.1. Non-serious vulnerabilities

These are flaws in the web application and the web server that usually cannot be exploited, or that do not affect the website's applications much even when they can be. They are still counted and listed among the web security vulnerabilities because to a greater or lesser degree they can still be abused or affect the application and its users.

a) Passwords entered by autocomplete

Description: when a new account (username and password) is created from a form and the form is submitted (sending the name and password to the server), the browser asks whether the password should be saved. The next time the form is displayed, the full name and password are filled in automatically for login. An attacker with direct access to the computer can obtain the unencrypted password from the page's cache.
Impact: sensitive information (name and password) may be disclosed.
Fix: password autocomplete can be turned off in sensitive applications. To turn autocomplete off, code such as the following can be used:

b) Broken links

Description: a broken link leads to a document, image or web page that in fact produces the result "the page cannot be found". Sometimes the page is linked from another page but cannot be reached.
Impact: in this case no attacker can abuse the flaw, but it affects navigation of the site; broken links sometimes make users think the website does not exist or is broken and cannot be accessed.
Fix: remove the broken links, or make the documents, images and pages they point to accessible.

c) Windows Terminal Service running on the web server

Description: a Windows Terminal Service is running on the host. Terminal Services is a component of Microsoft Windows (both server and client editions) that lets users access applications and data on a remote computer. This vulnerability can be attacked with a man-in-the-middle (MITM) attack.
Impact: sensitive information may be disclosed.
Fix: restrict access to specific users and hosts.

d) Email addresses found on the web page

Description: one or more email addresses are found on the page. Spam-bots are programs that scan for email addresses on the websites they are pointed at or pass through; a spambot searches for strings that look like yourname@your_domain.com and records every email address it finds.
Impact: the address may become a victim of spam programs, or sometimes a target of phishing.
Fix: use JavaScript to obscure the mail address, and use a contact form instead of writing the email address directly.

4.2.2. Medium-level vulnerabilities

Vulnerabilities at this level also directly affect the web server or the web application server, but the likelihood of exploitation and the direct danger to the website are not yet high.

a) Anonymous FTP login

Description: the FTP server allows anonymous login, so users without an account can reach important directories of the system (such as the web root directories).
Impact: sensitive information may be lost.
Fix: if the service is not needed, turn it off; if it is needed, disable the anonymous account and assign access rights to each directory in detail.

b) Telnet service running

Description: a remote login service is running on the host. Telnet lets users log in over the network as if they were at the computer itself, and all information, including the login name and password, travels over the network as ordinary unencrypted text.
Impact: sensitive information may be lost.
Fix: if you do not use this service it is best to turn it off; if a remote control service is required, replace telnet with SSH.

c) Application error messages

Description: the web page contains error or warning messages that may reveal sensitive information such as the technology used in the web application, whether an attack attempt has succeeded, and hints for carrying out the next step of an attack. From these error messages attackers can learn how the system processes data and handles exceptions.
Impact: this is sensitive information that can be very useful to an attacker.
Fix: review the source code to limit the system's error messages, or replace them with other messages that mislead the attacker.

d) Possible sensitive directories exposed

Description: a possibly sensitive directory has been found. These directories are not linked directly from the web page; they may be backup directories for the site's data, leftover databases, administration pages or temporary directories. Each of them can help an attacker learn more about the target.
Impact: these directories may reveal information that helps a malicious user prepare an attack on the site.
Fix: restrict access to these directories or move them out of the website.

e) Possible sensitive files exposed

Description: a possibly sensitive file has been found. These files are not linked from the web page and are of sensitive kinds such as password files, configuration files, log files and static data. Each of them can be very useful to an attacker.
Impact: these files may reveal information that helps a malicious user prepare an attack on the site.
Fix: restrict access to these files or move them out of the website.

f) User credentials sent in clear text

Description: user credentials (usually the username and password) are transmitted over the network unencrypted.
Impact: a third party can read the credentials by intercepting an unencrypted HTTP connection: using network sniffing to capture the HTTP packets and then, since the user information is not encrypted, easily extracting what they need.
Fix: use an encryption method (usually SSL) to encrypt the information and user credentials while they are sent to the server.

g) Directory listing found

Description: the web application server is configured to display a list of all the files in a directory. This is not a good practice, because the directories may contain files that would normally not be exposed through links on the web pages.
Impact: a user can view the list of all files in a directory that holds sensitive information.
Fix: you must make sure that no directory contains important information and that you really want those listings exposed by the web server configuration. The simplest way to turn off directory listings is to create an index file; its name depends on the web server configuration: on Apache it is index.html, on IIS it is default.asp, default.aspx or default.htm. On IIS directory listing is turned off by default. On Apache you must edit the Apache configuration file (usually httpd.conf) or create a .htaccess file, in which you define the directory, for example:

Options Indexes FollowSymLinks ...

To turn off listing for that directory, remove the Indexes option.
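As an added illustration (not part of the course text), the same Apache Directory block in its weak form and in its corrected form; the path /var/www/html is an assumed example:

```apache
# Weak configuration: "Indexes" lets Apache generate a listing of every file
# in a directory that has no index file (assumed example path).
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>

# Corrected configuration: "Indexes" removed (stated explicitly with "-"),
# so a request for a directory without index.html gets 403 Forbidden
# instead of a file list. The same Options line works in a .htaccess file
# provided AllowOverride permits Options for that directory.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
```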

h) WebDAV (Web-based Distributed Authoring and Versioning) enabled

Description: Web-based Distributed Authoring and Versioning (WebDAV) is an IIS extension that lets users manage files (delete, edit, ...) on the web server. The vulnerability occurs in the handling of the unicode sequence %c0%af (the Unicode "/" character), which lets an attacker bypass the protection to list directories and files, read files, create files, and so on.
Impact: if WebDAV is not configured correctly it can allow remote users to modify the website's content. (On 18-05-2009 Microsoft issued an advisory about a WebDAV flaw, and on 9-06-2009 released patch MS09-020 for IIS6; the flaw allowed a remote attacker to bypass access restrictions, elevate privileges, and view, create and modify website content and directories.)
Fix: apply Microsoft's latest patches for IIS. If this extension is not used, the best course is to turn it off.

4.2.3. Serious vulnerabilities

Vulnerabilities placed at this level are highly serious and easy for an attacker to exploit. When exploited they directly affect the web server, the web application server or the website's database, and so harm the website.

a) SQL Injection

Description: most dynamic web applications today are built on a database. The databases most used today are MSSQL, MySQL and Oracle; since the cost of using Oracle is very high, most websites use MSSQL and MySQL. Most server-side scripts work largely by running queries against the database. SQL Injection is a hacker's attack that injects SQL queries into the input fields before the data is passed to the web application for processing. By injecting queries directly into the data input or into the URL in the address bar, a hacker can log in to the system without a username and password, run queries to obtain the admin account, or manipulate the website's database directly.
Impact: if the SQL Injection flaw of a vulnerable site is exploited successfully, the attacker gains the site's admin rights and can therefore change the database, edit content or delete the whole database; the hacker then fully controls the website.
Fix: validate user input before processing it. Strictly control all input received from the Request object (Request, Request.QueryString, Request.Form, Request.Cookies and Request.ServerVariables). Use a three-tier program structure to fully separate the data-access layer. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab. Remove stored procedures you do not use, such as master..xp_cmdshell, xp_startmail, xp_sendmail and sp_makewebtask. Use URL rewriting (although this only limits direct insertion of data in the URL).
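The login check the lesson describes, in its string-concatenation form beside the parameterised form, as an added example written for this page (Python with an in-memory sqlite3 table rather than the ASP/MSSQL stack the lesson names; the table, accounts and probe input are all constructed here):

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for the demonstration only.
    (Passwords are stored in clear here purely to keep the example short;
    a real application stores salted hashes.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cret!", "admin"),
        ("alice", "alicepw", "user"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """The pattern the lesson warns about: user input is pasted straight
    into the SQL text, so the input can change the query's structure."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    """Hardened form: placeholders. The values travel separately from the
    SQL text and are only ever compared as strings, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def demo():
    """Run both versions with a normal login and with the classic textbook
    input ' OR '1'='1 (constructed here), which supplies no valid password.
    The vulnerable query returns the first row (the admin account); the
    safe query returns nothing for the same input."""
    conn = make_db()
    probe = "' OR '1'='1"
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "alicepw"),
        "vulnerable_probe": login_vulnerable(conn, "nobody", probe),
        "safe_normal": login_safe(conn, "alice", "alicepw"),
        "safe_probe": login_safe(conn, "nobody", probe),
    }

if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:18} -> {row}")
```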


b) Cross Site Scripting (XSS)

Description: a vulnerability that lets an attacker send malicious code (usually written in JavaScript) to another user through links (usually links converted to a HEX form to deceive the user) or through email. Because a browser cannot tell whether a script is trustworthy, it executes the script, and when it does the attacker can obtain the cookie or hijack the user's current session.

Figure 0.2: XSS attack

Impact: an attacker can inject JavaScript, VBScript, ActiveX, HTML or Flash into an XSS-vulnerable web application to trick users into giving up the information the attacker wants; the attacker can steal cookies, take over accounts and impersonate the user.
Fix: filter the characters entered by users (both ASCII and HEX values). Users must take care before clicking on links.
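The "filter both ASCII and HEX values" fix carried out in code, as an added example (not from the course): percent-encoded input is decoded before it is checked, user text is entity-encoded for the HTML context, and user-supplied link targets are limited to http/https. The comment-rendering function and its field names are assumptions made for the example.

```python
import html
from urllib.parse import unquote, urlsplit

def decode_hex(value):
    """Undo the %XX (HEX) encoding the lesson mentions. Decoding is repeated
    so that double-encoded input such as %253C is not missed."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escape_text(value):
    """Prepare user text for an HTML body or attribute context: every
    <, >, &, " and ' becomes an entity, so it renders as text, not markup."""
    return html.escape(decode_hex(value), quote=True)

def safe_href(link):
    """Accept only absolute http/https links supplied by users; anything
    else (javascript:, data:, vbscript:, ...) is dropped. None if rejected."""
    link = decode_hex(link).strip()
    if any(c in link for c in "\x00\t\r\n"):
        return None
    if urlsplit(link).scheme.lower() not in ("http", "https"):
        return None
    return html.escape(link, quote=True)

def render_comment(author, homepage, text):
    """Build the HTML fragment for a user comment from untrusted fields
    (assumed field layout for the example)."""
    href = safe_href(homepage)
    name = escape_text(author)
    link = f'<a href="{href}">{name}</a>' if href else name
    return f"<p>{link}: {escape_text(text)}</p>"
```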

c) Cookie/session poisoning

Description: a cookie is a small reminder that a website stores on the visitor's computer in order to identify the visitor. Cookies are simple messages that the server managing a website sends on its own initiative to the browser being used to visit it, in order to track the visitor's activity on the site. The message is formatted in an HTTP header and is just a text string, which is placed in the web browser's memory; the browser then saves the cookie information to the hard disk, so that when the browser is closed and reopened the cookie can still be used. The message, a simple text string, is placed in the browser's temporary storage and the browser automatically saves all cookie information to disk. This information reflects the user's habits on the site, such as which section they like to view most, and is later sent back automatically to the site's owner. When the browser is closed the cookie remains on the machine and continues to work on later visits. From the information the cookies return, the site owner can tell what visitors are interested in and then serve suitable advertisements to sell products. Cookie/session poisoning lets an attacker insert malicious code and modify the information in a user's cookie: a proxy can be used to rewrite session data, display the cookie data, and write the ID of a different user or session into the cookie.
Impact: when a cookie/session is poisoned, the user's information in the cookie can be viewed and changed.
Fix: do not store passwords in plain text or with weak encryption in cookies. Enforce an expiry time for cookies. Authentication that uses cookies must be bound to an IP address. Make logout effective (remove all cookies if the interaction with the website is important).
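The four fixes listed above (no password in the cookie, enforced expiry, binding to an IP address, effective logout) implemented together in an added example that is not from the course: the session cookie carries only a signed payload, and the server rejects it when the payload has been rewritten, has expired, or is presented from another address. The secret key, cookie name and header layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side secret for the example; in production it is generated
# randomly, kept out of source control and rotated.
SECRET_KEY = b"example-only-change-me"

def _mac(body):
    return hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()

def issue_cookie(user_id, client_ip, ttl_seconds, now=None):
    """Create a session cookie value: base64(JSON payload) + "." + HMAC.
    The payload carries the user id, the client IP it is bound to and an
    absolute expiry time; no password goes into the cookie at all."""
    now = int(time.time()) if now is None else now
    payload = {"uid": user_id, "ip": client_ip, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode("utf-8")).decode("ascii")
    return body + "." + _mac(body)

def verify_cookie(cookie, client_ip, now=None):
    """Return the user id if the cookie is intact, unexpired and presented
    from the bound IP; otherwise None (treat the visitor as logged out)."""
    now = int(time.time()) if now is None else now
    try:
        body, mac = cookie.rsplit(".", 1)
        if not hmac.compare_digest(mac, _mac(body)):
            return None  # payload altered or MAC forged
        payload = json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
    except (ValueError, TypeError):
        return None  # malformed cookie
    if payload.get("exp", 0) < now:
        return None  # expiry enforced server-side, not only via Max-Age
    if payload.get("ip") != client_ip:
        return None  # presented from a different address than it was issued to
    return payload.get("uid")

def set_cookie_header(cookie, ttl_seconds):
    """Response header that also limits what the browser does with the cookie:
    HttpOnly keeps it away from page scripts, Secure keeps it off plain HTTP."""
    return ("Set-Cookie: session=%s; Max-Age=%d; Path=/; HttpOnly; Secure; SameSite=Lax"
            % (cookie, ttl_seconds))

def logout_header():
    """Effective logout: expire the cookie immediately on the client."""
    return "Set-Cookie: session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"

def rewrite_payload_keep_mac(cookie, new_uid):
    """Simulate the proxy rewrite the lesson describes (change the uid but
    keep the old MAC) so that the verifier's rejection can be checked."""
    body, mac = cookie.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
    payload["uid"] = new_uid
    new_body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode("utf-8")).decode("ascii")
    return new_body + "." + mac
```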


d) Directory Traversal

Description: Directory Traversal, also known as Path Traversal, dot-dot-slash, Directory Climbing and Backtracking, is a vulnerability that lets an attacker reach files and directories stored outside the web root. This form of attack needs no tool: it simply manipulates variables with ../ (dot-dot-slash) to reach files and directories, including source code and system files. To recognise whether the flaw can be exploited, attackers usually study the results returned by a spider or crawler. (Spiders and crawlers are search robots, designed to collect Internet resources such as web pages, images, video, Word, PDF or PostScript documents so that a search engine can index them. To index web resources, each robot follows the links it finds from a central page; each page visited is then recorded and assigned a re-indexing frequency according to how often it is updated.)
Impact: from the website's error messages the attacker learns the real path on the web server, and can then combine it with ../ (dot-dot-slash) to reach important files of the site such as the database and configuration files. Note that Path Traversal does not only occur in GET variables; it can also appear in POST methods or in COOKIE variables.
Fix: define and assign permissions for the access areas on the website. Use a filter to screen user input. Apply patches for the web server.
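The "filter user input" fix written out, as an added example (not from the course): a user-supplied path is percent-decoded, normalised and required to stay inside the document root, and the same check is applied whether the value arrived in the query string, the form body or a cookie, as the lesson notes. The document root and the request layout are assumptions for the example.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"  # assumed example document root

def _decode(value):
    """Decode %XX sequences repeatedly so that encoded or double-encoded
    ../ (e.g. %2e%2e%2f, %252e%252e%252f) is seen for what it is."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_under_root(user_path, root=WEBROOT):
    """Map a user-supplied path onto the document root. Returns the final
    absolute path, or None if the request would land outside the root."""
    path = _decode(user_path)
    if "\x00" in path:
        return None  # NUL-byte truncation trick
    path = path.replace("\\", "/").lstrip("/")  # treat every input as relative
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, path))  # collapses ..
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

def file_parameter_from_request(request, name="file"):
    """Traversal can arrive in GET, POST or COOKIE data, so the same check is
    applied wherever the parameter is found. `request` is a constructed dict
    with optional 'query', 'form' and 'cookies' sub-dicts (assumed layout).
    Returns (source, resolved path or None), or (None, None) if absent."""
    for source in ("query", "form", "cookies"):
        value = request.get(source, {}).get(name)
        if value is not None:
            return source, resolve_under_root(value)
    return None, None
```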

e) MySQL Enterprise Server v.5.0.52 contains many vulnerabilities

Description: MySQL Enterprise Server is affected by many security vulnerabilities, because the version is old and harbours many flaws.
Impact: the database system is directly affected, and an attacker may gain access to the server.
Fix: install the patches, but best of all upgrade to the latest version.

f) Use of SSL2

Description: the traffic of the remote access service is encrypted using an old protocol, SSL2, which has many weaknesses and flaws.
Impact: an attacker can exploit this with an MITM attack or by decrypting the data between the server and its clients.
Fix: use SSL3 or TLS1 instead of SSL2.

g) DNS Zone Transfer

Description: DNS (Domain Name System) is the system that manages the mapping between the addresses of computers on the Internet and their names. On the Internet every computer is assigned a unique address, usually called the IP address (IP stands for Internet Protocol, the protocol that governs the exchange of communication between two computers on the Internet). IP addresses are long and hard to remember, suited to computers rather than to human memory (which can usually hold at most 7 digits at a time), so each computer is given an easy-to-remember name, such as www.vnexpress.net, www.yahoo.com or www.tuoitre.com.vn, and the DNS system is used to map these names to their real IP addresses. A Zone Transfer takes place between the primary DNS server and the secondary DNS servers. Primary DNS servers authoritative for particular domains hold the DNS zone files, which can be written and updated when needed; secondary DNS servers receive a read-only copy of these zone files from the primary. Secondary servers are used to increase DNS query capacity within an organisation or on the Internet. However, zone transfers are not limited to secondary DNS servers: anyone can run a DNS query against a DNS server configured to allow zone transfers and dump the whole zone database. A malicious user can use this information to probe the naming scheme within the company and obtain a list of all hosts in your domain, and from there attack key infrastructure services.
Impact: sensitive information may be disclosed.
Fix: you can prevent this by configuring the DNS server to refuse zone transfer requests, or to allow zone transfers only for requests from certain specified servers.


LESSON 5. WEB SERVER ADMINISTRATION ON WINDOWS SERVER 2003

5.1. The HTTP protocol

HTTP is the protocol that lets a web browser and a web server communicate with each other. HTTP began as a simple protocol, like the other standard Internet protocols: control information is transmitted as raw text over a TCP connection. An HTTP connection can therefore be replaced by the standard telnet command, for example:

-> telnet www.extropia 80
GET /index.html HTTP/1.0
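The request/response exchange described in section 2.3 and typed by hand above, as an added example (not from the course): the request is built as the same plain text, and a constructed sample reply is parsed into status, headers and body so the parser runs offline. The fetch() helper, which opens a real TCP connection, is an assumption for readers who want to try it against a server of their own.

```python
import socket

def build_get_request(host, path="/", version="HTTP/1.0"):
    """The same text one would type into telnet: a request line, headers,
    and a blank line that ends the header block (CRLF line endings)."""
    lines = [f"GET {path} {version}", f"Host: {host}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(raw):
    """Split a raw HTTP response into (status code, reason, headers, body).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, reason, headers, body

def fetch(host, port=80, path="/", timeout=5.0):
    """Perform the exchange over a real TCP socket (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_get_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))

# Constructed sample reply so the parser can be exercised offline. The
# Server header is the kind of detail lesson 4.2.2(c) says reveals the
# technology in use.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"Hello"
)

if __name__ == "__main__":
    print(build_get_request("www.extropia", "/index.html").decode("ascii"))
    print(parse_response(SAMPLE_RESPONSE))
```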