Defense in Depth, Web Inkognito 12/2013 (transcript)
DEFENSE IN DEPTH: A thousand and one tips for web security
The slides are without my notes, so they don't make much sense to anyone who wasn't at the seminar.
Michal Špaček @spazef0rze www.michalspacek.cz
Web Inkognito, VŠE @iz228, December 2013
October 2013
3 million cards + 38 million accounts. Or 150 million?
Source code
Michal Špaček www.michalspacek.cz
| # | Count | Ciphertext | Plaintext |
|---|---|---|---|
| 1 | 1911938 | EQ7fIpT7i/Q= | 123456 |
| 2 | 446162 | j9p+HwtWWT86aMjgZFLzYg== | 123456789 |
| 3 | 345834 | L8qbAD3jl3jioxG6CatHBw== | password |
| 4 | 211659 | BB4e6X+b2xLioxG6CatHBw== | adobe123 |
| 5 | 201580 | j9p+HwtWWT/ioxG6CatHBw== | 12345678 |
| 6 | 130832 | 5djv7ZCI2ws= | qwerty |
| 7 | 124253 | dQi0asWPYvQ= | 1234567 |
| 8 | 113884 | 7LqYzKVeq8I= | 111111 |
| 9 | 83411 | PMDTbP0LZxu03SwrFUvYGA== | photoshop |
| 10 | 82694 | e6MPXQ5G6a8= | 123123 |

Source: http://stricture-group.com/files/adobe-top100.txt
Source: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
Passwords badly encrypted
Passwords in the password hints, in readable form
LOL
SQL Injection
The attacker modifies the SQL query
```php
"… WHERE znacka = '{$_GET['znacka']}'"
```
```php
'… WHERE id = ' . $_GET['id']
```
```
' OR 1=1; --
```
```sql
SELECT jmeno, adresa FROM vozidla
WHERE rz = '$prectena';
```
```sql
SELECT jmeno, adresa FROM vozidla
WHERE rz = '1AM 1337';
```
Input: `1AM 1337`
```sql
SELECT jmeno, adresa
FROM vozidla
WHERE rz = '' OR 1=1;
--';
```
Input: `' OR 1=1; --`
Solution?
Prepared statements (PDO)
```sql
SELECT jmeno, adresa
FROM vozidla
WHERE rz = ?;
```
Input: `' OR 1=1; --`
```php
mysql_set_charset()
mysql_real_escape_string()
```
Don't use `addslashes()` against SQLIA (SQL injection attacks)
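The two lookups from the slides side by side, as an added example that is not part of the original talk: the interpolated query and the PDO prepared statement, run with the same inputs against a constructed in-memory SQLite table named `vozidla` (the talk's examples use MySQL; the helper names `lookupVulnerable` and `lookupPrepared` and the sample rows are mine).

```php
<?php
// Added example (not from the slides). Needs the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE vozidla (rz TEXT, jmeno TEXT, adresa TEXT)');
// Constructed sample rows, not real registrations.
$pdo->exec("INSERT INTO vozidla VALUES ('1AM 1337', 'Jan Novák', 'Praha'),
                                       ('2BC 4242', 'Eva Dvořáková', 'Brno')");

// Vulnerable: the value is pasted into the SQL text, so a quote in the
// input ends the string literal and whatever follows is parsed as SQL.
function lookupVulnerable(PDO $pdo, string $rz): array
{
    $sql = "SELECT jmeno, adresa FROM vozidla WHERE rz = '$rz'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a prepared statement sends the SQL and the value separately;
// the value is only ever compared with rz and cannot change the query.
function lookupPrepared(PDO $pdo, string $rz): array
{
    $stmt = $pdo->prepare('SELECT jmeno, adresa FROM vozidla WHERE rz = ?');
    $stmt->execute([$rz]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = '1AM 1337';
$hostile = "' OR 1=1; --";   // the input shown on the slides

// The interpolated query matches the one registration for the normal
// input but every row for the hostile one; the prepared statement
// matches one row and no row respectively, because no registration is
// literally "' OR 1=1; --".
foreach (['vulnerable' => 'lookupVulnerable', 'prepared' => 'lookupPrepared'] as $label => $fn) {
    printf("%-10s normal input:  %d row(s)\n", $label, count($fn($pdo, $normal)));
    printf("%-10s hostile input: %d row(s)\n", $label, count($fn($pdo, $hostile)));
}
```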
Defense in Depth Fail = SQL Injection + badly stored passwords
323 logins + SHA-1 password hashes
crackstation.net
crackstation.net
111 cracked passwords
exoddus
Tbvfs1
9plams
P1ll3d
Neznašov
111 cracked passwords
52 of them for logins …@seznam.cz
52 logins …@seznam.cz
How many of them are the same passwords as on Seznam?
Source: http://www.flickr.com/photos/77939791@N00/5721058729/
…@email.cz: 2 of 8
…@centrum.cz: 3 of 9
…@gmail.com: 1 of 15
hashcat
164 more cracked passwords
164 more cracked passwords
2 also used for the mailbox
in readable form (in plaintext)
MD5(password)
SHA1(password)
CRC32(password)
Source: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(MD5(password))))))))))))))))))))))))))))))))
Source: http://www.flickr.com/photos/92154034@N00/440515255/
MD5(password + salt)
SHA1(password + salt)
bcrypt!
Blowfish hashing
`crypt()` with salt `$2y$…`
`password_hash()`
`password_verify()`
scrypt
PBKDF2
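An added example, not from the slides, of the recommended approach in PHP 5.5+: `password_hash()` and `password_verify()` with bcrypt, next to the unsalted MD5 and SHA-1 shown above. The sample password, the helper names `checkLogin` and `maybeRehash`, and the cost of 12 are my choices.

```php
<?php
// Added example (not from the slides). Constructed sample password; in a
// real application it arrives from the login form.
$password = 'correct horse battery staple';

// Unsalted fast hashes, as in the breached dumps: every user with this
// password gets the identical value, so one crack covers all of them,
// and a GPU tries billions of candidates per second against MD5/SHA-1.
$md5  = md5($password);
$sha1 = sha1($password);

// bcrypt via password_hash(): a random salt is generated and stored
// inside the result (the "$2y$12$" prefix is the crypt() format from the
// slide), and the cost parameter makes every guess deliberately slow.
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
// $hash1 and $hash2 differ although the password is the same, because
// each call drew a fresh salt; both still verify below.

// Verification: the salt and cost are read from the stored hash itself,
// so only the hash column needs to be kept.
function checkLogin(string $storedHash, string $candidate): bool
{
    return password_verify($candidate, $storedHash);
}

// When the cost is raised later (or the algorithm changes), upgrade the
// stored hash on the next successful login instead of forcing a reset.
function maybeRehash(string $storedHash, string $candidate): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        return password_hash($candidate, PASSWORD_BCRYPT, ['cost' => 12]);
    }
    return null;   // already hashed with the current parameters
}

echo "md5:    $md5\n", "sha1:   $sha1\n", "bcrypt: $hash1\n", "bcrypt: $hash2\n";
var_dump(checkLogin($hash1, $password));      // the right password verifies
var_dump(checkLogin($hash2, 'password'));     // a wrong one is rejected
var_dump(maybeRehash($hash1, $password));     // no rehash needed at cost 12
```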
Source: http://www.flickr.com/photos/40852961@N04/5439723004/
Source: http://www.flickr.com/photos/59730822@N08/5701097734/
Source: http://www.flickr.com/photos/reidrac/4696900602/
Cross-Site Scripting (XSS)
The attacker inserts their own HTML or JS code into our page
Solution?
```php
htmlspecialchars($string)
```
```php
htmlspecialchars($string, ENT_QUOTES)
```
Don't use `strip_tags()` against XSS
Cross-Site Scripting
```
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
```
X-XSS-Protection support: IE 8+, Chrome, Safari 4+
HTTP-Only cookies
```
session.cookie_httponly: true
session.cookie_secure: true
```
HttpOnly flag support: IE 6 SP1+ and all other browsers
Content-Security-Policy
```
default-src 'none'
script-src 'unsafe-inline'
script-src ajax.googleapis.com
```
Content-Security-Policy header names by browser:
- Firefox 4+: `X-Content-Security-Policy`
- Chrome 25+, Firefox 23+, Opera 15+: `Content-Security-Policy`
- IE 10+: `X-Content-Security-Policy`
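The XSS layers from the last few slides combined in one script, as an added example that is not from the talk: `htmlspecialchars()` with ENT_QUOTES for output, and on top of it the HttpOnly/Secure session cookie, `X-XSS-Protection` and the Content-Security-Policy headers. The helper names `e()` and `sendDefenses()` and the sample value are mine; the script host `ajax.googleapis.com` is the one from the slide, and the site is assumed to be served over HTTPS.

```php
<?php
// Added example (not from the slides). Helper names and sample value are
// constructed; the CSP host is the one shown in the talk.

// First layer: escape on output. ENT_QUOTES matters because without it
// a single quote is left alone, so a value placed inside a single-quoted
// attribute could still end that attribute. ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Further layers, sent before any output. Each one limits the damage if
// an escaping bug slips through somewhere in the application.
function sendDefenses(): void
{
    // Session cookie: not readable from JavaScript, sent only over HTTPS
    // (assumes the site runs on HTTPS, otherwise the cookie never arrives).
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    session_start();

    // Reflected-XSS filter of IE 8+, Chrome and Safari 4+ (as of 2013).
    header('X-XSS-Protection: 1; mode=block');

    // CSP: load nothing by default, allow scripts only from the listed
    // host, and no inline scripts, so an injected <script> block is not run.
    $policy = "default-src 'none'; script-src ajax.googleapis.com";
    header('Content-Security-Policy: ' . $policy);    // Chrome 25+, Firefox 23+, Opera 15+
    header('X-Content-Security-Policy: ' . $policy);  // Firefox 4+, IE 10+
}

sendDefenses();

// Constructed sample value with both kinds of quote and no tags at all.
$untrusted = 'O\'Neil "1AM 1337"';

// strip_tags() only removes things that look like tags; this value has
// none, so it comes back unchanged, quotes included. That is why it does
// not protect a value that ends up inside an HTML attribute.
$stripped = strip_tags($untrusted);
// e() turns ", ', < and > into entities, so the value stays inside the
// attribute whatever it contains.
$escaped = e($untrusted);

echo '<p>strip_tags left: ' . e($stripped) . "</p>\n";
echo '<input value="' . $escaped . '">' . "\n";
```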
Evil attackers will attack your application too.
Are you ready?