
HONG

Eng. Nguyen Ngoc Quan

XSS (cross-site scripting) is a web-application vulnerability through which an end user can be attacked by injecting HTML tags or dangerous script fragments into dynamic websites (ASP, PHP, CGI, JSP, ...). XSS vulnerabilities have existed for a long time, but current attack scenarios can still be carried out, and new kinds of attack may appear in the future.

This article presents a study of the dangers of XSS vulnerabilities, how the vulnerabilities are exploited, and measures for countering XSS attacks.

INTRODUCTION

With the arrival of dynamic web development technology, and the ever wider use of web applications, the web has acquired more vulnerabilities. Cross-site scripting (abbreviated CSS or XSS) is a code-injection vulnerability found in web applications, in which malicious code is mixed into the payload as input variables. When a user visits an infected web application, the malicious code is echoed back to the user's browser. The injected code can read, modify and transmit sensitive data that is accessible through the browser, such as cookies and session tokens.

Figure 1: Reflected (non-persistent) XSS attack.

TYPES OF XSS ATTACK

XSS vulnerabilities exist on many different websites and web applications, but in general they can be grouped into three common types of XSS attack: non-persistent or reflected attacks (Non-Persistent or Reflected Vulnerability), stored XSS attacks (Stored or Persistent Vulnerability), and DOM-based or local XSS (DOM-based XSS or Local XSS).

Reflected or non-persistent XSS attacks

Non-persistent attacks (Figure 1) occur when data supplied by a web client is used immediately by a server-side script to generate a result page for that user. If the user-supplied data is not validated and is included in the result page without HTML encoding, client-side code can be injected into the page. The injected code may be reflected off the web server in a search result or an error message, or in any other response that includes part of the input sent to the server as part of the request. Reflected attacks can be delivered to the user by another route, such as a notification e-mail, or possibly via some other web server. When a user is tricked into clicking a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the victim's browser. The browser then executes the code because it came from a genuine server.

Attacks based on stored XSS vulnerabilities

Attacks based on stored XSS vulnerabilities (Figure 2) enable the most powerful attacks: the malicious code is sent to a website, where it is stored for some period of time (in a database, a file system, or anywhere else) and later displayed to users in a web page without being encoded with HTML entities (for example an online message board where users are allowed to post HTML-formatted messages that other users can read).

Figure 2: Attack based on stored XSS vulnerabilities.

44 | TAP CHI CNTT&TT KY 1 (6.2014)

Figure 3: DOM-based or Local XSS attack.

DOM-based attacks

In DOM-based (Document Object Model) or Local XSS (Figure 3), the attacker's data is injected on the client side, from within some page served by the web server. For example, a piece of JavaScript may read the parameters of the request URL and write some HTML into its own page. If that information is used without being encoded with HTML entities, an XSS vulnerability can arise when the text is re-rendered by the browser's HTML parser and can thereby include additional client-side script.

ATTACKS THAT EXPLOIT XSS

Data on Android has many vulnerabilities

The vulnerability described here exists in the Android 2.2 framework. It can be exploited to access files stored on the SD card of devices running Android. The Android browser does not prompt the user when downloading a file; for example, a file "payload.html" is downloaded automatically to /sdcard/download/payload.html. JavaScript can then be used to open the "payload" file automatically, because the browser renders local files and so offers a way to reach the SD card and the files stored on it.

It can then send the contents of the accessed files back to the vulnerable web page. The exploit simply uses JavaScript and redirection, so it works on many handheld devices and different versions of Android. It does have some limitations, such as requiring the name and path of the accessed file to be known in advance. Because it is not a root vulnerability, it cannot reach all files, only those stored on the SD card.

Skype's modified URI scheme and the embedded WebKit browser on iOS

This vulnerability exists in the iOS framework. It can be exploited by an attacker to access the user's SQLite Address Book database and also to place calls directly through Skype. The Skype application for iOS uses a locally stored HTML file to display chat messages from other Skype users, but it fails to encode the "Full Name" of incoming users. This allows an attacker to execute malicious JavaScript when the victim views the message.

The issue is that the exploit runs through the embedded WebKit browser. In addition, Skype's developers set the URI scheme of the embedded browser to "file://", which lets an attacker reach the file system and read any file accessible to the sandboxed iOS application.

In the future, third-party applications need to be restricted from performing actions triggered by a URL. Likewise, the URI scheme lets web pages embed an iframe that forces Skype to open (if it is installed) and call a specific phone number, for example:

<iframe src="skype://1900expensivepremiumnumber?call"></iframe>

HTML5 APIs for cross-domain calls

This vulnerability can only be exploited on Windows systems. HTML5 has two APIs for making cross-domain calls: Cross-Origin Requests and WebSockets. Using them, JavaScript can create connections to any IP address or port (other than blocked ports), which makes them an ideal vehicle for port-scanning attacks. The APIs can be exploited to determine whether the port being connected to is open, closed or filtered. This is done with the help of two properties: 'readyState' (which gives the state of the connection at a given moment) and the 'time duration' for which each 'readyState' is held before reaching its final value.

So by observing the differences in behaviour, the nature of the port can be determined. Because this works at the application level, a successful scan also depends on the nature of the application running on the target port. When a request is sent to an application, it reads the request and leaves the socket in the open state, possibly expecting one or more inputs in a specific format. If the target is running such an application, the port's state cannot be determined. The technique can be extended to perform network-scanning functions and to discover internal IP addresses.

HTML5 history handling for AJAX

HTML5 has a feature that lets users visit different web pages, and link to a page, without changing the URL. It is implemented with the help of the window.history.pushState() function. It was created so that AJAX web pages can easily modify the window's address bar and history. It is a great and convenient feature for developers: for example, AJAX applications can easily support the back and forward buttons without needing the URI fragment identifier (#). But it can also be exploited on a website with an XSS vulnerability, because it lets the attacker redirect the user to any link without changing the URL in the address bar.

Access to the WScript ActiveX control in the IE browser

The security settings in the IE (Internet ... WScript through scripting languages such as JavaScript and VBScript. The sample applications show how to use the "WScript.Shell" ActiveX object to interact with the client machine. With control of it, one can run commands as from a shell prompt without any notice to the user. Through the Shell one can also create, delete and modify text files via WScript.FileSystemObject. IE7 introduced a new security control called "access data sources across domains", which by default is now set to prompt the user whether to allow your script to talk to other "domains" (it treats the file system as a separate domain), but one can write a script file directly to disk and then execute it.

The File API in HTML5

This vulnerability is currently present in WebKit (the latest Google Chrome) and can be exploited to turn the Google Chrome browser into a file server. The File API in HTML5 lets JavaScript access files once they have been selected by the user (that is, before they are uploaded). Besides giving a better file-upload experience, it can also be used maliciously, for example to steal your files in an XSS attack. With a clever approach one can hide the input type=file control so that the user has no idea that files are being uploaded. In that case only the files the user selects in the 'Open File' dialog can be accessed. However, the directory variant of input type=file is a great feature that lets the user upload the contents of a selected folder, so an attacker could gain access to the entire folder.

XSS mapping

While collecting data for its Views, Google recorded the wireless networks in the vicinity and the physical (MAC) addresses of routers, then mapped them to GPS coordinates. Here an XSS exploit can be used to map the user's location.

The XSS exploit can obtain the physical (MAC) address of the target router and then use Google Maps to determine the GPS position. A malicious page you are visiting can perform an XSS to exploit this and recover GPS coordinates from Google Maps. Routers and web browsers themselves contain no geolocation/GPS data. It works through router XSS, which obtains the router's MAC address via AJAX. The MAC address is then sent to the attacker, who passes it to Google's location service, from which the user's approximate coordinates can be learned.

NAT PINNING - IRC over HTTP

In an XSS attack, a web page forces the user's router or firewall to forward any port number to the user's machine through network address translation (NAT). When the victim clicks an XSS-vulnerable URL containing a hidden form that connects to http://attacker.com:6667 (the IRC port), the user submits the form without knowing it. An HTTP connection is created to the attacker's IRC server (a fake one), which simply listens. The victim's router sees an "IRC connection" (even though its client is speaking HTTP) and an attempt at a 'DCC Chat'. Direct Client-to-Client (DCC) is a small IRC protocol that allows files to be exchanged and conversations to be held without relaying, by letting peers connect directly and using an IRC server only for the handshake signalling. DCC Chat requires a local port to be opened on the workstation, to which the connection is made back. Since the router intercepts all connections from inside, it decides to forward traffic for the DCC Chat port back to the victim's machine, allowing NAT traversal so that the attacker can connect back and chat with the victim. However, the attacker specifies the port: for example port 21 (FTP), so the router forwards port 21 back into the victim's internal system. The attacker then has a clear path to connect to the victim on port 21 and launch an attack.

Browser exploits

Anyone can exploit the browser application stack and run shellcode or open a Meterpreter session by using memory-corruption bugs related to XSS vulnerabilities. Other vulnerabilities can also return a Meterpreter session without attacking the application stack directly. For example, a signed Java applet can be used to download malicious code and run an exe file.

XSS REMEDIATION

Today web applications are widely deployed to provide all kinds of online services. At the same time, application vulnerabilities are being discovered and published at an alarming rate. Around the world, web security can easily be breached. Security has therefore become mandatory in order to protect users from attacks. Various measures can be applied to avoid becoming a victim of XSS. The prevention mechanisms (XSS Cheat Sheet - OWASP, 2013) can be implemented on the server side or on the client side.

Server protection

To protect against XSS vulnerabilities, the following measures can be implemented by developers on the server side. The basic recommendations are:

- Do not place too much trust in what the user's requests supply to the server (including cookies);
- Users should be validated and authenticated before being allowed access;
- Cookies can be protected by restricting the domains and paths that accept them, setting them HttpOnly, using SSL, and never storing secret data in cookies;
- Script use from client pages can be safely disabled.
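The cookie recommendations above as a small Node.js example (added here, not code from the article): it builds a hardened Set-Cookie header and audits response headers for the attributes the article names. Function and parameter names and the sample headers are constructed for this example.

```javascript
// Added example, not from the article: the cookie hardening recommended above
// (restrict Path, HttpOnly, SSL only, no secrets in cookies) as a Set-Cookie
// builder plus an audit that flags weak Set-Cookie headers in a response.
// Parameter names and the sample headers are constructed for this example.

// Build a Set-Cookie value for a session cookie. The value is an opaque
// session id: secret data itself must never be stored in the cookie.
function buildSessionCookie(name, sessionId, path, domain) {
  const parts = [`${name}=${encodeURIComponent(sessionId)}`, `Path=${path}`];
  // A Domain attribute widens the cookie to subdomains; omitting it keeps
  // the cookie host-only, which is the tighter choice.
  if (domain) parts.push(`Domain=${domain}`);
  parts.push('Secure');    // sent only over SSL/TLS
  parts.push('HttpOnly');  // invisible to document.cookie, so script
                           // injected by XSS cannot read it
  parts.push('SameSite=Lax');
  return parts.join('; ');
}

// Parse one Set-Cookie value into the cookie name and its attributes
// (attribute names lower-cased; flag attributes map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return { name: pair.split('=')[0], attributes };
}

// Audit a Set-Cookie header; returns a list of findings (empty = hardened).
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (attributes.httponly !== true) findings.push(`${name}: missing HttpOnly`);
  if (attributes.secure !== true) findings.push(`${name}: missing Secure`);
  if (!attributes.path || attributes.path === '/') {
    findings.push(`${name}: Path not restricted`);
  }
  return findings;
}

// Constructed sample headers: a weak cookie and a hardened one.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/',
  buildSessionCookie('session', 'abc123', '/account'),
];
```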

Content Security Policy headers can also be used to secure against exploitation of XSS vulnerabilities. In addition, HTML, JavaScript, CSS and URL control characters should be properly encoded to make them harmless before they are displayed in the browser. Use filters to clean user input: filter_sanitize_encoded (URL encoding), htmlentities (HTML filtering), filter_sanitize_magic_quotes (applies addslashes()). These filters keep watch over user input, check the inputs for JavaScript or HTTP POST content, and then prevent scripts from being executed. Some ready-made security libraries can also be used to encode user input, such as the OWASP Encoding Project on Google Code, the HTML filter htmLawed or the PHP Anti-XSS class, and the AntiSamy API for .NET applications.
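Context-aware output encoding, as recommended in the paragraph above, applied to the DOM-based XSS pattern described earlier on the page (a script reads a URL parameter and writes HTML into its own page). This is an added Node.js example, not code from the article or from the OWASP libraries it names; the element stand-in and the sample query string are constructed.

```javascript
// Added example, not from the article: output encoding per context (HTML,
// JavaScript string, URL), the remedy recommended above, applied to the
// DOM-based XSS pattern described earlier (script reads a URL parameter and
// writes HTML into its own page). Runs under Node: the "element" is a
// constructed stand-in for a DOM node and the sample query string is constructed.

// HTML body/attribute context: the characters that can end text or a quoted
// attribute become entities, so injected markup is displayed, not parsed.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                        '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript string-literal context: every non-alphanumeric character
// becomes \xHH or \uHHHH, so neither quotes nor "</script>" survive.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Stand-in for a DOM element: only records what was assigned to innerHTML.
function makeElement() {
  return { innerHTML: '' };
}

// Read ?name=... from the query string and render a greeting into `el`.
// safe=false is the vulnerable pattern (raw parameter concatenated into
// HTML); safe=true encodes the value before it reaches the innerHTML sink.
function renderGreeting(search, el, safe) {
  const name = new URLSearchParams(search).get('name') || 'guest';
  el.innerHTML = '<h1>Hello ' + (safe ? encodeHtml(name) : name) + '</h1>';
  return el.innerHTML;
}

// Constructed sample request: the parameter carries a script tag.
const SAMPLE_SEARCH = '?name=' + encodeUrlParam('<script>x()</script>');
```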


Endpoint protection

Users can take preventive steps to avoid becoming XSS victims by installing browser extensions or using XSS filters that block script execution. Examples of such extensions include NoScript for Firefox and NotScripts for Chrome and Opera, while IE 8 already ships with such add-ons.

CONCLUSION

Today web applications have become an indispensable part of our lives. But these websites often contain many vulnerabilities and are easy to attack. Among them, XSS is one of the vulnerabilities behind the predominant code-injection attacks and serves as a basis for very powerful exploitation of other vulnerabilities. It can be ... even more serious attacks. A protection mechanism on the server or the client is therefore needed to limit XSS attacks.

References

[1] http://santoshdudhade.blogspot.in/2012/07/xssf-v22-cross-site-scripting-framework.html
[2] ABRAHAM, A., Detecting and Exploiting XSS with Xenotix XSS Exploit Framework, 2012.
[3] CANNON, T., Android Data Stealing Vulnerability, November 23, thomascannon.net.
[4] Cross-site Scripting (XSS) - OWASP (n.d.), retrieved February 2013, from www.owasp.org.
[5] KUMAR, M., iPhone Skype XSS Vulnerability Lets Hackers Steal Phonebook, November 2011.
