Computer Security
NTU CSIE CSCAMP-2019
About me
- James@M30W
- NTU CSIE
- Baby Pwner
- github : https://github.com/jwang-a
What is Computer Security?
CIA
Confidentiality
Things don't get exposed
- password
- messages
Integrity
Things don't get modified
- bank account balance
Availability
Things / Service are accessible
- stock market
- github server
Web Security
Overview
What is web
Client : the website you see
- HTML
- CSS
- javascript
Server : things going on behind
- database
- authentication
- php/ruby/python/nodejs (basically no limits)
request : client -> server
response : server -> client
How do webs work?
URL
<scheme>://<netloc>/<path>?<query>
https://M30W.tw/search?q=ctf
https : Hypertext Transfer Protocol Secure
- defines the methods of communication
- s stands for secure(?)
- still vulnerable to phishing/MitM attacks under certain scenarios
M30W.tw : domain name
- used to identify the server location
- DNS translates the domain name to an IP address
search : path of the document
- the location of the file you requested on the server
q=ctf : purpose of the request
- what you want the server to do for you
- in the example, q=ctf means query for ctf
HTTP methods
the two most common methods are
GET :
- request data from the server
- parameters are shown in the URL
POST :
- send data to the server
- parameters are NOT shown in the URL
- commonly used in login / file upload
Other stuff worth knowing
HTTP request header
GET /query?q=ctf HTTP/1.1
Host: M30W.tw
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;
Connection: keep-alive
HTTP response header
HTTP/1.1 200 OK
Date: Sat, 23 March 2019 20:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Sat, 23 March 2019 21:00:00 GMT
ETag: "69fe-56ce289380252"
Accept-Ranges: bytes
Content-Length: 27134
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain
status codes
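As an added example (not from the slides): a small Python parser for the request and response shown above, returning method, path, query parameters, status code and a header map. The sample messages are constructed to match the slide text, and the wrapped User-Agent line is handled as a folded continuation line.

```python
from urllib.parse import urlsplit, parse_qs

def parse_headers(lines):
    """Parse 'Name: value' lines into a dict (names lower-cased, since header
    names are case-insensitive). A line starting with whitespace continues
    the previous header (obsolete line folding, as in the wrapped User-Agent)."""
    headers, last = {}, None
    for line in lines:
        if not line.strip():
            break                           # blank line ends the header block
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers

def parse_request(raw):
    lines = raw.splitlines()
    method, target, version = lines[0].split(" ", 2)
    parts = urlsplit(target)                # target is '/path?query', no scheme/netloc
    return {"method": method, "version": version,
            "path": parts.path, "query": parse_qs(parts.query),
            "headers": parse_headers(lines[1:])}

def parse_response(raw):
    lines = raw.splitlines()
    version, code, reason = lines[0].split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": parse_headers(lines[1:])}

# Constructed sample messages with the fields shown on the slides.
REQUEST = ("GET /query?q=ctf HTTP/1.1\r\n"
           "Host: M30W.tw\r\n"
           "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0)\r\n"
           " Gecko/20100101 Firefox/56.0\r\n"
           "Connection: keep-alive\r\n\r\n")
RESPONSE = ("HTTP/1.1 200 OK\r\n"
            "Server: Apache/2.4.18 (Ubuntu)\r\n"
            "Content-Type: text/plain\r\n\r\n")

if __name__ == "__main__":
    print(parse_request(REQUEST))
    print(parse_response(RESPONSE))
```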
Other stuff worth knowing
HTTP vs HTTPS
Other stuff worth knowing
Cookie
What is a cookie
Logged in ... or not?
- HTTP is stateless
- Need to somehow maintain information about the client
- Store a piece of string in the client browser
- commonly used in identity/login checks
Where to find cookies
- Right Click -> Inspect -> Application -> Cookies
- HTTP request headers
Lab 1
Welcome to M30W
All problems can be found at 139.162.125.106:4000
Javascript
What if client wants to run something?
What is javascript
- Focus on client side javascript now (neglect nodejs)
- A piece of code that runs on client side
- Can directly access client-side data, but not server-side ones
- Perfectly viewable by client
- Useful, but also dangerous
- You can always write your own script in console
XSS
- Cross Site Scripting
- Executing javascript from a malicious source
- used to steal cookie or other client-side data
XSS types
- Reflected XSS
- Stored XSS
- DOM based XSS
Reflected XSS
- Tricks the client into sending a request to the server
- Server responds with the XSS payload, which is then executed
- Often disguised as URLs or forms
- Ex.
- xss.php?payload=<script>alert('XSS')</script>
Stored XSS
- malicious javascript stored on the server
- triggered upon load by the client
DOM Based XSS
- triggered while the client-side DOM is being resolved
- XSS payload does not pass through the server
- Server side protection doesn't work!!
XSS prevention
- input sanitizing
- be careful what you parse in html
- disable CORS
- modern browsers
- client awareness!
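As an added example (not the slides' own code): the reflected handler from the slide, xss.php?payload=..., modelled in Python in two versions, one that echoes the parameter raw and one that HTML-escapes it first, plus a Set-Cookie header whose flags keep the session cookie out of reach of injected script. The function names and the cookie name are this example's own.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

PAGE = "<html><body><h1>Search</h1><p>You searched for: {}</p></body></html>"

def payload_from_url(url):
    """Extract the 'payload' query parameter, as the slide's xss.php would."""
    return parse_qs(urlsplit(url).query).get("payload", [""])[0]

def render_vulnerable(payload):
    # Reflects user input straight into the HTML body: the bug on the slide.
    return PAGE.format(payload)

def render_safe(payload):
    # Output encoding: <, >, &, " and ' become entities, so the browser shows
    # the text instead of parsing it as markup.
    return PAGE.format(escape(payload, quote=True))

def contains_live_script(html):
    # Crude check used only to contrast the two renderers.
    return "<script>" in html.lower()

def session_cookie(session_id):
    # HttpOnly: not visible to document.cookie, so injected script cannot read
    # it. Secure: sent over HTTPS only. SameSite=Lax: withheld from most
    # cross-site requests. Defence in depth, not a substitute for escaping.
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"

# Constructed request using the slide's payload.
URL = "https://M30W.tw/xss.php?payload=<script>alert('XSS')</script>"

if __name__ == "__main__":
    p = payload_from_url(URL)
    print(render_vulnerable(p))   # page carries an executable <script> tag
    print(render_safe(p))         # same text shown harmlessly as &lt;script&gt;
    print(session_cookie("constructed-session-id"))
```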
Lab 2
Ultra Spiritual Cats
PHP
What if server needs to run something?
Prelude : Basic bash
bash is a widely used shell
- ls : list all files in the current directory
- cat $file : show the contents of $file
- cd $dir : go to $dir
- man $cmd : see the manual of $cmd
- commands can be found online or in /usr/bin
Common Vulnerabilities
Running code that comes from the user
- functions such as exec(), shell_exec(), system() run commands
- if user input is directly used as an argument, terrible things can happen
Common Vulnerabilities
How to deal with it
- Input sanitizing
- preg_match() is useful
- whitelist? blacklist?
- Misconfigurations
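As an added example (not from the slides): the "cat $file" feature discussed in this section, modelled in Python. show_file_vulnerable() builds a shell command string from user input, the bug the slide warns about; show_file_safe() checks the name against a whitelist pattern (the preg_match() idea) and hands the program an argument list with no shell involved. Function names and the ALLOWED_DIR path are this example's own assumptions.

```python
import re
import subprocess

ALLOWED_DIR = "/var/www/files"   # assumed directory of files users may view
# Whitelist: a short plain name with a .txt or .md extension, nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(txt|md)")

def show_file_vulnerable(user_input):
    """The command a naive implementation hands to the shell. Every character
    the shell treats specially (; | & $ ` and so on) in user_input becomes
    part of the command line instead of part of the file name."""
    return f"cat {ALLOWED_DIR}/{user_input}"

def show_file_safe(user_input):
    """Validate against the whitelist, then return an argv list. Raises
    ValueError on anything that does not match. fullmatch() is used so a
    trailing newline or extra text cannot slip past the pattern."""
    if not SAFE_NAME.fullmatch(user_input):
        raise ValueError(f"rejected file name: {user_input!r}")
    # No shell involved: the name is one argument to cat, whatever it contains.
    return ["cat", f"{ALLOWED_DIR}/{user_input}"]

def run_safe(user_input):
    """Execute the validated argv directly (shell=False is the default)."""
    return subprocess.run(show_file_safe(user_input), capture_output=True, text=True)

if __name__ == "__main__":
    print(show_file_vulnerable("notes.txt; id"))   # a shell would also run 'id'
    print(show_file_safe("notes.txt"))
    for bad in ("notes.txt; id", "../secret.txt", "$(id).txt"):
        try:
            show_file_safe(bad)
        except ValueError as e:
            print(e)
```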
Lab 3
meet my cat;
SQL
What if server needs to store something?
What is SQL
- Structured Query Language
- Used in database management
- MySQL, PostgreSQL, etc.
SQL Commands
- SELECT
- DROP
- UNION
- OR
- AND
ref :
https://www.codecademy.com/articles/sql-commands
SQL Injections
- original command :
- SELECT * FROM user WHERE name=' + $name + '
- $name = ' OR 1=1 OR '
- injected command :
- SELECT * FROM user WHERE name='' OR 1=1 OR ''
- result :
- dump the entire user table
SQL Injection Types
- Union-Based
- Blind-Based
- Time-Based
- Boolean-Based
- Error-Based
How to deal with it
- Input sanitizing
- Prepared statements
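As an added example (not from the slides): the injection shown above, run against an in-memory SQLite database. lookup_vulnerable() concatenates $name into the query exactly as the slide does; lookup_prepared() uses a placeholder so the driver passes the name as data. The table contents are constructed.

```python
import sqlite3

def make_db():
    """Constructed user table with three rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO user (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con

def lookup_vulnerable(con, name):
    # String concatenation, as on the slide: a quote inside name closes the
    # literal early and the rest of name is parsed as SQL.
    sql = "SELECT * FROM user WHERE name='" + name + "'"
    return con.execute(sql).fetchall()

def lookup_prepared(con, name):
    # Prepared statement: the SQL text is fixed before the value is bound,
    # so name can only ever be compared as a string, never parsed as SQL.
    return con.execute("SELECT * FROM user WHERE name=?", (name,)).fetchall()

PAYLOAD = "' OR 1=1 OR '"      # the slide's $name

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, PAYLOAD))   # every row: the whole table
    print(lookup_prepared(con, PAYLOAD))     # []: nobody has that literal name
    print(lookup_prepared(con, "bob"))
```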
Lab 4
to M30W or not to M30W
Information Leak
What?
My password is leaked?
Rule of least privilege
- Users don't need to know more than they ought to know
Information leakage
- Extremely common in real life
- well-known leaks :
- robots.txt (not really a leak...)
- .git / .svn
- .DS_Store
- .xxx.php.swp
- xxx.php~
Robots.txt
- tells search engines what should (and should not) be crawled
- stores information about the server file hierarchy
- reveals directory/file names
git/svn
- version control tools
- developers forget to clean up
- may be used to reconstruct source code
.DS_Store
- hidden file on macOS
- holds information about the file hierarchy
.swp / ~
- temporary files created automatically by editors
- developers tend to forget about them
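As an added example (not from the slides): a pre-deployment check that walks a web root and flags the leak-prone files listed above (.git/.svn trees, .DS_Store, editor swap files like .xxx.php.swp and backups like xxx.php~) before they ever reach a server. The function names are this example's own and the sample listing is constructed.

```python
import os

LEAKY_DIRS = {".git", ".svn"}           # version-control metadata
LEAKY_FILES = {".DS_Store"}             # macOS Finder metadata

def classify(rel_path):
    """Return a reason if rel_path (relative to the web root) matches one of
    the leak patterns from the slides, else None."""
    parts = rel_path.replace("\\", "/").split("/")
    name = parts[-1]
    for d in parts[:-1]:
        if d in LEAKY_DIRS:
            return f"inside version-control directory {d}/"
    if name in LEAKY_DIRS:
        return f"version-control directory {name}/"
    if name in LEAKY_FILES:
        return "macOS Finder metadata (lists directory contents)"
    if name.startswith(".") and name.endswith(".swp"):
        return "editor swap file (may contain unsaved source)"
    if name.endswith("~"):
        return "editor backup copy of a source file"
    return None

def find_leaks(rel_paths):
    """Classify a list of relative paths; return sorted (path, reason) pairs."""
    hits = []
    for p in rel_paths:
        reason = classify(p)
        if reason:
            hits.append((p, reason))
    return sorted(hits)

def scan_webroot(root):
    """Walk a real directory tree and apply the same check to every entry."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            entries.append(os.path.relpath(os.path.join(dirpath, n), root))
    return find_leaks(entries)

# Constructed listing of a deployed web root.
SAMPLE = ["index.php", "robots.txt", ".git/HEAD", ".git/config", ".DS_Store",
          "admin/.login.php.swp", "admin/login.php~", "img/logo.png"]

if __name__ == "__main__":
    for path, reason in find_leaks(SAMPLE):
        print(f"{path:24} {reason}")
```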
github
- Version control again
- all kinds of stuff up there, code, tutorials, tools, passwords, accounts, etc.
- Example :
- Huawei
Lab 5
R. Daneel Olivaw
CTF Games!
- Pwn
- Reverse
- Web
- Crypto
- Stego
- Forensics
- ...
Pwn
Finding and leveraging vulnerabilities in executables
- Buffer overflow
- Format String Attack
- Heap/Stack
Reverse
Interpreting executables to gain useful information
Web
Website Vulnerabilities
- cookie stealing
- XSS
- SQL injection
- code injection
- php, html, js, ...
Crypto
Cryptography
- RSA
- AES
- Hash
** modern cryptography relies heavily on math
Stego
The art of hiding messages
- Text in image
- File in image
- Image in audio
- ...
Forensics
Recovering the digital trail
- File format
- Packet sniffing
- Disk image
CTF Challenge
Computer Security
By james01
NTU CSCamp 2019 toy course