Computer Security

NTU CSIE CSCAMP-2019

About me

What is Computer Security?

CIA

Confidentiality

Things don't get exposed

  • password
  • messages

Integrity

Things don't get modified

  • email
  • bank account balance

Availability

Things / services are accessible

  • stock market
  • github server

Web Security

Overview

What is web

Server

Client

The website you see

  • HTML
  • CSS
  • javascript

Things going on behind the scenes

  • database
  • authentication
  • php/ruby/python/nodejs   (basically no limits)

request

response

How does the web work?

URL

<scheme>://<netloc>/<path>?<query>

https://M30W.tw/search?q=ctf


https : Hypertext Transfer Protocol Secure

  • defines the protocol used for communication
  • s stands for secure(?)
  • still vulnerable to phishing/MitM attacks under certain scenarios


M30W.tw : domain name

  • used to identify the server location
  • DNS translates domain name to IP


/search : path of the document

  • the location of the file you requested on the server


q=ctf : purpose of request

  • what you want the server to do for you
  • in this example, q=ctf means "query for ctf"

 

HTTP methods

The two most common methods are:

GET :

  • request data from the server
  • parameters are shown in the URL

POST :

  • send data to the server
  • parameters are NOT shown in URL
  • commonly used in login / file upload
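Added example (not from the slides): splitting the example URL into the four parts named above with Python's urllib, then building the minimal raw HTTP/1.1 request a client sends for the same parameters with GET (parameters in the URL) and with POST (parameters in the body). The helper names and the login parameters are assumptions made for this example.

```python
# Added example: URL components and where GET/POST parameters travel.
from urllib.parse import urlparse, parse_qs, urlencode

# Sample URL taken from the slides.
EXAMPLE_URL = "https://M30W.tw/search?q=ctf"


def split_url(url: str) -> dict:
    """Return scheme, netloc, path, raw query and the decoded parameters."""
    parts = urlparse(url)
    return {
        "scheme": parts.scheme,          # https
        "netloc": parts.netloc,          # M30W.tw
        "path": parts.path,              # /search
        "query": parts.query,            # q=ctf
        "params": parse_qs(parts.query), # {"q": ["ctf"]}
    }


def build_request(method: str, url: str, params: dict) -> str:
    """Build the raw request text (minimal headers only).

    GET puts the parameters into the request-target, so they are visible in
    the URL, browser history and server logs. POST sends them in the body,
    so they are not part of the URL (they are still plain text on the wire
    unless HTTPS is used).
    """
    parts = urlparse(url)
    path = parts.path or "/"
    body = ""
    if method == "GET":
        target = path + "?" + urlencode(params) if params else path
        extra_headers = []
    elif method == "POST":
        target = path
        body = urlencode(params)
        extra_headers = [
            "Content-Type: application/x-www-form-urlencoded",
            f"Content-Length: {len(body.encode())}",
        ]
    else:
        raise ValueError("only GET and POST are shown in this example")
    lines = [
        f"{method} {target} HTTP/1.1",
        f"Host: {parts.netloc}",
        *extra_headers,
        "Connection: close",
        "",            # empty line ends the header block
    ]
    return "\r\n".join(lines) + "\r\n" + body


if __name__ == "__main__":
    print(split_url(EXAMPLE_URL))
    print(build_request("GET", "https://M30W.tw/search", {"q": "ctf"}))
    print(build_request("POST", "https://M30W.tw/login", {"user": "cat", "pw": "meow"}))
```

Compare the two printed requests: the GET line reads `GET /search?q=ctf HTTP/1.1`, while the POST line is just `POST /login HTTP/1.1` and `user=cat&pw=meow` only appears after the blank line that ends the headers.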

Other stuff worth knowing

HTTP request header

GET /query?q=ctf HTTP/1.1
Host: M30W.tw
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;
Connection: keep-alive

HTTP response header

HTTP/1.1 200 OK
Date: Sat, 23 Mar 2019 20:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Sat, 23 Mar 2019 21:00:00 GMT
ETag: "69fe-56ce289380252"
Accept-Ranges: bytes
Content-Length: 27134
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain
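Added example (not from the slides): a small parser for the raw request and response format shown above, splitting a message into its start line, a header map and the body, and checking that the body matches Content-Length. Both sample messages are constructed for this example and modelled on the slides; the Cookie values are made up.

```python
# Added example: parsing raw HTTP/1.1 messages like the ones on the slides.
SAMPLE_REQUEST = (
    "GET /query?q=ctf HTTP/1.1\r\n"
    "Host: M30W.tw\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) "
    "Gecko/20100101 Firefox/56.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Cookie: session=abc123; theme=dark\r\n"   # constructed cookie values
    "Connection: keep-alive\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 23 Mar 2019 20:00:00 GMT\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Content-Length: 5\r\n"
    "Content-Type: text/plain\r\n"
    "Connection: close\r\n"
    "\r\n"
    "hello"
)


def parse_message(raw: str) -> dict:
    """Split a raw HTTP/1.1 message into start line, headers and body.
    Header names are case-insensitive, so they are lower-cased as keys."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return {"start": start, "headers": headers, "body": body}


def parse_request(raw: str) -> dict:
    """Request start line: <method> <target> <version>."""
    msg = parse_message(raw)
    method, target, version = msg["start"].split(" ", 2)
    msg.update(method=method, target=target, version=version)
    return msg


def parse_response(raw: str) -> dict:
    """Response start line: <version> <status code> <reason phrase>."""
    msg = parse_message(raw)
    version, status, reason = msg["start"].split(" ", 2)
    msg.update(version=version, status=int(status), reason=reason)
    return msg


def parse_cookies(cookie_header: str) -> dict:
    """Turn 'a=1; b=2' from a Cookie header into a dict."""
    cookies = {}
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def body_complete(msg: dict) -> bool:
    """True when the body length matches Content-Length; a mismatch means a
    truncated, oversized or tampered message and should not be trusted."""
    declared = msg["headers"].get("content-length")
    if declared is None:
        return True
    return len(msg["body"].encode()) == int(declared)


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], parse_cookies(req["headers"]["cookie"]))
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp["status"], resp["reason"], resp["headers"]["content-type"], body_complete(resp))
```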

status codes


HTTP vs HTTPS


Cookie

What is a cookie

Logged in ... or not?

  • HTTP is stateless
  • Need to somehow maintain information about the client
  • Store a piece of string in the client's browser
  • commonly used in identity/login checks

Where to find cookie

  1. Right Click
  2. Inspect
  3. Application
  4. Cookies

HTTP request headers
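Added example (not from the slides): a minimal server-side session store showing how a stateless server recognises a returning client through a cookie. The browser only stores a random session id; the mapping from id to user stays on the server. The class and method names, the cookie name and the user names are assumptions made for this example.

```python
# Added example: cookies as the glue that gives stateless HTTP a session.
import secrets
from http.cookies import SimpleCookie
from typing import Optional


class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}  # session id -> username, kept server side only

    def login(self, username: str) -> str:
        """Create a session and return the Set-Cookie header value.

        The cookie carries only an unguessable random id. Whoever presents
        this string is treated as `username`, which is why stolen cookies
        matter and why the flags below restrict where the cookie travels.
        """
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        cookie = SimpleCookie()
        cookie["session"] = sid
        cookie["session"]["httponly"] = True    # not readable by page javascript
        cookie["session"]["secure"] = True      # only sent over HTTPS
        cookie["session"]["samesite"] = "Lax"   # not sent on most cross-site requests
        return cookie["session"].OutputString()

    def whoami(self, cookie_header: Optional[str]) -> Optional[str]:
        """Resolve the Cookie request header back to a username, or None."""
        if not cookie_header:
            return None
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        morsel = cookie.get("session")
        if morsel is None:
            return None
        return self._sessions.get(morsel.value)   # unknown/forged id -> None

    def logout(self, cookie_header: Optional[str]) -> None:
        """Invalidate the session on the server; the browser copy is now useless."""
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        morsel = cookie.get("session")
        if morsel is not None:
            self._sessions.pop(morsel.value, None)


if __name__ == "__main__":
    store = SessionStore()
    set_cookie = store.login("cat")
    print("Set-Cookie:", set_cookie)
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    print("next request as", store.whoami(f"session={sid}"))
    store.logout(f"session={sid}")
    print("after logout", store.whoami(f"session={sid}"))
```

The first request gets a `Set-Cookie` header; every later request carries `Cookie: session=...` and the server looks the id up. Because the string alone proves identity, `HttpOnly` keeps it away from injected scripts and `Secure` keeps it off plain HTTP.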

Lab 1

Welcome to M30W

 

 

All problems can be found at 139.162.125.106:4000

Javascript

What if client wants to run something?

What is javascript

  • Focus on client-side javascript for now (ignore nodejs)
  • A piece of code that runs on the client side
  • Can directly access client-side data, but not server-side data
  • Fully viewable by the client
  • Useful, but also dangerous
  • You can always write your own script in the console

XSS

  • Cross Site Scripting
  • Executing javascript from a malicious source
  • used to steal cookies or other client-side data

XSS types

  • Reflected XSS
  • Stored XSS
  • DOM based XSS

Reflected XSS

  • Tricks the client into sending a request to the server
  • Server responds with the XSS payload, which is then executed
  • Often disguised as URLs or forms
  • Ex.
    • xss.php?payload=<script>alert('XSS')</script>

Stored XSS

  • malicious javascript stored on the server
  • triggered whenever a client loads the page

DOM Based XSS

  • triggered when the client-side DOM is resolved
  • XSS payload never passes through the server
  • Server-side protection doesn't work!!

XSS prevention

  • input sanitizing
  • be careful what you insert into HTML
  • disable CORS
  • modern browsers' built-in protections
  • client awareness!
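Added example (not from the slides): the reflected case from the slide rendered unsafely beside the escaped version, plus the same escaping inside an attribute value and a Content-Security-Policy header as a second layer for modern browsers. The page template, function names and the detection regex are assumptions made for this example.

```python
# Added example: output escaping as the fix for reflected XSS.
import html
import re

PAYLOAD = "<script>alert('XSS')</script>"   # the payload shown on the slide


def render_unsafe(query: str) -> str:
    """Vulnerable: user input pasted straight into HTML, so the browser
    parses <script> as markup and runs it."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Fixed: <, >, &, quotes are escaped, so the input is shown as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_safe(query: str) -> str:
    """Same idea inside a quoted attribute: a stray quote cannot end the
    attribute and start a new one (quote=True is what makes this safe)."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(page: str) -> bool:
    """Crude check used here only to show the difference: does the rendered
    HTML still contain a real <script> element?"""
    return SCRIPT_TAG.search(page) is not None


def csp_header() -> tuple:
    """Defence in depth: a Content-Security-Policy that refuses inline
    scripts even if escaping is missed somewhere on the page."""
    return ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))   # script element survives
    print(render_safe(PAYLOAD))     # shown as &lt;script&gt;...
    print(render_attr_safe('" onmouseover="x'))
    print(*csp_header(), sep=": ")
```

Escaping is context-dependent: `html.escape` covers element content and quoted attributes as shown; inserting user data into a `<script>` block, a URL or CSS needs its own encoding rules, which is the point of "be careful what you insert into HTML".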

Lab 2

Ultra Spiritual Cats

PHP

What if server needs to run something?

Prelude : Basic bash

  • ls : list the files in the current directory
  • cat $file : show the contents of $file
  • cd $dir : go to $dir
  • man $cmd : see the manual of $cmd
  • commands can be found online or in /usr/bin

bash is a widely used shell

Common Vulnerabilities

Running code that comes from the user

  • functions such as exec(), shell_exec(), system() run commands
  • if user input is used directly as the argument, terrible things can happen

How to deal with it

  • Input sanitizing
  • preg_match() is useful
  • whitelist? blacklist?
  • Misconfigurations
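Added example (not from the slides): the same pattern in Python, with the vulnerable string-building version next to a whitelist check (the Python equivalent of preg_match()) and an argument list that is executed without any shell. Function names, the hostname regex and the sample input are assumptions made for this example.

```python
# Added example: command injection and the whitelist + no-shell fix.
import re
import shlex
import subprocess

HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # whitelist: letters, digits, dot, dash


def unsafe_command(host: str) -> str:
    """The vulnerable pattern: user input concatenated into a string that is
    handed to a shell (system()/shell_exec() in PHP). Any shell metacharacter
    in `host` becomes shell syntax."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    """Whitelist check: accept only characters a hostname may contain."""
    return HOST_RE.match(host) is not None


def safe_argv(host: str) -> list:
    """Validated input passed as a single argv element; no shell parses it."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def quoted_command(host: str) -> str:
    """If a shell string is unavoidable, quote the argument so metacharacters
    lose their meaning (PHP has escapeshellarg() for this)."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host: str) -> int:
    """Run the validated command without a shell; returns the exit status."""
    result = subprocess.run(safe_argv(host), capture_output=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    bad = "example.com; id"            # constructed input containing a separator
    print(unsafe_command(bad))          # shell would run two commands
    print(quoted_command(bad))          # one quoted argument
    print(safe_argv("M30W.tw"))         # argv list, no shell
    print(is_valid_host(bad))           # False: rejected before anything runs
```

The whitelist rejects anything that is not a hostname before a command is built; the argv form is the real fix because the operating system receives the arguments directly and nothing ever interprets `;`, `|` or backticks.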

Lab 3

meet my cat;

SQL

What if server needs to store something?

What is SQL

  • Structured Query Language
  • Used in database management
  • MySQL, PostgreSQL, etc.

SQL Commands

  • SELECT
  • DROP
  • UNION
  • OR
  • AND

 

ref : https://www.codecademy.com/articles/sql-commands

SQL Injections

  • original command :
    • "SELECT * FROM user WHERE name='" + $name + "'"
  • $name = ' OR 1=1 OR '
  • injected command :
    • SELECT * FROM user WHERE name='' OR 1=1 OR ''
  • result :
    • dump the entire user table

SQL Injections Types

  • Union-Based
  • Blind-Based
    • Time-Based
    • Boolean-Based
  • Error-Based

How to deal with it

  • Input sanitizing
  • Prepared statements
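Added example (not from the slides): the injection from the slide run against an in-memory SQLite table, first through string concatenation and then through a prepared statement with a bound parameter. The table, its rows and the function names are constructed for this example.

```python
# Added example: string-built SQL versus a prepared statement.
import sqlite3

INJECTION = "' OR 1=1 OR '"   # the $name value from the slide


def make_db() -> sqlite3.Connection:
    """Constructed sample table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("cat", "s3")],
    )
    return conn


def build_vulnerable_query(name: str) -> str:
    """String concatenation: the user's text becomes part of the SQL."""
    return "SELECT * FROM user WHERE name='" + name + "'"


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(build_vulnerable_query(name)).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the value is bound to the placeholder and is never
    parsed as SQL, so quotes and OR inside it are just characters."""
    return conn.execute("SELECT * FROM user WHERE name=?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query(INJECTION))
    print("vulnerable:", lookup_vulnerable(conn, INJECTION))   # whole table
    print("prepared:  ", lookup_prepared(conn, INJECTION))     # no such user
    print("prepared:  ", lookup_prepared(conn, "bob"))
```

The built query string is exactly the "injected command" on the slide, and the vulnerable lookup returns every row; the prepared version looks for a user literally named `' OR 1=1 OR '` and finds nothing.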

Lab 4

to M30W or not to M30W

Information Leak

What?

My password is leaked?

Rule of least privilege

  • Users don't need to know more than they ought to know

Information leakage

  • Extremely common in real life
  • well-known leaks :
    • robots.txt (not really a leak...)
    • .git / .svn
    • .DS_Store
    • .xxx.php.swp
    • xxx.php~

Robots.txt

  • tells search engines which paths should (not) be crawled
  • stores information about the server's file hierarchy
  • reveals directory/file names

git/svn

  • version control tools
  • developers forget to clean up
  • can be used to reconstruct the source code

.DS_Store

  • hidden file created by macOS Finder
  • holds information about the file hierarchy

.swp / ~

  • temporary files created automatically by editors
  • developers tend to forget about them
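Added example (not from the slides): a pre-deploy check that walks a web root and reports the leftover files listed above before a web server can serve them. The sample web root is created in a temporary directory with made-up file names; the function names and patterns are assumptions made for this example (robots.txt is left alone on purpose, since it is meant to be public).

```python
# Added example: find leftover files that leak information from a web root.
import fnmatch
import os
import tempfile

# patterns for the leftovers named on the slides
LEAK_PATTERNS = [".git", ".svn", ".DS_Store", ".*.swp", "*~"]


def is_leak(name: str) -> bool:
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in LEAK_PATTERNS)


def find_leaks(root: str) -> list:
    """Return paths (relative to root) of files or directories that should
    never be reachable through the web server."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_leak(name):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
        # once a VCS directory is reported there is no need to descend into it
        dirnames[:] = [d for d in dirnames if not is_leak(d)]
    return sorted(found)


def make_sample_webroot() -> str:
    """Constructed web root: a deployed PHP site plus the typical leftovers."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php echo 'hi'; ?>",
        ".index.php.swp": "",       # editor swap file
        "index.php~": "",           # editor backup
        ".DS_Store": "",            # Finder metadata
        os.path.join(".git", "HEAD"): "ref: refs/heads/master\n",
        os.path.join("css", "style.css"): "body{}",
        "robots.txt": "User-agent: *\nDisallow: /admin/\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for leak in find_leaks(make_sample_webroot()):
        print("would be served:", leak)
```

Running this against the real document root (or wiring it into a deploy script) catches the `.git`, `.DS_Store`, `.swp` and `~` leftovers before they are exposed; blocking those names in the web server configuration is the complementary fix.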

github

  • Version control again
  • all kinds of stuff up there: code, tutorials, tools, passwords, accounts, etc.
  • Example :
    • Huawei

Lab 5

R. Daneel Olivaw

CTF Games!

  • Pwn
  • Reverse
  • Web
  • Crypto
  • Stego
  • Forensics
  • ...

Pwn

Finding and leveraging vulnerabilities in executables

  • Buffer overflow
  • Format String Attack
  • Heap/Stack

Reverse

Interpreting executables to gain useful information

Web

Website Vulnerabilities

  • cookie stealing
  • XSS
  • SQL injection
  • code injection
  • php, html, js, ...

Crypto

Cryptography

  • RSA
  • AES
  • Hash

 

** modern cryptography relies heavily on math

Stego

The art of hiding messages

  • Text in image
  • File in image
  • Image in audio
  • ...

Forensics

Recovering the digital trail

  • File format
  • Packet sniffing
  • Disk image

CTF Challenge
