Microsoft PowerPoint - 程式碼安全_Java_1126.ppt

Size: px

Start display at page:

Download "Microsoft PowerPoint - 程式碼安全_Java_1126.ppt"

灰逸暨
5 years ago
Views:

1 如何開發更安全的程式碼楊熒駿 Edwin Yang 楊熒駿 Agenda 資訊安全現況常見的程式碼問題 Break 如何開發更安全的程式碼 Fortify Solution COB 2 1

2 國內案例購物網站個資外洩事件 3 3 被抓的駭客集團成員( 2008/8/27) 4 2

2008 /11/19 台北地方法院判賠案例 2007 發生個資洩漏事件此案例沒有人入侵, 是程式撰寫者沒有安全撰寫觀念 5 新版個資法對企業的衝擊立法院審議中的個人資料保護法修正草案內容, 個資外洩賠償上限從現行法二千萬元提高到五千萬元 ( 單筆資料二萬五千元 ) 員工洩漏個資若屬營利行為, 則從現行兩年有期徒刑提高到五年有期徒刑 ;

3 2008 /11/19 台北地方法院判賠案例 2007 發生個資洩漏事件此案例沒有人入侵, 是程式撰寫者沒有安全撰寫觀念 5 新版個資法對企業的衝擊立法院審議中的個人資料保護法修正草案內容, 個資外洩賠償上限從現行法二千萬元提高到五千萬元 ( 單筆資料二萬五千元 ) 員工洩漏個資若屬營利行為, 則從現行兩年有期徒刑提高到五年有期徒刑 ; 如無營利行為則從原先的免罰修正為兩年以下有期徒刑草案第二十九條規定, 受害民眾索賠時, 不須負舉證責任, 但非公務機關要證明無故意或過失責任才能免責 ; 公務機關則須負無過失責任第十二條規定公務機關或非公務機關於個資料被竊或外洩後, 應以適當方式迅速通知當事人第三十二條同時增訂團體訴訟相關規定草案同時取消現行法令須告訴乃論的規定, 檢警能主動偵辦 6 3

4 新版個資法對企業與軟體開發人員的衝擊第二十九條規定, 受害民眾索賠時, 不須負舉證責任, 但非公務機關要證明無故意或過失責任才能免責 ; 公務機關則須負無過失責任企業要舉證有定期安全檢測的報告 : 1. 網路弱點掃描 2. 網站滲透測試 3. 程式碼安全檢測 4... 企業防禦駭客的證據您或委外廠商撰寫的程式碼, 不要成為公司的地雷 7 駭客眼中有安全漏洞的應用系統當您的應用系統有駭客可以進出的漏洞

5 重視程式碼安全設計 : 避免風險發生 9 Agenda 資訊安全現況常見的程式碼問題 Break 如何開發更安全的程式碼 10 5

CERT/CC 軟體安全漏洞統計 Total vulnerabilities reported(1995-2008):44,074 9000 8064 8000 7236 安全漏洞數 7000 6058 5990 6000 5000 4129 4000 2437 3000 2000 1000 3784 3780 1090 171 345 311 262 417 0 1995 1996 1997

6 CERT/CC 軟體安全漏洞統計 Total vulnerabilities reported( ):44, 安全漏洞數 Q3 年度 CERT/CC:Computer Emergency Response Team / Coordination Center 網路危機處理暨協調中心 11 應用程式層缺少安全防護 Gartner - 75% of breaches due to security flaws in software Protected by Firewall VPN 12 6

7 XSS 植入惡意圖片連結手法目標 : 破壞網站形象第一步使用人頭身份資料申請一個合法帳號第二步登入系統測試有無可植入惡意連結的欄位第三步使用惡意連結指令樣版貼上破壞網站形象的圖片 XSS : Cross-Site Scripting 跨網站指令碼攻擊因為可以撰寫指令碼,此類攻擊手法變化無窮! 13 SQL Injection 偷取資料的手法目標 : 竊取網站相關資料第一步使用人頭身份證字號申請一個合法帳號人頭身份證字號如何來? 慣用手法: 市場問卷調查填個人資料送各種小贈品第二步登入系統逐一測試各項功能,有無漏洞可竊取資料第三步複製貼上取得的資料 14 7

SQL Injection 進階攻擊手法演變 : 自動化攻擊 2008/6 新聞 15 15 OWASP Open Web Application Security Project 是一個開放社群非營利性組織目前全球有82個分會近萬名會員其主要目標是研議協助解決Web軟體安全之標準工具與技術文件

8 SQL Injection 進階攻擊手法演變 : 自動化攻擊 2008/6 新聞 OWASP Open Web Application Security Project 是一個開放社群非營利性組織目前全球有82個分會近萬名會員其主要目標是研議協助解決Web軟體安全之標準工具與技術文件長期致力於協助政府或企業瞭解並改善網頁應用程式與網頁服務的安全性由於應用範圍日廣網頁應用安全已經逐漸的受到重視並漸漸成為在安全領域的一個熱門話題在此同時駭客們也悄悄的將焦點轉移到網頁應用程式開發時所會產生的弱點來進行攻擊與破壞網址 :

9 常見程式碼漏洞的參考網址 17 常見程式碼漏洞的參考網址

10 OWASP Top Ten 2007 A1. 跨網站的入侵字串(Cross Site Scripting 簡稱XSS) A2. 注入缺失(Injection Flaw) A3. 惡意檔案執行(Malicious File Execution) A4. 不安全的物件參考(Insecure Direct Object Reference) A5. 跨網站的偽造要求 (Cross-Site Request Forgery 簡稱CSRF 19 OWASP Top Ten 2007 A6. 資訊揭露與不適當錯誤處置(Information Leakage and Improper Error Handling) A7. 遭破壞的鑑別與連線管理(Broken Authentication and Session Management) Web應用程式中自行撰寫的身分驗證相關功能有缺陷 A8. 不安全的密碼儲存器 (Insecure Cryptographic Storage) A9. 不安全的通訊(Insecure Communication) A10. 疏於限制URL存取(Failure to Restrict URL Access) 20 10

11 2009 CWE Top 休息一下 22 11

12 Agenda 資訊安全現況常見的程式碼問題 Break 如何開發更安全的程式碼 23 Security Touchpoints in SDLC (Gary McGraw) 24 Ref: Eoin Keary, Integrating into the SDLC; Gary McGraw, Software Security 12

13 Common Flaws In Web Applications SQL Injection Cross Site Scripting (XSS) HTTP Response Splitting Command Injection Path Manipulation Cross Site Request Forgery (CSRF) Access Control Insecure Randomness Password Management Race Conditions Error Handling Code Quality Left Over Debug Code: Encapsulation Misconfiguration: Environment Improper Input Validation SQL Injection Instructor will demonstrate SQL Injection Attack 26 13

14 1. SQL Injection name Æ gary sku Æ S select * from item where account = $name' and sku = $sku SQL Injection select * from item where account = gary' and sku = S

15 1. SQL Injection name Æ gary sku Æ foo bar select * from item where account = $name' and sku = $sku SQL Injection select * from item where account = gary' and sku = foo bar This is a string This is a string 30 15

16 1. SQL Injection Another part of a SQL query select * from item where account = gary' and sku = foo This is a string bar This is a string SQL Injection name Æ gary sku Æ or 1=1 -- select * from item where account = $name' and sku = $sku 32 16

17 1. SQL Injection Injected SQL Part select * from item where account = gary' and sku = or 1= 利用 SQL Injection 漏洞 Insert XSS 語法到 DB varchar(255),@c varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id = b.id and a.xtype = 'u' and ( b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167) OPEN Table_Cursor FETCH NEXT FROM = 0) BEGIN Exec ( update [ + ] set [ + ]=rtrim(convert(varchar,[ + ]))+ ''<script src= ) FETCH NEXT FROM END CLOSE Table_Cursor DEALLOCATE Table_Cursor US 2008/1 案例語法

台灣 2009/7 發生類似的攻擊案例 35 35 SQL Injection 漏洞攻擊語法一般攻擊字串輸入的內容 ( >> 取得資料) 字串欄位 : ' or '1' = '1 數字欄位 : or 1=1, or 101 > 100, or 2 >

18 台灣 2009/7 發生類似的攻擊案例 SQL Injection 漏洞攻擊語法一般攻擊字串輸入的內容 ( >> 取得資料) 字串欄位 : ' or '1' = '1 數字欄位 : or 1=1, or 101 > 100, or 2 > 1 更猛的就是類似以下的攻擊語法組合 ( >> 破壞資料 ) abc' ; [簡報的Stored Procedure語法] ; select * from item where sku = 'abc 竄改資料庫所有資料表的文字欄位內容

19 破壞資料的 SQL Injection 攻擊案例研究特徵 : (1) 利用 AP Connect DB 的 UserID 可以讀取 sysobjects syscolumns 的權限進行攻擊 (2) 使用MS SQL 特定語法不用知道系統的資料表或欄位的名稱就可以進行資料破壞竄改導致系統顯示異常或系統功能停擺 ( Q? ) 答:系統功能參數資料表參數值都被竄改了! 預防的安全設計之道 : (1) AP 連線資料庫的使用者,不要有存取 System Table 的權限 (2) MS SQL DB 的 sa 密碼設複雜點例!sa123AS! 易猜中 : 沒密碼 sa sasa sa mssql sql2000 sql2005 sql2008 mis admin gss 公司或客戶英文名稱 How to fix SQL injection Escaping data 2. Parameter Binding 3. Input validation 4. Use better Framework

20 SQL Injection: Original Code String name = request.getparameter( name ); String sku = request.getparameter( sku ); String sql = select * from item where account = + name + ' and sku = + sku + ; Connection conn = getconnection(); Statement stmt = conn.createstatement() ; ResultSet rs = stmt.executequery( sql ) ; 39 Fixing SQL Injection: Escaping String name = request.getparameter( name ); String sku = request.getparameter( sku ); // escape apostrophe to double apostrophe if (null!= sku) sku = sku.replaceall(, ); String sql = select * from item where account = + name + ' and sku = + sku + ; Connection conn = getconnection(); Statement stmt = conn.createstatement() ; ResultSet rs = stmt.executequery( sql ) ; 40 20

21 Fixing SQL Injection: Escaping name Æ gary sku Æ or 1=1 -- name Æ gary sku Æ or 1=1 -- select * from item where account = $name' and sku = $sku 41 Fixing SQL Injection: Escaping Double apostrophes inside a quoted string means a single apostrophe select * from item where account = gary' and sku = or 1=1 -- This is a string This is a string 42 21

22 Numeric Field Injection select * from item where account = gary' and sku_id = 1234 No need to quote numbers 43 Fixing SQL Injection: Escaping name Æ gary sku_id Æ 1234 or 1=1 After escaped, no change name Æ gary sku_id Æ 1234 or 1=1 select * from item where account = $name' and sku_id = $sku_id 44 22

23 Numeric Field Injection select * from item where account = gary' and sku_id = 1234 or 1=1 No need to have apostrophe 45 Fixing Numeric Field SQL Injection String name = request.getparameter( name ); String sku_id = request.getparameter( sku_id ); // throw an NumberFormatExeption if sku_id // is Note: not a sometimes number you may need to use String sql = select * from item where account = + name +Float.parseFloat(number) ' and sku_id = + Integer.parseInt(sku_id); Connection conn = getconnection(); Statement stmt = conn.createstatement() ; ResultSet rs = stmt.executequery( sql ) ; 46 23

24 Fixing SQL Injection: Parameter Binding select * from item where account = gary' and sku = or 1=1 -- We have SQL injection problem because hacker can change our SQL string Solution: use static/constant query string 47 Fixing SQL Injection: Parameter Binding 1. Query string is always static/constant String name = request.getparameter( name ); 2. You don t need to do any escaping, DB String sku = request.getparameter( sku ); knows the datatype anyway String sql = select * from item where account =? and sku =? ; Connection conn = getconnection(); PreparedStatement pstmt = JDBC Driver send sql conn.preparestatement(sql); to DB in here, DB analyzes the query pstmt.setstring(1, name); string, calculate the Pstmt.setString(2, sku); query plan, and DB ResultSet rs = pstmt.execute(); knows you need to provide two parameters later 48 24

25 Fixing SQL Injection: Parameter Binding select * from item where account = $name' and sku = $sku order by $colname You can t parameterize column name select * from item where account =? and sku =? order by? 49 Fixing SQL Injection: Input Validation String colname = request.getparameter( colname ); if ( colname.matches( ^[a-za-z][0-9a-za-z\_]*$ ) ) { String sql = select * from item + order by + colname;

26 Fixing SQL Injection: Input Validation Microsoft SQL Server: SELECT * FROM user_tbl ORDER BY [my user name] Oracle Server SELECT * FROM user_tbl ORDER BY my user name 51 More about Input Validation If this is a bug, fix it. Don t rely on frontend to protect you! In1/In2 - Can t be longer than 10 bytes - Can t be negative Validation should be Age > 0 and Age < 120 Add2age.jsp Age 1: In1 In2 Addition Out Age 2: Calculate Total: Syntactic Check Semantic Check 52 26

27 Don t do input validation at client side Instructor will demonstrate how to by-pass client side JavaScript validation 53 Don t do black listing Two type of input validation Black listing everything is ok, except for those specified in here White listing nothing is allowed, except for those specified in here 54 27

$gopher telnet nntp)://) (mailto: news:))(%[0-9a-fa-f]{2} [()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,]blank:)?$ Email: ^[\w\-\+\&\*]+(?:\.[\w\-\_\+\&\*]+)*@(?:[\w-]+\.$

28 Not everything can be validated Refer to OWASP validation Repository URL ^((((https? ftps? gopher telnet nntp)://) (mailto: news:))(%[0-9a-fa-f]{2} Username: alphanumeric, no space Password!!?? Webmail application Æ body?? 55 Fixing SQL Injection: Use better framework There are many frameworks allowing you don t even need to write JDBC or query string in your code Usually map a POJO (plain old Java object) to a Database table class user String String String } { id; name; phone; 56 28

29 Summary: How to fix SQL injection Mainly 3 Types of SQL Injection - String Field - Numeric Field - Column Name Mainly 4 Types of solutions: Escaping data Parameter Binding Input validation Use better Framework Cross-site scripting (XSS) Instructor will demonstrate XSS Attack 58 29

30 Cross-site scripting (XSS) HTTP Request 2 types of XSS - Reflective XSS - Persistent XSS Business Logic Database HTTP Response 59 Display Logic 攻擊語法直接輸入攻擊語法內嵌在竄改的網頁攻擊語法常駐在資料庫的字串欄位 & on i t a lid tion a V ta ut sen p I n pr e Re XSS: Original Code while(rs.next()) { String subject = rs.getstring( subject ); String question = rs.getstring( queustion ); %> <tr> <td><a href="/splc/listhelp.do">gary</a></td> <td class=newscell><%= subject %></td> <td class=newscell><%= question %></td> <td class=newscell>null</td> </tr> 60 30

31 HTML Basic 61 HTML Basic 62 31

32 XSS: Original Code while(rs.next()) { String subject = rs.getstring( subject ); String question = rs.getstring( queustion ); subject = subject.replaceall( <, < ); subject = subject.replaceall( >, > ); %> <tr> <td><a href="/splc/listhelp.do">gary</a></td> <td class=newscell><%= subject %></td> <td class=newscell><%= question %></td> <td class=newscell>null</td> </tr> But there are more than just < and > to escape 63 3 types of XSS 1. Inside HTML <p><%= data %></p> hacker: <script>alert('hi')</script> 2. HTML tag attribute <a href="<%= url %>">click me</a> hacker: javascript:alert('hi') hacker: page.html" onmouseover= alert('hi') 3. Inside Javascript <script>var x = <%= xvalue %></script> hacker: 123;... <input type= text onmouseover= <%= data %> /> 64 hacker: alert( hi ) 32

33 Fixing XSS: Escaping Put apache-commons.jar into your classpath import org.apache.commons.lang.stringescapeutils; while(rs.next()) { String subject = rs.getstring( subject ); String question = rs.getstring( queustion ); subject = StringEscapeUtils.escapeHtml(subject); %> <tr> <td><a href="/splc/listhelp.do">gary</a></td> <td class=newscell><%= subject %></td> <td class=newscell><%= question %></td> <td class=newscell>null</td> </tr> 65 Fixing XSS: Use Taglib while(rs.next()) { String subject = rs.getstring( subject ); String question = rs.getstring( queustion ); request.setattribute( subject, subject); request.setattribute( question, question); %> <tr> <td><a href="/splc/listhelp.do">gary</a></td> <td class=newscell><c:out var= subject /c:out></td> <td class=newscell><c:out var= question /c:out></td> <td class=newscell>null</td> </tr> 66 33

34 3 types of XSS Inside HTML There are no cross HTML <p><%= data %></p> boundaries input in hacker: <script>alert('hi')</script> HTML tag attribute these input. You can t solve the problem by HTML escaping <a href="<%= url %>">click me</a> hacker: javascript:alert('hi') hacker: page.html" onmouseover= alert('hi') 3. Inside Javascript <script>var x = <%= xvalue %></script> hacker: 123;... <input type= text onmouseover= <%= data %> /> 67 hacker: alert( hi ) IE will run the following scripts <a href= javascript:alert( hi )">click me</a> <a href= javascript:alert('hi'&#x2 9;">click me</a> HTML escaping is not a magic, it will not solve non- <input type= text onmouseover= alert( hi ) /> HTML related problem <input type= text onmouseover= alert('h i') /> But not too worry, IE won t run these as scripts <a href= /abc.jsp?name=javascript:alert( hi )">click me</a> <input type= text value= alert( hi ) /> 68 34

35 XSS Improper Input Validation Variations of javascript (used in the MySpace worm). Java script JaVaScRiPt java jav ascript jav\asc\r\ipt Many many more The MySpace server side code was doing incomplete blacklisting. Cross-Site Scripting (XSS) can be very difficult to filter out. More info about XSS attack : 69 XSS Black Listing Question: What s wrong with this code? String name = request.getparameter("name"); if (null!= name) name = name.replaceall("<script>", ""); out.println(name); 70 35

36 XSS Black Listing Answer: Hackers will Hack <script>alert( hi )</script> 71.NET bonus: Request Validator By default,.net will perform basic/generic request validation, unless you explicitly turn it off.net request validator should be able to protect Type I XSS (inside HTML) <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest= true" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" " <html xmlns=" > <head runat="server"> <title>untitled Page</title> </head> <body> <form id="form1" runat="server"> 72 <div> 36

37 Summary: How to fix XSS Escaping data: escapehtml() 2. Input validation 3. Use better Framework (Taglib) How to fix XSS (cont) What if I need to allow user to input HTML tags? Simple tag can be handled by Escape all the data, then change <b> back to <b> Use a different language, e.g. use [b] to represent <b>, change [b] back to <b> when display to HTML For more complex tags like <a> <input> <img>, you will have to parse the data, and then make sure there is no executable scripts 74 37

38 3. HTTP Response Splitting Addition of unvalidated data to the HTTP header Could result in XSS vulnerability Browser cache poisoning Server cache poisoning Consider : <% response.sendredirect("/region.jsp? regioncode="+ request.getparameter("regioncode")); %> HTTP Response Splitting An HTTP response would look like : HTTP/ Moved Temporarily Date: Wed, 24 Dec :53:28 GMT Location: Server: Apache Fri Jan 2 13:15:34 PDT Content-Type: text/html Set-Cookie: JSESSIONID=alkjwerf345sdf0sd9f8; path=/ Connection: Close <html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#ffffff"> <p>this document you requested has moved temporarily.</p> </body></html>

39 HTTP Response Splitting Since input for region is not validated Attacker could supply /region.jsp?regioncode=us%0d%0acontentlength:%200%0d%0a%0d%0ahttp/1.1%20200%20ok%0d%0acontenttype:%20text/html%0d%0acontentlength:%2019%0d%0a%0d%0a<html>got you hacked mate!</html> HTTP Response Splitting Since input for region is not validated Attacker could supply HTTP/ Moved Temporarily Date: Wed, 20 Jan :26:41 GMT Location: /region.jsp?regionCode=us 1st Response Content-Length: 0 1 Request, 2 Responses (Response Splitting) Hacker provided data <html>got you hacked mate!</html> 2nd Response Server: Apache Fri Jan 20 15:26:41 PDT with (Controlled Content-Type: text/html by Hacker) HTTP/ OK Content-Type: text/html Content-Length: 19 Set-Cookie: JSESSIONID=123wertyu567345; path=/ Connection: Close

HTTP Response Splitting Proxy Server Normal User Hacker 79 Hacker send 2 requests to HTTP Server Proxy server see 2 requests and 3 responses, dropped the last

$0 will return 500 and throw exception when there is "\r\n" in methods that involve HTTP response headers You can set enableheaderchecking to false in web.$ config in order to disable this protection But our recommendation is developer should get use to write program in a Please apply ASP.NET SP1 secure way.

config in order to disable this protection But our recommendation is developer should get use to write program in a Please apply ASP.NET SP1 secure way.

40 HTTP Response Splitting Proxy Server Normal User Hacker 79 Hacker send 2 requests to HTTP Server Proxy server see 2 requests and 3 responses, dropped the last response and cached the hacker controlled response as the valid response for 2nd request The 2nd request is due to HTTP Response Splitting and is controlled by hacker Good news for HTTP Response Splitting ASP.NET 2.0 By default,.net 2.0 will return 500 and throw exception when there is "\r\n" in methods that involve HTTP response headers You can set enableheaderchecking to false in web.config in order to disable this protection But our recommendation is developer should get use to write program in a Please apply ASP.NET SP1 secure way. And develop applications that To disable, <httpwebrequest useunsafeheaderparsing= true /> will be able to protect itself and be able to run on any platforms Tomcat 5.0 ASP.NET 1.1 Tomcat will escape \r\n you try to add extra HTTP header Tomcat 4.x is vulnerable

41 4. Command Injection $ip -> # ping $ip 81 Command Injection # ping

42 Command Injection $ip -> ; rm rf / # ping $ip 83 Command Injection Injected extra command # ping ; rm rf / Meta-character in command line Other meta-chars: ; && > < 84 42

43 Types of Command Injection 1. Executable name exec( c:\my_prog\ + execname) 2. Executable Path String path = GetEnvironment( PROG_PATH ); exec(path + prog.exe ); 3. Command line arguments exec( /bin/ping + ip); 85 How to fix: Executable name Usually a design error Allow user to execute arbitrary command in a directory is generally a bad idea You may want to limited to execute a command from a allowed list String[] allowedcommand = { list, read, update } if ( Util.inList(command, allowedcommand) ). A special type of validation: referential check Input is one of the item in a allowed list 86 43

44 Real case to share On a C/C++ project, the program create some file in the beginning of a progress, and then tries to run the following command to delete a file, SCA report command injection at the following line system( del + filename); Solution: change it to But you may have Path Manipulation and File Race Condition in here as well unlink(filename) Lesson learn: think twice before you run an external command 87 How to fix: Executable path Depends on if you trust the source of the path From Request.getParameter(..) Read from Environment Variable Read from Property file ServletContext().getRealPath() 88 44

45 How to fix: Command Line Argument May be able to solve by, depending on the command Input validation Command Switch: only allow -p, or -c, etc A PDF filename: ^[a-za-z][0-9a-za-z\_]{0,32}.pdf$ Escaping Escape with double quote, and make sure there is no double quote inside But the following won t work sudo -u www $sudo_opt touch /data/myfile.dat And $sudo_opt can be rm -rf / Passing the argument as String[] rather than String Runtime.exec(String[]) will always execute String[0] ONLY But if you run with /bin/sh or the command you run will run /bin/sh Path Manipulation Hacker can control which file to be opened Filename: c:\data\ + filename filename Æ../boot.ini Can be solved by validation check Filepath: path + myprog.dll Path can be c:\tmp\hacker_upload\ 90 45

46 Windows Special Bonus./ Current Path Unix & Windows../ Parent Path Unix & Windows.../ 2 Level Up of Parent Path Windows Only.../ 3 Level Up of Parent Path Windows Only 91 Summary: Improper Input Validation Design Phase Issues (use good framework) Use Safe API - Plan for systematic input validation System of the meta characters - Don t evensome need to call the API Database single quote (apostrophe), numbers HTML angle brackets HTTP Input Shell Command Application \r\n (Java/.NET/etc..) File system Input Validation ; && < > Other Systems (Database, HTML, HTTP, etc)../ Encoding/Decoding 92 46

6. Cross-site request forgery (CSRF) Logged into a online bank, at the same time, browsing some other web sites 93 Cross-site request forgery The online bank Another Website The bank sends the money

47 6. Cross-site request forgery (CSRF) Logged into a online bank, at the same time, browsing some other web sites 93 Cross-site request forgery The online bank Another Website The bank sends the money since this is a valid request Inside in the page, there is a image <img src=" account=victim&amount= &for=hacker"> The browser will send the request to the bank with a valid cookie

48 How to fix <form method= transfer_money > <input type= text name= from /> <input type= text name= to /> <input type= text name= amount /> <input type= hidden name= secret value= <%= a_dynamic_value %> /> </form> When you send the HTML page (the web form) to the user, add a secret value in the form. When user send the request to you, check if the secret value exists and matches. Since the secret value is dynamic, the hacker will not be able to guess this value. 95 程式碼安全設計基本原則了解目前已知的程式碼撰寫漏洞有哪些了解各種應用系統安全設計應該注意的要點要矯正開發人員有漏洞的程式撰寫習慣使用程式碼安全檢測工具定期檢測程式碼安全及早發現程式碼安全漏洞問題及早矯正 96 48

49 意見討論 97 49

6-1 Table Column Data Type Row Record 1. DBMS 2. DBMS MySQL Microsoft Access SQL Server Oracle 3. ODBC SQL 1. Structured Query Language 2. IBM

CHAPTER 6 SQL SQL SQL 6-1 Table Column Data Type Row Record 1. DBMS 2. DBMS MySQL Microsoft Access SQL Server Oracle 3. ODBC SQL 1. Structured Query Language 2. IBM 3. 1986 10 ANSI SQL ANSI X3. 135-1986