Foreword
Security is an expensive and complex problem. Almost every system has vulnerabilities (in software as well as hardware), and hackers can use these holes to attack the system. Keeping a system secure is the responsibility of many parties: sysadmins, network engineers, managers and developers. Within the scope of this book, I will approach security from the point of view of a developer.
The knowledge in this ebook is fairly basic and easy to learn, but it is extremely useful: it helps you avoid silly, elementary security mistakes when you code. Whether you write C or C++, Java, C# or PHP, you will pick up a few useful things from this series.
A developer's responsibility is to make sure the code they write has no security bugs. In this ebook we play the hacker attacking the systems we wrote ourselves. Along the way, we will look at the security holes most commonly found in code and learn how to patch them.
Most of the basic security bugs are already prevented by frameworks. Even so, many websites still suffer from some of them because of the developer's own carelessness or oversight. So read the ebook carefully and try to apply this knowledge to your code to avoid these bugs.
This is a security guide for developers, not a guide to becoming a hacker. The knowledge here helps you code and patch bugs; it does not help you attack other systems or scam users. Anyone who seriously wants to seek out a master and study security can look up the security guru Juno_okyo.
Warning
Before teaching martial arts, a master always tells his disciples: you learn martial arts to strengthen your body and do good in the world, not to bully the weak. Before starting this book, I want to give you the same advice: learn security to build better-protected systems and to help other systems, not to go hacking or wrecking things.
For ethical reasons, if you discover a bug in someone else's system, you should report it to the administrators rather than cause damage. The line between studying a vulnerability and sabotaging a system is very thin. With critical systems, you can be prosecuted and end up serving prison time.
Copyright toidicodedao.com
Table of contents
PART 1: SECURITY FOR BEGINNERS
Basic security concepts and some commonly encountered vulnerabilities
A brief look at the Man-in-the-middle attack
Imagine you are courting a sweet, pretty, well-endowed girl named Linh. To make it more romantic, instead of texting you write her letters directly. In this picture you are the client, Linh is the server, and sending letters is the HTTP protocol.
Naturally, a pretty flower attracts flies. There is a nasty, vile hacker trying to mess things up for you; let's call him Hoàng.
This is extremely basic material that many people have already written about, so I won't go deep into the technical side. You can Google it to learn more.
Note
Many websites today still use a half-baked kind of HTTPS: HTTPS only on the login page and on pages with sensitive data. This approach still carries plenty of risk. Here I am using Fiddler to demo locally, but a hacker can pull the same tricks when sharing a LAN/WLAN with you. So be very careful when using free or public wifi.
Example 1: Lazada
This site's login uses HTTPS, so I could not sniff the username and password.
Back in the day, when Facebook did not yet use HTTPS, we used this method to sniff and log in to other people's Facebook accounts.
In some other cases, a site uses HTTPS but still loads images, JavaScript and CSS over HTTP. A hacker can still easily modify the JavaScript and steal cookies as usual. That is why Google recommends using HTTPS for every page and every link, not the half-baked way shown here.
Summary
Chrome also plans to mark HTTP pages as not secure to warn users. In upcoming versions you will see the words "Not secure" in the address bar if a site uses only HTTP.
HTTP is neither safe nor secure. Never, ever submit important information (passwords, bank card numbers) over HTTP!
Browsing over HTTP is like sleeping around without a condom. You can catch something and never know when it happened!
However, Khoa is not so well-behaved. Having just learned about XSS, instead of plain text Khoa types the whole script alert(XXX) into the comment box. The page's HTML then becomes:
The browser runs this script and shows an alert window. Khoa has injected malicious code into thi*ndia, a successful XSS attack. (Note: this is only an example; thi*ndia does not have an XSS bug, so don't try it.)
In this kind of attack the malicious code is stored in the database on the server and shown to every user, so it is called Persistent XSS. Anyone who sees Khoa's comment gets hit by the script, which gives this attack a wide reach and makes it quite dangerous.
2. Reflected XSS
In this attack, the hacker puts the malicious code into a URL as a query string. When a naive user enters this URL, the site reads the query string, renders the code into the HTML, and the user falls into the trap.
Back to Khoa. Having begged the seniors for massage parlour addresses without ever getting one, Khoa is bitter and decides to take revenge. He emails them a fake JAV link. The link is: http://thi*ndia.com?q=<script>deleteAccount();</script>. When the seniors click it, they land on the thiendia site. The server then renders <script>deleteAccount();</script>, which calls the JavaScript function deleteAccount and deletes their accounts.
Reflected XSS has a narrower reach than Persistent XSS, but it is just as dangerous. Hackers usually send links carrying the malicious code by email or chat message to lure users into clicking. So don't let your appetite for JAV make you click shady links.
3. Client XSS
Recently, as JavaScript has become more widely used, Client XSS bugs have been exploited more often too. Because JavaScript is used to manipulate the DOM, the malicious code is injected straight into the JavaScript.
This XSS bug is fairly easy to fix; the catch is that it tends to appear in many pages and is easy to miss, so after fixing we must verify carefully. There are 3 common methods for fixing it:
1. Encoding
Never trust anything the user enters!! Use the encode function built into your language/framework to turn the characters < > into &lt; &gt;.
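To make point 1 concrete, here is an added example in Python (my own, not code from the ebook). It renders Khoa's comment from the story above into HTML the naive way and the encoded way, and it also covers a case the "< >" rule alone does not: a user-supplied link, where the URL scheme has to be checked as well as encoded. The comment text and the HTML template are constructed for the demo.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: the comment Khoa posts in the story above (a textbook
# alert() probe), not content taken from any real site.
KHOA_COMMENT = '<script>alert("XXX")</script> nice post!'

COMMENT_TEMPLATE = '<div class="comment"><p>{body}</p></div>'


def render_comment_unsafe(body: str) -> str:
    """The bug: user text is pasted straight into the HTML, so the browser
    parses Khoa's <script> as markup and runs it."""
    return COMMENT_TEMPLATE.format(body=body)


def render_comment_safe(body: str) -> str:
    """The fix from point 1: HTML-encode user text before it reaches the page.
    html.escape turns < > & " ' into entities, so the browser displays the
    text of the script tag instead of executing it."""
    return COMMENT_TEMPLATE.format(body=html.escape(body, quote=True))


def safe_href(url: str) -> str:
    """Encoding is not enough inside an href: a javascript: URL contains no
    < or > at all, yet clicking it runs code. Only http(s) and site-relative
    links pass; anything else collapses to a dead link."""
    cleaned = url.strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_link(url: str, text: str) -> str:
    """A user-supplied link: scheme check for the attribute, encoding for both parts."""
    return f'<a href="{safe_href(url)}">{html.escape(text, quote=True)}</a>'


def contains_live_tag(rendered: str, tag: str = "script") -> bool:
    """Crude post-fix verification a tester can run over rendered output:
    does a raw <tag still appear that a browser would parse as markup?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(KHOA_COMMENT))   # script tag survives: XSS
    print(render_comment_safe(KHOA_COMMENT))     # &lt;script&gt;... shown as text
    print(render_link("javascript:alert(1)", "click here"))   # href="#"
```

The `contains_live_tag` check is the kind of thing to run over rendered pages after a fix, since the text warns that this bug is easy to miss on some pages.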
Closing words
Speaking a little subjectively (I'm not fond of PHP), websites built with PHP account for the largest number of XSS bugs. The first reason is that there are a huge number of PHP sites. The second is that by default PHP does not encode special characters. PHP CMSes like WordPress and Joomla are very powerful, with countless plug-ins, but many carelessly written plug-ins are the cause of this security bug.
Right now a great many websites have XSS bugs; just wander around the web and you will run into one. As I said, XSS is a very basic bug that practically every hacker knows. A site with this bug easily becomes easy prey. So developers, be careful and don't let your site catch this bug.
Some reference links:
http://excess-xss.com/
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Carry out a CSRF (Cross-site request forgery) attack. The hacker can post an image link like this:
<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">
The browser automatically loads the link in the image, naturally sending the cookie along. The link inside the image reads the cookie from the request, confirms the user and empties their account without the user noticing. This attack has many variants; I will go into detail in a later section.
- Set Expires and Max-Age: to limit the damage when a cookie is stolen, don't let cookies live too long. Set the cookie lifetime between 1 day and 3 months, depending on the application's needs.
- Use the HttpOnly flag: a cookie with this flag cannot be accessed through document.cookie. So even if the site has an XSS bug, the hacker cannot steal it.
- Use the Secure flag: a cookie with this flag is only sent over HTTPS, so the hacker cannot sniff it.
Because cookies are easy to attack, never store important information in them (passwords, account numbers, ...). If you absolutely must, encrypt it carefully.
Note: if your website uses a RESTful API, don't use cookies to authorize users; use OAuth or a web token instead. The token goes into the header of every request, so it is not affected by CSRF.
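As an added example (my own, not from the ebook), here is how those three flags look on a real Set-Cookie header, built with Python's standard http.cookies module, plus a small audit function you can run over your own application's Set-Cookie values to spot what is missing. SameSite=Lax in the builder goes one step beyond the text: it tells the browser not to attach the cookie to cross-site requests such as the image trick above. The cookie name and value are constructed for the demo.

```python
from http.cookies import SimpleCookie

MAX_LIFETIME = 90 * 24 * 3600   # the "1 day to 3 months" rule of thumb from the text
SENSITIVE_NAMES = {"username", "user", "password", "pass", "account", "card"}


def build_session_cookie(name: str, value: str, max_age: int = 24 * 3600) -> str:
    """Return the value part of a Set-Cookie header with the recommended flags."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True     # not readable via document.cookie (XSS theft)
    morsel["secure"] = True       # only sent over HTTPS (no sniffing on shared wifi)
    morsel["max-age"] = max_age   # a short life limits the damage if it leaks anyway
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"    # beyond the text: withheld on cross-site requests
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """List what is missing or unsafe in a Set-Cookie value.

    Attribute names are matched case-insensitively; flags without a value
    (HttpOnly, Secure) are recorded with an empty string."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    cookie_name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no Max-Age/Expires")
    elif attrs.get("max-age", "").isdigit() and int(attrs["max-age"]) > MAX_LIFETIME:
        findings.append("Max-Age longer than 90 days")
    if cookie_name.lower() in SENSITIVE_NAMES:   # crude name heuristic for the demo
        findings.append(f"sensitive data stored in cookie ({cookie_name})")
    return findings


if __name__ == "__main__":
    header = build_session_cookie("session", "c0nstructed-opaque-token")
    print("Set-Cookie:", header)      # all three flags present
    print(audit_set_cookie(header))   # []
    print(audit_set_cookie("username=bob; Path=/; Max-Age=31536000"))
```

The audit deliberately treats a cookie named after the user or a credential as a finding; the Lotte Cinema write-up later in the book shows why a username in a cookie is a problem.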
You can learn more about cookies and the related security bugs here:
http://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/
http://www.ibm.com/support/knowledgecenter/SSZLC2_7.0.0/com.ibm.commerce.admin.doc/concepts/csesmsession_mgmt.htm
https://www.nczonline.net/blog/2009/05/05/http-cookies-explained/
https://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
http://programmers.stackexchange.com/questions/298973/rest-api-security-storedtoken-vs-jwt-vs-oauth
Consequences of SQL Injection
The biggest consequence of SQL Injection is leaking the data in the database. Depending on how important the data is, the damage ranges from mild to extremely serious. If credit card data leaks, the hacker can go shopping with the cards or drain users' money.
Millions of stolen credit cards circulate online, skimmed by hackers from shopping sites through SQL Injection. A customer-data leak can hurt a company badly: its image suffers, customers move to other services, and it can end in bankruptcy.
This vulnerability also hits customers hard. Because people often reuse one password for many accounts, leaking the password of one account leaks the others as well. This is also why I keep reminding you to hash passwords: if the database does get attacked, the users
The code above reads the user's input and concatenates it into a SQL statement. To attack, the hacker only has to change the input and thereby change the SQL statement. Or, if they feel spiteful, they can drop the whole Users table and delete every user in the database. Scary enough?
Through SQL Injection a hacker can probe the data structure (which tables exist, which columns they have), then start extracting data with statements such as UNION, SELECT TOP 1...
As I said, SQL Injection is very common and you can easily Google articles about it, so I only summarize the attack mechanism here. Learn more from the examples in this article: http://expressmagazine.net/development/1512/tancong-kieu-sql-injection-va-cac-phong-chong-trong-aspnet.
- Filter user input: this defence is similar to the one for XSS. Use a filter to strip special characters (such as ;) or keywords (SELECT, UNION) from user input. Use the library/function your framework provides; rewriting one from scratch wastes time and is easy to get wrong.
- Don't build SQL by string concatenation: use parameters instead. If the data passed in is not valid, the SQL engine reports an error by itself; you don't need code to check it.
- Don't display exceptions or error messages: hackers use error messages to work out the database structure. When an error occurs, show only a notice that something went wrong, never the full error details, so hackers cannot exploit them.
- Set clear permissions in the DB: if the application only needs data from some tables, create a DB account and grant it access to those tables only; don't use root or sa. Then even if the hacker manages to inject SQL, they cannot read the main tables or modify and delete data.
- Back up data regularly: as the elders say, better safe than sorry. Back up regularly so that if a hacker deletes the data you can still restore it. If the backups get deleted too, congratulations: update your CV and start looking for a new company!
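The snippet the chapter refers to as "the code above" did not survive in this copy, so here is an added example of my own in Python with the built-in sqlite3 module: the concatenating login beside the parameterized one (point 2 of the list), and a wrapper that turns any database exception into a generic message (point 3). The Users table and its rows are constructed for the demo.

```python
import sqlite3
import sys


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory Users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder")])
    conn.commit()
    return conn


def login_by_concat(conn, username: str, password: str) -> list:
    """The bug: input is glued into the SQL text. A username such as
    ' OR 1=1 -- closes the quote, adds an always-true condition and comments
    out the password check, so every row matches."""
    sql = ("SELECT username FROM Users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_by_parameter(conn, username: str, password: str) -> list:
    """The fix: placeholders. The engine receives the SQL text and the values
    separately, so the same input is compared literally against the column."""
    sql = "SELECT username FROM Users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def login_with_safe_errors(conn, username, password, impl=login_by_parameter) -> dict:
    """Never hand the raw exception to the user: keep it for the server log and
    return a generic message, so error text cannot be used to map the schema."""
    try:
        return {"ok": True, "users": impl(conn, username, password)}
    except sqlite3.Error as exc:
        print(f"db error (server log only): {exc!r}", file=sys.stderr)
        return {"ok": False, "message": "Login failed. Please try again later."}


if __name__ == "__main__":
    db = make_demo_db()
    probe = "' OR 1=1 --"
    print("concat   :", login_by_concat(db, probe, "x"))      # ['alice', 'bob']
    print("parameter:", login_by_parameter(db, probe, "x"))   # []
    print(login_with_safe_errors(db, "'", "x", impl=login_by_concat))
```

Point 4 (a dedicated low-privilege DB account) is not shown because SQLite has no user accounts; on MySQL, PostgreSQL or SQL Server it is a GRANT on exactly the tables the application touches.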
Conclusion
Data is one of the most valuable things on your website. After reading this chapter, check whether your site can be attacked with SQL Injection, then apply the methods I described to fix it.
Further reading
http://www.w3schools.com/sql/sql_injection.asp
http://expressmagazine.net/development/1512/tan-cong-kieu-sql-injection-va-cacphong-chong-trong-aspnet
http://freetuts.net/ky-thuat-tan-cong-sql-injection-va-cach-phong-chong-trong-php107.html
http://kienthucweb.net/sql-injection-la-gi.html
What bug has a name this long??
This bug sits in the OWASP top 4, yet very little has been written about it. It is not as famous as XSS, CSRF or SQL Injection (even though its OWASP rank is well above XSS and CSRF). I myself had never heard the press or the news mention it. Perhaps there has been no famous case tied to it, or perhaps it has too many complicated variants?
The main cause of this vulnerability is carelessness by the developer or sysadmin (when you hit this bug, drag the dev out and flog them first, then the tester). It occurs when the program lets a user access resources (data, files, folders, database) they are not entitled to, through data the user supplies. To make it easier to understand, read the example below.
As you can see, tiki puts the order id in the URL. However, when I tried changing the order id, tiki redirected me back to https://tiki.vn/sales/order/history. That is what caring about security looks like!
Don't expose object keys: in the cases above the object id is an integer, so a hacker can guess the ids of other objects. To prevent this, encrypt the id or use a GUID as the id. Then the hacker has no way to guess the ID of another object.
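As an added example (mine, not code from the ebook), here is the tiki-style behaviour in Python: orders get a random GUID as the text suggests, and every lookup also checks that the order belongs to the logged-in user, returning None (the equivalent of tiki's redirect) otherwise. The ownership check goes beyond the text: a GUID stops guessing, but a leaked link still needs the check. The order store and the user names are constructed for the demo.

```python
import uuid

# Constructed in-memory order store: order id -> order record
ORDERS = {}


def create_order(owner: str, total: int) -> str:
    """Key the order with a random GUID (uuid4) instead of a sequential int,
    so a hacker cannot enumerate other people's orders by adding 1."""
    order_id = str(uuid.uuid4())
    ORDERS[order_id] = {"owner": owner, "total": total}
    return order_id


def get_order(order_id: str, current_user: str):
    """Lookup as the logged-in user. An unknown id and an order owned by
    someone else both give None, the same outcome, so the caller learns
    nothing about whether the id exists (this check is the addition beyond the text)."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        return None
    return order


def is_guid(order_id: str) -> bool:
    """Helper for tests/audits: does the id look like a version-4 UUID?"""
    try:
        return uuid.UUID(order_id).version == 4
    except ValueError:
        return False


if __name__ == "__main__":
    oid = create_order("alice", 250_000)
    print(oid, get_order(oid, "alice"))   # alice sees her own order
    print(get_order(oid, "bob"))          # None: bob is sent away, like tiki's redirect
```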
https://www.owasp.org/index.php/Top_10_2013-A4Insecure_Direct_Object_References
http://lockmedown.com/secure-from-insecure-direct-object-reference/
https://codedx.com/insecure-direct-object-references/
CSRF basics
CSRF stands for Cross Site Request Forgery (also called XSRF). This vulnerability is quite common; Netflix and YouTube have both been victims of it. Its consequences are also fairly serious, so CSRF has the honour of a place in the OWASP top 10 security vulnerabilities.
How CSRF works is very simple. In the previous chapter we learned that the server stores a cookie on the user's side to tell users apart. Every time the user sends a request to a domain, the cookie is sent along.
- First, the user must be logged in to the target site (call it site A).
- To lure the user, the hacker creates a malicious web page.
- When the user visits this malicious page, a request is sent to site A, the site the hacker wants to attack (via a form, img, ...).
- Because this request carries the user's cookie, site A mistakes it for a request the user made.
- The hacker can thus impersonate the user to do things like change the password, transfer money, ...
Note
Of course, the article only gives an example. By principle, GET requests must only be used to read data, never for operations that change data such as edit/delete. Banks usually protect themselves thoroughly by setting cookies with a short lifetime, refusing transfers without an OTP code, and so on.
Also, thi*ndia has fairly good security measures (see below), so you cannot use this method to steal your friends' accounts; don't try!
Back in the day, though, when security holes were not yet widely known, this was exactly how hackers operated. Just post one image containing a link like the one above on some forum, and countless people fell into the trap when they visited that forum.
- Use a CSRF token: attach a CSRF token to every form or request. The token is generated from the user's session. When it comes back to the server, we verify that it matches this session. Because the token is generated randomly per session, the hacker cannot forge it (frameworks such as RoR, CodeIgniter and ASP.NET MVC all support CSRF tokens).
- Check the Referer and Origin values in the header: Origin tells us which site sent the request. This value is attached to every request and the hacker cannot modify it. Check it, and if it is a foreign site, don't process the request.
- Check the X-Requested-With header: a request containing this header is safe, because this header prevents requests to other domains (details).
- Guard carefully against XSS: with XSS, the hacker can plant malicious code on the very site under attack. At that point every CSRF defence, token and referrer alike, is neutralised. Juno_okyo himself once combined an XSS bug with CSRF to attack sinhvienit.net (details).
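To show the first two defences together, here is an added Python example (mine, not the ebook's and not any framework's implementation): a CSRF token derived from the session id with a server-side secret via HMAC, which the hacker's page can neither compute nor read even though the browser sends the cookie, plus an Origin/Referer check against the site's own origin. bank.example.com from the image example earlier is reused as the protected site; the secret and session ids are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)    # constructed per run; a real app loads it from config
SITE_ORIGIN = "https://bank.example.com"   # the site being protected (from the image example)


def make_csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session id). Only the server can
    compute it, and a hacker's page cannot read it out of our page."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted) -> bool:
    """Constant-time comparison, so timing does not leak how many bytes matched."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(make_csrf_token(session_id), submitted)


def origin_allowed(headers: dict) -> bool:
    """Origin is set by the browser and cannot be altered by page script.
    Fall back to Referer's scheme://host when Origin is absent; reject if
    neither is present or they point at a foreign site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def accept_state_change(session_id: str, form: dict, headers: dict) -> bool:
    """Gate for any request that changes data (transfer, password change, ...)."""
    return origin_allowed(headers) and verify_csrf_token(session_id, form.get("csrf_token"))


if __name__ == "__main__":
    sid = "sess-constructed-1"
    token = make_csrf_token(sid)   # embedded in the page as a hidden form field
    print(accept_state_change(sid, {"csrf_token": token}, {"Origin": SITE_ORIGIN}))   # True
    # The <img> trick: a request from a forum page, cookie present, no token, foreign origin
    print(accept_state_change(sid, {}, {"Referer": "https://forum.example/thread"}))    # False
```

The fourth point in the list still holds: if the site itself has an XSS bug, injected script runs on the site's own origin and can read the hidden token, so none of this helps until the XSS is fixed.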
Summary
This bug used to be quite serious and common. Recently almost all frameworks defend against it by default, so it is encountered less often. Still, we must stay on guard, especially on hand-coded websites (particularly ones coded in PHP, hehe).
Also, as a user, you need to know how to protect yourself, in the following ways:
https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
http://stackoverflow.com/questions/17478731/whats-the-point-of-the-x-requestedwith-header
https://www.youtube.com/watch?v=m0EHlfTgGUU
The .NET version and the exception are displayed in full on error. This is easy prey for a SQL Injection attack.
- Configure the server or write code to remove unnecessary HTTP headers.
- When deploying, obfuscate or uglify the code so it becomes hard to read. To stop hackers learning which JS libraries you use, you can bundle all the libraries and code into a single file.
- When the system breaks, show a custom error page. The error on this page should explain clearly to the user what happened, but never show the raw error/exception, which would give hackers a way in.
- Regularly update/upgrade the framework to the latest version to patch vulnerabilities, so hackers cannot exploit holes already discovered in old versions.
When this feature works reliably, nobody gives it a word of praise. But the moment it has the slightest problem, I guarantee you will face a flood of fury from customers.
The user uses this link to reset their password. This way, even if a hacker requests a reset, the user's password stays unchanged and unaffected. As mentioned above, since email is not secure, this token should expire immediately after use, or 24-48 hours after the email was sent.
- When a login fails, don't say whether the username or the password was wrong. Just report that the username or password does not match; that makes the hacker's job harder.
- Hackers abuse the password reset feature to find out whether a user's email exists on the site. Whether or not the account exists, show the same notice: message sent.
- Limit the number of login attempts with a wrong password. For example, after 3 wrong passwords, lock the account for 10 minutes. Hackers can use this to lock users out of their accounts, so be careful; you can combine it with a captcha.
Note: these measures can annoy users, so if the data is not especially important (games, Q&A sites, social or entertainment sites) some of them can be relaxed.
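The rules above (an expiring, single-use reset token, one generic login message, an identical reset reply whether or not the account exists, and a lock after 3 failures for 10 minutes) fit in one small Python class, added here as my own example rather than code from the ebook. The clock is injectable so the lockout and the expiry can be tested without waiting; the user table is constructed for the demo and holds plain passwords only to keep the example short (the password chapter later explains how they should really be stored).

```python
import secrets
import time

LOCK_AFTER = 3              # wrong passwords tolerated before locking
LOCK_SECONDS = 10 * 60      # lock duration
RESET_TTL = 24 * 3600       # reset link valid for 24 hours, then dead
GENERIC_LOGIN_MSG = "Username or password does not match."
GENERIC_RESET_MSG = "If that email is registered, a reset link has been sent."


class LoginGuard:
    def __init__(self, users: dict, clock=time.time):
        self.users = dict(users)   # username -> password (plain only for the demo)
        self.failures = {}         # username -> consecutive wrong passwords
        self.locked_until = {}     # username -> time the lock expires
        self.reset_tokens = {}     # token -> (username, expiry time)
        self.clock = clock

    def login(self, username: str, password: str):
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return False, "Account temporarily locked. Try again later."
        stored = self.users.get(username)
        if stored is not None and secrets.compare_digest(stored.encode(), password.encode()):
            self.failures.pop(username, None)
            return True, "Welcome"
        # Same message for an unknown user and a wrong password: no username enumeration
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= LOCK_AFTER:
            self.locked_until[username] = now + LOCK_SECONDS
            self.failures.pop(username, None)
        return False, GENERIC_LOGIN_MSG

    def request_reset(self, username: str) -> str:
        if username in self.users:
            token = secrets.token_urlsafe(32)   # unguessable; travels only inside the email
            self.reset_tokens[token] = (username, self.clock() + RESET_TTL)
            # send_reset_email(username, token) would go here (hypothetical helper)
        return GENERIC_RESET_MSG   # identical reply either way; the password is untouched

    def use_reset_token(self, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.pop(token, None)   # pop: a token works exactly once
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        self.users[username] = new_password
        self.locked_until.pop(username, None)
        return True


if __name__ == "__main__":
    guard = LoginGuard({"alice": "constructed-pw"})
    for _ in range(3):
        print(guard.login("alice", "w-r-o-n-g"))   # generic message three times
    print(guard.login("alice", "constructed-pw"))  # locked, even with the right password
    print(guard.request_reset("alice") == guard.request_reset("nobody"))   # True
```

Because failures are also counted for unknown usernames, the lock behaviour itself cannot be used to tell registered names from unregistered ones.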
This is the most old-fashioned and stupid way. The database is one of the places most often attacked, and data leaks from it easily. In the past, SQL Injection bugs have leaked millions of customer records and credit card details. Never mind outside hackers: sometimes the database admin gets the urge and can look up customers' passwords. Outrageous, isn't it?
The right way to store passwords is one where only the user knows their own password. How? Read on.
So just encrypt it, done, let's go!!
Yep, the solution is fairly simple. You can use a hash function to protect the password like this:
1. Use a hash function to hash the user's password.
2. Store this hash in the database.
3. When the user logs in, hash the entered password and compare it with the one stored in the database.
The hash function must be one-way: it must be impossible to derive the input from the stored hash.
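The three steps above as an added Python example (mine, not the ebook's), using the standard library's PBKDF2 as the one-way hash. A per-user random salt is an addition beyond the text: without it, two users with the same password get the same hash and precomputed tables work. The stored string carries the algorithm, iteration count, salt and digest so a login can recompute the hash; the user table is constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # slows each guess down; raise as hardware gets faster


def hash_password(password: str, salt: bytes = None) -> str:
    """Step 1: one-way hash. PBKDF2-HMAC-SHA256 cannot be run backwards; the
    random salt (beyond the text) makes equal passwords hash differently."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Step 3: hash what the user typed with the stored salt and compare in
    constant time. Nothing here recovers the original password."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Step 2: only the hash string goes into the database (a dict stands in for it here)
USERS = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    stored = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the name exists
    return verify_password(password, stored or hash_password("")) and stored is not None


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(USERS["alice"])                                  # no plain password in here
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong"))                         # False
```

Because the stored string records its own iteration count, ITERATIONS can be raised later and old records still verify until the user's next login rehashes them.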
With this approach, when the user forgets their password, the system has no way to recover it and send it to them. The only option is to reset the password: generate a random new one and send it to the user.
How convenient, no need to reset the password. Wait, something is off here!! So Lotte stores my password directly in the database. If the database leaks, all my other accounts (and those of the other Lotte Cinema members) go down with it.
Terrifying!! I found this bug last year, and as of a few days ago it was still there untouched. That tells you how capable Lotte Cinema's IT department is. If you have a Lotte Cinema account, be careful.
Introduction
Why did I pick Lotte Cinema? Simply because a few months ago, while talking about passwords, I pointed out a horrifying security hole at Lotte Cinema: they store passwords in plain text.
To this day the hole has not been fixed, which proves two things: the Lotte Cinema web team lacks basic programming knowledge, and they don't care about maintenance and bug fixing. That means the website will have plenty of holes to exploit.
With that logic, I started looking for holes at Lotte out of curiosity. To my surprise, I found not one but several deadly vulnerabilities that could bring the whole system down.
Let's go fishing
First, look at the top-left corner of the browser. A website without HTTPS means everything you type in (username, password) can be stolen by a hacker who shares the same network line/wifi with you (see more on sniffing). That is why banks, Facebook, Gmail and e-payment sites all require HTTPS.
Next, we check the cookies. Download the EditThisCookie add-on to work with. Try logging in and look at what Lotte Cinema stores in the cookie.
You are not seeing things: that is your username right there. Well, let's charitably assume they store the username just to remind you when you need to log in again. Try changing it to another value and refreshing the page.
WHAT THE HELL!!! I have been switched to another account. Unbelievable. A security hole the size of a cartwheel exposed after 5 minutes of poking around. 1-0 to Lotte Cinema. (This bug is called impersonation.)
Hooking a shark by accident
By changing the cookie I got into someone else's account. Nice, user info right there! Let me try editing the info: works. Try booking a ticket: works too!
Oh, and I receive the current password too; Lotte's mail is really quick! Since an ordinary user tends to reuse the same password on many sites, I could try this username and password on a few other sites to get into their accounts. See how deadly this is??
Try changing the current password: works. Now I can log in with the new password. This is bug number 2: when changing a password, the user must be required to enter the old one. The score is now 2-0 to Lotte Cinema.
Conclusion
The security bugs I pointed out are nothing sophisticated! I'm not a security professional, so my attack techniques are only elementary, beginner-level stuff. The problem at Lotte Cinema is that they know nothing about security, which leaves the system very poorly protected.
As you have seen, this behaviour shows a lack of respect for customers and can also put users at risk. Lotte Cinema does, however, seem to have been very clever on the legal side, disclaiming all responsibility in its Terms of Agreement. Losing 3-0 yet bearing no responsibility at all; bravo, Lotte Cinema.
here: https://www.youtube.com/watch?v=CtnfOZmKR3A. Remember to like and subscribe via this link: https://www.youtube.com/c/toidicodedaoblog?sub_confirmation=1. I need 100 subscribers to request a custom URL for the Tôi đi Code dạo channel.
Update (30/08/2016)
After the post spread widely on social media, the party responsible for building the Lotte Cinema website contacted me directly. As of 1/9/2016 the security bugs in the post have provisionally been fixed.
Probing from the web
Opening lozi.vn, the first thing that hit me was the smallest bug: no HTTPS! Simply put, browsing a site that handles important information without HTTPS is like getting a massage, getting drunk, or having sex without a condom. A hacker can grab your data in the blink of an eye without you noticing anything. (See more on the security of the HTTP protocol.)
Next, I started poking around by opening Chrome Developer Tools. Don't underestimate it; this tool is awesome. So, let's see what we have here.
I know I'm handsome, but don't look at me; look at the circled area
On to the mobile app
A little-known fact: although I mostly write about C# and JavaScript, I'm actually quite familiar with Java and Android too. Enough showing off, back to the topic. Poking at the app isn't too complicated either. I only needed to download the apk from apkpure.com, then decompile it with a tool to get the source code of lozi's Android app.
It seems the lozi team didn't obfuscate the code before publishing, so it was intact. Since the team's code follows OOP and SOLID nicely, it was not hard for me to dig up the code that calls lozi's API. The piece that caught my attention was the call to the SearchUser API.
There is even a paging link
How the bug was handled
On the evening of Wednesday 16/11 I found this bug and began contacting lozi.vn.
On the afternoon of Friday 18/11 I got a reply from lozi's fanpage. About 5 minutes after I emailed the lozi team, the bug was fixed immediately.
On the morning of Saturday 19/11 I received a very thoughtful reply from the person in charge, even though it was a Saturday. Bravo lozi. A very different attitude from Lotte Cinema, who ignored me for more than half a month.
About 4-5 days after my report, lozi also rolled out HTTPS and added tokens to the APIs.
Remarks
Developers commonly assume these REST APIs are hidden: users don't see them, so they can't tamper with them. Unfortunately, developers and hackers can easily decompile the app and play with these APIs.
It isn't just the lozi team; most other teams are also quite careless about API security. A typical case is CGV leaking 3 million users through its mobile API. The Foody and Lozi teams, however, secure their APIs quite well; I poked around and got nothing.
In closing
This is the final part of the book. Sincere thanks for taking the time to read and support it!
One thing I have repeated throughout the series: never trust the user!! Never trust anything the user enters, never assume users can't edit JavaScript or poke around. Under the guise of a user, a hacker has every means of attacking the system. Remember that!
I post these write-ups only as a wake-up call, not to show off or anything else. "Proper" hackers have to plan their attacks or spend enormous effort researching to find a hole nobody has found before. What I did was just fumbling around with developers' sloppy mistakes, which is nothing to be proud of ;)). Any attack on or sabotage of a system just to "show off" is childish and thoughtless and can lead to "a tragic end". Think carefully before you act.
My one small hope is that this ebook reaches more people. If every programmer knew these basic security bugs, we would no longer see silly holes like the Lotte Cinema or vietnamwork ones. Please help me share it with more readers!
Remember that security is a very large field, and the security world is vast. New security bugs appear every day, no fewer than new technologies in programming. This introductory ebook only covers a tiny part of it (countless interesting topics such as social engineering and row hammering are not mentioned). So don't think that finishing the series means you know everything there is to know about security. Keep building your security knowledge and apply it to your code and designs.
The content of the book draws on the courses Hack Yourself First and Web Security OWASP Top 10 on Pluralsight, and a few other sources. The series has subtitles, so it is fairly easy to follow; those of you who know English can give it a try.
About the author
Phạm Huy Hoàng is currently pursuing a Master's degree in Computer Science at Lancaster University, UK. In the UK, Hoàng also works as a Full-stack Developer for the university. He has discovered and disclosed security vulnerabilities at Lotte Cinema and Lozi.vn.
Hoàng is also the owner of the fairly well-known Vietnamese blog Tôi đi Code Dạo. He has more than 4 years of experience in software and is passionate about researching security, web technology, and new technologies such as Machine Learning and Cognitive computing.