Web. WebAP. WebAP. WebAP 2.1 [7][8] OWASP *2 [1] OWASP. Skrupsky

Size: px

Start display at page:

Download "Web. WebAP. WebAP. WebAP 2.1 [7][8] OWASP *2 [1] OWASP. Skrupsky"

Noreen Porter
5 years ago
Views:

1 Web 1,a) 1 Web WebAP WebAP WebAP WebAP Java WebAP WebAP 1. WebAP WebAP WebAP WebAP Skrupsky [7][8] Skrupsky PHP CMS *1 PHP CMS Java WebAP Java WebAP WebAP 1 INSTITUTE of INFORMATION SECURITY a) mgs124503@iisec.ac.jp *1 Content Management System WebAP WebAP OWASP *2 [1] OWASP 2013 Top10[2] A1 A4 CWE *3 CWE-472 External Control of Assumed-Immutable Web Parameter [3] CWE-639 Authorization Bypass Through User-Controlled [4] Parameter TamperingParameter Manipulation *2 The Open Web Application Security Project *3 Common Weakness Enumeration c 1959 Information Processing Society of Japan 1

2 Parameter Pollution [5] Taint Analysis [6] [9] Web URL AP WebAP 2.2 Skrupsky [8] Basic Parameter Tampering Attack maxlength, Negative Parameter Tampering Attack Tampering based Sequencing Attack WebAP CSRF * CMS Joomla! *4 Cross Site Request Forgeries 2.3 SQL CSRF Prithvi 2011, WAPTEC[7] PHP CMS DCP-Portal Skrupsky 2013 WAF *5 HTTP TamperProof[8] TamperProof HTTP ID CSRF HTTP Ajax ( 1 ) WebAP WebAP *5 Web Application Firewall c 1959 Information Processing Society of Japan 2

3 ( 2 ) Ajax HTML5 WebAP WebAP ( 3 ) HTTP WebAP HTTP WebAP WebAP 3. WebAP WebAP WebAP 3.1 WebAP WebAP WebAP WebAP WebAP WebAP DB WebAP TERASOLUNA FW *6 TERASOLUNA FW WebAP Struts1 MyBatis Spring framework WebAP WebAP *6 NTT TERASOLUNA Server Framework for Java Web Java WebAP JSP HTML WebAP *7 HTML input CSS id class form ( 1 ) ( 2 ) ( 3 ) *7 kazina.com, c 1959 Information Processing Society of Japan 3

4 ( 4 ) ( 5 ) DB 4 AP 5 WebAP WebAP * WebAP WebAP *8 Salseforce.com PaaS Force.com WebAP WebAP Data Transfer Object HTTP Struts1 TERASOLUNA FW AP * 9 WebAP WebAP 3 Java WebAP 3 WebAP Struts1 RequestProcessor ActionForm TERASOLUNA RequestProcessorEX ActionForm Struts2 ActionInvocation ValueStack SpringMVC 2.5- DispacherSevlet Session Session DispacherSevlet POJO Controller HTTP ID ID *9 Struts WAS ActionForm c 1959 Information Processing Society of Japan 4

3 3.4 Web URL Web AP URL ID WebAP 4. 4.1 WAF WebAP 4 4.1.1 OWASP Stinger OWASP Stinger * 10 OWASP WAF SQL Java ServletFilter WebAP *10 OWASP Stinger Project, https://www.owasp.org/index.

5 3 3.4 Web URL Web AP URL ID WebAP WAF WebAP OWASP Stinger OWASP Stinger * 10 OWASP WAF SQL Java ServletFilter WebAP *10 OWASP Stinger Project, OWASP Stinger Project Struts1 Struts Java WebAP Java WebAP WebAP Struts1 WebAP WebAP WebAP WebAP WebAP Sruts1 WebAP Struts1 WebAP TERASOLUNA FW Struts1 TERASOLUNA FW WebAP SpringMVC SpringMVC Spring Framework MVC DI WebAP Struts1 WebAP [10] SpringMVC HTTP [11] c 1959 Information Processing Society of Japan 5

6 4 TamperProof HTTP OWASP Stinger ServletFilter Struts1 TERASOLUNA SpringMVC A ServletFilter B ServletFilter C ServletFilter HTTP Stinger TamperProof HTTP WebAP. OWASP Stinger ServletFilter WebAP TERASOLUNA FW SpringMVC Struts1 TERASOLNA FW SpringMVC WebAP WebAP WebAP 4.2 WebAP * 11 *11 ( 1 ) ( 2 ) ( 3 ) (URL) 2 HTTP WAF WAF WebAP WebAP AP Servlet ServletFilter HTTP c 1959 Information Processing Society of Japan 6

1 2 3 TamperProof ID WebAP 4.2.3 3 A) Java Java B) C) HTTP HTTP HTTP TamperProof 4.

7 1 2 3 TamperProof ID WebAP A) Java Java B) C) HTTP HTTP HTTP TamperProof ) MVC ) ) ) TamperProof JavaScript URL 5 5 A B C A A Java c 1959 Information Processing Society of Japan 7

8 A B B B C WebAP WebAP WebAP WebAP C 5. WebAP Java WebAP WebAP WebAP WebAP WebAP Java PHP SpringMVC RESTfulWeb WebAP WebAP SpringWebFlow SpringMVC [1] OWASP: Web Parameter Tampering. (online), Web Parameter Tampering, ( ). [2] OWASP: Top (online), Top 10, ( ). [3] CWE: CWE-472: External Control of Assumed- Immutable Web Parameter. (online), ( ). [4] CWE: CWE-639: Authorization Bypass Through User-Controlled Key. (online), ( ). [5] Marco Balduzzi: HTTP Parameter Pollution Vulnerabilities in Web Applications, Black Hat Europe 2011 (2011). [6] David Brumley: Taint Analysis. (online), dbrumley/courses/ f10/files/taint-analysis-overview.pdf, ( ). [7] Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, V.N. Venkatakrishnan.: WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction, CCS 2011 (2011). [8] Nazari Skrupsky, Prithvi Bisht, Timothy Hinrichs, V. N. Venkatakrishnan, Lenore Zuck.: TamperProof: A Server-Agnostic Defense for Parameter Tampering Attacks on Web Applications, CODASPY 2013 (2013). [9] : Joomla (online), ( ). [10] : Eclipse Java 4, (2013). [11] soracane: 03 Binder (online), springnitsuite/spring-mvc/04-ji-ben-gai-niancontrollerno-chu-lifuro, ( ). c 1959 Information Processing Society of Japan 8

Q Web Attack Analysis Report

Q Web Attack Analysis Report Security Level Public CDNetworks Q4 2016 Web Attack Analysis Report 2017. 2. Security Service Team Table of Contents Introduction... 3 Web Attack Analysis... 3 Part I. Web Hacking Statistics... 3 Part