  • Information Security Lab 4: information-security

    title: authentication
    date: 2016-01-13 14:33:22
    categories: information-security
    tags: authentication

    • Exercise1
    • There are many bugs and vulnerabilities in the current utility for transferring money.
      Find as many bugs as you can. For now, just focus on bugs that an adversary can trigger
      by giving unanticipated values to the transfer page.
      Think carefully about what kinds of inputs an attacker might provide,
      and try them out by entering them on the transfer page.
      Please write down detailed descriptions of your observations in bugs.txt.
      (You should find at least 4 different bugs.)
       This site has the following vulnerabilities:
       (1) The transfer amount is not checked against the sender's own balance
       (2) The transfer amount is not checked for being negative
       (3) The upper bound of the recipient's balance is not checked
       (4) The lower bound of the sender's balance is not checked
       (5) The existence of the recipient account is not checked
      

    • Exercise2
    • Fix as many bugs as you can
    	In the handlePostTransfer function in handle.c
    	we add one statement that checks whether the input is valid
    	and decides whether the balances in the database may be modified:
    	  /* reject the transfer unless every field passes the checks;
    	     fromBalace and toBalace are the sender's and recipient's current balances */
    	  if(money<0 || !Db_checkUser(to) || strcmp(from, to) == 0
    		 ||(money > fromBalace) || (toBalace + money <0))
    	  {
    		  handlePostLogin (fd, from, 0, 0);   /* back to the account page, nothing changed */
    		  return;
    	  }
    	The experiment shows that this successfully blocks the vulnerabilities found in Exercise 1.
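A hardened version of the same check, added here as an example and not taken from the lab's handle.c: it reports a distinct reason for each of the five bugs listed in Exercise 1 and tests the recipient's bound before adding, so the sum itself can never overflow. user_exists and known_users are constructed stand-ins for the lab's Db_checkUser; refusing a zero amount goes slightly beyond the page's money<0 test.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Reasons a transfer is refused; TRANSFER_OK means every check passed. */
enum transfer_result {
    TRANSFER_OK = 0,
    TRANSFER_BAD_AMOUNT,        /* bug (2): amount negative (or zero) */
    TRANSFER_UNKNOWN_RECIPIENT, /* bug (5): transfer_to does not exist */
    TRANSFER_SAME_ACCOUNT,      /* from == to: a no-op that only masks errors */
    TRANSFER_INSUFFICIENT,      /* bugs (1)/(4): sender would go below zero */
    TRANSFER_OVERFLOW           /* bug (3): recipient balance would overflow */
};

/* Constructed user list standing in for the lab's Db_checkUser(). */
static const char *const known_users[] = { "a", "b", "c" };

static int user_exists(const char *name) {
    for (size_t i = 0; i < sizeof known_users / sizeof known_users[0]; i++)
        if (strcmp(known_users[i], name) == 0) return 1;
    return 0;
}

/* Validate a transfer before the database is touched. Balances and amount are
   long long so the overflow test below is exact for any value the form can send. */
enum transfer_result check_transfer(const char *from, const char *to,
                                    long long from_balance, long long to_balance,
                                    long long money) {
    if (money <= 0) return TRANSFER_BAD_AMOUNT;
    if (!user_exists(to)) return TRANSFER_UNKNOWN_RECIPIENT;
    if (strcmp(from, to) == 0) return TRANSFER_SAME_ACCOUNT;
    if (money > from_balance) return TRANSFER_INSUFFICIENT;
    /* Test before adding: computing to_balance + money first is undefined on overflow. */
    if (to_balance > LLONG_MAX - money) return TRANSFER_OVERFLOW;
    return TRANSFER_OK;
}

int main(void) {
    /* Constructed scenarios, one per bug from Exercise 1. */
    printf("%d\n", check_transfer("a", "b", 100, 50, 20));       /* 0: accepted */
    printf("%d\n", check_transfer("a", "b", 100, 50, -20));      /* 1: negative */
    printf("%d\n", check_transfer("a", "zz", 100, 50, 20));      /* 2: no such user */
    printf("%d\n", check_transfer("a", "b", 10, 50, 20));        /* 4: insufficient */
    printf("%d\n", check_transfer("a", "b", 100, LLONG_MAX, 1)); /* 5: overflow */
    return 0;
}
```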
    

    • Exercise3

    • Read the source code of the login web page (in your browser) and the server's source code.
      Make sure you understand how the server identifies who is transferring.

       First, when a new user logs in,
       the server receives the fd and hands it to the httpd process;
       the httpd process then parses the client request:
       GET requests are forwarded to the filesv process,
       POST requests are forwarded to the banksv process.
      
       Before a transaction,
       the banksv process parses the body of the request,
       obtains the transfer amount, the parties involved and so on,
       and then updates the database.
      
       So if we send a POST request
       with a forged request body,
       the transfer goes through without the account owner's involvement.
      

    • Exercise4

    • Try to construct a POST request for a money transfer
      which steals money from some account if you know the victim's account.
      You can use browser.c or a tool such as Firebug to construct the request.

        /* the raw request, one header per line; the body is 72 bytes, matching Content-Length */
        char *req="POST / HTTP/1.1\r\n"
                  "Host: 127.0.0.1\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "Content-Length: 72\r\n"
                  "\r\n"
                  "transfer_from=a&transfer_to=b&transfer_money=20&submit_transfer=Transfer";
        
      

    • Exercise5
    	A cookie is generated when the user logs in,
    	and the cookie is verified whenever the user operates on an account balance, so that the data cannot be manipulated maliciously.
    	So that the cookie value is not the same every time, we generate it from the combination of the login time and the user name.
    	After the cookie is generated, the server sends it to the browser;
    	before a transfer is carried out, the cookie in the POST request is compared with the cookie held by the server:
    	if they match the transfer proceeds, otherwise it is refused.
    	Now, when we make a transfer, a packet-capture tool can capture the cookie field.
    	In detail:
    	The server generates the cookie when the user logs in and sends it to the browser:
    	  productCookie(name,logintime);
    	  strcpy(cookieGet,cookie);
    	  write(fd,cookieGet,strlen(cookieGet));
    	Reading the cookie from the browser's request:
    	  Header_t head=tree->headers;
    	  cookieGet[0]='\0';                 /* start empty so a previous request's cookie is not reused */
    	  while(head)
    	  {
    		if(strcmp(head->key,"Cookie:")==0)
    		  strcat(cookieGet,head->value);
    		head=head->next;
    	  }
    	Validating the request:
    	  if(validCookie(cookieGet,from))    /* non-zero means the cookie does not belong to 'from' */
    	  {
    		handlePostLogin(fd,from,0,0);
    		return;
    	  }
    	Cookie generation function:
    	  char cookie[256]="Set-cookie:mycookie=";   /* sized for name + '#' + ctime() string + attributes */
    	  static char cookieGet[256]="";
    	  //product cookie: build "Set-cookie:mycookie=<name>#<logintime>;path=/;domain=127.0.0.1"
    	  void productCookie(char *name,char *time)
    	  {
    		int len=strlen(time);
    		char cookie1[100]="";
    		char cookie2[200]="";
    		strcat(cookie2,name);
    		strcat(cookie2,"#");
    		if(len>0 && time[len-1]=='\n')    /* drop the trailing newline that ctime() appends */
    		  len--;
    		strncpy(cookie1,time,len);
    		strcat(cookie2,cookie1);
    		strcat(cookie,cookie2);
    		strcat(cookie,";path=/;domain=127.0.0.1\r\n\r\n");
    	  }
    	Cookie validation function:
    	  int validCookie(char *parameter,char *name)
    	  {
    		char cookie1[100]="";
    		char cookie2[100]="";
    		int i=0;
    		int k=0;
    		int flag=0;
    		if(parameter[0]=='\0')            /* no Cookie header at all: reject */
    		  return 1;
    		/* copy everything after the first '=' (the value of mycookie) into cookie1 */
    		for(;i<strlen(parameter) && k<99;i++)
    		{
    		  if(flag)
    		  {
    			cookie1[k]=parameter[i];
    			k++;
    		  }
    		  if(parameter[i]=='=')
    			flag=1;
    		}
    		/* the user name is the part of the value before '#' */
    		i=0;
    		while(i<strlen(cookie1) && cookie1[i]!='#')
    		{
    		  cookie2[i]=cookie1[i];
    		  i++;
    		}
    		return strcmp(cookie2,name);      /* 0 only when the cookie's user matches 'name' */
    	  }
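An alternative to the name#logintime cookie above, added here as an example and not the lab's own code: the server issues a random token at login, keeps a server-side table binding each token to its user, and accepts a transfer only when the token in the Cookie: header is bound to transfer_from. This removes the guessable construction (user name plus a login time that is itself printed on the page); a token captured on the wire, as in Exercise 6, can still be replayed until it expires, which is what transport encryption is for. The session_* names and the table layout are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SESSIONS 16
#define TOKEN_LEN 32   /* 16 random bytes, hex-encoded */
/* Constructed server-side session table binding each token to one user. */
typedef struct { int used; char user[32]; char token[TOKEN_LEN + 1]; } Session;
static Session sessions[MAX_SESSIONS];

/* Compare all TOKEN_LEN bytes so timing does not reveal the first mismatch. */
static int ct_equal(const char *a, const char *b) {
    unsigned char diff = 0;
    for (size_t i = 0; i < TOKEN_LEN; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Fill out[] with a fresh hex token read from /dev/urandom; 0 on success. */
int session_new_token(char out[TOKEN_LEN + 1]) {
    unsigned char raw[TOKEN_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(raw, 1, sizeof raw, f) != sizeof raw) { if (f) fclose(f); return -1; }
    fclose(f);
    for (size_t i = 0; i < sizeof raw; i++) sprintf(out + 2 * i, "%02x", (unsigned)raw[i]);
    return 0;
}

/* Bind a token to a user at login; 0 on success, -1 if the table is full. */
int session_create(const char *user, const char *token) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].used) continue;
        sessions[i].used = 1;
        snprintf(sessions[i].user, sizeof sessions[i].user, "%s", user);
        snprintf(sessions[i].token, sizeof sessions[i].token, "%s", token);
        return 0;
    }
    return -1;
}

/* Given the raw Cookie: value and transfer_from, return 1 only when mycookie is a live token bound to that user. */
int session_valid(const char *cookie_header, const char *from) {
    const char *p = strstr(cookie_header, "mycookie=");
    if (!p) return 0;
    p += strlen("mycookie=");
    if (strcspn(p, "; \r\n") != TOKEN_LEN) return 0;  /* wrong length: not one of ours */
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].used && ct_equal(p, sessions[i].token) &&
            strcmp(sessions[i].user, from) == 0)
            return 1;
    return 0;
}
```

The login handler would call session_new_token, then session_create, and send the token in the Set-cookie header in place of name#logintime; the transfer handler replaces validCookie with session_valid.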
    

    • Exercise6
    • Use Wireshark to steal the cookie,
      and then use the cookie to make a fake POST request.
      Send the request to the server and transfer someone else's money.
      • Capture packets to steal the cookie
       /* the captured cookie is replayed in the Cookie: header; the body is 72 bytes, matching Content-Length */
       char *req="POST /index.html HTTP/1.1\r\n"
                 "Host: 127.0.0.1\r\n"
                 "User-Agent: Mozilla/5.0 Firefox/43.0\r\n"
                 "Cookie: mycookie=a#Sun Dec 27 22:20:52 2015\r\n"
                 "Connection: keep-alive\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 72\r\n"
                 "\r\n"
                 "transfer_from=a&transfer_to=b&transfer_money=20&submit_transfer=Transfer";
      

    • Exercise7
    • Encrypt the cookie
       Cookie encryption: our cookie is transmitted in plaintext; now, with a simple encryption function, it travels over the network in ciphertext form.
       Encrypt when the cookie is generated:
       key(cookie2);
       Decrypt when the cookie is validated:
       unkey(cookie1);
       /* shift each byte by its position plus 5 */
       void key(char *test)
       {
         int i;
         int count=strlen(test);
         for(i=0;i<count;i++)
         {
       	test[i]=test[i]+i+5;
       	if((int)test[i]>126)   /* clamp to printable ASCII; this step is lossy, unkey cannot undo it */
       	  test[i]='~';
         }
         test[i]='\0';
       }
      
       /* reverse the shift; bytes that were clamped to '~' do not come back to their original value */
       void unkey(char *test)
       {
         int count=strlen(test);
         int i;
         for(i=0;i<count;i++)
       	test[i]=test[i]-i-5;
         test[i]='\0';
       }
      
    ========================If I have got anything wrong, please leave me a message, thanks.========================
  • Original article: https://www.cnblogs.com/ailx10/p/5251649.html