Securing Web Services with mod_security, Part 2 (2)
In the directive above, the regular expression <\s*id[^>]*>.{6,}</\s*id\s*> limits the buffer variable to 5 characters: any <id> element whose content is 6 or more characters long matches the pattern, and mod_security denies the request. To check that the block above actually works, Blue Bank can send two requests, one that stays within the limit and one that exceeds it.
POST /axis/getBalance.jws HTTP/1.0
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 576
Expect: 100-continue
Host: www.bluebank.example.com

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:tns="http://www.bluebank.example.com/axis/getBalance.jws"
  xmlns:types="http://www.bluebank.example.com/axis/getBalance.jws/encodedTypes"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <q1:getInput xmlns:q1="http://DefaultNamespace">
      <id xsi:type="xsd:string">12123</id>
    </q1:getInput>
  </soap:Body>
</soap:Envelope>

...

HTTP/1.1 200 OK
Date: Mon, 03 Jan 2005 19:24:10 GMT
Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
Set-Cookie: JSESSIONID=69c6540cc427a8b064c0795addfc20ea; Path=/axis
Content-Type: text/xml;charset=utf-8
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <ns1:getInputResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:ns1="http://DefaultNamespace">
      <ns1:getInputReturn xsi:type="xsd:string">$2500</ns1:getInputReturn>
    </ns1:getInputResponse>
  </soapenv:Body>
</soapenv:Envelope>
In the example above, a 5-character value is passed to the web service, which accepts it and returns a balance of $2500. The next example changes 12123 to 121234. The new value is 6 characters long, and the response is different, as shown below:
POST /axis/getBalance.jws HTTP/1.0
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 577
Expect: 100-continue
Host: www.bluebank.example.com

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:tns="http://www.bluebank.example.com/axis/getBalance.jws"
  xmlns:types="http://www.bluebank.example.com/axis/getBalance.jws/encodedTypes"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <q1:getInput xmlns:q1="http://DefaultNamespace">
      <id xsi:type="xsd:string">121234</id>
    </q1:getInput>
  </soap:Body>
</soap:Envelope>

...

HTTP/1.1 500 Internal Server Error
Date: Mon, 03 Jan 2005 22:00:33 GMT
Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4
Content-Length: 657
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator, you@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
<p>More information about this error may be available in the server error log.</p>
<hr />
<address>Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4 Server at 192.168.7.50 Port 80</address>
</body></html>
The mod_security module rejected the request and returned status 500. The body is Apache's generic error page rather than a SOAP fault from Axis, which shows that the request never reached the web service layer at all. Blue Bank has successfully defended against the most common, and most often overlooked, buffer overflow attack. One caveat when reading such results: a genuine application failure also produces a 500, so confirm from mod_security's audit log, not from the status code alone, that it was the filter that denied the request. (Translator's note: HTTP defines status 500 as an internal server error.)
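The following script is an added example, not code from the original article or from mod_security. It reproduces the two-request check above offline: the page's rule regex (with the dropped backslashes restored) is applied to constructed SOAP payloads of the same shape as the getBalance requests, so the 5-character and 6-character cases can be checked without a server. It also goes beyond the page in two ways that are my own assumptions, not the article's policy: a hardened variant of the rule that still counts a value split across lines (in PCRE and in Python's re, `.` does not match a newline, so `121\n234` passes the page's pattern), and a positive allowlist that accepts only 1 to 5 digits, which rejects oversize values and the %, ' and " metacharacters of the next section alike.

```python
import re

# The page's mod_security rule pattern with the dropped backslashes restored.
# mod_security applies it to the POST payload and denies any request it matches.
PAGE_RULE = re.compile(r"<\s*id[^>]*>.{6,}</\s*id\s*>")

# Assumption, not from the page: '.' does not match a newline in PCRE or in
# Python's re, so an id value split across lines slips past PAGE_RULE.
# [\s\S] matches any character including newline and closes that gap.
HARDENED_RULE = re.compile(r"<\s*id[^>]*>[\s\S]{6,}</\s*id\s*>")

# Assumption, not from the page: positive validation. Extract the id value
# and accept only 1 to 5 digits, so oversize values and metacharacters
# such as %, ' and " are all rejected by one check.
ID_ELEMENT = re.compile(r"<\s*id[^>]*>([\s\S]*?)</\s*id\s*>")
ALLOWED_ID = re.compile(r"[0-9]{1,5}")

# Constructed SOAP envelope in the shape of the getBalance requests on the
# page; only the id value varies between test cases.
ENVELOPE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
    '<soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<q1:getInput xmlns:q1="http://DefaultNamespace">'
    '<id xsi:type="xsd:string">%s</id>'
    "</q1:getInput></soap:Body></soap:Envelope>"
)


def soap_payload(id_value):
    """Build the POST body Blue Bank would send for a given id value."""
    return ENVELOPE % id_value


def rule_denies(payload, rule=PAGE_RULE):
    """True if a SecFilterSelective-style deny regex matches the payload."""
    return rule.search(payload) is not None


def id_allowed(payload):
    """True if the first <id> element carries an allowlisted value."""
    match = ID_ELEMENT.search(payload)
    if match is None:
        return False
    return ALLOWED_ID.fullmatch(match.group(1)) is not None


def evaluate(id_value):
    """Run one id value through the page rule, the hardened rule and the allowlist."""
    payload = soap_payload(id_value)
    return {
        "page_rule_denies": rule_denies(payload),
        "hardened_rule_denies": rule_denies(payload, HARDENED_RULE),
        "allowlist_accepts": id_allowed(payload),
    }


if __name__ == "__main__":
    # 12123 and 121234 are the page's two test values; the other two are
    # constructed edge cases: a newline inside the value and a short value
    # carrying a single quote.
    for value in ("12123", "121234", "121\n234", "1'"):
        print(repr(value), evaluate(value))
```

The newline case is the one to take away: a deny regex built on `.` measures only the first line of the value, whereas a short allowlist on the extracted value has no such blind spot and also covers the metacharacter threat discussed next.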
Attack 2: metacharacter injection
Another major threat to input variables comes from metacharacters such as %, the single quote (') and the double quote ("). These characters can lead to SQL injection attacks and may cause unintended information leakage. The following policy protects the web service against this class of attack.
(Source: www.iocblog.net; compiled by iocblog)