Deloitte Interview

Deloitte interview recap

The questions asked included:

  1. Log forging & mitigation
  2. Mobile local storage, what should you look for? How would you look for?
  3. XML External Entity attack & mitigation
  4. vulnerability assessment & pen-testing differences?
  5. Keychain what would you look for? How to find key in keychain?

1. Differences between Vulnerability Assessment and Pen-testing

A Vulnerability Assessment uses automated scanning tools (Nessus, Qualys) to scan known networks, operating systems, web applications, servers and so on. Using automated tools gives an overall picture of the company's network. A vulnerability scan is a way to learn, in a very short time, about the vulnerabilities across a large number of systems. A Vulnerability Assessment assigns a technical risk rating based only on the vulnerability's signature. However, a vulnerability scanner still cannot replace a penetration test, because there are vulnerabilities it cannot find.

A Penetration Test is an assessment of known or unknown vulnerabilities in web applications, operating systems, servers, networks and so on. If a vulnerability is exploited, the pen-test can show what data could be obtained. For example, a system is missing a patch, and that vulnerability allows an attacker to obtain credit card data.

The Payment Card Industry Data Security Standard (PCI DSS) also mentions the difference between them. PCI DSS Requirement 11.2 describes Vulnerability Assessment, and Requirement 11.3 describes Penetration Testing.

11.2 - A vulnerability scan is an automated tool run against external and internal network devices and servers, designed to expose potential vulnerabilities that could be found and exploited by malicious individuals. (Page 91)

11.3 - A penetration test differs from a vulnerability scan, as a penetration test is an active process that may include exploiting identified vulnerabilities. Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. (Page 93)

2. Log forging & mitigation

2.1 Introduction

Common logging methods:

  1. System output (System.out.println)
  2. 3rd party logging library (log4j, commons logging, etc)
  3. DB logging

System output

System output usually does not record things such as the user's login time.

3rd party logging library

More commonly used. Only basic configuration is needed to record basic, or even advanced, information.

DB logging

Usually used for auditing.

As described in CWE-117, log forging is an attacker injecting malicious code into logs or forging log entries.

The following conditions must be met:

  1. Data comes from an untrusted source
  2. That data is written to an application or system log

In simple terms, log forging is the ability of an attacker to exploit an application vulnerability and inject bogus/unwanted/useless lines into application logs.

The purpose of injecting malicious code is easy to understand, e.g. an XSS attack or command injection. Forging log entries, on the other hand, is done to:

  1. Mislead developers into believing there is a new "vulnerability" or an illegal operation, such as a newly created user
  2. Cover up the attacker's own activity

String someVar = getRequestParameter("xyz"); // untrusted input taken straight from the request
log("Data is: " + someVar);                  // written to the log without neutralising newlines

Normal request and the corresponding log

?xyz=my name is Bob

[2012-03-15 02:04:31] [bob] Data is: my name is Bob

Malicious request and the corresponding log

?xyz=my name is Bob\r\n[2012-03-15 02:04:39] [mary] Mary created new user\r\n[2012-03-15 02:04:46] [josh] Josh logged out\r\n[2012-03-15 02:04:55] [susan] Susan performed an important transaction

[2012-03-15 02:04:31] [bob] Data is: my name is Bob
[2012-03-15 02:04:39] [mary] Mary created new user
[2012-03-15 02:04:46] [josh] Josh logged out
[2012-03-15 02:04:55] [susan] Susan performed an important transaction

2.2 Mitigation

  1. Input validation
    But this approach may be hard to implement, because you need to validate a large amount of data, and a validation mistake may cause you to lose some important log entries.
  2. Prevent new line characters
    • Replace CRLF with "_": ensures the attacker cannot start a new entry via a newline
  3. Encode output
    Only applies when the log is viewed in a browser; if the log is a txt file, it does not apply.
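The following is an added example (not code from the original post or from any of the references) that puts the malicious request from section 2.1 through a small logging helper with and without the mitigations above. Mitigation 2 is implemented as a regex that replaces every line-break character with "_", extended to the Unicode line separators that reference 7 warns about; mitigation 3 is a minimal HTML encoder for the browser-viewed case. The class and method names are assumptions, and the request value and timestamps are constructed samples.

```java
import java.util.regex.Pattern;

/**
 * Added example, not code from the original post: log forging with and without
 * the CRLF-replacement mitigation. Names are assumptions; inputs are constructed.
 */
public class LogForgingDemo {

    // CR, LF, vertical tab, form feed, NEL and the Unicode line/paragraph
    // separators: all of these can start a new line in some log viewers.
    private static final Pattern LINE_BREAKS =
            Pattern.compile("[\\r\\n\\u000B\\f\\u0085\\u2028\\u2029]");

    // Mitigation 2: replace every line break with "_" so the value can never
    // terminate the current entry and start a forged one.
    static String sanitizeForLog(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        return LINE_BREAKS.matcher(untrusted).replaceAll("_");
    }

    // Mitigation 3: HTML-encode the value when the log is rendered in a browser.
    // This does nothing about newlines, which is why it is combined with the above.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // One log entry in the post's format: [timestamp] [user] message
    static String formatEntry(String timestamp, String user, String message) {
        return "[" + timestamp + "] [" + user + "] " + message;
    }

    // Simple check a log reviewer can apply: a well-formed entry is exactly one line.
    static boolean isSingleLine(String entry) {
        return !LINE_BREAKS.matcher(entry).find();
    }

    public static void main(String[] args) {
        // Constructed sample: the malicious ?xyz= value from section 2.1.
        String xyz = "my name is Bob\r\n[2012-03-15 02:04:39] [mary] Mary created new user";

        String forged = formatEntry("2012-03-15 02:04:31", "bob", "Data is: " + xyz);
        String safe = formatEntry("2012-03-15 02:04:31", "bob",
                "Data is: " + htmlEncode(sanitizeForLog(xyz)));

        System.out.println("-- vulnerable: the value splits into two entries, one forged --");
        System.out.println(forged);
        System.out.println("single line? " + isSingleLine(forged));

        System.out.println("-- mitigated: one entry, the newline is now an underscore --");
        System.out.println(safe);
        System.out.println("single line? " + isSingleLine(safe));
    }
}
```

Running the class prints the forged two-line output first and then the single sanitised entry, where Mary's "new user" text is still visible but stays inside Bob's entry, so a reviewer reading the log sees it as part of the request data rather than as a separate event.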

3. XXE

http://www.ninoishere.com/xxe/

5. Keychain

stackoverflow

References

Part I

Vulnerability Assessments and Penetration Tests | SecureState

Part II

  1. What is log forging
  2. OWASP - Log Forging
  3. What works in app sec log forging
  4. Year of Security for Java – Week 12 – Log Forging Prevention
  5. Log forging 中文
  6. Preventing log forging in Java
  7. Injecting new line characters (e.g. CR LF) into security logs with Unicode