- These functions let us replace the SELECT statement.
b. Using PayPal
We go through the following steps to complete a payment through the PayPal payment gateway.
- Step 1:
+ After deciding to buy a product/service on a website that has the PayPal online payment gateway integrated, and choosing to pay with your own PayPal account, you are redirected to the PayPal login page.
+ Enter the email address and password of your PayPal account; click Login to sign in to the account.
+ In this step the system generates a code (the secure code) and stores it in the database.
- Step 2:
+ After logging in to PayPal, check the Price, Quantity and Total of the transaction you are about to pay for. If all the information is correct, choose Continue to carry on with the payment.
- Step 3:
+ After you press Continue, PayPal redirects you back through the return_url parameter that we configured in the file system/libraries/Payment_pp.php above.
+ The system checks the returned data against the secure code above; if it matches, the invoice is updated to Pending (being processed). After the account owner has checked the order in the system and in their own PayPal account, if everything is correct the invoice status is updated to Complete (successful) and the goods are shipped to the customer.
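The secure-code check of Step 3, as an added example that is not the book's Payment_pp.php: the code is issued when the order is created, verified when PayPal redirects back through return_url, and only then is the invoice moved to Pending. The table and column names, the in-memory SQLite store and the helper names are assumptions made for the example.

```php
<?php
// Added example (not the book's Payment_pp.php): issue a secure code when the
// order is created, verify it on the return_url callback, then mark Pending.
// An in-memory PDO/SQLite table stands in for the real database (assumed schema).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL, secure_code TEXT, status TEXT)');

// Step 1: create the order and store a random, single-use secure code with it.
function createOrder(PDO $db, float $total): array
{
    $code = bin2hex(random_bytes(16));            // 128-bit random token, unguessable
    $stmt = $db->prepare('INSERT INTO orders (total, secure_code, status) VALUES (?, ?, ?)');
    $stmt->execute([$total, $code, 'New']);
    return ['id' => (int) $db->lastInsertId(), 'secure_code' => $code];
}

// Step 3: called from the return_url handler with the values PayPal sends back.
// Returns the resulting status, or null when the order or the code does not match.
function handlePaypalReturn(PDO $db, int $orderId, string $codeFromUrl): ?string
{
    $stmt = $db->prepare('SELECT secure_code, status FROM orders WHERE id = ?');
    $stmt->execute([$orderId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant-time comparison so the code cannot be guessed byte by byte.
    if ($row === false || !hash_equals($row['secure_code'], $codeFromUrl)) {
        return null;                              // reject: unknown order or wrong code
    }
    if ($row['status'] !== 'New') {
        return $row['status'];                    // already processed: do not re-run
    }
    // Mark Pending; the shop owner reconciles with PayPal later and sets Complete.
    $db->prepare('UPDATE orders SET status = ? WHERE id = ?')->execute(['Pending', $orderId]);
    return 'Pending';
}

$order = createOrder($db, 49.90);
var_dump(handlePaypalReturn($db, $order['id'], 'wrong-code'));          // rejected
var_dump(handlePaypalReturn($db, $order['id'], $order['secure_code'])); // moved to Pending
var_dump(handlePaypalReturn($db, $order['id'], $order['secure_code'])); // replay: unchanged
```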
6.2. Security for web applications
Today, website security is a very important issue for web developers. Every web application can be attacked in various ways, for instance by cross-site scripting (XSS) and cross-site request forgery (CSRF, an attack that uses the authenticated session of the website's administrator). Another especially dangerous attack is SQL injection. We can, however, greatly reduce these attacks and improve the security of our website if we understand them and find ways to deal with them. Below we look at a number of attack techniques and how to remedy them.
6.2.1. HTML injection and Cross-site scripting
Cross-Site Scripting (XSS) is one of the most common attack techniques today, and at the same time one of the most important security issues for web developers and for users of websites alike. Any website that lets users post content without strictly checking it for dangerous code may harbour XSS flaws.
Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with CSS, the Cascading Style Sheets of HTML), is an attack technique that inserts into dynamic websites (ASP, PHP, JSP, ...) HTML tags or dangerous script fragments that can harm other users. The injected code is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and it can also be plain HTML tags. XSS quickly became one of the most common flaws in web applications, and the threat it poses to users keeps growing. The winner of the eWeek OpenHack 2012 contest was the person who found two new XSS flaws. Is it not the case that the danger of XSS draws more and more attention?
6.2.1.1 How XSS works
Fundamentally XSS, like SQL Injection or Source Injection, consists of requests sent from client machines to the server in order to insert content that escapes the server's control. It may be a request sent from a data-entry form, or it may simply be a URL such as:
http://www.example.com/search.cgi?query=<script>alert('XSS was found !');</script>
And of course your browser will then show an alert saying "XSS was found !". The code inside the script tag is not limited in any way, because it can be replaced entirely by a source file on another server through the src attribute of the script tag. That is precisely why we cannot yet fully gauge how dangerous XSS flaws are.
But whereas other attack techniques can alter the web server's source data (source code, structure, database), XSS only harms the website on the client side, and its direct victims are the visitors browsing that site. Of course, hackers sometimes also use this technique to deface websites, but that is still only an attack on the surface of the website. Indeed, XSS consists of client-side scripts, which run only in the client's browser, so XSS does not affect the website system on the server. The target of XSS is none other than the other users of the website: when they unwittingly visit pages containing dangerous code left behind by hackers, they may be redirected to other websites, have their homepage reset, or worse, lose their password or cookies, and their computer may even be infected with viruses, backdoors, worms, ...
6.2.1.2 Solutions
As mentioned above, an XSS attack only succeeds when a web page is delivered to the victim's browser with the attacker's malicious script attached. Web developers can therefore protect their website from being abused through XSS attacks by making sure that dynamically generated pages contain no script tags: filter and properly validate the data coming from the user, or encode (encoding) and filter the values output to the user. If you are using PHP you can make use of some of PHP's built-in functions such as htmlspecialchars and htmlentities to do the encoding automatically, or strip_tags if you do not want
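The search page from the URL above, as an added example that is not the book's code: the query is echoed raw once (vulnerable) and once through htmlspecialchars(), with strip_tags() shown as the alternative the text mentions. The request is simulated with a constructed $query value in place of $_GET['query'].

```php
<?php
// Added example, not code from the book: the same search result fragment
// rendered without and with output encoding. $query stands in for $_GET['query'].
declare(strict_types=1);

// Vulnerable: user input is written straight into the HTML of the response,
// so a <script> tag in the query runs in every visitor's browser.
function renderSearchVulnerable(string $query): string
{
    return "<p>Results for: $query</p>";
}

// Fixed: encode the value for the HTML context it is written into.
// ENT_QUOTES also encodes ' and ", which matters when the value lands inside an
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
// htmlentities() is a superset that additionally encodes non-ASCII characters.
function renderSearchSafe(string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Results for: $safe</p>";
}

// strip_tags() removes markup when none is wanted, but it does not encode what
// remains, so it is still combined with htmlspecialchars() for the output.
function renderSearchStripped(string $query): string
{
    $text = strip_tags($query);
    return "<p>Results for: " . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>";
}

// Constructed input equal to the query string in the example URL.
$query = "<script>alert('XSS was found !');</script>";

echo renderSearchVulnerable($query), "\n";  // the <script> tag survives into the page
echo renderSearchSafe($query), "\n";        // < > ' become entities; shown as text only
echo renderSearchStripped($query), "\n";    // tags removed, remaining text encoded
```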
6.2.2. SQL Injection
6.2.2.1 What is SQL Injection?
When deploying web applications on the Internet, many people still think that ensuring safety and security, so as to minimise the chance of being attacked by hackers, simply means concentrating on matters such as which operating system, database management system or web server software to choose, forgetting that the application running on top of them can itself harbour a very large security hole. One of these holes is SQL injection. Recently, quite a few websites in Vietnam have been attacked, and most of those attacks were SQL injection. So what is SQL injection?
SQL injection is a technique that lets attackers exploit weaknesses in the input validation of web applications and the error messages of the database management system to inject and execute illegitimate SQL statements (ones the application developer did not anticipate). Its consequences are severe, because it lets attackers delete, modify, ... with full control over the application's database, and even over the server the application is running on.
This flaw usually occurs in web applications whose data is managed by a database management system such as SQL Server, MySQL, Oracle, DB2 or Sybase.
6.2.2.2 Common forms of SQL Injection attack
There are four common forms: bypassing the login check, using the SELECT statement, using the INSERT statement, and using stored procedures.
To find out whether a website is vulnerable to SQL injection, one uses software tools that help search for the flaw.
a. Bypassing the login check
With this form of attack, an attacker can easily get past login pages thanks to the flaw in the way SQL statements are used to operate on the web application's database.
Consider a typical example. To let users reach protected web pages, a system usually builds a login page that asks the user for a user name and password. After the user enters this information, the system checks whether the user name and password are valid and decides whether to allow or refuse further access. In this case two pages are commonly used: an HTML page that displays the input form, and a PHP (or ASP, JSP, ...) page that processes the information entered by the user.
If we write the processing page in the usual way, it seems to contain no security hole at all. The user cannot log in if the user name or password is invalid. However, this code may not really be safe and is the starting point for an SQL injection flaw. In particular, the weakness (if any) lies in the fact that the user's input is used directly to build the SQL query. This is exactly what lets attackers control the query that will be executed. For example, if the user enters the following string into both the username and password fields of the HTML form: ' OR ''=' then the query executed becomes:
SELECT * FROM T_USERS WHERE USR_NAME = '' OR ''='' AND USR_PASSWORD = '' OR ''=''
This query is valid and returns all the data in the T_USERS table, and the code that follows treats this illegitimate login as a valid user.
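The login check described above, as an added example that is not the book's code: the same query written first by concatenating the form values into the SQL (the vulnerable form the text discusses) and then with a PDO prepared statement, run against an in-memory SQLite copy of T_USERS with constructed sample data.

```php
<?php
// Added example, not the book's code: the T_USERS login check built by string
// concatenation (vulnerable) and with a prepared statement, side by side.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)');
// Constructed sample row; a real system would store a password hash, not the password.
$db->exec("INSERT INTO T_USERS VALUES ('alice', 's3cret')");

// Vulnerable: the query is assembled as text, so the quote in the input closes
// the string literal and the rest of the input becomes part of the WHERE clause.
function loginVulnerable(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT * FROM T_USERS WHERE USR_NAME = '$user' AND USR_PASSWORD = '$pass'";
    return count($db->query($sql)->fetchAll());   // rows matched; > 0 means "logged in"
}

// Fixed: placeholders keep the input as data. The database never parses it as
// SQL, so ' OR ''=' is just a literal user name that matches no row.
function loginSafe(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT * FROM T_USERS WHERE USR_NAME = ? AND USR_PASSWORD = ?');
    $stmt->execute([$user, $pass]);
    return count($stmt->fetchAll());
}

$payload = "' OR ''='";   // the string from the text, typed into both form fields

printf("concatenated, real credentials: %d row(s)\n", loginVulnerable($db, 'alice', 's3cret'));
printf("concatenated, injected input:   %d row(s)\n", loginVulnerable($db, $payload, $payload));
printf("prepared,     real credentials: %d row(s)\n", loginSafe($db, 'alice', 's3cret'));
printf("prepared,     injected input:   %d row(s)\n", loginSafe($db, $payload, $payload));
```

The second line shows the whole table coming back for the injected input, exactly the query the text spells out; the last line shows the prepared statement matching nothing for the same input.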