ALPACA, a new type of Man-in-the-Middle attack on HTTPS

News was recently published by a group of researchers from several German universities who have developed a new MITM attack method against HTTPS. It allows the extraction of cookies containing session identifiers and other sensitive information, as well as the execution of arbitrary JavaScript code in the context of another site.

The attack is called ALPACA and can be used against TLS servers that implement different application-layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but share the same TLS certificates.

The essence of the attack is that, with control over a network gateway or a wireless access point, the attacker can redirect traffic to a different network port and arrange for the connection to be established not with the HTTP server, but with an FTP or mail server that supports TLS encryption.

Since the TLS protocol is generic and not tied to any application-layer protocol, the establishment of an encrypted connection is identical for all services, and the error of sending a request to the wrong service can only be detected after the encrypted session has been established, while the commands of the transmitted request are being processed.

Accordingly, if, for example, a user's connection that was originally addressed to HTTPS is redirected to a mail server that uses a certificate shared with the HTTPS server, the TLS connection will be established successfully, but the mail server will not be able to process the transmitted HTTP commands and will return a response with an error code. The browser will process this response as a response from the requested site, delivered over an established encrypted communication channel.

Three attack variants have been proposed:

  1. «Upload» to obtain a Cookie with authentication parameters: The method works if the FTP server covered by the TLS certificate allows uploading and retrieving data. In this variant of the attack, the attacker can cause parts of the user's original HTTP request, such as the content of the Cookie header, to be retained, for example if the FTP server interprets the request as a file to be stored or logs incoming requests in full. For the attack to succeed, the attacker must then somehow retrieve the stored content. The attack applies to Proftpd, Microsoft IIS, vsftpd, filezilla and serv-u.
  2. Download for cross-site scripting (XSS): The method assumes that the attacker, as a result of some independent manipulation, can place data in a service that uses the shared TLS certificate, which can then be served in response to a request from the user. The attack applies to the FTP servers mentioned above, as well as IMAP and POP3 servers (courier, cyrus, kerio-connect and zimbra).
  3. Reflection to run JavaScript in the context of another site: The method is based on returning part of the request to the client, containing JavaScript code sent by the attacker. The attack applies to the FTP servers mentioned above, the cyrus, kerio-connect and zimbra IMAP servers, and the sendmail SMTP server.

For example, when a user opens a page controlled by the attacker, that page can initiate a request for a resource on a site where the user has an active account. In a MITM attack, this request to the website can be redirected to a mail server that shares the TLS certificate.

Since the mail server does not close the connection after the first error, the headers and commands of the request are processed as unknown commands.

The mail server does not parse the details of the HTTP protocol, so for it the service headers and the data block of a POST request are handled in the same way; therefore a line containing a command for the mail server can be placed in the body of the POST request.
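The following is an added example, not code from the article or from the ALPACA researchers, that simulates the behaviour described in the two paragraphs above and the countermeasure that follows from it: a toy SMTP-style command loop that, in lenient mode, answers every unknown line with an error and keeps going (so a command line inside the body of a redirected HTTP POST eventually reaches the command parser), and in strict mode closes the connection at the first protocol error. The HTTP request, host name, cookie value and the minimal command set are constructed placeholders; the `looks_like_http` check is a hypothetical detection hook a non-HTTP service could use to log a cross-protocol request.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: the kind of request a browser sends over HTTPS,
# after a MITM has redirected the TCP connection to a mail server that shares
# the TLS certificate.  Host name and cookie value are placeholders.
CONSTRUCTED_HTTP_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=CONSTRUCTED-SESSION-ID\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"NOOP\r\n"  # request body: a line that is also a harmless SMTP command
)

# Hypothetical minimal set of SMTP verbs the toy server understands.
KNOWN_COMMANDS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "NOOP", "RSET", "QUIT"}
HTTP_REQUEST_LINE = re.compile(r"^[A-Z]{3,10} \S+ HTTP/\d\.\d$")


def looks_like_http(first_line: str) -> bool:
    """Detection check: does the first line received look like an HTTP request line?"""
    return bool(HTTP_REQUEST_LINE.match(first_line))


@dataclass
class ToyMailServer:
    """Simulates an SMTP command loop under two error-handling policies.

    strict=False: unknown lines get a 500 reply and processing continues,
                  closing only after max_errors unrecognized commands
                  (the lenient behaviour the article describes).
    strict=True:  the connection is closed on the first protocol error, so
                  nothing after the HTTP request line is ever interpreted.
    """
    strict: bool
    max_errors: int = 20
    replies: List[str] = field(default_factory=list)
    executed: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def serve(self, raw: bytes) -> List[str]:
        lines = raw.decode("ascii", errors="replace").split("\r\n")
        if lines and lines[-1] == "":
            lines.pop()  # drop the empty element produced by the final CRLF
        if lines and looks_like_http(lines[0]):
            # Log the anomaly regardless of policy; a real service would alert here.
            self.alerts.append("cross-protocol request detected: " + lines[0])
        errors = 0
        for line in lines:
            verb = line.split(" ", 1)[0].upper()
            if verb in KNOWN_COMMANDS:
                self.executed.append(verb)
                self.replies.append(f"250 OK {verb}")
                if verb == "QUIT":
                    break
                continue
            # HTTP request line, headers and the blank separator all land here.
            errors += 1
            self.replies.append("500 5.5.2 Syntax error, command unrecognized")
            if self.strict or errors >= self.max_errors:
                self.replies.append("421 4.7.0 Closing connection after protocol error")
                break
        return self.replies


if __name__ == "__main__":
    for strict in (False, True):
        srv = ToyMailServer(strict=strict)
        srv.serve(CONSTRUCTED_HTTP_REQUEST)
        print(f"strict={strict}: executed={srv.executed} alerts={srv.alerts}")
```

Run as a script, the lenient server reports that `NOOP` from the POST body was executed after five unrecognized lines, while the strict server executes nothing and answers only the first line before closing; both record the detection alert. The same principle (abort on the first protocol error, and treat an HTTP-shaped first line on a non-HTTP port as a security event worth logging) is what an operator would want enabled on FTP, IMAP, POP3 and SMTP services that share a certificate with a web server.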

Source: https://alpaca-attack.com/
