???????
????2010 ?? IBM X-Force ??????????????????????? Web ??e???????????Σ???????? Web ??e?????????????з????????????????????????????????????????С????????????У??????????????????????????????????????????? Sprint ??????????????????????????????????? Sprint ????????? Sprint ???????????????????????????????????????????????
??????????????????? Web ????????????????????????????????????????????????????????????????????е? URL????????????????????????? HTTP ??????????????????????????÷??????????? Web ??÷??????? HTTP ???????ж??????????????????????????????????“???”??????????????????????????????????????? HTTP ???????Ч???????????????????????????????
?????????????????????? Web ?????????????????????????????????????????????2?????? URL???????????????????????????????????????????????????????檔???Web?????????????????????? Cookie ????????????????????? Hash ?У?????????????????????????? Cookie ???????????????????????Щ??????????? Hash ????? Hash ????????????????????????????????????????????????????????????Щ?????????μ? Hash ???????ж??? Hash ????????????????? Hash ????????????????????????? ?????????????????????????????? Web ???????????????α??CSRF???????????? HTTP ????ж?????????????????????????????α????Щ???????????????α??????? HTTP ??????????????????? Web ???????????????????????????????????????????????????????????????? Web ?????????????????????????????????????????? Web ????????????????????á?
????IBM Rational AppScan ????棨??????? AppScan??????????? Web ??e????????????????????????????????????????????????????? HTTP ?????????????????????????????????????????????????????????????AppScan ???????????????????仯???????μ????????μ?????? HTTP ?????С???????? AppScan ?????????????????????????????? Hash ??????Token ?????仯??????????μ??????? HTTP ?????С?????ζ???????????????????е? HTTP ?????????????е?????????????Ч??????????? Web ????д????Щ???????????????????????????????????????????á????????????????? AppScan ?????????????????????????????????????????????????????????????????
?????????????????
????AppScan ???????????? Web ????????????????? Cookie?????????£?AppScan ???????λ???? ?????????????????????? Cookie ?????????????е??????????????????£?AppScan ???????????????????????л????? Cookie ????????????????? AppScan ???? Cookie ???????????????????? HTTP ?????????????????
????HTTP ???????????????????У?Request Line?????????Headers?????????壨Body???????У?????????????????Method??????????? Request-URI ??Э?饗Protocol???????????????????????????????????????????????????????????????????????HTTP ???????????????????????У??????????????塣?????????????????? HTTP POST ????????? Cookie ???????
?????嵥 1. HTTP POST ???????
POST /examples/servlets/servlet/SessionExample;jsessionid=0ABAA3CD7E6538C52FEF00729E673C3D HTTP/1.0
Cookie: JSESSIONID=0ABAA3CD7E6538C52FEF00729E673C3D; UnicaNIODID=wbXVlLVSIiK-W76vO58; ePassLanguage=Localeen_US&CharsetUTF-8
Content-Length: 30
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, */*
Referer: http://localhost:8080/examples/servlets/servlet/SessionExample
Content-Type: application/x-www-form-urlencoded
Host: localhost:8080
Pragma: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Accept-Language: en-US

dataname=name&datavalue=jeremy
????????? HTTP POST ?????????????HTTP ??????? Cookie ???? JSESSIONID??UnicaUIODID??ePassLanguage??HTTP ?????????а??????????? dataname ?? datavalue?????????£???????????????????λ???HTTP ???????壨Request Body?????HTTP ????????Request URI Query???????? HTTP ????·????Request URI Path????????????в??????????????HTTP GET ??????????????????????????????磺
/examples/servlets/servlet/SessionExample?dataname=name&datavalue=jeremy
????????·???????????????????Щ??????????????????????????????? URL Rewrite ????????????????????·???У?????????????? Web ???????????????? Cookie????Щ??÷??????? jsessionid ??? URI ??????????? HTTP POST ????????
/examples/servlets/servlet/SessionExample;jsessionid=0ABAA3CD7E6538C52FEF00729E673C3D

? 1. Rational AppScan ?????????? JSESSIONID
?????????????????????????????蹤????????????????AppScan ??????????????????????????????????????????????????? AppScan ???????????????????????????? URI ?е? Session ID??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????λ????????????λ???????????/????·??/?????????????????п????趨?????ò????????壨????????/????·??/?????????????????????????????????AppScan ??????????????????п?????????? HTTP ????е????????????????????????? HTTP ?????е?????????????????????? HTTP ????е???????????????????????????? AppScan ???????????????????磬??? HTTP ?????и???????????? <SessionID>value</SessionID> ???? HTTP ????е?????????????? <Jsessionid>value</Jsessionid> ??????????????????? HTTP ????е? Session ID??
???????????
????????????????????????????????????? AppScan ????????????????汾???????????????????????? AppScan ???????????????????????????
??????????????????????????????????????δ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ID???????????? ID???????????????У??????????????????????????????????????????????????????????????з??????????????????????????????????????????????????黹δ??????????????????????????????????????????????????????????????????????????е????????
????????????????е???????????????????????????????????????????????????????????????????AppScan ????????????????????????嵥???????δ??????????????????ù?????棬??????????????δ??????????????????????????????н??е?????????????????????????????????滻???е???????????????μ??????????????????????????????ι?????飬?????????????????????????????????????????嵥??????μ?δ????????????????????? AppScan ????????????????嵥???????????????е?????????????Щ?????????Ч??????????????????????????????? AppScan ????????顣???????????????????????? AppScan ??????????????????????????????
?????嵥 2. ????????????? HTTP ????
POST /selfservices/passcode HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, */*
Content-Type: application/x-www-form-urlencoded
Host: demo
Connection: Keep-Alive
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Accept-Language: en-US
Cookie: ...
Content-Length: 131

action=REQUEST_PASSCODE&resourceid=0003273610&userid=2700005805&curtime=1305183922792&ADCE4375=da2a8144c72054f6a932230c86bd0988
??????????resourceid??userid??curtime ???????????????????????λ??????????????????????????????? ADCE4375 ???????????????????? HTTP ???????????????????????????
?????嵥 3. ????????????? Form ???
<form method="post" action="/selfservices/passcode" id="REQUEST_PASSCODE_FORM">
<input type="hidden" name="action" value="REQUEST_PASSCODE" />
<input type="hidden" name="resourceid" value="0003273610" />
<input type="hidden" name="userid" value="2700005805" />
<input type="hidden" name="curtime" value="1305183919218" />
<input type="hidden" name="ADCE4375" value="d4be19775b0f346c32453c8be95d39c4" />
...
</form>
??????????????????resourceid ????????????? id??userid ????????? id??curtime ??????ADCE4375 ??????????????????÷?????????? resourceid??userid????? curtime ?????????????У????? ADCE4375 ?????????????????? resourceid ??????????????У????????????????????????????? CSRF ???????????÷?????????У??????????????????????????
????????????????????????????????÷?????????У?????????????????????????????????????????????????????嵥????????á????????????? HTTP ?????в????????????????? resourceid ?? userid ???????????????curtime ????????????仯?????У??????????????????????仯????????????? AppScan ???ò?????????????????? HTTP ????е??????????????????????μ????????μ? HTTP ?????С??????????????????????????????HTTP ?????е??????????????????? HTTP ????????Ч??????????????С?
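Listings 2 and 3 show the same form carrying different curtime and ADCE4375 values, so a request recorded once cannot simply be replayed: the values must be taken from the form the server serves for that step. The following Python is an added example (not code from the article or from AppScan) that pulls the hidden inputs out of a served form, rebuilds the POST body from them, and reports which parameters changed against the recorded body; the form text is constructed here from Listing 3 and the recorded body is taken from Listing 2.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode


class HiddenFieldParser(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements in served HTML."""

    def __init__(self):
        super().__init__()
        self.fields = {}  # insertion order = order of appearance in the form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def hidden_fields(form_html):
    """Return the hidden inputs of a served form as a dict (name -> value)."""
    p = HiddenFieldParser()
    p.feed(form_html)
    return p.fields


def build_body(fields):
    """Encode the fields as an application/x-www-form-urlencoded request body."""
    return urlencode(fields)


def changed_fields(recorded_body, fresh_body):
    """Names of parameters whose value differs between a recorded body and a fresh one."""
    old = dict(parse_qsl(recorded_body))
    new = dict(parse_qsl(fresh_body))
    return {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


# Body of the request recorded in Listing 2 (values as printed there).
RECORDED_BODY = ("action=REQUEST_PASSCODE&resourceid=0003273610&userid=2700005805"
                 "&curtime=1305183922792&ADCE4375=da2a8144c72054f6a932230c86bd0988")

# Form served for the next attempt, constructed here from Listing 3's hidden inputs.
FRESH_FORM = """<form method="post" action="/selfservices/passcode" id="REQUEST_PASSCODE_FORM">
<input type="hidden" name="action" value="REQUEST_PASSCODE" />
<input type="hidden" name="resourceid" value="0003273610" />
<input type="hidden" name="userid" value="2700005805" />
<input type="hidden" name="curtime" value="1305183919218" />
<input type="hidden" name="ADCE4375" value="d4be19775b0f346c32453c8be95d39c4" />
</form>"""

if __name__ == "__main__":
    fresh = build_body(hidden_fields(FRESH_FORM))
    print(fresh)
    print(sorted(changed_fields(RECORDED_BODY, fresh)))  # ['ADCE4375', 'curtime']
```

Only curtime and ADCE4375 differ between the two bodies; resourceid, userid and action are stable, which is why a server-side check on the per-request token is what invalidates a replayed recording.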