This is a shameless information gathering exercise for my own book.
One of the talks I give in the community is an introduction to web site vulnerabilities. Usually during the talk I can see at least two members of the audience go very pale; and this is basic stuff, Cross Site Scripting, SQL Injection, Information Leakage, Cross Site Form Requests and so on.
So, if you can think back to being one, as a beginning web developer (be it ASP.NET or not) what do you feel would be useful information about web security and how to develop securely? I will already be covering the OWASP Top Ten.
(And yes this means * will be in the acknowledgements list if someone comes up with something I haven't thought of yet!)
It's all done now, and published, thank you all for your responses
8 solutions
#1
6
First, I would point out the insecurities of the web in a way that makes them accessible to people for whom developing with security in mind may (unfortunately) be a new concept. For example, show them how to intercept an HTTP header and implement an XSS attack. The reason you want to show them the attacks is so they themselves have a better idea of what they're defending against. Talking about security beyond that is great, but without understanding the type of attack they're meant to thwart, it will be hard for them to accurately "test" their systems for security. Once they can test for security by trying to intercept messages, spoof headers, etc., then they at least know if whatever security they're trying to implement is working or not. You can teach them whatever methods you want for implementing that security with confidence, knowing that if they get it wrong, they will actually know about it because it will fail the security tests you showed them to try.
#2
1
Defensive programming as an archetypal topic which covers all the particular attacks, as most, if not all, of them are caused by not thinking defensively enough.
Make that subject the central column of the book. What would've served me well back then was knowing about techniques to never trust anything, not just one-stop tips like "do not allow SQL comments or special chars in your input".
Another interesting thing I'd love to have learned earlier is how to actually test for them.
#3
1
I think all vulnerabilities are based off of programmers not thinking, either momentary lapses of judgement or something they haven't thought of. One big vulnerability in an application that I was tasked to "fix up" was the fact that they had returned 0 (zero) from the authentication method when the user who was logging in was an administrator. Because the variable was originally initialized as 0, if any issue happened, such as the database being down, which caused it to throw an exception, the variable would never be set to the proper "security code" and the user would then have admin access to the site. Absolutely horrible thought went into that process. So, that brings me to a major security concept: never set the initial value of a variable representing a "security level", or anything of that sort, to something that represents total god control of the site. Better yet, use existing libraries out there that have gone through the fire of being used in massive amounts of production environments for a long period of time.
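The fail-open initialization bug described in this answer, as an added example that is not part of the original post: the vulnerable version starts its level variable at 0 (which the scheme treats as administrator), so any exception in the lookup leaves the caller with admin rights; the fixed version starts from an explicit "no access" sentinel and denies on error. The `Level` constants, `lookup_level` and the account table are constructed for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    ADMIN = 0   # the original scheme: 0 means "administrator"
    USER = 1
    NONE = 99   # explicit "no access" sentinel used by the fixed version


# Constructed stand-in for a user table; real code would query a database.
ACCOUNTS = {"alice": Level.USER, "root": Level.ADMIN}


def lookup_level(username, db_up=True):
    """Simulated database lookup. Raises when the database is unreachable,
    which is exactly the failure path the answer describes."""
    if not db_up:
        raise ConnectionError("database down")
    if username not in ACCOUNTS:
        raise KeyError(username)
    return ACCOUNTS[username]


def authenticate_vulnerable(username, db_up=True):
    # Bug: the variable starts at 0, and 0 is the administrator level.
    level = 0
    try:
        level = int(lookup_level(username, db_up))
    except Exception:
        pass  # error swallowed: level is still 0, i.e. ADMIN
    return Level(level)


def authenticate_fixed(username, db_up=True):
    # Fail closed: start with no access, and any error leaves it there.
    level = Level.NONE
    try:
        level = lookup_level(username, db_up)
    except Exception:
        # Log and deny; an error path must never hand out a higher level.
        return Level.NONE
    return level


def is_admin(level):
    return level == Level.ADMIN
```

Running the two functions against a simulated database outage shows the difference: the vulnerable version grants admin to anyone when the lookup fails, the fixed one grants nothing.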
#4
1
I would like to see how ASP.NET security is different from ASP Classic security.
#6
0
Good to hear that you will have the OWASP Top Ten. Why not also include coverage of the SANS/CWE Top 25 Programming Mistakes?
#7
0
How to make sure your security method is scalable with SQL Server. Especially how to avoid having SQL Server serialize requests from multiple users because they all connect with the same ID...
#8
0
I always try to show the worst-case scenario on things that might go wrong. For instance, how a cross-site script injection can work as a black-box attack that even works on pages in the application that a hacker can't access himself, or how even an SQL injection can work as a black box and how a hacker can steal your sensitive business data, even when your website connects to your database with a normal non-privileged login account.