Notes on Authoritative Web Application Security Guide and authoritative web application guide

Source: Internet
Author: User


  • Same-origin policy: JavaScript on an external page cannot access the content inside an iframe from another origin
  • XSS: inject external JS into the iframe so that it runs inside it (it can also be executed without an iframe)
  • Cross-origin access other than JS:
    • CSS: link element / @import / JS addImport
    • form action
  • PHP mb_check_encoding, mb_convert_encoding
  • Binary safety and the null byte attack (%00)
  • p88 XST: disable the TRACE method
  • p90 JS string literal inside a script element: `</tag>` must not appear in it! (the syntax parsing of JS is not completely Turing!)
  • URL: allow http: and https://, disallow javascript:?
  • p94: data is first escaped as a JS string literal (\ --> \\), then HTML-escaped (' --> &#39;)
  • DOM-based XSS (the JS code does not appear in the HTML generated by the server, but is executed in the context of the client browser)
  • Blog systems / SNS: allow users to use HTML tags and custom CSS
  • SQL injection
    • Static placeholders vs dynamic placeholders (?)
  • CSRF
  • Incomplete session management
    • Save the session ID in a cookie? (disabling third-party cookies: advertising websites use them to track users)
    • Session fixation attacks (if the session ID is generated by the server, how can an attacker know it in advance?)
  • Redirection-related security risks
  • HTTP header injection vulnerability (response headers generated from external input???)
  • Security risks related to cookie output
  • Sending e-mail (not very important, omitted)
  • File processing problems
  • OS command injection
  • File upload problems
  • Unauthorized download
  • Include-related issues (this is also a PHP vulnerability, omitted)
  • eval
  • Shared resources
  • Typical security features
    • Account management
    • Authorization
  • Character encoding (this section is very detailed!!!)
    • EUC-JP: US-ASCII + 2 bytes in the range 0xA1 ~ 0xFE
    • ISO-2022-JP: 7-bit + escape sequences, does not support halfwidth katakana?
    • UTF-16: started as UCS-2, but later the Unicode range was extended to support characters outside the BMP
    • UTF-8
    • GB2312: omitted
    • GBK
    • GB18030
    • 'Tail sacran' test to avoid automatic encoding detection
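The notes on the script element (p90), the escaping order for p94, the URL scheme allowlist and the %00 / mb_check_encoding items are easier to see side by side in code. The following is an added example written for these notes, not code from the guide or its author; the function names (escapeHtml, escapeJsString, scriptLiteral, onclickAttribute, safeHref, checkInput) and the sample inputs are my own and only illustrate the rules the notes state. It runs under Node.js with no dependencies.

```javascript
// Added example (not from the guide): context-aware output escaping for the
// injection points listed in the notes, plus the input-side %00 and encoding
// check that mb_check_encoding performs in PHP. Function names are assumptions.

// HTML body / attribute context: the five significant characters.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// JS string literal context: escape the backslash first (\ --> \\) so the
// later replacements are not doubled again, then quotes and line terminators,
// and finally "</" so that "</script>" can never appear in the output; the HTML
// parser ends a script element at "</script>" regardless of JS syntax.
function escapeJsString(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

// Script element (p90): JS escaping only. HTML escaping would be wrong here,
// because the script body is not HTML-decoded before it is executed.
function scriptLiteral(value) {
  return `<script>var name = '${escapeJsString(value)}';</script>`;
}

// Event handler attribute (p94): the browser HTML-decodes the attribute value
// and then parses it as JS, so apply JS escaping first and HTML escaping second.
function onclickAttribute(value) {
  return `<a href="#" onclick="alert('${escapeHtml(escapeJsString(value))}')">x</a>`;
}

// URL context: allow only http/https absolute URLs or a site-relative path;
// javascript:, data: and protocol-relative "//host" URLs fall back to "#".
function safeHref(url) {
  const s = String(url);
  if (/^https?:\/\//i.test(s) || /^\/(?!\/)/.test(s)) return escapeHtml(s);
  return "#";
}

// Input side: %00 survives URL decoding as a real NUL byte, which binary-unsafe
// (C string based) functions treat as the end of the string. Reject it, and
// reject byte sequences that are not valid in the expected encoding.
function checkInput(bytes) {
  if (bytes.includes(0)) return { ok: false, reason: "null byte" };
  try {
    const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    return { ok: true, text };
  } catch (e) {
    return { ok: false, reason: "invalid utf-8" };
  }
}

// Constructed sample inputs for a quick look at each rule.
console.log(scriptLiteral("</script><script>alert(1)</script>"));
console.log(onclickAttribute("O'Neil"));
console.log(safeHref("javascript:alert(1)"), safeHref("https://example.com/?a=1&b=2"));
console.log(checkInput(new Uint8Array([0x61, 0x00, 0x62])));
console.log(checkInput(new Uint8Array([0xc3, 0x28])));
```

The two escaping orders are the whole point: inside a script element only the JS-string escaping applies, while inside an onclick attribute the JS escaping must run before the HTML escaping, otherwise the browser's attribute decoding would undo the wrong layer first.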


  • Concepts and differences between web documents and web applications
    • "Web" generally refers to static content
    • Web applications are mostly dynamic