What have the white hats dug up this year? Counting the vulnerabilities that shook the world in 2015.
2015 was a year of cyber security: countless critical vulnerabilities were discovered, patched, or exploited... Fortunately, thanks to the efforts of white hat hackers around the world, many fatal vulnerabilities have been fixed b
White hat hacker: refers to people who use technology to defend networks. They have deep expertise in computer systems, programming languages, the TCP protocol stack and so on; they are proficient in both attack and defense, and they have a macro-level awareness of the information security system as a whole.
Most of the time, hackers and their destructive behavior are antisocial. After the cult of the
Chapter 1: My Security Worldview
1.1 A brief history of web security
1.1.1 A brief history of Chinese hackers. Hackers in China, and around the world, have now entered a "dark age", because there is so much money at stake on the Internet.
1.1.2 The development of hacker techniques
1.1.3 The rise of web security. Web security is an important branch of information security, but the attention China currently pays to web security is far from enough. Why attack web applications? I t
Well, this seems to be my first blog post under this name, but I don't seem to be the first to write one; okay, it's all the same. (I'll pretend it's the first blog post of my life.) A long time after college I found that I liked Linux, because it felt very impressive, so I taught myself a lot about Linux, but I am not a big god, I'm just a newbie; writing about technology may be easy for some great gods, but I believe there are always people like me who want to learn,
building a security system.
3. The principle of data and code separation. 4. The principle of unpredictability.
Even if the vulnerable code cannot be fixed, a defense can be considered successful if it renders the attack method ineffective.
Implementing unpredictability usually relies on cryptographic algorithms, random number generation and hash functions; used well, this principle lets a security design achieve more with less.
The four Principl
a page in the same session, and destroyed when the session ends. So sessionStorage is not persistent local storage, only session-level storage. localStorage is used for persistent local storage; its data never expires unless it is actively deleted. Advantages: storage space: the storage space is larger: each origin's storage under IE8 is 10 MB, other browsers differ slightly, but all of them are much larger than cookies. Server: the stored content is not sent to the server: when s
The Three White Hats challenge, phase three: a simple write-up of the idea (my first contact with PHP deserialization). For some reason, I will only talk about the general idea and will not go into detail. This is the first time deserialization has come up, and I feel I have learned a new trick. Haha
1. the int
the session on the server side.
IV. HTTP headers management. In a web framework, HTTP headers can be processed globally, so some header-based security schemes can be implemented well there. One example is CRLF injection into HTTP response headers. Similarly, for a 30X HTTP response the browser jumps to the URL given in the Location header, and attackers often abuse this feature for phishing or scams:
HTTP/1.1 302 Moved Temporarily
(...)
Location: http://www.phishing.tld
For the f
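The two header problems named above, CRLF injection into a response header and a 302 Location that sends the browser to an attacker-chosen site, handled at one global choke point, as an added example that is not code from the original book or post. The allow-listed host names and the helper names are assumptions made for the illustration.

```python
# Added example, not from the original page: global handling of HTTP response
# headers in a web framework. Covers CRLF injection into a header value and an
# open redirect via the 302 Location header. Host names are assumed.
from urllib.parse import urlsplit

# Hosts this application is allowed to redirect to (assumed for the example).
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "accounts.example.com"}


def is_safe_header_value(value: str) -> bool:
    """A CR or LF inside a header value ends the header early and lets the
    attacker append headers of their own (a Set-Cookie, or even a fake body).
    Rejecting is simpler and safer than stripping."""
    return "\r" not in value and "\n" not in value


def safe_redirect_target(target: str) -> str:
    """Return `target` if it is a same-site path or points at an allow-listed
    host; otherwise fall back to "/". This is what stops a crafted
    ?next=http://www.phishing.tld from turning the 302 into an open redirect."""
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL. "//host/x" is parsed with a netloc and never lands
        # here, but some browsers also treat "/\host" as scheme-relative.
        if not target.startswith("/") or target[1:2] in ("/", "\\"):
            return "/"
        return target
    # parts.hostname is the real host even for "http://good.com@evil.tld/".
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return "/"


def build_redirect_response(target: str) -> str:
    """Build the status line and headers of a 302 response for `target`.
    Raises ValueError instead of emitting a header with CR/LF in it."""
    if not is_safe_header_value(target):
        raise ValueError("CR/LF not allowed in HTTP header value")
    location = safe_redirect_target(target)
    return "HTTP/1.1 302 Moved Temporarily\r\nLocation: " + location + "\r\n\r\n"
```

The check order matters: the CR/LF test runs on the raw input, because `urlsplit` in recent Python versions silently strips newline characters and would otherwise hide the injection attempt from the redirect check.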
the corresponding session (JSESSIONID in Java): the server creates a session for this client, and the Session ID is returned to the client in this response for the client to keep. There are several ways to save the Session ID: the Session ID can be stored in a cookie, so that during the interaction the browser automatically sends this identifier to the server according to the cookie rules. Because cookies can be disabled by the user, there must be other mechanisms in place besides cookies, a technique th
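The session-ID handling described here, together with the unpredictability principle from the earlier fragment (the ID must come from a cryptographic random source), as an added example that is not code from the original posts. The in-memory store, the cookie name `sid` and the helper names are assumptions; a real server would use persistent session storage.

```python
# Added example, not from the original page: an unguessable session ID,
# handed to the browser in a Set-Cookie header and resolved back to server-side
# session data. Store, cookie name and function names are assumed.
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "sid"            # assumed name (PHPSESSID / JSESSIONID in real stacks)
_sessions: Dict[str, dict] = {}   # server-side session data, keyed by Session ID


def predictable_session_id(counter: int) -> str:
    """The anti-pattern: an ID derived from a counter. Anyone who sees one ID
    can guess its neighbours, which violates the unpredictability principle."""
    return f"{counter:016x}"


def new_session(data: dict) -> str:
    """Create a server-side session and return its unguessable ID.
    secrets.token_urlsafe(32) draws 256 bits from the OS CSPRNG."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = dict(data)
    return sid


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie header that sends the ID to the client to keep."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    cookie[SESSION_COOKIE]["httponly"] = True   # script cannot read it (limits XSS theft)
    cookie[SESSION_COOKIE]["secure"] = True     # only sent over HTTPS
    cookie[SESSION_COOKIE]["samesite"] = "Lax"  # not sent on cross-site POSTs
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Resolve the Cookie request header to the session data, or None if the
    browser sent no ID or an ID the server never issued."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return _sessions.get(morsel.value)
```

The client only ever holds the opaque ID; everything the application knows about the user stays in `_sessions` on the server, so a tampered cookie can at worst select a different existing session, which the 256-bit ID makes infeasible to guess.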
anything under the /www directory.
adduser --home /www -c "Web application" www
JSESSIONID: modify the cookie variable jsessionid, the cookie used to maintain the session relationship; I suggest changing it to PHPSESSID. 15.5 HTTP parameter pollution: submit two identical parameters; different servers handle them differently.
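What "different servers handle them differently" means in practice for a query such as `id=1&id=1 OR 1=1`, and the strict parser a back end can use so that a front-end filter and the application never disagree about which value was sent, as an added example that is not from the original post. The three "style" helpers reproduce the documented first/last/joined behaviours of common platforms; the function names are assumptions.

```python
# Added example, not from the original page: HTTP parameter pollution.
# The same query string yields a different value depending on which platform's
# rule is applied, and a strict parser that refuses duplicated names.
from typing import Dict, List, Optional
from urllib.parse import parse_qs


def _values(query: str, name: str) -> List[str]:
    return parse_qs(query, keep_blank_values=True).get(name, [])


def first_value(query: str, name: str) -> Optional[str]:
    """Servlet/JSP getParameter() style: the first occurrence wins."""
    values = _values(query, name)
    return values[0] if values else None


def last_value(query: str, name: str) -> Optional[str]:
    """PHP $_GET style: the last occurrence wins."""
    values = _values(query, name)
    return values[-1] if values else None


def joined_value(query: str, name: str) -> Optional[str]:
    """ASP.NET Request.QueryString style: all occurrences, comma-joined."""
    values = _values(query, name)
    return ",".join(values) if values else None


def has_duplicate_params(query: str) -> bool:
    """True if any parameter name appears more than once."""
    return any(len(v) > 1 for v in parse_qs(query, keep_blank_values=True).values())


def strict_params(query: str) -> Dict[str, str]:
    """Reject the request instead of guessing: exactly one value per name."""
    parsed = parse_qs(query, keep_blank_values=True)
    for name, values in parsed.items():
        if len(values) > 1:
            raise ValueError(f"parameter {name!r} supplied {len(values)} times")
    return {name: values[0] for name, values in parsed.items()}
```

The security-relevant case is the mismatch: a filter in front of the application that inspects the first `id` sees a harmless `1`, while a PHP application behind it executes with `1 OR 1=1`. Refusing duplicates at the application boundary removes that gap.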
this method is not very practical.
if (top !== window) {
    top.location = window.location.href;
}
ClickJacking is a visual deception, so how do we defend against it? For traditional ClickJacking, the defense is generally to forbid cross-domain iframes. 5.6.2 X-Frame-Options: add X-Frame-Options: SAMEORIGIN to the response header. It has three possible values: DENY, SAMEORIGIN, ALLOW-FROM origin. If the value is DENY, the browser refuses to load the current page in any frame; if the value is SAMEORIGIN, the address of the frame pag
7.1 SQL injection. SQL injection first appeared in Phrack issue 54, in 1998. An injection attack has two key conditions: first, the user can control the input; second, the program stitches the user-controlled data into the code it executes. If the website has error echo enabled (database errors are shown in the response), it makes the attacker's work much easier. 7.1.1 Blind injection. "Blind" injection is an attack carried out when the server returns no error echo. The most common blind technique is to construct a simple conditional sta
1. New XSS tags. HTML5 defines many new tags, and the new events may bring new XSS vectors (to study the changes HTML5 brings to XSS attacks, a project was set up: the HTML5 Security Cheatsheet). e.g. 1) White Hat Speaks Web Security, Chapter 6: HTML5 Security
Most SEO practitioners will have found that Baidu, Google and the other commercial search engines all ask SEOers not to care about the algorithm or the search engine, but to pay more attention to the user experience. We can understand this with a metaphor: the search engine is the watermelon buyer and SEOs are the watermelon sellers; the buyer asks us not to care about their standards for picking watermelons, bu
Constructing GET and POST requests
Example of a GET request: if there is an XSS vulnerability on Sohu blog and you know the article ID, then to delete a Sohu blog post you only need:
img.src = "http://blog.sohu.com/manage/entry.do?m=delete&id=1234567"
Example of a POST request: using XSS to post a comment on Douban; you can construct a form or use XMLHttpRequest to initiate the POST request. The code is longer, see the book pp. 48-49. The book also has a more complex example of readin
, which poses a serious threat to cryptographic devices. Database attack techniques. Webshell: an ASP, PHP or JSP program file that the attacker plants on the compromised website. After breaking into a web system, the attacker often places these ASP/PHP/JSP trojan backdoor files in the web server's web directory, mixed in with the normal site files. The attacker can then reach the trojan backdoor through ordinary web access and control the web server, including creating, modifyi
websites is not uncommon; although stored procedures can improve execution efficiency, they bring migration problems. Database character encodings need to be unified, preferably as UTF-8. 7.3 Defending correctly. SQL injection defenses: use prepared (precompiled) statements; use stored procedures; check data types; use safe escaping functions. 7.4 Other injection attacks. XML injection: carried out by rewriting the XML data content. XML is typically used to store data, and
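The two injection conditions from 7.1, the blind (boolean-based) probe from 7.1.1 that needs no error echo at all, and the prepared-statement defense from 7.3 (which is the data/code separation principle in practice), made concrete against an in-memory SQLite table. This is an added example and not code from the book; the table, its rows and the function names are constructed for the illustration.

```python
# Added example, not from the original page: string-stitched SQL versus a
# prepared statement, plus a boolean-based blind probe that recovers a column
# one character at a time from nothing but a yes/no answer. Table and rows are
# constructed test data.
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    # Condition 1: `name` is user-controlled. Condition 2: it is stitched into
    # the code that gets executed, so quotes in it become part of the SQL.
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, name: str) -> bool:
    # Data and code are separated: the statement is compiled with a
    # placeholder and the value is bound afterwards, never parsed as SQL.
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def blind_extract_password(check: Callable[[str], bool], victim: str,
                           charset: str, max_len: int = 16) -> str:
    """Boolean-based blind injection. The page never shows an error, only
    'exists' / 'does not exist', so every guess asks one yes/no question
    about one character of the password. Stops when no character matches."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            # The trailing "-- " comments out the quote the application appends.
            payload = f"{victim}' AND substr(password,{pos},1)='{ch}' -- "
            if check(payload):
                found += ch
                break
        else:
            return found
    return found


if __name__ == "__main__":
    db = make_db()
    print(user_exists_vulnerable(db, "mallory' OR 1=1 -- "))   # True: injected
    print(user_exists_safe(db, "mallory' OR 1=1 -- "))         # False: treated as data
    print(blind_extract_password(lambda n: user_exists_vulnerable(db, n),
                                 "alice", "abcdefghijklmnopqrstuvwxyz0123456789"))
```

Note what the blind probe needs: not an error message, only that the response for "condition true" differs from "condition false". Turning off error echo removes a convenience for the attacker, as 7.1 says, but only the prepared statement in `user_exists_safe` removes the injection itself, and against it the probe recovers nothing.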
, and easy standard for authorizing access to user resources. Unlike earlier authorization methods, OAuth's authorization does not let the third party touch the user's account credentials (such as the username and password); that is, the third party can request authorization for the user's resources without ever using the user's username and password, which is why OAuth is considered secure. Features: (1) simple: both OAuth service providers and application developers find it easy to understand and use; (2) security