How to learn Web security from zero?

Source: Internet
Author: User

One. First you have to understand the Web

The Web is divided into several layers; a picture is worth a thousand words:

[Image: diagram of the Web's layers (http://s3.51cto.com/wyfs02/M01/4C/65/wKiom1Q8nU7xTTerAAJP-L5D6wo721.jpg)]

The truth is this: it is impossible to do security research if you don't understand these subjects.

So it seems the Web has eight layers (nine if you count the browser: nine layers, like the Nine Yang Divine Skill...)!!! There are dozens of main components on each layer!!! What's the deal?

Don't worry, one rule unlocks all the others: the layers are the horizontal dimension, and the data flow is the vertical one. Take care of the data flow: follow it through the horizontal layers from top to bottom → from bottom to top, and look seriously at how the data is handled at each layer.

In the data flow, one key piece is the HTTP protocol: from top to bottom → from bottom to top (i.e. request and response), straighten it out! Is it difficult? "HTTP: The Definitive Guide" is 720 pages!!! It's brutal, it is very hard!!!

What to do?

The horizontal is so complex, and the vertical data flow, the HTTP protocol, is a 720-page book!!! Might as well give up...

No, please don't do that.

Here is something to give you confidence: I haven't read "HTTP: The Definitive Guide" at all. But through Baidu/Google and some introductions to the HTTP protocol I got a general understanding, and then I used Chrome's F12 to actually look at the HTTP requests and responses in the "Network" tab; in a few hours you probably know what the HTTP protocol is. (This is the essence of fast research.)

Once you have figured out the HTTP protocol, you will understand the security terms "input" and "output".
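Looking at a request in the Network tab is exactly this: every field the client sends is an "input". The following is an added example (not code from the original article) that splits a raw HTTP request into its input channels; the request text, host name and values are constructed for illustration:

```python
"""Added example: split a raw HTTP request into the places where client-controlled
input enters a web application. Not from the original article; the sample request
below is constructed, not captured from any real system."""
from urllib.parse import urlsplit, parse_qs
from http.cookies import SimpleCookie

# Constructed sample request (hypothetical host and values).
SAMPLE_REQUEST = (
    "POST /search?q=shoes&page=2 HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 16\r\n"
    "\r\n"
    "x=hello&sort=asc"
)


def parse_http_request(raw):
    """Parse a single HTTP/1.1 request into its components."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)

    # Header names are case-insensitive; normalise them to lower case.
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # The body is exactly Content-Length bytes; ignore anything beyond it.
    body = body[: int(headers.get("content-length", len(body)))]

    parts = urlsplit(target)
    # parse_qs returns lists; we keep the first value for each key here.
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}

    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    cookie_dict = {k: morsel.value for k, morsel in cookies.items()}

    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body).items()}

    return {
        "method": method, "path": parts.path, "version": version,
        "query": query, "headers": headers, "cookies": cookie_dict,
        "form": form, "body": body,
    }


def untrusted_inputs(req):
    """Flatten every client-supplied value: path, query, headers, cookies, form.

    All of these are 'special data' candidates; none of them is trusted just
    because it looks like a normal header or a normal cookie.
    """
    inputs = {"path": req["path"]}
    for k, v in req["query"].items():
        inputs[f"query.{k}"] = v
    for k, v in req["headers"].items():
        inputs[f"header.{k}"] = v
    for k, v in req["cookies"].items():
        inputs[f"cookie.{k}"] = v
    for k, v in req["form"].items():
        inputs[f"form.{k}"] = v
    return inputs


if __name__ == "__main__":
    for channel, value in untrusted_inputs(parse_http_request(SAMPLE_REQUEST)).items():
        print(f"{channel:22} {value}")
```

The point of flattening the request this way is that headers such as User-Agent, Host and Cookie count as input just as much as the query string and form fields do; each one travels down through the layers and may be interpreted by one of them.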

The hacker submits "special data" through the input; that special data is processed at each layer of the data flow, and if a layer does not handle it well, the output will show a security issue belonging to that layer.

Some nice examples:

1. If the OS layer is not handled well, for example a Linux Bash environment treats the "special data" as a command to execute, that creates an OS command execution security issue; this "special data" may look like this:

; rm -rf /;

2. If the database in the storage layer is not handled well and the database's SQL parsing engine treats the "special data" as a statement to execute, that is a SQL injection security issue; this "special data" may look like this:

' union select user, pwd, 1, 2, 3, 4 from users--

3. If the Web container layer, such as Nginx, is not handled well and Nginx treats the "special data" as an instruction to execute, it may produce remote overflow, DoS and other security issues; this "special data" may look like this:

%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%20

4. If the Web development framework or Web application layer is not handled well and treats the "special data" as code to execute, it may produce a remote command execution security issue; this "special data" may look like this:

eval($_REQUEST['x']);

5. If the Web front-end layer is not handled well and the browser's JS engine treats the "special data" as script to execute, it may produce XSS (cross-site scripting) security issues; this "special data" may look like this:

'"><script>alert(/cos is myhero./)</script>

...

Isn't that exciting? Once you understand this, you have gotten started.

Remember: all security issues show up in the "input and output", and all security issues run through the whole "data flow" process.

Remember these two key points: "data flow" and "input and output".
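To make the "special data" idea concrete, here is an added example (not code from the original article) that takes payloads adapted from the article's own examples for the OS, storage and front-end layers and shows, at each layer, the handling that lets the layer interpret the data as instructions beside the handling that keeps it as data. The user table, its rows and the one-column variant of the union payload are constructed for this example:

```python
"""Added example (not from the original article): the same 'special data' arriving
at three layers of the data flow, with the unsafe handling beside the handling that
keeps data as data. Payloads are adapted from the article's examples; the user
table and its rows are constructed for illustration."""
import html
import shlex
import sqlite3

# Payloads adapted from the article (constructed for this example).
OS_PAYLOAD = "; rm -rf /;"
SQL_PAYLOAD = "' union select pwd from users--"   # one-column variant of the article's union
XSS_PAYLOAD = "'\"><script>alert(/cos is myhero./)</script>"


# --- OS layer: Bash treats ';' as a command separator --------------------------
def unsafe_shell_command(program, user_value):
    """String concatenation: a shell would see two commands, not one argument."""
    return program + " " + user_value


def safe_shell_command(program, user_value):
    """shlex.join quotes each argv element, so a shell sees one literal argument."""
    return shlex.join([program, user_value])


# --- Storage layer: the SQL engine treats quotes and 'union' as syntax ----------
def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user text, pwd text)")
    conn.executemany("insert into users values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def sql_lookup_unsafe(conn, name):
    """Formatting the value into the statement lets the parser read it as SQL."""
    rows = conn.execute(f"select user from users where user = '{name}'").fetchall()
    return [r[0] for r in rows]


def sql_lookup_safe(conn, name):
    """A bound parameter is never parsed; it can only ever be a value."""
    rows = conn.execute("select user from users where user = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- Front-end layer: the HTML parser treats '<' and quotes as markup ------------
def render_unsafe(value):
    """Raw interpolation: the browser reads the payload's tags as markup."""
    return f"<input value='{value}'>"


def render_safe(value):
    """html.escape(quote=True) neutralises <, >, &, ' and \" so the value stays text."""
    return f"<input value='{html.escape(value, quote=True)}'>"


def demo():
    """Run every layer once and return the outcomes for inspection."""
    conn = make_db()
    return {
        "os_unsafe": unsafe_shell_command("ls", OS_PAYLOAD),
        "os_safe": safe_shell_command("ls", OS_PAYLOAD),
        "sql_unsafe": sql_lookup_unsafe(conn, SQL_PAYLOAD),
        "sql_safe": sql_lookup_safe(conn, SQL_PAYLOAD),
        "html_unsafe": render_unsafe(XSS_PAYLOAD),
        "html_safe": render_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for layer, result in demo().items():
        print(f"{layer:12} {result!r}")
```

Note that the shell command is only built, never executed; the difference between the two strings is enough to show where the separator would be interpreted. The same pattern repeats at every layer: the fix is never to filter the "special data" by hand but to hand it to the layer through an interface (argv list, bound parameter, escaped text) that cannot reinterpret it as instructions.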

You seem to have realized something; let's go on...

As said above: it is impossible to do security research if you don't understand these subjects.

Take XSS as an example. Someone once asked: what should I learn before I learn XSS? You can refer to the following.

If I had not been familiar with JavaScript, ActionScript and HTML/CSS, I guess studying XSS would have been very difficult for me. I became familiar with these languages at the start in order to "create": I did good Flash animation and made a number of sites, including a blog system I implemented independently from the back end to the front end. To solve front-end browser compatibility issues (it was IE6 at the time) I chewed through several books, such as "CSS Website Layout Record", "JavaScript DOM Programming Art", "AJAX Hacks" and all kinds of books from Flash 6 to CS2; I read a lot, and also practised. Later I sprinted into Web security. (A long-time hacker's sentiment)

Having said all this, it's clear: it is impossible to do security research if you don't understand these subjects.

Let's continue :)

Two. The arsenal

Beginners are always looking for good tools to improve their efficiency.

A workman who wants to do his job well must first sharpen his tools, and a newcomer with a good weapon gets more done.

Remember: with these weapons you must not only know how they work but also why they work; don't let yourself degenerate into a mere tool user.

Three. Understand why you should master one thing thoroughly

Not much to say; please see my answer to this question: for someone who aspires to develop in the field of network security, how should they learn security knowledge systematically?

Four. Join the circle

Make more friends: Weibo, QQ, Zhihu, blogs and so on. Be good at following up; not only learn but also share, and let everyone know you exist. That is more conducive to communication and growth.
