Home > Developer > Web Develop

Notes on Authoritative Web Application Security Guide and authoritative web application guide

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Notes on Authoritative Web Application Security Guide and authoritative web application guide
The Authoritative Web Application Security Guide jumps to: navigation, search

  • Same-origin policy: External webpage JS cannot access the internal content of iframe
  • XSS: inject external JS into iframe for internal execution (you can also execute it without iframe)
  • Cross-origin access other than JS:
  • CSS: link element/@ import/JS addImport
  • Form. action
  • PHP mb_check_encoding, mb_convert_encoding
  • Binary security and Null Byte attack (% 00)
  • P88 XST: Disable the TRACE method:
  • JS string literal in p90 script element: cannot appear </tag>! (The Syntax Parsing of JS is not completely Turing !)
  • URL: allow http: https: //, disable javascript :?
  • P94 data is literally escaped by JS strings (\ --> \), and then escaped by HTML ('--> & amp; #39 ;)
  • DOM based XSS (JS Code will not appear in the HTML generated by the server, but will be executed in the context of the client browser)
  • Blog system/SNS: allows users to use html tags and custom CSS
  • SQL Injection
  • Static placeholder vs dynamic placeholder (?)
  • CSRF
  • Incomplete session management
  • Save session ID to Cookie? (Disabling third-party cookies causes advertising websites to track users)
  • Session fixed attacks (if a session is generated by a server, how can a malicious attacker know this information in advance ?)
  • Redirection-related security risks
  • HTTP message header Injection Vulnerability (Message Response Header generated based on external input ???)
  • Security risks related to Cookie output
  • Email sending (not very important, omitted)
  • File processing problems
  • OS command injection
  • File Upload Problems
  • Unauthorized download
  • Include-related issues (this is also a PHP vulnerability, omitted)
  • Eval
  • Shared resources
  • Typical security features
  • Account Management
  • Authorization
  • Character encoding(The content in this section is very detailed !!!)
  • EUC_JP: US-ASCII + 2 bytes 0xA1 ~ 0xFE
  • ISO-2022-JP: 7-bit + escape sequence, does not support halfwidth katakana?
  • UTF-16: The USC-2 at the beginning, but later the Unicode range is extended and supports characters other than BMP
  • UTF-8
  • GB2312: omitted
  • GBK
  • GB18030
  • 'Tail sacran' test to avoid automatic code detection

    • I want to compete first

    You can't do it anymore. You only have to fight for the third place.

    Concepts and differences between web documents and web applications

    Web generally refers to static

    WEB applications are mostly dynamic
     

    This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

    Related Keywords:
    mq application programming guide application architecture guide host windows application on web authoritative website open web application security project owasp mobil 1 filter application guide mobil 1 filter application guide

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    What's Trending
    Top 10 Tags
    datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
    Top 10 Keywords
    microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    Get Started for Free

    • Sales Support

      1 on 1 presale consultation

      Chat Contact Sales

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

      Open a Ticket

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

      Learn More