owasp top ten

Learn about the OWASP Top Ten; we have the largest and most up-to-date OWASP Top Ten information on alibabacloud.com.

20155208 Xu Zihan "Cyber Confrontation" EXP9 Web Security Foundation

20155208 Xu Zihan "Cyber Confrontation" EXP9 Web Security Basics. Experiment requirements: the objective of this practice is to understand the basic principles of commonly used network attack techniques, using WebGoat for the hands-on part of the experiment. Experimental process: as last time, I did not choose to try the program when I did this exciting activity. WebGoat: WebGoat is a web-based vulnerability experiment developed by the OWASP organization, which

20155216 EXP9 Web Security Fundamentals Practice

EXP9 Web Security Fundamentals: basic practice answers. 1. SQL injection attack principle, and how to defend against it? (1) Validate user input, for example with regular expressions, converting double "-" and so on. (2) Do not use dynamically assembled SQL; use parameterized SQL or stored procedures directly for data queries and access. (3) Do not use database connections with administrator privileges; give each application its own database connection with limited privileges. (4) Do not store confidential information directly; encrypt or hash passwords and sensitive information. (5) The application's error messages should reveal as little as possible. (6) Use auxiliary software or website platforms to detect SQL injection. 2. XSS attack principle, and how to defend against it? Before form submission or URL parameter passing, filter the required parameters; check whether user input contains illegal content such as angle brackets or quotation marks, and strictly control output. 3. CSRF attack principle, and how to defend against it? Detect user submissions via Referer, token or CAPTCHA; try not to expose users' private information in page links; for user modification

EXP9 Web Security Essentials 20154318 Wang Xiufei

because the request is not intended by the user, it is called "cross-site request forgery". Defensive measures: ① detect user submissions through Referer, token or verification code; ② try not to expose the user's private information in page links, and preferably use POST operations for user modify and delete actions; ③ avoid site-wide generic cookies and strictly set the cookie's domain. Second, the experimental process. 1. Installing WebGoat. WebGoat is an ap

Share 61 things that Web developers should know-other integrated

, Subversion, Git, and so on) and a data backup mechanism. 1.4 Do not let the user see unfriendly error prompts. 1.5 Do not display the user's email address directly, at least not in plain text. 1.6 Set up reasonable usage limits for your website, and stop the service automatically once the threshold is exceeded. (This is also related to website security.) 1.7 Know how to implement incremental enhancements to your web page (progressive enhancement). 1.8 Once a user makes

Introduction to the Modsecurity general rules

OWASP Rules. Part I: Base rule set. MODSECURITY_CRS_20_PROTOCOL_VIOLATIONS.CONF: HTTP protocol specification related rules; MODSECURITY_CRS_21_PROTOCOL_ANOMALIES.CONF: HTTP protocol specification related rules; modsecurity_crs_23_request_limits.conf: HTTP protocol size and length limit related rules; modsecurity_crs_30_http_policy.conf: HTTP protocol whitelist related rules; Modsecurity_crs_35_bad_robots.conf: malicious scanner and crawler rules; Modsecurity_crs_40_gene

Comprehensive analysis of network attacks cross-site scripting attacks XSS

developer's point of view. According to OWASP (the Open Web Application Security Project), the best protection against XSS combines the following two methods: validating all input data, which effectively detects attacks, and encoding all output data appropriately, which prevents any successfully injected script from running on the browser side. Specifically: Input validation: a standard input validation mechanism is used to validate the lengt

Talking about the security of Ajax and the hidden dangers of Ajax

a suitable form, but thanks to JavaScript, it does manage XML objects very well under some very typical constraints and a lot of annoying IE bug environments. To help you understand some of the Ajax problems, I'm here to introduce you to a hypothetical travel company, "Time-Advanced Travel Company". Driven by the Ajax craze, their main web developer, Max Uptime, decided to mix in Ajax in order to create an application that put him at the forefront of the times. Problems with Ajax: more than half of the A

Everyone is an architect: non-functional requirements __ technology management

Requirements are the most important thing: lose the functionality, lose the value to the customer, and the software becomes worthless. However, implementing functionality is just the beginning of the architecture. Architecture first comes from requirements, and requirements drive the architecture; non-functional requirements then reflect the service level. In the face of the constraints of the objective environment, the introduction of a framework to realize the principles is demand at a higher level, constraints,

IoT: A summary of the safety testing experience of IoT safety test

general company does is that the mobile app sends the instructions to the cloud, and then the gateway gets the instructions from the cloud. Conclusions: people always want to connect everything to the Internet, but there are often serious security errors. Most of the errors are due to ambiguous security objectives and a lack of experience and awareness. Instead of expecting vendors to give us security, we must adopt a secure networking strategy. IoT secure solutions reference: GSMA IoT s

On the security of Ajax and the hidden dangers of Ajax (1)

interpret the XML data in a suitable form, but thanks to JavaScript, it does manage XML objects very well under some very typical constraints and a lot of annoying IE bug environments. To help you understand some of the Ajax problems, I'm here to introduce you to a hypothetical travel company, "Time-Advanced Travel Company". Driven by the Ajax craze, their main web developer, Max Uptime, decided to mix in Ajax in order to create an application that put him at the forefront of the times. Problems with A

Foreign PHP Learning website Book Data summary ____php

This article summarizes a comprehensive variety of PHP learning resources, including books, websites and articles, to help you improve your PHP development capabilities and consolidate your PHP knowledge. Combined with the previous article, "Heavy material: a summary of PHP resources on GitHub", it will help you take your PHP skills up a step. PHP enthusiasts are welcome to bookmark and learn from it. PHP sites (websites helpful for PHP): PHP The Right Way: a quick reference guide to PHP

Security Bulletin: Regular expression denial of service attacks and defenses

DoS is one of the possible future evolution directions of DoS. At the 2009 Open Web Application Security Project (OWASP) meeting in Israel, Checkmarx chief architect Alex Roichman and senior programmer Adar Weidman presented a thorough research report on regular expression DoS (also known as "ReDoS"). Their research shows that an imprecisely written regular expression can be attacked so that a relatively short attack string (less than 50 ch

Analysis of authentication and session management of website invalidation

In general, web developers are aware of common web security vulnerabilities during development. But there are also some dangerous and obscure vulnerabilities that are widespread in web applications. Most developers do not take these vulnerabilities into account at all, leaving the web application in jeopardy. Broken authentication and session management is one such vulnerability. According to the latest OWASP Top 10, it ranks third in the 10-st

SQL injection Detailed

Tags: security test, SQL injection. 1: What is SQL injection? SQL injection is an attack that inserts or appends SQL code to the input parameters of an application (supplied by the user), which are then passed to the SQL server behind the scenes for parsing and execution. Www.xx.com/news.php?id=1 and Www.xx.com/news.php?id=1 and 1=1. Here, let's take a look at SQL injection. First of all, SQL injection has been ranked first by OWASP for years. What is the process of SQL injection? See Wh

"Safe Cow Study notes" Kali Linux penetration test method

if the target host has the vulnerability). When "Meterpreter >" appears, the connection to the target host is established. Meterpreter > getuid: view the login account information. Meterpreter > ps: view processes. Meterpreter > sysinfo: view system information. Meterpreter > getpid: view which process ID has been injected. Meterpreter > getsystem: elevation of privilege. Meterpreter > hashdump: view local accounts and password hashes; save the hashdump output to a new file, ready for password cracking. Meterpreter > screenshot: screenshot of the target host desk
