这本道哥的《白帽子讲Web安全》算是我向白帽子迈出的第一步,它覆盖的内容很广,而且带有许多现实漏洞的示例讲解,不过对于没有安全经验的小白(比如我)来说还是很难完全吸收其精华,理解各种漏洞的概念和原理才是初学者的首要任务。个人建议可以结合DVWA和FreeBuf上的相应教程来学习会更有Hands-on的感觉。
安全世界观
安全的本质是信任问题
Factors of Security: Confidentiality, Integrity, Availability
Attack: DATA are treated as CODE
安全评估:资产等级划分,威胁分析,风险分析,确认解决方案
互联网安全的核心问题是数据安全
安全策略
- Secure by Default:黑名单(blacklist)/白名单(whitelist),最小权限原则
- Defense in Depth
- 数据与代码分离
- 不可预测性防御攻击
ZoomEye: 公网设备指纹检索和Web指纹检索
CVE: Common Vulnerabilities and Exposures
POC: Proof of Concept
CAPTCHA: 计算机通过扭曲的字符图片来区分人类和计算机(逆图灵测试)
Client
浏览器安全
Same Origin Policy(同源策略): Cookie, DOM, AJAX
多进程浏览器
浏览器沙箱(sandbox):不信任代码隔离运行
跨站脚本攻击XSS(Cross Site Script)
Code injection attack that allows an attacker to execute malicious JavaScript in another user’s browser
Reflected XSS: Trick victim to send script(query)
Persistent XSS: Store script in website’s database(comment)
DOM-based XSS: executed at some point after the page has loaded by changing DOM with JS, however the others are executed when the page is loaded
Danger: Cookie, Ajax request, Modify HTML
XSS Payload
Preventing XSS: Context matters
Encoding: escape input, code -> data
Validation: filter input
Content Security Policy (CSP): only use resources from trusted sources, enabled by http response header<script>alert('/XSS/');</script><sc<script>ript>alert('/XSS/');</script><img src=1 onerror=alert('/XSS/')>
跨站请求伪造CSRF(Cross Site Request Forgery)
victim visits malicious site and is sent state-changing request to target site by victim’s browser which is authenticated<img src="target.com/do?method=delete" />
both GET and POST can work
session cookie: in the process of browser; third-party cookie: in local disk with expire time
Prevent: verification code, referrer header, token
点击劫持(ClickJacking)
Transparent iframe is covered on the original content
图片覆盖,拖拽劫持,触屏劫持(TapJacking)
HTML5安全
新标签: <video>, <audio>, <canvas>
Server
SQL注入(SQL Injection)
Inject SQL commands which DB will executeSELECT * FROM table WHERE column = xxx OR 1 = 1
测试是否存在注入 -> 获取SQL语句格式 -> 获取数据库名,表名,字段名
Blind Injection: No result of query from DB, brute force to validate DB information(布尔判断或时间延迟)
存储过程(Stored Procedure): User-defined function
Prevent: parameterized(PreparedStatement), PDO(PHP Data Object), check data type
文件上传(File Upload)
Upload web script which is resolved by server and get webshell authority
%00截断: file.php%00.jpg
Prevent: non-executable upload directory, check file type and header
文件包含(File Inclusion)
include(); require();
包含的文件直接显示或作为代码执行: 本地文件包含(LFI),远程文件包含(RFI)
变量覆盖漏洞
认证(Authentication)与授权(Authorization)
认证作为授权的根据
多因素认证
Rainbow Table: MD5 -> 明文,使用md5(password + salt)防御
Session(会话) ID加密后保存在cookie中
垂直权限管理: Role Based Access Control; 水平权限管理: Same Role
加密
分组加密: 分组(ECB模式)或迭代(CBC模式)
流加密: 每个字节操作
密钥不要硬编码在代码里,应保存在配置文件或数据库中
不要使用弱伪随机数
分布式拒绝服务(Distributed Denial of Service, DDoS)
网络层DDOS: 伪造IP地址发送大量SYN包,服务器不断对这些IP重发SYN+ACK,消耗资源
应用层DDOS: 对消耗资源的页面发起大量正常请求
解析正则表达式也可能会消耗大量资源
Prevent: 性能优化,限制请求频率,验证码
Web Server
独立低权限用户,及时同步访问日志
产品、业务与运营
安全是产品的一个特性
钓鱼(Phishing): 高仿网站,骗取用户账户密码
发件人邮箱可以被伪造
黑色产业链: 挂马钓鱼盗取游戏、网银账号,垃圾注册,利用用户隐私诈骗
安全开发流程(Security Development Lifecycle)
立项阶段与项目经理充分沟通,将安全方案写入开发规范
模糊测试(Fuzzing Test): 输入随机数据检测程序漏洞
安全是一个持续的过程: 漏洞修补,安全监控,入侵检测,应急响应(Security Response Center)