??ν???Web???????
???????????? ???????[ 2014/10/27 14:42:23 ] ??????????????? WEB???? SQL
???????γ????????????????????????????
??????????????????????????????(???????????????? ??:?????????????????????????У??)???м??????????????Σ??????? ?????????????????????????й???????????.
??????????????????????????????(????????)????????????????????????????????????У??????????????????м?????????????????????????????:
?????????????????????FIELD???????????????????Χ(?????????????????????)
?????????????????????????漲???????????????????Χ?????ó???????????????κδ????????????????????.
???????????в????????У?????????????????????????в???.
????2.Cross-site scritping(XSS):(???????????)
????(1)??ν???XSS?????
????<!--[if !supportLists]-->???????????в????????URL???? ?????棬??????棬??????????????? ??????
????<!--[if !supportLists]-->??Σ??????????????????????(??:Javascr??pt??VB scr??pt?? HTML??ActiveX?? Flash)?????в????
????<scr??pt>alert(document.cookie)</scr??pt>
?????????????? ??????????????????????????????????cookie??????????????????XSS?????
?????????????????????????????????????????????ξ?????????????????????????????????cookie???????????? ????????????????????????????????????????
????(2)??????XSS????
????????ó???????????????????????????:
??????Javascr??pt??VB scr??pt?? HTML??ActiveX?? Flash?? ?????????????.
?????? ?????????????????????????(??????????????????:?????????????????????????У??)???м??????????????Σ?????????????????????????? ??????й???????????.
??????????????????????????????????в??????????????????XSS???:
????????????????ж?????????????????????????????? ???Χ????????????????????HTML???????????????塣
??????в????????????????????м?顣
????3.CSRF:(?????α??????)
????CSRF???????????????????XSS??????????XSS??????????????????????????
????XSS???????????????????????CSRF?????α???????????????????????????????ε??????
????XSS????CSRF??????????????????????????????SESSION ?? COOKIES??
????(1)??ν???CSRF?????
????????????????????????????м?顣
????(2)??????CSRF?????
???????????????????
????4.Email Header Injection(?????????)
????Email Header Injection???????????????email??????п??????“subject”???????????????????????subject?????escape??“ ”?????
????<!--[if !supportLists]--><!--[endif]-->???“ ”?????У??????subject??????“hello cc:spamvictim@example.com”????????γ?????
????Subject: hello
????cc: spamvictim@example.com
????<!--[if !supportLists]--><!--[endif]-->???????????????????subject???????????????????????????????????????? ???????????????
????5.Directory Traversal(??????)
??????1????ν??????????????
??????????????????????????????й???????????“../”??“./”?????????????????????????????????????????????????????????????
???????????????URL???????????????“../”??“./”??????????ESCAPE??????Щ?????????
??????2????????????????
????????Web?????????????????
?????? ????????????????????????????·??
????6.exposed error messages(???????)
??????1????ν??в????
?????? ??????Щ??????棬????404????500??檔
????????????δ???????????£??????????????????????????“????????治?? ??”?????????????Щ???????
??????2??????????
??????????????????????????????????? ????????飬?????????????????????????????????????????
???????????????????????漰???????????????????SPASVOС??(021-61079698-8054)?????????????????????????
??????
Web?????????????????Web????????????????Docker Compose???????Web???????WEB?????ΧС??APP??????WEB????WEB???????????????WEB??????APP?????????Web??????????Web????????????Linux?????′?Java Web???????WEB?????ΧWeb?????Χ???Web??????????????HTTP(1)????Э??Web?????е?A/B?????????????????Web??????????Web??????ò?????????
???·???
??????????????????
2023/3/23 14:23:39???д?ò??????????
2023/3/22 16:17:39????????????????????Щ??
2022/6/14 16:14:27??????????????????????????
2021/10/18 15:37:44???????????????
2021/9/17 15:19:29???·???????·
2021/9/14 15:42:25?????????????
2021/5/28 17:25:47??????APP??????????
2021/5/8 17:01:11????????
?????????App Bug???????????????????????Jmeter?????????QC??????APP????????????????app?????е????????jenkins+testng+ant+webdriver??????????????JMeter????HTTP???????Selenium 2.0 WebDriver ??????
sales@spasvo.com