web 安全基础(优扬科技).pptxVIP

Why Search, Dig , and Hack ! Content Content Why WEB ? WEB奋起 瘦客户端 浏览器能做什么？还有什么浏览器不能做？ 没有浏览器的电脑？ Internet的新泡沫时代 Why WEB ? 为什么 WEB 是非多 威胁的可叠加特性 Internet 爆炸 二把刀程序员 个人站点：臭美 可用 安全 Why WEB ? 令人绝望的 WEB 2.0 善用？滥用？ Why WEB ? WEB安全大事记 1999 XSS was recognised whisker 1.0 released [ next-generation CGI scanner ] 1998 Phrack 54 NT Web Technology Vulnerabilities [SQL Injection] 2001 OWASP Started Nikto 1.0 released 2003 SQL Slammer OWASP Testing guide WebInspect 3.0 2004 OWASP TOP 10 released 2005 Samy Worm Acunetix scanner released Why WEB ? WEB安全的一点数据 Source : IBM X-Force? 2010 Trend and Risk Report Why WEB ? WEB安全的一点数据 Source : IBM X-Force? 2010 Trend and Risk Report Content HTTP 版本与历史 HTTP/0.9 HTTP/1.0 HTTP/1.1 Year : 1990-1991 简单但不大方 Year : 1996 RFC 1945 过渡版本 持续完善 至今仍被兼容 Year : 1997 RFC 2068 目前最完善版本 持续改进与发展 Source: RFC 2616 结构 (HTTP Request) GET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, application/QVOD, */* Accept-Language: zh-cn UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: Connection: Keep-Alive Cookie: PREF=ID=ab655c79fc00eca5:U=1d1b4a:FF=0:LD=en:NW=1:CR=2:TM=1258614972:LM=1310117743:GM=1:S=3dm6LuBXWmGJn68p; NID=48=FYQN5JhSwChd_pgXNBw9-u6xMkefYb23gg6b24tApMve2lVAdBzX6xVSgeXFhdQM9DtKnHda7Kh_v6WAG_y0QtOukKDuBXOrH7psDHjV31NnI9-Pu8sNcLOHVjGWGhJc; rememberme=false HTTP 结构 (HTTP Request) HTTP Request数据结构概述 METHOD /PATH HTTP/VERISION HEADER1: Content HEADER2: Content HEADER3: Content HEADER4: Content POST DATAs HTTP 结构 (HTTP Request) HTTP Request数据结构概述 GET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg