
    Code Vulnerabilities

    UNSECURE CODE PRACTICES
    • Comments in source code
      • Good for developers and technical personnel
      • Bad for keeping secrets
    • Lack of error handling
      • Bad things happen - developers don't think of everything
    • Overly verbose error handling
      • Error messages can give too much info
      • Bad error message:
        • "Password invalid for this user"
      • Better error message:
        • "User ID or password is invalid"
    • Hard-coded credentials
      • Happens often, in both compiled and interpreted code; in a compiled binary the credentials can be recovered with the strings command
      • Attackers can use the recovered login credentials
    • Race conditions
      • A resource should be validated before it's used
        • E.g. checking that a file is in place
      • TOCTOU (Time of Check / Time of Use)
        • The gap between checking a condition and using that resource
        • Attackers can influence other events in that gap and affect the operation
    • Unauthorized use of functions / unprotected APIs (Application Programming Interface)
    • Unintended API usage
    • Hidden elements
      • The HIDDEN attribute in XML and HTML only affects display; it doesn't hide data in the source code
    • Code signing
      • Certificates can authenticate the author's identity and ensure integrity
    • Lack of code signing
      • Lack of signing allows attackers to modify code between deployment and execution
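The "bad" and "better" error messages above, side by side in an added example (not code from the original notes). The verbose handler tells the caller whether a user ID exists; the generic handler returns one message and does the same password-hashing work whether or not the user exists, so neither the text nor the response time reveals valid user IDs. The user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac

# Constructed in-memory user store: username -> (salt, PBKDF2 hash).
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"example-salt-16b"
USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}

# Dummy record so an unknown user costs the same hashing work as a known one
# (otherwise a fast "unknown user" response leaks existence via timing).
_DUMMY = (_SALT, _derive("not-a-real-password", _SALT))

GENERIC_ERROR = "User ID or password is invalid"


def login_verbose(username: str, password: str) -> str:
    """Bad: distinct messages confirm which user IDs exist."""
    if username not in USERS:
        return "Unknown user"
    salt, expected = USERS[username]
    if not hmac.compare_digest(_derive(password, salt), expected):
        return "Password invalid for this user"
    return "OK"


def login_generic(username: str, password: str) -> str:
    """Better: one message, and the same work done whether or not the user exists."""
    salt, expected = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_derive(password, salt), expected)
    # The explicit membership check keeps a guess of the dummy password from succeeding.
    if username not in USERS or not ok:
        return GENERIC_ERROR
    return "OK"


def leaks_user_existence(login) -> bool:
    """Review check: does an unknown user get a different response than a known user
    with a wrong password? True means the handler enables user-ID enumeration."""
    return login("mallory", "wrong") != login("alice", "wrong")
```

Run the check against every authentication entry point (login, password reset, registration); any of them that answers differently for unknown and known users undoes the generic message on the login form.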
    QUICK REVIEW
    • Source code comments can provide attackers with valuable insider information
    • Error messages can also give attackers guidance on how to proceed with an attack
    • Any software developer shortcut (i.e. laziness) can make an attacker's job easier
Original article: https://www.cnblogs.com/keepmoving1113/p/13893351.html