
    Code Vulnerabilities

    INSECURE CODE PRACTICES
    • Comments in source code
      • Good for developers and technical personnel
      • Bad for keeping secrets: whatever is in a comment ships with the code
    • Lack of error handling
      • Bad things happen - developers don't think of everything
    • Overly verbose error handling
      • Error messages can give too much info
      • Bad error message:
        • "Password invalid for this user" (confirms that the user ID exists)
      • Better error message:
        • "User ID or password is invalid"
    • Hard-coded credentials
      • Happens often - found in both compiled and interpreted code (e.g. with the strings command)
      • Attackers can use the login credentials
    • Race conditions
      • A resource should be validated before it's used
        • E.g. checking that a file is in place
      • TOC/TOU (Time of Check / Time of Use)
        • Gap between checking a condition and using that resource
        • Attackers can influence other events in that gap and affect the operation
    • Unauthorized use of functions / unprotected APIs (Application Programming Interface)
    • Unintended API usage
    • Hidden elements
      • The hidden attribute in HTML and XML only hides an element from the rendered page; the data is still in the source code
    • Code signing
      • Certificates can authenticate the author's identity and ensure integrity
    • Lack of code signing
      • Lack of signing allows attackers to modify code between deployment and execution
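The TOC/TOU gap described above, as an added example that is not part of the original notes: a check-then-use file read beside an open-then-verify version that validates the descriptor it actually holds. Python on a POSIX system is assumed; the `between` hook and the file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

def read_check_then_use(path, between=lambda: None):
    """Vulnerable TOC/TOU pattern: the check (lstat) and the use (open) are two
    separate path lookups, so the object the path names can change in between.
    `between` is a constructed test hook standing in for that gap."""
    if not stat.S_ISREG(os.lstat(path).st_mode):   # time of check
        raise ValueError("not a regular file")
    between()                                       # the race window
    with open(path, "rb") as f:                     # time of use: path resolved again
        return f.read()

def read_open_then_verify(path):
    """Safer pattern: open first (refusing symlinks), then validate the descriptor
    actually held. fstat() describes the object the kernel opened, so there is no
    second lookup whose result could differ from the check."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # check the thing we opened
            raise ValueError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:
        return f.read()

def demo():
    """Constructed scenario (POSIX assumed): a public file and a secret file in a
    temp dir; the public path is swapped for a symlink to the secret inside the gap."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"public data")
        with open(secret, "wb") as f:
            f.write(b"secret data")

        def swap():  # what the gap allows: the path now names the secret
            os.remove(public)
            os.symlink(secret, public)

        leaked = read_check_then_use(public, between=swap)  # check passed, use followed the link
        try:
            read_open_then_verify(public)  # same symlink, refused at open time (ELOOP)
            blocked = False
        except OSError:
            blocked = True
        return {"leaked": leaked, "blocked": blocked}
```

The same open-then-fstat idea applies to any check on a path (ownership, permissions, existence): do the check on the handle you will use, not on the name.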
    QUICK REVIEW
    • Source code comments can provide attackers with valuable insider information
    • Error messages can also provide attackers with guidance on how to proceed with an attack
    • Any software developer shortcut (i.e. laziness) can make an attacker's job easier
    Original article: https://www.cnblogs.com/keepmoving1113/p/13893351.html