
    Code Vulnerabilities

    INSECURE CODE PRACTICES
    • Comments in source code
      • Good for developers and technical personnel
      • Bad for keeping secrets
    • Lack of error handling
      • Bad things happen - developers don't think of everything
    • Overly verbose error handling
      • Error messages can give too much info
      • Bad error message:
        • "Password invalid for this user" (confirms that the user ID exists)
      • Better error message:
        • "User ID or password is invalid"
    • Hard-coded credentials
      • Happens often, in both compiled and interpreted code (the strings command can pull them out of a binary)
      • Attackers can use the login credentials
    • Race conditions
      • Resource should be validated before it's used
        • E.g. checking that a file is in place
      • TOCTOU (Time of Check / Time of Use)
        • Gap between checking a condition and using that resource
        • Attackers can influence other events in that gap and affect operation
    • Unauthorized use of functions / unprotected APIs (Application Programming Interface)
    • Unintended API usage
    • Hidden elements
      • HIDDEN attribute in XML and HTML (doesn't hide data in the source code)
    • Code signing
      • Certificates can authenticate the author's identity and ensure integrity
    • Lack of code signing
      • Lack of signing allows attackers to modify code between deployment and execution
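The TOCTOU item above in working form, as an added example that is not part of the original notes: a check-then-use file write beside its atomic replacement, with a constructed scenario (a hypothetical `in_the_gap` hook standing in for the race window) that turns the output path into a symlink between the check and the use.

```python
import os
import tempfile

def write_new_file_vulnerable(path, data, in_the_gap=None):
    """Check-then-use: the existence check and the open are separate system
    calls, so the filesystem can change between them (the TOCTOU window)."""
    if os.path.exists(path):
        return False                      # refuse to overwrite an existing file
    if in_the_gap is not None:
        in_the_gap()                      # stands in for the race window
    with open(path, "w") as fh:           # path may now be a symlink elsewhere
        fh.write(data)
    return True

def write_new_file_safe(path, data, in_the_gap=None):
    """Atomic create: O_CREAT|O_EXCL makes the kernel check and create in one
    step, and it fails with EEXIST even when the path is a symlink."""
    if in_the_gap is not None:
        in_the_gap()                      # same interference, now harmless
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True

def run_scenario(writer):
    """Constructed scenario: a protected file, plus an output path that an
    interfering process turns into a symlink inside the race window.
    Returns (whether the writer wrote, contents of the protected file)."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected.txt")
        out = os.path.join(tmp, "report.txt")
        with open(protected, "w") as fh:
            fh.write("original")

        def redirect_output():
            os.symlink(protected, out)    # after the check, before the use

        wrote = writer(out, "new data", in_the_gap=redirect_output)
        with open(protected) as fh:
            return wrote, fh.read()

if __name__ == "__main__":
    print(run_scenario(write_new_file_vulnerable))  # (True, 'new data')
    print(run_scenario(write_new_file_safe))        # (False, 'original')
```

The vulnerable writer follows the planted symlink and clobbers the protected file; the O_EXCL version refuses and leaves it untouched.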
    QUICK REVIEW
    • Source code comments can provide attackers with valuable insider information
    • Error messages can also provide attackers with guidance on how to proceed with an attack
    • Any software developer shortcuts (i.e. laziness) can make an attacker's job easier
  • Original article: https://www.cnblogs.com/keepmoving1113/p/13893351.html