??谓???Web???????
???????????? ???????[ 2014/10/27 14:42:23 ] ??????????????? WEB???? SQL
???????纬????????????????????????????
??????????????????????????????(???????????????? ??:?????????????????????????校??)???屑??????????????危??????? ?????????????????????????泄???????????.
??????????????????????????????(????????)????????????????????????????????????校??????????????????屑?????????????????????????????:
?????????????????????FIELD???????????????????围(?????????????????????)
?????????????????????????婕�???????????????????围?????贸???????????????魏未????????????????????.
???????????胁????????校?????????????????????????胁???.
????2.Cross-site scripting(XSS):(???????????)
????(1)??谓???XSS?????
???????????????胁????????URL???? ?????妫�??????妫�??????????????? ??????
??????危??????????????????????(??:Javascript??VB script?? HTML??ActiveX?? Flash)?????胁????
????<script>alert(document.cookie)</script>
?????????????? ??????????????????????????????????cookie??????????????????XSS?????
?????????????????????????????????????????????尉?????????????????????????????????cookie???????????? ????????????????????????????????????????
????(2)??????XSS????
????????贸???????????????????????????:
??????Javascript??VB script?? HTML??ActiveX?? Flash?? ?????????????.
?????? ?????????????????????????(??????????????????:?????????????????????????校??)???屑??????????????危?????????????????????????? ??????泄???????????.
??????????????????????????????????胁??????????????????XSS???:
????????????????卸?????????????????????????????? ???围????????????????????HTML???????????????濉�
??????胁????????????????????屑?椤�
????3.CSRF:(?????伪??????)
????CSRF???????????????????XSS??????????XSS??????????????????????????
????XSS???????????????????????CSRF?????伪???????????????????????????????蔚??????
????XSS????CSRF??????????????????????????????SESSION ?? COOKIES??
????(1)??谓???CSRF?????
????????????????????????????屑?椤�
????(2)??????CSRF?????
???????????????????
????4.Email Header Injection(?????????)
????Email Header Injection???????????????email??????锌??????“subject”???????????????????????subject?????escape??“ ”?????
???????“ ”?????校??????subject??????“hello cc:spamvictim@example.com”????????纬?????
????Subject: hello
????cc: spamvictim@example.com
???????????????????????subject???????????????????????????????????????? ???????????????
????5.Directory Traversal(??????)
??????1????谓??????????????
??????????????????????????????泄???????????“../”??“./”?????????????????????????????????????????????????????????????
???????????????URL???????????????“../”??“./”??????????ESCAPE??????些?????????
??????2????????????????
????????Web?????????????????
?????? ????????????????????????????路??
????6.exposed error messages(???????)
??????1????谓??胁????
?????? ??????些??????妫�????404????500??妾�
????????????未???????????锟�??????????????????????????“????????娌�?? ??”?????????????些???????
??????2??????????
??????????????????????????????????? ????????椋�?????????????????????????????????????????
???????????????????????婕�???????????????????SPASVO小??(021-61079698-8054)?????????????????????????
??????