How do I scan/fuzz my code for vulnerabilities?
I'm looking for an automated way to fuzz my app or scan it for vulnerabilities. Please assume that my hacking knowledge is 0. Also the source is on my localhost so I need a way to fuzz it locally without relying on an internet connection. Can some security experts give me some hints or recommendations? I'm not sure what options are best.
Edit:
Thanks for the effort to answer, but none so far seems to get the point. I'd like to be more specific (because it helps the question) but without influencing opinions or sounding like I'm advertising a specific product. I'm looking for something like wapiti (sorry to mention names, but had to, because answers so far like learn about sql injections, xss etc. are obviously not real "expert" answers to this question. I already know about these (seriously, does this question sound like it could be asked by someone who doesn't know salt about security?)
I'm not asking whether I should test, I'm asking how I should test. I already decided to incorporate automation (and there's no turning back in this decision unless someone gives me an expert answer that proves it useless), so please respect my decision that I'd like to automate. I don't want to go through every compiled xss, sql injection, etc. hack list and try it manually myself against my site (even hackers don't hack that way). Super extra points to anyone who gets the question.
Some people are asking why not just learn.
Best practices (which I know) are not the same as knowing hacking. Some people want to argue they're a flip-coin, but I definitely don't agree :) hence I need a protection tool by someone with the "hacker mentality". How is that going to hurt, in fact, you should try it too ;) Expert answers please from those who know.
There are services that will do automated scans for vulnerabilities. They will not catch everything, but will help you identify problems. Your best bet is to use one of these services and LEARN SOME SECURITY best practices.
Start learning about SQL injection and cross-site scripting. These are the biggest and easiest-to-fix vulnerabilities.
Programming defensively is a skill that IMHO every programmer should learn.
There is no substitute for understanding these issues on your own.
To strictly answer your question, the way you should test is by using a tool. There are two main types of tools you can use: a security scanner, which actively probes a running website, or a static analysis tool, which runs on the source code you use to build your webapp.
The short answer is you want a security scanning tool like wapiti or burp. Tools like these dynamically construct and execute security tests uniquely for your site. You could manually attempt to exploit your own site but that would take lots of time and not provide any value. It would be useless for you to go through a list of known xss or sql injection issues because each issue is unique to the site it applies to. Furthermore these tools can attack your site better than you can, giving you a more rigorous security stress test.
There are two main types of tools you can use, static analysis tools and dynamic analysis tools. Static analysis tools read in your source code, figure out the way the data flows through the app and look for security issues. At their root most security issues are allowing a user to control some data that flows into an inappropriate part of an application, so even though the app isn't running and you rub up against the halting problem, the static analysis method of "guessing" and trying out each code path can yield good results. Static analysis tools are language dependent and most are expensive. Some free ones are FxCop (C#), PMD and FindBugs (Java); see http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Dynamic analysis tools (more commonly just called "security scanners") require you to set up your webapp so the tool can run tests against it; this sounds more like what you want. My favorite tool here is burp; some free ones include wapiti, which is good as well. These tools will look at how your app handles data, look for inputs and fill them with malicious data in an attempt to trigger vulnerabilities. An example test would be for testing reflected cross-site scripting: the scanner would look at a page and insert javascript into every query string value, cookie value, form value etc. and then render the page to see if the malicious javascript was echoed back to the page.
You likely don't need or want a fuzzer. Fuzzing tools mostly help you when there is a lot of parsing code, so a fuzzer is not the best fit for a webapp, whereas it would be a good fit for a protocol you are making. There are limited fuzzing capabilities in the security scanner tools listed above and you probably don't need more than this. Fuzzers also take time to build. Fuzzers often find more stuff in C/C++ code because there are fewer libraries built in already doing the right thing; in the webapp case there is less "room for fuzzers to play", so to speak.
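The reflected-input check this answer describes, as an added example that is not part of the original answer or of any scanner named here: it probes each query parameter of a small constructed WSGI app with a unique marker and reports which parameters echo the marker back without HTML encoding (the demo app, `demo_app`, and its parameter names are assumptions for the example).

```python
"""Minimal reflected-parameter check in the style of a dynamic scanner."""
import html
import uuid
from urllib.parse import urlencode, parse_qs
from wsgiref.util import setup_testing_defaults


def demo_app(environ, start_response):
    """Constructed test target: 'q' is reflected raw, 'name' is escaped."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    q = params.get("q", [""])[0]
    name = params.get("name", [""])[0]
    body = f"<h1>Results for {q}</h1><p>Hello {html.escape(name)}</p>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def _get(app, query):
    """Call a WSGI app in-process (no network) and return the body as text."""
    environ = {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query
    chunks = app(environ, lambda status, headers: None)
    return b"".join(chunks).decode("utf-8")


def find_reflected_params(app, param_names):
    """Return the parameters whose probe value comes back unencoded.

    The probe wraps a random marker in characters that any HTML encoding
    must change ('"', '<', '>'), so finding the probe verbatim in the
    response means the value reached the page without output encoding.
    A marker that comes back encoded (e.g. '&lt;...&gt;') is not reported.
    """
    findings = []
    for name in param_names:
        marker = uuid.uuid4().hex[:12]
        probe = f'"<{marker}>'
        query = urlencode({n: (probe if n == name else "x") for n in param_names})
        if probe in _get(app, query):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(find_reflected_params(demo_app, ["q", "name"]))  # ['q']
```

A real scanner does the same for cookies, headers and form fields and follows the site's links to discover the parameters; this block only covers the query string of one handler.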
Before you go crazy on automation (which will likely yield results you probably won't understand), I'd suggest that you read up on writing secure code instead and learn to identify the things you are doing wrong. Here are some tutorials to get you started:
http://php.net/manual/en/security.php
Failing that, I'd suggest outsourcing your code to a security firm if you can afford it.
Good luck!
Provided you know C, you can work with SPIKE. It's always good to do a manual check for overflows in anything that could conceivably be touched by an end-user, the usual %x%x%x tests for format string attacks, and just to be diligent in your static analysis.
PeachFuzz and SPIKE are both well documented.
Failing that, writing your own is trivial.
Knowing what fuzzing is and how you may want to approach does not necessarily lead to the skills necessary to thoroughly test and evaluate your software for vulnerabilities and flaws. You need to use automated testing, but in a tuned manner where you modify the testing that the tool is doing as you find new input paths, interactions, and so on.
Basically, what I'm saying is that you need to know what you are doing if you want this to be a real value add. You cannot just pick a tool, run it, and expect to get good results. You need someone who does this type of testing to work either with or for you. Tools are useful, but can only produce useful results when used by someone skilled in this art.
I've used Paros - http://www.parosproxy.org/ - it's free, easy to use and displays both the cause of the error, the possible fix and how to replicate it (usually a link).
It's easy to configure and spiders your entire site - it can also spider local installations.
It has a GUI as well.
It's old, but it's good and easy.
I tried to configure WAPITI but it was simply too hard for me.
I've been researching this topic for many years for my own application and found a fantastic tool recently which was based on PAROS (see my other answer above).
It's ZAP from OWASP and is the duck's nuts.
One of the best things you can do is integrate ZAP into your project automation / build so whenever you do a build the test runs.
Even better, you can sit it next to your Selenium automated tests to 'collect' the pages you test, then......scan the hell out of them!
It's really well documented, but you'll need a fast PC as it runs hundreds of tests per page. If you're doing a whole site it can take some time.
There are some other tools you might want to consider.
I found this tool....scarily easy to use and very very comprehensive.
Whenever I got what I thought was a 'false positive' with ZAP, I'd scan the page with SQLmap (you gotta figure out how to use Python - it's easy, took a couple of hours) and SQLmap would either verify the false positive or find the vulnerability.