检测 Web 应用程序中的漏洞以及如何继续

发布于 2024-08-20 21:21:29 字数 324 浏览 7 评论 0原文

有哪些方法可以检测 PHP/MySQL Web 应用程序中的漏洞(检查 GET、POST、COOKIE 数组中的某些字符或代码片段/使用具有所有常见漏洞模式的数据库库(如果存在)? ),当检测到时我应该如何处理?

例如,如果有人试图使用 GET 请求方法在我的 PHP/MySQL Web 应用程序中查找 SQL 注入,我是否应该将用户执行的操作存储在数据库中,让应用程序向我发送电子邮件,IP 禁止用户并向他/她显示一条消息“抱歉,我们检测到您的帐户存在有害操作,我们将对其进行审核。您的帐户已被禁用,并且您的 IP 地址可能会禁用某些功能。如果这是一个错误,请-将所有详细信息邮寄给我们。”

谢谢。

What ways are there for detecting exploits in PHP/MySQL web applications (checking for certain characters or pieces of codes in the GET, POST, COOKIE arrays / using a library with a database that has all the patterns for common exploits, if any exist?) and how should I proceed when one is detected?

For example, if someone tried to find a SQL injection in my PHP/MySQL web application using the GET request method, should I store the action performed by the user in the database, have the application send me an e-mail, IP ban the user and display him/her a message "Sorry, but we have detected a harmful action from your account that will be reviewed. Your account has been disabled and certain features may be disabled from your IP address. If this is a mistake, please e-mail us with all the details."

Thanks.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

孤独患者 2024-08-27 21:21:29

我想到三件事:

  1. 防御性编码、清理所有输入、准备 sql 语句并使用 Suhosin
  2. 通过使用 漏洞扫描器 闯入网站来提高网站的安全性,
  3. 使用 入侵检测系统

如果您觉得成熟的 IDS 太多了,请尝试 PHP IDS,因为它几乎可以满足您开箱即用的要求。请注意,在 PHP 级别检测入侵可能已经为时已晚,无法阻止攻击。

如果入侵成功,我想你最好的选择就是让服务器离线,看看造成了什么损害。如果您需要收集合法可用的证据,您可能必须考虑雇用某人对机器进行取证分析。

如果您觉得需要对不成功的入侵尝试做出反应并获取恶意用户的 IP,请找出 ISP 并告知他尽可能多的入侵尝试的详细信息。大多数 ISP 都有针对这些案件的滥用联系人。

Three things come to mind:

  1. defensive coding, sanitize all input, prepare sql statements and use Suhosin
  2. increase security of your site by breaking into it with a vulnerability scanner
  3. log hacking attemtps with an Intrusion Detection System

If you feel a full fledged IDS is too much, try PHP IDS, as it does pretty much what you are asking for out of the box. Note that detecting intrusions at the PHP level might already be too late though to prevent an attack.

In case of a successful intrusion, I guess your best bet is taking the server offline and see what damage was done. You might have to consider hiring someone to do a forensic analysis of the machine in case you need to collect legally usable evidence.

If you feel you need to react to unsuccessful intrusion attempts and got the malicious user's IP, find out the ISP and inform him with as much details of the intrusion attempt as possible. Most ISPs have an abuse contact for these cases.

ㄟ。诗瑗 2024-08-27 21:21:29

你的问题是双重的,我将回答第二部分。

记录所有内容,但不禁止或显示任何消息。万一误报,那就尴尬了。作为一般规则,尝试构建一个可以毫无问题地处理任何类型的用户输入的应用程序。

Your question is twofold and I'll answer the second part.

Log everything but do not ban or display any message. It will be embarrassing in case of a false positive. As a general rule, try to build an application that can deal with any sort of user input without a problem.

同展鸳鸯锦 2024-08-27 21:21:29

只需在所有 $_REQUEST 和 $_COOKIE 变量上使用 strip_tags() 来处理这些变量中显示的代码,至于 SQL,您可能必须编写类似查询的正则表达式或其他内容,但这不应该是一个问题,因为您应该始终 mysql_real_escape_string($str) 查询中的所有变量。不过尝试一下这样的事情。

function look_for_code_and_mail_admin($str) {
    $allowed_tags = "<a>,<br>,<p>";
    if($str != strip_tags($str, $allowed_tags)) {
        $send_email_to = "[email protected]";
        $subject = "some subject";
        $body = "email body";
        mail($send_email_to,$subject,$body);   
    }
    return($str);
}

just use strip_tags() on all $_REQUEST and $_COOKIE vars to take care of code showing up in these vars, as for SQL you would have to maybe write up a query-like regex or something, but this shouldnt be an issue as you should always mysql_real_escape_string($str) all variables in your queries. try something like this though.

function look_for_code_and_mail_admin($str) {
    $allowed_tags = "<a>,<br>,<p>";
    if($str != strip_tags($str, $allowed_tags)) {
        $send_email_to = "[email protected]";
        $subject = "some subject";
        $body = "email body";
        mail($send_email_to,$subject,$body);   
    }
    return($str);
}
最美不过初阳 2024-08-27 21:21:29

嗯,我不记得上次看到一个尝试记录我无法渗透的 SQL 注入攻击的网站是什么时候了。

您无需担心有人攻击该网站的天气,因为它充其量是主观的,关于是否遭受攻击。如果站点对某些值进行 Base64 编码并在使用之前对其进行解码会怎样?您的 IDS不会捕捉到这一点。如果用户想要发布一段代码,由于它包含 SQL 而被检测为漏洞怎么办?这太浪费时间了...如果您确实需要知道是否有人在攻击您,只需在一台单独的计算机上安装一些IDS,并对传入流量进行只读访问...我说的是单独的计算机,因为许多 IDS 本身就很脆弱,而且只会让情况变得更糟。

使用标准安全编程方法,使用参数化 SQL 查询或 ORM。

Um, I can't remember the last time I've seen a site that tries to log SQL injection attacks that I wasn't able to penetrate..

You don't need to worry about weather someone is attacking the site, as it is subjective at best as to weather something is an attack or not. What if the site base64 encodes some values and decodes them before it uses it? Your IDS is not going to catch that. What if a user wants to post a snippet of code, it gets detected as an exploit because it contains SQL? This is such a waste of time... If you really need to know if someone's attacking you, just install some IDS on a seperate machine with readonly access to the incoming traffic.. I say seperate machine, because many IDS are vulnerable themselves, and will only make the situation worse.

Use standard secure programming methodologies, use paramaterized SQL queries or an ORM.

初见 2024-08-27 21:21:29

对我来说,电子邮件和其他一切工作似乎太多了。除此之外,我喜欢在我常用的网站上跑来跑去,尝试找到可注入点,这样我就可以警告管理员。你会因此禁止我的 IP 吗?

我建议您自己寻找可利用的部分并在必要时进行消毒。 Acunetix 为此提供了一个非常非常好的程序。如果您不想花大价钱购买 Acunetix,您可能需要研究一些非常好的 Firefox 插件,称为 XSS Me 和 SQL Inject me。

Seems like too much work with the email bit and everything to me. Aside from that, I like to run around on sites I commonly use and try to find injectable points so I can warn the administrator about it. Would you IP ban me for that?

I suggest hunting down the exploitable parts yourself and sanitizing where necessary. Acunetix has a very very good program for that. If you don't feel like shelling out the giant price for Acunetix, there are some very good firefox addons called XSS Me and SQL Inject me you might want to look into.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文