测试 Web 应用程序中的安全漏洞:最佳实践?

发布于 2024-08-23 09:33:40 字数 1435 浏览 8 评论 0原文

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

梦在深巷 2024-08-30 09:33:40

SQL 注入和 XSS 是程序员最常犯的错误。好消息是,只要您拥有合适的软件,它们最容易自动测试。当我进行渗透测试时,我使用 SitewatchWapiti 用于查找 Web 应用程序漏洞。 Acunetix 价格过高。

但是,您不能只是启动一些自动化工具并期望一切正常。对于您选择的任何漏洞扫描程序,您必须采取一些预防措施。

1) 确保 php.ini 中的 display_errors=On Sql 注入测试依赖于能够在响应页面中看到 mysql 错误消息!没有错误,没有检测到漏洞!

2) 扫描应用程序的经过身份验证的区域。创建专门用于测试的用户帐户。 Acuentix 有一个简单的向导,您可以在其中创建登录序列。如果你使用的是马鹿,你可以给马鹿一个cookie,或者给马鹿一个发布请求来触发,但这有点棘手。

之后您测试了您的应用程序,然后测试您的服务器是否配置错误。
要测试您的服务器,您需要运行 OpenVAS,这是 Nessus 的新的更免费版本,现在是商业版产品。然后您应该使用 PhpSecInfo 来跟进。这些测试将通知您配置问题或您是否正在运行旧的易受攻击的软件。

没有什么是 100% 安全的,永远。无论你做什么,总会有漏洞被漏掉。所有开发平台中都存在漏洞,这些漏洞会导致任何工具都无法测试的妥协。您使用的测试工具也存在错误。存在虚假帖子和漏报,以及一些测试不起作用,这是一个很好的例子,我从未见过真正发现合法漏洞的自动化 CSRF 工具。 Acunetix 的 CSRF 测试完全是浪费时间。

还有 OWASP 测试指南,其中有更详细的信息。不要将其与 OWASP Top 10 混淆,后者是也是一个极好的资源。 PHP 安全指南 对于 PHP 程序员来说也是一个很好的资源。

SQL Injection and XSS are the most common mistakes that programmers make. The good news is that they are easiest to automatically test for, as long as you have the right software. When I am on a pentest I use Sitewatch or Wapiti for finding web application vulnerabilities. Acunetix is over priced.

But, you can't just fire off some automated tool and expect everything to work. There are a number of precautions you must take with ANY vulnerability scanner you choose.

1) make sure display_errors=On in your php.ini Sql Injection tests rely on being able to see mysql error messages in the response pages! No error, no vulnerability detected!

2) Scan the authenticated areas of your application. Create a user account specifically for testing. Acuentix has an easy wizard where you can create a login sequence. If you are using wapiti you can give a cookie to wapiti or give wapiti a post request to fire off but this is kind of tricky.

AFTER you have tested your application then test your server for misconfiguration.
To test your server then you need to run OpenVAS which is the new more free version of Nessus which is now a commercial product. Then you should follow this up with PhpSecInfo. These tests will notify you of problems with your configuration or if you are running old vulnerable software.

Nothing will ever be 100% secure, EVER. No matter what you do there are vulnerabilities that will slip though the cracks. There are vulnerabilities in all development platforms that lead a compromises that no tool can test for. There are also bugs in the testing tools you use. There are false posties and false negatives and some tests that just don't work, a good example i have never seen an automated CSRF tool that actually finds legit vulnerabilities. Acunetix's CSRF test is a complete waste of time.

There is also the OWASP testing guide which goes into greater detail. This is not to be confused with the OWASP Top 10 which is also an excellent resource. The PHP Security Guide is also a great resource for php programmers.

暮凉 2024-08-30 09:33:40

因为我只有 16 岁,所以没有钱聘请安全顾问
你 16 岁并不意味着你没有钱雇人 :D
你不需要雇用任何人。您可以使用许多免费的在线工具来测试 Web 应用程序的漏洞。

  1. 尝试使用http://www.zubrag.com/tools/sql -injection-test.php 测试 SQL 注入漏洞

  2. http://www.parosproxy.org :网络流量记录器、网络蜘蛛、哈希计算器和扫描仪用于测试常见的 Web 应用程序攻击,例如 SQL 注入和跨站脚本攻击

  3. HP WebInspect 软件 [不是免费的] 测试常见的 Web 攻击,例如参数注入、跨站点脚本、目录遍历,[尝试谷歌搜索]

  4. http:// /portswigger.net/suite/Burp Suite 是一个用于攻击 Web 应用程序的集成平台。它包含所有 Burp 工具,它们之间有许多接口,旨在促进和加速攻击应用程序的过程。所有工具共享相同的强大框架,用于处理 HTTP 请求、持久性、身份验证、上游代理、日志记录、警报和可扩展性。

I don't have the money to hire a security consultant since I'm only 16
You are 16 doesn't mean you don't have money to hire :D .
You don't need to hire anybody. There are many free online tools which you can use to test the vulnerability of your web application.

  1. Try using http://www.zubrag.com/tools/sql-injection-test.php to test SQL Injection vulnerability

  2. http://www.parosproxy.org : web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting

  3. HP WebInspect software [ not free ] tests common web attacks such as parameter injection, cross-site scripting, directory traversal, [ try googling it ]

  4. http://portswigger.net/suite/ : Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.

清欢 2024-08-30 09:33:40

你可以看看OWASP

you can take a look at OWASP.

咋地 2024-08-30 09:33:40

使用WebCruiser Web Vulnerability Scanner扫描SQL注入漏洞,WebCruiser不仅是一个Web安全扫描工具,而且还是一个自动SQL注入工具、XPath注入工具、XSS工具。

Use WebCruiser Web Vulnerability Scanner to scan SQL Injection Vulnerabilities, WebCruiser is not only a Web Security Scanning Tool, but also an automatic SQL Injection Tool, an XPath Injection Tool, a XSS Tool.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文