Understanding CGI and SQL security from the ground up
This question is for learning purposes. Suppose I am writing a simple SQL admin console using CGI and Python. At http://something.com/admin, this admin console should allow me to modify a SQL database (i.e., create and modify tables, and create and modify records) using an ordinary form.
- In the least secure case, anybody can access http://something.com/admin and modify the database.
- You can password protect http://something.com/admin. But once you start using the admin console, information is still transmitted in plain text.
- So then you use HTTPS to secure the transmitted data.
Questions:
- To describe to a learner, how would you incrementally add security to the least secure environment in order to make it most secure? How would you modify/augment my three (possibly erroneous) steps above?
- What basic tools in Python make your steps possible?
- Optional: Now that I understand the process, how do sophisticated libraries and frameworks inherently achieve this level of security?
Comments (3)
Security is not a patch job, it's a holistic approach.
Incrementally adding security is not a good idea. You should integrate security in your application from the ground up.
The best advice I can give you is to try to think like an attacker. Think to yourself: "If I wanted to do something I'm not supposed to be able to do, how would I do it?"
If you're designing an application which uses a database, be careful not to allow SQL injection. You should also be aware of some of the most popular web vulnerabilities if you're making a web app.
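As an added illustration of the SQL injection point made in this answer (example code written for this page, not code from the original post or its author), the following shows what "careful" means for the console described in the question: a record-lookup form and a record-edit form, each in the vulnerable string-pasting form and the parameterized form, plus an allowlist for the one thing parameters cannot protect, the table name. The table, rows and form values are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the console's real database:
# the table, the rows and the form values below are all made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

# The "before": form fields are pasted into the query text, so a value
# such as  ' OR '1'='1  rewrites the WHERE clause instead of matching a name.
def find_user_vulnerable(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

# The "after": the value travels as a bound parameter and is never parsed as SQL.
def find_user_safe(conn, name):
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Same problem on a record-edit form: an "id" of  2 OR 1=1  turns
# "change bob's role" into "change everyone's role".
def set_role_vulnerable(conn, user_id, role):
    sql = "UPDATE users SET role = '%s' WHERE id = %s" % (role, user_id)
    conn.execute(sql)
    conn.commit()

# Validate the type first (int() rejects anything that is not a number),
# then bind both values as parameters.
def set_role_safe(conn, user_id, role):
    uid = int(user_id)  # raises ValueError on "2 OR 1=1"
    conn.execute("UPDATE users SET role = ? WHERE id = ?", (role, uid))
    conn.commit()

def count_role(conn, role):
    sql = "SELECT COUNT(*) FROM users WHERE role = ?"
    return conn.execute(sql, (role,)).fetchone()[0]

# Identifiers (table and column names) cannot be bound as parameters, so a
# console that lets the operator pick a table must check the name against an
# allowlist and quote it, rather than splice it in.
ALLOWED_TABLES = {"users"}

def quoted_table(name):
    if name not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % name)
    return '"%s"' % name.replace('"', '""')

def count_rows(conn, table):
    sql = "SELECT COUNT(*) FROM %s" % quoted_table(table)
    return conn.execute(sql).fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, "' OR '1'='1"))  # every row leaks
    print(find_user_safe(conn, "' OR '1'='1"))        # []
```

The same split applies to the "create and modify tables" part of the console: DDL such as `CREATE TABLE` takes identifiers, not values, so it has to be built from an allowlist or a strict identifier pattern; there is no parameter to hide behind.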
Non-specific to Python, but any administrative features that offer that level of control over a system should be protected with both SSL and an Authentication and Authorization mechanism (login) at the very least.
The very first concern I have is protecting against CSRF vulnerabilities. Next I would be concerned with Broken Authentication and Session Management. Most importantly, in order to maintain a secure session you must use HTTPS throughout the entire life of the session. If you were to spill a password or session ID, or even a SQL query, in plain text, that would be a bad thing.
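To put the two previous answers (SSL plus a login mechanism, and CSRF plus session handling over HTTPS) into the standard-library tools the question asks about, here is an added example written for this page, not code from either commenter or from the original post. It uses only `hashlib`, `hmac`, `secrets` and `http.cookies`. Two assumptions are marked in the code: the CGI server exports `HTTPS=on` for TLS requests (as Apache does), and the session table is a module-level dict, which a real CGI script would have to keep in a file or database because each request runs in a fresh process. The admin account and its password are constructed.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# --- Password handling: store a salted PBKDF2 hash, compare in constant time ---

def hash_password(password, salt=None, iterations=200_000):
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

# Constructed admin account; the password is made up for the example.
USERS = {"admin": hash_password("correct horse battery staple")}

# Server-side session store (assumption: a dict stands in for the file or
# database table a real CGI script would need between requests).
SESSIONS = {}

def is_https(environ):
    # Assumption: the CGI server exports HTTPS=on for TLS requests.
    return environ.get("HTTPS", "").lower() == "on"

def login(environ, username, password):
    """Return a new session id, or None if the login must be refused."""
    if not is_https(environ):  # never accept a password over plaintext
        return None
    record = USERS.get(username)
    if record is None or not verify_password(password, *record):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid

def session_cookie_header(sid):
    """Set-Cookie header that keeps the id off plaintext links and page scripts."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True        # sent only over HTTPS
    c["session"]["httponly"] = True      # not readable from JavaScript
    c["session"]["samesite"] = "Strict"  # not sent on cross-site requests
    c["session"]["path"] = "/admin"
    return c.output()

def csrf_token(sid):
    """Token to embed as a hidden field in every form the console renders."""
    return SESSIONS[sid]["csrf"]

def authorize(environ, cookie_header, method, form):
    """Gate every request: HTTPS, then a live session, then CSRF for POSTs."""
    if not is_https(environ):
        return (False, "https required")
    jar = SimpleCookie(cookie_header or "")
    sid = jar["session"].value if "session" in jar else None
    session = SESSIONS.get(sid)
    if session is None:
        return (False, "login required")
    if method == "POST":
        # The token is tied to the session, so a cross-site form post that
        # rides on the browser's cookie still fails without it.
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
            return (False, "bad csrf token")
    return (True, session["user"])
```

The order of the checks in `authorize` is the order the answers above argue for: refuse plaintext before anything else, then require a session that the server itself issued, then, for any request that changes the database, require the per-session CSRF token the console placed in the form. Frameworks wrap exactly these pieces (hashed passwords, random session ids in Secure/HttpOnly cookies, a CSRF token in every form) behind middleware so that an application cannot forget one of them.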