WEB安全性-2010_OWASP_TOP10
OWASP 10要素增强Web应用程序安全
OWASP 10要素增强Web应用程序安全随着Web应用程序的增多,随之而来的就是这些Web应用程序所带来的安全漏洞。
不遵从规范化的编码指导,会使企业、员工以及企业的客户面对严重的安全风险,遭到各种恶意攻击。
我们将向大家介绍Open Web Application Security Project (开放式Web应用程序安全项目,OWASP) 10要素,以及OWASP建议大家在软件开发生命周期中应该嵌入的标准化方法。
商业风险现在的企业都在向客户提供通过浏览器访问企业信息的功能,同时集成Web服务的应用程序也越来越多,这些都导致企业所面临的风险不断增加。
这并不代表开发人员没有认真的对待程序开发工作,只是当Web应用程序的数量越来越多,其潜在的隐患也会越来越频繁的暴露在互联网下。
根据OWASP的观点:“当企业发布了一个Web应用程序,它们就是在邀请全球的网民向其发送HTTP请求。
而攻击内容也可以随着这些正常的HTTP请求穿过防火墙,过滤系统,系统平台上的安全措施以及网络中的入侵检测系统,而不被企业所发现。
这意味着企业的Web应用程序代码本身就是企业安全围墙的一部分。
随着企业所采用的Web应用程序数量和复杂度的增加,企业的安全围墙将更多的暴露在网络中。
”目前,企业所开发的很多新应用程序都是Web应用程序。
另外,Web服务也越来越频繁的被用来集成Web应用程序或与Web应用程序进行交互。
所带来的问题就是,Web应用程序和服务的增长已经超越了程序开发人员所接受的安全培训以及安全意识的范围。
随着存在安全隐患的Web应用程序数量的增长,OWASP也总结出了Web应用程序的十大脆弱点。
在这个10要素列表中,不但包括了Web应用程序的脆弱性介绍,还包括了OWASP的建议内容,帮助程序开发人员和企业尽量避免这些脆弱点给企业系统带来的风险。
OWASP 10要素中还包括了一个指南,帮助企业决定该如何向客户提供信息。
比如联邦贸易委员会(FTC)就在2003年1月的商业案例文档中将这个列表作为了信息安全的参考内容。
OWASP TOP 10
OWASP TOP 10 20201)注入2)失效身份认证和会话管理3)敏感信息泄露4)XML外部实体注入攻击(XXE)5)访问控制中断6)安全性错误配置7)跨站脚本攻击(XSS)8)不安全的反序列化9)使用具有已知漏洞的组件10)日志记录和监控不足注入当攻击者将无效的数据发送给web应用程序来让其执行为设计的操作,就会发生代码注入问题。
此安全漏洞最常见的示例便是使用不受信任数据的SQL查询,代码注入漏洞的核心是缺乏对web应用程序使用的数据的验证和清理。
任何接收参数作为输入的内容都可能受到代码注入攻击。
危害:注入可以使数据丢失或者被破坏掉,并且缺乏可审计性或者拒绝服务。
注入漏洞有时甚至可导致完全接管主机。
防御方法:1)首选方法是使用安全的API接口,该API避免完全使用解释器,或者说提供参数化的接口或迁移为使用对象关系映射工具(ORM)。
注意:即使说你参数化了,但是如果PL/SQL或者T-SQL连接查询和数据,或者说使用EXCLUTE IMMEDIATE 或者exec()执行恶意数据,则存储过程仍然可以引入SQL注入。
2)使用肯定或“白名单”服务器端输入验证,由于许多应用程序都需要特殊字符,例如文本区域或者移动应用程序的API,因此这并不是一个完整的防御措施3)对于任何残留的动态查询,请使用该解释程序的特定转义语义来转义特殊字符,注意,表名(table),列名(column)等SQL结构无法转义,因此用户提供的结构名很危险,这是报表编写软件中的常见问题4)在查询中使用limit和其他SQL控件可防止SQL注入的情况下大量泄露记录总结:数据和web引用程序逻辑要分离实施限制,以在成功进行注入攻击的情况下限制数据公开失效的身份验证和会话管理身份验证漏洞可能让攻击者能尝试控制他们在系统中想要的任何账户,甚至更遭的是,获得对系统的完全控制,身份验证和会话管理失效通常是指在应用程序身份验证机制上发生的逻辑问题,例如恶意行为者脑力破解系统中的有效用户。
十大web安全扫描工具
⼗⼤web安全扫描⼯具01 – UnhideUnhide 是⼀个查寻隐藏了进程和端⼝的Rootkits/LKMs或其它隐藏技术的探测鉴定⼯具。
Unhide可以运⾏于linux/Unix和windows系统。
评论:“⾮常完整好⽤的⼯具.轻松找到隐藏⽂件和端⼝等”“linux 系统⾥找容易程序的⼯具,怒赞!”“基于unix的系统⾥,查找rootkits的好⼯具”02 – OWASP ZAP – Zed Attack Proxy ProjectZed Attack Proxy (ZAP)是⼀个简单易⽤的集成渗透测试⼯具,专门扫描⽹站漏洞。
Zed Attack Proxy是⼀款⽹站应⽤程序漏洞扫描⼯具,它是专为有多年安全经验的⼈员来设计的,当然对于开发⼈员和功能性测试⼈员,Zed Attack Proxy也是不⼆之选。
设计的思路是不管安全从业经验深浅的⼈都可以⽤,并且这个产品的开发和测试都是渗透⾏业新⼈ZAP提供了⾃动化扫描的同时,也⽀持⼿动查找漏洞。
评论:“开源易⽤覆盖⼴”“每周更新,简单易⽤”“稳定,经常改进。
可视化好,并且⽀持WebSockets”3 – LynisLynis是⼀款安全审计⼯具,⽤来测试和收集基于Unix的系统的安全信息。
这款⼯具的使⽤者是安全和系统审计⼈员,⽹络专家和系统运维。
Lynis在系统上执⾏深度本地扫描,因此⽐基于⽹络的漏洞扫描更加深⼊。
通过bootloader开始,直到安装⽂件包。
分析之后,他向管理员展⽰扫描结果,包括系统加固⽅案。
评论:“帮我加固系统很多次,真爱!”“很棒的审计⼯具!简单且免费”“有助于快速达到安全”04 – BeEF – The Browser Exploitation FrameworkBeEF 是The Browser Exploitation Framework的简写。
他是⼀款针对web浏览器的渗透⼯具针对客户端的攻击与⽇俱增,包括移动客户端。
OWASPTOP10
OWASPTOP10学习备份TOP1-注⼊简单来说,注⼊往往是应⽤程序缺少对输⼊进⾏安全型检查所引起的,攻击者把⼀些包含指令的数据发送给解释器,解释器会把收到的数据转换成指令执⾏。
常见的注⼊包括sql注⼊,--os-shell,LDAP(轻量),xpath(XPath即为XML路径语⾔,它是⼀种⽤来确定(的⼦集)⽂档中某部分位置的语⾔),HQL注⼊等。
危害如下:注⼊可以导致数据丢失或被破坏,缺乏可审计性或拒绝服务。
注⼊漏洞有时甚⾄可导致完全接管主机如何防范:1.使⽤安全的API,避免使⽤解释器2.对输⼊的特殊的字符进⾏ESCAPE转义处理例⼦:LIKE '%M%' ESCAPE ‘M’使⽤ESCAPE关键字定义了转义字符“M”,告诉DBMS将搜索字符串“%M%”中的第⼆个百分符(%)作为实际值,⽽不是通配符3.使⽤⽩名单来规范化的输⼊验证⽅法TOP2-失效的⾝份认证和会话管理与认证和会话管理相关的应⽤程序功能往往得不到正确实施,导致了攻击者可以破坏密码,密钥,会话令牌或实施漏洞冒充其他⽤户⾝份危害如下:这些漏洞可能导致部分甚⾄全部账户遭受攻击,⼀旦攻击成功,攻击者就能执⾏合法的任何操作如何防范:1.使⽤内置的会话管理功能2.通过认证的问候3.使⽤单⼀的⼊⼝点4.确保在⼀开始登录SSL保护的⽹页TOP3-跨站XSS跨站脚本是最普遍的web应⽤安全漏洞。
当应⽤程序在发送给浏览器的页⾯中包含⽤户提供的数据,但没有经过适当验证和转义,就会导致跨站危害如下:攻击者在受害者浏览器中执⾏脚本以劫持⽤户会话,插⼊恶意内容,重定向⽤户,使⽤恶意软件劫持⽤户浏览器等种类:存储型,反射型,DOM型如何防范:1.验证输⼊2.编码输出(⽤来确保输⼊的字符被视为数据,⽽不是作为html被浏览器所解析)TOP4-不安全的对象直接引⽤意指⼀个已经授权的⽤户通过更改访问时的⼀个参数,从⽽访问到原本其并没有得到授权的对象危害如下:这种漏洞可以损坏参数所引⽤的所有数据如何防范:1.使⽤基于⽤户或会话的间接对象访问,这样可防⽌攻击者直接攻击为授权资源2.访问检查:对任何来⾃不受信源所使⽤的所有对象进⾏访问控制检查3.避免在url或⽹页中直接引⽤内部⽂件名或数据库关键字4.验证⽤户输⼊和url请求,拒绝包含./ ../的请求TOP5-伪造跨站请求(CSRF)跨站请求伪造,利⽤了⽹站允许攻击者预测特定操作所有细节这⼀特点。
WEB常见网络安全漏洞讲解
可以插入SQL语句并执行
TOP-1 注入
漏洞案例
应用程序在下面存在漏洞的 SQL语句的构造中使用不可信数据: String query = " SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'";
TOP-1 注入 防范
1 参数校验:
传递的参数做校验,如果不合法,直接拒绝请求。 1.1 如果是数字类型,判断是否为数字,如果不是,直接拒绝请求 1.2 如果有格式的类型(比如 日期,email,电话,身份证号码等等),判断是非符合格式,如果不符合格式,拒绝请求。 1.3 如果是字符串类型,没有特殊的格式,需要对字符串长度做校验,如果长度大于数据库该字段的定义长度,直接拒绝请求。
3数据库权限做限制
3.1 不能对业务账号开 select information_schema 权限。因为一旦某个漏洞被成功注入,information_schema库暴露所有库, 所有表,字段的定义。给sql注入者提供了便利,,, 注入者不需要猜测表结构,就能轻松获取所有表的定义,进而轻松获取所有 表的数据
攻击者在浏览器中将“ id ”参数的值修改成 10000’ or ’1’=’1。 如: /app/accountView?id= 10000’ or ’1’=’1 这样查询语句的意义就变成了从 accounts表中返回所有的记录。
SELECT * FROM accounts WHERE custID‘= 1000‘0 ;
Web安全OWASP Top 10
A p p l i c a t i o n S e c u r i t y T r a i n i n g OWASP TOP 10 SECURITY ISSUESAgendaMost Common Application Security MistakesQ/AWhat’s OWASP ?The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of softwareAll of their materials are available under a free and open software licenseOWASP TOP 10 SECURITY ISSUESA1InjectionA2Broken Authentication & Session Management A3Cross-Site Scripting (XSS)A4Insecure Direct Object ReferencesA5Security MisconfigurationA6Sensitive Data ExposureA7Missing Function Level Access ControlA8Cross-Site Request Forgery (CSRF)A9Using Components with Known Vulnerabilities A10Un-validated Redirects and Forwards▪What is it?-Untrusted data is sent to an interpreter-Headers-Cookies-command / query-{.. any other form of input ..}-Interpreter is tricked into executing unintended commands▪What all is susceptible?-SQL-SOAP-XML-{..Anything..}▪Why does it happen?-Use of interpreters doesn’t clearly separate untrusted data from commands-Lack of input validation▪How to prevent it?-Use APIs that provide parameterized/ sanitized interfaces-Validate input against whitelist-Escape special characters which you had to whitelist -DON’T use a blacklist#2 Broken Authentication & Session Management▪Weak Authentication logic▪Imperfect implementation▪Insufficient protection of session token▪Etc.#2 Broken Authentication & Session Management▪How to prevent it?▪Implement strong account management functions(e.g., account creation, login, change password, recover password, etc.)▪Consider having centralized authentication and session management APIs▪Use strong algorithms to generate (random) secrets▪Protect secrets throughout their lifecycle▪What is it?-Application takes untrusted data-Sends it to web browser without proper validation and encoding-Allows attackers to execute scripts in the victim’s browser-hijack user sessions-deface web sites-redirect user to malicious sites-etc.▪Types of XSS-Reflected-Stored#3 Reflected Cross-Site Scripting (XSS)▪Injected script is instantly reflected off the web server -error message-search result-any other response that includes some or all of the input sent▪Delivered via another route to the victim-email, other website, etc.#3 Stored Cross-Site Scripting (XSS)▪Injected script is permanently stored on target servers -Such as database▪Victim then retrieves malicious script from the server when he requests the stored information▪Example-Forums#3 Cross-Site Scripting (XSS)▪How to prevent XSS-Input validation-Context based output encodinghttps:///index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet -Content Security Policy ?▪Reference to internal implementation object is exposed▪ e.g., file, directory, database key, etc.▪Lack of access controls/ other protections▪Attackers can manipulate these references to access unauthorized data▪How to prevent it?▪Verify user is authorized to access the exact resource they have requested▪Enforce access control on both client side and server side.▪Can be anywhere in the tech stack-OS-web server-Database-Framework-etc.▪Collective effort between devs and Infrastructure engineering▪How to prevent it?-Security hardening throughout Application Stack-Unnecessary features enabled or installed?-Secure values not set?-Default accounts/ passwords still enabled or unchanged?-Overly informative error messages to users?-Software out of date?▪Client side-http headers,cache, error message or exceptions, ..▪In transit-Plain text http,SSL MITM, ..▪Server side-weak crypto/ keys/ hashes, insufficient DB protection, ..▪How to prevent it?-Determine which data needs to be protected and how much-Encrypt all sensitive data at rest and transit (internally & externally)-Don’t transfer data unnecessarily-Control access to sensitive data-Use strong crypto algorithm/ keys / passwords-Turn off autocomplete on forms and caching▪Making sure only the right people have access to the right functions ▪Functions may be called through such as-URL parameters-REST style URLs▪How to prevent it?-Hiding functionality from the UI won’t help-Server side Authentication and Access Control checks-Server side checks shouldn’t solely rely on information provided by client-Deny by default-Rate limiting?▪Attacker can formulate all HTTP parameters for a request▪Browsers send session cookies automatically▪Attacker tricks end user into executing unwanted actions on a web application in which he/she is currently authenticated▪Target: state changing functions▪How to prevent it?improve unpredictability such as-Unique random token-CAPTCHA- 2 factor confirmation, such as SMS▪There are OWASP libraries you can use e.g., CSRF Guard which provides various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML▪Application/Tech Stack uses vulnerable components -Frameworks-Libraries-Servers-OS-other components▪How to prevent it?-Keep a check on vulnerabilities that come out-CVE (https:///view/vuln/search)-Mailing lists-Regularly check vendor’s website, such ashttps:///security.html/security_report.htmlhttps:///news/vulnerabilities.htmlhttps:///en-us/library/security/dn610807.aspx -Upgrade vulnerable component#10 Unvalidated Redirects and Forwards▪Application takes input from user▪Uses it to formulate Redirect/ Forward location without input validation▪Attacker misuses this for malicious redirections/ forwarding#10 Unvalidated Redirects and Forwards▪How to prevent it?-Avoid using user input to determine destination URL -Whitelist allowed pages or external sites-Ensure URL is valid and authorized for the userTHANK YOUFor questions or suggestionsContact us via email:bsi@。
web安全知识点总结
web安全知识点总结⼀,解释什么是CSP为了让web应⽤程序分出哪些脚本是被第三⽅注⼊的,哪些脚本是程序⾃⾝的CSP定义了 Content-Security-Policy HTTP头但是现代浏览器已经通过前缀来提供了⽀持:Firefox使⽤x-Content-Security-Policy,WebKit使⽤X-WebKit-CSP。
未来会逐步过渡到统⼀的标准。
“none”:你可能期望不匹配任何内容“self”:与当前来源相同,但不包含⼦域“unsafe-inline”:允许内联Javascript和CSS“unsafe-eval”:允许⽂本到JS的机制例如eval⼆,什么是SSRF漏洞SSRF 服务端请求伪造存在的位置⽐如从指定URL地址获取⽹页⽂本内容,加载指定地址的图⽚,下载等等那么产⽣SSRF漏洞的环节在哪⾥呢?⽬标⽹站接受请求后在服务器端验证请求是否合法1)分享:通过URL地址分享⽹页内容2)转码服务3)在线翻译4)图⽚加载与下载:通过URL地址加载或下载图⽚5)图⽚、⽂章收藏功能6)未公开的api实现以及其他调⽤URL的功能7)从URL关键字中寻找PHP的常⽤实现1)php file_get_contents:2,php fsockopen():3,php curl_exec():读取本地⽂件file:///C:/Windows/win.ini探测内⽹应⽤三,session fixation漏洞⽤户登录前后的session_id没有变化则可能存在session fixation漏洞攻击者X先获取到⼀个未经认证的session_id ,将其发给⽤户Y认证,⽤户认证后服务器没有更新session_id的值,所以X可以凭借此session直接登录⽤户的账号四,phpcms两个漏洞1)getshellexp "info[content]": ""info[content] 为什么是content : content =》转到处理函数editor中php的处理函数preg_match_all("/(href|src)=([\"|']?)([^ \"'>]+\.($ext))\\2/i", $string, $matches)这⾥正则要求输⼊满⾜src/href=url.(gif|jpg|jpeg|bmp|png),我们的 payload ()符合这⼀格式(这也就是为什么后⾯要加.jpg的原因)。
OWASP Top 10 安全漏洞列表指南说明书
Who Needs OWASP? Create Your Own Top 10 ListIntroductionWhy is your vulnerability list so important?Follow these 4 steps to achieve your custom, comprehensive Top N list Step 1: Gather vulnerability dataStep 2: Normalize the vulnerability dataStep 3: Create a vulnerability frequency tableStep 4: Consider additional risk factorsMoving forward Page 3 Page 3 Page 3 Page 3 Page 4 Page 4 Page 4 Page 5IntroductionA list of critical web application security vulnerabilities is a necessary risk management tool.1 Equally true is that each organization has a different set of vulnerabilities plaguing their applications. To complete a trifectaof fundamental truths, crowdsourced lists such as the OWASP Top 10 rarely reflect an individual organization’s priorities. Given all that, many organizations continue to download the OWASP Top 10 and try to use it to guide their software security efforts. Since this likely won’t achieve the desired result, why not use it as inspiration to create your own evidence-based, customized list?This document guides you through the process of cataloging your firm’s most common web application security vulnerabilities. But, before identifying those vulnerabilities, we must answer one very important question. Why is your vulnerability list so important?Identifying the vulnerabilities most prevalent in your organization’s applications provides real data. Data that encourages your development and security teams to actively improve their skills and processes. However, creating a satisfactory Top N list requires more than simply sorting one day’s or one application’s bug data. Building a list from the results of code review, various security testing methods, and actual incidents experienced by your firm and/or industry allow you to craft a holistic vulnerability list. You’ll then be better prepared to drive change that reduces risk in your organization.Customize your own comprehensive Top N list in 4 stepsStep 1: Gather vulnerability dataTo understand what you’re up against, you’ll first need to gather web application vulnerability data for a given period. Go back as far as you can with the technologies you have. Six months of data should be a minimum benchmark. Obtaining such data is easier to gather if your firm tracks security bugs in a central repository.If no repository currently exists, identify sources that contain vulnerability data. Collect reports associated with these sources. Next, extract the vulnerabilities into a spreadsheet or another data store.1 By “critical” we mean “most undesirable.” By “vulnerabilities” we mean “vulnerability types,” not individual security defects.Step 2: Normalize the vulnerability dataNormalizing vulnerability data ensures that each vulnerability instance is only counted once per application. You don’t want one bug-filled application to skew your results. A step-by-step approach to achieve this involves the following steps:1. Remove all re-test data from the data set. If the first test identifies a vulnerability that is not fixed bythe time a re-test takes place, list the vulnerability only once.2. Correlate penetration testing, incident response, and code review findings to remove multiplevulnerability instances. The instances may have been identified using different methodologies even though the same bug caused them. For instance, a cross-site scripting (XSS) vulnerability could be discovered during source code review, exploited during penetration testing, and abused by a realattacker. You should still list this vulnerability only once.3. Normalize finding names. For instance, the findings identified as “Stored XSS on admin page”and “Stored XSS on help page” could be renamed to read “Stored XSS.” The granularity of nameidentification determines the results of your Top N list. Use your judgement to determine what works best for your organization.Combining and harmonizing results from many kinds of defect discovery methods results in a richer assessment data set. Thus, more accurately reflecting what might be present in production environments.Step 3: Create a vulnerability frequency tableUsing the normalized vulnerability data, create a frequency table to list the number of times a given vulnerability was identified. For example, unsafe use of user-supplied data was identified 100 times throughout 150 applications over the past six months. This frequency table can help predict the likelihood that similar applications have the same vulnerability.Again, simply sorting a day’s bug data by number of occurrences doesn’t produce a satisfactory Top N list. Data changes often due to different testers, tools, processes, and applications. A historical view is important. Even when you have good frequency data, the point is to enable good risk management decisions. That requires additional knowledge.Step 4: Consider additional risk factorsOnce you have vulnerability frequency data, add analysis for three important risk factors:1. Detectability. The likelihood an attacker can discover the vulnerability.2. Exploitability. The likelihood an attacker can exploit that vulnerability.3. Impact. The combined technical and business impact if the vulnerability is successfully exploited.For each vulnerability in your list, add a score for each risk factor on a scale from 1-3 (with 3 being the higher end of the scale).Determining values for these factors are often based on the discovery method of the vulnerabilities. For instance, a vulnerability exploited in the wild (e.g., originating from the incident response report) might merit a higher exploitability than a vulnerability discovered during code review. Likewise, a vulnerability detected during a penetration test likely merits a higher detectability than a vulnerability detected during code review. Don’t hesitate to make adjustments based on professional opinion. Network location (e.g., Internet-facing versus internal), architecture (e.g., mobile versus thick-client), and other such criteria may be useful when assigning risk factor values.Based on the scores from this exercise, you can prepare your Top N list. This list is now customized to fit your organization and its software portfolio. This is one of the most valuable tools your firm can have for software security risk management.Moving forwardYour organization’s software security group (SSG) should periodically update the list and publish a Most Wanted Report. This calls attention to the most vulnerable areas of your firm’s software and applications. Incorporate this list into internal training material.When shown organization-specific vulnerability data, developers are more likely to understand how the material is relevant to their work. They are also better prepared to know when and how to apply what they’ve learned from training.Your Top N list may also open the door to executive attention regarding your firm’s vulnerabilities. These questions will help your teams obtain the resources they need to close gaps and mature the existing software security strategy.Be sure to adapt your approach at regular intervals to keep your Top N list up-to-date. Don’t simply base your security program on a static list. Sample your own data and turn the results into a powerful risk management tool.Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.For more information, go to /software.Synopsys, Inc.185 Berry Street, Suite 6500San Francisco, CA 94107 USAContact us:U.S. Sales: 800.873.8193International Sales: +1 415.321.5237Email: *********************。
2013 WEB十大安全问题OWASPTOP10解读
WEB安全性测试1. WEB安全漏洞 (1)2. 常见的10种安全漏洞(OWASPTOP10) (1)2.1 注入 (1)2.2 失效的身份认证和会话管理 (2)2.3 跨站脚本(XSS) (4)2.4 直接引用不安全的对象 (5)2.5 安全配置错误 (6)2.6 敏感信息泄漏 (7)2.7 缺少功能级访问控制 (8)2.8 跨站请求伪造(CSRF) (9)2.9 使用含有已知漏洞的组件 (11)2.10 未验证的重定向和转发 (11)3. Top10 风险因素总结 (13)4. 如何进行验证测试 (13)4.1 代码审查 (13)4.2 安全测试 (13)5. 实际测试工作............................................................................................ 错误!未定义书签。
5.1 QA测试............................................................................................ 错误!未定义书签。
5.2 Local测试......................................................................................... 错误!未定义书签。
1. WEB安全漏洞通常是指由于WEB程序本身体系结构、设计方法、开发编码的缺陷而造成的安全漏洞.2. 常见的10种安全漏洞(OWASPTOP10)OWASP(开放Web应用安全项目组-OpenWebApplicationSecurityProject)每隔数年会更新10个最关键的Web应用安全问题清单,即OWASPTOP10。
2.1 注入2.1.1描述注入攻击漏洞往往是应用程序缺少对输入进行安全性检查所引起的。
OWASP Top 10 应用安全威胁防范白皮书说明书
WHITE PAPERMitigating Application Security Threats OWASP Top 10The Open Web Application Security Project (OWASP) Top 10 identifies a set of common web application security flaws and provides a powerful tool for raising awareness about web application security issues. Produced by a community of security experts from around the world, the OWASP Top 10 represents a broad consensus about the most critical web application security flaws that should be addressed as part of an overall web application security program.The OWASP Top 10 influences and informs a wide array of industry standards and requirements, including the Payment Card Industry (PCI) DSS standard and many government regulations. There are multiple approaches to mitigating against the OWASP Top 10, including secure coding practices and code reviews, but deployment of a web application firewall (WAF) remains the primary tool for addressing requirements that reference the OWASP Top 10.Updating the Top 10 ListThe OWASP team updates the Top 10 list periodically as the threat landscape changes, new technologies are leased, andthe tactics of threat actors evolve. In 2021, changes included introducing new categories, renaming some, and consolidatingWeb Application Security ChallengesWeb applications continue to be attractive targets to threat actors. Public-facing web apps must be exposed to theinternet to deliver the line-of-business tools that modern organizations require. Those web apps connect to backenddatabases that can touch some of our most sensitive data—customer information, credit card data, employee information,and more—making these applications a prime target for threat actors.According to the 2021 Verizon Data Breach Report (VDBR), Basic Web Application Attacks (defined as “simple webapplication attacks with a small number of steps/additional actions after the initial web application compromise”) wereinvolved in more than 20% of breaches.1 Attackers continue to probe for web application vulnerabilities, as documentedby FortiGuard Labs in Global Threat Landscape Reports Q1 2022. (See figure on the next page, Prevalence of top IPSdetections by technology during 2H 2021.)Public-facing web applications require a different approach to security. Unlike applications and services that can be securely walled off from direct internet access, web applications must allow access to function effectively. How do you define security policies to allow/block traffic to/from multiple applications, each consisting of hundreds and sometimes thousands of different elements (URLs, parameters, and cookies)? Manually creating different policies for each element is unrealistic and does not scale as the number of web applications and their complexity grows. Web applications also change frequently—on average, companies publish 25 software updates into production per application every month (see Cybersecurity Insider’s 2021 Application Security Report).2FortiWeb Web Application and API Security: A Multilayered ApproachFortiWeb’s positive security model, multilayer approach provides two key benefits: 1) superior threat detection and 2) improved operational efficiency. FortiWeb’s ability to detect anomalous behavior, using sophisticated two-layer machine learning relative to the specific application being protected, enables the solution to block unknown, never-before-seen exploits. This provides the best protection against zero-day attacks targeting your application.By creating a comprehensive security model of the application, FortiWeb can defend against a full range of known or unknown vulnerabilities, including SQL Injection, cross-site scripting, and other application layer attacks. Operationally, FortiWeb machine learning relieves you of time-consuming tasks, such as remediating false positives or manually tuning WAF rules. FortiWeb continually updates the model of your application as it evolves, enabling you to get your code into production faster by eliminating the need for time-consuming manual WAF rules tuning and troubleshooting the false positives that plague less advanced WAF solutions.The FortiWeb product line protects against known and zero-day attacks using both positive and negative security models. FortiWeb enables enterprises to protect against application-level attacks, combining analytics derived from FortiGuard Labs threat intelligence with advanced machine-learning capabilities. The analytics use advanced techniques to protect against SQL injection, cross-site scripting, and a range of other attacks, while FortiWeb’s machine learning models your application’s actual usage and looks for malicious anomalies.Figure 1: Prevalence of top IPS detections by technology during 2H 2021FortiWeb protects sensitive data while ensuring application availability, providing flexible and reliable security to address theOWASP Top 10 by utilizing a range of in-depth security modules and technologies. Sophisticated attacks are blocked using a multilayered security approach. Incorporating a positive and a negative security module based on bidirectional traffic analysis and an embedded, machine-learning, behavioral-based anomaly detection engine, FortiWeb protects against a broad range of threats without the need for network re-architecture and application changes.Backed by FortiGuard LabsFortiWeb includes a full application signature dictionary to protect against known application layer attacks and application logic attacks. A sophisticated engine scans both inbound and outbound traffic, matching elements with pre-defined known exploits. Also, the solution provides an enhanced flexible engine that allows customers to write their own signatures using a regular expression engine which provides the ability to create new and customized signatures for every application and vulnerability. FortiWeb’s signature dictionary is updated regularly and automatically via FortiGuard Labs, a security subscription service that delivers continuous, automated updates and offers dynamic protection based on the work of Fortinet’s Global Security Research Team, which researches and develops protection against known and potential security threats.ReportingFortiWeb includes visual reporting tools that provide a detailed analyses of attack sources, types, and other elements, mapping specific incidents to the OWASP Top 10 categories (see figure 2) and providing a summary dashboard of OWASP TOP 10 dashboard reports (see figure 3).Figure 2: OWASP Top 10 Threats dashboard elementFigure 3: FortiWeb Cloud example alert for A03:2021 injectionData Leak Prevention and Information DisclosureWith predefined and custom policies for masking sensitive data, customers can be assured that sensitive data logged by FortiWeb is protected from unauthorized access. An important part of the OWASP Top 10, sensitive data masking is a critical task. Even when access to the system is authorized, the data itself is masked and valuable sensitive information cannot be read. Customers can use the predefined policy and have the option to create their own custom policies to automatically mask additional fields in logs.OWASP Top 10 and FortiWeb MitigationsThe table below lists the OWASP Top 10 for 2021 and the corresponding FortiWeb mitigation techniques.SummaryThe OWASP Top 10 provides a great starting point for customers to assess their current application security posture and prioritize their risk mitigation priorities. Widely adopted by many standards organizations as a baseline security metric, the OWASP Top 10 helps organizations refine their focus on application security.FortiWeb delivers the OWASP Top 10 security you need, along with API discovery and protection, bot mitigation, and advanced threat detection.12021 DBIR Summary of Findings, Verizon.2Application Security Report, Cybersecurity Insiders, 2021. Copyright © 2022 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.June 24, 2022 3:11 PM。
OWASP发布十大Web应用安全风险
^ i 注入
一 ■ H
_ _ 矗Ⅲ
注入
Ⅱ- _
A 2 ^ 3 M
失 效 的身 份 认证和舍话蕾理 辟 皓●车 直接 孳 l 一 苇安全曲对■ 安全 ■譬强 t● 信^t■
A 5 ^ 6
安全配置■误 赣毫僖 囊鼍■
^ 7
^ e ^ 9 A 1 O
缺步功H 诲商控一
I B t  ̄ m采曲鼍 使 甩台青已知的一■量件 来■ 证的t皂■和#采 肆蛄请 采伪避 使用音 青已知的■一蛆件
( ) WA S P在 发 布 2 0 1 7年 1 ( ) 大 安全风险 后表示 , “ 在 过 去 的 四 年 . 技 术 与 应 用 正 住加 速 变 化 , OW A S P T o p 1 0的 排 名
失 鼓 的身份认证和舍话■理 —站 一车
OW A S P 多年 来经 历 了几次 迭 代 。 ( ) WA S P T o p 1 0的版 本
分别在 2 o 0 4年 、 2 o ( J 7 年、 2 0 l 0年 、 2 f I 1 3 年和 2 0 1 7年 发 布 从2 O l 3 到2 0 1 7年 发 生 了 哪些 变化 ?
有 在 灶 区 进 行 调 查 排 名 。这 实 际 上是 个 成 功 的 际 志 、删除 ‘ 跨站请求伪造 ’ 这个事实是 ( ) WA S P T o p I O 成 功 完 战 使 命
的 一 个信号。” 2 0 1 7 O WA S P T o p 1 0 威胁解读 :
计 算 机 与 网 络
日前 ,非 营 利 性 组 织 开 放 式 We b 应 用 安 全 项 目 ( OW A S P) 正式发布了十大最关键 的 We b应 用 安 全 风 险 。这
【OWASPTOP10】2021年常见web安全漏洞TOP10排行
【OWASPTOP10】2021年常见web安全漏洞TOP10排⾏【2021】常见web安全漏洞TOP10排⾏应⽤程序安全风险攻击者可以通过应⽤程序中许多的不同的路径⽅式去危害企业业务。
每种路径⽅法都代表了⼀种风险,这些风险都值得关注。
什么是 OWASP TOP 10OWASP(开放式Web应⽤程序安全项⽬)是⼀个开放的社区,由⾮营利组织 OWASP基⾦会⽀持的项⽬。
对所有致⼒于改进应⽤程序安全的⼈⼠开放,旨在提⾼对应⽤程序安全性的认识。
其最具权威的就是“10项最严重的Web 应⽤程序安全风险列表” ,总结并更新Web应⽤程序中最可能、最常见、最危险的⼗⼤漏洞,是开发、测试、服务、咨询⼈员应知应会的知识。
OWASP Top 10 2021 是全新的,具有新的图形设计和⼀页有⽤的信息图。
2021 年前 10 名发⽣了什么变化有三个新类别,四个类别的命名和范围发⽣了变化,并且 2021 年的前 10 名中进⾏了⼀些合并。
A01:2021-Broken Access Control 失效的访问控制从第五位上升;94% 的应⽤程序都经过了某种形式的破坏访问控制的测试。
映射到 Broken Access Control 的 34 个 CWE 在应⽤程序中出现的次数⽐任何其他类别都多。
A02:2021-Cryptographic Failures 加密失败上移⼀位⾄ #2,以前称为敏感数据泄露,这是⼴泛的症状⽽不是根本原因。
此处重新关注与密码学相关的漏洞,这些漏洞通常会导致敏感数据泄露或系统受损。
A03:2021-Injection 注⼊下滑到第三位。
94% 的应⽤程序都针对某种形式的注⼊进⾏了测试,映射到此类别的 33 个 CWE 在应⽤程序中的出现次数排名第⼆。
跨站点脚本攻击现在是此版本中此类别的⼀部分。
A04:2021-不安全的设计是2021 年的⼀个新类别,重点关注与设计缺陷相关的风险。
如果我们真的想作为⼀个⾏业“安全左移”,就需要更多地使⽤威胁建模、安全设计模式和原则以及参考架构。
OWASPTOP10漏洞详解以及防护方案
OWASPTOP10漏洞详解以及防护⽅案OWASP TOP 10 漏洞详解以及防护⽅案OWASP介绍官⽹:OWASP TOP10 指出了 WEB 应⽤⾯临最⼤风险的 10 类问题,是⽬前 WEB 应⽤安全⽅⾯最权威的项⽬。
OWASP 是⼀个开源的、⾮盈利全球性安全组织,致⼒于应⽤软件的安全研究。
OWASP 的使命是应⽤软件更加安全,使企业和组织能够对应⽤安全风险作出更清晰的决策。
⽬前OWASP 全球拥有 140 个分会近四万名员,共同推动了安全标准、安全测试⼯具、安全指导⼿册等应⽤安全技术的发展。
OWASP TOP 10A1:2017 注⼊A2:2017 失效的⾝份认证A3:2017 敏感数据泄露A4:2017 XML外部实体A5:2017 失效的访问控制A6:2017 安全配置错误A7:2017 跨站请求脚本(XSS)A8:2013 跨站请求伪造(CSRF)A8:2017 不安全的反序列化A9:2017 使⽤含有已知漏洞的组件A10:2017 不⾜的⽇志记录和监控A1 2017注⼊injection注⼊:⽤户的输⼊被当成命令/代码执⾏或者解析了将不受信⽤的数据作为命令或查询的⼀部分发送到解析器时,会产⽣诸如SQL注⼊、NoSQL注⼊、OS注⼊(操作系统命令)和LDAP()注⼊的注⼊缺陷。
攻击者的恶意数据可以诱使解析器在没有适当授权的情况下执⾏⾮预期命令或访问数据。
⽤户的输⼊并⾮固定位置,可能存在于:输⼊框搜索栏提交表单URL链接所有的GET/POST请求的请求头和请求包头留⾔评论⼏乎任何数据源都有可能成为注⼊载体,只要是能被发出的数据位置可被执⾏的代码:SQLLDAPXpath or NoSQL系统命令XML语⾔SMTP包头表达式语句ORM查询语句危害:该代码能做什么即是危害注⼊的分类通常的注⼊有sql注⼊和命令注⼊SQL注⼊攻击动态页⾯有时会通过脚本引擎将⽤户输⼊的参数按照预先设定的规则构造成SQL语句来进⾏数据库操作。
最新十大安全隐患OWASP_TOP10_2013
OWASP Top 10 2013 RC1最新十大安全隐患Web应用中十个最严重的安全风险重要声明: (2)关于OWASP (2)A1-注入 (3)我会对于注入脆弱么? (4)我如何阻止注射 (4)攻击场景例子 (4)A2-错误的认证和会话管理 (5)我对劫持攻击脆弱么? (5)我如何阻止这些东西? (5)攻击场景例子 (6)A3-跨站脚本 (6)我容易受XSS攻击么? (6)我如何阻止XSS攻击 (7)攻击案例 (7)A4-不正确的直接对象引用 (8)我容易收到攻击么? (8)如何阻止攻击? (8)攻击案例 (9)A5-安全配置错误 (9)我容易受攻击? (9)如何阻止这些? (10)攻击场景事例 (10)A-6 敏感数据暴露 (11)我容易受到数据的暴露吗? (11)我应该如何防止这些问题? (11)攻击情形事例: (12)A-7 缺少功能层面的访问控制 (12)我易受强制访问吗? (12)我应该如何防止暴力访问? (13)攻击情形事例 (13)A-8 伪造跨站请求 (14)我容易受到CSRF吗? (14)我如何防止CSRF? (14)攻击情形事例 (15)A-9 应用已知脆弱性的组件 (15)我受到了已知漏洞的影响了吗? (16)我该如何阻止? (16)攻击情形事例 (16)A-10 未验证的重定向和传递 (17)我受到了重定向的影响了吗? (17)我该如何阻止? (17)攻击情形事例 (18)重要声明:OWASP计划在2013年3月30号结束的公共评论周期后,在2013年4月或5月发布最终的OWASP Top10最新公众版本。
OWASP Top10最新版本的的发行标志着这个用来提升应用安全风险的意识的工程已经走过了10年。
这个版本沿用了2010版的风格,将集中精力关注风险、细化威胁、攻击、弱点、安全控制、技术影响和商业影响与每一个风险结合起来。
通过这种方式,我们相信通过考虑这10个风险,能让组织在他们的商业应用中找出最严重的风险。
最受欢迎的十大WEB应用安全评估系统
最受欢迎的十大WEB应用安全评估系统在国内一些网站上经常看到文章说某某WEB应用安全评估工具排名,但是很可惜,绝大多数都是国外人搞的,界面是英文,操作也不方便,那游侠就在这里综合下,列举下国内WEB安全评估人员常用的一些工具。
当然,毫无疑问的,几乎都是商业软件,并且为了描述更准确,游侠尽量摘取其官方网站的说明:1.IBM Rational AppScanIBM公司推出的IBM Rational AppScan产品是业界领先的应用安全测试工具,曾以Watchfire AppScan 的名称享誉业界。
Rational AppScan 可自动化Web 应用的安全漏洞评估工作,能扫描和检测所有常见的Web 应用安全漏洞,例如SQL 注入(SQL—injection)、跨站点脚本攻击(cross-site scripting)及缓冲溢出(buffer overflow)等方面安全漏洞的扫描。
游侠标注:AppScan不但可以对WEB进行安全评估,更重要的是导出的报表相当实用,也是国外产品中唯一可以导出中文报告的产品,并且可以生成各种法规遵从报告,如ISO 27001、OWASP 2007等。
2。
HP WebInspect目前,许多复杂的Web 应用程序全都基于新兴的Web 2。
0 技术,HP WebInspect 可以对这些应用程序执行Web 应用程序安全测试和评估。
HP WebInspect 可提供快速扫描功能、广泛的安全评估范围及准确的Web 应用程序安全扫描结果。
它可以识别很多传统扫描程序检测不到的安全漏洞。
利用创新的评估技术,例如同步扫描和审核(simultaneous crawl and audit,SCA)及并发应用程序扫描,您可以快速而准确地自动执行Web 应用程序安全测试和Web 服务安全测试。
主要功能:·利用创新的评估技术检查Web 服务及Web 应用程序的安全·自动执行Web 应用程序安全测试和评估·在整个生命周期中执行应用程序安全测试和协作·通过最先进的用户界面轻松运行交互式扫描·满足法律和规章符合性要求·利用高级工具(HP Security Toolkit)执行渗透测试·配置以支持任何Web 应用程序环境游侠标注:毫无疑问的,WebInspect的扫描速度相当让人满意。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
OWASP TOP 10-2010开放式Web应用程序安全项目(OWASP,Open Web Application Security Project)是一个组织,它提供有关计算机和互联网应用程序的公正、实际、有成本效益的信息。
其目的是协助个人、企业和机构来发现和使用可信赖软件。
OWASP发布了最新的Web应用脆弱性的top 10,这是继2007年OWASP对TOP10进行修订后进行的又一次更改,该版本暂定为OWASP TOP 10- 2010。
在新版本的OWASP TOP10中主要由以下变化:1. Top10的命名发生了变化。
原先的Top10全称为“The top 10 most critical web application security vulnerabilities”,即“Web应用的十大关键脆弱性”,现在Top10的全称为“The top 10 most critical web application security risks”,即“Web应用的十大关键风险”2. OWASP Top 10的风险评估方法此次Top 10的评估是依据OWASP的风险评估方法来对OWASP TOP10排序的。
3. 替换了2个风险此次Top 10与2007年的Top 10相比,在内容上去掉了“Malicious File Execution”(恶意文件执行)和“Information leakage and improper error handling”(信息泄露及不恰当的错误处理),增加了“Security misconfiguration”(错误安全配置)和“Unv alidated redirects and forwards”(未验证的重定向和传递)。
OWASP TOP10 2007 OWASP TOP10 2010A2-注入 A1-注入A1-跨站脚本(XSS) A2-跨站脚本(XSS)A7-错误的认证和会话管理 A3-错误的认证和会话管理A4-不正确的直接对象引用 A4-不正确的直接对象引用A5-伪造跨站请求(CSRF) A5-伪造跨站请求(CSRF)A6-安全性误配置A10-限制远程访问失败 A7-限制远程访问失败A8-未验证的重定向和传递A8-不安全的加密存储 A9-不安全的加密存储A9-不足的传输层保护 A10-不足的传输层保护A3-恶意文件执行A6-不安全的通讯OWASP风险评估方法OW ASP所选取的10大风险是依据OW ASP的风险评估方法,我们从标准的风险模型开始,即风险=可能性*后果,下面我们以以下步骤来说明某个风险的严重程度:第一步:识别风险识别风险作为评估的第一步,我们必须找到与这个风险相关的威胁、相应的攻击方法、隐含在里面的脆弱性以及最终可能造成的后果,当然可能存在多种攻击方法和多种后果,在评估时我们往往会采用最坏选择,这样就能更客观的反应该风险的最终评级;第二步:考虑影响可能性的因素通常,我们不可能很精准的说出某个风险的可能性数值,所以我们一般用高、中、低来表示,而且影响某个风险的可能性的因素有很多,对于每个因素我们用0到9的数值来表示。
类别因素分项分值威胁技能要求无需技能1需要一些技术3高级的计算机用户4需要网络和编程技术6安全渗透技术9成功攻击后攻击者的益处很低或无益1可能会有回报4高回报9所需资源或机会需要很大资源或高权限访问0需要特定的访问权限和特定的资源4需要一些访问权限和资源7无需权限或资源9所需的攻击者的角色开发者2系统管理员2内部用户4合作伙伴5认证用户6匿名Internet用户9脆弱性发现该弱点的难易度技术上不可行1困难3容易7可用自动化工具发现9利用该弱点的难易度只是理论上的1困难3容易5可用自动化工具实现9该弱点的流行度不为人知1隐藏4明显6公众皆知9入侵被察觉的可能性应用程序主动检测1记录日志并审核3记录日志未审核8无日志9第三步:考虑影响后果的因素在考虑攻击后果的时候,我们会考虑两种后果,一种是应用的“技术后果”,它所使用的数据,提供的功能等等,另一种就是它的“商业后果”,显然后者则更为重要,但往往后者难以估量,所以我们需要尽可能从技术上去考虑,进而来估计后者的数据。
类别因素分项分值技术后果保密性损失很少的非敏感的数据泄漏 2很少的敏感数据泄漏 6大量的非敏感数据泄漏 6大量的敏感数据泄漏9A1-注入注入往往是应用程序缺少对输入进行安全性检查所引起的,攻击者把一些包含指令的数据发送给解释器,解释器会把收到的数据转换成指令执行。
常见的注入包括SQL注入,OS Shell,LDAP,Xpath,Hibernate等等,而其中SQL注入尤为常见。
这种攻击所造成的后果往往很大,一般整个数据库的信息都能被读取或篡改,通过SQL注入,攻击者甚至能够获得更多的包括管理员的权限。
防范SQL注入——编程篇SQL注入往往是在程序员编写包含用户输入的动态数据库查询时产生的,但其实防范SQL注入的方法非常简单。
程序员只要a)不再写动态查询,或b)防止用户输入包含能够破坏查询逻辑的恶意SQL语句,就能够防范SQL注入。
在这篇文章中,我们将会说明一些非常简单的防止SQL注入的方法。
我们用以下Java代码作为示例:String query ="SELECT account_balance FROM user_data WHERE user_name ="+ request.getParameter("customerName");try { Statement statement = connection.createStatement( …); ResultSet results = Statement.executeQuery(query);}在以上代码中,我们可以看到并未对变量customerName做验证,customerName的值可以直接附在query语句的后面传送到数据库执行,则攻击者可以将任意的sql语句注入。
防范方法1:参数化查询参数化查询是所有开发人员在做数据库查询时首先需要学习的,参数化查询迫使所有开发者首先要定义好所有的SQL代码,然后再将每个参数逐个传入,这种编码风格就能够让数据库辨明代码和数据。
参数化查询能够确保攻击者无法改变查询的内容,在下面修正过的例子中,如果攻击者输入了UsrID是“’or ‘1 ‘=’1”,参数化查询会去查找一个完全满足名字为‘or ‘1 ‘=’ 1的用户。
对于不同编程语言,有一些不同的建议:Java EE——使用带绑定变量的PreparedStatement();.Net——使用带绑定变量的诸如SqlCommand()或OleDbCommand()的参数化查询;PHP——使用带强类型的参数化查询PDO(使用bindParam());Hibernate——使用带绑定变量的createQuery()。
Java示例:String custname = request.getParameter("customerName"); String query ="SELECT account_balance FROM user_data WHERE user_name= ?";PreparedStatement pstmt = connection.prepareStatement(query); Pstmt.setString1,custname();ResultSet results = pstmt.executeQuery();C# .Net示例:String query ="SELECT account_balance FROM user_data WHERE user_name = ?"; Try { OleDbCommand command = new OleDbCommand(query,connection);command.Parameters.Add(new OleDbParameter("customerName",CustomerName.Text));OleDbDataReader reader = command.ExecuteReader();} catch (OleDbException se){//error handling }防范方法二:存储过程存储过程和参数化查询的作用是一样的,唯一的不同在于存储过程是预先定义并存放在数据库中,从而被应用程序调用的。
Java存储过程示例:String custname = request.getParameter("customerName"); try { CallableStatement cs = connection.prepareCall("call sp_getAccountBalance(?)}");cs.setString(1,custname);Result results = cs.executeQuery(); }catch(SQLException se){ //error handling }VB .Net存储过程示例:TryDim command As SqlCommand = new SqlCommand("sp_getAccountBalance",connection) mandType = CommandType.StoredProcedure command.Parameters.Add(new SqlParameter("@CustomerName",CustomerName.Text)) Dim reader As SqlDataReader = command.ExecuteReader() ‘…Catch se As SqlException ‘error handling End Try防范方法三:对所有用户输入进行转义我们知道每个DBMS都有一个字符转义机制来告知DBMS输入的是数据而不是代码,如果我们将所有用户的输入都进行转义,那么DBMS就不会混淆数据和代码,也就不会出现SQL注入了。
当然,如果要采用这种方法,那么你就需要对所使用的数据库转义机制,也可以使用现存的诸如OWASP ESAPI的escaping routines。
ESAPI目前是基于MySQL和Oracle的转义机制的,使用起来也很方便。
一个Oracle的ESAPI的使用示例如下:ESAPI.encoder().encodeForSQL(new OracleCodec(),queryparam);那么,假设你有一个要访问Oracle数据库的动态查询代码如下:String query ="SELECT user_id FROM user_data WHERE user_name = ‘"+req.getParameter("userID")+"’ and user_password = ‘"+req.getParameter("pwd")+"’"; try { Statement statement = connection.createStatement(…);ResultSet results = statement.executeQuery(query) ; }那么,你就必须重写你的动态查询的第一行如下:Codec ORACLE_CODEC = new OracleCodec(); String query ="SELECT user_id FROM user_data WHERE user_name = ‘"+ ESAPI.encoder().encodeForSQL(ORACLE_CODEC,req.getParameter("userID"))+"’ and user_password = ‘"+ ESAPI.encoder().encodeForSQL(ORACLE_CODEC,req.getParameter("pwd"))+"’";当然,为了保证自己代码的可读性,我们也可以构建自己的OracleEncoder:Encoder e = new OracleEncoder(); String query ="SELECT user_id FROM user_data WHERE user_name = ‘"+ oe.encode(req.getParameter("userID")) +"’ and user_password = ‘"+ oe.encode(req.getParameter("pwd"))+"’";除了上面所说的三种防范方法以外,我们还建议可以用以下两种附加的方法来防范SQL 注入:最小权限法、输入验证白名单法。