Common security problems in web projects
Upload: veselin-nikolov
Transcript of Common security problems in web projects
@dzver
Automattic
WordPress.com
WordCamp Sofia
1.
2. XSS
3. XSRF
4. SQL Injection
>30% .
http://readwrite.com/2009/12/16/rockyou_hacker_30_of_sites_store_plain_text_passwords
... .
1. : ...SET pass='$pass'
   : md5( $pass )
   : crypt , .
2. + md5: md5( $user . $password );
   Rainbow tables
   Google attacks (Tonimir - @kisasondi)
3. md5: md5( $user_id )
4. debugs:
   error_log( print_r( $_POST ) )
   wp_mail( ..., ..., print_r( $_POST ) )
md5( $password );
XSS
:
http://myproject.com/index.php?name=alert(1);
XSS
login cookies
Deface,
XSS
vs
XSS
WordPress:
- esc_html (~htmlspecialchars)
- esc_url
- esc_attr (~htmlspecialchars)
- esc_js
XSS
:
1. output
2.
3.
4.
XSS
var a = ''
XSS
var a = ''
$a = '; alert(7) //;
XSS
http://h43z.blogspot.com/2012/06/phps-jsonencode-and-xss.html
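The broken JavaScript string from the slides above, as an added example that is not part of the original talk: the slide's own payload is rendered into a script block first unescaped and then through json_encode() with the JSON_HEX_* flags, which is the plain-PHP counterpart I am substituting for the esc_js() the slides list for this context.

```php
<?php
// Added example, not from the slides: rendering a user-controlled value into a
// JavaScript string literal inside a <script> block.

// Vulnerable pattern from the slide: the value is concatenated straight into
// the script, so a value containing a quote ends the string literal early and
// whatever follows it is executed as code.
function render_unescaped(string $value): string
{
    return "var a = '" . $value . "';";
}

// JS-context escaping. json_encode() yields a valid JS string literal, and the
// JSON_HEX_* flags additionally encode < > & ' " as \uXXXX, so neither the
// string literal nor an enclosing <script> element can be closed early.
// (The slides list WordPress's esc_js() for this context; json_encode() with
// these flags is the plain-PHP equivalent used here.)
function render_js_escaped(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "var a = " . json_encode($value, $flags) . ";";
}

// Constructed inputs: the slide's payload, plus a variant that tries to close
// the surrounding <script> element instead of the string literal.
$inputs = [
    "'; alert(7) //",
    "</script><script>alert(7)</script>",
];

foreach ($inputs as $a) {
    // Unescaped: the quote in $a terminates the literal and the rest is code.
    echo "unescaped:  ", render_unescaped($a), "\n";
    // Escaped: one inert string; quotes, slashes and angle brackets are encoded.
    echo "js-escaped: ", render_js_escaped($a), "\n\n";
}
```

Run it with `php` on the command line and compare the two lines per input: the escaped form is always a single string assignment, which is what the slide's "output escaping per context" rule is about.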
XSS
esc_* :