黑客攻击和利用 - 您如何处理发现的任何安全漏洞? [英] Hacking and exploiting - How do you deal with any security holes you find?
问题描述
今天,在线安全是一个非常重要的因素.许多企业完全基于在线,并且有大量敏感数据可供仅使用您的网络浏览器查看.
Today online security is a very important factor. Many businesses are completely based online, and there is tons of sensitive data available to check out only by using your web browser.
寻求知识来保护我自己的应用程序 我发现我经常测试其他应用程序的漏洞和安全漏洞,也许只是出于好奇.随着我通过测试自己的应用程序、阅读零日漏洞利用以及阅读Web 应用程序黑客手册:发现和利用安全漏洞,我开始意识到大多数在线 Web 应用程序确实暴露在许多安全漏洞中.
Seeking knowledge to secure my own applications I've found that I'm often testing others applications for exploits and security holes, maybe just for curiosity. As my knowledge on this field has expanded by testing on own applications, reading zero day exploits and by reading the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, I've come to realize that a majority of online web applications are really exposed to a lot of security holes.
那你怎么办?我无意破坏或毁坏任何东西,但我在黑客攻击方面最大的突破"我决定提醒页面的管理员.我的询问立即被忽略,安全漏洞尚未修复.为什么他们不想修复它?多久才能有心怀不轨的人闯入旅馆并选择摧毁一切?
So what do you do? I'm in no interest of destroying or ruining anything, but my biggest "break through" on hacking I decided to alert the administrators of the page. My inquiry was promptly ignored, and the security hole has yet not been fixed. Why wouldn't they wanna fix it? How long will it be before someone with bad intentions break inn and choose to destroy everything?
我想知道为什么现在没有更多地关注这一点,我认为在实际提供测试 Web 应用程序的安全漏洞方面会有很多商机.是只有我有太大的好奇心还是有其他人有同样的经历?在挪威,实际尝试闯入网页是会受到法律惩罚的,即使您只是查看源代码并在那里找到隐藏密码",然后使用它进行登录,您也已经触犯法律了.
I wonder why there's not more focus on this these days, and I would think there would be plenty of business opportunities in actually offering to test web applications for security flaws. Is it just me who have a too big curiosity or is there anyone else out there who experience the same? It is punishable by law in Norway to actually try break into a web page, even if you just check the source code and find the "hidden password" there, use it for login, you're already breaking the law.
推荐答案
我发现我经常测试其他应用程序的漏洞和安全漏洞,也许只是出于好奇".
"Ive found that Im often testing others applications for exploits and security holes, maybe just for curiosity".
在英国,我们有计算机滥用法案".现在,如果众所周知,您正在查看"的这些应用程序是基于 Internet 的,并且 ISP 的相关人员可能会费心去调查(纯粹出于政治动机),那么您就是在敞开心扉接受指责.除非你是 BBC,否则即使是最轻微的测试"也足以让你在这里被定罪.
In the UK, we have the "Computer Misuse Act". Now if these applications you're proverbially "looking at" are say Internet based and the ISP's concerned can be bothered to investigate (for purely political motivations) then you're opening yourself up getting fingered. Even doing the slightest "testing" unlesss you are the BBC is sufficient to get you convicted here.
即使是渗透测试机构也需要希望从事正式工作以为其系统提供安全保证的公司签字.
Even Penetration Test houses require Sign Off from companies who wish to undertake formal work to provide security assurance on their systems.
为了对报告漏洞的难度设定预期,我曾与实际雇主进行过这样的讨论,其中提出了一些非常严重的问题,人们已经坐了几个月,从品牌损害之类到甚至完全关闭运营以提供支持每年 1 亿英镑的电子商务环境.
To set expectations on the difficulty in reporting vulnerabilties, I have had this with actual employers where some pretty serious stuff has been raised and people have sat on it for months from the likes of brand damage to even completely shutting down operations to support an annual £100m E-Com environment.
这篇关于黑客攻击和利用 - 您如何处理发现的任何安全漏洞?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
