测试Web应用程序中的安全漏洞:最佳做法? [英] Testing for security vulnerabilities in web applications: Best practices?

问题描述

我正在开发一个Web应用程序.就像是一个合适的人，我过去曾经使用过诸如Joomla之类的东西来制作很棒的东西，但现在终于有了PHP，MySQL和CodeIgniter的手.

I'm developing a web application. Like, a proper one, I've used things like Joomla in the past to make awesome stuff but have now finally got my hands dirty with PHP, MySQL and CodeIgniter.

当您制作能够处理大量数据的严肃的Web应用程序时，我应该采取什么预防措施来彻底清除数据输入中的数据?我知道这里有明显的修饰，转义，xss清理等-但是我还应该结合其他哪些技术来停止注入数据库?

When you're making serious web apps that'll handle large amounts of data, what precautions should I take against my data inputs to fully sanitise it? I know there's the obvious trim, escaping, xss cleaning, etc - but what other techniques should I incorporate to stop injections into the database?

不仅如此，还有什么非破坏性的数据库注入代码可用来测试我的所有输入?像这样，它将注入一些可见的东西，但实际上对我的测试数据库没有任何危害吗?我不是一个真正的黑客，因此需要一些指导.

Not only that, but is there any non-destructive database injection code I can test all my inputs with? As in, it'll inject something visibile, but not actually do any harm to my test database? I'm not exactly a hacker and need a bit of guidance on this.

黑客还使用其他哪些常用方法来销毁或读取用户的数据，我该如何自己检查呢?我年仅16岁，但没有足够的钱来聘请安全顾问，但我在计算机方面拥有丰富的经验，而且我敢肯定，如果能给出一些提示，我可以借鉴一些技巧.

What other common methods do hackers use to either destroy or read user's data, and how can I check for this myself? I don't have the money to hire a security consultant since I'm only 16 but have good experience with computers and I'm sure I could pull off a few tricks if given some hints as to what they are.

我知道这是一大堆问题，但总而言之，您要怎么做才能确保所有内容都是100％安全的?

I know that's a whole load of questions but to summarise, what do you do to make sure everything is 100% secure?

推荐答案

SQL注入和XSS是程序员最常见的错误.好消息是，只要您拥有合适的软件，它们最容易自动测试.当我进行笔试时，我使用 Sitewatch 或 Wapiti 来查找Web应用程序漏洞. Acunetix价格过高.

SQL Injection and XSS are the most common mistakes that programmers make. The good news is that they are easiest to automatically test for, as long as you have the right software. When I am on a pentest I use Sitewatch or Wapiti for finding web application vulnerabilities. Acunetix is over priced.

但是，您不能只是解雇一些自动化工具并期望一切正常.您选择的 ANY 漏洞扫描程序必须采取多种预防措施.

But, you can't just fire off some automated tool and expect everything to work. There are a number of precautions you must take with ANY vulnerability scanner you choose.

1)确保php.ini中的display_errors = On SQL注入测试依赖于能够在响应页面中看到mysql错误消息！没有错误，没有检测到漏洞！

1) make sure display_errors=On in your php.ini Sql Injection tests rely on being able to see mysql error messages in the response pages! No error, no vulnerability detected!

2)扫描应用程序中已通过身份验证的区域.创建一个专门用于测试的用户帐户. Acuentix有一个简单的向导，您可以在其中创建登录序列.如果您使用的是wapiti，则可以为wapiti提供一个cookie或为wapiti发出启动后发出的启动请求，但这有点棘手.

2) Scan the authenticated areas of your application. Create a user account specifically for testing. Acuentix has an easy wizard where you can create a login sequence. If you are using wapiti you can give a cookie to wapiti or give wapiti a post request to fire off but this is kind of tricky.

之后，您已经测试了应用程序，然后测试服务器是否配置错误. 要测试您的服务器，则需要运行 OpenVAS ，它是Nessus的新的更免费的版本，现已成为商业版.产品.然后，您应该使用 PhpSecInfo 进行后续操作.这些测试将通知您配置问题或运行的旧漏洞软件.

AFTER you have tested your application then test your server for misconfiguration. To test your server then you need to run OpenVAS which is the new more free version of Nessus which is now a commercial product. Then you should follow this up with PhpSecInfo. These tests will notify you of problems with your configuration or if you are running old vulnerable software.

永远是没有100％安全的.不管您做什么，都会存在一些漏洞，尽管这些漏洞会不断蔓延.所有开发平台中都有一些漏洞，这些漏洞导致无法使用任何工具进行测试的折衷方案.您使用的测试工具中还存在一些错误.有错误的帖子和错误的否定词，还有一些不起作用的测试，这是一个很好的例子，我从未见过能真正发现合法漏洞的自动CSRF工具. Acunetix的CSRF测试完全浪费时间.

Nothing will ever be 100% secure, EVER. No matter what you do there are vulnerabilities that will slip though the cracks. There are vulnerabilities in all development platforms that lead a compromises that no tool can test for. There are also bugs in the testing tools you use. There are false posties and false negatives and some tests that just don't work, a good example i have never seen an automated CSRF tool that actually finds legit vulnerabilities. Acunetix's CSRF test is a complete waste of time.

还有 OWASP测试指南，其中有更详细的说明.请勿将此与 OWASP Top 10 混淆.也是极好的资源.对于PHP程序员来说， PHP安全指南也是一个很好的资源.

There is also the OWASP testing guide which goes into greater detail. This is not to be confused with the OWASP Top 10 which is also an excellent resource. The PHP Security Guide is also a great resource for php programmers.

这篇关于测试Web应用程序中的安全漏洞:最佳做法?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！