Ways I can protect my site excluding XSS and SQL injection?
Question
So, members of my website can post topics, replies, comments, edit them and so on. I always use htmlspecialchars and addslashes for HTML inputs to protect my site against XSS and SQL injection attacks. Is it enough, or is there something more I am missing?
Thanks.
Answer
There is a lot that can go wrong with a web application. Other than XSS and SQLi, there is:
- CSRF - Cross Site Request Forgery
- LFI/RFI - Local File Include/Remote File Include caused by include(), require() ...
- CRLF injection in mail()
- Global Variable Namespace Poisoning commonly caused by register_globals, extract(), import_request_variables()
- Directory Traversal: fopen(), file_get_contents(), file_put_contents()
- Remote Code Execution with eval() or preg_replace() with /e
- Remote Code Execution with passthru(), exec(), system() and ``
There is a whole family of vulnerabilities regarding Broken Authentication and Session Management which is a part of the OWASP Top 10 that every web app programmer must read.
A Study In Scarlet is a good black paper that goes over many of these vulnerabilities that I have listed.
However, there are also strange vulnerabilities like this one in Wordpress. The definitive authority on what is a vulnerability is the CWE system which classifies HUNDREDS of vulnerabilities, many of which can affect web applications.
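As an added illustration, not code from the original answer, here is how two of the classes listed above are commonly mitigated in PHP: a directory-traversal guard that confines file_get_contents() to one base directory, and a per-session CSRF token for state-changing requests. The base directory, the session key name and the form field name are assumptions.

```php
<?php
// Added example, not from the original answer. Shows defensive patterns for
// two of the vulnerability classes in the list above.

// --- Directory traversal: confine file_get_contents() to a base directory ---
// $baseDir is an assumed location, e.g. '/var/www/uploads'.
function readUserFile(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // realpath() resolves "..", symlinks, and returns false when the path
    // does not exist, so a crafted name cannot escape by string tricks alone.
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return null;
    }
    // Accept only resolved paths that are strictly inside the base directory.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

// --- CSRF: tie state-changing requests to a secret only the session knows ---
// Session key 'csrf_token' is an assumed name.
function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time to avoid timing leaks.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/* Usage (field name "csrf_token" is assumed): echo csrfToken(), escaped with
   htmlspecialchars(), into a hidden form field; on POST, reject the request
   with HTTP 403 unless csrfTokenIsValid($_POST['csrf_token'] ?? null). */
```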