PHP - 安全性最好的方法是什么? [英] PHP - Security what is best way?

问题描述

保护使用 PHP 开发的 Intranet 网站免受外部攻击的最佳方法是什么?

What is the best way to secure an intranet website developed using PHP from outside attacks?

推荐答案

这是一个非常发人深省的问题，我很惊讶您没有得到更好的答案.

That's a stunningly thought-provoking question, and I'm surprised that you haven't received better answers.

您为面向外部的应用程序所做的一切，然后是一些.

Everything you would do for an external-facing application, and then some.

如果我对您的理解正确，那么您提出的问题很少会问自己.大多数公司的纵深防御都很差，一旦攻击者进入，他就会进入.很明显，你想把它提升一个层次.

If I'm understanding you correctly, then you are asking a question which very few developers are asking themselves. Most companies have poor defence in depth, and once an attacker is in, he's in. Clearly you want to take it up a level.

那么，我们在考虑什么样的攻击?
如果我是攻击者并且我正在攻击您的 Intranet 应用程序，那么我必须以某种方式访问​​您的网络.这可能并不像听起来那么困难 - 我可能会尝试鱼叉式网络钓鱼(将电子邮件定位到您组织中的个人，包含恶意软件附件或指向安装恶意软件的站点的链接)以在内部机器上安装木马.

So, what kind of attack are we thinking about?
If I'm the attacker and I'm attacking your intranet application, then I must have got access to your network somehow. This may not be as difficult as it sounds - I might try spearphishing (targetting email to individuals in your organisation, containing either malware attachements or links to sites which install malware) to get a trojan installed on an internal machine.

完成此操作(并控制内部 PC)后，我将尝试针对任何 Internet 应用程序尝试的所有攻击.

Once I've done this (and got control of an internal PC), I'll try all the same attacks I would try against any internet application.

然而，这并不是故事的结局.我有更多选择:如果我有您用户的一台 PC，那么我很可能可以使用键盘记录器来收集用户名和密码，以及查看您所有电子邮件中的姓名和电话号码.
有了这些，我就可以直接登录您的应用程序了.我什至可以学习管理员用户名/密码.即使我没有，一份姓名和电话号码列表以及对公司行话的感觉让我有机会通过社会工程进入贵公司的更广泛访问.

However, that's not the end of the story. I've got more options: if I've got one of your user's PCs, then I might well be able to use a keylogger to gather usernames and passwords, as well as watching all your email for names and phone numbers.
Armed with these, I may be able to log into your application directly. I may even learn an admin username/password. Even if I don't, a list of names and phone numbers along with a feel for company lingo gives me a decent shot at socially engineering my way into wider access within your company.

• 首先，在所有技术解决方案之前:在安全方面培训您的用户

保护网络应用程序的常见答案:

The common answers to securing a web app:

• 使用多重身份验证
  • 例如用户名/密码和某种伪随机数小工具.
  • 防止跨站点脚本和 SQL 注入.
  • 设置起来很麻烦(实际上正在改进)，但它可以提高安全性.
  • 换句话说，通过确保所有用户只拥有他们完成工作所需的权限(而不是其他人的工作)，您可以确保他们具有绝对最低限度的破坏能力.

  这篇关于PHP - 安全性最好的方法是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！