Training - USTC web security technology courseware

1 Course Introduction

1 Basics

1.1 Introduction

1.2 A brief history of the web

1.3 Same-origin policy

1.4 HTTP and cookies

2 web client security

2.1 owasp top ten

2.2 xss and csrf

2.3 clickjacking

2.4 Browser and extension security

2.5 Web client tracking

2.6 Case analysis series

3. Web server-side security

3.1 SQL injection

3.2 File upload

3.3 File inclusion

3.4 Identity and access control

3.5 Case study

4. Web security practice

4.1 Web security CTF (mid-term assessment)

4.2 Web CTF (not part of the assessment)

4.3 Sharing of outstanding major coursework

4.4 Course review

4.5 Exam Q & A

 

1.1 Introduction

1.1.1 Network Security Situation

1.1.2 web security architecture

1.1.1 Network Security Situation

1.1.1.1 Internet penetration, illustrated by the size and growth rate of the Internet user base

Some suggestions for writing the final report:

1. A summary report seen in a Douyin (TikTok) video was quite interesting; see that Douyin account.

1.1.1.2 On the mobile side: the size and growth rate of mobile Internet users

1.1.1.3 By application: instant messaging, search engines, online news, online video, food delivery, online education, forums/BBS, online banking, online stock and fund trading, live-streaming services, online government services

1.1.1.4 The Turkish coup attempt: on July 15, 2016, part of the Turkish military launched a coup in the capital Ankara and the largest city, Istanbul, seizing broadcast stations and networks.

The other side's response: Erdogan spoke to the public via FaceTime.

1.1.1.5 Network security threats

2004: worms and viruses; 2017: spyware/bots; 2011: advanced persistent threats, zero-days, targeted attacks; dynamic trojans, stealthy bots

Characteristics: more diverse and harder to defend against

1.1.1.6 Number of APT reports

Peaked in 2014 and declined afterwards

1.1.1.7 Aurora

Time: January 12, 2010. Incident: Google's Gmail service came under attack from China.

Steps:

1. Reconnaissance: searching the Internet for what Google employees had posted on Facebook, Twitter and other social networks

2. The attackers set up their own web server for the attack

3. The attackers sent links to Google employees; clicking them triggered an overflow in the IE browser, running shellcode that downloaded and executed further code remotely

4. A secure tunnel was established with the victim over an SSL connection for continuous monitoring, obtaining Google employees' account and password information

Result: the Google mail server was successfully attacked

1.1.1.8 APT1

The security firm Mandiant reported that over six years it tracked the traces of attacks on 141 organisations and concluded that the group organising and carrying out the attacks operated from a 12-storey building in Pudong, Shanghai, belonging to PLA Unit 61398

APT1 information:

1. The intrusion targets are mostly in English-speaking countries

2. Of 1905 attacks surveyed, 95% of the initiating IP addresses were registered in Shanghai and the systems used Simplified Chinese

3. Personas: uglygorilla / dota / supperhard

1.1.1.9 Snowden

Time: June 2013

1.1.1.10 NSA toolset leak

On August 13, 2016, the Shadow Brokers hacker group released a statement claiming to have obtained a set of intrusion tools used by the Equation Group hackers

Toolset overview, download and use

1.1.1.11 APT trends

Global: mainly targeting government and energy. China: government and research institutes

1.1.1.12 The APT research report released by 360

1.1.1.13 APT cases aimed at China

Maha grass, Eye of Sauron, Sea Lotus

 

1.1.2 web security architecture

1.1.2.1 The cyberspace security theory system

The security theory system consists of a basic theory system, a technical theory system and an application theory system

Basic theory: cryptography and cyberspace theory. Cryptography: symmetric encryption, public-key encryption, cryptanalysis, side-channel analysis. Cyberspace theory: security architecture, big-data analytics, adversarial game theory, etc.

Technical theory: system security theory and technology (chip security, operating system security, database security, middleware security); network security theory and technology (communications security / Internet security, network confrontation, network security management)

Application theory: e-commerce security, e-government security, IoT security, cloud computing security

 

1.1.2.2 Password security

A puzzle: a young man courting a girl was told she would agree to a date only once he had decrypted a password through five rounds; the four decryption steps all rely on things people use every day.

Puzzle (image):

Enlarged (image):

Morse code (image):

Decoded from the Morse code:

4194418141634192622374

Written in pairs:

41 94 41 81 41 63 41 92 62 23 74

Observations: 1. 41 keeps recurring; 2. the units digits are all 1-4; 3. except when the tens digit is 7 or 9, the units digit is never 4

This matches the 26 letters of the alphabet on a mobile phone keypad, where only keys 7 and 9 carry four letters

Mobile phone keypad input: 41 stands for G; key 4 carries GHI and the first letter is G

Decoding in order:

G Z G T G O G X N C S

Mapping through the keyboard (each letter's position in QWERTY order is read as an index into the alphabet):

Decrypts to: O T O E O I O U Y V L

Written with the first 6 letters on one line and the remaining 5 on the next:

O T O E O I

O U Y V L

Rearranged by reading the columns top to bottom:

O O T U O Y E V O L I

In reverse order:

I L O V E Y O U T O O

1.1.2.3 APT targeted attacks

Spear phishing: as in the Gmail attack above; after obtaining some information about the target, attack through a phishing site set up for the purpose

Watering hole: set up, or break into, a web server and insert malicious code; victims who visit the site execute it, e.g. stored XSS

1.1.2.4 Web development languages

.NET, Java, PHP, ASP, ColdFusion, Perl, Python, JSP

1.1.2.5 OWASP Top 10

The 2013 edition: 1. injection; 2. broken authentication and session management; 3. cross-site scripting; 4. insecure direct object references; 5. security misconfiguration; 6. sensitive data exposure; 7. missing function-level access control; 8. cross-site request forgery; 9. using components with known vulnerabilities; 10. unvalidated redirects and forwards

1.1.2.5 Distribution of hacking activity over time

1.1.2.6 Major data leaks of 2015

1.1.2.7 Information security low points of 2016

1. Dropbox leaked user information

2. Last.fm leaked user information

3. LeakedSource statistics on the most foolish user passwords:

123456/password/lastfm/123456789/qwerty/abc123/abcdefg/12345/1234/music

1.1.2.8 Process of exploiting dumped databases (拖库)

1.1.2.8 Information disclosure and online fraud

1.1.2.9 The division of labour in online fraud

1.1.2.10 Breaking into a teacher's account to obtain exam papers

1. Using a telephone voice system to crack the phone of 360 chairman Zhou Hongyi

2. How the papers were obtained, by breaking into the teacher's mailbox, without modifying the grades

1.1.2.11 Exploit lifecycle

1.1.2.12 Vulnerability examples

1. DedeCMS: a SQL injection vulnerability in the /plus/recommend.php page

2. The WooYun (乌云) incident

1.1.2.13 Browser market share

Market share of the Chrome, IE, Firefox, Safari and Edge browsers

 

2. A brief history of web development

2.1 A brief history of web development

 

3. Same-origin policy

3.1 Browser: the browser kernel (rendering engine) and browser security

3.2 Same-origin policy: two pages are same-origin when protocol, host and port all match; same-origin pages may access each other

DOM same-origin policy

1. Restrictions between documents from different sources

2. <script>, <img>, <iframe> and <link> are not restricted by the same-origin policy (they may load cross-origin resources)

3. JavaScript may not freely operate on the DOM of pages from another domain

4. Interaction between parent and child <iframe> pages is bound by the same-origin policy

5. An external JS file included with <script> takes the origin of the current page
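The origin comparison described in 3.2, as an added example that is not part of the course notes: a function that extracts the (scheme, host, port) tuple a browser compares, with default ports filled in so that an explicit ":80" is not mistaken for a different origin, run over a constructed set of URL pairs showing which differences break same-origin. The URLs are made up for illustration.

```javascript
// Added example: how the same-origin policy decides whether two URLs share an
// origin. Only scheme, host and port count; path, query and fragment do not.

// Default ports, so "http://example.com" and "http://example.com:80" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Returns the origin tuple the same-origin policy compares.
function originOf(urlString) {
  const u = new URL(urlString);           // WHATWG URL parser, built into Node
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed URL pairs (example.com is a placeholder domain).
const CASES = [
  ["http://example.com/a", "http://example.com/b/c?x=1"], // only path/query differ: same origin
  ["http://example.com", "http://example.com:80"],          // explicit default port: same origin
  ["http://example.com", "https://example.com"],            // scheme differs: different origin
  ["http://example.com", "http://www.example.com"],         // host (subdomain) differs
  ["http://example.com", "http://example.com:8080"],        // port differs
];

function evaluateCases() {
  return CASES.map(([a, b]) => ({ a, b, sameOrigin: isSameOrigin(a, b) }));
}

console.table(evaluateCases());
```

The first two pairs are the ones developers most often get wrong when hand-rolling origin checks (comparing whole URLs, or comparing port strings without normalising the default); a script loaded cross-origin via <script>, as item 5 says, is not subject to this comparison at all and runs with the including page's origin.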

4. HTTP and cookies

1. Overview

2. Historical background

3. Workflow: position in the protocol stack, operating mode; a typical exchange: 1. three-way handshake - send request - respond to the request - repeat - four-way wave (teardown)

Request packet format

4. HTTP security issues: the classic attacks exploit that data is transmitted in the clear and that there is no identity verification

4.1 Sniffing and man-in-the-middle attacks

4.2 Tools: mitmproxy / mitmdump / Burp Suite

4.3 The difficulty is how to get a malicious device into the communication link:

Wireless network monitoring, ARP spoofing on the local network, malicious hijacking / phishing devices, DNS hijacking

5. HTTPS protocol

5.1 Historical background and workflow

5.2 Key points: use a certificate to confirm the site's identity; distribute a symmetric key on the basis of asymmetric keys; then communicate with the symmetric key

5.3 RSA asymmetric encryption: public and private keys

Digital certificate trust chain: certificate - CA -

5.4 Browser root certificates

5.5 Shortcomings of HTTPS

1. Security still has minor flaws

2. Performance and speed

3. Cost

6. Cookies

6.1 Historical background

6.2 Workflow: persistent cookies and in-memory (session) cookies

The three stages of a cookie: generation, setting, use

Cookie attributes: domain, path, expires, secure, httponly

Security policy: cookie same-origin rules

Cookie theft: HTTP transmits cookies in the clear; they can also be stolen by script via XSS

Cookie guessing: simply constructed cookies can be brute-forced

Privacy disclosure: cookies that store private information


Origin www.cnblogs.com/qzdlp/p/12101694.html