Website security

什么是網(wǎng)站安全？

互聯(lián)網(wǎng)是一個(gè)危險(xiǎn)的地方！ 我們非常規(guī)律地聽說由于拒絕服務(wù)攻擊或在其主頁上顯示修改(和經(jīng)常損壞)的信息，網(wǎng)站不可用。 在其他高調(diào)案例中，數(shù)百萬個(gè)密碼，電子郵件地址和信用卡詳細(xì)信息已泄漏到公共領(lǐng)域，從而使網(wǎng)站用戶面臨個(gè)人尷尬和財(cái)務(wù)風(fēng)險(xiǎn)。

網(wǎng)站安全的目的是防止這些(或任何)類型的攻擊。 更正式地，網(wǎng)站安全是保護(hù)網(wǎng)站免受未經(jīng)授權(quán)的訪問，使用，修改，破壞或中斷的行為/實(shí)踐。

有效的網(wǎng)站安全性需要整個(gè)網(wǎng)站的設(shè)計(jì)工作:在您的Web應(yīng)用程序中，在Web服務(wù)器的配置中，在您的策略中創(chuàng)建和更新密碼，以及在客戶端代碼。 雖然這一切聽起來很不祥，但好消息是，如果你使用的是服務(wù)器端的網(wǎng)絡(luò)框架，它幾乎肯定已經(jīng)啟用了健壯和周密的防御機(jī)制來對抗一些更常見的攻擊"默認(rèn) "。 可以通過Web服務(wù)器配置減輕其他攻擊，例如啟用HTTPS。 最后，有公共可用的漏洞掃描程序工具，可以幫助你找出是否你犯了任何明顯的錯(cuò)誤。

本文的其余部分提供了有關(guān)一些常見威脅的更多詳細(xì)信息，以及您可以采取的一些簡單步驟來保護(hù)您的網(wǎng)站。

網(wǎng)站安全威脅

本節(jié)列出了幾個(gè)最常見的網(wǎng)站威脅以及如何緩解這些威脅。 在閱讀時(shí)，請注意，當(dāng)Web應(yīng)用程序信任或?qū)g覽器發(fā)送的數(shù)據(jù)不夠偏執(zhí)時(shí)，威脅是如何成功的！

跨站腳本(XSS)

XSS是用于描述允許攻擊者通過網(wǎng)站將客戶端腳本注入到其他用戶的瀏覽器中的一類攻擊的術(shù)語。 由于注入的代碼從站點(diǎn)到瀏覽器是可信的，因此可以進(jìn)行諸如將用戶的站點(diǎn)授權(quán)cookie發(fā)送給攻擊者的事情。 一旦攻擊者有cookie，他們可以登錄到一個(gè)網(wǎng)站，就像他們是用戶，并做任何用戶可以。 根據(jù)網(wǎng)站的不同，這可能包括訪問其信用卡詳細(xì)信息，查看聯(lián)系方式，更改密碼等。

有兩種主要方法讓網(wǎng)站將注入的腳本返回到瀏覽器 - 這些被稱為反映的 和持久性 XSS漏洞。

• A reflected XSS vulnerability occurs when user content that is passed to the server is returned immediately and unmodified for display in the browser — any scripts in the original user content will be run when the new page is loaded!
  For example, consider a site search function where the search terms are encoded as URL parameters, and these terms are displayed along with the results. An attacker can construct a search link containing a malicious script as a parameter (e.g. http://mysite.com?q=beer<script%20src="http://evilsite.com/tricky.js" rel="external nofollow" ></script>) and email it to another user. If the target user clicks this "interesting link", the script will be executed when the search results are?displayed. As discussed above, this gives the?attacker all the information they need?to enter the site as the target user?— potentially making purchases as the user or sharing their contact information.
• A persistent XSS vulnerability is one where the malicious script is stored by the website and then later redisplayed unmodified for other users to unwittingly execute.
  For example, a discussion board that accepts comments containing unmodified HTML could store a?malicious script from an attacker. When the comments are displayed the script is executed and can then send the attacker information required to access the user's account. This sort of attack is extremely popular and powerful, because the attacker doesn't have to have any direct engagement with the victims.
  
  While POST or GET data is the most common source of XSS vulnerabilities, any data from the browser is potentially vulnerable (including?cookie data rendered by the browser, or user files that are uploaded and displayed).

對XSS漏洞的最好防御是刪除或禁用任何可能包含運(yùn)行代碼的指令的標(biāo)記。 對于HTML，包括< script> ，< object> ，< embed> ，< link> 。

SQL注入

SQL注入漏洞使惡意用戶可以在數(shù)據(jù)庫上執(zhí)行任意SQL代碼，從而允許無論用戶權(quán)限如何訪問，修改或刪除數(shù)據(jù)。 成功的注入攻擊可能欺騙身份，創(chuàng)建具有管理權(quán)限的新身份，訪問服務(wù)器上的所有數(shù)據(jù)，或銷毀/修改數(shù)據(jù)以使其不可用。

如果傳遞給基礎(chǔ)SQL語句的用戶輸入可能更改語句的含義，則會(huì)出現(xiàn)此漏洞。 例如，考慮下面的代碼，用于列出從HTML表單提供的具有特定名稱( userName )的所有用戶:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

如果用戶輸入真實(shí)姓名，這將按預(yù)期工作。 但是，惡意用戶可以通過為 userName 指定"粗體"文本，將此SQL語句的行為完全更改為以下新語句。 修改語句創(chuàng)建一個(gè)有效的SQL語句，刪除 users 表，并從 userinfo 表中選擇所有數(shù)據(jù)(顯示每個(gè)用戶的信息)。 這是因?yàn)樽⑷氲奈谋镜牡谝徊糠? a\'; )完成原始語句(\'是在SQL中分隔字符串文字的符號)。

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

避免此類攻擊的方法是確保傳遞到SQL查詢的任何用戶數(shù)據(jù)不會(huì)更改查詢的性質(zhì)。 要實(shí)現(xiàn)此目的，一種方法是對用戶輸入中具有特殊含義的所有字符轉(zhuǎn)義 SQL。

在下面的語句中，我們轉(zhuǎn)義了\'字符。 SQL現(xiàn)在會(huì)將該名稱解釋為以粗體顯示的整個(gè)字符串(確實(shí)是一個(gè)非常奇怪的名稱，但不是有害的！)

SELECT * FROM users WHERE name = 'a\';DROP TABLE users; SELECT * FROM userinfo WHERE \'t\' = \'t';

Web框架通常會(huì)為您處理這種轉(zhuǎn)義。 例如，Django確保傳遞到查詢集(模型查詢)的任何用戶數(shù)據(jù)都被轉(zhuǎn)義。

跨站點(diǎn)請求偽造(CSRF)

CSRF攻擊允許惡意用戶在沒有該用戶的知識或同意的情況下使用另一用戶的憑證來執(zhí)行動(dòng)作。

這種類型的攻擊最好由例子解釋。 John是一位惡意用戶，他知道某個(gè)網(wǎng)站允許已登錄的用戶使用包含帳戶名稱和金額的HTTP POST 請求將款項(xiàng)匯入指定的帳戶。 John構(gòu)建了一個(gè)表單，其中包含其銀行詳細(xì)信息和一筆金額作為隱藏字段，并通過電子郵件將其發(fā)送給其他網(wǎng)站用戶(將提交按鈕偽裝為"快速致富"網(wǎng)站的鏈接) 。

如果用戶點(diǎn)擊提交按鈕，系統(tǒng)會(huì)向服務(wù)器發(fā)送HTTP POST 請求，其中包含交易詳情和瀏覽器與網(wǎng)站相關(guān)聯(lián)的任何客戶端Cookie ( 將相關(guān)網(wǎng)站Cookie添加到請求是瀏覽器的正常行為)。 服務(wù)器將檢查cookie，并使用它們來確定用戶是否登錄并且有權(quán)進(jìn)行事務(wù)。

結(jié)果是，當(dāng)用戶在登錄到交易站點(diǎn)時(shí)點(diǎn)擊提交按鈕的將進(jìn)行交易。 約翰變得富有！

防止這種類型的攻擊的一種方式是服務(wù)器要求 POST 請求包括用戶特定的網(wǎng)站生成的秘密(該秘密將由服務(wù)器在發(fā)送用于制作的網(wǎng)絡(luò)表單時(shí)提供 轉(zhuǎn)移)。 這種方法阻止John創(chuàng)建自己的表單，因?yàn)樗仨氈婪?wù)器為用戶提供的秘密。 即使他發(fā)現(xiàn)了秘密并為特定用戶創(chuàng)建了一個(gè)表單，他也不能再使用該表單來攻擊每個(gè)用戶。

Web框架通常包括這樣的CSRF預(yù)防機(jī)制。

其他威脅

其他常見的攻擊/漏洞包括:

• Clickjacking. In this attack a malicious user hijacks clicks meant for a visible top level site and routes them to a hidden page beneath. This technique might be used, for example, to display a legitimate bank site but capture the login credentials into an invisible <iframe> controlled by the attacker. It could alternatively be used to get the user to click a button on a visible site, but in doing so actually unwittingly click a completely different button. As a defence your site can prevent itself from being embedded in an iframe in another site by setting appropriate HTTP headers.
• Denial of Service (DoS). DoS is usually achieved by flooding a target site with spurious requests so that access to a site is disrupted for legitimate users. The requests may simply be numerous, or they may individually consume large amounts of resource (e.g. slow reads, uploading of large files, etc.) DoS defences usually work by identifying and blocking "bad" traffic while allowing legitimate messages through. These defences are typically within or before the web server (they are not part of the web application itself).
• Directory Traversal/File and disclosure. In this type of attack a malicious user attempts to access parts of the web server file system that they should not be able to access. This vulnerability occurs when the user is able to pass filenames that include file system navigation characters (e.g. ../../). The solution is to sanitize input before using it.
• File Inclusion. In this attack a user is able to specify an "unintended" file for display or execution in data passed to the server. Once loaded this file might be executed on the web server or in the client-side (leading to an XSS attack). The solution is to sanitize input before using it.
• Command Injection. Command injection attacks allow a malicious user to execute arbitrary system commands on the host operating system. The solution is to sanitize user input before it might be used in system calls.

還有更多。 有關(guān)完整的列表，請參閱類別:Web安全漏洞(維基百科)和 external">類別:攻擊(打開Web應(yīng)用程序安全項(xiàng)目)。

一些關(guān)鍵消息

當(dāng)Web應(yīng)用程序從瀏覽器信任數(shù)據(jù)時(shí)，前面幾節(jié)中的幾乎所有漏洞都會(huì)成功。 無論您為提高網(wǎng)站安全性做了什么，您都應(yīng)該清理所有用戶發(fā)起的數(shù)據(jù)，然后在瀏覽器中顯示，在SQL查詢中使用，或傳遞到操作系統(tǒng)或文件系統(tǒng)調(diào)用。

您可以采取的其他一些具體步驟有:

• Use more effective password management. Encourage strong passwords that are changed regularly. Consider two-factor authentication for your site, so that in addition to a password the user must enter another authentication code (usually one that is delivered via some physical hardware that only the user will have, such as a code in an SMS sent to their phone).
• Configure your web server to use HTTPS and HTTP Strict Transport Security (HSTS). HTTPS encrypts data sent between your client and server. This ensures that login credentials, cookies, POST data and header information are all much less available to attackers.
• Keep track of the most popular threats (the current OWASP list is here) and address the most common vulnerabilities first.
• Use vulnerability scanning tools to peform automated security testing on your site (later on, your very successful website may also find bugs by offering a bug bounty like Mozilla does here).
• Only store and display data that you need to. For example, if your users must store sensitive information like credit card details, only display enough of the card number that it can be identified by the user, and not enough that it can be copied by an attacker and used on another site. The most common pattern these days is to only display the last 4 digits of a credit card number.

Web框架可以幫助減輕許多更常見的漏洞。

概要

本文已解釋了網(wǎng)絡(luò)安全的概念，以及您的網(wǎng)站應(yīng)該嘗試保護(hù)的一些更常見的威脅。 最重要的是，您應(yīng)該明白，Web應(yīng)用程序不能信任來自Web瀏覽器的任何數(shù)據(jù)！ 所有用戶數(shù)據(jù)應(yīng)在顯示之前進(jìn)行清理，或在SQL查詢或文件系統(tǒng)調(diào)用中使用。

這是此模塊的結(jié)束，涵蓋您在服務(wù)器端網(wǎng)站編程中的第一步。 我們希望您喜歡學(xué)習(xí)基本概念，現(xiàn)在您可以選擇一個(gè)Web框架并開始編程。