TABLE OF CONTENTS
2.2. Broken Authentication and Session Management ... 11
2.3. Insecure Direct Object References ... 13
2.4. Cross Site Request Forgery ... 15
2.5. Security Misconfiguration ... 15
2.6. Insecure Cryptographic Storage ... 16
2.7. Failure to Restrict URL Access ... 16
2.8. Insufficient Transport Layer Protection ... 17
2.9. Unvalidated Redirects and Forwards ... 18
2.10. Local Attack ... 19
2.10.4. Prevention ... 23
2.11. Denial of Service ... 25
2.11.1. DOS ... 25
2.11.2. DDOS (Distributed Denial of Service) ... 30
2.12.2. SQL Injection ... 33
2.12.4. SQL Injection prevention ... 37
Phishing ... 41
2.14.5. Man in the middle attacks ... 43
- The website vulnerabilities studied: Cross Site Scripting, SQL Injection, Broken Authentication and Session Management, Insecure Direct Object References, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, Unvalidated Redirects and Forwards, Phishing, Local Attack, Autocomplete, DOS.
A. WEBSITE

1.1.

1.1.1. World Wide Web
The World Wide Web was created by Tim Berners-Lee.

Website
A website is a collection of web pages (web pages) containing text, images, video, flash, ... that usually lives under one domain name (domain name) or subdomain (subdomain). The website is stored (web hosting) on a web server that is reachable over the internet.

A dynamic website (Dynamic website) is a website backed by a database and supplied with a management tool (admin tool) for updating its content; it is written in server-side languages such as ASP.NET, JSP, ... with a database such as MYSQL, ... A static website has no database and no content management tool; its pages are edited directly with tools such as Frontpage, Dreamweaver, ... Later generations of websites include web 2.0 and web office.

Domain name (domain): the address at which the website is reached, with extensions such as .com, .net, .biz, .info, ...

Hosting (host): the server space on which the website is stored, measured in MB, with a monthly data transfer limit measured in MB/month.
1.1.2. Web applications
Today many websites are web applications, for example Google Documents and web email. Unlike a desktop application, which is installed on the user's computer, a web application runs in the browser and is delivered over the web.
1.2.

1.2.1.
Sources cited in this section are Kaspersky, Radware (Carl ...) and Forrester (John ...); Mr. Lewis is cited on the attack on a Baltic bank site. The bank sites named as attacked include Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, ... Compromised web hosting (hosting) is used to spread viruses, and botnets (networks of "robots") are used to carry out the attacks.
1.2.2.
Microsoft reports on compromised websites: of the malicious code (malware) found, ... was due to Trojans or rootkits and 30% to viruses and worms. An attacked website loses its content, and its owner loses business and reputation; attacks on the web are difficult to trace back.
Frequency of vulnerabilities found in websites:
- Broken Authentication (6...): brute-force attacks on the login.
- Broken Access Control
- SQL Injection
- Logic flaws
- Cross Site Scripting (94%)
- Information Leakage
- Cross Site Request Forgery (92%)

The attacks on web applications covered in this chapter:
- SQL Injection
- Cross Site Scripting
- Broken Authentication and Session Management
- Cross Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Direct Object References
- Insecure Cryptographic Storage
- Failure to Restrict URL Access.
- Insufficient Transport Layer Protection.
2.2. Broken Authentication and Session Management
2.2.1. Introduction
Broken Authentication and Session Management covers flaws in how a web application authenticates users and manages their sessions.
2.2.2.
- Threat agents
2.2.3.
2.2.4. Prevention
2.3. Insecure Direct Object References
2.3.1. Introduction
The snippet reproduces the OWASP Top 10 2010 example for this item: the application uses unverified data from the request in a SQL call that accesses account information.

String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ...);
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();

The parameter is bound with a prepared statement, so this is not SQL injection. The attacker simply changes the "acct" parameter in the browser to any account number and reads that account, because nothing checks that the account belongs to the logged-in user.
2.3.2.
- Threat agents: any user of the web application who can change a parameter value.
- The application exposes a reference to an internal object (a file, a directory, a database key) and does not check whether the user is authorized for that object.
2.3.3.
- The attacker manipulates the parameter to access data belonging to other users.
2.3.4. Prevention
- Check access: every use of a direct object reference from an untrusted source must verify that the user is authorized for that object.
- Use indirect object references per user or session, so that the real key is never exposed to the client.
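The account lookup of 2.3.1 beside the two fixes for it, as an added Python example that is not part of the thesis (the thesis snippet is Java; the logic is the same). The in-memory accts table, the users alice and bob and the request dictionaries are constructed for the demonstration; a real application would take session_user from its session store.

```python
"""Added example: Insecure Direct Object Reference in an account lookup,
with the two OWASP mitigations (access check, indirect references).
The table, users and request dicts below are constructed for the demo."""
import secrets
import sqlite3

# Constructed sample data: two accounts owned by two different users.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accts (account TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
conn.executemany("INSERT INTO accts VALUES (?, ?, ?)",
                 [("1001", "alice", 500), ("1002", "bob", 9000)])


def lookup_vulnerable(request):
    """Same logic as the thesis snippet: the parameter is bound safely (no
    SQL injection), but any caller reads any account by changing 'acct'."""
    query = "SELECT account, owner, balance FROM accts WHERE account = ?"
    return conn.execute(query, (request["acct"],)).fetchone()


def lookup_with_ownership_check(request):
    """Mitigation 1: the reference is checked against the logged-in user.
    'session_user' comes from the server-side session, never from the URL."""
    query = ("SELECT account, owner, balance FROM accts "
             "WHERE account = ? AND owner = ?")
    row = conn.execute(query, (request["acct"], request["session_user"])).fetchone()
    if row is None:
        raise PermissionError("account not found or not owned by caller")
    return row


class IndirectReferenceMap:
    """Mitigation 2: per-session indirect references. The client only ever
    sees random tokens; the mapping to real keys stays on the server."""

    def __init__(self):
        self._token_to_key = {}

    def reference(self, real_key):
        token = secrets.token_urlsafe(16)
        self._token_to_key[token] = real_key
        return token

    def resolve(self, token):
        try:
            return self._token_to_key[token]
        except KeyError:
            raise PermissionError("unknown or tampered reference") from None


def lookup_with_indirect_map(request, ref_map):
    """Resolve the opaque token from the request to the real key, then query."""
    real_key = ref_map.resolve(request["acct_ref"])
    query = "SELECT account, owner, balance FROM accts WHERE account = ?"
    return conn.execute(query, (real_key,)).fetchone()


if __name__ == "__main__":
    # Bob tampers with 'acct' to read Alice's account.
    print(lookup_vulnerable({"acct": "1001", "session_user": "bob"}))   # leaks alice's row
    try:
        lookup_with_ownership_check({"acct": "1001", "session_user": "bob"})
    except PermissionError as e:
        print("blocked:", e)
    ref_map = IndirectReferenceMap()
    token = ref_map.reference("1002")       # token placed in Bob's own page
    print(lookup_with_indirect_map({"acct_ref": token}, ref_map))
```

The ownership check is the cheaper fix and works for any existing schema; the indirect map additionally hides the key space, so an attacker cannot enumerate account numbers at all. Both rely on the user identity coming from the session, not from the request.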
2.4. Cross Site Request Forgery
A CSRF attack makes the victim's browser send a forged request to a web application in which the victim is logged in. Because the browser attaches the session cookie to that request automatically, the web application cannot tell the forged request from one the victim made on purpose.
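The synchronizer-token defence against the attack just described, as an added Python example that is not code from the thesis. The session store, the request dictionaries and the transfer form are constructed stand-ins for what a web framework would provide.

```python
"""Added example: synchronizer token against CSRF. SESSIONS, the form and
the request dicts are constructed for the demo."""
import hmac
import secrets

SESSIONS = {}   # constructed stand-in for a server-side session store


def start_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The token is embedded in our own form. A page on another site cannot
    read it, because the same-origin policy stops it reading our HTML."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def handle_transfer(request):
    """request = {'cookies': {...}, 'form': {...}}.
    The browser attaches the session cookie to a forged request by itself;
    the token it cannot attach, so the forged request fails the check."""
    sid = request["cookies"].get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison: token bytes cannot be guessed one at a time.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    sid = start_session()
    token = SESSIONS[sid]["csrf_token"]
    # Forged request from an attacker page: cookie is sent, token is unknown.
    print(handle_transfer({"cookies": {"session": sid},
                           "form": {"to": "mallory", "amount": "1000"}}))
    # Legitimate submission of our own form.
    print(handle_transfer({"cookies": {"session": sid},
                           "form": {"to": "bob", "amount": "10",
                                    "csrf_token": token}}))
```

The token must be unpredictable and bound to the session; checking the Referer header alone is not enough, since it is often stripped by proxies and privacy settings.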
2.5. Security Misconfiguration
2.6. Insecure Cryptographic Storage
2.7. Failure to Restrict URL Access
Example: the attacker browses directly to pages that should require authentication, such as the following 2 URLs ending in getappInfo.
2.8. Insufficient Transport Layer Protection
2.8.1.
The web application sends the session cookie over an unencrypted connection, so the session identifier can be captured on the network and the session taken over.
2.8.2.
- Traffic between the browser and the web application is not encrypted, or is encrypted only for the login page.
- On an untrusted network the web connection is not safe: anyone on the path can read the session cookie and the data exchanged.
- A website that mixes secure and insecure pages leaks the session cookie on the insecure ones.
2.8.3. Prevention
- Use Secure Socket Layer (SSL) for every page of the web application, not only for login.
- Mark the session cookie as secure so that the browser never sends it over an unencrypted connection.
- Do not load content for a secure page from insecure sources or from other sites.
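The two cookie-side measures of 2.8.3 in code, as an added Python example that is not from the thesis: a session cookie that only travels over TLS, and a check of a response's headers for the weaknesses this section describes. The response headers WEAK_HEADERS and HARDENED_HEADERS are constructed samples.

```python
"""Added example: Secure/HttpOnly session cookie and a transport-layer audit
of response headers. The header samples are constructed."""
from http.cookies import SimpleCookie


def session_cookie_header(session_id, max_age=1800):
    """Set-Cookie value for the session cookie.
    Secure: never sent over plain http, so a sniffer sees no session id.
    HttpOnly: not readable by script, which limits theft through XSS.
    SameSite=Strict: not attached to cross-site requests."""
    c = SimpleCookie()
    c["session"] = session_id
    m = c["session"]
    m["secure"] = True
    m["httponly"] = True
    m["samesite"] = "Strict"
    m["max-age"] = max_age
    m["path"] = "/"
    return m.OutputString()


def audit_response(headers):
    """headers: list of (name, value) pairs from an HTTPS response.
    Returns the transport-layer findings a reviewer would raise."""
    findings = []
    names = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("missing Strict-Transport-Security: browser may fall back to http://")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        for key, morsel in cookie.items():
            # Flag attributes are True when present, "" when absent.
            if not morsel["secure"]:
                findings.append(f"cookie {key} lacks the Secure flag")
            if not morsel["httponly"]:
                findings.append(f"cookie {key} lacks the HttpOnly flag")
    return findings


# Constructed sample: what a misconfigured JSP application might send.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=7F3A9C2B; Path=/"),
]

# Constructed sample: the same response after applying the fixes.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", session_cookie_header("7F3A9C2B")),
]

if __name__ == "__main__":
    print(session_cookie_header("7F3A9C2B"))
    for finding in audit_response(WEAK_HEADERS):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_HEADERS) or "no findings")
```

The Secure flag only helps when the whole site is served over TLS; if a single page is still plain http, the browser simply will not send the cookie there and the user is logged out, which is the symptom that usually reveals mixed deployments. HSTS closes the remaining gap of the first request being typed as http://.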
2.9. Unvalidated Redirects and Forwards
2.9.1.
The web application has a page "redirect.jsp" that takes the destination from a request parameter and redirects the user there without validation. An attacker builds a link to this page that sends the victim to a website of the attacker's choosing.
2.9.2.
- Threat agents: anyone who can get a user to click a link, since the link points at the trusted web application.
- The web application redirects or forwards to a destination taken from user input.
- The victim trusts the link because it starts with the legitimate site's address.
- The attacker uses the redirect for phishing or for delivering malware.
2.9.3. Prevention
- Avoid redirects and forwards; where they are needed, do not take the destination from user input, or check it against a list of allowed destinations.
- Show the user where they are being sent before leaving the site.
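Validating the destination parameter of a redirect.jsp-style page against an allowlist, as an added Python example that is not from the thesis. The allowed host name www.example.com and the test inputs are constructed; the checks go beyond the text by covering the protocol-relative, backslash and userinfo tricks that defeat a naive "starts with our domain" test.

```python
"""Added example: allowlist validation of a redirect target.
ALLOWED_HOSTS is a hypothetical value for the application's own hosts."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.example.com"}   # hypothetical: this application's host names
DEFAULT_TARGET = "/"


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a destination that stays on our site, or DEFAULT_TARGET.

    Accepted: a site-relative path such as /account/home, or an absolute
    http(s) URL whose host is in allowed_hosts on the default port.
    Everything else (other schemes, other hosts, //host, backslashes,
    user@host tricks, control characters) falls back to the default."""
    if not isinstance(url, str) or not url:
        return DEFAULT_TARGET
    # Browsers strip control characters and treat "\" like "/" (WHATWG URL
    # parsing) while urlsplit does neither: refuse such input, do not guess.
    if "\\" in url or any(ord(ch) < 0x20 or ch.isspace() for ch in url):
        return DEFAULT_TARGET
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative reference. "//evil.example" never reaches this branch
        # because urlsplit reads it as a netloc; require a leading "/".
        if not parts.path.startswith("/"):
            return DEFAULT_TARGET
        return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    try:
        port = parts.port          # ValueError for a non-numeric port
    except ValueError:
        return DEFAULT_TARGET
    # hostname excludes userinfo and is lowercased, so
    # https://www.example.com@evil.example/ yields "evil.example" here.
    host = parts.hostname or ""
    if host not in allowed_hosts or port not in (None, 80, 443):
        return DEFAULT_TARGET
    return url


if __name__ == "__main__":
    # Constructed inputs: what a redirect.jsp?url=... parameter might carry.
    for candidate in ["/account/home",
                      "https://www.example.com/logout?x=1",
                      "//evil.example/",
                      "https://www.example.com@evil.example/",
                      "https://evil.example\\@www.example.com/",
                      "javascript:alert(1)",
                      "https://www.example.com:8443/"]:
        print(f"{candidate!r:48} -> {safe_redirect_target(candidate)!r}")
```

Falling back to a fixed page rather than raising an error keeps the login flow working when the parameter is tampered with, which is what the OWASP guidance on this item aims for. The strictest variant is to accept only a short numeric index into a server-side table of destinations, which needs no parsing at all.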
2.10. Local Attack
2.10.1.
Local Attack is an attack on a website launched from another website hosted on the same server (local): the attacker owns or has compromised a site on the shared host and uses it to reach the files of the target site. From a script or shell on their own site, the attacker reads the target site's files, such as the admin directory and the index page.

Steps of a Local attack:
- Find the target's config file.
- Collect information from it (database credentials, admin accounts).
- Crack the obtained password hashes.
2.10.2.
- Websites on shared hosting are exposed to local attack from every other website on the same server.
- The attacker first needs a website on that server, either their own or one they have already broken into.
- The attacker uploads a webshell to that website and runs the shell from there to read the other websites' files.
- With PHP safe mode enabled, the shell is restricted in which files it can open.