Lunski's Clutter

This is a place to put my clutters, no matter you like it or not, welcome here.


OWASP

Open Web Application Security Project top 10.

Attack: 4

  • XSS: Cross-site scripting, injecting client-side scripts into web pages that are viewed by other users.
  • CSRF: Cross-Site Request Forgery, forces an authenticated user's browser to submit a request to a web application.
  • Injection Attack:
    • SQL Injection (attacker-controlled input is executed as SQL, e.g. to run administration operations on the database)
    • Command Injection (the attacker's malicious input is mistaken for operating system instructions)
  • User uploads dangerous files

APT(Advanced Persistent Threat)

Invade, Lurk, Steal

Leak: 4


  • Developer leaks a private URL
  • Developer leaks a URL parameter
  • Developer leaks the backend structure (AI)
  • User leaks an access token

Not encrypted: 2


  • Data is not encrypted in storage (at rest)
  • Data is not encrypted while transferred over the Internet (in transit)

Symmetric encryption algorithm (DES/Triple DES, AES)

Both the transmitter and the receiver use the same key for encryption and decryption.

The shared key has to be distributed first, so it is easy for a middleman to intercept and copy.

Asymmetric encryption algorithm (RSA)

Encrypt with the public key and decrypt with the private key, or vice versa.

There is a public key and a private key; the public key can be widely released and circulated.

How to confirm that the message is really sent by the sender?

Digital Signature (hash with MD5, SHA-1)

Use your own private key to sign the hash of the encrypted message.

MD5 can't resist collision attacks.

SHA-2
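How the question above ("is the message really from the sender?") is answered by a signature: the sender signs a hash of the message with the private key, and anyone holding the public key can verify it. This is an added example, not code from the original post; it uses toy RSA with constructed small primes (`P`, `Q`) and SHA-256 so the arithmetic is readable, and is for illustration only.

```python
# Added example (not from the original post): toy RSA signature over a SHA-256
# digest. Signing uses the PRIVATE key; verifying needs only the PUBLIC key, so
# a receiver can confirm who sent the message and that it was not altered.
# Key size is deliberately tiny and the primes are constructed constants.
import hashlib
from math import gcd

# Constructed toy primes (assumption: small so the numbers are readable).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                      # common public exponent
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)            # may be published freely
PRIVATE_KEY = (N, D)           # stays with the sender only


def digest_int(message: bytes) -> int:
    """SHA-256 of the message, reduced into the RSA group (toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sender: signature = hash^d mod n. Only the private-key holder can do this."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Receiver: recompute the hash and check that hash == signature^e mod n."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


if __name__ == "__main__":
    msg = b"transfer 100 to alice"           # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                  # True: genuine, unmodified
    print(verify(b"transfer 900 to alice", sig))  # False: message altered
```

Real implementations use keys of 2048 bits or more and a padding scheme such as RSA-PSS; the SHA-256 step is also where a collision-prone hash like MD5 would let two different messages share one valid signature.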


If you found this article great, please don't hesitate to give it a like (゚∀゚)
