web安全复习笔记

EXAMPAPER(1)DataIntegrityIntegrityisviolatedwhenamessageisactivelymodifiedintransit.Informationsecuritysystemstypicallyprovidemessageintegrityinadditiontodataconfidentiality(2)InformationSecurityAuditAninformationsecurityauditisanauditonthelevelofinformationsecurityinanorganization(3)PKIPKIprovideswell-conceivedinfrastructurestodeliversecurityservicesinanefficientandunifiedstyle.PKIisalong-termsolutionthatcanbeusedtoprovidealargespectrumofsecurityprotection.(4)X.509TheITU-TrecommendationX.509definesadirectoryservicethatmaintainsadatabaseofinformationaboutusersfortheprovisionofauthenticationservices...(5)Denial-of-ServiceAttackDoS(DenialofService)isanattemptbyattackerstomakeacomputerresourceunavailabletoitsintendedusers.(6)SOA(Service-OrientedArchitecture)isasetofprinciplesandmethodologiesfordesigninganddevelopingsoftwareintheformofinteroperableservices.Theseservicesarewell-definedbusinessfunctionalitiesthatarebuiltassoftwarecomponents(discretepiecesofcodeand/ordatastructures)thatcanbereusedfordifferentpurposes.SOAdesignprinciplesareusedduringthephasesofsystemsdevelopmentandintegration(7)ARPPoisoningHowtocarryoutanARPCachePoisoningAttack.ARP协议包分为ARP请求和ARP回复，当发送ARP请求的时候，符合对应IP地址的电脑发送ARP回复包。但是如果有一台黑客的电脑也发送经过伪装之后的ARP回复包，那么之后数据就会发送给这台黑客的电脑。由于ARP的表经常需要更新，所以很容易遭到攻击。(8)VulnerabilitiesofFirewall:Howtopenetrateafirewall,illustratedwithatleast3examples.•AttackingPacketFilteringFirewallIPAddressSpoofingAttackIP地址欺骗修改数据包的源、目的地址和端口,模仿一些合法的数据包来骗过防火墙的检测。例如:外部攻击者将他的数据报源地址改为内部网络地址,获得防火墙的放行。防火墙结合接口、地址进行匹配可以防范这类攻击。Denial-of-serviceAttack简单的包过滤防火墙不能跟踪TCP的状态,很容易受到拒绝服务攻击。受到DoS攻击的防火墙一直处于繁忙状态,规则选择不当的话有可能被绕过。TinyFragmentAttack攻击者可以通过先发送第一个合法的IP分片,骗过防火墙的检测,接着封装了恶意数据的后续分片包就可以穿透防火墙,直接到达内部网络主机,从而威胁网络和主机的安全。TrojanAttack包过滤防火墙一般只过滤低端口(1-1024),高端口因为一些服务需要必须打开,因此无法过滤。预先植入的木马会在高端打开等待。•AttackingStatefulInspectionFirewallProtocolTunneling（工具Loki）协议隧道的攻击思想类似于VPN的实现原理,攻击者将一些恶意的攻击数据包隐藏在一些协议分组的头部,从而穿透防火墙系统对内部网络进行攻击。TrojansRebound攻击者内部网络安装的反弹木马定时地连接外部攻击者控制主机,由于连接是从内部发起的,防火墙不能区分木的连接,而都认为是一个合法的连接,因此可以实现透。•AttackingProxyUnauthorizedWebAccess早期WinGate版本误配置情况下,允许外部主机完全匿名访问因特网。外部攻击者可以利用WinGate主机对Web服务器发动各种Web攻击。攻击报文都从80号TCP端口穿过,难追踪攻击者来源。UnauthorizedSocksAccessWinGate缺省配置中,Socks代理(1080号TCP端口)存在漏洞。与打开Web代理(80端口)一样,外部攻击者可以利用Socks代理访问因特网。UnauthorizedTelnetAccess通过连接到一个误配置的WinGate服务器的Telnet服务,攻击者可以使用别人的主机隐藏自己的踪迹,随意地发动攻击。(9)SecurityinCloudComputing:HowtodiscerntheSecurityinCloudComputinginyourpointofview.example.Theresponsibilitygoesbothways,however:theprovidermustensurethattheirinfrastructureissecureandthattheirclients’dataandapplicationsareprotectedwhiletheusermusttakemeasurestofortifytheirapplicationandusestrongpasswordsandauthenticationmeasures.IdentitymanagementPhysicalsecurityPersonnelsecurityAvailabilityApplicationsecurity(10)DiscusssomePORTSCANSoftwareyoueverused,includingtheusageandtherunningresultanalysis.NMap是主流OS下的网络扫描和嗅探工具包。其基本功能包括:•探测一组主机是否在线;•扫描主机端口,嗅探所提供的网络服务;•推断主机所用的操作系统。命令行：nmap-PN-sS-OScanme.Nmap.Org结果：常用端口是否开放，操作系统的类型甚至内核版本范围，设备种类，显示扫描时间(11)SelectonefromtheOWASP’sTopTenThreatensofWebApplications2010anddiscussthemechanisms,citinginillustration.NOTES(1)WhatisAuthentication(认证)?WhataboutIdentification(身份识别)andAuthorization(授权)?•Identificationaimsatdeterminingwhetheranindividualisknowntothesystem.•Authorizationistheprocessofgrantingtheuseraccesstospecificsystemresourcesbasedonhis/herprofileandlocal/globalpolicycontrollingtheresourceaccess.•Authenticationistoproveorshow(something,especiallyaclaimoranartisticwork)tobetrueorgenuine.(2)KerberosKerberosisanauthenticationservicedevelopedatMITwhichallowsadistributedsystemtobeabletoauthenticaterequestsforservicegeneratedfromworkstations.(3))TheAttacktoAuthenticationImpersonationattacks(假冒攻击)Replayattacks(重放攻击)Forceddelayattacks(强迫延时攻击)Interleavingattacks(交错攻击)Oraclesessionattack(Oracle会话攻击)Parallelsessionattack(并行会话攻击)(4)WhatPKIcandogeneratedigitalcertificates.managethecertificates,certificatestatuses,andthebusinesselement.involvesymmetrickeycryptographyfordifferentpurposesothersecuritypurposes.(5)WhatisKerberosKerberos(ITU‐T)isacomputernetworkauthenticationprotocolwhichworksonthebasisof“tickets”(票据)toallownodescommunicatingoveranon‐securenetworktoprovetheiridentitytooneanotherinasecuremanner.(6)Kerberos的局限性1.单点失败2.Kerberos要求参与通信的主机的时钟同步3.管理协议未标准化(RFC3244描述了一些更改)。4.所有用户使用的主密钥都存储于中心服务器(KDC)中,危及服务器的安全的行为将危及所有用户的密钥。5.一个危险客户机将可能危及用户密码安全。(7)X.509Securityproblems•Specification:Complexityandlackofquality•Architecturalflaw•Commercialcertificateauthorities•ImplementationApplicationsS/MIME(MultipurposeInternetMailExtensions)SSL(SecureSocketLayer)TLS(TransportLayerSecurity)SET(SecureElectronicTrade)PKI(PublicKeyInfrastructure)......