Reading notes: 《白帽子讲Web安全》 (White Hat Talks Web Security)
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Chapter 1: My Security Worldview</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.1 A brief history of web security: the enlightenment age (the 1990s, which prized openness, sharing and freedom); the golden age (the China-US hacker wars); the dark age (the black-market industry chain); the transformation of the technology.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.2 White hats and black hats: a white hat must defeat a whole class of attack method rather than fend off a single attack.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.3 The essence of security problems: they are problems of trust.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.4 Security is a continuous process; there is no silver bullet.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.5 The three elements of security: confidentiality, integrity, availability.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.6 The security assessment process: asset classification, then threat analysis, then risk analysis, then confirming the solution.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.7 White hat tactics:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Secure by default</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Defense in depth: look at the problem more comprehensively and more correctly</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The principle of separating data from code</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The principle of unpredictability</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.8 Summary: security is a plain discipline and also an art of balance.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Chapter 2: Browser Security</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2.1 The same-origin policy</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2.2 The sandbox</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2.3 Malicious websites</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2.4 The rapid development of browser security</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2.5 Summary: browser security is becoming ever more important.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Chapter 3: Cross-Site Scripting (XSS)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.1 Overview: reflected XSS; stored XSS; DOM-based XSS.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.2 Advanced XSS</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">XSS attack platforms: Attack API, BeEF, XSS-Proxy</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Debugging JavaScript: Firebug, IE's built-in tools, Fiddler, HttpWatch</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">XSS construction techniques: 1. using character encodings; 2. bypassing length limits; 3. using the &lt;base&gt; tag; 4. window.name</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.3 XSS defense: use the correct encoding in the correct place.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.3.1 HttpOnly</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.3.2 Input checking</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.3.3 Output checking: 1. safe encoding functions; 2. the correct encoding for the context</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.3.4 Defending against XSS correctly</p>
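<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The rule in 3.3 ("the correct encoding in the correct place") is easiest to see with one untrusted value rendered into three different contexts. The block below is an added example written for these notes; it is not code from the book or from any library, and the function names, the constructed sample string and the page fragment are my own assumptions.</p>

```javascript
// Added example (not the book's code): context-aware output encoding.
// One untrusted value is placed into an HTML text node, a JavaScript
// string literal and a URL query parameter, each with its own encoder.

// HTML context: escape the five characters that can open a tag, an
// attribute or an entity. Suitable for text nodes and quoted attributes.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript string-literal context: HTML encoding is the WRONG tool here,
// because "</script>" inside a <script> block ends the block regardless of
// quoting. Escape every non-alphanumeric character as \xHH or \uHHHH so the
// value can only ever be string data.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode the value. When the finished
// URL is then placed in an href attribute it must additionally be HTML
// encoded: two contexts, two encoders, applied inside-out.
function encodeForUrlParam(input) {
  return encodeURIComponent(String(input));
}

// Render a fragment that uses the same untrusted value in all three places.
function renderGreeting(untrustedName) {
  const html = encodeForHtml(untrustedName);
  const js = encodeForJsString(untrustedName);
  const href = encodeForHtml('/search?q=' + encodeForUrlParam(untrustedName));
  return [
    `<p>Hello, ${html}</p>`,
    `<script>var name = '${js}';</script>`,
    `<a href="${href}">search</a>`,
  ].join('\n');
}

// Constructed sample input: a quote, a closing script tag, a tag and an
// ampersand, so that every context is exercised.
const SAMPLE = "O'Neil </script><b>&";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderGreeting(SAMPLE));
}
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The point the three encoders make is that a single "escape HTML" helper is not enough: the JavaScript literal needs its own encoder so that a closing script tag in the data never closes the real script block, and the link needs URL encoding first and HTML encoding second.</p>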
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Chapter 4: Cross-Site Request Forgery (CSRF)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4.1 Overview: site A uses the user's identity to execute operations on site B and manipulate site B's content; the essence is that certain parameters of important operations can be guessed.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4.3 CSRF defenses: CAPTCHA; Referer check; CSRF token.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Chapter 5: Clickjacking</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.1 Overview: visual deception; an invisible page is laid over the page the user sees, so the user's actions land on the hidden page.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.2 Flash clickjacking:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.3 Image overlay attacks:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.4 Drag-and-drop hijacking and data theft</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.5 Touchscreen hijacking</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.6 Defenses:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.6.1 Frame busting (forbid cross-origin iframes)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5.6.2 X-Frame-Options:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Chapter 6: HTML5 Security</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.1 New HTML5 tags</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.1.1 XSS via the new tags: for example &lt;video&gt; and &lt;audio&gt;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.1.2 The iframe sandbox attribute</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.1.3 Link types: noreferrer</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.1.4 Canvas</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.2 Other security issues</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.2.1 Cross-Origin Resource Sharing</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.2.2 postMessage: passing messages across windows</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.2.3 Web Storage: divided into session storage and local storage</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6.3 Summary: the adoption of HTML5 will push the battlefield toward the mobile internet.</p>