|
|
(32 intermediate revisions by 7 users not shown) |
Line 1: |
Line 1: |
− | http://www.textletoeltd.com
| + | {{Inactive Chapter}} |
− | [[Image:OWASP_TW_Banner.png]]
| |
| | | |
− | æ¡è¿å å
¥OWASPå°ç£åæï¼ã網ç«å®å
¨ç第ä¸æ¥ï¼å¾å å
¥OWASPå°ç£åæéå§ãã
| + | {{Chapter Template|chaptername=Taiwan|extra=The chapter leader position is '''OPEN'''. |
| + | |meetupurl=CHANGEME|region=Asia/Pacific/Middle East}} |
| | | |
− | <paypal>Taiwan</paypal>
| + | == Local News == |
| | | |
− | å°ç£åææé·[mailto:[email protected] é»èæå
çï¼Wayne Huangï¼]æ¨åæå·¥ä½åä»è¡·å¿è¯å®æ¨çåèï¼ä¸ç®¡æ¨å¨ä½èï¼çè³æ¨å
æ¾çä¸ç¶²è·¯è¶³è·¡æ¼å°ç£ï¼æè¬æ¨é¡æè·å¤§å®¶ä¸èµ·å享ï¼è®æåç¨æ´å¤ä¸åçè§åº¦ä¾æª¢è¦Webå®å
¨ç趨å¢ãå¨è
ãåé¡è解決æ¹æ¡ã | + | '''Meeting Location''' |
| | | |
− | == æ¡è¿å
è¨ OWASP å°ç£åæ ==
| + | Everyone is welcome to join us at our chapter meetings. |
| | | |
− | == ææ°æ´»å ==
| + | [[Category:OWASP Chapter]] |
− | === [[OWASP_AppSec_Asia_2007|第ä¸å±OWASPå®æ¹äºæ´²å¹´æ(OWASP Asia 2007)]] ===
| |
− | '''Security 3.0 in Web 2.0 Age â Practices and Challenges of Web 2.0 Security'''
| |
− | | |
− | [OWASP_AppSec_Asia_2007 http://www.owasp.org/images/f/f7/Owasp_taiwan_2007small.png]
| |
− | | |
− | Whitehat Securityãç¾åéé(American Express)ãé¿ç¢¼ç§æ(Armorize)ãQualysçè·¨åä¼æ¥èè³å®å
¬å¸çé«é主管èé¦å¸ç 究å¡é½èå°ç£ï¼æ¨ç¥éä»åå¦ä½çå¾
Web 2.0æä»£ä¹ Security 3.0åï¼å°å°ç£èå
¨ççå«ææ¯ä»éº¼ï¼ææ¿åºãä¼æ¥èä¸è¬ä½¿ç¨è
å該å¦ä½å æï¼å¾ä¸é¢éäº2007å¹´çè³å®ç大æ°èï¼éé²èæ樣çè¨æ¯ï¼
| |
− | * 5æ11æ¥èµ·ï¼Googleéå§ç£æ§éé§ç¶²ç«ï¼ä¸¦è²¼ä¸å±éªç¶²ç«ä¹æ¨ç±¤!
| |
− | * 5æ15æ¥æOWASPå
¬ä½2007å¹´ææ°çå大Webå¼±é»ï¼è·¨ç«è
³æ¬æ»æ(XSS)ç»ä¸æ¦é¦!
| |
− | * 6æ6æ¥IBM購併Watchfireï¼HPé¨å³æ¼6æ19æ¥è³¼ä½µSPI Dynamics!èå
åçCenzic以滲é測試æè¡æ¼6æ18æ¥ç²å¾ç¾åå°å©!
| |
− | * Web 2.0çè³å®å¨è
ï¼å æä¹éï¼Security 3.0ï¼æåç實åæ¡ä¾ï¼
| |
− | [[OWASP_AppSec_Asia_2007|第ä¸å±OWASPå®æ¹äºæ´²å¹´æ]]å°æ¼9æ27æ¥(é±å)ä¸å1é»æ¼å°å¤§é«é¢åéæè°ä¸å¿201室(å°åå¸ä¸æ£åå¾å·è·¯äºè)'''è辦ï¼æ¡è¿æ¨ä¾å
±è¥çèï¼æ»¿è¼èæ¸![[OWASP_AppSec_Asia_2007|éææ´å¤...]]
| |
− | | |
− | === [http://hitcon.org 第ä¸å±å°ç£é§å®¢å¹´æ(HIT 2007)] ===
| |
− | | |
− | [http://hitcon.org 第ä¸å±å°ç£é§å®¢å¹´æ(HIT 2007)]å·²æ¼2007å¹´7æ21æ¥(é±å
)è³22æ¥(é±æ¥)å¨åç«èºç£ç§æ大å¸å
¬é¤¨æ ¡åå滿è½å¹ï¼æ´»åçæ³ç©ºåï¼è©³æ
è«è¦ HIT 2007 å®æ¹ç¶²ç«:
| |
− | [http://hitcon.org http://www.owasp.org/images/b/b5/Owasp_taiwan_HIT-linkLOGO.gif] http://hitcon.org
| |
− | | |
− | == æ¡è¿æ¨çåè ==
| |
− | å å
¥OWASPå°ç£åæä¸éä»»ä½è²»ç¨ï¼æå¡è³æ ¼å®å
¨éæ¾çµ¦ä»»ä½å°æ¼æç¨ç¨å¼å®å
¨æè趣ç人士ï¼
| |
− | æåé¼åµæå¡æ¼OWASPå°ç£åæå享ä»åçç¥è並æä¾å°é¡æ¼è¬ï¼
| |
− | èå¨å å
¥æå¡åï¼è«æ¨ä»ç´°é±è®[https://www.owasp.org/index.php/Chapter_Rules åææå¡æå]ã
| |
− | è¥è¦å å
¥æ¬åæçmailing listï¼è«é£çµå°[http://lists.owasp.org/mailman/listinfo/owasp-taiwan mailing list]網é ï¼
| |
− | ææçæ´»åè¨è«èæ´»åå°é»å°éééåæ¸
å®ä¾è¨è«ï¼
| |
− | æ¨ä¹å¯ä»¥å¾[http://lists.owasp.org/pipermail/owasp-taiwan/ email è¨è«å份]ä¸æ¾å°æåä¹åè¨è«çå份ã
| |
− | æå¾æéæ¨ï¼åå æ´»ååï¼è«å次檢æ¥æ¨mailing listç信件以確å®æ´»åå°é»èæéï¼ææ¯ä»»ä½æéæ´»åè¨éçäºé
ã
| |
− | | |
− | == æéOWASP (About OWASP) ==
| |
− | OWASP(éæ¾Webè»é«å®å
¨è¨ç« - Open Web Application Security Project)æ¯ä¸åéæ¾ç¤¾ç¾¤ãéçå©æ§çµç¹ï¼ç®åå
¨çæ82ååæè¿è¬åæå¡ï¼å
¶ä¸»è¦ç®æ¨æ¯ç è°åå©è§£æ±ºWebè»é«å®å
¨ä¹æ¨æºãå·¥å
·èæè¡æ件ï¼é·æè´åæ¼åå©æ¿åºæä¼æ¥ç解並æ¹å網é æç¨ç¨å¼è網é æåçå®å
¨æ§ãç±æ¼æç¨ç¯åæ¥å»£ï¼ç¶²é æç¨å®å
¨å·²ç¶é漸çåå°éè¦ï¼ä¸¦æ¼¸æ¼¸æçºå¨å®å
¨é åçä¸åç±é話é¡ï¼å¨æ¤åæï¼é§å®¢åä¹ææçå°ç¦é»è½ç§»å°ç¶²é æç¨ç¨å¼éç¼æææç¢ççå¼±é»ä¾é²è¡æ»æèç ´å£ã
| |
− | | |
− | ç¾åè¯é¦è²¿æå§å¡æ(FTC)å¼·ç建è°ææä¼æ¥ééµå¾ªOWASPæç¼ä½çå大Webå¼±é»é²è·å®åãç¾ååé²é¨äº¦åçºæ佳實åï¼åéä¿¡ç¨å¡è³æå®å
¨æè¡PCIæ¨æºæ´å°å
¶åçºå¿
è¦å
件ãç®åOWASPæ30å¤åé²è¡ä¸çè¨ç«ï¼å
æ¬æç¥åçOWASP Top 10(å大Webå¼±é»)ãWebGoat(代罪ç¾ç¾)ç·´ç¿å¹³å°ãå®å
¨PHP/Java/ASP.Netçè¨ç«ï¼éå°ä¸åçè»é«å®å
¨åé¡å¨é²è¡è¨è«èç 究ã
| |
− | | |
− | ç¶è²´å®ä½æ±ºå®éæ¾ç¶²é æåæï¼å°±å¿
é è®ä¾èªæ¼å
¨çç網é è«æ±é²å
¥å®ä½å
§é¨ç網é 伺æå¨ãé§å®¢å¯ä»¥èç±é±èå¨åæ³ç網é è«æ±å
§ï¼ééé²ç«çãå
¥ä¾µåµæ¸¬ç³»çµ±æå
¶ä»é²ç¦¦ç³»çµ±çåµæ¸¬ï¼å èçä¹çé²å
¥å®ä½å
§é¨æèç±å®ä½ç¶²ç«å
ç¶è·³æ¿èä¸ç¹¼ç«èåå
¶ä»å害è
ç¼åæ»æãéæå³èä¼æ¥ç網é ç¨å¼ç¢¼ä¹å¿
é æçºæ©é(æ§)å®ä½å¨éçå®å
¨é²è·ä¹ä¸ï¼ç¶å®ä½ç¶²é æåçè¦æ¨¡èè¤éæ§å¢å æï¼å®ä½æ´é²æ¼å¤ç風éªä¹é漸å¢å ã
| |
− | | |
− | == OWASP å°ç£åæ (OWASP Taiwan Chapter) ==
| |
− | *網é :http://www.owasp.org.tw
| |
− | | |
− | | |
− | *ä½å:å°åå¸115å港åä¸éè·¯19-13è(å港è»é«åå)Eæ£5æ¨554室
| |
− | | |
− | {{Chapter Template|chaptername=Taiwan|extra=The chapter leader is [mailto:[email protected] Wayne Huang]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-taiwan|emailarchives=http://lists.owasp.org/pipermail/owasp-taiwan}} | |
− | | |
− | Chapter meetings are held several times a year, typically in the offices of our sponsor.
| |
− | | |
− | Please subscribe to the mailing list for meeting announcements.
| |
− | | |
− | == å
è²»å å
¥OWASPå°ç£åæ ==
| |
− | | |
− | <font color="#FF0000">
| |
− | | |
− | | |
− | '''å å
¥OWASPå°ç£åæä¸éä»»ä½è²»ç¨'''
| |
− | '''å å
¥æå¡æ¹æ³è«è¦æ¬é ä¸æ¹'''</font> '''[[#å¦ä½å å
¥æå¡|å¦ä½å å
¥æå¡]]'''
| |
− | | |
− | å å
¥OWASPå°ç£åæä¸éä»»ä½è²»ç¨ï¼æå¡è³æ ¼å®å
¨éæ¾çµ¦ä»»ä½å°æ¼æç¨ç¨å¼å®å
¨æè趣ç人士ï¼<br>
| |
− | æåé¼åµæå¡æ¼OWASPå°ç£åæå享ä»åçç¥è並æä¾å°é¡æ¼è¬ï¼<br>
| |
− | èå¨å å
¥æå¡åï¼è«æ¨ä»ç´°é±è®[https://www.owasp.org/index.php/Chapter_Rules åææå¡æå]ã
| |
− | | |
− | è¥è¦å å
¥æ¬åæçmailing listï¼è«é£çµå°[http://lists.owasp.org/mailman/listinfo/owasp-taiwan mailing list]網é ï¼<br>
| |
− | ææçæ´»åè¨è«èæ´»åå°é»å°éééåæ¸
å®ä¾è¨è«ï¼<br>
| |
− | æ¨ä¹å¯ä»¥å¾[http://lists.owasp.org/pipermail/owasp-taiwan/ email è¨è«å份]ä¸æ¾å°æåä¹åè¨è«çå份ã
| |
− | | |
− | æå¾æéæ¨ï¼åå æ´»ååï¼è«å次檢æ¥æ¨mailing listç信件以確å®æ´»åå°é»èæéï¼ææ¯ä»»ä½æéæ´»åè¨éçäºé
ã
| |
− | | |
− | == OWASPå°ç£åæ é¨è½æ ¼ blog ==
| |
− | <font color="#FF0000">éè¦ä¸æè³å®æ
å ±ï¼æè¡åæï¼å¸å ´è³è¨åï¼
| |
− | | |
− | æ¡è¿å¸¸ä¾ [http://www.owasp.org.tw/blog OWASPå°ç£åæ é¨è½æ ¼ blog]
| |
− | | |
− | [http://www.owasp.org.tw/blog http://www.owasp.org/images/d/da/OWASP_Banner_Blog.png]
| |
− | </font>
| |
− | | |
− | == å¦ä½å å
¥æå¡ ==
| |
− | æ¡è¿å
è²»å å
¥OWASP Taiwanå°ç£åæï¼å å
¥æ¹å¼æä¸ç¨®ï¼ç·ä¸å ±åï¼emailå ±å以åå³çå ±åï¼
| |
− | å·¥ä½åä»ææçºéç¥æææå¡æéOWASPææ°æ´»åè³è¨è座è«æè°ç¨.
| |
− | | |
− | | |
− | === ç·ä¸å ±å ===
| |
− | è«[http://www.owasp.org.tw/member/registration.php ææ¤å¡«å¯«ç·ä¸å ±åå®]
| |
− | | |
− | === Emailå ±å ===
| |
− | | |
− | #å§å
| |
− | #å®ä½
| |
− | #è·ç¨±
| |
− | #é»åéµä»¶
| |
− | #è¯çµ¡é»è©±
| |
− | | |
− | === å³çå ±å ===
| |
− | è«åå°æ¤å ±å表,填寫å¾å³çè³(02)6616-1100å³å¯.
| |
− | | |
− | [[Image:owasp_taiwan_opening.jpg|800px]]
| |
− | | |
− | == è¿ææ¶æ¯ ==
| |
− | | |
− | *Webæç¨ç¨å¼å®å
¨ç è¨æ:å¨2008å¹´7æ22æ¥èµ·ï¼è¡æ¿é¢ç èæèè³éå®å
¨æå ±ææä¸å¿è辦ä¹[http://www.icst.org.tw/content/application/icst2005/a1001001100110151/guest-cnt-browse.php?var=0,1001,111,100100110017,3353,plan&PHPSESSID=d4815b38629332871cf75bb829fd5546 æ¿åºæ©éè»é«å®å
¨æè¡ç è¨æ]ï¼ééWeb æç¨ç¨å¼å®å
¨åèæå¼å°å
¥æ¡ä¾ï¼ç解Webæç¨ç¨å¼å¯è½å¼±é»ï¼æä¾åæ©é(æ§)å§å¤ç®¡çåèã
| |
− | | |
− | *Webå®å
¨æ°è:å¨2007å¹´6æ11æ¥ï¼iThomeå ±å°ã[http://www.ithome.com.tw/itadm/article.php?c=43813 網ç«å®å
¨æ½°å ¤ï¼ä¸å®å
¨å°±æ²é¡§å®¢]ãï¼æ·±å
¥è¿½è¹¤Googleæå°å¼æå ææ¡æ網ç«ä¹æ°æªæ½ï¼å
¶æå°çµææçºæè³å®åé¡ç網ç«è²¼ä¸è¦åæ¨ç±¤ï¼ä¸¦é»æ¢ä½¿ç¨è
ç´æ¥ç覽ã
| |
− | | |
− | *OWASPå°ç£åæåå±:å¨2007å¹´4æ16è³18æ¥ï¼å°ååéè³å®å±(http://www.secutech.com/tw/is/index.asp) ééç»å ´ï¼OWASPå°ç£åæéæ¨èè¨æ¤ä½A402èA404ï¼å³å¯ç²å¾Webè³å®å
ç¢ä¸å¼µï¼ä¸¦è¦ªèªåæé«é©æ¯æ»²é測試ãå¼±é»ç¨½æ ¸çå³çµ±è³å®æª¢æ¸¬æ¹å¼æ´çºåªç°çèªåæºç¢¼æª¢æ¸¬æè¡ã
| |
− | | |
− | *Webå®å
¨æ°è:å¨2007å¹´4æ11æ¥ï¼iThomeå ±å°ã[http://www.ithome.com.tw/itadm/article.php?c=42866 OWASPå°ç£åææç«æå¡å
è²»æåä¸ï¼ç¼å©æåWebå®å
¨é²è·è·ä¸åé趨å¢]ãã
| |
− | | |
− | *Webå®å
¨æ°è:å¨2007å¹´4æ9æ¥ï¼èææ¥å ±å ±å°å°ç£å·²æESPNé«è²å°ç許å¤èæ°ç¾çæ´»æ¯æ¯ç¸éçäºåä¸åå®ç¶²ï¼ä¸æ以ä¾é¸çºéé§å®¢æ¤å
¥æ¨é¦¬å¾éï¼èç±è»é«å» åå°ç¡ä¿®è£ç¨å¼çãé¶æå·®æ»æãï¼Zero-Day Attackï¼ï¼ç¡è¾ä½¿ç¨è
åªè¦é£ä¸ç¶²ç覽ï¼é»è
¦å°±ä¸çï¼è¼è
帳èãå¯ç¢¼éç«ï¼èº«å被çç¨ï¼éè
æ©æè³æå¤æ´©æ財ç©æ失ã
| |
− | | |
− | *Webæç¨ç¨å¼å®å
¨ç è¨æ:å¨2007å¹´3æ27è³4æ11æ¥ï¼è¡æ¿é¢ç èæèè³éå®å
¨æå ±ææä¸å¿è辦ä¹[http://sid.iii.org.tw/96Q1_ISMS/ æ¿åºè³éå®å
¨é²è·å·¡è¿´ç è¨æï¼è³å®ç¼å±è¶¨å¢å網路æç¨æåè³è¨å®å
¨]ï¼æ¡è¿æ¿åºæ©é(æ§)è² è²¬è³éå®å
¨ç¸é人å¡è¸´èºåå ãNEW![https://www.owasp.org/images/b/b1/%E5%B7%A1%E8%BF%B4%E7%A0%94%E8%A8%8E%E6%9C%83%E8%AC%9B%E7%BE%A9_Web.pdf ç è¨æè¬ç¾©ä¸è¼]
| |
− | | |
− | *Webå®å
¨æ°è:å¨2007å¹´3æ21æ¥ï¼ä¸åæå ±å ±å°ãä¸ç¶²æä¸å®å
¨å家ï¼å°ç£é«å±
第äºãï¼ç±æ³åé¨èª¿æ¥å±ãåäºå±çå®ä½å
±åéå°å°ç£ç¶²è·¯å®å
¨é²è¡è§å¯ç¼ç¾ï¼å°ç£ç¶²è·¯çè³è¨å®å
¨å¨è
ï¼é«å±
äºæ´²ç¬¬äºï¼å
次æ¼ä¸åã2007å¹´åè³ä»ï¼å¹³åæ¯å¤©é½æç¼ç5件é§å®¢å
¥ä¾µäºä»¶ã
| |
− | | |
− | *Webå®å
¨æ°è:å¨2007å¹´3æ8æ¥ï¼æ±æ£®æ°èå ±å°ãå°ç£é§å®¢æ»æäºä»¶åå°é¾ä¹å ï¼90ï¼
éè¡æ¾éå
¥ä¾µãï¼ç¶è許å¤ä¼æ¥é½ä»¥æ²æé ç®çºç±ï¼ä¸é¡æå¢å é²è·è¨åè人åï¼è¢«é§å®¢ç«æ¹å
¥ä¾µç¶²é ï¼ä¸ç解èå¾å´éçæ義ï¼ç¶²é æ¹åå¾ï¼ä¸¦æ²æå¢å é²è·è¨åï¼çè³éæå®ä¸ä¼æ¥è¢«é§é£çºé«é82次ã[http://www.ettoday.com/2007/03/08/339-2063921.htm åæ°èé£çµ]
| |
− | | |
− | | |
− | | |
− | [[Image:Owasp taiwan first gathering.png]]
| |
− | | |
− | == 網ç«èWebæåçäºå¤§è³å®å°å¢ ==
| |
− | #IT人å¡ä¸è¶³
| |
− | #缺ä¹è³å®é åå°æ¥ç¥è
| |
− | #åè½æ§é©æ¶çºä¸»
| |
− | #缺ä¹èªååå·¥å
·
| |
− | #ææ¬ãæçå°åå°æ¡æ¨¡å¼ä¸å©ç¢ºä¿å°æ¡å質
| |
− | | |
− | ==ææ°2007å¹´OWASPå大Webè³å®æ¼æ´ (2007 OWASP Top 10)==
| |
− | ===å大Webè³å®æ¼æ´å表===
| |
− | *A1. 跨網ç«çå
¥ä¾µå串(Cross Site Scriptingï¼ç°¡ç¨±XSSï¼äº¦ç¨±çºè·¨ç«è
³æ¬æ»æ)ï¼Webæç¨ç¨å¼ç´æ¥å°ä¾èªä½¿ç¨è
çå·è¡è«æ±éåç覽å¨å·è¡ï¼ä½¿å¾æ»æè
å¯æ·å使ç¨è
çCookieæSessionè³æèè½ååç´æ¥ç»å
¥çºåæ³ä½¿ç¨è
ã
| |
− | *A2. 注å
¥ç¼ºå¤±(Injection Flaw)ï¼Webæç¨ç¨å¼å·è¡ä¾èªå¤é¨å
æ¬è³æ庫å¨å
§çæ¡ææ令ï¼SQL InjectionèCommand Injectionçæ»æå
æ¬å¨å
§ã
| |
− | *A3. æ¡ææªæ¡å·è¡(Malicious File Execution)ï¼Webæç¨ç¨å¼å¼å
¥ä¾èªå¤é¨çæ¡ææªæ¡ä¸¦å·è¡æªæ¡å
§å®¹ã
| |
− | *A4. ä¸å®å
¨çç©ä»¶åè(Insecure Direct Object Reference)ï¼æ»æè
å©ç¨Webæç¨ç¨å¼æ¬èº«çæªæ¡è®ååè½ä»»æååæªæ¡æéè¦è³æï¼æ¡ä¾å
æ¬http://example/read.php?file=../../../../../../../c:\boot.iniã
| |
− | *A5. 跨網ç«çå½é è¦æ± (Cross-Site Request Forgeryï¼ç°¡ç¨±CSRF): å·²ç»å
¥Webæç¨ç¨å¼çåæ³ä½¿ç¨è
å·è¡å°æ¡æçHTTPæ令ï¼ä½Webæç¨ç¨å¼å»ç¶æåæ³éæ±èçï¼ä½¿å¾æ¡ææ令被æ£å¸¸å·è¡ï¼æ¡ä¾å
æ¬ç¤¾äº¤ç¶²ç«å享ç QuickTimeãFlashå½±çä¸èææ¡æçHTTPè«æ±ã
| |
− | *A6. è³è¨æé²èä¸é©ç¶é¯èª¤èç½® (Information Leakage and Improper Error Handling)ï¼Webæç¨ç¨å¼çå·è¡é¯èª¤è¨æ¯å
å«ææè³æï¼æ¡ä¾å
æ¬:系統æªæ¡è·¯å¾çæé²æè³æ庫æ¬ä½å稱ã
| |
− | *A7. éç ´å£çéå¥èé£ç·ç®¡ç(Broken Authentication and Session Management)ï¼Webæç¨ç¨å¼ä¸èªè¡æ°å¯«ç身åé©èç¸éåè½æ缺é·ã
| |
− | *A8. ä¸å®å
¨çå¯ç¢¼å²åå¨ (Insecure Cryptographic Storage)ï¼Webæç¨ç¨å¼æ²æå°æææ§è³æ使ç¨å å¯ã使ç¨è¼å¼±çå å¯æ¼ç®æ³æå°éé°å²åæ¼å®¹æ被åå¾ä¹èã
| |
− | *A9. ä¸å®å
¨çéè¨(Insecure Communication)ï¼å³éæææ§è³ææ並æªä½¿ç¨HTTPSæå
¶ä»å å¯æ¹å¼ã
| |
− | *A10. çæ¼éå¶URLåå(Failure to Restrict URL Access)ï¼æäºç¶²é å çºæ²ææ¬éæ§å¶ï¼ä½¿å¾æ»æè
å¯éé網åç´æ¥ååï¼æ¡ä¾å
æ¬å
許ç´æ¥ä¿®æ¹WikiæBlog網é å
§å®¹ã
| |
− | | |
− | é次OWASPå
¬å¸æ°çTop 10åæ åºç®åçæ»æç¾æ³ï¼ä»¥ä»å¹´çºä¾ï¼Cross-Site Scripting(XSS)調æ´çº10大æ»æä¹é¦ï¼ç實çåæ åºç®å網路é£éèè©æ¬ºçæ»ææ¿«ç¨XSSçæ
å½¢ï¼äºå¯¦ä¸ï¼ç¾ååé²é¨çBSIè¨ç«(Build-Security In,https://buildsecurityin.us-cert.gov/) åMitreç 究æ©æ§çCVEè³å®èå¼±æ§å表(http://cve.mitre.org/) 亦顯示1)Cross Site Scriptingè2)SQL Injectionå·²é£çºå
©å¹´åçºå
¨çé èå´éè³å®å¼±é».
| |
− | | |
− | ===ç´æ¥èç¨å¼ç¢¼å®å
¨å質æé===
| |
− | *[å¿
è¦*]A1. 跨網ç«å
¥ä¾µå串(Cross Site Scripting)
| |
− | *[å¿
è¦*]A2. 注å
¥ç¼ºå¤±(Injection Flaw)
| |
− | *[建è°*]A3. æ¡ææªæ¡å·è¡(Malicious File Execution)
| |
− | *[建è°*]A4. ä¸å®å
¨çç©ä»¶åè(Insecure Direct Object Reference)
| |
− | *[é¸æ*]A5. 跨網ç«è¦æ±å½é (Cross-Site Request Forgery)
| |
− | | |
− | | |
− | <nowiki>*</nowiki>OWASPå°ç£åæå¼·ç建è°åå®ä½å¨é²è¡æºç¢¼æª¢æ¸¬æï¼å°¤ä»¥æ¿åºæ©é(æ§)ï¼æéµå¾ªæ¿åºè³éå®å
¨ä½æ¥è¦ç¯(http://www.giscc.org.tw) ä¹ãWebæç¨ç¨å¼å®å
¨åèæå¼ãï¼ä¸¦å°1è2åçºå¿
è¦æª¢æ¸¬é
ç®ï¼3è4åçºå»ºè°æª¢æ¸¬é
ç®ï¼è5åçºé¸æ檢測é
ç®ã
| |
− | | |
− | ï¼å¨å¯¦åæ¡ä¾ä¸ï¼æª¢æ¸¬ä¸¦ä¿®æ£1è2å³å¯é¿å
çµå¤§å¤æ¸çWebè³å®å¨è
ã
| |
− | | |
− | ===å ä¸è¿°æ¼æ´éæ¥é ææèWeb伺æå¨åå¤é¨è¨å®æé===
| |
− | *Information Leakage and Improper Error Handling
| |
− | *Broken Authentication and Session Management
| |
− | *Insecure Cryptographic Storage
| |
− | *Insecure Communications
| |
− | *Failure to Restrict URL Access
| |
− | | |
− | == æå¡å表 (Member List) ==
| |
− | Coming up soon!
| |
− | | |
− | [http://www.owasp.org.tw http://www.owasp.org.tw/dot.png]
| |
Welcome to the Taiwan chapter homepage. The chapter leader position is OPEN.
Everyone is welcome to join us at our chapter meetings.