This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Taiwan
æ¡è¿å å ¥OWASPå°ç£åæï¼ã網ç«å®å ¨ç第ä¸æ¥ï¼å¾å å ¥OWASPå°ç£åæéå§ãã
<paypal>Taiwan</paypal>
å°ç£åææé·é»èæå çï¼Wayne Huangï¼æ¨åæå·¥ä½åä»è¡·å¿è¯å®æ¨çåèï¼ä¸ç®¡æ¨å¨ä½èï¼çè³æ¨å æ¾çä¸ç¶²è·¯è¶³è·¡æ¼å°ç£ï¼æè¬æ¨é¡æè·å¤§å®¶ä¸èµ·å享ï¼è®æåç¨æ´å¤ä¸åçè§åº¦ä¾æª¢è¦Webå®å ¨ç趨å¢ãå¨è ãåé¡è解決æ¹æ¡ã
- 1 æ¡è¿å è¨ OWASP å°ç£åæ
- 2 ææ°æ´»å
- 3 æ¡è¿æ¨çåè
- 4 æéOWASP (About OWASP)
- 5 OWASP å°ç£åæ (OWASP Taiwan Chapter)
- 6 OWASP Taiwan
- 7 Participation
- 8 Sponsorship/Membership
- 9 å è²»å å ¥OWASPå°ç£åæ
- 10 OWASPå°ç£åæ é¨è½æ ¼ blog
- 11 å¦ä½å å ¥æå¡
- 12 è¿ææ¶æ¯
- 13 網ç«èWebæåçäºå¤§è³å®å°å¢
- 14 ææ°2007å¹´OWASPå大Webè³å®æ¼æ´ (2007 OWASP Top 10)
- 15 æå¡å表 (Member List)
æ¡è¿å è¨ OWASP å°ç£åæ
ææ°æ´»å
第ä¸å±OWASPå®æ¹äºæ´²å¹´æ(OWASP Asia 2007)
Security 3.0 in Web 2.0 Age â Practices and Challenges of Web 2.0 Security
[OWASP_AppSec_Asia_2007 ]
Whitehat Securityãç¾åéé(American Express)ãé¿ç¢¼ç§æ(Armorize)ãQualysçè·¨åä¼æ¥èè³å®å ¬å¸çé«é主管èé¦å¸ç 究å¡é½èå°ç£ï¼æ¨ç¥éä»åå¦ä½çå¾ Web 2.0æä»£ä¹ Security 3.0åï¼å°å°ç£èå ¨ççå«ææ¯ä»éº¼ï¼ææ¿åºãä¼æ¥èä¸è¬ä½¿ç¨è å該å¦ä½å æï¼å¾ä¸é¢éäº2007å¹´çè³å®ç大æ°èï¼éé²èæ樣çè¨æ¯ï¼
- 5æ11æ¥èµ·ï¼Googleéå§ç£æ§éé§ç¶²ç«ï¼ä¸¦è²¼ä¸å±éªç¶²ç«ä¹æ¨ç±¤!
- 5æ15æ¥æOWASPå ¬ä½2007å¹´ææ°çå大Webå¼±é»ï¼è·¨ç«è ³æ¬æ»æ(XSS)ç»ä¸æ¦é¦!
- 6æ6æ¥IBM購併Watchfireï¼HPé¨å³æ¼6æ19æ¥è³¼ä½µSPI Dynamics!èå åçCenzic以滲é測試æè¡æ¼6æ18æ¥ç²å¾ç¾åå°å©!
- Web 2.0çè³å®å¨è ï¼å æä¹éï¼Security 3.0ï¼æåç實åæ¡ä¾ï¼
第ä¸å±OWASPå®æ¹äºæ´²å¹´æå°æ¼9æ27æ¥(é±å)ä¸å1é»æ¼å°å¤§é«é¢åéæè°ä¸å¿201室(å°åå¸ä¸æ£åå¾å·è·¯äºè)è辦ï¼æ¡è¿æ¨ä¾å ±è¥çèï¼æ»¿è¼èæ¸!éææ´å¤...
第ä¸å±å°ç£é§å®¢å¹´æ(HIT 2007)
第ä¸å±å°ç£é§å®¢å¹´æ(HIT 2007)å·²æ¼2007å¹´7æ21æ¥(é±å )è³22æ¥(é±æ¥)å¨åç«èºç£ç§æ大å¸å ¬é¤¨æ ¡åå滿è½å¹ï¼æ´»åçæ³ç©ºåï¼è©³æ è«è¦ HIT 2007 å®æ¹ç¶²ç«: http://hitcon.org
æ¡è¿æ¨çåè
å å ¥OWASPå°ç£åæä¸éä»»ä½è²»ç¨ï¼æå¡è³æ ¼å®å ¨éæ¾çµ¦ä»»ä½å°æ¼æç¨ç¨å¼å®å ¨æè趣çäººå£«ï¼ æåé¼åµæå¡æ¼OWASPå°ç£åæå享ä»åçç¥è並æä¾å°é¡æ¼è¬ï¼ èå¨å å ¥æå¡åï¼è«æ¨ä»ç´°é±è®åææå¡æåã è¥è¦å å ¥æ¬åæçmailing listï¼è«é£çµå°mailing list網é ï¼ ææçæ´»åè¨è«èæ´»åå°é»å°éééåæ¸ å®ä¾è¨è«ï¼ æ¨ä¹å¯ä»¥å¾email è¨è«å份ä¸æ¾å°æåä¹åè¨è«çå份ã æå¾æéæ¨ï¼åå æ´»ååï¼è«å次檢æ¥æ¨mailing listç信件以確å®æ´»åå°é»èæéï¼ææ¯ä»»ä½æéæ´»åè¨éçäºé ã
æéOWASP (About OWASP)
OWASP(éæ¾Webè»é«å®å ¨è¨ç« - Open Web Application Security Project)æ¯ä¸åéæ¾ç¤¾ç¾¤ãéçå©æ§çµç¹ï¼ç®åå ¨çæ82ååæè¿è¬åæå¡ï¼å ¶ä¸»è¦ç®æ¨æ¯ç è°åå©è§£æ±ºWebè»é«å®å ¨ä¹æ¨æºãå·¥å ·èæè¡æ件ï¼é·æè´åæ¼åå©æ¿åºæä¼æ¥ç解並æ¹å網é æç¨ç¨å¼è網é æåçå®å ¨æ§ãç±æ¼æç¨ç¯åæ¥å»£ï¼ç¶²é æç¨å®å ¨å·²ç¶é漸çåå°éè¦ï¼ä¸¦æ¼¸æ¼¸æçºå¨å®å ¨é åçä¸åç±é話é¡ï¼å¨æ¤åæï¼é§å®¢åä¹ææçå°ç¦é»è½ç§»å°ç¶²é æç¨ç¨å¼éç¼æææç¢ççå¼±é»ä¾é²è¡æ»æèç ´å£ã
ç¾åè¯é¦è²¿æå§å¡æ(FTC)å¼·ç建è°ææä¼æ¥ééµå¾ªOWASPæç¼ä½çå大Webå¼±é»é²è·å®åãç¾ååé²é¨äº¦åçºæ佳實åï¼åéä¿¡ç¨å¡è³æå®å ¨æè¡PCIæ¨æºæ´å°å ¶åçºå¿ è¦å 件ãç®åOWASPæ30å¤åé²è¡ä¸çè¨ç«ï¼å æ¬æç¥åçOWASP Top 10(å大Webå¼±é»)ãWebGoat(代罪ç¾ç¾)ç·´ç¿å¹³å°ãå®å ¨PHP/Java/ASP.Netçè¨ç«ï¼éå°ä¸åçè»é«å®å ¨åé¡å¨é²è¡è¨è«èç 究ã
ç¶è²´å®ä½æ±ºå®éæ¾ç¶²é æåæï¼å°±å¿ é è®ä¾èªæ¼å ¨çç網é è«æ±é²å ¥å®ä½å §é¨ç網é 伺æå¨ãé§å®¢å¯ä»¥èç±é±èå¨åæ³ç網é è«æ±å §ï¼ééé²ç«çãå ¥ä¾µåµæ¸¬ç³»çµ±æå ¶ä»é²ç¦¦ç³»çµ±çåµæ¸¬ï¼å èçä¹çé²å ¥å®ä½å §é¨æèç±å®ä½ç¶²ç«å ç¶è·³æ¿èä¸ç¹¼ç«èåå ¶ä»å害è ç¼åæ»æãéæå³èä¼æ¥ç網é ç¨å¼ç¢¼ä¹å¿ é æçºæ©é(æ§)å®ä½å¨éçå®å ¨é²è·ä¹ä¸ï¼ç¶å®ä½ç¶²é æåçè¦æ¨¡èè¤éæ§å¢å æï¼å®ä½æ´é²æ¼å¤ç風éªä¹é漸å¢å ã
OWASP å°ç£åæ (OWASP Taiwan Chapter)
- 網é :http://www.owasp.org.tw
- é»éµ:[email protected]
- 群çµ:[email protected]
- ä½å:å°åå¸115å港åä¸éè·¯19-13è(å港è»é«åå)Eæ£5æ¨554室
OWASP Taiwan
Welcome to the Taiwan chapter homepage. The chapter leader is Wayne Huang
Participation
OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.
Sponsorship/Membership
to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member?
Chapter meetings are held several times a year, typically in the offices of our sponsor.
Please subscribe to the mailing list for meeting announcements.
å è²»å å ¥OWASPå°ç£åæ
å å
¥OWASPå°ç£åæä¸éä»»ä½è²»ç¨
å å
¥æå¡æ¹æ³è«è¦æ¬é ä¸æ¹ å¦ä½å å
¥æå¡
å å
¥OWASPå°ç£åæä¸éä»»ä½è²»ç¨ï¼æå¡è³æ ¼å®å
¨éæ¾çµ¦ä»»ä½å°æ¼æç¨ç¨å¼å®å
¨æè趣ç人士ï¼
æåé¼åµæå¡æ¼OWASPå°ç£åæå享ä»åçç¥è並æä¾å°é¡æ¼è¬ï¼
èå¨å å
¥æå¡åï¼è«æ¨ä»ç´°é±è®åææå¡æåã
è¥è¦å å
¥æ¬åæçmailing listï¼è«é£çµå°mailing list網é ï¼
ææçæ´»åè¨è«èæ´»åå°é»å°éééåæ¸
å®ä¾è¨è«ï¼
æ¨ä¹å¯ä»¥å¾email è¨è«å份ä¸æ¾å°æåä¹åè¨è«çå份ã
æå¾æéæ¨ï¼åå æ´»ååï¼è«å次檢æ¥æ¨mailing listç信件以確å®æ´»åå°é»èæéï¼ææ¯ä»»ä½æéæ´»åè¨éçäºé ã
OWASPå°ç£åæ é¨è½æ ¼ blog
éè¦ä¸æè³å®æ å ±ï¼æè¡åæï¼å¸å ´è³è¨åï¼
æ¡è¿å¸¸ä¾ OWASPå°ç£åæ é¨è½æ ¼ blog
å¦ä½å å ¥æå¡
æ¡è¿å è²»å å ¥OWASP Taiwanå°ç£åæï¼å å ¥æ¹å¼æä¸ç¨®ï¼ç·ä¸å ±åï¼emailå ±å以åå³çå ±åï¼ å·¥ä½åä»ææçºéç¥æææå¡æéOWASPææ°æ´»åè³è¨è座è«æè°ç¨.
ç·ä¸å ±å
è«ææ¤å¡«å¯«ç·ä¸å ±åå®
Emailå ±å
è«emailï¼[email protected]å å ¥å°ç£åæ,è«è¨»æä¸åè³è¨.
- å§å
- å®ä½
- è·ç¨±
- é»åéµä»¶
- è¯çµ¡é»è©±
å³çå ±å
è«åå°æ¤å ±å表,填寫å¾å³çè³(02)6616-1100å³å¯.
è¿ææ¶æ¯
- Webæç¨ç¨å¼å®å ¨ç è¨æ:å¨2008å¹´7æ22æ¥èµ·ï¼è¡æ¿é¢ç èæèè³éå®å ¨æå ±ææä¸å¿è辦ä¹æ¿åºæ©éè»é«å®å ¨æè¡ç è¨æï¼ééWeb æç¨ç¨å¼å®å ¨åèæå¼å°å ¥æ¡ä¾ï¼ç解Webæç¨ç¨å¼å¯è½å¼±é»ï¼æä¾åæ©é(æ§)å§å¤ç®¡çåèã
- Webå®å ¨æ°è:å¨2007å¹´6æ11æ¥ï¼iThomeå ±å°ã網ç«å®å ¨æ½°å ¤ï¼ä¸å®å ¨å°±æ²é¡§å®¢ãï¼æ·±å ¥è¿½è¹¤Googleæå°å¼æå ææ¡æ網ç«ä¹æ°æªæ½ï¼å ¶æå°çµææçºæè³å®åé¡ç網ç«è²¼ä¸è¦åæ¨ç±¤ï¼ä¸¦é»æ¢ä½¿ç¨è ç´æ¥ç覽ã
- OWASPå°ç£åæåå±:å¨2007å¹´4æ16è³18æ¥ï¼å°ååéè³å®å±(http://www.secutech.com/tw/is/index.asp) ééç»å ´ï¼OWASPå°ç£åæéæ¨èè¨æ¤ä½A402èA404ï¼å³å¯ç²å¾Webè³å®å ç¢ä¸å¼µï¼ä¸¦è¦ªèªåæé«é©æ¯æ»²é測試ãå¼±é»ç¨½æ ¸çå³çµ±è³å®æª¢æ¸¬æ¹å¼æ´çºåªç°çèªåæºç¢¼æª¢æ¸¬æè¡ã
- Webå®å ¨æ°è:å¨2007å¹´4æ11æ¥ï¼iThomeå ±å°ãOWASPå°ç£åææç«æå¡å è²»æåä¸ï¼ç¼å©æåWebå®å ¨é²è·è·ä¸åé趨å¢ãã
- Webå®å ¨æ°è:å¨2007å¹´4æ9æ¥ï¼èææ¥å ±å ±å°å°ç£å·²æESPNé«è²å°ç許å¤èæ°ç¾çæ´»æ¯æ¯ç¸éçäºåä¸åå®ç¶²ï¼ä¸æ以ä¾é¸çºéé§å®¢æ¤å ¥æ¨é¦¬å¾éï¼èç±è»é«å» åå°ç¡ä¿®è£ç¨å¼çãé¶æå·®æ»æãï¼Zero-Day Attackï¼ï¼ç¡è¾ä½¿ç¨è åªè¦é£ä¸ç¶²ç覽ï¼é»è ¦å°±ä¸çï¼è¼è 帳èãå¯ç¢¼éç«ï¼èº«å被çç¨ï¼éè æ©æè³æå¤æ´©æ財ç©æ失ã
- Webæç¨ç¨å¼å®å ¨ç è¨æ:å¨2007å¹´3æ27è³4æ11æ¥ï¼è¡æ¿é¢ç èæèè³éå®å ¨æå ±ææä¸å¿è辦ä¹æ¿åºè³éå®å ¨é²è·å·¡è¿´ç è¨æï¼è³å®ç¼å±è¶¨å¢å網路æç¨æåè³è¨å®å ¨ï¼æ¡è¿æ¿åºæ©é(æ§)è² è²¬è³éå®å ¨ç¸é人å¡è¸´èºåå ãNEW!ç è¨æè¬ç¾©ä¸è¼
- Webå®å ¨æ°è:å¨2007å¹´3æ21æ¥ï¼ä¸åæå ±å ±å°ãä¸ç¶²æä¸å®å ¨å家ï¼å°ç£é«å± 第äºãï¼ç±æ³åé¨èª¿æ¥å±ãåäºå±çå®ä½å ±åéå°å°ç£ç¶²è·¯å®å ¨é²è¡è§å¯ç¼ç¾ï¼å°ç£ç¶²è·¯çè³è¨å®å ¨å¨è ï¼é«å± äºæ´²ç¬¬äºï¼å 次æ¼ä¸åã2007å¹´åè³ä»ï¼å¹³åæ¯å¤©é½æç¼ç5件é§å®¢å ¥ä¾µäºä»¶ã
- Webå®å ¨æ°è:å¨2007å¹´3æ8æ¥ï¼æ±æ£®æ°èå ±å°ãå°ç£é§å®¢æ»æäºä»¶åå°é¾ä¹å ï¼90ï¼ éè¡æ¾éå ¥ä¾µãï¼ç¶è許å¤ä¼æ¥é½ä»¥æ²æé ç®çºç±ï¼ä¸é¡æå¢å é²è·è¨åè人åï¼è¢«é§å®¢ç«æ¹å ¥ä¾µç¶²é ï¼ä¸ç解èå¾å´éçæ義ï¼ç¶²é æ¹åå¾ï¼ä¸¦æ²æå¢å é²è·è¨åï¼çè³éæå®ä¸ä¼æ¥è¢«é§é£çºé«é82次ãåæ°èé£çµ
網ç«èWebæåçäºå¤§è³å®å°å¢
- IT人å¡ä¸è¶³
- 缺ä¹è³å®é åå°æ¥ç¥è
- åè½æ§é©æ¶çºä¸»
- 缺ä¹èªååå·¥å ·
- ææ¬ãæçå°åå°æ¡æ¨¡å¼ä¸å©ç¢ºä¿å°æ¡å質
ææ°2007å¹´OWASPå大Webè³å®æ¼æ´ (2007 OWASP Top 10)
å大Webè³å®æ¼æ´å表
- A1. 跨網ç«çå ¥ä¾µå串(Cross Site Scriptingï¼ç°¡ç¨±XSSï¼äº¦ç¨±çºè·¨ç«è ³æ¬æ»æ)ï¼Webæç¨ç¨å¼ç´æ¥å°ä¾èªä½¿ç¨è çå·è¡è«æ±éåç覽å¨å·è¡ï¼ä½¿å¾æ»æè å¯æ·å使ç¨è çCookieæSessionè³æèè½ååç´æ¥ç»å ¥çºåæ³ä½¿ç¨è ã
- A2. æ³¨å ¥ç¼ºå¤±(Injection Flaw)ï¼Webæç¨ç¨å¼å·è¡ä¾èªå¤é¨å æ¬è³æ庫å¨å §çæ¡ææ令ï¼SQL InjectionèCommand Injectionçæ»æå æ¬å¨å §ã
- A3. æ¡ææªæ¡å·è¡(Malicious File Execution)ï¼Webæç¨ç¨å¼å¼å ¥ä¾èªå¤é¨çæ¡ææªæ¡ä¸¦å·è¡æªæ¡å §å®¹ã
- A4. ä¸å®å ¨çç©ä»¶åè(Insecure Direct Object Reference)ï¼æ»æè å©ç¨Webæç¨ç¨å¼æ¬èº«çæªæ¡è®ååè½ä»»æååæªæ¡æéè¦è³æï¼æ¡ä¾å æ¬http://example/read.php?file=../../../../../../../c:\boot.iniã
- A5. 跨網ç«çå½é è¦æ± (Cross-Site Request Forgeryï¼ç°¡ç¨±CSRF): å·²ç»å ¥Webæç¨ç¨å¼çåæ³ä½¿ç¨è å·è¡å°æ¡æçHTTPæ令ï¼ä½Webæç¨ç¨å¼å»ç¶æåæ³éæ±èçï¼ä½¿å¾æ¡ææ令被æ£å¸¸å·è¡ï¼æ¡ä¾å æ¬ç¤¾äº¤ç¶²ç«å享ç QuickTimeãFlashå½±çä¸èææ¡æçHTTPè«æ±ã
- A6. è³è¨æé²èä¸é©ç¶é¯èª¤èç½® (Information Leakage and Improper Error Handling)ï¼Webæç¨ç¨å¼çå·è¡é¯èª¤è¨æ¯å å«ææè³æï¼æ¡ä¾å æ¬:系統æªæ¡è·¯å¾çæé²æè³æ庫æ¬ä½å稱ã
- A7. éç ´å£çéå¥èé£ç·ç®¡ç(Broken Authentication and Session Management)ï¼Webæç¨ç¨å¼ä¸èªè¡æ°å¯«ç身åé©èç¸éåè½æ缺é·ã
- A8. ä¸å®å ¨çå¯ç¢¼å²åå¨ (Insecure Cryptographic Storage)ï¼Webæç¨ç¨å¼æ²æå°æææ§è³æ使ç¨å å¯ã使ç¨è¼å¼±çå å¯æ¼ç®æ³æå°éé°å²åæ¼å®¹æ被åå¾ä¹èã
- A9. ä¸å®å ¨çéè¨(Insecure Communication)ï¼å³éæææ§è³ææ並æªä½¿ç¨HTTPSæå ¶ä»å å¯æ¹å¼ã
- A10. çæ¼éå¶URLåå(Failure to Restrict URL Access)ï¼æäºç¶²é å çºæ²ææ¬éæ§å¶ï¼ä½¿å¾æ»æè å¯éé網åç´æ¥ååï¼æ¡ä¾å æ¬å 許ç´æ¥ä¿®æ¹WikiæBlog網é å §å®¹ã
é次OWASPå ¬å¸æ°çTop 10åæ åºç®åçæ»æç¾æ³ï¼ä»¥ä»å¹´çºä¾ï¼Cross-Site Scripting(XSS)調æ´çº10大æ»æä¹é¦ï¼ç實çåæ åºç®å網路é£éèè©æ¬ºçæ»ææ¿«ç¨XSSçæ å½¢ï¼äºå¯¦ä¸ï¼ç¾ååé²é¨çBSIè¨ç«(Build-Security In,https://buildsecurityin.us-cert.gov/) åMitreç 究æ©æ§çCVEè³å®èå¼±æ§å表(http://cve.mitre.org/) 亦顯示1)Cross Site Scriptingè2)SQL Injectionå·²é£çºå ©å¹´åçºå ¨çé èå´éè³å®å¼±é».
ç´æ¥èç¨å¼ç¢¼å®å ¨å質æé
- [å¿ è¦*]A1. 跨網ç«å ¥ä¾µå串(Cross Site Scripting)
- [å¿ è¦*]A2. æ³¨å ¥ç¼ºå¤±(Injection Flaw)
- [建è°*]A3. æ¡ææªæ¡å·è¡(Malicious File Execution)
- [建è°*]A4. ä¸å®å ¨çç©ä»¶åè(Insecure Direct Object Reference)
- [é¸æ*]A5. 跨網ç«è¦æ±å½é (Cross-Site Request Forgery)
*OWASPå°ç£åæå¼·ç建è°åå®ä½å¨é²è¡æºç¢¼æª¢æ¸¬æï¼å°¤ä»¥æ¿åºæ©é(æ§)ï¼æéµå¾ªæ¿åºè³éå®å
¨ä½æ¥è¦ç¯(http://www.giscc.org.tw) ä¹ãWebæç¨ç¨å¼å®å
¨åèæå¼ãï¼ä¸¦å°1è2åçºå¿
è¦æª¢æ¸¬é
ç®ï¼3è4åçºå»ºè°æª¢æ¸¬é
ç®ï¼è5åçºé¸æ檢測é
ç®ã
ï¼å¨å¯¦åæ¡ä¾ä¸ï¼æª¢æ¸¬ä¸¦ä¿®æ£1è2å³å¯é¿å çµå¤§å¤æ¸çWebè³å®å¨è ã
å ä¸è¿°æ¼æ´éæ¥é ææèWeb伺æå¨åå¤é¨è¨å®æé
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
æå¡å表 (Member List)
Coming up soon!