OWASP (Open Web Application Security Project) Top 10.
Attacks: 4
- XSS: Cross-Site Scripting, injecting client-side scripts into web pages viewed by other users.
- CSRF: Cross-Site Request Forgery, forces an authenticated user to submit a request to a web application.
- Injection attacks:
  - SQL injection (executes administrative operations on the database)
  - Command injection (the attacker's malicious input is mistaken for operating-system instructions)
- Dangerous file uploads: users attach malicious files.
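The following is an added example (not part of these notes) that puts the vulnerable form of two of the attacks above next to the hardened form, plus the token check that blocks CSRF: raw user input inserted into HTML versus HTML-escaped output, a string-formatted SQL query versus a parameterized one, and a constant-time comparison of a per-session CSRF token. The comment text, table rows and token values are constructed sample data.

```python
import html
import hmac
import sqlite3

# Constructed sample input: a script tag typed into a comment box
CONSTRUCTED_COMMENT = '<script>alert(1)</script>'


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: user input is concatenated into the page, so a <script> tag runs
    # in every other user's browser (stored XSS)
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Hardened: HTML-encode the input so the browser renders it as text, not markup
    return f"<p>{html.escape(comment, quote=True)}</p>"


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory table with two sample users
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the value is pasted into the SQL text, so a quote in `name`
    # changes the WHERE clause instead of being compared as data
    rows = conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return sorted(r[0] for r in rows)


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: a bound parameter is always treated as a value, never as SQL
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return sorted(r[0] for r in rows)


def csrf_token_valid(session_token: str, submitted_token: str) -> bool:
    # A form is accepted only if it carries the secret token stored in the
    # user's session; a cross-site page cannot read that token, so a forged
    # request fails here. compare_digest avoids timing side channels.
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    print(render_comment_unsafe(CONSTRUCTED_COMMENT))
    print(render_comment_safe(CONSTRUCTED_COMMENT))
    db = setup_db()
    print(find_user_unsafe(db, "x' OR '1'='1"))   # both users leak
    print(find_user_safe(db, "x' OR '1'='1"))     # no match
    print(csrf_token_valid("tok123", "tok123"), csrf_token_valid("tok123", "other"))
```

The two `find_user_*` functions run the same lookup; only the safe one keeps the user-supplied string out of the query grammar, which is the whole defence against SQL injection.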
APT (Advanced Persistent Threat): invade, lurk, steal.
Leaks: 4
- Developer leaks a private URL
- Developer leaks URL parameters
- Developer leaks backend structure (AI)
- User leaks an access token
Not encrypted: 2
- Data not encrypted at rest (in storage)
- Data not encrypted in transit over the Internet
Symmetric encryption algorithms (DES/Triple DES, AES)
Both the transmitter and the receiver use the same key for encryption and decryption.
The shared key is easy for a man-in-the-middle to intercept and copy.
Asymmetric encryption algorithms (RSA)
Encrypt with the public key and decrypt with the private key, or vice versa.
Public key and private key: the public key can be widely released and circulated; the private key stays with its owner.
How do you confirm that the message was really sent by the sender?
Digital signature (hash with MD5 or SHA-1)
Use your own private key to sign the hash of the encrypted message.
MD5 cannot prevent collision attacks.
SHA-2 (e.g. SHA-256) is the collision-resistant replacement.
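As an added worked example (not from these notes), the block below walks through the three ideas above in runnable form: a toy stream cipher where one key both encrypts and decrypts, textbook RSA with assumed small primes (p=61, q=53, e=17, chosen only so the arithmetic is readable; real RSA uses 2048-bit moduli and padding), and hash-then-sign, where the sender signs a SHA-256 digest with the private key and anyone holding the public key can verify it. The message and key bytes are constructed sample values.

```python
import hashlib

# Assumed toy RSA parameters (illustration only, far too small for real use)
P, Q = 61, 53
N = P * Q                 # modulus, 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent
D = pow(E, -1, PHI)       # private exponent, 2753 (pow with -1 needs Python 3.8+)


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: keystream = SHA-256(key || counter), XORed into the data.
    # The same call encrypts and decrypts, which is what makes it symmetric:
    # whoever holds `key` can do both, so the key itself must never leak.
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def rsa_apply(x: int, exponent: int, modulus: int = N) -> int:
    # One RSA operation: x^exponent mod N. Public exponent encrypts or verifies,
    # private exponent decrypts or signs.
    return pow(x, exponent, modulus)


def encrypt_for_receiver(msg_int: int, public_key: int = E) -> int:
    # Anyone can encrypt with the receiver's public key
    return rsa_apply(msg_int, public_key)


def decrypt_by_receiver(cipher_int: int, private_key: int = D) -> int:
    # Only the holder of the private key can recover the message
    return rsa_apply(cipher_int, private_key)


def digest_int(message: bytes) -> int:
    # Hash the message with SHA-256 (from the SHA-2 family) and reduce mod N so it
    # fits the toy modulus; real signatures sign a padded full-length digest
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % N


def sign(message: bytes, private_key: int = D) -> int:
    # Sender signs the hash of the message with its own private key
    return rsa_apply(digest_int(message), private_key)


def verify(message: bytes, signature: int, public_key: int = E) -> bool:
    # Receiver applies the sender's public key; the result must equal the hash of
    # the message it received. A changed message or forged signature fails here.
    return rsa_apply(signature, public_key) == digest_int(message)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    plaintext = b"transfer 100 to alice"
    ct = symmetric_xor(key, plaintext)
    print("symmetric round trip:", symmetric_xor(key, ct) == plaintext)

    c = encrypt_for_receiver(65)
    print("rsa encrypt/decrypt:", c, decrypt_by_receiver(c))   # 2790, 65

    sig = sign(plaintext)
    print("genuine signature verifies:", verify(plaintext, sig))
    print("altered signature verifies:", verify(plaintext, (sig + 1) % N))
```

The verify step answers the question above: because only the sender holds `D`, a signature that checks out under the sender's public key `E` could only have been produced by the sender, and because the signature covers the hash, any later change to the message breaks the check.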