White hat
White hats adhere to three principles:
1. When an isolated security vulnerability is found in an important information system or government website, it should be reported to the relevant government department in a timely manner, and the government department should organize the responsible industry bodies and the units operating the government website to verify and remediate it.
2. For widespread security vulnerabilities in important information systems and government websites, if they really must be published, the relevant units and individuals should describe them objectively and accurately and avoid exaggerated speculation.
3. Vulnerability disclosure platforms should strengthen the management of reporters, improve the vulnerability registration system and keep records of reporters, so that potential vulnerabilities are not spread at will or used maliciously.
extended materials:
A white hat is a programmer who attacks their own system from a hacker's standpoint in order to find security vulnerabilities. They use the same destructive attack methods as hackers (generally called "black hat hackers"), but do so to maintain security: they can identify vulnerabilities in a computer system or network, but instead of exploiting them maliciously they disclose them,
so that the system can be fixed before someone else (such as a black hat) exploits the vulnerability. White hat hackers are the network security talent trained by universities and are known as "information security defenders". They are the "guardians" of the Internet world and an indispensable backbone of "Internet Plus".
source of reference:
network white hat
network white hat hacker
White Hat Talks Web Security is written from the rich experience the author accumulated over several years of practical work. Its solutions are highly practical, and it analyzes in depth various wrong solutions and misconceptions, which makes it a valuable reference for security practitioners. Its introduction to secure development processes and operations provides guidance for work across the industry.
editor's recommendation
"Security is the life of Internet companies and the most basic need of every netizen.
A white hat who hears gunfire every day shares with you how to care for that life and meet that most basic need. This is a book that smells of gunsmoke."
Wu Hanqing graduated from the gifted youth class of Xi'an Jiaotong University and began studying network attack and defense techniques in 2000. During his college years he founded "Mirage", an influential group in China's security circle.
He joined in 2005 to take charge of network security. During this period he made outstanding contributions to the company's secure development process and application security construction, and was commended by the company many times. He helped Taobao and Alipay build their application security systems, ensuring the rapid and secure development of the company's business.
Since 2009 he has been with the group's cloud computing subsidiary, responsible for cloud computing security and anti-fraud, and is the group's most valuable security expert. He has long focused on innovation and practice in security technology and has many achievements to his name. He is also one of the regional leaders of OWASP in China and has extremely rich experience in Internet security. He is happy to share: his personal blog has received more than 2 million visits. He has been active in the security community for many years and has great influence, has been invited to speak at domestic and international security conferences many times, and is one of the leading figures in China's security industry.
Contents of White Hat Talks Web Security:
Part 1 Security worldview
Chapter 1 My security worldview 2
1.1 A brief history of web security 2
1.1.1 A brief history of Chinese hackers 2
1.1.2 The development of hacking techniques 3
1.1.3 The rise of web security 5
1.2 Black hats, white hats 6
1.3 Back to basics: uncovering the essence of security
1.4 Dispelling superstition: no silver bullet 9
1.5 The three elements of security 10
1.6 How to carry out a security assessment 11
1.6.1 Asset classification 12
1.6.2 Threat analysis 13
1.6.3 Risk analysis 14
1.6.4 Designing a security scheme 15
1.7 The white hat's art of war 16
1.7.1 The Secure by Default principle 16
1.7.2 The Defense in Depth principle 18
1.7.3 The separation of data and code principle 19
1.7.4 The unpredictability principle 21
1.8 Summary 22
(Appendix) Who pays for the vulnerability? 23
Part 2 Client-side script security
Chapter 2 Browser security 26
2.1 Same-origin policy 26
2.2 Browser sandbox 30
2.3 Malicious URL interception 33
2.4 Rapidly evolving browser security 36
2.5 Summary 39
Chapter 3 Cross-site scripting (XSS) 40
3.1 Introduction to XSS 40
3.2 Advanced XSS attacks 43
3.2.1 XSS payloads 43
3.2.2 Powerful XSS payloads 46
3.2.3 XSS attack platforms 62
3.2.4 The ultimate weapon: XSS worms 64
3.2.5 Debugging JavaScript 73
3.2.6 XSS construction techniques 76
3.2.7 Turning waste into treasure: Mission Impossible 82
3.2.8 An easily overlooked corner: Flash XSS 85
3.2.9 Can we really relax? JavaScript development frameworks 87
3.3 XSS defense 89
3.3.1 Moving a great weight with a small lever: HttpOnly 89
3.3.2 Input checking 93
3.3.3 Output checking 95
3.3.4 Defending against XSS correctly 99
3.3.5 Handling rich text 102
3.3.6 Defending against DOM-based XSS 103
3.3.7 Looking at the risk of XSS from another angle 107
3.4 Summary 107
Chapter 4 Cross-Site Request Forgery (CSRF) 109
4.1 Introduction to CSRF 109
4.2 Advanced CSRF 111
4.2.1 The browser's cookie policy 111
4.2.2 Side effects of the P3P header 113
4.2.3 GET? POST? 116
4.2.4 Flash CSRF 118
4.2.5 CSRF worms 119
4.3 CSRF defense 120
4.3.1 CAPTCHAs 120
4.3.2 Referer check 120
4.3.3 Anti-CSRF tokens 121
4.4 Summary 124
Chapter 5 Clickjacking 125
5.1 What is clickjacking 125
5.2 Flash clickjacking 127
5.3 Image overlay attacks 129
5.4 Drag hijacking and data theft 131
5.5 Clickjacking 3.0: touchscreen hijacking 134
5.6 Defending against clickjacking 136
5.6.1 Frame busting 136
5.6.2 X-Frame-Options 137
5.7 Summary 138
Chapter 6 HTML5 security 139
6.1 New HTML5 tags 139
6.1.1 XSS in new tags 139
6.1.2 The iframe sandbox 140
6.1.3 Link types: noreferrer 141
6.1.4 Clever uses of canvas 141
6.2 Other security issues 144
6.2.1 Cross-Origin Resource Sharing 144
6.2.2 postMessage: cross-window messaging 146
6.2.3 Web Storage 147
6.3 Summary 150
Part 3 Server-side application security
Chapter 7 Injection attacks 152
7.1 SQL injection 152
7.1.1 Blind injection 153
7.1.2 Timing attacks 155
7.2 Database attack techniques 157
7.2.1 Common attack techniques 157
7.2.2 Command execution 158
7.2.3 Attacking stored procedures 164
7.2.4 Encoding problems 165
7.2.5 SQL column truncation 167
7.3 Defending against SQL injection correctly 170
7.3.1 Using prepared statements 171
7.3.2 Using stored procedures 172
7.3.3 Checking data types 172
7.3.4 Using safe functions 172
7.4 Other injection attacks 173
7.4.1 XML injection 173
7.4.2 Code injection 174
7.4.3 CRLF injection 176
7.5 Summary 179
Chapter 8 File upload vulnerabilities 180
8.1 Overview of file upload vulnerabilities 180
8.1.1 File upload vulnerabilities, starting from FCKeditor 181
8.1.2 Bypassing file upload checks 182
8.2 Feature or vulnerability 183
8.2.1 Apache file parsing 184
8.2.2 IIS file parsing 185
8.2.3 PHP CGI path parsing 187
8.2.4 Phishing with uploaded files 189
8.3 Designing a secure file upload function 190
8.4 Summary 191
Chapter 9 Authentication and session management 192
9.1 Who am I? 192
9.2 Passwords 193
9.3 Multi-factor authentication 195
9.4 Sessions and authentication 196
9.5 Session fixation attacks 198
9.6 Session persistence attacks 199
9.7 Single sign-on (SSO) 201
9.8 Summary 203
Chapter 10 Access control 205
10.1 What can I do? 205
10.2 Vertical privilege management 208
10.3 Horizontal privilege management 211
10.4 Introduction to OAuth 213
10.5 Summary 219
Chapter 11 Cryptographic algorithms and random numbers 220
11.1 Overview 220
11.2 Stream cipher attacks 222
11.2.1 Reused key attack 222
11.2.2 Bit-flipping attack 228
11.2.3 The weak random IV problem 230
11.3 Cracking WEP 232
11.4 The defect of ECB mode 236
11.5 Padding oracle attack 239
11.6 Key management 251
11.7 Pseudo-random number problems 253
11.7.1 Trouble with weak pseudo-random numbers 253
11.7.2 Is time really random? 256
11.7.3 Breaking the seed of a pseudo-random number generator 257
11.7.4 Using secure random numbers 265
11.8 Summary 265
(Appendix) Understanding the MD5 length extension attack 267
Chapter 12 Web framework security 280
12.1 MVC framework security 280
12.2 Template engines and XSS defense 282
12.3 Web frameworks and CSRF defense 285
12.4 HTTP headers management 287
12.5 Data persistence layers and SQL injection 288
12.6 What else can you think of? 289
12.7 Security of the web framework itself 289
12.7.1 Struts 2 command execution vulnerability 290
12.7.2 Struts 2 problem patches 291
12.7.3 Spring MVC command execution vulnerability 292
12.7.4 Django command execution vulnerability 293
12.8 Summary 294
Chapter 13 Application-layer denial of service attacks 295
13.1 Introduction to DDoS 295
13.2 Application-layer DDoS 297
13.2.1 CC attacks 297
13.2.2 Limiting request frequency 298
13.2.3 As the Way rises a foot, the devil rises ten feet 300
13.3 CAPTCHAs 301
13.4 Defending against application-layer DDoS 304
13.5 Resource exhaustion attacks 306
13.5.1 Slowloris attack 306
13.5.2 HTTP POST DoS 309
13.5.3 Server Limit DoS 310
13.6 A bloody case caused by a regular expression: ReDoS 311
13.7 Summary 315
Chapter 14 PHP security 317
14.1 File inclusion vulnerabilities 317
14.1.1 Local file inclusion 319
14.1.2 Remote file inclusion 323
14.1.3 Local file inclusion techniques 323
14.2 Variable overwrite vulnerabilities 331
14.2.1 Global variable overwrite 331
14.2.2 extract() variable overwrite 334
14.2.3 Iterating to initialize variables 334
14.2.4 import_request_variables variable overwrite 335
14.2.5 parse_str() variable overwrite 335
14.3 Code execution vulnerabilities 336
14.3.1 Executing code via "dangerous functions" 336
14.3.2 Executing code via "file write"
The white hat is the traffic police; the black hat is the public security police
The uniform of Chinese traffic police is no different from that of other police: the same uniform and the same color, only the working environment differs. From the early days of the People's Republic of China, traffic police and other police wore the same uniform, and there was no distinction at that time.
In the late 1970s, our police once changed to white uniforms. As the uniform was white, the hat was naturally white too. At that time it was hard to tell police from Navy personnel; the only difference was the badge on the hat.
You may remember that in the late 1980s the police uniform changed to army green, very close to the army uniform of the time, but still with no white hat. At that stage the various police branches still looked alike. In the early 1990s that changed: when the police changed uniforms, traffic police began to wear white hats. First of all, it is to be eye-catching, because white stands out most on the street; the traffic police belt is white for the same reason. White also reflects more heat than dark colors, so summer work is less sweltering. In fact, in most countries around the world, traffic police wear white hats, for example in Germany and Vietnam, which shows this is also a general trend.
Extended information:
Generally, ordinary police hats are black. Only traffic police hats are white, and even then it is just a white hat cover, worn to be more conspicuous and make directing traffic easier. There is no hard and fast rule: some traffic police wear it and some do not, but anyone wearing a white cap must be a traffic police officer.
The white hat is the traffic police officer in charge of traffic. The black hat is a criminal police officer; standing on the road, he does not concern himself much with traffic. His main purpose is to maintain public order, for example catching robbers fleeing in speeding cars or thieves, or checking special vehicles.
But when leaders or foreign guests visit, both black and white hats come out; the more black hats you see, the higher the level of policing. Of course, police of all three kinds are also equipped with batons, flashlights and other equipment for use from time to time.
White-hat police are traffic police and black-hat police are public security police
1. Different responsibilities
Traffic police investigate and handle road traffic violations and accidents according to law; maintain urban and rural road traffic order and road safety; carry out vehicle safety inspections, license plate issuance, and driver testing and licensing; conduct road traffic safety publicity and education; carry out road traffic management research; and participate in planning for urban construction, road traffic and safety facilities. To maintain normal traffic order and ensure smooth and safe transportation, they organize publicity of traffic regulations, manage road traffic order according to law, manage vehicles, drivers and pedestrians, educate traffic violators, and investigate and handle traffic accidents.
Public security police prevent, detect and stop crime; maintain order in public places; manage special industries; manage dangerous goods; and handle general cases of illegality. They manage public security and maintain public order in accordance with the relevant laws and regulations of the state; handle public security cases; manage prohibited articles; prevent crime; understand and grasp social security trends; prevent and handle public security disasters and accidents; conduct public security patrols; and mobilize the masses to help maintain public order.
2. Different concepts
Traffic police are the people's police who work in traffic management police brigades. They are one type of police, whose main duties are to maintain traffic order, handle traffic accidents, check and correct road traffic violations, and register and manage motor vehicles.
Public security police, in a broad sense, are the police who maintain social order and ensure public security; in a narrow sense, they are the police in charge of investigating and handling public security cases and incidents. Generally the term is used in the narrow sense.
Extended information:
Whatever kind of police they are, they belong to the people's police. They must take the Constitution and the law as the standard for their activities, be loyal to their duty, honest and clean, strictly disciplined, obey orders and enforce the law strictly. Traffic police must enforce the law impartially and must not engage in malpractice for personal gain, solicit or accept bribes, or bend the law in their decisions.
When the number is 1 or 5, it is easy for everyone to judge the color of their own hat; someone would go to the king to claim freedom on the same day, so it is not 1 or 5.
Analyzing 2, 3 and 4 then shows that when there are 2 or 4 red hats, nobody can determine the color of their own hat on the first day, but they can on the second day.
So the answer is: there are 2 or 4 red hats.
If someone is freed on the third day, there are 3.
In medieval Greece there were frequent disturbances, and whenever war broke out the townspeople took refuge in monasteries. Once, several famous chefs fled to a monastery. For safety they dressed like the monks, in black clothes and black hats. The chefs got along well with the monks and cooked for them every day. As time went on they felt they should distinguish themselves from the monks by their dress, so they changed the black hat to a white one. Because they were cooks, cooks in other monasteries followed suit, and today almost all chefs around the world wear this kind of hat.
The relevant bodies have also set standards for wearing the hat: the height of a chef's hat is specified according to the chef's skill level and length of service, so that people can tell a chef's level by looking at the hat. The higher the hat, the higher the skill.
The tallest hat chefs commonly wear is 35 cm high, which is why in France a skilled and renowned old cook is addressed as a "big hat". Later an international chefs' hat association was established, headquartered in Paris, France, the birthplace of the chef's tall hat.
According to historical records, at the end of the 18th century there was a famous senior chef named Antoine Carême in a large Paris restaurant. He was a humorous man. One day he saw a customer wearing a tall white hat, thought it very distinctive, and made himself one even taller than the customer's. He went about wearing this hat, which attracted attention and made people laugh, and soon customers came in droves.
Later, chefs in other restaurants followed suit and all wore tall white hats. Over time, wearing a tall white hat became part of the chef's dress, and the hat standards described above (height graded by skill and seniority, 35 cm at most, the "big hat" nickname, and the association headquartered in Paris) grew out of this custom.
There is another account, according to which the first chefs wore this kind of hat not for hygiene but as a sign. This is the story of the Greek monastery told above: chefs sheltering in a monastery during a war dressed like the monks in black, cooked for them every day, and later changed their black hats to white to set themselves apart, a custom that spread to other monasteries and eventually to chefs around the world.
Chefs can be distinguished by skill level from the height of the working hat they wear. The more experienced and highly skilled the chef, the taller the hat. Hats are divided into the head chef's hat, the chef's hat and the kitchen hand's hat. The number of pleats is also significant and is proportional to the height of the hat.
The head chef's hat is generally about 29.5 cm high and is worn by head chefs and executive chefs.
The chef's hat is basically the same as the head chef's hat but much lower, with fewer pleats; it is worn by ordinary chefs.
The kitchen hand's hat is low, with few pleats, and is worn by kitchen helpers.