Drupal top 10 security risk checks
2017-07-03 13:58
1. SQL Injection
Vulnerable pattern: the id comes straight from the URL and is concatenated into the SQL string.
index.php?id=12
mysql_query("UPDATE mytable SET value = '". $value ."' WHERE id = ". $_GET['id']);
Recommended: use the database API with named placeholders, so the values are bound as parameters and are never parsed as SQL.
db_query("UPDATE {mytable} SET value = :value WHERE id = :id", array(':value' => $value, ':id' => $id));
Placeholders cover an ordinary equals comparison. A LIKE pattern still needs db_like() to escape % and _, and a table name (which cannot be a placeholder) needs db_escape_table().
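An added example (not code from the original post or from Drupal itself) of the three cases above in one Drupal 7 module function: a placeholder for the equals comparison, db_like() for a LIKE pattern, db_escape_table() for a table name, plus an array placeholder for an IN list. The module name mymodule, the table mymodule_item and its columns are assumptions made for the illustration.

```php
<?php
/**
 * Added example: parameterised queries in Drupal 7. The module name
 * "mymodule", the table "mymodule_item" and its columns id/title are
 * assumptions made for this illustration.
 */

/**
 * Look up items by id, by a free-text term, and by a list of ids.
 *
 * @param int $id
 *   Raw value from the URL, e.g. $_GET['id'].
 * @param string $term
 *   Free text typed by a user; may contain % _ ' or anything else.
 * @param array $ids
 *   List of ids, e.g. from a multi-select.
 * @param string $table
 *   Table name chosen by code, not by the user; still passed through
 *   db_escape_table() because a table name cannot be a placeholder.
 */
function mymodule_find_items($id, $term, array $ids, $table = 'mymodule_item') {
  // Equality: the value is bound as a parameter, so a quote or a
  // "1 OR 1=1" in $id is compared as data, never parsed as SQL.
  $by_id = db_query('SELECT id, title FROM {' . db_escape_table($table) . '} WHERE id = :id',
    array(':id' => $id))->fetchAllKeyed();

  // LIKE: a placeholder stops injection, but % and _ inside $term would still
  // act as wildcards ("%" alone matches every row). db_like() escapes them so
  // the term is matched literally; the wildcards we want are added around it.
  $by_term = db_select($table, 'i')
    ->fields('i', array('id', 'title'))
    ->condition('i.title', '%' . db_like($term) . '%', 'LIKE')
    ->execute()
    ->fetchAllKeyed();

  // IN list: an array bound to one placeholder is expanded by the database
  // layer into the right number of parameters. An empty list would produce
  // "IN ()", which is a syntax error, so it is short-circuited.
  $by_ids = array();
  if (!empty($ids)) {
    $by_ids = db_query('SELECT id, title FROM {' . db_escape_table($table) . '} WHERE id IN (:ids)',
      array(':ids' => $ids))->fetchAllKeyed();
  }

  return array('by_id' => $by_id, 'by_term' => $by_term, 'by_ids' => $by_ids);
}
```

The {table} braces are still needed with db_query() so the table prefix is applied; db_escape_table() only strips characters that are not legal in an identifier, it does not quote, which is why the name must come from code and not from the request.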
2. Cross Site Scripting (XSS)
An article title can itself be <script>alert('abc');</script>, which is dangerous if it is printed as-is.
On output, wrap the value in check_plain():
Unescaped, the title renders as <h1 id="page-title" class="title"> <script>alert('abc');</script> </h1> and the script runs. The string '<script>alert('abc');</script>' is stored verbatim in the node and field_data_comment tables; that is fine, the defect is only in the output.
User-supplied JS code must never make it into the page.
Use placeholders in functions like t() or format_plural(): @var is escaped with check_plain(), %var is escaped and wrapped in <em>, and !var is inserted raw, which is insecure with untrusted input:
t('%name has a blog at <a href="@url">@url</a>', array('@url' => drupal_strip_dangerous_protocols($user->profile_blog), '%name' => $user->name)); // valid_url() only returns TRUE/FALSE, so it cannot supply the URL; strip dangerous protocols and let @url escape the result
Use Drupal.t() and Drupal.formatPlural() in JavaScript, which escape @ and % placeholders the same way.
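An added example (not code from the original post or from Drupal) of the escaping choices above in a Drupal 7 render function: check_plain() for plain text, filter_xss() for text that may carry limited HTML, and the three t() placeholder kinds. The function name mymodule_node_header and the fields $node->summary and $account->profile_blog are assumptions for the illustration.

```php
<?php
/**
 * Added example: escaping user-controlled text before it reaches the page
 * in Drupal 7. The function name and the fields $node->summary and
 * $account->profile_blog are assumptions made for this illustration.
 */

/**
 * Build a render array for a node header.
 *
 * A title stored as "<script>alert('abc');</script>" is valid data in the
 * node table; the bug is only in printing it unescaped.
 */
function mymodule_node_header($node, $account) {
  $build = array();

  // Plain text that must never be interpreted as HTML: check_plain() turns
  // < > & " ' into entities, so the script tag is displayed, not executed.
  $build['title'] = array(
    '#markup' => '<h1 id="page-title" class="title">' . check_plain($node->title) . '</h1>',
  );

  // Text that is allowed to carry limited HTML (a teaser, say): filter_xss()
  // keeps only the listed tags and strips event handlers and javascript: URLs.
  $build['summary'] = array(
    '#markup' => '<p>' . filter_xss($node->summary, array('a', 'em', 'strong')) . '</p>',
  );

  // t() placeholders: @ escapes with check_plain(), % escapes and wraps in
  // <em class="placeholder">, ! inserts the value raw. The URL is first
  // stripped of dangerous protocols (javascript:, data:, ...) and then
  // escaped by @url, so it is safe inside the href attribute.
  $build['byline'] = array(
    '#markup' => t('%name has a blog at <a href="@url">@url</a>', array(
      '%name' => $account->name,
      '@url' => drupal_strip_dangerous_protocols($account->profile_blog),
    )),
  );

  return $build;
}
```

The rule of thumb the block follows: escape at output, choose the function by what the text is allowed to contain (none, limited HTML, trusted HTML), and never use the ! placeholder for anything a user typed.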
3. Authentication and sessions
Drupal handles this well, so there is less to worry about here:
the session ID is regenerated when the user's privilege level changes (for example on login).
4. Insecure direct object references
index.php?id=12
db_query("SELECT * FROM {node} WHERE nid = :id", array(':id' => $_GET['id'] ));
The query above is injection-safe but still wrong: it returns whatever nid the visitor types, with no check that they are allowed to see it. Build it with db_select() and add the tag instead: $select->addTag('node_access');
One common issue is forgetting to add "published = Yes" to a View's filters. Don't forget it.
Wherever access can be configured, think about it and set it.
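An added example (not code from the original post or from Drupal) of the two ways to close the hole above in Drupal 7: the node_access query tag for a listing, and an explicit node_access() check on the loaded object for a single item. The function names and the path mymodule/item/12 are assumptions for the illustration.

```php
<?php
/**
 * Added example: applying the node access system to a listing and to a
 * single object in Drupal 7, as an alternative to the raw db_query() above.
 * Function names and the path mymodule/item/12 are assumptions.
 */

/**
 * Titles of the newest nodes the current user is allowed to view.
 *
 * The 'node_access' tag makes the node module alter the query and add the
 * access-grant conditions for the current user, so rows the user may not see
 * are never returned. Without the tag every nid in the table comes back.
 */
function mymodule_visible_titles($limit = 10) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    // Equivalent of the "published = Yes" filter in a View. When no node
    // access module is enabled the tag alone does not exclude unpublished
    // nodes, so the status condition stays.
    ->condition('n.status', 1)
    ->orderBy('n.created', 'DESC')
    ->range(0, $limit);
  $query->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}

/**
 * Page callback for a single object, e.g. the path mymodule/item/12.
 *
 * The id from the URL is bound as a placeholder inside node_load(); the
 * access decision is then made on the loaded object, not on the id.
 */
function mymodule_item_page($nid) {
  $node = node_load($nid);
  if (!$node || !node_access('view', $node)) {
    // One answer for "does not exist" and "not yours", so the id space
    // cannot be walked to discover hidden content.
    return MENU_NOT_FOUND;
  }
  return node_view($node);
}
```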
5. Cross Site Request Forgery (CSRF)
A snippet planted on another site contains a URL pointing at yours; when a logged-in user loads a page containing that URL, or clicks a link, the browser sends a request forged on their behalf, and that request has an effect the user never intended.
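An added example (not code from the original post or from Drupal) of the standard Drupal 7 defence for the case the paragraph describes: a state-changing link carrying a token from drupal_get_token() that the page callback checks with drupal_valid_token(). Form API forms already carry such a token automatically; plain GET links do not. The path mymodule/item/%/disable (registered in hook_menu() with 'page arguments' => array(2)), the table mymodule_item and the function names are assumptions for the illustration.

```php
<?php
/**
 * Added example: a CSRF token on a state-changing GET link in Drupal 7.
 * The path mymodule/item/%/disable (registered in hook_menu() with
 * 'page arguments' => array(2)), the table mymodule_item and the function
 * names are assumptions made for this illustration.
 */

/**
 * Build the "Disable" link shown to a privileged user.
 *
 * drupal_get_token() derives the token from the session id, the site's
 * private key and hash salt, and the value passed in, so a token copied
 * from one user's page is worthless in anyone else's session.
 */
function mymodule_item_disable_link($id) {
  return l(t('Disable'), 'mymodule/item/' . $id . '/disable', array(
    'query' => array('token' => drupal_get_token('mymodule-disable-' . $id)),
  ));
}

/**
 * Page callback for mymodule/item/%/disable.
 *
 * A request forged from another site (an <img src="..."> or an auto-submitted
 * form pointing at this path) carries the victim's session cookie but cannot
 * carry a valid token, so it is refused before anything is changed.
 */
function mymodule_item_disable($id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'mymodule-disable-' . $id)) {
    return MENU_ACCESS_DENIED;
  }
  db_update('mymodule_item')
    ->fields(array('status' => 0))
    ->condition('id', $id)
    ->execute();
  drupal_set_message(t('Item %id disabled.', array('%id' => $id)));
  drupal_goto('mymodule/items');
}
```

The token is bound to the specific id, so a valid token for item 12 cannot be replayed against item 13; the menu item still needs its own access arguments, since the token proves intent, not permission.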
6. Security misconfiguration
Security weaknesses in the server and system software.
The security_review module checks for common misconfigurations.
Be careful with the site's user permission settings, especially the "administer ..." permissions.
The Update module is genuinely useful: check it regularly for security updates.
7. Insecure cryptographic storage
Drupal 7 already stores passwords as salted, iterated hashes; you can also deliberately raise the bar further (stronger password requirements, a higher hash iteration count).
8. Failure to restrict URL access
Drupal approach:
The menu system uses an access callback and access arguments on each item.
Continually review permissions.
If you forget to define them, the item falls back to defaults or inherits from its parent, which can leave it open to everyone; that is dangerous, so set access explicitly on every item.
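An added example (not code from the original post or from Drupal) of a Drupal 7 hook_menu() where every item states its access decision: a permission check via the default user_access() callback, a per-object check with node_access() on a loaded node, and an item that is deliberately public. The paths, the permission 'administer mymodule' and the callback names are assumptions for the illustration.

```php
<?php
/**
 * Added example: hook_menu() items with explicit access control in Drupal 7.
 * The paths, the permission 'administer mymodule' and the page callbacks are
 * assumptions made for this illustration.
 */

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items = array();

  // Permission-based: with no 'access callback' Drupal uses user_access(),
  // so the arguments are the permission string checked for the current user.
  $items['admin/config/mymodule'] = array(
    'title' => 'My module settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_settings_form'),
    'access arguments' => array('administer mymodule'),
  );

  // Object-based: %node loads the node from path position 2 (node_load(12)
  // for mymodule/preview/12) and node_access('view', $node) decides per
  // object, so guessing an nid is not enough to reach the page.
  $items['mymodule/preview/%node'] = array(
    'title' => 'Preview',
    'page callback' => 'mymodule_preview_page',
    'page arguments' => array(2),
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
  );

  // Deliberately public: say so explicitly instead of relying on defaults or
  // inheritance, so a reviewer can see that the decision was made on purpose.
  $items['mymodule/public'] = array(
    'title' => 'Public page',
    'page callback' => 'mymodule_public_page',
    'access callback' => TRUE,
  );

  return $items;
}

/**
 * Implements hook_permission().
 *
 * Declares the permission so it can be granted to roles and shows up on
 * admin/people/permissions for the periodic review. 'restrict access' marks
 * it as a permission with security implications in that UI.
 */
function mymodule_permission() {
  return array(
    'administer mymodule' => array(
      'title' => t('Administer My module'),
      'restrict access' => TRUE,
    ),
  );
}
```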
9. Insufficient transport protection
Use SSL/TLS wherever possible.
10. Unvalidated redirects
Look for uses of drupal_goto() and Form API redirects (#redirect in Drupal 6, $form_state['redirect'] in Drupal 7) in your modules and check that the target is validated.
Whenever code redirects somewhere, pay attention to where the target comes from.
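An added example (not code from the original post or from Drupal) of validating a user-supplied redirect target before drupal_goto() in Drupal 7: absolute and protocol-relative URLs are rejected, and the remaining path must be a real route the current user may access. The query parameter return_to, the function name and the fallback are assumptions for the illustration.

```php
<?php
/**
 * Added example: validating a user-supplied redirect target before
 * drupal_goto() in Drupal 7. The query parameter "return_to", the function
 * name and the fallback path are assumptions made for this illustration.
 */

/**
 * Redirect back to where the user came from, but only within this site.
 *
 * Passing ?return_to=http://evil.example/ straight to drupal_goto() turns the
 * site into an open redirector that phishing mail can hide behind. Only a
 * relative path that resolves to a route the current user may access is
 * accepted; anything else goes to the fallback.
 */
function mymodule_redirect_back($fallback = '<front>') {
  $target = isset($_GET['return_to']) ? $_GET['return_to'] : '';

  // Absolute URLs with a scheme (http://, javascript:, ...) are caught by
  // url_is_external(). A protocol-relative "//evil.example" has no colon and
  // so is rejected separately, as is a backslash, which some browsers treat
  // as a slash.
  $unsafe = $target === ''
    || url_is_external($target)
    || strpos($target, '//') === 0
    || strpos($target, '\\') !== FALSE;

  if (!$unsafe) {
    $parsed = drupal_parse_url($target);
    // Require a real, accessible path on this site. Query and fragment are
    // passed to url() separately rather than left inside the path string.
    if (drupal_valid_path($parsed['path'])) {
      drupal_goto($parsed['path'], array(
        'query' => $parsed['query'],
        'fragment' => $parsed['fragment'],
      ));
    }
  }
  drupal_goto($fallback);
}
```

drupal_goto() ends the request, so the fallback line is reached only when the target was rejected. The same check applies to a value placed in $form_state['redirect'] from a hidden form field.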
http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks