OWASP TOP 10
Small notes
Originally
I wanted to boldly extend the SSR topic
did some homework
opened a branch named feature/hydration to give it a try
but it was harder than I imagined
and I found that Open Graph actually doesn't need this much effort
Injection
SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
-- starts a SQL comment, so everything after it (the password check) is ignored
Injection point: /login
Mitigations: ORM / regex input validation
Register / login flow (slide diagram, flattened):
- Register: account: Jay chou, password: QAQ
- Client: form over http -> https (TLS/SSL), posted to /register or /login
- Application Server: bcrypt.hash(password, 10) -> DataBase
- Server: JWT token
- Server: account: Jay chou, password: Q0ASD88AQ; bcrypt.compare(pwd, _pwd) -> Success Page
- /verify (Application Server, querystring):
  - check JWT
  - insert info into DataBase
XSS
stored/reflected/DOM
    // url is a parsed URL object (e.g. from new URL(...)), so url.protocol is the scheme
    function isSafe(url) {
      // only one known-bad scheme is rejected; every other scheme is allowed through
      if (url.protocol === 'javascript:') return false;
      return true;
    }
blacklist (not recommended)
    function isSafe(url) {
      // only the schemes we actually want to render are allowed; everything else is rejected
      if (url.protocol === 'http:') return true;
      if (url.protocol === 'https:') return true;
      return false;
    }
whitelist (recommended)
Input Validation
Output Encoding
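The whitelist check and the output-encoding step above, put together as an added example (not code from the slides): the link is parsed with the WHATWG URL parser, relative links are resolved against an assumed base, and unparsable or non-http(s) links are rendered as plain text. The names isSafeHref, isSafeBlacklist, encodeAttr and renderLink are my own.

```javascript
// Added example, not from the original slides. The base URL is an assumption
// used only to resolve relative links such as "/login".
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const BASE = "https://example.com/";

// Whitelist: true only when href parses to an http(s) URL.
// The parser trims surrounding whitespace and lowercases the scheme, so the
// comparison is made on the parsed protocol, never on the raw string.
function isSafeHref(href, base = BASE) {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return false; // unparsable input is not a link we want to render
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Blacklist from the slides, kept for comparison: it knows one bad scheme,
// so any other non-http scheme (ftp:, mailto:, ...) is still accepted.
function isSafeBlacklist(href, base = BASE) {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return false;
  }
  return url.protocol !== "javascript:";
}

// Output encoding for an HTML attribute or text node: & < > " ' are escaped.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Render an <a> only for whitelisted links; otherwise fall back to plain text.
function renderLink(href, text) {
  const label = encodeAttr(text);
  if (!isSafeHref(href)) return `<span>${label}</span>`;
  const normalized = new URL(href, BASE).href;
  return `<a href="${encodeAttr(normalized)}">${label}</a>`;
}
```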
File Upload
OTHER
- .gitignore (DB connection info / secret keys)
- store the token in memory, not in localStorage
- Never trust data from the browser
OWASP TOP 10
By Jay Chou