How to Secure Your Web Site Picked up SQL Injection and Cross-Site Scripting As Sample Cases of Failure Because These Two Are the Two Most Reported Vulnerabilities

Total Page:16

File Type:pdf, Size:1020Kb

Load more

How to Secure your Website

3rd Edition

Approaches to Improve
Web Application and Web Site Security

June 2008

IT SECURITY CENTER (ISEC) INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN

This document is a translation of the original Japanese edition. Please be advises that most of the references referred in this book are offered in Japanese only. Both English and Japanese edition are available for download at:

http://www.ipa.go.jp/security/english/third.html http://www.ipa.go.jp/security/vuln/websecurity.html

(English web page) (Japanese web page)

Translated by Hiroko Okashita (IPA), June 11 2008

Contents

Contents .........................................................................................................................................1 Preface...........................................................................................................................................2
Organization of This Book...........................................................................................................3 Intended Reader .........................................................................................................................3 Fixing Vulnerabilities Fundamental Solution and Mitigation Measure - ....................................3
1. Web Application Security Implementation ...............................................................................5
1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9
SQL Injection....................................................................................................................6 OS Command Injection ..................................................................................................10 Unchecked PathName Parameter / Directory Traversal.................................................13 Improper Session Management .....................................................................................16 Cross-Site Scripting........................................................................................................22 CSRF(Cross-Site Request Forgery)...............................................................................30 HTTP Header Injection...................................................................................................34 Third Party Mail Relay....................................................................................................38 Lack of Authentication and Authorization........................................................................41
2. Approaches to Improve Web Site Security............................................................................43
2.1 2.2 2.3 2.4 2.5
Secure Web Server........................................................................................................43 Configure DNS Securely ................................................................................................45 Protect against Network Sniffing ....................................................................................46 Strengthen Password .....................................................................................................48 Mitigate Phishing Attacks ...............................................................................................50
3. Case Studies .........................................................................................................................53
3.1 3.2
SQL Injection..................................................................................................................53 Cross-Site Scripting........................................................................................................60
Postface........................................................................................................................................73 References ...................................................................................................................................74 Terminology ..................................................................................................................................76 Checklist.......................................................................................................................................77
Preface

Preface

Various web sites provide a variety of services on the Internet. According to “WHITE PAPER

Information and Communications in Japan”1, as of 2007, it is estimated that more than 87 million people use the Internet in Japan and social interaction through the web sites is expected to keep developing.

Meanwhile, the number of security incidents exploiting “security holes” (vulnerabilities) in the web sites

is also on the rise. Recently, they have become for-profit and are getting more vicious. More than one thousand web site vulnerability information has been reported2 to Information-technology Promotion

Agency (IPA) since it started receiving the reports in 2005. “SQL Injection” is one of the most popular

vulnerabilities reported and seen as a cause of personal information leakage via web sites and virus infection of web pages.

To maintain the safety of your web site, you need to take appropriate security measures on each web site component. For operating systems or software, you could refer to the security practices common to all users provided by the vendors and make sure to securely configure the settings or apply security patches. Web applications, however, tend to be uniquely customized for each web site and you need to secure each web application accordingly. If any security problems are found in a web application already in operation, it is usually difficult to fix them at the design level and you may need to settle for ad-hoc solutions. Nevertheless, remember that the best solution is try not to create security holes when developing a web

application in the first place and achieve the fundamental solution of “vulnerability-free” as much as

possible.
This book makes use of vulnerability information on the software products and web applications reported to IPA, picking up the vulnerabilities frequently called to attention or with serious impact, and suggests the fundamental solutions and mitigation measures against them. In addition, it provides some references on how to improve the security of the web sites and a few case studies to illustrate where developers may fail to secure web applications.

We hope this book will help you secure your web site.

1

WHITE PAPER Information and Communications in Japan 2007, Ministry of Internal Affairs and Communications (MIC),

http://www.johotsusintokei.soumu.go.jp/whitepaper/eng/WP2007/2007-index.html

2

Appointed by the Ministry of Economy, Trade and Industry (METI), IPA serves as a national contact to receive reports on security vulnerabilities from the vendors and the general public. For more information, please visit:

http://www.ipa.go.jp/security/vuln/report/index.html (Japanese Only)

2

Preface

Organization of This Book

This book mainly covers the computer software security flaws that IPA, as the reporting point and analyzing agency designated in the Information Security Early Warning Partnership framework, has

regarded as “vulnerability”.

This book consists of three chapters.

Chapter 1 “Web Application Security Implementation” addresses nine topics, including SQL injection,

OS command injection and cross-site scripting, and discusses threats these vulnerabilities may pose and what types of web sites might be most susceptible to them. It also provides fundamental solutions that aim to eliminate the vulnerability altogether, mainly from programming perspective, and mitigation measures that try to mitigate the damage of attacks exploiting the vulnerability, mainly from operational perspective.

Chapter 2 “Approaches to Improve Web Site Security” addresses five topics, including web server

security and anti-phishing measures, and discusses how to improve the security of the web sites mainly from operational perspective.
Chapter 3 presents two case studies of failure covering the SQL injection and the cross-site scripting vulnerability and illustrates what may happen to the vulnerable web sites, code examples, what is wrong with them and how to fix the problems.
In the appendix of this book, you will find a checklist you could use to assess the security of your web site.

Please note that each solution shown in this book is one example of many other possible solutions and we do not mean to force the use of them. We have performed the simple tests to evaluate the effectiveness of the solutions we provided in this book but we do not guarantee that they produce no side effects in your environment. Please use this book as a reference to solve the security problems and take appropriate action accordingly.

Intended Reader

The intended reader of this book is all of those who involved in web site operation, such as web application developers or server administrators, regardless of whether one is individual or organization.

Fixing Vulnerabilities – Fundamental Solution and Mitigation Measure –

The outcome and the effect of security measures differ depending on what you do and what you try to achieve. You could focus on the methods to eliminate the cause of vulnerability aiming at fundamental solution, or you could focus on the attacking methods and try to mitigate the damage of attacks. Either way, what is important is that you correctly understand the nature of the measure you have chosen to take and whether the expected result can be achieved with it.
In this book, we divided the web application security measures into two categories based on their nature:

3

Preface

“fundamental solution” and “mitigation measure”.

Fundamental Solution

Fundamental Solutions discuss the methods to “realize vulnerability-free implementation”. By

taking fundamental solutions, you could eliminate vulnerabilities and thus expect to nullify the attacks exploiting them3. For a long time the security measures for web application have tended to be add-on

feature aiming at avoiding attacks, which we categorize as “mitigation measure” below, and the

problem with this approach is that the causes of vulnerabilities still remain right there. Developers should consider security as a design feature and implement fundamental solutions as much as possible when developing web applications.

Mitigation Measure

Mitigation measures discuss the methods to “mitigate the damage of attacks”. This is different from

fundamental solutions because they do not eliminate the cause of vulnerability. For that reason, relying solely on mitigation measures cannot be recommended. If you have time or operational constraints and cannot readily implement fundamental solutions, however, mitigation measures could offer you “safety

net”. By combining them with fundamental solutions, higher security can be achieved, but it may

produce some inconvenience, such as restriction on the use of certain characters or the normal behavior of the functions. When applying mitigation measures, you should take into account those possible side effects.

IPA offers some guidelines on web application vulnerabilities and secure programming on its web site. Please refer to these documents as well as this book.

References

IPA: 知っていますか?脆弱性(ぜいじゃくせい)

http://www.ipa.go.jp/security/vuln/vuln_contents/ (Japanese Only)

IPA: セキュア・プログラミング講座 Web アプリケーション編(新版)

http://www.ipa.go.jp/security/awareness/vendor/programmingv2/web.html (Japanese Only)

3

New and unknown attacking methods may emerge and exploit the same vulnerability in a different way.

4

1.1 SQL Injection

1. Web Application Security Implementation

This chapter discusses the implementation of web application security, picking up the following nine vulnerabilities4, and shows threats each vulnerability may pose, what types of web sites might be most vulnerable, possible fundamental solutions and mitigation measures.

1) SQL Injection 2) OS Command Injection 3) Unchecked PathName Parameter / Directory Traversal 4) Improper Session Management 5) Cross-Site Scripting 6) CSRF (Cross-Site Request Forgery) 7) HTTP Header Injection 8) Third Party Mail Relay 9) Lack of Authentication and Authorization

4

The numbering of the vulnerabilities reflects their severity or impact of possible attacks but does not indicate the priority you should work on to secure your web site. The priority should be examined based on the environment and status of the web site in question.

5

1.1 SQL Injection

1.1 SQL Injection

Most of web applications that use a database build a command to operate the database based on user input. This means if the command-building process is not securely guarded, attacking and manipulating

the database would become possible. The attack exploiting this vulnerability is called “SQL Injection”.

SQL Injection

SQL injection allows an attacker to manipulate the database with maliciously-crafted requests.
Malicious Attacker
Web site

Send input that would result in building a malicious SQL command
Send the command

Deletion

Database

Falsification
Information
Leak

Web application vulnerable to SQL injection

■ Possible Threats

This vulnerability could allow malicious attackers to:

- View sensitive data stored in the database

・ Ex. Disclosure of personal information

- Falsify and/or delete data stored in the database

・ Ex. Falsification of web pages, password change, system shutdown

- Bypass login authentication5

・ All the operations permitted under the privileges of a login account become unauthorizedly possible.

- Execute OS commands using stored procedures

・ Ex. System hijacking, making the target PC a bot (launching point) to attack others

■ Web Sites That Need Special Attention

Regardless of what kind of web site it is or who operates it, special attention is needed if a web site runs web applications that interact with database6. If the web site uses the database that stores highly sensitive data, such as personal information, extreme caution is called for.

5

It will be discussed also in “1.3 Improper Session Management”.

6

Commonly used database engines are: MySQL, PostgreSQL, Oracle, Microsoft SQL Server and DB2.

6

1.1 SQL Injection

■ Reported Vulnerabilities7

SQL injection is more popular than other vulnerabilities and accounts for about 30 percents of web site-related vulnerabilities reported to IPA during from the time it started receiving the reports to the end of 2007. Software products, albeit fewer than web sites, are also vulnerable to SQL injection and have been reported to IPA as well. The following are some of those software products, which are now fixed against this vulnerability.

・ Owl SQL Injection Vulnerability

http://jvndb.jvn.jp/contents/en/2006/JVNDB-2006-000646.html

・ Acollab SQL Injection Vulnerability

http://jvndb.jvn.jp/contents/en/2006/JVNDB-2006-000631.html

・ eBASEweb SQL Injection Vulnerability

http://jvndb.jvn.jp/contents/en/2005/JVNDB-2005-000792.html

■ Fundamental Solutions

1)-1 Use the binding mechanism to build SQL statements

What does it mean?

This aims at eliminating a cause of SQL injection. Binding mechanism is a database function that provides placeholders (bind variables) which do not have an actual value to fill out an SQL statement template and are later replaced with the actual values (bind values) to complete the SQL statement. The bind values are „escaped‟ (checked and specially processed if problematic) before replacing their corresponding placeholders, which prevents a malicious attacker from building and executing an ill-intended command. Use prepared statements and you could also eliminate the vulnerability since it will result in using binding mechanism as well. Even if you cannot use prepared statements for some reason, sometimes binding mechanisms are offered as an API and available for use.

1)-2 If binding mechanism is not supported, perform escaping for everything that makes up SQL statements

What does it mean?

7

For the latest information, please refer to: http://www.ipa.go.jp/security/vuln/report/press.html (Japanese Only)

7

1.1 SQL Injection

This is a secondary solution that should be applied if binding mechanism suggested in 1)-1 is not available for use. You should perform escaping for everything that makes up SQL statements, from user input and database values to every single variable and arithmetic operation outcomes. You should escape the characters that have a special meaning to SQL statements. For example, replace

„ (single quote) with „ „ (two single quotes) and ╲ (backslash) with ╲╲ (two backslashes) .

You need to escape the SQL special characters appropriate for database engine you use since they differ for each database engine. Some database engines provide the specific APIs that offer the escape function. For example, you could use the quote() function in the DBI8 module with Perl.

2) Do not write SQL statement directly in the parameter to be passed to the web application

What does it mean?

This may sound absurd but it did happen nevertheless and we feel we should warn you not to directly write an SQL statement into the parameters, such as hidden, that are to be passed to the web application. Specifying an SQL statement in a web application parameter directly could lead to a risk of someone falsifying the value of the parameter and manipulating the database.

Mitigation Measures

3) Limit information to display in error message on the web browser

What does it mean?

This prevents giving information to users needlessly. If an error message contains the information about database engine name or SQL statements which have caused the error, then malicious users could get useful information for attacking the web site. Error massages can be used not only to give tips for attacking but also to show the result of an attack. It is recommended not to show error messages related to the database

operation on the user‟s web browser.

4) Grant minimum privileges to database accounts

What does it mean?

8

Database BI : A popular database module of Perl to access database.

8

1.1 SQL Injection

It aims at reducing the damage of SQL injection attacks. If the privileges of the database account that a web application uses to access to the database is higher than necessary, the damage the attack could inflict becomes more serious. Examine the commands the web application needs to interact with the database and give the access account the minimum privileges just enough to execute those commands.

By implementing these measures, security against SQL injection is expected to improve. For more information on SQL injection and developing web applications that use database, you could refer to the following documents as well.

References

IPA: 知っていますか?脆弱性(ぜいじゃくせい) 1. SQL インジェクション

http://www.ipa.go.jp/security/vuln/vuln_contents/sql.html (Japanese Only) http://www.ipa.go.jp/security/vuln/vuln_contents/sql_flash.html (Japanese Only)

IPA: セキュア・プログラミング講座 「より良い Web アプリケーション設計のヒント」

http://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/003.html (Japanese Only)

IPA: セキュア・プログラミング講座 「SQL 注入: #1 実装における対策」

http://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/502.html (Japanese Only)

Recommended publications
  • Learning to Program in Perl

    Learning to Program in Perl

    Learning to Program in Perl by Graham J Ellis Languages of the Web Learning to Program in Perl version 1.7 Written by Graham Ellis [email protected] Design by Lisa Ellis Well House Consultants, Ltd. 404, The Spa, Melksham, Wiltshire SN12 6QL England +44 (0) 1225 708 225 (phone) +44 (0) 1225 707 126 (fax) Find us on the World Wide Web at: http://www.wellho.net Or contact us at: [email protected] Copyright © 2003 by Well House Consultants, Ltd. Printed in Great Britain. Printing History May 1999 1.0 First Edition February 2000 1.1 Minor additions June 2000 1.2 Compliation of modules October 2000 1.3 Name change, revisions April 2002 1.4 Added modules September 2002 1.5 Added modules January 2003 1.6 Updated modules February 2003 1.7 Updated modules This manual was printed on 21 May 2003. Notice of Rights All rights reserved. No part of this manual, including interior design, may be reproduced or translated into any language in any form, or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Well House Consultants except in the case of brief quotations embodied in critical articles and reviews. For more information on getting permission for reprints and excerpts, contact Graham Ellis at Well House Consultants. This manual is subject to the condition that it shall not, by way of trade or otherwise, be lent, sold, hired out or otherwise circulated without the publisher's prior consent, incomplete nor in any form of binding or cover other than in which it is published and without a similar condition including this condition being imposed on the subsequent receiver.
  • Red Hat Enterprise Linux 8 Installing, Managing, and Removing User-Space Components

    Red Hat Enterprise Linux 8 Installing, Managing, and Removing User-Space Components

    Red Hat Enterprise Linux 8 Installing, managing, and removing user-space components An introduction to AppStream and BaseOS in Red Hat Enterprise Linux 8 Last Updated: 2021-06-25 Red Hat Enterprise Linux 8 Installing, managing, and removing user-space components An introduction to AppStream and BaseOS in Red Hat Enterprise Linux 8 Legal Notice Copyright © 2021 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
  • Perl DBI API Reference

    Perl DBI API Reference

    H Perl DBI API Reference This appendix describes the Perl DBI application programming interface. The API consists of a set of methods and attributes for communicating with database servers and accessing databases from Perl scripts. The appendix also describes MySQL-specific extensions to DBI provided by DBD::mysql, the MySQL database driver. I assume here a minimum version of DBI 1.50, although most of the material applies to earlier versions as well. DBI 1.50 requires at least Perl 5.6.0 (with 5.6.1 preferred). As of DBI 1.611, the minimum Perl version is 5.8.1. I also assume a minimum version of DBD::mysql 4.00. To determine your versions of DBI and DBD::mysql (assuming that they are installed), run this program: #!/usr/bin/perl # dbi-version.pl - display DBI and DBD::mysql versions use DBI; print "DBI::VERSION: $DBI::VERSION\n"; use DBD::mysql; print "DBD::mysql::VERSION: $DBD::mysql::VERSION\n"; If you need to install the DBI software, see Appendix A , “Software Required to Use This Book.” Some DBI methods and attributes are not discussed here, either because they do not apply to MySQL or because they are experimental methods that may change as they are developed or may even be dropped. Some MySQL-specific DBD methods are not discussed because they are obsolete. For more information about new or obsolete methods, see the DBI or DBD::mysql documentation, available at http://dbi.perl.org or by running the following commands: % perldoc DBI % perldoc DBI::FAQ % perldoc DBD::mysql The examples in this appendix are only brief code fragments.
  • Perl Variables Scalar ($) Array (@) Hash (%)

    Perl Variables Scalar ($) Array (@) Hash (%)

    Practical Extraction and Report Language « Perl is a language of getting your job done » « There is more than one way to do it » Larry Wall VI, October 2006 Page 1 Perl Outline : History Structure of a simple Perl script Perl variables scalar ($) array (@) hash (%) Operators (numeric, string & logical) Statement modifiers (if/elsif/else, for/foreach, while) VI, October 2006 Page 2 Practical Extraction and Report Language http://perl.oreilly.com " Perl is both a programming language and an application on your computer that runs those programs " VI, October 2006 Page 3 Perl history A few dates: 1969 UNIX was born at Bell Labs. 1970 Brian Kernighan suggested the name "Unix" and the operating system we know today was born. 1972 The programming language C is born at the Bell Labs (C is one of Perl's ancestors). 1973 “grep” is introduced by Ken Thompson as an external utility: Global REgular expression Print. 1976 Steven Jobs and Steven Wozniak found Apple Computer (1 April). 1977 The computer language awk is designed by Alfred V. Aho, Peter J. Weinberger, and Brian W. Kernighan (awk is one of Perl's ancestors). VI, October 2006 Page 4 Perl history 1987 Perl 1.000 is unleashed upon the world NAME perl | Practical Extraction and Report Language SYNOPSIS perl [options] filename args DESCRIPTION Perl is a interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. It's also a good language for many system management tasks. The language is intended to be practical (easy to use, efficient, complete) rather than beautiful (tiny, elegant, minimal).
  • OTRS Developer Manual Release 8.0

    OTRS Developer Manual Release 8.0

    OTRS Developer Manual Release 8.0 OTRS AG Jul 08, 2020 Contents 1 Getting Started 3 1.1 Development Environment ..................................... 3 1.1.1 Obtain the Source Code .................................. 3 1.1.2 Useful Tools ......................................... 3 1.1.3 Linking Expansion Modules ................................ 4 1.2 Architecture Overview ........................................ 4 1.2.1 Directories .......................................... 7 1.2.2 Files ............................................. 7 1.2.3 Core Modules ........................................ 7 1.2.4 Front End Handle ...................................... 8 1.2.5 Front End Modules ..................................... 8 1.2.6 CMD Front End ....................................... 8 1.2.7 Generic Interface Modules ................................. 8 1.2.8 Scheduler Task Handler Modules ............................. 9 1.2.9 Database .......................................... 10 2 OTRS Internals - How it Works 11 2.1 Config Mechanism .......................................... 11 2.1.1 Defaults.pm: OTRS Default Configuration ...................... 11 2.1.2 Automatically Generated Configuration Files ....................... 11 2.1.3 XML Configuration Files .................................. 11 2.1.4 Accessing Config Options at Runtime .......................... 20 2.2 Database Mechanism ........................................ 21 2.2.1 SQL ............................................. 21 2.2.2 XML ............................................
  • The Perl Review

    The Perl Review

    The Perl Review Volume 0 Issue 6 November 1, 2002 Like this issue? Support The Perl Review with a donation! http://www.ThePerlReview.com/ Letters i Community News ii Short Notes iii Simple RSS with Perl 1 brian d foy Delightful Languages: Ruby 7 Mike Stok Who’s Doing What? Analyzing Ethernet LAN Traffic 18 Paul Barry Book Reviews 24 Staff Like this issue? Support The Perl Review with a donation! http://www.ThePerlReview.com/ Web Access http://www.ThePerlReview.com/ Email [email protected] Publisher brian d foy Editor Andy Lester Technical Editors Kurt Starsinic, Adam Turoff Copy Editors Beth Linker, Glenn Maciag, Chris Nandor Contributors David H. Adler, Paul Barry, Neil Bauman, brian d foy, Andy Lester, Mike Stok, Betsy Waliszewski The Perl Review print $_ $_[0] for @$self;. We incorrectly used Letters $_[1] and apologize for the confusion. Send your letters, comments, and suggestions to [email protected] Write for TPR TPR Subscriptions Have something to say about Perl? The Perl Re- view wants first person accounts about using Perl. If I’d like to subscribe to The Perl Review. However, you cannot write a complete article you can write a I prefer not to use PayPal. If you tell me where to “Short Note”. Want to tell everyone about a book send a check or cash, I’d be happy to do so. you have read? Write a book review! Were you at a Perl function? Give us a trip report! – Gregor Dodson We would like to get articles or “Short Notes” on brian writes: A lot of people have said something similar, and at the moment we do not have a better way to take money.
  • Tiketöintijärjestelmän Käyttöönotto

    Tiketöintijärjestelmän Käyttöönotto

    TIKETÖINTIJÄRJESTELMÄN KÄYTTÖÖNOTTO LAHDEN AMMATTIKORKEAKOULU Tekniikan ala Tietotekniikka Tietoliikennetekniikka Opinnäytetyö Kevät 2013 Janne Nummela Lahden ammattikorkeakoulu Tietotekniikan koulutusohjelma NUMMELA, JANNE: Tiketöintijärjestelmän käyttöönotto Tietoliikennetekniikan opinnäytetyö, 41 sivua Kevät 2013 TIIVISTELMÄ Tämän opinnäytetyön tavoitteena oli kartoittaa, valita ja asentaa avoimeen lähdekoodiin perustuva palvelupyyntöjen kirjausjärjestelmä eli tiketöintipalvelu. Tämän lisäksi työssä alustettiin ITIL-viitekehyksen käyttöönottoa yrityksessä. Työn toimeksiantajana oli LahtiNetwork Oy, joka on lahtelainen ict-palveluja tarjoava yritys. Työssä pyrittiin ottamaan huomioon LahtiNetworkin tarpeet ohjelmiston suhteen. Aikaisemmin yrityksen käytössä ei ollut tiketöintijärjestelmää, joten tulleita palvelupyyntöjä ei kirjattu järjestelmällisesti. Tiketöintijärjestelmä mahdollistaa palvelupyyntöjen järjestelmällisen kirjaamisen ja hallinnan. Tiketöintijärjestelmä tarjoaa palvelupyyntöjen vastaanotto-, kirjaus-, hallinta- ja muokkauspalvelut. Tiketöintijärjestelmä koostuu palvelimesta ja siihen asennettavasta ohjelmistosta. Ohjelmistot jakautuvat ilmaisiin avoimen lähdekoodin ohjelmiin ja maksullisiin ohjelmistoihin. Ohjelmia löytyy markkinoilta lukuisia aina pienestä pelkästään tiketöintiin perustuvasta ohjelmasta isoon koko help desk -prosessin käsittävään ohjelmaan. Yhteistä kaikilla ohjelmilla on kuitenkin se, että ydinajatus on tallentaa ja seurata järjestelmään tullutta palvelupyyntöä. Palvelupyyntö voi olla virheilmoitus,
  • The Bugzilla Guide

    The Bugzilla Guide

    The Bugzilla Guide Matthew P. Barnson [email protected] This is the documentation for Bugzilla, the Mozilla bug−tracking system. The Bugzilla Guide Table of Contents Chapter 1. About This Guide.............................................................................................................................1 1.1. Purpose and Scope of this Guide......................................................................................................1 1.2. Copyright Information......................................................................................................................1 1.3. Disclaimer.........................................................................................................................................2 1.4. New Versions....................................................................................................................................2 1.5. Credits...............................................................................................................................................2 1.6. Contributors......................................................................................................................................3 1.7. Feedback...........................................................................................................................................3 1.8. Translations.......................................................................................................................................3 1.9. Document Conventions.....................................................................................................................3
  • Perl Baseless Myths & Startling Realities

    Perl Baseless Myths & Startling Realities

    http://xkcd.com/224/ Perl Baseless Myths & Startling Realities by Tim Bunce, July 2008 Prefer ‘Good Developers’ over ‘Good Languages’ “For all program aspects investigated, the performance variability that derives from differences among programmers of the same language—as described by the bad-to-good ratios—is on average as large or larger than the variability found among the different languages.” — An empirical comparison of C, C++, Java, Perl, Python, Rexx, and Tcl. IEEE Computer Journal October 2000 Who am I? - Tim Bunce - Author of the Perl DBI module - Using Perl since 1991 - Involved in the development of Perl 5 - “Pumpkin” for 5.4.x maintenance releases - http://blog.timbunce.org ~ Myths ~ ~ Myths ~ - Perl is dead - Perl is hard to read / test / maintain - Perl 6 is killing Perl 5 ~ Myths ~ - Perl is dead - Perl is hard to read / test / maintain - Perl 6 is killing Perl 5 Perl 5 - Perl 5 isn’t the new kid on the block - Perl is 21 years old - Perl 5 is 14 years old - A mature language with a mature culture Buzz != Jobs - Perl5 hasn’t been generating buzz recently - It’s just getting on with the job - Lots of jobs - - just not all in web development Guess the Languages “web developer” Yes, Perl is growing more slowly than others but these are just “web developer” jobs “software engineer” Perl is mentioned in many more software engineer/developer jobs. “foo developer” Perl is the primary focus of more developer jobs. Want a fun new job? Become a Perl developer! Massive Module Market - Large and vibrant developer community - Over 15,000 distributions (58,000 modules) - Over 6,700 ‘authors’ (who make releases) - One quarter of all CPAN distributions have been updated in the last 4 months! - Half of all updated in the last 17 months! Top Modules -Many gems, including..
  • Learning Perl. 5Th Edition [PDF]

    Learning Perl. 5Th Edition [PDF]

    Learning Perl ,perlroadmap.24755 Page ii Tuesday, June 17, 2008 8:15 AM Other Perl resources from O’Reilly Related titles Advanced Perl Programming Perl Debugger Pocket Intermediate Perl Reference Mastering Perl Perl in a Nutshell Perl 6 and Parrot Essentials Perl Testing: A Developer’s Perl Best Practices Notebook Perl Cookbook Practical mod-perl Perl Books perl.oreilly.com is a complete catalog of O’Reilly’s books on Perl Resource Center and related technologies, including sample chapters and code examples. Perl.com is the central web site for the Perl community. It is the perfect starting place for finding out everything there is to know about Perl. Conferences O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in document- ing the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events. Safari Bookshelf (safari.oreilly.com) is the premier online refer- ence library for programmers and ITprofessionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or sim- ply flip to the page you need. Try it today with a free trial. main.title Page iii Monday, May 19, 2008 11:21 AM FIFTH EDITION LearningTomcat Perl™ The Definitive Guide Randal L. Schwartz,Jason Tom Brittain Phoenix, and and Ian brian F. Darwin d foy Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo Learning Perl, Fifth Edition by Randal L.
  • Ch 13: Attacking Users: Other Techniques (Part 2) Other Client-Side Injection Attacks HTTP Header Injection

    Ch 13: Attacking Users: Other Techniques (Part 2) Other Client-Side Injection Attacks HTTP Header Injection

    CNIT 129S: Securing Web Applications Ch 13: Attacking Users: Other Techniques (Part 2) Other Client-Side Injection Attacks HTTP Header Injection • User-controlled data in an HTTP header • Most commonly the Location and Set-Cookie headers Injecting Another Header Exploiting Header Injection • See if %0d and %0a return decoded as carriage- return and line-feed • If only one works, you may still be able to exploit it • If they are blocked or sanitized, try these bypasses Injecting Cookies • Cookies may persist across browser sessions Delivering Other Attacks • HTTP header injection allows an attacker to control the entire body of a response • Can deliver almost any attack • Virtual website defacement • Script injection • Redirection HTTP Response Splitting • Inject a second complete page into the headers • Must inject carriage returns and line feeds • Fixed in modern servers (link Ch 13d) Poisoning the Cache on a Proxy Server Preventing Header Injection • Don't insert user-controllable input into headers • If you must, use • Input validation (context-dependent) • Output validation: block all ASCII characters below 0x20 Cookie Injection • Attacker sets or modifies a cookie in the victim user's browser • This may be possible if: • App has functionality that takes a name and value from parameters and sets those within a cookie, such as "Save user preferences" • HTTP header injection vulnerability Cookie Injection • Setting a malicious cookie via XSS • XSS in related domains can be leveraged to set a cookie on the targeted domain, from any of
  • Alibaba Cloud Alibaba Cloud CDN

    Alibaba Cloud Alibaba Cloud CDN

    Alibaba Cloud Alibaba Cloud CDN Domain Management Issue: 20190815 Alibaba Cloud CDN Domain Management / Legal disclaimer Legal disclaimer Alibaba Cloud reminds you to carefully read and fully understand the terms and conditions of this legal disclaimer before you read or use this document. If you have read or used this document, it shall be deemed as your total acceptance of this legal disclaimer. 1. You shall download and obtain this document from the Alibaba Cloud website or other Alibaba Cloud-authorized channels, and use this document for your own legal business activities only. The content of this document is considered confidential information of Alibaba Cloud. You shall strictly abide by the confidentiality obligations. No part of this document shall be disclosed or provided to any third party for use without the prior written consent of Alibaba Cloud. 2. No part of this document shall be excerpted, translated, reproduced, transmitted, or disseminated by any organization, company, or individual in any form or by any means without the prior written consent of Alibaba Cloud. 3. The content of this document may be changed due to product version upgrades , adjustments, or other reasons. Alibaba Cloud reserves the right to modify the content of this document without notice and the updated versions of this document will be occasionally released through Alibaba Cloud-authorized channels. You shall pay attention to the version changes of this document as they occur and download and obtain the most up-to-date version of this document from Alibaba Cloud-authorized channels. 4. This document serves only as a reference guide for your use of Alibaba Cloud products and services.