About cookies

3 Item(s)

  • Security of Xiaonei's cookie records and web-side information storage

    10 year(s) ago

    Example of the structure of Xiaonei's cookie information:
    __utmc=123456789;
    __utmb=123456789;
    __utma=123456789.0123456789.0123456789.0123456789.0123456789.123;
    __utmz=123456789.0123456789.345.134.utmccn=(referral)|utmcsr=lays.xiaonei.com|utmcct=/login.do|utmcmd=referral;
    
    syshomeforreg=1;
    _de=6CC10727F59CA26D17FDD995416F3B708ED172744450A225; <- decode string (used for verification?)
    
    mop_uniq_ckid=124.77.153.201_1221308781_2768917078; <- IP address plus other identifier strings
    id=123456789;  <- id identifier
    xnusername=%E6%AF%9B%E5%8A%9F%E7%BC%98; <- username
    notifyTips228066793=1;  <- whether notification tips are enabled
    sta1=1;  <- whether encrypted sta1 is enabled?
    xiaonei_stage=30;  <- Xiaonei level?
    xiaonei_guide_uid=123456789;  <- Xiaonei referrer id?
    gdNtcInf=0;  <- unknown
    guide270517944=0; <- unknown
    STAT_MOP_ID=123456789-1234-2;  <- statistics MOP info id; could it be Mop (猫扑)? unknown. The structure is probably id_univid_differentiator
    XNESSESSIONID=306a7267de9a;  <- Xiaonei session id (I changed the value...)
    depovince=SH;  <- province/city
    userid=123456789; <- user id
    univid=2001; <- inviter id?
    gender=0;  <- gender; so far confirmed 0 is female, 1 is male
    univyear=2004; <- user registration date
    hostid=123456789; <- host id
    xn_app_histo_123456789=2-3-4-6-7-23163; <- record of Xiaonei apps
    societyguester=6f4e2ec3994c6382b92be01dde1cbfb53; <- some string, still unknown
    kl=9975609c7defb68d588a6f324fe6e2f6_228066793; <- probably a key. If I'm not mistaken, the structure may follow the hash-plus-salt principle.
    
    WebOnLineNotice_228066793=1; <- web online notice
    
    The parts marked in bold are the ones that matter for security.
    
    When we do web security, to guard against cross-site attacks we should protect the encrypted information as well as we can, so that even if the attacker obtains it they cannot immediately turn it into a result. We recommend that what is recorded in cookies go through a second pass of your own processing logic rather than storing the information directly.
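
The following is an added example, not code from the original post or from Xiaonei: it parses a Cookie header with the shape shown above, flags the cookies whose values expose user attributes in the clear (ids, username, gender, region, an embedded IP address), and shows one form of the "second pass of your own processing" the post recommends, namely replacing those plaintext attributes with an opaque server-side reference protected by an HMAC. The sample header, the `IDENTITY_NAMES` list and all function names are my assumptions; the cookie values in the sample are constructed (fake ids, a documentation-range IP, the username "用户").

```python
# Added example, not code from the original post: parse a Cookie header of the
# shape shown above, flag cookies whose values expose user attributes in the
# clear, and show one form of the "second-pass processing" the post recommends,
# an opaque server-side reference protected by an HMAC. Names and values in the
# sample header are constructed to mirror the post's dump; none are real.
import hashlib
import hmac
import re
import secrets
import urllib.parse

# Constructed sample header (fake ids, a documentation-range IP, username "用户").
SAMPLE_COOKIE_HEADER = (
    "__utmc=123456789; syshomeforreg=1; "
    "mop_uniq_ckid=192.0.2.10_1221308781_2768917078; "
    "id=123456789; xnusername=%E7%94%A8%E6%88%B7; "
    "XNESSESSIONID=306a7267de9a; depovince=SH; userid=123456789; "
    "gender=0; univyear=2004; kl=9975609c7defb68d588a6f324fe6e2f6_228066793"
)

# Cookie names that, in the dump above, carry a user attribute directly
# (assumed list, derived from the post's annotations).
IDENTITY_NAMES = {"id", "userid", "hostid", "xnusername", "gender",
                  "depovince", "univyear", "univid", "xiaonei_guide_uid"}
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def parse_cookie_header(header):
    """Split a Cookie request header into a name -> raw value dict.

    Values stay percent-encoded; the caller decides when to decode them.
    Browsers send later duplicates after earlier ones, so the last one wins.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def find_plaintext_identity(cookies):
    """Return the cookies whose decoded value reveals who the user is.

    Two heuristics: a name from IDENTITY_NAMES, or an embedded IPv4 address.
    Opaque tokens such as the session id or `kl` are not flagged.
    """
    exposed = {}
    for name, value in cookies.items():
        decoded = urllib.parse.unquote(value)
        if name in IDENTITY_NAMES or IPV4_RE.search(decoded):
            exposed[name] = decoded
    return exposed


def issue_opaque_cookie(attributes, server_key, store):
    """Keep the attributes server-side and return an opaque, signed cookie.

    The browser only ever sees `token.tag`; the tag is an HMAC over the token,
    so a forged or altered token is rejected before any lookup happens.
    """
    token = secrets.token_hex(16)
    tag = hmac.new(server_key, token.encode(), hashlib.sha256).hexdigest()
    store[token] = dict(attributes)
    return f"{token}.{tag}"


def resolve_opaque_cookie(cookie_value, server_key, store):
    """Return the stored attributes for a valid cookie, or None."""
    token, _, tag = cookie_value.partition(".")
    expected = hmac.new(server_key, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged: constant-time compare, no lookup
    return store.get(token)  # None when the session is unknown or expired


if __name__ == "__main__":
    parsed = parse_cookie_header(SAMPLE_COOKIE_HEADER)
    exposed = find_plaintext_identity(parsed)
    print("plaintext identity cookies:", sorted(exposed))
    key = secrets.token_bytes(32)  # per-deployment secret, kept server-side
    store = {}
    cookie = issue_opaque_cookie(exposed, key, store)
    print("replacement cookie:", cookie)
    print("resolves to:", resolve_opaque_cookie(cookie, key, store))
```

With the opaque cookie, a stolen header no longer tells the attacker the user's id, name, gender or region, and a guessed or edited token fails the HMAC check before the server consults its session store. The server-side `store` is a plain dict here; in a deployment it would be the session backend with an expiry.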
    

  • Domestic network security teams welcome Phantom's release of the latest WebZine, issue 3

    10 year(s) ago

    This issue has a great deal to say about XSS. As e-commerce and other business systems keep converging online, and shopping carts, SNS and CMS keep blending into one another, security is becoming an ever bigger problem. The back-end security issue Magento disclosed last time was also XSS used to capture the admin login account, so cross-site attacks on websites are becoming an increasingly dangerous attack method.
    
    Details:
    
    2009.5.5 - WebZine [0x03]
    [0x01] Introduction
    [0x02] Interview with wordexp
    [0x03] Analysis and implementation of advanced Linux kernel inline hook techniques
    [0x04] Bypassing XSS character-count limits to execute arbitrary JS code
    [0x05] Browser hijacking via window-reference vulnerabilities and XSS
    [0x06] Advanced PHP code audit techniques
    [0x07] Web application security design philosophy
    URL: http://www.ph4nt0m.org-a.googlepages.com/pstzine_0x03

  • PHP bug #53632: how to verify it

    8 year(s) ago

    Run the following from the command line to test whether the bug is present.
    This bug causes the server's FPU to hang (x87 CPUs).
    
    <?php
    /*
      +----------------------------------------------------------------------+
      | PHP Version 5                                                        |
      +----------------------------------------------------------------------+
      | Copyright (c) 2011 The PHP Group                                     |
      +----------------------------------------------------------------------+
      | This source file is subject to version 3.01 of the PHP license,      |
      | that is bundled with this package in the file LICENSE, and is        |
      | available through the world-wide-web at the following url:           |
      | http://www.php.net/license/3_01.txt                                  |
      | If you did not receive a copy of the PHP license and are unable to   |
      | obtain it through the world-wide-web, please send a note to          |
      | license@php.net so we can mail you a copy immediately.               |
      +----------------------------------------------------------------------+
      | Author: Johannes Schlueter <johannes@php.net>                        |
      +----------------------------------------------------------------------+
    */
    
    if (PHP_SAPI != 'cli') {
        die("Please run this test from CLI!\n");
    }
    
    ini_set('display_errors', 1);
    ini_set('output_buffering', 0);
    error_reporting(-1);
    if (!ini_get('safe_mode')) {
        set_time_limit(1);
    }
    
    echo "Testing float behaviour. If this script hangs or terminates with an error ".
         "message due to maximum execution time limit being reached, you should ".
         "update your PHP installation asap!\n";
    echo "For more information refer to <http://bugs.php.net/53632>.\n";
    $d = (double)"2.2250738585072011e-308";
    echo "Your system seems to be safe.\n";
    ?>
    
