CSS EDITOR
Posted on | May 29, 2010 | No Comments
In web development you may use a full-featured IDE or source-code editor, but a dedicated CSS editor can offer specialised functions and features that help you write CSS faster and better. Read more
Notes
Posted on | May 26, 2010 | No Comments
My ZTE interview journey is finally over. The written test came only after the first, second and third interviews. Looking out over a sea of black student IDs, me, a mere undergraduate. Hmm...
There weren't as many data-structure questions as I expected; it was mostly scattered bits of knowledge, with loads of telecom-major questions I couldn't do at all. I thought they would test trees and graphs, but it turned out to be string search and string loops. Ugh. Thinking back afterwards, I realised I had still left a few things out.
Apparently the blow wasn't hard enough to make me focus fully on postgraduate-exam prep. I need to do more good deeds lately to build up RP. Hand me an offer and I'll be at ease.
Index-based SQL statement optimisation
Posted on | May 24, 2010 | No Comments
An old article.
Read more
PAC-MAN+30th+Anniversary
Posted on | May 22, 2010 | 1 Comment
Microsoft All-In-One Code Framework: April summary
Posted on | May 18, 2010 | No Comments
Author: Jialiang, published 2010-05-18 13:21. Original link
Microsoft All-In-One Code Framework (http://1code.codeplex.com/ ): April summary Read more
19-WordPress-SQL
Posted on | May 14, 2010 | 1 Comment
Original: http://paranimage.com/19-wordpress-sql-hacks/
Important:
Before running any of these SQL statements, be sure to back up your WordPress database.
1. Delete all unused tags Read more
9-PHP-SKILLS
Posted on | May 14, 2010 | No Comments
Here are nine very useful PHP features. Have you used them yet? Read more
More reliable than any self-help book [repost]
Posted on | May 12, 2010 | 2 Comments
Running Apache + PHP + MySQL on Mac OS X
Posted on | May 10, 2010 | No Comments
Running Apache + PHP + MySQL on Mac OS X Read more
CRLF Injection
Posted on | May 4, 2010 | No Comments
CRLF Injection attacks and HTTP Response Splitting
The CRLF Injection attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. Attackers actively exploit this web application vulnerability to perform a large variety of attacks, including cross-site scripting (XSS), cross-user defacement, poisoning of the client's web cache, hijacking of web pages, defacement and a myriad of related attacks. A number of years ago, several CRLF injection vulnerabilities were also discovered in Google's AdWords web interface.
Sounds scary to you? You bet. Are you vulnerable? Quite possibly, and this is why.
CRLF Injection Mechanism
CRLF (Carriage Return and Line Feed, bytes 0x0D 0x0A) is a very significant sequence of characters for programmers. In many Internet protocols, including, but not limited to, MIME (e-mail), NNTP (newsgroups) and, more importantly, HTTP, each header line is terminated by CRLF, and an empty line (CRLF CRLF) marks the end of the header block and the start of the body. When programmers write code for web applications, they split headers wherever a CRLF is found. If a malicious user is able to inject his own CRLF sequence into an HTTP stream, for example through a value that the application copies into a Location or Set-Cookie header, he can insert headers of his own choosing, terminate the header block early and control the rest of the response.
A simple CRLF Injection example
Suppose you run a vulnerable website that has a member section. An attacker sends an email to one of your members containing a CRLF-crafted link. This link appears to be legitimate; after all, it points to your own website. The link might look something like the one below (the CR and LF bytes are URL-encoded as %0d%0a so that they survive inside a URL):
http://www.yoursite.com/somepage.php?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3EHacker Content%3C/html%3E
When the victim clicks on the link he will be served with the following HTML page:
<html>Hacker Content</html>
This attack appears merely to show the words "Hacker Content" on the victim's machine; the danger is that YOUR server generated this HTML, so effectively the attacker has injected HTML into the victim's browser via YOUR web server. Ouch. Note that the example is simplified: the injected content is emitted as part of the original response rather than as a cleanly separated second response. More sophisticated variations of this example can lead to poisoning of the client's web cache, cookie manipulation, XSS, temporary or permanent defacement of web pages and even information theft.
Example insight
If you look closely at the malicious URL you will notice several occurrences of the pattern %0d%0a. This is the URL-encoded form of CRLF, and it is the reason why this technique is called a CRLF Injection attack.
Known countermeasures
The only effective countermeasure is to make sure that no user-controlled value reaches a response header with CR or LF characters still in it: reject or strip those characters (and their URL-encoded forms, once decoded) before building any Location, Set-Cookie or similar header, and prefer a framework or server that refuses header values containing them. Redirect handlers are the most common sink, and finding them is not a trivial task; most web applications are littered with server-side redirects, so the location of these vulnerabilities is not always clear and it is very easy to miss some. Testing every redirect by hand can take hundreds of man-hours, which is why an automated tool such as a web vulnerability scanner is commonly used to find such vulnerabilities.
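The following is an added example, not code from the original article or from Acunetix, that illustrates both the mechanism above and the countermeasure. It models a hypothetical redirect handler for somepage.php?page=... that copies the decoded query value into a Location header, a hardened version of the same handler, and a minimal response parser that shows how a naive client or proxy splits the resulting byte stream into two responses. The payload is constructed for this example: unlike the article's URL, it terminates the first response with Content-Length: 0 so that the injected second response starts on a clean boundary. The host name www.yoursite.com and all function names are assumptions.

```python
from urllib.parse import unquote

# Constructed attacker payload (URL-encoded, as it would appear in the link).
# It closes the 302 response early, then supplies a complete second response.
PAYLOAD = (
    "%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a"
    "Content-Length:%2027%0d%0a%0d%0a"
    "%3Chtml%3EHacker%20Content%3C/html%3E"
)


class CRLFInjection(ValueError):
    """Raised by the hardened handler when a redirect target carries CR or LF."""


def _redirect_bytes(page: str) -> bytes:
    # Raw HTTP/1.1 redirect as the hypothetical server would write it to the socket.
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: http://www.yoursite.com/{page}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def vulnerable_redirect(page_param: str) -> bytes:
    """Decodes the 'page' query value and copies it straight into Location.
    Any %0d%0a in the value becomes a real CRLF inside the header block."""
    return _redirect_bytes(unquote(page_param))


def safe_redirect(page_param: str) -> bytes:
    """Same handler, but refuses any decoded value containing CR or LF."""
    page = unquote(page_param)
    if "\r" in page or "\n" in page:
        raise CRLFInjection("CR/LF in redirect target")
    return _redirect_bytes(page)


def rejects(page_param: str) -> bool:
    """True if the hardened handler refuses this query value."""
    try:
        safe_redirect(page_param)
    except CRLFInjection:
        return True
    return False


def parse_responses(raw: bytes) -> list:
    """Splits a byte stream into HTTP responses the way a naive client or
    proxy would: status line, headers up to the blank line, then a body of
    Content-Length bytes (0 if the header is absent). Stops at the first
    chunk that does not start with a status line."""
    responses = []
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = raw[pos:end].decode("latin-1").split("\r\n")
        status = head[0]
        if not status.startswith("HTTP/"):
            break  # trailing bytes that are not a response
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = raw[body_start:body_start + length].decode("latin-1")
        responses.append({"status": status, "headers": headers, "body": body})
        pos = body_start + length
    return responses


if __name__ == "__main__":
    for r in parse_responses(vulnerable_redirect(PAYLOAD)):
        print(r["status"], r["headers"], repr(r["body"]))
    print("hardened handler rejects payload:", rejects(PAYLOAD))
```

Run as a script, the vulnerable handler yields two responses: the empty 302 the server intended, followed by a 200 whose body is the attacker's HTML, even though the server only ever meant to send a redirect. The hardened handler raises instead. Rejecting the value is preferable to silently stripping CR/LF, since stripping can leave a different but still attacker-shaped URL behind, and real applications should apply the same check to every user-influenced header, not only Location.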
Check if your website is vulnerable to CRLF injection
Acunetix Web Vulnerability Scanner ensures website security by automatically checking for CRLF Injection, SQL injection, Cross site scripting attacks and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist. Take a product tour or download the evaluation version today!
Scanning for XSS vulnerabilities with Acunetix WVS Free Edition!
To check whether your website has cross site scripting vulnerabilities, download the Free Edition from here. This version will scan any website / web application for XSS vulnerabilities and it will also reveal all the essential information related to it, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending on the size of the web-site).
