A6 - Sensitive Data Exposure
Base64 Encoding (Secret)
low
Capture the request and find secret=QW55IGJ1Z3M%2F
URL-decode it first (%2F becomes /), then base64-decode it: QW55IGJ1Z3M/ decodes to "Any bugs?"
medium & high
if($row)
{
    $secret = $row->secret;
    if($_COOKIE["security_level"] == "1" or $_COOKIE["security_level"] == "2")
    {
        // medium / high: the secret is hashed, not encoded
        $secret = sha1($secret);
    }
    else
    {
        // low: the secret is only base64-encoded, which is reversible
        $secret = base64_encode($secret);
    }
}
Both medium and high run the secret through sha1(). That is a one-way hash, not encryption: unlike the low level's base64 it cannot be decoded back, only compared against guesses (a wordlist or a precomputed table).
BEAST/CRIME/BREACH Attacks
Uh... still doesn't work.
Clear Text HTTP (Credentials)
User credentials are transmitted in clear text.
switch($_COOKIE["security_level"])
{
case "0" :
$url = $_SERVER["SCRIPT_NAME"];
break;
case "1" :
$message = "A certificate must be configured to fully function!";
$url = "https://" . $_SERVER["HTTP_HOST"] . $_SERVER["SCRIPT_NAME"];
break;
case "2" :
$message = "A certificate must be configured to fully function!";
$url = "https://" . $_SERVER["HTTP_HOST"] . $_SERVER["SCRIPT_NAME"];
break;
default :
$url = $_SERVER["SCRIPT_NAME"];
break;
}
At low the login form posts over plain http, so the username and password cross the wire in clear text and are readable in a capture. At medium and high the script redirects to https:// on the same HTTP_HOST, so the credentials are only protected if a certificate is actually configured on the server (hence the "A certificate must be configured" message).
Heartbleed Vulnerability
This level still doesn't work...
Host Header Attack (Reset Poisoning)
Capture the request and take a look.
The way to pass a host of your choosing is the X-Forwarded-Host header.
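To make the poisoning concrete, here is an added example (not bWAPP's code and not from the original write-up) that mimics a reset-mail handler which builds the password-reset link from the request headers, beside a hardened version that pins the host. The request headers, the canonical host name bwapp.local and the path reset_password.php are constructed assumptions for the example; the vulnerable function honours X-Forwarded-Host first, as the note above describes, and falls back to Host.

```python
import re
from urllib.parse import quote

# Constructed request (not a real capture): the attacker keeps Host valid so
# any front-end check passes, and smuggles the poisoned host in X-Forwarded-Host.
ATTACKER_REQUEST = {
    "Host": "bwapp.local",
    "X-Forwarded-Host": "evil.example",
}

# Assumed: the host the application is really served on, taken from config,
# never from the request.
CANONICAL_HOST = "bwapp.local"
RESET_PATH = "/reset_password.php"  # assumed path, not from the page

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def vulnerable_reset_link(headers, token):
    """Builds the link the way a poisonable server does: from client-controlled
    headers. The token ends up in a URL pointing at the attacker's host, so the
    victim's click leaks the reset token to that host."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return "http://%s%s?token=%s" % (host, RESET_PATH, quote(token))


def hardened_reset_link(headers, token):
    """Ignores X-Forwarded-Host entirely, validates Host against the configured
    canonical host, and always emits the canonical https origin."""
    host = headers.get("Host", "")
    if not _HOST_RE.match(host) or host.lower() != CANONICAL_HOST:
        raise ValueError("unexpected Host header: %r" % host)
    return "https://%s%s?token=%s" % (CANONICAL_HOST, RESET_PATH, quote(token))


def link_host(link):
    """Helper for checking outgoing mail: which host does a reset link point at?"""
    return re.match(r"https?://([^/]+)/", link).group(1)


if __name__ == "__main__":
    token = "d41d8cd98f00b204e9800998ecf8427e"  # constructed token value
    print("vulnerable:", vulnerable_reset_link(ATTACKER_REQUEST, token))
    print("hardened:  ", hardened_reset_link(ATTACKER_REQUEST, token))
    try:
        hardened_reset_link({"Host": "evil.example"}, token)
    except ValueError as e:
        print("rejected:  ", e)
```

The detection angle follows from link_host(): a reset mail whose link host is not the canonical one is the signature of this attack, whether the poison arrived via Host or via a forwarded-host header the upstream proxy failed to strip.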
HTML5 Web Storage (Secret)
Reference: a more experienced author's blog post on HTML5 Web Storage.
POODLE Vulnerability
Doesn't work...
SSL 2.0 Deprecated Protocol
...
Text Files (Accounts)
switch($_COOKIE["security_level"])
{
case "0" :
$line = "'" . $username . "', '" . $password . "'" . "\r\n";
break;
case "1" :
$username = xss_check_3($username);
$password = sha1($password, false);
$line = "'" . $username . "', '" . $password . "'" . "\r\n";
break;
case "2" :
$username = xss_check_3($username);
$salt = md5(uniqid());
// $password = sha1($salt . $password, false);
//$password = hash("sha512", $salt . $password, false);
$password = hash("sha256", $salt . $password, false);
$line = "'" . $username . "', '" . $password . "', 'salt:" . $salt . "'" . "\r\n";
break;
default :
$line = "'" . $username . "', '" . $password . "'" . "\r\n";
break;
}
Low writes the username and password to the text file in clear text. Medium hashes the password with unsalted SHA-1, so one precomputed table cracks every account at once. High generates a per-account salt with md5(uniqid()) and stores sha256(salt . password) next to the salt, which defeats table reuse but not per-account brute force: uniqid() is time-based rather than cryptographically random, and SHA-256 is a fast hash, so password_hash() (bcrypt) would be the proper fix.
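The difference between the three storage formats is easiest to see by cracking them. The following is an added Python example, not part of bWAPP or of the original write-up: it reproduces the three line formats from the PHP above, parses them back, and runs a wordlist against each, then shows a slow salted KDF (scrypt from hashlib) as the alternative. The wordlist, usernames and fixed salt are constructed for the example; uuid1() stands in for PHP's time-based uniqid().

```python
import hashlib
import secrets
import uuid

# Constructed wordlist (not from the page).
WORDLIST = ["123456", "password", "bug", "letmein"]


def line_low(username, password):
    # security_level 0: clear text
    return "'%s', '%s'\r\n" % (username, password)


def line_medium(username, password):
    # security_level 1: sha1($password) with no salt
    return "'%s', '%s'\r\n" % (username, hashlib.sha1(password.encode()).hexdigest())


def line_high(username, password, salt=None):
    # security_level 2: $salt = md5(uniqid()); hash("sha256", $salt . $password)
    # uuid1() is time-based like uniqid(), so the salt is unique but predictable.
    if salt is None:
        salt = hashlib.md5(uuid.uuid1().hex.encode()).hexdigest()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "'%s', '%s', 'salt:%s'\r\n" % (username, digest, salt)


def parse_line(line):
    """Returns (username, stored_value, salt_or_None) for any of the three formats."""
    fields = [f.strip()[1:-1] for f in line.strip().split(", ")]
    username, stored = fields[0], fields[1]
    salt = fields[2][len("salt:"):] if len(fields) > 2 else None
    return username, stored, salt


def crack_unsalted_sha1(digest, wordlist):
    # One table, computed once, serves every medium-level account.
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(digest)


def crack_salted_sha256(digest, salt, wordlist):
    # No table reuse: every account costs a fresh pass over the wordlist,
    # but each guess is still a single fast SHA-256.
    for w in wordlist:
        if hashlib.sha256((salt + w).encode()).hexdigest() == digest:
            return w
    return None


# What the file should hold instead: a random salt and a memory-hard KDF.
_SCRYPT = dict(n=2 ** 14, r=8, p=1)


def store_scrypt(password):
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return salt.hex() + "$" + key.hex()


def verify_scrypt(stored, password):
    salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **_SCRYPT)
    return secrets.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    for line in (line_low("bee", "bug"), line_medium("bee", "bug"), line_high("bee", "bug")):
        user, stored, salt = parse_line(line)
        if salt is None and len(stored) == 40:
            print(user, "medium ->", crack_unsalted_sha1(stored, WORDLIST))
        elif salt is not None:
            print(user, "high   ->", crack_salted_sha256(stored, salt, WORDLIST))
        else:
            print(user, "low    ->", stored)
    rec = store_scrypt("bug")
    print("scrypt verify:", verify_scrypt(rec, "bug"), verify_scrypt(rec, "bugs"))
```

Both the medium and high rows fall to a four-word list in microseconds; the salt only stops the attacker from amortising that work across accounts. The scrypt record costs the attacker the same memory-hard computation per guess that it costs the server per login, which is the property the bWAPP high level is missing.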