
debugeeker's column

Only original and translated technical articles.

  • Blog (33)
  • Favorites
  • Follow

[Original] The base64 pitfall

A pitfall in base64 padding allows data validation to be bypassed, and with it the system's blacklist check. Background: out of the blue, a tester came to me and said that tampering with the value of a certain object ID bypasses the system's blacklist check! I did not believe it at all, because the generation of that object ID involves a random factor, and its verification also includes a hash check; as soon as verification fails, the request is rejected immediately. He sent me the object ID, which looked like this: NWE3MGQzMTBhYWYyODUxZTFlN2QwOWY2OWFmOGE5ZjMtMmUzOGIxZWNlZTVkNDUzNjkyYTg2NDAxYTVhZjk0MzUwMDAyLUx3QTF1OGpXW.

2021-03-30 00:22:39 190

[Original] CISSP Exam Guide Notes: 8.7 Secure Coding

Secure coding is the process of developing software that is free from defects, particularly those that could be exploited by an adversary to cause us harm or loss. Source Code Vulnerabilities: The Open Web Application Security Project (OWASP) is an organi...

2021-03-30 00:19:52 156

[Original] CISSP Exam Guide Notes: 8.9 Distributed Computing

A distributed object computing model needs to register the client and server components, which means to find out where they live on the network, what their names or IDs are, and what type of functionality the different components carry out. Distributed Com..

2021-03-30 00:19:32 104

[Original] CISSP Exam Guide Notes: 8.8 Programming Languages and Concepts

Machine language is in a format that the computer's processor can understand and work with directly. An assembly language is considered a low-level programming language and is the symbolic representation of machine-level instructions. Third-generation pr...

2021-03-30 00:18:45 194

[Original] CISSP Exam Guide Notes: 8.6 Security of Development Environments

There are three major elements we should stress when it comes to security of development environments: the development platforms, the code repositories, and the software configurations. Security of Development Platforms: The first step in ensuring the sec

2021-03-30 00:16:43 181

[Original] CISSP Exam Guide Notes: 8.4 Capability Maturity Model

Capability Maturity Model Integration (CMMI) is a comprehensive, integrated set of guidelines for developing products and software. CMMI describes procedures, principles, and practices that underlie software development process maturity. The five maturit.

2021-03-30 00:15:51 289

[Original] CISSP Exam Guide Notes: 8.5 Change Control

Change management is a systematic approach to deliberately regulating the changing nature of projects, including software development projects. Change Control: Change control is the process of controlling the specific changes that take place during the li..

2021-03-30 00:15:18 298

[Original] CISSP Exam Guide Notes: 8.3 Software Development Models

Waterfall Methodology: The Waterfall methodology uses a linear-sequential life-cycle approach. Each phase must be completed in its entirety before the next phase can begin. At the end of each phase, a review takes place to make sure the project is on the co

2021-03-30 00:13:29 127

[Original] CISSP Exam Guide Notes: 8.2 Software Development Life Cycle

There have been several software development life cycle (SDLC) models developed over the years; the crux of each model deals with the following phases: requirements gathering, design, development, testing, operations and maintenance. Pr

2021-03-30 00:12:40 201

[Original] CISSP Exam Guide Notes: 8.1 Building Good Code

Quality can be defined as fitness for purpose. Code reviews and interface testing are key elements in ensuring software quality. Software controls come in various flavors and have many different goals. They can control input, encryption, logic process..

2021-03-30 00:11:53 159

[Original] The Last Line of Defense: Analysis of ByteDance's HIDS

AgentSmith HIDS is a HIDS open-sourced by ByteDance. It performs intrusion detection through a kernel driver, can detect all kinds of rootkits/bootkits, and has the advantages of being real-time, high-performance and transparent to users. Because it is kernel-based, it only supports 2.6.32+ kernels, and rootkit detection is only supported on 3.10.0+ kernels. Also, because it monitors kernel function calls, events and messages, it does not provide baselines for things like software management, user management, system management or network management. Although the overall code is currently only about 2,500 lines, it implements a great many features. Thanks to pointers from the author Will, and after working through the 5.12.0 kernel code once more, I only barely understood these detections.

2021-03-17 11:42:39 1875 1

[Original] CISSP Exam Guide Notes: 7.14 Quick Tips

Facilities that house systems that process sensitive information should have physical access controls to limit access to authorized personnel only. Clipping levels should be implemented to establish a baseline of user activity and acceptable errors...

2021-03-17 00:28:12 218

[Original] CISSP Exam Guide Notes: 7.13 Personnel Safety Concerns

The single most valuable asset for an organization, and the one that involves the highest moral and ethical standards, is its people. Emergency Management: A common tool for ensuring the safety of personnel during emergencies is the occupant emergency pla

2021-03-14 16:21:41 181

[Original] CISSP Exam Guide Notes: 7.12 Implementing Disaster Recovery

Recovering from a disaster begins way before the event occurs. It starts by anticipating threats and developing goals that support the business's continuity of operations. A goal must contain certain key information, such as the following: Responsibili

2021-03-14 16:20:53 183

[Original] CISSP Exam Guide Notes: 7.11 Insurance

The BCP team should work with management to understand what the current coverage is, the various insurance options, and the limits of each option. The goal here is to make sure the insurance coverage fills in the gap of what the current preventive counterm

2021-03-12 23:40:47 141

[Original] CISSP Exam Guide Notes: 7.10 Liability and Its Ramifications

In the context of security, due care means that a company did all it could have reasonably done, under the circumstances, to prevent security breaches, and also took reasonable steps to ensure that if a security breach did take place, proper controls or co..

2021-03-12 00:24:12 151

[Original] CISSP Exam Guide Notes: 7.9 Disaster Recovery

The recovery time objective (RTO) is the maximum time period within which a business process must be restored to a designated service level after a disaster to avoid unacceptable consequences associated with a break in business continuity. The work recove...

2021-03-12 00:23:27 215

[Original] CISSP Exam Guide Notes: 7.8 Investigations

When a potential computer crime takes place, it is critical that the investigation steps are carried out properly to ensure that the evidence will be admissible to the court if things go that far and that it can stand up under the cross-examination and scr

2021-03-12 00:22:38 144

[Original] CISSP Exam Guide Notes: 7.7 The Incident Management Process

There are many incident management models, but all share some basic characteristics. They all require that we identify the event, analyze it to determine the appropriate counteractions, correct the problem(s), and, finally, keep the event from happening ag

2021-03-12 00:21:58 309

[Original] The Last Line of Defense: osquery Features and Implementation

The host-monitoring features of the open-source HIDS osquery and the principles behind their implementation. osquery code link: osquery. osquery table structure: table structure. This article was written after installing it, starting from the tables shown in osqueryi and then studying the code to find out how they are implemented. Device baseline: establish a baseline of the devices the system uses, so that faulty devices can be discovered; intended for IDC server rooms. Shortcoming: these features are meant for traditional server rooms and do not apply in the cloud era. Feature / implementation principle: ACPI devices: reads the /sys/firmware/acpi/tables directory. Block devices: reads device information by calling the udev library API (device...

2021-03-07 23:15:14 841

[Original] CISSP Exam Guide Notes: 7.6 Preventive and Detective Measures

The steps of this generalized process are described here: understand the risk; use the right controls; use the controls correctly; manage your configuration; assess your operation. Continuous Monitoring: NIST Special Publication 80

2021-03-07 23:13:35 257

[Original] CISSP Exam Guide Notes: 7.5 Network and Resource Availability

Another key component of security operations is planning for and dealing with the inevitable failures of the component parts of our information systems. The network needs to be properly maintained to make sure the network and its resources will always be

2021-03-07 01:08:50 99

[Original] CISSP Exam Guide Notes: 7.4 Secure Resource Provisioning

Provisioning is the set of all activities required to provide one or more new information services to a user or group of users. At the heart of provisioning is the imperative to provide these services in a secure manner. Asset Inventory: The most essenti

2021-03-06 00:09:54 181

[Original] CISSP Exam Guide Notes: 7.3 Physical Security

As with any other defensive technique, physical security should be implemented using a layered approach. It is also important to have a diversity of controls. This defense model should work in two main modes: one mode during normal facility operations and

2021-03-06 00:07:52 138

[Original] CISSP Exam Guide Notes: 7.2 Administrative Management

Administrative management is a very important piece of operational security. One aspect of administrative management is dealing with personnel issues. This includes separation of duties and job rotation. The objective of separation of duties is to ensure t

2021-03-06 00:06:50 143

[Original] CISSP Exam Guide Notes: 7.1 The Role of the Operations Department

The continual effort to make sure the correct policies, procedures, standards, and guidelines are in place and being followed is an important piece of the due care and due diligence efforts that companies need to perform. Security operations is all abou.

2021-03-06 00:06:04 158

[Original] CISSP Exam Guide Notes: 6.6 Quick Tips

An audit is a systematic assessment of the security controls of an information system. Setting a clear set of goals is probably the most important step of planning a security audit. Internal audits benefit from the auditors’ familiarity with th..

2021-03-06 00:05:23 297

[Original] CISSP Exam Guide Notes: 6.5 Management Review

A management review is a formal meeting of senior organizational leaders to determine whether the management systems are effectively accomplishing their goals. While management reviews have been around for a very long time, the modern use of the term is p

2021-03-06 00:04:34 240

[Original] CISSP Exam Guide Notes: 6.4 Reporting

Analyzing Results: Only after analyzing the results can you provide insights and recommendations that will be valuable to senior decision-makers. First you gather all your data, organize it, and study it carefully. The second step in your analysis is to

2021-03-06 00:03:19 146

[Original] CISSP Exam Guide Notes: 6.3 Auditing Administrative Controls

Account Management: A preferred technique of attackers is to become "normal" privileged users of the systems they compromise as soon as possible. They can accomplish this in at least three ways: compromise an existing privileged account, create a new privi

2021-03-06 00:02:25 195

[Original] CISSP Exam Guide Notes: 6.2 Auditing Technical Controls

A technical control is a security control implemented through the use of an IT asset. Vulnerability Testing: Vulnerability testing requires staff and/or consultants with a deep security background and the highest level of trustworthiness. The goals of th..

2021-03-06 00:01:15 228

[Original] CISSP Exam Guide Notes: 6.1 Assessment, Test, and Audit Strategies

A test is a procedure that records some set of properties or behaviors in a system being tested and compares them against predetermined standards. An assessment is a series of planned tests that are somehow related to each other. An audit is a systematic...

2021-03-06 00:00:17 153

[Original] CISSP Exam Guide Notes: 5.12 Quick Tips

Access is a flow of information between a subject and an object. A subject is an active entity that requests access to an object, which is a passive entity. A subject can be a user, program, or process. Some security mechanisms that provid..

2021-03-05 23:53:05 272
