- Empty directory
- Basic knowledge
- Data and instructions
- Vulnerability scanning
- Coverity Scan
- Common vulnerabilities and countermeasures
- Presentation Topic 1
- Preface
- Common software defects and risks
- Security vulnerability concepts (CVE, CNA, CWE, CVSS, OWASP)
- Causes of web security vulnerabilities
- XSS (cross-site scripting) attacks and prevention
- CSRF - cross-site request forgery
- SQL Injection
- Software weakness prevention: Filesystem path, filename, or URI manipulation
- Improper Limitation of a Pathname to a Restricted Directory
- Clickjacking vulnerabilities
- Handling Java web security risks
- Conclusion
- SQL injection risks and countermeasures
- SQL injection types
- Sample
- XSS - cross-site scripting attacks
- An XSS incident caused by wide-byte encoding
- Automatic decoding in HTML and JavaScript
- XSS Sample
- XSS attack payloads
- Cross-Site Scripting (XSS)
- XSS vs. CSRF
- References
- Solution example
- CSRF - cross-site request forgery
- CSRF defense concepts for Servlet-based Java web projects
- CSRF defense example for JSP-based Java web projects
- CSRF - cross-site request forgery
- CSRF (cross-site request forgery) vulnerabilities and fixes
- CSRF defense guide for Java web applications
- Hands-on: protecting a Spring Boot project against CSRF attacks with Spring Security
- Exploring how to fix CSRF weaknesses in a Spring Boot project flagged by a Coverity scan
- Coverity + CSRF
- Spring Boot CSRF attack defense
- File upload vulnerabilities
- Sensitive information disclosure
- Filesystem path, filename, or URI manipulation -
- PATH_MANIPULATION+Coverity
- Defense methods
- Java vulnerabilities and fixes
- Java high-risk weaknesses
- Hands-on Java XSS defense with example code
- The right way to defend against path manipulation in Java
- Example
- Example 2
- Common mistakes when fixing path manipulation in Java
- Fixing path manipulation vulnerabilities in a Spring Boot project with Coverity scans
- CSRF defense in a real-world Spring Boot project
- Java high-risk weaknesses and fixes: SQL injection
- Very weak password hashing (WEAK_PASSWORD_HASH)
- Insecure SSL/TLS: bad HostnameVerifier (BAD_CERT_VERIFICATION)
- Hostname verification example 1
- Resource Leak
- Java medium-risk weaknesses
- Java code weaknesses and fixes: Arguments in wrong order
- Java code weaknesses and fixes: ORM persistence error
- Java code weaknesses and fixes: Logically dead code
- Example 1
- Java code weaknesses and fixes: URL manipulation
- Java code weaknesses and fixes: Open redirect
- Fixing open redirect vulnerabilities in a Spring project
- Java code weaknesses and fixes: Dereference null return value
- Java code weaknesses and fixes: Dereference before null check
- Java code weaknesses and fixes: Dereference after null check
- Java code weaknesses and fixes: Explicit null dereferenced
- Summary and comparison of Java null-check related weakness types
- Java code weaknesses and fixes: Copy-paste error
- Java code weaknesses and fixes: Suspicious calls to generic collection methods
- Java code weaknesses and fixes: Repeated conditional test
- Java code weaknesses and fixes: Masked Field
- Resolving a false-positive Masked Field weakness in a Spring Boot project
- Java code weaknesses and fixes: STCAL: Static use of type Calendar or DateFormat
- Java code weaknesses and fixes: RC: Questionable use of reference equality rather than calling equals
- Java code weaknesses and fixes: Unintended regular expression
- Java code weaknesses and fixes: LI: Unsynchronized Lazy Initialization
- Java code weaknesses and fixes: Risky cryptographic hashing function (RISKY_CRYPTO)
- Cryptographic hashing example
- Java代码弱点与修复之——INT: Suspicious integer expression
- NP: Null pointer dereference
- SA: Useless self-operation
- Unguarded read
- SWL: Sleep with lock held
- Use of freed resources
- Stray semicolon
- UG: Unsynchronized get method, synchronized set method (FB.UG_SYNC_SET_UNSYNC_GET)
- Identical code for different branches
- RANGE: Range checks
- Infinite Loop
- Missing authorization check
- Java low-risk weaknesses
- Java code weaknesses and fixes: WMI: Inefficient Map Iterator
- Java code weaknesses and fixes: Dead local store
- Java code weaknesses and fixes: BC: Bad casts of object references
- Java code weaknesses and fixes: 'Constant' variable guards dead code
- Java code weaknesses and fixes: DE: Dropped or ignored exception
- Useless code
- Dm: Dubious method used
- Byte conversion
- Java code weaknesses and fixes: Se: Incorrect definition of Serializable class
- FS: Format string problem
- IM: Questionable integer math
- Information exposure to log file
- Insecure HTTP firewall
- NS: Suspicious use of non-short-circuit boolean operator
- REC: RuntimeException capture
- Resource leak on an exceptional path
- RV: Bad use of return value
- SBSC: String concatenation in loop using + operator
- SIC: Inner class could be made static
- SS: Unread field should be static
- UC: Useless code
- Unnecessary call to org.hibernate.Session.get method
- Unused value
- UPM: Private method is never called
- UrF: Unread field
- UuF: Unused field
- UwF: Unwritten field
- Audit
- Non-constant SQL
- Log injection (LOG_INJECTION)
- Log vulnerability example 1
- Real-world scenario
- URL
- Template
- Web vulnerabilities and fixes
- Web development
- Client request address
- Medium
- [Web defects and fixes] Property access or function call before check for null or undefined
- Bad use of null-like value
- Missing break in switch
- Logically dead code-JavaScript
- Identical code for different branches
- Expression with no effect
- Missing parentheses
- High
- Handling DOM-based cross-site scripting vulnerabilities on the web
- Summary
- Web basics
- Character escaping
- Tools
- Java static analysis tools: SpotBugs
- FindBugs
- Synopsys Code Sight
- Detecting code weaknesses with Eclipse + SpotBugs