- Brain Informatics 腦資訊學
- Go Programming Language
- Python
- Web 攻防技術
- 0. Google Hacking
- 1. Network Security
- 1.1 密碼學: PKI, RSA
- 1.2 Message Integrity/Authentication(訊息完整性/訊息認證)
- 1.3 End-point Authentication (端點認證)
- 1.4 Key Distribution: KDC, Certification, CA
- 1.5 PGP (Pretty Good Privacy)
- 1.6 安全的TCP連結: SSL
- 1.7 網路層安全: IPsec
- 1.8 無線區網安全: WEP, IEEE802.11i(WPA)
- 1.90 Firewall(防火牆)
- 1.91 IDS (Intrusion Detection System, 入侵偵測系統)
- 1.92 緩衝區溢位(Buffer Overflow)
- 1.93 軟體安全(Software Security)
- 1.95 Onion Routing (洋蔥路由)
- 1.96 Anonymous Authentication (匿名認證)
- 2. Web2.0 安全衝擊與評估
- 3. Footpringting, Discovery, Profiling, and Crawling
- 4. XSS and CSRF
- 5. RSS, Meshup, Widget安全, 掃描方法
- 6. SOA安全與攻擊向量(Attack Vector)
- 7. 防禦方法
- 8 PHP駭客攻防
- 9 Botnet (殭屍網路)
- A. Web2.0 安全工具與參考資料
- Web基本原理與技術
- Web新興技術
- XML技術與應用
- 1. XML 基本語法(Syntax)
- 2. W3C XML Schema
- 3. XPath
- 4. XSLT
- 5. XML應用標準
- 5.0 Business: BPEL, ebXML
- 5.1 Context-aware: iCalendar, iCard, GML, KML
- 5.2 Document: ODF, OOXML
- 5.3 Feed: Atom, RSS
- 5.4 Medical: HL7/CD, TMT
- 5.5 Multimedia: MusicXML, SMIL, SVG, VoiceXML, X3D
- 5.6 Security: SAML, XACML
- 5.7 Semantic Web (Ontology): RDF, OWL
- 5.8 Web View: MXML, XAXML
- 5.9 Misc: JSON, MathML, SyncML, XMPP
- 健康宅急便(SHS)
- 分散式系統
- 深網(Deep Web)智慧
- 無線行動軟體技術
- 第二人生 (Second Life)
- 1. Hello! Second Life
- 2. 使用者觀點 (User's Perspectives)
- 3. 經營者觀點 (Business's Perspective)
- 4. 發展者觀點 (Developer's Perspective)
- 4.0 內容製作(Content Creation)
- 4.1 LSL 語法
- 4.2 Communication (Dialogs, Messsging, HTTP, XML-RPC)
- 4.3 Object Rezzing and Moving
- 4.4 Sensing (Sensor, Collision, Greeter)
- 4.5 Physics and Vehicles
- 4.6 Special Effects (Particle, Texture animation, Light)
- 4.7 Environment (Time, Air, Earth, Water, Weather)
- 4.8 Multimedia (Sound, Streaming media)
- 4.9 Money (Transaction, Tip jar, Vendor)
- 5. IT系統觀點 (System Perspectives)
- 6. 知識庫(Knowledge Base)
- 網路技術
- 1. 網路基本介紹
- 2. Application Layer (應用層)
- 3. Transport Layer(傳輸層)
- 4. Network Layer(網路層)
- 5. Link Layer (鏈結層) and LAN (區域網路)
- 6. 無線行動網路
- 6.1 Wireless Characteristics: Link, Network
- 6.2 Wireless LAN: WiFi (IEEE 802.11)
- 6.3 Wireless MAN: WiMax (802.16)
- 6.4 Wirelss WAN (Cellular Intenet Access): 2G(GSM), 2.5G(GPRS), 3G(CDMA), 3.5G(HSPDA)
- 6.5 Wireless PAN (WPAN): Bluetooth, NFC, Zigbee
- 6.6 Mobility management: Handoff
- 6.7 Mobile IP
- 6.8 Cellullar Network Mobility
- 6.9 TCP over Wireless Link
- 7. 多媒體網路
- 9. 網路管理
- 雲端運算(Cloud Computing)
- 筆記撰寫規格範例
6.1 SOA and Web Service 安全
一, 2009-05-18 23:27 — mei
- SOA Layered Architecture
- Presentation Stack : Provide meaning to information going across network.
- Security Stack : Provide security to information embedded in XML format
- Discovery Stack : Provide information about the location of Web services to Web services users
- Access Stack : Provide the means and tools for accessing various Web service oe SOA
- Transport Stack : Provide a way to share and transport information from one part of the network with another
- SOA threat Framework
- Layer 1: Web Services in Transit
- •In Transit Sniffing or Spoofing
ex.用Wireshark來sniffing(監聽)
•WS-routing Security Concern
在程式中間加入SOAP的指令讓特定的人知道,容易造成MITM(man-in-the-middle)的attack
MITM:就是對receiver假冒sender
對sender假冒receiver
•Replay attacks
Layer 2: Web Services Engine(系統or應用)
- •Buffer overflow
造成程式容易當掉
•XML parsing(解析) attacks
Web services沒辦法解析XML的架構,而造成駭客的攻擊
•Spoiling(搞壞) schema/DTD
•Complex or recursive structure as payload
schema或DTD沒有寫好,而使得long loop and DoS,造成payload增加,而系統shutdown
•Denial of services (CPU usage)
•Large payload
•Specially crafted requests
Inject some code in an HTTP header or XML body
Layer 3: Web Services Deployment
- •Fault code leaks
產生出Error Message
•Permissions and access issues
Access control要做好
Access control就是作為"使用者"和"資源"的橋梁
•Poor policies
代理的權限要做好管理
•Customized error leakage
為了讓使用者有更大的彈性可以使用程式,便把使用者的更改限制縮小,而造成使用者因對程式的不熟悉,讓informantion被揭露出來
•Authentication and certification=>OpenID, OAuth
ID/Password的重要性
有些ID/Password是透過pass或dictionary的方式來取得,進入系統;也有可能從後方直接進入
Layer 4: Web Services User Code:Threats and Attacks
- •Parameter tampering(最多)
用不同的參數放進去,去得到一些資料
•WSDL probing
WSDLu也是一個web service的schema,而開發者不該讓他暴露在網路上
•SQL/LDAP/XPATH/OS command injection
•Virus/spyware/malware injection
•Brute force
使用Dictionary attack來get id/password
•Data type mismatch
被hacker發現Error string
•Content spoofing
•Session tampering/hijacking
•Format string
•Information leakage
•Authorization (Access Control Mechanism)
