The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.

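OWASP is an open-source, nonprofit, global security organization dedicated to application software security research. Our mission is to make application software more secure and to enable enterprises and organizations to make clearer decisions about application security risks. OWASP currently has 250 chapters and nearly 70,000 members worldwide, who together drive the development of application security technologies such as security standards, security testing tools, and security guidance manuals.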

[Mobile Application Security Testing]

Our Vision

“Define the industry standard for mobile application security.”

We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.

Main Deliverables

Mobile Security Testing Guide (MSTG): test cases
MSTG manual (online)
MSTG English manual (GitHub)
MSTG English manual (CSDN)

The MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content:

  • Mobile platform internals
  • Security testing in the mobile app development lifecycle
  • Basic static and dynamic security testing
  • Mobile app reverse engineering and tampering
  • Assessing software protections
  • Detailed test cases that map to the requirements in the MASVS.

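The OWASP MSTG is a manual for testing the security of mobile applications. It describes the technical processes for verifying the security requirements listed in the MASVS. The MSTG provides a list of test cases, each of which maps to a requirement in the MASVS. Whereas the MASVS describes its requirements in general, platform-independent terms, the MSTG provides detailed recommendations and test procedures for each mobile operating system.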

MASVS: the standard

Mobile App Security Requirements and Verification

The OWASP Mobile Application Security Verification Standard (MASVS) is, as the name implies, a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.

MASVS Chinese edition (online)
MASVS Chinese edition 1.2 PDF (GitHub)
MASVS Chinese edition 1.2 PDF (CSDN)
MASVS English edition 1.2 PDF (CSDN)

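1-Overall Goals of the MASVS

The overall goal is to provide baseline requirements for mobile application security (MASVS-L1), together with additional defense-in-depth measures (MASVS-L2) and protections against client-side threats to mobile applications (MASVS-R). The MASVS is meant to achieve the following:

  • List the requirements for secure mobile application development, for use by software architects and developers;
  • Provide an industry standard that mobile app security tests can be performed against;
  • Clarify the role of software protection mechanisms in mobile security and provide requirements to verify their effectiveness;
  • Give specific recommendations about the security level appropriate for different use cases.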

Verification Levels in Detail

  • MASVS-L1: Standard Security

A mobile app that achieves MASVS-L1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications.

  • MASVS-L2: Defense-in-Depth

MASVS-L2 introduces advanced security controls that go beyond the standard requirements. To fulfill MASVS-L2, a threat model must exist, and security must be an integral part of the app’s architecture and design. Based on the threat model, the right MASVS-L2 controls should have been selected and implemented successfully. This level is appropriate for apps that handle highly sensitive data, such as mobile banking apps.

  • MASVS-R: Resiliency Against Reverse Engineering and Tampering

The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data. Such an app either leverages hardware security features or sufficiently strong and verifiable software protection techniques. MASVS-R is applicable to apps that handle highly sensitive data and may serve as a means of protecting intellectual property or tamper-proofing an app.

L1 is appropriate for all mobile applications, while L2 is generally recommended for apps that handle more sensitive data or functionality. MASVS-R (or parts of it) can be used to verify an app's resilience against specific threats, such as repackaging or extraction of sensitive data. It can also be used for more rigorous security verification.

2-Security Verification

2-1. V1: Architecture, Design and Threat Modeling Requirements

The category “V1” lists requirements pertaining to architecture and design of the app. As such, this is the only category that does not map to technical test cases in the OWASP Mobile Testing Guide.

Security Verification Requirements

| # | MSTG-ID | Description | L1 | L2 |
| --- | --- | --- | --- | --- |
| 1.1 | MSTG-ARCH-1 | All app components are identified and known to be needed. | ✓ | ✓ |
| 1.2 | MSTG-ARCH-2 | Security controls are never enforced only on the client side, but on the respective remote endpoints. | ✓ | ✓ |
| 1.3 | MSTG-ARCH-3 | A high-level architecture for the mobile app and all connected remote services has been defined and security has been addressed in that architecture. | ✓ | ✓ |
| 1.4 | MSTG-ARCH-4 | Data considered sensitive in the context of the mobile app is clearly identified. | ✓ | ✓ |
| 1.5 | MSTG-ARCH-5 | All app components are defined in terms of the business functions and/or security functions they provide. | | ✓ |
| 1.6 | MSTG-ARCH-6 | A threat model for the mobile app and the associated remote services has been produced that identifies potential threats and countermeasures. | | ✓ |
| 1.7 | MSTG-ARCH-7 | All security controls have a centralized implementation. | | ✓ |
| 1.8 | MSTG-ARCH-8 | There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57. | | ✓ |
| 1.9 | MSTG-ARCH-9 | A mechanism for enforcing updates of the mobile app exists. | | ✓ |
| 1.10 | MSTG-ARCH-10 | Security is addressed within all parts of the software development lifecycle. | | ✓ |
| 1.11 | MSTG-ARCH-11 | A responsible disclosure policy is in place and effectively applied. | | ✓ |
| 1.12 | MSTG-ARCH-12 | The app should comply with privacy laws and regulations. | ✓ | ✓ |

2-2. V2: Data Storage and Privacy Requirements

Security Verification Requirements

| # | MSTG-ID | Description | L1 | L2 |
| --- | --- | --- | --- | --- |
| 2.1 | MSTG-STORAGE-1 | System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys. | ✓ | ✓ |
| 2.2 | MSTG-STORAGE-2 | No sensitive data should be stored outside of the app container or system credential storage facilities. | ✓ | ✓ |
| 2.3 | MSTG-STORAGE-3 | No sensitive data is written to application logs. | ✓ | ✓ |
| 2.4 | MSTG-STORAGE-4 | No sensitive data is shared with third parties unless it is a necessary part of the architecture. | ✓ | ✓ |
| 2.5 | MSTG-STORAGE-5 | The keyboard cache is disabled on text inputs that process sensitive data. | ✓ | ✓ |
| 2.6 | MSTG-STORAGE-6 | No sensitive data is exposed via IPC mechanisms. | ✓ | ✓ |
| 2.7 | MSTG-STORAGE-7 | No sensitive data, such as passwords or pins, is exposed through the user interface. | ✓ | ✓ |
| 2.8 | MSTG-STORAGE-8 | No sensitive data is included in backups generated by the mobile operating system. | | ✓ |
| 2.9 | MSTG-STORAGE-9 | The app removes sensitive data from views when moved to the background. | | ✓ |
| 2.10 | MSTG-STORAGE-10 | The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use. | | ✓ |
| 2.11 | MSTG-STORAGE-11 | The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode. | | ✓ |
| 2.12 | MSTG-STORAGE-12 | The app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app. | | ✓ |
| 2.13 | MSTG-STORAGE-13 | No sensitive data should be stored locally on the mobile device. Instead, data should be retrieved from a remote endpoint when needed and only be kept in memory. | | ✓ |
| 2.14 | MSTG-STORAGE-14 | If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware backed storage which requires authentication. | | ✓ |
| 2.15 | MSTG-STORAGE-15 | The app’s local storage should be wiped after an excessive number of failed authentication attempts. | | ✓ |

2-3. V3: Cryptography Requirements

Security Verification Requirements

| # | MSTG-ID | Description | L1 | L2 |
| --- | --- | --- | --- | --- |
| 3.1 | MSTG-CRYPTO-1 | The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption. | ✓ | ✓ |
| 3.2 | MSTG-CRYPTO-2 | The app uses proven implementations of cryptographic primitives. | ✓ | ✓ |
| 3.3 | MSTG-CRYPTO-3 | The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices. | ✓ | ✓ |
| 3.4 | MSTG-CRYPTO-4 | The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes. | ✓ | ✓ |
| 3.5 | MSTG-CRYPTO-5 | The app doesn’t re-use the same cryptographic key for multiple purposes. | ✓ | ✓ |
| 3.6 | MSTG-CRYPTO-6 | All random values are generated using a sufficiently secure random number generator. | ✓ | ✓ |

2-4. V4: Authentication and Session Management Requirements

Security Verification Requirements

| # | MSTG-ID | Description | L1 | L2 |
| --- | --- | --- | --- | --- |
| 4.1 | MSTG-AUTH-1 | If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint. | ✓ | ✓ |
| 4.2 | MSTG-AUTH-2 | If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user’s credentials. | ✓ | ✓ |
| 4.3 | MSTG-AUTH-3 | If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm. | ✓ | ✓ |
| 4.4 | MSTG-AUTH-4 | The remote endpoint terminates the existing session when the user logs out. | ✓ | ✓ |
| 4.5 | MSTG-AUTH-5 | A password policy exists and is enforced at the remote endpoint. | ✓ | ✓ |
| 4.6 | MSTG-AUTH-6 | The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times. | ✓ | ✓ |
| 4.7 | MSTG-AUTH-7 | Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire. | ✓ | ✓ |
| 4.8 | MSTG-AUTH-8 | Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns “true” or “false”). Instead, it is based on unlocking the keychain/keystore. | | ✓ |
| 4.9 | MSTG-AUTH-9 | A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. | | ✓ |
| 4.10 | MSTG-AUTH-10 | Sensitive transactions require step-up authentication. | | ✓ |
| 4.11 | MSTG-AUTH-11 | The app informs the user of all sensitive activities with their account. Users are able to view a list of devices, view contextual information (IP address, location, etc.), and to block specific devices. | | ✓ |
| 4.12 | MSTG-AUTH-12 | Authorization models should be defined and enforced at the remote endpoint. | ✓ | ✓ |

2-5. V5: Network Communication Requirements

Security Verification Requirements

| # | MSTG-ID | Description | L1 | L2 |
| --- | --- | --- | --- | --- |
| 5.1 | MSTG-NETWORK-1 | Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app. | ✓ | ✓ |
| 5.2 | MSTG-NETWORK-2 | The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards. | ✓ | ✓ |
| 5.3 | MSTG-NETWORK-3 | The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted. | ✓ | ✓ |
| 5.4 | MSTG-NETWORK-4 | The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA. | | ✓ |
| 5.5 | MSTG-NETWORK-5 | The app doesn’t rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery. | | ✓ |
| 5.6 | MSTG-NETWORK-6 | The app only depends on up-to-date connectivity and security libraries. | | ✓ |

2-6. V6: Platform Interaction Requirements

Security Verification Requirements

| # | MSTG-ID | Description | L1 | L2 |
| --- | --- | --- | --- | --- |
| 6.1 | MSTG-PLATFORM-1 | The app only requests the minimum set of permissions necessary. | ✓ | ✓ |
| 6.2 | MSTG-PLATFORM-2 | All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources. | ✓ | ✓ |
| 6.3 | MSTG-PLATFORM-3 | The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected. | ✓ | ✓ |
| 6.4 | MSTG-PLATFORM-4 | The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected. | ✓ | ✓ |
| 6.5 | MSTG-PLATFORM-5 | JavaScript is disabled in WebViews unless explicitly required. | ✓ | ✓ |
| 6.6 | MSTG-PLATFORM-6 | WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled. | ✓ | ✓ |
| 6.7 | MSTG-PLATFORM-7 | If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package. | ✓ | ✓ |
| 6.8 | MSTG-PLATFORM-8 | Object deserialization, if any, is implemented using safe serialization APIs. | ✓ | ✓ |
| 6.9 | MSTG-PLATFORM-9 | The app protects itself against screen overlay attacks. (Android only) | | ✓ |
| 6.10 | MSTG-PLATFORM-10 | A WebView’s cache, storage, and loaded resources (JavaScript, etc.) should be cleared before the WebView is destroyed. | | ✓ |
| 6.11 | MSTG-PLATFORM-11 | Verify that the app prevents usage of custom third-party keyboards whenever sensitive data is entered. | | ✓ |

2-7. V7: Code Quality and Build Setting Requirements

Security Verification Requirements

| # | MSTG-ID | Description | L1 | L2 |
| --- | --- | --- | --- | --- |
| 7.1 | MSTG-CODE-1 | The app is signed and provisioned with a valid certificate, of which the private key is properly protected. | ✓ | ✓ |
| 7.2 | MSTG-CODE-2 | The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable). | ✓ | ✓ |
| 7.3 | MSTG-CODE-3 | Debugging symbols have been removed from native binaries. | ✓ | ✓ |
| 7.4 | MSTG-CODE-4 | Debugging code and developer assistance code (e.g. test code, backdoors, hidden settings) have been removed. The app does not log verbose errors or debugging messages. | ✓ | ✓ |
| 7.5 | MSTG-CODE-5 | All third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities. | ✓ | ✓ |
| 7.6 | MSTG-CODE-6 | The app catches and handles possible exceptions. | ✓ | ✓ |
| 7.7 | MSTG-CODE-7 | Error handling logic in security controls denies access by default. | ✓ | ✓ |
| 7.8 | MSTG-CODE-8 | In unmanaged code, memory is allocated, freed and used securely. | ✓ | ✓ |
| 7.9 | MSTG-CODE-9 | Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated. | ✓ | ✓ |

2-8. V8: Resilience Requirements

Security Verification Requirements

  • Impede Dynamic Analysis and Tampering

| # | MSTG-ID | Description | R |
| --- | --- | --- | --- |
| 8.1 | MSTG-RESILIENCE-1 | The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app. | ✓ |
| 8.2 | MSTG-RESILIENCE-2 | The app prevents debugging and/or detects, and responds to, a debugger being attached. All available debugging protocols must be covered. | ✓ |
| 8.3 | MSTG-RESILIENCE-3 | The app detects, and responds to, tampering with executable files and critical data within its own sandbox. | ✓ |
| 8.4 | MSTG-RESILIENCE-4 | The app detects, and responds to, the presence of widely used reverse engineering tools and frameworks on the device. | ✓ |
| 8.5 | MSTG-RESILIENCE-5 | The app detects, and responds to, being run in an emulator. | ✓ |
| 8.6 | MSTG-RESILIENCE-6 | The app detects, and responds to, tampering the code and data in its own memory space. | ✓ |
| 8.7 | MSTG-RESILIENCE-7 | The app implements multiple mechanisms in each defense category (8.1 to 8.6). Note that resiliency scales with the amount, diversity of the originality of the mechanisms used. | ✓ |
| 8.8 | MSTG-RESILIENCE-8 | The detection mechanisms trigger responses of different types, including delayed and stealthy responses. | ✓ |
| 8.9 | MSTG-RESILIENCE-9 | Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis. | ✓ |

  • Device Binding

| # | MSTG-ID | Description | R |
| --- | --- | --- | --- |
| 8.10 | MSTG-RESILIENCE-10 | The app implements a ‘device binding’ functionality using a device fingerprint derived from multiple properties unique to the device. | ✓ |

  • Impede Comprehension

| # | MSTG-ID | Description | R |
| --- | --- | --- | --- |
| 8.11 | MSTG-RESILIENCE-11 | All executable files and libraries belonging to the app are either encrypted on the file level and/or important code and data segments inside the executables are encrypted or packed. Trivial static analysis does not reveal important code or data. | ✓ |
| 8.12 | MSTG-RESILIENCE-12 | If the goal of obfuscation is to protect sensitive computations, an obfuscation scheme is used that is both appropriate for the particular task and robust against manual and automated de-obfuscation methods, considering currently published research. The effectiveness of the obfuscation scheme must be verified through manual testing. Note that hardware-based isolation features are preferred over obfuscation whenever possible. | ✓ |

  • Impede Eavesdropping

| # | MSTG-ID | Description | R |
| --- | --- | --- | --- |
| 8.13 | MSTG-RESILIENCE-13 | As a defense in depth, next to having solid hardening of the communicating parties, application level payload encryption can be applied to further impede eavesdropping. | ✓ |

Checklist

A checklist is available for use in security assessments that is based on the MASVS and MSTG and contains links to the MSTG test case for each requirement.


Mobile Application Security Controls and Design Principles TOP 10 _Beta_V2
