What can hackers teach web developers in one minute to change the way they are thinking?


  1. Use Clean URL's: https://www.site.com/news.php?id=1337 is way more tempting than https://www.site.com/news/some-news-or-today
  2. Sanitize Inputs: The first thing a hacker will try on seing a search box is " <script>alert(/0/)</script>". If no sanitization is done, you are done. You've just given a hacker access to a very famous low hanging fruit called XSS.
  3. Controlling Access Control: I've seen cases where a simple http://www.site.com/phpmyadmin gave us access to complete database! No injection, nothing. Only a silly mistake of not giving appropriate permissions.
  4. Errors Say a Lot: Even an error page can give a lot of information about web server, folder structure of webserver, version and other technologies being used in the site. So, make sure only pretty looking custom error pages are shown which do not show any internal information about web app. Many times I've seen where a developer forgot to switch off php errors and an attacker got a lot of information about site structure from errors.
  5. Forget GET: Please do not submit sensitive information from forms, sign-up pages, login areas using GET parameter. Its very easy to exploit that using a combination of CSRF or other ways.


1使用干净的url https://www.site.com/news.php?id=1337 这样的网站比 tempting than https://www.site.com/news/some-news-or-today 这样的网站更加有诱惑力

2 清理用户的输入 黑客的第一件事情就是会在搜索的框里面输入 <script>alert(/0/)</script> 如果没有清理用户的输入 那么你刚刚给了黑客一个可以轻易拿到的有名的水果叫做xss

3控制刚问权限 我见过一个简单的http://www.site.com/phpmyadmin让我们访问完整数据库的情况!没有注射,没有。只是一个没有给予适当权限的愚蠢错误

4报错也可以道出很多 即使是一个报错的页面也可以给出很多关于web服务器 web服务器文件夹 版本或很多网站上的信息 所以 要确保只显示漂亮的自定义错误页面 这些页面不会显示有关web应用程序的内部信息 有的时候 我看到一些程序员忘记关掉php的报错 这使得攻击者从报错中获取了很多与网站相关的信息

5 忘记GET 请不要在提交表单的时候使用get的请求方法 这样很容易以csrf 或别的形式来利用



电子邮件地址不会被公开。必填项已用 * 标注