Web Application Security: Foreign-Language Translation Reference (Web应用程序安全外文翻译参考文献)
(This document contains the English original and its Chinese translation.)
Original:
Basic Security Practices for Web Applications
Even if you have limited experience with and knowledge of application security, there are basic measures that you should take to help protect your Web applications. The following sections in this topic provide minimum-security guidelines that apply to all Web applications:
General Web Application Security Recommendations; Run Applications with Minimum Privileges; Know Your Users; Guard Against Malicious User Input; Access Databases Securely; Create Safe Error Messages; Keep Sensitive Information Safely; Use Cookies Securely; Guard Against Denial-of-Service Threats.
1. General Web Application Security Recommendations
Even the most elaborate application security can fail if a malicious user can use simple ways to gain access to your computers. General Web application security recommendations include the following:
Back up data often and keep your backups physically secure.
Keep your Web server physically secure so that unauthorized users cannot gain access to it, turn it off, physically steal it, and so on.
Use the Windows NTFS file system, not FAT32. NTFS offers substantially more security than FAT32.
Protect the Web server and all of the computers on the same network with strong passwords.
Follow best practices for securing Internet Information Services (IIS).
Close any unused ports and turn off unused services.
Run a virus checker that monitors site traffic.
Use a firewall.
Learn about and install the latest security updates from Microsoft and other vendors.
Use Windows event logging and examine the logs frequently for suspicious activity. This includes repeated attempts to log on to your system and excessive requests against your Web server.
2. Run Applications with Minimum Privileges
When your application runs, it runs within a context that has specific privileges on the local computer and potentially on remote computers. For information about configuring application identity, see Configuring ASP.NET Process Identity. To run with the minimum number of privileges needed, follow these guidelines:
Do not run your application with the identity of a system user (administrator). Run the application in the context of a user with the minimum practical privileges.
Set permissions (ACLs, or Access Control Lists) on all the resources required for your application. Use the most restrictive setting. For example, if practical in your application, set files to be read-only. For a list of the minimum ACL permissions required for the identity of your ASP.NET application, see ASP.NET Required Access Control Lists (ACLs).
Keep files for your Web application in a folder below the application root. Do not allow users the option of specifying a path for any file access in your application. This helps prevent users from getting access to the root of your server.
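The last guideline, taking only a file name from the user and never a path, looks like this in practice. This is an added example, not code from the original article; the content folder, the file names and the drive letter are assumptions for illustration.

```csharp
using System;
using System.IO;

// Added example, not code from the original article: accept only a file name
// from the user, never a path, and verify that the resolved location is still
// below the application's own content folder. Folder layout and file names
// are assumptions for illustration.
public static class SafeFileAccess
{
    // The only folder this feature is allowed to read from (below the app root).
    private static readonly string ContentRoot = Path.GetFullPath(
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "App_Data", "downloads"));

    // Returns the full path of the requested file if it lies inside ContentRoot;
    // throws UnauthorizedAccessException otherwise.
    public static string ResolveDownload(string userSuppliedName)
    {
        if (string.IsNullOrWhiteSpace(userSuppliedName))
            throw new ArgumentException("file name required");

        // Reject anything that looks like a path: separators, drive letters, "." or "..".
        if (userSuppliedName.IndexOfAny(new[] { '/', '\\', ':' }) >= 0
            || userSuppliedName == "." || userSuppliedName == "..")
            throw new UnauthorizedAccessException("path components are not allowed");

        // Defence in depth: normalise and confirm the result is still under the root.
        string full = Path.GetFullPath(Path.Combine(ContentRoot, userSuppliedName));
        string rootWithSep = ContentRoot.TrimEnd(Path.DirectorySeparatorChar)
                             + Path.DirectorySeparatorChar;
        if (!full.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes the content root");

        return full;
    }

    public static void Main()
    {
        Console.WriteLine("allowed: " + ResolveDownload("report.pdf"));
        foreach (string bad in new[] { "..\\web.config", "../../Web.config", "C:\\secrets.txt", ".." })
        {
            try
            {
                ResolveDownload(bad);
                Console.WriteLine("ALLOWED (bug): " + bad);
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine("blocked: " + bad + " (" + ex.Message + ")");
            }
        }
    }
}
```

Pair this with the ACL guideline above: give the worker-process identity read-only access to the downloads folder and no access to the application root, so that even a bug in the check cannot read Web.config.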
3. Know Your Users
In many applications, it is possible for users to access the site without having to provide credentials. If so, your application accesses resources by running in the context of a predefined user. By default, this context is the local ASPNET user (Windows 2000 or Windows XP) or NETWORK SERVICE user (Windows Server 2003) on the Web server. To restrict access to users who are authenticated, follow these guidelines:
If your application is an intranet application, configure it to use Windows Integrated security. This way, the user's login credentials can be used to access resources.
If you need to gather credentials from the user, use one of the ASP.NET authentication strategies. For an example, see the ASP.NET Forms Authentication Overview.
4. Guard against Malicious User Input
As a general rule, never assume that input you get from users is safe. It is easy for malicious users to send potentially dangerous information from the client to your application. To help guard against malicious input, follow these guidelines:
In forms, filter user input to check for HTML tags, which might contain script. For details, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.
Never echo (display) unfiltered user input. Before displaying untrusted information, encode HTML to turn potentially harmful script into display strings.
Similarly, never store unfiltered user input in a database.
If you want to accept some HTML from a user, filter it manually. In your filter, explicitly define what you will accept. Do not create a filter that tries to filter out malicious input; it is very difficult to anticipate all possible malicious input.
Do not assume that information you get from the header (usually via the Request object) is safe. Use safeguards for query strings, cookies, and so on. Be aware that information that the browser reports to the server (user agent information) can be spoofed, in case that is important in your application.
If possible, do not store sensitive information in a place that is accessible from the browser, such as hidden fields or cookies.
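The two options above, encode everything or accept an explicit allow-list of tags, side by side. This is an added example, not code from the original article; the sample input is constructed, and the allow-list (bare b, i and p tags) is an arbitrary choice.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not code from the original article. Two treatments for
// untrusted text before it is echoed into a page: encode every character
// that has meaning in HTML, or encode everything and then restore only an
// explicit allow-list of tags. The sample input below is constructed.
public static class OutputFiltering
{
    // Default: the input can only ever render as text.
    public static string EncodeAll(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted);
    }

    // Allow-list: encode first so nothing raw survives, then put back exactly
    // <b>, <i>, <p> and their closing forms. HtmlEncode turned "<b>" into
    // "&lt;b&gt;", so the pattern matches the encoded form. A tag with
    // attributes ("&lt;b onmouseover=...&gt;") does not match and stays encoded.
    public static string AllowBasicFormatting(string untrusted)
    {
        string encoded = WebUtility.HtmlEncode(untrusted);
        return Regex.Replace(
            encoded,
            @"&lt;(/?)(b|i|p)&gt;",
            m => "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">",
            RegexOptions.IgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample: legitimate formatting mixed with two script attempts.
        string sample = "Hi <b>there</b> <script>alert(document.cookie)</script> "
                      + "<B onmouseover=alert(1)>x</B> 5 &lt; 6";
        Console.WriteLine(EncodeAll(sample));
        Console.WriteLine(AllowBasicFormatting(sample));
    }
}
```

Note that the allow-list approach never tries to recognise "bad" input: anything not explicitly restored remains encoded, which is the property the article asks for. WebUtility.HtmlEncode (System.Net) is available in every .NET version since 4.0; the older HttpUtility.HtmlEncode in System.Web behaves the same for this purpose.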
5. Access Databases Securely
Databases typically have their own security. An important aspect of Web application security is designing a way for the application to access the database securely. Follow these guidelines:
Use the inherent security of your database to limit who can access database resources. The exact strategy depends on your database and your application:
If practical in your application, use Windows Integrated security so that only Windows-authenticated users can access the database. Integrated security is more secure than using SQL Server standard security (a login name and password in the connection string).
If your application uses anonymous access, create a single user with very limited permissions, and perform queries by connecting as this user.
Do not create SQL statements by concatenating strings that involve user input. Instead, create a parameterized query and use user input to set parameter values.
If you must store a user name and password somewhere to use as the database login credential, store them securely: encrypt them, for example with Protected Configuration for the connectionStrings section of Web.config. Hashing does not apply here, because the application must present the password in the clear to the database. For details, see Encrypting and Decrypting Data.
6. Create Safe Error Messages
If you are not careful, a malicious user can deduce important information about your application from the error messages it displays. Follow these guidelines:
Do not write error messages that echo information that might be useful to malicious users, such as a user name.
Configure the application not to show detailed errors to users. If you want to display detailed error messages for debugging, check first that the user is local to the Web server. For details, see How to: Display Safe Error Messages.
Use the customErrors configuration element to control who can view exceptions from the server.
Create custom error handling for situations that are prone to error, such as database access.
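An Application_Error handler that follows these guidelines: full detail is logged on the server, a remote user sees only a generic message with a correlation reference, and the stack trace is shown only when the request comes from the Web server itself. This is an added example, not code from the original article; the trace-listener configuration that receives the log line is assumed.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example, not code from the original article: a Global.asax error
// handler that logs the full exception server-side and returns detail only
// to a request that originates on the Web server (Request.IsLocal).
// The trace listener that receives the log output is assumed to be configured.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // A reference the user can quote to support; it is the only thing that
        // links the generic page to the detailed log entry.
        string reference = Guid.NewGuid().ToString("N");

        // Everything, including stack trace and inner exceptions, goes to the log only.
        Trace.TraceError("[{0}] {1} {2} failed: {3}",
            reference, Request.HttpMethod, Request.RawUrl, ex);

        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Response.ContentType = "text/html";

        if (Request.IsLocal)
        {
            // A developer browsing on the server sees the detail; it is still
            // untrusted text (user input can appear in messages), so encode it.
            Response.Write("<pre>" + HttpUtility.HtmlEncode(ex.ToString()) + "</pre>");
        }
        else
        {
            // Remote users get no user names, file paths, SQL text or version strings.
            Response.Write("<p>Sorry, the request could not be completed. Reference: "
                + reference + "</p>");
        }

        // Finish the pipeline without the ThreadAbortException that Response.End() raises.
        CompleteRequest();
    }
}
```

The configuration-only equivalent of the IsLocal check is `<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />` in Web.config; the handler above adds the server-side log entry and the correlation reference that a static error page cannot provide.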
7. Keep Sensitive Information Safely
Sensitive information is any information that you need to keep private. A typical piece of sensitive information is a password or an encryption key. If a malicious user can get to the sensitive information, then the data protected by the secret is compromised. Follow these guidelines:
If your application transmits sensitive information between the browser and the server, use Secure Sockets Layer (SSL), or its successor TLS; that is, serve the pages over HTTPS.
Use Protected Configuration to secure sensitive information in configuration files such as the Web.config or Machine.config files. For more information, see Encrypting Configuration Information Using Protected Configuration.
If you must store sensitive information, do not keep it in a Web page, even in a form that you think people will not be able to view (such as in server code).
Use the strong encryption algorithms supplied in the System.Security.Cryptography namespace.
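Protected Configuration in code: encrypt the connectionStrings section in place and read it back without the plaintext ever appearing in the application. This is an added example, not code from the original article; the provider and section names are the ones the framework ships, and the connection-string name passed to GetConnectionString is an assumption.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not code from the original article: encrypt the
// connectionStrings section of this application's Web.config with the DPAPI
// provider, then read it back transparently. Provider and section names are
// the framework's own; the connection-string name is an assumption.
public static class ProtectConfig
{
    // Encrypts the section once; a second call finds it already protected and does nothing.
    public static void EncryptConnectionStrings()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new InvalidOperationException("Web.config has no connectionStrings section");

        if (!section.SectionInformation.IsProtected)
        {
            // DPAPI ties the key to this machine (or account). Use
            // "RsaProtectedConfigurationProvider" with an exported key container
            // when the same Web.config must run on a web farm.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reading is unchanged: the framework decrypts on access, so the plaintext
    // never needs to live in a page, in server code or in source control.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ArgumentException("unknown connection string: " + name);
        return settings.ConnectionString;
    }

    public static void Main()
    {
        EncryptConnectionStrings();
        // "Shop" is an assumed connection-string name.
        Console.WriteLine(GetConnectionString("Shop").Length + " characters decrypted at run time");
    }
}
```

Writing to Web.config requires write access for whoever runs EncryptConnectionStrings, which the worker-process identity should not have (section 2). In practice the encryption step is run once at deployment from an administrator prompt, `aspnet_regiis -pe "connectionStrings" -app "/YourApp"`, and only the read path runs inside the application.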
8. Use Cookies Securely
Cookies are an easy and useful way to keep user-specific information available. However, because cookies are sent to the browser's computer, they are vulnerable to spoofing or other malicious use. Follow these guidelines:
Do not store any critical information in cookies. For example, do not store a user's password in a cookie, even temporarily. As a rule, do not store any sensitive information in a cookie. Instead, keep a reference in the cookie to a location on the server where the information is located.
Set expiration dates on cookies to the shortest practical time you can. Avoid permanent cookies if possible.
Consider encrypting information in cookies.
Set the Secure and HttpOnly properties on your cookies to true, so that they are sent only over HTTPS and cannot be read by client-side script.
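The reference-not-data pattern with all of the flags above applied. This is an added example, not code from the original article; the in-memory dictionary standing in for the server-side store, the cookie name and the 20-minute lifetime are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;

// Added example, not code from the original article: the cookie carries only
// an opaque, randomly generated reference; the sensitive value it stands for
// stays in a server-side store. The static dictionary below is a placeholder
// for Session state, a cache or a database table (assumption), and the cookie
// name and lifetime are assumptions too.
public static class SecureCookies
{
    public const string CookieName = "SessionRef";

    private static readonly Dictionary<string, string> Store = new Dictionary<string, string>();

    // 32 bytes from the CSPRNG, hex-encoded: unguessable, and free of characters
    // that have meaning in a Set-Cookie header.
    public static string NewReference()
    {
        byte[] bytes = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    // Keep the sensitive value server-side; hand the browser only the reference.
    public static HttpCookie Issue(string sensitiveValue)
    {
        string reference = NewReference();
        Store[reference] = sensitiveValue;

        HttpCookie cookie = new HttpCookie(CookieName, reference);
        cookie.HttpOnly = true;                           // not readable by client-side script
        cookie.Secure = true;                             // sent only over HTTPS
        cookie.Expires = DateTime.UtcNow.AddMinutes(20);  // shortest practical lifetime
        cookie.Path = "/";
        return cookie;
    }

    // Resolve the reference back to the value; null if the cookie is missing or unknown.
    public static string Lookup(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        string value;
        return Store.TryGetValue(cookie.Value, out value) ? value : null;
    }

    // Log out: drop the server-side entry and tell the browser to discard the cookie.
    public static HttpCookie Revoke(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie != null) Store.Remove(cookie.Value);

        HttpCookie expired = new HttpCookie(CookieName, string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.HttpOnly = true;
        expired.Secure = true;
        expired.Path = "/";
        return expired;
    }
}
```

Because the browser only ever holds a random reference, a stolen or tampered cookie yields nothing beyond the reference itself, and Revoke makes even that worthless. The same flags can be forced site-wide with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` in Web.config.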
9. Guard against Denial-of-Service Threats
An indirect way that a malicious user can compromise your application is by making it unavailable. The malicious user can keep the application too busy to service other users, or, if nothing else, can simply crash the application. Follow these guidelines:
Close or release any resource you use. For example, always close data connections and data readers, and always close files when you are done using them.
Use error handling (for example, try/catch blocks). Include a finally block in which you release resources in case of failure.
Configure IIS to use throttling, which prevents an application from using a disproportionate amount of CPU.
Test size limits of user input before using or storing it.
Put size safeguards on database queries to help guard against large queries using up system resources.
You can also use the requestLengthDiskThreshold attribute of the httpRuntime configuration element to reduce the memory overhead of large uploads and form posts.
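One data-access routine that puts sections 5 and 9 together: the concatenated statement the article warns against sits beside a parameterized query that also releases its connection and reader through using blocks (try/finally), bounds the input length, caps the result set and sets a command timeout. This is an added example, not code from the original article; the Products table, its columns and the connection string are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original article. Table and column names
// (Products, Name, Price) and the connection string are assumptions.
public static class ProductSearch
{
    // Assumed connection string: integrated security, so no password is stored
    // anywhere, and a login that only has SELECT on Products.
    public const string ConnectionString =
        "Server=.;Database=Shop;Integrated Security=SSPI;Connect Timeout=5";

    // VULNERABLE: user input spliced into the statement. A term such as
    //   x' OR 1=1; DROP TABLE Products; --
    // becomes part of the SQL that the server executes.
    public static string BuildUnsafeSql(string term)
    {
        return "SELECT Name, Price FROM Products WHERE Name LIKE '%" + term + "%'";
    }

    // HARDENED: the statement text is constant; the input travels as a typed
    // parameter and can never change the statement's structure.
    public static List<string> Search(string term)
    {
        // Size safeguard before the input is used or stored.
        if (string.IsNullOrEmpty(term) || term.Length > 64)
            throw new ArgumentException("search term must be 1-64 characters");

        // LIKE wildcards in the term would still widen the match, so neutralise them.
        string escaped = term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");

        var results = new List<string>();
        // Each using block compiles to try/finally: connection, command and reader
        // are released even when ExecuteReader or Read throws.
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT TOP (@max) Name, Price FROM Products WHERE Name LIKE @pattern", conn))
        {
            cmd.CommandTimeout = 5;                                      // one slow query cannot hold the worker
            cmd.Parameters.Add("@max", SqlDbType.Int).Value = 100;       // cap the result set
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 70).Value = "%" + escaped + "%";

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.CloseConnection))
            {
                while (reader.Read())
                    results.Add(reader.GetString(0) + " " + reader.GetDecimal(1));
            }
        }
        return results;
    }

    public static void Main()
    {
        string hostile = "x' OR 1=1; DROP TABLE Products; --";
        Console.WriteLine("statement the unsafe version would run:");
        Console.WriteLine(BuildUnsafeSql(hostile));
        // The hardened version rejects nothing here except the length limit;
        // the hostile text simply becomes a literal search pattern.
        foreach (string row in Search(hostile))
            Console.WriteLine(row);
    }
}
```

The parameter is declared with an explicit type and length, so the driver, not string formatting, decides how the value reaches the server. TOP with a parameter, the command timeout and the length check are the three size safeguards the article asks for, applied before the query, on the query and on the result.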
Translation:
Basic Security Practices for Web Applications
Even if your experience with and knowledge of application security is very limited, you should still take some basic measures to protect your Web applications.
The following sections provide minimum-security guidelines that apply to all Web applications.
General Web application security recommendations; run applications with least privilege; know your users; guard against malicious user input; access databases securely; create safe error messages; keep sensitive information safe; use cookies securely; guard against denial-of-service threats.
1. General Web Application Security Recommendations
If a malicious user can get into your computers by simple means, even the most carefully designed application security will fail.
General Web application security recommendations include the following:
Back up data often and keep the backups in a secure place; keep your Web server in a secure place so that unauthorized users cannot access it, shut it down, carry it away, and so on.
Use the Windows NTFS file system, not FAT32.
NTFS offers far more security than FAT32.
Use strong passwords to protect the Web server and all computers on the same network.
Follow best practices for securing Internet Information Services (IIS).
Close