Taiwan


Welcome to the OWASP Taiwan Chapter: "The first step toward website security starts with joining the OWASP Taiwan Chapter."

The chapter chair, [mailto:wayne@owasp.org.tw Wayne Huang (黃耀文)], and the chapter staff sincerely value your participation. Wherever you are, even if you have left only a single online footprint in Taiwan, thank you for being willing to share with everyone, so that we can examine Web security trends, threats, problems and solutions from more and different angles.

The First Official OWASP Asia Conference (OWASP Asia 2007)
Security 3.0 in the Web 2.0 Age: Practices and Challenges of Web 2.0 Security

[OWASP_AppSec_Asia_2007 http://www.owasp.org/images/f/f7/Owasp_taiwan_2007small.png]

Senior executives and chief researchers from multinational companies and security vendors such as Whitehat Security, American Express, Armorize and Qualys are gathering in Taiwan. Do you know how they view Security 3.0 in the Web 2.0 era? What does it mean for Taiwan and the world? And how should governments, enterprises and ordinary users respond? What message do the major security news items of 2007 below convey? The First Official OWASP Asia Conference will be held on September 27 (Thursday) at 1 p.m. in Room 201 of the National Taiwan University Hospital International Convention Center (No. 2, Xuzhou Road, Zhongzheng District, Taipei City). You are welcome to join us and go home richly rewarded! Read more...
 * From May 11, Google began monitoring hacked websites and labelling them as dangerous sites!
 * On May 15, OWASP published the 2007 edition of the Top 10 Web vulnerabilities; Cross-Site Scripting (XSS) took the top spot!
 * On June 6, IBM acquired Watchfire, and HP followed on June 19 by acquiring SPI Dynamics! In the same year, Cenzic was granted a US patent for its penetration-testing technology on June 18!
 * Web 2.0 security threats, how to respond, Security 3.0, and real-world case studies?

The First Taiwan Hacker Conference (HIT 2007)
The First Taiwan Hacker Conference (HIT 2007) concluded successfully on July 21 (Saturday) and 22 (Sunday), 2007 at the Gongguan campus of National Taiwan University of Science and Technology, with an unprecedented turnout. For details, see the official HIT 2007 website: http://www.owasp.org/images/b/b5/Owasp_taiwan_HIT-linkLOGO.gif http://hitcon.org

We welcome your participation
Joining the OWASP Taiwan Chapter is free of charge, and membership is fully open to anyone interested in application security. We encourage members to share their knowledge with the OWASP Taiwan Chapter and to give talks on special topics. Before joining, please read each of the membership terms carefully. To join the chapter's mailing list, go to the mailing list page; all event discussions and venues will be arranged through this list. You can also find our earlier discussions in the email discussion archive. Finally, a reminder: before attending an event, check your mailing-list messages again to confirm the venue and time, or any changes to the event.

About OWASP
OWASP (Open Web Application Security Project) is an open-community, non-profit organization with 82 chapters and nearly ten thousand members worldwide. Its main goal is to develop and help deliver standards, tools and technical documents that address Web software security, and it has long been committed to helping governments and enterprises understand and improve the security of Web applications and Web services. As the range of applications grows, Web application security has gradually received more attention and is becoming a hot topic in the security field; at the same time, hackers have shifted their focus to the weaknesses introduced during Web application development as the way to attack and cause damage.

The US Federal Trade Commission (FTC) strongly recommends that all enterprises follow the protection guidelines for the Top 10 Web vulnerabilities published by OWASP. The US Department of Defense also lists it as a best practice, and the international payment card data security standard PCI lists it as a required component. OWASP currently has more than 30 active projects, including the well-known OWASP Top 10 (ten major Web vulnerabilities), the WebGoat ("scapegoat") practice platform, and the secure PHP/Java/ASP.Net projects, each discussing and researching a different software security problem.

Once your organization decides to offer Web services, it must allow Web requests from all over the world to reach the Web servers inside the organization. By hiding inside legitimate-looking Web requests, hackers can evade detection by firewalls, intrusion detection systems or other defenses, and so easily get inside the organization or use its website as a stepping stone and relay for attacks on other victims. This means that an enterprise's Web application code must also be covered by the organization's overall security protection; as the scale and complexity of an organization's Web services grow, so does its exposure to external risk.

OWASP Taiwan Chapter

 * Website: http://www.owasp.org.tw
 * Email: info@owasp.org.tw
 * Mailing list: owasp-taiwan@lists.owasp.org
 * Address: Room 554, 5F, Building E, No. 19-13, Sanchong Road, Nangang District, Taipei City 115 (Nangang Software Park)

Chapter meetings are held several times a year, typically in the offices of our sponsor.

Please subscribe to the mailing list for meeting announcements.

Join the OWASP Taiwan Chapter for free

Joining the OWASP Taiwan Chapter is free of charge. For how to become a member, see "How to become a member" at the bottom of this page.

OWASP Taiwan Chapter blog
Need Chinese-language security intelligence, technical analysis and market information?

You are welcome to visit the OWASP Taiwan Chapter blog often

http://www.owasp.org/images/d/da/OWASP_Banner_Blog.png

How to become a member
You are welcome to join the OWASP Taiwan Chapter for free. There are three ways to join: online registration, email registration and fax registration. Chapter staff will keep all members informed of the latest OWASP event information and seminar agendas.

Online registration
Click here to fill in the online registration form

Email registration
Please email [mailto:info@owasp.org.tw info@owasp.org.tw] to join the Taiwan Chapter, stating the following information:
 * 1) Name
 * 2) Organization
 * 3) Job title
 * 4) Email address
 * 5) Contact phone number

Fax registration
Please print this registration form, fill it in and fax it to (02)6616-1100.



Recent news

 * Web application security seminar: from July 22, 2008, the software security technology seminar for government agencies organized by the Executive Yuan Research, Development and Evaluation Commission and the technical center of the National Information and Communication Security Taskforce introduces case studies based on the Web Application Security Reference Guide, so that agencies understand possible Web application weaknesses, and provides a reference for internal and external management at each agency.

 * Web security news: on June 11, 2007, iThome reported "Website security is collapsing; if it's not secure, there are no customers", following up in depth on Google's new measures against malicious websites: sites with security problems are labelled with a warning in search results, and users are prevented from browsing to them directly.

 * OWASP Taiwan Chapter exhibition: on April 16-18, 2007, the Taipei International Information Security Expo (http://www.secutech.com/tw/is/index.asp) opens. The OWASP Taiwan Chapter invites you to visit booths A402 and A404 to receive a Web security CD and to try for yourself automated source-code analysis technology that outperforms traditional security testing methods such as penetration testing and vulnerability audits.

 * Web security news: on April 11, 2007, iThome reported "OWASP Taiwan Chapter founded, free membership drive under way; publishes the trend of aligning Taiwan's Web security protection with the world".

 * Web security news: on April 9, 2007, Apple Daily reported that 25 official websites closely tied to everyday life in Taiwan, including ESPN's sports channel, had since March been successively implanted with Trojan backdoors by hackers. Through "zero-day attacks" (attacks for which the software vendor has no patch yet), innocent users' computers were infected simply by browsing the Web: in milder cases accounts and passwords were stolen and identities misused, and in severe cases confidential data was leaked or money was lost.

 * Web application security seminar: from March 27 to April 11, 2007, the touring seminar on government information and communication security protection organized by the Executive Yuan Research, Development and Evaluation Commission and the technical center of the National Information and Communication Security Taskforce covers security development trends and the information security of network application services; staff responsible for information and communication security at government agencies are warmly invited to attend. NEW! Download the seminar handouts

 * Web security news: on March 21, 2007, the China Times reported "Taiwan ranks second among the least safe countries to go online": a joint observation of Taiwan's network security by the Ministry of Justice Investigation Bureau, the Criminal Investigation Bureau and other agencies found that the information security threat to Taiwan's networks is the second highest in Asia, after only China. Since the start of 2007 there have been on average 5 hacker intrusion incidents per day.

 * Web security news: on March 8, 2007, ETTV News reported "Taiwan ranks first in hacker attack incidents; 90% of banks have been breached". Yet many enterprises, citing a lack of budget, are unwilling to add protective equipment and staff; after hackers have broken in and defaced their web pages, they do not understand the serious implications, simply restore the pages without adding any protection, and one single enterprise was even hacked as many as 82 times in a row. Original news link



Five major security predicaments of websites and Web services

 * 1) Shortage of IT staff
 * 2) Lack of specialist knowledge in the security field
 * 3) Acceptance testing focused mainly on functionality
 * 4) Lack of automated tools
 * 5) Cost- and schedule-driven project models that work against ensuring project quality

The Top 10 Web security vulnerabilities

 * A1. Cross Site Scripting (XSS): the Web application sends executable content from a user's request straight back to the browser, where it runs, allowing an attacker to capture the user's Cookie or Session data and log in directly as a legitimate user.
 * A2. Injection Flaw: the Web application executes malicious commands that come from outside, including commands sent to the database; attacks such as SQL Injection and Command Injection fall in this category.
 * A3. Malicious File Execution: the Web application includes a malicious file from an external source and executes its contents.
 * A4. Insecure Direct Object Reference: an attacker uses the Web application's own file-reading function to access arbitrary files or important data; an example is http://example/read.php?file=../../../../../../../c:\boot.ini.
 * A5. Cross-Site Request Forgery (CSRF): a legitimate user who is already logged in to the Web application is made to issue a malicious HTTP request, but the Web application treats it as a legitimate request, so the malicious request is carried out normally; examples include malicious HTTP requests hidden in QuickTime or Flash videos shared on social networking sites.
 * A6. Information Leakage and Improper Error Handling: the Web application's runtime error messages contain sensitive data; examples include disclosure of system file paths or database column names.
 * A7. Broken Authentication and Session Management: the authentication-related functions written by the Web application's own developers are flawed.
 * A8. Insecure Cryptographic Storage: the Web application does not encrypt sensitive data, uses weak encryption algorithms, or stores keys where they are easily obtained.
 * A9. Insecure Communication: sensitive data is transmitted without HTTPS or other encryption.
 * A10. Failure to Restrict URL Access: some pages have no access control, so an attacker can reach them directly by URL; examples include allowing Wiki or Blog page content to be modified directly.
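As an added example (not part of the original page), the following Python shows, for three items on the list above, the defect beside its fix: A1 with unescaped versus escaped HTML output, A2 with string-built versus parameterized SQL, and A4 with the page's own `read.php?file=../../../c:\boot.ini` style of traversal refused by resolving the requested path and checking that it stays under the base directory. The function names, the in-memory `users` table and the sample inputs are all constructed for this example.

```python
"""Added example (not from the OWASP Taiwan page): the defect beside its fix
for Top 10 2007 items A1 (XSS), A2 (SQL injection) and A4 (path traversal)."""
import html
import sqlite3
from pathlib import Path


# --- A1: Cross Site Scripting -----------------------------------------------
def render_greeting_vulnerable(name: str) -> str:
    # User input is dropped into HTML unescaped, so any markup in `name` is
    # parsed and executed by the browser.
    return f"<p>Hello, {name}!</p>"


def render_greeting_hardened(name: str) -> str:
    # html.escape turns < > & " ' into entities; the browser renders text, not tags.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- A2: Injection Flaw (SQL) -----------------------------------------------
def demo_db() -> sqlite3.Connection:
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation: the input becomes part of the SQL grammar, so a
    # quote in the input can change the meaning of the WHERE clause.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Parameter binding: the driver always treats the input as a value.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- A4: Insecure Direct Object Reference (file read) -----------------------
def resolve_download(base_dir: Path, requested: str) -> Path:
    """Map a user-supplied file name to a path that must stay inside base_dir.

    Raises ValueError when the resolved path escapes base_dir, which is what
    happens to the page's example request of ../../../../../../../c:\\boot.ini.
    """
    base = base_dir.resolve()
    target = (base / requested).resolve()
    # Compare resolved Path objects, not string prefixes: a prefix check would
    # wrongly accept a sibling directory such as "/var/www2" under "/var/www".
    if target != base and base not in target.parents:
        raise ValueError(f"request escapes base directory: {requested!r}")
    return target


def is_safe_request(base_dir: str, requested: str) -> bool:
    """True when the request stays inside base_dir (convenience wrapper)."""
    try:
        resolve_download(Path(base_dir), requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(payload))
    print(render_greeting_hardened(payload))
    conn = demo_db()
    tautology = "' OR '1'='1"
    print(find_user_vulnerable(conn, tautology))  # both rows: WHERE clause bypassed
    print(find_user_hardened(conn, tautology))    # []: no user has that literal name
    print(is_safe_request("uploads", "report.txt"),
          is_safe_request("uploads", "../../../../../../../c:\\boot.ini"))
```

The A4 check is the one that is most often done wrongly: comparing the resolved `Path` objects rather than string prefixes, and resolving before comparing, is what defeats both `..` sequences and sibling-directory names.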

The new Top 10 published by OWASP reflects the current state of attacks. This year, for example, Cross-Site Scripting (XSS) has moved to the top of the ten, which faithfully reflects how phishing and fraud attacks currently abuse XSS. In fact, the US Department of Defense's BSI project (Build Security In, https://buildsecurityin.us-cert.gov/) and the CVE vulnerability list of the Mitre research organization (http://cve.mitre.org/) also show that 1) Cross Site Scripting and 2) SQL Injection have for two consecutive years been listed as the world's most serious security weaknesses.

ç´æ¥èç¨å¼ç¢¼å®å¨åè³ªæé

 * [å¿è¦*]A1. è·¨ç¶²ç«å¥ä¾µå­ä¸²(Cross Site Scripting)
 * [å¿è¦*]A2. æ³¨å¥ç¼ºå¤±(Injection Flaw)
 * [å»ºè­°*]A3. æ¡ææªæ¡å·è¡(Malicious File Execution)
 * [å»ºè­°*]A4. ä¸å®å¨çç©ä»¶åè(Insecure Direct Object Reference)
 * [é¸æ*]A5. è·¨ç¶²ç«è¦æ±å½é  (Cross-Site Request Forgery)

* OWASPå°ç£åæå¼·çå»ºè­°åå®ä½å¨é²è¡æºç¢¼æª¢æ¸¬æï¼å°¤ä»¥æ¿åºæ©é(æ§)ï¼æéµå¾ªæ¿åºè³éå®å¨ä½æ¥­è¦ç¯(http://www.giscc.org.tw) ä¹ãWebæç¨ç¨å¼å®å¨åèæå¼ãï¼ä¸¦å°1è2åçºå¿è¦æª¢æ¸¬é ç®ï¼3è4åçºå»ºè­°æª¢æ¸¬é ç®ï¼è5åçºé¸ææª¢æ¸¬é ç®ã

ï¼å¨å¯¦åæ¡ä¾ä¸ï¼æª¢æ¸¬ä¸¦ä¿®æ­£1è2å³å¯é¿åçµå¤§å¤æ¸çWebè³å®å¨èã

Indirectly caused by the vulnerabilities above, or related to the Web server and external configuration

 * Information Leakage and Improper Error Handling
 * Broken Authentication and Session Management
 * Insecure Cryptographic Storage
 * Insecure Communications
 * Failure to Restrict URL Access
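Added example, not from the page: a minimal server-side check in Python for two items discussed above, A5 (Cross-Site Request Forgery) from the Top 10 list and A10 (Failure to Restrict URL Access) from this list. State-changing requests must carry a per-session synchronizer token that a cross-site page cannot read, and every URL is checked against a deny-by-default role table, so a Wiki edit page cannot be reached just by knowing its address. `SessionStore`, `ROUTE_ROLES` and `authorize` are names invented for this example.

```python
"""Added example (not the page's own code): synchronizer-token CSRF check (A5)
and deny-by-default URL authorization (A10) on an in-memory session store."""
import hmac
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal session table: session id -> {user, role, csrf_token}."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def login(self, user: str, role: str) -> str:
        # Both the session id and the CSRF token come from a CSPRNG.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "role": role,
            "csrf_token": secrets.token_urlsafe(32),
        }
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        return self._sessions.get(sid) if sid else None


# Role required for each protected URL. Anything not listed is denied, so a
# page that is merely not linked from a menu is still protected (the A10 fix).
ROUTE_ROLES = {
    "/wiki/edit": "user",
    "/admin/users": "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    # The form must echo the per-session secret back. A forged request from
    # another site carries the cookie automatically but cannot include the token.
    if not submitted:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(session["csrf_token"], submitted)


def authorize(store: SessionStore, path: str, method: str,
              cookie_sid: Optional[str], form_token: Optional[str] = None) -> str:
    """Return 'ok', 'login', 'forbidden' or 'csrf' for one request."""
    session = store.get(cookie_sid)
    if session is None:
        return "login"
    required = ROUTE_ROLES.get(path)
    if required is None or ROLE_RANK[session["role"]] < ROLE_RANK[required]:
        return "forbidden"
    if method == "POST" and not csrf_token_valid(session, form_token):
        return "csrf"
    return "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("bob", "user")
    token = store.get(sid)["csrf_token"]
    # Constructed requests: a forged POST without the token is rejected,
    # the same POST with the token is accepted, and an admin URL is denied.
    print(authorize(store, "/wiki/edit", "POST", sid))            # csrf
    print(authorize(store, "/wiki/edit", "POST", sid, token))     # ok
    print(authorize(store, "/admin/users", "GET", sid))           # forbidden
```

The order of the checks matters: authentication first, then the URL-level authorization, then the CSRF token, so that an unauthenticated or unauthorized request never gets as far as the token comparison.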

Member List
Coming up soon!
