#OWASPTop10
darkcrypto289 · 2 months ago
駭客脈動中心 (Hacker Pulse Center) website vulnerability scanning service
0 notes
joelekm · 4 months ago
Real World CSP Evaluation | CyberSecurityTV
🌟Content Security Policy provides defense in depth against XSS and other injection vulnerabilities. Let's look through the Facebook CSP policy for evaluation. This tool is a very easy way to review and evaluate CSP.
0 notes
teksecurity · 1 year ago
OWASP Top10
A web application security awareness document.
It represents a broad consensus on the most critical security risks to web applications.
Recognised worldwide by developers as the first step towards more secure coding.
Companies should adopt this document and start the process of ensuring that their web applications minimise risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing an organisation's software development culture into one that produces more secure code.
0 notes
varamacreations · 2 years ago
How To Generate Secure PGP Keys | CyberSecurityTV
🌟In the previous episodes we learned about encryption and decryption. Today, I will show you a couple of methods to generate PGP keys and we will also see some of the attributes that we need to configure in order to generate a secure key. Once you have the key, we will also see how to use them to securely exchange the information.
0 notes
cdn07com · 2 months ago
CDN07 No-ICP-Filing High-Defense CDN: 9 Years of Hands-on Experience Building a Global Security and Acceleration Barrier
Today, as cybersecurity threats and the demands of globalised business surge together, balancing "fast launch", "security protection" and "global acceleration" has become a core issue for enterprises. As a technology pioneer with 9 years in the industry, CDN07 has since 2014 used "technical innovation + real-world hardening" as its twin engines to build a high-defense CDN solution that combines the convenience of no ICP filing with enterprise-grade protection. By 2023 it had blocked more than 100,000 DDoS attacks for over 5,000 enterprises, and its three-in-one architecture of "global nodes + terabit-class protection + AI intelligence" is redefining the security standard for cross-border network infrastructure.
1. Nine years of technical depth: expanding the security map from Asia to the world
CDN07's technical evolution has always been tightly bound to industry pain points:
- 2017: Developed an in-house BGP intelligent defense system, breaking through the filing and protection bottlenecks in the Asia-Pacific region and offering cross-border e-commerce and streaming platforms the first integrated "no filing + high defense" solution;
- 2020: Completed a layout of 30+ core nodes worldwide (covering 8 major regions including Asia-Pacific, Europe, the Americas and the Middle East), launched a cryptocurrency payment ecosystem supporting anonymous settlement in mainstream tokens such as USDT, and served more than 2,000 Web3.0 companies in the first year;
- 2022-2023: Further upgrades: an AI-driven traffic scrubbing system reached a single-point peak defense of 1.5 Tbps, and a hybrid "edge computing + deep threat analysis" architecture was built together with AWS and Cloudflare, handling 1,500+ cross-border attacks per day with protection accuracy raised to 99.99%.
Data point: after a fintech company connected to CDN07, filing time fell by 80% and the launch cycle for new products shrank from 30 days to 1 day; at the same time, transaction interruptions caused by DDoS attacks dropped from an average of 12 per month to 0, and its business stability was certified by international regulators.
2. Seven core advantages: redefining the value benchmark of high-defense CDN
1) Global node strategy: king of Asia-Pacific coverage, real-time coordinated acceleration
- Leading node density: 15+ nodes deployed in Asia-Pacific (Hong Kong, Singapore, Tokyo, etc.), covering 80% of Asian users, 30% more nodes than comparable CDNs, with local access latency as low as 20 ms;
- Distributed intelligent scheduling: Anycast enables seamless cross-region traffic coordination, the static resource cache hit rate reaches 92%, dynamic content routing efficiency improves by 40%, and users worldwide get a "local server" level experience;
- High-availability guarantee: a multi-point redundant architecture ensures automatic failover when a node fails, network availability reaches 99.99%, eliminating the "single point of collapse" risk.
2) Terabit-class distributed protection: from traffic floods to precise interception
- Multi-layer filtering: combines network-layer BGP traffic scrubbing (50 G to 1.5 Tbps elastic bandwidth), application-layer WAF rules (defending against OWASP Top 10 vulnerabilities) and data-layer IP cloaking into a layered defense matrix;
- Zero-interruption experience: during a peak attack (over 800 Gbps) on a game company, API response latency rose by only 5 ms and users barely noticed, overturning the industry pain point that "an attack means an outage";
- Elastic scaling: protection bandwidth can be upgraded on demand, from 50 Gbps basic protection for a small blog to enterprise-grade 1 T+ custom plans, fitting businesses of every scale.
3) AI intelligent defense system: letting protection policies "evolve on their own"
- Real-time dynamic scrubbing: the AI engine learns continuously from 200,000+ attack samples, automatically identifies new CC attacks (such as mutated-fingerprint attacks), and cuts scrubbing policy update time from 24 hours of manual tuning to 30 seconds;
- Millisecond response: machine learning predicts attack peaks and starts bandwidth expansion and node load balancing 5 seconds in advance, with interception efficiency 70% higher than traditional rule engines;
- Adaptive tuning: protection strength is matched automatically to scenarios such as financial trading or live streaming (for example, strict human verification on transaction pages and relaxed access limits on static pages), finding the best balance between security and experience.
4) Real-time big-data monitoring: making the security state "visible end to end"
- Full-chain data tracking: a real-time traffic dashboard shows 20+ core metrics such as per-node bandwidth usage, attack type distribution and page load speed, and abnormal traffic fluctuations automatically trigger email/SMS alerts;
- Intelligent policy tuning: based on analysis of 10 TB+ of traffic data per day, node caching policies and protection thresholds are adjusted dynamically; one e-commerce platform raised home page load speed by 35% and cut the attack false-positive rate to 0.05% through data-driven tuning;
- Decision support tools: export PDF security reports with attack interception records and performance optimisation suggestions, helping enterprises pass compliance certifications such as ISO 27001.
5) Solutions for every scenario: not just generic protection, but an understanding of industry pain points
- Finance: a customised "transaction link encryption + precise API protection" plan that supports PCI-DSS compliance and defends payment interfaces against credential stuffing and data theft;
- Web3.0: compatible with blockchain node deployment, provides an API for anonymous USDT payment integration, and protects smart-contract platforms from combined DDoS and DNS hijacking attacks;
- Game streaming: a "real-time stream acceleration + anti-cheat SDK" that lowers mobile latency to 150 ms while blocking traffic-spoofing attacks from cheat programs.
6) Fully anonymous payment ecosystem: privacy protection and global settlement
- Cryptocurrency friendly: supports payment in mainstream tokens such as USDT (ERC-20/TRC-20) and BTC, decentralised settlement needs no bank account, and transaction records are stored on-chain and tamper-proof;
- Anonymous deployment: registration needs only an email address, with no company credentials or personal identity information, protecting data privacy from onboarding to payment, particularly suited to sensitive-content platforms;
- Open ecosystem: no restrictions on domain content type (such as forums or UGC communities), breaking the "content review" shackles of traditional CDNs and building a secure, open network environment.
7) Mature pricing and service system: accompanying customers from startup to enterprise
- Flexible plans: Basic at USD 800/month (50 Gbps protection + 15+ Asia-Pacific nodes), Enterprise up to USD 5,000/month (1.5 Tbps protection + full node coverage), with pay-per-traffic billing and bandwidth peak alerts to avoid wasted resources;
- Full-chain service: 24x7 multilingual technical support (Chinese, English, Japanese plus technical documentation) with an average response time of 8 minutes; a dedicated account manager helps customise the plan, with everything from DNS resolution to attack-and-defense drills fully managed;
- Continuous iteration: protection algorithms and node configurations are updated every quarter, with 12 major upgrades released in 2023, ensuring customers always use industry-leading protection.
3. Three flagship products: precisely matched to different business scenarios
1) High-defense servers: Hong Kong/mainland with no filing, the first choice for high-concurrency scenarios
- Hardware: latest Intel Xeon processors + enterprise SSDs, 500,000+ IOPS per node, 10 Gbps ports for burst traffic;
- Scenarios: Game servers: low-latency Hong Kong nodes for Southeast Asian players, with a built-in anti-CC module keeping login servers stable; Financial trading: mainland no-filing servers support Shanghai-Shenzhen-Hong Kong Stock Connect data exchange, with hardware-level encryption protecting user transaction data;
- Differentiation: compared with traditional servers, deployment time drops from 3 days to 2 hours and attack response is 60% faster.
2) High-defense CDN: the "twin engines" of security and speed
- Core capability: global node acceleration + terabit-class traffic scrubbing in one, with HTTP/2 and QUIC support, improving page load speed by 65% on average;
- Technical highlights: an intelligent DNS system recognises the user's region and prefers nodes on the same continent; dynamic content is handled by edge computing, reducing origin load by 70%;
- Case: after a cross-border e-commerce site adopted it, order page load time for European and American users fell from 4 s to 1.5 s, 100% of traffic attacks during promotions were blocked, and GMV rose 22% year on year.
3) App protection solution: security armour for the mobile era
- Product matrix: App Shield: lightweight SDK integration providing data encryption and device fingerprinting, defending against malicious packet capture and reverse engineering; Game Shield: for real-time mobile game battles, optimises UDP transmission efficiency while preventing the disconnect-and-reconnect problems caused by DDoS;
- Technical advantage: supports both iOS and Android, with onboarding cost 40% lower than traditional security solutions; after one hit mobile game adopted the protection, cheat detection rose to 98% and user retention improved 15%.
4. Three reasons to choose CDN07: not just a product, but a security partner
- Proven experience: over 100,000 attacks handled in 9 years, protecting leading customers in 8 sectors including finance, gaming and Web3.0, with attack and defense strategies validated in the field;
- Independent technology: the core engine is 100% in-house, with no dependence on third-party plugins, and independent intellectual property from traffic scrubbing to AI algorithms;
- Global compliance: servers are deployed in jurisdictions with data privacy laws such as Seychelles and the United States, supporting international requirements such as GDPR and CCPA, helping enterprises go global without obstacles.
Conclusion
Faced with the three challenges of "cumbersome filing, frequent attacks and inefficient cross-border delivery", CDN07's no-filing high-defense CDN offers the best answer through "technical depth + scenario customisation": from king of Asia-Pacific node density to pioneer of terabit-class protection, from AI defense to a fully anonymous payment ecosystem, every innovation targets an industry pain point. Whether you are a startup that needs to launch fast or a multinational pursuing the utmost security, CDN07 can build you a global network defense line that is "secure without blind spots, fast without latency, compliant without worry".
0 notes
sanjaycr · 2 years ago
Content Security Policy provides defense in depth against XSS and other injection vulnerabilities. Let's look through the Facebook CSP policy for evaluation. This tool is a very easy way to review and evaluate CSP.
0 notes
thehackerthings · 3 years ago
How to find SSRF? #bugbountytips #bountyhunters #bughead #owasptop10 #api #hackerspace #hackerone #bugcrowd #intigriti https://www.instagram.com/p/CldQYIhtDKb/?igshid=NGJjMDIxMWI=
1 note · View note
spurtcommerce · 4 years ago
A Good eCommerce Solution is measurable:
1. It should perform outside of a test environment.
2. It should abide by the rules and principles of web security.
3. It should provide the perfect solutions that can facilitate eCommerce business needs.
4. It should have the best UI through which the Users can thoroughly interact with the eCommerce Portal.
The journey of Spurtcommerce from V.1.0 to V.4.5 has been fruitful and has brought our solution into a good shape to meet the highly demanding eCommerce industry. For more information on our V.4.5 release, please refer to https://www.spurtcommerce.com/nodejs-shoppingcart-ecommerce-whatsnew #ecommerce #security #owasp #owasptop10 #websecurity #websecuritysolutions #websecurityservices #b2b #b2becommerce #b2c #b2cecommerce #opensourcesoftware #opensourcedevelopment #onlineecommerce #ecommercemarketplace #ecommercesolutions #opensourcecommunity #opensource #nodejsecommerce #spurtcommerce #ecommercefeatures #ecommercetrends #ecommercenews https://www.instagram.com/p/CQYTvV3j-M3/?utm_medium=tumblr
0 notes
gustavoalara · 6 years ago
#owasp #owasptop10 #iot https://www.instagram.com/p/B0RbGsaoLjl/?igshid=y650pfxc7ebk
0 notes
markiis · 6 years ago
The rise of Stored XSS - an OWASP Application Security Threat! What precautionary measures are you taking? #owasp #owasptop10 #owaspeaker #owasplatamtour #owaspkyiv #owaspmanizales #owaspa #owaspzap #owasplatamtour2018 #owaspseasides #owasp2017 #owasplondon #owaspmemphis #owasplatamtour2017 #owaspnagoya #owaspicy #owaspbsb #owasphotography #owaspthailand #owaspday2016 #owaspjuiceshop #owaspht #owasp758 #owaspseguridadcodigolibre #owaspjapan #owaspbayarea #owaspindonesiaday2017 #owasprivieramaya #owasplatamtour2016 #owaspnagpur https://www.instagram.com/p/BwpOLs1nIqH/?utm_source=ig_tumblr_share&igshid=1bocegazc8kkn
0 notes
owaspjapan · 8 years ago
OWASP Top10 2017 Japanese edition released!
We have released the Japanese edition of the recently published OWASP Top10 2017. The released document can be downloaded from the OWASP Japan website.
The changes from the previous version, OWASP Top10 2013, are shown in the figure below.
Figure: Changes from the 2013 edition
In the 2017 edition, A8-CSRF and A10-Unvalidated Redirects and Forwards from the 2013 edition have dropped out of the ranking, while A4:2017-XXE, A8:2017-Insecure Deserialization and A10:2017-Insufficient Logging and Monitoring are new entries. We particularly hope you will review the content of the newly ranked risks and consider and assess them. That said, as the document itself says, do not stop at 10: the risks that dropped out of the ranking mentioned above are just examples of other risks that also need to be considered and assessed. The 2017 edition also refers to "web applications and 'APIs'", extending and emphasising the scope of risk in keeping with the times, and includes supplementary information on why the results came out as they did.
When one hears OWASP Top10, attention tends to focus on the Top 10 risks discussed so far, but the later sections such as "What's Next for Developers" and "What's Next for Organizations" are also well worth reading. The 2017 edition adds "What's Next for Security Testers" and "What's Next for Application Managers", allowing people in each role to understand more broadly what they should do going forward.
The OWASP Top10 also references other OWASP projects such as the OWASP Software Assurance Maturity Model (SAMM) and the OWASP Application Security Verification Standard (ASVS). You can therefore also use the OWASP Top10 as an introduction to OWASP projects.
We hope that referring to the OWASP Top10 and the various OWASP projects helps you strengthen your web security.
0 notes
joelekm · 4 months ago
Difference and Advantages of VPC, ACL and SG | CyberSecurityTV
We have heard these terms many times but probably have not clearly understood them or their security benefits. In this episode, we will cover the differences between these tools, their security features, and what protection they provide against different types of threats.
0 notes
douglas-bernardini · 4 years ago
What’s New in the OWASP Top 10 2021, after several years without change? Latest list with major step forward.
https://secure-devs.net/whats-new-in-the-owasp-top-10-2021-douglas-bernardini/
0 notes
varamacreations · 2 years ago
Real World CSP Evaluation | CyberSecurityTV
🌟Content Security Policy provides defense in depth against XSS and other injection vulnerabilities. Let's look through the Facebook CSP policy for evaluation. This tool is a very easy way to review and evaluate CSP.
0 notes
realdragonbe · 8 years ago
Listening to Reiners talking about security state of open source applications at phpworld #phpworld #security #owasptop10 #php (at Sheraton Tysons Hotel)
0 notes
eendacott-blog · 6 years ago
[Wk7] Lectures
Mid-Sem Exam:
- Q5. President of country - think about perspective [F] Type I or Type II Error
- Q10. What are the properties of Merkle Puzzles? -> easy for good, hard for bad
- Proof of liveness (Challenge/Response) -> stops replay attacks; someone is on the other end, not just a message
Diffie Hellman:
- How to do things without a pre-shared secret? Solution: not for encrypting a message but for sharing a secret
  (5^3)^7 = ...125        (a^b)^c = a^(bc)        (5^7)^3 = ...125
- Conversation:
  "Let's use 5 as the base"
  "You think of a number S (e.g. 3) and I'll pick a number R (e.g. 7)"
  "The base of my number is 78125 (5^7)"
  "The base of your number is 125 (5^3)"
  "I'm going to raise your number to mine (125^7)"
  "You raise your number to my base (78125^3)"
  Others can see a^b and a^c but can't figure out (a^b)^c or (a^c)^b.
- Krak des Chevaliers -> defence in depth. Social engineering -> posed as leader and told them to surrender
1. Cyber Literacy - Vulnerability
Vulnerability - something you can exploit
Software Bug - sometimes a vulnerability
TYPES:
- Memory corruption (as a user you should not be able to change it)
  - Buffer Overflow
  - Stack "first in, last out" - all your frozen programs
  - Heap - when the amount of space you need isn't known at compile time, e.g. opening multiple tabs
  - A function in C ends and has a return address which tells the system where to jump to next
- Format String:
- Integer Overflow -> wraps around and tricks the system; any code was vulnerable but then patched -> Google Hacking analogy
- Format string vulnerabilities are making a comeback
  - e.g. printf("%s\n", "Hello World!"); vs printf("Hello World!\n");
  - name -> printing the input name: printf(name);
  - prints from the stack
    - printf("Richard %s"); OR
    - name = "%x%x%x%x%x...%x"
  - %n -> writes to memory
- Swiss cheese analogy of the holes lining up
EXPLOIT:
- Shell code -> private shell with commands (remote shell) -> can do privilege escalation in the shell
- NOP sled -> before your code do a whole lot of do-nothings (nop) and then it will eventually get to your malware -> protectors started looking for nops, so other random instructions were used instead, such as adding one to a register and then subtracting one from the same register
Responsible Disclosure -> Vendor -> CERT (e.g. CERT Australia) -> Most common vulnerabilities, but every year the Top 10 are the same because no one fixes them.
Web: OWASP Top 10
Book: Mark Dowd - AOSSA
2. Security Engineering - Assets
-> Work out what all the things you should be protecting are and their relative value to you.
Strategies for Identifying Assets (Enumerating):
- Regularly survey the values of the people involved in what you are protecting
  -> Multiple pairs of eyes is a good asset, limiting the blind spots
- Develop a sensible plan - well designed to tease this information out of them. Humans are generally poor at regurgitating everything they know, however they are generally very good critics
- Periodically revise the current list of assets
  -> Don't set and forget. Values and assets of an organisation can drift
Examples:
1. Team America
2. Richard's Wallet vs Richard with AIDS
3. Car doorbell
4. Leaving window open? - Because the asset is the window not the money inside the car
5. Share registry - no more paper trails, everything is recorded electronically
6. HOMEWORK: read up about the NSW LPI and think about what assets they have and what risks arise from them having been privatised
7. Coke
8. Parliament - a collection of people that hold particular importance together.
VALUING THE ASSETS
Categorising Types of Assets
- Tangible Assets: Those that are easily given a value
  - A gold chain valued at some relatively static amount
  - The jewellery in a jewellery store
- Intangible Assets: These cannot easily and objectively be valued.
  - Employee morale and security
  - Customer information
  - Company secrets
  - Availability of services
- Monetary + psychological/emotional costs
- Difficult <> Don't Do
Examples:
- Company secret - what is at stake?
- QoS Guarantees
Strategies for Assigning Values to Assets:
-> Survey what many people think
- No single person/group should be solely evaluating the assets
- Examples of the information that should be gathered are as follows:
  - "How much money would you lose were this data centre to go down for 24 hours?"
  - "How much will you lose if your company is disconnected from the internet for 3 hours?"
- Examples:
  - In assessing the value of a park
  - Picasso
Bug Bounty
- Crowdsourced Bug Bounty Websites (e.g. Hacker101)
- Tips:
  - Stay in scope
  - Look for assets that have changed recently
  - Look for publicly disclosed reports
Process:
1. Find a program
2. Review scope
3. Find target via recon
4. Hit and find vulnerabilities
5. Write a report
6. Submit it
Bug Puzzles
- Example 1: length is unsigned
- Example 2: lack of brackets so it always does the memcpy
Fuzzing is a quality assurance technique used to discover coding errors and security loopholes in software, operating systems or networks. Different types of fuzzers:
1. A fuzzer can be generation-based or mutation-based depending on whether inputs are generated from scratch or by modifying existing inputs,
2. A fuzzer can be dumb or smart depending on whether it is aware of input structure, and
3. A fuzzer can be white-, grey-, or black-box, depending on whether it is aware of program structure.
Why is fuzzing effective? -> capable of generating many tests
Heartbleed Bug -> handshake.cc
Pen Testing
-> Authorised simulated cyberattack on a computer system to evaluate security risks.
Repercussions:
- Data breach
- Ransomware
Why?
- Allows you to discover vulnerabilities before malicious attackers do
- Think like an attacker
Practical
- Predict future attacks
- Provides coverage
Steps:
1. Recon
2. Planning
3. Exploitation
4. Post-Exploitation
Additional certification -> see slide
Tools:
- Metasploit -> Antivirus will go nuts!
- NMAP -> beginners guide YouTube video
- Burp
- WireShark
- Kali -> A lot of tools available (download link)
- GoBuster
CTF Websites:
- pwnable
- hackthebox
- root-me
- overthewire
Evening Lecture
Homework:
- Work out the current state of Biometrics as an authentication strategy
- Read about Transport for NSW's idea of using facial recognition rather than Opal cards
- Read about the San Francisco ban on biometrics
- Read about the uni research allegedly helping Chinese security forces track and detain Muslim Uyghur citizens in Xinjiang https://www.abc.net.au/news/2019-07-16/australian-unis-to-review-links-to-chinese-surveillance-tech/11309598
- Think about: https://www.sixthtone.com/news/1003400/five-ways-china-used-facial-recognition-in-2018
Diffie Hellman -> Confidentiality and Integrity, sort of authentication
  -> Problem of Authentication. Solution? - Asymmetric ciphers
RSA -> What about the man in the middle? Try and detect the man in the middle
PGP -> web of trust -> establish the authenticity of the binding between a public key and its owner
Public Key Infrastructure (PKI) -> Solves the man in the middle problem
- SSL/TLS (handshake) -> standard security technology for establishing an encrypted link between a web server and a browser
- Bruce Schneier's paper https://www.schneier.com/academic/paperfiles/paper-pki.pdf
- Similar to a passport (links photo with name, certified by office)
- Using X.509 certificates links public key with domain (and maybe some other information) -> information is "signed"
- Padlock in the https:// bar
- Certificate authorities tie the certificate to the domain
- Root certificate, RAs (registration authority), pay money to browser manufacturer
- Conflicts of interest
- Most pages on SSL written by vendors
- Self-signed, domain verification, organisational verification, extended verification
- Safety vs identity
- Session keys - the TLS handshake (4 keys)
- Three main authorities:
  1. Symantec
  2. Comodo
  3. GoDaddy
TLS Handshake Example:
1. A client contacts the server.
2. The client and server exchange information about the communications they intend to perform, such as the ciphers to use (SSL handshake)
3. The server transmits its certificate to the client
4. The client checks that it trusts the certification authority that issued the certificate. If it does not recognise the CA and does not get an override, the communication ends.
5. The client checks for revocation information on the certificate. If the certificate is revoked or revocation information is unavailable, then the client might attempt to obtain an override. Implementations vary on how they deal with null or unreachable CRL information, but almost all will refuse to communicate with any entity using a revoked certificate.
6. Both client and server send each other random data, which they use to make calculations separately and then derive the same session keys. Three kinds of randomly generated data are sent from one side to another:
   - The "client random": This is a random string of bytes that the client sends to the server
   - The "server random": This is similar to the client random, except that the server sends it to the client
   - The "premaster secret": This is yet another string of data. In some versions of the TLS handshake, the client generates this and sends it to the server encrypted with the public key; in other versions, the client and server generate the premaster secret on their own, using agreed-upon algorithm parameters to arrive at the same result.
7. Both parties generate 4 session keys using this data
8. All communications in the same conversation are encrypted with that set of keys.
0 notes
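The Diffie-Hellman exchange in the lecture notes above (base 5, secrets 3 and 7) and the handshake's "both sides derive the same session keys" step, carried through in runnable code; this is an added example, not part of the post. It goes beyond the notes in two labelled ways: the modular reduction that real Diffie-Hellman uses (the prime 23 is a constructed toy value), and a SHA-256 key schedule that stands in for, and is not, the TLS key derivation; the random bytes are constructed as well.

```python
import hashlib
import secrets


def dh_plain(base: int, s: int, r: int) -> tuple[int, int, int]:
    """The notes' exchange with no modulus: S publishes base^s, R publishes
    base^r, and (base^s)^r == (base^r)^s because both equal base^(s*r).
    Returns (S's public value, R's public value, shared value)."""
    pub_s = base ** s            # 5^3 = 125 in the notes
    pub_r = base ** r            # 5^7 = 78125 in the notes
    shared_s = pub_r ** s        # S raises R's value to its own secret
    shared_r = pub_s ** r        # R raises S's value to its own secret
    assert shared_s == shared_r
    return pub_s, pub_r, shared_s


def dh_modular(g: int, p: int, a: int, b: int) -> tuple[int, int, int, int]:
    """Real Diffie-Hellman works modulo a large prime p (p=23 here is a toy,
    constructed value). An observer sees g, p, g^a mod p and g^b mod p;
    recovering the shared value means solving a discrete logarithm, which is
    what makes 'can't figure out (a^b)^c' hold for a large p.
    Returns (Alice's public A, Bob's public B, Alice's key, Bob's key)."""
    A = pow(g, a, p)             # Alice -> Bob
    B = pow(g, b, p)             # Bob -> Alice
    key_alice = pow(B, a, p)     # Alice computes B^a = g^(ab) mod p
    key_bob = pow(A, b, p)       # Bob computes   A^b = g^(ab) mod p
    return A, B, key_alice, key_bob


def derive_session_keys(shared: int, client_random: bytes,
                        server_random: bytes) -> list[bytes]:
    """Toy key schedule for handshake step 7: four 32-byte keys from the
    shared secret plus both randoms (a stand-in for the TLS PRF, not the real
    one). Each side runs this on its own copy of the inputs and gets the same
    four keys; a different random on either side yields different keys."""
    secret = shared.to_bytes(max(1, (shared.bit_length() + 7) // 8), "big")
    labels = (b"client_mac", b"server_mac", b"client_enc", b"server_enc")
    return [hashlib.sha256(lbl + secret + client_random + server_random).digest()
            for lbl in labels]


if __name__ == "__main__":
    print(dh_plain(5, 3, 7))                 # (125, 78125, 476837158203125)
    A, B, ka, kb = dh_modular(5, 23, 6, 15)  # toy parameters: both keys are 2
    print(A, B, ka, kb)                      # 8 19 2 2
    c_rand, s_rand = secrets.token_bytes(32), secrets.token_bytes(32)
    client_keys = derive_session_keys(ka, c_rand, s_rand)
    server_keys = derive_session_keys(kb, c_rand, s_rand)
    print(client_keys == server_keys)        # True
```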