Web应用程序安全外文翻译参考文献.docx

Web应用程序安全外文翻译参考文献.docx

《Web应用程序安全外文翻译参考文献.docx》由会员分享，可在线阅读，更多相关《Web应用程序安全外文翻译参考文献.docx（9页珍藏版）》请在冰点文库上搜索。

Web应用程序安全外文翻译参考文献

Web应用程序安全外文翻译参考文献

（文档含中英文对照即英文原文和中文翻译）

原文：

BasicSecurityPracticesforWebApplications

Evenifyouhavelimitedexperiencewithandknowledgeofapplicationsecurity,therearebasicmeasuresthatyoushouldtaketohelpprotectyourWebapplications.Thefollowingsectionsinthistopicprovideminimum-securityguidelinesthatapplytoallWebapplications.GeneralWebApplicationSecurityRecommendations;RunApplicationswithMinimumPrivileges;KnowYourUsers;GuardAgainstMaliciousUserInput;AccessDatabasesSecurely;CreateSafeErrorMessages;KeepSensitiveInformationSafely;UseCookiesSecurely;GuardAgainstDenial-of-ServiceThreats.

1.GeneralWebApplicationSecurityRecommendations

Eventhemostelaborateapplicationsecuritycanfailifamalicioususercanusesimplewaystogainaccesstoyourcomputers.GeneralWebapplicationsecurityrecommendationsincludethefollowing:

Backupdataoftenandkeepyourbackupsphysicallysecure.KeepyourWebserverphysicallysecuresothatunauthorizeduserscannotgainaccesstoit,turnitoff,physicallystealit,andsoon.UsetheWindowsNTFSfilesystem,notFAT32.NTFSofferssubstantiallymoresecuritythanFAT32.ProtecttheWebserverandallofthecomputersonthesamenetworkwithstrongpasswords.FollowbestpracticesforsecuringInternetInformationServices（IIS）.Closeanyunusedportsandturnoffunusedservices.Runaviruscheckerthatmonitorssitetraffic.Useafirewall.LearnaboutandinstallthelatestsecurityupdatesfromMicrosoftandothervendors.UseWindowseventloggingandexaminethelogsfrequentlyforsuspiciousactivity.ThisincludesrepeatedattemptstologontoyoursystemandexcessiverequestsagainstyourWebserver.

2.RunApplicationswithMinimumPrivileges

Whenyourapplicationruns,itrunswithinacontextthathasspecificprivilegesonthelocalcomputerandpotentiallyonremotecomputers.Forinformationaboutconfiguringapplicationidentity,seeConfiguringASP.NETProcessIdentity.Torunwiththeminimumnumberofprivilegesneeded,followtheseguidelines:

Donotrunyourapplicationwiththeidentityofasystemuser（administrator）.Runtheapplicationinthecontextofauserwiththeminimumpracticalprivileges.Setpermissions（ACLs,orAccessControlLists）onalltheresourcesrequiredforyourapplication.Usethemostrestrictivesetting.Forexample,ifpracticalinyourapplication,setfilestoberead-only.ForalistoftheminimumACLpermissionsrequiredfortheidentityofyourASP.NETapplication,seeASP.NETRequiredAccessControlLists（ACLs）.KeepfilesforyourWebapplicationinafolderbelowtheapplicationroot.Donotallowuserstheoptionofspecifyingapathforanyfileaccessinyourapplication.Thishelpspreventusersfromgettingaccesstotherootofyourserver.

3.KnowYourUsers

Inmanyapplications,itispossibleforuserstoaccessthesitewithouthavingtoprovidecredentials.Ifso,yourapplicationaccessesresourcesbyrunninginthecontextofapredefineduser.Bydefault,thiscontextisthelocalASPNETuser（Windows2000orWindowsXP）orNETWORKSERVICEuser（WindowsServer2003）ontheWebserver.Torestrictaccesstouserswhoareauthenticated,followtheseguidelines:

Ifyourapplicationisanintranetapplication,configureittouseWindowsIntegratedsecurity.Thisway,theuser'slogincredentialscanbeusedtoaccessresources.Ifyouneedtogathercredentialsfromtheuser,useoneoftheASP.NETauthenticationstrategies.Foranexample,seetheASP.NETFormsAuthenticationOverview.

4.GuardagainstMaliciousUserInput

Asageneralrule,neverassumethatinputyougetfromusersissafe.Itiseasyformalicioususerstosendpotentiallydangerousinformationfromtheclienttoyourapplication.Tohelpguardagainstmaliciousinput,followtheseguidelines:

Informs,filteruserinputtocheckforHTMLtags,whichmightcontainscript.Fordetails,seeHowto:

ProtectAgainstScriptExploitsinaWebApplicationbyApplyingHTMLEncodingtoStrings.Neverecho（display）unfiltereduserinput.Beforedisplayinguntrustedinformation,encodeHTMLtoturnpotentiallyharmfulscriptintodisplaystrings.Similarly,neverstoreunfiltereduserinputinadatabase.IfyouwanttoacceptsomeHTMLfromauser,filteritmanually.Inyourfilter,explicitlydefinewhatyouwillaccept.Donotcreateafilterthattriestofilteroutmaliciousinput;itisverydifficulttoanticipateallpossiblemaliciousinput.Donotassumethatinformationyougetfromtheheader（usuallyviatheRequestobject）issafe.Usesafeguardsforquerystrings,cookies,andsoon.Beawarethatinformationthatthebrowserreportstotheserver（useragentinformation）canbespoofed,incasethatisimportantinyourapplication.Ifpossible,donotstoresensitiveinformationinaplacethatisaccessiblefromthebrowser,suchashiddenfieldsorcookies.

5.AccessDatabasesSecurely

Databasestypicallyhavetheirownsecurity.AnimportantaspectWebapplicationsecurityisdesigningawayfortheapplicationtoaccessthedatabasesecurely.Followtheseguidelines:

Usetheinherentsecurityofyourdatabasetolimitwhocanaccessdatabaseresources.Theexactstrategydependsonyourdatabaseandyourapplication:

Ifpracticalinyourapplication,useWindowsIntegratedsecuritysothatonlyWindows-authenticateduserscanaccessthedatabase.IntegratedsecurityismoresecurethanusingSQLServerstandardsecurity.Ifyourapplicationusesanonymousaccess,createasingleuserwithverylimitedpermissions,andperformqueriesbyconnectingasthisuser.DonotcreateSQLstatementsbyconcatenatingstringsthatinvolveuserinput.Instead,createaparameterizedqueryanduseuserinputtosetparametervalues.Ifyoumuststoreausernameandpasswordsomewheretouseasthedatabaselogincredential,storethemsecurely.Ifpractical,encryptorhashthem.Fordetails,seeEncryptingandDecryptingData.

6.CreateSafeErrorMessages

Ifyouarenotcareful,amalicioususercandeduceimportantinformationaboutyourapplicationfromtheerrormessagesitdisplays.Followtheseguidelines:

Donotwriteerrormessagesthatechoinformationthatmightbeusefultomalicioususers,suchasausername.Configuretheapplicationnottoshowdetailederrorstousers.Ifyouwanttodisplaydetailederrormessagesfordebugging,checkfirstthattheuserislocaltotheWebserver.Fordetails,seeHowto:

DisplaySafeErrorMessages.UsethecustomErrorsconfigurationelementtocontrolwhocanviewexceptionsfromtheserver.Createcustomerrorhandlingforsituationsthatarepronetoerror,suchasdatabaseaccess.

7.KeepSensitiveInformationSafely

Sensitiveinformationisanyinformationthatyouneedtokeepprivate.Atypicalpieceofsensitiveinformationisapasswordoranencryptionkey.Ifamalicioususercangettothesensitiveinformation,thenthedataprotectedbythesecretiscompromised.Followtheseguidelines:

Ifyourapplicationtransmitssensitiveinformationbetweenthebrowserandtheserver,considerusingSecureSocketsLayer（SSL）.UseProtectedConfigurationtosecuresensitiveinformationinconfigurationfilessuchastheWeb.configorMachine.configfiles.Formoreinformation,seeEncryptingConfigurationInformationUsingProtectedConfiguration.Ifyoumuststoresensitiveinformation,donotkeepitinaWebpage,eveninaformthatyouthinkpeoplewillnotbeabletoview（suchasinservercode）.UsethestrongencryptionalgorithmssuppliedintheSystemSecurityCryptographynamespace.

8.UseCookiesSecurely

Cookiesareaneasyandusefulwaytokeepuser-specificinformationavailable.However,becausecookiesaresenttothebrowser'scomputer,theyarevulnerabletospoofingorothermalicioususe.Followtheseguidelines:

Donotstoreanycriticalinformationincookies.Forexample,donotstoreauser'spasswordinacookie,eventemporarily.Asarule,donotstoreanysensitiveinformationinacookiethat.Instead,keepareferenceinthecookietoalocationontheserverwheretheinformationislocated.Setexpirationdatesoncookiestotheshortestpracticaltimeyoucan.Avoidpermanentcookiesifpossible.Considerencryptinginformationincookies.ConsidersettingtheSecureandHttpOnlypropertiesonyourcookiestotrue.

9.GuardagainstDenial-of-ServiceThreats

Anindirectwaythatamalicioususercancompromiseyourapplicationisbymakingitunavailable.Themalicioususercankeeptheapplicationtoobusytoserviceotherusers,orifnothingelsecansimplycrashtheapplication.Followtheseguidelines:

Closeorreleaseanyresourceyouuse.Forexample,alwaysclosedataconnectionsanddatareaders,andalwaysclosefileswhenyouaredoneusingthem.Useerrorhandling（forexample,try/catchblocks）.Includeafinallyblockinwhichyoureleaseresourcesincaseoffailure.ConfigureIIStousethrottling,whichpreventsanapplicationfromusingadisproportionateamountofCPU.Testsizelimitsofuserinputbeforeusingorstoringit.Putsizesafeguardsondatabasequeriestohelpguardagainstlargequeriesusingupsystemresources.YoucanalsousetheRequestLengthDiskThresholdpropertyintoreducethememoryoverheadoflargeuploadsandformposts.

译文：

Web应用程序的基本安全做法

即使您对应用程序安全性的体验和了解非常有限，也应采取一些基本措施来保护您的Web应用程序。

以下各部分提供了适用于所有Web应用程序的最低安全性准则。

常规Web应用程序安全性建议；使用最少特权运行应用程序；了解您的用户；防止恶意用户的输入；安全地访问数据库；创建安全的错误消息；保证敏感信息的安全；安全地使用Cookie；防止拒绝服务威胁。

1.常规Web应用程序安全性建议；

如果恶意用户可以使用简单方法进入您的计算机，即使是最精心设计的应用程序安全性也会失败。

常规Web应用程序安全性建议包括以下内容：

经常备份数据，并将备份存放在安全的场所；将您的Web服务器放置在安全的场所，使XX的用户无法访问它、关闭它、带走它，等等。

使用WindowsNTFS文件系统，不使用FAT32。

NTFS的安全性比FAT32高得多。

使用不易破解的密码，保护Web服务器和同一网络上的所有计算机的安全。

遵循用于确保Internet信息服务（IIS）安全的最佳做法。

关