问题描述
一个新项目需要一个简单的面板(页面)供管理员和工作人员使用:
A new project requires a simple panel (page) for admin and staff members that:
- 最好不要使用 SSL 或任何数字认证的东西,通过 http 简单登录就可以了.
- 具有基本身份验证,仅允许管理员以管理员身份登录,以及员工"组中的任何工作人员.理想情况下,凭据(用户名-哈希密码对)"将存储在 MySQL 中.
- 如果有包,配置很简单,或者策略很容易编码.
- 某处(PHP 会话?)不知何故(在每个页面的开头包含一个脚本以在执行任何操作之前检查用户组?),它将检测任何无效用户尝试访问受保护页面并将他/她重定向到登录表单.
- 虽然仍然保持高质量的安全性,但这是我最担心的.
坦率地说,我对互联网安全以及现代 CMS(如 WordPress/Joomla)如何处理这一点知之甚少.
Frankly I have little knowledge about Internet security, and how modern CMS such as WordPress/Joomla handle this.
我脑子里只有一件事:我需要使用盐来散列密码(SHA1?)以确保任何通过网络获取用户名和密码对的黑客都无法使用它登录系统.而这正是客户想要确保的.
I only have one thing in my mind: that I need to use a salt to hash the password (SHA1?) to make sure any hacker who gets the username and password pair across the net cannot use that to log into the system. And that is what the client wants to make sure.
但我真的不知道从哪里开始,有什么想法吗?
But I am really not sure where to start, any ideas?
推荐答案
HTTPS 的使用是绝对必要的,并且必须在会话的整个生命周期中使用.请记住,会话 ID 用于对浏览器进行身份验证,如果攻击者可以获得(嗅探或 xss),则他不需要用户名/密码.这是由 OWASP Top 10 2010 A3 Broken Authentication and Session Management 列出的一>.如果您想实现安全会话,您必须阅读该链接.
The use of HTTPS is an absolute requirement, and must be used for the entire life of the session. Keep in mind that session id's are used to authenticate browsers and if an attacker can obtain one (sniffing or xss), then he doesn't need a username/password. This is laid out by The OWASP Top 10 2010 A3 Broken Authentication and Session Management. If you want to implement secure session you must read that link.
md4,md5 sh0 和 sha1 都是损坏的消息摘要函数,永远不能用于密码.sha-2 系列的任何成员都是不错的选择,sha256 非常大,是密码的绝佳选择.
md4,md5 sh0 and sha1 are all a broken message digest functions and can never be used for passwords. Any member of the sha-2 family is a good choice, sha256 is very large and is a great choice for passwords.
您应该绝对不要通过网络传输密码哈希或将其泄露给用户/攻击者.如果您向服务器发送哈希值以进行身份验证,那么您在系统中引入了一个非常严重的漏洞.使用sql注入可以从数据库中获取密码hash,然后可以简单地重放这个hash进行身份验证,绕过破解密码hash的需要.这就像您以明文形式存储密码一样.
You should absolutely never transfer a password hash across the network or spill it to a user/attacker. If you are sending a hash to the server to authenticate then you have introduced a very serious vulnerability into your system. Using sql injection the password hash can be obtained from the database, then this hash can be simply replayed to authenticate, bypassing the need to crack the password hash. This is as if you are storing passwords in clear text.
使用 $_SESSION 超全局变量和 session_start() 来维护您的会话状态,永远不要重新发明风团.默认的 PHP 会话处理程序是安全的,可以满足您的需求.
Use the $_SESSION superglobal and session_start() to maintain your session state, never re-invent the wheal. The default PHP session handler is secure and will do what you need.
session_start();
if(!$_SESSION['logged_in']){
die("Authentication required!");
}
还要确保在您的系统中实施 CSRF 保护.使用 CSRF,攻击者可以通过强制浏览器发送请求来访问管理面板.确保针对 XSS 测试您的应用程序,这是一个很好的免费 xss 扫描程序 再次,xss 可用于通过使用 XHR 或通过获取 document.cookie
的值来劫持经过身份验证的会话.测试 SQL 注入和其他漏洞也是一个好主意,wapiti 可以解决这个问题.
Also make sure to implement CSRF protection into your system. Using CSRF an attacker can access the administrative panel by forcing your browser to send requests. Make sure to test your application for XSS this is a good free xss scanner, again xss can be used to hijack an authenticated session by using XHR or by obtaining the value of document.cookie
. It is also a good idea to test for SQL Injection and other vulnerabilities, wapiti will do the trick.
这篇关于管理/员工面板的简单实现?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!