Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I have never tried to hack a website. I have only followed security guidelines. Now I want to try to develop more security skills.
Are there any "training sites" with vulnerabilities and "exercises" covering SQL injection, redefinition of global variables, XSS and other kinds of vulnerabilities? A sort of hacking sandbox.
Best answer
Head over to this question on vulnerable Operating Systems on Security Stack Exchange, or this one on vulnerable servers for penetration testing (in particular this answer has a great list).
We have several questions on this subject, and on Security Education in general; as a growing resource for IT and information security it may well be worth your attention.
An excerpt of the content there:
http://www.irongeek.com/i.php?page=security/wargames
WebGoat. WebGoat is a set of deliberately insecure Java server pages
http://www.smashthestack.org/wargames.php
from their FAQ
The Smash the Stack Wargaming Network hosts several Wargames. A Wargame in our context can be described as an ethical hacking environment that supports the simulation of real world software vulnerability theories or concepts and allows for the legal execution of exploitation techniques. Software can be an Operating System, network protocol, or any userland application.
http://www.astalavista.com/page/wargames.html
http://www.governmentsecurity.org/forum/index.php?showtopic=15442
http://www.overthewire.org/wargames/
the list is long... some are up, some not...
Update 26 Feb 2011: I found a nice post at http://r00tsec.blogspot.com/2011/02/pentest-lab-vulnerable-servers.html . Some links might be broken. I copy from there:
Holynix: Similar to the De-ICE CDs and pWnOS, holynix is an Ubuntu server VMware image that was deliberately built to have security holes for the purposes of penetration testing. More of an obstacle course than a real world example. http://pynstrom.net/index.php?page=holynix.php
WackoPicko: WackoPicko is a website that contains known vulnerabilities. It was first used for the paper Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners, found at http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf https://github.com/adamdoupe/WackoPicko
De-ICE PenTest LiveCDs: The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs. http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks
Metasploitable: Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. A number of vulnerable packages are included, including an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older MySQL. http://blog.metasploit.com/2010/05/introducing-metasploitable.html
OWASP BWA: Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications. http://code.google.com/p/owaspbwa/
Web Security Dojo: A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo. http://www.mavensecurity.com/web_security_dojo/
LAMPSecurity: LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security. http://sourceforge.net/projects/lampsecurity/files/
Damn Vulnerable Web App (DVWA): Damn Vulnerable Web App is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students to teach/learn web application security in a classroom environment. www.dvwa.co.uk/
Hacking-Lab: This is the Hacking-Lab LiveCD project. It is currently in beta stage. The live CD is a standardized client environment for solving our Hacking-Lab wargame challenges remotely. http://www.hacking-lab.com/hl_livecd/
Moth: Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for: http://www.bonsai-sec.com/en/research/moth.php
Damn Vulnerable Linux (DVL): Damn Vulnerable Linux is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop; it's a learning tool for security students. http://www.damnvulnerablelinux.org
pWnOS: pWnOS is a "VM Image" that creates a target on which to practice penetration testing, with the "end goal" being to get root. It was designed to practice using exploits, with multiple entry points. http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html http://www.krash.in/bond00/pWnOS%20v1.0.zip
Virtual Hacking Lab: A mirror of deliberately insecure applications and old software with known vulnerabilities. Used for proof-of-concept / security training / learning purposes. Available in virtual image, live ISO or standalone formats. http://sourceforge.net/projects/virtualhacking/files/
Badstore: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. http://www.badstore.net/
Katana: Katana is a portable multi-boot security suite which brings together many of today's best security distributions and portable applications to run off a single flash drive. It includes distributions which focus on pen-testing, auditing, forensics, system recovery, network analysis, and malware removal. Katana also comes with over 100 portable Windows applications, such as Wireshark, Metasploit, Nmap, Cain & Abel, and many more. www.hackfromacave.com/katana.html
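As an added illustration of the kind of bug these targets let you practise on, here is a minimal DVWA-style login written in Python against an in-memory SQLite database, with the injectable version next to the parameterized fix. This is example code added to this page, not part of the original question or answer and not taken from any of the projects listed above; the users table, the credentials and the two payloads are constructed for the demo.

```python
"""Added example: SQL injection in a toy login, vulnerable and fixed side by side.

The users table and credentials below are constructed for the demo; nothing here
is taken from the projects listed on the page.
"""
import sqlite3


def make_db():
    """Create an in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", "admin"), ("alice", "alice-pw", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Typical DVWA-style bug: user input is glued into the SQL text.

    Anything the attacker types is parsed as SQL syntax, so a quote and a
    comment marker (or a tautology) rewrite the WHERE clause.
    Returns (username, role) on success, None otherwise.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """The fix: a parameterized query.

    The driver sends the SQL text and the values separately; the values are
    bound as data and can never change the statement's structure.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Constructed payloads of the kind you would try against DVWA or WackoPicko.
COMMENT_PAYLOAD = "admin' -- "      # comments out the password check
TAUTOLOGY_PAYLOAD = "' OR '1'='1"   # makes the WHERE clause true for every row


def demo():
    """Run both payloads against both implementations and report the outcome."""
    conn = make_db()
    return {
        # Attacker knows only the username; the password check is commented away.
        "vuln_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "safe_comment": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
        # Attacker knows neither; the OR tautology matches the first row.
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "safe_tautology": login_safe(conn, "nobody", TAUTOLOGY_PAYLOAD),
        # Legitimate credentials still work with the fixed version.
        "safe_alice": login_safe(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

Run it once and compare the two columns: the comment payload logs in as admin without a password through `login_vulnerable`, and the tautology payload logs in without even knowing a username, while `login_safe` rejects both and still accepts alice's real credentials. The same two payloads are the first things to try against the login forms in DVWA, WackoPicko and Badstore listed above.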
On "security - hacking training simulator", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/5588067/