��Ʒ��

2009��μ�

aullik5 — 2009-11-24 17:03

��ȥ��ǲ��outing��ڵ��ǻ��䡣

��һ��ס��ƾƵ꣬��ǣ�Ҳ��ǻ�û��ǡ�harry˵��һ��ī��ݣ��޴�֤ʵ�ˡ�

�Ƶ��

��ĺ��ԡ��

��й��ҵ��Ϊ�й��ʮ�� ------ ֮��

��Ƕ��º��Σ��Ҳ��ˮ��ֻ�Ҳ��̲��ˮ��ڵĺ�ˮ��Ĳ��ɽ��ܡ�

�о��ɳ̲��̩��İŶ�Ҫ��΢�õ㣬�ɾ�Щ��

��˽�Һ�̲��Ҳû��ô�ࡣ

��ʵ��嵥�ͺ�̲�۲��һ��ǳ��ɫ��ɽ�溣��羰��ĺþƵ�ǳ��࣬��Ҳ�ǳ��á�

�ڶ��ǰ��֧�޵��С��ˮ��ġ�С��Ϊ��Ͽ��Ķ�� ֧��˵��ȫ��Ϊ1.4ƽ��

ˮ��Ȼ�ܲ��

��һ��ȴ��⣬��з��Ŀ�ȸ��ȸ��һȺС��ȸ��·��Ҷ��

��д��Ϊ �� Ұ�ǳ��ǿ��ճ��õĵط��վ�ڹ��ϣ��̲�ס��쳤Х��е��ȡ�

��һ�ߣ��Բ�İɣ��

��Ψһ��ˮ��ԡ��ɳ�ӷǳ��֣��ܶ��ɺ��ˮ�ĺ�̲��ɳ��ǳ�ϸ��ǳ��Ҳ��˵��ְ��ۡ��

ˮ��ɫȷʵ��Ư��

��ڵ��סһ��󣬵ڶ��ص��壬��ס�ڽ��鵾Ƶ꣬��ǵģ�Ҳ��ǲ��

ǰ��ٺ��濿��ޱ��

��󽲵��ҵ��ᣬ��С��ʿ��
1��40��ӵĳ��
2��ﶫ��ܹ󣬶��Ǯû�ط��򣬱��궼û�У�Ҫȥ��ڴ�Ҫ��ʮ��
3��Ժ��Ҫȥ��ڵĴ�԰��ʹ㳡�ԣ��԰�󣬵��Ǹ��ܶ�Ժ��ʵĵ꣬ζ��
4��֧�޵��ס�ޡ�Ǳˮ��ܹ󣬶��ÿɶ��Ҫ��һ��ꡣ��ǿ��ճ��ס��
�Ķ�ȫ��
����κ� �鿴��

�Ա��ֱͨ��

aullik5 — 2009-11-18 11:47

��첻д��ȫ��ˣ�Ϲ��ģ�˵�Ĳ��֡�

��ĩȥ��ת��һȦ��в��ٽ��ο��飬��ȴû�п��ڡ��Ա�ֱͨ��κ��鼮��ϵ��ţ��ƺ�Ҳδ��ע��һ��Ա��˵��ش�Ĳ�Ʒ��

֮��˵��ش��Ϊֱͨ��ģʽ�Ѿ��ȶ��г��ӯ��ܳ�Ϊ��ʹ�Ա��е��

�Ա��ֱͨ��ʵ��Ͼ��һ��ؼ��ʵľ��û��Ա��һЩ��Ʒ��ֱͨ��ҹ��˹ؼ��ʵı��Ӧչʾ��ͬ��ҿ��Բ�ͬ�ؼ��ʽ��о��ۣ��۸��ߵá�

��Ա��ô��أ��ͨ�û�ÿ��һ��ֱͨ��չʾ��ı��Ҿ�Ҫ��Ӧ��Ѹ��Ա��û�гɽ��

��ҵõ��ʲô�أ��õ��˱��չʾ��û��Ļ��ᣬһ��һ��ֱͨ��Ƚϳɹ��ң��м��ߣ��Ӷ��Ͷ��ʽ��ؼ��ʵľ��ۣ��ȡ��չʾ��ᣬ�г��ѭ��

��ͼ�� "��Զ�� ҹ�� ߱�"�� ұߺ��߿�ס�Ĳ��֣��ͨ��ֱͨ��ؼ��ʵõ��Ľ��м䲿�ֵ��û�м��κ��ҵԪ�ص�һ��

��־��չʾ��ʽ��google��һ�µġ��й��мҹ�˾�аٶȣ��ǰ��ҵ��ǻ��ģ��µĺ��û��ѳ��ĵ�һҳ��ܶ��̼��Ľ��ȫ��Ž��

��аٶȵĹ�˾��˸��ﳲ��Ŀ��ǰ��ҵ��Ľ��googleһ��Ƶ��ұߣ��ҵ��۽��Ӱ��Ľ��Ŀ��ɱ��Ļ�԰ٶȵĸ��û��һЩӰ�죬��񵴷��ȵĴ�С��Ͳ��Ϊ��˵��ˡ�

��google��һ��ʼ��ʹ��һ��ںţ��񡱣��Ϊ��֪��Ҫ��Ǻ��׵�һ��顣

��ң��ڹ��ؼ��棬��ʵ�Ƿǳ��н��ġ�

һ��˵��˼·��һ�ǳ��߼ۣ��ؼ��ʣ��ø��չʾ��ᡣ
��׷��β��ͼ۵ģ��Ǽ��侫׼�Ĺؼ��ʣ��ȡ��׼��չʾ��ᣬ��û��ǳ��ߣ��Ҳ��ǳ��ߡ�

��ͼƬ��

�û�ֱ�ӹ��Զ��ʣ��ܻ�ǳ��Ҫ��1��2��Ǯ��˵��۳ɹ��ô��ͨ�û��Ա��Զ��ʵ�ʱ��ұ��ͻ�չʾ��ҵı��ͨ��ȥ��ôÿ�ε��Ҿ��Ҫ֧��Ա�2��Ǯ��

��׷��β��ʣ��ֱ��:"��Զ�� ҹ�� ߱�"��Ҫ��ȷ��ܻ��ټ��Զ��ӡ��ô��Щ�ʵ��û��̫�࣬��ǵ��Ի�ǳ�ǿ��зǳ�ǿ�Ĺ��ڸ��û��ͬʱ��ۣ��۸��ǳ��ˣ��ҵĳɱ��

�ٻص��ͼƬ��һ��Columbia��Ь��ң��"��Զ��"�Ĺؼ��ʣ��Ϊ��Զ��û��ܿ��ǻ��˶��ߣ��ô�ܿ��Ҳ�й��Ь��Ǻܴ��ġ�

��򾺼۴ʣ�Ҳ��һ��ѧ�ʣ��Խ��Խ�á�

Ҫ˵�Ա��г��ж��Ҳ��֪��и�ģ��ĸо��ǹ��Ա�ֱͨ��г��ģ��ܾ��аٶ��ڵľ��ô�󣬵��Ϊ��г�Ǳ��Ҳֻ��ڰ��ڵļ��𣬲��Ϊǧ�ڼ��ǧ�ڼ��г��Ա��ҪѰ��µ�ӯ��ģʽ��

PS: ��ǰ��Ƕɼ٣��ĩ�Ż�� Ķ�ȫ��
����а� �鿴��

OWASP TOP 10 2010 RC

aullik5 — 2009-11-16 11:34

��ǿ��Ǵ��һ��ĳǽ�� appspot ��Ϊ��Ӽ��롰��˵�Ƥ��ǰ��ֻ�ֿ��Ϊ��һ�ޡ�ͬʱ��ǿ��ĳǽ��ִ�б��У��Ƿ��ĳЩ��ҵ��ĳЩ��Ŵ��ڻ�ɫ��ף�ǿ��Ҫ��Ϣ�Ĺ��͸��

OWASP �Ѿ��ʼ�ƶ��µ� TOP 10

http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf

Ŀǰ��ֻ�Ǻ�ѡ��û��ʽ��

�м��Ƚϴ�ı仯��Ǵ� 07�� TOP 10 Weakness ��Ϊ��ڵ� TOP 10 Risk

��Ҽ��յ�ģ��Ҳ��ˣ��©��ɢ��Σ��ȵ��أ��ӿ�ѧ��е��SDL�� DREAD ģ��

��µķ��ռ��㷽ʽ

��µ�TOP 10�У��м��ѡ���˱仯
��07��һ�� XSS �͵ڶ�� Injection ��໻��һ��λ�ã��Ӧ��塣

��04��ġ��á��ٴλع�

��һ��url��ת��ڽ��url��ת�ĵ��㡢�߼�©��Խ��Խ�࣬��ξͷ��˽��

�Ķ�ȫ��
���� 鿴��

ǳ̸��˾��ȫ�ķ�չ��

aullik5 — 2009-11-11 11:36

��дblog�ļ��Խ��Խ��ˣ��Ҫ��æ��͹�˾��ϵ�ȽϽ��ܣ��д��blog�ϣ��Ժ��ܻ�Խ��Խ�࣬��룬ֻ�ǡ�ǳ̸��Ϊ��̸��̸��

��۷�Χ�޶��ڻ��˾��Ϊ�˱��һЩ��ȫ��˾��ˮս��Ϊ��һ��Ϊ��˾�İ�ȫ��º��ǲ�̫��Ҫ��ʲô��ȫ��ģ��Ϊһ��Ļ��˾��չ��һ��̶Ⱥ��ģ�͸��ӳ̶Ⱦ��û��һ�Ұ�ȫ��˾�ܹ��ṩ��Ľ��ˣ�һ�ж��Ȼ��仰Ҳ��Ǿ��Եģ�һЩ�ǹؼ��ǻ��ȫ��򣬻��Ҫ��ȫ��̵�֧�֣��ǽ�豸��氲ȫ�豸��DDOS�豸�ȡ�

��ҽ��Ҫ˵��ǻ��˾��ȫ�ķ��ҵ��ǣ���ǽ��ʲô��Ĺ��ǻ��Ҫ��Щʲô��

�ڹ�ȥ�ĺܳ�ʱ��ڣ��©��ھ��߻��ǰ�ȫר��ǣ��о��ָ��©��Դ�Ϊ�� OWASP ÿ��ͻṫ�� Top 10 ��вList��ںܳ�һ��ʱ��ڣ��˾�İ�ȫר��ǣ��ȫ��̵Ĳ�Ʒר��ǣ��һ��飺��ǲ�Ʒ��Ƿ��ܵ��Щ©��

��ˣ��Ұѻ��˾��ȫ����һ��Ŀ�꣬��Ϊ��ù��ʦд��ÿһ�д��붼�ǰ�ȫ�ģ�

Ϊ�˴ﵽ��Ŀ�꣬΢��SDL��ڶ��̵ĸ��죬SDL��԰��ʦ��д��ȫ�Ĵ��롣΢��SDL��ˡ��΢��Ĺ��ʦд��Ĵ󲿷ִ��붼�ǰ�ȫ�ġ��һĿ�ꡣ��ΪSDL��ΰ��Ĵ��죬��޽ӽ��ռ�Ŀ�ꡣ

��SDL�У��Ǿ��кܶණ��Ҫȥ��ƣ�Ҳ�ٽ��൱��о��ͼ��Ʒ��밲ȫɨ�蹤�ߵ��о��һ���漰��﷨��ʷ��ݹ��ͳ��ѧ��⣬�ٱ��fuzzing��漰��Э��ļ��ʽ��ͳ��ѧ��ݴ��ݡ��õĲ��Ի��ิ��⡣��ÿһ��ô��׵��顣

��SDL��һ��Ҫ��ڼ�ֺͲ��ƵĹ��ǹ��޷�100%��֤��ְ�ȫ��⣬��Ҷ��廥��˾��ȫ���ڶ��Ŀ�꣺��֪�ġ�δ֪�Ĺ��ڵ�һʱ�䷢�֣��Ѹ�ٱ��׷�١�

��ڶ��Ŀ��Ҳͦ��ΰ�ģ��漰��IDS��IPS��۹޷��о��е��Щ��ԶԶ�޷��Ŀ��ģ��Ϊ��е��ҵ�ġ��Դ��IDS��IPS��־��ԣ��˾�ĺ��ݺ͸��Ҳ��Щ��в�Ʒ��Ͼ��ս��ֻ�н��ģ��ǿ�ļ��ʵʩ��Ч��ھ��ݹ��ǽ��廯��ģ�ͣ��𽥱ƽ��һĿ�ꡣ

��Ŀ��Ҳ��Ҫ��ޱƽ��ȥ��ɵ�һ��ΰĿ�ꡣ��Ŀǰ�ڹ�˾��Ĳ��飬��Ŀ��Ŭ��޷��̸��̸��

��ǰ��Ŀ�꣬�Ͳ�֪��ҪͶ��ʱ��Ŭ��һ��е㲻��㣬��Ҷ��˵��Ŀ�ꡣ

��Ŀ�꣺�ð�ȫ��Ϊ��˾�ĺ��ľ��뵽ÿһ��Ʒ��У��ܹ��õ��û�ʹ�û��ϰ�ߡ�

��һ��ʼ��ʹ�õ��Ե�ʱ��ǲ��Ҫ��װ�κ�ɱ��ġ��ǵ��˽��죬��һ��ͨ�û��˵��ԣ�ȴû�а�װ�κε�ɱ��汣��ô��Ҷ��ᵣ��᲻��в��ľ��г��ȫ�ǲ��ɱ��Ѭ�ճ��ġ��ڽ��죬�ܶ��ڵ��Գ��ʱ��ͻ�Ԥװһ��ɱ��

ǰ��ȥ��У��µ��Ƭ��һ��С�ķ��ѽ��뵽�˿ϵ»��͡��Ҳ�֪��֮ǰ�Ƿ��б��ʳƷ�ǰ��ͷ��ѽ��һ��۵ģ��Ϊ�ϵ»��͸ı��ǳ��ϰ�ߣ��Ҫպ�ŷ��ѽ��Եġ��µ��Ƭ��۷��ѽ��Ҳ��Կ��Ǳ��ϵ»��г��

��ԣ��Ϊ��˾��ȫ��Ҫ��ɵ�һ��Ŀ��ð�ȫ��Ϊ��ֲ��Ʒ��һ��ܺ��ԣ��û�ʹ�û��ϰ�ߣ��г��һ��Ҫ��Ͷ��ͼ�ֵ��顣

�һ����һ��Ŀ�꣺�ܹ��۲⵽��ȫ��Ƶı仯��δ��һ��ʱ��ڵķ��Ԥ��

��Ԥ��Ŀ��Ҳ��ǲ��ŵ��ݴ�ʱ��Ŀ��֮һ��û�кܺõ�ͷ��Щ��⡣��Ŀ�귴��ǽ��оٵ��ЩĿ��״ﵽ��һ��Ϊ�Ѿ��й�˾��ˣ��ұȽϳɹ��McAFee ��ˣ�ÿ��ʱ�䶼��л��в��棬��һЩ��֯��SANS��Ҳ��Ƶı��档��Ѷ�⼸��һֱ��ⷽ��Ĺ��Ҳ��һ��̶��Ԥ��ơ�

��ǰ�˵İ��ٽ��ģ�Ŀͻ��˻��ǿ��ĺ��ݣ�Ҫ��·�ߺͷ��Ƿǳ��ģ�ֻ��Ҫ��ã��û��Ϻܶ��ʱ��;��

��ȫ��һֱ��ڼ��չ�ģ��Ǽ��չ��µ��Ҫ��ȫ��򣬼��չҲ�ܸ��ȫ��һЩ��ռ䡣

��10��ǰ��5��ǰ��Ƕ��Ҫȥ��ֻ��Ƿ��Ҫ��ȫ��飬��ڽ��죬�ֻ��ȫ�Ѿ��˿̲��ݻ��һ��ս��ǰ��챨��ڰ��޴��iphone��棬��Щ�Ѿ��ʵʵ��ڵ��в��

��ֻ��Ҳ�ٽ��һЩ�µİ�ȫ��ֻ��֤�ܹ��ͻ��֤��Ƶ��ã��ȿͻ��֤��һ��Ϊ�ֻ��װ�ڵ��ϵģ��Ƿ��û��Ŀ㶵��ġ��ƵĻ��ż��Ѿ��ܹ��ģ��ݣ��Ӷ�ʹ�ð�ȫ��һЩ�µķ�չ�ͱ仯��Щ��ڹ�ȥ��ġ�

�ڻ��˾��ȫһ��Ҫ��ͬʱ��Ҫ��ܹ�ע��ķ�չ��Ͳ��ֹ��ڼ��©��о��ᷢ��зǳ��Ȥ��ȥ��һ��ǳ��ΰ��ͼ�� Ķ�ȫ��
���� 鿴��

��̸��

aullik5 — 2009-11-04 16:10

��ʳ��ԡ�ׯ�ӡ� ��ܡ��움��ѧ��֧��棬��ǧ��֮�ң��꼼�ɶ��ɡ�

��˼��и�� 움��˵֧��֮��ܸ��Ȥ��ɢ��Ҳƣ��ѧ��ֺ�ţB��ѧ�ɳ�ɽ��Ҳ��һ��

��ȥУ԰��Ƹ��շת��ĸ��У��ջ�

�и��о��ڴ�ѧ��̵Ķ��ѽ�̫��أ��ǻ��ҵ��

��ڴ�ѧ��ģ��Ź��ޣ��ڵ�ѧ��󲿷�Ҳ��ģ��ܱ��磬��Ϊ��ٽ��ҵ�ҹ��ʱ��ּ��ϳ��ѧ��ʲô�Σ��ʲô��ҵ��μ��ʲô��⣬��ҳ�һ��ʵĵط��

�ٲ��ѧ��ϰ��ɹ��ι��ģ��磬��Ϊ��ҹ��ʱ�򣬼��ϳ��˳ɼ��ͽ�ѧ��⣬��ҳ�һ��ʵĵط��ѧ��ٻ��̸��4��಻ֵ��

ֻ�м��ѧ��ϵľ��ܹ��ǰһ��Ŀһ�µĸо��

�ȱ��Ǻܶ಩ʿ��ò��׶��ʿ��ŵ�ʦҲ��˺ܶ��Ŀ��ֵ��˾ֻ��Ĺ��ǲ�ʿ��첩ʿ��нˮѽ��ô��أ��Ǹ��ı��ˡ�

ԭ��һ�ж��ǡ��ǵĻ��

��ӵ��𣬵��5000w�û��50��ʱ�䣬��Ӵӵ��𣬵��չ��5000w�û��տ��ӣ��17��ʱ�䡣Ψ�л��ӵ��ڣ��ڶ̶̵�3��ڣ��չ��5000w�û��Ĺ�ģ��

3��ζ��ʲô��ζ��ϴ�ѧ��ʼ��û��ҵ��Ѿ�ȫ��ˣ�

��ǵĽ̲��ʲôʱ��д�ģ��̲ĵĸ��ٶ��Ƕ�죿

��ԣ��ѧ��̫��̫��

�е��˻�˵��Щ�ǻ��Ҫ��Ҳ�û˵��Щ��Ҫ��һ��Ҫ��ף��кܶණ��Ҫ��ֻ��ѧУ��α��ǵ㶫��û�õġ�

��ǻ��ҵ��һ��Ҫ��У԰��۹��ҵ��棬��ע��һ�У��Ų��ã��

��У԰��Ƹ��ʱ��ע�ص��ǿ��passion��Ѱ�Ҹ��һ��ˡ�

��򵥵ı��⣬��Ȼ�ѵ��˾��ߣ��ʵ��Ҵ��һ��

��ε��󲿷��ҳ��ģ��ǻ��ֻ��⣬��Ϊ�Ѿ��̫��ˡ��ü��͹��ĺܲ��ѧ��һ��Ϳ��Ե�ʱ��һ�ʣ�ȫ��ɳ��ġ��й��ѧ��͹��һ��Ƿǳ�֮��

�ҳ��⣬�ǿ��ѧ��Ƿ��ע��ҵ��Ҳ��ǿ��Ƿ�passion��Ϊ��һ��˾��ж��ҵ��飬�Ȱ��Լ��רҵ��Ǿ��Ǳ��ġ�

��һ��ǣ�0day��ʲô��ù��Щ0day��

��ǧ��ٹ֣��лش�0day��һ�ְ�ȫ��ģ�˵Ӧ��ù��ǵ��ˡ��Щ��ԵĻ��϶��Ϣ��ȫרҵ�ģ��Լ��Ҫ��ʲô��һ��ҵ��

�ںϷʵ�ʱ��һ��Ů��ӣ��ǰ׾��δ��Ϣ��ȫ�е��һ�飿��˰��˵��ѧ�ɡ��ֻѧ��ѧ��Ҽ��׷�ʣ��о��ѧ��ʲô��أ��һ��µļ��㷨�𣿻��о��㷨�е�©��˾��Ҫ��о����ᶼ��ˡ�

��˾��ʲô��Ҫ�о��Լ��ѧ��Լ��Ҫʵ��һ��ȫ��Э��ʱ�򡣿�ϧ��Ļ��˾�ڵ��ָͷ�ܹ��ꡣ

��ڴ�ѧ��Ϣ��ȫרҵ��Ǳ��ƻ��о��ʿ��󲿷ֶ��ѧ��֤ɶ�ģ��˳ɹ��ҿ��һд�ʹ��չ��ܷ��õ��ϲŲ��Щ��ڡ��ĵ��顣

��ԣ��ע��Ǽ��飬��鲻��ƾ��޹��ģ��ǿ��¥��Ҫ��̤ʵ�أ��͵�ס��į��ֻ��ѧУ��Χǽ��磬�Ż᲻��ã��֪��Լ��Ҫʲô��ѧ��ź��û�м��ߣ�ȴð��Ƿ��ȥ�˺ܶ�offer��ϰ��еط��ܣ��ѹأ��и�ȫ�ֵĿ��졣

��ĸУ��д����˷��ˡ��뿪ѧУʱ��޺޵�˵��һ��Ҫ��ȥ��ѧԺ�¸ǵĴ�¥��˻�ȥ��Թ��Ѿ��ˡ� �Ķ�ȫ��
����а� �鿴��

У԰��Ƹ��ʱ

aullik5 — 2009-10-21 17:36

09��У԰��Ƹ��ݱ��չ��һЩͬ��Ѿ��˺�Щ�ط��ˣ��ֵ��ҵǳ��ˣ�

��쿪ʼ��10��Ҫշת�Ϸʡ��ݡ��ϵ�5��У��ȱ鲼��й��

ϣ��ܷ��һЩ��Ǳ��ˣ�Ҳϣ��־��ϰ�ȫ��·�Ĵ�ѧ��Ͷ��ǵļ��

��Ͱͣ��й��Ƽ��޹�˾��Ϣ��ȫ��ְλ��ǵ��Ŷ�Խ��Խ׳��!

�᳡��λ��ڣ�

�й��Ƽ��ѧ
��ͨ��ѧ
��ɽ��ѧ
��ҵ��ѧ
ɽ��ѧ
�Ķ�ȫ��
����а� �鿴��

�Ƽ� OWASP - Transport Layer Protection Cheat Sheet

aullik5 — 2009-10-20 13:28

��һ�ݴ��㱣��Cheat Sheet

ʵ��Ҫ�� TLS ��ȷ��ָ��ԭ��ϸ�Ķ��һ�飬�ǳ��(ע��TLS 1.0 �� SSL 3.0 ��С)

Transport Layer Protection Cheat Sheet

�� SSL��ķǳ��࣬ǰ��õ�blackhat��Ͼ��ǳ��ʵ�talk��ⷽ��ҲԽ��Խ��ǵĹ�ע��Ԥ��ǣ��δ��ܳ�һ��ʱ��ڣ�SSL©��¡�

��ǽ��webӦ��У��ܶ༴�㲿��SSL��ڲ��Ա��SSL��TLS��ʶ�ϵĲ��㣬��˺ܶ�ȱ�ݣ��Ӷ��ڿ͹��Ŀ��ܡ��Cheat Sheet ��󣬴�ָ��Ե��˵����һ��հס�

��SSL��о��𲽽׶Σ��ܹ��ҵ��ĵ��󲿷ֶ��ǹ��ģ��ڵľ��д��Ե��о��ĵ��۹��û�п��

��OWASP�� Cheat Sheet д��Ƚ�ȫ�棬��Ǿ��ϸ�ڷ��滹�ǱȽ�Ƿȱ��ܶ��Կ��вֻ��Ե��һ�ʴ��Ҫ֪��ᵽ�ĺܶණ��Ҷ��ƪ��۵�paper��ָ��ԵĶ��վ�İ�ȫ��Ա��˵��Ƚ��в��Ҳ��Դ�Ϊƾ��ȥ˵��Ա�ı䰲ȫ��ԡ�

��Ϊ�˷��ʹ�ã��Ҽ�ע��һ��ƪCheat Sheet �ļ��rule��

Secure Server Design

Rule - Use TLS for All Login Pages and All Authenticated Pages

��TLS��е�¼��֤ҳ�棬��Ӧ�úܺ��⡣��rule�н��login��landing pageҲҪ��Ŀǰ�ܶ��վ��û��ġ�

�� http://login.xxx.com/login.html ��ҳ�棬��һ��ύ�� https://login.xxx.com/authCheck ȥ��֤�û��롣�� http://login.xxx.com/login.html Ҳ��Ҫ�ĳ� https://login.xxx.com/login.html ��Ϊ��ǶԿ��ߴ��login�� landing page ��𹥻�(��۸ĵ�)��Ӷ��ȡ��롣

Rule - Use TLS on Any Networks (External and Internal) Transmitting Sensitive Data

��Ϣ��ʹ��TLS��ܱ��
��ᵽ��Ҳһ��Ҫ��ܶలȫ�¼��Ǵ��ڲ��ġ�

Rule - Do Not Provide Non-TLS Pages for Secure Content

��ȫ��ݲ�Ҫ�ṩ�ǰ�ȫ��ҳ��
�� https://www.xxx.com/userdata ��һ��ҳ�棬��ҳ��Ӧ��Ϊֻ�� https��ʣ�� http://www.xxx.com/userdata��ô�Ϳ��ܱ��÷�httpsҳ��ȡ��ʵ��ݡ�

Ŀǰ��W3C�±�׼��ͨ��һ��HTTPͷ��ʽǿ�ƿͻ��ʹ��https��ĳ��µ��ҳ�棬�ܹ��𵽸��õı��ƹ��һ��׼��Ҫʱ�䣨��֧��¡��ռ��ʱ��ɱ��

��Բο�: ForceHTTPS �ı�׼

Rule - Do Not Perform Redirects from Non-TLS Page to TLS Login Page

�ض��м��˹��Ҳû��̫�õĽ��ڵ��վ��˵��ڿ��ԵĿ��ǣ�һЩ��Ҫҳ��δ��ܳ�һ��ʱ��ڻ��Ҫʹ��ض��ķ�ʽ.

�ο��һ��ļ��ɣ�Surf Jacking

Rule - Do Not Mix TLS and Non-TLS Content

ҳ��л��˷�https��ݵĻ��ܻ��DOMע��Ӷ�ʹ��https��ҳ��ܵ��в
��ֹ��Խ� mixed content ��

Rule - Use "Secure" Cookie Flag

cookie �� secure flag��Ա�֤��cookieֻ��https�·��͡��https��վ��cookieû�м��־��http��й¶��cookie��

ע�⹥��ֻ��Ҫ��Ϳ��ˣ��վ�㲻�ṩ��http��ʣ��Ҳ��cookie��ͳ��Ӷ��ܱ�sniffer��

Rule - Keep Sensitive Data Out of the URL

��Ϣ��Ҫ��url��
��Ҫ��һЩreferer�а��Ϣ��ܻ�й¶��Ϣ��
��֮ǰ��һƪblog��⣺anti-CSRF Token��ʱ��Ҫע��һ��
ֵ��ע��ǣ�� https ��http��referer�ǲ��ᷢ�͵ģ��ڰ�ȫԭ��referer�ķ��͡�
�� https �� https��Ȼ�ᷢ��referer

Server Certificate & Protocol Configuration

Rule - Use an Appropriate Certificate Authority for the Application's User Base

ʹ��һ��ҵ֤�飨��Ҫ��CAǩ��򣬱��VeriSign��Լ��ɵ��ᵯ��˵��ʶ��Ȼ֤��Ҳ��ã��֤��֮һ��֤��ܾͲ��ˡ��Ӷ�ʹ�õ��м��˹��л��ɳˡ�

Rule - Only Support Strong Cryptographic Ciphers

��ںܶ��վ�õ�֤�黹֧��㷨
��ķ��Բο��֮ǰд�ģ� SSL ��ǵ��
��200̨PS3�ƽ�MD5Ҳ��SSL�Ĺ��Ȥ�Ŀ��googleһ��

Rule - Only Support Strong Protocols

SSL 2.0 �Ѿ��α�֤��ȱ�ݣ��κ��¶��Ӧ��֧�֡�
�Ƽ�ʹ��TLS��Ƕ��汾��һ��Ҫ��

Rule - Use Strong Keys & Protect Them

��Ƽ�ʹ��2048bit��key

Rule - Use a Certificate That Supports All Available Domain Names

֤��Ҫ֧��е��Ϊ��ںܶ�CA��ǩ��֤��ʿ��˲��Ͻ��ֻҪ��ܹ�ǩ��֤��ˣ�ֱ��˹��ܹ��CA��һ�źϷ��֤�顣��ʹ��0�ֽڵȼ��ɸ��ǿ��ƭ��

�ο��BlackHat ��

Ŀǰ��Щ��Ҳ��ˡ�ͬʱ�Ƽ�ʹ�� EV ֤�飬��𵽸��õ�Ч��( ��ȻҲ�� )��

��Ƽ��ϸ�Ķ��ĵ��ָ��ԭ��ʵʩ��İ컵�£��ɱ��硣 �Ķ�ȫ��
���� 鿴��

��ĩȥ��˽��ҵ

aullik5 — 2009-10-19 12:13

MM��Ÿ���Ҳ��Ʊ��ȥ��ģ��ѵ�Ӱ��Ǻܸ��˵�ȥ��

��󣬷ǳ�ʧ��

�ⲿƬ�ĵĲ��һ��

��˵��ģ�

��쵼�˵��Ա��ݵķǳ��λ�ģ��ԡ��̬��

��ģ�
1. ӰƬ��ζŨ��
��ϵ�Ӱ��ǿ��ɡ��ʿ��һ�£�ӰƬ��֮һ��ʱ�䶼�ڳ����ص��飬��ô��ô�Ĳ��ס�

��ҵ��ͽ��ˣ��ô��ΪʲôҪѡȡ��أ�Ϊʲô��ٽ��ĸ��أ��뵽��ڵ�̨��ƣ��ζ���

2. ��ϸ�ڿ̻��Ĳ��λ��ζ��Ũ��벿�ֻ��ǲ��¼Ƭ��Сѧ��ˮ��
��ǰ�ĵ�Ӱ��䡷��Լ��ս�۵Ⱦ��ӰƬ��в��簡��

һ��ϸ�ڵ��ӣ��ʱ��ʯ��κ��ʵ��ͳ��ͳ��ͷǰ�и��֣��Ǵ��ͳ��ʵ�ʱ��Բ�˳��ʯ��Ļ��һ�С��ϸ��ڡ��䡷��֣��ֺ��Ҫϸ��ڡ��ҵ��ȱʧ��̫�࣬ʹ��Ӱ��

�Ҿ��ò��á��Ѹ��ǵ�ϸ�ڡ��Ϊ��ڡ��Ĵ��ĵ�Ӱ��ˣ�Ҳ�б��ֵĺܺõģ��ǡ��ҵ��ȫ�ĳ��һ��¼Ƭ��˺�벿��ִ��ֵĸ��԰ף��ϡȱ��

3. ��ҵ��ͷ
��ȷʵ�ܶ࣬�ܶ��׵Ĵ��󣬵�ҲΪ�˶��Ƴ��˺ܶ��ν��ڡ�

��˵��ΰ�ĳ�ʦ��ȥ��ɱ��е�ɿ�飬��һ��Ǹ��ɶ��빮�Ƕ��أ��˷�ʱ��.

�ܶ��ڶ��Ϊ��ĳ��¶��ƣ��û��ʲô��

��һ��϶��ǳ��ſ��ȥ�ģ��ӰƬ��Ҳ��ûʲô��ȥ��ע�ˡ�

�ӵ�Ӱ��˵��һ��Ǻܲ��ڳ��ϣ��ɹ��
�Ķ�ȫ��
����а� �鿴��

2009��ɽ��μ� -- ��ٲ�

aullik5 — 2009-10-10 11:17

�ڶ��ӽ��ݸ��ٷڡ�Ҫ��סһ��ڶ��ȥ��ٲ��

�ٷ��˼��ٽ��ˮ��˼��Ҳ��һ��ʷ�Ļ��̵ĳ��С��л�ͦ��ģ��о��̫ԭ��С��ࡣ��̫ԭ��Ҽ��ʡ��ڱȽ�С��ˣ�Ӧ�ú����С��

�ھ��ٷڲ�Զ��к鶴�أ��ʱ��Ǩ��Ǵ��ģ��Ϊ��Ԫ��ܶ�ʡ��˿�ϡ�٣��û��ˣ��ʱ��Ⱥ�ۼ��鶴��һ�ô��£�Ȼ��г�;Ǩ�㡣��˵��ںδ��ɽ��鶴��

��ǿŴ��ˣ��µ��ǵ��Щ��ȥ��档�Ҿ��ûɶ�ÿ��ģ��û��ȥ�ˡ�

�ٷ��б��ֻ��һ��Ң��Կ��Ң��ϻ�Ū�˸��л��ţ��Ҿ��ûɶ��˼��

Ң��Ǽ��л��Ң��ģ��Ϊ�ഫҢ�Ĳ��䵱��ٷڸ��ʼ��ʱ�ڣ��δ��ޡ�

�ҽ�ȥ��󻹰��˰ݡ��Ҳ��𣬲��ݷ��Ƕ��л��ȣ��ǻ��һ�ݾ��⡣

Ң��ļ��ͦ�ÿ��ģ��Ͷ��

�ڶ��ǰ��ٲ��ٲ��ٷ�170���뼪��45����ȥ��ٲ�Ҫ4��Сʱ��ң��ؾ�Ҫ��8��Сʱ��ֻ��һ��㡣��ٷ��˸��ٲ�һ��ε��ţ��ڶ��һ��

ǧ��ƺ�һ��գ��Ǻ��ڵ��ں��ٲ��ӵ�ͻȻ��խ��ͬʱ�γ�һ��ӽ�68�׵��ʹ�ú�ˮ��׳�ۡ��Ϊ��й����ŭ��ٲ��ˡ�

ɽ��Իƺ�Ϊ�ֽ��ߣ��Թۿ��ٲ�Ҳ��ԴӺ��ɽ��ߵľ�ɫҪ�ù��ġ��ǰ��Щ��˵ɽ��ȥ��ڵ�·��ߣ��Щ��ε��г̿��·��޵�ͦ�õģ��ǹ��ʡ��ܺ��·�Ѿ��޺��˰ɡ�

��ĺӹ�

��Ĺȵ��У�ˮ��Ʈ��һ��һ��ʱ��ܿ��ʺ�

�ƺ��

��ŭ�Ļƺ�

��˵��ȥ��ë��ʣ

�ƺ�Я��˴��ɳ��

��ҵĽ��

ǧ��ƺ�һ��գ�׳�գ�

�˵��ȥ��κ��Ŀ��

��һ��

��Ǵ��ջ��Ȼȥ��ں��ۣ�8��Сʱ�ĳ��̣��Ƕ��ú�ֵ��

�ڶ��ջ�̫ԭ�ú��Ϣ��׼��ȥ��ģ��Ʊ�̶�ʱ��ڴ�40�ǵ��70��ͬʱ��⻹�кܶ��Կ��ŷ��˽��ǣ��Ӱ��ǵ��ˣ�MMһŭ֮�£��;��ȥ��ˣ��Ҳû��ȥ�ɡ�

�ع��ɽ��У�շת��ǧ���о��ͦ�۵ġ�MM��α�Թ��ⲻ��Σ��Ҿ��´δ��ȥһ��ط��Ų��˯��졣

ȫ��Ž��70%��ɽ��ɽ��Դ��Ǻܷḻ�ġ��ɽ��Ǳ��ұ��֮�أ��˴��õĶദ�ż��ȱ��һ��⻷��ǳ��ʵ��Ϊ��л��ʵ�ľ��⣬�ǳ�ֵ��ϸϸƷζ��

��ɽ��ʡ��εĲ��ӣ��ܱ��ʩ��Ƿȱ��̵��Ӱ��ˡ��ֻ�ܰ�̾��̵ĻԻͺͷ�ǣ��Ѿ�һȥ��ˣ�

��ξֶ��״�в��ж��Ρ�ͬʱ��Ҷ��Ľ��Գ��Ϊ��ҵ��ı�Ҫ��µ��ʶ��

�Ķ�ȫ��
����κ� �鿴��

2009��ɽ��μ� -- ˫��£��Ҵ�Ժ

aullik5 — 2009-10-09 16:57

�ڶ��һ�磬��ƽң�ų�ȥ˫��¡�

��˵��ǣ��ƽң��ȥ˫��£��û��˫��¾��ų�ֻ��5���򳵻��ֳ��ȥ��

��Ǳ��˸��⳵��˾��˵��ȥ˫��²��˵��ģ�̫��ˣ��

��ز��ֻ�ó��Ҫ��20�飬5��

��˫��²�û��ʧ��ǹ��4A��ǹ�ģ��Ļ��Ҿ��Ϊ��н��5A��ʸ�

��ȥ�ĺ��磬��˺��٣��Ҳ��ˬ

˫��µ��֮��ĵ��ܣ��Ͷػ�Ī�߿��ơ��û�жػ��ϣ��͵��˼��š�

��ŭĿ

��ĸ��

��ǻ��

�йٺ�ʮ��

��

�ز��

��޺�

��޺�

��ɲ

��˫��³��׼��ȥ��Ҵ�Ժ

��ƽң��վ��ݡ�

��Ҵ�Ժ�ڽ��ݺ��ʯ��֮�䣬��ﶼ��ԡ��Ǻ��ǳ��û��ֱ��ʯ��

ɽ��Ҫ��˲ſ��ġ��ӳ�վ׼�㷢��˾��Ȼ��ͣ��һ��С��ϣ��ʼ��ͣ��ˣ��˲��ߡ�

��Ϊ�ⲿ��룬��˾��Ļ�ɫ��롣

�ò��ˣ��ˣ��ʡ��û�߶�ã��Ȼ�ᴩ��һ�κܲ��ߵ��·��ܵ��һ��ƽ�е�ͬ��ʡ��ϣ��ƶ��ҵ��뷨��ⲿ��ǲ��Ҫ��˰�ģ��Ѿ��ɽ��ͨ��һ��Ǳ��ˣ�

�Ƚ��ҳԾ��ǣ��;��ʿ��˸��ٺ󣬾�Ȼ��ͣ��¿͡��е��˾�վ�ڸ��ӱ��ϵȳ��飺�Ͻ��ڸ��ͣ��¿͡� ��̫��ˣ�

�ò��ܵ��˽��ݣ��˼ұ��ס��Ȼ��׼��ȥ��Ҵ�Ժ��й��ȥ��4��Ǯ��

̫ԭ��ҷǳ��һ��˵��ҳ�̫ԭ��峯��й��ٵģ��Բ��Ǽ��̼��ܱȣ�Ժ��ҲҪ��Щ��޵��С�Ǳ��

�Ҹ��˾��Ҵ�Ժ��ǼҴ�Ժ��ֵ��һ��

��Ժ��кܶ��棬��Σ��ȥ��䵼�Ρ��

��

ɽ��Ҥ��

�о��û��κ��ݻ��ʡ��̻��ɹ�ĸ����֮��ļ��ǳ��խ��Ĺ��Ҳ�ǳ����춼Ҫ��

��С��¥

��Ԣ��һЩʯ�̣��Ҿ�ѡһ��

��Ǹ�ǽ�ǣ��걳��ף�Ԣ�ⳤ�٣��й��˵ĵ��

��ڼ�

��й۾�̨��Զ��ɽ

��µĵ��űߵĸ�̨��̤��ʯ

Сͤ��Ի��հ��

��Ҵ�Ժ��Ҫ�ɸ߼��ºͺ��ű��ɣ��ͨ��ߣ��Ǹ�С�Ǳ�

��Ժ

��Һ��˼

��լ

̨��Ҳ��ô��£�Ԣ��ʲô�أ�

�ĺ�Ժ

�м��ǣ��

��

��в�θе�Ժ�䣬��ҽ��

��ǼҴ�Ժ��ˣ�

��Ҵ�Ժ��Ǻܲ�ˬ��顣

�ڴ�Ժ�ſ��ͻؽ��ݡ�һ�ѹ��ǣ��ų��Բ�ѷ��ɣ��ѹ�ο͡�

��ǲ��ǳ��ֵȹ��Ϊ��ʱ��ʹ��ˣ�˵��6�㡣

��Ǵ��뿪ʼ�ȣ�һֱ�ȵ��࣬��๫��˵��ˣ�Ҫ�ع�˾��

��ò��סһ��˾��ȥ��Ȼ˵��˽��۸�Ҫ��MM��ȥ��ۣ�6��Ž��࣬Ҫ��˾�ĵ绰Ͷ�ߣ��˾��Ȼ��ϸĿ�˵��ˣ��Ǻ��һЩ�˿Ͷ��³��MM��ͱ��ˣ�

��Ѱ˼�ţ��϶��Ǹ��˾˵��ù�˾�ĳ��˽�

��Щ��һ�ѹ��Ͷ��ģ��ͣ��̼��ǡ��Ҳ��ӵ�һ��¼��ֱ��Ӱ��Ǻ��ˡ�
�Ķ�ȫ��
����κ� �鿴��

2009��ɽ��μ� -- �ǼҴ�Ժ��ƽң�ų�

aullik5 — 2009-10-09 14:29

ɽ��Դ��ʵ��ͦ�ḻ�ģ��ϧʡ�ﲻ��ӣ��Ƕ�ȥ��ú�ˣ��ҵ��Щ��о��ģ��һ�½��д��

��ǰɽ��й��ʡ��Դϡȱ��ɽ��ú��˼ң�Ҳ��ԭ��ɡ�

��ι��Һ�MM�ٳ�δ�ܾ��ص㣬��Ϊ�մ�̩��˼��û�ջ��پ��ǲ��ȥ��ŵĵط��εĻ��ǩ֤Ҳ��ˡ��ڼ��ѡ�ĵط��棬��ȥѡ��ɽ��Ϊ��ų��Ҫ��ߵġ�

��֤��ɽ��ε��ȷʵҪ�õ㣬·�Ͻ�ͨ��ӵ��Ƶ�ҲԶû��ɡ��Ǿ��Ȼ�࣬��ɽ��ͺӱ��ˣ��Ϊ��

ɽ��Ҫ��ξ��ô��
��̨ɽ��ɽ��Ƿ��ʤ�ء��ɽ��и��ͦ��˼�ġ�

��Źأ�Ӧ��ľ��

�Ƹ�ʯ�� -- ��Ļ��Ų�

̫ԭ�Ľ��

�ǼҴ�Ժ��Ҵ�Ժ��ׯ԰��ء�ƽң��լ��й��Ŵ��լ�Ļ�걾��

ƽң�ų� -- �й��һ��ųǣ��Ƕ��Ŷ��Ļ��Ų�

��ٲ� -- ��

̫��ɽ��Ͽ�� -- ��Ϲ��й��ҵ��Ϊ�й��ʮ��Ͽ��֮һ

��ʱ��ϵ��ֻѡ��ߣ��˱��ߡ��Ƹ�ʯ�ߡ��̨ɽ��ɽ��ר��լ��ųǡ��ڡ�

��˰��ػ�Ʊ��л��5000��ҡ�

10.1��Ϊ��Ҫ��ı�ʽ��Զ��Ļ�Ʊ��ϵ�̫ԭ��Ѿ��ˡ��ھƵ긽��С�͹ݺ��ǳ��㰡��ǿ��Ƽ�֮��

��ڵ��ҷ��ô�Ƽ��ǰ�ڱ��ѧ��ʳҲ�Եúܶ࣬��򵥣��ѣ��ҳԹߴ��׵��Ϸ��һ�㲻��ϰ�ߵģ�

�ڶ��ֱ��ǰ��ǼҴ�Ժ��̫ԭ�Ľ��վ��;��ͣ��ص�Ʊ��˾��˵��ǼҴ�Ժ��ˡ��ǼҴ�Ժ��·�ߣ��ǳ��Ǹ��ط��Ǽұ��

��ǼҴ�ԺҲ��ɽ�˺��Ͼ��Ƚϳ��Ϊ��ı��ˡ��߸߹ҡ��ȡ�⾰��硶��С��޸��վ��Ժ��һĻ��Ҳ��ĵġ�

�Ǽ��ɽ��Ĵ󸻻��ǹ��ڳ�ȥ��⿪ʼ��ǰ��ˣ��ȫ��

��Ϫ̫��뱱��ʱ��·��ɽ��Ǽҽ�Ǯ��һ��30��Ҳû��͸��յ�ƵƵ�ծ��

��ǵ�Ļ�Ŷ��ʱ�Ǽҵ��ѧ��Ϊ�˽��Ҫ�Ͻ��۽磬��˸��й��ʱû�еĻ��

��Ǻܶ�Ϸ��õ��˵��⾰��

��һ��

��ǼҴ�Ժ��˸��һ�ѹ��ϸ�ƽң�ųǡ�

��ڱ��ƽң�ųǣ��Ҫ��Ľ��Ҫ��ĳ�ǽ��á��й��һ��Ʊ�ţ��ھֲ��ݵȵȡ�

��һ��ŵĹųǣ��Ϊ��滹ס�ˣ�

��Ҫ��ڳ��ĵļ��ϡ�

��Ľ��ȷʵ��ţ��鲼ȫ��˵��й���ĵط��̻��壬���صġ��ϧ��춼�Ѿ�û��ˡ��Ȥ�Ŀ��Կ��ɢ�ġ��ɽ��

�ھ�Ŷ��ָ��ֳ�û��䣡��

��䳡

�ųǵĽֵ��ѽ��

¥��

��￴Ϸ

��ú�Ժ��Ĵ��

��

��̫ү�Է��ĵط��Ҥ��湩��ӡ��

�ų�

��Ľֵ�

�ϳ�ǽ(Ϊ�˻�ԭ��ɫ��΢��£��)

��ڳ�ǽ�ϣ��ϡ

Ϧ��޺ã��

��ں��Ǿͻص��ùݡ��ùݾ��ƽң��С��Ŀ�ջû��ô�࣬�۸�ҲҪ��ܶ࣬MMһֱΪ��߷߲�ƽ�� Ķ�ȫ��
����κ� �鿴��

�Ҽ��õĹ��Linux Kernel��ָ��õķ��(CVE-2009-2695)

aullik5 — 2009-09-30 10:26

CVE-2009-2695
��ʵӦ��ָһЩ��ÿ�ָ��ķ��ƹ�SELinux��SELinuxû��

The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs.

ǰ��ʱ��Ǹ��з��linux kernel null pointer©��˺�һ��ʱ�䡣

��쿴��cnbeta��һƪ�ܲ��ķ��

��һ�£�ԭ��Ƿ��Ӣ�İ汾

Fun with NULL pointers, part 1

Fun with NULL pointers, part 2

��й��GCC��Ƕ�˵��ܹ��ĳ��ţ��blog��д��ת�۾͸�ɾ�ˣ��ǵ�planet��ץ��ͷ��ϧһֱ��Ե�ÿ��ݵ��ƪ��Ҫ�ᵽ��⡣

"This is where the next interesting step in the chain of failures happens: the GCC compiler will, by default, optimize the NULL test out. The reasoning is that, since the pointer has already been dereferenced (and has not been changed), it cannot be NULL. So there is no point in checking it. "

��İ棺
"��һϵ�д��е��һ��GCC��ȱʡ��Ż�� NULL �ĳ��׼��顣ԭ��ڣ��Ϊ��ָ��Ѿ��ù��ˣ��Ҳʲô��û�� NULL��ԣ�û��ȥ��ˡ�"
�Ķ�ȫ��
���� 鿴��

2009�ռ��μ� -- Phi Phi Islands

aullik5 — 2009-09-28 10:55

��һ��ռ��(Phuket)��ò��h��ǲ��ġ�

��ڶ��ȥ��Phi Phi Islands, �� "ƤƤ��"��˽��ϲ��ƨƨ��

Phi Phi Islands ��Ҫ��С��ɣ��Ľ� Phi Phi Don, С�Ľ� Phi Phi Ley

��ɶ�ĵ�Ӱ��The Beach��СPP��ĵġ�

��Phuket��Phi Phi��ͧ��Ҫ��һ��Сʱ��˽��Сʱ

�ڴ�ͷ�˷��ˣ�Զ��Phi Phi Islands

��Ƿǳ��ΰ��ͧ��Ƕ��£��Ի��Ժõ㡣

��ǽ��Phi Phi Don��סһ��

�ȳ˴��Phi Phi Ley��ת��ת��Ȼ��С��ǰ��Phi Phi Don

һ·�Ͽ��Խ��Ӵ��Phi Phi Islands ��ã��Ŵ��ԭʼɭ�֡�

С��˰��ߵĺ�̫ǳ�ˣ��ٻ�һ�γ�β��long tail boat��ܵ��ȥ

�쵽��ǵľƵ��ˣ��!

��ڳ�β��ʻ��Ƶ꣬ע�⣬��ĺ�ˮ��Ϊ��ǳ��Ǳ��̣��峺��ף��

�ȵ��ˣ��̲�ס��е��ȿ�ʼ��С��ĺ��ɳ̲��ֻ�ڵ�Ӱ�м��ģ��

�ޱ��峺�ĺ�ˮ��ϸϸ�İ�ɳ��ʵ�Ҭ��а��Ǳ��Ĳ��ݣ��Զ��С��ϣ�һ�ж��ô��г��

�ϵ��ߵľƵ�check in��΢Ц�Ÿ��ǵ��һ��ˬ�ڵ�Ҭ��ɳ��

�˿��õ�һ��patong��ֱ��˷�ʱ�䣬��Ҫ�ĺ�̲��ǵļ��ڣ��

ɳ̲��Ҭ��β��~!

��΢��ڵ㻹��ɳ̲��ĳ��Ŷ

��еĲ��

��׼��ֱ�ӳ��ȥ��Ǳ��⼸��Phi Phi Islands�ı�ѡ��Ŀ

��Ǹ��ˮ�ϣ��Ǳˮ��ܣ��׵�ɺ��㡣

�кܶมǱ�ص�ɹ�ѡ��ð�һ��β��ȥ�棬��ÿ��6��

ȥ��Ǳ�ˣ��

�Ӵ��ˮ��ģ��峺��װ��

��һ��

��кܶ��ɫ�ĳ��̵ĺ��˿ɲ��Ǻ��ģ��ô��롣

ĳ��ڸ�Ǳ

�㲻��Χ��ת��һȺһȺ��㣬��ʱ��ҧ��Ŷ��

�ƻ裬�˳��ĺ�̲��

��ס��Ŷ��һ��סһ��ӣ��ٺ٣��ݻ��ʰ��

��ȥ��˼�ֻTiger Prawns, �о��Ϻζ��ã��̩��ʺϳ�Prawns(��Ϻ)

��극��ں�̲��׽�з�棬��ö��з��Ϻ�ˮһ�ǳ��Ͷ��ϰ��ˣ��ܵ��졣

��ǻ��˺ü�ֻ�ľ�з��д��С��ǳ��˼��ϧ��ĵĺܲ��

��죬�ȴ��糿

��ڵ��ϵ��Ӿ��ˮ��һ��ĺ�ˮŶ��ݵ�ˮ

��Ǻܱ��ţ�ϲ��ɹ�չ�ԡ��۸��

֮��ڴ��ñ��ϵĿ��ȹ��˱��ȣ��check out

��һ·��patong��patong�ٴ�һ��󣬾��̻ع��ˡ�

�ع��thailand֮�У��ӡ��ģ��Phi Phi Islands �ϵĺ�ˮ��Ҭ��ɳ��ݣ��Զ��ɳ̲ʱ�ļ��顣

Ҳ��ź��Phi Phi Ley��Maya Bay�ǳ��Ҳ��ʱ��ϵ��Ծ�ûȥ�ˡ�

Ҳ��ڴ��ڴ�δ��֮�У��ڴ��޵�Ǳˮ֮�ã�

Phuket, һ��ĵط��һ��ٴ��ģ�� Ķ�ȫ��
����κ� �鿴��

2009�ռ��μ� -- patong

aullik5 — 2009-09-27 22:33

��γ��ڲ��outing��ʣ��ɲ��ŵĻ�ѳ�һ��֣�ʣ�µ��Լ��

��Я��϶��˸��ռ��У��Ҫ�ǰ��˻�Ʊ��Ƶꡢ�Լ��;��һЩ��ͣ��Ʊ�ȡ�

Я�̵��ģʽ��Ǻܲ��ģ��Ƶꡢ·;��Щ��鷳�İ��ʣ�µľ��ǹ��ͳԵĻ��ˣ��ǳ��ɡ�

9.19�ţ��Ǵ��Ϻ��ֶ��ʻ��ֱ��ȣ�Ȼ��ת��ռ��

��ǵķɻ��̩��ĺ��࣬˫��

�·ɻ��Ȼ��жһ��ĳ��RMB�Ļ��ֻ��4��Ҫ֪��ڹ��й��п��Զһ��4.9��Ժܲ��㡣��ʵ�ϣ��̩��Ľ��Ҳ��ܶһ��4.2��4.3��ң��ܹ��ҵ�Щ��С�

��ڹ��ڵ��й��а�RMB�һ��Ԫ��Ԫ�һ��̩��Ծͺܻ��ˡ��Ԫ��32�࣬��33��ˮ�ֲ��

̩��ų��800��ڶ��ҲΨһû��ֳ��Ĺ��ҡ��ҵĸо��Ӣ��Ӱ�컹�Ƿǳ��ġ�Ӣ��ǳ�ͨ�ã��˵Ӣ��ˡ��Ҳ��˵��ġ�

��Ĺ�·��ǿ��еģ��ķ��Ҳ��ұߣ��Ӣ��һ��

��ǵ��ռ��ľƵ�ס��ʱ�Ѿ��賿2��~~~

��ס�� Surin Beach �� Courtyard Hotel��֪��Ǽ��Ǻܲ��ġ�

�Ժ��˯��һ��ڶ��һ��ȥ��Ƶ�һ��·�� Surin Beach �ˣ��һ��С��̲��˲��~~

ת��ת�ͻؾƵ��緹�ˡ�

��һ��ģ��Ϊ��ĺ��࣬�еĻ��в�007��Ӱ��⸽��ĵģ��и��ͱ��Ϊ��µ��

��Ҫ��ǰԤ��ǵ��г��е��ͻ��ûȥ�ˣ��ȥ�Ͷ��̲�档

˵��ռ����ľ��ǰͶ��̲�� (Patong)

��кܶ�ͬ��ưɣ��Ҳ�ܶ࣬��һ�ȳ��Ҫ��Щ�ˡ�

��˸��ص��ཱི��С��װ6-7��˵ģ�ֱ��ص��patong��

��˾��̫��ˣ��˶��һ��ҵ��ƺ��ѣ�

��ǻ��400̩��surin��patong��˾��ô�뺷��ٶȣ��Ȼ��˲��Сʱ��۸񲻵�RMB100��Թ��ڲ�ࡣ

��ĵ�

��ǵ��patong��ֱ��̲��ĺ�̲��㲻��ܶ�ŷ��ˮ��չ�ԡ��

��̲��Ӻ�ɡֻҪ50̩��ʲôʱ��뿪�Է��Ҫ��˻��Լ��ǵ�ʱ��ˣ��100̩��֪��Ҳ��10��RMB��20��RMB��Ҳû̫��ȥ��

��Ϸˮ��ã��ܺȵ��ʵ�Ҭ�ӣ��Ұ��ˮ��ˣ�̫��ˣ�fresh coconut!

�ţ��м��һ�һֱ��͵�ĸ��ڵ�һ��ʵ��Ů��gf��ž�Ȼ��𾢵ġ�Ů�˶��ŮҲ��Ȥ�ܴ󰡣��˵��Ż��Ǹ��Ů��·�ȫ��̸��ˣ�

�ٿ��û��һ��

��ڸ��shopping mall��˼�̩ʽ�͹ݣ��MK�ģ��۸��Ըߡ�

��ĵ��ͦ��˼��

��larry��suddyȥ��spa��̩ʽ��Ħ�ˣ��Ǿ�ȥ��˹�֣�Ȼ��ȥpatong beach��˯��ˮȥ�ˡ�

��Ͽ��Ҭ��~~

�ܶ��߿ջ��ˮ��Ħ�У��һ��˯��һ�߿��õ�һ��

ҹ��patong��Ŀ�ʼ

��˼ҳԺ��ʵĵط��ں�̲��ϣ��patong seafood��ڴ��˺þõ��Ϻ

��Ϻ��Ǻܹ�~~~#_#

��yikai˵̩��ůˮ��Ϻ,��,Ҫ��ˮ��Ϻ�Ŵ�ÿ�굽�˲��񼾽ں�ȥ��г��ϺӦ��˵ġ�

��Է��̩��һ�㶼��ǧ�ģ��

̩��ܶ��̣��Ҳ��ϲ��ǹ��˹��ͽ��Ҳ��¡�

˫�ֺ�ʲ��ʾ�ʺã�̩��һ�㶼��к��̩��΢Ц֮��˶��΢Ц��ˣ�Ц��Ҳ�ܺÿ��ˡ�ȭ�ԡ��ɵС��Ц��ԭ��ˣ�

��ҲҪ��ˣ�

Ȼ��Ǿͻص��˾Ƶ��Ϣ��׼��ʼ�ڶ��г�~~~

ע��
��ɹ��һ��Ҫ50��ϵĲ��ã��򵽵Ļ��̩��صı��ꡢ��ж��
�ȴ��Ǳȹ��ˣ��ǿ��ر��һ��Ҫ��ɹ�ͣ��Ҫ�г�ǿ��Ҹо��ȸ�ԭ��ɹ��

�Ķ�ȫ��
����κ� �鿴��

ForceHTTPS �ı�׼

aullik5 — 2009-09-25 14:10

ǰ��harry��ҽ�paypal��ƶ�һ��һ��http��header��ĳ��վֻ��https��ʣ��http��ʡ�

��ȼٻ��һ��Ѿ��

http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html#strict-transport-security-http-response-header-field

paypal �ƶ��ʼ��

http://www.webappsec.org/lists/websecurity/archive/2009-09/msg00060.html

Ŀǰnoscript��Ѿ��˶Դ˵�֧�֣�chrome��֧�ֺ��Ҳ��ˡ�

ʵ��ϣ��response��һ��ͷ

The ABNF [RFC2616] syntax for the Strict-Transport-Security HTTP Response Header field is:

Strict-Transport-Security = 
        "Strict-Transport-Security" ":" "max-age" "=" delta-seconds [ ";" "includeSubDomains" ]

max-age specifies the number of seconds the UA should remember receipt of this header field from this server. The delta-seconds production is specified in [RFC2616].

includeSubDomains is a flag which, if present, signals to the UA that the STS Policy applies to this STS Server as well as any subdomains of the server's FQDN.

֧��ܵĿͻ��˾�֪��վ��ֻ��https��ˡ��κ�http�ķ��ʶ��ᱻת��https��

��ܶ԰�ȫҪ��ߵ�վ�㣬��к�֧��վ��˵��Ƿǳ��

��Ϊ֮ǰ�ܶ��https�Ĺ��ͬ��https��ҳ��http��һ�� mixed content �Ĺ�� Բο� blackhat2009 �� alex androv ��ƪ��£��Ӷ��һЩ��в��ʹ��httpͷ֮�󣬾Ϳ��Զž��๥��ˡ��ȻҪ��֧�ֲ��С�

�մ�̩��ȼٹ��Ƚ϶࣬�һᾡ��μǲ��˵�Ķԣ��ҿ϶��д�μǵģ�
�Ķ�ȫ��
���� 鿴��

��������Ʒ���

2009�����μ�

�Ա���ֱͨ��