你见过的最糟糕的安全漏洞是什么?为了保护罪犯,限制细节可能是个好主意。

不管怎样,这里有一个关于如果你发现了安全漏洞该怎么办的问题,还有一个关于如果公司(似乎)没有回应该怎么办的问题。


当前回答

In the 1970's Stanford had IBM 2741 hardcopy terminals spread around campus networked to an IBM 360/67. Account passwords were three characters. During logon, the password prompt would overprint a three-position blob of about nine random uppercase characters, so the subsequently-typed password would supposedly be masked by the blob. However, everyone typed their passwords in lowercase, which were trivial to discern against the uppercase background blob. That meant you could usually walk up to any terminal, peruse the hardcopy typically left behind by the previous user, and easily logon with their account and password.

其他回答

一个在线文档管理器怎么样,它允许设置你能记住的所有安全权限……

直到你进入下载页面……download.aspx吗?documentId = 12345

是的,documentId是数据库ID(自动递增),您可以循环每个数字,任何人都可以获得所有公司文档。

当这个问题被提醒时,项目经理的回答是:好的,谢谢。但之前没有人注意到这一点,所以就让它保持现状吧。

前一段时间,JPG图像加载库的窗口存在安全漏洞。被电子邮件中的图像感染。消

Right at the start of the .com era, I was working for a large retailer overseas. We watched with great interest as our competitors launched an online store months before us. Of course, we went to try it out... and quickly realized that our shopping carts were getting mixed up. After playing with the query string a bit, we realized we could hijack each other's sessions. With good timing, you could change the delivery address but leave the payment method alone... all that after having filled the cart with your favorite items.

我所见过的最糟糕的漏洞是web应用程序中的一个漏洞,即提供空用户名和密码将以管理员身份登录。

曾经看到一扇门有人忘记锁门……

或者,看到一些JavaScript通过Ajax调用执行一些SQL。唯一的问题是,要运行的SQL与页面一起呈现,然后传递给服务…