Quali aspetti di sicurezza devono considerare i siti di valutazione online? [chiuso]

1

Quando costruisci un sito di valutazione online che consente agli studenti di sostenere l'esame tramite i propri dispositivi (ma sono tutti nella stessa stanza durante l'esame), che tipo di vulnerabilità di sicurezza deve considerare il sito di valutazione online?

Ho bisogno di un elenco di alcuni possibili problemi di sicurezza, atti di truffa, ecc. da considerare. Ad esempio, per motivi di denaro, uno studente A viene pagato da un altro studente B per accedere con le credenziali di B e per fare l'esame.

Anche come evitare che ogni problema accada!

    
posta Artificial Stupidity 08.07.2017 - 10:03
fonte

1 risposta

1

I need a list of some possible security issues

Potrebbe essere quasi qualsiasi cosa su questo elenco . Solo per selezionare alcuni dalla lista dei dieci migliori su owasp:

  • Injection -

    Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  • Autenticazione e gestione delle sessioni interrotte -

    Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws.

  • Cross-Site Scripting (XSS) -

    XSS can occur whenever an application accepts untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

  • Controllo accesso interrotto -

    Restrictions on what authenticated users are allowed to do are not always properly enforced. Attackers can exploit these flaws to access unauthorized functionality and data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.

  • Configurazione errata della sicurezza -

    Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

  • Esposizione dati sensibili -

    Many web applications and APIs do not properly protect sensitive data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

  • Protezione da attacchi insufficienti -

    The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks.

  • Falsificazione richiesta tra siti (CSRF) -

    A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. Such an attack allows the attacker to force a victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

  • Utilizzo di componenti con vulnerabilità note -

    Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

  • API Underprotected -

    Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.

Penso che i principali su cui dovresti concentrarti siano injection e cross site scripting .

    
risposta data 08.07.2017 - 18:34
fonte

Leggi altre domande sui tag