A command-line trick: finding huge files
Find the huge files under a directory
dir /S /-C /A | ggrep -P " \d{9,} (?!bytes)"
This command prints every file larger than 100M in the current directory and its subdirectories: /-C drops the thousands separators, so a size of nine or more digits is at least 100M, and the (?!bytes) lookahead skips the summary line. The \d class and the lookahead are Perl syntax, so ggrep needs -P.
See also:
ggrep: http://dir.filewatcher.com/d/OpenBSD/3.4/powerpc/ggrep-2.5.1.tgz.124943.html
Regular expressions: Regular Expression
Took an online training and jotted down some notes:
Security Attacks (web vulnerabilities)
Cross-site scripting
Name=what
Execute arbitrary JS code
Read another restricted page
Steal cookies
JavaScript (Ajax) could also cause the problem
Canonicalization
Damage: ././TEST, TEST::$DATA
If you only check for "TEST" then you lose
SQL Injection
Name=what' or 1, then xxx
Name=';'drop xxx;shutdown';
HTTP response splitting
Item=3120%0d%0atest
Cross-site request forgery
http://twitter.com/sendmessage/{{msg}}
ActiveX
No security at all; it could damage the computer itself!
Mitigation (defending against attacks)
Limitations:
HTTP Referer validation: blocks normal use, and the Referer header can be modified
ASP.NET ValidateRequest: MS07-040
Client-side validation: can be bypassed
String replacement:
HTTP POST: a POST can be simulated from another web page
Best practices:
Input validation: allow lists instead of block lists (Django URL mapping)
Authenticate and authorize
Trusted IP filtering
HTML encoding (escaping)
AntiXSS
CSRF: include a unique page-specific token in all URL links and forms sent to the user
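The best practices above, as an added example that is not part of the training or the original post: a small Python module (assumed function names, constructed allow-list policy) showing allow-list validation beside the block-list check the canonicalization note warns about, HTML encoding, a CR/LF check for the response-splitting input, and a page-specific HMAC CSRF token.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import unquote

# Allow list for a "Name" parameter (constructed policy): letters, digits, underscore only.
NAME_ALLOWED = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def name_is_valid(value: str) -> bool:
    """Allow-list check: rejects SQLi/XSS payloads and un-canonical names alike."""
    return NAME_ALLOWED.fullmatch(value) is not None


def blocklist_name_check(value: str) -> bool:
    """The losing approach from the notes: only the literal 'TEST' is denied,
    so ././TEST and TEST::$DATA sail through."""
    return value != "TEST"


def html_encode(value: str) -> str:
    """HTML-encode untrusted text before echoing it into a page (XSS mitigation)."""
    return html.escape(value, quote=True)


def header_value_is_safe(raw_query_value: str) -> bool:
    """Decode a query parameter and refuse CR/LF so it cannot split the response."""
    decoded = unquote(raw_query_value)
    return "\r" not in decoded and "\n" not in decoded


def csrf_token(secret: bytes, session_id: str, page: str) -> str:
    """Page-specific token: HMAC-SHA256 over the session id and the page it belongs to."""
    msg = f"{session_id}|{page}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def csrf_token_is_valid(secret: bytes, session_id: str, page: str, presented: str) -> bool:
    """Constant-time comparison of the presented token against the expected one."""
    return hmac.compare_digest(csrf_token(secret, session_id, page), presented)


if __name__ == "__main__":
    # Inputs taken from the notes above; the secret and session id are constructed.
    for name in ("what", "what' or 1", "././TEST", "TEST::$DATA"):
        print(f"{name!r}: allow-list={name_is_valid(name)} block-list={blocklist_name_check(name)}")
    print(html_encode("<script>"))
    print(header_value_is_safe("3120%0d%0atest"))
    tok = csrf_token(b"server-secret", "sess1", "/sendmessage")
    print(csrf_token_is_valid(b"server-secret", "sess1", "/other", tok))
```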
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
http://www.owasp.org/index.php/Cross-site-scripting
http://www.webappsec.org/projects/whid/
http://www.cgisecurity.com/csrf-faq.html
Twitter has recently become unreachable directly, and editing the hosts file no longer helps, but if you prepared in advance, getting to Twitter is still very simple and direct.
1. Try http://dabr.co.uk, which has a friendly interface,
2. Dabr, mentioned above, is actually open source, so anyone with their own server can set it up, for example:
@scavin (小众软件): http://t.appinn.com/
@Sofish: http://g.happinesz.cn/
Also 1: Set up a private mobile Twitter with Dabr
Also 2: How to access Twitter now?
3. You can also tweet straight from Gmail; see 望月's blog for the details: In a few simple steps, turn your Gmail into Twitter
PS: A baby recently arrived in the family, and I spend every day playing with the little one, too happy to think about blogging…