用河流和各方解释安全漏洞 (Security Vulnerabilities Explained with Rivers and Parties)

Security vulnerabilities can be boring to learn. But you still need to learn them, unless you want some hacker to delete all your production databases. To make it a bit more entertaining, I tried to explain 3 major vulnerabilities in terms of every day life. So without further delay let’s begin.

安全漏洞可能很无聊。但是，除非您希望某些黑客删除所有生产数据库，否则您仍然需要学习它们。为了使它更具娱乐性，我尝试从日常生活的角度来解释3个主要漏洞。因此，让我们立即开始吧。

中间人攻击 (Man-in-the-middle attack)

When you open a website you are connecting to a server. You can imagine this connection like a river and the data (for example Tweets in Twitter) are messages in bottles that float down the river.

当您打开网站时，您正在连接到服务器。您可以想象这种连接就像一条河，而数据(例如Twitter中的Tweets)是漂浮在河中的瓶子中的消息。

If Alex (the server) wants to send you a dinner invitation he has to put it in a bottle and send it down the stream. But what if John (the attacker) takes the bottle out of the river and changes the message into an insult, then puts it back in the river? You will have no way of recognizing that the message you received hadn’t been sent by the Alex!

如果Alex(服务器)想要向您发送晚餐邀请，则必须将其放入瓶中并沿流发送。但是，如果约翰(攻击者)将瓶子从河里拿出来并将消息变成侮辱，然后又把它放回河里怎么办？您将无法识别Alex并未发送您收到的消息！

This is called a Man-in-the-middle attack.

这称为中间人攻击 。

To solve this you and Alex can decide that you will write your messages reversing the order of the characters. For example, secret message becomes egassem terces.

为了解决这个问题，您和Alex可以决定您将反转字符顺序编写消息。例如， 秘密消息变成egassem字符串 。

John doesn’t know the method you used to generate the secret code, so he can’t understand what the message says nor change what’s written on it without you noticing.

John不知道您用来生成密码的方法，因此，在您不注意的情况下，他无法理解消息内容，也无法更改消息内容。

This is what the HTTPS protocol does, just with a fancier method.

这就是HTTPS协议所做的，只是采用了一种更高级的方法。

DoS和DDoS (DoS and DDoS)

Another way you can see a server is like your home’s Inbox. You receive mail, read them and reply.

您可以看到服务器的另一种方式是在家中的收件箱。您收到邮件，阅读并回复。

What if John starts to write you a ton of mail? You wouldn’t be able to respond to Alex’s dinner invitation in time, because you would be too busy replying to all the other Spam messages sent by John.

如果约翰开始给您写很多邮件怎么办？您将无法及时回复Alex的晚餐邀请，因为您将太忙于答复John发送的所有其他垃圾邮件。

This is called a Denial-of-service attack, DoS in short.

简称为拒绝服务攻击 (DoS)。

A way to mitigate this is reading the sender on top of the mail before opening it. If it’s John then don’t bother opening the mail. This way you don’t need to reply to John and can focus on handling serious stuff, like Alex’s dinner invitation.

减轻这种情况的一种方法是在打开邮件之前先在邮件顶部阅读发件人。如果是约翰，那就不用费心打开邮件了。这样，您无需回复John，而可以专注于处理严肃的事情，例如Alex的晚餐邀请。

This is IP Blacklisting in a nutshell, only with digital sender internet protocol addresses.

简而言之，这是IP黑名单 ，仅包含数字发送者Internet协议地址。

Unfortunately John convinced a lot of other evil people to send you Spam mails. So now you can’t simply discard John’s mails, because there are lots of people writing you.

不幸的是，约翰说服了许多其他邪恶的人向您发送垃圾邮件。因此，现在您不能简单地丢弃John的邮件，因为有很多人在给您写信。

This is a Distributed Denial of Service (DDoS) and it’s very hard to deal with.

这是一种分布式拒绝服务(DDoS) ，很难处理。

One way to handle this is to receive mail only from Alex. It’s unfortunate that your other friends won’t be able to write you, because you will discard their emails too. But desperate times call for desperate measures. But gradually, you can increase the number of legitimate people you’d like to receive mail from.

一种解决方法是仅接收来自Alex的邮件。不幸的是您的其他朋友无法写信给您，因为您也将丢弃他们的电子邮件。但是，绝望的时代要求采取绝望的措施。但逐渐地，您可以增加想要接收邮件的合法人员的数量。

This is called IP Whitelisting and can be used to mitigate the impact of a DDoS attack, but it’s not a perfect solution.

这称为IP白名单 ，可用于减轻DDoS攻击的影响，但这不是一个完美的解决方案。

DDoS attacks are hard to deal with, luckily they are also hard to organize, because you need a lot of people helping you. But with attackers leveraging vulnerable IOT devices, misconfigured servers and DDoS-for-hire services to launch DDoS attacks, it is becoming very easy to launch such attacks.

DDoS攻击难以应对，幸运的是，它们也难以组织，因为您需要很多人的帮助。但是，随着攻击者利用易受攻击的物联网设备，配置错误的服务器和DDoS租用服务发起DDoS攻击，发起此类攻击变得非常容易。

注射 (Injection)

Let’s say that Alex decided that he will organize a party with some friends. He prepared a template invitation:

假设亚历克斯决定与一些朋友一起组织一个聚会。他准备了一个模板邀请：

Next Saturday I’m throwing a party, wanna come? If possible bring some [blank space left for food item here].
下周六我要举行一个聚会，想参加吗？如果可能的话，请带些[在此处留出空白的食物]。

He also decided to take suggestions for the food, so he left a suggestion box in the school’s cafeteria. Then he mindlessly copied one suggestion from the box in the blank space left on each invitation.

他还决定对食物提出建议，因此他在学校食堂里放了一个建议箱。然后，他无意中从每个邀请的空白处的框中复制了一个建议。

These were the suggestions:

这些是建议：

coke
可乐
chips
筹码
pasta
意大利面
oranges. I also wanted to tell you that Rick is dumb
橘子。我也想告诉你里克很笨

You see what’s going on here? A friend of Tom’s will receive this message

你知道这里发生了什么吗？汤姆的朋友将收到此消息

Next Saturday I’m throwing a party, wanna come? If possible bring some oranges. I also wanted to tell you that Rick is dumb.
下周六我要举行一个聚会，想参加吗？如果可能，带些橘子。我还想告诉你里克很蠢。

Tom’s friend will think that the whole message was written by Tom including the part regarding Rick! The guy who left the food suggestion (I think we know his name) just injected a message in Alex’s invitation.

汤姆的朋友会认为整个消息是汤姆写的，包括有关里克的部分！谁留下的食物的建议(我想我们知道他的名字)那家伙就注入亚历克斯的邀请的消息。

To avoid injection all together simply validate (in technical lingo escape) what you are accepting from a user when it doesn’t come from a trusted source.

要避免一起注入，只需验证(以技术术语逃逸为准)当您从用户那里接受的内容不是来自可信来源时。