Web Application Security - (II) Top 10 Web Security Threats of 2010

TOP 1: A1 – Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Injection attacks, such as SQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The malicious data sent by the attacker can trick the interpreter into executing unintended commands or accessing unauthorized data.
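The SQL case described above, as an added example that is not part of the original post: a query built by string concatenation is compared with the same lookup using a bound parameter, against a constructed in-memory SQLite table. Only the concatenated version lets the input change the shape of the query.

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny in-memory user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret"), ("carol", "c-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Untrusted input spliced into the query text: the interpreter cannot
    tell where the data ends and the command begins."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Bound parameter: the value reaches the engine as data and is never
    re-parsed as SQL, whatever characters it contains."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: closes the quoted string and appends a tautology,
    # so the concatenated WHERE clause matches every row.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The parameterized lookup with the hostile value simply finds no user named `' OR '1'='1`, which is the behaviour the page's mitigation advice relies on.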


TOP 2: A2 – Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Cross-site scripting (XSS) occurs when an application includes or carries untrusted data and sends it to the browser without proper validation. XSS allows attackers to execute script in the victim’s browser, so the attacker can hijack user sessions, deface the website, or redirect the user to malicious sites.


TOP 3: A3 – Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users’ identities.

Application functions are often tied to authentication and session management, yet they are frequently not implemented correctly, allowing attackers to steal passwords, keys and session tokens, or to impersonate other users.


Appendix: OWASP TOP 10 for 2010:
A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards (NEW)
A9 – Insecure Cryptographic Storage
A10 – Insufficient Transport Layer Protection


