Application Threat Categories (Threats by Application Vulnerability Category)

2020-10-09

Notes compiled from the classic MSDN security guide Improving Web Application Security: Threats and Countermeasures, covering its section "Threats by Application Vulnerability Category".


Threats by Application Vulnerability Category

Input Validation

  • Buffer overflow
  • Cross-site scripting (XSS)
  • SQL injection
  • Canonicalization issues

Authentication

  • Network eavesdropping
  • Brute force attacks
  • Dictionary attacks
  • Cookie replay attacks
  • Credential theft

Authorization

  • Elevation of privilege
  • Disclosure of confidential data
  • Data tampering
  • Luring attacks

Configuration Management

  • Unauthorized access to administration interfaces
  • Unauthorized access to configuration stores (config)
  • Retrieval of plaintext configuration secrets (config secrets)
  • Lack of individual accountability
  • Over-privileged process and service accounts

Sensitive Data

  • Access to sensitive data in storage
  • Network eavesdropping
  • Data tampering

Session Management

  • Session hijacking
  • Session replay
  • Man in the middle

Cryptography

  • Poor key generation or key management
  • Weak or custom encryption
  • Checksum spoofing

Parameter Manipulation

  • Query string manipulation
  • Form field manipulation
  • Cookie manipulation
  • HTTP header manipulation

Exception Management

  • Attacker reveals implementation details
  • Denial of service (DoS)

Auditing and Logging

  • User denies performing an operation
  • Attackers exploit an application without leaving a trace
  • Attackers cover their tracks

References

MSDN - Application Threats and Countermeasures