應用程式風險分類 (Threats by Application Vulnerability Category)
2020-10-09
筆記整理 MSDN 經典資安教材Improving Web Application Security: Threats and Countermeasures中關於「應用程式風險分類」內容。
(Threats by Application Vulnerability Category)
輸入驗證
- 緩衝區溢位 Buffer overflow
- XSS, Cross-site scripting
- SQL injection
- 典範化問題 Canonicalization
身分驗證
- 網路竊聽 Network eavesdropping
- 暴力破解 Brute force attacks
- 字典窮舉 Dictionary attacks
- Cookie 重放攻擊 Cookie replay attacks
- 憑證竊取 Credential theft
授權
- Elevation of privilege
- Disclosure of confidential data
- Data tampering
- 引誘攻擊 Luring attacks
組態管理
- Unauthorized access to administration interfaces
- Unauthorized access to configuration stores (config)
- Retrieval of plaintext configuration secrets (config secrets)
- 缺乏個人歸責 Lack of individual accountability
- Over-privileged process and service accounts
機敏資料
- Access to sensitive data in storage
- 網路竊聽 Network Eavesdropping
- Data Tampering
會話管理
- 會話劫持攻擊 Session hijacking
- 會話重放攻擊 Session replay
- 中間人攻擊 Man in the middle
加解密
- Poor key generation or key management
- Weak or custom encryption
- Checksum spoofing
參數竄改
- Query string manipulation
- Form field manipulation
- Cookie manipulation
- HTTP header manipulation
例外處理
- Attacker reveals implementation details
- DOS, Denial of service
稽核紀錄
- User denies performing an operation
- 未就攻擊者留下行為軌跡 Attackers exploit an application without leaving a trace
- 攻擊者可以清除行為軌跡 Attackers cover their tracks