Notes summarizing the "Threats by Application Vulnerability Category" section of the classic MSDN security guide Improving Web Application Security: Threats and Countermeasures.
Input Validation
- Buffer overflow
- Cross-site scripting (XSS)
- SQL injection
- Canonicalization
Authentication
- Network eavesdropping
- Brute force attacks
- Dictionary attacks
- Cookie replay attacks
- Credential theft
Authorization
- Elevation of privilege
- Disclosure of confidential data
- Data tampering
- Luring attacks
Configuration Management
- Unauthorized access to administration interfaces
- Unauthorized access to configuration stores
- Retrieval of plaintext configuration secrets
- Lack of individual accountability
- Over-privileged process and service accounts
Sensitive Data
- Access to sensitive data in storage
- Network eavesdropping
- Data tampering
Session Management
- Session hijacking
- Session replay
- Man in the middle
Cryptography
- Poor key generation or key management
- Weak or custom encryption
- Checksum spoofing
Parameter Manipulation
- Query string manipulation
- Form field manipulation
- Cookie manipulation
- HTTP header manipulation
Exception Management
- Attacker reveals implementation details
- Denial of service (DoS)
Auditing and Logging
- User denies performing an operation
- Attackers exploit an application without leaving a trace
- Attackers cover their tracks