Web安全漏洞大全：前100名关键漏洞参考、评估与修复指南

Top 100 Web Vulnerabilities Reference by claudiodearaujo/izacenter

1 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/claudiodearaujo/izacenter --skill 'Top 100 Web Vulnerabilities Reference'

Web应用测试安全

🇨🇳中文介绍

前 100 名 Web 漏洞参考

目的

提供一个全面的、结构化的参考，涵盖按类别组织的 100 个最关键的 Web 应用程序漏洞。此技能支持跨整个 Web 安全威胁谱系进行系统性的漏洞识别、影响评估和修复指导。内容按照行业标准和现实世界攻击模式，组织成 15 个主要漏洞类别。

先决条件

对 Web 应用程序架构的基本理解（客户端-服务器模型，HTTP 协议）
熟悉常见的 Web 技术（HTML、JavaScript、SQL、XML、API）
理解身份验证和授权概念
能够访问 Web 应用程序安全测试工具（Burp Suite、OWASP ZAP）
了解推荐的安全编码原则

输出和交付物

包含定义、根本原因、影响和缓解措施的完整漏洞目录
基于类别的漏洞分组，用于系统化评估
安全测试和修复的快速参考
漏洞评估清单和安全策略的基础

核心工作流程

阶段 1：注入漏洞评估

评估针对数据处理组件的注入攻击向量：

SQL 注入 (1)

定义：将恶意 SQL 代码插入输入字段以操纵数据库查询
根本原因：缺乏输入验证，不当使用参数化查询
影响：未经授权的数据访问、数据操纵、数据库泄露
缓解措施：使用参数化查询/预处理语句、输入验证、最小权限数据库账户

跨站脚本攻击 - XSS (2)

定义：向其他用户查看的网页中注入恶意脚本
根本原因：输出编码不足，缺乏输入净化
影响：会话劫持、凭据窃取、网站篡改
缓解措施：输出编码、内容安全策略 (CSP)、输入净化

命令注入 (5, 11)

定义：通过易受攻击的应用程序执行任意系统命令
根本原因：未净化的用户输入传递给系统 shell
影响：完全系统泄露、数据外泄、横向移动
缓解措施：避免 shell 执行、白名单有效命令、严格的输入验证

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

阶段 2：身份验证和会话安全

评估身份验证机制的弱点：

会话固定 (14)

定义：攻击者在身份验证前设置受害者的会话 ID
根本原因：登录后未重新生成会话 ID
影响：会话劫持、未经授权的账户访问
缓解措施：在身份验证时重新生成会话 ID，使用安全的会话管理

暴力破解攻击 (15)

定义：使用自动化工具系统性地猜测密码
根本原因：缺乏账户锁定、速率限制或 CAPTCHA
影响：未经授权的访问、凭据泄露
缓解措施：账户锁定策略、速率限制、多因素身份验证 (MFA)、CAPTCHA

会话劫持 (16)

定义：攻击者窃取或预测有效的会话令牌
根本原因：会话令牌生成弱、传输不安全
影响：账户接管、未经授权的访问
缓解措施：安全的随机令牌生成、HTTPS、HttpOnly/Secure cookie 标志

凭据填充和重用 (22)

定义：使用泄露的凭据跨服务访问账户
根本原因：用户重复使用密码，无泄露检测
影响：大规模账户泄露、数据泄露
缓解措施：MFA、泄露密码检查、唯一凭据要求

不安全的“记住我”功能 (85)

定义：持久性身份验证令牌实现薄弱
根本原因：可预测的令牌、过期控制不足
影响：未经授权的持久访问、会话泄露
缓解措施：强令牌生成、适当的过期时间、安全存储

CAPTCHA 绕过 (86)

定义：规避机器人检测机制
根本原因：CAPTCHA 算法弱、验证不当
影响：自动化攻击、凭据填充、垃圾信息
缓解措施：reCAPTCHA v3、分层机器人检测、速率限制

阶段 3：敏感数据暴露

识别数据保护失败：

IDOR - 不安全的直接对象引用 (23, 42)

定义：通过用户提供的引用直接访问内部对象
根本原因：对象访问缺少授权检查
影响：未经授权的数据访问、隐私泄露
缓解措施：访问控制验证、间接引用映射、授权检查

数据泄露 (24)

定义：无意中泄露敏感信息
根本原因：数据保护不足、访问控制薄弱
影响：隐私泄露、监管处罚、声誉损害
缓解措施：数据防泄露 (DLP) 解决方案、加密、访问控制、安全培训

未加密的数据存储 (25)

定义：存储敏感数据而未加密
根本原因：未实现静态数据加密
影响：如果存储被泄露则导致数据泄露
缓解措施：全盘加密、数据库加密、安全的密钥管理

信息泄露 (33)

定义：通过错误消息或响应暴露系统详细信息
根本原因：详细的错误处理、生产环境中的调试信息
影响：为后续攻击进行侦察、凭据暴露
缓解措施：通用错误消息、禁用调试模式、安全日志记录

阶段 4：安全配置错误

评估配置弱点：

缺少安全标头 (26)

定义：缺少保护性 HTTP 标头（CSP、X-Frame-Options、HSTS）
根本原因：服务器配置不足
影响：XSS 攻击、点击劫持、协议降级
缓解措施：实施 CSP、X-Content-Type-Options、X-Frame-Options、HSTS

默认密码 (28)

定义：系统/应用程序上未更改的默认凭据
根本原因：未更改供应商默认设置
影响：未经授权的访问、系统泄露
缓解措施：强制密码更改、强密码策略

目录列表 (29)

定义：Web 服务器暴露目录内容
根本原因：服务器配置不当
影响：信息泄露、敏感文件暴露
缓解措施：禁用目录索引、使用默认索引文件

未受保护的 API 端点 (30)

定义：缺少身份验证或授权的 API
根本原因：API 路由缺少安全控制
影响：未经授权的数据访问、API 滥用
缓解措施：OAuth/API 密钥、访问控制、速率限制

开放端口和服务 (31)

定义：暴露不必要的网络服务
根本原因：未能最小化攻击面
影响：利用易受攻击的服务
缓解措施：端口扫描审计、防火墙规则、服务最小化

配置错误的 CORS (35)

定义：过于宽松的跨源资源共享策略
根本原因：通配符来源、CORS 配置不当
影响：跨站请求攻击、数据窃取
缓解措施：白名单受信任的来源、验证 CORS 标头

未打补丁的软件 (34)

定义：系统运行过时的易受攻击软件
根本原因：忽视补丁管理
影响：利用已知漏洞
缓解措施：补丁管理程序、漏洞扫描、自动更新

阶段 5：XML 相关漏洞

评估 XML 处理安全性：

XXE - XML 外部实体注入 (37)

定义：利用 XML 解析器访问文件或内部系统
根本原因：启用了外部实体处理
影响：文件泄露、SSRF、拒绝服务
缓解措施：禁用外部实体、使用安全的 XML 解析器

XEE - XML 实体扩展 (38)

定义：过多的实体扩展导致资源耗尽
根本原因：允许无限制的实体扩展
影响：拒绝服务、解析器崩溃
缓解措施：限制实体扩展、配置解析器限制

XML 炸弹（十亿次大笑攻击） (39)

定义：精心构造的包含嵌套实体以消耗资源的 XML
根本原因：递归实体定义
影响：内存耗尽、拒绝服务
缓解措施：实体扩展限制、输入大小限制

XML 拒绝服务 (65)

定义：特制的 XML 导致过度处理
根本原因：复杂的文档结构没有限制
影响：CPU/内存耗尽、服务不可用
缓解措施：模式验证、大小限制、处理超时

阶段 6：失效的访问控制

评估授权执行：

授权不足 (40)

定义：未能正确执行访问控制
根本原因：授权策略薄弱、缺少检查
影响：未经授权访问敏感资源
缓解措施：基于角色的访问控制 (RBAC)、集中式身份和访问管理 (IAM)、定期访问审查

权限提升 (41)

定义：获得超出预期权限的提升访问权限
根本原因：权限配置错误、系统漏洞
影响：完全系统泄露、数据操纵
缓解措施：最小权限、定期打补丁、权限监控

强制浏览 (43)

定义：直接操纵 URL 以访问受限资源
根本原因：访问控制薄弱、URL 可预测
影响：未经授权的文件/目录访问
缓解措施：服务器端访问控制、不可预测的资源路径

缺少功能级访问控制 (44)

定义：未受保护的管理或特权功能
根本原因：仅在 UI 级别进行授权
影响：未经授权的功能执行
缓解措施：所有功能的服务器端授权、RBAC

阶段 7：不安全的反序列化

评估对象序列化安全性：

通过反序列化实现远程代码执行 (45)

定义：通过恶意序列化对象执行任意代码
根本原因：未经验证的反序列化不受信任的数据
影响：完全系统泄露、代码执行
缓解措施：避免反序列化不受信任的数据、完整性检查、类型验证

数据篡改 (46)

定义：未经授权修改序列化数据
根本原因：缺少完整性验证
影响：数据损坏、权限操纵
缓解措施：数字签名、HMAC 验证、加密

对象注入 (47)

定义：在反序列化期间实例化恶意对象
根本原因：不安全的反序列化实践
影响：代码执行、未经授权的访问
缓解措施：类型限制、类白名单、安全库

阶段 8：API 安全评估

评估 API 特定漏洞：

不安全的 API 端点 (48)

定义：缺少适当安全控制的 API
根本原因：API 设计不佳、缺少身份验证
影响：数据泄露、未经授权的访问
缓解措施：OAuth/JWT、HTTPS、输入验证、速率限制

API 密钥暴露 (49)

定义：泄露或暴露的 API 凭据
根本原因：硬编码密钥、存储不安全
影响：未经授权的 API 访问、滥用
缓解措施：安全的密钥存储、轮换、环境变量

缺少速率限制 (50)

定义：对 API 请求频率没有控制
根本原因：缺少节流机制
影响：拒绝服务 (DoS)、API 滥用、资源耗尽
缓解措施：按用户/IP 的速率限制、节流、DDoS 防护

输入验证不足 (51)

定义：API 接受未经验证的用户输入
根本原因：缺少服务器端验证
影响：注入攻击、数据损坏
缓解措施：严格的验证、参数化查询、Web 应用防火墙 (WAF)

定义：利用 API 功能进行恶意目的
根本原因：过度信任客户端输入
影响：数据窃取、账户接管、服务滥用
缓解措施：强身份验证、行为分析、异常检测

阶段 9：通信安全

评估传输层保护：

中间人攻击 (52)

定义：拦截双方之间的通信
根本原因：未加密的通道、网络被泄露
影响：数据窃取、会话劫持、冒充
缓解措施：TLS/SSL、证书固定、相互身份验证

传输层安全性不足 (53)

定义：传输中数据的加密弱或过时
根本原因：过时的协议（SSLv2/3）、弱密码套件
影响：流量拦截、凭据窃取
缓解措施：TLS 1.2+、强密码套件、HSTS

不安全的 SSL/TLS 配置 (54)

定义：加密配置设置不当
根本原因：弱密码套件、缺少前向保密
影响：流量解密、MITM 攻击
缓解措施：现代密码套件、前向保密 (PFS)、证书验证

不安全的通信协议 (55)

定义：使用未加密的协议（HTTP、Telnet、FTP）
根本原因：遗留系统、安全意识不足
影响：流量嗅探、凭据暴露
缓解措施：HTTPS、SSH、SFTP、VPN 隧道

阶段 10：客户端漏洞

评估浏览器端安全性：

基于 DOM 的 XSS (56)

定义：通过客户端 JavaScript 操作实现的 XSS
根本原因：使用用户输入进行不安全的 DOM 操作
影响：会话窃取、凭据收集
缓解措施：安全的 DOM API、CSP、输入净化

不安全的跨源通信 (57)

定义：跨源请求处理不当
根本原因：宽松的 CORS/同源策略 (SOP)
影响：数据泄露、CSRF 攻击
缓解措施：严格的 CORS、CSRF 令牌、来源验证

浏览器缓存投毒 (58)

定义：操纵缓存内容
根本原因：缓存验证薄弱
影响：恶意内容交付
缓解措施：Cache-Control 标头、HTTPS、完整性检查

点击劫持 (59, 71)

定义：UI 伪装攻击，诱骗用户点击隐藏元素
根本原因：缺少框架保护
影响：意外操作、凭据窃取
缓解措施：X-Frame-Options、CSP frame-ancestors、框架破坏

HTML5 安全问题 (60)

定义：HTML5 API 中的漏洞（WebSockets、Storage、Geolocation）
根本原因：API 使用不当、验证不足
影响：数据泄露、XSS、隐私侵犯
缓解措施：安全的 API 使用、输入验证、沙盒化

阶段 11：拒绝服务评估

评估可用性威胁：

DDoS - 分布式拒绝服务 (61)

定义：用来自多个来源的流量淹没系统
根本原因：僵尸网络、放大攻击
影响：服务不可用、收入损失
缓解措施：DDoS 防护服务、速率限制、内容分发网络 (CDN)

应用层 DoS (62)

定义：针对应用逻辑以耗尽资源
根本原因：低效的代码、资源密集型操作
影响：应用程序不可用、性能下降
缓解措施：速率限制、缓存、WAF、代码优化

资源耗尽 (63)

定义：耗尽 CPU、内存、磁盘或网络资源
根本原因：资源管理效率低下
影响：系统崩溃、服务降级
缓解措施：资源配额、监控、负载均衡

Slowloris 攻击 (64)

定义：通过部分 HTTP 请求保持连接打开
根本原因：没有连接超时
影响：Web 服务器资源耗尽
缓解措施：连接超时、请求限制、反向代理

阶段 12：服务器端请求伪造

评估 SSRF 漏洞：

SSRF - 服务器端请求伪造 (66)

定义：操纵服务器向内部资源发出请求
根本原因：未验证的用户控制 URL
影响：内部网络访问、数据窃取、云元数据访问
缓解措施：URL 白名单、网络分段、出口过滤

定义：没有直接响应可见性的 SSRF
根本原因：类似于 SSRF，更难检测
影响：数据外泄、内部侦察
缓解措施：允许列表、WAF、网络限制

基于时间的盲 SSRF (88)

定义：通过响应时间推断 SSRF 成功
根本原因：处理延迟表明请求结果
影响：长期利用、检测规避
缓解措施：请求超时、异常检测、时间监控

阶段 13：其他 Web 漏洞

| 漏洞 | 根本原因 | 影响 | 缓解措施

---|---|---|---|---
67 | HTTP 参数污染 | 解析不一致 | 注入、访问控制列表 (ACL) 绕过 | 严格解析、验证
68 | 不安全的重定向 | 未验证的目标 | 网络钓鱼、恶意软件 | 白名单目标
69 | 文件包含 (LFI/RFI) | 未验证的路径 | 代码执行、泄露 | 白名单文件、禁用 RFI
70 | 安全标头绕过 | 配置错误的标头 | XSS、点击劫持 | 正确的标头、审计
72 | 会话超时不足 | 超时时间过长 | 会话劫持 | 空闲终止、超时
73 | 日志记录不足 | 缺少基础设施 | 检测缺口 | 安全信息和事件管理 (SIEM)、告警
74 | 业务逻辑缺陷 | 不安全的设计 | 欺诈、未经授权的操作 | 威胁建模、测试

阶段 14：移动和物联网安全

| 漏洞 | 根本原因 | 影响 | 缓解措施

---|---|---|---|---
76 | 不安全的移动存储 | 明文、弱加密 | 数据窃取 | Keychain/Keystore、加密
77 | 不安全的移动传输 | HTTP、证书失败 | 流量拦截 | TLS、证书固定
78 | 不安全的移动 API | 缺少身份验证/验证 | 数据暴露 | OAuth/JWT、验证
79 | 应用程序逆向工程 | 硬编码凭据 | 凭据窃取 | 混淆、运行时应用程序自我保护 (RASP)
80 | IoT 管理问题 | 弱身份验证、无 TLS | 设备接管 | 强身份验证、TLS
81 | 弱 IoT 身份验证 | 默认密码 | 未经授权的访问 | 唯一凭据、MFA
82 | IoT 漏洞 | 设计缺陷、旧固件 | 僵尸网络招募 | 更新、分段
83 | 智能家居访问 | 不安全的默认设置 | 隐私侵犯 | MFA、分段
84 | IoT 隐私问题 | 过度收集 | 监控 | 数据最小化

阶段 15：高级和零日威胁

| 漏洞 | 根本原因 | 影响 | 缓解措施

---|---|---|---|---
89 | MIME 嗅探 | 缺少标头 | XSS、欺骗 | X-Content-Type-Options
91 | CSP 绕过 | 配置弱 | 尽管有 CSP 仍发生 XSS | 严格的 CSP、随机数
92 | 验证不一致 | 分散的逻辑 | 控制绕过 | 集中式验证
93 | 竞争条件 | 缺少同步 | 权限提升 | 适当的锁定
94-95 | 业务逻辑缺陷 | 缺少验证 | 金融欺诈 | 服务器端验证
96 | 账户枚举 | 不同的响应 | 针对性攻击 | 统一的响应
98-99 | 未修补的漏洞 | 补丁延迟 | 零日利用 | 补丁管理
100 | 零日利用 | 未知漏洞 | 未缓解的攻击 | 纵深防御

类别	漏洞编号	关键控制措施
注入	1-13	参数化查询、输入验证、输出编码
身份验证	14-23, 85-86	MFA、会话管理、账户锁定
数据暴露	24-27	静态/传输中加密、访问控制、DLP
配置错误	28-36	安全默认设置、强化、打补丁
XML	37-39, 65	禁用外部实体、限制扩展
访问控制	40-44	RBAC、最小权限、授权检查
反序列化	45-47	避免不受信任的数据、完整性验证
API 安全	48-51, 75	OAuth、速率限制、输入验证
通信	52-55	TLS 1.2+、证书验证、HTTPS
客户端	56-60	CSP、X-Frame-Options、安全的 DOM
DoS	61-65	速率限制、DDoS 防护、资源限制
SSRF	66, 87-88	URL 白名单、出口过滤
移动/IoT	76-84	加密、身份验证、安全存储
业务逻辑	74, 92-97	威胁建模、逻辑测试
零日	98-100	纵深防御、威胁情报

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()

OWASP 2021	相关漏洞
A01: 失效的访问控制	40-44, 23, 74
A02: 加密机制失效	24-25, 53-55
A03: 注入	1-13, 37-39
A04: 不安全的设计	74, 92-97
A05: 安全配置错误	26-36
A06: 易受攻击的组件	34, 98-100
A07: 身份验证失败	14-23, 85-86
A08: 数据完整性失效	45-47
A09: 日志记录和监控不足	73
A10: 服务器端请求伪造	66, 87-88

漏洞定义代表常见模式；具体实现各不相同
缓解措施必须适应技术栈和架构
新漏洞不断出现；应更新此参考
某些漏洞在多个类别中重叠（例如，IDOR 出现在多个上下文中）
缓解措施的有效性取决于正确的实施
自动化扫描器无法检测所有漏洞类型（尤其是业务逻辑漏洞）

挑战	解决方案
扫描中的误报	手动验证、上下文分析
遗漏的业务逻辑缺陷	手动测试、威胁建模、滥用案例分析
加密流量分析	代理配置、证书安装
WAF 阻止测试	速率调整、IP 轮换、负载编码
会话处理问题	Cookie 管理、身份验证状态跟踪
API 发现	Swagger/OpenAPI 枚举、流量分析

漏洞类型	验证方法
注入	使用编码变体进行负载测试
XSS	警告框、Cookie 访问、DOM 检查
CSRF	跨源表单提交测试
SSRF	带外 DNS/HTTP 回调
XXE	使用受控服务器的外部实体
访问控制	水平/垂直权限测试
身份验证	凭据轮换、会话分析

OWASP Top 10 Web 应用程序安全风险
CWE/SANS 25 个最危险的软件错误
OWASP 测试指南
OWASP 应用程序安全验证标准 (ASVS)
NIST 网络安全框架
来源：Kumar MS - Top 100 Web Vulnerabilities

🇺🇸English

Top 100 Web Vulnerabilities Reference

Purpose

Provide a comprehensive, structured reference for the 100 most critical web application vulnerabilities organized by category. This skill enables systematic vulnerability identification, impact assessment, and remediation guidance across the full spectrum of web security threats. Content organized into 15 major vulnerability categories aligned with industry standards and real-world attack patterns.

Prerequisites

Basic understanding of web application architecture (client-server model, HTTP protocol)
Familiarity with common web technologies (HTML, JavaScript, SQL, XML, APIs)
Understanding of authentication and authorization concepts
Access to web application security testing tools (Burp Suite, OWASP ZAP)
Knowledge of secure coding principles recommended

Outputs and Deliverables

Complete vulnerability catalog with definitions, root causes, impacts, and mitigations
Category-based vulnerability groupings for systematic assessment
Quick reference for security testing and remediation
Foundation for vulnerability assessment checklists and security policies

Core Workflow

Phase 1: Injection Vulnerabilities Assessment

Evaluate injection attack vectors targeting data processing components:

SQL Injection (1)

Definition: Malicious SQL code inserted into input fields to manipulate database queries
Root Cause: Lack of input validation, improper use of parameterized queries
Impact: Unauthorized data access, data manipulation, database compromise
Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts

Cross-Site Scripting - XSS (2)

Definition: Injection of malicious scripts into web pages viewed by other users
Root Cause: Insufficient output encoding, lack of input sanitization
Impact: Session hijacking, credential theft, website defacement
Mitigation: Output encoding, Content Security Policy (CSP), input sanitization

Command Injection (5, 11)

Definition: Execution of arbitrary system commands through vulnerable applications
Root Cause: Unsanitized user input passed to system shells
Impact: Full system compromise, data exfiltration, lateral movement
Mitigation: Avoid shell execution, whitelist valid commands, strict input validation

XML Injection (6), LDAP Injection (7), XPath Injection (8)

Definition: Manipulation of XML/LDAP/XPath queries through malicious input
Root Cause: Improper input handling in query construction
Impact: Data exposure, authentication bypass, information disclosure
Mitigation: Input validation, parameterized queries, escape special characters

Server-Side Template Injection - SSTI (13)

Definition: Injection of malicious code into template engines
Root Cause: User input embedded directly in template expressions
Impact: Remote code execution, server compromise
Mitigation: Sandbox template engines, avoid user input in templates, strict input validation

Phase 2: Authentication and Session Security

Assess authentication mechanism weaknesses:

Session Fixation (14)

Definition: Attacker sets victim's session ID before authentication
Root Cause: Session ID not regenerated after login
Impact: Session hijacking, unauthorized account access
Mitigation: Regenerate session ID on authentication, use secure session management

Brute Force Attack (15)

Definition: Systematic password guessing using automated tools
Root Cause: Lack of account lockout, rate limiting, or CAPTCHA
Impact: Unauthorized access, credential compromise
Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA

Session Hijacking (16)

Definition: Attacker steals or predicts valid session tokens
Root Cause: Weak session token generation, insecure transmission
Impact: Account takeover, unauthorized access
Mitigation: Secure random token generation, HTTPS, HttpOnly/Secure cookie flags

Credential Stuffing and Reuse (22)

Definition: Using leaked credentials to access accounts across services
Root Cause: Users reusing passwords, no breach detection
Impact: Mass account compromise, data breaches
Mitigation: MFA, breach password checks, unique credential requirements

Insecure "Remember Me" Functionality (85)

Definition: Weak persistent authentication token implementation
Root Cause: Predictable tokens, inadequate expiration controls
Impact: Unauthorized persistent access, session compromise
Mitigation: Strong token generation, proper expiration, secure storage

CAPTCHA Bypass (86)

Definition: Circumventing bot detection mechanisms
Root Cause: Weak CAPTCHA algorithms, improper validation
Impact: Automated attacks, credential stuffing, spam
Mitigation: reCAPTCHA v3, layered bot detection, rate limiting

Phase 3: Sensitive Data Exposure

Identify data protection failures:

IDOR - Insecure Direct Object References (23, 42)

Definition: Direct access to internal objects via user-supplied references
Root Cause: Missing authorization checks on object access
Impact: Unauthorized data access, privacy breaches
Mitigation: Access control validation, indirect reference maps, authorization checks

Data Leakage (24)

Definition: Inadvertent disclosure of sensitive information
Root Cause: Inadequate data protection, weak access controls
Impact: Privacy breaches, regulatory penalties, reputation damage
Mitigation: DLP solutions, encryption, access controls, security training

Unencrypted Data Storage (25)

Definition: Storing sensitive data without encryption
Root Cause: Failure to implement encryption at rest
Impact: Data breaches if storage compromised
Mitigation: Full-disk encryption, database encryption, secure key management

Information Disclosure (33)

Definition: Exposure of system details through error messages or responses
Root Cause: Verbose error handling, debug information in production
Impact: Reconnaissance for further attacks, credential exposure
Mitigation: Generic error messages, disable debug mode, secure logging

Phase 4: Security Misconfiguration

Assess configuration weaknesses:

Missing Security Headers (26)

Definition: Absence of protective HTTP headers (CSP, X-Frame-Options, HSTS)
Root Cause: Inadequate server configuration
Impact: XSS attacks, clickjacking, protocol downgrade
Mitigation: Implement CSP, X-Content-Type-Options, X-Frame-Options, HSTS

Default Passwords (28)

Definition: Unchanged default credentials on systems/applications
Root Cause: Failure to change vendor defaults
Impact: Unauthorized access, system compromise
Mitigation: Mandatory password changes, strong password policies

Directory Listing (29)

Definition: Web server exposes directory contents
Root Cause: Improper server configuration
Impact: Information disclosure, sensitive file exposure
Mitigation: Disable directory indexing, use default index files

Unprotected API Endpoints (30)

Definition: APIs lacking authentication or authorization
Root Cause: Missing security controls on API routes
Impact: Unauthorized data access, API abuse
Mitigation: OAuth/API keys, access controls, rate limiting

Open Ports and Services (31)

Definition: Unnecessary network services exposed
Root Cause: Failure to minimize attack surface
Impact: Exploitation of vulnerable services
Mitigation: Port scanning audits, firewall rules, service minimization

Misconfigured CORS (35)

Definition: Overly permissive Cross-Origin Resource Sharing policies
Root Cause: Wildcard origins, improper CORS configuration
Impact: Cross-site request attacks, data theft
Mitigation: Whitelist trusted origins, validate CORS headers

Unpatched Software (34)

Definition: Systems running outdated vulnerable software
Root Cause: Neglected patch management
Impact: Exploitation of known vulnerabilities
Mitigation: Patch management program, vulnerability scanning, automated updates

Phase 5: XML-Related Vulnerabilities

Evaluate XML processing security:

XXE - XML External Entity Injection (37)

Definition: Exploitation of XML parsers to access files or internal systems
Root Cause: External entity processing enabled
Impact: File disclosure, SSRF, denial of service
Mitigation: Disable external entities, use safe XML parsers

XEE - XML Entity Expansion (38)

Definition: Excessive entity expansion causing resource exhaustion
Root Cause: Unlimited entity expansion allowed
Impact: Denial of service, parser crashes
Mitigation: Limit entity expansion, configure parser restrictions

XML Bomb (Billion Laughs) (39)

Definition: Crafted XML with nested entities consuming resources
Root Cause: Recursive entity definitions
Impact: Memory exhaustion, denial of service
Mitigation: Entity expansion limits, input size restrictions

XML Denial of Service (65)

Definition: Specially crafted XML causing excessive processing
Root Cause: Complex document structures without limits
Impact: CPU/memory exhaustion, service unavailability
Mitigation: Schema validation, size limits, processing timeouts

Phase 6: Broken Access Control

Assess authorization enforcement:

Inadequate Authorization (40)

Definition: Failure to properly enforce access controls
Root Cause: Weak authorization policies, missing checks
Impact: Unauthorized access to sensitive resources
Mitigation: RBAC, centralized IAM, regular access reviews

Privilege Escalation (41)

Definition: Gaining elevated access beyond intended permissions
Root Cause: Misconfigured permissions, system vulnerabilities
Impact: Full system compromise, data manipulation
Mitigation: Least privilege, regular patching, privilege monitoring

Forceful Browsing (43)

Definition: Direct URL manipulation to access restricted resources
Root Cause: Weak access controls, predictable URLs
Impact: Unauthorized file/directory access
Mitigation: Server-side access controls, unpredictable resource paths

Missing Function-Level Access Control (44)

Definition: Unprotected administrative or privileged functions
Root Cause: Authorization only at UI level
Impact: Unauthorized function execution
Mitigation: Server-side authorization for all functions, RBAC

Phase 7: Insecure Deserialization

Evaluate object serialization security:

Remote Code Execution via Deserialization (45)

Definition: Arbitrary code execution through malicious serialized objects
Root Cause: Untrusted data deserialized without validation
Impact: Complete system compromise, code execution
Mitigation: Avoid deserializing untrusted data, integrity checks, type validation

Data Tampering (46)

Definition: Unauthorized modification of serialized data
Root Cause: Missing integrity verification
Impact: Data corruption, privilege manipulation
Mitigation: Digital signatures, HMAC validation, encryption

Object Injection (47)

Definition: Malicious object instantiation during deserialization
Root Cause: Unsafe deserialization practices
Impact: Code execution, unauthorized access
Mitigation: Type restrictions, class whitelisting, secure libraries

Phase 8: API Security Assessment

Evaluate API-specific vulnerabilities:

Insecure API Endpoints (48)

Definition: APIs without proper security controls
Root Cause: Poor API design, missing authentication
Impact: Data breaches, unauthorized access
Mitigation: OAuth/JWT, HTTPS, input validation, rate limiting

API Key Exposure (49)

Definition: Leaked or exposed API credentials
Root Cause: Hardcoded keys, insecure storage
Impact: Unauthorized API access, abuse
Mitigation: Secure key storage, rotation, environment variables

Lack of Rate Limiting (50)

Definition: No controls on API request frequency
Root Cause: Missing throttling mechanisms
Impact: DoS, API abuse, resource exhaustion
Mitigation: Rate limits per user/IP, throttling, DDoS protection

Inadequate Input Validation (51)

Definition: APIs accepting unvalidated user input
Root Cause: Missing server-side validation
Impact: Injection attacks, data corruption
Mitigation: Strict validation, parameterized queries, WAF

API Abuse (75)

Definition: Exploiting API functionality for malicious purposes
Root Cause: Excessive trust in client input
Impact: Data theft, account takeover, service abuse
Mitigation: Strong authentication, behavior analysis, anomaly detection

Phase 9: Communication Security

Assess transport layer protections:

Man-in-the-Middle Attack (52)

Definition: Interception of communication between parties
Root Cause: Unencrypted channels, compromised networks
Impact: Data theft, session hijacking, impersonation
Mitigation: TLS/SSL, certificate pinning, mutual authentication

Insufficient Transport Layer Security (53)

Definition: Weak or outdated encryption for data in transit
Root Cause: Outdated protocols (SSLv2/3), weak ciphers
Impact: Traffic interception, credential theft
Mitigation: TLS 1.2+, strong cipher suites, HSTS

Insecure SSL/TLS Configuration (54)

Definition: Improperly configured encryption settings
Root Cause: Weak ciphers, missing forward secrecy
Impact: Traffic decryption, MITM attacks
Mitigation: Modern cipher suites, PFS, certificate validation

Insecure Communication Protocols (55)

Definition: Use of unencrypted protocols (HTTP, Telnet, FTP)
Root Cause: Legacy systems, security unawareness
Impact: Traffic sniffing, credential exposure
Mitigation: HTTPS, SSH, SFTP, VPN tunnels

Phase 10: Client-Side Vulnerabilities

Evaluate browser-side security:

DOM-based XSS (56)

Definition: XSS through client-side JavaScript manipulation
Root Cause: Unsafe DOM manipulation with user input
Impact: Session theft, credential harvesting
Mitigation: Safe DOM APIs, CSP, input sanitization

Insecure Cross-Origin Communication (57)

Definition: Improper handling of cross-origin requests
Root Cause: Relaxed CORS/SOP policies
Impact: Data leakage, CSRF attacks
Mitigation: Strict CORS, CSRF tokens, origin validation

Browser Cache Poisoning (58)

Definition: Manipulation of cached content
Root Cause: Weak cache validation
Impact: Malicious content delivery
Mitigation: Cache-Control headers, HTTPS, integrity checks

Clickjacking (59, 71)

Definition: UI redress attack tricking users into clicking hidden elements
Root Cause: Missing frame protection
Impact: Unintended actions, credential theft
Mitigation: X-Frame-Options, CSP frame-ancestors, frame-busting

HTML5 Security Issues (60)

Definition: Vulnerabilities in HTML5 APIs (WebSockets, Storage, Geolocation)
Root Cause: Improper API usage, insufficient validation
Impact: Data leakage, XSS, privacy violations
Mitigation: Secure API usage, input validation, sandboxing

Phase 11: Denial of Service Assessment

Evaluate availability threats:

DDoS - Distributed Denial of Service (61)

Definition: Overwhelming systems with traffic from multiple sources
Root Cause: Botnets, amplification attacks
Impact: Service unavailability, revenue loss
Mitigation: DDoS protection services, rate limiting, CDN

Application Layer DoS (62)

Definition: Targeting application logic to exhaust resources
Root Cause: Inefficient code, resource-intensive operations
Impact: Application unavailability, degraded performance
Mitigation: Rate limiting, caching, WAF, code optimization

Resource Exhaustion (63)

Definition: Depleting CPU, memory, disk, or network resources
Root Cause: Inefficient resource management
Impact: System crashes, service degradation
Mitigation: Resource quotas, monitoring, load balancing

Slowloris Attack (64)

Definition: Keeping connections open with partial HTTP requests
Root Cause: No connection timeouts
Impact: Web server resource exhaustion
Mitigation: Connection timeouts, request limits, reverse proxy

Phase 12: Server-Side Request Forgery

Assess SSRF vulnerabilities:

SSRF - Server-Side Request Forgery (66)

Definition: Manipulating server to make requests to internal resources
Root Cause: Unvalidated user-controlled URLs
Impact: Internal network access, data theft, cloud metadata access
Mitigation: URL whitelisting, network segmentation, egress filtering

Blind SSRF (87)

Definition: SSRF without direct response visibility
Root Cause: Similar to SSRF, harder to detect
Impact: Data exfiltration, internal reconnaissance
Mitigation: Allowlists, WAF, network restrictions

Time-Based Blind SSRF (88)

Definition: Inferring SSRF success through response timing
Root Cause: Processing delays indicating request outcomes
Impact: Prolonged exploitation, detection evasion
Mitigation: Request timeouts, anomaly detection, timing monitoring

Phase 13: Additional Web Vulnerabilities

| Vulnerability | Root Cause | Impact | Mitigation

---|---|---|---|---
67 | HTTP Parameter Pollution | Inconsistent parsing | Injection, ACL bypass | Strict parsing, validation
68 | Insecure Redirects | Unvalidated targets | Phishing, malware | Whitelist destinations
69 | File Inclusion (LFI/RFI) | Unvalidated paths | Code exec, disclosure | Whitelist files, disable RFI
70 | Security Header Bypass | Misconfigured headers | XSS, clickjacking | Proper headers, audits
72 | Inadequate Session Timeout | Excessive timeouts | Session hijacking | Idle termination, timeouts
73 | Insufficient Logging | Missing infrastructure | Detection gaps | SIEM, alerting
74 | Business Logic Flaws | Insecure design | Fraud, unauthorized ops | Threat modeling, testing

Phase 14: Mobile and IoT Security

| Vulnerability | Root Cause | Impact | Mitigation

---|---|---|---|---
76 | Insecure Mobile Storage | Plain text, weak crypto | Data theft | Keychain/Keystore, encrypt
77 | Insecure Mobile Transmission | HTTP, cert failures | Traffic interception | TLS, cert pinning
78 | Insecure Mobile APIs | Missing auth/validation | Data exposure | OAuth/JWT, validation
79 | App Reverse Engineering | Hardcoded creds | Credential theft | Obfuscation, RASP
80 | IoT Management Issues | Weak auth, no TLS | Device takeover | Strong auth, TLS
81 | Weak IoT Authentication | Default passwords | Unauthorized access | Unique creds, MFA
82 | IoT Vulnerabilities | Design flaws, old firmware | Botnet recruitment | Updates, segmentation
83 | Smart Home Access | Insecure defaults | Privacy invasion | MFA, segmentation
84 | IoT Privacy Issues | Excessive collection | Surveillance | Data minimization

Phase 15: Advanced and Zero-Day Threats

| Vulnerability | Root Cause | Impact | Mitigation

---|---|---|---|---
89 | MIME Sniffing | Missing headers | XSS, spoofing | X-Content-Type-Options
91 | CSP Bypass | Weak config | XSS despite CSP | Strict CSP, nonces
92 | Inconsistent Validation | Decentralized logic | Control bypass | Centralized validation
93 | Race Conditions | Missing sync | Privilege escalation | Proper locking
94-95 | Business Logic Flaws | Missing validation | Financial fraud | Server-side validation
96 | Account Enumeration | Different responses | Targeted attacks | Uniform responses
98-99 | Unpatched Vulnerabilities | Patch delays | Zero-day exploitation | Patch management
100 | Zero-Day Exploits | Unknown vulns | Unmitigated attacks | Defense in depth

Quick Reference

Vulnerability Categories Summary

Category	Vulnerability Numbers	Key Controls
Injection	1-13	Parameterized queries, input validation, output encoding
Authentication	14-23, 85-86	MFA, session management, account lockout
Data Exposure	24-27	Encryption at rest/transit, access controls, DLP
Misconfiguration	28-36	Secure defaults, hardening, patching
XML	37-39, 65	Disable external entities, limit expansion
Access Control	40-44	RBAC, least privilege, authorization checks
Deserialization	45-47	Avoid untrusted data, integrity validation
API Security	48-51, 75	OAuth, rate limiting, input validation
Communication	52-55

Critical Security Headers

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()

OWASP Top 10 Mapping

OWASP 2021	Related Vulnerabilities
A01: Broken Access Control	40-44, 23, 74
A02: Cryptographic Failures	24-25, 53-55
A03: Injection	1-13, 37-39
A04: Insecure Design	74, 92-97
A05: Security Misconfiguration	26-36
A06: Vulnerable Components	34, 98-100
A07: Auth Failures	14-23, 85-86
A08: Data Integrity	45-47
A09: Logging Failures	73
A10: SSRF	66, 87-88

Constraints and Limitations

Vulnerability definitions represent common patterns; specific implementations vary
Mitigations must be adapted to technology stack and architecture
New vulnerabilities emerge continuously; reference should be updated
Some vulnerabilities overlap across categories (e.g., IDOR appears in multiple contexts)
Effectiveness of mitigations depends on proper implementation
Automated scanners cannot detect all vulnerability types (especially business logic)

Troubleshooting

Common Assessment Challenges

Challenge	Solution
False positives in scanning	Manual verification, contextual analysis
Business logic flaws missed	Manual testing, threat modeling, abuse case analysis
Encrypted traffic analysis	Proxy configuration, certificate installation
WAF blocking tests	Rate adjustment, IP rotation, payload encoding
Session handling issues	Cookie management, authentication state tracking
API discovery	Swagger/OpenAPI enumeration, traffic analysis

Vulnerability Verification Techniques

Vulnerability Type	Verification Approach
Injection	Payload testing with encoded variants
XSS	Alert boxes, cookie access, DOM inspection
CSRF	Cross-origin form submission testing
SSRF	Out-of-band DNS/HTTP callbacks
XXE	External entity with controlled server
Access Control	Horizontal/vertical privilege testing
Authentication	Credential rotation, session analysis

References

OWASP Top 10 Web Application Security Risks
CWE/SANS Top 25 Most Dangerous Software Errors
OWASP Testing Guide
OWASP Application Security Verification Standard (ASVS)
NIST Cybersecurity Framework
Source: Kumar MS - Top 100 Web Vulnerabilities

Weekly Installs

Repository

claudiodearaujo…zacenter

GitHub Stars

First Seen

Jan 1, 1970

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

24,700 周安装

Web安全漏洞大全：前100名关键漏洞参考、评估与修复指南

🇨🇳中文介绍

前 100 名 Web 漏洞参考

目的

先决条件

输出和交付物

核心工作流程

阶段 1：注入漏洞评估

相关 Skills

阶段 2：身份验证和会话安全

阶段 3：敏感数据暴露

阶段 4：安全配置错误

阶段 5：XML 相关漏洞

阶段 6：失效的访问控制

阶段 7：不安全的反序列化

阶段 8：API 安全评估

阶段 9：通信安全

阶段 10：客户端漏洞

阶段 11：拒绝服务评估

阶段 12：服务器端请求伪造

阶段 13：其他 Web 漏洞

| 漏洞 | 根本原因 | 影响 | 缓解措施

阶段 14：移动和物联网安全

| 漏洞 | 根本原因 | 影响 | 缓解措施

阶段 15：高级和零日威胁

| 漏洞 | 根本原因 | 影响 | 缓解措施

快速参考

漏洞类别摘要

关键安全标头

OWASP Top 10 映射

约束和限制

故障排除

常见评估挑战

漏洞验证技术

参考资料

🇺🇸English

Top 100 Web Vulnerabilities Reference

Purpose

Prerequisites

Outputs and Deliverables

Core Workflow

Phase 1: Injection Vulnerabilities Assessment

Phase 2: Authentication and Session Security

Phase 3: Sensitive Data Exposure

Phase 4: Security Misconfiguration

Phase 5: XML-Related Vulnerabilities

Phase 6: Broken Access Control

Phase 7: Insecure Deserialization

Phase 8: API Security Assessment

Phase 9: Communication Security

Phase 10: Client-Side Vulnerabilities

Phase 11: Denial of Service Assessment

Phase 12: Server-Side Request Forgery

Phase 13: Additional Web Vulnerabilities

| Vulnerability | Root Cause | Impact | Mitigation

Phase 14: Mobile and IoT Security

| Vulnerability | Root Cause | Impact | Mitigation

Phase 15: Advanced and Zero-Day Threats

| Vulnerability | Root Cause | Impact | Mitigation

Quick Reference

Vulnerability Categories Summary

Critical Security Headers

OWASP Top 10 Mapping

Constraints and Limitations

Troubleshooting

Common Assessment Challenges

Vulnerability Verification Techniques

References

最新 Skills