S
SkillsMD 发现、学习和掌握最新的 AI 技术 Skills。基于真实社区数据,为开发者提供最权威的 AI 工具导航。
关于 聚焦 AI 技术 Skills 每周数据更新 中英双语文档 © 2026 SkillsMD. All rights reserved.
Web安全漏洞Top 100参考指南 | 涵盖SQL注入、XSS、身份验证等关键漏洞与修复方案 | SkillsMD
首页 / Skills / top-100-web-vulnerabilities-reference Web安全漏洞Top 100参考指南 | 涵盖SQL注入、XSS、身份验证等关键漏洞与修复方案 Top 100 Web Vulnerabilities Reference by automindtechnologie-jpg/ultimate-skill.md
npx skills add https://github.com/automindtechnologie-jpg/ultimate-skill.md --skill 'Top 100 Web Vulnerabilities Reference'🇨🇳 中文介绍 前 100 项 Web 漏洞参考
目的
提供一个全面的、结构化的参考,涵盖按类别组织的 100 个最关键的 Web 应用程序漏洞。此技能支持系统性地进行漏洞识别、影响评估和修复指导,覆盖全面的 Web 安全威胁。内容按 15 个主要漏洞类别组织,与行业标准和现实世界攻击模式保持一致。
先决条件
对 Web 应用程序架构的基本理解(客户端-服务器模型、HTTP 协议)
熟悉常见的 Web 技术(HTML、JavaScript、SQL、XML、API)
理解身份验证和授权概念
能够访问 Web 应用程序安全测试工具(Burp Suite、OWASP ZAP)
了解推荐的安全编码原则
输出和交付物
包含定义、根本原因、影响和缓解措施的完整漏洞目录
基于类别的漏洞分组,用于系统性评估
安全测试和修复的快速参考
漏洞评估清单和安全策略的基础
核心工作流程
阶段 1:注入漏洞评估
评估针对数据处理组件的注入攻击向量:
SQL 注入 (1)
定义:将恶意 SQL 代码插入输入字段以操纵数据库查询
根本原因:缺乏输入验证,不当使用参数化查询
影响:未经授权的数据访问、数据操纵、数据库泄露
缓解措施:使用参数化查询/预处理语句、输入验证、最小权限数据库账户
跨站脚本攻击 - XSS (2)
定义:向其他用户查看的网页中注入恶意脚本
根本原因:输出编码不足,缺乏输入净化
影响:会话劫持、凭据窃取、网站篡改
缓解措施:输出编码、内容安全策略 (CSP)、输入净化
命令注入 (5, 11)
定义:通过易受攻击的应用程序执行任意系统命令
根本原因:未经净化的用户输入传递给系统 shell
影响:完全系统泄露、数据外泄、横向移动
缓解措施:避免 shell 执行、白名单有效命令、严格的输入验证
XML 注入 (6)、LDAP 注入 (7)、XPath 注入 (8)
定义:通过恶意输入操纵 XML/LDAP/XPath 查询
🇺🇸 English Top 100 Web Vulnerabilities Reference
Purpose
Provide a comprehensive, structured reference for the 100 most critical web application vulnerabilities organized by category. This skill enables systematic vulnerability identification, impact assessment, and remediation guidance across the full spectrum of web security threats. Content organized into 15 major vulnerability categories aligned with industry standards and real-world attack patterns.
Prerequisites
Basic understanding of web application architecture (client-server model, HTTP protocol)
Familiarity with common web technologies (HTML, JavaScript, SQL, XML, APIs)
Understanding of authentication and authorization concepts
Access to web application security testing tools (Burp Suite, OWASP ZAP)
Knowledge of secure coding principles recommended
Outputs and Deliverables
Complete vulnerability catalog with definitions, root causes, impacts, and mitigations
Category-based vulnerability groupings for systematic assessment
Quick reference for security testing and remediation
Foundation for vulnerability assessment checklists and security policies
Core Workflow
Phase 1: Injection Vulnerabilities Assessment
Evaluate injection attack vectors targeting data processing components:
SQL Injection (1)
Definition: Malicious SQL code inserted into input fields to manipulate database queries
Root Cause: Lack of input validation, improper use of parameterized queries
Impact: Unauthorized data access, data manipulation, database compromise
Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts
广告位招租
在这里展示您的产品或服务
触达数万 AI 开发者,精准高效
联系我们
根本原因:查询构建中的输入处理不当
影响:数据暴露、身份验证绕过、信息泄露
缓解措施:输入验证、参数化查询、转义特殊字符
定义:向模板引擎中注入恶意代码
根本原因:用户输入直接嵌入到模板表达式中
影响:远程代码执行、服务器泄露
缓解措施:沙箱化模板引擎、避免在模板中使用用户输入、严格的输入验证
阶段 2:身份验证和会话安全
定义:攻击者在身份验证前设置受害者的会话 ID
根本原因:登录后未重新生成会话 ID
影响:会话劫持、未经授权的账户访问
缓解措施:在身份验证时重新生成会话 ID,使用安全的会话管理
定义:使用自动化工具系统性地猜测密码
根本原因:缺乏账户锁定、速率限制或 CAPTCHA
影响:未经授权的访问、凭据泄露
缓解措施:账户锁定策略、速率限制、多因素认证 (MFA)、CAPTCHA
定义:攻击者窃取或预测有效的会话令牌
根本原因:弱会话令牌生成、不安全的传输
影响:账户接管、未经授权的访问
缓解措施:安全的随机令牌生成、HTTPS、HttpOnly/Secure cookie 标志
定义:使用泄露的凭据访问跨服务的账户
根本原因:用户重复使用密码,缺乏泄露检测
影响:大规模账户泄露、数据泄露
缓解措施:多因素认证 (MFA)、泄露密码检查、唯一凭据要求
定义:弱持久性身份验证令牌实现
根本原因:可预测的令牌、过期控制不足
影响:未经授权的持久性访问、会话泄露
缓解措施:强令牌生成、适当的过期时间、安全存储
定义:规避机器人检测机制
根本原因:弱 CAPTCHA 算法、验证不当
影响:自动化攻击、凭据填充、垃圾信息
缓解措施:reCAPTCHA v3、分层机器人检测、速率限制
阶段 3:敏感数据暴露 IDOR - 不安全的直接对象引用 (23, 42)
定义:通过用户提供的引用直接访问内部对象
根本原因:对象访问缺少授权检查
影响:未经授权的数据访问、隐私泄露
缓解措施:访问控制验证、间接引用映射、授权检查
定义:无意中泄露敏感信息
根本原因:数据保护不足、弱访问控制
影响:隐私泄露、监管处罚、声誉损害
缓解措施:数据防泄露 (DLP) 解决方案、加密、访问控制、安全培训
定义:存储敏感数据而未加密
根本原因:未实施静态数据加密
影响:如果存储被泄露则导致数据泄露
缓解措施:全盘加密、数据库加密、安全的密钥管理
定义:通过错误消息或响应暴露系统详细信息
根本原因:冗长的错误处理、生产环境中的调试信息
影响:为后续攻击进行侦察、凭据暴露
缓解措施:通用错误消息、禁用调试模式、安全日志记录
阶段 4:安全配置错误
定义:缺少保护性 HTTP 头部(CSP、X-Frame-Options、HSTS)
根本原因:服务器配置不足
影响:XSS 攻击、点击劫持、协议降级
缓解措施:实施 CSP、X-Content-Type-Options、X-Frame-Options、HSTS
定义:系统/应用程序上未更改的默认凭据
根本原因:未更改供应商默认设置
影响:未经授权的访问、系统泄露
缓解措施:强制密码更改、强密码策略
定义:Web 服务器暴露目录内容
根本原因:服务器配置不当
影响:信息泄露、敏感文件暴露
缓解措施:禁用目录索引、使用默认索引文件
定义:缺少身份验证或授权的 API
根本原因:API 路由缺少安全控制
影响:未经授权的数据访问、API 滥用
缓解措施:OAuth/API 密钥、访问控制、速率限制
定义:暴露不必要的网络服务
根本原因:未能最小化攻击面
影响:利用易受攻击的服务
缓解措施:端口扫描审计、防火墙规则、服务最小化
定义:过于宽松的跨源资源共享策略
根本原因:通配符来源、CORS 配置不当
影响:跨站请求攻击、数据窃取
缓解措施:白名单受信任的来源、验证 CORS 头部
定义:系统运行过时的易受攻击软件
根本原因:忽视补丁管理
影响:利用已知漏洞
缓解措施:补丁管理程序、漏洞扫描、自动更新
阶段 5:XML 相关漏洞
定义:利用 XML 解析器访问文件或内部系统
根本原因:启用了外部实体处理
影响:文件泄露、SSRF、拒绝服务
缓解措施:禁用外部实体、使用安全的 XML 解析器
定义:过度实体扩展导致资源耗尽
根本原因:允许无限制的实体扩展
影响:拒绝服务、解析器崩溃
缓解措施:限制实体扩展、配置解析器限制
定义:精心构造的包含嵌套实体以消耗资源的 XML
根本原因:递归实体定义
影响:内存耗尽、拒绝服务
缓解措施:实体扩展限制、输入大小限制
定义:特制的 XML 导致过度处理
根本原因:复杂的文档结构没有限制
影响:CPU/内存耗尽、服务不可用
缓解措施:模式验证、大小限制、处理超时
阶段 6:失效的访问控制
定义:未能正确执行访问控制
根本原因:弱授权策略、缺少检查
影响:未经授权访问敏感资源
缓解措施:基于角色的访问控制 (RBAC)、集中式身份和访问管理 (IAM)、定期访问审查
定义:获得超出预期权限的提升访问权限
根本原因:权限配置错误、系统漏洞
影响:完全系统泄露、数据操纵
缓解措施:最小权限原则、定期打补丁、权限监控
定义:直接操纵 URL 以访问受限资源
根本原因:弱访问控制、可预测的 URL
影响:未经授权的文件/目录访问
缓解措施:服务器端访问控制、不可预测的资源路径
定义:未受保护的管理或特权功能
根本原因:仅在 UI 级别进行授权
影响:未经授权的功能执行
缓解措施:所有功能的服务器端授权、基于角色的访问控制 (RBAC)
阶段 7:不安全的反序列化
定义:通过恶意序列化对象执行任意代码
根本原因:未经验证的反序列化不受信任的数据
影响:完全系统泄露、代码执行
缓解措施:避免反序列化不受信任的数据、完整性检查、类型验证
定义:未经授权修改序列化数据
根本原因:缺少完整性验证
影响:数据损坏、权限操纵
缓解措施:数字签名、HMAC 验证、加密
定义:反序列化期间恶意对象实例化
根本原因:不安全的反序列化实践
影响:代码执行、未经授权的访问
缓解措施:类型限制、类白名单、安全库
阶段 8:API 安全评估
定义:缺少适当安全控制的 API
根本原因:API 设计不佳、缺少身份验证
影响:数据泄露、未经授权的访问
缓解措施:OAuth/JWT、HTTPS、输入验证、速率限制
定义:泄露或暴露的 API 凭据
根本原因:硬编码密钥、不安全存储
影响:未经授权的 API 访问、滥用
缓解措施:安全的密钥存储、轮换、环境变量
定义:对 API 请求频率没有控制
根本原因:缺少节流机制
影响:拒绝服务 (DoS)、API 滥用、资源耗尽
缓解措施:按用户/IP 的速率限制、节流、DDoS 防护
定义:API 接受未经验证的用户输入
根本原因:缺少服务器端验证
影响:注入攻击、数据损坏
缓解措施:严格的验证、参数化查询、Web 应用防火墙 (WAF)
定义:利用 API 功能进行恶意目的
根本原因:过度信任客户端输入
影响:数据窃取、账户接管、服务滥用
缓解措施:强身份验证、行为分析、异常检测
阶段 9:通信安全
定义:拦截双方之间的通信
根本原因:未加密的通道、受损的网络
影响:数据窃取、会话劫持、冒充
缓解措施:TLS/SSL、证书固定、相互身份验证
定义:传输中数据的加密弱或过时
根本原因:过时的协议(SSLv2/3)、弱密码套件
影响:流量拦截、凭据窃取
缓解措施:TLS 1.2+、强密码套件、HSTS
定义:加密配置不当
根本原因:弱密码套件、缺少前向保密
影响:流量解密、中间人攻击
缓解措施:现代密码套件、前向保密 (PFS)、证书验证
定义:使用未加密的协议(HTTP、Telnet、FTP)
根本原因:遗留系统、安全意识不足
影响:流量嗅探、凭据暴露
缓解措施:HTTPS、SSH、SFTP、VPN 隧道
阶段 10:客户端漏洞
定义:通过客户端 JavaScript 操作进行的 XSS
根本原因:使用用户输入进行不安全的 DOM 操作
影响:会话窃取、凭据收集
缓解措施:安全的 DOM API、内容安全策略 (CSP)、输入净化
定义:跨源请求处理不当
根本原因:宽松的 CORS/同源策略 (SOP)
影响:数据泄露、CSRF 攻击
缓解措施:严格的 CORS、CSRF 令牌、来源验证
定义:操纵缓存内容
根本原因:弱缓存验证
影响:恶意内容分发
缓解措施:Cache-Control 头部、HTTPS、完整性检查
定义:UI 伪装攻击,诱骗用户点击隐藏元素
根本原因:缺少框架保护
影响:意外操作、凭据窃取
缓解措施:X-Frame-Options、CSP frame-ancestors、框架破坏
定义:HTML5 API 中的漏洞(WebSockets、Storage、Geolocation)
根本原因:API 使用不当、验证不足
影响:数据泄露、XSS、隐私侵犯
缓解措施:安全的 API 使用、输入验证、沙箱化
阶段 11:拒绝服务评估
定义:用来自多个来源的流量淹没系统
根本原因:僵尸网络、放大攻击
影响:服务不可用、收入损失
缓解措施:DDoS 防护服务、速率限制、内容分发网络 (CDN)
定义:针对应用逻辑以耗尽资源
根本原因:低效代码、资源密集型操作
影响:应用程序不可用、性能下降
缓解措施:速率限制、缓存、Web 应用防火墙 (WAF)、代码优化
定义:耗尽 CPU、内存、磁盘或网络资源
根本原因:低效的资源管理
影响:系统崩溃、服务降级
缓解措施:资源配额、监控、负载均衡
定义:通过部分 HTTP 请求保持连接开放
根本原因:没有连接超时
影响:Web 服务器资源耗尽
缓解措施:连接超时、请求限制、反向代理
阶段 12:服务器端请求伪造
定义:操纵服务器向内部资源发出请求
根本原因:未验证的用户控制 URL
影响:内部网络访问、数据窃取、云元数据访问
缓解措施:URL 白名单、网络分段、出口过滤
定义:没有直接响应可见性的 SSRF
根本原因:与 SSRF 类似,但更难检测
影响:数据外泄、内部侦察
缓解措施:允许列表、Web 应用防火墙 (WAF)、网络限制
定义:通过响应时间推断 SSRF 成功
根本原因:处理延迟表明请求结果
影响:长期利用、检测规避
缓解措施:请求超时、异常检测、时间监控
阶段 13:其他 Web 漏洞
| 漏洞 | 根本原因 | 影响 | 缓解措施 ---|---|---|---|---
阶段 14:移动和物联网安全
| 漏洞 | 根本原因 | 影响 | 缓解措施 ---|---|---|---|---
阶段 15:高级和零日威胁
| 漏洞 | 根本原因 | 影响 | 缓解措施 ---|---|---|---|---
快速参考
漏洞类别摘要 类别 漏洞编号 关键控制措施 注入 1-13 参数化查询、输入验证、输出编码 身份验证 14-23, 85-86 多因素认证 (MFA)、会话管理、账户锁定 数据暴露 24-27 静态/传输中加密、访问控制、数据防泄露 (DLP) 配置错误 28-36 安全默认值、加固、打补丁 XML 37-39, 65 禁用外部实体、限制扩展 访问控制 40-44 基于角色的访问控制 (RBAC)、最小权限原则、授权检查 反序列化 45-47 避免不受信任的数据、完整性验证 API 安全 48-51, 75 OAuth、速率限制、输入验证 通信 52-55 TLS 1.2+、证书验证、HTTPS 客户端 56-60 内容安全策略 (CSP)、X-Frame-Options、安全的 DOM 拒绝服务 61-65 速率限制、DDoS 防护、资源限制 服务器端请求伪造 66, 87-88 URL 白名单、出口过滤 移动/物联网 76-84 加密、身份验证、安全存储 业务逻辑 74, 92-97 威胁建模、逻辑测试 零日 98-100 纵深防御、威胁情报
关键安全头部 Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()
OWASP Top 10 映射 OWASP 2021 相关漏洞 A01: 失效的访问控制 40-44, 23, 74 A02: 加密机制失效 24-25, 53-55 A03: 注入 1-13, 37-39 A04: 不安全设计 74, 92-97 A05: 安全配置错误 26-36 A06: 易受攻击的组件 34, 98-100 A07: 身份验证失败 14-23, 85-86 A08: 数据完整性失效 45-47 A09: 日志记录和监控不足 73 A10: 服务器端请求伪造 66, 87-88
约束和限制
漏洞定义代表常见模式;具体实现各不相同
缓解措施必须适应技术栈和架构
新漏洞不断出现;应更新此参考
某些漏洞在多个类别中重叠(例如,IDOR 出现在多个上下文中)
缓解措施的有效性取决于正确的实施
自动化扫描器无法检测所有漏洞类型(尤其是业务逻辑漏洞)
故障排除
常见评估挑战 挑战 解决方案 扫描中的误报 手动验证、上下文分析 遗漏的业务逻辑缺陷 手动测试、威胁建模、滥用案例分析 加密流量分析 代理配置、证书安装 WAF 阻止测试 速率调整、IP 轮换、负载编码 会话处理问题 Cookie 管理、身份验证状态跟踪 API 发现 Swagger/OpenAPI 枚举、流量分析
漏洞验证技术 漏洞类型 验证方法 注入 使用编码变体进行负载测试 XSS 告警框、Cookie 访问、DOM 检查 CSRF 跨源表单提交测试 SSRF 带外 DNS/HTTP 回调 XXE 带有受控服务器的外部实体 访问控制 水平/垂直权限测试 身份验证 凭据轮换、会话分析
参考资料
OWASP Top 10 Web 应用程序安全风险
CWE/SANS 25 个最危险的软件错误
OWASP 测试指南
OWASP 应用程序安全验证标准 (ASVS)
NIST 网络安全框架
来源:Kumar MS - 前 100 项 Web 漏洞
Cross-Site Scripting - XSS (2)
Definition: Injection of malicious scripts into web pages viewed by other users
Root Cause: Insufficient output encoding, lack of input sanitization
Impact: Session hijacking, credential theft, website defacement
Mitigation: Output encoding, Content Security Policy (CSP), input sanitization
Command Injection (5, 11)
Definition: Execution of arbitrary system commands through vulnerable applications
Root Cause: Unsanitized user input passed to system shells
Impact: Full system compromise, data exfiltration, lateral movement
Mitigation: Avoid shell execution, whitelist valid commands, strict input validation
XML Injection (6), LDAP Injection (7), XPath Injection (8)
Definition: Manipulation of XML/LDAP/XPath queries through malicious input
Root Cause: Improper input handling in query construction
Impact: Data exposure, authentication bypass, information disclosure
Mitigation: Input validation, parameterized queries, escape special characters
Server-Side Template Injection - SSTI (13)
Definition: Injection of malicious code into template engines
Root Cause: User input embedded directly in template expressions
Impact: Remote code execution, server compromise
Mitigation: Sandbox template engines, avoid user input in templates, strict input validation
Phase 2: Authentication and Session Security Assess authentication mechanism weaknesses:
Definition: Attacker sets victim's session ID before authentication
Root Cause: Session ID not regenerated after login
Impact: Session hijacking, unauthorized account access
Mitigation: Regenerate session ID on authentication, use secure session management
Definition: Systematic password guessing using automated tools
Root Cause: Lack of account lockout, rate limiting, or CAPTCHA
Impact: Unauthorized access, credential compromise
Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA
Definition: Attacker steals or predicts valid session tokens
Root Cause: Weak session token generation, insecure transmission
Impact: Account takeover, unauthorized access
Mitigation: Secure random token generation, HTTPS, HttpOnly/Secure cookie flags
Credential Stuffing and Reuse (22)
Definition: Using leaked credentials to access accounts across services
Root Cause: Users reusing passwords, no breach detection
Impact: Mass account compromise, data breaches
Mitigation: MFA, breach password checks, unique credential requirements
Insecure "Remember Me" Functionality (85)
Definition: Weak persistent authentication token implementation
Root Cause: Predictable tokens, inadequate expiration controls
Impact: Unauthorized persistent access, session compromise
Mitigation: Strong token generation, proper expiration, secure storage
Definition: Circumventing bot detection mechanisms
Root Cause: Weak CAPTCHA algorithms, improper validation
Impact: Automated attacks, credential stuffing, spam
Mitigation: reCAPTCHA v3, layered bot detection, rate limiting
Phase 3: Sensitive Data Exposure Identify data protection failures:
IDOR - Insecure Direct Object References (23, 42)
Definition: Direct access to internal objects via user-supplied references
Root Cause: Missing authorization checks on object access
Impact: Unauthorized data access, privacy breaches
Mitigation: Access control validation, indirect reference maps, authorization checks
Definition: Inadvertent disclosure of sensitive information
Root Cause: Inadequate data protection, weak access controls
Impact: Privacy breaches, regulatory penalties, reputation damage
Mitigation: DLP solutions, encryption, access controls, security training
Unencrypted Data Storage (25)
Definition: Storing sensitive data without encryption
Root Cause: Failure to implement encryption at rest
Impact: Data breaches if storage compromised
Mitigation: Full-disk encryption, database encryption, secure key management
Information Disclosure (33)
Definition: Exposure of system details through error messages or responses
Root Cause: Verbose error handling, debug information in production
Impact: Reconnaissance for further attacks, credential exposure
Mitigation: Generic error messages, disable debug mode, secure logging
Phase 4: Security Misconfiguration Assess configuration weaknesses:
Missing Security Headers (26)
Definition: Absence of protective HTTP headers (CSP, X-Frame-Options, HSTS)
Root Cause: Inadequate server configuration
Impact: XSS attacks, clickjacking, protocol downgrade
Mitigation: Implement CSP, X-Content-Type-Options, X-Frame-Options, HSTS
Definition: Unchanged default credentials on systems/applications
Root Cause: Failure to change vendor defaults
Impact: Unauthorized access, system compromise
Mitigation: Mandatory password changes, strong password policies
Definition: Web server exposes directory contents
Root Cause: Improper server configuration
Impact: Information disclosure, sensitive file exposure
Mitigation: Disable directory indexing, use default index files
Unprotected API Endpoints (30)
Definition: APIs lacking authentication or authorization
Root Cause: Missing security controls on API routes
Impact: Unauthorized data access, API abuse
Mitigation: OAuth/API keys, access controls, rate limiting
Open Ports and Services (31)
Definition: Unnecessary network services exposed
Root Cause: Failure to minimize attack surface
Impact: Exploitation of vulnerable services
Mitigation: Port scanning audits, firewall rules, service minimization
Definition: Overly permissive Cross-Origin Resource Sharing policies
Root Cause: Wildcard origins, improper CORS configuration
Impact: Cross-site request attacks, data theft
Mitigation: Whitelist trusted origins, validate CORS headers
Definition: Systems running outdated vulnerable software
Root Cause: Neglected patch management
Impact: Exploitation of known vulnerabilities
Mitigation: Patch management program, vulnerability scanning, automated updates
Phase 5: XML-Related Vulnerabilities Evaluate XML processing security:
XXE - XML External Entity Injection (37)
Definition: Exploitation of XML parsers to access files or internal systems
Root Cause: External entity processing enabled
Impact: File disclosure, SSRF, denial of service
Mitigation: Disable external entities, use safe XML parsers
XEE - XML Entity Expansion (38)
Definition: Excessive entity expansion causing resource exhaustion
Root Cause: Unlimited entity expansion allowed
Impact: Denial of service, parser crashes
Mitigation: Limit entity expansion, configure parser restrictions
XML Bomb (Billion Laughs) (39)
Definition: Crafted XML with nested entities consuming resources
Root Cause: Recursive entity definitions
Impact: Memory exhaustion, denial of service
Mitigation: Entity expansion limits, input size restrictions
XML Denial of Service (65)
Definition: Specially crafted XML causing excessive processing
Root Cause: Complex document structures without limits
Impact: CPU/memory exhaustion, service unavailability
Mitigation: Schema validation, size limits, processing timeouts
Phase 6: Broken Access Control Assess authorization enforcement:
Inadequate Authorization (40)
Definition: Failure to properly enforce access controls
Root Cause: Weak authorization policies, missing checks
Impact: Unauthorized access to sensitive resources
Mitigation: RBAC, centralized IAM, regular access reviews
Privilege Escalation (41)
Definition: Gaining elevated access beyond intended permissions
Root Cause: Misconfigured permissions, system vulnerabilities
Impact: Full system compromise, data manipulation
Mitigation: Least privilege, regular patching, privilege monitoring
Definition: Direct URL manipulation to access restricted resources
Root Cause: Weak access controls, predictable URLs
Impact: Unauthorized file/directory access
Mitigation: Server-side access controls, unpredictable resource paths
Missing Function-Level Access Control (44)
Definition: Unprotected administrative or privileged functions
Root Cause: Authorization only at UI level
Impact: Unauthorized function execution
Mitigation: Server-side authorization for all functions, RBAC
Phase 7: Insecure Deserialization Evaluate object serialization security:
Remote Code Execution via Deserialization (45)
Definition: Arbitrary code execution through malicious serialized objects
Root Cause: Untrusted data deserialized without validation
Impact: Complete system compromise, code execution
Mitigation: Avoid deserializing untrusted data, integrity checks, type validation
Definition: Unauthorized modification of serialized data
Root Cause: Missing integrity verification
Impact: Data corruption, privilege manipulation
Mitigation: Digital signatures, HMAC validation, encryption
Definition: Malicious object instantiation during deserialization
Root Cause: Unsafe deserialization practices
Impact: Code execution, unauthorized access
Mitigation: Type restrictions, class whitelisting, secure libraries
Phase 8: API Security Assessment Evaluate API-specific vulnerabilities:
Insecure API Endpoints (48)
Definition: APIs without proper security controls
Root Cause: Poor API design, missing authentication
Impact: Data breaches, unauthorized access
Mitigation: OAuth/JWT, HTTPS, input validation, rate limiting
Definition: Leaked or exposed API credentials
Root Cause: Hardcoded keys, insecure storage
Impact: Unauthorized API access, abuse
Mitigation: Secure key storage, rotation, environment variables
Lack of Rate Limiting (50)
Definition: No controls on API request frequency
Root Cause: Missing throttling mechanisms
Impact: DoS, API abuse, resource exhaustion
Mitigation: Rate limits per user/IP, throttling, DDoS protection
Inadequate Input Validation (51)
Definition: APIs accepting unvalidated user input
Root Cause: Missing server-side validation
Impact: Injection attacks, data corruption
Mitigation: Strict validation, parameterized queries, WAF
Definition: Exploiting API functionality for malicious purposes
Root Cause: Excessive trust in client input
Impact: Data theft, account takeover, service abuse
Mitigation: Strong authentication, behavior analysis, anomaly detection
Phase 9: Communication Security Assess transport layer protections:
Man-in-the-Middle Attack (52)
Definition: Interception of communication between parties
Root Cause: Unencrypted channels, compromised networks
Impact: Data theft, session hijacking, impersonation
Mitigation: TLS/SSL, certificate pinning, mutual authentication
Insufficient Transport Layer Security (53)
Definition: Weak or outdated encryption for data in transit
Root Cause: Outdated protocols (SSLv2/3), weak ciphers
Impact: Traffic interception, credential theft
Mitigation: TLS 1.2+, strong cipher suites, HSTS
Insecure SSL/TLS Configuration (54)
Definition: Improperly configured encryption settings
Root Cause: Weak ciphers, missing forward secrecy
Impact: Traffic decryption, MITM attacks
Mitigation: Modern cipher suites, PFS, certificate validation
Insecure Communication Protocols (55)
Definition: Use of unencrypted protocols (HTTP, Telnet, FTP)
Root Cause: Legacy systems, security unawareness
Impact: Traffic sniffing, credential exposure
Mitigation: HTTPS, SSH, SFTP, VPN tunnels
Phase 10: Client-Side Vulnerabilities Evaluate browser-side security:
Definition: XSS through client-side JavaScript manipulation
Root Cause: Unsafe DOM manipulation with user input
Impact: Session theft, credential harvesting
Mitigation: Safe DOM APIs, CSP, input sanitization
Insecure Cross-Origin Communication (57)
Definition: Improper handling of cross-origin requests
Root Cause: Relaxed CORS/SOP policies
Impact: Data leakage, CSRF attacks
Mitigation: Strict CORS, CSRF tokens, origin validation
Browser Cache Poisoning (58)
Definition: Manipulation of cached content
Root Cause: Weak cache validation
Impact: Malicious content delivery
Mitigation: Cache-Control headers, HTTPS, integrity checks
Definition: UI redress attack tricking users into clicking hidden elements
Root Cause: Missing frame protection
Impact: Unintended actions, credential theft
Mitigation: X-Frame-Options, CSP frame-ancestors, frame-busting
HTML5 Security Issues (60)
Definition: Vulnerabilities in HTML5 APIs (WebSockets, Storage, Geolocation)
Root Cause: Improper API usage, insufficient validation
Impact: Data leakage, XSS, privacy violations
Mitigation: Secure API usage, input validation, sandboxing
Phase 11: Denial of Service Assessment Evaluate availability threats:
DDoS - Distributed Denial of Service (61)
Definition: Overwhelming systems with traffic from multiple sources
Root Cause: Botnets, amplification attacks
Impact: Service unavailability, revenue loss
Mitigation: DDoS protection services, rate limiting, CDN
Application Layer DoS (62)
Definition: Targeting application logic to exhaust resources
Root Cause: Inefficient code, resource-intensive operations
Impact: Application unavailability, degraded performance
Mitigation: Rate limiting, caching, WAF, code optimization
Definition: Depleting CPU, memory, disk, or network resources
Root Cause: Inefficient resource management
Impact: System crashes, service degradation
Mitigation: Resource quotas, monitoring, load balancing
Definition: Keeping connections open with partial HTTP requests
Root Cause: No connection timeouts
Impact: Web server resource exhaustion
Mitigation: Connection timeouts, request limits, reverse proxy
Phase 12: Server-Side Request Forgery Assess SSRF vulnerabilities:
SSRF - Server-Side Request Forgery (66)
Definition: Manipulating server to make requests to internal resources
Root Cause: Unvalidated user-controlled URLs
Impact: Internal network access, data theft, cloud metadata access
Mitigation: URL whitelisting, network segmentation, egress filtering
Definition: SSRF without direct response visibility
Root Cause: Similar to SSRF, harder to detect
Impact: Data exfiltration, internal reconnaissance
Mitigation: Allowlists, WAF, network restrictions
Time-Based Blind SSRF (88)
Definition: Inferring SSRF success through response timing
Root Cause: Processing delays indicating request outcomes
Impact: Prolonged exploitation, detection evasion
Mitigation: Request timeouts, anomaly detection, timing monitoring
Phase 13: Additional Web Vulnerabilities
| Vulnerability | Root Cause | Impact | Mitigation ---|---|---|---|---
Phase 14: Mobile and IoT Security
| Vulnerability | Root Cause | Impact | Mitigation ---|---|---|---|---
Phase 15: Advanced and Zero-Day Threats
| Vulnerability | Root Cause | Impact | Mitigation ---|---|---|---|---
Quick Reference
Vulnerability Categories Summary Category Vulnerability Numbers Key Controls Injection 1-13 Parameterized queries, input validation, output encoding Authentication 14-23, 85-86 MFA, session management, account lockout Data Exposure 24-27 Encryption at rest/transit, access controls, DLP Misconfiguration 28-36 Secure defaults, hardening, patching XML 37-39, 65 Disable external entities, limit expansion Access Control 40-44 RBAC, least privilege, authorization checks Deserialization 45-47 Avoid untrusted data, integrity validation API Security 48-51, 75 OAuth, rate limiting, input validation Communication 52-55 TLS 1.2+, certificate validation, HTTPS Client-Side 56-60 CSP, X-Frame-Options, safe DOM DoS 61-65 Rate limiting, DDoS protection, resource limits SSRF 66, 87-88 URL whitelisting, egress filtering Mobile/IoT 76-84 Encryption, authentication, secure storage Business Logic 74, 92-97 Threat modeling, logic testing Zero-Day 98-100 Defense in depth, threat intelligence
Critical Security Headers Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()
OWASP Top 10 Mapping OWASP 2021 Related Vulnerabilities A01: Broken Access Control 40-44, 23, 74 A02: Cryptographic Failures 24-25, 53-55 A03: Injection 1-13, 37-39 A04: Insecure Design 74, 92-97 A05: Security Misconfiguration 26-36 A06: Vulnerable Components 34, 98-100 A07: Auth Failures 14-23, 85-86 A08: Data Integrity 45-47 A09: Logging Failures 73 A10: SSRF 66, 87-88
Constraints and Limitations
Vulnerability definitions represent common patterns; specific implementations vary
Mitigations must be adapted to technology stack and architecture
New vulnerabilities emerge continuously; reference should be updated
Some vulnerabilities overlap across categories (e.g., IDOR appears in multiple contexts)
Effectiveness of mitigations depends on proper implementation
Automated scanners cannot detect all vulnerability types (especially business logic)
Troubleshooting
Common Assessment Challenges Challenge Solution False positives in scanning Manual verification, contextual analysis Business logic flaws missed Manual testing, threat modeling, abuse case analysis Encrypted traffic analysis Proxy configuration, certificate installation WAF blocking tests Rate adjustment, IP rotation, payload encoding Session handling issues Cookie management, authentication state tracking API discovery Swagger/OpenAPI enumeration, traffic analysis
Vulnerability Verification Techniques Vulnerability Type Verification Approach Injection Payload testing with encoded variants XSS Alert boxes, cookie access, DOM inspection CSRF Cross-origin form submission testing SSRF Out-of-band DNS/HTTP callbacks XXE External entity with controlled server Access Control Horizontal/vertical privilege testing Authentication Credential rotation, session analysis
References
OWASP Top 10 Web Application Security Risks
CWE/SANS Top 25 Most Dangerous Software Errors
OWASP Testing Guide
OWASP Application Security Verification Standard (ASVS)
NIST Cybersecurity Framework
Source: Kumar MS - Top 100 Web Vulnerabilities
React 组合模式指南:Vercel 组件架构最佳实践,提升代码可维护性
103,800 周安装
