| vulnerable name | note | |
|---|---|---|
| A1-Injection | Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. | |
| A2-Broken Authentication and Session Management | Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. | |
| A3-Cross-Site Scripting (XSS) | XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. | |
| A4-Insecure Direct Object References | A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. | |
| A5-Security Misconfiguration | Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. | |
| A6-Sensitive Data Exposure | Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. | |
| A7-Missing Function Level Access Control | Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. | |
| A8-Cross-Site Request Forgery (CSRF) | A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. | |
| A9-Using Components with Known Vulnerabilities | Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. | |
| A10-Unvalidated Redirects and Forwards | Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. |
A1-注入
A2-跨站脚本(XSS)
A3-错误的认证和会话管理
A4-不安全的直接对象引用
A5-伪造跨站请求(CSRF) – Cross-Site Request Forgery
A7-限制远程访问失败
A8-未验证的重定向和传递
A9-不安全的加密存储
A10-不足的传输层保护
CSRF攻击介绍与实施
二次确认提交
应用程序允许用户提交不包含任何保密字段的状态改变请求,如:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
因此,攻击者构建一个请求,用于将受害用户账户中的现金转移到自己账户。然后攻击者在其控制的多个网站的图片请求或iframe中嵌入这种攻击。
<imgsrc=”http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#“width=”0” height=”0” >
如果受害用户通过example.com认证后访问任何一个攻击者的网站,伪造的请求将自动包含用户的会话信息,授权执行攻击者的请求。
要取得这种成功,黑客必须正确地猜测出系统上另外一个文件名,但一个更合理的方法,是寻找系统上其它位置的特定内容,其使用的方法就是目录遍历攻击(目录遍历是Http的一个安全漏洞,它使得攻击者能够访问受限制的目录,并能够在Web服务器的根目录以外执行命令。)。从本质上讲,这意味着访问一个完全不同的目录,或者存在漏洞的应用程序的开发者所构建的任何方面。
安全配置错误
案例#1:应用程序服务器管理员控制台自动安装后没有被删除。而默认帐户也没有被改变。攻击者在你的服务器上发现了标准的管理员页面,通过默认密码登录,从而接管了你的服务器。
案例#2:目录列表在你的服务器上未被禁用。攻击者发现只需列出目录,她就可以找到你服务器上的任意文件。攻击者找到并下载所有已编译的Java类,她通过反编译获得了所有你的自定义代码。然后,她在你的应用程序中找到一个访问控制的严重漏洞。
案例#3:应用服务器配置允许堆栈跟踪返回给用户,这样就暴露了潜在的漏洞。攻击者热衷于收集错误消息里提供的额外信息。
案例#4:应用服务器自带的示例应用程序没有从您的生产服务器中删除。该示例应用有已知安全漏洞,攻击者可以利用这些漏洞破坏您的服务器。
这个领域的错误频繁影响那些本应该加密的数据。这些信息通常包括很多敏感数据,比如医疗记录,认证凭证,个人隐私数据,信用卡信息,等等。
禁止或者限制在错误处理中使用详细信息,不向用户显示调试信息。
首先你需要确认的是哪些数据是敏感数据而需要被加密。例如:密码、信用卡、医疗记录、个人信息应该被加密。
A6 – 敏感信息泄露
1、个人信息,如姓名,身份证ID,电话号码,银行账户,驾驶证号码,社保卡号,护照号码等都是敏感数据;
2、网站登录的用户名、密码,SSL证书,会话ID,加密使用的密钥等都属于敏感信息,这些信息一旦泄露,攻击者就可以以合法用户的身份访问Web系统,随意进行各种攻击操作;
3、Web服务器的OS类型,版本信息,Web容器的名称,版本号,数据库类型,版本号,应用软件使用开源软件信息都属于敏感信息,因为攻击者知道这些软件信息,就会利用这些软件存在的公开漏洞进行专门攻击,提升了系统被攻破的可能性。
功能级访问控制缺失
这种漏洞允许攻击者访问未经授权的功能。管理性的功能是这类攻击的主要目标。
检查应用程序是否正确的限制了功能级的访问的最好方法是验证每一个应用程序的功能。
1.用户界面(UI)是否存在到未授权功能的导航?
2.服务器端的身份认证或授权功能是否完善?
3.服务器端的检查是否仅仅依赖于攻击者提供的信息?
开启代理的情况下,先以特权用户身份浏览一遍您的功能,然后以普通用户身份再次访问受限页面。如果服务器的响应很类似,您的应用很可能容易受攻击。一些测试代理直接支持此种类型的分析。
案例1#:攻击者仅仅直接浏览目标网址。例如下面的两个网址都需要身份验证。同时访问“admin_getappInfo”页面还需要管理员权限。
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
如果未认证的用户可以访问上述任一页面,这就是漏洞。如果通过验证的非管理员用户也能允许访问“admin_getappInfo”页面,这同样是个漏洞。这个漏洞可能会将攻击者引向更多保护不当的管理页面。
案例2#:一个页面提供了“action”参数给某个特定的功能调用,并且不同的操作需要不同的角色。如果没有进行角色检查,这也是漏洞。
使用含有已知漏洞的组件
事实上,大多数的应用都存在这些问题。因为大多数的开发团队并不会把及时更新组件/库作为他们的工作重心。在很多情况下,开发者都不了解他们所使用的全部组件,更不用说组件的版本了。组件的依赖性使情况更加糟糕。
判断您是否易于受到这类攻击,要求您不但要不停地搜索这些数据库,还要关注大量的邮件列表和可能包含漏洞发布的公告信息。如果您使用的组件之一存在漏洞,您应该仔细评估该漏洞是否给您的业务也带来了缺陷。此评估可以通过检查您的代码使用该组件的部分,以及该缺陷可能导致的您关心的结果来完成。
•Apache CXF认证绕过—未能提供身份令牌的情况下,攻击者可以以最高权限调用任意的web服务。(Apache CXF 是一个服务框架,不要与Apache应用服务器混淆。)
•Spring远程代码执行—滥用Spring中语言表达式的实现允许攻击者执行任意代码,有效的接管服务器。
A1 – Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
(A1 – 注入,注入缺陷,例如SQL注入、OS命令注入、LDAP注入等,会在攻击者向应用服务端发送以分隔符作为命令或者查询的一部分时就会发生。攻击者的有害数据中分隔符造成的陷阱,会执行攻击构造的未预知的命令或者访问未授权数据。)
A2 – Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
(A2 -失效的身份认证和会话管理,与身份认证和会话管理相关的应用功能经常实现的不正确,允许攻击者可以构造密码、密钥、或者会话令牌或者利用实现缺陷,假冒其他用户的身份。)
A3 – Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
(A3 – XSS,当应用服务接收不被信任的数据,并且将该数据不经过验证或者字符过滤,就发送给客户的Web浏览器,就会产生XSS攻击。XSS攻击允许攻击者在受害者的浏览器中执行脚本,用于劫持受害者用户的会话信息,伤害特定的网站,或者重定向用户到恶意站点。)
A4 – Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
(A4 – 不安全的直接对象引用,应用开发者有时候可能会暴露应用内部实现对象的引用,例如文件、目录、或者数据库Key等。如果没有对这些的访问控制或者其他保护,攻击者就有可能利用这些暴露的引用访问未授权的数据。)
A5 – Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
(A5 – 安全配置错误,应用、框架、Web服务器、数据库服务器、各种应用平台的良好的安全性需要一份定义好的、部署好的安全配置。安全配置必需进行良好的定义、实现、维护,默认配置通常情况下是不安全的,另外,软件应该及时更新。)
A6 – Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
(A6 – 敏感数据泄露,许多Web应用没有正确地保护敏感数据,例如信用卡卡号、税号、身份认证证书等。攻击者可以通过偷窃、更改这种弱保护的数据,以进行信用卡诈骗、身份窃取、或者其他犯罪。这类敏感数据值得进行额外的保护,例如,加密传输、在于客户端浏览器交换数据时进行的特殊保护。)
A7 – Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
(A7 – 功能级访问控制缺失,大部分Web应用在界面上进行了应用级访问控制,但是应用服务器端也要进行响应的访问控制才行。如果请求没有验证,攻击者就能够构造请求访问未授权的功能。)
A8 – Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
(A8 – 跨站请求伪造,CSRF攻击强制一个已经登入的受害者浏览器,向带漏洞的Web应用发送伪造的HTTP请求,但是使用的是受害者正确的会话Cookie,以及其他的认证信息,这样攻击者就可以让Web应用认为这是受害者自愿发送的请求。)
A9 – Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
(A9 –使用已知易受攻击组件,组件,比如库、框架、或者其他的软件模块,通常运行在最高权限。如果一个有弱点的组件受到了利用,就可能被攻击者控制服务器或者造成严重数据损失。使用已知易受攻击组件的应用会造成应用整体安全性的降低,并且造成一定范围的攻击和影响。)
A10 – Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
(A10 –未验证的重定向和转发,Web应用经常会将用户重定向到其他的页面或者站点,并且使用使用不可信的数据来确定目标页面,如果不进行正确的验证,攻击可以让受害者重定向到钓鱼或者挂马的网站,或者利用重定向访问未授权页面。)
REFERENCE
231
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
