web应用程序安全性测试

As developers, it’s not only our job to write code. We are responsible for delivering software that is tested, fully functional, and secure. All of these requirements are equally complex. But I feel these are not always treated equally.

作为开发人员，编写代码不仅是我们的工作。我们负责提供经过测试，功能齐全且安全的软件。所有这些要求都同样复杂。但是我觉得这些并不总是得到平等对待。

Application security is not always a first-class citizen. But it should be. Customers give us their data and expect us to keep it in a safe place. By leaving them vulnerable to exploitation, we risk losing our customers’ trust and their business.

应用程序安全性并不总是一流的公民。但这应该是。客户向我们提供他们的数据，并希望我们将其保存在安全的地方。使他们容易受到剥削，我们就有失去客户信任和业务的风险。

I write this story to help you improve your web app’s security. I will present mitigations that you can implement quickly in any web application. Therefore, I picked five of the ten most common security risks and added a dedicated chapter for Cross-Site-Request-Forgery. Each section consists of one or more vulnerabilities and multiple mitigations.

我写这个故事是为了帮助您提高Web应用程序的安全性。我将介绍一些缓解措施，您可以在任何Web应用程序中快速实施这些缓解措施。因此，我从十种最常见的安全风险中选择了五种，并为跨站点请求伪造添加了专门的章节。每个部分均包含一个或多个漏洞和多种缓解措施。

Cross-Site-Request-Forgery

跨站请求伪造
Cross-Site Scripting

跨站脚本
Security Misconfiguration

安全配置错误
Broken Authentication

认证失败
Sensitive Data Exposure

敏感数据暴露
Using Components with Known Vulnerabilities

使用具有已知漏洞的组件

跨站请求伪造 (Cross-Site-Request-Forgery)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.owasp.org/www-community/attacks/csrf/

跨站点请求伪造(CSRF)是一种攻击，它迫使最终用户在当前已通过身份验证的Web应用程序上执行不需要的操作。 owasp.org/www-community/attacks/csrf /

攻击 (Attack)

A CSRF attack happens if an attacker can execute actions on the user’s behalf without notice.

如果攻击者可以代表用户执行操作而无需另行通知，则CSRF攻击会发生。

Our user logs into trustful.site.com.

我们的用户登录到trustful.site.com。
trustful.site.com sets a session cookie.

trustful.site.com设置会话cookie。
The attacker tricks the user into navigating to evil.syte.com.

攻击者诱使用户导航到evil.syte.com。
evil.syte.com calls the backend of trustful.site.com.

evil.syte.com称为trustful.site.com的后端。
The backend application validates the session cookie and executes the request.

后端应用程序验证会话cookie并执行请求。

Scary, isn’t it? Why is this possible? Cookies, by default, are sent to hostnames that match their domain value. But not all browsers check if the current webpage matches the cookies’ domain value. They use the target host of an HTTP request to determine which cookies to attach.

吓人，不是吗？为什么会这样呢？默认情况下，Cookie将发送到与其域名匹配的主机名。但是，并非所有浏览器都会检查当前网页是否与Cookie的域名匹配。他们使用HTTP请求的目标主机来确定要附加的cookie。

The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is “example.com”, the user agent will include the cookie in the Cookie header when making HTTP requests to example.com [..].tools.ietf.org/html/rfc6265#section-4.1.2

域属性指定将向其发送Cookie的那些主机。例如，如果“域”属性的值为“ example.com”，则在对example.com [..]进行HTTP请求时，用户代理会将cookie包含在Cookie标头中。 tools.ietf.org/html/rfc6265#section-4.1.2

Thus, as long as the session cookie is valid, evil.syte.com can perform actions on the user’s behalf.

因此，只要会话cookie有效， evil.syte.com就可以代表用户执行操作。

缓解措施 (Mitigations)

We can do three things to mitigate the risk of CSRF:

我们可以做三件事来减轻CSRF的风险：

Send cookies only over secure HTTPs connections,仅通过安全的HTTPs连接发送Cookie，
restrict access to cookies, and限制访问cookie，以及
prevent the browser from sending the cookie from 3rd party websites.阻止浏览器从第三方网站发送cookie。

To achieve this, set the following cookie attributes:

为此，请设置以下cookie属性：

Secure

Secure
HttpOnly

HttpOnly
SameSite=strict

SameSite=strict

跨站脚本 (Cross-Site Scripting)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.owasp.org/www-community/attacks/xss/

跨站点脚本(XSS)攻击是一种注入，其中恶意脚本被注入到原本良性和可信任的网站中。当攻击者使用Web应用程序将恶意代码(通常以浏览器端脚本的形式)发送给其他最终用户时，就会发生XSS攻击。 owasp.org/www-community/attacks/xss/

攻击 (Attack)

An XSS attack needs two preconditions. First, the attacker must inject code into the web application. Second, the web application has to execute all scripts it gets blindly. In contrast to the CSRF attack, there’s not necessarily a third party website involved.

XSS攻击需要两个前提条件。首先，攻击者必须将代码注入Web应用程序。其次，Web应用程序必须执行盲目执行的所有脚本。与CSRF攻击相比，不一定要涉及第三方网站。

Cross-Site Scripting attacks can involve code persisted in a database, or code injected at runtime. For the following example, we will focus on the former.

跨站点脚本攻击可能涉及将代码保留在数据库中，或者涉及在运行时注入的代码。对于以下示例，我们将重点放在前一个示例上。

The attacker inserts a malicious script into our database through a field not validated by our server.攻击者通过未经服务器验证的字段将恶意脚本插入我们的数据库。
The attacker sends our user a link to trustful.site.com. He knows this page will return dangerous script.

攻击者向我们的用户发送一个链接到trustful.site.com。 他知道此页面将返回危险脚本。
Our user clicks on the link, and unknowingly receives the malicious code snippet.

我们的用户单击链接，在不知不觉中收到恶意代码段。
The browser executes our attacker’s prepared code. The script sends sensitive information to our attacker.

浏览器执行攻击者准备的代码。 该脚本会将敏感信息发送给我们的攻击者。

Are you interested in seeing an XSS vulnerability in action? Click the following link: Google XSS Game Demo. It will open a playground provided by Google and show a JavaScript alert. The text of the popup is in the URL parameter named query. We call this a reflected XSS attack because the server reflects the query parameter.

您是否有兴趣了解实际使用的XSS漏洞？单击以下链接： Google XSS Game Demo 。它将打开Google提供的游乐场，并显示JavaScript警报。弹出窗口的文本位于名为query的URL参数中。我们称其为反射XSS攻击，因为服务器反映了查询参数。

缓解措施 (Mitigations)

Validate all data twice. First, frontend applications need to validate all user input. Validation will decrease the risk of malicious data entering the app in the first place. Nevertheless, hackers can still call servers directly. Hence, second, we need to validate all data on the server-side, too. To mitigate the XSS risk, we need to verify every JSON or XML field’s value. These fields should only contain explicitly permitted characters and have an acceptable length.

验证所有数据两次 。首先，前端应用程序需要验证所有用户输入。验证将首先降低恶意数据进入应用程序的风险。尽管如此，黑客仍然可以直接呼叫服务器。因此，第二，我们也需要在服务器端验证所有数据。为了减轻XSS风险，我们需要验证每个JSON或XML字段的值。 这些字段应仅包含明确允许的字符，并且具有可接受的长度 。

Encode all data to prevent reflected XSS attacks. The OWASP® Foundation builds appropriate libraries for both NodeJS and Java. Encoding ensures that web browsers display code instead of executing it.

对所有数据进行编码，以防止反射的XSS攻击。该OWASP®基金会建立两个相应的库的NodeJS和Java的。编码可确保Web浏览器显示代码而不是执行代码。

Tell the browser which type of resources to fetch from third-party servers. Such a content policy is a significant security improvement, as it limits the scope of an XSS attack.

告诉浏览器要从第三方服务器获取哪种资源 。这样的内容策略是对安全性的重大改进，因为它限制了XSS攻击的范围。

If you use a CDN or load resources from other servers, use the appropriate content security policy with the expected domain. Such as Content-Security-Policy: font-src https://fonts.cdn.com.

如果您使用CDN或从其他服务器加载资源，请对预期的域使用适当的内容安全策略。例如Content-Security-Policy: font-src https://fonts.cdn.com 。
If you don’t use a CDN, set the response header Content-Security-Policy with value default-src ‘none'.

如果您不使用CDN，请设置响应标头Content-Security-Policy 有价值 default-src 'none' 。

安全配置错误 (Security Misconfiguration)

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.owasp.org/www-project-top-ten/

安全配置错误是最常见的问题。这通常是由于不安全的默认配置，不完整或临时的配置，开放的云存储，错误配置的HTTP标头以及包含敏感信息的冗长错误消息的结果。 owasp.org/www-project-top-ten/

An improper configuration of any component can help attackers discover security holes and identify an attack surface. In the context of web application security, a properly configured system

任何组件的不正确配置都可以帮助攻击者发现安全漏洞并识别攻击面。在Web应用程序安全性的上下文中，一个正确配置的系统

hides information about used components and frameworks, and隐藏有关使用过的组件和框架的信息，以及
does not permit unauthenticated and unauthorized access.不允许未经身份验证和未经授权的访问。

The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html

攻击面描述了攻击者可以进入系统以及从何处获取数据的所有不同点。 cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html

攻击 (Attack)

Information about a system can appear in HTTP headers and HTTP response bodies. Standard HTTP headers that contain server information are:

有关系统的信息可以显示在HTTP标头和HTTP响应正文中。包含服务器信息的标准HTTP标头是：

server (Apache, NGINX),

服务器(Apache，NGINX)，
x-powered-by (ExpressJS, PHP),

x-by-by(ExpressJS，PHP)，
x-application-context (Spring Boot),

x-application-context(Spring启动)，
via (varnish)

通过(清漆)

Frameworks like ExpressJS or Spring Boot provide a default error handling mechanism. By default, both return a stack trace, if they handle an uncaught error or exception. Stack traces give an attacker a detailed impression of an application. They reveal which types and instances are in use and processed the request. With this in-depth knowledge, an attacker can launch a more sophisticated attack.

诸如ExpressJS或Spring Boot之类的框架提供了默认的错误处理机制。默认情况下，如果它们都处理未捕获的错误或异常，则两者都将返回堆栈跟踪。 堆栈跟踪使攻击者对应用程序有详细的印象。 它们显示正在使用哪些类型和实例并处理了请求 。有了这些深入的知识，攻击者就可以发起更复杂的攻击。

Furthermore, if an application returns error messages and user input, it can be vulnerable to Reflected File Downloads (RFD). RFD will allow an attacker to build an URL to a web page, that when opened, will download a script to the user’s machine. Since the attacker controls the link, he is also in charge of the downloaded file’s content.

此外，如果应用程序返回错误消息和用户输入，则可能容易受到“ 反射文件下载(RFD)”的影响 。 RFD允许攻击者建立指向网页的URL，打开该URL后，会将脚本下载到用户的计算机上。由于攻击者控制链接，因此他也负责下载文件的内容。

How could such a link look like?

这样的链接看起来如何？

https://search.yoursite.com/;chrome.bat?q=<encoded bash script here>https://search.yoursite.com/;chrome.bat?q= <此处已编码bash脚本>

An incorrectly configured server would download the reflected parameter q to a file named chrome.cmd. What do you think, how likely is it for a non-technical user to run chrome.cmd in the downloads folder?

错误配置的服务器会将反射的参数q下载到名为chrome.cmd的文件中。您认为，非技术用户在downloads文件夹中运行chrome.cmd的可能性有多大？

减轻 (Mitigation)

Disable component and framework-specific HTTP headers. Make it harder for a hacker to launch specific attacks.

禁用组件和特定于框架的HTTP标头。 使黑客更难发动特定的攻击。

Do not expose detailed information or user info in error pages. Hide information about frameworks and application runtime and prevent reflected file downloads.

不要在错误页面中显示详细信息或用户信息。 隐藏有关框架和应用程序运行时的信息，并防止反映文件下载。

Disable HTTP path parameters. Path parameters are the part of an URL that comes after a semicolon: https://search.yoursite.com/;chrome.bat. They play a vital role in RFD attacks, as they can fool the browser into downloading a binary file. Reject requests containing a semicolon, by merely returning HTTP status 404.

禁用HTTP路径参数。 路径参数是分号后面的URL的一部分： https://search.yoursite.com/; chrome.bat : https://search.yoursite.com/; chrome.bat https://search.yoursite.com/; chrome.bat 。它们在RFD攻击中起着至关重要的作用，因为它们可以欺骗浏览器以下载二进制文件。仅返回HTTP状态404，以拒绝包含分号的请求。

Additionally, to limit the risk of RFDs, don’t let a browser guess the content type of an HTTP response. Always set the response header X-Content-Type-Options: nosniff.

另外，为了限制RFD的风险， 请不要让浏览器猜测HTTP响应的内容类型 。始终设置响应头X-Content-Type-Options: nosniff 。

认证失败 (Broken Authentication)

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.owasp.org/www-project-top-ten/

通常，对身份验证用户允许执行的操作的限制通常未得到正确执行。攻击者可以利用这些漏洞来访问未经授权的功能和/或数据，例如访问其他用户的帐户，查看敏感文件，修改其他用户的数据，更改访问权限等。owasp.org/www-project-top-ten/

攻击 (Attack)

A Cross-Origin Resource Sharing (CORS) policy defines which web pages are allowed to request resources from a server. Application servers determine allowance by inspecting the HTTP header Origin. This header is set by browsers and contains the current website’s domain.

跨域资源共享(CORS)策略定义了允许哪些网页从服务器请求资源。应用服务器通过检查HTTP标头Origin来确定配额。该标头由浏览器设置，并包含当前网站的域。

This means that a web application [..] can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.developer.mozilla.org/en-US/docs/Web/HTTP/CORS/

这意味着，除非来自其他来源的响应包括正确的CORS标头，否则Web应用程序[..]只能从加载该应用程序的相同来源请求资源。 developer.mozilla.org/zh-CN/docs/Web/HTTP/CORS /

In the image below, we can see multiple webpages sharing the same backend application. With enabled CORS policy, the server can allow requests from signup.mailinglist.com and signup.blogs.com and deny calls from signup.evil.com. These policies can also permit only a subset of HTTP methods for specific origins.

在下图中，我们可以看到多个网页共享同一个后端应用程序。使用启用的CORS策略，服务器可以允许来自signup.mailinglist.com和signup.blogs.com的请求，并拒绝来自signup.evil.com的呼叫。 这些策略也仅允许特定来源的HTTP方法的子集。

Please note: An attacker may simply call an application server directly, therefore bypassing the browser and circumventing CORS policies by not setting the Origin request header. Nevertheless, configured CORS rules prevent the attacker from, i.e., building a website that looks and feels like the target application and uses the same backend.

请注意：攻击者可能只是直接调用应用服务器，因此绕过浏览器并通过不设置Origin请求标头来绕开CORS策略。 但是，配置的CORS规则可以防止攻击者进行攻击，即，建立一个外观和感觉都类似于目标应用程序并使用相同后端的网站。

减轻 (Mitigation)

Configure CORS headers adequately. Even if an application does not share resources with other applications or domains, you should add CORS headers to every HTTP response.

充分配置CORS标头 。即使一个应用程序不与其他应用程序或域共享资源，您也应该在每个HTTP响应中添加CORS标头。

In a CORS configuration, do only grant access to well-known and trusted origins. Custom HTTP headers must be configured explicitly. Additionally, in the CORS context, the value of the Content-Type header is restricted. We can circumvent this by explicitly allowing the Content-Type header.

在CORS配置中，请仅授予对知名和可信来源的访问权限。自定义HTTP标头必须显式配置。此外，在CORS上下文中， Content-Type标头的值是limited 。我们可以通过显式允许Content-Type标头来避免这种情况。

CORS Policies are defined using these HTTP response headers:

使用以下HTTP响应标头定义CORS策略：

Access-Control-Allow-Origin

Access-Control-Allow-Origin
Access-Control-Allow-Methods

Access-Control-Allow-Methods
Access-Control-Allow-Headers: Content-Type

Access-Control-Allow-Headers: Content-Type
Access-Control-Max-Age

Access-Control-Max-Age

Please be careful adding these HTTP headers. Return them only if you trust the origin. I suggest using built-in CORS support of application frameworks instead of building it from the ground up.

请小心添加这些HTTP标头。仅当您信任来源时才退还它们。我建议使用对应用程序框架的内置CORS支持，而不是从头开始构建它。

敏感数据暴露 (Sensitive Data Exposure)

Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. A manual attack is generally required.owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10–2017_A3-Sensitive_Data_Exposure

攻击者不是在直接攻击加密货币，而是在传输过程中或从用户的客户端(例如浏览器)窃取密钥，执行中间人攻击或从服务器窃取明文数据。通常需要手动攻击。 owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10–2017_A3-Sensitive_Data_Exposure

攻击 (Attack)

A classic man-in-the-middle-attack allows an attacker to intercept and manipulate unencrypted HTTP messages. Even easier, if customer data is stored or cached on a shared device, i.e., in a public library, it will be available to everyone having access to this device.

经典的中间人攻击允许攻击者拦截和操纵未加密的HTTP消息。更简单的是，如果客户数据存储或缓存在共享设备上(即公共图书馆中)，则所有访问此设备的人都可以使用。

减轻 (Mitigation)

Use HTTPS everywhere and all the time. Period.

随时随地使用HTTPS 。期。

Disable form autocompletion. On your smartphone, your browser has probably already cached your address. That is convenient because you don’t have to fill in your address all the time. But, if it would be a shared device, the automatic completion would expose your address. We can disable autocomplete by adding the attribute autocomplete=off to HTML forms or input tags.

禁用表单自动完成功能 。在智能手机上，您的浏览器可能已经缓存了您的地址。这很方便，因为您不必一直填写地址。但是，如果它将是共享设备，则自动完成将公开您的地址。我们可以通过添加属性autocomplete=off来禁用autocomplete autocomplete=off HTML表单或输入标签。

Disable resource caching by always setting these three response headers.

通过始终设置这三个响应头来禁用资源缓存 。

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0

Expires: 0
Pragma: no-cache

Pragma: no-cache

Links to other web pages are a security risk and can leak customer data as well. To prevent this attack called Tabnapping, we need to add an attribute to all HTML links that open new tabs:

链接到其他网页存在安全风险，并且也可能泄露客户数据。 为了防止这种称为Tabnapping的攻击，我们需要向所有打开新标签页HTML链接添加一个属性 ：

rel="nofollow noreferrer"

rel="nofollow noreferrer"

使用具有已知漏洞的组件 (Using Components with Known Vulnerabilities)

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.https://owasp.org/www-project-top-ten/

库，框架和其他软件模块等组件以与应用程序相同的特权运行。如果利用了易受攻击的组件，则此类攻击可能会导致严重的数据丢失或服务器接管。使用具有已知漏洞的组件的应用程序和API可能破坏应用程序防御，并造成各种攻击和影响。 https://owasp.org/www-project-top-ten/

Last but not least, using outdated libraries, frameworks, and runtimes with well-known vulnerabilities is risky.

最后但并非最不重要的一点是，使用具有众所周知漏洞的过时库，框架和运行时是有风险的。

缓解措施 (Mitigations)

Keep all parts and dependencies of applications up to date. Package and dependency managers like npm or maven can check and show newer versions of application dependencies.

保持应用程序的所有部分和依赖项为最新 。软件包和依赖项管理器(例如npm或maven)可以检查并显示较新版本的应用程序依赖项。

结论 (Conclusion)

We do not only deliver value for our customers by adding functionality to our apps. We do also provide value by protecting our customer’s data. And although we have just scratched the surface of web application security, we have identified various ways to decrease risks and improve overall security.

我们不仅通过向我们的应用程序添加功能来为客户创造价值。我们也确实通过保护客户的数据来提供价值。而且，尽管我们刚刚触及了Web应用程序安全性的表面，但是我们已经找到了降低风险和提高整体安全性的各种方法。

For further information around web application vulnerabilities and more mitigations, please check out the OWASP Top Ten.

web应用程序安全性测试_立即提高Web应用安全性的6种方法相关推荐

web应用程序并发测试_测试并发应用
web应用程序并发测试本文是我们名为Java Concurrency Essentials的学院课程的一部分. 在本课程中,您将深入探讨并发的魔力. 将向您介绍并发和并发代码的基础知识,并学习诸如原 ...
appscan如何进行web端安全性测试_常用的软件测试工具有哪些？
写在开头:本文推荐的测试工具都是现在市场上比较常用的,并不是所有的软件测试工具都有. 软件测试按照工作岗位可以分为功能测试.性能测试.测试开发,不同的工作岗位会用到不同的软件测试工具: 一. 测试管理 ...
Web应用程序渗透测试你都知道这些吗？如何选择软件检测机构
软件渗透测试软件是Web 应用程序最常用的安全测试技术.Web 应用程序渗透测试是通过在内部或外部模拟未经授权的攻击以访问敏感数据来完成的. 网络渗透有助于最终用户发现黑客从互联网访问数据的可能性,了 ...
服务器应用程序不可用您试图在此 Web 服务器上访问的 Web 应用程序当前不可用。请点击 Web 浏览器中的“刷...
错误提示: 服务器应用程序不可用您试图在此 Web 服务器上访问的 Web 应用程序当前不可用.请点击 Web 浏览器中的"刷新"按钮重试您的请求. 管理员注意事项:详述此特定请求 ...
用php web编程作业,代做CSE2ISD作业、代做Web,php程序作业、代写Java/web编程作业、代写C/C++/Java留学生作业...
代做CSE2ISD作业.代做Web,php程序作业.代写Java/web编程作业.代写C/C++/Java留学生作业日期:2018-10-08 10:00 CSE2ISD – Information ...
mysql安全性_如何提高mysql的安全性
一作为最流行的开源数据库引擎,MySQL本身是非常安全的.即便如此,你仍然需要添加额外的安全层来保护你的MySQL数据库不受攻击,毕竟任何经营网上在线业务的人都不想冒数据库受到损坏的风险.接下来, ...
java 密码加密盐_有效提高java编程安全性的12条黄金法则
安全性是软件开发中最复杂,最广泛和最重要的考量之一.Java是具有许多内置安全性功能的开发平台,java在长期的发展过程中,已经经过了很多高强度的安全测试,并经常更新安全漏洞.并且Java生态系统还包 ...
Web应用程序压力测试
Web 应用程序是决定网站性能的关键,对其进行测试是网站测试的核心. 压力测试的目的是测试系统在各种负荷(由并发用户所产生的综合处理量)下的性能和稳定性. 为了保证Web 应用程序的压力测试能取得理 ...
2019测试指南-web应用程序安全测试（二）地图应用架构
2019独角兽企业重金招聘Python工程师标准>>> 互连和异构Web服务器基础架构的复杂性可包括数百个Web应用程序,并使配置管理和审查成为测试和部署每个应用程序的基本步骤.实际 ...
小程序前端性能测试_如何提高前端应用程序的性能
小程序前端性能测试 If your website takes longer than 3 seconds to load, you could already be losing nearly ha ...

web应用程序安全性测试_立即提高Web应用安全性的6种方法

跨站请求伪造 (Cross-Site-Request-Forgery)

攻击 (Attack)

缓解措施 (Mitigations)

跨站脚本 (Cross-Site Scripting)

攻击 (Attack)

缓解措施 (Mitigations)

安全配置错误 (Security Misconfiguration)

攻击 (Attack)

减轻 (Mitigation)

认证失败 (Broken Authentication)

攻击 (Attack)

减轻 (Mitigation)

敏感数据暴露 (Sensitive Data Exposure)

攻击 (Attack)

减轻 (Mitigation)

使用具有已知漏洞的组件 (Using Components with Known Vulnerabilities)

缓解措施 (Mitigations)

结论 (Conclusion)

web应用程序安全性测试_立即提高Web应用安全性的6种方法相关推荐

最新文章

热门文章