| vulnerable name | note | |
|---|---|---|
| A1-Injection | Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. | |
| A2-Broken Authentication and Session Management | Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. | |
| A3-Cross-Site Scripting (XSS) | XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. | |
| A4-Insecure Direct Object References | A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. | |
| A5-Security Misconfiguration | Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. | |
| A6-Sensitive Data Exposure | Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. | |
| A7-Missing Function Level Access Control | Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. | |
| A8-Cross-Site Request Forgery (CSRF) | A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. | |
| A9-Using Components with Known Vulnerabilities | Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. | |
| A10-Unvalidated Redirects and Forwards | Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. |
A1-注入
A2-跨站腳本(XSS)
A3-錯誤的認證和會話管理
A4-不安全的直接對象引用
A5-僞造跨站請求(CSRF) – Cross-Site Request Forgery
A7-限制遠程訪問失敗
A8-未驗證的重定向和傳遞
A9-不安全的加密存儲
A10-不足的傳輸層保護
CSRF攻擊介紹與實施
二次確認提交
應用程序允許用戶提交不包含任何保密字段的狀態改變請求,如:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
因此,攻擊者構建一個請求,用於將受害用戶賬戶中的現金轉移到自己賬戶。然後攻擊者在其控制的多個網站的圖片請求或iframe中嵌入這種攻擊。
<imgsrc=”http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#“width=”0” height=”0” >
如果受害用戶通過example.com認證後訪問任何一個攻擊者的網站,僞造的請求將自動包含用戶的會話信息,授權執行攻擊者的請求。
要取得這種成功,黑客必須正確地猜測出系統上另外一個文件名,但一個更合理的方法,是尋找系統上其它位置的特定內容,其使用的方法就是目錄遍歷攻擊(目錄遍歷是Http的一個安全漏洞,它使得攻擊者能夠訪問受限制的目錄,並能夠在Web服務器的根目錄以外執行命令。)。從本質上講,這意味着訪問一個完全不同的目錄,或者存在漏洞的應用程序的開發者所構建的任何方面。
安全配置錯誤
案例#1:應用程序服務器管理員控制檯自動安裝後沒有被刪除。而默認帳戶也沒有被改變。攻擊者在你的服務器上發現了標準的管理員頁面,通過默認密碼登錄,從而接管了你的服務器。
案例#2:目錄列表在你的服務器上未被禁用。攻擊者發現只需列出目錄,她就可以找到你服務器上的任意文件。攻擊者找到並下載所有已編譯的Java類,她通過反編譯獲得了所有你的自定義代碼。然後,她在你的應用程序中找到一個訪問控制的嚴重漏洞。
案例#3:應用服務器配置允許堆棧跟蹤返回給用戶,這樣就暴露了潛在的漏洞。攻擊者熱衷於收集錯誤消息裏提供的額外信息。
案例#4:應用服務器自帶的示例應用程序沒有從您的生產服務器中刪除。該示例應用有已知安全漏洞,攻擊者可以利用這些漏洞破壞您的服務器。
這個領域的錯誤頻繁影響那些本應該加密的數據。這些信息通常包括很多敏感數據,比如醫療記錄,認證憑證,個人隱私數據,信用卡信息,等等。
禁止或者限制在錯誤處理中使用詳細信息,不向用戶顯示調試信息。
首先你需要確認的是哪些數據是敏感數據而需要被加密。例如:密碼、信用卡、醫療記錄、個人信息應該被加密。
A6 – 敏感信息泄露
1、個人信息,如姓名,身份證ID,電話號碼,銀行賬戶,駕駛證號碼,社保卡號,護照號碼等都是敏感數據;
2、網站登錄的用戶名、密碼,SSL證書,會話ID,加密使用的密鑰等都屬於敏感信息,這些信息一旦泄露,攻擊者就可以以合法用戶的身份訪問Web系統,隨意進行各種攻擊操作;
3、Web服務器的OS類型,版本信息,Web容器的名稱,版本號,數據庫類型,版本號,應用軟件使用開源軟件信息都屬於敏感信息,因爲攻擊者知道這些軟件信息,就會利用這些軟件存在的公開漏洞進行專門攻擊,提升了系統被攻破的可能性。
功能級訪問控制缺失
這種漏洞允許攻擊者訪問未經授權的功能。管理性的功能是這類攻擊的主要目標。
檢查應用程序是否正確的限制了功能級的訪問的最好方法是驗證每一個應用程序的功能。
1.用戶界面(UI)是否存在到未授權功能的導航?
2.服務器端的身份認證或授權功能是否完善?
3.服務器端的檢查是否僅僅依賴於攻擊者提供的信息?
開啓代理的情況下,先以特權用戶身份瀏覽一遍您的功能,然後以普通用戶身份再次訪問受限頁面。如果服務器的響應很類似,您的應用很可能容易受攻擊。一些測試代理直接支持此種類型的分析。
案例1#:攻擊者僅僅直接瀏覽目標網址。例如下面的兩個網址都需要身份驗證。同時訪問“admin_getappInfo”頁面還需要管理員權限。
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
如果未認證的用戶可以訪問上述任一頁面,這就是漏洞。如果通過驗證的非管理員用戶也能允許訪問“admin_getappInfo”頁面,這同樣是個漏洞。這個漏洞可能會將攻擊者引向更多保護不當的管理頁面。
案例2#:一個頁面提供了“action”參數給某個特定的功能調用,並且不同的操作需要不同的角色。如果沒有進行角色檢查,這也是漏洞。
使用含有已知漏洞的組件
事實上,大多數的應用都存在這些問題。因爲大多數的開發團隊並不會把及時更新組件/庫作爲他們的工作重心。在很多情況下,開發者都不瞭解他們所使用的全部組件,更不用說組件的版本了。組件的依賴性使情況更加糟糕。
判斷您是否易於受到這類攻擊,要求您不但要不停地搜索這些數據庫,還要關注大量的郵件列表和可能包含漏洞發佈的公告信息。如果您使用的組件之一存在漏洞,您應該仔細評估該漏洞是否給您的業務也帶來了缺陷。此評估可以通過檢查您的代碼使用該組件的部分,以及該缺陷可能導致的您關心的結果來完成。
•Apache CXF認證繞過—未能提供身份令牌的情況下,攻擊者可以以最高權限調用任意的web服務。(Apache CXF 是一個服務框架,不要與Apache應用服務器混淆。)
•Spring遠程代碼執行—濫用Spring中語言表達式的實現允許攻擊者執行任意代碼,有效的接管服務器。
A1 – Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
(A1 – 注入,注入缺陷,例如SQL注入、OS命令注入、LDAP注入等,會在攻擊者嚮應用服務端發送以分隔符作爲命令或者查詢的一部分時就會發生。攻擊者的有害數據中分隔符造成的陷阱,會執行攻擊構造的未預知的命令或者訪問未授權數據。)
A2 – Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
(A2 -失效的身份認證和會話管理,與身份認證和會話管理相關的應用功能經常實現的不正確,允許攻擊者可以構造密碼、密鑰、或者會話令牌或者利用實現缺陷,假冒其他用戶的身份。)
A3 – Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
(A3 – XSS,當應用服務接收不被信任的數據,並且將該數據不經過驗證或者字符過濾,就發送給客戶的Web瀏覽器,就會產生XSS攻擊。XSS攻擊允許攻擊者在受害者的瀏覽器中執行腳本,用於劫持受害者用戶的會話信息,傷害特定的網站,或者重定向用戶到惡意站點。)
A4 – Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
(A4 – 不安全的直接對象引用,應用開發者有時候可能會暴露應用內部實現對象的引用,例如文件、目錄、或者數據庫Key等。如果沒有對這些的訪問控制或者其他保護,攻擊者就有可能利用這些暴露的引用訪問未授權的數據。)
A5 – Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
(A5 – 安全配置錯誤,應用、框架、Web服務器、數據庫服務器、各種應用平臺的良好的安全性需要一份定義好的、部署好的安全配置。安全配置必需進行良好的定義、實現、維護,默認配置通常情況下是不安全的,另外,軟件應該及時更新。)
A6 – Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
(A6 – 敏感數據泄露,許多Web應用沒有正確地保護敏感數據,例如信用卡卡號、稅號、身份認證證書等。攻擊者可以通過偷竊、更改這種弱保護的數據,以進行信用卡詐騙、身份竊取、或者其他犯罪。這類敏感數據值得進行額外的保護,例如,加密傳輸、在於客戶端瀏覽器交換數據時進行的特殊保護。)
A7 – Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
(A7 – 功能級訪問控制缺失,大部分Web應用在界面上進行了應用級訪問控制,但是應用服務器端也要進行響應的訪問控制才行。如果請求沒有驗證,攻擊者就能夠構造請求訪問未授權的功能。)
A8 – Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
(A8 – 跨站請求僞造,CSRF攻擊強制一個已經登入的受害者瀏覽器,向帶漏洞的Web應用發送僞造的HTTP請求,但是使用的是受害者正確的會話Cookie,以及其他的認證信息,這樣攻擊者就可以讓Web應用認爲這是受害者自願發送的請求。)
A9 – Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
(A9 –使用已知易受攻擊組件,組件,比如庫、框架、或者其他的軟件模塊,通常運行在最高權限。如果一個有弱點的組件受到了利用,就可能被攻擊者控制服務器或者造成嚴重數據損失。使用已知易受攻擊組件的應用會造成應用整體安全性的降低,並且造成一定範圍的攻擊和影響。)
A10 – Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
(A10 –未驗證的重定向和轉發,Web應用經常會將用戶重定向到其他的頁面或者站點,並且使用使用不可信的數據來確定目標頁面,如果不進行正確的驗證,攻擊可以讓受害者重定向到釣魚或者掛馬的網站,或者利用重定向訪問未授權頁面。)
REFERENCE