top-web-vulnerabilities

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Top 100 Web Vulnerabilities Reference

100大Web漏洞参考手册

Purpose

目的

Provide a comprehensive, structured reference for the 100 most critical web application vulnerabilities organized by category. This skill enables systematic vulnerability identification, impact assessment, and remediation guidance across the full spectrum of web security threats. Content organized into 15 major vulnerability categories aligned with industry standards and real-world attack patterns.

提供一份全面、结构化的参考手册，按类别整理了100个最关键的Web应用程序漏洞。此技能支持对全范围Web安全威胁进行系统化的漏洞识别、影响评估和修复指导。内容分为15个主要漏洞类别，与行业标准和真实攻击模式保持一致。

Prerequisites

前置要求

Basic understanding of web application architecture (client-server model, HTTP protocol)
Familiarity with common web technologies (HTML, JavaScript, SQL, XML, APIs)
Understanding of authentication and authorization concepts
Access to web application security testing tools (Burp Suite, OWASP ZAP)
Knowledge of secure coding principles recommended

基本了解Web应用程序架构（客户端-服务器模型、HTTP协议）
熟悉常见Web技术（HTML、JavaScript、SQL、XML、API）
理解身份验证与授权概念
可访问Web应用安全测试工具（Burp Suite、OWASP ZAP）
建议掌握安全编码原则

Outputs and Deliverables

输出与交付物

Complete vulnerability catalog with definitions, root causes, impacts, and mitigations
Category-based vulnerability groupings for systematic assessment
Quick reference for security testing and remediation
Foundation for vulnerability assessment checklists and security policies

完整的漏洞目录，包含定义、根本原因、影响及修复方案
按类别分组的漏洞集合，用于系统化评估
安全测试与修复快速参考手册
漏洞评估清单与安全策略的基础框架

Core Workflow

核心工作流程

Phase 1: Injection Vulnerabilities Assessment

阶段1：注入类漏洞评估

Evaluate injection attack vectors targeting data processing components:

SQL Injection (1)

Definition: Malicious SQL code inserted into input fields to manipulate database queries
Root Cause: Lack of input validation, improper use of parameterized queries
Impact: Unauthorized data access, data manipulation, database compromise
Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts

Cross-Site Scripting - XSS (2)

Definition: Injection of malicious scripts into web pages viewed by other users
Root Cause: Insufficient output encoding, lack of input sanitization
Impact: Session hijacking, credential theft, website defacement
Mitigation: Output encoding, Content Security Policy (CSP), input sanitization

Command Injection (5, 11)

Definition: Execution of arbitrary system commands through vulnerable applications
Root Cause: Unsanitized user input passed to system shells
Impact: Full system compromise, data exfiltration, lateral movement
Mitigation: Avoid shell execution, whitelist valid commands, strict input validation

XML Injection (6), LDAP Injection (7), XPath Injection (8)

Definition: Manipulation of XML/LDAP/XPath queries through malicious input
Root Cause: Improper input handling in query construction
Impact: Data exposure, authentication bypass, information disclosure
Mitigation: Input validation, parameterized queries, escape special characters

Server-Side Template Injection - SSTI (13)

Definition: Injection of malicious code into template engines
Root Cause: User input embedded directly in template expressions
Impact: Remote code execution, server compromise
Mitigation: Sandbox template engines, avoid user input in templates, strict input validation

评估针对数据处理组件的注入攻击向量：

SQL Injection (1)

定义：将恶意SQL代码插入输入字段以操纵数据库查询
根本原因：缺乏输入验证、未正确使用参数化查询
影响：未授权数据访问、数据篡改、数据库被攻陷
修复方案：使用参数化查询/预编译语句、输入验证、采用最小权限数据库账户

Cross-Site Scripting - XSS (2)

定义：将恶意脚本注入到其他用户查看的网页中
根本原因：输出编码不足、缺乏输入清理
影响：会话劫持、凭证窃取、网站篡改
修复方案：输出编码、配置Content Security Policy (CSP)、输入清理

Command Injection (5, 11)

定义：通过易受攻击的应用程序执行任意系统命令
根本原因：未清理的用户输入被传递给系统Shell
影响：系统完全被攻陷、数据泄露、横向移动
修复方案：避免执行Shell命令、白名单合法命令、严格输入验证

XML Injection (6), LDAP Injection (7), XPath Injection (8)

定义：通过恶意输入操纵XML/LDAP/XPath查询
根本原因：查询构造时未正确处理输入
影响：数据暴露、身份验证绕过、信息泄露
修复方案：输入验证、参数化查询、转义特殊字符

Server-Side Template Injection - SSTI (13)

定义：将恶意代码注入模板引擎
根本原因：用户输入直接嵌入模板表达式
影响：远程代码执行、服务器被攻陷
修复方案：沙箱化模板引擎、避免在模板中使用用户输入、严格输入验证

Phase 2: Authentication and Session Security

阶段2：身份验证与会话安全

Assess authentication mechanism weaknesses:

Session Fixation (14)

Definition: Attacker sets victim's session ID before authentication
Root Cause: Session ID not regenerated after login
Impact: Session hijacking, unauthorized account access
Mitigation: Regenerate session ID on authentication, use secure session management

Brute Force Attack (15)

Definition: Systematic password guessing using automated tools
Root Cause: Lack of account lockout, rate limiting, or CAPTCHA
Impact: Unauthorized access, credential compromise
Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA

Session Hijacking (16)

Definition: Attacker steals or predicts valid session tokens
Root Cause: Weak session token generation, insecure transmission
Impact: Account takeover, unauthorized access
Mitigation: Secure random token generation, HTTPS, HttpOnly/Secure cookie flags

Credential Stuffing and Reuse (22)

Definition: Using leaked credentials to access accounts across services
Root Cause: Users reusing passwords, no breach detection
Impact: Mass account compromise, data breaches
Mitigation: MFA, breach password checks, unique credential requirements

Insecure "Remember Me" Functionality (85)

Definition: Weak persistent authentication token implementation
Root Cause: Predictable tokens, inadequate expiration controls
Impact: Unauthorized persistent access, session compromise
Mitigation: Strong token generation, proper expiration, secure storage

CAPTCHA Bypass (86)

Definition: Circumventing bot detection mechanisms
Root Cause: Weak CAPTCHA algorithms, improper validation
Impact: Automated attacks, credential stuffing, spam
Mitigation: reCAPTCHA v3, layered bot detection, rate limiting

评估身份验证机制的弱点：

Session Fixation (14)

定义：攻击者在用户身份验证前设置其会话ID
根本原因：登录后未重新生成会话ID
影响：会话劫持、未授权账户访问
修复方案：身份验证时重新生成会话ID、使用安全会话管理

Brute Force Attack (15)

定义：使用自动化工具系统性猜测密码
根本原因：缺少账户锁定、速率限制或CAPTCHA机制
影响：未授权访问、凭证泄露
修复方案：账户锁定策略、速率限制、多因素认证（MFA）、CAPTCHA

Session Hijacking (16)

定义：攻击者窃取或预测有效的会话令牌
根本原因：会话令牌生成机制薄弱、传输不安全
影响：账户接管、未授权访问
修复方案：安全随机令牌生成、HTTPS、HttpOnly/Secure Cookie标记

Credential Stuffing and Reuse (22)

定义：使用泄露的凭证跨服务访问账户
根本原因：用户重复使用密码、无泄露检测机制
影响：大规模账户被攻陷、数据泄露
修复方案：MFA、泄露密码检查、强制使用唯一凭证

Insecure "Remember Me" Functionality (85)

定义：持久化身份验证令牌实现存在弱点
根本原因：令牌可预测、过期控制不足
影响：未授权持久化访问、会话被攻陷
修复方案：强令牌生成、合理过期策略、安全存储

CAPTCHA Bypass (86)

定义：绕过机器人检测机制
根本原因：CAPTCHA算法薄弱、验证不当
影响：自动化攻击、凭证填充、垃圾信息
修复方案：使用reCAPTCHA v3、分层机器人检测、速率限制

Phase 3: Sensitive Data Exposure

阶段3：敏感数据暴露

Identify data protection failures:

IDOR - Insecure Direct Object References (23, 42)

Definition: Direct access to internal objects via user-supplied references
Root Cause: Missing authorization checks on object access
Impact: Unauthorized data access, privacy breaches
Mitigation: Access control validation, indirect reference maps, authorization checks

Data Leakage (24)

Definition: Inadvertent disclosure of sensitive information
Root Cause: Inadequate data protection, weak access controls
Impact: Privacy breaches, regulatory penalties, reputation damage
Mitigation: DLP solutions, encryption, access controls, security training

Unencrypted Data Storage (25)

Definition: Storing sensitive data without encryption
Root Cause: Failure to implement encryption at rest
Impact: Data breaches if storage compromised
Mitigation: Full-disk encryption, database encryption, secure key management

Information Disclosure (33)

Definition: Exposure of system details through error messages or responses
Root Cause: Verbose error handling, debug information in production
Impact: Reconnaissance for further attacks, credential exposure
Mitigation: Generic error messages, disable debug mode, secure logging

识别数据保护失效问题：

IDOR - Insecure Direct Object References (23, 42)

定义：通过用户提供的引用直接访问内部对象
根本原因：对象访问时缺少授权检查
影响：未授权数据访问、隐私泄露
修复方案：访问控制验证、间接引用映射、授权检查

Data Leakage (24)

定义：敏感信息意外泄露
根本原因：数据保护不足、访问控制薄弱
影响：隐私泄露、合规处罚、声誉受损
修复方案：数据丢失防护（DLP）解决方案、加密、访问控制、安全培训

Unencrypted Data Storage (25)

定义：存储敏感数据时未加密
根本原因：未实现静态数据加密
影响：存储被攻陷时数据泄露
修复方案：全磁盘加密、数据库加密、安全密钥管理

Information Disclosure (33)

定义：通过错误消息或响应暴露系统细节
根本原因：详细错误处理、生产环境中保留调试信息
影响：为后续攻击提供侦察信息、凭证暴露
修复方案：通用错误消息、禁用调试模式、安全日志

Phase 4: Security Misconfiguration

阶段4：安全配置错误

Assess configuration weaknesses:

Missing Security Headers (26)

Definition: Absence of protective HTTP headers (CSP, X-Frame-Options, HSTS)
Root Cause: Inadequate server configuration
Impact: XSS attacks, clickjacking, protocol downgrade
Mitigation: Implement CSP, X-Content-Type-Options, X-Frame-Options, HSTS

Default Passwords (28)

Definition: Unchanged default credentials on systems/applications
Root Cause: Failure to change vendor defaults
Impact: Unauthorized access, system compromise
Mitigation: Mandatory password changes, strong password policies

Directory Listing (29)

Definition: Web server exposes directory contents
Root Cause: Improper server configuration
Impact: Information disclosure, sensitive file exposure
Mitigation: Disable directory indexing, use default index files

Unprotected API Endpoints (30)

Definition: APIs lacking authentication or authorization
Root Cause: Missing security controls on API routes
Impact: Unauthorized data access, API abuse
Mitigation: OAuth/API keys, access controls, rate limiting

Open Ports and Services (31)

Definition: Unnecessary network services exposed
Root Cause: Failure to minimize attack surface
Impact: Exploitation of vulnerable services
Mitigation: Port scanning audits, firewall rules, service minimization

Misconfigured CORS (35)

Definition: Overly permissive Cross-Origin Resource Sharing policies
Root Cause: Wildcard origins, improper CORS configuration
Impact: Cross-site request attacks, data theft
Mitigation: Whitelist trusted origins, validate CORS headers

Unpatched Software (34)

Definition: Systems running outdated vulnerable software
Root Cause: Neglected patch management
Impact: Exploitation of known vulnerabilities
Mitigation: Patch management program, vulnerability scanning, automated updates

评估配置弱点：

Missing Security Headers (26)

定义：缺少保护性HTTP头（CSP、X-Frame-Options、HSTS）
根本原因：服务器配置不足
影响：XSS攻击、点击劫持、协议降级
修复方案：部署CSP、X-Content-Type-Options、X-Frame-Options、HSTS

Default Passwords (28)

定义：系统/应用程序保留未修改的默认凭证
根本原因：未修改厂商默认设置
影响：未授权访问、系统被攻陷
修复方案：强制修改密码、强密码策略

Directory Listing (29)

定义：Web服务器暴露目录内容
根本原因：服务器配置不当
影响：信息泄露、敏感文件暴露
修复方案：禁用目录索引、使用默认索引文件

Unprotected API Endpoints (30)

定义：API缺少身份验证或授权机制
根本原因：API路由上缺少安全控制
影响：未授权数据访问、API滥用
修复方案：OAuth/API密钥、访问控制、速率限制

Open Ports and Services (31)

定义：暴露不必要的网络服务
根本原因：未最小化攻击面
影响：易受攻击的服务被利用
修复方案：端口扫描审计、防火墙规则、服务最小化

Misconfigured CORS (35)

定义：跨源资源共享（CORS）策略过于宽松
根本原因：通配符源、CORS配置不当
影响：跨站请求攻击、数据窃取
修复方案：白名单可信源、验证CORS头

Unpatched Software (34)

定义：系统运行过时的易受攻击软件
根本原因：补丁管理被忽视
影响：已知漏洞被利用
修复方案：补丁管理程序、漏洞扫描、自动更新

Phase 5: XML-Related Vulnerabilities

阶段5：XML相关漏洞

Evaluate XML processing security:

XXE - XML External Entity Injection (37)

Definition: Exploitation of XML parsers to access files or internal systems
Root Cause: External entity processing enabled
Impact: File disclosure, SSRF, denial of service
Mitigation: Disable external entities, use safe XML parsers

XEE - XML Entity Expansion (38)

Definition: Excessive entity expansion causing resource exhaustion
Root Cause: Unlimited entity expansion allowed
Impact: Denial of service, parser crashes
Mitigation: Limit entity expansion, configure parser restrictions

XML Bomb (Billion Laughs) (39)

Definition: Crafted XML with nested entities consuming resources
Root Cause: Recursive entity definitions
Impact: Memory exhaustion, denial of service
Mitigation: Entity expansion limits, input size restrictions

XML Denial of Service (65)

Definition: Specially crafted XML causing excessive processing
Root Cause: Complex document structures without limits
Impact: CPU/memory exhaustion, service unavailability
Mitigation: Schema validation, size limits, processing timeouts

评估XML处理安全：

XXE - XML External Entity Injection (37)

定义：利用XML解析器访问文件或内部系统
根本原因：启用了外部实体处理
影响：文件泄露、服务器端请求伪造（SSRF）、拒绝服务
修复方案：禁用外部实体、使用安全XML解析器

XEE - XML Entity Expansion (38)

定义：过度实体扩展导致资源耗尽
根本原因：允许无限制的实体扩展
影响：拒绝服务、解析器崩溃
修复方案：限制实体扩展、配置解析器限制

XML Bomb (Billion Laughs) (39)

定义：构造包含嵌套实体的XML以消耗资源
根本原因：递归实体定义
影响：内存耗尽、拒绝服务
修复方案：实体扩展限制、输入大小限制

XML Denial of Service (65)

定义：特殊构造的XML导致过度处理
根本原因：复杂文档结构无限制
影响：CPU/内存耗尽、服务不可用
修复方案：Schema验证、大小限制、处理超时

Phase 6: Broken Access Control

阶段6：访问控制失效

Assess authorization enforcement:

Inadequate Authorization (40)

Definition: Failure to properly enforce access controls
Root Cause: Weak authorization policies, missing checks
Impact: Unauthorized access to sensitive resources
Mitigation: RBAC, centralized IAM, regular access reviews

Privilege Escalation (41)

Definition: Gaining elevated access beyond intended permissions
Root Cause: Misconfigured permissions, system vulnerabilities
Impact: Full system compromise, data manipulation
Mitigation: Least privilege, regular patching, privilege monitoring

Forceful Browsing (43)

Definition: Direct URL manipulation to access restricted resources
Root Cause: Weak access controls, predictable URLs
Impact: Unauthorized file/directory access
Mitigation: Server-side access controls, unpredictable resource paths

Missing Function-Level Access Control (44)

Definition: Unprotected administrative or privileged functions
Root Cause: Authorization only at UI level
Impact: Unauthorized function execution
Mitigation: Server-side authorization for all functions, RBAC

评估授权执行情况：

Inadequate Authorization (40)

定义：未正确执行访问控制
根本原因：授权策略薄弱、缺少检查
影响：未授权访问敏感资源
修复方案：基于角色的访问控制（RBAC）、集中式身份与访问管理（IAM）、定期访问审查

Privilege Escalation (41)

定义：获得超出预期权限的提升访问权
根本原因：权限配置错误、系统漏洞
影响：系统完全被攻陷、数据篡改
修复方案：最小权限原则、定期补丁、权限监控

Forceful Browsing (43)

定义：通过直接操纵URL访问受限资源
根本原因：访问控制薄弱、URL可预测
影响：未授权文件/目录访问
修复方案：服务器端访问控制、不可预测的资源路径

Missing Function-Level Access Control (44)

定义：管理或特权功能未受保护
根本原因：仅在UI层面进行授权
影响：未授权功能执行
修复方案：所有功能的服务器端授权、RBAC

Phase 7: Insecure Deserialization

阶段7：不安全的反序列化

Evaluate object serialization security:

Remote Code Execution via Deserialization (45)

Definition: Arbitrary code execution through malicious serialized objects
Root Cause: Untrusted data deserialized without validation
Impact: Complete system compromise, code execution
Mitigation: Avoid deserializing untrusted data, integrity checks, type validation

Data Tampering (46)

Definition: Unauthorized modification of serialized data
Root Cause: Missing integrity verification
Impact: Data corruption, privilege manipulation
Mitigation: Digital signatures, HMAC validation, encryption

Object Injection (47)

Definition: Malicious object instantiation during deserialization
Root Cause: Unsafe deserialization practices
Impact: Code execution, unauthorized access
Mitigation: Type restrictions, class whitelisting, secure libraries

评估对象序列化安全：

Remote Code Execution via Deserialization (45)

定义：通过恶意序列化对象执行任意代码
根本原因：未验证的不可信数据被反序列化
影响：系统完全被攻陷、代码执行
修复方案：避免反序列化不可信数据、完整性检查、类型验证

Data Tampering (46)

定义：未授权修改序列化数据
根本原因：缺少完整性验证
影响：数据损坏、权限操纵
修复方案：数字签名、HMAC验证、加密

Object Injection (47)

定义：反序列化期间实例化恶意对象
根本原因：不安全的反序列化实践
影响：代码执行、未授权访问
修复方案：类型限制、类白名单、安全库

Phase 8: API Security Assessment

阶段8：API安全评估

Evaluate API-specific vulnerabilities:

Insecure API Endpoints (48)

Definition: APIs without proper security controls
Root Cause: Poor API design, missing authentication
Impact: Data breaches, unauthorized access
Mitigation: OAuth/JWT, HTTPS, input validation, rate limiting

API Key Exposure (49)

Definition: Leaked or exposed API credentials
Root Cause: Hardcoded keys, insecure storage
Impact: Unauthorized API access, abuse
Mitigation: Secure key storage, rotation, environment variables

Lack of Rate Limiting (50)

Definition: No controls on API request frequency
Root Cause: Missing throttling mechanisms
Impact: DoS, API abuse, resource exhaustion
Mitigation: Rate limits per user/IP, throttling, DDoS protection

Inadequate Input Validation (51)

Definition: APIs accepting unvalidated user input
Root Cause: Missing server-side validation
Impact: Injection attacks, data corruption
Mitigation: Strict validation, parameterized queries, WAF

API Abuse (75)

Definition: Exploiting API functionality for malicious purposes
Root Cause: Excessive trust in client input
Impact: Data theft, account takeover, service abuse
Mitigation: Strong authentication, behavior analysis, anomaly detection

评估特定于API的漏洞：

Insecure API Endpoints (48)

定义：API缺少适当的安全控制
根本原因：API设计不佳、缺少身份验证
影响：数据泄露、未授权访问
修复方案：OAuth/JWT、HTTPS、输入验证、速率限制

API Key Exposure (49)

定义：API凭证泄露或暴露
根本原因：硬编码密钥、存储不安全
影响：未授权API访问、滥用
修复方案：安全密钥存储、密钥轮换、环境变量

Lack of Rate Limiting (50)

定义：对API请求频率无控制
根本原因：缺少限流机制
影响：拒绝服务、API滥用、资源耗尽
修复方案：按用户/IP设置速率限制、限流、DDoS防护

Inadequate Input Validation (51)

定义：API接受未验证的用户输入
根本原因：缺少服务器端验证
影响：注入攻击、数据损坏
修复方案：严格验证、参数化查询、Web应用防火墙（WAF）

API Abuse (75)

定义：利用API功能进行恶意活动
根本原因：过度信任客户端输入
影响：数据窃取、账户接管、服务滥用
修复方案：强身份验证、行为分析、异常检测

Phase 9: Communication Security

阶段9：通信安全

Assess transport layer protections:

Man-in-the-Middle Attack (52)

Definition: Interception of communication between parties
Root Cause: Unencrypted channels, compromised networks
Impact: Data theft, session hijacking, impersonation
Mitigation: TLS/SSL, certificate pinning, mutual authentication

Insufficient Transport Layer Security (53)

Definition: Weak or outdated encryption for data in transit
Root Cause: Outdated protocols (SSLv2/3), weak ciphers
Impact: Traffic interception, credential theft
Mitigation: TLS 1.2+, strong cipher suites, HSTS

Insecure SSL/TLS Configuration (54)

Definition: Improperly configured encryption settings
Root Cause: Weak ciphers, missing forward secrecy
Impact: Traffic decryption, MITM attacks
Mitigation: Modern cipher suites, PFS, certificate validation

Insecure Communication Protocols (55)

Definition: Use of unencrypted protocols (HTTP, Telnet, FTP)
Root Cause: Legacy systems, security unawareness
Impact: Traffic sniffing, credential exposure
Mitigation: HTTPS, SSH, SFTP, VPN tunnels

评估传输层保护：

Man-in-the-Middle Attack (52)

定义：拦截双方之间的通信
根本原因：未加密通道、网络被攻陷
影响：数据窃取、会话劫持、冒充
修复方案：TLS/SSL、证书绑定、双向身份验证

Insufficient Transport Layer Security (53)

定义：数据传输时使用薄弱或过时的加密
根本原因：过时协议（SSLv2/3）、弱密码套件
影响：流量拦截、凭证窃取
修复方案：使用TLS 1.2+、强密码套件、HSTS

Insecure SSL/TLS Configuration (54)

定义：加密配置不当
根本原因：弱密码套件、缺少前向保密
影响：流量解密、中间人攻击
修复方案：现代密码套件、前向保密（PFS）、证书验证

Insecure Communication Protocols (55)

定义：使用未加密协议（HTTP、Telnet、FTP）
根本原因：遗留系统、安全意识不足
影响：流量嗅探、凭证暴露
修复方案：HTTPS、SSH、SFTP、VPN隧道

Phase 10: Client-Side Vulnerabilities

阶段10：客户端漏洞

Evaluate browser-side security:

DOM-based XSS (56)

Definition: XSS through client-side JavaScript manipulation
Root Cause: Unsafe DOM manipulation with user input
Impact: Session theft, credential harvesting
Mitigation: Safe DOM APIs, CSP, input sanitization

Insecure Cross-Origin Communication (57)

Definition: Improper handling of cross-origin requests
Root Cause: Relaxed CORS/SOP policies
Impact: Data leakage, CSRF attacks
Mitigation: Strict CORS, CSRF tokens, origin validation

Browser Cache Poisoning (58)

Definition: Manipulation of cached content
Root Cause: Weak cache validation
Impact: Malicious content delivery
Mitigation: Cache-Control headers, HTTPS, integrity checks

Clickjacking (59, 71)

Definition: UI redress attack tricking users into clicking hidden elements
Root Cause: Missing frame protection
Impact: Unintended actions, credential theft
Mitigation: X-Frame-Options, CSP frame-ancestors, frame-busting

HTML5 Security Issues (60)

Definition: Vulnerabilities in HTML5 APIs (WebSockets, Storage, Geolocation)
Root Cause: Improper API usage, insufficient validation
Impact: Data leakage, XSS, privacy violations
Mitigation: Secure API usage, input validation, sandboxing

评估浏览器端安全：

DOM-based XSS (56)

定义：通过客户端JavaScript操纵实现的XSS
根本原因：使用用户输入进行不安全的DOM操纵
影响：会话窃取、凭证收集
修复方案：安全DOM API、CSP、输入清理

Insecure Cross-Origin Communication (57)

定义：跨源请求处理不当
根本原因：CORS/SOP策略宽松
影响：数据泄露、CSRF攻击
修复方案：严格CORS、CSRF令牌、源验证

Browser Cache Poisoning (58)

定义：操纵缓存内容
根本原因：缓存验证薄弱
影响：恶意内容分发
修复方案：Cache-Control头、HTTPS、完整性检查

Clickjacking (59, 71)

定义：UI重定向攻击，诱使用户点击隐藏元素
根本原因：缺少框架保护
影响：意外操作、凭证窃取
修复方案：X-Frame-Options、CSP frame-ancestors、框架破坏脚本

HTML5 Security Issues (60)

定义：HTML5 API中的漏洞（WebSockets、Storage、Geolocation）
根本原因：API使用不当、验证不足
影响：数据泄露、XSS、隐私侵犯
修复方案：安全API使用、输入验证、沙箱化

Phase 11: Denial of Service Assessment

阶段11：拒绝服务评估

Evaluate availability threats:

DDoS - Distributed Denial of Service (61)

Definition: Overwhelming systems with traffic from multiple sources
Root Cause: Botnets, amplification attacks
Impact: Service unavailability, revenue loss
Mitigation: DDoS protection services, rate limiting, CDN

Application Layer DoS (62)

Definition: Targeting application logic to exhaust resources
Root Cause: Inefficient code, resource-intensive operations
Impact: Application unavailability, degraded performance
Mitigation: Rate limiting, caching, WAF, code optimization

Resource Exhaustion (63)

Definition: Depleting CPU, memory, disk, or network resources
Root Cause: Inefficient resource management
Impact: System crashes, service degradation
Mitigation: Resource quotas, monitoring, load balancing

Slowloris Attack (64)

Definition: Keeping connections open with partial HTTP requests
Root Cause: No connection timeouts
Impact: Web server resource exhaustion
Mitigation: Connection timeouts, request limits, reverse proxy

评估可用性威胁：

DDoS - Distributed Denial of Service (61)

定义：通过多来源流量 overwhelm 系统
根本原因：僵尸网络、放大攻击
影响：服务不可用、收入损失
修复方案：DDoS防护服务、速率限制、内容分发网络（CDN）

Application Layer DoS (62)

定义：针对应用逻辑以耗尽资源
根本原因：代码低效、资源密集型操作
影响：应用不可用、性能下降
修复方案：速率限制、缓存、WAF、代码优化

Resource Exhaustion (63)

定义：耗尽CPU、内存、磁盘或网络资源
根本原因：资源管理低效
影响：系统崩溃、服务降级
修复方案：资源配额、监控、负载均衡

Slowloris Attack (64)

定义：通过部分HTTP请求保持连接打开
根本原因：无连接超时
影响：Web服务器资源耗尽
修复方案：连接超时、请求限制、反向代理

Phase 12: Server-Side Request Forgery

阶段12：服务器端请求伪造

Assess SSRF vulnerabilities:

SSRF - Server-Side Request Forgery (66)

Definition: Manipulating server to make requests to internal resources
Root Cause: Unvalidated user-controlled URLs
Impact: Internal network access, data theft, cloud metadata access
Mitigation: URL whitelisting, network segmentation, egress filtering

Blind SSRF (87)

Definition: SSRF without direct response visibility
Root Cause: Similar to SSRF, harder to detect
Impact: Data exfiltration, internal reconnaissance
Mitigation: Allowlists, WAF, network restrictions

Time-Based Blind SSRF (88)

Definition: Inferring SSRF success through response timing
Root Cause: Processing delays indicating request outcomes
Impact: Prolonged exploitation, detection evasion
Mitigation: Request timeouts, anomaly detection, timing monitoring

评估SSRF漏洞：

SSRF - Server-Side Request Forgery (66)

定义：操纵服务器向内部资源发起请求
根本原因：未验证用户控制的URL
影响：内部网络访问、数据窃取、云元数据访问
修复方案：URL白名单、网络分段、出口过滤

Blind SSRF (87)

定义：无直接响应可见性的SSRF
根本原因：与SSRF类似，更难检测
影响：数据泄露、内部侦察
修复方案：允许列表、WAF、网络限制

Time-Based Blind SSRF (88)

定义：通过响应时间推断SSRF是否成功
根本原因：处理延迟指示请求结果
影响：长期利用、规避检测
修复方案：请求超时、异常检测、时间监控

Phase 13: Additional Web Vulnerabilities

阶段13：其他Web漏洞

#	Vulnerability	Root Cause	Impact	Mitigation
67	HTTP Parameter Pollution	Inconsistent parsing	Injection, ACL bypass	Strict parsing, validation
68	Insecure Redirects	Unvalidated targets	Phishing, malware	Whitelist destinations
69	File Inclusion (LFI/RFI)	Unvalidated paths	Code exec, disclosure	Whitelist files, disable RFI
70	Security Header Bypass	Misconfigured headers	XSS, clickjacking	Proper headers, audits
72	Inadequate Session Timeout	Excessive timeouts	Session hijacking	Idle termination, timeouts
73	Insufficient Logging	Missing infrastructure	Detection gaps	SIEM, alerting
74	Business Logic Flaws	Insecure design	Fraud, unauthorized ops	Threat modeling, testing

编号	漏洞	根本原因	影响	修复方案
67	HTTP参数污染	解析不一致	注入、访问控制列表绕过	严格解析、验证
68	不安全重定向	目标未验证	钓鱼、恶意软件	白名单目标地址
69	文件包含（LFI/RFI）	路径未验证	代码执行、信息泄露	文件白名单、禁用RFI
70	安全头绕过	头配置错误	XSS、点击劫持	正确配置头、审计
72	会话超时不足	超时时间过长	会话劫持	空闲终止、合理超时
73	日志记录不足	基础设施缺失	检测缺口	SIEM、告警
74	业务逻辑缺陷	设计不安全	欺诈、未授权操作	威胁建模、测试

Phase 14: Mobile and IoT Security

阶段14：移动与IoT安全

#	Vulnerability	Root Cause	Impact	Mitigation
76	Insecure Mobile Storage	Plain text, weak crypto	Data theft	Keychain/Keystore, encrypt
77	Insecure Mobile Transmission	HTTP, cert failures	Traffic interception	TLS, cert pinning
78	Insecure Mobile APIs	Missing auth/validation	Data exposure	OAuth/JWT, validation
79	App Reverse Engineering	Hardcoded creds	Credential theft	Obfuscation, RASP
80	IoT Management Issues	Weak auth, no TLS	Device takeover	Strong auth, TLS
81	Weak IoT Authentication	Default passwords	Unauthorized access	Unique creds, MFA
82	IoT Vulnerabilities	Design flaws, old firmware	Botnet recruitment	Updates, segmentation
83	Smart Home Access	Insecure defaults	Privacy invasion	MFA, segmentation
84	IoT Privacy Issues	Excessive collection	Surveillance	Data minimization

编号	漏洞	根本原因	影响	修复方案
76	不安全的移动存储	明文存储、弱加密	数据窃取	Keychain/Keystore、加密
77	不安全的移动传输	HTTP、证书失效	流量拦截	TLS、证书绑定
78	不安全的移动API	缺少身份验证/验证	数据暴露	OAuth/JWT、验证
79	应用逆向工程	硬编码凭证	凭证窃取	混淆、运行时应用自我保护（RASP）
80	IoT管理问题	弱身份验证、无TLS	设备接管	强身份验证、TLS
81	弱IoT身份验证	默认密码	未授权访问	唯一凭证、MFA
82	IoT漏洞	设计缺陷、旧固件	僵尸网络招募	更新、分段
83	智能家居访问	不安全默认设置	隐私侵犯	MFA、分段
84	IoT隐私问题	过度收集	监控	数据最小化

Phase 15: Advanced and Zero-Day Threats

阶段15：高级与零日威胁

#	Vulnerability	Root Cause	Impact	Mitigation
89	MIME Sniffing	Missing headers	XSS, spoofing	X-Content-Type-Options
91	CSP Bypass	Weak config	XSS despite CSP	Strict CSP, nonces
92	Inconsistent Validation	Decentralized logic	Control bypass	Centralized validation
93	Race Conditions	Missing sync	Privilege escalation	Proper locking
94-95	Business Logic Flaws	Missing validation	Financial fraud	Server-side validation
96	Account Enumeration	Different responses	Targeted attacks	Uniform responses
98-99	Unpatched Vulnerabilities	Patch delays	Zero-day exploitation	Patch management
100	Zero-Day Exploits	Unknown vulns	Unmitigated attacks	Defense in depth

编号	漏洞	根本原因	影响	修复方案
89	MIME嗅探	缺少头	XSS、欺骗	X-Content-Type-Options
91	CSP绕过	配置薄弱	虽有CSP仍发生XSS	严格CSP、随机数（nonces）
92	验证不一致	分散逻辑	控制绕过	集中式验证
93	竞争条件	缺少同步	权限提升	正确锁定
94-95	业务逻辑缺陷	缺少验证	财务欺诈	服务器端验证
96	账户枚举	响应不同	定向攻击	统一响应
98-99	未补丁漏洞	补丁延迟	零日利用	补丁管理
100	零日漏洞利用	未知漏洞	无缓解攻击	纵深防御

Quick Reference

快速参考

Vulnerability Categories Summary

漏洞类别汇总

Category	Vulnerability Numbers	Key Controls
Injection	1-13	Parameterized queries, input validation, output encoding
Authentication	14-23, 85-86	MFA, session management, account lockout
Data Exposure	24-27	Encryption at rest/transit, access controls, DLP
Misconfiguration	28-36	Secure defaults, hardening, patching
XML	37-39, 65	Disable external entities, limit expansion
Access Control	40-44	RBAC, least privilege, authorization checks
Deserialization	45-47	Avoid untrusted data, integrity validation
API Security	48-51, 75	OAuth, rate limiting, input validation
Communication	52-55	TLS 1.2+, certificate validation, HTTPS
Client-Side	56-60	CSP, X-Frame-Options, safe DOM
DoS	61-65	Rate limiting, DDoS protection, resource limits
SSRF	66, 87-88	URL whitelisting, egress filtering
Mobile/IoT	76-84	Encryption, authentication, secure storage
Business Logic	74, 92-97	Threat modeling, logic testing
Zero-Day	98-100	Defense in depth, threat intelligence

类别	漏洞编号	关键控制措施
注入类	1-13	参数化查询、输入验证、输出编码
身份验证	14-23, 85-86	MFA、会话管理、账户锁定
数据暴露	24-27	静态/传输数据加密、访问控制、DLP
配置错误	28-36	安全默认设置、系统加固、补丁
XML类	37-39, 65	禁用外部实体、限制扩展
访问控制	40-44	RBAC、最小权限、授权检查
反序列化	45-47	避免不可信数据、完整性验证
API安全	48-51, 75	OAuth、速率限制、输入验证
通信安全	52-55	TLS 1.2+、证书验证、HTTPS
客户端	56-60	CSP、X-Frame-Options、安全DOM
拒绝服务	61-65	速率限制、DDoS防护、资源限制
SSRF	66, 87-88	URL白名单、出口过滤
移动/IoT	76-84	加密、身份验证、安全存储
业务逻辑	74, 92-97	威胁建模、逻辑测试
零日威胁	98-100	纵深防御、威胁情报

Critical Security Headers

关键安全头

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=()

OWASP Top 10 Mapping

OWASP Top 10映射

OWASP 2021	Related Vulnerabilities
A01: Broken Access Control	40-44, 23, 74
A02: Cryptographic Failures	24-25, 53-55
A03: Injection	1-13, 37-39
A04: Insecure Design	74, 92-97
A05: Security Misconfiguration	26-36
A06: Vulnerable Components	34, 98-100
A07: Auth Failures	14-23, 85-86
A08: Data Integrity	45-47
A09: Logging Failures	73
A10: SSRF	66, 87-88

OWASP 2021	相关漏洞
A01: 访问控制失效	40-44, 23, 74
A02: 密码学失效	24-25, 53-55
A03: 注入	1-13, 37-39
A04: 不安全设计	74, 92-97
A05: 安全配置错误	26-36
A06: 易受攻击的组件	34, 98-100
A07: 身份验证失效	14-23, 85-86
A08: 数据完整性问题	45-47
A09: 日志记录与监控失效	73
A10: 服务器端请求伪造	66, 87-88

Constraints and Limitations

约束与限制

Vulnerability definitions represent common patterns; specific implementations vary
Mitigations must be adapted to technology stack and architecture
New vulnerabilities emerge continuously; reference should be updated
Some vulnerabilities overlap across categories (e.g., IDOR appears in multiple contexts)
Effectiveness of mitigations depends on proper implementation
Automated scanners cannot detect all vulnerability types (especially business logic)

漏洞定义代表常见模式，具体实现存在差异
修复方案必须适配技术栈与架构
新漏洞持续出现，参考手册需定期更新
部分漏洞跨类别重叠（如IDOR出现在多个场景）
修复方案的有效性取决于正确实现
自动化扫描器无法检测所有漏洞类型（尤其是业务逻辑类）

Troubleshooting

故障排除

Common Assessment Challenges

常见评估挑战

Challenge	Solution
False positives in scanning	Manual verification, contextual analysis
Business logic flaws missed	Manual testing, threat modeling, abuse case analysis
Encrypted traffic analysis	Proxy configuration, certificate installation
WAF blocking tests	Rate adjustment, IP rotation, payload encoding
Session handling issues	Cookie management, authentication state tracking
API discovery	Swagger/OpenAPI enumeration, traffic analysis

挑战	解决方案
扫描误报	手动验证、上下文分析
业务逻辑缺陷遗漏	手动测试、威胁建模、滥用案例分析
加密流量分析	代理配置、证书安装
WAF阻止测试	调整速率、IP轮换、 payload编码
会话处理问题	Cookie管理、身份验证状态跟踪
API发现	Swagger/OpenAPI枚举、流量分析

Vulnerability Verification Techniques

漏洞验证技术

Vulnerability Type	Verification Approach
Injection	Payload testing with encoded variants
XSS	Alert boxes, cookie access, DOM inspection
CSRF	Cross-origin form submission testing
SSRF	Out-of-band DNS/HTTP callbacks
XXE	External entity with controlled server
Access Control	Horizontal/vertical privilege testing
Authentication	Credential rotation, session analysis

漏洞类型	验证方法
注入类	使用编码变体进行Payload测试
XSS	弹窗、Cookie访问、DOM检查
CSRF	跨源表单提交测试
SSRF	带外DNS/HTTP回调
XXE	带受控服务器的外部实体
访问控制	水平/垂直权限测试
身份验证	凭证轮换、会话分析

References

参考资料

OWASP Top 10 Web Application Security Risks
CWE/SANS Top 25 Most Dangerous Software Errors
OWASP Testing Guide
OWASP Application Security Verification Standard (ASVS)
NIST Cybersecurity Framework
Source: Kumar MS - Top 100 Web Vulnerabilities

OWASP Top 10 Web应用程序安全风险
CWE/SANS Top 25最危险软件错误
OWASP测试指南
OWASP应用程序安全验证标准（ASVS）
NIST网络安全框架
来源：Kumar MS - Top 100 Web Vulnerabilities

When to Use

使用场景

This skill is applicable to execute the workflow or actions described in the overview.

当需要执行概述中描述的工作流程或操作时，适用此技能。