OWASP Top 10 Notes

(1) - A1 - Injection

Including, but not limited to, SQL injection, cookie injection and XXE. When developers ignore the danger of such malicious input and splice it directly into the database query built on the server, an attacker can read the database directly, obtain account names and passwords, and end up with administrator privileges. As shown below:

Defense measures:

PS: In practice the usual defense is a WAF; a strong WAF is the best choice.
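The point about "splicing" input into the query is easiest to see side by side. The following is an added example, not code from the original post: a constructed in-memory SQLite table with a login function that concatenates input into the SQL text, next to the same login written with a parameterised query. The table, users and passwords are all made up for the demonstration (plaintext passwords are kept only so the query is readable; a real system stores hashes). The parameterised query is the fix at the application layer; a WAF, as the note above says, is a layer in front of it.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],  # constructed sample rows
    )
    return conn


def login_vulnerable(conn, name, password):
    """Splices user input straight into the SQL text: the defect described above.

    Whatever the user types becomes part of the statement, so a quote in the
    input changes the query's logic instead of being compared as data.
    """
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterised query: the driver passes values separately from the SQL text,
    so the input can only ever be compared as data, never interpreted as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"   # classic test string; turns the WHERE clause into "always true"
    print("vulnerable:", login_vulnerable(db, "alice", payload))  # both users come back
    print("safe:      ", login_safe(db, "alice", payload))        # nothing comes back
```

The vulnerable version returns every row because the spliced text becomes `... AND password = 'x' OR '1'='1'`; the parameterised version compares the whole payload as a password string and matches nothing.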


 

(2) - A2 - Broken authentication and session management

Examples: weaknesses in SSO (single sign-on); cookie or session information exposed in a URL; pages where some or all users' information can be reached without authorization, etc.
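To make the session-management side concrete, here is an added example (not part of the original post, and not any framework's API): a small server-side session store that issues unguessable ids, expires them, rotates the id after login, and sends the id only in a cookie with restrictive flags rather than in a URL. The TTL, the cookie name and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; constructed value for the example


class SessionStore:
    """Server-side session table keyed by an unguessable id."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be exercised in a test

    def create(self, user_id):
        # 256 bits from the OS CSPRNG; never derived from user data or a counter
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "expires": self._now() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        """Return the user for a live session id, or None for unknown/expired ids."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() > entry["expires"]:
            del self._sessions[sid]
            return None
        return entry["user"]

    def rotate(self, old_sid):
        """Issue a fresh id after login so an id set before authentication stays useless."""
        user = self.lookup(old_sid)
        if user is None:
            return None
        del self._sessions[old_sid]
        return self.create(user)

    def destroy(self, sid):
        """Logout: forget the id server-side instead of relying on the browser to drop it."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Carry the id in a cookie only, with flags that keep it out of scripts and plain HTTP."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL}"


def session_id_from_request(cookies, query):
    """Read the id from the cookie jar only; a copy in the query string is ignored,
    so a session id pasted into a URL (the A2 problem above) is never honoured."""
    return cookies.get("session")
```

The `now` parameter exists only so expiry can be driven from a test clock; in production the default `time.time` is used.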


(3) - A3 - Cross-Site Scripting (XSS)

Cross-site scripting (XSS) commonly appears in search bars, input boxes, message boards and comment areas. There are three categories: reflected, DOM-based and stored; the latter two do the greater harm. XSS is often used to obtain administrator accounts and passwords, plant trojans, phish, take screenshots of pages, etc.

Prevention measures:

Annex: define an allowlist of permitted tags and, for each tag, the attributes that may be set.
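The annex describes allowlist-based output handling. The following is an added example, not code from the original post: a small sanitizer on top of Python's standard `html.parser` that keeps only allowlisted tags and, per tag, only allowlisted attributes, escapes everything else, and an `escape_all` helper for the common case where no markup is wanted at all. The allowlist contents (`b`, `i`, `p`, `a` with `href`) and the rule that `href` must be `http(s)` are assumptions chosen for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist: tag -> attributes that may be kept on it
ALLOWED_TAGS = {
    "b": set(),
    "i": set(),
    "p": set(),
    "a": {"href"},
}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allowlisted tags/attributes.

    Anything not on the list (script, img, event handlers, unknown attributes)
    is dropped; all text and attribute values are re-escaped on output.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            # Only plain web links; blocks javascript:/data: and similar schemes in href
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped, including text that was inside a dropped tag
        self.out.append(html.escape(data, quote=True))


def sanitize(fragment: str) -> str:
    """Return a version of the fragment containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def escape_all(text: str) -> str:
    """For fields that should never contain markup: escape every special character."""
    return html.escape(text, quote=True)
```

Use `escape_all` for search terms, names and similar plain fields; reserve `sanitize` for the few places (comments, message boards) where some formatting is genuinely wanted. This parser does not balance tags for you, so an unclosed allowed tag stays unclosed in the output.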


 

 

(4) - A4 - Insecure direct object references

Similar to common business-logic vulnerabilities: unauthorized access to other users' account information. As follows:

 

 

Prevention measures:

Simply put: do not use plaintext (predictable) input as the reference; do not rely on a single cookie for validation; refuse direct file operations.


 

(5) - A5 - Cross-Site Request Forgery (CSRF)

CSRF: by imitating a real web page and getting the user to visit it, an attacker can have the user's password or important documents tampered with cross-site, hijack operations, or, without the user's permission, use the user's identity to spread bad information, steal money, etc.

Prevention measures:

Attachment: simply put, because the browser sends the cookie without restriction, an attacker only has to construct a malicious page to complete the illegal operation.
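The attachment points out that the cookie alone proves nothing about who built the request. The following is an added example, not code from the original post: a synchronizer token bound to the session with an HMAC, checked on a state-changing endpoint that also refuses anything but POST. The secret, session ids and the `handle_transfer` endpoint shape are assumptions for the demonstration (a real server loads the secret from configuration and keeps it stable across restarts).

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a deployment loads this from configuration
CSRF_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce + HMAC(secret, session_id:nonce).

    Binding the token to the session means a token obtained for one session
    cannot be replayed for another, and the attacker's page never sees it
    because it is embedded in the legitimate form, not sent automatically
    like the cookie.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(method: str, form: dict, session_id: str) -> int:
    """Hypothetical state-changing endpoint: returns an HTTP status code.

    POST only (a GET reachable from an <img> tag must not change state), and the
    form must carry a token valid for the session that the cookie identifies.
    """
    if method != "POST":
        return 405
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    # ... perform the transfer for the logged-in user here ...
    return 200
```

The `SameSite` cookie attribute is the browser-side counterpart to the "cookie without restriction" problem; the token check above is the server-side one, and the two are normally used together.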


(6) - A6 - Security misconfiguration

The administrator configures the server incorrectly and opens settings that should not be open, so that sensitive information is leaked, as follows:

Defense measures:


(7) - A7 - Failure to restrict URL access

A user can gain access simply by modifying a parameter in the URL of a POST or GET request; in other words, a forged URL gives unauthorized access.

 

Defense measures:

Attachment: simply put, each user privilege level gets its own appropriate access rights; no one may directly reach super-administrator privileges.
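A4 (insecure direct object references) and A7 (unrestricted URL access) are both fixed by the same server-side habit: decide on every request whether this user may touch this object or this URL. The following is an added example, not code from the original post, covering both sections: an ownership check on an object looked up by id, an opaque key map in place of direct file references, and a per-route role allowlist that denies unknown routes by default. The users, roles, orders, routes and the file path are all constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"; constructed roles for the example


# Constructed data: orders keyed by id, each with an owner
ORDERS = {
    101: {"owner": 1, "total": 50},
    102: {"owner": 2, "total": 75},
}

# A4: indirect file references. The client sends an opaque key, never a path.
DOWNLOADS = {"report-q1": "/srv/files/report-q1.pdf"}  # hypothetical server path

# A7: per-route role allowlist; any route not listed is denied
ROUTE_ROLES = {
    "/account": {"user", "admin"},
    "/admin/users": {"admin"},
}


class Forbidden(Exception):
    pass


def get_order(current_user: User, order_id: int) -> dict:
    """Look up an order by id but return it only to its owner or an admin.

    Missing and not-owned both raise the same error so a caller cannot
    enumerate which ids exist by probing (the A4 problem above).
    """
    order = ORDERS.get(order_id)
    if order is None or (current_user.role != "admin" and order["owner"] != current_user.id):
        raise Forbidden("order not available")
    return order


def resolve_download(key: str) -> str:
    """Map an opaque key to a server-side path; anything not in the map is refused,
    so no user-supplied filename ever reaches the file system."""
    try:
        return DOWNLOADS[key]
    except KeyError:
        raise Forbidden("unknown download") from None


def route_allowed(current_user: User, path: str) -> bool:
    """Check the role allowlist for a URL (the A7 check). Unlisted paths are denied,
    so a user cannot reach an admin page merely by typing its URL."""
    return current_user.role in ROUTE_ROLES.get(path, set())
```

The checks are deliberately server-side and per request: hiding a link in the UI, or trusting a role value stored in the cookie, is exactly what the two sections warn against.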


(8) - A8 - Unvalidated redirects and forwards

A 302 or 301 redirect sends the visitor straight to a site the attacker wants them to reach, for example by way of a 403 page the site administrator has blocked; such jump functions can be used for phishing.

Defense measures:
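The usual defense is to never redirect to a raw URL taken from the request without checking it. The following is an added example, not code from the original post: a validator that accepts only same-site relative paths or `https` URLs to an allowlisted host, plus the stricter alternative of a map of named destinations so links carry a key instead of a URL. The allowed hosts and named targets are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts this site may redirect to
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Constructed map of named destinations, so links carry a key rather than a raw URL
NAMED_TARGETS = {"docs": "https://example.com/docs", "home": "/"}


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return next_param if it is a safe place to send the user, else the default."""
    if not next_param:
        return default
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:
        # Absolute URL, including scheme-relative "//host": only https to an allowlisted
        # host. hostname (not netloc) is compared so "https://good@evil" is rejected.
        if parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS:
            return next_param
        return default
    # Relative path: exactly one leading slash. Browsers treat "//" and "/\" as a host,
    # and "///host" parses with an empty netloc here, so all of those are refused.
    if next_param.startswith("/") and not next_param.startswith(("//", "/\\")):
        return next_param
    return default


def resolve_named_target(key: str, default: str = "/") -> str:
    """Stricter option: the request names a destination, the server owns the URL."""
    return NAMED_TARGETS.get(key, default)
```

Falling back to a fixed default (rather than raising) keeps a rejected parameter from turning a login flow into an error page; the user simply lands on the home page.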


 

(9) - A9 - Using components with known vulnerabilities

Plug-ins that carry vulnerabilities, for example WordPress plug-ins such as "magic map". Briefly: using critical components or plug-ins that have known vulnerabilities makes the site insecure. Such as:

Defense measures:

Attachment: use secure components, or update components to secure versions, and security-test them before use.


 

(10) - A10 - Sensitive information disclosure

This one needs little explanation: 90% of sites have some information disclosure. For example, user IDs or phone numbers, the company website's source code, or account passwords displayed directly on the page.

Mainly about prevention:

Defense measures:

Annex: store personal data encrypted; use SSL for the channel that carries the session ID; use a custom, uniform error page so that error details are not exposed directly to the user; avoid printing sensitive information or storing it in logs or the database (this also prevents SQL-error-based injection).
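Two of the annex items, the uniform error page and keeping sensitive values out of logs, can be shown in a few lines. The following is an added example, not code from the original post: a log formatter that redacts phone numbers and password fields before a line is written anywhere, and an error handler that logs the real exception under a reference id while the user sees only a generic message. The redaction patterns (11-digit numbers, `password=` form fields), the log sink and the error message are assumptions for the demonstration.

```python
import logging
import re
import uuid

# Constructed patterns for two kinds of data the section names
PHONE_RE = re.compile(r"\b\d{11}\b")              # assumption: 11-digit mobile numbers
PASSWORD_RE = re.compile(r"(password=)[^&\s]+", re.I)  # assumption: form-encoded field


def redact(message: str) -> str:
    """Replace sensitive values with markers; keeps the line useful for debugging."""
    message = PHONE_RE.sub("[phone]", message)
    return PASSWORD_RE.sub(r"\1[redacted]", message)


class RedactingFormatter(logging.Formatter):
    """Scrubs every formatted record, so redaction cannot be forgotten at a call site."""

    def format(self, record):
        return redact(super().format(record))


class ListHandler(logging.Handler):
    """Collects formatted lines in a list; stands in for a file or database sink."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def build_logger(sink: list) -> logging.Logger:
    """Logger whose only handler redacts before writing into `sink`."""
    logger = logging.getLogger("app-" + uuid.uuid4().hex)  # unique name per call
    logger.setLevel(logging.ERROR)
    logger.propagate = False
    handler = ListHandler(sink)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def error_response(exc: Exception, logger: logging.Logger):
    """Uniform error page: the exception detail goes to the (redacted) log under a
    reference id; the user receives only the status and that id."""
    ref = uuid.uuid4().hex[:8]
    logger.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return 500, f"An error occurred. Reference: {ref}"
```

The reference id is what support staff use to find the full record; the page itself never carries the exception text, stack trace or query that produced it, which is also what stops database error messages from being shown to an attacker.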


Source: www.cnblogs.com/liang-chen/p/11918025.html