![\"\"](\"https:\/\/cms.aaasec.com.tw\/wp-content\/uploads\/2018\/06\/27657422_495264980868252_3159953275337365925_n.jpg\")
<\/p>\n<\/p>\n
<\/p>\n
OWASP(The Open Web Application Security Project)TOP 10<\/strong>\uff0c\u662f\u5c07\u5e38\u898b\u7684\u7db2\u8def\u5b89\u5168\u5f31\u9ede\u9032\u884c\u6b78\u7d0d\u3001\u5206\u6790\uff0c\u64ec\u5b9a\u51fa\u5341\u5927\u7db2\u8def\u5b89\u5168\u4e0a\u7684\u98a8\u96aa\u4e26\u63d0\u4f9b\u57fa\u672c\u7684\u4fdd\u8b77\u53ca\u9810\u9632\u63aa\u65bd\uff0c\u76ee\u7684\u662f\u5354\u52a9\u7814\u64ec\u8edf\u9ad4\u5b89\u5168\u4e4b\u6a19\u6e96\u3001\u5de5\u5177\u8207\u6280\u8853\u6587\u4ef6\uff0c\u4e14\u9577\u671f\u81f4\u529b\u65bc\u5354\u52a9\u4f01\u696d\u55ae\u4f4d\u6df1\u5165\u77ad\u89e3\u4e26\u6539\u5584\u5404\u55ae\u4f4d\u7db2\u7ad9\u4e0a\u7684\u5b89\u5168\u6027\uff0c\u56e0\u6b64\u8a31\u591a\u653f\u5e9c\u55ae\u4f4d\u3001\u4f01\u696d\u516c\u53f8\u4e5f\u90fd\u6703\u95dc\u6ce8\uff0c\u751a\u81f3\u8996\u70ba\u6307\u6a19\u3002 \u3010\u6ce8\u5165\u653b\u64ca\u548c\u7121\u6548\u7684\u8eab\u5206\u9a57\u8b49\uff0c\u4ecd\u4f4d\u5c45\u7b2c\u4e00\u3001\u7b2c\u4e8c\u540d\u3011<\/strong><\/p>\n No.1\u662f\u6ce8\u5165\u653b\u64ca(Injection)\uff0c\u4e0d\u55ae\u55ae\u53ea\u662f\u6211\u5011\u719f\u77e5\u7684SQL Injection(\u96b1\u78bc\u653b\u64ca)\uff0c\u53ea\u8981\u5728\u8f38\u5165\u6b04\u4f4d\u7684\u6642\u5019\u6c92\u59a5\u5584\u9032\u884c\u6aa2\u67e5\u6216\u9a57\u8b49\uff0c\u5c31\u53ef\u80fd\u906d\u53d7\u6ce8\u5165\u653b\u64ca\u3002<\/p>\n No.2\u662f\u7121\u6548\u7684\u8eab\u5206\u9a57\u8b49(Broken Authentication)\uff0c\u5728\u7db2\u7ad9\u4e0a\u7d93\u5e38\u9700\u8981\u8655\u7406\u8eab\u5206\u9a57\u8b49\u53caSession\u7ba1\u7406\uff0c\u4f46\u82e5\u767c\u751f\u7f3a\u5931\u5c31\u53ef\u80fd\u5c0e\u81f4\u653b\u64ca\u8005\u53d6\u5f97\u66f4\u9ad8\u6b0a\u9650\u9032\u884c\u653b\u64ca\u884c\u70ba\u3002<\/p>\n No.3\u662f\u654f\u611f\u8cc7\u6599\u5916\u6d29(Sensitive Data Exposure)\uff0c\u7531\u539f\u5148\u7684\u7b2c\u516d\u540d\u9032\u6b65\u5230\u4e86\u7b2c\u4e09\u540d\uff0c\u82e5\u7db2\u7ad9\u7121\u6cd5\u6b63\u78ba\u4fdd\u8b77\u7a4d\u654f\u8cc7\u8a0a\u6642\uff0c\u6703\u8b93\u653b\u64ca\u8005\u80fd\u6709\u6a5f\u7aca\u53d6\u3001\u7ac4\u6539\u9019\u4e9b\u7a4d\u654f\u8cc7\u8a0a\u9032\u800c\u653b\u64ca\u3002<\/p>\n No.4\u662fXML\u5916\u90e8\u8655\u7406\u5668\u6f0f\u6d1e(XML External Entity, XXE)\uff0c\u5728\u4f7f\u7528\u6216\u8655\u7406XML\u8207\u6cd5\u6642\uff0c\u82e5\u7121\u6cd5\u6b63\u78ba\u5730\u505a\u597d\u529f\u80fd\u9650\u5236\uff0c\u53ef\u80fd\u6703\u5c0e\u81f4\u653b\u64ca\u8005\u9032\u884c\u8d8a\u6b0a\u4e26\u7aca\u53d6\u6a5f\u654f\u8cc7\u8a0a\u3002<\/p>\n No.5\u662f\u7121\u6548\u7684\u5b58\u53d6\u63a7\u7ba1(Broken Access Control)\uff0c\u800c\u6b64\u5f31\u9ede\u70ba\u539f\u51482013\u7248\u4e2d\u7684Inscure Direct Object Reference\u548cMissing Function Level Access Control\u6240\u5408\u4f75\u7684\u3002\u8a72\u5a01\u8105\u4e3b\u8981\u662f\u6307\u7cfb\u7d71\u958b\u767c\u6642\u82e5\u672a\u56b4\u683c\u7684\u505a\u597d\u5b58\u53d6\u63a7\u7ba1\uff0c\u53ef\u80fd\u6703\u5c0e\u81f4\u99ed\u5ba2\u5229\u7528\u6b64\u6f0f\u6d1e\u5b58\u53d6\u672a\u7d93\u6388\u6b0a\u7684\u529f\u80fd\u6216\u66f4\u6539\u8a2a\u554f\u6b0a\u9650\u3002<\/p>\n No.6\u662f\u4e0d\u5b89\u5168\u7684\u7d44\u614b\u8a2d\u5b9a(Security Misconfiguration)\uff0c\u7d93\u5e38\u4f7f\u7528\u4e0d\u5b89\u5168\u7684\u9810\u8a2d\u503c\uff0c\u50cf\u662f\u4f5c\u696d\u7cfb\u7d71\u3001\u6846\u67b6\u3001\u51fd\u5f0f\u5eab\u53ca\u61c9\u7528\u7a0b\u5f0f\uff0c\u907f\u514d\u4f7f\u7528\u9810\u8a2d\u503c\u8a2d\u5b9a\u4e26\u6642\u5e38\u5fc5\u9808\u505a\u5230\u7cfb\u7d71\u66f4\u65b0\u8207\u5347\u7d1a\uff0c\u78ba\u4fdd\u7cfb\u7d71\u5b89\u5168\u8207\u6642\u4e26\u9032\u3002<\/p>\n No.7\u662f\u8de8\u7ad9\u653b\u64ca(Cross-Site Scripting, XSS)\uff0c\u7db2\u9801\u8de8\u7ad9\u653b\u64ca\u662f\u5229\u7528\u52d5\u614b\u7db2\u9801\u7684\u7279\u6027\uff0c\u7576\u7db2\u7ad9\u7f3a\u4e4f\u9069\u7576\u7684\u9a57\u8b49\u6642\uff0c\u653b\u64ca\u8005\u5c31\u5229\u7528\u6b64\u5f31\u9ede\u5728\u700f\u89bd\u5668\u4e2d\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u78bc\uff0c\u4e26\u633e\u6301\u4f7f\u7528\u7684Session\u9032\u884c\u9020\u6210\u653b\u64ca\u3002<\/p>\n No.8\u662f\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e(Insecure Deserialization)\uff0c\u6b64\u5a01\u8105\u70ba\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u53ef\u80fd\u5c0e\u81f4\u99ed\u5ba2\u5229\u7528\u9060\u7aef\u57f7\u884c\u4efb\u610f\u7a0b\u5f0f\u78bc\u9032\u884c\u91cd\u9001\u653b\u64ca\u3001\u6ce8\u5165\u653b\u64ca\u53ca\u6b0a\u9650\u63d0\u5347\u653b\u64ca\u3002<\/p>\n No.9\u662f\u4f7f\u7528\u5df2\u6709\u6f0f\u6d1e\u7684\u5143\u4ef6(Using Components with Known Vulnerabilities)\uff0c\u4f7f\u7528\u5177\u6709\u5df2\u77e5\u6f0f\u6d1e\u7684\u5143\u4ef6\u7522\u751f\u7684\u8106\u5f31\u9ede\uff0c\u99ed\u5ba2\u53ef\u900f\u904e\u6b64\u8106\u5f31\u9ede\u7834\u58de\u61c9\u7528\u7a0b\u5f0f\u4e2d\u7684\u9632\u79a6\u63aa\u65bd\uff0c\u4e26\u9032\u4e00\u6b65\u9020\u6210\u66f4\u56b4\u91cd\u7684\u50b7\u5bb3\u3002<\/p>\n No.10\u662f\u7d00\u9304\u8207\u76e3\u63a7\u4e0d\u8db3\u98a8\u96aa(Insufficient Logging&Monitoring)\uff0c\u7576\u8a18\u9304\u8207\u76e3\u63a7\u4e0d\u8db3\u6216\u4e0d\u6070\u7576\u6642\uff0c\u6703\u5c0e\u81f4\u5728\u767c\u751f\u8cc7\u5b89\u4e8b\u4ef6\u7684\u60c5\u6cc1\u4e0b\u7121\u6cd5\u6709\u8db3\u5920\u7684\u8cc7\u6599\u9032\u884c\u8655\u7406\uff0c\u4e5f\u4f7f\u653b\u64ca\u8005\u6709\u6a5f\u6703\u9032\u4e00\u6b65\u9032\u884c\u653b\u64ca\u7cfb\u7d71\uff0c\u9032\u800c\u9020\u6210\u640d\u5931\u3002<\/p>\n \u3010\u5c0f\u63d0\u9192\u3011<\/strong><\/p>\n \u6700\u5f8c\u63d0\u9192\u5927\u5bb6\uff0c\u7db2\u969b\u7db2\u8def\u8d8a\u4f86\u8d8a\u767c\u9054\uff0c\u9762\u5c0d\u8cc7\u5b89\u6f0f\u6d1e\u7684\u6642\u5019\u5fc5\u9808\u9451\u5f80\u77e5\u4f86\uff0c\u907f\u514d\u76f8\u540c\u7684\u8cc7\u5b89\u554f\u984c\u4e00\u518d\u767c\u751f\uff0c\u4e26\u96a8\u6642\u6ce8\u610f\u6700\u65b0\u7684\u8cc7\u5b89\u8a0a\u606f\u3002\u53e6\u4e00\u65b9\u9762\uff0c\u990a\u6210\u826f\u597d\u7684\u8cc7\u5b89\u7fd2\u6163\uff0c\u4e26\u5b9a\u671f\u57f7\u884c\u8cc7\u5b89\u6aa2\u6e2c\u3001\u6301\u7e8c\u4e14\u78ba\u5be6\u6539\u9032\uff0c\u7d55\u5c0d\u4e0d\u8981\u76f8\u4fe1\u6240\u8b02\u7684\u7d55\u5c0d\u5b89\u5168!<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/posts\/141"}],"collection":[{"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/comments?post=141"}],"version-history":[{"count":4,"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/posts\/141\/revisions"}],"predecessor-version":[{"id":152,"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/posts\/141\/revisions\/152"}],"wp:attachment":[{"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/media?parent=141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/categories?post=141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cms.aaasec.com.tw\/index.php\/wp-json\/wp\/v2\/tags?post=141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n\u6700\u65e9\u57282003\u5e7412\u6708\u516c\u5e03\u4e86\u7b2c\u4e00\u7248\u7684OWASP TOP 10\uff0c\u5230\u4e862004\u30012007\u4e5f\u7d1b\u7d1b\u63a8\u51fa\u4e86\u6539\u7248\u3002\u76f4\u52302010\u5e74\uff0c\u9996\u5ea6\u5f9e\u98a8\u96aa\u89d2\u5ea6\u51fa\u767c\uff0c\u4e26\u6b78\u7d0d\u51fa\u7db2\u8def\u5a01\u8105\u524d\u5341\u540d\uff0c\u800c\u5b83\u7d42\u65bc\u4e5f\u57282017\u5e7411\u670820\u65e5\u63a8\u51fa\u4e862017\u5e74\u5341\u5927\u98a8\u96aa\u6b63\u5f0f\u7248\u3002
\n
\n\u800c\u57282017\u5e74\u516c\u5e03\u7684\u65b0\u7248\u672c\u53c8\u6709\u4e86\u65b0\u7684\u505a\u6cd5\uff0c\u672c\u6b21\u65b0\u7248\u7684\u5341\u5927\u98a8\u96aa\u4e2d\uff0c\u6709\u4e09\u500b\u5168\u65b0\u7684\u8cc7\u5b89\u98a8\u96aa\uff0c\u5206\u5225\u70baXML External Entity(XXE)\u3001Insecure Deserialization\u53caInsufficient Logging&Monitoring\u3002\u9019\u4e09\u500b\u5f31\u9ede\u8207\u8fd1\u671f\u8208\u8d77\u7684\u5fae\u670d\u52d9\u6709\u95dc\uff0c\u70ba\u4e86\u9054\u5230\u5feb\u901f\u63d0\u4f9b\u670d\u52d9\uff0c\u8a31\u591a\u5ee0\u5546\u53ef\u80fd\u5728\u958b\u767c\u904e\u7a0b\u4e2d\u907a\u6f0f\u56b4\u8b39\u7684\u8cc7\u5b89\u9a57\u8b49\u8207\u6388\u6b0a\u7684\u52d5\u4f5c\uff0c\u9020\u6210\u7cfb\u7d71\u5b58\u5728\u8cc7\u8a0a\u5916\u6d29\u7684\u98a8\u96aa\u3002<\/span><\/p>\n