- Eavesdropping
- Block ciphers
- Stream ciphers
- Confidentiality
- Message integrity
- Tamper resistance
- Man-in-the-middle attack (the attacker impersonates one of the parties)
- Forward secrecy
- Preimage attack: find a message for a given hash.
- Collision attack: find two messages with the same hash.
- Prefix collision attack: a collision attack where the attacker can pick a prefix for the message.
- MAC (Message Authentication Code)
- Authenticated encryption: CCM
- Cookie theft
- Solution: use TLS
- Faulty authentication
- No session handling (cookie has no expiration time)
- Solution: set an expiration time
- Passwords not hashed
- Sensitive Data Exposure
- Transmitted in plaintext
- Stored in plaintext
- TLS not used site-wide (no full TLS)
- SQL Injection
- Solution: sanitise input by escaping it:
mysqli_real_escape_string($db, $string)
- Solution: prepared statement (the values are bound separately from the SQL text)
$stmt = $conn->prepare("INSERT INTO People (firstname, lastname) VALUES (?, ?)");
$stmt->bind_param("ss", $firstname, $lastname);
$stmt->execute();
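An added example, not from the original notes, contrasting the injectable string concatenation with the escaping and prepared-statement fixes listed above; it assumes `$conn` is an open mysqli connection (with mysqlnd, for get_result) and the same `People` table as in the notes.

```php
<?php
// Added example (not part of the original notes). Assumes $conn is an open
// mysqli connection and a table People(firstname, lastname) exists.

// VULNERABLE: user input is pasted straight into the SQL text. A single
// quote inside $lastname ends the string literal early, so whatever follows
// is parsed as SQL rather than as data.
function findPersonUnsafe(mysqli $conn, string $lastname)
{
    $sql = "SELECT firstname, lastname FROM People WHERE lastname = '" . $lastname . "'";
    return $conn->query($sql);
}

// WEAKER FIX: escape the value. Only protects values placed inside quotes,
// and must be remembered at every query site.
function findPersonEscaped(mysqli $conn, string $lastname)
{
    $safe = mysqli_real_escape_string($conn, $lastname);
    return $conn->query("SELECT firstname, lastname FROM People WHERE lastname = '$safe'");
}

// PREFERRED FIX: prepared statement. The SQL text is sent to the server
// first and the value is bound afterwards, so the value is never parsed
// as SQL regardless of the characters it contains.
function findPersonSafe(mysqli $conn, string $lastname): array
{
    $stmt = $conn->prepare("SELECT firstname, lastname FROM People WHERE lastname = ?");
    $stmt->bind_param("s", $lastname);   // "s": one string parameter
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```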
- Cross-Site Scripting (XSS)
- Reflected XSS
- Stored XSS
- Solution: sanitisation / output encoding
htmlspecialchars()
- Cross-Site Request Forgery (CSRF)
- Solution: check the Referer header
- Easily forged
- Solution: add a CSRF token
- Solution: use a nonce
- XML External Entities (XXE)
- Broken Access Control
- Path Traversal