Speaker: 刘沛旻 (Liu Peimin), senior technical expert at Imperva, with more than ten years in the security industry. He has taken part in the planning, construction and implementation of several major information security projects across finance, telecommunications, manufacturing, energy and other sectors, and has extensive experience and distinctive views on protecting enterprises' critical information and applications.

The Development and Future of Web Application Security
刘沛旻 (Liu Peimin), Technical Manager, China
Proprietary and confidential. Do not distribute.

Top 5 web application attacks
In the first half of 2020 Imperva analysed 1.14 billion customer requests; the main attack types were distributed as follows.

From the 2003 edition to the 2017 edition of the OWASP Top 10: when web application security comes up, what is the first keyword you think of?
Your web application: web application security is far more than the OWASP Top 10.

OWASP Top 10 attacks
  Injection
  Broken authentication
  Sensitive data exposure
  XML external entities (XXE)
  Broken access control
  Security misconfiguration
  Cross-site scripting (XSS)
  Insecure deserialization
  Using components with known vulnerabilities
  Insufficient logging & monitoring

OWASP Automated Threats
  Account Aggregation
  Account Creation
  Ad Fraud
  CAPTCHA Defeat
  Card Cracking
  Carding
  Cashing Out
  Credential Cracking
  Credential Stuffing
  Denial of Inventory
  Denial of Service

OWASP API Top 10 attacks
  Broken object level authorization
  Broken user authentication
  Excessive data exposure
  Lack of resources & rate limiting
  Broken function level authorization
  Mass assignment
  Security misconfiguration
  Injection
  Improper assets management
  Insufficient logging & monitoring

DDoS attacks
Layer 3/4
  UDP floods
  NTP amplification
  DNS amplification
  Tsunami SYN flood
  CharGEN amplification
  Memcache amplification
  SSDP amplification
  SNMP amplification
  GRE-IP UDP floods
  CLDAP attacks
  ARMS (ARD)
  Jenkins
  DNS Water Torture
  SYN floods
  TCP RST floods
  SSL Negotiation floods
  TCP connect floods
  Fragmented attacks
  TCP ACK floods
  CoAP
  WS-DD
  NetBIOS
Layer 7
  DNS Query floods
  SlowLoris attack
  HTTP(S) GET request floods
  HTTP(S) POST request floods
  SMTP request flood

Client-side attacks
  Formjacking
  Credit card skimming
  Card skimming
  Digital Skimmers
  Magecart
  JavaScri
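The automated-threat list above names Credential Stuffing and Credential Cracking side by side, and the API Top 10 list names the missing control that lets both succeed (lack of resources & rate limiting). The two look identical in a per-IP failure count and only separate when you also count how many accounts each source touches. The following detector is an added example, not material from the deck or from Imperva; the auth-log line format, field names, thresholds and sample traffic are all assumptions constructed for illustration.

```python
"""Classify login abuse in an application's authentication log.

Added example, not from the original deck. It separates two of the OWASP
Automated Threats named above:
  Credential Stuffing (OAT-008): one source replays leaked username/password
    pairs, so many distinct accounts each see about one failure.
  Credential Cracking (OAT-007): one source guesses many passwords against
    a few accounts, so few distinct accounts absorb many failures.
The log line format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Assumed format of one auth-log line:
#   "<iso-time> ip=<addr> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not real traffic); addresses come from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(
    # stuffing pattern: one source, ten different accounts, one failure each
    [f"2020-06-01T10:00:{i:02d}Z ip=203.0.113.5 user=user{i} result=FAIL" for i in range(10)]
    # cracking pattern: one source, one account, ten failures
    + [f"2020-06-01T10:01:{i:02d}Z ip=198.51.100.7 user=admin result=FAIL" for i in range(10)]
    # ordinary user: two typos, then a successful login
    + [
        "2020-06-01T10:02:00Z ip=192.0.2.9 user=alice result=FAIL",
        "2020-06-01T10:02:05Z ip=192.0.2.9 user=alice result=FAIL",
        "2020-06-01T10:02:09Z ip=192.0.2.9 user=alice result=OK",
    ]
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_failures(text):
    """Per source IP: number of failed logins and the set of accounts targeted."""
    stats = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for ev in parse_log(text):
        if ev["result"] == "FAIL":
            stats[ev["ip"]]["failures"] += 1
            stats[ev["ip"]]["accounts"].add(ev["user"])
    return stats


def classify(text, min_failures=8, spread_threshold=0.8, focus_accounts=3):
    """Map each source IP to a verdict.

    min_failures:     fewer failures than this is treated as ordinary user error.
    spread_threshold: distinct accounts / failures at or above this -> stuffing.
    focus_accounts:   at most this many distinct accounts with many failures -> cracking.
    The thresholds are illustrative assumptions; tune them against real traffic.
    """
    verdicts = {}
    for ip, s in summarize_failures(text).items():
        n_fail, n_acct = s["failures"], len(s["accounts"])
        if n_fail < min_failures:
            verdicts[ip] = "normal"
        elif n_acct / n_fail >= spread_threshold:
            verdicts[ip] = "credential_stuffing"
        elif n_acct <= focus_accounts:
            verdicts[ip] = "credential_cracking"
        else:
            verdicts[ip] = "suspicious"  # mixed pattern: rate-limit and investigate
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:16} {verdict}")
```

The verdict decides the response: a stuffing source should be rate-limited or challenged per source, while a cracking source calls for protecting the targeted accounts (lockout, step-up authentication), because blocking a single IP does little once the attacker rotates through a proxy pool.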