A1 – Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
A3 – Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A4 – Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
A5 – Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
A6 – Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
A7 – Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
A8 – Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
A9 – Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
A10 – Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
A1 – Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

(A1 – Injection. Injection flaws, such as SQL injection, OS command injection and LDAP injection, occur when an attacker sends the application server data containing delimiters as part of a command or query. The delimiters in the attacker's hostile data can trick the interpreter into executing unintended commands crafted by the attacker or accessing unauthorized data.)
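An added example, not from the OWASP text, showing the A1 flaw and its fix side by side: the same lookup against a constructed in-memory SQLite table, once with the input pasted into the SQL string and once with it bound as a parameter.

```python
# Added example (not OWASP's code). Table rows and inputs are constructed here.
import sqlite3

def _make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input becomes part of the SQL text, so the interpreter
    cannot tell data from command: the A1 flaw."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The query shape is fixed; the value travels separately as a bound
    parameter and is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo() -> tuple:
    conn = _make_db()
    benign = "bob"
    # Textbook tautology input: closes the string literal and ORs in a true term.
    hostile = "' OR '1'='1"
    return (find_user_vulnerable(conn, benign),   # ["bob"]
            find_user_vulnerable(conn, hostile),  # every row leaks
            find_user_safe(conn, hostile))        # no such user: []

if __name__ == "__main__":
    print(demo())
```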

A2 – Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

(A2 – Broken Authentication and Session Management. Application functions related to authentication and session management are often implemented incorrectly, allowing an attacker to forge passwords, keys or session tokens, or to exploit implementation flaws, in order to impersonate other users.)

A3 – Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

(A3 – XSS. XSS arises when an application accepts untrusted data and sends it to the user's web browser without validating it or filtering its characters. XSS lets an attacker run scripts in the victim's browser to hijack the victim's session, deface specific websites, or redirect the user to a malicious site.)
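An added example, not from the OWASP text, of the "escaping" the A3 entry calls for: the same comment template rendered with and without context-specific output encoding (element text, quoted attribute, URL parameter). The template and sample input are constructed for the example.

```python
# Added example (not OWASP's code). Encoding depends on where the value lands.
import html
from urllib.parse import quote

def html_text(value: str) -> str:
    """For element content, e.g. <p>{here}</p>."""
    return html.escape(value, quote=True)

def html_attr(value: str) -> str:
    """For a quoted attribute, e.g. data-x="{here}".
    quote=True also encodes ' and " so the attribute cannot be closed early."""
    return html.escape(value, quote=True)

def url_param(value: str) -> str:
    """For a query-string value, e.g. href="/users?name={here}"."""
    return quote(value, safe="")

def render_comment(author: str, body: str) -> str:
    """Every interpolated value is encoded for the exact context it lands in."""
    return (
        f'<div class="comment" data-author="{html_attr(author)}">'
        f'<a href="/users?name={url_param(author)}">{html_text(author)}</a>'
        f'<p>{html_text(body)}</p></div>'
    )

def render_comment_vulnerable(author: str, body: str) -> str:
    """Same template with no escaping: markup in the body reaches the
    browser as markup, not as text (the A3 flaw)."""
    return (f'<div class="comment" data-author="{author}">'
            f'<a href="/users?name={author}">{author}</a>'
            f'<p>{body}</p></div>')

if __name__ == "__main__":
    # Constructed input that would break out of the attribute and add a tag.
    print(render_comment('eve" x', "<script>probe()</script>"))
```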

A4 – Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

(A4 – Insecure Direct Object References. Application developers sometimes expose references to internal implementation objects, such as files, directories or database keys. Without access control or other protection on these references, an attacker can use the exposed references to access unauthorized data.)

A5 – Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

(A5 – Security Misconfiguration. Good security for the application, frameworks, web server, database server and the various application platforms requires a well-defined, properly deployed secure configuration. Secure settings must be properly defined, implemented and maintained; default configurations are usually insecure. In addition, software should be updated promptly.)

A6 – Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

(A6 – Sensitive Data Exposure. Many web applications do not properly protect sensitive data such as credit card numbers, tax IDs and authentication credentials. An attacker can steal or alter such weakly protected data to commit credit card fraud, identity theft or other crimes. This kind of sensitive data deserves extra protection, such as encrypted transmission and special precautions when exchanging data with the client browser.)

A7 – Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

(A7 – Missing Function Level Access Control. Most web applications enforce access control at the UI level, but the application server must perform the corresponding access control as well. If requests are not verified, an attacker can forge requests to access unauthorized functionality.)
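An added example, not from the OWASP text, covering both the A4 and the A7 entries above: a server-side ownership check on an object id taken from the request (A4) and a role check enforced on the handler itself rather than by hiding a menu item (A7). Users, the document store and the handlers are constructed for the example.

```python
# Added example (not OWASP's code). Store, users and handlers are constructed.
from dataclasses import dataclass
from functools import wraps

class Forbidden(Exception): pass

@dataclass(frozen=True)
class User:
    id: int
    role: str          # "user" or "admin"

# Constructed store: document id -> owner id and body
DOCS = {101: {"owner": 1, "body": "alice's notes"},
        102: {"owner": 2, "body": "bob's notes"}}

def requires_role(*roles):
    """A7: the function-level check lives on the server, at the handler."""
    def deco(fn):
        @wraps(fn)
        def wrapper(caller: User, *args, **kwargs):
            if caller.role not in roles:
                raise Forbidden(f"{fn.__name__} needs role in {roles}")
            return fn(caller, *args, **kwargs)
        return wrapper
    return deco

def get_document(caller: User, doc_id: int) -> str:
    """A4: doc_id came from the request, so verify the caller owns the
    object (or is an admin) before returning anything."""
    doc = DOCS.get(doc_id)
    if doc is None or (doc["owner"] != caller.id and caller.role != "admin"):
        # Same error for "missing" and "not yours": don't reveal which ids exist.
        raise Forbidden("no such document")
    return doc["body"]

@requires_role("admin")
def delete_document(caller: User, doc_id: int) -> bool:
    return DOCS.pop(doc_id, None) is not None

def can(fn, *args) -> bool:
    """True if the call is authorized, False if it was refused."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```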

A8 – Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

(A8 – Cross-Site Request Forgery. A CSRF attack forces an already logged-in victim's browser to send a forged HTTP request to a vulnerable web application, carrying the victim's valid session cookie and other authentication information, so that the attacker can make the web application believe the request was sent voluntarily by the victim.)
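An added example, not from the OWASP text, of the standard defence for A8: a synchronizer token bound to the session with an HMAC, checked on every state-changing POST. A forged cross-site request gets the cookie attached automatically but cannot read the page, so it cannot supply the token. The server secret, session id and request dictionaries are constructed for the example.

```python
# Added example (not OWASP's code). Secret, session ids and requests constructed.
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)   # constructed; load from config in practice

def csrf_token(session_id: str) -> str:
    """Embed in the form as a hidden field; it is bound to this session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is simply invalid."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)

def handle_transfer(request: dict) -> str:
    """A state-changing handler. The browser attaches the session cookie on
    its own, which is exactly why the cookie alone must not authorize it."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 use POST"                     # never mutate state on GET
    if not csrf_valid(session_id, request["form"].get("csrf")):
        return "403 CSRF check failed"
    return f"200 transferred {request['form']['amount']}"

def demo() -> tuple:
    sid = "sess-abc123"                           # constructed session id
    legit = {"method": "POST", "cookies": {"session": sid},
             "form": {"amount": "10", "csrf": csrf_token(sid)}}
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"amount": "9999"}}         # cookie present, token absent
    return handle_transfer(legit), handle_transfer(forged)

if __name__ == "__main__":
    print(demo())
```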

A9 – Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

(A9 – Using Components with Known Vulnerabilities. Components such as libraries, frameworks and other software modules usually run with the highest privileges. If a vulnerable component is exploited, the attacker may take control of the server or cause serious data loss. Applications that use components with known vulnerabilities lower the overall security of the application and open the door to a range of attacks and impacts.)

A10 – Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

(A10 – Unvalidated Redirects and Forwards. Web applications frequently redirect users to other pages or sites and use untrusted data to determine the destination page. Without proper validation, an attacker can redirect victims to phishing or malware-hosting sites, or use the redirect to access unauthorized pages.)
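An added example, not from the OWASP text, of the validation the A10 entry asks for: a "next" parameter is accepted only as a same-origin path or as an https URL to an allowlisted host, and everything else falls back to a fixed page. The allowlist and fallback are constructed; the awkward inputs in the comments are the ones such a check most often gets wrong.

```python
# Added example (not OWASP's code). Allowlist and fallback are constructed.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}   # constructed allowlist
FALLBACK = "/"

def safe_redirect_target(next_url: str) -> str:
    """Return next_url if it is safe to redirect to, else FALLBACK."""
    if not next_url:
        return FALLBACK
    # Browsers treat a backslash like a forward slash in URLs, so normalise
    # first: "/\\evil.com" parses as a local path here but not in the browser.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL. This branch also catches protocol-relative "//evil.com",
        # "https:evil.com" and non-http schemes; allow only https to a listed
        # host, compared against the parsed hostname (so "a.com@evil.com" fails).
        if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
            return candidate
        return FALLBACK
    # Relative: must start with exactly one "/" to stay on this origin.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return FALLBACK
```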