应用程序所面临威胁.docVIP

IT类： 1. Threats faced by an application can be categorized based on the goals and purposes of the attacks: Spoofing is attempting to gain access to a system by using a false identity. This can be accomplished using stolen user credentials or a false IP address. After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin. Tampering is the unauthorized modification of data, for example as it flows over a network between two computers. Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove. Information disclosure is the unwanted exposure of private data. Some examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in Web pages that contain database connection strings and connection details, and weak exception handling that can lead to internal system level details being revealed to the client. Denial of Service (DoS) is the process of making a system or application unavailable. For example, a DoS attack might be accomplished by bombarding a server with requests to consume all available system resources or by passing it malformed input data that can crash an application process. Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application. 应用程序所面临的威胁，可以根据攻击的目标和意图进行分类： 欺骗是通过用一个假的ID来试图获取一个系统的访问。这可以通过偷盗用户的凭证或者用一个假的IP地址来实现。在攻击者伪装成一个合法使用者或者主人成功获取访问后， 他便可以拥有更多的特权或者滥用授权。 篡改是对数据的非授权修改。例如当数据在两计算机间的网络进行传输时。 否认是指使用者（合法或非法的）可以否认曾经采取过某种特殊行为或处理。没有足够的审核，否认攻击很难被证明。 信息泄露是指私人数据的非自愿暴露。信息泄露攻击包括运用那些包含数据库连接字符串以及连接信息的网页中的隐藏格式字段和嵌入式注释，以及轻微异常处理从而导致内部系统详细资料暴露给客户。 拒绝服务（DoS）是指能导致系统或者应用程序不可用的攻击。例如，一个DoS攻击的实现可以通过请求调用所有可用系统资源来使得服务器崩溃或者通过传送错误的输入（原始）数据从而破坏一个应用程序。 权限提升是指有限权限用户获取了特权用户的身份，进而可以对某个应用程序进行特许访问。 1. Because the information required