Detection and prevention of business logic vulnerabilities in self-operated websites (自营网站业务逻辑漏洞的检测与防范)

Abstract (translated from the Chinese)

This paper mainly introduces detection techniques for self-operated websites. It starts from the web security vulnerabilities that are common today and leads up to the vulnerability class that is the subject of this paper; at the same time it analyses the security of the web environment at home and abroad, and explains the significance of preventing web security vulnerabilities together with some basic prevention techniques. After describing the broad family of web vulnerabilities, business logic vulnerabilities are introduced separately: first the concept of a business logic vulnerability, then its characteristics, then the principles behind the data-tampering, brute-force and unauthorized-access (privilege-abuse) types of business logic vulnerability, and finally the harm such vulnerabilities can cause. After explaining the harm, the paper introduces the common methods and techniques for detecting business logic vulnerabilities, then the approach and related techniques of the detection method used in this paper, and finally the prevention methods for each type of business logic vulnerability. The paper ends with a summary of this research and an outlook on future work.

Keywords: web security vulnerabilities; vulnerability harm; business logic vulnerabilities

Abstract

This paper introduces the detection technology of self-operated websites, from the current common web security vulnerabilities to the theme of this article. At the same time, the website security environment at home and abroad is analysed, and the significance of preventing web security vulnerabilities and some basic prevention technologies are discussed. After describing the web vulnerability family, business logic vulnerabilities are introduced separately: from the concept of a business logic vulnerability to its characteristics, then to an explanation of the principles of the data-tampering, brute-force and unauthorized-access (privilege-abuse) business logic vulnerabilities. The paper then describes the possible harm of business logic vulnerabilities and introduces the general methods and technologies for detecting them, then introduces the ideas and related technologies used in this paper, and finally the prevention methods for the various types of business logic vulnerabilities are introduced. In the end, the research of the project and its f...
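The three vulnerability types the abstract names (data tampering, brute force, unauthorized access) share one root cause: the server trusts values that only the client controls. The following is an added example, not code from the paper, showing a minimal order and login model with the vulnerable handler beside its hardened form; the catalog, orders, function names and the attempt limit are all constructed for illustration.

```python
# Added example (not from the paper): business-logic checks for a small web shop.
# Constructed data: an authoritative server-side price list and two orders.
CATALOG = {"sku-1": 100, "sku-2": 250}                 # prices in cents
ORDERS = {1001: {"owner": "alice", "total": 100},
          1002: {"owner": "bob", "total": 250}}
MAX_ATTEMPTS = 5                                       # brute-force cut-off (assumed policy)
_attempts = {}                                         # failed logins per account

class Forbidden(Exception):
    """Raised when a request refers to a resource the session user does not own."""

def checkout_vulnerable(request):
    # Data tampering: the amount charged is whatever price the client sent.
    return request["price"] * request["qty"]

def checkout_fixed(request):
    # The client may choose the item and quantity; the price comes only from the server.
    sku = request["sku"]
    qty = int(request["qty"])
    if sku not in CATALOG or not 1 <= qty <= 100:
        raise ValueError("invalid item or quantity")
    return CATALOG[sku] * qty

def view_order_vulnerable(session_user, order_id):
    # Unauthorized access: any logged-in user can read any order by changing the id.
    return ORDERS[order_id]

def view_order_fixed(session_user, order_id):
    # Ownership is checked against the server-side session, not a client-supplied field.
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        raise Forbidden("order does not belong to the current user")
    return order

def login_attempt(user, password_ok):
    # Brute force: without a failure counter the password space can be tried freely.
    # password_ok is the result of the real credential check, performed elsewhere.
    if _attempts.get(user, 0) >= MAX_ATTEMPTS:
        return "locked"
    if password_ok:
        _attempts[user] = 0
        return "ok"
    _attempts[user] = _attempts.get(user, 0) + 1
    return "denied"
```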