2. Cross-site scripting (XSS)
(1) What is XSS?
An attacker injects malicious code (for example JavaScript, VBScript, HTML, ActiveX or Flash) into a page that the site later serves to other users, typically through a crafted URL or a stored input field. The classic test string is:
<script>alert(document.cookie)</script>
If the site echoes this string back into the page without encoding it, the browser executes it as script. Here it only pops up the visitor's cookie, but the same injection point lets an attacker send that cookie to a server under their control and take over the victim's session.
(2) How to prevent XSS
Treat every user-supplied value as untrusted. Reject or neutralise input that carries executable content (JavaScript, VBScript, HTML, ActiveX, Flash and similar), and HTML-encode each value at the point where it is written into a page, so that characters such as <, >, ", ' and & can no longer terminate the surrounding markup or start a tag of their own.
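To make the prevention concrete, the following is an added example written for this page, not code from the original article. It places the page's own `<script>alert(document.cookie)</script>` payload into an HTML page both unencoded and HTML-encoded, and does the same for a constructed attribute-breakout payload, because the attribute context is where quote encoding matters. The templates, payloads and helper names are all constructed for the illustration.

```python
import html

# Constructed payload: the one quoted in the section above.
PAYLOAD = "<script>alert(document.cookie)</script>"
# Constructed attribute-context payload: closes the quoted value instead of using a tag.
ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'


def render_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into HTML text."""
    return f"<p>Hello, {name}!</p>"


def render_escaped(name: str) -> str:
    """Hardened: &, <, >, " and ' are encoded, so the browser displays the text instead of running it."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_attribute_unsafe(value: str) -> str:
    """Vulnerable: untrusted input placed inside a quoted attribute without encoding."""
    return f'<input type="text" value="{value}">'


def render_attribute_escaped(value: str) -> str:
    """Hardened: the same value with quotes encoded, so it cannot close the attribute."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def contains_live_script(markup: str) -> bool:
    """Crude marker used only to show the difference: a raw <script tag or an injected handler."""
    lowered = markup.lower()
    return "<script" in lowered or '" onfocus="' in lowered


if __name__ == "__main__":
    for label, out in [
        ("unsafe text      ", render_unsafe(PAYLOAD)),
        ("escaped text     ", render_escaped(PAYLOAD)),
        ("unsafe attribute ", render_attribute_unsafe(ATTR_PAYLOAD)),
        ("escaped attribute", render_attribute_escaped(ATTR_PAYLOAD)),
    ]:
        print(f"{label}: {out}")
```

html.escape is the right tool for HTML text and quoted attribute values only; a value written into a JavaScript string, a URL or a CSS block needs the encoding of that context instead, and a value that must legitimately contain markup needs an HTML sanitiser rather than escaping.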
3. CSRF (Cross-Site Request Forgery)
CSRF is often mentioned together with XSS, but it is a different attack. XSS exploits the user's trust in a site; CSRF forges a request that appears to come from a trusted user in order to exploit the site's trust in that user's browser. Because the browser attaches the victim's session cookie to the forged request automatically, the attacker does not need to steal the SESSION or COOKIES at all.
(1) What is CSRF?
A page controlled by the attacker makes the victim's browser send a request (an auto-submitted form, an image load, a redirect) to a site where the victim is already logged in, and the site processes it as though the victim had intended it.
(2) How to prevent CSRF
Do not accept the session cookie alone as proof of intent. Require a secret token that a cross-origin page cannot read, bound to the user's session and checked on every state-changing request, and verify the Origin or Referer header as a second layer.
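The following is an added example, not code from the original article, showing both halves of the point above: a transfer handler that trusts only the cookie, and the same handler protected with a per-session token and an Origin check. The in-memory session store, the bank.example and evil.example origins, and the request dictionaries are all constructed stand-ins for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data (stand-in for a real backend).
SESSIONS: dict[str, dict] = {}
TRUSTED_ORIGIN = "https://bank.example"  # hypothetical origin of the protected site


def create_session(user: str) -> str:
    """Log a user in: issue a session id and a separate per-session CSRF secret."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The server embeds this in its own forms; a page on another origin cannot read it."""
    return SESSIONS[sid]["csrf"]


def transfer_unprotected(request: dict) -> str:
    """Vulnerable: the only credential checked is the cookie the browser attaches automatically."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    return f"200 moved {request['form']['amount']} from {session['user']} to {request['form']['to']}"


def transfer_protected(request: dict) -> str:
    """Hardened: require the per-session token, then apply an Origin check as a second layer."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return "403 csrf token missing or invalid"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return "403 cross-origin request rejected"
    return f"200 moved {request['form']['amount']} from {session['user']} to {request['form']['to']}"


def legitimate_request(sid: str) -> dict:
    """Constructed: a POST from the site's own form, carrying the token the site rendered."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"to": "savings", "amount": "100", "csrf_token": csrf_token_for(sid)},
    }


def forged_request(sid: str) -> dict:
    """Constructed: an auto-submitting form on evil.example; the browser still sends the cookie."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": "https://evil.example"},
        "form": {"to": "attacker", "amount": "9999"},
    }


if __name__ == "__main__":
    sid = create_session("alice")
    print(transfer_unprotected(forged_request(sid)))    # succeeds: this is the CSRF
    print(transfer_protected(forged_request(sid)))      # rejected: no token
    print(transfer_protected(legitimate_request(sid)))  # succeeds
```

The token is compared with hmac.compare_digest so that a wrong guess takes the same time as a near miss. The Origin check is deliberately the second layer, not the first: browsers omit the header in some cases, so a request without it is allowed through to the token check rather than rejected outright.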
4. Email Header Injection
Email Header Injection occurs when an application builds an email message from user input, for example the "subject" field of a contact form, and does not escape the newline character in that field. If the subject is not checked for newlines and a user submits the subject "hello\ncc:spamvictim@example.com", the generated message begins:
Subject: hello
cc: spamvictim@example.com
The attacker has thus added a header of their own through the subject field, and can use the site's mail server to send mail to recipients of their choosing.
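As an added example (not code from the original article), the snippet below reproduces the injection above with a naive header builder, parses the result the way a mail transfer agent would, and then shows the hardened builder that refuses any subject containing a CR or LF. The addresses and the minimal parser are constructed for the illustration.

```python
# Constructed attacker input: the subject from the section above, with the newline written out.
INJECTED_SUBJECT = "hello\ncc: spamvictim@example.com"


def build_headers_unsafe(to_addr: str, subject: str) -> str:
    """Vulnerable: the user-supplied subject is copied into the header block verbatim."""
    return f"To: {to_addr}\r\nSubject: {subject}\r\n"


def build_headers_safe(to_addr: str, subject: str) -> str:
    """Hardened: a header value may never contain a line break, so reject CR and LF outright.

    Run this on the decoded value: a %0A in a URL-encoded form field is a newline by the time
    the application sees it."""
    if "\r" in subject or "\n" in subject:
        raise ValueError("header injection attempt: line break in subject")
    return f"To: {to_addr}\r\nSubject: {subject}\r\n"


def parse_headers(block: str) -> dict[str, str]:
    """Minimal header parser standing in for the mail server: one 'Name: value' per line."""
    headers: dict[str, str] = {}
    for line in block.splitlines():  # splits on CRLF and on a bare LF, as the injection relies on
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def accepts_subject(subject: str) -> bool:
    """True if the hardened builder lets this subject through."""
    try:
        build_headers_safe("victim@example.com", subject)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    raw = build_headers_unsafe("victim@example.com", INJECTED_SUBJECT)
    print(raw)
    print(parse_headers(raw))                 # now carries an attacker-controlled 'cc'
    print(accepts_subject("hello"))           # True
    print(accepts_subject(INJECTED_SUBJECT))  # False
```

Rejecting the input is preferable to silently stripping the line breaks: stripping hides the attempt from the logs, and a subject with a newline in it is never legitimate user intent. A real mail library's header API should still be used rather than string concatenation, with this check applied before the value reaches it.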
5. Directory Traversal
(1) What is directory traversal?
An attacker uses path components such as "../" or "./" in a request to step outside the directory the application meant to serve from and read (or write) files elsewhere on the server. The attack works when the application takes a file name or path from the URL and uses it directly, without escaping or filtering the "../" and "./" sequences.
(2) Prevention
Configure the web server so that only the intended directories are readable by the application, and in application code validate every user-supplied file path: decode it, normalise it, and confirm that the result still lies inside the permitted directory before opening it.
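The following is an added example, not code from the original article, of the path check just described. It contrasts a resolver that simply joins the request path onto the document root with one that decodes once, rejects absolute paths and forbidden characters, normalises, and then verifies the result is still under the root. The document root and the request strings are constructed; no file is actually opened.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/static"  # hypothetical document root; nothing is read from disk


def resolve_unsafe(web_root: str, requested: str) -> str:
    """Vulnerable: decodes the URL path and joins it without checking where it ends up."""
    return posixpath.normpath(posixpath.join(web_root, unquote(requested)))


def resolve_safe(web_root: str, requested: str) -> str:
    """Hardened: decode once, reject dangerous input, normalise, then confirm the result is
    still under the web root. Raises ValueError for anything that is not."""
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError(f"forbidden character in path: {requested!r}")
    if decoded.startswith("/"):
        raise ValueError(f"absolute path not allowed: {requested!r}")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # The decisive check is component-wise, not a string prefix test, so a sibling directory
    # such as /var/www/static_evil cannot pass as a child of /var/www/static.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes web root: {requested!r}")
    return candidate


def is_allowed(web_root: str, requested: str) -> bool:
    """Convenience wrapper: True if resolve_safe accepts the request."""
    try:
        resolve_safe(web_root, requested)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: two benign, the rest hostile.
    for req in ["css/site.css", "./index.html", "../../etc/passwd",
                "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "/etc/passwd",
                "css/../../secret.conf", "index.html%00.jpg"]:
        print(f"{req!r:40} unsafe -> {resolve_unsafe(WEB_ROOT, req):28} "
              f"allowed={is_allowed(WEB_ROOT, req)}")
```

normpath is a purely lexical operation, which is what makes the example deterministic; on a real filesystem the same check should be made against os.path.realpath of the candidate as well, so that a symbolic link inside the web root pointing outside it is caught too. The decode step runs exactly once on purpose: decoding twice would turn a double-encoded "%252e%252e" back into "..", after the check.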
6. Exposed error messages
(1) What is the threat?
Default error pages such as the server's or framework's 404 and 500 pages, and unhandled exceptions that pass a raw error string from the database or framework straight to the user, reveal internal details (software versions, file paths, query text, host names) that help an attacker plan the next step.
(2) Prevention
Catch every error and return a generic page to the user, while writing the full detail to a server-side log that the administrator can consult.
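As an added example (not code from the original article), the handler below implements that split: the exception's type, message and stack trace go to the server-side log under a short reference id, and the user receives only a generic 404 or 500 body carrying that id. The request paths, the revealing database message and the file path are all constructed for the illustration.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")

# What the user is allowed to see: no stack, no paths, no query text, no host names.
GENERIC_BODIES = {
    404: "Page not found.",
    500: "An internal error occurred. Reference: {ref}",
}


def handle_error(exc: Exception, debug: bool = False) -> tuple[int, str]:
    """Map an exception to (status, response body).

    Full detail is written to the server-side log under a reference id the user can quote
    to support; the response itself carries only the generic message."""
    status = 404 if isinstance(exc, FileNotFoundError) else 500
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("ref=%s status=%d\n%s", ref, status, detail)
    if debug:
        # Development only: this raw message is exactly what must never reach a production user.
        return status, f"{type(exc).__name__}: {exc}"
    return status, GENERIC_BODIES[status].format(ref=ref)


def simulate_request(path: str, debug: bool = False) -> tuple[int, str]:
    """Constructed request handler with two failure paths that raise revealing exceptions."""
    try:
        if path == "/report":
            # Constructed message of the kind a database driver emits.
            raise RuntimeError(
                "could not connect to db-master.internal:5432: "
                "password authentication failed for user 'app'"
            )
        if path == "/old-page":
            raise FileNotFoundError("/srv/app/templates/old-page.html")
        return 200, "ok"
    except Exception as exc:  # the outermost handler must catch everything
        return handle_error(exc, debug=debug)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(simulate_request("/report"))
    print(simulate_request("/old-page"))
    print(simulate_request("/report", debug=True))
```

The reference id is what makes the generic page usable in practice: the user reports it, and the administrator finds the matching log line with the complete trace. The debug flag should be driven by deployment configuration, never by anything in the request, since an attacker who can turn it on gets every detail the generic page was hiding.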