Classification of software security errors
- Input Validation and Representation
- API Abuse
- Security Features
- Time and State
- Errors
- Code Quality
- Encapsulation
1 Input Validation and Representation
Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Trusting input leads to security problems. The issues include buffer overflows, cross-site scripting attacks, SQL injection and many others.
Category | Scan item |
---|---|
Input Validation and Representation | Buffer Overflow |
Input Validation and Representation | Command Injection |
Input Validation and Representation | Cross-Site Scripting |
Input Validation and Representation | Format String |
Input Validation and Representation | HTTP Response Splitting |
Input Validation and Representation | Illegal Pointer Value |
Input Validation and Representation | Integer Overflow |
Input Validation and Representation | Log Forging |
Input Validation and Representation | Path Manipulation |
Input Validation and Representation | Process Control |
Input Validation and Representation | Resource Injection |
Input Validation and Representation | Setting Manipulation |
Input Validation and Representation | SQL Injection |
Input Validation and Representation | String Termination Error |
Input Validation and Representation | Struts: Duplicate Validation Forms |
Input Validation and Representation | Struts: Form Bean Does Not Extend Validation Class |
Input Validation and Representation | Struts: Form Field Without Validator |
Input Validation and Representation | Struts: Plug-in Framework Not In Use |
Input Validation and Representation | Struts: Unused Validation Form |
Input Validation and Representation | Struts: Unvalidated Action Form |
Input Validation and Representation | Struts: Validator Turned Off |
Input Validation and Representation | Struts: Validator Without Form Field |
Input Validation and Representation | Unsafe JNI |
Input Validation and Representation | Unsafe Reflection |
Input Validation and Representation | XML Validation |
2 API Abuse
Category | Scan item |
---|---|
API Abuse | Dangerous Function |
API Abuse | Directory Restriction |
API Abuse | Heap Inspection |
API Abuse | J2EE Bad Practices: getConnection() |
API Abuse | J2EE Bad Practices: Sockets |
API Abuse | Often Misused: Authentication |
API Abuse | Often Misused: Exception Handling |
API Abuse | Often Misused: File System |
API Abuse | Often Misused: Privilege Management |
API Abuse | Often Misused: Strings |
API Abuse | Unchecked Return Value |
3 Security Features
Category | Scan item |
---|---|
Security Features | Insecure Randomness |
Security Features | Least Privilege Violation |
Security Features | Missing Access Control |
Security Features | Password Management |
Security Features | Password Management: Empty Password in Config File |
Security Features | Password Management: Hard-Coded Password |
Security Features | Password Management: Password in Config File |
Security Features | Password Management: Weak Cryptography |
Security Features | Privacy Violation |
4 Time and State
Category | Scan item |
---|---|
Time and State | Deadlock |
Time and State | Failure to Begin a New Session upon Authentication |
Time and State | File Access Race Condition: TOCTOU |
Time and State | Insecure Temporary File |
Time and State | J2EE Bad Practices: System.exit() |
Time and State | J2EE Bad Practices: Threads |
Time and State | Signal Handling Race Conditions |
5 Errors
Category | Scan item |
---|---|
Errors | Catch NullPointerException |
Errors | Empty Catch Block |
Errors | Overly-Broad Catch Block |
Errors | Overly-Broad Throws Declaration |
6 Code Quality
Category | Scan item |
---|---|
Code Quality | Double Free |
Code Quality | Inconsistent Implementations |
Code Quality | Memory Leak |
Code Quality | Null Dereference |
Code Quality | Obsolete |
Code Quality | Undefined Behavior |
Code Quality | Uninitialized Variable |
Code Quality | Unreleased Resource |
Code Quality | Use After Free |
7 Encapsulation
Category | Scan item |
---|---|
Encapsulation | Comparing Classes by Name |
Encapsulation | Data Leaking Between Users |
Encapsulation | Leftover Debug Code |
Encapsulation | Mobile Code: Object Hijack |
Encapsulation | Mobile Code: Use of Inner Class |
Encapsulation | Mobile Code: Non-Final Public Field |
Encapsulation | Private Array-Typed Field Returned From a Public Method |
Encapsulation | Public Data Assigned to Private Array-Typed Field |
Encapsulation | System Information Leak |
Encapsulation | Trust Boundary Violation |
Reposted from: https://blog.51cto/huaweicainiao/2328458