Application and Data Vulnerabilities and Attacks
Vocabulary
| English | Chinese | Pinyin |
|---|---|---|
| injection attack | 注入攻击 | zhù rù gōng jī |
| data validation | 数据验证 | shù jù yàn zhèng |
| SQL injection | 数据库注入 | shù jù kù zhù rù |
| cross-site scripting | 跨站脚本 | kuà zhàn jiǎo běn |
| buffer overflow | 缓冲区溢出 | huǎn chōng qū yì chū |
| buffer | 缓冲区 | huǎn chōng qū |
| directory traversal | 目录遍历 | mù lù biàn lì |
Bad input is the danger
- When a program does not check input, an adversary slips in commands — an injection attack 注入攻击.
- Data validation 数据验证 (checking input meets rules) is the defense.
- Unencrypted files and over-broad admin rights add more risk.
SQL injection and XSS
- SQL injection 数据库注入: SQL commands in an input field read or change a database.
- Cross-site scripting (XSS) 跨站脚本: injected script runs in another user's browser.
- Both come from trusting unchecked user input.
Explore
Identify the application attack from the evidence
SQL injection shows OR 1=1; XSS shows