Preface
This page is continuously updated with the English words and phrases I looked up while working through the Web Security Academy material.
XXE
What is XXE (XML external entity) injection? Tutorial & Examples
What is a blind XXE attack? Tutorial & Examples
| Term | Meaning |
| --- | --- |
| interfere | interfere; meddle with |
| escalate | escalate; intensify |
| underlying server | the underlying (back-end) server |
| arbitrary | arbitrary; random; high-handed |
| induced | induced; provoked |
| input validation | input validation |
| ampersand | the & symbol (the sign for "and") |
| newline characters | newline characters (line breaks) |
| parsers | parsers |
| repurposing | repurposing; readapting |
| loophole | loophole; vulnerability |
| language specification | language specification; spec; standard; detailed description |
| This is actually quite straightforward | easy |
| enumerate | enumerate; list one by one |
| hidden attack surface | hidden attack surface |
| PARAMETRIC ENTITIES | parameterized (parameter) entities |
SQL
What is SQL Injection? Tutorial & Examples
| Term | Meaning |
| --- | --- |
| Subverting | subverting; overturning |
| Retrieving | retrieving; fetching |
| double-dash | double dash (--) |
| comment indicator | comment marker |
| sql clauses | SQL clauses (FROM, WHERE, and so on) |
| incrementing | incrementing |
| order | ordering; sorting |
| concatenating | concatenating; joining in series |
| ideally | ideally; preferably |
| permutations | permutations; arrangements |
| offsets | offsets |
| Inducing | inducing; provoking |
| showing for | displaying |
| asynchronously | asynchronously |
| egress | leaving; going out (outbound) |
| more sophisticated than | more complex than |
| Batched | batch processing |
| stacked | stacked |
| feat | feat; remarkable achievement |
| adamant | adamant; unyielding |
| unanimous | unanimous |
| inherent vulnerabilities | inherent vulnerabilities |
| robust | robust |
| At least in part | at least to some degree |
| an integral aspect of | an important (essential) aspect of |
Authentication
Vulnerabilities in password-based login
| Term | Meaning |
| --- | --- |
| system of trial | trial-and-error system |
| dedicated tools | dedicated (special-purpose) tools |
| fine-tune | fine-tune; make small adjustments |
| educated guesses | well-founded guesses |
| conform | conform; comply |
| creep in | creep in; appear unnoticed |
| deviate | deviate; depart from; go against |
| full stop | period (the punctuation mark) |
| in quick succession | one after another in rapid sequence |
| at regular intervals | periodically; at fixed intervals |
| macro | macro |
| credential stuffing attacks | credential stuffing attacks |
| HSTS | HTTP Strict Transport Security |
| As the token consists exclusively of static values | exclusively; entirely |
| mandatory | mandatory; compulsory |
| two-factor authentication | 2FA |
| simultaneously | simultaneously; at the same time |
| fraudulently obtains a SIM | obtains a SIM card by fraud |
| whatsoever | regardless; at all |
| It is a given | means that something is obvious |
| inboxes | inboxes |
| rendered version | rendered version |
| from scratch | from scratch; from zero |
OAuth
OAuth 2.0 authentication vulnerabilities
| Term | Meaning |
| --- | --- |
| namely a client application | namely; that is to say |
| The user is prompted to log in | prompted |
| explicitly give their consent for the requested access. | explicitly; consent |
| The OAuth grant type | grant; authorization |
| onward | continuing; forward |
| arguably | arguably; it can be argued; by rights |
| endpoint mapping | endpoint mapping |
| Mandatory | mandatory; compulsory |
| evolved into | evolved into |
| a means of | a way (means) of |
| battle-hardened | battle-tested; proven in real-world use |
| discrepancies | discrepancies; differences |
| audit | audit |
| to elicit a redirect | elicit; draw out; induce |
| In addition to open redirects | in addition to; besides |
| but this isn’t always the case | but this is not always the case |
| OpenID Connect slots neatly into the normal OAuth flows | slots into: inserts, fits, plugs into; neatly: cleanly, deftly, smoothly |
| Up to this point | up to now; so far |
| elicit | elicit; draw out; induce |
| Wherever possible | wherever possible; as far as possible |
| unwittingly | unwittingly; unknowingly |
Directory traversal
What is directory traversal, and how to prevent it?
| Term | Meaning |
| --- | --- |
| circumvent | circumvent; evade |
| spell out how to prevent path traversal vulnerabilities. | spell out; explain clearly |
| consecutive | consecutive |
| step up | step up; increase; raise |
| nested traversal sequences | nested |
| superfluous | superfluous; redundant |
| canonicalize | canonicalize; normalize |
Insecure deserialization
Insecure deserialization
| Term | Meaning |
| --- | --- |
| into a “flatter” format | flatter |
| eventuality | eventuality: a possible (especially unpleasant) occurrence or outcome |
| passing data into a sink | sink (receiver) |
| gadget chains | gadget chains |
| tampering with the data | tampering; falsifying |
| At no point | never; at no time |
| snippet | snippet: a short piece of code; a small piece (of news, conversation, music, etc.) |
| Manually identifying gadget chains can be a fairly arduous process | arduous; laborious |
| off-the-shelf | off-the-shelf; ready-made |
| cumbersome | cumbersome; troublesome |
| single apostrophe | single apostrophe (') |
| masquerading | masquerading; disguising |
os-command-injection
os-command-injection
Business logic vulnerabilities
Business logic vulnerabilities
| Term | Meaning |
| --- | --- |
| exploit behavioral quirks | exploit quirks (peculiarities) of behavior |
| dictate | dictate; prescribe; direct |
| deviates | deviates |
| inadvertently | inadvertently; through carelessness |
| creep into an application | creep into; sneak into |
| imposed | imposed; enforced (rules, regulations) |
| lax | lax; slack |
| cautionary examples | cautionary; warning; admonitory |
| Inconsistent | inconsistent |
| When probing for logic flaws | probing; exploring; questioning closely |
| bizarre application behavior | bizarre; extremely strange; unusual |
| hit the $1000 threshold | threshold |
| it no longer satisfies the intended criteria | the intended criteria (the expected standards) |
information-disclosure
| Term | Meaning |
| --- | --- |
| in a normal fashion | in a normal manner |
| tunnel vision | narrow-mindedness (lit. "a frog at the bottom of a well") |
| Verbose | verbose; wordy |
| devised | devised; designed |
| access controls are applied programmatically with reference to this matrix | with reference to; according to |
| Discretionary access control | discretionary: at one's own discretion; left to one's judgment |
| assign or delegate | assign or delegate |
| This model is highly granular | this model is highly granular (fine-grained; made up of granules) |
| object subject | object; subject |
| purchase clerk | purchasing clerk (clerk: office worker, bookkeeper, scribe) |
| rigorous front-end controls | rigorous (strict) front-end controls |
| onward attacks | onward (follow-on, forwarded) attacks |
SSRF
What is SSRF (Server-side request forgery)?
Cracking the lens: targeting HTTP’s hidden attack-surface
| Term | Meaning |
| --- | --- |
| security posture | security posture (security state) |
| final octet of the IP | the last eight bits of the IP address |
| case variation. | case variation (upper/lower case) |
| The URL specification contains a number of features that are liable to be overlooked when implementing ad hoc parsing and validation of URLs: | features; specification; ad hoc: improvised, special-purpose, particular (the URL specification contains many features that are easily overlooked when URL parsing and validation are implemented ad hoc) |
| one-way nature | one-way nature |
| trivially | trivially; insignificantly; in an ordinary way |
| out-of-band (OAST) | out-of-band application security testing (OAST) |
| Another avenue for exploiting blind SSRF vulnerabilities | avenue: a street, a boulevard; a choice, an approach, a means |
| a lens of | |
| how to use malformed requests and esoteric headers to coax these systems | malformed; esoteric (obscure, hard to grasp); coax (cajole, persuade) |
| segregate | segregate; isolate |
| masquerade | masquerade; conceal; disguise |
| Amongst other things | among other things |
| impersonate | impersonate; pose as |
| testing each permutation separately | testing each permutation separately |
XSS
What is cross-site scripting (XSS) and how to prevent it?
| Term | Meaning |
| --- | --- |
| cursor | cursor |
| hash | # |
| angle brackets | angle brackets |
| pseudo-protocol | pseudo-protocol |
| enclosing the existing JavaScript | enclosing; containing |
| backslashes | backslashes |
| single quotes escaped | escaped |
| parentheses | parentheses (round brackets) |
| apostrophe | apostrophe |
| JavaScript template literals are string literals that allow embedded JavaScript expressions. The embedded expressions are evaluated and are normally concatenated into the surrounding text. Template literals are encapsulated in backticks (\`) instead of normal quotation marks ('), and embedded expressions are identified using the ${...} syntax. | Key terms: literal; embedded; string literal; evaluated; concatenated (joined together); encapsulated (enclosed, wrapped) |
| into | converting into |
| circumvented with sufficient ingenuity. | ingenuity; cleverness |
| colon | colon |
| double curly braces | double curly braces |
| arithmetic operator | arithmetic operator |
| subtraction operator | subtraction operator |
| mitigate against some common attacks. | mitigate; lessen |
| semicolons | semicolons |
| wildcards | wildcards |
| Dangling markup injection | dangling; hanging; suspended; swinging loosely |
| cutting-edge | cutting-edge; advanced |
CSRF
What is CSRF (Cross-site request forgery)
| Term | Meaning |
| --- | --- |
| caveats | caveats; points to note |
| pseudo-random | pseudo-random |
| which is inadvertently misspelled in the HTTP specification | inadvertently; misspelled; specification |
| prescribes | prescribes; stipulates; (of a doctor) prescribes |
| exacerbate | exacerbate; aggravate |
| Intranets | intranets (internal networks) |
Clickjacking
What is Clickjacking? Tutorial & Examples
| Term | Meaning |
| --- | --- |
| incorporation | incorporation; merging |
| overlaid | overlaid; covered over |
| overlap | overlap |
| opacity | opacity |
DOM-based vulnerabilities
DOM-based vulnerabilities
| Term | Meaning |
| --- | --- |
| hierarchical representation | hierarchical representation |
| caveats | caveats; points to note |
| defacement | defamation; slander |
| DOM clobbering | clobbering: hitting hard; beating; pounding |
WebSockets security vulnerabilities
Testing for WebSockets security vulnerabilities
| Term | Meaning |
| --- | --- |
| full duplex | full duplex |
| stale | (of a request) expired; stale, not fresh; (of air) stuffy; (of a smell of smoke) unpleasant |
| masquerading | masquerading; disguising |
Server-side template injection
Server-side template injection
| Term | Meaning |
| --- | --- |
| volatile | volatile; unstable |
| template directives | template directives |
| stumbled across | stumbled across; discovered by chance |
| ruled out | ruled out; excluded |
Web cache poisoning
Web cache poisoning
| Term | Meaning |
| --- | --- |
| fixed amount | fixed amount |
| inextricably | inextricably; inseparably |
| indefinitely | indefinitely |
| how often the cache is purged | purged; cleared |
| rudimentary way | rudimentary method; basic way |
| tailor the attack | tailor (customize) the attack |
| discrepancy | discrepancy; difference |
| de facto standard | de facto standard |
| delimiter | delimiter; separator |
| gives precedence to | gives priority to |
| In select cases | in certain cases |
| pseudo-POST | pseudo; fake |
How to identify and exploit HTTP Host header vulnerabilities
| Term | Meaning |
| --- | --- |
| indent | indent; (also) an order, a requisition |
| intact | intact; undamaged; complete |
| albeit | albeit; although; even though |
request smuggling
What is HTTP request smuggling?
| Term | Meaning |
| --- | --- |
| chunked encoding | chunked encoding |
| departure | departure; leaving; setting out |