OWASP Top 10 vulnerabilities: principles, impact and remediation, covering Python/Java scenarios

| Vulnerability | Impact | Core defense |
|---|---|---|
| 🔴 Injection | RCE / data leakage | Parameterized queries |
| 🔴 XSS | Session hijacking | Escape output |
| 🔴 Broken authentication | Account takeover | Strong tokens + rate limiting |
| 🔴 Sensitive data exposure | Privacy breach | Encryption + data masking |
| 🔴 Broken access control | Unauthorized (privilege-escalating) operations | Server-side authorization |
| 🟡 Security misconfiguration | Information disclosure | Disable debug mode |
| 🟡 CSRF | Forged requests | Token validation |
| 🟡 Insecure deserialization | RCE | Disable dangerous interfaces |
| 🟡 SSRF | Internal network probing | URL allowlist |
| ⚪ Insufficient logging | No way to trace incidents | Complete audit trail |

| Vulnerability type | URI |
|---|---|
| Injection | skill://web-security-guide/references/injection.md |
| XSS | skill://web-security-guide/references/xss.md |
| Authentication and sessions | skill://web-security-guide/references/auth-session.md |
| Data exposure | skill://web-security-guide/references/data-exposure.md |
| Access control | skill://web-security-guide/references/access-control.md |
| Misconfiguration | skill://web-security-guide/references/security-config.md |
| CSRF | skill://web-security-guide/references/csrf.md |
| Deserialization | skill://web-security-guide/references/deserialization.md |
| SSRF | skill://web-security-guide/references/ssrf.md |
| Logging and monitoring | skill://web-security-guide/references/logging-monitoring.md |

💡 Use the cheat sheet to locate the problem first, then load the detailed reference document on demand.
Decide whether a reference needs to be loaded according to the IF-THEN rules in SKILL.md.