# Web Application Security: Black-Box Testing (Fortify) and White-Box Testing (Checkmarx)

## Severity Level: Critical

- [SQL Injection](https://hackmd.io/BS09BO0fTa2Ny9M8-e6G6A#SQL-Injection)
- [Poor Error Handling: Unhandled Exception](https://hackmd.io/BS09BO0fTa2Ny9M8-e6G6A#Poor-Error-Handling-Unhandled-Exception)

## Severity Level: High

- [Cross-Site Scripting: Reflected](/)
- [Reflected XSS All Clients](/)
- [Stored XSS](/)
- [Code Injection](/)

## Severity Level: Medium

- [Cross-Frame Scripting](/)
- [HTML5: Missing Content Security Policy](/)
- [HTML5: Overly Permissive Message Posting Policy](/)
- [HTML5: CORS Functionality Abuse](/)
- [Web Server Misconfiguration: Insecure Content-Type Setting](/)
- [Insecure Transport: HSTS not Set](/)
- [ASP.NET Misconfiguration: Missing Error Handling](/)
- [Compliance Failure: Missing Privacy Policy](/)
- [Cache Management: Headers](/)
- [Cache Management: Insecure Policy](/)
- [HTML5: Cross-Site Scripting Protection](/)
- [Web Server Misconfiguration: Server Error Message](/)
- [CSRF](/)
- [Reflected XSS Specific Clients](/)
- [Data Filter Injection](/)
- [Persistent Connection String](/)
- [Client Potential XSS](/)
- [Privacy Violation](/)
- [Insufficient Connection String Encryption](/)
- [Path Traversal](/)
- [Missing HSTS Header](/)
- [SSL Verification Bypass](/)
- [Often Misused: File Upload](/)

## Required Background

- [Content-Security-Policy (CSP)](/gjTpzeq7RDayKfzkUzZsrw)
- [Same-Origin Policy and Cross-Origin Resource Sharing (CORS)](https://medium.com/starbugs/%E5%BC%84%E6%87%82%E5%90%8C%E6%BA%90%E6%94%BF%E7%AD%96-same-origin-policy-%E8%88%87%E8%B7%A8%E7%B6%B2%E5%9F%9F-cors-e2e5c1a53a19)
- [HTTP status codes every front-end and back-end developer should know](https://www.explainthis.io/zh-hant/swe/http-status-code)

## References

1. [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
2. [MDN - HTTP headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
3. [ChatGPT - Checkmarx](https://chatgpt.com/g/g-q2PPHZ0T0-checkai)
4. [亂馬克 (rainmakerho)](https://rainmakerho.github.io/)