Understanding the common attack types, the ways attackers try to compromise systems, is the foundation for defending against them. The main categories include injection, XSS, CSRF, brute force, social engineering, DDoS, and more.
Web application attacks
INJECTION (SQL, command, etc.) → inject malicious code via input (manipulate queries/commands)
XSS (Cross-Site Scripting) → inject scripts that run in victims' browsers
CSRF (Cross-Site Request Forgery) → trick a logged-in user's browser into making unwanted requests (perform actions as them without consent)
BROKEN ACCESS CONTROL → access/modify what you're not authorized to (e.g. IDOR)
SSRF → trick the server into making requests it shouldn't
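The first two items above, injection and XSS, as an added example (this is illustrative code written for this page, not code from any project it describes). It builds a constructed in-memory SQLite table with made-up users, shows a login query assembled by string concatenation next to its parameterized form, and shows a profile page rendered with and without HTML escaping. Passwords are stored in plaintext only to keep the injection demo short; a real system stores password hashes.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not real data): two users, plaintext passwords for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, bio TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, bio) VALUES (?, ?, ?)",
        [
            ("alice", "correct-horse", "just a user"),
            ("admin", "hunter2", "site admin"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """SQL injection: user input is pasted into the SQL text, so quotes and comment
    markers in the input change the query's structure instead of being data."""
    query = (
        f"SELECT id, username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the SQL text is fixed and the driver binds the values
    separately, so 'admin' -- or ' OR '1'='1 is compared literally as a string."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def render_bio_vulnerable(bio: str) -> str:
    """Stored XSS: attacker-supplied text is emitted as raw HTML, so a <script>
    tag in the bio executes in every visitor's browser within the site's origin."""
    return f"<p>{bio}</p>"


def render_bio_safe(bio: str) -> str:
    """Context-aware output encoding for an HTML text node: < > & ' " become entities."""
    return f"<p>{html.escape(bio, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    # Comment out the password check: returns the admin row without knowing the password.
    print(login_vulnerable(db, "admin' --", "wrong"))
    print(login_safe(db, "admin' --", "wrong"))
    # Tautology in the password field: WHERE ... AND password = '' OR '1'='1' matches every row.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))
    print(login_safe(db, "nobody", "' OR '1'='1"))
    payload = "<script>alert(document.cookie)</script>"
    print(render_bio_vulnerable(payload))
    print(render_bio_safe(payload))
```

The same input reaches both versions; only the vulnerable ones let it change the query or the page structure. Escaping in `render_bio_safe` is correct for an HTML text node only; input placed into an attribute, a URL, or a script block needs the encoding for that context.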
Authentication/access attacks
BRUTE FORCE → try many passwords/keys until one works (rate-limit, lock out, MFA)
CREDENTIAL STUFFING → use leaked username/password pairs from other breaches
SESSION HIJACKING → steal session tokens/cookies to impersonate a user
PHISHING / SOCIAL ENGINEERING → trick people into revealing credentials/info (the human is often the weakest link)
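The brute-force and credential-stuffing items above, as an added example (illustrative code written for this page, not from any project). It runs over a constructed authentication log, tells the two patterns apart by how many distinct accounts one source IP fails against inside a time window, lists successful logins from a flagged source (the leaked pairs that actually worked and need a password reset), and computes the per-account lockout the page recommends. The log format, thresholds and the 80% "distinct accounts" heuristic are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): "timestamp source_ip username result".
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 alice FAIL
2024-05-01T10:00:02 198.51.100.7 alice FAIL
2024-05-01T10:00:03 198.51.100.7 alice FAIL
2024-05-01T10:00:04 198.51.100.7 alice FAIL
2024-05-01T10:00:05 198.51.100.7 alice FAIL
2024-05-01T10:00:06 198.51.100.7 alice FAIL
2024-05-01T10:01:00 203.0.113.9 bob FAIL
2024-05-01T10:01:01 203.0.113.9 carol FAIL
2024-05-01T10:01:02 203.0.113.9 dave FAIL
2024-05-01T10:01:03 203.0.113.9 erin FAIL
2024-05-01T10:01:04 203.0.113.9 frank OK
2024-05-01T10:01:05 203.0.113.9 grace FAIL
2024-05-01T10:02:00 192.0.2.5 bob FAIL
2024-05-01T10:02:30 192.0.2.5 bob OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the assumed 4-field log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def _max_failure_burst(fails: list, window: timedelta) -> list:
    """Largest run of failures whose timestamps all fit inside one window (sliding window)."""
    fails = sorted(fails, key=lambda e: e.ts)
    best, start = [], 0
    for end in range(len(fails)):
        while fails[end].ts - fails[start].ts > window:
            start += 1
        if end - start + 1 > len(best):
            best = fails[start:end + 1]
    return best


def classify_sources(events: list, window=timedelta(minutes=5), min_failures=5) -> dict:
    """Label each source IP whose failure burst reaches min_failures.
    Heuristic: every failure against one account -> brute force (password guessing);
    nearly every failure against a different account -> credential stuffing
    (one try per leaked username/password pair); anything else -> mixed."""
    by_ip = defaultdict(list)
    for e in events:
        if not e.ok:
            by_ip[e.ip].append(e)
    verdicts = {}
    for ip, fails in by_ip.items():
        burst = _max_failure_burst(fails, window)
        if len(burst) < min_failures:
            continue
        users = {e.user for e in burst}
        if len(users) == 1:
            verdicts[ip] = "brute_force"
        elif len(users) >= 0.8 * len(burst):
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "mixed"
    return verdicts


def compromised_logins(events: list, verdicts: dict) -> set:
    """Accounts that logged in successfully from a flagged source: the guessed or
    leaked password worked, so these need a reset and session revocation."""
    return {e.user for e in events if e.ok and e.ip in verdicts}


def accounts_to_lock(events: list, window=timedelta(minutes=5), max_failures=5) -> set:
    """Per-account lockout: any account with max_failures failures inside the window,
    regardless of source IP (brute force may be spread across many addresses)."""
    by_user = defaultdict(list)
    for e in events:
        if not e.ok:
            by_user[e.user].append(e)
    return {u for u, f in by_user.items()
            if len(_max_failure_burst(f, window)) >= max_failures}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    print(verdicts)
    print(compromised_logins(evs, verdicts))
    print(accounts_to_lock(evs))
```

Note that per-account lockout alone does not stop credential stuffing: each account sees only one failed attempt, so the signal has to come from the per-source view (or from the breached-password check and MFA the page recommends), while per-source rate limiting alone misses a brute force spread across many IPs, which is why the lockout here counts failures per account.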
