https://blog.xxchenchen.top/ Recent content on ChenOvo Hugo -- gohugo.io en-us ChenOvo Wed, 17 Jun 2026 12:21:29 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top1-broken-access-control%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E5%A4%B1%E6%95%88/ Wed, 17 Jun 2026 12:21:29 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top1-broken-access-control%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E5%A4%B1%E6%95%88/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Broken Access Control（访问控制失效）</strong> 仍然排在 <strong>A01，也就是第 1 位</strong>。它的意思很直接：系统没有正确限制“谁能访问什么、谁能执行什么操作”，结果就是用户能看到、修改、删除本不属于自己的数据，甚至越权拿到管理员能力。OWASP 给出的 2025 数据里，这一类问题覆盖了 <strong>100% 被测试应用</strong>，而且总出现次数非常高，说明它不是“高级漏洞”，而是最常见、最容易被遗漏的基础性问题。<br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/" target="_blank" rel="noopener" >OWASP A01:2025 Broken Access Control</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/01-%E8%8C%83%E5%9B%B4%E4%B8%8E%E6%8E%88%E6%9D%83/ Wed, 17 Jun 2026 11:35:32 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/01-%E8%8C%83%E5%9B%B4%E4%B8%8E%E6%8E%88%E6%9D%83/ <h1 id="范围与授权">范围与授权 </h1><ul> <li>明确授权域名、IP、子域、环境、API、账号、测试时间窗、禁止动作。</li> <li>区分 <code>in-scope</code>、<code>out-of-scope</code>、第三方资源、CDN、云厂商托管资产。</li> <li>记录证据来源、时间、请求方式、是否主动触达目标。 范围与授权 定义： 范围与授权是 Web 安全信息收集开始前必须确认的边界规则，用来说明哪些资产、环境、接口、账号和操作被允许，哪些资产、环境、接口、账号和操作不被允许。 作用： 作用是保证信息收集行为合法、可控、可复盘，避免把未授权资产、第三方服务、真实生产数据或敏感业务系统误当作测试目标。 实践： 实践时先拿到明确的授权说明，再确认域名、IP、子域、环境、API、账号、测试时间窗和禁止动作，并在收集过程中持续区分 <code>in-scope</code>、<code>out-of-scope</code>、第三方资源、CDN 资源和云厂商托管资产。</li> </ul> <p>授权域名 定义： 授权域名是指在测试授权中明确允许进行信息收集和安全测试的主域名、业务域名或指定站点域名，例如 <code>example.com</code>、<code>www.example.com</code>、<code>shop.example.com</code>。 作用： 作用是确定 Web 信息收集的起始边界，避免因为域名相似、品牌相似、历史归属相似而误测不属于授权范围的站点。 实践： 实践时记录授权域名列表，确认是否包含泛域名 <code>*.example.com</code>，确认是否排除某些高敏感子域或第三方托管域名，并把后续发现的新域名标记为已授权、未授权或待确认。</p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/20-%E8%BE%93%E5%87%BA%E7%89%A9/ Wed, 17 Jun 2026 11:20:56 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/20-%E8%BE%93%E5%87%BA%E7%89%A9/ <h1 id="输出物">输出物 </h1><ul> <li>资产表：域名、子域、IP、端口、服务、技术栈、环境、归属、状态。</li> <li>入口点表：URL、方法、参数、认证、角色、功能、风险备注。</li> <li>API 表：端点、版本、参数、认证、来源、是否文档化。</li> <li>架构图：用户端、CDN/WAF、反向代理、应用、API、存储、第三方。</li> <li>风险优先级：公开敏感信息、测试环境暴露、旧版本、管理后台、未授权 API、源码/配置泄露。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/12-api%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/ Wed, 17 Jun 2026 11:20:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/12-api%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/ <h1 id="api-信息收集">API 信息收集 </h1><ul> <li>OpenAPI/Swagger：<code>/swagger</code>、<code>/swagger.json</code>、<code>/openapi.json</code>、<code>/api-docs</code>、<code>/.well-known/schema-discovery</code>。</li> <li>API 类型：公开 API、合作伙伴 API、内部 API、移动端 API、BFF、GraphQL。</li> <li>目标：找全端点、参数、版本、认证方式、旧版本、废弃但仍可用接口。</li> <li>来源：前端 JS、移动 App 包、Postman Collection、GitHub、API 目录、历史快照。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/16-%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%E4%B8%8E%E8%B0%83%E8%AF%95%E9%9D%A2/ Wed, 17 Jun 2026 11:20:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/16-%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%E4%B8%8E%E8%B0%83%E8%AF%95%E9%9D%A2/ <h1 id="错误信息与调试面">错误信息与调试面 </h1><ul> <li>404/403/500 页面差异、栈追踪、调试页、SQL/NoSQL 错误、模板错误。</li> <li>框架默认错误页、请求 ID、Trace ID、内部主机名、内部路径、版本号。</li> <li>重定向响应体、异常 JSON、GraphQL Error、REST 错误格式。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/17-%E4%BB%A3%E7%A0%81%E4%BB%93%E5%BA%93%E4%B8%8E%E5%BC%80%E5%8F%91%E7%97%95%E8%BF%B9/ Wed, 17 Jun 2026 11:20:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/17-%E4%BB%A3%E7%A0%81%E4%BB%93%E5%BA%93%E4%B8%8E%E5%BC%80%E5%8F%91%E7%97%95%E8%BF%B9/ <h1 id="代码仓库与开发痕迹">代码仓库与开发痕迹 </h1><ul> <li>GitHub/GitLab/Gitee 搜索组织、项目名、域名、API Key、环境名。</li> <li><code>.git</code> 暴露、<code>.svn</code>、<code>.hg</code>、CI 配置、Dockerfile、Compose、K8s YAML。</li> <li>包管理文件：<code>package.json</code>、<code>pom.xml</code>、<code>requirements.txt</code>、<code>go.mod</code>。</li> <li>GitDorking 可作为 API 和敏感信息线索来源。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/13-%E6%A1%86%E6%9E%B6cms%E4%B8%8E%E7%BB%84%E4%BB%B6%E6%8C%87%E7%BA%B9/ Wed, 17 Jun 2026 11:20:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/13-%E6%A1%86%E6%9E%B6cms%E4%B8%8E%E7%BB%84%E4%BB%B6%E6%8C%87%E7%BA%B9/ <h1 id="框架cms-与组件指纹">框架、CMS 与组件指纹 </h1><ul> <li>Web 框架：Spring、Django、Flask、Laravel、Rails、Express、Next.js、Nuxt、ASP.NET。</li> <li>CMS：WordPress、Drupal、Joomla、Magento、Shopify、自研后台。</li> <li>指纹来源：HTTP 头、Cookie、HTML 源码、特定目录、文件扩展名、错误页。</li> <li>组件版本：JS 库、CSS 框架、后端框架、插件、主题、构建工具。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/19-%E7%A7%BB%E5%8A%A8%E7%AB%AF%E4%B8%8E%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%A1%A5%E5%85%85/ Wed, 17 Jun 2026 11:20:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/19-%E7%A7%BB%E5%8A%A8%E7%AB%AF%E4%B8%8E%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%A1%A5%E5%85%85/ <h1 id="移动端与客户端补充">移动端与客户端补充 </h1><ul> <li>Android/iOS 包中的 API Base URL、证书 Pinning 配置、第三方 SDK Key。</li> <li>小程序、桌面客户端、浏览器插件、Electron 应用中的接口和配置。</li> <li>WebView 与 H5 页面、深链、Universal Link、App Link。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/15-%E5%BA%94%E7%94%A8%E6%9E%B6%E6%9E%84%E8%AF%86%E5%88%AB/ Wed, 17 Jun 2026 11:20:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/15-%E5%BA%94%E7%94%A8%E6%9E%B6%E6%9E%84%E8%AF%86%E5%88%AB/ <h1 id="应用架构识别">应用架构识别 </h1><ul> <li>单体、微服务、Serverless、PaaS、容器、Kubernetes、API Gateway。</li> <li>静态资源存储：S3、Azure Blob、GCS、OSS、COS。</li> <li>第三方服务：支付、短信、邮件、风控、客服、统计、广告、地图、验证码。</li> <li>网络组件：反向代理、负载均衡、CDN、WAF、防火墙、IDS/IPS。</li> <li>架构映射覆盖 Web Server、PaaS、Serverless、微服务、静态存储、数据库、认证、第三方服务、反向代理、CDN、WAF 等。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/14-%E5%BA%94%E7%94%A8%E6%B5%81%E7%A8%8B%E4%B8%8E%E6%9D%83%E9%99%90%E9%9D%A2/ Wed, 17 Jun 2026 11:20:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/14-%E5%BA%94%E7%94%A8%E6%B5%81%E7%A8%8B%E4%B8%8E%E6%9D%83%E9%99%90%E9%9D%A2/ <h1 id="应用流程与权限面">应用流程与权限面 </h1><ul> <li>登录、注册、找回密码、改密、绑定 MFA、OAuth/OIDC/SAML。</li> <li>普通用户、管理员、商户、运营、客服、审核员等角色。</li> <li>业务流程：下单、支付、退款、提现、审批、邀请、上传、导出、消息通知。</li> <li>在测试前映射主要工作流和执行路径，否则无法形成完整测试覆盖。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/18-%E4%BA%91%E4%B8%8E%E5%AD%98%E5%82%A8%E8%B5%84%E4%BA%A7/ Wed, 17 Jun 2026 11:20:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/18-%E4%BA%91%E4%B8%8E%E5%AD%98%E5%82%A8%E8%B5%84%E4%BA%A7/ <h1 id="云与存储资产">云与存储资产 </h1><ul> <li>对象存储桶、CDN 源站、静态站点托管、镜像仓库、函数计算、API Gateway。</li> <li>云域名特征、Bucket 命名、公开读写、索引列表、备份文件、日志文件。</li> <li>IAM 线索、临时凭证、Access Key 暴露、预签名 URL。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/06-ip%E7%AB%AF%E5%8F%A3%E4%B8%8E%E6%9C%8D%E5%8A%A1/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/06-ip%E7%AB%AF%E5%8F%A3%E4%B8%8E%E6%9C%8D%E5%8A%A1/ <h1 id="ip端口与服务">IP、端口与服务 </h1><ul> <li>域名解析到 IP、历史解析 IP、同 IP 虚拟主机、反向 IP、旁站。</li> <li>标准端口：80、443。</li> <li>非标准 Web 端口：8080、8000、8443、9443、9000、5000、3000、7001、8081 等。</li> <li>Web 应用可能运行在任意 TCP 端口，服务识别可发现非标准 HTTP/HTTPS 服务。</li> <li>注意授权边界，端口扫描属于主动行为。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/07-webserver%E6%8C%87%E7%BA%B9/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/07-webserver%E6%8C%87%E7%BA%B9/ <h1 id="web-server-指纹">Web Server 指纹 </h1><ul> <li>识别 Nginx、Apache、IIS、Tomcat、Jetty、OpenResty、Caddy、Kestrel、Node.js 等。</li> <li>观察 <code>Server</code>、响应头顺序、默认错误页、状态码差异、TLS 行为。</li> <li>Web Server 指纹用于识别服务器类型和版本，从而判断是否存在已知版本风险。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/09-%E7%9B%AE%E5%BD%95%E8%B7%AF%E5%BE%84%E4%B8%8E%E6%96%87%E4%BB%B6%E6%9E%9A%E4%B8%BE/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/09-%E7%9B%AE%E5%BD%95%E8%B7%AF%E5%BE%84%E4%B8%8E%E6%96%87%E4%BB%B6%E6%9E%9A%E4%B8%BE/ <h1 id="目录路径与文件枚举">目录、路径与文件枚举 </h1><ul> <li>普通路径：<code>/admin</code>、<code>/login</code>、<code>/api</code>、<code>/upload</code>、<code>/backup</code>、<code>/debug</code>、<code>/test</code>。</li> <li>框架路径：<code>/wp-admin</code>、<code>/wp-content</code>、<code>/static</code>、<code>/assets</code>、<code>/vendor</code>。</li> <li>敏感文件：备份包、压缩包、日志、<code>.env</code>、配置文件、数据库导出、源码包。</li> <li>目录/文件结构、特定文件夹、文件扩展名、错误信息都可用于组件识别。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/03-%E6%90%9C%E7%B4%A2%E5%BC%95%E6%93%8E%E4%B8%8E%E5%85%AC%E5%BC%80%E7%B4%A2%E5%BC%95/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/03-%E6%90%9C%E7%B4%A2%E5%BC%95%E6%93%8E%E4%B8%8E%E5%85%AC%E5%BC%80%E7%B4%A2%E5%BC%95/ <h1 id="搜索引擎与公开索引">搜索引擎与公开索引 </h1><ul> <li>使用 Google、Bing、DuckDuckGo、Baidu、Common Crawl、Internet Archive、Censys、Shodan 等多个来源，因为不同搜索引擎索引结果不同。</li> <li>关注泄露类型：网络图、配置、管理员邮件、登录流程、用户名格式、密钥、云配置、错误信息、开发/测试/UAT/预发环境。</li> <li>常用搜索维度：<code>site:</code>、<code>inurl:</code>、<code>intitle:</code>、<code>intext:</code>、<code>filetype:</code>。</li> <li>历史页面：Wayback Machine、archive.ph、缓存页面、旧 sitemap、旧接口路径。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/10-%E9%A1%B5%E9%9D%A2%E6%BA%90%E7%A0%81%E4%B8%8E%E5%89%8D%E7%AB%AF%E6%B3%84%E9%9C%B2/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/10-%E9%A1%B5%E9%9D%A2%E6%BA%90%E7%A0%81%E4%B8%8E%E5%89%8D%E7%AB%AF%E6%B3%84%E9%9C%B2/ <h1 id="页面源码与前端泄露">页面源码与前端泄露 </h1><ul> <li>HTML 注释、隐藏字段、调试信息、SQL 片段、内部 IP、用户名、测试密码。</li> <li>JavaScript 中的 API 地址、GraphQL 地址、内部路由、云存储地址、API Key、Feature Flag。</li> <li>Source Map：<code>.js.map</code>、<code>.css.map</code>，可能还原前端源码和源码路径。</li> <li>审查 HTML 注释、元数据、JS 文件、Source Map、重定向响应体、生成文件元数据。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/11-%E5%BA%94%E7%94%A8%E5%85%A5%E5%8F%A3%E7%82%B9/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/11-%E5%BA%94%E7%94%A8%E5%85%A5%E5%8F%A3%E7%82%B9/ <h1 id="应用入口点">应用入口点 </h1><ul> <li>URL、路径参数、Query 参数、POST Body、JSON、XML、Multipart、Cookie、Header。</li> <li>隐藏表单字段、CSRF Token、状态字段、价格/数量字段、回调地址。</li> <li>HTTP 方法：GET、POST、PUT、PATCH、DELETE、OPTIONS。</li> <li>WebSocket、SSE、gRPC-Web、GraphQL、文件上传、下载、导出、导入。</li> <li>记录每个请求/响应、参数、认证状态、TLS、是否多步骤流程、是否 WebSocket。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/04-%E5%9F%9F%E5%90%8D%E4%B8%8Edns/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/04-%E5%9F%9F%E5%90%8D%E4%B8%8Edns/ <h1 id="域名与-dns">域名与 DNS </h1><ul> <li>根域、子域、泛解析、CNAME、A/AAAA、MX、TXT、NS、CAA、PTR。</li> <li>被动 DNS：公开 DNS、反查、搜索引擎、Passive DNS 数据库、证书透明度日志。</li> <li>主动 DNS：子域枚举、字典爆破、区域传送尝试、DNS 记录枚举。</li> <li>工具知识面：<code>dig</code>、<code>nslookup</code>、<code>host</code>、<code>amass</code>、<code>subfinder</code>、<code>dnsrecon</code>、<code>fierce</code>。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/08-%E5%85%83%E6%96%87%E4%BB%B6%E4%B8%8E%E7%88%AC%E8%99%AB%E6%96%87%E4%BB%B6/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/08-%E5%85%83%E6%96%87%E4%BB%B6%E4%B8%8E%E7%88%AC%E8%99%AB%E6%96%87%E4%BB%B6/ <h1 id="元文件与爬虫文件">元文件与爬虫文件 </h1><ul> <li><code>robots.txt</code>、<code>sitemap.xml</code>、<code>security.txt</code>、<code>humans.txt</code>、<code>.well-known/*</code>。</li> <li><code>robots.txt</code> 可能暴露隐藏路径，但不能当访问控制。</li> <li>页面 <code>meta</code> 标签、OpenGraph、Twitter Card、App ID、站点名、作者、生成器。</li> <li>公开 manifest：<code>manifest.json</code>、<code>asset-manifest.json</code>、<code>service-worker.js</code>。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/05-%E8%AF%81%E4%B9%A6%E4%B8%8Ect%E6%97%A5%E5%BF%97/ Wed, 17 Jun 2026 11:20:54 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/05-%E8%AF%81%E4%B9%A6%E4%B8%8Ect%E6%97%A5%E5%BF%97/ <h1 id="证书与-ct-日志">证书与 CT 日志 </h1><ul> <li>检查 TLS 证书的 CN、SAN、颁发机构、有效期、通配符证书。</li> <li>查 CT 日志发现 <code>dev</code>、<code>staging</code>、<code>test</code>、<code>admin</code>、<code>legacy</code>、隐藏子域。</li> <li>CT 日志可发现 DNS 区域传送、反查、搜索引擎无法直接发现的主机名，并要求验证归属和范围。</li> <li>可用来源：<code>crt.sh</code>、Censys、Google CT、Cloudflare CT、Cert Spotter 等。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/02-%E7%BB%84%E7%BB%87%E4%B8%8E%E8%B5%84%E4%BA%A7%E7%94%BB%E5%83%8F/ Wed, 17 Jun 2026 11:20:53 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/01-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/02-%E7%BB%84%E7%BB%87%E4%B8%8E%E8%B5%84%E4%BA%A7%E7%94%BB%E5%83%8F/ <h1 id="组织与资产画像">组织与资产画像 </h1><ul> <li>公司名、品牌、子公司、并购资产、旧品牌、海外站点。</li> <li>根域名、相关域名、拼写变体、国际化域名、历史域名。</li> <li>ASN、IP 段、云账号痕迹、CDN、托管平台、邮件服务、第三方 SaaS。</li> <li>公开文档、招聘 JD、技术博客、开发者文档、状态页、帮助中心、公告页。</li> </ul> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/02-http%E8%AF%B7%E6%B1%82/ Tue, 16 Jun 2026 18:58:11 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/02-http%E8%AF%B7%E6%B1%82/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/12-sql%E6%B3%A8%E5%85%A5/ Tue, 16 Jun 2026 18:58:11 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/12-sql%E6%B3%A8%E5%85%A5/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/15-ssrf/ Tue, 16 Jun 2026 18:58:11 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/15-ssrf/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/14-waf/ Tue, 16 Jun 2026 18:58:11 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/14-waf/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/13-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/ Tue, 16 Jun 2026 18:58:11 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/13-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/09-%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB/ Tue, 16 Jun 2026 18:58:11 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/09-%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/10-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/ Tue, 16 Jun 2026 18:58:11 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/10-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/17-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/ Tue, 16 Jun 2026 18:56:20 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/17-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/05-%E8%AE%A4%E8%AF%81%E4%B8%8E%E4%BC%9A%E8%AF%9D/ Tue, 16 Jun 2026 18:56:20 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/05-%E8%AE%A4%E8%AF%81%E4%B8%8E%E4%BC%9A%E8%AF%9D/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/08-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/ Tue, 16 Jun 2026 18:56:20 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/08-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/03-%E6%BA%90%E7%A0%81%E6%B3%84%E9%9C%B2%E4%B8%8E%E5%A4%87%E4%BB%BD%E6%96%87%E4%BB%B6/ Tue, 16 Jun 2026 18:56:20 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/03-%E6%BA%90%E7%A0%81%E6%B3%84%E9%9C%B2%E4%B8%8E%E5%A4%87%E4%BB%BD%E6%96%87%E4%BB%B6/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/06-%E8%B6%8A%E6%9D%83%E4%B8%8E%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6/ Tue, 16 Jun 2026 18:56:20 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/06-%E8%B6%8A%E6%9D%83%E4%B8%8E%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6/ https://blog.xxchenchen.top/wiki/ai%E5%AE%89%E5%85%A8/00-ai%E5%AE%89%E5%85%A8%E6%80%BB%E8%A7%88/ Tue, 16 Jun 2026 18:43:51 +0800 https://blog.xxchenchen.top/wiki/ai%E5%AE%89%E5%85%A8/00-ai%E5%AE%89%E5%85%A8%E6%80%BB%E8%A7%88/ <h1 id="ai安全总览">AI安全总览 </h1><p>当前 <code>AI安全</code> 作为一级分类，先收纳以下方向：</p> <ul> <li>大模型基础</li> <li>大模型攻击与防护</li> <li>RAG / MCP 安全</li> <li>LLM 应用安全</li> <li>Agent / Multi-Agent 安全相关</li> </ul> <h2 id="当前内容">当前内容 </h2><ul> <li><a class="link" href="%e5%9f%ba%e7%a1%80%e5%ad%a6%e4%b9%a0" >基础学习</a></li> <li><a class="link" href="https://blog.xxchenchen.top/wiki/AI%E5%AE%89%E5%85%A8/%E6%94%BB%E5%87%BB%E4%B8%8E%E5%8D%8F%E8%AE%AE%E5%AE%89%E5%85%A8/" >攻击与协议安全</a></li> <li><a class="link" href="%e5%ba%94%e7%94%a8%e5%ae%89%e5%85%a8" >应用安全</a></li> <li><a class="link" href="Agent" >Agent</a></li> </ul> <h2 id="后续可继续细分">后续可继续细分 </h2><p>你后面可以继续让我拆成例如：</p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/00-web%E5%AE%89%E5%85%A8%E6%80%BB%E8%A7%88/ Tue, 16 Jun 2026 18:41:55 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/00-web%E5%AE%89%E5%85%A8%E6%80%BB%E8%A7%88/ <h1 id="web安全总览">Web安全总览 </h1><p>当前 <code>Web安全</code> 作为一级分类，先收纳以下方向：</p> <ul> <li>OWASP Top 10</li> <li>常见 Web 漏洞</li> <li>Web 语言与框架</li> <li>Web CTF / 靶场 / 题解</li> </ul> <h2 id="当前内容入口">当前内容入口 </h2><ul> <li><a class="link" href="https://blog.xxchenchen.top/wiki/Web%E5%AE%89%E5%85%A8/OWASP%20Top%2010%202025/" >OWASP Top 10 2025</a></li> <li><a class="link" href="https://blog.xxchenchen.top/wiki/Web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/" >基础与漏洞</a></li> <li><a class="link" href="https://blog.xxchenchen.top/wiki/Web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/" >语言特性</a></li> <li><a class="link" href="%e4%b8%93%e9%a2%98%e6%a1%88%e4%be%8b" >专题案例</a></li> <li><a class="link" href="%e5%ae%9e%e6%88%98%e9%a2%98%e8%a7%a3" >实战题解</a></li> </ul> <h2 id="已明确归属到-web安全-的内容范围">已明确归属到 Web安全 的内容范围 </h2><ul> <li>SQL注入</li> <li>XSS</li> <li>SSRF</li> <li>XXE</li> <li>CSRF</li> <li>文件上传</li> <li>文件包含</li> <li>命令执行</li> <li>Webshell</li> <li>认证、鉴权、配置与日志问题</li> </ul> <h2 id="后续可继续细分">后续可继续细分 </h2><p>你后面可以继续让我拆成例如：</p> https://blog.xxchenchen.top/wiki/ai%E5%AE%89%E5%85%A8/%E6%94%BB%E5%87%BB%E4%B8%8E%E5%8D%8F%E8%AE%AE%E5%AE%89%E5%85%A8/rag%E6%8A%95%E6%AF%92%E4%B8%8Emcp%E5%8D%8F%E8%AE%AE%E5%AE%89%E5%85%A8/ Sun, 24 May 2026 16:04:45 +0800 https://blog.xxchenchen.top/wiki/ai%E5%AE%89%E5%85%A8/%E6%94%BB%E5%87%BB%E4%B8%8E%E5%8D%8F%E8%AE%AE%E5%AE%89%E5%85%A8/rag%E6%8A%95%E6%AF%92%E4%B8%8Emcp%E5%8D%8F%E8%AE%AE%E5%AE%89%E5%85%A8/ <h1 id="rag投毒与mcp协议安全">RAG投毒与MCP协议安全 </h1><blockquote> <p>适用范围：LLM 应用安全、Agent 安全、RAG 安全、工具调用安全<br> 整理日期：2026-05-24<br> 这篇笔记的目标：把 <strong>RAG投毒</strong> 和 <strong>MCP协议安全</strong> 这两个经常一起出现、但本质不同的概念彻底分开讲清楚。</p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top10-mishandling-of-exceptional-conditions%E5%A4%84%E7%90%86%E5%BC%82%E5%B8%B8%E6%83%85%E5%86%B5%E4%B8%8D%E5%BD%93/ Wed, 20 May 2026 12:33:47 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top10-mishandling-of-exceptional-conditions%E5%A4%84%E7%90%86%E5%BC%82%E5%B8%B8%E6%83%85%E5%86%B5%E4%B8%8D%E5%BD%93/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Mishandling of Exceptional Conditions</strong> 排在 <strong>A10，也就是第 10 位</strong>。这是 <strong>2025 新增的类别</strong>，它聚焦的是“异常条件处理不当”：系统在遇到缺参、空指针、权限不足、网络中断、资源耗尽、状态异常、事务中断、未预期输入时，没有正确地预防、识别和处理这些异常，最终进入不可预测状态，甚至直接 <strong>fail-open（失败时放行）</strong>。<br> 来源：<a class="link" href="https://owasp.org/Top10/2025/0x00_2025-Introduction/" target="_blank" rel="noopener" >OWASP Top 10:2025 Introduction</a><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A10_2025-Mishandling_of_Exceptional_Conditions/" target="_blank" rel="noopener" >A10:2025 Mishandling of Exceptional Conditions</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top7-authentication-failures%E8%BA%AB%E4%BB%BD%E9%AA%8C%E8%AF%81%E5%A4%B1%E8%B4%A5/ Wed, 20 May 2026 12:33:47 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top7-authentication-failures%E8%BA%AB%E4%BB%BD%E9%AA%8C%E8%AF%81%E5%A4%B1%E8%B4%A5/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Authentication Failures</strong> 排在 <strong>A07，也就是第 7 位</strong>。它和 2021 一样保持在第 7 位，只是名字从 “Identification and Authentication Failures” 略微调整为更直接的 “Authentication Failures”。它关注的是：系统把<strong>不该被当成合法用户的人，当成了合法身份</strong>，或者让攻击者过于容易地猜解、复用、接管、绕过身份认证。<br> 来源：<a class="link" href="https://owasp.org/Top10/2025/0x00_2025-Introduction/" target="_blank" rel="noopener" >OWASP Top 10:2025 Introduction</a><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/" target="_blank" rel="noopener" >A07:2025 Authentication Failures</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top8-software-or-data-integrity-failures%E8%BD%AF%E4%BB%B6%E6%88%96%E6%95%B0%E6%8D%AE%E5%AE%8C%E6%95%B4%E6%80%A7%E6%95%85%E9%9A%9C/ Wed, 20 May 2026 12:33:47 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top8-software-or-data-integrity-failures%E8%BD%AF%E4%BB%B6%E6%88%96%E6%95%B0%E6%8D%AE%E5%AE%8C%E6%95%B4%E6%80%A7%E6%95%85%E9%9A%9C/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Software or Data Integrity Failures</strong> 排在 <strong>A08，也就是第 8 位</strong>。它延续了 2021 的排名，只是名字做了轻微澄清。这个类别关注的是：系统<strong>没有验证软件、代码、更新包或数据对象的完整性，就直接把它们当成可信内容使用了</strong>。<br> 来源：<a class="link" href="https://owasp.org/Top10/2025/0x00_2025-Introduction/" target="_blank" rel="noopener" >OWASP Top 10:2025 Introduction</a><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A08_2025-Software_or_Data_Integrity_Failures/" target="_blank" rel="noopener" >A08:2025 Software or Data Integrity Failures</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top9-security-logging-and-alerting-failures%E5%AE%89%E5%85%A8%E6%97%A5%E5%BF%97%E8%AE%B0%E5%BD%95%E5%92%8C%E8%AD%A6%E6%8A%A5%E6%95%85%E9%9A%9C/ Wed, 20 May 2026 12:33:47 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top9-security-logging-and-alerting-failures%E5%AE%89%E5%85%A8%E6%97%A5%E5%BF%97%E8%AE%B0%E5%BD%95%E5%92%8C%E8%AD%A6%E6%8A%A5%E6%95%85%E9%9A%9C/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Security Logging and Alerting Failures</strong> 排在 <strong>A09，也就是第 9 位</strong>。它延续了 2021 的位置，但名字从 “Logging and Monitoring Failures” 调整成了更强调行动性的 “Logging and Alerting Failures”。OWASP 的意思很明确：<strong>光有日志不够，日志如果不能触发正确告警和响应，价值是很有限的。</strong><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/0x00_2025-Introduction/" target="_blank" rel="noopener" >OWASP Top 10:2025 Introduction</a><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A09_2025-Security_Logging_and_Alerting_Failures/" target="_blank" rel="noopener" >A09:2025 Security Logging and Alerting Failures</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top3-software-supply-chain-failureso%E8%BD%AF%E4%BB%B6%E4%BE%9B%E5%BA%94%E9%93%BE%E6%95%85%E9%9A%9C/ Wed, 20 May 2026 12:33:46 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top3-software-supply-chain-failureso%E8%BD%AF%E4%BB%B6%E4%BE%9B%E5%BA%94%E9%93%BE%E6%95%85%E9%9A%9C/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Software Supply Chain Failures</strong> 排在 <strong>A03，也就是第 3 位</strong>。它可以理解成“软件供应链失效”：风险不再只是“依赖里有漏洞”，而是从依赖、构建、仓库、IDE、CI/CD、制品、更新发布到生产部署的整条链路，只要有一个环节被投毒、失管、篡改或长期裸奔，最后都会变成你的应用风险。OWASP 在 2025 版里明确把它从 2021 年的 “Vulnerable and Outdated Components” 扩展成了更大的风险类别，说明现代软件最危险的地方之一，已经不是你自己写的业务代码，而是你信任的那整条开发与交付链。<br> 来源：<a class="link" href="https://owasp.org/Top10/2025/0x00_2025-Introduction/" target="_blank" rel="noopener" >OWASP Top 10:2025 Introduction</a><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/" target="_blank" rel="noopener" >A03:2025 Software Supply Chain Failures</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top4-cryptographic-failures%E5%AF%86%E7%A0%81%E5%AD%A6%E6%95%85%E9%9A%9C/ Wed, 20 May 2026 12:33:46 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top4-cryptographic-failures%E5%AF%86%E7%A0%81%E5%AD%A6%E6%95%85%E9%9A%9C/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Cryptographic Failures</strong> 排在 <strong>A04，也就是第 4 位</strong>。它从 2021 年的第 2 位下降到了第 4 位，但这不代表它不重要，而是说明其它系统性风险上升得更快。它关注的不是单纯“有没有加密”，而是更完整的一组问题：没加密、加密不够强、密钥管理差、随机数弱、证书校验错、模式用错、散列算法过时，都会落在这个类别里。<br> 来源：<a class="link" href="https://owasp.org/Top10/2025/0x00_2025-Introduction/" target="_blank" rel="noopener" >OWASP Top 10:2025 Introduction</a><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/" target="_blank" rel="noopener" >A04:2025 Cryptographic Failures</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top5-injection%E6%B3%A8%E5%85%A5/ Wed, 20 May 2026 12:33:46 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top5-injection%E6%B3%A8%E5%85%A5/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Injection</strong> 排在 <strong>A05，也就是第 5 位</strong>。它从 2021 年的第 3 位下降到了第 5 位，但依然是最经典、最常见、也最容易造成高危后果的一类漏洞。它的核心很简单：<strong>不可信输入进入了解释器，并被当成命令、语句或结构的一部分执行了</strong>。<br> 来源：<a class="link" href="https://owasp.org/Top10/2025/0x00_2025-Introduction/" target="_blank" rel="noopener" >OWASP Top 10:2025 Introduction</a><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A05_2025-Injection/" target="_blank" rel="noopener" >A05:2025 Injection</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top6-insecure-design%E4%B8%8D%E5%AE%89%E5%85%A8%E8%AE%BE%E8%AE%A1/ Wed, 20 May 2026 12:33:46 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top6-insecure-design%E4%B8%8D%E5%AE%89%E5%85%A8%E8%AE%BE%E8%AE%A1/ <p>在 <strong>OWASP Top 10:2025</strong> 里，<strong>Insecure Design</strong> 排在 <strong>A06，也就是第 6 位</strong>。它从 2021 年的第 4 位降到了第 6 位，但这并不代表它不关键。相反，OWASP 把它保留在榜单里，就是因为很多严重安全问题并不是“代码写错了”，而是<strong>从需求、流程、权限模型、业务状态机、租户隔离到失败状态设计，一开始就没有把安全控制设计进去</strong>。<br> 来源：<a class="link" href="https://owasp.org/Top10/2025/0x00_2025-Introduction/" target="_blank" rel="noopener" >OWASP Top 10:2025 Introduction</a><br> 来源：<a class="link" href="https://owasp.org/Top10/2025/A06_2025-Insecure_Design/" target="_blank" rel="noopener" >A06:2025 Insecure Design</a></p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/00-owasp-top-10-2025-%E6%80%BB%E8%A7%88%E4%B8%8E%E5%88%86%E6%9E%90/ Wed, 20 May 2026 12:28:39 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/00-owasp-top-10-2025-%E6%80%BB%E8%A7%88%E4%B8%8E%E5%88%86%E6%9E%90/ <h1 id="owasp-top-10-2025-总览与分析">OWASP Top 10 2025 总览与分析 </h1><h2 id="这份笔记适合怎么用">这份笔记适合怎么用 </h2><ul> <li>如果你是开发者：先看“怎么理解这份榜单”，再看每一项的“开发/排查重点”。</li> <li>如果你是安全测试人员：重点看每一项的“常见表现”和“检查点”。</li> <li>如果你是做安全治理：重点看“2025 版变化”和“落地建议”。</li> </ul> <hr> <h2 id="一owasp-top-10-2025-是什么">一、OWASP Top 10 2025 是什么 </h2><p>OWASP Top 10 是面向 Web 应用安全风险的高优先级清单。<br> 2025 版是第 8 次发布，官方说明它依旧是“数据驱动，但不盲从数据”的榜单：一部分来自大规模测试数据，一部分来自社区调查，用来补足那些“现实里很重要、但不容易被自动化工具统计出来”的风险。</p> https://blog.xxchenchen.top/p/qingcen%E9%9D%B6%E5%9C%BAweb%E5%85%A5%E9%97%A8wp-%E4%B8%8B/ Tue, 28 Apr 2026 15:34:32 +0800 https://blog.xxchenchen.top/p/qingcen%E9%9D%B6%E5%9C%BAweb%E5%85%A5%E9%97%A8wp-%E4%B8%8B/ <img src="https://blog.xxchenchen.top/img/qingcenctf-cover.svg" alt="Featured image of post QingCen靶场Web入门wp 下" /><h2 id="前言">前言 </h2><p>终于到最后了，累/(ㄒoㄒ)/~~</p> <h2 id="ezxss">EZXSS </h2><h3 id="ezxss-1">EZXSS </h3><h3 id="ezxss_1">EZXSS_1 </h3><h3 id="ezxss_2">EZXSS_2 </h3><h2 id="ezxxe">EZXXE </h2><h3 id="ezxxe-1">EZXXE </h3><h3 id="ezxxe_1">EZXXE_1 </h3><h3 id="ezxxe_2">EZXXE_2 </h3><h3 id="ezxxe_3">EZXXE_3 </h3><h2 id="ezssrf">EZSSRF </h2><h3 id="ezssrf-1">EZSSRF </h3><h3 id="ezssrf_1">EZSSRF_1 </h3><h3 id="ezssrf_2">EZSSRF_2 </h3><h3 id="ezssrf_3">EZSSRF_3 </h3><h3 id="ezssrf_4">EZSSRF_4 </h3><h3 id="ezssrf_5">EZSSRF_5 </h3><h3 id="ezssrf_6">EZSSRF_6 </h3><h2 id="ezjwt">EZJWT </h2><h3 id="ezjwt-1">EZJWT </h3><h3 id="ezjwt_1">EZJWT_1 </h3><h3 id="ezjwt_2">EZJWT_2 </h3><h2 id="ezpop">EZPOP </h2><h3 id="ezpop-1">EZPOP </h3><h3 id="ezpop_1">EZPOP_1 </h3><h3 id="ezpop_2">EZPOP_2 </h3><h3 id="ezpop_3">EZPOP_3 </h3><h3 id="ezpop_4">EZPOP_4 </h3><h3 id="ezpop_5">EZPOP_5 </h3><h3 id="ezpop_6">EZPOP_6 </h3><h3 id="ezpop_7">EZPOP_7 </h3><h3 id="ezpop_8">EZPOP_8 </h3> https://blog.xxchenchen.top/p/qingcen%E9%9D%B6%E5%9C%BAweb%E5%85%A5%E9%97%A8wp-%E4%B8%AD/ Tue, 28 Apr 2026 15:34:23 +0800 https://blog.xxchenchen.top/p/qingcen%E9%9D%B6%E5%9C%BAweb%E5%85%A5%E9%97%A8wp-%E4%B8%AD/ <img src="https://blog.xxchenchen.top/img/qingcenctf-cover.svg" alt="Featured image of post QingCen靶场Web入门wp-中" /><h2 id="前言">前言 </h2><p>继续~ 继续~ 鸽了好久</p> <h2 id="ezfl">EZFL </h2><h3 id="ezflphp-文件包含">EZFL(PHP 文件包含) </h3><p>访问靶机 <img src="https://cloudflare-imgbed.3285433461.workers.dev/file/1780064985077_fl_1.png" loading="lazy" decoding="async" alt="fl_1.png" > <br> 先随便点点，没有发现什么特殊交互和信息，看一下注释 发现两行特别注释</p> <p>第一条注释确认了后端使用 include($file) 进行文件包含<br> 第二条 Base64 解码后为：flag is in /flag.txt<br> <img src="https://cloudflare-imgbed.3285433461.workers.dev/file/1780064990744_fl_2.png" loading="lazy" decoding="async" alt="fl_2.png" > <br> <img src="https://cloudflare-imgbed.3285433461.workers.dev/file/1780064985043_fl_3.png" loading="lazy" decoding="async" alt="fl_3.png" > <br> 由于后端 include() 没有对 $file 做路径限制</p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top2-security-misconfiguration-%E5%AE%89%E5%85%A8%E9%85%8D%E7%BD%AE%E9%94%99%E8%AF%AF/ Mon, 27 Apr 2026 16:32:19 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/owasp-top-10-2025/top2-security-misconfiguration-%E5%AE%89%E5%85%A8%E9%85%8D%E7%BD%AE%E9%94%99%E8%AF%AF/ <p>Security Misconfiguration 可以翻成“安全配置错误”或“安全配置不当”。它不是某一个单点漏洞，而是一类问题：系统、应用、框架、云服务、数据库、Web 服务器、中间件明明能配得更安全，但实际部署时配错了、漏配了、保留了默认值，结果给攻击者留下入口。</p> https://blog.xxchenchen.top/wiki/ai%E5%AE%89%E5%85%A8/%E6%94%BB%E5%87%BB%E4%B8%8E%E5%8D%8F%E8%AE%AE%E5%AE%89%E5%85%A8/%E5%A4%A7%E6%A8%A1%E5%9E%8B%E6%8F%90%E7%A4%BA%E8%AF%8D%E6%B3%A8%E5%85%A5/ Tue, 14 Apr 2026 09:48:40 +0800 https://blog.xxchenchen.top/wiki/ai%E5%AE%89%E5%85%A8/%E6%94%BB%E5%87%BB%E4%B8%8E%E5%8D%8F%E8%AE%AE%E5%AE%89%E5%85%A8/%E5%A4%A7%E6%A8%A1%E5%9E%8B%E6%8F%90%E7%A4%BA%E8%AF%8D%E6%B3%A8%E5%85%A5/ <h1 id="大模型提示词注入">大模型提示词注入 </h1><blockquote> <p>来源视频：B站《AI安全之大模型提示词注入》<br> 分享人：Zero<br> 发布方：SecureNexusLab<br> 时长：约 47 分钟<br> 笔记定位：用于建立“大模型提示词注入”这一类 AI 安全问题的完整知识框架，便于后续继续补充案例与防护方案。</p> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/php/%E5%87%BD%E6%95%B0%E5%AD%A6%E4%B9%A0/ Mon, 13 Apr 2026 08:48:31 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/php/%E5%87%BD%E6%95%B0%E5%AD%A6%E4%B9%A0/ <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-PHP" data-lang="PHP"><span class="line"><span class="cl"><span class="nx">函数学习————substr</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">string</span> <span class="nx">substr</span> <span class="p">(</span> <span class="nx">string</span> <span class="nv">$string</span> <span class="p">,</span> <span class="nx">int</span> <span class="nv">$start</span> <span class="p">[,</span> <span class="nx">int</span> <span class="nv">$length</span> <span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nx">\</span><span class="c1">#返回字符串 string 由 start 和 length 参数指定的子字符串。 </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-PHP" data-lang="PHP"><span class="line"><span class="cl"><span class="nx">函数学习————intval</span> </span></span><span class="line"><span class="cl"><span class="nx">int</span> <span class="nx">intval</span><span class="p">(</span> <span class="nx">mixed</span> <span class="nv">$var</span><span class="p">[,</span> <span class="nx">int</span> <span class="nv">$base</span> <span class="o">=</span> <span class="mi">10</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nx">\</span><span class="c1">#通过使用指定的进制 base 转换（默认是十进制），返回变量 var 的 integer 数值。 </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-PHP" data-lang="PHP"><span class="line"><span class="cl"><span class="nx">函数学习————mt_srand</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="nx">void</span> <span class="nx">mt_srand</span><span class="p">([</span> <span class="nx">int</span> <span class="nv">$seed</span><span class="p">]</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nx">\</span><span class="c1">#用 seed 来给随机数发生器播种。 没有设定 seed 参数时，会被设为随时数。 </span></span></span><span class="line"><span class="cl"><span class="nx">\</span><span class="c1">#Note: 自 PHP 4.2.0 起，不再需要用 srand() 或 mt_srand() 给随机数发生器播种 </span></span></span><span class="line"><span class="cl"><span class="nx">\</span><span class="c1">#因为现在是由系统自动完成的。 </span></span></span></code></pre></td></tr></table> </div> </div> https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/07-csrf/ Mon, 13 Apr 2026 08:48:30 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/07-csrf/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/golang/ Mon, 13 Apr 2026 08:48:30 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/golang/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/java/ Mon, 13 Apr 2026 08:48:30 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/java/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/nodejs/ Mon, 13 Apr 2026 08:48:30 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/nodejs/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/python/ Mon, 13 Apr 2026 08:48:30 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E8%AF%AD%E8%A8%80%E7%89%B9%E6%80%A7/python/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/11-xss%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ Mon, 13 Apr 2026 08:48:30 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/11-xss%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/16-xxe/ Mon, 13 Apr 2026 08:48:30 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/16-xxe/ https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/04-%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/ Mon, 13 Apr 2026 08:48:30 +0800 https://blog.xxchenchen.top/wiki/web%E5%AE%89%E5%85%A8/%E5%9F%BA%E7%A1%80%E4%B8%8E%E6%BC%8F%E6%B4%9E/04-%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/ https://blog.xxchenchen.top/p/qingcen%E9%9D%B6%E5%9C%BAweb%E5%85%A5%E9%97%A8wp-%E4%B8%8A/ Tue, 07 Apr 2026 08:52:16 +0800 https://blog.xxchenchen.top/p/qingcen%E9%9D%B6%E5%9C%BAweb%E5%85%A5%E9%97%A8wp-%E4%B8%8A/ <img src="https://blog.xxchenchen.top/img/qingcenctf-cover.svg" alt="Featured image of post QingCen靶场Web入门wp-上" /><h2 id="前言">前言 </h2><p>最近一直在青岑靶场做web入门(菜到只能做这个)，今天分享一下自己的wp。(含ai成分)</p> <p>靶场地址：https://ctf.qingcen.net/</p> https://blog.xxchenchen.top/archives/ Tue, 28 May 2019 00:00:00 +0000 https://blog.xxchenchen.top/archives/ https://blog.xxchenchen.top/links/ Mon, 01 Jan 0001 00:00:00 +0000 https://blog.xxchenchen.top/links/ <p>To use this feature, add <code>links</code> section to frontmatter.</p> <p>This page&rsquo;s frontmatter:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">links</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">title</span><span class="p">:</span><span class="w"> </span><span class="l">GitHub</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l">GitHub is the world&#39;s largest software development platform.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">website</span><span class="p">:</span><span class="w"> </span><span class="l">https://github.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">title</span><span class="p">:</span><span class="w"> </span><span class="l">TypeScript</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l">TypeScript is a typed superset of JavaScript that compiles to plain JavaScript.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">website</span><span class="p">:</span><span class="w"> </span><span class="l">https://www.typescriptlang.org</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ts-logo-128.jpg</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><code>image</code> field accepts both local and external images.</p> https://blog.xxchenchen.top/search/ Mon, 01 Jan 0001 00:00:00 +0000 https://blog.xxchenchen.top/search/ https://blog.xxchenchen.top/%E5%85%B3%E4%BA%8E/ Mon, 01 Jan 0001 00:00:00 +0000 https://blog.xxchenchen.top/%E5%85%B3%E4%BA%8E/ <p>This is a test page for i18n support.</p>