
chore: add 2023 top10 docs Chinese translation #64

Open
wants to merge 3 commits into master

Conversation

hastings0714

add Chinese translation for 2023 top10 docs

@hastings0714
Author

#46


@donge donge left a comment


Thanks for the contribution


| 威胁因素/攻击向量 | 安全弱点 | 影响 |
| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| API特定:可利用性**2** | 普遍性**2**:可检测性**1** | 技术性**2**:业务特定 |
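Review bot: the rating label for "Prevalence" is translated inconsistently across the risk tables in this PR: 普遍性 here, 普及率 in the API6 table, and left as the English word "Prevalence" in the API9 table. The ten entries share one table template, so pick one term (普遍性 is the usual rendering of prevalence as a risk factor) and use it in every copy.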

@donge donge Feb 15, 2023


Compared with the original version, I think from Chinese best-practice translation:

Threat agents/Attack vectors --> 威胁因素/攻击向量 --> 威胁因素/攻击特征

API Specific --> API特定 -->API相关
Business Specific --> 业务特定 --> 业务相关

Author


done

@@ -0,0 +1,64 @@
API9:2023 库存管理不当

@donge donge Feb 15, 2023


Improper Inventory Management 库存管理不当 --> 资产管理不当

Author


done


| 威胁因素/攻击向量 | 安全漏洞 | 影响 |
| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| API特定: Exploitability 3 | Prevalence 3: Detectability 2 | 技术2: 业务特定 |
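Review bot: the second column header here is 安全漏洞, while the same column is 安全弱点 in the first risk table of this PR. "Security Weakness" should be rendered with one term throughout; 安全弱点 also keeps it distinct from 漏洞, which the documents use for "vulnerability".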


untranslated

Author


fixed

运行多个版本的API需要API提供者提供额外的管理资源,并扩展攻击面。

如果API具有“文档盲区”,则:
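Review bot: 运行多个版本的API需要API提供者提供额外的管理资源 repeats 提供 twice within five characters, which reads as a slip rather than as Chinese prose; 需要API提供方投入额外的管理资源 keeps the meaning and removes the echo.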



则: -> 例如:

Author


done

- 谁应该访问API的网络(例如公共,内部,合作伙伴)?
- 运行哪个API版本?
- 没有文档或现有文档未更新。
- 没有每个API版本的退役计划。


退役计划 -> 下线计划

Author


done

- 运行哪个API版本?
- 没有文档或现有文档未更新。
- 没有每个API版本的退役计划。
- 主机库存缺失或过时。


主机库存 -> 站点资产

Author


done

- 没有每个API版本的退役计划。
- 主机库存缺失或过时。

在发生第三方侧的违规事件时,敏感数据流的可见性和清单起着重要作用。


在发生第三方侧的违规事件时 ->
在由第三方引起的违规事件时

Author


done

| 威胁代理/攻击向量 | 安全漏洞 | 影响 |
| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| API特定: 可利用性**3** | 普及率**3**: 可检测性**1** | 技术**1**: 特定于业务 |
| 攻击通常涉及理解API的业务模型,找到敏感的业务流程,自动访问这些流程,对业务造成伤害。 | 分解后,攻击的每个请求都代表完全合法的请求,无法被识别为攻击。只有在考虑服务/应用程序业务逻辑时,才能识别攻击。 | 一般不会出现技术方面的影响。攻击可能会以不同的方式损害业务,例如:1. 防止合法用户购买产品;2. 导致游戏内部经济通货膨胀;3. 允许攻击者发送过多的消息/评论,轻松传播假新闻。 |
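Review bot: this table's header reads 威胁代理/攻击向量 and its impact cell 特定于业务, whereas the other risk tables in this PR use 威胁因素 and 业务特定 for the same English labels. Since every entry uses the same table template, the recurring labels should be identical in each copy; the row text itself (理解API的业务模型 ... 自动访问这些流程) is fine.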


分解后,攻击的每个请求都代表完全合法的请求,无法被识别为攻击。
-->
分解后的攻击,每个请求都代表完全合法的请求,无法被识别为攻击。

Author


done

一些保护机制更简单,而另一些则更难以实现。以下方法用于减缓自动化威胁:

- 设备指纹识别:拒绝未预期的客户端设备服务(例如无头浏览器)往往会使威胁参与者使用更复杂的解决方案,因此成本更高
- 人员检测:使用captcha或更高级的生物识别解决方案(例如打字模式)
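Review bot: in the first item, 拒绝未预期的客户端设备服务 parses as refusing the device's service rather than refusing service to the device; 拒绝为非预期的客户端设备(例如无头浏览器)提供服务 states the intended meaning. The same line calls the adversary 威胁参与者 while the risk tables use 威胁因素 for "threat agents"; one term should be used for both.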


人员检测 -> 真人检测
captcha -> 验证码
打字模式 -> 输入模式

Author


done

@@ -0,0 +1,68 @@
API5:2023 破损的功能级别授权


Broken Function -> 破损的功能 -> 损坏的功能

Author


done


一个API依赖于第三方服务来丰富用户提供的业务地址。当最终用户提供地址时,它被发送到第三方服务,并返回的数据然后存储在本地SQL启用的数据库中。

攻击者使用第三方服务来存储与他们创建的业务相关的SQLi负载。然后,他们攻击易受攻击的API,提供特定的输入,使其从第三方服务中提取他们的“恶意业务”。 SQLi负载最终由数据库执行,将数据外传到攻击者控制的服务器。
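Review bot: 并返回的数据然后存储在本地SQL启用的数据库中 is ungrammatical: 并 dangles after the comma, and SQL启用的数据库 is a word-for-word calque of "SQL-enabled database"; 返回的数据随后存入本地的SQL数据库 says the same thing in natural Chinese. In the second paragraph, 攻击易受攻击的API repeats 攻击; 针对存在漏洞的API avoids the echo.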


Chinese security engineers are not familiar with SQLi, as opposed to SQL injection.

SQLi -> SQL注入

Author


done


查找破损的功能级别授权问题的最佳方法是对授权机制进行深入分析,同时考虑用户层次结构、应用程序中的不同角色或组,并提出以下问题:

- 普通用户是否可以访问行政端点?


administrative endpoints --> 行政端点 --> 管理端点

Author


done

一个恶意的攻击者发出以下 API 请求,将其写入访问日志文件:

```
rubyCopy code


redundant text

Author


How would you suggest we improve this?


Discard rubyCopy code, it's not in the original text.

- 业务 - 确定可能会损害业务的业务流程,如果这些流程过度使用会造成危害。
- 工程 - 选择适当的保护机制来减轻业务风险。

一些保护机制更简单,而另一些则更难以实现。以下方法用于减缓自动化威胁:


lost indent

- 人员检测:使用captcha或更高级的生物识别解决方案(例如打字模式)
- 非人类模式:分析用户流以检测非人类模式(例如用户在不到一秒钟的时间内访问“添加到购物车”和“完成购买”功能)
- 考虑阻止Tor出口节点和知名代理的IP地址
- 安全和限制直接被机器使用的API(例如开发人员和B2B API)的访问。它们往往是攻击者的易目标,因为它们经常没有实施所有所需的保护机制。
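Review bot: in the last item, 易目标 is not a Chinese word; 容易得手的目标 is what "easy target" means here. The same item separates 限制 from 的访问 with a long parenthetical, so the verb and its object are hard to connect; 限制对直接由机器使用的API(例如开发人员和B2B API)的访问 keeps the parenthetical but makes the structure visible.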


安全和限制 --> 保护和限制 is better


| 威胁因素/攻击向量 | 安全漏洞 | 影响 |
| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| API特定: Exploitability 3 | Prevalence 3: Detectability 2 | 技术2: 业务特定 |


translation loss


运行多个版本的API需要API提供者提供额外的管理资源,并扩展攻击面。

如果API具有“文档盲区”,则:


logical error


### 场景 #1

一家社交网络实施了一个限制频率机制,阻止攻击者使用暴力破解猜测重置密码令牌。这个机制不是作为 API 代码本身的一部分实现的,而是在客户端和官方 API ([www.socialnetwork.com](http://www.socialnetwork.com/)) 之间的一个独立组件中实现的。一位研究人员发现了一个运行相同 API 的 beta API 主机 ([www.mbasic.beta.socialnetwork.com),包括重置密码机制,但限制频率机制没有实施。研究人员能够通过简单的暴力破解来猜测](http://www.mbasic.beta.socialnetwork.xn--com)%2C%2C-1f2mq6vcaa00yt81c8qa582goukyzfp0aea8510a8u7a6rvrx4bj89fhsyafqn.xn--gmq77g6pl6az5ndywp9af70a4wmbjiuneglg4wrzdd91aur6aj6uxkb/) 6 位数令牌,重置任何用户的密码。
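Review bot: the second markdown link is malformed. Its link text closes at the first ")" inside the host name, so the rest of the sentence (研究人员能够通过简单的暴力破解来猜测) has been swallowed into the link target, where it now appears as the xn-- punycode string. Write the beta host as plain text, www.mbasic.beta.socialnetwork.com, as the first link does with www.socialnetwork.com, and keep the sentence about guessing the 6 位数令牌 outside any link.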


wrong link

Author


The second link is just an example and is not a real link. The link in the original text is also incorrect.


## 如何预防

- 列出库存所有 API 主机并记录每个主机的重要方面,重点关注 API 环境 (例如生产、暂存、测试、开发)、谁应该访问主机 (例如公共、内部、合作伙伴) 和 API 版本。
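Review bot: 列出库存所有 API 主机 stacks two verbs; 清点所有 API 主机 is the natural rendering of "inventory all API hosts" and matches the 资产管理 wording suggested for the heading. 暂存 for "staging" is a storage term; 预发布 is the usual environment name in Chinese software documentation.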


The original text is underlined here

- 仅向有权使用 API 的人员提供 API 文档。
- 使用外部保护措施,例如针对所有公开版本的 API 的 API 安全专用解决方案,而不仅仅是当前的生产版本。
- 避免在非生产 API 部署中使用生产数据。如果无法避免,这些端点应该得到与生产端点相同的安全处理。


A list item is missing

@PauloASilva
Collaborator

Hi folks,
the 2023 version is just a release candidate (RC) and it is expected to change until its final version.

We should keep this PR on hold until we get the final 2023 version. Then you'll need to sync your branch with the source content. Only after that we can merge it.

Cheers,
Paulo A. Silva

@hastings0714
Author

Hi Paulo A. Silva,

Thank you for your message and for letting us know about the 2023 version. We understand that it is currently a release candidate and subject to change until the final version is released.

We will keep this pull request on hold until we have access to the final version, and will ensure that our branch is synced with the latest source content before merging any changes. We appreciate your guidance on this matter.

Also, we want to assure you that we will keep a close eye on any updates or changes to the project, and will update our documentation accordingly.

Thank you again for your collaboration.

Best regards,
Servicewall.

4 participants