Abstract: This paper studies how the environmental fault and states fault cause the security problems of Web application，and describes a taxonomy model using analytic hierarchy process for classifying security flaws of Web application.Then design an experiment to apply the taxonomy model to classify 152 security flaws from the CVE security flaw database，and compare the classification results with that of using EAI model to classify security flaws.The results of the experiment reveals that the taxonomy model is effective and applicable to the security testing and defending of Web-based application.

Key words: Web-based application, security flaw, taxonomy model

摘要： 研究了环境错误与状态错误引发Web应用软件安全问题的途径，在此基础上提出了一种用于进行Web应用软件安全漏洞分类的层次分析模型。使用该模型对CVE漏洞数据库中抽取的Web软件安全漏洞进行了分类，并与使用EAI模型分类的结果做了对比。评估结果表明，该模型具备良好的漏洞分类能力，适用于指导Web应用软件的安全测试和安全防御工作。

关键词: Web应用软件, 安全漏洞, 分类模型