OWAP Top 10


2013 Top 10 List

 

A1-Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile
data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2-Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys,
or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute
scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without
an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and
platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such
weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access
control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication
information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an
attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper
validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

A1–注入

注入攻击漏洞,例如SQL,OS以及 LDAP注入。这些攻击发生在当不可信的数据作为命令或

者查询语句的一部分,被发送给解释器的时候。攻击者发送的恶意数据可以欺骗解释器,

以执行计划外的命令或者在未被恰当授权时访问数据。

A2–失效的身份认证和会话管理

与身份认证和会话管理相关的应用程序功能往往得不到正确的实现,这就导致了攻击者破

坏密码、密匙、会话令牌或攻击其他的漏洞去冒充其他用户的身份。

A3–跨站脚本(XSS)

当应用程序收到含有不可信的数据,在没有进行适当的验证和转义的情况下,就将它发送

给一个网页浏览器,这就会产生跨站脚本攻击(简称XSS)。XSS允许攻击者在受害者的浏览

器上执行脚本,从而劫持用户会话、危害网站、或者将用户转向至恶意网站。

A4–
不安全的直接对象引用

?当开发人员暴露一个对内部实现对象的引用时,例如,一个文件、目录或者数据库密匙,

就会产生一个不安全的直接对象引用。在没有访问控制检测或其他保护时,攻击者会操控

这些引用去访问未授权数据。

A5–
安全配置错误

好的安全需要对应用程序、框架、应用程序服务器、web服务器、数据库服务器和平台定义

和执行安全配置。由于许多设置的默认值并不是安全的,因此,必须定义、实施和维护这

些设置。这包含了对所有的软件保持及时地更新,包括所有应用程序的库文件。

A6–
敏感信息泄漏

许多Web应用程序没有正确保护敏感数据,如信用卡,税务ID和身份验证凭据。攻击者可能

会窃取或篡改这些弱保护的数据以进行信用卡诈骗、身份窃取,或其他犯罪。敏感数据值

需额外的保护,比如在存放或在传输过程中的加密,以及在与浏览器交换时进行特殊的预

防措施。

A7–
功能级访问控制缺失

?大多数Web应用程序在功能在UI中可见以前,验证功能级别的访问权限。但是,应用程序需

要在每个功能被访问时在服务器端执行相同的访问控制检查。如果请求没有被验证,攻击

者能够伪造请求以在未经适当授权时访问功能。

A8–
跨站请求伪造 (CSRF)

一个跨站请求伪造攻击迫使登录用户的浏览器将伪造的HTTP请求,包括该用户的会话cookie

和其他认证信息,发送到一个存在漏洞的web应用程序。这就允许了攻击者迫使用户浏览器

向存在漏洞的应用程序发送请求,而这些请求会被应用程序认为是用户的合法请求。

A9–
使用含有已知漏洞的组件

组件,比如:库文件、框架和其它软件模块,几乎总是以全部的权限运行。如果一个带有

漏洞的组件被利用,这种攻击可以造成更为严重的数据丢失或服务器接管。应用程序使用

带有已知漏洞的组件会破坏应用程序防御系统,并使一系列可能的攻击和影响成为可能。

A10–
未验证的重定向和转发

Web应用程序经常将用户重定向和转发到其他网页和网站,并且利用不可信的数据去判定

目的页面。如果没有得到适当验证,攻击者可以重定向受害用户到钓鱼软件或恶意网站,

或者使用转发去访问未授权的页面。

时间: 2024-10-13 07:34:50

OWAP Top 10的相关文章

Top 10 Mistakes Java Developers Make(转)

文章列出了Java开发者最常犯的是个错误. 1.将数组转换为ArrayList 为了将数组转换为ArrayList,开发者经常会这样做: ? 1 List<String> list = Arrays.asList(arr); Arrays.asList()会返回一个ArrayList,但这个ArrayList是Arrays的私有静态类,不是java.util.ArrayList.java.util.Arrays.ArrayList有set(), get(), contains()方法,但没有任

Top 10 questions about Java Collections--reference

reference from:http://www.programcreek.com/2013/09/top-10-questions-for-java-collections/ The following are the most popular questions of Java collections asked and discussed on Stackoverflow. Before you look at those questions, it's a good idea to s

TOP 10开源的推荐系统简介

最近这两年推荐系统特别火,本文搜集整理了一些比较好的开源推荐系统,即有轻量级的适用于做研究的SVDFeature.LibMF.LibFM等,也有重量级的适用于工业系统的 Mahout.Oryx.EasyRecd等,供大家参考.PS:这里的top 10仅代表个人观点. #1.SVDFeature 主页:http://svdfeature.apexlab.org/wiki/Main_Page 语言:C++一个feature-based协同过滤和排序工具,由上海交大Apex实验室开发,代码质量较高.在

Top 10 Algorithms of 20th and 21st Century

Top 10 Algorithms of 20th and 21st Century MATH 595 (Section TTA) Fall 2014 TR 2:00 pm - 3:20 pm, Room 341 Altgeld HallUniversity of Illinois at Urbana-Champaign, Department of Mathematics Instructors : Yuliy Baryshnikov and Anil N. Hirani Schedule:I

Top 10 Mistakes Java Developers Make--reference

This list summarizes the top 10 mistakes that Java developers frequently make. #1. Convert Array to ArrayList To convert an array to an ArrayList, developers often do this: List<String> list = Arrays.asList(arr); Arrays.asList() will return an Array

Top 10 Methods for Java Arrays

作者:X Wang 出处:http://www.programcreek.com/2013/09/top-10-methods-for-java-arrays/ 转载文章,转载请注明作者和出处 The following are top 10 methods for Java Array. They are the most voted questions from stackoverflow. 0. Declare an array String[] aArray = new String[5

Top 10 Free Wireless Network hacking/monitoring tools for ethical hackers and businesses

There are lots of free tools available online to get easy access to the WiFi networks intended to help the network admins and the programmers working on the WiFi systems and we at Team Techworm have picked the top 10 of those for ethical hackers, pro

史上自定义 JavaScript 函数Top 10

史上自定义 JavaScript 函数Top 10 http://www.dustindiaz.com/top-ten-javascript/ 发布:wpulog | 发布时间: 2010年4月9日 10个被使用的最普遍的用户自定义函数,addEvent(),addLoadEvent(),getElementsByClass(),getCookie(),setCookie(), deleteCookie()等. 10) addEvent() function addEvent(elm, evTy

OWASP(Open Web Application Security Project) Top 10 for JavaScript

Injection Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing u