OWASP (Open Web Application Security Project) Top 10 for JavaScript
Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or
query. The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing unauthorized data.

Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and
sends it to a web browser without proper validation and escaping.
XSS allows attackers to execute scripts in the victim’s browser
which can hijack user sessions, deface web sites, or redirect the
user to malicious sites.
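An added Node.js example (not part of the OWASP text above): a minimal HTML escaper and a comment renderer shown once without escaping and once with it. The comment markup, the `renderComment*` names and the sample input are constructed for illustration.

```javascript
// Entity table for the characters that can change HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for insertion into HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted values are concatenated straight into the markup,
// so a value containing "<script>" becomes live script in the victim's browser.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Hardened: every untrusted value is escaped for the HTML context it lands in.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Constructed sample input of the kind the entry above describes.
const SAMPLE_TEXT = '<script>alert(1)</script>';

// True when the rendered markup still contains a script element. This is a
// check for tests and review, not a substitute for escaping.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderCommentUnsafe('guest', SAMPLE_TEXT)); // script tag survives
console.log(renderCommentSafe('guest', SAMPLE_TEXT));   // rendered as inert text
```

Escaping is context specific: a value placed into a JavaScript string, a URL or a CSS rule needs the encoder for that context, which is why a template engine with automatic, context-aware escaping is the usual central control.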

Broken Authentication and Session Management
Application functions related to authentication and session
management are often not implemented correctly, allowing attackers
to compromise passwords, keys, session tokens, or exploit other
implementation flaws to assume other users’ identities.

Insecure Direct Object References
A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file,
directory, or database key. Without an access control check or other
protection, attackers can manipulate these references to access
unauthorized data.

Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a
forged HTTP request, including the victim’s session cookie and any
other automatically included authentication information, to a
vulnerable web application. This allows the attacker to force the
victim’s browser to generate requests the vulnerable application
thinks are legitimate requests from the victim.

Security Misconfiguration
Good security requires having a secure configuration defined and
deployed for the application, frameworks, application server, web
server, database server, and platform. All these settings should be
defined, implemented, and maintained as many are not shipped with
secure defaults. This includes keeping all software up to date,
including all code libraries used by the application.

Insecure Cryptographic Storage
Many web applications do not properly protect sensitive data,
such as credit cards, SSNs, and authentication credentials, with
appropriate encryption or hashing. Attackers may steal or modify
such weakly protected data to conduct identity theft, credit card
fraud, or other crimes.

Failure to Restrict URL Access
Many web applications check URL access rights before rendering
protected links and buttons. However, applications need to perform
similar access control checks each time these pages are accessed, or
attackers will be able to forge URLs to access these hidden pages
anyway.

Insufficient Transport Layer Protection
Applications frequently fail to authenticate, encrypt, and
protect the confidentiality and integrity of sensitive network
traffic. When they do, they sometimes support weak algorithms, use
expired or invalid certificates, or do not use them correctly.

Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other
pages and websites, and use untrusted data to determine the
destination pages. Without proper validation, attackers can redirect
victims to phishing or malware sites, or use forwards to access
unauthorized pages.
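An added Node.js example (not from the OWASP text) of validating an untrusted redirect target before it is used: the value is parsed as a URL against the site's own origin, only HTTPS is accepted, and the resulting host must be on an allowlist. The origin and the allowlisted hosts are constructed for illustration.

```javascript
// Hosts that are legitimate redirect destinations (constructed allowlist).
const ALLOWED_HOSTS = new Set(['app.example.com', 'accounts.example.com']);
// Origin that relative paths such as "/dashboard" resolve against (constructed).
const SITE_ORIGIN = 'https://app.example.com';

// Return an absolute URL that is safe to place in a Location header, or the
// fallback when the untrusted value points anywhere else.
function safeRedirectTarget(input, fallback = SITE_ORIGIN + '/') {
  if (typeof input !== 'string' || input.trim() === '') return fallback;
  let url;
  try {
    // WHATWG parsing resolves relative paths against our origin and, like the
    // browser, treats "\" as "/", so "/\evil.example" resolves to host evil.example
    // and "//evil.example" to a protocol-relative URL; both fail the host check.
    url = new URL(input, SITE_ORIGIN);
  } catch {
    return fallback; // unparseable input
  }
  if (url.protocol !== 'https:') return fallback;        // rejects javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(url.hostname)) return fallback; // rejects look-alike and userinfo hosts
  return url.href;
}
```

When every legitimate destination is on the same site, returning only `url.pathname + url.search` and letting the server prepend its own origin is stricter still.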

Time: 2024-08-03 23:32:00
