As the title says, in 2010 the following areas need close attention:
A1 – Injection
• Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

A2 – Cross Site Scripting (XSS)
• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 – Broken Authentication and Session Management
• Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users’ identities.

A4 – Insecure Direct Object References
• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 – Cross Site Request Forgery (CSRF)
• A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A6 – Security Misconfiguration
• Security depends on having a secure configuration defined for the application, framework, web server, application server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults.

A7 – Failure to Restrict URL Access
• Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks when these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

A8 – Unvalidated Redirects and Forwards
• Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

A9 – Insecure Cryptographic Storage
• Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may use this weakly protected data to conduct identity theft, credit card fraud, or other crimes.

A10 – Insufficient Transport Layer Protection
• Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
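The A8 entry above says redirect destinations taken from untrusted data must be validated. The function below is an added example (not code from the OWASP document or from this post) of one way to do that: it accepts only a local absolute path or an http(s) URL whose host is on an allowlist, and falls back to "/" for everything else, including protocol-relative ("//host"), backslash and userinfo ("host@other") forms that naive prefix or substring checks let through. ALLOWED_HOSTS and DEFAULT_TARGET are constructed values for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real application loads its own.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return `raw` only if it points back into this application, else DEFAULT_TARGET.

    Two shapes are accepted: a local absolute path such as "/account", or an
    absolute http(s) URL whose host is on the allowlist. Anything else
    (other schemes, protocol-relative URLs, userinfo tricks) falls back.
    """
    if not raw:
        return DEFAULT_TARGET

    # Browsers treat a backslash like a forward slash when resolving URLs,
    # so "/\evil.example" would leave the site; normalise before parsing.
    candidate = raw.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Local path: no scheme and no authority. "//host/..." has an authority,
    # so it never reaches this branch.
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET

    # Absolute URL: http/https only, no userinfo (which would make
    # "https://app.example.com@evil.example/" look trusted to a substring
    # check), and the real host must be on the allowlist.
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return DEFAULT_TARGET
    return candidate
```

Forwards that select an internal page from the same untrusted parameter need the same treatment, plus the access control check the A7 entry describes.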
OWASP Top 10 – 2007 (Previous) → OWASP Top 10 – 2010 (New)
A2 – Injection Flaws → A1 – Injection
A1 – Cross Site Scripting (XSS) → A2 – Cross Site Scripting (XSS)
A7 – Broken Authentication and Session Management → A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference → A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF) → A5 – Cross Site Request Forgery (CSRF)
<was T10 2004 A10 – Insecure Configuration Management> → A6 – Security Misconfiguration (NEW)
A10 – Failure to Restrict URL Access → A7 – Failure to Restrict URL Access
<not in T10 2007> → A8 – Unvalidated Redirects and Forwards (NEW)
A8 – Insecure Cryptographic Storage → A9 – Insecure Cryptographic Storage
A9 – Insecure Communications → A10 – Insufficient Transport Layer Protection
A3 – Malicious File Execution → <dropped from T10 2010>
A6 – Information Leakage and Improper Error Handling → <dropped from T10 2010>