Original address: https://owasp.org/www-project-top-ten/

Contents

      • 1. Injection
      • 2. Broken Authentication
      • 3. Sensitive Data Exposure
      • 4. XML External Entities (XXE)
      • 5. Broken Access Control
      • 6. Security Misconfiguration
      • 7. Cross-Site Scripting (XSS)
      • 8. Insecure Deserialization
      • 9. Using Components with Known Vulnerabilities
      • 10. Insufficient Logging and Monitoring
      • Detailed descriptions and countermeasures: download the Chinese PDF

1. Injection

Injection flaws, such as SQL, NoSQL, OS command and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

2. Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

3. Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial, healthcare and PII records. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest or in transit, and it requires special precautions when exchanged with the browser.
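The following added Python example (not code from the page or from OWASP) serves both item 2 and item 3: it stores credentials as salted PBKDF2 hashes rather than plaintext, verifies them in constant time, charges the same cost for unknown usernames, and issues unguessable session tokens that are invalidated server-side on logout. The iteration count and the in-memory `UserStore` are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256; the value is an assumption for this
# example (OWASP's password storage guidance suggests 600,000 for SHA-256;
# prefer Argon2id or scrypt where a library is available).
HASH_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, key). A random per-user salt defeats precomputed tables;
    the iteration count makes offline guessing of a leaked hash slow."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)
    return salt, key


def verify_password(password, salt, expected_key):
    _, key = hash_password(password, salt)
    # Constant-time comparison: a plain '==' stops at the first differing byte
    # and leaks, through timing, how much of the hash was right.
    return hmac.compare_digest(key, expected_key)


def new_session_token():
    # 32 random bytes from the OS CSPRNG. Never derive session ids from user
    # ids, timestamps or a counter: those are guessable.
    return secrets.token_urlsafe(32)


# Hash of a placeholder password, used so that a login attempt against an
# unknown username costs the same time as one against a real user.
_DUMMY_CREDENTIAL = hash_password("placeholder-not-a-real-password")


class UserStore:
    """Constructed in-memory user and session store for the example."""

    def __init__(self):
        self._users = {}     # username -> (salt, key); plaintext is never kept
        self._sessions = {}  # token -> username

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        salt, key = self._users.get(username, _DUMMY_CREDENTIAL)
        ok = verify_password(password, salt, key)  # always do the work
        if not ok or username not in self._users:
            return None  # same answer for bad password and unknown user
        token = new_session_token()  # fresh token per login, never reused
        self._sessions[token] = username
        return token

    def whoami(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        # Invalidate server-side; clearing the browser cookie alone is not enough.
        self._sessions.pop(token, None)
```

Encryption in transit (TLS) and encryption of stored PII are deployment and key-management matters outside this snippet; what it shows is the one piece of sensitive data an application must never store recoverably, the password itself.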

4. XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, to reach internal file shares, to perform internal port scanning and remote code execution, and to mount denial of service attacks.
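The following added Python example (not code from the page or from OWASP) reproduces the flaw with the standard library's expat binding. The vulnerable parser installs an external entity resolver that dereferences `file:` URIs, which is what a processor that "evaluates external entities" does; the hardened parser rejects any DOCTYPE and installs no resolver. The secret file and the payload are constructed for the example.

```python
import os
import tempfile
import xml.parsers.expat
from urllib.parse import urlparse


def parse_text_resolving_entities(xml_bytes):
    """Vulnerable: collect character data and dereference SYSTEM entities."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_text(data):
        chunks.append(data)

    def on_external_entity(context, base, system_id, public_id):
        # The attacker controls system_id. A file: URI reads local files; an
        # http: URI would turn the parser into an SSRF / port-scanning client.
        url = urlparse(system_id)
        if url.scheme != "file":
            return 1
        with open(url.path, "rb") as f:
            replacement = f.read()
        child = parser.ExternalEntityParserCreate(context)  # inherits on_text
        child.Parse(replacement, True)
        return 1  # nonzero tells expat to continue

    parser.CharacterDataHandler = on_text
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_text_hardened(xml_bytes):
    """Hardened: refuse any DTD and never install an entity resolver."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_text(data):
        chunks.append(data)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")

    parser.CharacterDataHandler = on_text
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo():
    # Constructed secret file standing in for /etc/passwd or an app config.
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    payload = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file://%s"> ]>\n'
        '<order><item>&xxe;</item></order>' % secret_path
    ).encode("utf-8")
    try:
        leaked = parse_text_resolving_entities(payload)
        try:
            parse_text_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blocked": blocked}
```

With real libraries the same two settings matter: for lxml pass `resolve_entities=False` (and `no_network=True`) to `XMLParser`, and for any parser consider wrapping it with `defusedxml`, which forbids DTDs and entity expansion by default.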

5. Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as other users' accounts, sensitive files, other users' data, or access rights that they can then change.
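The following added Python example (not code from the page or from OWASP) shows two of the flaws the paragraph lists, an insecure direct object reference and a mass-assignment privilege escalation, each beside a deny-by-default check made on the server. The users, accounts and role model are constructed for the example.

```python
# Constructed data for the example: two customers, one admin, two accounts.
USERS = {
    10: {"id": 10, "role": "customer", "display_name": "Alice"},
    20: {"id": 20, "role": "customer", "display_name": "Bob"},
    99: {"id": 99, "role": "admin", "display_name": "Ops"},
}
ACCOUNTS = {
    501: {"id": 501, "owner_id": 10, "balance": 120.00},
    502: {"id": 502, "owner_id": 20, "balance": 4300.00},
}


def get_account_vulnerable(current_user_id, account_id):
    # Insecure direct object reference: the id comes from the URL and the only
    # check is that the caller is logged in, so /accounts/502 works for Alice.
    return ACCOUNTS[account_id]


def is_allowed(user, action, account):
    """Deny-by-default decision taken on the server, never trusting the client."""
    if user["role"] == "admin":
        return action in ("read", "freeze")
    if user["role"] == "customer":
        return action in ("read", "withdraw") and account["owner_id"] == user["id"]
    return False


def get_account_safe(current_user_id, account_id):
    user = USERS[current_user_id]
    account = ACCOUNTS.get(account_id)
    if account is None or not is_allowed(user, "read", account):
        # Same error for "no such account" and "not yours": no id enumeration.
        raise PermissionError("account not accessible")
    return account


def update_profile_vulnerable(current_user_id, form):
    # Mass assignment: every submitted field is written, so role=admin in the
    # form body is a privilege escalation.
    USERS[current_user_id].update(form)
    return USERS[current_user_id]


EDITABLE_FIELDS = {"display_name"}  # what a user may change about themselves


def update_profile_safe(current_user_id, form):
    forbidden = set(form) - EDITABLE_FIELDS
    if forbidden:
        raise PermissionError("fields not editable: %s" % sorted(forbidden))
    USERS[current_user_id].update(form)
    return USERS[current_user_id]


def denied(fn, *args):
    """True when fn(*args) raises PermissionError; used to exercise the checks."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

The policy lives in one function (`is_allowed`) rather than being scattered across handlers, and a missing branch falls through to `False`; an attacker who discovers a new action or role gets nothing until someone grants it explicitly.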

6. Security Misconfiguration

Security misconfiguration is the most commonly seen issue. It is usually the result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries and applications be securely configured, they must also be patched and upgraded in a timely fashion.
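The following added Python example (not code from the page or from OWASP) is a small response auditor of the kind a scanner runs: it flags the header and error-page problems the paragraph names. The two responses it is run against, a default-looking deployment and a hardened one, are constructed for the example; the header names and the checks are standard, the severity ordering is my own.

```python
import re

TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)"   # Python traceback
    r"|\bat [\w.$]+\([\w.]+:\d+\)"           # Java / .NET style stack frame
    r"|\b\w*Exception\b"                     # exception class names
)


def audit_response(status, headers, body):
    """Return misconfiguration findings for one HTTPS response.

    `headers` is a dict; Set-Cookie may be a string or a list of strings.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("framable: no X-Frame-Options or frame-ancestors")

    # Version banners tell an attacker exactly which advisories to try.
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if name in h and re.search(r"\d", h[name]):
            findings.append("version disclosure in %s: %s" % (name, h[name]))

    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        attrs = cookie.lower()
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append("cookie %s lacks %s" % (cookie.split("=", 1)[0], "/".join(missing)))

    # Verbose error pages: stack traces belong in logs, not in the response.
    if status >= 500 and TRACE_RE.search(body):
        findings.append("stack trace in error page")
    return findings


# Constructed responses: a default-looking deployment and a hardened one.
WEAK = (
    500,
    {
        "Server": "Apache/2.4.29 (Ubuntu)",
        "X-Powered-By": "PHP/7.2.24",
        "Content-Type": "text/html",
        "Set-Cookie": "PHPSESSID=abc123; Path=/",
    },
    "<pre>Traceback (most recent call last):\n  File \"app.py\", line 12</pre>",
)
HARDENED = (
    500,
    {
        "Server": "nginx",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    },
    "<p>Something went wrong. Reference id 4f2c.</p>",
)
```

`audit_response(*WEAK)` yields eight findings; `audit_response(*HARDENED)` yields none, including for the error page, which hands the user an opaque reference id that support can correlate with the server-side log.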

7. Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
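The following added Python example (not code from the page or from OWASP) shows server-side output encoding per context, which is the part of the fix the paragraph's "proper escaping" refers to: HTML body text, an attribute holding a URL, and a value embedded in an inline script each need different treatment. The payloads and the URL scheme allow-list are constructed for the example.

```python
import html
import json


def render_greeting_vulnerable(name):
    # Untrusted data dropped straight into markup: the browser parses whatever
    # tags it contains.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # HTML body context: escape & < > " ' so the data can only ever be text.
    return "<p>Hello, " + html.escape(name) + "</p>"


def render_link_safe(url, label):
    # Attribute context: the value is quoted and escaped, and the URL scheme is
    # allow-listed so javascript:, data: and protocol-relative URLs never
    # reach href.
    lowered = url.strip().lower()
    is_relative = lowered.startswith("/") and not lowered.startswith("//")
    if not (is_relative or lowered.startswith(("https://", "http://"))):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label))


def render_inline_config_safe(config):
    # JavaScript context: JSON-encode, then hex-escape the characters that
    # could close the script block or open a tag. json.dumps already escapes
    # quotes, backslashes and (with the default ensure_ascii) all non-ASCII,
    # including the U+2028/U+2029 line terminators.
    encoded = (
        json.dumps(config)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )
    return "<script>var CONFIG = %s;</script>" % encoded
```

For the browser-side case in the paragraph (updating an existing page with user data), the equivalent rule is to assign untrusted strings to `textContent` rather than `innerHTML`, or to pass them through a sanitiser before insertion.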

8. Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even where deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
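The following added Python example (not code from the page or from OWASP) demonstrates the remote code execution case with `pickle`: a constructed gadget class whose `__reduce__` names an arbitrary callable, which a naive `pickle.loads` invokes on load. The hardened side is a restricted unpickler that resolves only an explicit allow-list of globals. The callable chosen (`os.getpid`) is harmless; the comment notes what an attacker would substitute.

```python
import io
import os
import pickle
from collections import OrderedDict


class Gadget:
    """Constructed gadget for the example. pickle stores __reduce__'s result,
    a (callable, args) pair, and calls it when the bytes are loaded."""

    def __reduce__(self):
        # Swap os.getpid for os.system("...") or subprocess.call and this is
        # remote code execution on whatever host unpickles the bytes.
        return (os.getpid, ())


def build_malicious_pickle():
    return pickle.dumps(Gadget())  # contains no Gadget class, just the call


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allow-list; everything else fails."""

    ALLOWED = {("collections", "OrderedDict"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def loads_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    data = build_malicious_pickle()
    result = pickle.loads(data)  # naive load: runs os.getpid() and returns it
    try:
        loads_restricted(data)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    legit = loads_restricted(pickle.dumps(OrderedDict(a=1, b=2)))
    return {"pid_matches": result == os.getpid(), "blocked": blocked, "legit": legit}
```

The allow-list is a mitigation for data you must accept in a native format; the stronger fix for untrusted input is a format that carries no type information, such as JSON validated against a schema, with integrity checking (an HMAC over the bytes) if the serialized object must round-trip through the client.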

9. Using Components with Known Vulnerabilities

Components such as libraries, frameworks and other software modules run with the same privileges as the application. If a vulnerable component is exploited, the attack can lead to serious data loss or server takeover. Applications and APIs that use components with known vulnerabilities may undermine application defenses and enable a variety of attacks and impacts.
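The following added Python example (not code from the page or from OWASP) shows the mechanics behind dependency auditing: pinned versions from a requirements file are compared numerically against affected-version ranges from an advisory feed. The package names and advisory ids here are hypothetical placeholders constructed for the example, not real vulnerabilities; in practice the feed comes from tools such as `pip-audit`, OWASP Dependency-Check or `npm audit`, which also handle the version-syntax corner cases this simplified comparator does not.

```python
import operator
import re

# Constructed advisory feed. Package names and advisory ids are hypothetical
# placeholders for this example, not real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib", "affected": "<2.3.1"},
    {"id": "EXAMPLE-ADV-0002", "package": "widgetkit", "affected": ">=1.0,<1.4.2"},
]

# Constructed requirements.txt with exact pins.
REQUIREMENTS = """\
# web stack
examplelib==2.2.0
widgetkit==1.4.2
formatter-tool==0.9.1   # dev only
"""

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}
CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>)\s*([\d.]+)$")


def parse_version(text):
    # Dotted numeric versions only; PEP 440 pre-release/post-release tags are
    # out of scope here (use the `packaging` library for those). Comparing
    # tuples of ints, not strings, is what makes 1.10.0 > 1.9.0 come out right.
    return tuple(int(part) for part in text.split("."))


def version_matches(version, spec):
    """True when `version` satisfies every comma-separated clause of `spec`."""
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        op, bound = m.groups()
        if not OPS[op](parse_version(version), parse_version(bound)):
            return False
    return True


def parse_requirements(text):
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def audit_requirements(requirements_text, advisories):
    """Return (advisory id, package, pinned version) for each vulnerable pin."""
    pins = parse_requirements(requirements_text)
    hits = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned and version_matches(pinned, adv["affected"]):
            hits.append((adv["id"], adv["package"], pinned))
    return hits
```

Exact pins plus a lock file are what make this check meaningful: a floating `>=` requirement can resolve to a different version on every build, so the audit result at commit time says nothing about what is actually deployed.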

10. Insufficient Logging and Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
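The following added Python example (not code from the page or from OWASP) shows the kind of monitoring the paragraph calls for: a detector that reads authentication events and raises an alert when one source address accumulates failed logins inside a sliding window, which is the signal a credential-stuffing or brute-force attempt leaves. The log format, the log lines and the threshold are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: one line per attempt, no secrets logged.
LOG_LINES = """\
2019-03-04T10:00:01Z auth result=fail user=alice ip=203.0.113.7
2019-03-04T10:00:03Z auth result=fail user=bob ip=203.0.113.7
2019-03-04T10:00:04Z auth result=ok user=carol ip=192.0.2.5
2019-03-04T10:00:06Z auth result=fail user=carol ip=203.0.113.7
2019-03-04T10:00:09Z auth result=fail user=dave ip=203.0.113.7
2019-03-04T10:00:10Z auth result=fail user=erin ip=198.51.100.2
2019-03-04T10:00:12Z auth result=fail user=admin ip=203.0.113.7
2019-03-04T10:00:15Z auth result=fail user=root ip=203.0.113.7
2019-03-04T10:05:00Z auth result=fail user=erin ip=198.51.100.2
""".splitlines()

LINE_RE = re.compile(r"^(\S+) auth result=(\w+) user=(\S+) ip=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per ip that reaches `threshold` failed logins within `window`.

    Failures are kept in a per-ip deque; entries older than the window are
    dropped as each new event arrives, so memory is bounded by the window.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result != "fail":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "failures": len(q),
                "note": "possible brute force / credential stuffing",
            })
    return alerts
```

Two things in the log make this detector possible: every attempt is recorded, success and failure alike, with a source address and a timestamp; and the record carries the username that was tried but never the password. The alert is only useful if something consumes it, which is the "integration with incident response" the paragraph describes.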

Detailed descriptions and countermeasures: download the Chinese PDF

Follow my official account [Interviewer of Java Factory] and reply with "security" to download it.