    OWASP Top 10

    A1: Injection
    Solution
    +Validate user input
    +Never concatenate queries and data
    +Use parameterized queries
    +Never use an administrator account to connect to the database
    +Use LIMIT when possible to prevent mass data loss
    +Encrypt confidential and sensitive information
    +Handle exceptions properly
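
The A1 advice above (validate input, never concatenate, parameterize, bound with LIMIT, handle exceptions) shown in working code. This is an added example in Python with sqlite3, not code from the original note; the `users` table and the input `' OR '1'='1` are constructed here to show why the concatenated query fails and the parameterized one does not.

```python
import re
import sqlite3

# Constructed in-memory sample table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn

def find_user_concat(conn, name):
    # VULNERABLE (what A1 warns against): request data is concatenated into the
    # query text, so a quote inside `name` changes the meaning of the statement.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_param(conn, name):
    # SAFE: the value is bound as a parameter and is never parsed as SQL, and
    # LIMIT caps how many rows a single request can pull out if anything else
    # goes wrong.
    sql = "SELECT name, email FROM users WHERE name = ? LIMIT 10"
    return conn.execute(sql, (name,)).fetchall()

# Allow-list for the "validate user input" step (hypothetical policy: usernames
# are 1-64 chars of letters, digits, '_', '.', '-').
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def lookup(conn, name):
    """Validate, then query with parameters; never leak driver errors to the caller."""
    if not NAME_RE.fullmatch(name):
        return None  # reject invalid input rather than try to sanitise it
    try:
        return find_user_param(conn, name)
    except sqlite3.Error:
        # "Handle exceptions properly": log server-side, return nothing that
        # reveals schema or driver details to the user.
        return None

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that breaks the concatenated query
    print(find_user_concat(db, crafted))  # every row comes back
    print(find_user_param(db, crafted))   # no rows: the value is just a string
    print(lookup(db, crafted))            # rejected by validation -> None
```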

    A2: Broken Authentication
    Solution
    +Multi-factor authentication
    +Store passwords with a modern one-way hash function (Argon2, PBKDF2)
    +Strong password policy and checking
    +Well-designed messages for user registration, forgotten password, login
    +Log authentication failures
    +Alert administrators when brute force is detected
    +NO default passwords

    A3: Sensitive Data Exposure
    What
    +PCI DSS, yes
    +PII (Personally Identifiable Information), yes
    +Password, yes
    +Local privacy law and regulations
    Solution
    +Review local privacy law, regulation
    +Classify data
    +Don't store sensitive data unnecessarily
    +Encrypt all sensitive data
    +Enforce HTTP strict transport security if possible
    +Disable caching for responses which contain sensitive data

    A5: Broken Access Control
    Solution:
    +DENY by default, with the exception of public resources
    +The access control model should be shared throughout the application
    +Log failed access attempts, and alert administrators when appropriate
    +Disable web directory listing
    +Control access to the API
    REST API: PUT, DELETE, POST, GET

    A7: Cross-Site Scripting
    Types
    +Reflected XSS
    +Persistent/Stored XSS
    +DOM XSS
    User Input:
    +The URL
    +HTTP referrer objects
    +GET parameters from a form
    +POST parameters from a form
    +Window.location
    +Document.referrer
    +Document.location
    +Document.URL
    +Document.URLUnencoded
    +Cookie data
    +Headers data
    +Database data
    Solution
    +Use a safe framework
    +Escape untrusted HTTP request data
    +Reference: DOM based XSS Prevention Cheat Sheet

    Reference Link:
    https://www.owasp.org
    https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
    https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java
    https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

    Original source: https://www.cnblogs.com/coder211/p/7919749.html