OWASP Top 10


2013 Top 10 List

 

A1-Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.


A2-Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.


A3-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.


A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.


A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.


A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.


A7-Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.


A8-Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.


A9-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.


A10-Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
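As an added example for A10 (not part of the original OWASP text), the following Python allow-list check accepts a redirect target only if it is an absolute same-site path or an http(s) URL whose host is on an assumed allow-list; the host names are placeholders, and the sample inputs are constructed.

```python
from urllib.parse import urlsplit

# Assumed allow-list of hosts this application may redirect to (placeholder values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site absolute path or an http(s) URL
    whose host is on the allow-list; everything else is rejected."""
    if not target:
        return False
    # Browsers treat backslashes as slashes, so "/\evil.com" would otherwise
    # parse here as a relative path but load evil.com in the browser.
    target = target.strip().replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # rejects javascript:, data: and similar schemes
    if parts.netloc:
        # .hostname strips userinfo and port, so "https://example.com@evil.net/"
        # is judged by the host the browser will actually connect to.
        return (parts.hostname or "").lower() in allowed_hosts
    # No authority part: accept only an absolute same-site path. A bare
    # "account" without a leading slash is rejected as ambiguous.
    return target.startswith("/") and not target.startswith("//")


def redirect_target(untrusted_next: str, default: str = "/") -> str:
    """Choose the redirect destination: the user-supplied value if it passes
    the allow-list check, otherwise a fixed default on this site."""
    return untrusted_next if is_safe_redirect(untrusted_next) else default


if __name__ == "__main__":
    # Constructed sample values as an application might receive them in ?next=
    for candidate in ["/account", "//evil.example.net/", "https://www.example.com/home",
                      "https://example.com@evil.example.net/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {redirect_target(candidate)}")
```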

A1 Injection

Injection flaws, such as SQL, OS and LDAP injection. These attacks occur when untrusted data is sent to an interpreter as part of a command or query statement. The malicious data sent by the attacker can trick the interpreter into executing unplanned commands or accessing data without proper authorization.


A2 Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly. This allows attackers to compromise passwords, keys or session tokens, or to exploit other flaws to impersonate other users.


A3 Cross-Site Scripting (XSS)

When an application receives untrusted data and sends it to a web browser without proper validation and escaping, a cross-site scripting (XSS) attack results. XSS allows attackers to run scripts in the victim's browser, hijacking user sessions, defacing the site, or redirecting the user to malicious sites.


A4 Insecure Direct Object References

When a developer exposes a reference to an internal implementation object, such as a file, folder or database key, an insecure direct object reference results. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.


A5 Security Misconfiguration

Good security requires defining and running a secure configuration for the application, frameworks, application server, web server, database server and platform. Because the default values of many settings are not secure, these settings must be defined, implemented and maintained. This includes keeping all software up to date, including all of the application's library files.


A6 Sensitive Data Exposure

Many web applications do not properly protect sensitive data such as credit cards, tax IDs and authentication credentials. Attackers may steal or tamper with this weakly protected data to commit credit card fraud, identity theft or other crimes. Sensitive data deserves extra protection, such as encryption at rest or in transit, and special precautions when exchanged with the browser.


A7 Missing Function Level Access Control

Most web applications verify function-level access rights before making a function visible in the UI. However, the application needs to perform the same access control check on the server side each time a function is accessed. If requests are not verified, attackers can forge requests to access functionality without proper authorization.


A8 Cross-Site Request Forgery (CSRF)

A cross-site request forgery attack forces a logged-in user's browser to send a forged HTTP request, including that user's session cookie and other authentication information, to a vulnerable web application. This allows the attacker to force the user's browser to send requests to the vulnerable application that the application treats as legitimate requests from the user.


A9 Using Components with Known Vulnerabilities

Components, such as library files, frameworks and other software modules, almost always execute with full privileges. If a vulnerable component is exploited, such an attack can cause more serious data loss or server takeover. Applications that use components with known vulnerabilities undermine the application's defenses and make a range of possible attacks and impacts possible.


A10 Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and sites, and use untrusted data to determine the destination page. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
