OWASP Top 10 – 2013十大安全隐患

OWASP Top 10 – 2013 十大安全隐患

OWASP(开放Web软件安全项目- Open Web Application Security Project)是一个开放社群、非营利性组织，目前全球有130个分会近万名会员，其主要目标是研议协助解决Web软体安全标准、工具与技术，长期致力于协助政府或企业了解并改善Web应用与服务的安全性。

一．发布备注（Release Notes）

从2010到2013的改变：

The threat landscape for applications security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2013 release, we made the following changes:

（应用安全威胁的图景一直以来是在不断变化的。在这场安全革命中，推动其前进的关键因素是攻击者、新技术的发布、以及原来越复杂的系统的开发。为了跟上时代步伐，我们定期更新了Top10的安全隐患，在2013年的版本中，做出了如下的更改。）

1) Broken Authentication and Session Management moved up in prevalence based on our data set. We believe this is probably because this area is being looked at harder, not because these issues are actually more prevalent. This caused Risks A2 and A3 to switch places.

（失效的身份认证和会话管理，基于我们的数据集向上移动了一个位次，我们相信这是位次的提升，是因为这个问题被业界看的原来越严重，而不是该问题变的原来越普遍。这样，2010年的A2和A3就交换了位置。）

2) Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.

（跨站请求伪造CSRF从2010年的A5，下降到了2013的A8。我们相信，这是因为CSRF，已经在OWASP的Top10中存在了6年，各个组织和框架开发者已经着眼于解决这个问题，并且在很大程度上解决的不错，减少了真实应用的CSRF漏洞。）

3) We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:

+2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control – to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.

（我们扩展了2010年Top10中的不限制URL访问这一项，使其包含更多的内容：从2010年的A8，变成了2013年的A7，功能级别访问控制缺失，使其覆盖所有的功能级访问控制，因为访问控制不仅仅包含URL这种方式。）

4) We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure:

–This new category was created by merging 2010-A7 – Insecure Cryptographic Storage & 2010-A9 – Insufficient Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data protection (other than access control which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.

（我们合并并且扩展了2010年的A7、A9，并且创建了2013年deA6，敏感数据泄露：这个新种类的创建是在合并A7不安全加密存储、A9不足的传输层保护的基础上，增加了浏览器端的敏感数据泄露风险。这个新种类涵盖了从客户端到应用服务端，再从应用服务端返回值客户端的敏感数据保护的整个过程，而不是访问控制。）

5) We added: 2013-A9: Using Known Vulnerable Components:

+This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now has a category of its own as the growth and depth of component based development has significantly increased the risk of using known vulnerable components.

（2013的Top10中，增加了使用已知易受攻击组件：这个问题作为2010Top10中A6安全配置错误的一部分，但是现在随着基于组件的开发的成长和深度大大增加了该种风险的滋生，使其成为一个独立的种类。）

下图是2010年和2013年十大安全隐患的对比。

 

二．应用安全风险

什么是应用安全风险？

 

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention..

（攻击者可以潜在地通过多种途径到达应用，对应用进行破坏，对组织和业务造成损害。这些攻击途径的每一种都有可能严重到引起更多的关注。）

Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may be of no consequence, or it may put you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine the overall risk.

（有时候这些攻击途径很容易找到并且进行利用，有时候非常难。同样，攻击带来的伤害有时无所谓，有时甚至造成应用服务的中断。要对组织进行安全风险的评估，就需要对各种安全威胁、攻击矩阵、安全弱点综合考察，评估这些因素对组织的技术和业务方面的影响，最终得到组织安全风险的评估结果）。

三. 安全风险Top10

A1 – Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

（A1 – 注入，注入缺陷，例如SQL注入、OS命令注入、LDAP注入等，会在攻击者向应用服务端发送以分隔符作为命令或者查询的一部分时就会发生。攻击者的有害数据中分隔符造成的陷阱，会执行攻击构造的未预知的命令或者访问未授权数据。）

A2 – Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

（A2 -失效的身份认证和会话管理，与身份认证和会话管理相关的应用功能经常实现的不正确，允许攻击者可以构造密码、密钥、或者会话令牌或者利用实现缺陷，假冒其他用户的身份。）

A3 – Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

（A3 – XSS，当应用服务接收不被信任的数据，并且将该数据不经过验证或者字符过滤，就发送给客户的Web浏览器，就会产生XSS攻击。XSS攻击允许攻击者在受害者的浏览器中执行脚本，用于劫持受害者用户的会话信息，伤害特定的网站，或者重定向用户到恶意站点。）

A4 – Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

（A4 – 不安全的直接对象引用，应用开发者有时候可能会暴露应用内部实现对象的引用，例如文件、目录、或者数据库Key等。如果没有对这些的访问控制或者其他保护，攻击者就有可能利用这些暴露的引用访问未授权的数据。）

A5 – Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

（A5 – 安全配置错误，应用、框架、Web服务器、数据库服务器、各种应用平台的良好的安全性需要一份定义好的、部署好的安全配置。安全配置必需进行良好的定义、实现、维护，默认配置通常情况下是不安全的，另外，软件应该及时更新。）

A6 – Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

（A6 – 敏感数据泄露，许多Web应用没有正确地保护敏感数据，例如信用卡卡号、税号、身份认证证书等。攻击者可以通过偷窃、更改这种弱保护的数据，以进行信用卡诈骗、身份窃取、或者其他犯罪。这类敏感数据值得进行额外的保护，例如，加密传输、在于客户端浏览器交换数据时进行的特殊保护。）

A7 – Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

（A7 – 功能级访问控制缺失，大部分Web应用在界面上进行了应用级访问控制，但是应用服务器端也要进行响应的访问控制才行。如果请求没有验证，攻击者就能够构造请求访问未授权的功能。）

A8 – Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

（A8 – 跨站请求伪造，CSRF攻击强制一个已经登入的受害者浏览器，向带漏洞的Web应用发送伪造的HTTP请求，但是使用的是受害者正确的会话Cookie，以及其他的认证信息，这样攻击者就可以让Web应用认为这是受害者自愿发送的请求。）

A9 – Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

（A9 –使用已知易受攻击组件，组件，比如库、框架、或者其他的软件模块，通常运行在最高权限。如果一个有弱点的组件受到了利用，就可能被攻击者控制服务器或者造成严重数据损失。使用已知易受攻击组件的应用会造成应用整体安全性的降低，并且造成一定范围的攻击和影响。）

A10 – Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

（A10 –未验证的重定向和转发，Web应用经常会将用户重定向到其他的页面或者站点，并且使用使用不可信的数据来确定目标页面，如果不进行正确的验证，攻击可以让受害者重定向到钓鱼或者挂马的网站，或者利用重定向访问未授权页面。）

四．其他

在关注上述十大安全风险之外，仍然还要关注其他的风险。例如：

Clickjacking

Concurrency Flaws

Denial of Service (Was 2004 Top 10 – Entry 2004-A9)

Expression Language Injection (CWE-917)

Information Leakage and Improper Error Handling (Was part of 2007 Top 10 – Entry 2007-A6)

Insufficient Anti-automation (CWE-799)

Insufficient Logging and Accountability (Related to 2007 Top 10 – Entry 2007-A6)

Lack of Intrusion Detection and Response

Malicious File Execution (Was 2007 Top 10 – Entry 2007-A3)

Mass Assignment (CWE-915)

User Privacy

 

该文章英文原文来源自https://www.owasp.org/index.php/Top_10_2013-Top_10