WEB安全性-2010_OWASP_TOP10

OWASP 10要素增强Web应用程序安全随着Web应用程序的增多，随之而来的就是这些Web应用程序所带来的安全漏洞。

不遵从规范化的编码指导，会使企业、员工以及企业的客户面对严重的安全风险，遭到各种恶意攻击。

我们将向大家介绍Open Web Application Security Project (开放式Web应用程序安全项目，OWASP) 10要素，以及OWASP建议大家在软件开发生命周期中应该嵌入的标准化方法。

商业风险现在的企业都在向客户提供通过浏览器访问企业信息的功能，同时集成Web服务的应用程序也越来越多，这些都导致企业所面临的风险不断增加。

这并不代表开发人员没有认真的对待程序开发工作，只是当Web应用程序的数量越来越多，其潜在的隐患也会越来越频繁的暴露在互联网下。

根据OWASP的观点：“当企业发布了一个Web应用程序，它们就是在邀请全球的网民向其发送HTTP请求。

而攻击内容也可以随着这些正常的HTTP请求穿过防火墙，过滤系统，系统平台上的安全措施以及网络中的入侵检测系统，而不被企业所发现。

这意味着企业的Web应用程序代码本身就是企业安全围墙的一部分。

随着企业所采用的Web应用程序数量和复杂度的增加，企业的安全围墙将更多的暴露在网络中。

”目前，企业所开发的很多新应用程序都是Web应用程序。

另外，Web服务也越来越频繁的被用来集成Web应用程序或与Web应用程序进行交互。

所带来的问题就是，Web应用程序和服务的增长已经超越了程序开发人员所接受的安全培训以及安全意识的范围。

随着存在安全隐患的Web应用程序数量的增长，OWASP也总结出了Web应用程序的十大脆弱点。

在这个10要素列表中，不但包括了Web应用程序的脆弱性介绍，还包括了OWASP的建议内容，帮助程序开发人员和企业尽量避免这些脆弱点给企业系统带来的风险。

OWASP 10要素中还包括了一个指南，帮助企业决定该如何向客户提供信息。

比如联邦贸易委员会（FTC）就在2003年1月的商业案例文档中将这个列表作为了信息安全的参考内容。

OWASP TOP 10 20201）注入2）失效身份认证和会话管理3）敏感信息泄露4）XML外部实体注入攻击（XXE）5）访问控制中断6）安全性错误配置7）跨站脚本攻击（XSS）8）不安全的反序列化9）使用具有已知漏洞的组件10）日志记录和监控不足注入当攻击者将无效的数据发送给web应用程序来让其执行为设计的操作，就会发生代码注入问题。

此安全漏洞最常见的示例便是使用不受信任数据的SQL查询，代码注入漏洞的核心是缺乏对web应用程序使用的数据的验证和清理。

任何接收参数作为输入的内容都可能受到代码注入攻击。

危害：注入可以使数据丢失或者被破坏掉，并且缺乏可审计性或者拒绝服务。

注入漏洞有时甚至可导致完全接管主机。

防御方法：1）首选方法是使用安全的API接口，该API避免完全使用解释器，或者说提供参数化的接口或迁移为使用对象关系映射工具（ORM）。

注意：即使说你参数化了，但是如果PL/SQL或者T-SQL连接查询和数据，或者说使用EXCLUTE IMMEDIATE 或者exec()执行恶意数据，则存储过程仍然可以引入SQL注入。

2）使用肯定或“白名单”服务器端输入验证，由于许多应用程序都需要特殊字符，例如文本区域或者移动应用程序的API，因此这并不是一个完整的防御措施3）对于任何残留的动态查询，请使用该解释程序的特定转义语义来转义特殊字符，注意，表名（table），列名（column）等SQL结构无法转义，因此用户提供的结构名很危险，这是报表编写软件中的常见问题4）在查询中使用limit和其他SQL控件可防止SQL注入的情况下大量泄露记录总结：数据和web引用程序逻辑要分离实施限制，以在成功进行注入攻击的情况下限制数据公开失效的身份验证和会话管理身份验证漏洞可能让攻击者能尝试控制他们在系统中想要的任何账户，甚至更遭的是，获得对系统的完全控制，身份验证和会话管理失效通常是指在应用程序身份验证机制上发生的逻辑问题，例如恶意行为者脑力破解系统中的有效用户。

⼗⼤web安全扫描⼯具01 – UnhideUnhide 是⼀个查寻隐藏了进程和端⼝的Rootkits/LKMs或其它隐藏技术的探测鉴定⼯具。

Unhide可以运⾏于linux/Unix和windows系统。

评论：“⾮常完整好⽤的⼯具.轻松找到隐藏⽂件和端⼝等”“linux 系统⾥找容易程序的⼯具，怒赞！”“基于unix的系统⾥，查找rootkits的好⼯具”02 – OWASP ZAP – Zed Attack Proxy ProjectZed Attack Proxy (ZAP)是⼀个简单易⽤的集成渗透测试⼯具，专门扫描⽹站漏洞。

Zed Attack Proxy是⼀款⽹站应⽤程序漏洞扫描⼯具，它是专为有多年安全经验的⼈员来设计的，当然对于开发⼈员和功能性测试⼈员，Zed Attack Proxy也是不⼆之选。

设计的思路是不管安全从业经验深浅的⼈都可以⽤，并且这个产品的开发和测试都是渗透⾏业新⼈ZAP提供了⾃动化扫描的同时，也⽀持⼿动查找漏洞。

评论:“开源易⽤覆盖⼴”“每周更新，简单易⽤”“稳定，经常改进。

可视化好，并且⽀持WebSockets”3 – LynisLynis是⼀款安全审计⼯具，⽤来测试和收集基于Unix的系统的安全信息。

这款⼯具的使⽤者是安全和系统审计⼈员,⽹络专家和系统运维。

Lynis在系统上执⾏深度本地扫描，因此⽐基于⽹络的漏洞扫描更加深⼊。

通过bootloader开始，直到安装⽂件包。

分析之后，他向管理员展⽰扫描结果，包括系统加固⽅案。

评论：“帮我加固系统很多次，真爱！”“很棒的审计⼯具!简单且免费”“有助于快速达到安全”04 – BeEF – The Browser Exploitation FrameworkBeEF 是The Browser Exploitation Framework的简写。

他是⼀款针对web浏览器的渗透⼯具针对客户端的攻击与⽇俱增，包括移动客户端。

OWASPTOP10学习备份TOP1-注⼊简单来说，注⼊往往是应⽤程序缺少对输⼊进⾏安全型检查所引起的，攻击者把⼀些包含指令的数据发送给解释器，解释器会把收到的数据转换成指令执⾏。

常见的注⼊包括sql注⼊，--os-shell，LDAP（轻量），xpath（XPath即为XML路径语⾔，它是⼀种⽤来确定（的⼦集）⽂档中某部分位置的语⾔），HQL注⼊等。

危害如下：注⼊可以导致数据丢失或被破坏，缺乏可审计性或拒绝服务。

注⼊漏洞有时甚⾄可导致完全接管主机如何防范：1.使⽤安全的API，避免使⽤解释器2.对输⼊的特殊的字符进⾏ESCAPE转义处理例⼦：LIKE '%M%' ESCAPE ‘M’使⽤ESCAPE关键字定义了转义字符“M”，告诉DBMS将搜索字符串“%M%”中的第⼆个百分符（%）作为实际值，⽽不是通配符3.使⽤⽩名单来规范化的输⼊验证⽅法TOP2-失效的⾝份认证和会话管理与认证和会话管理相关的应⽤程序功能往往得不到正确实施，导致了攻击者可以破坏密码，密钥，会话令牌或实施漏洞冒充其他⽤户⾝份危害如下：这些漏洞可能导致部分甚⾄全部账户遭受攻击，⼀旦攻击成功，攻击者就能执⾏合法的任何操作如何防范：1.使⽤内置的会话管理功能2.通过认证的问候3.使⽤单⼀的⼊⼝点4.确保在⼀开始登录SSL保护的⽹页TOP3-跨站XSS跨站脚本是最普遍的web应⽤安全漏洞。

当应⽤程序在发送给浏览器的页⾯中包含⽤户提供的数据，但没有经过适当验证和转义，就会导致跨站危害如下：攻击者在受害者浏览器中执⾏脚本以劫持⽤户会话，插⼊恶意内容，重定向⽤户，使⽤恶意软件劫持⽤户浏览器等种类：存储型，反射型，DOM型如何防范：1.验证输⼊2.编码输出（⽤来确保输⼊的字符被视为数据，⽽不是作为html被浏览器所解析）TOP4-不安全的对象直接引⽤意指⼀个已经授权的⽤户通过更改访问时的⼀个参数，从⽽访问到原本其并没有得到授权的对象危害如下：这种漏洞可以损坏参数所引⽤的所有数据如何防范：1.使⽤基于⽤户或会话的间接对象访问，这样可防⽌攻击者直接攻击为授权资源2.访问检查：对任何来⾃不受信源所使⽤的所有对象进⾏访问控制检查3.避免在url或⽹页中直接引⽤内部⽂件名或数据库关键字4.验证⽤户输⼊和url请求，拒绝包含./ ../的请求TOP5-伪造跨站请求（CSRF）跨站请求伪造，利⽤了⽹站允许攻击者预测特定操作所有细节这⼀特点。

A p p l i c a t i o n S e c u r i t y T r a i n i n g OWASP TOP 10 SECURITY ISSUESAgendaMost Common Application Security MistakesQ/AWhat’s OWASP ?The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of softwareAll of their materials are available under a free and open software licenseOWASP TOP 10 SECURITY ISSUESA1InjectionA2Broken Authentication & Session Management A3Cross-Site Scripting (XSS)A4Insecure Direct Object ReferencesA5Security MisconfigurationA6Sensitive Data ExposureA7Missing Function Level Access ControlA8Cross-Site Request Forgery (CSRF)A9Using Components with Known Vulnerabilities A10Un-validated Redirects and Forwards▪What is it?-Untrusted data is sent to an interpreter-Headers-Cookies-command / query-{.. any other form of input ..}-Interpreter is tricked into executing unintended commands▪What all is susceptible?-SQL-SOAP-XML-{..Anything..}▪Why does it happen?-Use of interpreters doesn’t clearly separate untrusted data from commands-Lack of input validation▪How to prevent it?-Use APIs that provide parameterized/ sanitized interfaces-Validate input against whitelist-Escape special characters which you had to whitelist -DON’T use a blacklist#2 Broken Authentication & Session Management▪Weak Authentication logic▪Imperfect implementation▪Insufficient protection of session token▪Etc.#2 Broken Authentication & Session Management▪How to prevent it?▪Implement strong account management functions(e.g., account creation, login, change password, recover password, etc.)▪Consider having centralized authentication and session management APIs▪Use strong algorithms to generate (random) secrets▪Protect secrets throughout their lifecycle▪What is it?-Application takes untrusted data-Sends it to web browser without proper validation and encoding-Allows attackers to execute scripts in the victim’s browser-hijack user sessions-deface web sites-redirect user to malicious sites-etc.▪Types of XSS-Reflected-Stored#3 Reflected Cross-Site Scripting (XSS)▪Injected script is instantly reflected off the web server -error message-search result-any other response that includes some or all of the input sent▪Delivered via another route to the victim-email, other website, etc.#3 Stored Cross-Site Scripting (XSS)▪Injected script is permanently stored on target servers -Such as database▪Victim then retrieves malicious script from the server when he requests the stored information▪Example-Forums#3 Cross-Site Scripting (XSS)▪How to prevent XSS-Input validation-Context based output encodinghttps:///index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet -Content Security Policy ?▪Reference to internal implementation object is exposed▪ e.g., file, directory, database key, etc.▪Lack of access controls/ other protections▪Attackers can manipulate these references to access unauthorized data▪How to prevent it?▪Verify user is authorized to access the exact resource they have requested▪Enforce access control on both client side and server side.▪Can be anywhere in the tech stack-OS-web server-Database-Framework-etc.▪Collective effort between devs and Infrastructure engineering▪How to prevent it?-Security hardening throughout Application Stack-Unnecessary features enabled or installed?-Secure values not set?-Default accounts/ passwords still enabled or unchanged?-Overly informative error messages to users?-Software out of date?▪Client side-http headers,cache, error message or exceptions, ..▪In transit-Plain text http,SSL MITM, ..▪Server side-weak crypto/ keys/ hashes, insufficient DB protection, ..▪How to prevent it?-Determine which data needs to be protected and how much-Encrypt all sensitive data at rest and transit (internally & externally)-Don’t transfer data unnecessarily-Control access to sensitive data-Use strong crypto algorithm/ keys / passwords-Turn off autocomplete on forms and caching▪Making sure only the right people have access to the right functions ▪Functions may be called through such as-URL parameters-REST style URLs▪How to prevent it?-Hiding functionality from the UI won’t help-Server side Authentication and Access Control checks-Server side checks shouldn’t solely rely on information provided by client-Deny by default-Rate limiting?▪Attacker can formulate all HTTP parameters for a request▪Browsers send session cookies automatically▪Attacker tricks end user into executing unwanted actions on a web application in which he/she is currently authenticated▪Target: state changing functions▪How to prevent it?improve unpredictability such as-Unique random token-CAPTCHA- 2 factor confirmation, such as SMS▪There are OWASP libraries you can use e.g., CSRF Guard which provides various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML▪Application/Tech Stack uses vulnerable components -Frameworks-Libraries-Servers-OS-other components▪How to prevent it?-Keep a check on vulnerabilities that come out-CVE (https:///view/vuln/search)-Mailing lists-Regularly check vendor’s website, such ashttps:///security.html/security_report.htmlhttps:///news/vulnerabilities.htmlhttps:///en-us/library/security/dn610807.aspx -Upgrade vulnerable component#10 Unvalidated Redirects and Forwards▪Application takes input from user▪Uses it to formulate Redirect/ Forward location without input validation▪Attacker misuses this for malicious redirections/ forwarding#10 Unvalidated Redirects and Forwards▪How to prevent it?-Avoid using user input to determine destination URL -Whitelist allowed pages or external sites-Ensure URL is valid and authorized for the userTHANK YOUFor questions or suggestionsContact us via email:bsi@。

web安全知识点总结⼀，解释什么是CSP为了让web应⽤程序分出哪些脚本是被第三⽅注⼊的，哪些脚本是程序⾃⾝的CSP定义了 Content-Security-Policy HTTP头但是现代浏览器已经通过前缀来提供了⽀持：Firefox使⽤x-Content-Security-Policy，WebKit使⽤X-WebKit-CSP。

未来会逐步过渡到统⼀的标准。

“none”：你可能期望不匹配任何内容“self”：与当前来源相同，但不包含⼦域“unsafe-inline”：允许内联Javascript和CSS“unsafe-eval”：允许⽂本到JS的机制例如eval⼆，什么是SSRF漏洞SSRF 服务端请求伪造存在的位置⽐如从指定URL地址获取⽹页⽂本内容，加载指定地址的图⽚，下载等等那么产⽣SSRF漏洞的环节在哪⾥呢？⽬标⽹站接受请求后在服务器端验证请求是否合法1）分享：通过URL地址分享⽹页内容2）转码服务3）在线翻译4）图⽚加载与下载：通过URL地址加载或下载图⽚5）图⽚、⽂章收藏功能6）未公开的api实现以及其他调⽤URL的功能7）从URL关键字中寻找PHP的常⽤实现1）php file_get_contents:2,php fsockopen():3,php curl_exec():读取本地⽂件file:///C:/Windows/win.ini探测内⽹应⽤三，session fixation漏洞⽤户登录前后的session_id没有变化则可能存在session fixation漏洞攻击者X先获取到⼀个未经认证的session_id ，将其发给⽤户Y认证，⽤户认证后服务器没有更新session_id的值，所以X可以凭借此session直接登录⽤户的账号四，phpcms两个漏洞1）getshellexp "info[content]": ""info[content] 为什么是content ： content =》转到处理函数editor中php的处理函数preg_match_all("/(href|src)=([\"|']?)([^ \"'>]+\.($ext))\\2/i", $string, $matches)这⾥正则要求输⼊满⾜src/href=url.(gif|jpg|jpeg|bmp|png)，我们的 payload （）符合这⼀格式（这也就是为什么后⾯要加.jpg的原因）。

Who Needs OWASP? Create Your Own Top 10 ListIntroductionWhy is your vulnerability list so important?Follow these 4 steps to achieve your custom, comprehensive Top N list Step 1: Gather vulnerability dataStep 2: Normalize the vulnerability dataStep 3: Create a vulnerability frequency tableStep 4: Consider additional risk factorsMoving forward Page 3 Page 3 Page 3 Page 3 Page 4 Page 4 Page 4 Page 5IntroductionA list of critical web application security vulnerabilities is a necessary risk management tool.1 Equally true is that each organization has a different set of vulnerabilities plaguing their applications. To complete a trifectaof fundamental truths, crowdsourced lists such as the OWASP Top 10 rarely reflect an individual organization’s priorities. Given all that, many organizations continue to download the OWASP Top 10 and try to use it to guide their software security efforts. Since this likely won’t achieve the desired result, why not use it as inspiration to create your own evidence-based, customized list?This document guides you through the process of cataloging your firm’s most common web application security vulnerabilities. But, before identifying those vulnerabilities, we must answer one very important question. Why is your vulnerability list so important?Identifying the vulnerabilities most prevalent in your organization’s applications provides real data. Data that encourages your development and security teams to actively improve their skills and processes. However, creating a satisfactory Top N list requires more than simply sorting one day’s or one application’s bug data. Building a list from the results of code review, various security testing methods, and actual incidents experienced by your firm and/or industry allow you to craft a holistic vulnerability list. You’ll then be better prepared to drive change that reduces risk in your organization.Customize your own comprehensive Top N list in 4 stepsStep 1: Gather vulnerability dataTo understand what you’re up against, you’ll first need to gather web application vulnerability data for a given period. Go back as far as you can with the technologies you have. Six months of data should be a minimum benchmark. Obtaining such data is easier to gather if your firm tracks security bugs in a central repository.If no repository currently exists, identify sources that contain vulnerability data. Collect reports associated with these sources. Next, extract the vulnerabilities into a spreadsheet or another data store.1 By “critical” we mean “most undesirable.” By “vulnerabilities” we mean “vulnerability types,” not individual security defects.Step 2: Normalize the vulnerability dataNormalizing vulnerability data ensures that each vulnerability instance is only counted once per application. You don’t want one bug-filled application to skew your results. A step-by-step approach to achieve this involves the following steps:1. Remove all re-test data from the data set. If the first test identifies a vulnerability that is not fixed bythe time a re-test takes place, list the vulnerability only once.2. Correlate penetration testing, incident response, and code review findings to remove multiplevulnerability instances. The instances may have been identified using different methodologies even though the same bug caused them. For instance, a cross-site scripting (XSS) vulnerability could be discovered during source code review, exploited during penetration testing, and abused by a realattacker. You should still list this vulnerability only once.3. Normalize finding names. For instance, the findings identified as “Stored XSS on admin page”and “Stored XSS on help page” could be renamed to read “Stored XSS.” The granularity of nameidentification determines the results of your Top N list. Use your judgement to determine what works best for your organization.Combining and harmonizing results from many kinds of defect discovery methods results in a richer assessment data set. Thus, more accurately reflecting what might be present in production environments.Step 3: Create a vulnerability frequency tableUsing the normalized vulnerability data, create a frequency table to list the number of times a given vulnerability was identified. For example, unsafe use of user-supplied data was identified 100 times throughout 150 applications over the past six months. This frequency table can help predict the likelihood that similar applications have the same vulnerability.Again, simply sorting a day’s bug data by number of occurrences doesn’t produce a satisfactory Top N list. Data changes often due to different testers, tools, processes, and applications. A historical view is important. Even when you have good frequency data, the point is to enable good risk management decisions. That requires additional knowledge.Step 4: Consider additional risk factorsOnce you have vulnerability frequency data, add analysis for three important risk factors:1. Detectability. The likelihood an attacker can discover the vulnerability.2. Exploitability. The likelihood an attacker can exploit that vulnerability.3. Impact. The combined technical and business impact if the vulnerability is successfully exploited.For each vulnerability in your list, add a score for each risk factor on a scale from 1-3 (with 3 being the higher end of the scale).Determining values for these factors are often based on the discovery method of the vulnerabilities. For instance, a vulnerability exploited in the wild (e.g., originating from the incident response report) might merit a higher exploitability than a vulnerability discovered during code review. Likewise, a vulnerability detected during a penetration test likely merits a higher detectability than a vulnerability detected during code review. Don’t hesitate to make adjustments based on professional opinion. Network location (e.g., Internet-facing versus internal), architecture (e.g., mobile versus thick-client), and other such criteria may be useful when assigning risk factor values.Based on the scores from this exercise, you can prepare your Top N list. This list is now customized to fit your organization and its software portfolio. This is one of the most valuable tools your firm can have for software security risk management.Moving forwardYour organization’s software security group (SSG) should periodically update the list and publish a Most Wanted Report. This calls attention to the most vulnerable areas of your firm’s software and applications. Incorporate this list into internal training material.When shown organization-specific vulnerability data, developers are more likely to understand how the material is relevant to their work. They are also better prepared to know when and how to apply what they’ve learned from training.Your Top N list may also open the door to executive attention regarding your firm’s vulnerabilities. These questions will help your teams obtain the resources they need to close gaps and mature the existing software security strategy.Be sure to adapt your approach at regular intervals to keep your Top N list up-to-date. Don’t simply base your security program on a static list. Sample your own data and turn the results into a powerful risk management tool.Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.For more information, go to /software.Synopsys, Inc.185 Berry Street, Suite 6500San Francisco, CA 94107 USAContact us:U.S. Sales: 800.873.8193International Sales: +1 415.321.5237Email: *********************。