As a developer, you’re the first line of defense against data breaches. You should know what to look out for, and you have a responsibility to your users to follow best practices.

作为开发人员,您是防御数据泄露的第一道防线。 您应该知道要寻找的内容,并且您有责任让用户遵循最佳做法。

Luckily, there’s an organization dedicated to providing you with up-to-date guidelines for how to secure your web applications. Every web developer should know about the OWASP Top Ten.

幸运的是,有一个专门致力于为您提供有关如何保护Web应用程序的最新准则的组织。 每个Web开发人员都应该了解OWASP的前十名。

OWASP十大应用程序安全风险 (The OWASP Top Ten Application Security Risks)

The Open Web Application Security Project (OWASP) is a nonprofit dedicated to promoting security on the web. They’re an awesome organization, and they do a lot of research into the threats and exploits facing modern applications.

开放Web应用程序安全项目(OWASP)是一个非营利性组织,致力于促进Web安全。 他们是一个了不起的组织,他们对现代应用程序所面临的威胁和利用进行了大量研究。

According to the experts:


Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.

使用OWASP Top 10可能是将组织内的软件开发文化转变为产生更安全代码的文化的最有效的第一步。

Following OWASP’s recommendations is the gold standard for security. If you’re a web developer, you need to know about OWASP and understand their top recommendations.

遵循OWASP的建议是安全性的黄金标准。 如果您是Web开发人员,则需要了解OWASP并了解他们的重要建议。

So, what are the biggest threats to your application?


1.注射 (1. Injection)

Websites need to accept data from their users. They wouldn’t be very useful otherwise.

网站需要接受其用户的数据。 否则它们将不会非常有用。

However, before you do anything with that data (store it, execute code on it, use it to look something up, etc), you need to make sure it’s cleaned and escaped of special characters.


If you don’t, attackers can potentially run their own code on your servers.


A mom exploits a SQL injection against her son’s school

The best way to prevent injection is to use a library that sanitizes user entered data every time and as soon as user data hits your server. Every programming language for the web has tools & libraries to help sanitize inputs.

防止注入的最佳方法是使用一个库,该库每次用户数据访问您的服务器时都会对用户输入的数据进行清理。 Web的每种编程语言都有工具和库来帮助清理输入。

This is the #1 security risk because it’s the most severe (allows an attacker to run arbitrary code) and also still surprisingly common despite being a known exploit for decades.


Want to learn more about preventing injection? OWASP has you covered.

想更多地了解预防注射 ? OWASP为您服务。

2.身份验证失败 (2. Broken Authentication)

When an attacker can login as someone else, you’ve obviously got a problem.


This category of risk encompasses a lot of potential problems:


  • Storing passwords as plaintext in the database (NEVER, never, NEVER do this!) & then having your database compromised

  • Storing session tokens in insecure locations, allowing attackers to use the token to gain authorization

  • Allowing users to pick common or weak passwords that are easy for attackers to guess

  • Not expiring session or API tokens, meaning a token only needs to be exposed once & it’s valid forever

  • Sending back different and identifiable information based on failed requests. Bad: “No such username” (If an attacker keeps guessing long enough, they’ll find a valid username that returns a different response) Good: “Invalid credentials”

    根据失败的请求发送回不同且可识别的信息。 错误:“没有这样的用户名”(如果攻击者不断猜测足够长的时间,他们会找到一个有效的用户名,并返回不同的响应)。好:“无效的凭据”

The top ways to prevent these issues, according to OWASP:


  • Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.

  • Do not deploy with any default credentials, particularly for admin users.

  • Implement weak-password checks, such as validating new or changed passwords against a list of the top 10,000 worst passwords and requiring passwords to be at least 8 characters.

  • Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.

  • Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.

    限制或越来越多地延迟失败的登录尝试。 记录所有故障,并在检测到凭据填充,暴力破解或其他攻击时提醒管理员。
  • Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL, be securely stored and invalidated after logout, idle, and absolute timeouts.

    使用服务器端安全的内置会话管理器,该管理器在登录后生成具有较高熵的新随机会话ID。 会话ID不应位于U​​RL中,在注销,空闲和绝对超时后应安全地存储它们并使其无效。

3.敏感数据公开 (3. Sensitive Data Exposure)

Over the past few years, this is the most common attack vector.


Things start to get tricky, because attackers can exploit many types of man-in-the middle scenarios to steal data when it’s in transit or temporarily being stored in plaintext.


The attacks can take many forms, but the most common ways attackers steal information are:


  • Downgrading connections from HTTPS to HTTP to decrypt data in transit

  • Cracking a weaker encryption scheme that was used to store or transfer data

  • Pre-hashing popular passwords using unsalted and simpler encryption schemes then matching those hashes to stolen user tables

  • Using SQL injection to make the database engine fetch data into plaintext that was encrypted


To prevent these attacks:


  • All sensitive data should be encrypted with a modern encryption algorithm

  • If you don’t absolutely need to store some data, then discard it — if you don’t store it, attackers cant steal it

  • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.

    使用具有工作因数(延迟因数)的强大自适应和盐化哈希函数(例如Argon2 , scrypt , bcrypt或PBKDF2 )来存储密码。

  • Make sure session cookies and other sensitive browser data are only sent on HTTPS and that they’re not available in client-side javascript


4. XML外部实体 (4. XML External Entities)

XEE attacks allow an attacker to make your code evaluate an external URL when they upload an XML file to your application.


These types of attacks are especially prevalent and successful against older applications with dependencies that aren’t up to date to protect against XEE attacks.


The easiest way to prevent these attacks is not to use XML. Pick a stricter data format like JSON or YAML.

防止这些攻击的最简单方法是不使用XML。 选择更严格的数据格式,例如JSON或YAML。

If you have to use XML, make sure all your parsers, processors, and dependencies are up to date. Source Code Analysis Tools can help identify issues in existing applications.

如果必须使用XML,请确保所有解析器,处理器和依赖项都是最新的。 源代码分析工具可以帮助识别现有应用程序中的问题。

5.损坏的访问控制 (5. Broken Access Control)

This category is similar to #2 (Broken Authentication), but it applies when an attacker can access sensitive data without being logged in as the correct user.


For example, say an attacker logs in to your website and navigates to the billing history page at a URL like:




It’s a good guess that the 1809 part of the URL is the user ID.


If an attacker can change that ID and see other users’ billing data, then you have a broken access control attack.


Similarly, attackers can manipulate other IDs, tokens, or credentials to visit blocked URLs or elevate their privileges to admin.


Checklist to prevent these attacks:


  • Deny by default for all web requests and API endpoints — make authentication standardized and default across your application

  • Create, read, update, and delete access on data models should always be user-specific and managed with explicit model permissions

  • Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots

  • Log access control failures, alert admins when appropriate (e.g. repeated failures)

  • Rate limit your API and URLs to prevent manipulation that comes from automated tools


6.安全配置错误 (6. Security Misconfiguration)

No matter how secure your server or client-side framework is, it means nothing if you have the security settings poorly configured.


For example, many frameworks include debug settings that are useful when developing but dangerous if released into production.


Other pitfalls:


  • Leaving default accounts active and/or with their default passwords unchanged

  • Having error messages that reveal stack traces or other info about configuration

  • Using out of date frameworks and libraries without the most recent security patches

  • Leaving environment variables or other secure keys in publicly accessible config files or source control


Luckily, remedying these problems is easy. Use the most up-to-date version of your framework & libraries. Then, learn about and follow security best practices for configuring your application for production.

幸运的是,解决这些问题很容易。 使用您的框架和库的最新版本。 然后,了解并遵循安全最佳实践来配置应用程序以进行生产。

Additionally, make sure the process for deploying to production always and predictably includes these security hardening steps.


7.跨站点脚本(XSS) (7. Cross-Site Scripting (XSS))

This is an increasingly popular (and dangerous) attack vector as client-side JavaScript has become more prevalent.


Basically, this attack involves running malicious JavaScript and HTML in the user’s browser. While the code appears to come from a verified site, it’s actually from a dangerous source.

基本上,这种攻击涉及在用户的浏览器中运行恶意JavaScript和HTML。 虽然代码似乎来自经过验证的站点,但实际上是来自危险来源。

For example, if a site you trusted opened a popup like this, would you fill it out?


Example XSS attack

While it looks trustworthy, it may also have come from an attacker spoofing the design and features of the target site.


Malicious XSS attacks come in 3 basic varieties:


  1. Reflected XSS: The application or API includes unvalidated and unescaped user input as part of HTML output.

    反映的XSS :应用程序或API包含未经验证和未转义的用户输入,作为HTML输出的一部分。

  2. Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator.

    已存储的XSS :应用程序或API存储未过滤的用户输入,稍后由其他用户或管理员查看。

  3. DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM manipulation.

    DOM XSS :动态地将攻击者可控制的数据包含到页面JavaScript框架,单页应用程序和API容易受到DOM操作的攻击。

To protect against these attacks:


  • Use up-to-date frameworks that protect against XSS — Django, Rails, Spring, React, Angular, and all other major frameworks include provisions for XSS

  • Never put untrusted data inside a script, HTML comment, tags, tag attributes, or directly in CSS

  • Escape any untrusted data you do insert into the page:

 & --> &
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;
/ --> &#x2F;

8.不安全的反序列化 (8. Insecure Deserialization)

Complex applications often need to pass data models back and forth between services.


For example, a React app may need to talk to a Spring Boot backend. Since the requests can be complicated and based on a lot of conditions, the developers just serialize the React application’s state and then send that to the backend with every request.

例如,React应用可能需要与Spring Boot后端进行对话。 由于请求可能很复杂,并且基于很多条件,因此开发人员只需序列化React应用程序的状态,然后将其与每个请求一起发送到后端。

When an attacker notices that the Java objects are coming back with a certain signature, they can use tools like Java Serial Killer to infiltrate the server.

当攻击者注意到Java对象以特定签名返回时,他们可以使用Java Serial Killer之类的工具来渗透服务器。

Similarly, a PHP site might use PHP’s object serialization to save a cookie with the user’s session ID and privileges. Spoofing that serialization would allow an attacker to elevate their privileges or login as someone else.

同样,PHP站点可能使用PHP的对象序列化来保存具有用户会话ID和特权的cookie。 欺骗该序列化将使攻击者能够提升其特权或以其他人的身份登录。

What you can do about deserialization attacks:


  • Don’t serialize objects directly. Instead, use a data format that only allows for primitive types (e.g. — Use a JSON schema of your object)

    不要直接序列化对象。 相反,请使用仅允许原始类型的数据格式(例如,使用对象的JSON模式)
  • Add hashed signatures to serialized objects to make sure they haven’t been tampered with.

  • Only deserialize in isolated, low privilege situations & log all exceptions so you can disable or rate limit users that are deserializing too often


9.使用具有已知漏洞的组件 (9. Using Components with Known Vulnerabilities)

This one is also easy to avoid. If your third-party libraries are out of date, chances are you have a security vulnerability.

这也是很容易避免的。 如果您的第三方库已过期,则很可能存在安全漏洞。

Upgrading your dependencies will usually fix these vulnerabilities.


In fact, source control providers like GitHub can help you monitor and prioritize these issues:


Furthermore, GitHub can automatically create a pull request to upgrade your dependencies.


10.日志和监控不足 (10. Insufficient Logging & Monitoring)

What gets measured gets managed.


Nearly every major security incident would be mitigated with earlier warnings.


Logging and monitoring is the foundation of security, because it allows you to track, review, and blacklist suspicious requests.


According to OWASP:


MIn 2016, identifying a breach took an average of 191 days — plenty of time for damage to be inflicted.

MIn 2016年,识别违规行为平均需要191天 -造成损害的时间很多。

Things to start monitoring today:


  • Logins

  • Failed logins

  • Any high-value transactions

  • Request frequency by user


Once you have logs for these things:


  • Make sure there are alert thresholds for suspicious activity

  • Log this data to somewhere outside the local server

  • Preferably, use a third party monitoring service to consume and visualize your logs — raising alarms in real time

  • Run a penetration testing scan (using a tool like OWASP ZAP — see I told you OWASP is awesome) and make sure it triggers your alerts

    运行渗透测试扫描(使用OWASP ZAP之类的工具-看到我告诉您OWASP很棒),并确保它触发了警报

Since the variety of possible attacks is so wide, logging is your best bet to detect attacks when they come.


我从OWASP十大中学到的东西 (What I Learned from the OWASP Top Ten)

Discovering the OWASP top ten has changed the way I approach web development.


Of course, I’ve always known that security is important, and I’ve heard of the more common attacks in this list.


Thanks to OWASP, however, we now have a clear checklist of attack vectors and best practices to protect against them.


OWASP even has awesome open source projects to help test, harden, and analyze your application. Their Juice Shop example is especially helpful to train developers on the ways these attacks could take place.

OWASP甚至还提供了很棒的开源项目来帮助测试,强化和分析您的应用程序。 他们的Juice Shop示例对培训开发人员如何进行这些攻击的方式特别有用。

Every developer has a responsibility to protect user data. It’s critical that all developers know about the OWASP Top Ten security risks and how to address them.

每个开发人员都有责任保护用户数据。 所有开发人员都必须了解OWASP十大安全风险以及如何解决这些风险,这一点至关重要。

翻译自: https://medium/swlh/top-10-web-app-security-risks-how-to-stop-them-according-to-the-experts-at-owasp-f568b881f406




