OWASP Top 10 Application Security Risks 2010
A1, Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
A2, Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A3, Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit implementation flaws to assume other users' identities.
A4, Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
A5, Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application treats as legitimate requests from the victim.
A6, Security Misconfiguration
Security depends on having a secure configuration defined for the application, framework, web server, application server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults.
A7, Failure to Restrict URL Access
Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform the same access control checks when these pages are actually requested, or attackers will be able to forge URLs to reach these hidden pages anyway.
A8, Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
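As an added example (not part of the original post), one way to validate a redirect target before using it: resolve the untrusted "next" parameter against the site's own base URL and accept the result only if it lands on an allow-listed host over https. The base URL, the allowed hosts and the function names are assumptions for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed allow-list: the only hosts this application may redirect to.
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
# Constructed base URL used to resolve relative redirect targets.
BASE_URL = "https://app.example.com/"


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` resolves to an https URL on an allowed host.

    The redirect parameter is untrusted data (A8), so rather than trying to
    block known-bad prefixes, resolve it the way a browser would and compare
    the resulting host against an allow-list.
    """
    if not target:
        return False
    # Control characters have no place in a URL; some parsers silently drop
    # them, which can change what host the browser ends up at.
    if any(c in target for c in "\r\n\t\x00"):
        return False
    # Browsers treat backslashes as forward slashes, so "/\\host" is really
    # the protocol-relative "//host". Normalise before parsing.
    candidate = target.replace("\\", "/")
    resolved = urlsplit(urljoin(BASE_URL, candidate))
    if resolved.scheme != "https":
        return False
    # Reject userinfo in the authority ("https://allowed@other-host/").
    if resolved.username is not None or resolved.password is not None:
        return False
    host = (resolved.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a local fallback."""
    return target if is_safe_redirect(target) else fallback
```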
A9, Insecure Cryptographic Storage
Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may use this weakly protected data to conduct identity theft, credit card fraud, or other crimes.
A10, Insufficient Transport Layer Protection
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. When they do encrypt, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.