OWASP Top 10 Security Risks | Overview


OWASP Top 10 Overview

What is OWASP?

OWASP is a non-profit organization dedicated to web application security education.

OWASP learning materials can be accessed on their website. Their resources are useful for improving the security of web applications. This includes documentation, tools, videos, and forums.

The OWASP Top 10 is a list describing the most important security concerns for today's web applications. OWASP recommends that every company include this report in its processes to reduce security risk. Below is the list of security risks included in the OWASP Top 10 2017 report.

SQL Injection

SQL injection occurs when an attacker sends malformed data to a web application in order to interfere with the application's program logic.

An example of SQL Injection:

An attacker can enter an SQL query into a registration form that is supposed to take a plaintext username. If the input form is not secured, this leads to the execution of the SQL query. This is referred to as SQL injection.

To protect web applications from injection, ensure that your developers validate the data submitted by users. Validation here refers to rejecting invalid entries. The database administrator can also set controls to reduce the amount of data exposed in an injection.

To prevent SQL injection, OWASP recommends keeping data separate from commands and queries. The better option is to use a secure API that avoids the use of the interpreter, or to move to Object Relational Mapping Tools (ORMs).
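The "keep data separate from the query" advice in practice, as an added example that is not part of the original article: a lookup that concatenates the username into the SQL text next to the same lookup with the value bound as a parameter. The table and rows are constructed in memory for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory table for the demonstration (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    # The user-supplied value is spliced into the SQL text, so the database
    # interpreter reads it as part of the command, not as a value.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, username):
    # Data travels separately from the command text: the driver binds it as a
    # value, so whatever it contains can never change the query's structure.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed input that closes the quoted literal
    print(find_user_vulnerable(conn, probe))      # every row comes back
    print(find_user_parameterized(conn, probe))   # no user has that literal name
```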

Broken Authentication

Authentication vulnerabilities can allow an attacker to access user accounts and compromise the system through an admin account. A cybercriminal can use a script to try thousands of password combinations against the system to find one that works. Once the cybercriminal is in, they can impersonate a user, giving them access to confidential data.

A broken authentication vulnerability can exist in any web application that allows logging in to a system. A popular way to fix authentication vulnerabilities is to use multi-factor authentication. Additionally, a limit on login attempts can be built into the web app to prevent brute force attacks.
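The login-attempt limit mentioned above, as an added example that is not code from the article: a guard that counts failed logins per account and refuses further attempts, even with the correct password, until a lockout period expires. The threshold, lockout length and SHA-256 password digests are assumptions for the demo; a real system would use a slow password hash such as bcrypt or Argon2.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed policy values, not taken from the article
LOCKOUT_SECONDS = 900

def hash_password(password):
    """Demo-only digest; production code should use bcrypt/scrypt/Argon2."""
    return hashlib.sha256(password.encode()).hexdigest()

class LoginGuard:
    """Tracks failed logins per account and enforces a temporary lockout."""

    def __init__(self, credentials, clock=time.time):
        self._creds = credentials          # {username: hash_password(pw)}
        self._clock = clock                # injectable for deterministic tests
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, username, password):
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"                # refused regardless of the password
        expected = self._creds.get(username, "")
        # compare_digest keeps the comparison time independent of where the
        # digests first differ.
        if expected and hmac.compare_digest(hash_password(password), expected):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures[username] = 0
        return "denied"
```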

Sensitive Data Exposure

If a web application does not protect sensitive data, attackers can access it and use it for their own gain. A man-in-the-middle attack is a popular method for stealing sensitive data. The risk of exposure is much lower when all sensitive data is encrypted. Web developers should ensure that no sensitive data is exposed in the browser or stored unnecessarily.

XML External Entities (XXE)

A cybercriminal may be able to send or include malicious XML content, commands, or code in an XML document. This allows them to view files on the application server's file system. Once they have that access, they can interact with the server to carry out server-side request forgery (SSRF) attacks.

XML external entity attacks can be prevented by having web applications accept less complex data formats such as JSON. Disabling XML external entity processing in the parser will also reduce the likelihood of an XXE attack.

Broken Access Control

Access control is a policy that prevents unauthorized users from reaching sensitive data. If the access control system is broken, attackers can bypass authentication. This gives them access to sensitive data as if they were authorized. Access control can be secured by issuing authorization tokens at user login. On every request the user makes while authenticated, the authorization token associated with that user is checked, confirming that the user is authorized to make that request.
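The per-request token check described above, as an added example that is not code from the article: the server signs a username, role and expiry with an HMAC at login, and every later request is authorized only if the signature verifies, the token has not expired, and the role actually permits the requested action. The secret key and role table are constructed for the demo.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"demo-only-server-secret"   # constructed; load from a secret store in practice
PERMISSIONS = {"admin": {"read", "write", "delete"}, "user": {"read"}}  # assumed roles

def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(username, role, ttl=3600, now=None):
    """Server side, at login: bind identity and role to an expiry and sign it."""
    now = time.time() if now is None else now
    payload = f"{username}|{role}|{int(now + ttl)}"
    return f"{payload}|{_sign(payload)}"

def verify_token(token, now=None):
    """Return (username, role), or None if the token is tampered or expired."""
    try:
        username, role, exp, sig = token.split("|")
    except ValueError:
        return None
    payload = f"{username}|{role}|{exp}"
    # Check the signature before trusting any field, including the expiry.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    now = time.time() if now is None else now
    if int(exp) < now:
        return None
    return username, role

def authorize(token, action, now=None):
    """Run on every request: a valid token AND a role that permits the action."""
    identity = verify_token(token, now)
    if identity is None:
        return False
    _, role = identity
    return action in PERMISSIONS.get(role, set())
```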

Security Misconfiguration

Security misconfiguration is one of the problems cybersecurity professionals look for in web applications. It results from improperly configured HTTP headers, improper handling, and error displays that expose information about the web app. You can fix security misconfiguration by removing unused features. You should also patch or update your software packages.

Cross-Site Scripting (XSS)

XSS vulnerabilities occur when an attacker manipulates the DOM API of a trusted website to execute malicious code in the user's browser. Execution of this malicious code usually happens when the user clicks a link that appears to come from a trusted site. If the website is not protected against XSS vulnerabilities, it can be compromised. The malicious code that runs gives the attacker access to users' login sessions, credit card details, and other sensitive data.

To prevent Cross-Site Scripting (XSS), ensure that your HTML is sanitized. This is achieved by choosing a trusted framework for the language you use. Frameworks such as .NET, Ruby on Rails, and React JS help validate and sanitize your HTML output. Treating all data that originates from user input, validated or not, as untrusted can reduce the risk of XSS attacks.

Insecure Deserialization

Deserialization is the conversion of serialized data received by the server back into an object. Deserializing data is common in software development. It is insecure when the data is deserialized from an untrusted source. This can expose your application to attacks. Insecure deserialization occurs when data deserialized from an untrusted source leads to DDoS attacks, remote code execution, or authentication bypasses.

To avoid insecure deserialization, the rule of thumb is not to trust user data. All user input should be treated as potentially malicious. Do not deserialize data from untrusted sources. Ensure that the deserialization functions used in your web application are secure.
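One way to apply "do not trust user data" at the deserialization boundary, as an added example that is not code from the article: untrusted input is parsed as JSON (which only ever yields basic types, unlike native object deserializers such as pickle or Java serialization) and then checked against an allowlist of expected fields and types before it becomes an application object. The field list is an assumption constructed for the demo.

```python
import json

# Assumed shape of the object the application expects (constructed for the demo).
EXPECTED_FIELDS = {"user_id": int, "display_name": str}

class DeserializationError(ValueError):
    """Raised when untrusted input does not match the expected shape."""

def safe_load_profile(raw):
    """Turn untrusted serialized input into a plain dict, accepting only the
    declared fields with the declared types. json.loads cannot instantiate
    arbitrary classes, so the shape check below is the only trust decision."""
    try:
        data = json.loads(raw)
    except (ValueError, TypeError) as exc:
        raise DeserializationError(f"not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise DeserializationError("top-level value must be an object")
    unknown = set(data) - set(EXPECTED_FIELDS)
    if unknown:
        raise DeserializationError(f"unexpected fields: {sorted(unknown)}")
    profile = {}
    for name, typ in EXPECTED_FIELDS.items():
        if name not in data:
            raise DeserializationError(f"missing field: {name}")
        value = data[name]
        # bool is a subclass of int in Python, so reject true/false explicitly
        # where an integer is expected.
        if isinstance(value, bool) or not isinstance(value, typ):
            raise DeserializationError(f"wrong type for {name}")
        profile[name] = value
    return profile

def try_load(raw):
    """Convenience wrapper: the parsed profile, or None if it was rejected."""
    try:
        return safe_load_profile(raw)
    except DeserializationError:
        return None
```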

Using Components With Known Vulnerabilities

Libraries and frameworks have made it faster to build web applications without reinventing the wheel. This reduces redundancy in code review. They let developers focus on the core of the application. If attackers find an exploit in one of these frameworks, every codebase that uses the framework becomes vulnerable.

Component developers usually provide security patches and updates for vulnerable libraries. To avoid vulnerable components, you should keep your applications up to date with the latest security patches and updates. Unused components should be removed from the application to reduce the attack surface.

Insufficient Logging and Monitoring

Logging and monitoring are essential for showing what is happening in your web application. Logging makes it easy to trace errors and to monitor user logins and activity.

Insufficient logging and monitoring occurs when security-critical events are not logged properly. Attackers take advantage of this to launch attacks on your application before there is any noticeable response.

Logging can save your company money and time because your developers can find bugs easily. This lets them focus on fixing bugs rather than finding them. In fact, logging can help keep your sites and servers up and running at all times without them experiencing downtime.
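What "monitoring security-critical events" looks like once login events are actually logged, as an added example that is not code from the article: a parser for a constructed login log plus a sliding-window check that flags any source address with a burst of failed logins, the pattern behind the brute force attempts described under Broken Authentication. The log format, threshold and window are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application login log (format assumed for the demo).
SAMPLE_LOG = """\
2024-05-01T10:00:01 login FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 login FAIL user=alice src=203.0.113.7
2024-05-01T10:00:04 login FAIL user=bob src=203.0.113.7
2024-05-01T10:00:06 login FAIL user=carol src=203.0.113.7
2024-05-01T10:00:08 login FAIL user=dave src=203.0.113.7
2024-05-01T10:00:09 login OK user=alice src=198.51.100.2
2024-05-01T10:30:00 login FAIL user=bob src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Turn raw log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # a real pipeline would also count lines it cannot parse
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Flag every source with >= threshold failed logins inside a sliding window,
    whichever accounts were targeted (spraying across users still counts)."""
    recent = defaultdict(list)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        times = recent[ev["src"]]
        times.append(ev["ts"])
        while ev["ts"] - times[0] > window:
            times.pop(0)                 # drop failures older than the window
        if len(times) >= threshold:
            flagged.add(ev["src"])
    return flagged
```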

Conclusion

Good code is not just about functionality; it is about keeping your users and your application secure. The OWASP Top 10, a list of the most critical application security risks, is an excellent free resource for developers writing secure websites and mobile apps. Training the developers on your team to assess and measure risk can save your team time and money in the long run. If you want to learn more about training your team on the OWASP Top 10, click here.
