OWASP 2017 TOP 10

發(fā)布時間：2020-06-12 04:02:02 來源：網(wǎng)絡(luò) 閱讀：1198 作者：Bruce_F5 欄目：安全技術(shù)

OWASP 2017 TOP 10

And how BIG-IP ASM mitigates the vulnerabilities.

	Vulnerability	BIG-IP ASM Controls
A1	Injection Flaws	Attack signatures Meta character restrictions Parameter value length restrictions
A2	Broken Authentication and Session Management	Brute Force protection Credentials Stuffing protection Login Enforcement Session tracking HTTP cookie tampering protection Session hijacking protection
A3	Sensitive Data Exposure	Data Guard Attack signatures (“Predictable Resource Location” and “Information Leakage”)
A4	XML External Entities (XXE)	Attack signatures (“Other Application Attacks” - XXE) XML content profile (Disallow DTD) (Subset of API protection)
A5	Broken Access Control	File types Allowed/disallowed URLs Login Enforcement Session tracking Attack signatures (“Directory traversal”)
A6	Security Misconfiguration	Attack Signatures DAST integration Allowed Methods HTML5 Cross-Domain Request Enforcement
A7	Cross-site Scripting (XSS)	Attack signatures (“Cross Site Scripting (XSS)”) Parameter meta characters HttpOnly cookie attribute enforcement Parameter type definitions (such as integer)
A8	Insecure Deserialization	Attack Signatures (“Server Side Code Injection”)
A9	Using components with known vulnerabilities	Attack Signatures DAST integration
A10	Insufficient Logging and Monitoring	Request/response logging Attack alarm/block logging On-device logging and external logging to SIEM system Event Correlation

Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

Also, XXE attack could be mitigated by XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):

OWASP 2017 TOP 10

向AI問一下細(xì)節(jié)

猜你喜歡