OWASP 2017 TOP 10

Published: 2020-06-12 04:02:02 Author: Bruce_F5
Source: web Reads: 1208

And how BIG-IP ASM mitigates the vulnerabilities.


| OWASP 2017 | Vulnerability | BIG-IP ASM Controls |
|---|---|---|
| A1 | Injection Flaws | Attack signatures; Meta character restrictions; Parameter value length restrictions |
| A2 | Broken Authentication and Session Management | Brute Force protection; Credential Stuffing protection; Login Enforcement; Session tracking; HTTP cookie tampering protection; Session hijacking protection |
| A3 | Sensitive Data Exposure | Data Guard; Attack signatures (“Predictable Resource Location” and “Information Leakage”) |
| A4 | XML External Entities (XXE) | Attack signatures (“Other Application Attacks” - XXE); XML content profile (Disallow DTD) (subset of API protection) |
| A5 | Broken Access Control | File types; Allowed/disallowed URLs; Login Enforcement; Session tracking; Attack signatures (“Directory traversal”) |
| A6 | Security Misconfiguration | Attack signatures; DAST integration; Allowed Methods; HTML5 Cross-Domain Request Enforcement |
| A7 | Cross-site Scripting (XSS) | Attack signatures (“Cross Site Scripting (XSS)”); Parameter meta characters; HttpOnly cookie attribute enforcement; Parameter type definitions (such as integer) |
| A8 | Insecure Deserialization | Attack signatures (“Server Side Code Injection”) |
| A9 | Using Components with Known Vulnerabilities | Attack signatures; DAST integration |
| A10 | Insufficient Logging and Monitoring | Request/response logging; Attack alarm/block logging; On-device logging and external logging to a SIEM system; Event Correlation |


Specifically, ASM ships attack signatures for “A4:2017-XML External Entities (XXE)”.

Also, XXE attacks can be mitigated with an XML content profile by disallowing DTDs (and, of course, enabling the “Malformed XML data” violation).
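As an added example (not F5's code and not the BIG-IP ASM implementation), here is a standard-library Python check that approximates what an XML content profile does with “Disallow DTD” and the “Malformed XML data” violation enabled: any DOCTYPE is reported as a DTD violation before entities can be declared, and anything expat cannot parse is reported as malformed. The sample request bodies are constructed, not captured traffic.

```python
"""Stand-in for two BIG-IP ASM XML-profile checks: Disallow DTD and
Malformed XML data. Uses only the stdlib expat parser, so it runs offline."""
import xml.parsers.expat

DTD_VIOLATION = "XML profile: DTD (DOCTYPE) not allowed"
MALFORMED_VIOLATION = "Malformed XML data"


class _DtdDetected(Exception):
    """Raised from the expat handler the moment a DOCTYPE is seen."""


def check_xml_body(body: bytes) -> list:
    """Return the policy violations for an XML request body.

    An empty list means the body would pass an XML profile that
    disallows DTDs and blocks malformed XML.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE (internal or external subset) is enough to block:
        # an XXE payload needs a DTD to declare the entity it expands.
        raise _DtdDetected(name)

    parser.StartDoctypeDeclHandler = on_doctype
    # Never fetch external parameter entities while inspecting a body.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    try:
        parser.Parse(body, True)  # True: this is the final chunk
    except _DtdDetected:
        return [DTD_VIOLATION]
    except xml.parsers.expat.ExpatError:
        # Not well-formed, or an entity reference with no declaration.
        return [MALFORMED_VIOLATION]
    return []


# Constructed sample request bodies (hypothetical, not real traffic).
SAMPLES = {
    "clean": b"<order><id>42</id></order>",
    "xxe": (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///example-local-file">]>\n'
            b"<order><id>&ext;</id></order>"),
    "malformed": b"<order><id>42</order>",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, check_xml_body(body) or ["allowed"])
```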
