码迷,mamicode.com
首页 > Web开发 > 详细

OWASP 2017 TOP 10

时间:2017-12-13 00:00:43      阅读:303      评论:0      收藏:0      [点我收藏+]

标签:asm   owasp   

技术分享图片


And how BIG-IP ASM mitigates the vulnerabilities.


Vulnerability

BIG-IP ASM Controls

A1

Injection Flaws

Attack signatures

Meta character restrictions

Parameter value length restrictions

A2

Broken Authentication and Session Management

Brute Force protection

Credentials Stuffing protection

Login Enforcement

Session tracking

HTTP cookie tampering protection

Session hijacking protection

A3

Sensitive Data Exposure

Data Guard

Attack signatures (“Predictable Resource Location” and “Information Leakage”)

A4

XML External Entities (XXE)

Attack signatures (“Other Application Attacks” - XXE)

XML content profile (Disallow DTD)

(Subset of API protection)

A5

Broken Access Control

File types

Allowed/disallowed URLs

Login Enforcement

Session tracking

Attack signatures (“Directory traversal”)

A6

Security Misconfiguration

Attack Signatures

DAST integration

Allowed Methods

HTML5 Cross-Domain Request Enforcement

A7

Cross-site Scripting (XSS)

Attack signatures (“Cross Site Scripting (XSS)”)

Parameter meta characters

HttpOnly cookie attribute enforcement

Parameter type definitions (such as integer)

A8

Insecure Deserialization

Attack Signatures (“Server Side Code Injection”)

A9

Using components with known vulnerabilities

Attack Signatures

DAST integration

A10

Insufficient Logging and Monitoring

Request/response logging

Attack alarm/block logging

On-device logging and external logging to SIEM system

Event Correlation

 

Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018           External entity injection attempt

  • 200018030           XML External Entity (XXE) injection attempt (Content)

Also, XXE attack could be mitigated by XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):

技术分享图片



OWASP 2017 TOP 10

标签:asm   owasp   

原文地址:http://blog.51cto.com/zenfei/2050010

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!