温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

OWASP 2017 TOP 10

发布时间:2020-06-12 04:02:02 来源:网络 阅读:1208 作者:Bruce_F5 栏目:安全技术

OWASP 2017 TOP 10


And how BIG-IP ASM mitigates the vulnerabilities.


Vulnerability

BIG-IP ASM Controls

A1

Injection Flaws

Attack signatures

Meta character restrictions

Parameter value length restrictions

A2

Broken Authentication and Session Management

Brute Force protection

Credentials Stuffing protection

Login Enforcement

Session tracking

HTTP cookie tampering protection

Session hijacking protection

A3

Sensitive Data Exposure

Data Guard

Attack signatures (“Predictable Resource Location” and “Information Leakage”)

A4

XML External Entities (XXE)

Attack signatures (“Other Application Attacks” - XXE)

XML content profile (Disallow DTD)

(Subset of API protection)

A5

Broken Access Control

File types

Allowed/disallowed URLs

Login Enforcement

Session tracking

Attack signatures (“Directory traversal”)

A6

Security Misconfiguration

Attack Signatures

DAST integration

Allowed Methods

HTML5 Cross-Domain Request Enforcement

A7

Cross-site Scripting (XSS)

Attack signatures (“Cross Site Scripting (XSS)”)

Parameter meta characters

HttpOnly cookie attribute enforcement

Parameter type definitions (such as integer)

A8

Insecure Deserialization

Attack Signatures (“Server Side Code Injection”)

A9

Using components with known vulnerabilities

Attack Signatures

DAST integration

A10

Insufficient Logging and Monitoring

Request/response logging

Attack alarm/block logging

On-device logging and external logging to SIEM system

Event Correlation

 

Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018           External entity injection attempt

  • 200018030           XML External Entity (XXE) injection attempt (Content)

Also, XXE attack could be mitigated by XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):

OWASP 2017 TOP 10



向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI