owasp-top-10
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseOWASP Top 10 Security Vulnerabilities
OWASP Top 10安全漏洞
Expert guidance for identifying, preventing, and remediating the most critical web application security risks based on OWASP Top 10 2021.
基于OWASP Top 10 2021的专业指南,用于识别、预防和修复最关键的Web应用安全风险。
When to Use This Skill
何时使用该技能
- Conducting security audits and code reviews
- Implementing secure coding practices in new features
- Reviewing authentication and authorization systems
- Assessing input validation and sanitization
- Evaluating third-party dependencies for vulnerabilities
- Designing security controls and defense-in-depth strategies
- Preparing for security certifications or compliance audits
- Investigating security incidents or suspicious behavior
- 开展安全审计与代码审查
- 在新功能中实施安全编码实践
- 审查身份验证与授权系统
- 评估输入验证与清理机制
- 检查第三方依赖的安全漏洞
- 设计安全控制与纵深防御策略
- 准备安全认证或合规审计
- 调查安全事件或可疑行为
OWASP Top 10 2021 Overview
OWASP Top 10 2021概述
Ranked by Risk Severity:
- A01 - Broken Access Control (↑ from #5)
- A02 - Cryptographic Failures (formerly Sensitive Data Exposure)
- A03 - Injection (↓ from #1)
- A04 - Insecure Design (NEW)
- A05 - Security Misconfiguration
- A06 - Vulnerable and Outdated Components
- A07 - Identification and Authentication Failures
- A08 - Software and Data Integrity Failures (NEW)
- A09 - Security Logging and Monitoring Failures
- A10 - Server-Side Request Forgery (SSRF) (NEW)
按风险严重程度排名:
- A01 - 访问控制失效(从第5位上升)
- A02 - 加密失败(原敏感数据暴露)
- A03 - 注入攻击(从第1位下降)
- A04 - 不安全设计(新增)
- A05 - 安全配置错误
- A06 - 存在漏洞且过时的组件
- A07 - 身份识别与认证失败
- A08 - 软件与数据完整性失败(新增)
- A09 - 安全日志与监控失效
- A10 - 服务器端请求伪造(SSRF)(新增)
Quick Reference
快速参考
Load detailed guidance for each vulnerability:
| Vulnerability | Reference File |
|---|---|
| Broken Access Control | |
| Cryptographic Failures | |
| Injection | |
| Insecure Design | |
| Security Misconfiguration | |
| Vulnerable Components | |
| Authentication Failures | |
| Integrity Failures | |
| Logging & Monitoring | |
| SSRF | |
| Prevention Strategies | |
加载各漏洞的详细指南:
| 漏洞类型 | 参考文件 |
|---|---|
| 访问控制失效 | |
| 加密失败 | |
| 注入攻击 | |
| 不安全设计 | |
| 安全配置错误 | |
| 存在漏洞的组件 | |
| 认证失败 | |
| 完整性失败 | |
| 日志与监控 | |
| SSRF | |
| 预防策略 | |
Security Audit Workflow
安全审计工作流
- Identify Scope: Determine application components and attack surface
- Select Vulnerabilities: Choose relevant OWASP categories based on features
- Load Reference: Read appropriate reference file(s) for detailed patterns
- Analyze Code: Review code against vulnerable and secure patterns
- Document Findings: Record vulnerabilities with severity and remediation
- Verify Fixes: Test that remediations properly address issues
- Test Security: Run automated security testing (SAST, DAST, SCA)
- 确定范围:明确应用组件与攻击面
- 选择漏洞类型:根据功能选择相关的OWASP分类
- 加载参考文档:阅读对应的参考文件获取详细模式
- 代码分析:对照漏洞模式与安全模式审查代码
- 记录发现:记录漏洞及其严重程度与修复方案
- 验证修复:测试修复措施是否有效解决问题
- 安全测试:运行自动化安全测试(SAST、DAST、SCA)
Core Security Principles
核心安全原则
Defense in Depth
纵深防御
- Layer security controls at network, application, data, and monitoring levels
- Ensure failure of one control doesn't compromise entire system
- 在网络、应用、数据与监控层面分层部署安全控制
- 确保单一控制失效不会危及整个系统
Secure by Default
默认安全
- Deny all access by default, explicitly grant permissions
- Fail securely (errors don't expose sensitive information)
- Minimize attack surface (disable unused features)
- Apply least privilege to all accounts and services
- 默认拒绝所有访问,仅显式授予权限
- 安全失败(错误信息不会暴露敏感数据)
- 最小化攻击面(禁用未使用的功能)
- 对所有账户与服务应用最小权限原则
Input Validation
输入验证
- Validate type, length, format, and allowed values
- Use allow-lists over deny-lists
- Sanitize for specific context (SQL, HTML, shell, etc.)
- Never trust client input
- 验证类型、长度、格式与允许值
- 使用允许列表而非拒绝列表
- 根据具体场景(SQL、HTML、Shell等)进行清理
- 绝不信任客户端输入
Common Mistakes
常见错误
- Trusting User Input: Always validate and sanitize all user-supplied data
- Rolling Your Own Crypto: Use established libraries (bcrypt, AES-256)
- Exposing Errors: Log detailed errors internally, show generic messages to users
- Missing Authorization: Check permissions on every request, not just UI
- Weak Session Management: Use secure, httpOnly, sameSite cookies with HTTPS
- Ignoring Dependencies: Regularly audit and update third-party libraries
- No Logging: Log security events for detection and incident response
- Default Configurations: Harden all systems, disable defaults
- 信任用户输入:始终验证并清理所有用户提供的数据
- 自行实现加密:使用成熟的库(bcrypt、AES-256)
- 暴露错误信息:内部记录详细错误,向用户展示通用信息
- 缺失授权检查:对每个请求都检查权限,而非仅在UI层面
- 会话管理薄弱:使用安全的、httpOnly、sameSite的Cookie并配合HTTPS
- 忽略依赖项:定期审计并更新第三方库
- 无日志记录:记录安全事件以用于检测与响应
- 默认配置未修改:加固所有系统,禁用默认配置
Security Testing Tools
安全测试工具
SAST (Static): SonarQube, Semgrep, ESLint security plugins
DAST (Dynamic): OWASP ZAP, Burp Suite
SCA (Dependencies): npm audit, Snyk, Dependabot
Secrets Scanning: GitGuardian, TruffleHog
Penetration Testing: Metasploit, Kali Linux tools
SAST(静态测试):SonarQube、Semgrep、ESLint安全插件
DAST(动态测试):OWASP ZAP、Burp Suite
SCA(依赖项分析):npm audit、Snyk、Dependabot
密钥扫描:GitGuardian、TruffleHog
渗透测试:Metasploit、Kali Linux工具
Resources
资源
- OWASP Top 10 2021: https://owasp.org/Top10/
- OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
- OWASP ASVS: Application Security Verification Standard
- CWE Top 25: Common Weakness Enumeration
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- CVE Database: https://cve.mitre.org/
- Snyk Vulnerability DB: https://snyk.io/vuln/
- OWASP Top 10 2021:https://owasp.org/Top10/
- OWASP cheat sheets:https://cheatsheetseries.owasp.org/
- OWASP ASVS:应用安全验证标准
- CWE Top 25:常见弱点枚举
- NIST网络安全框架:https://www.nist.gov/cyberframework
- CVE数据库:https://cve.mitre.org/
- Snyk漏洞数据库:https://snyk.io/vuln/