OWASP Top Ten Security Risks | Overview

Contents

OWASP Top Ten

What is OWASP?

OWASP is a non-profit organisation dedicated to web security education.

OWASP's learning resources are available on its website. These resources help improve the security of web applications and include documents, tools, videos, and forums.

The OWASP Top 10 list presents the most serious security concerns for web applications today. OWASP recommends that every company incorporate this report into its security risk assessment process. Below is the list of security risks covered in the OWASP Top 10 2017 report.

SQL Injection

SQL injection occurs when an attacker sends invalid data to a web application in order to interfere with how the program operates.

Example of SQL injection:

An attacker can enter an SQL query into an input form that expects a plain-text username. If the input form is not protected, the result is that the SQL query is executed. This is referred to as SQL injection.

To protect websites from code injection, make sure your developers apply input validation to data submitted by users. Validation here means rejecting data that is not valid. A database administrator can also set controls that limit how much information can be disclosed in an injection attack.

To prevent SQL injection, OWASP recommends keeping data separate from commands and queries. The preferred option is to use a safe API that avoids using the interpreter altogether, or to migrate to Object Relational Mapping tools (ORMs).
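The following is an added example (not code from the original page or from OWASP) showing the difference the paragraphs above describe: a query built by string concatenation beside a parameterised query that keeps data separate from the command, plus an input-validation check as a second layer. The in-memory SQLite table, the user rows and the probe string are constructed for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: the user-supplied value is spliced into the query text,
    # so the SQL interpreter cannot tell data from command.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # SAFE: the query text is fixed; the value travels as a bound parameter
    # and is only ever compared as data, never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

def validate_username(username: str) -> str:
    # Input validation as a second layer: reject anything that is not a
    # plain alphanumeric name of sensible length.
    if not username.isalnum() or not 1 <= len(username) <= 32:
        raise ValueError("invalid username")
    return username

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # constructed input that is clearly not a username
    print(find_user_vulnerable(conn, probe))  # ['alice', 'bob']: the WHERE clause was rewritten
    print(find_user_safe(conn, probe))        # []: no user has that literal name
```

The parameterised version returns nothing for the probe because the database compares the whole string against the column value; the concatenated version returns every row because the quote character ended the literal early. Validation alone is not a substitute for parameters, but it shrinks what reaches the query layer.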

Broken Authentication

Broken authentication can allow an attacker to gain access to user accounts and to compromise the system using an admin account. A cybercriminal can use a script to try thousands of password combinations against the system to find one that works. Once the cybercriminal is in, they can impersonate the user, giving them access to sensitive information.

Broken authentication vulnerabilities exist in websites that allow automated logins. A popular way to address authentication vulnerabilities is to use multi-factor authentication. In addition, a login rate limit can be built into the web application to prevent brute-force attacks.
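As an added example (not code from the original page), here is the login rate limit the paragraph recommends: a sliding-window throttle that locks an account after a number of failed attempts, wrapped around a password check that stores salted PBKDF2 hashes rather than passwords. The credential store, the thresholds and the `FakeClock` used to step time are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Locks an account once too many failed attempts land inside a sliding window."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                    # injectable so the demo can fake time
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures

    def _prune(self, account: str, now: float) -> None:
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account: str) -> bool:
        now = self.clock()
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account: str) -> None:
        self._failures[account].append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Used for unknown accounts so response timing does not reveal which names exist.
DUMMY_RECORD = make_record("dummy")

def attempt_login(throttle: LoginThrottle, users: dict, account: str, password: str) -> str:
    """Returns 'ok', 'denied' or 'locked'."""
    if throttle.is_locked(account):
        return "locked"
    record = users.get(account, DUMMY_RECORD)
    matched = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    if matched and account in users:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"

class FakeClock:
    """Constructed clock so the lockout window can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60, clock=clock)
    users = {"alice": make_record("correct horse battery staple")}
    for _ in range(3):
        print(attempt_login(throttle, users, "alice", "wrong"))          # denied x3
    print(attempt_login(throttle, users, "alice", "correct horse battery staple"))  # locked
    clock.advance(61)
    print(attempt_login(throttle, users, "alice", "correct horse battery staple"))  # ok
```

Note that the lock is keyed on the account, so a script trying thousands of passwords against one user is stopped after three failures even if the right password is among them; keying a second throttle on the source address catches the reverse pattern of one password tried against many accounts.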

Sensitive Data Exposure

If websites do not protect sensitive data, attackers can access it and exploit it for profit. Man-in-the-middle attacks are a popular way of stealing sensitive information. The risk of exposure can be minimised if all sensitive data is encrypted. Web developers should make sure that no sensitive data is exposed in the browser or stored unnecessarily.

XML External Entities (XXE)

A cybercriminal may be able to upload or include malicious XML content, commands, or code inside an XML document. This lets them view files on the application server's file system. Once they have access, they can interact with the server to carry out server-side request forgery (SSRF) attacks.

XML external entity attacks can be prevented by having web applications accept less complex data formats such as JSON. Disabling XML external entity processing also reduces the chances of an XXE attack.
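The two mitigations above, as an added example that is not part of the original page: before an untrusted XML document reaches the real parser, the code refuses any document that carries a DOCTYPE (entities, internal or external, can only be declared there), and a JSON path is shown as the simpler-format alternative. It uses only the Python standard library; the sample documents are constructed.

```python
import json
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class UnsafeDocument(ValueError):
    """Raised for input the application refuses to process."""

def reject_doctype(data: bytes) -> None:
    """Fail fast if the document carries a DOCTYPE: that is the only place entities can be declared."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside the handler aborts the parse before any entity is expanded.
        raise UnsafeDocument(f"DOCTYPE '{name}' is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with external entity processing effectively disabled."""
    reject_doctype(data)
    return ET.fromstring(data)

def parse_untrusted_json(data: bytes) -> dict:
    """The simpler-format alternative: JSON has no entity mechanism at all."""
    obj = json.loads(data)
    if not isinstance(obj, dict):
        raise UnsafeDocument("top-level JSON value must be an object")
    return obj

if __name__ == "__main__":
    clean = b"<order><item sku='A1' qty='2'/></order>"
    print(parse_untrusted_xml(clean).tag)                      # order
    with_doctype = b"<!DOCTYPE order [<!ENTITY greeting 'hello'>]><order>&greeting;</order>"
    try:
        parse_untrusted_xml(with_doctype)
    except UnsafeDocument as exc:
        print("rejected:", exc)                                # rejected: DOCTYPE 'order' is not accepted
    print(parse_untrusted_json(b'{"sku": "A1", "qty": 2}'))   # {'sku': 'A1', 'qty': 2}
```

Rejecting the DOCTYPE outright is blunter than configuring the parser, but it closes both external-entity file reads and entity-expansion denial of service in one check, and it works the same regardless of which XML library does the real parsing afterwards.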

Broken Access Control

Access control is a system of protocols that keeps unauthorised users away from sensitive information. If the access control system is broken, attackers can bypass authentication. This gives them access to sensitive information as if they were authorised. Access control can be secured by issuing an authorisation token when a user logs in. On every request the user makes to a protected resource, the user's authorisation token is verified, confirming that the user is allowed to make that request.
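An added example (not the page's code) of the per-request token check described above, with the step that is most often forgotten: after the signature and expiry are verified, the request is still checked against the owner of the object it asks for. The signing key, the document store and the user names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key"   # placeholder: a real deployment loads a random secret from configuration

def b64_nopad(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def b64_unpad(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def encode_claims(claims: dict) -> bytes:
    return b64_nopad(json.dumps(claims, sort_keys=True).encode())

def sign(payload_b64: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload_b64, hashlib.sha256).digest()

def issue_token(user_id: str, role: str, ttl: int = 3600, now: Optional[float] = None) -> bytes:
    """Signed claims: subject, role and expiry. The signature binds all three."""
    now = time.time() if now is None else now
    payload_b64 = encode_claims({"sub": user_id, "role": role, "exp": now + ttl})
    return payload_b64 + b"." + b64_nopad(sign(payload_b64))

def verify_token(token: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Returns the claims only if the signature checks out and the token has not expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, signature_b64 = token.split(b".")
        signature = b64_unpad(signature_b64)
        payload = b64_unpad(payload_b64)
    except ValueError:          # wrong number of parts or invalid base64
        return None
    if not hmac.compare_digest(signature, sign(payload_b64)):
        return None             # tampered payload or forged signature
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims

# Constructed resource store: document id -> owner and content.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "alice's notes"},
    "doc-2": {"owner": "bob", "body": "bob's invoice"},
}

def get_document(token: bytes, doc_id: str, now: Optional[float] = None) -> tuple:
    """Authenticate the request, then authorise it against the object's owner."""
    claims = verify_token(token, now)
    if claims is None:
        return ("unauthenticated", None)
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return ("not_found", None)
    if claims["role"] != "admin" and doc["owner"] != claims["sub"]:
        return ("forbidden", None)   # a valid token is not enough; the object must belong to the caller
    return ("ok", doc["body"])

if __name__ == "__main__":
    alice = issue_token("alice", "user", now=1000.0)
    print(get_document(alice, "doc-1", now=1500.0))   # ('ok', "alice's notes")
    print(get_document(alice, "doc-2", now=1500.0))   # ('forbidden', None)
```

The ownership comparison is what distinguishes broken access control from broken authentication: a token that is perfectly valid for alice must still not unlock bob's document, which is why the check is made on every request rather than once at login.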

Security Misconfiguration

Security misconfiguration is a common issue that cybersecurity professionals observe in web applications. It results from misconfigured HTTP headers, broken access controls, and error displays that expose information about the web application. You can fix security misconfiguration by removing unused features. You should also patch or upgrade your software packages.
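An added example (not from the original page) of checking for two of the misconfigurations the paragraph names, HTTP headers and verbose error pages: a small audit function run over a constructed "default install" response and the same endpoint after hardening. The header set, the thresholds and the sample responses are the author's assumptions for the demo, not an exhaustive baseline.

```python
import re

# Response headers a hardened deployment is expected to send, with the risk each one addresses.
REQUIRED_HEADERS = {
    "strict-transport-security": "without HSTS a browser may be downgraded to plain HTTP",
    "x-content-type-options": "without nosniff a browser may sniff responses into executable types",
    "content-security-policy": "without CSP injected scripts run unrestricted",
    "x-frame-options": "without framing restrictions the page can be clickjacked",
}
VERSION_LEAK_HEADERS = ("server", "x-powered-by")

def audit_response(status: int, headers: dict, body: str) -> list:
    """Return misconfiguration findings for one HTTP response (an empty list means clean)."""
    findings = []
    lower = {name.lower(): value for name, value in headers.items()}
    for name, why in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing {name}: {why}")
    hsts = lower.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if match and int(match.group(1)) < 31536000:
        findings.append("strict-transport-security max-age is shorter than one year")
    for name in VERSION_LEAK_HEADERS:
        value = lower.get(name, "")
        if re.search(r"\d", value):
            findings.append(f"{name} header reveals a product version: {value!r}")
    if status >= 500 and re.search(r"Traceback|Exception|\bat .+\.java:\d+", body):
        findings.append("error page returns a stack trace to the client")
    return findings

# Constructed responses: a default install, and the same endpoint after hardening.
BEFORE = dict(
    status=500,
    headers={"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.1", "Content-Type": "text/html"},
    body='Traceback (most recent call last):\n  File "app.py", line 42, in handler ...',
)
AFTER = dict(
    status=500,
    headers={
        "Server": "webserver",
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
    },
    body="Internal Server Error (reference id: 7f3a)",
)

if __name__ == "__main__":
    for finding in audit_response(**BEFORE):
        print("before:", finding)       # seven findings
    print("after:", audit_response(**AFTER))   # after: []
```

The hardened response still fails with a 500, which is the point: the fix is not to hide failures but to return a generic page with a reference id the operator can look up in the logs, while the details stay server-side.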

Cross-Site Scripting (XSS)

An XSS vulnerability occurs when an attacker manipulates the DOM API of a trusted website to execute malicious code in a user's browser. The malicious code typically runs when a user clicks a link that appears to come from a trusted website. If the website is not protected against XSS vulnerabilities, it may be at risk. The malicious code that executes gives the attacker access to the users' login session, credit card information, and other sensitive data.

To prevent Cross-Site Scripting (XSS), make sure your HTML is properly sanitised. This can be achieved by choosing trusted frameworks for the language you are using. You can use frameworks such as .NET, Ruby on Rails, and React JS, since they help check and sanitise your HTML code. Treating all data from authenticated and unauthenticated users alike as untrusted can reduce the risk of XSS attacks.
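As an added example (not code from the page or from any of the frameworks it names), here are the two forms "sanitise your HTML" takes in practice: output-encoding for plain-text fields, and an allowlist sanitiser for fields where limited markup is wanted. The allowlist, the safe URL prefixes and the sample fragments are constructed; this is a teaching sanitiser using the standard library's `html.parser`, and a production application should rely on a maintained sanitiser library for the same job.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}              # every other attribute (onclick, onerror, style, ...) is dropped
SAFE_HREF_PREFIXES = ("http://", "https://", "/")
DROP_CONTENT_TAGS = {"script", "style"}      # their text is never user-visible content, so discard it

class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and attributes; all text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = False

    def render_open(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return None
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue                     # rejects javascript:, data: and similar schemes
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        return f"<{tag}{''.join(rendered)}>"

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
            return
        opened = self.render_open(tag, attrs)
        if opened:
            self.out.append(opened)

    def handle_startendtag(self, tag, attrs):   # self-closing forms such as <br/>
        opened = self.render_open(tag, attrs)
        if opened:
            self.out.append(opened)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data))   # text is always encoded, never echoed raw

def sanitize_html(fragment: str) -> str:
    """Rich-text fields: keep harmless markup, drop everything else."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def escape_text(value: str) -> str:
    """Plain-text fields: no markup is wanted at all, so just output-encode."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    # Constructed fragments such as a comment field might receive.
    print(sanitize_html('<b>hi</b><script>alert(1)</script>'))                    # <b>hi</b>
    print(sanitize_html('<a href="javascript:alert(1)" onclick="x()">link</a>'))  # <a>link</a>
    print(escape_text('<img src=x onerror=alert(1)>'))                            # &lt;img src=x onerror=alert(1)&gt;
```

Escaping is the default answer: only reach for the allowlist sanitiser when users genuinely need bold text or links, and note that it also drops unknown tags such as `<img>` entirely rather than trying to clean their attributes.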

Insecure Deserialization

Deserialization is the conversion of serialized data received from a server into an object. Deserializing data objects is common in software development. It is unsafe when the data being deserialized comes from an untrusted source. This can expose your application to attack. Insecure deserialization occurs when deserialized data from an untrusted source leads to DDoS attacks, remote code execution attacks, or authentication bypasses.

To prevent insecure deserialization, the rule of thumb is to never trust user data. All user input should be treated as potentially malicious. Avoid deserializing data from untrusted sources. Make sure the deserialization functions used in your web application are secure.
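An added example (not the page's code) of what "make sure the deserialization function is secure" can mean in Python: a `pickle.Unpickler` subclass that refuses to resolve any class or function name, so a pickle can only carry plain built-in data, placed next to the preferred path of a data-only format (JSON) with explicit validation of every field. The order schema, the sample payloads and the limits are constructed.

```python
import io
import json
import pickle
from datetime import date

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global, so the pickle cannot reference classes or callables."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def loads_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def try_restricted(data: bytes) -> str:
    """Demo helper: 'ok' if the pickle is plain data, 'rejected' if it names any global."""
    try:
        loads_restricted(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"

def load_order_json(data: bytes) -> dict:
    """Preferred path: a data-only format plus explicit validation of every field."""
    obj = json.loads(data)
    if not isinstance(obj, dict):
        raise ValueError("order must be a JSON object")
    sku, qty = obj.get("sku"), obj.get("qty")
    if not (isinstance(sku, str) and sku.isalnum() and 1 <= len(sku) <= 16):
        raise ValueError("bad sku")
    if not (isinstance(qty, int) and not isinstance(qty, bool) and 1 <= qty <= 1000):
        raise ValueError("bad qty")
    return {"sku": sku, "qty": qty}   # rebuild the object from validated fields only

# Constructed sample payloads: plain data, and an object whose pickle names a class.
SAMPLE_PLAIN = pickle.dumps({"sku": "A1", "qty": 2})
SAMPLE_OBJECT = pickle.dumps(date(2020, 1, 1))

if __name__ == "__main__":
    print(try_restricted(SAMPLE_PLAIN))    # ok
    print(try_restricted(SAMPLE_OBJECT))   # rejected: the pickle references datetime.date
    print(load_order_json(b'{"sku": "A1", "qty": 2}'))   # {'sku': 'A1', 'qty': 2}
```

Even the harmless `date` object is refused, which is deliberate: any pickle that can name a class can name one whose constructor does something the application never intended, so the restricted loader draws the line at "no globals at all" rather than trying to judge which ones are safe.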

Using Components With Known Vulnerabilities

Libraries and frameworks have made it faster to build websites without reinventing the wheel. This reduces redundancy in code review. They let developers focus on the most important features of the application. If attackers find exploits in these systems, every codebase that uses that framework is at risk.

Component developers usually provide security patches and updates for library components. To prevent component vulnerabilities, you should make a habit of keeping your applications up to date with the latest security patches and upgrades. Unused components should be removed from the application to reduce attack vectors.
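An added example (not from the page) of the two habits above turned into a check that can run in a build: parse a pinned requirements list, compare each pin against an advisory feed, and flag dependencies that are declared but never imported. The advisory feed, the package names and the requirements file are constructed placeholders, not real packages or advisories.

```python
import re

# Constructed advisory feed: package -> [(first fixed version, note)]. Not real advisories.
ADVISORIES = {
    "examplelib": [((2, 3, 1), "PLACEHOLDER-ADVISORY-1: versions before 2.3.1 affected")],
    "otherlib": [((1, 0, 5), "PLACEHOLDER-ADVISORY-2: versions before 1.0.5 affected")],
}

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==\s*([0-9.]+))?\s*$")

def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text: str) -> list:
    """Returns (name, version tuple or None) for each non-comment line."""
    result = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQ_RE.match(line)
        if not match:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name = match.group(1).lower()
        version = parse_version(match.group(3)) if match.group(3) else None
        result.append((name, version))
    return result

def audit_requirements(text: str, advisories: dict = ADVISORIES, imported=None) -> list:
    """Findings: known-vulnerable pins, unpinned packages, and declared-but-unused packages."""
    findings = []
    for name, version in parse_requirements(text):
        if version is None:
            findings.append(f"{name}: unpinned, so the deployed version can change silently")
            continue
        for fixed_in, note in advisories.get(name, []):
            if version < fixed_in:
                findings.append(f"{name}=={'.'.join(map(str, version))}: {note}")
        if imported is not None and name not in imported:
            findings.append(f"{name}: declared but never imported; remove it to shrink the attack surface")
    return findings

# Constructed requirements file and the set of packages the code actually imports.
SAMPLE_REQUIREMENTS = """
examplelib==2.2.0   # older than the fix
otherlib==1.0.5     # already patched
leftoverlib==0.9.0  # nobody imports this any more
somehttplib         # no pin at all
"""
SAMPLE_IMPORTS = {"examplelib", "otherlib", "somehttplib"}

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS, imported=SAMPLE_IMPORTS):
        print(finding)   # three findings: the stale pin, the unused package, the unpinned one
```

Real projects feed this from a maintained vulnerability database rather than a dict, but the shape is the same: the value is in running it on every build so that a stale pin is caught when it appears, not months later.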

Insufficient Logging And Monitoring

Logging and monitoring are important for revealing what is happening in your web application. Logging makes it easier to find errors and to monitor user logins and other events.

Insufficient logging and monitoring occurs when security-critical events are not logged properly. Attackers capitalise on this to attack your application before there is any visible response.

Logging can help your company save money and time because your developers can find bugs easily. This lets them focus more on fixing bugs than on finding them. In fact, logging can help keep your sites and servers up and running all the time without any downtime going unnoticed.
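As an added example (not from the original page), the section's two halves in code: a helper that writes each security-relevant event as one parseable line, and a monitor that reads those lines back and raises an alert when one source address accumulates too many failed logins inside a short window. The log lines, addresses and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def log_event(ts: datetime, event: str, **fields) -> str:
    """Emit one parseable line per security-relevant event (the logging half)."""
    body = " ".join(f"{key}={value}" for key, value in sorted(fields.items()))
    return f"{ts.isoformat()} {event} {body}"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<fields>(?: \w+=\S+)*)$")

def parse_line(line: str):
    """Turn a log line back into a dict, or None if it is not one of ours."""
    match = LINE_RE.match(line)
    if not match:
        return None
    fields = dict(item.split("=", 1) for item in match.group("fields").split())
    return {"ts": datetime.fromisoformat(match.group("ts")), "event": match.group("event"), **fields}

def detect_failed_login_bursts(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert once per source IP when `threshold` failures fall inside `window` (the monitoring half).

    Lines are expected in time order, as they would be read from a log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if not event or event["event"] != "login_failed":
            continue
        ip, ts = event["ip"], event["ts"]
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(failures), failures[0].isoformat(), ts.isoformat()))
    return alerts

# Constructed sample log: one source trying many accounts, and one user who mistyped once.
T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = [
    log_event(T0 + timedelta(seconds=20 * i), "login_failed", user=f"user{i}", ip="203.0.113.9")
    for i in range(6)
]
SAMPLE_LOG += [
    log_event(T0 + timedelta(seconds=30), "login_failed", user="alice", ip="192.0.2.4"),
    log_event(T0 + timedelta(seconds=45), "login_ok", user="alice", ip="192.0.2.4"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print(detect_failed_login_bursts(SAMPLE_LOG))
    # [('203.0.113.9', 5, '2024-05-01T10:00:00', '2024-05-01T10:01:20')]
```

The monitor only works because the log line carries the user, the outcome and the source address as separate fields; a free-text "login error" message would have left nothing for it to count, which is the practical meaning of "security-critical events not logged properly".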

Conclusion

Good code is not only about functionality; it is about keeping your users and your application safe. The OWASP Top Ten list of the most critical application security risks is a great free resource for developers writing secure web and mobile applications. Training the developers on your team to identify and address these risks can save your team time and money in the long run. If you would like to learn more about how to train your team on the OWASP Top Ten, click here.