Difference between revisions of "OWASP Top10:2021"
| (18 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | = OWASP Top 10 Security Concerns 2021 = | + | = OWASP Top 10 Security Concerns In 2021 = |
| + | The Open Web Application Security Project (OWASP) is a global nonprofit organization dedicated to enhancing software security. Its OWASP Top 10 list serves as a crucial tool in raising awareness about web application security, highlighting the ten most significant risks. | ||
| − | == A04:2021 - Insecure Design == | + | This page details the [https://owasp.org/Top10/ OWASP Top 10 security risks for 2021] as they pertain to the ZK framework and offer insights into how developers can proactively address these threats. For risks that have been listed in the 2017 list, links are provided to the original explanations, with updates and new risks detailed directly on this page. |
| + | |||
| + | == [https://owasp.org/Top10/A01_2021-Broken_Access_Control/ A01:2021 - Broken Access Control] == | ||
| + | ZK Framework has strengthened its access control measures by enabling the InaccessibleWidgetBlockService by default since 10.0.0. This service enhances security by automatically blocking interactions with UI components that are not meant to be accessible, such as disabled or hidden components. This default setting helps prevent unauthorized access and ensures that access control policies are enforced consistently across the application. | ||
| + | |||
| + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A05-Broken_Access_Control|OWASP Top 10 Security Concerns In 2017#A05 - Broken Access Control]] | ||
| + | |||
| + | == [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ A02:2021 - Cryptographic Failures] == | ||
| + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A03-Sensitive_Data_Exposure|OWASP Top 10 Security Concerns In 2017#A03 - Sensitive Data Exposure]] | ||
| + | |||
| + | == [https://owasp.org/Top10/A03_2021-Injection/ A03:2021 - Injection] == | ||
| + | See both: | ||
| + | * [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A01-Injection|OWASP Top 10 Security Concerns In 2017#A01 - Injection]] | ||
| + | * [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A07-Cross-Site_Scripting_(XSS)|OWASP Top 10 Security Concerns In 2017#A07 - Cross-Site Scripting (XSS)]] | ||
| + | |||
| + | == [https://owasp.org/Top10/A04_2021-Insecure_Design/ A04:2021 - Insecure Design] == | ||
ZK 10.0.0 addresses insecure design through several security enhancements, reinforcing the framework's defense against potential threats: | ZK 10.0.0 addresses insecure design through several security enhancements, reinforcing the framework's defense against potential threats: | ||
* '''Stricter GET/POST Handling''': To prevent HTTP verb tampering attacks, ZK 10.0.0 has refined how GET and POST requests are processed. It now returns a 404 error if an Asynchronous Update (AU) request is incorrectly sent via GET, ensuring proper usage of HTTP methods. | * '''Stricter GET/POST Handling''': To prevent HTTP verb tampering attacks, ZK 10.0.0 has refined how GET and POST requests are processed. It now returns a 404 error if an Asynchronous Update (AU) request is incorrectly sent via GET, ensuring proper usage of HTTP methods. | ||
| − | * ''' | + | * '''Proactive Security Measures in CI/CD Process''': ZK 10.0.0 integrates three advanced security checks into our CI/CD process: |
** '''Synk Scanning''': This tool analyzes both source code and third-party dependencies for vulnerabilities. | ** '''Synk Scanning''': This tool analyzes both source code and third-party dependencies for vulnerabilities. | ||
** '''CodeQL PR Scanning''': It assesses pull requests for Java, JavaScript, and TypeScript to find security flaws before they are merged. | ** '''CodeQL PR Scanning''': It assesses pull requests for Java, JavaScript, and TypeScript to find security flaws before they are merged. | ||
** '''SonarCube''': It scans the source code comprehensively to identify bugs, vulnerabilities, and security risks. | ** '''SonarCube''': It scans the source code comprehensively to identify bugs, vulnerabilities, and security risks. | ||
| − | |||
| − | == A08:2021 - Software and Data Integrity Failures == | + | == [https://owasp.org/Top10/A05_2021-Security_Misconfiguration/ A05:2021 - Security Misconfiguration] == |
| − | While | + | |
| + | ZK Framework has enhanced its security measures to further protect against XML External Entities (XXE) attacks. As of ZK 10.0.0, the XML parsing configuration has been updated to disallow Doctype declarations, which are a common vector for XXE attacks. This change prevents the XML parser from processing XML documents that include external entities, thereby mitigating potential security risks. For further details, see [https://tracker.zkoss.org/browse/ZK-5622 ZK-5622 Disallow Doctype on parsed XML files in ZK to increase security]. | ||
| + | |||
| + | ZK Framework has taken steps to enhance security configurations to prevent common misconfigurations that could lead to security vulnerabilities. A significant enhancement, implemented as of ZK 9.5.0, is the [https://tracker.zkoss.org/browse/ZK-4564 splitting of the DHtmlUpdateServlet into two dedicated servlets]: one for handling dynamic AJAX updates (AU Servlet) and another for serving static resources (Resource Servlet). This separation enhances security by reducing the risk of misconfigurations that could expose sensitive data or functionality unintentionally. | ||
| + | |||
| + | See both: | ||
| + | * [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A06-Security_Misconfiguration|OWASP Top 10 Security Concerns In 2017#A06 - Security Misconfiguration]] | ||
| + | * [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A04-XML_External_Entities_(XXE)|OWASP Top 10 Security Concerns In 2017#A04 - XML External Entities (XXE)]] | ||
| + | |||
| + | == [https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ A06:2021 - Vulnerable and Outdated Components] == | ||
| + | ZK has taken proactive steps to address the risks associated with using vulnerable and outdated components. As of ZK 9.5.0, the framework has [https://tracker.zkoss.org/browse/ZK-4562 integrated the OWASP Dependency Check into its build process]. This tool helps identify and mitigate security vulnerabilities in third-party libraries and dependencies by scanning them against known vulnerability databases. This measure significantly enhances security by ensuring that potential vulnerabilities are identified and addressed promptly before production deployment. | ||
| + | |||
| + | See also: | ||
| + | * [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A09-Using_Components_with_Known_Vulnerabilities|OWASP Top 10 Security Concerns In 2017#A09 - Using Components with Known Vulnerabilities]] | ||
| + | |||
| + | == [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ A07:2021 - Identification and Authentication Failures] == | ||
| + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A02-Broken_Authentication|OWASP Top 10 Security Concerns In 2017#A02 - Broken Authentication]] | ||
| + | |||
| + | == [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/ A08:2021 - Software and Data Integrity Failures] == | ||
| + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A08-Insecure_Deserialization|OWASP Top 10 Security Concerns In 2017#A08 - Insecure Deserialization]] | ||
| + | |||
| + | == [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ A09:2021 - Security Logging and Monitoring Failures] == | ||
| + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A10-Insufficient_Logging_and_Monitoring|OWASP Top 10 Security Concerns In 2017#A10 - Insufficient Logging & Monitoring]] | ||
| + | |||
| + | == [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ A10:2021 - Server-Side Request Forgery (SSRF)] == | ||
| + | While ZK Framework itself does not provide specific mechanisms for making server-side requests, app developers need to ensure the safe handling of URLs and external resources, employing strict input validation and allowing accessible internal systems. | ||
| − | == | + | = Summary = |
| − | + | Developers should understand that while a front-end framework like ZK plays a vital role in user interface development, it represents only a fraction of the entire application system. It's important to recognize that vulnerabilities within the UI layer are not the primary source of weaknesses that require fortification. Instead, developers must comprehensively assess all layers of their applications to identify potential vulnerabilities that attackers could exploit. With this holistic understanding, software developers can implement proactive measures across the entire system to mitigate these threats effectively. | |
Latest revision as of 16:35, 15 May 2024
OWASP Top 10 Security Concerns In 2021
The Open Web Application Security Project (OWASP) is a global nonprofit organization dedicated to enhancing software security. Its OWASP Top 10 list serves as a crucial tool in raising awareness about web application security, highlighting the ten most significant risks.
This page details the OWASP Top 10 security risks for 2021 as they pertain to the ZK framework and offer insights into how developers can proactively address these threats. For risks that have been listed in the 2017 list, links are provided to the original explanations, with updates and new risks detailed directly on this page.
A01:2021 - Broken Access Control
ZK Framework has strengthened its access control measures by enabling the InaccessibleWidgetBlockService by default since 10.0.0. This service enhances security by automatically blocking interactions with UI components that are not meant to be accessible, such as disabled or hidden components. This default setting helps prevent unauthorized access and ensures that access control policies are enforced consistently across the application.
See OWASP Top 10 Security Concerns In 2017#A05 - Broken Access Control
A02:2021 - Cryptographic Failures
See OWASP Top 10 Security Concerns In 2017#A03 - Sensitive Data Exposure
A03:2021 - Injection
See both:
- OWASP Top 10 Security Concerns In 2017#A01 - Injection
- OWASP Top 10 Security Concerns In 2017#A07 - Cross-Site Scripting (XSS)
A04:2021 - Insecure Design
ZK 10.0.0 addresses insecure design through several security enhancements, reinforcing the framework's defense against potential threats:
- Stricter GET/POST Handling: To prevent HTTP verb tampering attacks, ZK 10.0.0 has refined how GET and POST requests are processed. It now returns a 404 error if an Asynchronous Update (AU) request is incorrectly sent via GET, ensuring proper usage of HTTP methods.
- Proactive Security Measures in CI/CD Process: ZK 10.0.0 integrates three advanced security checks into our CI/CD process:
- Synk Scanning: This tool analyzes both source code and third-party dependencies for vulnerabilities.
- CodeQL PR Scanning: It assesses pull requests for Java, JavaScript, and TypeScript to find security flaws before they are merged.
- SonarCube: It scans the source code comprehensively to identify bugs, vulnerabilities, and security risks.
A05:2021 - Security Misconfiguration
ZK Framework has enhanced its security measures to further protect against XML External Entities (XXE) attacks. As of ZK 10.0.0, the XML parsing configuration has been updated to disallow Doctype declarations, which are a common vector for XXE attacks. This change prevents the XML parser from processing XML documents that include external entities, thereby mitigating potential security risks. For further details, see ZK-5622 Disallow Doctype on parsed XML files in ZK to increase security.
ZK Framework has taken steps to enhance security configurations to prevent common misconfigurations that could lead to security vulnerabilities. A significant enhancement, implemented as of ZK 9.5.0, is the splitting of the DHtmlUpdateServlet into two dedicated servlets: one for handling dynamic AJAX updates (AU Servlet) and another for serving static resources (Resource Servlet). This separation enhances security by reducing the risk of misconfigurations that could expose sensitive data or functionality unintentionally.
See both:
- OWASP Top 10 Security Concerns In 2017#A06 - Security Misconfiguration
- OWASP Top 10 Security Concerns In 2017#A04 - XML External Entities (XXE)
A06:2021 - Vulnerable and Outdated Components
ZK has taken proactive steps to address the risks associated with using vulnerable and outdated components. As of ZK 9.5.0, the framework has integrated the OWASP Dependency Check into its build process. This tool helps identify and mitigate security vulnerabilities in third-party libraries and dependencies by scanning them against known vulnerability databases. This measure significantly enhances security by ensuring that potential vulnerabilities are identified and addressed promptly before production deployment.
See also:
A07:2021 - Identification and Authentication Failures
See OWASP Top 10 Security Concerns In 2017#A02 - Broken Authentication
A08:2021 - Software and Data Integrity Failures
See OWASP Top 10 Security Concerns In 2017#A08 - Insecure Deserialization
A09:2021 - Security Logging and Monitoring Failures
See OWASP Top 10 Security Concerns In 2017#A10 - Insufficient Logging & Monitoring
A10:2021 - Server-Side Request Forgery (SSRF)
While ZK Framework itself does not provide specific mechanisms for making server-side requests, app developers need to ensure the safe handling of URLs and external resources, employing strict input validation and allowing accessible internal systems.
Summary
Developers should understand that while a front-end framework like ZK plays a vital role in user interface development, it represents only a fraction of the entire application system. It's important to recognize that vulnerabilities within the UI layer are not the primary source of weaknesses that require fortification. Instead, developers must comprehensively assess all layers of their applications to identify potential vulnerabilities that attackers could exploit. With this holistic understanding, software developers can implement proactive measures across the entire system to mitigate these threats effectively.