The OWASP Top 10 is a widely recognized list of the most critical web application security risks, published by OWASP (the Open Web Application Security Project). It is an important resource that helps developers understand the common vulnerabilities they must defend against.
What is the OWASP Top 10
A regularly-updated list of the TOP 10 most critical web app security risks:
→ based on real-world data and expert consensus
→ a standard AWARENESS document — the baseline of vulnerabilities to know and prevent
→ not exhaustive, but the most important/common risks to address first
Categories (most recent OWASP Top 10)
1. BROKEN ACCESS CONTROL → users accessing what they shouldn't (authorization flaws)
2. CRYPTOGRAPHIC FAILURES → weak/missing encryption; exposed sensitive data
3. INJECTION → SQL injection, command injection (untrusted input as code/queries)
4. INSECURE DESIGN → security flaws in the design itself
5. SECURITY MISCONFIGURATION → insecure defaults, exposed settings, verbose errors
6. VULNERABLE/OUTDATED COMPONENTS → using libraries with known vulnerabilities
7. AUTHENTICATION FAILURES → weak auth, broken session management
8. DATA INTEGRITY FAILURES → insecure deserialization, untrusted updates (supply chain)
9. LOGGING/MONITORING FAILURES → can't detect/respond to attacks
10. SSRF → server-side request forgery (server tricked into making requests)
