OWASP: Unterschied zwischen den Versionen
| Zeile 24: | Zeile 24: | ||
==A10:2017 Unzureichendes Logging und Monitoring== | ==A10:2017 Unzureichendes Logging und Monitoring== | ||
Kein Erkennen von Angriffen. | Kein Erkennen von Angriffen. | ||
| + | |||
| + | =25 SANS= | ||
| + | {| border="1" style="border-collapse:collapse" | ||
| + | |- | ||
| + | ! scope="col"| Rank | ||
| + | ! scope="col"| ID | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |[1] || CWE-89 || Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
| + | |- | ||
| + | |[2] || CWE-78 || Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||
| + | |- | ||
| + | |[3] || CWE-120 || Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | ||
| + | |- | ||
| + | |[4] || CWE-79 || Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||
| + | |- | ||
| + | |[5] || CWE-306 || Missing Authentication for Critical Function | ||
| + | |- | ||
| + | |[6] || CWE-862 || Missing Authorization | ||
| + | |- | ||
| + | |[7] || CWE-798 || Use of Hard-coded Credentials | ||
| + | |- | ||
| + | |[8] || CWE-311 || Missing Encryption of Sensitive Data | ||
| + | |- | ||
| + | |[9] || CWE-434 || Unrestricted Upload of File with Dangerous Type | ||
| + | |- | ||
| + | |[10] || CWE-807 || Reliance on Untrusted Inputs in a Security Decision | ||
| + | |- | ||
| + | |[11] || CWE-250 || Execution with Unnecessary Privileges | ||
| + | |- | ||
| + | |[12] || CWE-352 || Cross-Site Request Forgery (CSRF) | ||
| + | |- | ||
| + | |[13] || CWE-22 || Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | ||
| + | |- | ||
| + | |[14] || CWE-494 || Download of Code Without Integrity Check | ||
| + | |- | ||
| + | |[15] || CWE-863 || Incorrect Authorization | ||
| + | |- | ||
| + | |[16] || CWE-829 || Inclusion of Functionality from Untrusted Control Sphere | ||
| + | |- | ||
| + | |[17] || CWE-732 || Incorrect Permission Assignment for Critical Resource | ||
| + | |- | ||
| + | |[18] || CWE-676 || Use of Potentially Dangerous Function | ||
| + | |- | ||
| + | |[19] || CWE-327 || Use of a Broken or Risky Cryptographic Algorithm | ||
| + | |- | ||
| + | |[20] || CWE-131 || Incorrect Calculation of Buffer Size | ||
| + | |- | ||
| + | |[21] || CWE-307 || Improper Restriction of Excessive Authentication Attempts | ||
| + | |- | ||
| + | |[22] || CWE-601 || URL Redirection to Untrusted Site ('Open Redirect') | ||
| + | |- | ||
| + | |[23] || CWE-134 || Uncontrolled Format String | ||
| + | |- | ||
| + | |[24] || CWE-190 || Integer Overflow or Wraparound | ||
| + | |- | ||
| + | |[25] || CWE-759 || Use of a One-Way Hash without a Salt | ||
| + | |} | ||
Version vom 11. März 2019, 07:22 Uhr
A1:2017 Injection
Z.Bsp. SQL-, OS- oder LDAP-Injection.Treten auf bei Verarbeitung von nicht vertrauenswuerdigen Daten als Teil eines Kommandos oder einer Abfrage.
A2:2017 Fehler in der Authetifizierung
Fehlerhafte Implementierung von Funktionen bei der Authentifizierung bzw. beim Session-Management.
A3:2017 Verlust der Vetraulichkeit sensibler Daten
Unzureichender Schutz von sensiblen Daten durch die Anwendung.
A4:2017 XML External Entities
Externe Entitäten innerhalb von XML-Dokumenten können bei Verwendung von alten oder schlecht konfigurierten XML Prozessoren mißbraucht werden
(Offenlegung interner Dateien oder File-Shares, Port Scans, Remote-Code-Executions, Denial-of-Service Angriffe).
A5:2017 Fehler in der Zugriffskontrolle
Fehler bei der Umsetzung oder Durchsetzung der Zugriffskontrolle authorisierter Benutzer.
A6:2017 Sicherheitsrelevante Fehlkonfiguration
Fehlkonfigurationen von Sicherheitseinstellungen, unsichere Standardkonfigurationen, etc.
A7:2017 Cross-Site Scripting (XSS)
Bei Verarbeitung nicht vertrauenswürdiger Daten durch Webserver
(Auslesen von Cookie-Informationen, Ausführen von Script Code im Browser).
A8:2017 Unsichere Deserialisierung
Serialisierung ist die Abbildung von strukturierten Daten in sequentieller Darstellungsform.
Eine unzureichend geprüfte Deserialisierung kann zum Ausführen fremder Befehle ausgenutzt werden.
A9:2017 Nutzung von Komponenten mit bekannten Schwachstellen
Verwendung unsicherer Bibliotheken, Frameworks, etc.
A10:2017 Unzureichendes Logging und Monitoring
Kein Erkennen von Angriffen.
25 SANS
| Rank | ID | Name |
|---|---|---|
| [1] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| [2] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| [3] | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| [4] | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| [5] | CWE-306 | Missing Authentication for Critical Function |
| [6] | CWE-862 | Missing Authorization |
| [7] | CWE-798 | Use of Hard-coded Credentials |
| [8] | CWE-311 | Missing Encryption of Sensitive Data |
| [9] | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| [10] | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| [11] | CWE-250 | Execution with Unnecessary Privileges |
| [12] | CWE-352 | Cross-Site Request Forgery (CSRF) |
| [13] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| [14] | CWE-494 | Download of Code Without Integrity Check |
| [15] | CWE-863 | Incorrect Authorization |
| [16] | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
| [17] | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| [18] | CWE-676 | Use of Potentially Dangerous Function |
| [19] | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| [20] | CWE-131 | Incorrect Calculation of Buffer Size |
| [21] | CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| [22] | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| [23] | CWE-134 | Uncontrolled Format String |
| [24] | CWE-190 | Integer Overflow or Wraparound |
| [25] | CWE-759 | Use of a One-Way Hash without a Salt |