Difference between revisions of "OWASP Top10:2021"
| Line 3: | Line 3: | ||
This page details the [https://owasp.org/Top10/ OWASP Top 10 security risks for 2021] as they pertain to the ZK framework. For risks that continue from the 2017 list, links are provided to the original explanations, with updates and new risks detailed directly on this page. | This page details the [https://owasp.org/Top10/ OWASP Top 10 security risks for 2021] as they pertain to the ZK framework. For risks that continue from the 2017 list, links are provided to the original explanations, with updates and new risks detailed directly on this page. | ||
| − | == A01:2021 - | + | == A01:2021 - Broken Access Control == |
| − | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017# | + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A05-Broken_Access_Control|OWASP Top 10 Security Concerns In 2017#A05 - Broken Access Control]] |
== A02:2021 - Cryptographic Failures == | == A02:2021 - Cryptographic Failures == | ||
| − | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017# | + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A03-Sensitive_Data_Exposure|OWASP Top 10 Security Concerns In 2017#A03 - Sensitive Data Exposure]] |
| + | |||
== A03:2021 - Injection == | == A03:2021 - Injection == | ||
| − | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017# | + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A01-Injection|OWASP Top 10 Security Concerns In 2017#A01 - Injection]] |
== A04:2021 - Insecure Design == | == A04:2021 - Insecure Design == | ||
| Line 26: | Line 27: | ||
For further details, see the issue tracker entry: [https://tracker.zkoss.org/browse/ZK-5622|ZK-5622: Disallow Doctype causes parsing error if xml config contains DOCTYPE]. | For further details, see the issue tracker entry: [https://tracker.zkoss.org/browse/ZK-5622|ZK-5622: Disallow Doctype causes parsing error if xml config contains DOCTYPE]. | ||
| − | See [[ZK_Developer | + | See both: |
| + | * [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A06-Security_Misconfiguration|OWASP Top 10 Security Concerns In 2017#A06 - Security Misconfiguration]] | ||
| + | * [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A04-XML_External_Entities_(XXE)|OWASP Top 10 Security Concerns In 2017#A04 - XML External Entities (XXE)]] | ||
| + | |||
== A06:2021 - Vulnerable and Outdated Components == | == A06:2021 - Vulnerable and Outdated Components == | ||
| − | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017# | + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A09-Using_Components_with_Known_Vulnerabilities|OWASP Top 10 Security Concerns In 2017#A09 - Using Components with Known Vulnerabilities]] |
== A07:2021 - Identification and Authentication Failures == | == A07:2021 - Identification and Authentication Failures == | ||
| − | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017# | + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A02-Broken_Authentication|OWASP Top 10 Security Concerns In 2017#A02 - Broken Authentication]] |
== A08:2021 - Software and Data Integrity Failures == | == A08:2021 - Software and Data Integrity Failures == | ||
| − | + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A08-Insecure_Deserialization|OWASP Top 10 Security Concerns In 2017#A08 - Insecure Deserialization]] | |
== A09:2021 - Security Logging and Monitoring Failures == | == A09:2021 - Security Logging and Monitoring Failures == | ||
| − | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017# | + | See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A10-Insufficient_Logging_and_Monitoring|OWASP Top 10 Security Concerns In 2017#A10 - Insufficient Logging & Monitoring]] |
== A10:2021 - Server-Side Request Forgery (SSRF) == | == A10:2021 - Server-Side Request Forgery (SSRF) == | ||
| − | While ZK Framework itself does not provide specific mechanisms for making server-side requests, developers need to ensure safe handling of URLs and external resources, employing strict input validation and | + | While ZK Framework itself does not provide specific mechanisms for making server-side requests, app developers need to ensure the safe handling of URLs and external resources, employing strict input validation and allowing accessible internal systems. |
Revision as of 08:16, 14 May 2024
OWASP Top 10 Security Concerns In 2021
This page details the OWASP Top 10 security risks for 2021 as they pertain to the ZK framework. For risks that continue from the 2017 list, links are provided to the original explanations, with updates and new risks detailed directly on this page.
A01:2021 - Broken Access Control
See OWASP Top 10 Security Concerns In 2017#A05 - Broken Access Control
A02:2021 - Cryptographic Failures
See OWASP Top 10 Security Concerns In 2017#A03 - Sensitive Data Exposure
A03:2021 - Injection
See OWASP Top 10 Security Concerns In 2017#A01 - Injection
A04:2021 - Insecure Design
ZK 10.0.0 addresses insecure design through several security enhancements, reinforcing the framework's defense against potential threats:
- Stricter GET/POST Handling: ZK 10.0.0 has refined how GET and POST requests are processed to prevent HTTP verb tampering attacks.
- Enhanced Security Framework: Includes Synk Scanning, CodeQL PR Scanning, and SonarCube to analyze and protect the codebase.
- Enable InaccessibleWidgetBlockService by Default: Blocks requests from inaccessible widgets enhancing security by preventing interactions with UI components that should not be accessible.
A05:2021 - Security Misconfiguration
ZK Framework has enhanced its security measures to further protect against XML External Entities (XXE) attacks. As of ZK 10.0.0, the XML parsing configuration has been updated to disallow Doctype declarations, which are a common vector for XXE attacks. This change prevents the XML parser from processing XML documents that include external entities, thereby mitigating potential security risks.
This update involves setting the XML parser feature http://apache.org/xml/features/disallow-doctype-decl to true, effectively blocking Doctype declarations in XML configurations. This change enhances the security by preventing the XML parser from parsing and processing external entities referenced in Doctype Declarations, which can be exploited in XXE attacks.
For further details, see the issue tracker entry: Disallow Doctype causes parsing error if xml config contains DOCTYPE.
See both:
- OWASP Top 10 Security Concerns In 2017#A06 - Security Misconfiguration
- OWASP Top 10 Security Concerns In 2017#A04 - XML External Entities (XXE)
A06:2021 - Vulnerable and Outdated Components
See OWASP Top 10 Security Concerns In 2017#A09 - Using Components with Known Vulnerabilities
A07:2021 - Identification and Authentication Failures
See OWASP Top 10 Security Concerns In 2017#A02 - Broken Authentication
A08:2021 - Software and Data Integrity Failures
See OWASP Top 10 Security Concerns In 2017#A08 - Insecure Deserialization
A09:2021 - Security Logging and Monitoring Failures
See OWASP Top 10 Security Concerns In 2017#A10 - Insufficient Logging & Monitoring
A10:2021 - Server-Side Request Forgery (SSRF)
While ZK Framework itself does not provide specific mechanisms for making server-side requests, app developers need to ensure the safe handling of URLs and external resources, employing strict input validation and allowing accessible internal systems.