OWASP Top10:2021

From Documentation
Revision as of 05:15, 14 May 2024 by Hawk (talk | contribs)

OWASP Top 10 Security Concerns In 2021

This page details the OWASP Top 10 security risks for 2021 as they pertain to the ZK framework. For risks that continue from the 2017 list, links are provided to the original explanations, with updates and new risks detailed directly on this page.

A01:2021 - Injection

See OWASP Top 10 Security Concerns In 2017#A01 - Injection

A02:2021 - Cryptographic Failures

See OWASP Top 10 Security Concerns In 2017#A02 - Cryptographic Failures

A03:2021 - Injection

See OWASP Top 10 Security Concerns In 2017#A03 - Injection

A04:2021 - Insecure Design

ZK 10.0.0 addresses insecure design through several security enhancements, reinforcing the framework's defense against potential threats:

  • Stricter GET/POST Handling: ZK 10.0.0 has refined how GET and POST requests are processed to prevent HTTP verb tampering attacks.
  • Enhanced Security Framework: Includes Synk Scanning, CodeQL PR Scanning, and SonarCube to analyze and protect the codebase.
  • Enable InaccessibleWidgetBlockService by Default: Blocks requests from inaccessible widgets enhancing security by preventing interactions with UI components that should not be accessible.

A05:2021 - Security Misconfiguration

Previously known as XML External Entities (XXE) in A4:2017, security misconfiguration now includes risks from improperly configured systems and servers that could expose sensitive data. ZK Framework guides developers in configuring their applications properly to prevent such issues, emphasizing secure default settings and extensive documentation on configuration options.

A06:2021 - Vulnerable and Outdated Components

See OWASP Top 10 Security Concerns In 2017#A06 - Vulnerable and Outdated Components

A07:2021 - Identification and Authentication Failures

See OWASP Top 10 Security Concerns In 2017#A07 - Identification and Authentication Failures

A08:2021 - Software and Data Integrity Failures

Software and data integrity failures are not directly addressed by the ZK framework. Developers should implement secure build pipelines and runtime protections.

A09:2021 - Security Logging and Monitoring Failures

See OWASP Top 10 Security Concerns In 2017#A09 - Security Logging and Monitoring Failures

A10:2021 - Server-Side Request Forgery (SSRF)

While ZK Framework itself does not provide specific mechanisms for making server-side requests, developers need to ensure safe handling of URLs and external resources, employing strict input validation and allowlisting accessible internal systems.

Retrieved from "https://www.zkoss.org/_w/index.php?title=OWASP_Top10:2021&oldid=57161"