Revision as of 08:35, 14 May 2024

OWASP Top 10 Security Concerns In 2021

This page details the OWASP Top 10 security risks for 2021 as they pertain to the ZK framework. For risks that continue from the 2017 list, links are provided to the original explanations, with updates and new risks detailed directly on this page.

A01:2021 - Broken Access Control

See OWASP Top 10 Security Concerns In 2017#A05 - Broken Access Control

A02:2021 - Cryptographic Failures

See OWASP Top 10 Security Concerns In 2017#A03 - Sensitive Data Exposure

A03:2021 - Injection

See both:

A04:2021 - Insecure Design

ZK 10.0.0 addresses insecure design through several security enhancements, reinforcing the framework's defense against potential threats:

Stricter GET/POST Handling: ZK 10.0.0 has refined how GET and POST requests are processed to prevent HTTP verb tampering attacks.
Enhanced Security Framework: Includes Synk Scanning, CodeQL PR Scanning, and SonarCube to analyze and protect the codebase.
Enable InaccessibleWidgetBlockService by Default: Blocks requests from inaccessible widgets enhancing security by preventing interactions with UI components that should not be accessible.

A05:2021 - Security Misconfiguration

ZK Framework has enhanced its security measures to further protect against XML External Entities (XXE) attacks. As of ZK 10.0.0, the XML parsing configuration has been updated to disallow Doctype declarations, which are a common vector for XXE attacks. This change prevents the XML parser from processing XML documents that include external entities, thereby mitigating potential security risks.

For further details, see ZK-5622 Disallow Doctype on parsed XML files in ZK to increase security.

See both:

A06:2021 - Vulnerable and Outdated Components

ZK has taken proactive steps to address the risks associated with using vulnerable and outdated components. As of ZK 9.5.0, the framework has integrated the OWASP Dependency Check into its build process. This tool helps identify and mitigate security vulnerabilities in third-party libraries and dependencies by scanning them against known vulnerability databases. This measure significantly enhances security by ensuring that potential vulnerabilities are identified and addressed promptly before production deployment.

A07:2021 - Identification and Authentication Failures

See OWASP Top 10 Security Concerns In 2017#A02 - Broken Authentication

A08:2021 - Software and Data Integrity Failures

See OWASP Top 10 Security Concerns In 2017#A08 - Insecure Deserialization

A09:2021 - Security Logging and Monitoring Failures

See OWASP Top 10 Security Concerns In 2017#A10 - Insufficient Logging & Monitoring

A10:2021 - Server-Side Request Forgery (SSRF)

While ZK Framework itself does not provide specific mechanisms for making server-side requests, app developers need to ensure the safe handling of URLs and external resources, employing strict input validation and allowing accessible internal systems.

@@ Line 1: / Line 1: @@
-= OWASP Top 10 Security Concerns 2021 =
+= OWASP Top 10 Security Concerns In 2021 =
+This page details the [https://owasp.org/Top10/ OWASP Top 10 security risks for 2021] as they pertain to the ZK framework. For risks that continue from the 2017 list, links are provided to the original explanations, with updates and new risks detailed directly on this page.
+== A01:2021 - Broken Access Control ==
+See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A05-Broken_Access_Control|OWASP Top 10 Security Concerns In 2017#A05 - Broken Access Control]]
+== A02:2021 - Cryptographic Failures ==
+See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A03-Sensitive_Data_Exposure|OWASP Top 10 Security Concerns In 2017#A03 - Sensitive Data Exposure]]
+== A03:2021 - Injection ==
+See both:
+* [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A01-Injection|OWASP Top 10 Security Concerns In 2017#A01 - Injection]]
+* [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A07-Cross-Site_Scripting_(XSS)|OWASP Top 10 Security Concerns In 2017#A07 - Cross-Site Scripting (XSS)]]
 == A04:2021 - Insecure Design ==
 ZK 10.0.0 addresses insecure design through several security enhancements, reinforcing the framework's defense against potential threats:
-* '''Stricter GET/POST Handling''': To prevent HTTP verb tampering attacks, ZK 10.0.0 has refined how GET and POST requests are processed. It now returns a 404 error if an Asynchronous Update (AU) request is incorrectly sent via GET, ensuring proper usage of HTTP methods.
+* '''Stricter GET/POST Handling''': ZK 10.0.0 has refined how GET and POST requests are processed to prevent HTTP verb tampering attacks.
-* '''Enhanced Security Framework''': ZK 10.0.0 integrates three advanced security checks into our CI/CD process:
+* '''Enhanced Security Framework''': Includes Synk Scanning, CodeQL PR Scanning, and SonarCube to analyze and protect the codebase.
-** '''Synk Scanning''': This tool analyzes both source code and third-party dependencies for vulnerabilities.
+* '''Enable InaccessibleWidgetBlockService by Default''': Blocks requests from inaccessible widgets enhancing security by preventing interactions with UI components that should not be accessible.
-** '''CodeQL PR Scanning''': It assesses pull requests for Java, JavaScript, and TypeScript to find security flaws before they are merged.
-** '''SonarCube''': It scans the source code comprehensively to identify bugs, vulnerabilities, and security risks.
+== A05:2021 - Security Misconfiguration ==
-* '''Enable InaccessibleWidgetBlockService by Default''': In ZK 10.0.0, the InaccessibleWidgetBlockService, which blocks requests from inaccessible widgets, is enabled by default. This feature enhances security by preventing interactions with UI components that should not be accessible, such as disabled or hidden components.
+ZK Framework has enhanced its security measures to further protect against XML External Entities (XXE) attacks. As of ZK 10.0.0, the XML parsing configuration has been updated to disallow Doctype declarations, which are a common vector for XXE attacks. This change prevents the XML parser from processing XML documents that include external entities, thereby mitigating potential security risks.
+For further details, see [https://tracker.zkoss.org/browse/ZK-5622 ZK-5622 Disallow Doctype on parsed XML files in ZK to increase security].
+See both:
+* [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A06-Security_Misconfiguration|OWASP Top 10 Security Concerns In 2017#A06 - Security Misconfiguration]]
+* [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A04-XML_External_Entities_(XXE)|OWASP Top 10 Security Concerns In 2017#A04 - XML External Entities (XXE)]]
+== A06:2021 - Vulnerable and Outdated Components ==
+ZK has taken proactive steps to address the risks associated with using vulnerable and outdated components. As of ZK 9.5.0, the framework has [https://tracker.zkoss.org/browse/ZK-4562 integrated the OWASP Dependency Check into its build process]. This tool helps identify and mitigate security vulnerabilities in third-party libraries and dependencies by scanning them against known vulnerability databases. This measure significantly enhances security by ensuring that potential vulnerabilities are identified and addressed promptly before production deployment.
+See also:
+* [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A09-Using_Components_with_Known_Vulnerabilities|OWASP Top 10 Security Concerns In 2017#A09 - Using Components with Known Vulnerabilities]]
+== A07:2021 - Identification and Authentication Failures ==
+See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A02-Broken_Authentication|OWASP Top 10 Security Concerns In 2017#A02 - Broken Authentication]]
 == A08:2021 - Software and Data Integrity Failures ==
-While the ZK Framework itself does not manage software and data integrity directly, it is recommended that applications leveraging ZK implement appropriate controls. This includes the use of secure build pipelines, artifact verification, and runtime protection mechanisms to ensure data integrity throughout the application lifecycle.
+See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A08-Insecure_Deserialization|OWASP Top 10 Security Concerns In 2017#A08 - Insecure Deserialization]]
+== A09:2021 - Security Logging and Monitoring Failures ==
+See [[ZK_Developer's_Reference/Security_Tips/OWASP_Top_10_Security_Concerns_In_2017#A10-Insufficient_Logging_and_Monitoring|OWASP Top 10 Security Concerns In 2017#A10 - Insufficient Logging & Monitoring]]
 == A10:2021 - Server-Side Request Forgery (SSRF) ==
-While ZK Framework itself does not provide specific mechanisms for making server-side requests, it is essential for developers using ZK to be vigilant about SSRF risks. The responsibility to prevent SSRF lies with application developers who must ensure safe handling of URLs and external resources. They should employ strict input validation, use allowlisting for accessible internal systems, and be cautious with the exposure of HTTP endpoints. Ensuring that all server-side requests, particularly those calling Java APIs directly, are secure against SSRF attacks is crucial for maintaining application security.
+While ZK Framework itself does not provide specific mechanisms for making server-side requests, app developers need to ensure the safe handling of URLs and external resources, employing strict input validation and allowing accessible internal systems.

Anonymous

Difference between revisions of "OWASP Top10:2021"

Namespaces

More

Page actions