OWASP Top 10 Security Concerns In 2013

Revision as of 10:16, 24 March 2015

What is the OWASP Top 10?

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. The OWASP Top Ten is a powerful awareness document for web application security that provides a list of the 10 most critical web application security risks. The most recent version of this document was published in 2013.

OWASP Top 10 in 2013

In the subsections that follow, the top 10 security risks are summarized briefly. Interested parties are encouraged to visit OWASP, or other abundant web resources, for more information on each security risk. Depending on the nature of the vulnerability, a front-end framework such as ZK may not be the source of the weakness that needs to be strengthened. Application developers need to understand the vulnerabilities behind the exploits attackers may use against their systems. With that knowledge, software authors can take preventive measures to mitigate these threats.

Injection

Injection flaws occur when an application sends untrusted data to an interpreter. For example, if the application uses untrusted data in the construction of a SQL command, then an attacker can send specially designed text strings that exploit the syntax of the SQL language to change the meaning of the original query.

ZK makes no assumptions about any third-party technology, so it cannot supply the escaping syntax each interpreter requires. This risk must be addressed during application development wherever untrusted data is used together with an interpreter. For example, to prevent SQL injection, user data should never be used to construct SQL commands directly; parameterized queries should be used instead.
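The contrast described above, as an added example that is not part of the original page or of ZK: the same lookup written once by splicing user input into the SQL text and once as a parameterized query, run against a constructed in-memory SQLite table (the same pattern applies to a JDBC PreparedStatement in a ZK application).

```python
import sqlite3

# Constructed sample data; not from the original page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted data becomes part of the SQL text, so the interpreter
    # parses it as syntax and the query's meaning can change.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # Untrusted data is bound as a parameter, so the interpreter always
    # treats it as a literal value regardless of its contents.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed input that, when spliced into SQL text, makes the WHERE
# clause a tautology (the textbook case the OWASP entry refers to).
PAYLOAD = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_parameterized(conn, "bob"),
        "safe_payload": lookup_parameterized(conn, PAYLOAD),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the concatenated query returns every user while the parameterized one returns nothing, because no user is literally named `x' OR '1'='1`.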

Broken Authentication and Session Management

Cross-Site Scripting (XSS)

Insecure Direct Object References

Security Misconfiguration

Sensitive Data Exposure

Missing Function Level Access Control

Cross-Site Request Forgery (CSRF)

Using Components with Known Vulnerabilities

Unvalidated Redirects and Forwards