What is the OWASP Top 10?
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. The OWASP Top 10 is a powerful awareness document for web application security that presents a list of the 10 most critical web application security risks. The most recent edition of this document was published in 2013.
OWASP Top 10 in 2013
In the subsections that follow, we provide our statements against each of the top 10 security risks. Interested parties are encouraged to visit OWASP to see this document in full, or to consult the many other web resources for more information about each security risk. Depending on the nature of the vulnerability, a front-end framework such as ZK may not be the source of the weakness that needs to be strengthened. Application developers need to understand the vulnerabilities that lead to the exploits attackers may use to target their systems. With that knowledge, software authors can take preventative measures to mitigate these threats.
ZK makes no assumptions about third-party technologies and cannot cover their required escaping syntax. This security risk needs to be addressed during application development, wherever untrusted data is used in conjunction with an interpreter. For example, to prevent SQL injection, user data should not be used to construct SQL commands directly; instead, parameterized queries should be used.
Since ZK does not provide any login mechanism, it is up to developers to choose and secure a user authentication management mechanism on their own.
Please see our tips on how to deal with this security issue in ZK.
In ZK, developers have full control over which objects they want to make available on the client side. Sensitive information need not be exposed to client-side manipulation; it can be left in the desktop or session scope. The indirection occurs through ZK components. The developer decides when to read values from input components and save them on the server.
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly.
Developers have full control over which data is displayed in a zul page, and must avoid exposing sensitive data.
Since ZK is programmed in the Java language, developers have full control over the availability of backend service functions.
Please refer to our document on this topic.
ZK addresses known vulnerabilities with high priority. Once they are identified, we provide updates and patches as soon as possible. Hence, it is recommended to upgrade to the latest version when it becomes available.
Since ZK is a web application running in a servlet container, the developer has control over forwards/redirects to external URLs.