🧽Pen Test

Penetration Testing

Penetration testing is a simulated attack intended to identify and assess security vulnerabilities in computer systems, networks or web applications so that they can be fixed before a malicious attacker can exploit them. Through a penetration test, security professionals can verify a system's defensive measures and confirm that earlier vulnerability fixes actually work.

OWASP Top Ten 2021

https://owasp.org/www-project-top-ten/

A01:

A01:2021 - Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.

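The object-level authorization failure this category is mostly about, as an added example rather than code from the OWASP text. It assumes a small in-memory order store and a `Forbidden` exception, both constructed for the demo: the first handler authenticates (it knows who the user is) but never authorizes, so any signed-in customer can read any order by changing the id; the second denies by default and gives the same answer for a missing order and for someone else's order, so valid ids cannot be enumerated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


# Constructed sample data: each order records which customer owns it.
ORDERS = {
    1001: {"owner_id": 1, "total": 49.90},
    1002: {"owner_id": 2, "total": 120.00},
}


def get_order_vulnerable(user: User, order_id: int) -> dict:
    """Vulnerable: the request is authenticated (we know `user`) but the object
    is never authorized, so customer 1 can fetch order 1002 by editing the URL."""
    return ORDERS[order_id]


def get_order(user: User, order_id: int) -> dict:
    """Hardened: deny by default; allow only the owner or an admin, and answer
    "missing" and "not yours" identically so ids cannot be probed."""
    order = ORDERS.get(order_id)
    if order is None or (user.role != "admin" and order["owner_id"] != user.id):
        raise Forbidden("not found or not permitted")
    return order


def can_read(user: User, order_id: int, handler) -> bool:
    """True if `handler` hands the order to `user`, False if it refuses."""
    try:
        handler(user, order_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    customer1 = User(1, "customer")
    print("vulnerable handler, other customer's order:", can_read(customer1, 1002, get_order_vulnerable))
    print("hardened handler, other customer's order:  ", can_read(customer1, 1002, get_order))
```

The check lives next to the data access on purpose: an authorization rule enforced in one place per object type is far easier to test than one repeated in every route, and a pentester's first IDOR probe is exactly the call `can_read` makes with someone else's id.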


A02:

A02:2021 - Cryptographic Failures shifts up one position to #2, previously known as Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography which often lead to sensitive data exposure or system compromise.

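An added example (not from the OWASP page) of the cryptographic failure behind most password-database leaks: passwords stored as an unsalted fast hash, beside a salted, deliberately slow key derivation with a constant-time comparison. Everything is Python standard library; the 600,000 PBKDF2-HMAC-SHA256 iterations follow the OWASP Password Storage Cheat Sheet, and the `$`-separated storage format is my own choice for the demo.

```python
import hashlib
import hmac
import secrets


def hash_password_weak(password: str) -> str:
    """Cryptographic failure: unsalted MD5. Equal passwords give equal hashes
    (one crack unlocks every reuse) and the function is fast enough to try
    billions of guesses per second on a GPU."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow KDF. The record carries algorithm, cost and salt so the
    cost can be raised later without invalidating existing rows."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time so
    the comparison itself does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record: wrong field count or bad hex
        return False
```

When reviewing an application, the storage format is the quickest tell: a 32-hex-character column with identical values for identical passwords is the weak case above, regardless of what the code comments claim.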


A03:

A03:2021 - Injection slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.

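An added example (not from the OWASP text) of the two injection classes this category now spans: a SQL lookup built by string interpolation beside the parameterized query, and an HTML fragment built from user input beside its escaped form. It uses an in-memory SQLite database; the `users` table and its rows are constructed for the demo.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_emails_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """SQL injection: the input becomes part of the statement, so a name of
    "' OR '1'='1" turns a one-user lookup into a dump of the whole table."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_emails(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels separately from the SQL text,
    so the same input can only match a user literally named that."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def greeting_vulnerable(name: str) -> str:
    """Reflected XSS: user input is interpolated into HTML as markup."""
    return f"<p>Hello, {name}</p>"


def greeting(name: str) -> str:
    """Output encoding for the HTML text context: markup becomes text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"
```

The escaping shown is correct for HTML element content only; input placed into an attribute, a URL, a script block or a CSS value needs the encoder for that context, which is why XSS is grouped with the other injections rather than treated as a separate output problem.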


A04:

A04:2021 - Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.



A05:

A05:2021 - Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.

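The XXE case folded into this category, as an added example that is not from the OWASP text, shown as what it really is: a parser configuration choice. The same document is parsed with external general entities switched on (the weak setting), with the default of leaving them off, and with a lexical handler that rejects any DOCTYPE outright. The secret file, its path and the payload are constructed inside a temporary directory so the demo runs offline; the `parse_text` and `run_demo` names are mine.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class Collector(ContentHandler):
    """Gathers character data so we can see what the parser substituted."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self) -> str:
        return "".join(self.chunks).strip()


class RejectDTD:
    """Lexical handler that refuses any DOCTYPE. No DTD means no entity
    declarations, which removes the XXE surface entirely."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in this input")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_text(xml_bytes: bytes, resolve_external: bool, forbid_dtd: bool) -> str:
    """Parse with the given configuration and return the document's text."""
    parser = xml.sax.make_parser()
    handler = Collector()
    parser.setContentHandler(handler)
    # The weak setting: let SYSTEM entities be fetched from disk or the network.
    parser.setFeature(feature_external_ges, resolve_external)
    if forbid_dtd:
        parser.setProperty(property_lexical_handler, RejectDTD())
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def run_demo() -> dict:
    """Write a constructed secret, point an XXE payload at it, parse three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2\n")  # constructed sample secret
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
            "<data>&xxe;</data>\n"
        ).encode()
        results = {
            "external_entities_on": parse_text(payload, True, False),   # file contents leak
            "default_settings": parse_text(payload, False, False),      # entity expands to nothing
        }
        try:
            parse_text(payload, False, True)
            results["dtd_rejected"] = False
        except ValueError:
            results["dtd_rejected"] = True
        # Ordinary input still parses under the hardened settings.
        results["benign"] = parse_text(b"<data>hello</data>", False, True)
    return results
```

Leaving the feature off is necessary but not sufficient: a DTD can still drive entity-expansion denial of service and, on parsers that process the external DTD subset, out-of-band exfiltration, which is why refusing the DOCTYPE altogether is the usual hardening when the application never needs one. Other XML libraries (lxml, Java's DocumentBuilderFactory) have their own switches for the same behaviour and some ship with the unsafe default.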


A06:

A06:2021 - Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.



A07:

A07:2021 - Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.


Shell command to generate a 16-character complex password (prefix it with LC_ALL=C if your locale makes tr reject the raw bytes from /dev/urandom):
</dev/urandom tr -dc 'A-Za-z0-9!@#$%^&*()' | head -c16; echo


A08:

A08:2021 - Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.

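An added example (not part of the OWASP text) of the two failure modes this category groups: an update applied without checking it against the digest pinned at release time, and untrusted data handed to a deserializer that can instantiate arbitrary objects. The pinned digest stands in for what a lockfile or signed manifest carries; a real pipeline also verifies the publisher's signature over that manifest, which the Python standard library cannot do on its own, so that step is only described. The `Evil` class, the blobs and the settings format are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import pickle


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def apply_update_vulnerable(blob: bytes) -> bytes:
    """Trusts whatever the download returned: a payload swapped on a mirror,
    CDN or build cache is installed as if it were the release."""
    return blob


def apply_update(blob: bytes, pinned_sha256: str) -> bytes:
    """Installs only if the digest matches the value pinned at release time.
    A real pipeline also checks the publisher's signature over the manifest
    that holds the pin; stdlib Python has no Ed25519, so that is not shown."""
    if not hmac.compare_digest(sha256_hex(blob), pinned_sha256):
        raise ValueError("update rejected: digest mismatch")
    return blob


class Evil:
    """pickle calls the callable named by __reduce__ while loading. os.getcwd
    is a harmless stand-in; any importable callable with any arguments works."""
    def __reduce__(self):
        return (os.getcwd, ())


def malicious_blob() -> bytes:
    return pickle.dumps(Evil())


def load_settings_vulnerable(blob: bytes):
    """The attacker's callable has already run by the time this returns."""
    return pickle.loads(blob)


def load_settings(blob: bytes) -> dict:
    """Data-only format plus shape validation: nothing in the input can name code."""
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict) or set(data) != {"version", "debug"}:
        raise ValueError("settings rejected: unexpected structure")
    if not isinstance(data["version"], int) or not isinstance(data["debug"], bool):
        raise ValueError("settings rejected: wrong field types")
    return data


def rejected(fn, *args) -> bool:
    """True if fn(*args) refuses its input (a ValueError or a subclass)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

The same pattern applies to CI/CD: a pipeline step that fetches a script with curl and pipes it to a shell is `apply_update_vulnerable` with extra steps, and a Java or .NET service that deserializes a cookie or a message-queue payload with its native serializer is `load_settings_vulnerable`.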


A09:

A09:2021 - Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.

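As an added example (not from the OWASP text) of what the logging half of this category asks for: an application emitting one structured record per authentication decision, with the actor, source, outcome and time but never the credential, and two detections run over those records. The log lines are constructed for the demo, and the thresholds (5 failures within a minute, 3 distinct accounts within five minutes) are assumptions to tune per environment.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per auth decision.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "event": "login", "user": "alice", "src_ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:00:02Z", "event": "login", "user": "alice", "src_ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:00:04Z", "event": "login", "user": "alice", "src_ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:00:05Z", "event": "login", "user": "alice", "src_ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:00:07Z", "event": "login", "user": "alice", "src_ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:00:09Z", "event": "login", "user": "alice", "src_ip": "203.0.113.5", "outcome": "success"}
{"ts": "2024-05-01T10:05:00Z", "event": "login", "user": "bob", "src_ip": "198.51.100.7", "outcome": "failure"}
{"ts": "2024-05-01T10:05:01Z", "event": "login", "user": "carol", "src_ip": "198.51.100.7", "outcome": "failure"}
{"ts": "2024-05-01T10:05:02Z", "event": "login", "user": "dave", "src_ip": "198.51.100.7", "outcome": "failure"}
{"ts": "2024-05-01T11:00:00Z", "event": "login", "user": "erin", "src_ip": "192.0.2.9", "outcome": "failure"}
{"ts": "2024-05-01T11:00:30Z", "event": "login", "user": "erin", "src_ip": "192.0.2.9", "outcome": "success"}
"""


def parse_log(text: str) -> list:
    """One dict per line, with the timestamp parsed (UTC, "Z" suffix)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def _failures_by_ip(events: list) -> dict:
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    for fails in by_ip.values():
        fails.sort(key=lambda e: e["ts"])
    return by_ip


def detect_bruteforce(events: list, threshold: int = 5, window=timedelta(minutes=1)) -> list:
    """Alert once per source that has >= threshold failures inside `window`
    (sliding window over the time-sorted failures)."""
    alerts = []
    for ip, fails in _failures_by_ip(events).items():
        start = 0
        for end, e in enumerate(fails):
            while e["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "bruteforce", "src_ip": ip, "count": end - start + 1,
                               "first": fails[start]["ts"], "last": e["ts"]})
                break
    return alerts


def detect_credential_stuffing(events: list, min_users: int = 3, window=timedelta(minutes=5)) -> list:
    """Alert once per source that fails against >= min_users *different*
    accounts inside `window`; a password spray looks the same from here."""
    alerts = []
    for ip, fails in _failures_by_ip(events).items():
        in_window = Counter()
        start = 0
        for e in fails:
            in_window[e["user"]] += 1
            while e["ts"] - fails[start]["ts"] > window:
                old = fails[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_users:
                alerts.append({"rule": "credential_stuffing", "src_ip": ip,
                               "users": sorted(in_window), "last": e["ts"]})
                break
    return alerts


def run_detections(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {
        "bruteforce": [a["src_ip"] for a in detect_bruteforce(events)],
        "credential_stuffing": [a["src_ip"] for a in detect_credential_stuffing(events)],
    }
```

Note what makes the detections possible: the source address and the username are on every record, failures are logged as well as successes, and the success at 10:00:09 right after a burst of failures is visible for the analyst. A log that only records successful logins, or that records "authentication error" with no actor or source, fails this category even though the application is technically "logging".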


A10:

A10:2021 - Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.

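An added example (not from the OWASP text) of the check a server should make before fetching a user-supplied URL: restrict the scheme, refuse embedded credentials, resolve the host, and reject any answer that is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata endpoint) or otherwise not publicly routable. The DNS answers are a constructed table so the demo runs offline; production code would call socket.getaddrinfo in its place and then connect to the address it validated, instead of letting the HTTP client resolve the name a second time. The `validate_outbound_url` and `verdict` names are mine.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers for the demo. The "evil.test" entry imitates a
# rebinding or round-robin host that mixes a public address with an internal one.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "evil.test": ["8.8.8.8", "169.254.169.254"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host.lower(), [])


def validate_outbound_url(url: str, resolver=fake_resolve) -> str:
    """Return the address a server-side fetch of `url` may connect to,
    or raise ValueError explaining why the fetch must not happen."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme or '(none)'}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal, including [::1]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"host does not resolve: {host}")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, private, link-local, shared address
        # space and the other reserved ranges; every answer must pass, not just one.
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addrs[0]


def verdict(url: str) -> str:
    """Human-readable result for a single URL."""
    try:
        return "allow " + validate_outbound_url(url)
    except ValueError as exc:
        return "deny: " + str(exc)
```

Two caveats a practitioner would add: redirects must be validated with the same function at every hop (or disabled), since the first URL can be clean and the 302 target internal; and where the feature only ever needs a handful of destinations, an allow-list of hosts is stronger than the deny-list logic above.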