owasp-top-10
OWASP Top 10:2025
When NOT to Use This Skill
- OWASP Top 10:2021 - Use `owasp` skill for 2021 version
- Detailed secrets management - Use `secrets-management` skill
- Detailed supply chain security - Use `supply-chain` skill for in-depth dependency management
- License compliance - Use `license-compliance` skill

Deep Knowledge: Use `mcp__documentation__fetch_docs` with technology: `owasp` for comprehensive documentation.
Quick Reference
| Rank | Category | Prevention |
|---|---|---|
| A01 | Broken Access Control | Authorization checks, deny by default |
| A02 | Security Misconfiguration | Hardening, security headers, no defaults |
| A03 | Supply Chain Failures | Dependency audits, lockfiles, SBOMs |
| A04 | Cryptographic Failures | Strong algorithms, proper key management |
| A05 | Injection | Parameterized queries, input validation |
| A06 | Insecure Design | Threat modeling, secure patterns |
| A07 | Authentication Failures | MFA, rate limiting, secure sessions |
| A08 | Integrity Failures | Signed updates, safe deserialization |
| A09 | Logging Failures | Audit logs, alerting, monitoring |
| A10 | Exception Handling | Graceful errors, no info leakage |
A01: Broken Access Control
```typescript
// Always verify ownership
if (resource.userId !== currentUser.id) {
  throw new ForbiddenException();
}

// Deny by default
const allowed = permissions.includes(requiredPermission);
if (!allowed) throw new ForbiddenException();

// Rate limit sensitive endpoints
app.use('/api/admin/*', adminRateLimiter);
```
A02: Security Misconfiguration
```typescript
// Security headers
import helmet from 'helmet';
import cors from 'cors';
app.use(helmet());

// Strict CORS
app.use(cors({
  origin: ['https://myapp.com'],
  credentials: true
}));

// Hide errors in production
if (process.env.NODE_ENV === 'production') {
  app.use((err, req, res, next) => {
    res.status(500).json({ error: 'Internal error' });
  });
}
```

A03: Supply Chain Failures (NEW in 2025)
```bash
# Audit dependencies
npm audit
pip-audit
mvn dependency-check:check

# Use lockfiles
npm ci  # Instead of npm install

# Verify package integrity
npm install --ignore-scripts
npm config set ignore-scripts true
```
A04: Cryptographic Failures
```typescript
// Strong password hashing
// argon2id must be imported too: it is the value passed as `type` below
import { hash, verify, argon2id } from 'argon2';
const hashed = await hash(password, { type: argon2id });

// Secure random
import { randomBytes, randomUUID } from 'crypto';
const token = randomBytes(32).toString('hex');

// AES-256-GCM for encryption (not CBC)
```
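The A04 snippet names AES-256-GCM without showing it. The following is an added example, not part of the original skill: it seals and opens a message with Node's built-in `crypto` module and shows that a modified ciphertext or a mismatched context string is rejected, which is the property CBC alone lacks. The function names, the `iv | tag | ciphertext` layout and the sample values are assumptions made for illustration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

// Envelope layout assumed by this example: iv (12 bytes) | tag (16 bytes) | ciphertext
const IV_LEN = 12;
const TAG_LEN = 16;

function sealMessage(key: Buffer, plaintext: string, aad: string): Buffer {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = randomBytes(IV_LEN); // fresh nonce per message, never reused under one key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8')); // authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext, or null when authentication fails.
function openMessage(key: Buffer, envelope: Buffer, aad: string): string | null {
  if (envelope.length < IV_LEN + TAG_LEN) return null;
  const iv = envelope.subarray(0, IV_LEN);
  const tag = envelope.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = envelope.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // tag mismatch: altered ciphertext, wrong key, or wrong AAD
  }
}

// Constructed sample data, for demonstration only.
function gcmDemo() {
  const key = randomBytes(32);
  const envelope = sealMessage(key, 'card=4111-test', 'user:42');
  const flipped = Buffer.from(envelope);
  flipped[flipped.length - 1] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: openMessage(key, envelope, 'user:42'),
    tampered: openMessage(key, flipped, 'user:42'),
    wrongContext: openMessage(key, envelope, 'user:43'),
  };
}
```
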
A05: Injection
```typescript
// SQL - use parameterized queries
const user = await prisma.user.findUnique({ where: { id } });
await db.query('SELECT * FROM users WHERE id = $1', [id]);

// Command - use execFile, not exec
import { execFile } from 'child_process';
execFile('ls', ['-la', safeArg]);

// XSS - sanitize HTML
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);
```
A06: Insecure Design
Key practices:
- Threat modeling during design phase
- Secure design patterns (fail-safe, defense in depth)
- Security requirements in user stories
- Abuse case testing
A07: Authentication Failures
```typescript
// Rate limiting
import rateLimit from 'express-rate-limit';
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5
});

// Secure cookies
res.cookie('session', token, {
  httpOnly: true,
  secure: true,
  sameSite: 'strict'
});

// Strong passwords (12+ chars, mixed)
```
A08: Integrity Failures
```html
<!-- Verify signatures on updates -->
<!-- Use subresource integrity (SRI) -->
<script src="lib.js"
        integrity="sha384-..."
        crossorigin="anonymous">
</script>
```

```typescript
// Safe deserialization
// Avoid: using JSON.parse(untrusted) output without validating it
// Use: zod/yup validation
```
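The `integrity="sha384-..."` value above is left elided. As an added example (not part of the original skill), this shows how such a value is produced and how a build or deploy step can check a file against an `integrity` attribute, including the case where several hashes are listed and only the strongest algorithm counts. The function names and sample file contents are assumptions made for illustration.

```typescript
import { createHash } from 'node:crypto';

type SriAlgo = 'sha256' | 'sha384' | 'sha512';
const STRENGTH: Record<SriAlgo, number> = { sha256: 1, sha384: 2, sha512: 3 };

// Build the value for an integrity="..." attribute.
function sriValue(content: Buffer, algo: SriAlgo = 'sha384'): string {
  return `${algo}-${createHash(algo).update(content).digest('base64')}`;
}

// Check content against an integrity attribute. As in browsers, only entries
// using the strongest listed algorithm are compared. Unlike browsers, which
// load the resource when no usable entry is present, this check fails closed.
function matchesIntegrity(content: Buffer, integrity: string): boolean {
  const entries: { algo: SriAlgo; digest: string }[] = [];
  for (const token of integrity.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (m) entries.push({ algo: m[1] as SriAlgo, digest: m[2] });
  }
  if (entries.length === 0) return false; // e.g. only "md5-..." was supplied
  const strongest = entries.reduce((a, b) =>
    STRENGTH[b.algo] > STRENGTH[a.algo] ? b : a).algo;
  const actual = createHash(strongest).update(content).digest('base64');
  return entries.some((e) => e.algo === strongest && e.digest === actual);
}

// Constructed sample files, for demonstration only.
function sriDemo() {
  const lib = Buffer.from('console.log("lib v1");\n');
  const modified = Buffer.from('console.log("lib v1"); fetch("/x");\n');
  const pinned = sriValue(lib);
  return {
    pinned,
    original: matchesIntegrity(lib, pinned),
    changed: matchesIntegrity(modified, pinned),
    unsupportedOnly: matchesIntegrity(lib, 'md5-AAAA'),
    // sha256 matches lib, but the stronger sha512 entry belongs to another file
    strongestWins: matchesIntegrity(lib, `${sriValue(lib, 'sha256')} ${sriValue(modified, 'sha512')}`),
  };
}
```
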
A09: Logging & Alerting Failures
```typescript
// Log security events
logger.warn({
  event: 'auth_failure',
  userId: attemptedId,
  ip: req.ip,
  timestamp: new Date().toISOString()
});

// Events to log:
// - Login success/failure
// - Password changes
// - Permission denied
// - Rate limit exceeded
```

A10: Exception Handling (NEW in 2025)
```typescript
// Graceful error handling
try {
  await riskyOperation();
} catch (error) {
  logger.error({ error, context });
  // Generic response to user
  throw new InternalServerException('Operation failed');
}

// Never expose stack traces
// Never expose internal paths
// Never expose SQL/DB errors
```

Security Scanning Commands
```bash
# Dependencies
npm audit --json
snyk test

# Secrets
gitleaks detect
trufflehog git file://.

# SAST
semgrep --config=p/security-audit .

# Docker
trivy image myimage:latest
```

Checklist
| Risk | Prevention |
|---|---|
| SQL Injection | Parameterized queries, ORMs |
| XSS | Escape output, CSP headers |
| CSRF | CSRF tokens, SameSite cookies |
| Auth issues | MFA, rate limiting, secure sessions |
| Secrets | Environment variables, vaults |
| Supply chain | Audit, lockfiles, SBOMs |
Anti-Patterns
| Anti-Pattern | Why It's Bad | Correct Approach |
|---|---|---|
| Checking permissions in frontend only | Client-side bypass (A01) | Always verify on backend |
| Using weak crypto (MD5, DES) | Easily broken (A04) | Use AES-256-GCM, argon2, SHA-256+ |
| Using in CI/CD | Non-deterministic builds (A03) | Use with lockfile |
| Catching all exceptions silently | Hides security issues (A10) | Log errors, fail gracefully |
| Trusting user input in queries | Injection attacks (A05) | Always use parameterized queries |
| No session timeout | Session hijacking (A07) | Implement idle + absolute timeout |
Quick Troubleshooting
| Issue | Likely Cause | Solution |
|---|---|---|
| npm audit shows vulnerabilities | Outdated dependencies (A03) | Run |
| Login always fails after 5 attempts | Rate limiter too strict (A07) | Review rate limit settings |
| Secrets leaked in git history | Committed .env file (A02) | Use BFG to clean history, rotate secrets |
| Database queries slow/failing | SQL injection attack (A05) | Review logs, switch to parameterized queries |
| Users accessing others' data | Missing authorization (A01) | Add ownership checks in all endpoints |
| Stack traces in production | Exception handling disabled (A10) | Enable production error handling |
Related Skills
- Supply Chain Security
- Secrets Management
- JWT Security