Back to Details

owasp-checker

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

OWASP Top 10 Checker Skill

OWASP Top 10 检查器Skill

Purpose

用途

This skill provides systematic verification of application compliance with the OWASP Top 10 2021 security standards, ensuring comprehensive security coverage across all critical categories.
本Skill可系统验证应用是否符合OWASP Top 10 2021安全标准,确保覆盖所有关键类别的全面安全检查。

When to Use

使用场景

  • Final security validation before deployment
  • Security certification and compliance
  • Security audit preparation
  • Post-remediation verification
  • Quarterly security reviews
  • Pre-release security checklist
  • 部署前的最终安全验证
  • 安全认证与合规性检查
  • 安全审计准备
  • 修复后的验证
  • 季度安全审查
  • 发布前的安全检查清单

OWASP Top 10 2021 Compliance Workflow

OWASP Top 10 2021合规工作流

A01:2021 - Broken Access Control

A01:2021 - 访问控制失效

Risk: Users can act outside of their intended permissions
Compliance Checks:
1. Authorization Enforcement:
bash
undefined
风险:用户可执行超出其权限范围的操作
合规检查:
1. 授权实施:
bash
undefined

Check for authorization decorators/middleware

Check for authorization decorators/middleware

grep -r "@requires_auth|@login_required|@permission_required" src/ grep -r "auth_required|check_permission" src/
grep -r "@requires_auth|@login_required|@permission_required" src/ grep -r "auth_required|check_permission" src/

Find routes without authorization

Find routes without authorization

grep -r "@app.route|@router.get|@router.post" src/ --include="*.py" -A 5

**Checklist:**
- [ ] Authorization enforced on every endpoint
- [ ] Default deny access control
- [ ] Server-side authorization (not client-side only)
- [ ] Authorization checked on every request
- [ ] Role-based access control (RBAC) implemented
- [ ] Ownership verified for object access

**2. Insecure Direct Object References (IDOR):**
```bash
grep -r "@app.route|@router.get|@router.post" src/ --include="*.py" -A 5

**检查清单:**
- [ ] 每个端点都强制实施授权
- [ ] 默认拒绝访问控制策略
- [ ] 服务端授权(不只是客户端)
- [ ] 每个请求都检查授权
- [ ] 实现了基于角色的访问控制(RBAC)
- [ ] 对象访问时验证所有权

**2. 不安全的直接对象引用(IDOR):**
```bash

Look for direct ID usage from requests

Look for direct ID usage from requests

grep -r "request.['id']|request..id|params['id']" src/

**Checklist:**
- [ ] No direct object references without validation
- [ ] Ownership verified before access
- [ ] Indirect references used (e.g., session-based)
- [ ] UUID instead of sequential IDs where applicable

**3. CORS Configuration:**
```bash
grep -r "request.['id']|request..id|params['id']" src/

**检查清单:**
- [ ] 无直接对象引用或引用前已验证
- [ ] 访问前验证所有权
- [ ] 使用间接引用(如基于会话的引用)
- [ ] 适用场景下使用UUID而非连续ID

**3. CORS配置:**
```bash

Check CORS settings

Check CORS settings

grep -r "Access-Control-Allow-Origin" src/ config/ grep -r "CORS.origin" src/ --include=".py" --include="*.js"

**Checklist:**
- [ ] No wildcard (*) CORS unless absolutely necessary
- [ ] Specific origin whitelist configured
- [ ] Credentials mode properly configured
- [ ] Preflight requests handled correctly

**4. Disable Directory Listing:**
```bash
grep -r "Access-Control-Allow-Origin" src/ config/ grep -r "CORS.origin" src/ --include=".py" --include="*.js"

**检查清单:**
- [ ] 除非绝对必要,否则不使用通配符(*)配置CORS
- [ ] 配置了特定源白名单
- [ ] 凭证模式配置正确
- [ ] 正确处理预检请求

**4. 禁用目录列表:**
```bash

Check web server config

Check web server config

grep -r "autoindex|directory.*listing" config/

**Checklist:**
- [ ] Directory listing disabled
- [ ] .git directory not accessible
- [ ] Backup files not accessible

**Status**: ☐ Pass ☐ Fail

---
grep -r "autoindex|directory.*listing" config/

**检查清单:**
- [ ] 禁用目录列表
- [ ] .git目录不可访问
- [ ] 备份文件不可访问

**状态**:☑️ 通过 ☐ 未通过

---

A02:2021 - Cryptographic Failures

A02:2021 - 加密失效

Risk: Sensitive data exposed due to weak or missing encryption
Compliance Checks:
1. Data in Transit:
bash
undefined
风险:由于加密薄弱或缺失导致敏感数据泄露
合规检查:
1. 传输中数据:
bash
undefined

Check TLS enforcement

Check TLS enforcement

grep -r "SECURE_SSL_REDIRECT|HTTPS_ONLY|ssl.*required" config/ src/ grep -r "tls.*version|ssl.*version" config/
grep -r "SECURE_SSL_REDIRECT|HTTPS_ONLY|ssl.*required" config/ src/ grep -r "tls.*version|ssl.*version" config/

Check for HTTP usage

Check for HTTP usage

grep -r "http://|ws://" src/ | grep -v "localhost|127.0.0.1"

**Checklist:**
- [ ] TLS 1.2+ enforced
- [ ] TLS 1.0/1.1 disabled
- [ ] HTTPS redirect configured
- [ ] HSTS header set (max-age >= 31536000)
- [ ] Secure WebSocket (wss://) for real-time
- [ ] Certificate validation enabled

**2. Data at Rest:**
```bash
grep -r "http://|ws://" src/ | grep -v "localhost|127.0.0.1"

**检查清单:**
- [ ] 强制使用TLS 1.2+版本
- [ ] 禁用TLS 1.0/1.1版本
- [ ] 配置HTTPS重定向
- [ ] 设置HSTS头(max-age >= 31536000)
- [ ] 实时通信使用安全WebSocket(wss://)
- [ ] 启用证书验证

**2. 静态数据:**
```bash

Check for encryption of sensitive data

Check for encryption of sensitive data

grep -r "encrypt|cipher|AES" src/ grep -r "password.*plain|password.*clear" src/

**Checklist:**
- [ ] Passwords hashed (bcrypt/argon2/scrypt)
- [ ] PII encrypted at rest
- [ ] Database encryption enabled for sensitive columns
- [ ] Backups encrypted
- [ ] Key management system used

**3. Weak Cryptography:**
```bash
grep -r "encrypt|cipher|AES" src/ grep -r "password.*plain|password.*clear" src/

**检查清单:**
- [ ] 密码已哈希(使用bcrypt/argon2/scrypt)
- [ ] 个人身份信息(PII)静态存储时已加密
- [ ] 敏感字段启用数据库加密
- [ ] 备份数据已加密
- [ ] 使用密钥管理系统

**3. 弱加密算法:**
```bash

Find weak algorithms

Find weak algorithms

grep -r "md5|sha1|DES|RC4" src/ --include=".py" --include=".js" grep -r "ECB.*mode" src/

**Checklist:**
- [ ] No MD5/SHA1 for security (only for checksums)
- [ ] AES-256-GCM or ChaCha20-Poly1305 for encryption
- [ ] Argon2id or bcrypt for passwords
- [ ] SHA-256/SHA-3 for hashing
- [ ] Proper IV/nonce generation
- [ ] No ECB mode

**4. Random Number Generation:**
```bash
grep -r "md5|sha1|DES|RC4" src/ --include=".py" --include=".js" grep -r "ECB.*mode" src/

**检查清单:**
- [ ] 安全场景下不使用MD5/SHA1(仅用于校验和)
- [ ] 加密使用AES-256-GCM或ChaCha20-Poly1305
- [ ] 密码哈希使用Argon2id或bcrypt
- [ ] 哈希使用SHA-256/SHA-3
- [ ] 正确生成IV/nonce
- [ ] 不使用ECB模式

**4. 随机数生成:**
```bash

Check RNG usage

Check RNG usage

grep -r "random.random|Math.random" src/ grep -r "secrets|os.urandom|crypto.randomBytes" src/

**Checklist:**
- [ ] Cryptographically secure RNG (secrets, os.urandom)
- [ ] No Math.random() or random.random() for security
- [ ] Sufficient entropy for keys/tokens

**Status**: ☐ Pass ☐ Fail

---
grep -r "random.random|Math.random" src/ grep -r "secrets|os.urandom|crypto.randomBytes" src/

**检查清单:**
- [ ] 使用加密安全的随机数生成器(secrets、os.urandom)
- [ ] 安全场景下不使用Math.random()或random.random()
- [ ] 密钥/令牌使用足够熵值

**状态**:☑️ 通过 ☐ 未通过

---

A03:2021 - Injection

A03:2021 - 注入攻击

Risk: Untrusted data sent to interpreter as command/query
Compliance Checks:
1. SQL Injection Prevention:
bash
undefined
风险:不可信数据作为命令/查询发送给解释器
合规检查:
1. SQL注入防护:
bash
undefined

Find string concatenation in SQL

Find string concatenation in SQL

grep -r "execute.%|execute.+|execute.format|execute.f"" src/ --include=".py" grep -r "SELECT.+|INSERT.+|UPDATE.+|DELETE.*+" src/

**Checklist:**
- [ ] Parameterized queries/prepared statements
- [ ] ORM used correctly (no raw SQL with user input)
- [ ] No string concatenation in SQL
- [ ] Input validation on all parameters
- [ ] Least privilege database accounts

**2. Command Injection Prevention:**
```bash
grep -r "execute.%|execute.+|execute.format|execute.f"" src/ --include=".py" grep -r "SELECT.+|INSERT.+|UPDATE.+|DELETE.*+" src/

**检查清单:**
- [ ] 使用参数化查询/预编译语句
- [ ] 正确使用ORM(不将用户输入直接拼接进原生SQL)
- [ ] SQL语句中无字符串拼接
- [ ] 所有参数都经过输入验证
- [ ] 数据库账号使用最小权限

**2. 命令注入防护:**
```bash

Find shell command execution

Find shell command execution

grep -r "subprocess.shell=True|os.system|os.popen" src/ --include=".py" grep -r "exec|eval|child_process" src/ --include="*.js"

**Checklist:**
- [ ] No shell=True with user input
- [ ] Command arguments as list, not string
- [ ] Input validation/sanitization
- [ ] Whitelist allowed commands
- [ ] No eval() or exec() with user input

**3. LDAP Injection:**
```bash
grep -r "ldap.*search\|ldap.*filter" src/
Checklist:
  • LDAP queries parameterized
  • Special characters escaped
  • Input validation
4. NoSQL Injection:
bash
grep -r "find.*\$where\|\.exec(" src/ --include="*.js"
Checklist:
  • MongoDB operators sanitized
  • $where clauses avoided or validated
  • Input type validation
5. Template Injection:
bash
grep -r "render_template_string\|Jinja2.*from_string" src/
grep -r "autoescape.*False" src/
Checklist:
  • No user input in template compilation
  • Auto-escaping enabled
  • Safe template rendering
Status: ☐ Pass ☐ Fail
grep -r "subprocess.shell=True|os.system|os.popen" src/ --include=".py" grep -r "exec|eval|child_process" src/ --include="*.js"

**检查清单:**
- [ ] 带用户输入的场景不使用shell=True
- [ ] 命令参数使用列表而非字符串
- [ ] 输入验证/清理
- [ ] 白名单允许的命令
- [ ] 不使用eval()或exec()处理用户输入

**3. LDAP注入防护:**
```bash
grep -r "ldap.*search\|ldap.*filter" src/
检查清单:
  • LDAP查询使用参数化
  • 特殊字符已转义
  • 输入验证
4. NoSQL注入防护:
bash
grep -r "find.*\$where\|\.exec(" src/ --include="*.js"
检查清单:
  • MongoDB操作符已清理
  • 避免或验证$where子句
  • 输入类型验证
5. 模板注入防护:
bash
grep -r "render_template_string\|Jinja2.*from_string" src/
grep -r "autoescape.*False" src/
检查清单:
  • 用户输入不参与模板编译
  • 启用自动转义
  • 安全的模板渲染
状态:☑️ 通过 ☐ 未通过

A04:2021 - Insecure Design

A04:2021 - 不安全设计

Risk: Missing or ineffective security controls in design
Compliance Checks:
1. Threat Modeling:
Checklist:
  • Threat model documented
  • Attack surface analyzed
  • Trust boundaries identified
  • Data flow diagrams created
  • Security requirements defined
2. Security Design Patterns:
Checklist:
  • Defense in depth implemented
  • Fail securely (errors don't expose data)
  • Least privilege principle
  • Separation of duties
  • Complete mediation (check every access)
3. Rate Limiting:
bash
grep -r "rate.*limit\|throttle" src/ config/
Checklist:
  • Rate limiting on authentication endpoints
  • Rate limiting on API endpoints
  • Account lockout after failed attempts
  • CAPTCHA for public forms
4. Business Logic:
Checklist:
  • Transaction integrity enforced
  • Workflow state validated
  • Resource limits defined
  • Input bounds checked
  • Edge cases handled
Status: ☐ Pass ☐ Fail
风险:设计中缺失或无效的安全控制
合规检查:
1. 威胁建模:
检查清单:
  • 威胁模型已文档化
  • 攻击面已分析
  • 信任边界已识别
  • 已创建数据流图
  • 已定义安全需求
2. 安全设计模式:
检查清单:
  • 实现纵深防御
  • 安全失败(错误不暴露数据)
  • 最小权限原则
  • 职责分离
  • 完全中介(每次访问都检查)
3. 速率限制:
bash
grep -r "rate.*limit\|throttle" src/ config/
检查清单:
  • 认证端点实施速率限制
  • API端点实施速率限制
  • 失败尝试后锁定账号
  • 公共表单使用CAPTCHA
4. 业务逻辑:
检查清单:
  • 强制事务完整性
  • 验证工作流状态
  • 定义资源限制
  • 检查输入边界
  • 处理边缘情况
状态:☑️ 通过 ☐ 未通过

A05:2021 - Security Misconfiguration

A05:2021 - 安全配置错误

Risk: Insecure default configurations, incomplete setups
Compliance Checks:
1. Security Headers:
bash
undefined
风险:不安全的默认配置、不完整的设置
合规检查:
1. 安全头:
bash
undefined

Check for security headers

Check for security headers

grep -r "X-Frame-Options|X-Content-Type-Options|Content-Security-Policy" src/ config/ grep -r "Strict-Transport-Security|X-XSS-Protection" src/ config/

**Checklist:**
- [ ] X-Frame-Options: DENY or SAMEORIGIN
- [ ] X-Content-Type-Options: nosniff
- [ ] Content-Security-Policy configured
- [ ] Strict-Transport-Security: max-age=31536000
- [ ] X-XSS-Protection: 1; mode=block
- [ ] Referrer-Policy: strict-origin-when-cross-origin

**2. Error Handling:**
```bash
grep -r "X-Frame-Options|X-Content-Type-Options|Content-Security-Policy" src/ config/ grep -r "Strict-Transport-Security|X-XSS-Protection" src/ config/

**检查清单:**
- [ ] X-Frame-Options: DENY或SAMEORIGIN
- [ ] X-Content-Type-Options: nosniff
- [ ] 配置Content-Security-Policy
- [ ] Strict-Transport-Security: max-age=31536000
- [ ] X-XSS-Protection: 1; mode=block
- [ ] Referrer-Policy: strict-origin-when-cross-origin

**2. 错误处理:**
```bash

Check debug mode

Check debug mode

grep -r "DEBUG.*True|development.*mode" config/ src/ grep -r "traceback|stack.*trace" src/

**Checklist:**
- [ ] Debug mode disabled in production
- [ ] Generic error messages to users
- [ ] Detailed errors logged, not displayed
- [ ] No stack traces exposed
- [ ] Custom error pages configured

**3. Default Credentials:**
```bash
grep -r "DEBUG.*True|development.*mode" config/ src/ grep -r "traceback|stack.*trace" src/

**检查清单:**
- [ ] 生产环境禁用调试模式
- [ ] 向用户返回通用错误信息
- [ ] 详细错误仅记录不展示
- [ ] 不暴露堆栈跟踪
- [ ] 配置自定义错误页面

**3. 默认凭证:**
```bash

Find hardcoded credentials

Find hardcoded credentials

grep -r "password.*=.admin|password.=.*password" src/ config/

**Checklist:**
- [ ] All default credentials changed
- [ ] No hardcoded passwords
- [ ] Credentials in environment variables
- [ ] Secrets management system used

**4. Unnecessary Features:**
```bash
grep -r "password.*=.admin|password.=.*password" src/ config/

**检查清单:**
- [ ] 所有默认凭证已修改
- [ ] 无硬编码密码
- [ ] 凭证存储在环境变量中
- [ ] 使用密钥管理系统

**4. 不必要的功能:**
```bash

Check for sample/test code

Check for sample/test code

find . -name "sample" -o -name "test" -o -name "demo" | grep -v node_modules

**Checklist:**
- [ ] Sample code removed
- [ ] Unused endpoints disabled
- [ ] Test accounts removed
- [ ] Development tools disabled in production
- [ ] Unnecessary services stopped

**5. Missing Patches:**
```bash
find . -name "sample" -o -name "test" -o -name "demo" | grep -v node_modules

**检查清单:**
- [ ] 移除示例代码
- [ ] 禁用未使用的端点
- [ ] 移除测试账号
- [ ] 生产环境禁用开发工具
- [ ] 停止不必要的服务

**5. 缺失补丁:**
```bash

Check dependency status

Check dependency status

pip list --outdated 2>/dev/null || npm outdated 2>/dev/null

**Checklist:**
- [ ] Dependencies up to date
- [ ] Security patches applied
- [ ] Regular update schedule
- [ ] Vulnerability monitoring enabled

**Status**: ☐ Pass ☐ Fail

---
pip list --outdated 2>/dev/null || npm outdated 2>/dev/null

**检查清单:**
- [ ] 依赖项已更新至最新版本
- [ ] 已应用安全补丁
- [ ] 定期更新计划
- [ ] 启用漏洞监控

**状态**:☑️ 通过 ☐ 未通过

---

A06:2021 - Vulnerable and Outdated Components

A06:2021 - 易受攻击和过时的组件

Risk: Using components with known vulnerabilities
Compliance Checks:
1. Dependency Inventory:
bash
undefined
风险:使用存在已知漏洞的组件
合规检查:
1. 依赖项清单:
bash
undefined

List all dependencies

List all dependencies

pip list --format=json > dependencies.json 2>/dev/null || npm list --json > dependencies.json 2>/dev/null

**Checklist:**
- [ ] Complete dependency inventory (SBOM)
- [ ] Direct and transitive dependencies tracked
- [ ] License compliance verified
- [ ] Dependency sources trusted

**2. Vulnerability Scanning:**
```bash
pip list --format=json > dependencies.json 2>/dev/null || npm list --json > dependencies.json 2>/dev/null

**检查清单:**
- [ ] 完整的依赖项清单(SBOM)
- [ ] 跟踪直接和间接依赖项
- [ ] 验证许可证合规性
- [ ] 依赖项来源可信

**2. 漏洞扫描:**
```bash

Scan for vulnerabilities

Scan for vulnerabilities

pip-audit --format json 2>/dev/null || npm audit --json 2>/dev/null safety check --json 2>/dev/null

**Checklist:**
- [ ] Regular vulnerability scans (weekly minimum)
- [ ] No critical vulnerabilities
- [ ] High vulnerabilities remediated
- [ ] Vulnerability remediation SLA defined

**3. Version Management:**
```bash
pip-audit --format json 2>/dev/null || npm audit --json 2>/dev/null safety check --json 2>/dev/null

**检查清单:**
- [ ] 定期漏洞扫描(至少每周一次)
- [ ] 无严重漏洞
- [ ] 高风险漏洞已修复
- [ ] 定义漏洞修复SLA

**3. 版本管理:**
```bash

Check for version pinning

Check for version pinning

cat requirements.txt setup.py package.json 2>/dev/null

**Checklist:**
- [ ] Versions pinned in lockfiles
- [ ] Compatible version ranges defined
- [ ] Regular updates scheduled
- [ ] Breaking changes reviewed before update

**4. Component Retirement:**

**Checklist:**
- [ ] No unmaintained dependencies
- [ ] EOL software replaced
- [ ] Deprecated features not used
- [ ] Migration plan for aging components

**Status**: ☐ Pass ☐ Fail

---
cat requirements.txt setup.py package.json 2>/dev/null

**检查清单:**
- [ ] 锁定文件中固定版本
- [ ] 定义兼容版本范围
- [ ] 定期更新计划
- [ ] 更新前审查破坏性变更

**4. 组件退役:**

**检查清单:**
- [ ] 无无人维护的依赖项
- [ ] 替换已终止支持(EOL)的软件
- [ ] 不使用已弃用的功能
- [ ] 为老化组件制定迁移计划

**状态**:☑️ 通过 ☐ 未通过

---

A07:2021 - Identification and Authentication Failures

A07:2021 - 身份识别与认证失效

Risk: Weak authentication allows impersonation
Compliance Checks:
1. Password Policy:
bash
undefined
风险:弱认证允许冒充
合规检查:
1. 密码策略:
bash
undefined

Check password requirements

Check password requirements

grep -r "password.*length|password.*complexity" src/ grep -r "MIN_PASSWORD_LENGTH|PASSWORD_VALIDATORS" config/ src/

**Checklist:**
- [ ] Minimum 8 characters (12+ recommended)
- [ ] Complexity requirements enforced
- [ ] Common passwords blocked
- [ ] Password strength meter implemented
- [ ] Password history (no reuse)

**2. Multi-Factor Authentication:**
```bash
grep -r "mfa\|2fa\|totp\|two.*factor" src/
Checklist:
  • MFA available for sensitive operations
  • MFA enforced for admin accounts
  • TOTP/hardware token support
  • Backup codes provided
3. Session Management:
bash
undefined
grep -r "password.*length|password.*complexity" src/ grep -r "MIN_PASSWORD_LENGTH|PASSWORD_VALIDATORS" config/ src/

**检查清单:**
- [ ] 最小长度8位(推荐12位以上)
- [ ] 强制实施复杂度要求
- [ ] 阻止常用密码
- [ ] 实现密码强度指示器
- [ ] 密码历史记录(禁止重复使用)

**2. 多因素认证:**
```bash
grep -r "mfa\|2fa\|totp\|two.*factor" src/
检查清单:
  • 敏感操作支持MFA
  • 管理员账号强制使用MFA
  • 支持TOTP/硬件令牌
  • 提供备份码
3. 会话管理:
bash
undefined

Check session configuration

Check session configuration

grep -r "SESSION.*TIMEOUT|session.*expir" config/ src/ grep -r "SESSION_COOKIE_SECURE|SESSION_COOKIE_HTTPONLY" config/ src/

**Checklist:**
- [ ] Session timeout configured (15-30 min idle)
- [ ] Absolute session timeout (e.g., 8 hours)
- [ ] Session invalidated on logout
- [ ] Secure session cookies (Secure, HttpOnly, SameSite)
- [ ] Session fixation prevented (regenerate on login)
- [ ] Concurrent session limits

**4. Credential Storage:**
```bash
grep -r "SESSION.*TIMEOUT|session.*expir" config/ src/ grep -r "SESSION_COOKIE_SECURE|SESSION_COOKIE_HTTPONLY" config/ src/

**检查清单:**
- [ ] 配置会话超时(闲置15-30分钟)
- [ ] 绝对会话超时(如8小时)
- [ ] 登出时使会话失效
- [ ] 安全会话Cookie(Secure、HttpOnly、SameSite)
- [ ] 防止会话固定(登录时重新生成会话)
- [ ] 并发会话限制

**4. 凭证存储:**
```bash

Check password hashing

Check password hashing

grep -r "bcrypt|argon2|scrypt|pbkdf2" src/ grep -r "hashlib.md5.*password|hashlib.sha1.*password" src/

**Checklist:**
- [ ] Passwords hashed with bcrypt/argon2/scrypt
- [ ] Salt unique per password
- [ ] Work factor appropriate (bcrypt: 12+, argon2: per OWASP)
- [ ] No reversible encryption for passwords

**5. Account Enumeration:**
```bash
grep -r "bcrypt|argon2|scrypt|pbkdf2" src/ grep -r "hashlib.md5.*password|hashlib.sha1.*password" src/

**检查清单:**
- [ ] 密码使用bcrypt/argon2/scrypt哈希
- [ ] 每个密码使用唯一盐值
- [ ] 工作因子合适(bcrypt: 12+,argon2: 符合OWASP标准)
- [ ] 密码不使用可逆加密

**5. 账号枚举:**
```bash

Check error messages

Check error messages

grep -r "user.*not.*found|invalid.*username" src/

**Checklist:**
- [ ] Generic authentication errors ("Invalid credentials")
- [ ] Same response time for valid/invalid users
- [ ] Password reset doesn't confirm email existence
- [ ] Registration doesn't confirm email existence

**6. Brute Force Protection:**
```bash
grep -r "login.*attempt\|failed.*attempt\|account.*lock" src/
Checklist:
  • Account lockout after N failed attempts (5-10)
  • Temporary lockout (not permanent)
  • Rate limiting on login endpoint
  • CAPTCHA after failed attempts
  • Login attempt logging
Status: ☐ Pass ☐ Fail
grep -r "user.*not.*found|invalid.*username" src/

**检查清单:**
- [ ] 通用认证错误信息(如“无效凭证”)
- [ ] 有效/无效用户的响应时间一致
- [ ] 密码重置不确认邮箱是否存在
- [ ] 注册不确认邮箱是否存在

**6. 暴力破解防护:**
```bash
grep -r "login.*attempt\|failed.*attempt\|account.*lock" src/
检查清单:
  • N次失败尝试后锁定账号(5-10次)
  • 临时锁定(非永久)
  • 登录端点实施速率限制
  • 失败尝试后使用CAPTCHA
  • 记录登录尝试
状态:☑️ 通过 ☐ 未通过

A08:2021 - Software and Data Integrity Failures

A08:2021 - 软件与数据完整性失效

Risk: Code and infrastructure not protected from integrity violations
Compliance Checks:
1. Insecure Deserialization:
bash
undefined
风险:代码和基础设施未受到完整性保护
合规检查:
1. 不安全的反序列化:
bash
undefined

Check for unsafe deserialization

Check for unsafe deserialization

grep -r "pickle.loads|yaml.load(" src/ --include="*.py" grep -r "eval|unserialize" src/

**Checklist:**
- [ ] No pickle with untrusted data
- [ ] yaml.safe_load() used (not yaml.load())
- [ ] JSON preferred over pickle
- [ ] Deserialization input validated
- [ ] No eval() with untrusted data

**2. CI/CD Pipeline Security:**

**Checklist:**
- [ ] Pipeline configuration in version control
- [ ] Code signing for releases
- [ ] Secret scanning in CI/CD
- [ ] Dependency verification
- [ ] Build reproducibility
- [ ] Artifact signing
- [ ] Deployment approval process

**3. Update Mechanism:**

**Checklist:**
- [ ] Updates delivered over HTTPS
- [ ] Update signatures verified
- [ ] Automatic updates signed
- [ ] Rollback mechanism available
- [ ] Update integrity checked

**4. Supply Chain Security:**

**Checklist:**
- [ ] Dependencies from trusted sources
- [ ] Dependency hash verification
- [ ] Software Bill of Materials (SBOM)
- [ ] Third-party code reviewed
- [ ] Vendor security assessment

**Status**: ☐ Pass ☐ Fail

---
grep -r "pickle.loads|yaml.load(" src/ --include="*.py" grep -r "eval|unserialize" src/

**检查清单:**
- [ ] 不使用pickle处理不可信数据
- [ ] 使用yaml.safe_load()(而非yaml.load())
- [ ] 优先使用JSON而非pickle
- [ ] 验证反序列化输入
- [ ] 不使用eval()处理不可信数据

**2. CI/CD流水线安全:**

**检查清单:**
- [ ] 流水线配置在版本控制中
- [ ] 发布版本进行代码签名
- [ ] CI/CD中进行密钥扫描
- [ ] 依赖项验证
- [ ] 构建可复现
- [ ] 制品签名
- [ ] 部署审批流程

**3. 更新机制:**

**检查清单:**
- [ ] 通过HTTPS交付更新
- [ ] 验证更新签名
- [ ] 自动更新已签名
- [ ] 可用回滚机制
- [ ] 检查更新完整性

**4. 供应链安全:**

**检查清单:**
- [ ] 依赖项来自可信源
- [ ] 验证依赖项哈希
- [ ] 软件物料清单(SBOM)
- [ ] 审查第三方代码
- [ ] 供应商安全评估

**状态**:☑️ 通过 ☐ 未通过

---

A09:2021 - Security Logging and Monitoring Failures

A09:2021 - 安全日志与监控失效

Risk: Breaches not detected, incidents not responded to
Compliance Checks:
1. Security Event Logging:
bash
undefined
风险:未检测到入侵,未响应事件
合规检查:
1. 安全事件日志:
bash
undefined

Check logging implementation

Check logging implementation

grep -r "logging|logger|log." src/ --include=".py" --include=".js" grep -r "audit.*log|security.*log" src/

**Checklist:**
- [ ] Authentication events logged (success/failure)
- [ ] Authorization failures logged
- [ ] Input validation failures logged
- [ ] Sensitive operations logged
- [ ] Administrative actions logged
- [ ] Access to sensitive data logged

**2. Log Content:**

**Checklist:**
- [ ] Timestamp (UTC)
- [ ] User/session identifier
- [ ] Action performed
- [ ] Resource accessed
- [ ] Source IP address
- [ ] Outcome (success/failure)
- [ ] No sensitive data in logs (passwords, tokens, PII)

**3. Log Protection:**
```bash
grep -r "logging|logger|log." src/ --include=".py" --include=".js" grep -r "audit.*log|security.*log" src/

**检查清单:**
- [ ] 记录认证事件(成功/失败)
- [ ] 记录授权失败
- [ ] 记录输入验证失败
- [ ] 记录敏感操作
- [ ] 记录管理操作
- [ ] 记录敏感数据访问

**2. 日志内容:**

**检查清单:**
- [ ] 时间戳(UTC)
- [ ] 用户/会话标识符
- [ ] 执行的操作
- [ ] 访问的资源
- [ ] 源IP地址
- [ ] 结果(成功/失败)
- [ ] 日志中无敏感数据(密码、令牌、PII)

**3. 日志保护:**
```bash

Check log file permissions

Check log file permissions

find . -name "*.log" -ls 2>/dev/null

**Checklist:**
- [ ] Log files write-only for application
- [ ] Logs protected from tampering
- [ ] Logs rotated regularly
- [ ] Log retention policy defined
- [ ] Logs backed up
- [ ] Centralized logging implemented

**4. Monitoring and Alerting:**

**Checklist:**
- [ ] Real-time security monitoring
- [ ] Automated alerting configured
- [ ] Failed login threshold alerts
- [ ] Unusual activity detection
- [ ] Anomaly detection
- [ ] Security dashboard available

**5. Incident Response:**

**Checklist:**
- [ ] Incident response plan documented
- [ ] Response team identified
- [ ] Alert escalation procedures
- [ ] Incident logging and tracking
- [ ] Post-incident review process

**Status**: ☐ Pass ☐ Fail

---
find . -name "*.log" -ls 2>/dev/null

**检查清单:**
- [ ] 日志文件仅允许应用写入
- [ ] 日志防篡改
- [ ] 定期轮转日志
- [ ] 定义日志保留策略
- [ ] 备份日志
- [ ] 实现集中式日志

**4. 监控与告警:**

**检查清单:**
- [ ] 实时安全监控
- [ ] 配置自动告警
- [ ] 失败登录阈值告警
- [ ] 异常活动检测
- [ ] 异常检测
- [ ] 安全仪表板可用

**5. 事件响应:**

**检查清单:**
- [ ] 事件响应计划已文档化
- [ ] 已确定响应团队
- [ ] 告警升级流程
- [ ] 事件记录与跟踪
- [ ] 事后审查流程

**状态**:☑️ 通过 ☐ 未通过

---

A10:2021 - Server-Side Request Forgery (SSRF)

A10:2021 - 服务端请求伪造(SSRF)

Risk: Application fetches remote resources without validating user-supplied URL
Compliance Checks:
1. URL Validation:
bash
undefined
风险:应用在未验证用户提供的URL的情况下获取远程资源
合规检查:
1. URL验证:
bash
undefined

Find URL fetching code

Find URL fetching code

grep -r "requests.get|urllib.request|fetch|axios.get" src/ grep -r "url.*request|user.*url" src/

**Checklist:**
- [ ] User-supplied URLs validated
- [ ] URL whitelist implemented
- [ ] Protocol whitelist (HTTP/HTTPS only)
- [ ] Private IP ranges blocked
- [ ] DNS rebinding protection
- [ ] URL redirection limited

**2. Network Segmentation:**

**Checklist:**
- [ ] Application in DMZ
- [ ] Internal services not accessible from app
- [ ] Firewall rules deny by default
- [ ] Outbound traffic restricted
- [ ] Service mesh/network policies configured

**3. Input Validation:**
```bash
grep -r "requests.get|urllib.request|fetch|axios.get" src/ grep -r "url.*request|user.*url" src/

**检查清单:**
- [ ] 验证用户提供的URL
- [ ] 实现URL白名单
- [ ] 协议白名单(仅HTTP/HTTPS)
- [ ] 阻止私有IP范围
- [ ] DNS重绑定防护
- [ ] 限制URL重定向

**2. 网络分段:**

**检查清单:**
- [ ] 应用位于DMZ
- [ ] 内部服务不可从应用访问
- [ ] 防火墙规则默认拒绝
- [ ] 限制出站流量
- [ ] 配置服务网格/网络策略

**3. 输入验证:**
```bash

Check for URL sanitization

Check for URL sanitization

grep -r "validate.*url|sanitize.*url|parse.*url" src/

**Checklist:**
- [ ] URL parsing and validation
- [ ] Hostname validation
- [ ] Port restrictions
- [ ] Path normalization
- [ ] No file:// protocol
- [ ] No access to metadata services (169.254.169.254)

**Status**: ☐ Pass ☐ Fail

---
grep -r "validate.*url|sanitize.*url|parse.*url" src/

**检查清单:**
- [ ] URL解析与验证
- [ ] 主机名验证
- [ ] 端口限制
- [ ] 路径规范化
- [ ] 不使用file://协议
- [ ] 不访问元数据服务(169.254.169.254)

**状态**:☑️ 通过 ☐ 未通过

---

Overall Compliance Report Format

整体合规报告格式

markdown
undefined
markdown
undefined

OWASP Top 10 2021 Compliance Report

OWASP Top 10 2021合规报告

Date: [YYYY-MM-DD] Application: [name] Assessed By: OWASP Checker
日期:[YYYY-MM-DD] 应用:[名称] 评估方:OWASP Checker

Compliance Summary

合规摘要

CategoryStatusCritical IssuesNotes
A01 - Broken Access Control✅/⚠️/❌[count][summary]
A02 - Cryptographic Failures✅/⚠️/❌[count][summary]
A03 - Injection✅/⚠️/❌[count][summary]
A04 - Insecure Design✅/⚠️/❌[count][summary]
A05 - Security Misconfiguration✅/⚠️/❌[count][summary]
A06 - Vulnerable Components✅/⚠️/❌[count][summary]
A07 - Auth Failures✅/⚠️/❌[count][summary]
A08 - Integrity Failures✅/⚠️/❌[count][summary]
A09 - Logging Failures✅/⚠️/❌[count][summary]
A10 - SSRF✅/⚠️/❌[count][summary]
Legend:
  • ✅ Pass: Fully compliant
  • ⚠️ Partial: Some issues, not critical
  • ❌ Fail: Critical issues found
Overall Compliance: [XX]% ([X]/10 categories passed)
类别状态严重问题备注
A01 - 访问控制失效✅/⚠️/❌[数量][摘要]
A02 - 加密失效✅/⚠️/❌[数量][摘要]
A03 - 注入攻击✅/⚠️/❌[数量][摘要]
A04 - 不安全设计✅/⚠️/❌[数量][摘要]
A05 - 安全配置错误✅/⚠️/❌[数量][摘要]
A06 - 易受攻击组件✅/⚠️/❌[数量][摘要]
A07 - 认证失效✅/⚠️/❌[数量][摘要]
A08 - 完整性失效✅/⚠️/❌[数量][摘要]
A09 - 日志失效✅/⚠️/❌[数量][摘要]
A10 - SSRF✅/⚠️/❌[数量][摘要]
图例:
  • ✅ 通过:完全合规
  • ⚠️ 部分合规:存在一些问题,但不严重
  • ❌ 未通过:发现严重问题
整体合规率:[XX]%([X]/10个类别通过)

Critical Findings

严重发现

[List all critical non-compliance items that must be fixed]
[列出所有必须修复的严重不合规项]

Recommendations

建议

Immediate (Critical)

立即修复(严重)

  1. [Item]
  1. [项]

Short-term (High)

短期修复(高优先级)

  1. [Item]
  1. [项]

Long-term (Medium)

长期修复(中优先级)

  1. [Item]
  1. [项]

Certification

认证

This application [IS / IS NOT] compliant with OWASP Top 10 2021 standards.
Assessor: [name] Date: [YYYY-MM-DD] Next Assessment: [YYYY-MM-DD]

---
本应用[符合/不符合]OWASP Top 10 2021标准。
评估人:[名称] 日期:[YYYY-MM-DD] 下次评估:[YYYY-MM-DD]

---

Best Practices

最佳实践

Assessment Process:
  • Complete all categories
  • Document evidence for each check
  • Retest after remediation
  • Keep assessment current (quarterly)
Compliance Tracking:
  • Track compliance over time
  • Maintain compliance dashboard
  • Regular reassessment (quarterly)
  • Update after major changes
Remediation:
  • Fix critical items immediately
  • Schedule high/medium items
  • Document compensating controls
  • Verify fixes effectiveness
Documentation:
  • Keep detailed compliance records
  • Document exceptions with justification
  • Track remediation progress
  • Maintain audit trail
评估流程:
  • 完成所有类别检查
  • 为每个检查项记录证据
  • 修复后重新测试
  • 保持评估最新(每季度一次)
合规跟踪:
  • 随时间跟踪合规性
  • 维护合规仪表板
  • 定期重新评估(每季度一次)
  • 重大变更后更新
修复:
  • 立即修复严重项
  • 安排高/中优先级项
  • 记录补偿控制措施
  • 验证修复效果
文档:
  • 保留详细的合规记录
  • 记录带理由的例外情况
  • 跟踪修复进度
  • 维护审计跟踪

Integration with Security Workflow

与安全工作流集成

Input: Implemented and tested application Process: Systematic OWASP Top 10 compliance verification Output: Compliance report with certification status Next Step: Security certification or deployment approval
输入:已实现并测试的应用 流程:系统的OWASP Top 10合规验证 输出:包含认证状态的合规报告 下一步:安全认证或部署审批

Remember

注意事项

  • Compliance is not security: OWASP Top 10 is baseline, not complete security
  • Context matters: Adapt checks to your application type
  • Defense in depth: Multiple layers of controls
  • Continuous compliance: Not a one-time check
  • Document everything: Maintain audit trail
  • Stay current: OWASP Top 10 updates periodically
Your goal is to ensure applications meet OWASP Top 10 security standards and maintain compliance over time.
  • 合规不等于安全:OWASP Top 10是基线,不是完整的安全方案
  • 上下文很重要:根据应用类型调整检查项
  • 纵深防御:多层控制措施
  • 持续合规:不是一次性检查
  • 记录所有内容:维护审计跟踪
  • 保持最新:OWASP Top 10会定期更新
你的目标是确保应用符合OWASP Top 10安全标准并长期保持合规。