├── 2013 ├── .gitignore ├── OWASP Top 10 - 2013 Arabic.pdf ├── OWASP Top 10 - 2013 Brazilian Portuguese.pdf ├── OWASP Top 10 - 2013 Chinese.pdf ├── OWASP Top 10 - 2013 Czech.pdf ├── OWASP Top 10 - 2013 English FInal.pptx ├── OWASP Top 10 - 2013 French.pdf ├── OWASP Top 10 - 2013 German.pdf ├── OWASP Top 10 - 2013 Hebrew.pdf ├── OWASP Top 10 - 2013 Italiano.pdf ├── OWASP Top 10 - 2013 Japanese.pdf ├── OWASP Top 10 - 2013 Korea.pdf ├── OWASP Top 10 - 2013 Spanish.pdf ├── OWASP Top 10 - 2013 Ukrainian.pdf ├── OWASP Top 10 - 2013.pdf ├── OWASP_Top_10_-_2013_Final_-_English.pptx ├── README.md ├── data │ └── WPstats_winter11_11th.pdf ├── drafts │ ├── FR2013 PPTX Version │ │ └── Top10 2013 v0.1.pptx │ ├── OWASP Top 10 - 2013 - RC1.pdf │ └── OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx └── presentations │ ├── OWASP_Top-10_2013 - Changes-from-2010.pptx │ └── OWASP_Top-10_2013 - Presentation.pptx ├── 2017 ├── .gitignore ├── OWASP Top 10 - 2017 - Icons.png ├── OWASP Top 10 - 2017 - Icons.psd ├── OWASP Top 10-2017 (en).pdf ├── OWASP Top 10-2017 (en).pptx ├── OWASP Top 10-2017-es.pdf ├── OWASP Top 10-2017-es.pptx ├── OWASP Top 10-2017-pt_pt.odp ├── OWASP Top 10-2017-pt_pt.pdf ├── OWASP Top 10-2017-ru.pdf ├── OWASP Top 10-2017-ru.pptx ├── OWASP-Top-10-2017-en.docx ├── OWASP-Top-10-2017-en.html ├── OWASP-Top-10-2017-fr.docx ├── OWASP-Top-10-2017-fr.html ├── OWASP-Top-10-2017-pt-br.html ├── OWASP-Top-10-2017-pt-br.pdf ├── README.md ├── archive │ ├── OWASP Top 10 2017 GM (en).pdf │ └── OWASP Top 10 2017 GM (en).pptx ├── datacall │ ├── OWASP Top 10 - 2017 Data Call-Public Release.xlsx │ ├── OWASP Top 10 - 2017 Data Call-Public Template.xlsx │ ├── analysis │ │ ├── OWASP Top 10 2017 GM Data Analysis.xlsx │ │ ├── OWASP Top 10 2017 RC2 Data Analysis.xlsx │ │ ├── README.MD │ │ └── Top 10-Data.docx │ └── submissions │ │ ├── Bugcrowd-OWASP_Top_10-2017_Datacall.xlsx │ │ ├── Checkmarx-OWASP_Top_10-2017_Datacall.xlsx │ │ ├── ContextIS-OWASP_Top_10-2017_Datacall.xlsx │ │ ├── Fortify-OWASP_Top_10-2017_Datacall.xlsx │ │ ├── OWASP Top 10 - 2017 Data Call-FormSubmissions.csv │ │ ├── OWASP Top 10 New Vulnerability Category.csv │ │ ├── README.md │ │ ├── Synopsys-OWASP_Top_10-2017_Datacall.xlsx │ │ └── Veracode-OWASP_Top_10-2017_Datacall.xlsx ├── de │ ├── OWASP Top 10-2017_de_V1.0.pdf │ ├── OWASP Top 10-2017_de_V1.0.pptx │ └── readme.md ├── drafts │ ├── OWASP Top 10 - 2017 RC1-English.pdf │ ├── OWASP Top 10 - 2017 RC1-English.pptx │ ├── OWASP Top 10 2017 RC2 Final.pdf │ └── OWASP Top 10 2017 RC2 Final.pptx ├── en │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── es │ ├── .gitignore │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduccion.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── fa │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ ├── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png │ ├── owasp top10 2017 fa.pdf │ └── owasp top10 2017 fa.pptx ├── fr │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ ├── LISEZ MOI-FR.md │ ├── TRADUCTION.md │ ├── affectation-traduction.md │ ├── images │ │ ├── 0x06-release-notes-1-fr.png │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png │ └── ko ├── generate_document.sh ├── he │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ ├── OWASP-Top-10-2017-he.pdf │ ├── OWASP-Top-10-2017-he.pptx │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── id │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── images │ ├── OWASP-Top-10.png │ └── README ├── ja │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ ├── OWASP Top 10-2017(ja).pdf │ ├── OWASP Top 10-2017(ja).pptx │ ├── OWASP-Top-10-2017-en.pdf │ ├── OWASP-Top-10-2017-ja.docx │ ├── OWASP-Top-10-2017-ja.html │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0x10-risk-2.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── ko │ ├── OWASP Top 10-2017-ko.pdf │ ├── OWASP Top 10-2017-ko.pptx │ └── README.ko ├── pt-br │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── pt-pt │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── ro │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ ├── OWASP Top 10-2017_Template_DIN-A4_ro.pptx │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── ru │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ ├── README.md │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── OWASP Top 10 - 2017 - Icons.png │ │ ├── OWASP Top 10 - 2017 - Icons.xcf │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png ├── templates │ ├── reference.docx │ └── template.tex ├── tr │ ├── 0x00-header.md │ ├── 0x00-notice.md │ ├── 0x00-toc.md │ ├── 0x01-about-owasp.md │ ├── 0x02-foreword.md │ ├── 0x05-introduction.md │ ├── 0x06-release-notes.md │ ├── 0x10-app-security-risks.md │ ├── 0x11-t10.md │ ├── 0xa1-injection.md │ ├── 0xa2-broken-authentication.md │ ├── 0xa3-sensitive-data-disclosure.md │ ├── 0xa4-xxe.md │ ├── 0xa5-broken-access-control.md │ ├── 0xa6-security-misconfiguration.md │ ├── 0xa7-xss.md │ ├── 0xa8-insecure-deserialization.md │ ├── 0xa9-known-vulns.md │ ├── 0xaa-logging-detection-response.md │ ├── 0xb0-next-devs.md │ ├── 0xb1-next-testing.md │ ├── 0xb2-next-org.md │ ├── 0xb3-next-app-mgrs.md │ ├── 0xc0-note-about-risks.md │ ├── 0xc1-risk-factors.md │ ├── 0xd0-about-data.md │ ├── 0xd1-data-contributors.md │ ├── OWASP Top 10-2017_TR.pptx │ └── images │ │ ├── 0x06-release-notes-1.png │ │ ├── 0x10-risk-1.png │ │ ├── 0xc0-risk-explanation.png │ │ ├── 0xc1-risk-factor-table.png │ │ ├── Autodesk-logo.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── front-wasp_without-background.png │ │ └── license.png └── translations │ ├── OWASP Top 10-2017_Template_DIN-A4.pptx │ └── README.TRANSLATIONS ├── 2021 ├── Data │ ├── CWE-Guidance.md │ ├── OWASP Top 10 2020 Data Analysis Plan.docx │ ├── README.md │ ├── owasp_top10_appsec_labs_2021_submission.csv │ ├── owasp_top10_gitlab_2020_submission.csv │ ├── owasp_top10_hcl_appscan_2021_submission.json │ ├── sample-data-submission.csv │ └── sample-data-submission.json ├── Presentations │ └── 20th Anniversary - OWASP Top 10 2021.pptx ├── README.md ├── docs │ ├── 0x00-notice.ar.md │ ├── 0x00-notice.es.md │ ├── 0x00-notice.fr.md │ ├── 0x00-notice.id.md │ ├── 0x00-notice.it.md │ ├── 0x00-notice.ja.md │ ├── 0x00-notice.md │ ├── 0x00-notice.pt_BR.md │ ├── 0x00-notice.zh_CN.md │ ├── 0x00-notice.zh_TW.md │ ├── A00-about-owasp.ar.md │ ├── A00-about-owasp.es.md │ ├── A00-about-owasp.fr.md │ ├── A00-about-owasp.id.md │ ├── A00-about-owasp.it.md │ ├── A00-about-owasp.ja.md │ ├── A00-about-owasp.md │ ├── A00-about-owasp.pt_BR.md │ ├── A00-about-owasp.zh_CN.md │ ├── A00-about-owasp.zh_TW.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.ar.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.es.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.fr.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.id.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.it.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.ja.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.pt_BR.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.zh_CN.md │ ├── A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.zh_TW.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.ar.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.es.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.fr.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.id.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.it.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.ja.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.pt_BR.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.zh_CN.md │ ├── A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.zh_TW.md │ ├── A00_2021_Introduction.ar.md │ ├── A00_2021_Introduction.es.md │ ├── A00_2021_Introduction.fr.md │ ├── A00_2021_Introduction.id.md │ ├── A00_2021_Introduction.it.md │ ├── A00_2021_Introduction.ja.md │ ├── A00_2021_Introduction.md │ ├── A00_2021_Introduction.pt_BR.md │ ├── A00_2021_Introduction.zh_CN.md │ ├── A00_2021_Introduction.zh_TW.md │ ├── A01_2021-Broken_Access_Control.ar.md │ ├── A01_2021-Broken_Access_Control.es.md │ ├── A01_2021-Broken_Access_Control.fr.md │ ├── A01_2021-Broken_Access_Control.id.md │ ├── A01_2021-Broken_Access_Control.it.md │ ├── A01_2021-Broken_Access_Control.ja.md │ ├── A01_2021-Broken_Access_Control.md │ ├── A01_2021-Broken_Access_Control.pt_BR.md │ ├── A01_2021-Broken_Access_Control.zh_CN.md │ ├── A01_2021-Broken_Access_Control.zh_TW.md │ ├── A02_2021-Cryptographic_Failures.ar.md │ ├── A02_2021-Cryptographic_Failures.es.md │ ├── A02_2021-Cryptographic_Failures.fr.md │ ├── A02_2021-Cryptographic_Failures.id.md │ ├── A02_2021-Cryptographic_Failures.it.md │ ├── A02_2021-Cryptographic_Failures.ja.md │ ├── A02_2021-Cryptographic_Failures.md │ ├── A02_2021-Cryptographic_Failures.pt_BR.md │ ├── A02_2021-Cryptographic_Failures.zh_CN.md │ ├── A02_2021-Cryptographic_Failures.zh_TW.md │ ├── A03_2021-Injection.ar.md │ ├── A03_2021-Injection.es.md │ ├── A03_2021-Injection.fr.md │ ├── A03_2021-Injection.id.md │ ├── A03_2021-Injection.it.md │ ├── A03_2021-Injection.ja.md │ ├── A03_2021-Injection.md │ ├── A03_2021-Injection.pt_BR.md │ ├── A03_2021-Injection.zh_CN.md │ ├── A03_2021-Injection.zh_TW.md │ ├── A04_2021-Insecure_Design.ar.md │ ├── A04_2021-Insecure_Design.es.md │ ├── A04_2021-Insecure_Design.fr.md │ ├── A04_2021-Insecure_Design.id.md │ ├── A04_2021-Insecure_Design.it.md │ ├── A04_2021-Insecure_Design.ja.md │ ├── A04_2021-Insecure_Design.md │ ├── A04_2021-Insecure_Design.pt_BR.md │ ├── A04_2021-Insecure_Design.zh_CN.md │ ├── A04_2021-Insecure_Design.zh_TW.md │ ├── A05_2021-Security_Misconfiguration.ar.md │ ├── A05_2021-Security_Misconfiguration.es.md │ ├── A05_2021-Security_Misconfiguration.fr.md │ ├── A05_2021-Security_Misconfiguration.id.md │ ├── A05_2021-Security_Misconfiguration.it.md │ ├── A05_2021-Security_Misconfiguration.ja.md │ ├── A05_2021-Security_Misconfiguration.md │ ├── A05_2021-Security_Misconfiguration.pt_BR.md │ ├── A05_2021-Security_Misconfiguration.zh_CN.md │ ├── A05_2021-Security_Misconfiguration.zh_TW.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.ar.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.es.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.fr.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.id.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.it.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.ja.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.pt_BR.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.zh_CN.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.zh_TW.md │ ├── A07_2021-Identification_and_Authentication_Failures.ar.md │ ├── A07_2021-Identification_and_Authentication_Failures.es.md │ ├── A07_2021-Identification_and_Authentication_Failures.fr.md │ ├── A07_2021-Identification_and_Authentication_Failures.id.md │ ├── A07_2021-Identification_and_Authentication_Failures.it.md │ ├── A07_2021-Identification_and_Authentication_Failures.ja.md │ ├── A07_2021-Identification_and_Authentication_Failures.md │ ├── A07_2021-Identification_and_Authentication_Failures.pt_BR.md │ ├── A07_2021-Identification_and_Authentication_Failures.zh_CN.md │ ├── A07_2021-Identification_and_Authentication_Failures.zh_TW.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.ar.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.es.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.fr.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.id.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.it.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.ja.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.pt_BR.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.zh_CN.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.zh_TW.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.ar.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.es.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.fr.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.id.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.it.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.ja.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.pt_BR.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.zh_CN.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.zh_TW.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).ar.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).es.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).fr.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).id.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).it.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).ja.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).pt_BR.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).zh_CN.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).zh_TW.md │ ├── A11_2021-Next_Steps.ar.md │ ├── A11_2021-Next_Steps.es.md │ ├── A11_2021-Next_Steps.fr.md │ ├── A11_2021-Next_Steps.id.md │ ├── A11_2021-Next_Steps.it.md │ ├── A11_2021-Next_Steps.ja.md │ ├── A11_2021-Next_Steps.md │ ├── A11_2021-Next_Steps.pt_BR.md │ ├── A11_2021-Next_Steps.zh_CN.md │ ├── A11_2021-Next_Steps.zh_TW.md │ ├── ar │ │ └── assets │ │ │ ├── LICENSE-FRONT-WASP.txt │ │ │ ├── OWASP_Logo_Transp.png │ │ │ ├── OWASP_logo.png │ │ │ ├── TOP_10_Icons_Final_Broken_Access_Control.png │ │ │ ├── TOP_10_Icons_Final_Crypto_Failures.png │ │ │ ├── TOP_10_Icons_Final_Identification_and_Authentication_Failures.png │ │ │ ├── TOP_10_Icons_Final_Injection.png │ │ │ ├── TOP_10_Icons_Final_Insecure_Design.png │ │ │ ├── TOP_10_Icons_Final_Insecure_Design_100.png │ │ │ ├── TOP_10_Icons_Final_SSRF.png │ │ │ ├── TOP_10_Icons_Final_Security_Logging_and_Monitoring_Failures.png │ │ │ ├── TOP_10_Icons_Final_Security_Misconfiguration.png │ │ │ ├── TOP_10_Icons_Final_Software_and_Data_Integrity_Failures.png │ │ │ ├── TOP_10_Icons_Final_Vulnerable_Outdated_Components.png │ │ │ ├── TOP_10_logo_Final_Logo_Colour.png │ │ │ ├── front-cc.png │ │ │ ├── front-wasp.png │ │ │ ├── image1.png │ │ │ ├── image2.png │ │ │ ├── license.png │ │ │ ├── mapping.png │ │ │ ├── readme.md │ │ │ └── securecodewarrior.png │ ├── assets │ │ ├── JustEat.png │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_Logo_Transp.png │ │ ├── OWASP_logo.png │ │ ├── TOP_10_Icons_Final_Broken_Access_Control.png │ │ ├── TOP_10_Icons_Final_Crypto_Failures.png │ │ ├── TOP_10_Icons_Final_Identification_and_Authentication_Failures.png │ │ ├── TOP_10_Icons_Final_Injection.png │ │ ├── TOP_10_Icons_Final_Insecure_Design.png │ │ ├── TOP_10_Icons_Final_Insecure_Design_100.png │ │ ├── TOP_10_Icons_Final_SSRF.png │ │ ├── TOP_10_Icons_Final_Security_Logging_and_Monitoring_Failures.png │ │ ├── TOP_10_Icons_Final_Security_Misconfiguration.png │ │ ├── TOP_10_Icons_Final_Software_and_Data_Integrity_Failures.png │ │ ├── TOP_10_Icons_Final_Vulnerable_Outdated_Components.png │ │ ├── TOP_10_logo_Final_Logo_Colour.png │ │ ├── Top10Mapping.xlsx │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── image1.png │ │ ├── image2.png │ │ ├── license.png │ │ ├── mapping.png │ │ └── securecodewarrior.png │ ├── es │ │ └── assets │ │ │ ├── Top10Mapping-es.xlsx │ │ │ └── mapping.png │ ├── index.ar.md │ ├── index.es.md │ ├── index.fr.md │ ├── index.id.md │ ├── index.it.md │ ├── index.ja.md │ ├── index.md │ ├── index.pt_BR.md │ ├── index.zh_CN.md │ ├── index.zh_TW.md │ ├── pt_BR │ │ └── assets │ │ │ ├── 2017 to 2021.drawio │ │ │ ├── 2017to2021.png │ │ │ ├── 2017to2021.svg │ │ │ ├── TOP_10_logo_Final_Logo_Colour.png │ │ │ └── image1.png │ └── zh_TW │ │ └── assets │ │ ├── LICENSE-FRONT-WASP.txt │ │ ├── OWASP_logo.png │ │ ├── front-cc.png │ │ ├── front-wasp.png │ │ ├── image1.png │ │ ├── image2.png │ │ ├── license.png │ │ └── mapping.png ├── mkdocs.yml ├── requirements.txt └── site │ └── 0x00-notice │ └── index.html ├── 2024 ├── Data │ ├── README.md │ ├── sample-data-submission.csv │ └── sample-data-submission.json ├── Presentations │ └── README.md └── docs │ └── README.md ├── .github └── FUNDING.yml ├── .gitignore ├── .markdownlint.json ├── .textlintrc ├── 2017-2003_Comparison └── OWASP_Top_Ten_-_Comparison_of_2003,2004,2007,2010,2013_and_2017_Releases.docx ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Index.md ├── LICENSE ├── Makefile ├── Preface.md ├── Project.code-workspace ├── README.md ├── _config.yml ├── archives ├── OWASPWebApplicationSecurityTopTen-Version1.pdf ├── OWASP_Top_Ten_2004.pdf └── README.md ├── book.json ├── generated ├── cheatsheets │ ├── Glossary.md │ └── index.md ├── custom_theme │ └── 404.html └── mkdocs.yml ├── markdown-link-check-config.json ├── mkdocs.yml ├── osib ├── README.md ├── docs │ ├── A00_2021_Introduction.md │ ├── A01_2021-Broken_Access_Control.md │ ├── A02_2021-Cryptographic_Failures.md │ ├── A03_2021-Injection.md │ ├── A04_2021-Insecure_Design.md │ ├── A05_2021-Security_Misconfiguration.md │ ├── A06_2021-Vulnerable_and_Outdated_Components.md │ ├── A07_2021-Identification_and_Authentication_Failures.md │ ├── A08_2021-Software_and_Data_Integrity_Failures.md │ ├── A09_2021-Security_Logging_and_Monitoring_Failures.md │ ├── A10_2021-Server-Side_Request_Forgery_(SSRF).md │ └── A11_2021-Next_Steps.md ├── export │ └── .gitkeep ├── include │ └── osib.yml └── osib_macro.py ├── package.json ├── requirements.txt └── scripts ├── 404.html ├── Apply_Link_Check.sh ├── Generate_CheatSheets_TOC.py ├── Generate_RSS_Feed.py ├── Generate_Site.sh └── Generate_Site_mkDocs.sh /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | custom: https://owasp.org/donate/?reponame=www-project-top-ten&title=OWASP+Top+Ten 2 | github: OWASP -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Mac metadata 2 | # General 3 | .DS_Store 4 | .AppleDouble 5 | .LSOverride 6 | 7 | # Icon must end with two \r 8 | Icon 9 | 10 | 11 | # Thumbnails 12 | ._* 13 | 14 | # Files that might appear in the root of a volume 15 | .DocumentRevisions-V100 16 | .fseventsd 17 | .Spotlight-V100 18 | .TemporaryItems 19 | .Trashes 20 | .VolumeIcon.icns 21 | .com.apple.timemachine.donotpresent 22 | 23 | # Directories potentially created on remote AFP share 24 | .AppleDB 25 | .AppleDesktop 26 | Network Trash Folder 27 | Temporary Items 28 | .apdisk 29 | 30 | *.tmp 31 | 32 | # Windows thumbnail cache files 33 | Thumbs.db 34 | ehthumbs.db 35 | ehthumbs_vista.db 36 | 37 | # Dump file 38 | *.stackdump 39 | 40 | # Folder config file 41 | Desktop.ini 42 | 43 | # Recycle Bin used on file shares 44 | $RECYCLE.BIN/ 45 | 46 | # Windows Installer files 47 | *.cab 48 | *.msi 49 | *.msm 50 | *.msp 51 | 52 | # Windows shortcuts 53 | *.lnk 54 | 55 | # Word temporary 56 | ~$*.doc* 57 | 58 | # Excel temporary 59 | ~$*.xls* 60 | 61 | # Excel Backup File 62 | *.xlk 63 | 64 | # PowerPoint temporary 65 | ~$*.ppt* 66 | 67 | # Visio autosave temporary files 68 | *.~vsd* 69 | 2017/pt-pt/.vscode/settings.json 70 | 71 | # IDE folders 72 | .idea/ 73 | 74 | # mkdocs site (this is built using mkdocs gh-deploy 75 | 2021/site/ 76 | 2021/site/0x00-notice/index.html 77 | 78 | # Pipenv 79 | Pipfile 80 | 2021/site/0x00-notice/index.html 81 | -------------------------------------------------------------------------------- /.markdownlint.json: -------------------------------------------------------------------------------- 1 | { 2 | "default": true, 3 | "MD004": { "style": "dash"}, 4 | "MD007": {"indent": 4}, 5 | "MD013": false, 6 | "MD024": { "siblings_only": true}, 7 | "MD029": false, 8 | "MD040": false 9 | } 10 | -------------------------------------------------------------------------------- /2013/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Arabic.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Arabic.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Brazilian Portuguese.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Brazilian Portuguese.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Chinese.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Chinese.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Czech.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Czech.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 English FInal.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 English FInal.pptx -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 French.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 French.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 German.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 German.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Hebrew.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Hebrew.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Italiano.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Italiano.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Japanese.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Japanese.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Korea.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Korea.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Spanish.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Spanish.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013 Ukrainian.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013 Ukrainian.pdf -------------------------------------------------------------------------------- /2013/OWASP Top 10 - 2013.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP Top 10 - 2013.pdf -------------------------------------------------------------------------------- /2013/OWASP_Top_10_-_2013_Final_-_English.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/OWASP_Top_10_-_2013_Final_-_English.pptx -------------------------------------------------------------------------------- /2013/README.md: -------------------------------------------------------------------------------- 1 | This is the OWASP Top 10 2013, which is the current version. 2 | 3 | There are translations for many languages. If you are aware of any other translations, please let us know. 4 | 5 | We are also interested in any additional drafts and data related to the OWASP Top 10 2013. 6 | -------------------------------------------------------------------------------- /2013/data/WPstats_winter11_11th.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/data/WPstats_winter11_11th.pdf -------------------------------------------------------------------------------- /2013/drafts/FR2013 PPTX Version/Top10 2013 v0.1.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/drafts/FR2013 PPTX Version/Top10 2013 v0.1.pptx -------------------------------------------------------------------------------- /2013/drafts/OWASP Top 10 - 2013 - RC1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/drafts/OWASP Top 10 - 2013 - RC1.pdf -------------------------------------------------------------------------------- /2013/drafts/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/drafts/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx -------------------------------------------------------------------------------- /2013/presentations/OWASP_Top-10_2013 - Changes-from-2010.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/presentations/OWASP_Top-10_2013 - Changes-from-2010.pptx -------------------------------------------------------------------------------- /2013/presentations/OWASP_Top-10_2013 - Presentation.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2013/presentations/OWASP_Top-10_2013 - Presentation.pptx -------------------------------------------------------------------------------- /2017-2003_Comparison/OWASP_Top_Ten_-_Comparison_of_2003,2004,2007,2010,2013_and_2017_Releases.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017-2003_Comparison/OWASP_Top_Ten_-_Comparison_of_2003,2004,2007,2010,2013_and_2017_Releases.docx -------------------------------------------------------------------------------- /2017/.gitignore: -------------------------------------------------------------------------------- 1 | # Mac metadata 2 | # General 3 | .DS_Store 4 | .AppleDouble 5 | .LSOverride 6 | 7 | # Icon must end with two \r 8 | Icon 9 | 10 | 11 | # Thumbnails 12 | ._* 13 | 14 | # Files that might appear in the root of a volume 15 | .DocumentRevisions-V100 16 | .fseventsd 17 | .Spotlight-V100 18 | .TemporaryItems 19 | .Trashes 20 | .VolumeIcon.icns 21 | .com.apple.timemachine.donotpresent 22 | 23 | # Directories potentially created on remote AFP share 24 | .AppleDB 25 | .AppleDesktop 26 | Network Trash Folder 27 | Temporary Items 28 | .apdisk 29 | 30 | *.tmp 31 | 32 | # Windows thumbnail cache files 33 | Thumbs.db 34 | ehthumbs.db 35 | ehthumbs_vista.db 36 | 37 | # Dump file 38 | *.stackdump 39 | 40 | # Folder config file 41 | Desktop.ini 42 | 43 | # Recycle Bin used on file shares 44 | $RECYCLE.BIN/ 45 | 46 | # Windows Installer files 47 | *.cab 48 | *.msi 49 | *.msm 50 | *.msp 51 | 52 | # Windows shortcuts 53 | *.lnk 54 | 55 | # Word temporary 56 | ~$*.doc* 57 | 58 | # Excel temporary 59 | ~$*.xls* 60 | 61 | # Excel Backup File 62 | *.xlk 63 | 64 | # PowerPoint temporary 65 | ~$*.ppt* 66 | 67 | # Visio autosave temporary files 68 | *.~vsd* -------------------------------------------------------------------------------- /2017/OWASP Top 10 - 2017 - Icons.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10 - 2017 - Icons.png -------------------------------------------------------------------------------- /2017/OWASP Top 10 - 2017 - Icons.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10 - 2017 - Icons.psd -------------------------------------------------------------------------------- /2017/OWASP Top 10-2017 (en).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10-2017 (en).pdf -------------------------------------------------------------------------------- /2017/OWASP Top 10-2017 (en).pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10-2017 (en).pptx -------------------------------------------------------------------------------- /2017/OWASP Top 10-2017-es.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10-2017-es.pdf -------------------------------------------------------------------------------- /2017/OWASP Top 10-2017-es.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10-2017-es.pptx -------------------------------------------------------------------------------- /2017/OWASP Top 10-2017-pt_pt.odp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10-2017-pt_pt.odp -------------------------------------------------------------------------------- /2017/OWASP Top 10-2017-pt_pt.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10-2017-pt_pt.pdf -------------------------------------------------------------------------------- /2017/OWASP Top 10-2017-ru.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10-2017-ru.pdf -------------------------------------------------------------------------------- /2017/OWASP Top 10-2017-ru.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP Top 10-2017-ru.pptx -------------------------------------------------------------------------------- /2017/OWASP-Top-10-2017-en.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP-Top-10-2017-en.docx -------------------------------------------------------------------------------- /2017/OWASP-Top-10-2017-fr.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP-Top-10-2017-fr.docx -------------------------------------------------------------------------------- /2017/OWASP-Top-10-2017-pt-br.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/OWASP-Top-10-2017-pt-br.pdf -------------------------------------------------------------------------------- /2017/README.md: -------------------------------------------------------------------------------- 1 | # OWASP Top 10 2017 2 | 3 | We have released the OWASP Top 10 - 2017 (Final) 4 | 5 | * [OWASP Top 10 2017 (PPTX)](https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pptx) 6 | * [OWASP Top 10 2017 (PDF)](https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf) 7 | 8 | Please [log issues](https://github.com/OWASP/Top10/issues) here. 9 | -------------------------------------------------------------------------------- /2017/archive/OWASP Top 10 2017 GM (en).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/archive/OWASP Top 10 2017 GM (en).pdf -------------------------------------------------------------------------------- /2017/archive/OWASP Top 10 2017 GM (en).pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/archive/OWASP Top 10 2017 GM (en).pptx -------------------------------------------------------------------------------- /2017/datacall/OWASP Top 10 - 2017 Data Call-Public Release.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/OWASP Top 10 - 2017 Data Call-Public Release.xlsx -------------------------------------------------------------------------------- /2017/datacall/OWASP Top 10 - 2017 Data Call-Public Template.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/OWASP Top 10 - 2017 Data Call-Public Template.xlsx -------------------------------------------------------------------------------- /2017/datacall/analysis/OWASP Top 10 2017 GM Data Analysis.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/analysis/OWASP Top 10 2017 GM Data Analysis.xlsx -------------------------------------------------------------------------------- /2017/datacall/analysis/OWASP Top 10 2017 RC2 Data Analysis.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/analysis/OWASP Top 10 2017 RC2 Data Analysis.xlsx -------------------------------------------------------------------------------- /2017/datacall/analysis/README.MD: -------------------------------------------------------------------------------- 1 | Folder to store analysis related spreadsheets and documents. 2 | Raw data should be in the submissions folders. 3 | -------------------------------------------------------------------------------- /2017/datacall/analysis/Top 10-Data.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/analysis/Top 10-Data.docx -------------------------------------------------------------------------------- /2017/datacall/submissions/Bugcrowd-OWASP_Top_10-2017_Datacall.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/submissions/Bugcrowd-OWASP_Top_10-2017_Datacall.xlsx -------------------------------------------------------------------------------- /2017/datacall/submissions/Checkmarx-OWASP_Top_10-2017_Datacall.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/submissions/Checkmarx-OWASP_Top_10-2017_Datacall.xlsx -------------------------------------------------------------------------------- /2017/datacall/submissions/ContextIS-OWASP_Top_10-2017_Datacall.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/submissions/ContextIS-OWASP_Top_10-2017_Datacall.xlsx -------------------------------------------------------------------------------- /2017/datacall/submissions/Fortify-OWASP_Top_10-2017_Datacall.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/submissions/Fortify-OWASP_Top_10-2017_Datacall.xlsx -------------------------------------------------------------------------------- /2017/datacall/submissions/README.md: -------------------------------------------------------------------------------- 1 | You can submit your spreadsheet with the data for the OWASP Top 10 extended data call in this folder. 2 | Just fork and create a pull request and we will respond. 3 | If you would prefer email, you can send the spreadsheet to brian.glas@owasp.org 4 | 5 | You can also complete the google form: https://docs.google.com/forms/d/1sBMHN5nBicjr5xSo04xkdP5JlCnXFcKFCgEHjwPGuLw/edit 6 | 7 | Thank you for contributing! 8 | -------------------------------------------------------------------------------- /2017/datacall/submissions/Synopsys-OWASP_Top_10-2017_Datacall.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/submissions/Synopsys-OWASP_Top_10-2017_Datacall.xlsx -------------------------------------------------------------------------------- /2017/datacall/submissions/Veracode-OWASP_Top_10-2017_Datacall.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/datacall/submissions/Veracode-OWASP_Top_10-2017_Datacall.xlsx -------------------------------------------------------------------------------- /2017/de/OWASP Top 10-2017_de_V1.0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/de/OWASP Top 10-2017_de_V1.0.pdf -------------------------------------------------------------------------------- /2017/de/OWASP Top 10-2017_de_V1.0.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/de/OWASP Top 10-2017_de_V1.0.pptx -------------------------------------------------------------------------------- /2017/de/readme.md: -------------------------------------------------------------------------------- 1 | # OWASP Top 10 2017 de 2 | 3 | This folder contains the German version of the OWASP Top 10 - 2017.
4 | The official website is here: https://www.owasp.org/index.php/Germany/Projekte/Top_10 5 | 6 | * [OWASP Top 10 2017 German Version (PPTX)](https://github.com/OWASP/Top10/blob/master/2017/de/OWASP%20Top%2010-2017_de_V1.0.pptx) 7 | * [OWASP Top 10 2017 German Version (PDF)](https://github.com/OWASP/Top10/blob/master/2017/de/OWASP%20Top%2010-2017_de_V1.0.pdf) 8 | 9 | Please report issues by mail to top10\owasp\de 10 | -------------------------------------------------------------------------------- /2017/drafts/OWASP Top 10 - 2017 RC1-English.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/drafts/OWASP Top 10 - 2017 RC1-English.pdf -------------------------------------------------------------------------------- /2017/drafts/OWASP Top 10 - 2017 RC1-English.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/drafts/OWASP Top 10 - 2017 RC1-English.pptx -------------------------------------------------------------------------------- /2017/drafts/OWASP Top 10 2017 RC2 Final.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/drafts/OWASP Top 10 2017 RC2 Final.pdf -------------------------------------------------------------------------------- /2017/drafts/OWASP Top 10 2017 RC2 Final.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/drafts/OWASP Top 10 2017 RC2 Final.pptx -------------------------------------------------------------------------------- /2017/en/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | The Ten Most Critical Web Application Security Risks 6 | 7 | November 20, 2017 8 | 9 | ### Release 10 | 11 | Comments requested per instructions within 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /2017/en/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Release 2 | 3 | ## Important Notice 4 | 5 | ### Request for Comments 6 | 7 | This is the text version of the OWASP Top 10, and although it is useful for translators and those interested in a text version, it's not the official release, which is the PowerPoint / PDF version. 8 | 9 | At this stage, we are asking for 10 | 11 | * Translations - we have some teams working already, but do reach out to us if you can help 12 | 13 | We strongly urge for any corrections or issues to be logged at GitHub: 14 | 15 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 16 | 17 | Through public transparency, we provide traceability and ensure that all voices are heard during this final month before publication. 18 | 19 | * Andrew van der Stock 20 | * Brian Glas 21 | * Neil Smithline 22 | * Torsten Gigler -------------------------------------------------------------------------------- /2017/en/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < replace me with a toc > 4 | -------------------------------------------------------------------------------- /2017/en/0x01-about-owasp.md: -------------------------------------------------------------------------------- 1 | # O About OWASP 2 | 3 | ## About OWASP 4 | 5 | The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. 6 | 7 | At OWASP, you'll find free and open: 8 | 9 | * Application security tools and standards. 10 | * Complete books on application security testing, secure code development, and secure code review. 11 | * Presentations and [videos](https://www.youtube.com/user/OWASPGLOBAL). 12 | * [Cheat sheets](https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series) on many common topics. 13 | * Standard security controls and libraries. 14 | * [Local chapters worldwide](https://www.owasp.org/index.php/OWASP_Chapter). 15 | * Cutting edge research. 16 | * Extensive [conferences worldwide](https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference). 17 | * [Mailing lists](https://lists.owasp.org/mailman/listinfo). 18 | 19 | Learn more at: [https://www.owasp.org](https://www.owasp.org). 20 | 21 | All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. 22 | 23 | We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in these areas. 24 | 25 | OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, and cost-effective information about application security. 26 | 27 | OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative, transparent, and open way. 28 | 29 | The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP board, chapter leaders, project leaders, and project members. We support innovative security research with grants and infrastructure. 30 | 31 | Come join us! 32 | 33 | ## Copyright and License 34 | 35 | ![license](images/license.png) 36 | 37 | Copyright © 2003-2017 The OWASP Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 38 | 39 | -------------------------------------------------------------------------------- /2017/en/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF Details About Risk Factors 2 | 3 | ## Top 10 Risk Factor Summary 4 | 5 | The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even severe software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved. 6 | 7 | ![Risk Factor Table](images/0xc1-risk-factor-table.png) 8 | 9 | ## Additional Risks To Consider 10 | 11 | The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (ordered by CWE-ID) that you should additionally consider include: 12 | 13 | * [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Unvalidated Forward and Redirects](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Improper Control of Interaction Frequency (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | 22 | -------------------------------------------------------------------------------- /2017/en/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/en/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/en/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/en/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/en/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/en/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/en/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/front-cc.png -------------------------------------------------------------------------------- /2017/en/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/front-wasp.png -------------------------------------------------------------------------------- /2017/en/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/en/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/en/images/license.png -------------------------------------------------------------------------------- /2017/es/.gitignore: -------------------------------------------------------------------------------- 1 | # Mac metadata 2 | # General 3 | .DS_Store 4 | .AppleDouble 5 | .LSOverride 6 | 7 | # Icon must end with two \r 8 | Icon 9 | 10 | 11 | # Thumbnails 12 | ._* 13 | 14 | # Files that might appear in the root of a volume 15 | .DocumentRevisions-V100 16 | .fseventsd 17 | .Spotlight-V100 18 | .TemporaryItems 19 | .Trashes 20 | .VolumeIcon.icns 21 | .com.apple.timemachine.donotpresent 22 | 23 | # Directories potentially created on remote AFP share 24 | .AppleDB 25 | .AppleDesktop 26 | Network Trash Folder 27 | Temporary Items 28 | .apdisk 29 | 30 | *.tmp 31 | 32 | # Windows thumbnail cache files 33 | Thumbs.db 34 | ehthumbs.db 35 | ehthumbs_vista.db 36 | 37 | # Dump file 38 | *.stackdump 39 | 40 | # Folder config file 41 | Desktop.ini 42 | 43 | # Recycle Bin used on file shares 44 | $RECYCLE.BIN/ 45 | 46 | # Windows Installer files 47 | *.cab 48 | *.msi 49 | *.msm 50 | *.msp 51 | 52 | # Windows shortcuts 53 | *.lnk 54 | 55 | # Word temporary 56 | ~$*.doc* 57 | 58 | # Excel temporary 59 | ~$*.xls* 60 | 61 | # Excel Backup File 62 | *.xlk 63 | 64 | # PowerPoint temporary 65 | ~$*.ppt* 66 | 67 | # Visio autosave temporary files 68 | *.~vsd* 69 | -------------------------------------------------------------------------------- /2017/es/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | Los diez riesgos más críticos en Aplicaciones Web 6 | 7 | 20 de Noviembre de 2017 8 | 9 | ### Release 10 | 11 | Instrucciones para el envío de comentarios dentro del documento 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | Este trabajo está licenciado bajo la licencia Internacional 4.0 de Creative Commons Attribution-ShareAlike. | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /2017/es/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Release 2 | 3 | ## Aviso importante 4 | 5 | ### Envío de Comentarios 6 | 7 | Esta es la versión de texto del Top 10 de OWASP, y aunque es útil para traductores e interesados en una versión de texto, no es la versión oficial, siéndolo las versiones en PowerPoint / PDF. 8 | 9 | En esta etapa, estamos solicitando 10 | 11 | * Traducciones - ya tenemos algunos equipos trabajando, pero no dude en ponerse en contacto con nosotros si puede ayudarnos. 12 | 13 | Solicitamos de forma urgente el envío de cualquier corrección o asunto a ser registrado en GitHub: 14 | 15 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 16 | 17 | A través de transparencia pública, proveemos trazabilidad para asegurar que todas las voces fueron escuchadas durante el último mes antes de su publicación. 18 | 19 | * Andrew van der Stock 20 | * Brian Glas 21 | * Neil Smithline 22 | * Torsten Gigler 23 | -------------------------------------------------------------------------------- /2017/es/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # Tabla de Contenido 2 | 3 | < replace me with a toc > 4 | -------------------------------------------------------------------------------- /2017/es/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF Detalles Acerca de los Factores de Riesgo 2 | 3 | ## Resumen de Factores de Riesgo del Top 10 4 | 5 | La siguiente tabla presenta un resumen del Top 10 de Riesgos de Seguridad en Aplicaciones 2017, y los factores de riesgo que hemos asignado a cada uno de ellos. Estos factores fueron determinados basándose en las estadísticas disponibles y la experiencia del equipo del Top 10 de OWASP. Para entender éstos riesgos para una aplicación en particular u organización, usted debe considerar sus propios agentes de amenaza de impactos de negocio específicos. Incluso vulnerabilidades de software graves podrían no representar un riesgo serio si no hay agentes de amenaza en posición para ejecutar el ataque necesario, o el impacto de negocio es insignificante para los activos involucrados. 6 | 7 | ![Tabla de Factores de Riesgo](images/0xc1-risk-factor-table.png) 8 | 9 | ## Riesgos Adicionales a Considerar 10 | 11 | El TOP 10 abarca un amplio espectro, pero existen otros riesgos que debería considerar y evaluar en su organización. Algunos de éstos se han publicado en versiones previas del Top 10, y otros no, incluyendo nuevas técnicas de ataque que son identificadas constantemente. Otros riesgos de seguridad en aplicaciones importantes (ordenados según su identificador de CWE) que también debería considerar: 12 | 13 | * [CWE-352: Falsificación de Peticiones en Sitios Cruzados (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Consumo de Recursos sin Control ('Agotamiento de Recursos', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Carga de Archivos de Tipos Peligrosos sin Restricciones](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: Mal Representación de información crítica en la Interfaz de Usuario (UI) - Clickjacking y otros](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Redirecciones y Reenvios no Validados](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Control Inapropiado sobre la Frecuencia de Interacción (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusión de Funcionalidades desde fuera del la zona controlada de confianza (Contenido de Terceros)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Falsificación de Peticiones desde el lado del Servidor (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | -------------------------------------------------------------------------------- /2017/es/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/es/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/es/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/es/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/es/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/es/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/es/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/front-cc.png -------------------------------------------------------------------------------- /2017/es/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/front-wasp.png -------------------------------------------------------------------------------- /2017/es/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/es/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/es/images/license.png -------------------------------------------------------------------------------- /2017/fa/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | ده ریسک امنیتی بسیار بحرانی برنامه‌های کاربردی تحت وب 6 | 7 | November 20, 2017 8 | 9 | ### Release 10 | 11 | Comments requested per instructions within 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /2017/fa/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # انتشار 2 | 3 | ## توجه مهم 4 | 5 | ### درخواست برای اظهار نظر 6 | 7 | این نسخه متنی OWASP Top 10 است و اگرچه برای مترجمان و کسانی که به نسخه متنی علاقه دارند مفید است، اما این نسخه رسمی نیست و نسخه PowerPoint و PDF رسمی هستند. 8 | 9 | 10 | در این مرحله ما به دنبال این موارد هستیم 11 | 12 | 13 | * ترجمه - ما تیم هایی داریم که هم اکنون این کار را می کنند اما اگر شما هم می توانید به ما کمک کنید با ما تماس بگیرید. 14 | 15 | ما شدیدا به دنبال هر اصلاح یا مشکلی هستیم که از طریق Github درج شود: 16 | 17 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 18 | 19 | برای شفافیت، ما قابلیت ردیابی را برای اطمینان از اینکه هر صدایی در ماه های پایانی قبل از انتشار شنیده خواهد شد، تدارک دیده‌ایم. 20 | 21 | * Andrew van der Stock 22 | * Brian Glas 23 | * Neil Smithline 24 | * Torsten Gigler 25 | -------------------------------------------------------------------------------- /2017/fa/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < replace me with a toc > 4 | -------------------------------------------------------------------------------- /2017/fa/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | #
+RF جزئیاتی در مورد فاکتورهای ریسک
2 | 3 | ##
خلاصه ۱۰ فاکتور ریسک برتر
4 | 5 |

جدول پیش رو خلاصه‌ای از ۱۰ خطر برتر امنیتی ۲۰۱۷ و فاکتورهای ریسکی که ما به انها اضافه نموده‌ایم را نمایش می‌دهد. این فاکتورها بر اساس آمارهای قابل دسترس و همینطور تجربه تیم OWASP TOP 10 تعیین شده اند. برای درک این خطرها برای برنامه یا سازمان، باید تهدیدات داخلی و تأثیرات کسب و کار خود را مورد نظر قرار دهید. حتی ضعف های امنیتی شدید هم ممکن است خطر جدی به همراه نداشته باشند، اگر که هیچ تهدیدی در موقعیت حمله قرار نداشته باشد و یا تأثیر کسب و کار بر دارایی هایی که مشمول هستند ناچیز باشد.

6 | 7 | ![Risk Factor Table](images/0xc1-risk-factor-table.png) 8 | 9 | ##
ریسک اضافه قابل توجه
10 | 11 |

TOP 10 زمینه های بسیاری را پوشش میدهد، اما ریسک های دیگری نیز وجود دارند که باید آنها را در نظر داشته و در سازمان خود ارزیابی نمایید. بعضی از اینها در نسخه های قبلی TOP 10 وجود دارند و برخی نه، که شامل تکنیک های جدید حمله که همیشه شناسایی می‌شوند است. مابقی ریسک های امنیتی برنامه کاربردی (به ترتیب CVE-ID) که شما باید به صورت اضافی در نظر بگیرید، شامل این موارد هستند :

12 | 13 | * [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Unvalidated Forward and Redirects](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Improper Control of Interaction Frequency (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | 22 | -------------------------------------------------------------------------------- /2017/fa/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/fa/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/fa/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/fa/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/fa/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/fa/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/fa/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/front-cc.png -------------------------------------------------------------------------------- /2017/fa/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/front-wasp.png -------------------------------------------------------------------------------- /2017/fa/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/fa/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/images/license.png -------------------------------------------------------------------------------- /2017/fa/owasp top10 2017 fa.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/owasp top10 2017 fa.pdf -------------------------------------------------------------------------------- /2017/fa/owasp top10 2017 fa.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fa/owasp top10 2017 fa.pptx -------------------------------------------------------------------------------- /2017/fr/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | Les Dix Risques de Sécurité Applicatif Web les Plus Critiques 6 | 7 | 20 Novembre 2017 8 | 9 | ### Release 10 | 11 | 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | Ce travail est distribué sous licence Creative Commons Attribution-ShareAlike 4.0 International | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /2017/fr/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Release 2 | 3 | ## Notes importantes 4 | 5 | ### Appels à commentaires 6 | 7 | Ceci est la version texte du OWASP Top10, et bien qu'il soit utile aux traducteurs et ceux interessés par la version texte, il ne constitue pas la version officielle finale qui est la version PowerPoint/PDF. 8 | 9 | 10 | A ce stage nous demandons donc : 11 | 12 | * Aux traducteurs - Contactez les équipes de traductions déja constituées. 13 | 14 | Nous recommandons que toutes les erreurs soient consignées via GitHub: 15 | 16 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 17 | 18 | Cela permettra plus de transparence, de tracabilité et assurera que toutes les voix seront entendues lors de la publication finale .. 19 | 20 | * Andrew van der Stock 21 | * Brian Glas 22 | * Neil Smithline 23 | * Torsten Gigler 24 | -------------------------------------------------------------------------------- /2017/fr/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < replace me with a toc > 4 | -------------------------------------------------------------------------------- /2017/fr/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF Détails sur les facteurs de risque 2 | 3 | ## Résumé des 10 principaux facteurs de risque 4 | 5 | Le tableau suivant présente un résumé des 10 principaux risques liés à la sécurité des applications pour 2017 et les facteurs de risque que nous avons attribués à chaque risque. Ces facteurs ont été déterminés en fonction des statistiques disponibles et de l'expérience de l'équipe du Top 10 de l'OWASP. Pour comprendre ces risques pour une application ou une organisation particulière, vous devez tenir compte de vos propres agents de menace et de leurs répercussions sur votre entreprise. Même de graves faiblesses logicielles peuvent ne pas présenter un risque sérieux, s'il n'y a pas d'agents de menace en mesure d'effectuer l'attaque nécessaire ou si l'impact commercial est négligeable pour les actifs concernés. 6 | 7 | ![Tableau des facteurs de risque](images/0xc1-risk-factor-table.png) 8 | 9 | ## Risques supplémentaires à prendre en considération 10 | 11 | Le Top 10 est très efficace, mais il existe de nombreux autres risques qu'il est nécessaire de prendre en compte et d'évaluer dans votre organisation. Certains d'entre eux sont apparus dans des versions précédentes du Top 10, mais ce n'est pas le cas d'autres risques, incluant de nouvelles techniques d'attaques qui sont identifiées en permanence. D'autres risques de sécurité applicatives importants (classés selon le CWE-ID) que vous devriez également considérer sont : 12 | 13 | * [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Unvalidated Forward and Redirects](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Improper Control of Interaction Frequency (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | 22 | -------------------------------------------------------------------------------- /2017/fr/LISEZ MOI-FR.md: -------------------------------------------------------------------------------- 1 | # SOURCES DE LA TRADUCTION 2 | Le projet OWASP/Top10 a été forké le 21/11/2017. De la, le dépôt FR a été crée depuis ces sources. 3 | Un répertoire FR2013 PPTX version a été crée et comporte les sources initiaux de la traduction du 2013 depuis lequels nous allons repartir. 4 | 5 | Une fois les éléments et les personnes identifiées, il faudra donc repartir de cette version (en corrigeant les coquilles) pour traduire . 6 | 7 | Un fichier avec des termes traduits se trouve à la racine ici=> [TRADUCTION.md](https://github.com/SPoint42/Top10/blob/FR-2017-translation/TRADUCTION.md). Il est la pour essayer de garder une certaine cohérence dans la traduction 8 | 9 | 10 | # PRINCIPES A RESPECTER 11 | Pour éviter qu'une personne ne se lance dans la traduction d'un document déja en cours de traduction, merci de consulter le fichier [affectation-traduction.md](https://github.com/SPoint42/Top10/blob/FR-2017-translation/affectation-traduction.md) qui se trouve à la racine 12 | 13 | # Correction etc... 14 | Tout va passer par github, car la génération est automatique dans ce cas. Merci donc de remonter tout en issue github. 15 | Merci d'utiliser ce repository et de ne pas pousser dans le repository OWASP 16 | 17 | 18 | # OWASP Top 10 FR Leadership 19 | 20 | En cas de doute, merci de contacter la liste OWASP-FRANCE ou les personnes suivantes 21 | * Sebastien Gioria [@SPoint42](https://github.com/Spoint42) 22 | 23 | # OWASP T10 References 24 | - [OWASP T10 Wiki homepage](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) 25 | - [OWASP 2017 Summit Outcomes](https://owaspsummit.org/Outcomes/Owasp-Top-10-2017/Owasp-Top-10-2017.html) 26 | -------------------------------------------------------------------------------- /2017/fr/TRADUCTION.md: -------------------------------------------------------------------------------- 1 | 2 | * Access : Accès 3 | * Exploitability : Exploitation 4 | * Prevalence : Fréquence 5 | * Detectability : Détection 6 | * Technical impact : impact technique 7 | * Business impact : impact métier 8 | * Is the Application Vulnerable? : Suis-je vulnérable à .....? 9 | * Threat agents/Attack vectors : Facteurs de Menace/Vecteurs d'Attaque 10 | * Security Weakness : Vulnérabilité 11 | * How to prevent : Comment l'empêcher 12 | * Example Attack Scenarios : Exemples de scénarios d'attaque 13 | * References : Références 14 | 15 | * A1:2017 - Injection: Attaques d'injection 16 | * A2:2017 - Broken Authentication : Authentification défaillante 17 | * A3:2017 - Sensitive Data Exposure : Fuites de données sensibles 18 | * A4:2017 - XML External Entities (XXE): Entités externes XML (XXE) 19 | * A5:2017 - Broken Access Control : Contrôle d'accès défaillant 20 | * A6:2017 - Security Misconfiguration : Configurations défaillantes 21 | * A7:2017 - Cross-Site Scripting (XSS) : Attaques cross-site scripting (XSS) 22 | * A8:2017 - Insecure Deserialization : Désérialisation sans validation 23 | * A9:2017 - Using Components with Known Vulnerabilities : Composants tiers vulnérables 24 | * A10:2017 - Insufficient Logging & Monitoring : Journalisation et surveillance insuffisantes 25 | -------------------------------------------------------------------------------- /2017/fr/images/0x06-release-notes-1-fr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/0x06-release-notes-1-fr.png -------------------------------------------------------------------------------- /2017/fr/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/fr/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/fr/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/fr/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/fr/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/fr/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/fr/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/front-cc.png -------------------------------------------------------------------------------- /2017/fr/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/front-wasp.png -------------------------------------------------------------------------------- /2017/fr/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/fr/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/fr/images/license.png -------------------------------------------------------------------------------- /2017/fr/ko: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /2017/he/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | עשרת סיכוני האבטחה הגדולים ביותר בפיתוח WebApplications 6 | 7 | November 20, 2017 8 | 9 | ### Release 10 | 11 | Comments requested per instructions within 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /2017/he/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Release 2 | 3 | ## Important Notice 4 | 5 | ### Request for Comments 6 | 7 | This is the text version of the OWASP Top 10, and although it is useful for translators and those interested in a text version, it's not the official release, which is the PowerPoint / PDF version. 8 | 9 | At this stage, we are asking for 10 | 11 | * Translations - we have some teams working already, but do reach out to us if you can help 12 | 13 | We strongly urge for any corrections or issues to be logged at GitHub: 14 | 15 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 16 | 17 | Through public transparency, we provide traceability and ensure that all voices are heard during this final month before publication. 18 | 19 | * Andrew van der Stock 20 | * Brian Glas 21 | * Neil Smithline 22 | * Torsten Gigler -------------------------------------------------------------------------------- /2017/he/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < replace me with a toc > 4 | -------------------------------------------------------------------------------- /2017/he/0x01-about-owasp.md: -------------------------------------------------------------------------------- 1 | # O About OWASP 2 | 3 | ## About OWASP 4 | 5 | The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. 6 | 7 | At OWASP, you'll find free and open: 8 | 9 | * Application security tools and standards. 10 | * Complete books on application security testing, secure code development, and secure code review. 11 | * Presentations and [videos](https://www.youtube.com/user/OWASPGLOBAL). 12 | * [Cheat sheets](https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series) on many common topics. 13 | * Standard security controls and libraries. 14 | * [Local chapters worldwide](https://www.owasp.org/index.php/OWASP_Chapter). 15 | * Cutting edge research. 16 | * Extensive [conferences worldwide](https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference). 17 | * [Mailing lists](https://lists.owasp.org/mailman/listinfo). 18 | 19 | Learn more at: [https://www.owasp.org](https://www.owasp.org). 20 | 21 | All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. 22 | 23 | We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in these areas. 24 | 25 | OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, and cost-effective information about application security. 26 | 27 | OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative, transparent, and open way. 28 | 29 | The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP board, chapter leaders, project leaders, and project members. We support innovative security research with grants and infrastructure. 30 | 31 | Come join us! 32 | 33 | ## Copyright and License 34 | 35 | ![license](images/license.png) 36 | 37 | Copyright © 2003-2017 The OWASP Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 38 | 39 | -------------------------------------------------------------------------------- /2017/he/0x06-release-notes.md: -------------------------------------------------------------------------------- 1 | # RN Release Notes 2 | 3 | ## מה השתנה מ - 2013 ל - 2017? 4 | 5 | שינויים מהירים התרחשו בארבע השנים האחרונות, ו – OWASP Top 10 נדרש להשתנות בהתאם. שכתבנו את OWASP Top 10, חידשנו את שיטת העבודה, יצרנו תהליך איסוף מידע חדש, עבדנו עם הקהילה, סידרנו מחדש את הסיכונים שלנו, כתבנו מחדש כל סיכון והוספנו הפניות לשפות וספריות נפוצות כיום. 6 | 7 | בשנים האחרונות, היסודות הטכנולוגיים והארכיטקטורה של פרויקטי תוכנה השתנו משמעותית: 8 | * Microservices בשפות Node.JS ו - Spring Boot מחליפים רכיבים מונוליתים. ל – Microservices יש אתגרי אבטחה יחודיים כמו יצירת אמון בין microservices, containers, ניהול סיסמאות ופרטים סודיים ועוד. קוד ישן שמעולם לא תוכנן להיות נגיש לאינטרנט, עכשיו נמצא מאחורי API או שירות Web RESTful, ונצרך על ידי Single Page Applications (SPAs) ואפליקציות מובייל. הנחות ארכיטקטוניות שהיו נכונות בזמן כתיבת הקוד, כמו מי מורשה לקרוא לקוד, כבר לא נכונות. 9 | * Single Page Application, שנכתבים באמצעות ספריות JavaScript כמו Anguler או React, מאפשרים ליצור ממשק קצה מודולארי ועשיר ביכולות. יכולות צד לקוח, שבעבר היו נגישים רק מצד השרת, מוסיפים אתגרי אבטחה יחודיים. 10 | * JavaScript היא עכשיו השפה העיקרית של האינטרנט, עם Node.JS לכתיבת צד שרת, וספריות מודרניות כמו Bootstrap, Electron, Angular ו – React בצד לקוח. 11 | 12 | ## בעיות חדשות, שנתמכות באמצעות נתונים: 13 | * **A4:2017-XML External Entities (XXE)** זוהי קטגוריה חדשה שנתמכת בעיקר על ידי נתונים מ[כלי ניתוח קוד סטאטי](https://www.owasp.org/index.php/Source_Code_Analysis_Tools). 14 | 15 | ## בעיות חדשות שנתמכו באמצעות הקהילה: 16 | ביקשנו מהקהילה לספק תובנות על שתי קטגוריות של חולשות צפויות. אחרי יותר מ – 500 הצעות, וסינון הצעות שהכילו בעיות שכבר נתמכו באמצעות נתונים (כמו חשיפת מידע רגיש ו – XXE), שתי הבעיות החדשות הן: 17 | * **A8:2017-סירלוז לא בטוח**, חולשה שמאפשרת הרצת קוד מרחוק, או פעולות על מידע רגיש ברכיבים הנגועים. 18 | * **A10:2017-ניטור ולוגים שאינו מספק**, מה שיכול למנוע או להאט משמעותית זיהוי של פעילות זדונית וחדירה, מענה לתקלה וניתוח דיגיטלי. 19 | 20 | ## אוחדו או הוסרו, אבל לא נשכחו: 21 | * **A4-אזכור ישיר לרכיב לא מאובטח** ו **A7-חוסר בבקרת גישה ברמה היישומית** אוחדו לתוך **A5:2017-בקרת גישה שבורה**. 22 | * **A8-Cross-Site Request Forgery (CSRF)**, בגלל שכיום ספריות רבות כוללות הגנות מפני CSRF, חולשה זו נמצאה רק ב – 5% מהאפליקציות. 23 | * **A10-הפניות והעברות לא מאומתות**, למרות שנמצא בערך ב – 8% מהאפליקציות, XXE היתה חולשה משמעותית יותר. 24 | 25 | ![0x06-release-notes-1](images/0x06-release-notes-1.png) 26 | -------------------------------------------------------------------------------- /2017/he/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF Details About Risk Factors 2 | 3 | ## Top 10 Risk Factor Summary 4 | 5 | The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even severe software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved. 6 | 7 | ![Risk Factor Table](images/0xc1-risk-factor-table.png) 8 | 9 | ## Additional Risks To Consider 10 | 11 | The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (ordered by CWE-ID) that you should additionally consider include: 12 | 13 | * [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Unvalidated Forward and Redirects](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Improper Control of Interaction Frequency (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | 22 | -------------------------------------------------------------------------------- /2017/he/OWASP-Top-10-2017-he.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/OWASP-Top-10-2017-he.pdf -------------------------------------------------------------------------------- /2017/he/OWASP-Top-10-2017-he.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/OWASP-Top-10-2017-he.pptx -------------------------------------------------------------------------------- /2017/he/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/he/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/he/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/he/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/he/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/he/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/he/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/front-cc.png -------------------------------------------------------------------------------- /2017/he/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/front-wasp.png -------------------------------------------------------------------------------- /2017/he/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/he/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/he/images/license.png -------------------------------------------------------------------------------- /2017/id/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | 10 Resiko Keamanan Aplikasi Web Paling Kritis 6 | 7 | November 20, 2017 8 | 9 | ### Release 10 | 11 | Comments requested per instructions within 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | Karya ini dilisensikan di bawah Creative Commons Attribution-ShareAlike 4.0 Lisensi internasional | 18 | -------------------------------------------------------------------------------- /2017/id/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Rilis 2 | 3 | ## Pemberitahuan Penting 4 | 5 | Ini adalah versi teks dari OWASP Top 10, dan meskipun ini berguna bagi penerjemah dan mereka yang tertarik dengan versi teks, ini bukan rilis resmi, yaitu versi PowerPoint / PDF. 6 | 7 | Pada tahap ini, kami membutuhkan 8 | 9 | * Terjemahan - kami memiliki beberapa tim yang melakukan pengerjaan, tapi hubungi kami jika Anda dapat membantu 10 | 11 | Kami sangat mendesak agar semua koreksi atau masalah harus dicatat di GitHub: 12 | 13 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 14 | 15 | Melalui transparansi publik, kami menyediakan penelusuran dan memastikan bahwa semua suara didengar selama bulan terakhir ini sebelum dipublikasikan. 16 | 17 | * Andrew van der Stock 18 | * Brian Glas 19 | * Neil Smithline 20 | * Torsten Gigler 21 | -------------------------------------------------------------------------------- /2017/id/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < replace me with a toc > 4 | -------------------------------------------------------------------------------- /2017/id/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF Rincian Tentang Faktor Risiko 2 | 3 | ## Ringkasan Faktor Risiko Top 10 4 | 5 | Tabel berikut menyajikan ringkasan Resiko Keamanan Aplikasi 10 Teratas 2017, dan faktor risiko yang telah kami berikan pada setiap risiko. Faktor-faktor ini ditentukan berdasarkan statistik yang ada dan pengalaman tim OWASP Top 10. Untuk memahami risiko ini untuk aplikasi atau organisasi tertentu, Anda harus mempertimbangkan suatu ancaman dan bisnis Anda sendiri. Bahkan kelemahan perangkat lunak yang cukup parah mungkin tidak menimbulkan risiko serius jika tidak ada suatu ancaman dalam posisi untuk tidak melakukan serangan yang diperlukan atau dampak bisnis menjadi pertimbangan agar dapat diabaikan untuk aset yang penting. 6 | 7 | ![Risk Factor Table](images/0xc1-risk-factor-table.png) 8 | 9 | ## Risiko Tambahan Yang Harus Dipertimbangkan 10 | 11 | Top 10 mencakup banyak hal, namun ada banyak risiko lain yang harus Anda pertimbangkan dan evaluasi di organisasi Anda. Beberapa di antaranya telah muncul di versi 10 Teratas sebelumnya, dan yang lainnya tidak, termasuk teknik serangan baru yang diidentifikasi setiap saat. Risiko keamanan aplikasi penting lainnya (diurutkan dari CWE-ID) yang harus Anda pertimbangkan selain mencakup: 12 | 13 | * [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Unvalidated Forward and Redirects](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Improper Control of Interaction Frequency (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | 22 | -------------------------------------------------------------------------------- /2017/id/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/id/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/id/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/id/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/id/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/id/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/id/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/front-cc.png -------------------------------------------------------------------------------- /2017/id/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/front-wasp.png -------------------------------------------------------------------------------- /2017/id/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/id/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/id/images/license.png -------------------------------------------------------------------------------- /2017/images/OWASP-Top-10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/images/OWASP-Top-10.png -------------------------------------------------------------------------------- /2017/images/README: -------------------------------------------------------------------------------- 1 | Place for images related to Top 10 2 | -------------------------------------------------------------------------------- /2017/ja/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | 最も重大なウェブアプリケーションリスク トップ10 6 | 7 | November 20, 2017 8 | 9 | ### Release 10 | 11 | Comments requested per instructions within 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | この成果物はクリエイティブコモンズ Attribution-ShareAlike 4.0 International License のもとでリリースされています | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /2017/ja/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # リリース 2 | 3 | ## 重要な注意事項 4 | 5 | ### コメント募集 6 | 7 | これはOWASP Top 10のテキスト版です。翻訳者などテキスト版に関心のある方には便利です。しかし、PowerPoint/PDF版を正式版としており、この版は正式版ではありません。 8 | 9 | 現時点で募集しているのは 10 | 11 | * 翻訳者 - すでに作業しているチームもありますが、もし手伝えるならご連絡ください。 12 | 13 | 訂正、問題点などをログとして記録するためGithubを使うことを強く勧めています: 14 | 15 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 16 | 17 | この公共の透明性を担保する仕組みにより、追跡性を提供するとともに、リリース前の最終段階に寄せられた多くのご意見の取扱いについても確認できます。 18 | 19 | * Andrew van der Stock 20 | * Brian Glas 21 | * Neil Smithline 22 | * Torsten Gigler 23 | -------------------------------------------------------------------------------- /2017/ja/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < replace me with a toc > 4 | -------------------------------------------------------------------------------- /2017/ja/0x01-about-owasp.md: -------------------------------------------------------------------------------- 1 | # O OWASPについて 2 | 3 | ## OWASPについて 4 | 5 | The Open Web Application Security Project (OWASP/日本語: オワスプ) は、オープンなコミュニティであり、組織がアプリケーションやAPIを開発、調達、メンテナンスするにあたりそれらが信頼できるようになることに専念しています。 6 | 7 | OWASPには、自由でオープンなものがあります: 8 | 9 | * アプリケーションセキュリティのためのツールと標準 10 | * アプリケーションセキュリティテスト、セキュアなコード開発、セキュアなコードレビューについての一揃いの文献 11 | * プレゼンテーションや[ビデオ](https://www.youtube.com/user/OWASPGLOBAL) 12 | * 開発者に共通なさまざまなトピックを扱った[チートシート](https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series) 13 | * 標準的なセキュリティコントロールとライブラリ 14 | * [世界中にあるローカルチャプター](https://www.owasp.org/index.php/OWASP_Chapter) 15 | * 先端的な調査研究 16 | * 多方面にわたる [世界中のコンファレンス](https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference) 17 | * [メーリングリスト](https://lists.owasp.org/mailman/listinfo) 18 | 19 | さらに多くの情報はこちら: [https://www.owasp.org](https://www.owasp.org) 20 | 21 | すべてのOWASPのツール、ドキュメント、ビデオ、プレゼンテーション、そしてチャプターは自由でオープンなものであり、アプリケーションセキュリティを改善する人なら誰でも活用することができます。 22 | 23 | わたしたちはアプリケーションセキュリティを、人、プロセス、および技術の問題として提唱しています。最も効果的なアプリケーションセキュリティへのアプローチはそれらの領域における改善を必要とするからです。 24 | 25 | OWASPは新しいタイプの組織です。商業的な圧力に縛られないという自由は、アプリケーションセキュリティに関する、偏りのない、実用的な、かつ費用対効果の高い情報を提供することを可能にします。 26 | 27 | 商用のセキュリティ技術について、よく理解した上で利用することには賛同しますが、OWASPは、いかなるテクノロジ企業とも提携しません。OWASPは、さまざまな種類の資料を共同で、透明で、オープンな方法で制作します。 28 | 29 | The OWASP Foundation(オワスプ・ファウンデーション)は、プロジェクトの長期的な成功を実現する非営利団体です。OWASPに関わるほとんどの人すなわちOWASPボード、チャプターリーダー、プロジェクトリーダー、プロジェクトメンバーはボランティアです。私たちは、革新的なセキュリティリサーチに対しては、金銭面とインフラストラクチャを提供することによってサポートします。 30 | 31 | どうぞ、ご参加ください。 32 | 33 | ## 著作権とライセンス 34 | 35 | ![license](images/license.png) 36 | 37 | Copyright © 2003-2017 The OWASP Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 38 | 39 | -------------------------------------------------------------------------------- /2017/ja/0x02-foreword.md: -------------------------------------------------------------------------------- 1 | ## 前書き 2 | 3 | セキュアでないソフトウェアは財務、医療、防衛、エネルギーおよびその他の重要なインフラを損ないます。ソフトウェアがますます複雑になり、またつながるにつれて、アプリケーションセキュリティをやり遂げることは、いわば指数関数的に困難になっています。モダンなソフトウェア開発プロセスの急速な進歩により、共通するリスクを迅速かつ正確に発見し解決することは不可欠なものとなっています。我々にはもはや、このOWASP Top 10に示される比較的シンプルなセキュリティ問題を大目に見る余地などありません。 4 | 5 | OWASP Top 10 - 2017の制作中に、多くのフィードバックを受け取りました。それらは、他の同様のOWASPプロジェクトに関する努力に勝るものでした。これは、コミュニティがこのOWASP Top 10にどれほどの情熱があるかを示しており、したがってOWASPにとって、大多数の活用事例にとってTop 10を適切なものにすることがどれほど重要なことであるかを示しています。 6 | 7 | OWASP Top 10プロジェクトの当初の目標は、シンプルに開発者やマネージャーの意識を高めることでしたが、いまやTop 10はアプリケーションセキュリティのデファクト・スタンダードとなってきました。 8 | 9 | このリリースにおいて、アプリケーションセキュリティの問題や改善提案は簡潔かつ確認できる方法で記述されています。これは、さまざまなアプリケーションセキュリティ計画において、OWASP Top 10の採用を促進するものとなっています。大規模な組織や、セキュリティの取り組みにおいて高いレベルの組織において、厳密な標準が求められているような場合には、[OWASP Application Security Verification Standard (ASVS)](https://www.owasp.org/index.php/ASVS) を使うようお勧めします。しかし、ほとんどの場合、OWASP Top 10はアプリケーションセキュリティを始めるのに良いスタートとなります。 10 | 11 | OWASP Top 10のさまざまなユーザーに対して、次のステップを提案しています。「開発者のための次のステップ」、「セキュリティテスト担当者のための次のステップ」、CIOやCISOに適した「組織のための次のステップ」、アプリケーションマネージャやアプリケーションのライフサイクルの責任を持つ人に適した「アプリケーションマネージャのための次のステップ」です。 12 | 13 | 長期的には、あらゆるソフトウェア開発チームと組織が、それぞれのカルチャーとテクノロジーに適合したアプリケーションセキュリティプログラムを作り上げていくようお勧めします。さまざまな形や規模のプログラムがあります。組織が今持っている強みを活かしながら、SAMM(ソフトウェア品質成熟度モデル)を用いてアプリケーションセキュリティプログラムを計測し、改善してください。 14 | 15 | OWASP Top 10がアプリケーションセキュリティに関わる努力の助けになって欲しいと考えています。質問やコメント、またアイデアがあればOWASPに遠慮なくお知らせください。Githubプロジェクトレポジトリはこちらです: 16 | 17 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 18 | 19 | OWASP Top 10プロジェクトと翻訳はこちらです: 20 | 21 | * [https://www.owasp.org/index.php/top10](https://www.owasp.org/index.php/top10) 22 | 23 | 最後に、OWASP Top 10 プロジェクトのリーダーシップを創設した Dave Wichers とJeff Williamsのすべてのご尽力と、コミュニティの助けがあればこれをやり遂げられると私たちチームを信じてくれたことに感謝を述べたいと思います。 24 | 25 | * Andrew van der Stock 26 | * Brian Glas 27 | * Neil Smithline 28 | * Torsten Gigler 29 | 30 | ## プロジェクトのスポンサー 31 | OWASP Top 10 - 2017のスポンサー [Autodesk](https://www.autodesk.com) 社に感謝します。 32 | 33 | 脆弱性の蔓延状況を示すデータやその他のご助力を提供してくださった組織ならびに個人は[謝辞](0xd1-data-contributors.md)のリストに記載しました。 34 | -------------------------------------------------------------------------------- /2017/ja/0x06-release-notes.md: -------------------------------------------------------------------------------- 1 | # RN リリースノート 2 | 3 | ## 2013年版から2017年版への変更点 4 | 5 | 前のバージョンから4年以上、世の中の変化は加速してきたため、OWASP Top 10 は変化する必要がありました。我々は、OWASP Top 10 をすっかりリファクタリングし、手法を改良し、新しいデータ募集のプロセスを活用し、コミュニティと協働し、リスクを評価し直し、それぞれのリスクを一から書き直し、一般に利用されているフレームワークや言語への参照を追加しています。 6 | 7 | ここ数年で、アプリケーションの基本的な技術とアーキテクチャは大きく変わりました: 8 | 9 | * 従来のモノリシックアプリケーションからNode.jsやSpring Bootで書かれたマイクロサービスに置き換わっています。 マイクロサービスには独自のセキュリティ上の課題があります。例えば、マイクロサービス、コンテナ、機密管理などの間の信頼関係の確立、などがあります。インターネットからアクセス不可能だと期待されている古いコードは、いまや、シングルページアプリケーション(SPA)やモバイルアプリケーションで使われているAPI や RESTful Webサービスの背後に居座っています。コードによるアーキテクチャの前提、たとえば信頼できる発信者のような前提はもはや有効ではありません。 10 | * AngularやReactなどのJavaScriptフレームワークで書かれたシングルページアプリケーションによって、モジュール化された機能豊富なフロントエンドの開発ができるようになりました。従来、サーバー側で提供されてきた機能がクライアント側の機能に移るため、それはそれで独自のセキュリティ上の課題となります。 11 | * JavaScriptはいまやWebの主要言語であり、サーバー側で実行されるNode.jsや、クライアントで動作するBootstrap、Electron、Angular、Reactなどの今どきのWebフレームワークで用いられています。 12 | 13 | ## データに裏付けられた新しい問題 14 | 15 | * **A4:2017-XML 外部エンティティ参照 (XXE)** は、新しいカテゴリです。主にソースコード分析を行うセキュリティテストツール([SAST](https://www.owasp.org/index.php/Source_Code_Analysis_Tools))から寄せられたデータが根拠となっています。 16 | 17 | ## コミュニティにより裏付けられた新しい問題 18 | 19 | コミュニティに向けて、2つのセキュリティ上の弱点に関する見識を提供してくれるよう求めました。500を超える意見をいただき、すでにデータによる裏付けのある問題(機微な情報の露出とXXE)を除き、二つの新しい問題があります: 20 | 21 | * **A8:2017-安全でないデシリアライゼーション**、この問題のある環境ではリモートからのコード実行や機微なオブジェクト操作が可能になります。 22 | * **A10:2017-不十分なロギングとモニタリング**、この機能の欠落は、不正な活動やセキュリティ違反の検知、インシデント対応、デジタルフォレンジックを妨げるか、あるいは大幅に遅延させる可能性があります。 23 | 24 | ## 統合、引退。ただし、忘れて良いという意味ではない 25 | 26 | * **A4-安全でないオブジェクト直接参照** と **A7-機能レベルアクセス制御の欠落** は、**A5:2017-アクセス制御の不備**にマージされました。 27 | * **A8-クロスサイトリクエストフォージェリ (CSRF)** は、多くのフレームワークがこの対策を講じており [(CSRF対策)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))、アプリケーションの5%程度でのみ観察されています。 28 | * **A10-未検証のリダクレクトとフォワード**は、アプリケーションのおよそ8%で観察されており、XXEが入ったことにより、外れることになりました。 29 | 30 | ![0x06-release-notes-1](images/0x06-release-notes-1.png) 31 | -------------------------------------------------------------------------------- /2017/ja/0x10-app-security-risks.md: -------------------------------------------------------------------------------- 1 | # アプリケーションのセキュリティリスク 2 | 3 | ## アプリケーションのセキュリティリスクについて 4 | 攻撃者はアプリケーションを介して様々な経路で、ビジネスや組織に被害を及ぼします。それぞれの経路は、注意を喚起すべき深刻なリスクやそれほど深刻ではないリスクを表しています。 5 | 6 | ![0x10-risk-1](images/0x10-risk-1.png) 7 | 8 | これらの経路の中には、検出や悪用がしやすいものもあれば、しにくいものもあります。同様に、引き起こされる被害についても、ビジネスに影響がないこともあれば、破産にまで追い込まれることもあります。組織におけるリスクを判断するためにまず、それぞれの「脅威エージェント」、「攻撃手法」、「セキュリティ上の弱点」などに関する可能性を評価し、組織に対する「技術面への影響」と「ビシネス面への影響」を考慮してみてください。最後に、これら全てのファクターに基づき、リスクの全体像を決定してください。 9 | 10 | 11 | ## あなたにとってのリスク 12 | 13 | OWASP Top 10は、多様な組織のために、最も重大なウェブアプリケーションセキュリティリスクを特定することに焦点を当てています。これらのリスクに関して、以下に示すOWASP Risk Rating Methodologyに基づいた格付手法により、発生可能性と技術面への影響について評価します。 14 | 15 | ![0x10-risk-2](images/0x10-risk-2.png) 16 | 17 | この版において、リスクの発生頻度や影響度を算出する、リスク格付の体系を更新しています。詳細は、「リスクに関する注記」を参照してください。 18 | 19 | [OWASP Risk Rating Methodology](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology)では、各リスクに関する発生可能性や影響度を算出するリスク格付方法をアップデートしています。詳細は「リスクに関する注記」を参照してください。 20 | 各組織はユニークであるため、侵害において脅威を引き起こすアクター、目標、影響度も各組織でユニークでしょう。 21 | 公共の利益団体において公開情報をCMSにより管理している場合や、医療システムにおいてセンシティブな健康記録を管理するために同じようなCMSを利用している場合に、同じソフトウェアであっても脅威を引き起こすアクターやビジネスへの影響は大きく異なります。そのため、脅威エージェントやビジネスへの影響に基づき、組織におけるリスクを理解することが重要です。 22 | Top 10におけるリスクは、理解の促進及び混乱を招くことを避けるため、可能な限りCWEに沿った名称としています。 23 | 24 | ## 参考資料 25 | ### OWASP 26 | * [OWASP Risk Rating Methodology](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) 27 | * [Article on Threat/Risk Modeling](https://www.owasp.org/index.php/Threat_Risk_Modeling) 28 | 29 | ### その他 30 | * [ISO 31000: Risk Management Std](https://www.iso.org/iso-31000-risk-management.html) 31 | * [ISO 27001: ISMS](https://www.iso.org/isoiec-27001-information-security.html) 32 | * [NIST Cyber Framework (US)](https://www.nist.gov/cybersecurity-framework) 33 | * [ASD Strategic Mitigations (AU)](https://www.asd.gov.au/infosec/mitigationstrategies.htm) 34 | * [NIST CVSS 3.0](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) 35 | * [Microsoft Threat Modelling Tool](https://www.microsoft.com/en-us/download/details.aspx?id=49168) 36 | -------------------------------------------------------------------------------- /2017/ja/0x11-t10.md: -------------------------------------------------------------------------------- 1 | # T10 OWASP Top 10 アプリケーションセキュリティリスク – 2017 2 | 3 | | リスク | 解説 | 4 | | -- | -- | 5 | | A1:2017-インジェクション |SQLインジェクション、NoSQLインジェクション、OSコマンドインジェクション、LDAPインジェクションといったインジェクションに関する脆弱性は、コマンドやクエリの一部として信頼されないデータが送信される場合に発生します。攻撃コードはインタープリタを騙し、意図しないコマンドの実行や、権限を有していないデータへのアクセスを引き起こします。 | 6 | | A2:2017- 認証の不備 |認証やセッション管理に関連するアプリケーションの機能は、不適切に実装されていることがあります。不適切な実装により攻撃者は、パスワード、鍵、セッショントークンを侵害したり、他の実装上の欠陥により、一時的または永続的に他のユーザーの認証情報を取得します。| 7 | | A3:2017-機微な情報の露出 |多くのウェブアプリケーションやAPIでは、財務情報、健康情報や個人情報といった機微な情報を適切に保護していません。攻撃者は、このように適切に保護されていないデータを窃取または改ざんして、クレジットカード詐欺、個人情報の窃取やその他の犯罪を行う可能性があります。 機微な情報は特別な措置を講じないでいると損なわれることでしょう。保存や送信する時に暗号化を施すことや、ブラウザ経由でやり取りを行う際には安全対策を講じることなどが必要です。 | 8 | | A4:2017-XML 外部エンティティ参照 (XXE) |多くの古くて構成の悪いXMLプロセッサーにおいては、XML文書内の外部エンティティ参照を指定することができます。 外部エンティティは、ファイルURIハンドラ、内部ファイル共有、内部ポートスキャン、リモートコード実行、DoS(サービス拒否)攻撃により、内部ファイルを漏えいさせます。 | 9 | | A5:2017-アクセス制御の不備 |権限があるもののみが許可されていることに関する制御が適切に実装されていないことがあります。攻撃者は、このタイプの脆弱性を悪用して、他のユーザのアカウントへのアクセス、機密ファイルの表示、他のユーザのデータの変更、アクセス権の変更など、権限のない機能やデータにアクセスします。| 10 | | A6:2017-不適切なセキュリティ設定 |不適切なセキュリティの設定は、最も一般的に見られる問題です。これは通常、安全でないデフォルト設定、不完全またはアドホックな設定、公開されたクラウドストレージ、不適切な設定のHTTPヘッダ、機微な情報を含む冗長なエラーメッセージによりもたらされます。 すべてのオペレーティングシステム、フレームワーク、ライブラリ、アプリケーションを安全に設定するだけでなく、それらに適切なタイミングでパッチを当てることやアップグレードをすることが求められます。 | 11 | | A7:2017-クロスサイトスクリプティング (XSS) |XSSの脆弱性は、適切なバリデーションやエスケープ処理を行っていない場合や、HTMLやJavaScriptを生成できるブラウザAPIを用いているユーザ入力データで既存のWebページを更新する場合に発生します。 XSSにより攻撃者は、被害者のブラウザでスクリプトを実行してユーザーセッションを乗っ取ったり、Webサイトを改ざんしたり、悪意のあるサイトにユーザーをリダイレクトします。| 12 | | A8:2017-安全でないデシリアライゼーション |安全でないデシリアライゼーションは、リモートからのコード実行を誘発します。デシリアライゼーションの欠陥によるリモートからのコード実行に至らない場合でさえ、リプレイ攻撃やインジェクション攻撃、権限昇格といった攻撃にこの脆弱性を用います。 | 13 | | A9:2017-既知の脆弱性のあるコンポーネントの使用 |ライブラリ、フレームワークやその他ソフトウェアモジュールといったコンポーネントは、アプリケーションと同等の権限で動いています。脆弱性のあるコンポーネントが悪用されると、深刻な情報損失やサーバの乗っ取りにつながります。既知の脆弱性があるコンポーネントを利用しているアプリケーションやAPIは、アプリケーションの防御を損ない、様々な攻撃や悪影響を受けることになります。 | 14 | | A10:2017-不十分なロギングとモニタリング|不十分なロギングとモニタリングは、インシデントレスポンスに組み込まれていないか、非効率なインテグレーションになっていると、攻撃者がシステムをさらに攻撃したり、攻撃を継続できるようにし、ほかのシステムにも攻撃範囲を拡げ、データを改竄、破棄、破壊することを可能にします。ほとんどのデータ侵害事件の調査によると、侵害を検知するのに200日以上も要しており、また内部機関のプロセスやモニタリングからではなく、外部機関によって検知されています。 | 15 | -------------------------------------------------------------------------------- /2017/ja/0xb1-next-testing.md: -------------------------------------------------------------------------------- 1 | # +T: セキュリティテスト担当者のための次のステップ 2 | 3 | ## 継続的なアプリケーションセキュリティテストを確立する 4 | 5 | セキュアにコードを実装することは重要です。しかし、構築しようとしているセキュリティがあり、それが正しく実装され、あらゆる箇所に適用されていることを確認することも重要です。アプリケーションセキュリティテストの目的は、セキュアな実装がなされていることの証跡を得ることです。アプリケーションセキュリティテストは難しく、複雑であり、アジャイルやDevOpsのような最新の高速な開発プロセスにおいては、従来のアプローチやツールでは立ち行かなくなっています。そのため、アプリケーションポートフォリオの全体において、重要と考えられることにどのように焦点をあて、費用対効果の高い手法をとるべきかを考慮することを強く推奨します。昨今、リスクは急速に変化を遂げており、毎年1回程度だけ脆弱性スキャンや侵入テストを行っていた時代は遠い昔のことです。また昨今のソフトウェア開発においては、ソフトウェア開発ライフサイクル全体での継続的なアプリケーションセキュリティテストが要求されています。開発スピードを損なうことのないようセキュリティの自動化を施し、既存の開発プロセスを強化してください。どのアプローチを選択したとしても、アプリケーションポートフォリオの規模に応じたテスト、トリアージ、修復、再テスト、再デプロイに係る年間コストを考慮してください。 6 | 7 | | 活動 | 説明 | 8 | | --- | --- | 9 | | 脅威モデルの理解 | テストを開始する前に、何に対して時間を費やすべきか理解していることを確認してください。優先順位は脅威モデルに基づき決定できます。そのため、脅威モデルが検討されていない場合には、テストを実施する前に検討する必要があります。脅威モデルの検討にあたっては、[OWASP ASVS](https://www.owasp.org/index.php/ASVS) と [OWASP Testing Guide](https://www.owasp.org/index.php/OWASP_Testing_Project) を活用することを検討し、ツールベンダーに依存することなく、ビジネスにおいて重要視されることを決定してください。 | 10 | | SDLC(ソフトウェア開発ライフサイクル)の理解 | アプリケーションセキュリティテストのアプローチは、ソフトウェア開発ライフサイクルにおける、人材、プロセス及び使用するツールに馴染みがある必要があります。余計なステップ、ゲート、レビューを強制することで、軋轢を生み、バイパスされ、失敗する可能性があります。セキュリティ情報を収集し、プロセスにフィードバックする機会を探しましょう。 | 11 | | テスト戦略 | 各要件を検証するための最も簡単で、高速、かつ、正確な方法を選択してください。[OWASP Security Knowledge Framework](https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework) と[OWASP Application Security Verification Standard](https://www.owasp.org/index.php/ASVS) を単体・総合テストにおける機能及び非機能のセキュリティ要件を策定する際に参照できます。自動化したツールを利用したことによるfalse-positiveに対処することに加え、重大なfalse-negativeに対処するための人的リソースの確保を考慮してください。| 12 | | 範囲と正確さの達成 | すべてをテストする必要はありません。まずは重要なことに焦点をあて、段階的に検証プログラムの範囲を拡張していきます。つまり、自動的に検証されている一連のセキュリティ実装とリスクの範囲を拡張し、適用される一連のアプリケーションとAPIの範囲を拡張していくことを意図しています。すべてのアプリケーションとAPIが本質的にセキュアであることを継続的に検証される状態とすることを目的にしています。| 13 | | 明確な結果の伝達 | どんなに良いテストを行ったとしても、それを効果的に伝えなければ何の違いもありません。アプリケーションの仕組みを理解していることを示すことにより、信頼を築きましょう。専門用語を羅列せず明確に記述し、実際に悪用する際の攻撃シナリオを含めましょう。脆弱性がどの程度悪用され得るか、どの程度の被害を受けるのかを現実的に評価してください。最後に、PDFファイルではなく、開発チームがすでに使用しているツールで結果を提供しましょう。| 14 | -------------------------------------------------------------------------------- /2017/ja/0xb3-next-app-mgrs.md: -------------------------------------------------------------------------------- 1 | # +A: アプリケーションマネージャのための次のステップ 2 | 3 | ## アプリケーションライフサイクル全体を管理する 4 | アプリケーションは、人が定期的に作成し、維持する最も複雑なシステムです。アプリケーションにおけるITマネジメントは、アプリケーションのITライフサイクル全体の責任を有するITスペシャリストにより実施されるべきです。アプリケーションオーナーと技術的に同等な立場の者としてアプリケーションマネージャを確立することをお勧めします。アプリケーションマネージャは、ITの観点から、要件策定からシステムの廃棄に至るまでのアプリケーションライフサイクル全体を担当します。 5 | 6 | ## リソース管理の要件 7 | * 全てのデータ資産における機密性、真正性、完全性及び可用性や予想されるビジネスロジックに関する保護要件を含む、アプリケーションに対するビジネス要件を収集し、交渉する。 8 | * 機能及び非機能のセキュリティ要件を含む、技術的な要件を蓄積する。 9 | * セキュリティに関する活動を含む、設計、ビルド、テスト及び運用の全ての側面をカバー可能な予算を計画し、交渉する。 10 | 11 | ## 提案依頼書 (RFP)と契約 12 | * 例えば、ソフトウェア開発ライフサイクルにおけるベストプラクティスといったセキュリティプログラムに関するガイドラインやセキュリティ要件などについて、社内外の開発者と要件を交渉する。 13 | * 計画と設計工程を含む、全ての技術要件の達成を評価する。 14 | * 設計、セキュリティ、サービスレベルアグリーメント(SLA)を含む技術的な要件を交渉する。 15 | * [OWASP Secure Software Contract Annex](https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex)のような様式やチェックリストを適用する。 **注記**: OWASP Secure Software Contract Annexは米国の契約法に基づいている。そのため、参照するに当たっては、弁護士に相談する。 16 | 17 | ## 計画と設計 18 | * 開発者や社内の株主や例えばセキュリティ専門家と計画や設計を交渉する。 19 | * 保護の必要性と予想される脅威レベルに応じたセキュリティアーキテクチャ、制御及び対策を定義する。定義するに当たっては、セキュリティ専門家がサポートをするべきである。 20 | * アプリケーションオーナーが残存するリスクを受容するか、追加のリソースを提供する。 21 | * 各スプリントにおいて、非機能要件に対して追加された制約を含むセキュリティストーリーを作成する。 22 | 23 | ## デプロイ、テスト及び公開 24 | * 必要な権限を含む、アプリケーション、インタフェース、必要な全てのコンポネントのセキュアなデプロイを自動化する。 25 | * 技術的な機能とITアーキテクチャとの統合をテストし、ビジネステストを調整する。 26 | * 技術的かつビジネス的な観点から、正常系と異常系のテストケースを作成する。 27 | * アプリケーションによる内部プロセス、保護の必要性、想定される脅威レベルに応じて、セキュリティテストを管理する。 28 | * アプリケーションを起動し、適宜以前に使用していたアプリケーションから移行する。 29 | * 構成管理データベース(CMDB)やセキュリティアーキテクチャを含む、全ての文書を確定化する。 30 | 31 | ## 運用及びチェンジマネジメント 32 | * 運用には、例えばパッチ管理といったアプリケーションのセキュリティ管理に関するガイドラインを含める。 33 | * 利用者のセキュリティ意識を高め、セキュリティとユーザビリティのバランスを管理する。 34 | * 例えばアプリケーションやOS、ミドルウェア、ライブラリのバージョンアップに関する変更の計画と管理を実施する。 35 | * 変更管理データベースや運用手順書、プロジェクトに関する文書を含む全ての文書を更新する。 36 | 37 | ## システムの廃棄 38 | * 必要なデータを全てアーカイブし、その他のデータを全て安全に消去する。 39 | * 未使用のアカウント、役割、権限の削除などを実施し、アプリケーションを安全に廃棄する。 40 | * 構成管理データベースにおいてアプリケーションのステータスを廃棄にする。 41 | -------------------------------------------------------------------------------- /2017/ja/0xc0-note-about-risks.md: -------------------------------------------------------------------------------- 1 | # +R リスクに関する注記 2 | 3 | ## 弱点として表れるリスクについて 4 | Top 10のリスク格付手法は、[OWASP Risk Rating Methodology](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology)に基づいています。我々は各Top 10のカテゴリに対して、典型的なWebアプリケーションのそれぞれの弱点について、一般的な発生可能性と影響要素をみて、リスクを推計しました。そしてアプリケーションに対してもっとも重大なリスクをもたらすような弱点に基づいてTop 10を整理しました。これらの要素は、物事が変化し進化するにつれて、新しいTop 10がリリースされる度に更新されます。 5 | 6 | [OWASP Risk Rating Methodology](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology)は脆弱性のリスクを計算するために、多数の要素を定義しています。ただし、実際のアプリケーションやAPIにおける特定の脆弱性よりも、Top 10は一般論を議論すべきです。従って、我々は、リスク計算においてアプリケーションオーナーまたは管理者より、精緻になることはありません。アプリケーションとデータの重要性、脅威の内容、システムの構築方法や運用などに合わせ、ご自身で判断する必要があります。 7 | 8 | 我々が使用している手法は、弱点の発生可能性に関する三つの要素(蔓延度、検出のしやすさ、悪用のしやすさ)と一つの影響要素(技術面への影響)を含めています。各要素のリスクの尺度は、各要素に特有の用語を用いて、低(1)から高(3)までの範囲です。弱点の「蔓延度」は計算する時に、必ずしも含む必要はありません。「蔓延度」データについて、いくつもの組織(25ページの謝辞参照)から統計資料の提供を受け、それらの「蔓延度」に関するデータをまとめ上げ、「蔓延度」によるTop 10の存在可能性リストを作成しました。このデータは、他の二つの発生可能性に関する要素(検出のしやすさ、悪用のしやすさ)と合わせて、各弱点の発生可能性の格付を計算しました。そしてその発生可能性の評価において、各弱点ごとに我々が推計した「技術面への影響」の平均値から、Top 10各項目のリスク順位の全体像を生成しました。(高いほど高リスク)。検出のしやすさ、悪用のしやすさ、影響は、Top 10のそれぞれのカテゴリーに関連して報告されたCVEを分析して計算しました。 9 | 10 | **注意**:このアプローチが「脅威エージェント」の可能性を考慮していないことに注意して下さい。また、特定のアプリケーションの技術的な詳細も考慮していません。攻撃者が特定の脆弱性を突く際に、これらの要素が全体の発生可能性に大幅な影響を与える可能性があります。この評価はあなたのビジネスへの実際の影響も考慮していません。あなたの組織の文化、業界、規制などを考慮して、どのぐらいのセキュリティリスクをアプリケーションとAPIに対して負うかを決定してください。OWASP Top 10の目的は、特定のアプリケーションやAPIを想定したリスク分析ではありません。 11 | 12 | 以下に、**A6:2017-不適切なセキュリティ設定**を例として、我々の計算を示します。 13 | 14 | ![Risk Calculation for A6:2017-Security Misconfiguration](images/0xc0-risk-explanation.png) 15 | -------------------------------------------------------------------------------- /2017/ja/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF リスクファクターに関する詳細 2 | 3 | ## Top 10 リスクファクターのまとめ 4 | 5 | 下の表は、2017 Top 10アプリケーションのセキュリティリスクと各リスクに紐付けたリスクファクターのまとめです。これらのファクターは、OWASP Top 10チームが持つ統計資料と経験に基づき決定しました。それぞれのアプリケーションや組織におけるリスクを理解するために、「脅威エージェント」と「ビジネス面への影響」を考慮しないといけません。ソフトウェアに甚大な弱点があったとしても、攻撃をする「脅威エージェント」がいない、或いは関連資産への「ビジネス面への影響」が極めて少ない場合、重大なリスクにはなりません。 6 | 7 | ![Risk Factor Table](images/0xc1-risk-factor-table.png) 8 | 9 | ## その他の考慮すべきリスク 10 | 11 | Top 10は、幅広く含めていますが、考慮・評価すべきリスクは、他に多数あります。以前のTop 10に含まれていたリスクもありますが、まだ識別されていない新たな攻撃手法もあります。他に考慮すべき重要なアプリケーションのセキュリティリスクを以下に示します(CWE-ID順): 12 | 13 | * [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Unvalidated Forward and Redirects](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Improper Control of Interaction Frequency (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | -------------------------------------------------------------------------------- /2017/ja/0xd0-about-data.md: -------------------------------------------------------------------------------- 1 | # +DAT 方法論とデータ 2 | ## 概要 3 | OWASP Project Summitにおいて、参加者とコミュニティメンバーは、データの量と調査の質の2つの観点から脆弱性の評価を実施することを決定しました。 4 |   5 | ## 調査 6 | 7 | 調査のために、これまでに"最先端"であると特定されたか、Top10メーリングリストの2017 RC1へのフィードバックにおいて言及された脆弱性のカテゴリーを収集しました。それらのカテゴリーを調査内容に含め、回答者にOWASP Top 10 - 2017に含めるべきと考える上位4つの脆弱性を選択するよう促しました。調査は、2017年8月2日〜9月18日まで実施され、516の回答を得ました。 8 | 9 | | ランク | 脆弱性カテゴリ | スコア | 10 | | -- | -- | -- | 11 | | 1 | Exposure of Private Information ('Privacy Violation') [CWE-359] | 748 | 12 | | 2 | Cryptographic Failures [CWE-310/311/312/326/327]| 584 | 13 | | 3 | Deserialization of Untrusted Data [CWE-502] | 514 | 14 | | 4 | Authorization Bypass Through User-Controlled Key (IDOR & Path Traversal) [CWE-639] | 493 | 15 | | 5 | Insufficient Logging and Monitoring [CWE-223 / CWE-778]| 440 | 16 | 17 | Exposure of Private Informationは、明確に重大な脆弱性ですが、既存の **A3:2017-機微な情報の露出** に含まれています。Cryptographic Failuresは **A3:2017-機微な情報の露出** に含まれています。 Deserialization of Untrusted Dataは、 **A8:2017-安全でないデシリアライゼーション** として位置付けました。4番目のUser-Controlled Keyは、 **A5:2017-アクセス制御の不備** に含めています。調査においてはより上位のランクとすべきといった意見もありましたが、認可の脆弱性に関連するデータが十分ではなかったためA5としています。5番目のInsufficient Logging and Monitoringは、 **A10:2017-不十分なロギングとモニタリング** として位置付けました。 アプリケーションは何が攻撃になり得るのか定義し、適切なロギング、アラート、エスカレーション、レスポンスを生成できる必要があり、その点を考慮しました。 18 | 19 | ## データ提供依頼 20 | 21 | 収集し分析されたデータは、頻度データの線に沿います。この場合、テストしたアプリケーションで検出された脆弱性の数です。よく知られているように、ツールは脆弱性があるとすべてのインスタンスを報告するものです。他方、人は数々の例の中からひとつの結果を報告するものです。この2つの種類の報告を同じように扱って集計するのは非常に困難です。 22 | 2017においては、与えられたデータセットのうち1つまたは複数の特定のデータ・セットを持つアプリケーションの数に基づき、発生率を計算しました。より多くの貢献者から2つの観点で情報を提供いただきました。1つ目は、脆弱性のすべてのインスタンスを数える従来の頻度スタイルであり、2つ目は、脆弱性が1回またはそれ以上検出されたアプリケーションの数です。完璧ではありませんが、これにより、ツールの結果と人の結果の双方を比較することができます。ローデータ及び分析作業結果は[GitHubでご確認いただけます](https://github.com/OWASP/Top10/tree/master/2017/datacall)。次以降のTop 10のバージョンに向け、この方法をさらに拡張していく予定です。 23 | 24 | この度のデータ提供依頼(CFD)においては、40セット以上の情報を提供いただきました。これらのほとんどは、頻度に焦点を当てたデータだったため、23の貢献者からの114,000以上のアプリケーションをカバーする情報を利用することができました。 1年かけて貢献者の特定を行いました。Veracodeからの年間のデータには繰り返し登場するアプリケーションがあることを認識していましたが、大半のアプリケーションは独自のものでした。使用した23のデータは、ツールの結果または人の結果のいずれかに区別しました。 100%以上の発生率となったデータは最大値が100%となるよう調整しました。発生率を計算するために、各脆弱性が含まれていることが判明したアプリケーションの割合を計算しました。発生率のランキングは、Top 10に位置付けられている全てのリスクの計算のために使いました。 25 | -------------------------------------------------------------------------------- /2017/ja/OWASP Top 10-2017(ja).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/OWASP Top 10-2017(ja).pdf -------------------------------------------------------------------------------- /2017/ja/OWASP Top 10-2017(ja).pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/OWASP Top 10-2017(ja).pptx -------------------------------------------------------------------------------- /2017/ja/OWASP-Top-10-2017-en.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/OWASP-Top-10-2017-en.pdf -------------------------------------------------------------------------------- /2017/ja/OWASP-Top-10-2017-ja.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/OWASP-Top-10-2017-ja.docx -------------------------------------------------------------------------------- /2017/ja/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/ja/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/ja/images/0x10-risk-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/0x10-risk-2.png -------------------------------------------------------------------------------- /2017/ja/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/ja/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/ja/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/ja/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/ja/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/front-cc.png -------------------------------------------------------------------------------- /2017/ja/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/front-wasp.png -------------------------------------------------------------------------------- /2017/ja/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/ja/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ja/images/license.png -------------------------------------------------------------------------------- /2017/ko/OWASP Top 10-2017-ko.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ko/OWASP Top 10-2017-ko.pdf -------------------------------------------------------------------------------- /2017/ko/OWASP Top 10-2017-ko.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ko/OWASP Top 10-2017-ko.pptx -------------------------------------------------------------------------------- /2017/ko/README.ko: -------------------------------------------------------------------------------- 1 | Korean Translation for Top10 - 2017 2 | -------------------------------------------------------------------------------- /2017/pt-br/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | Os Dez Riscos de Segurança Mais Críticos em Aplicações Web 6 | 7 | ### Versão em Português do Brasil (PT-BR) 8 | 9 | ![WASP Logo URL TBA](images/front-wasp.png) 10 | 11 | | | ![Creative Commons License Logo](images/front-cc.png) | 12 | | -- | -- | 13 | | https://owasp.org | Este documento é publicado sob a licença Creative Commons Attribution ShareAlike 4.0. | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /2017/pt-br/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # BR Versão PT-BR 2 | 3 | ## Notas 4 | 5 | Esta versão do OWASP Top 10 foi desenvolvida como parte integrante da atividade conjunta dos capítulos brasileiro e português da OWASP, em prol da comunidade de programadores e da segurança das aplicações desenvolvidas nos países de língua portuguesa. 6 | 7 | Este documento é baseado na versão OWASP Top 10 de 2017 e a tradução pretende ser fiel ao texto original. 8 | 9 | Se encontrar algum erro de tradução, digitação, ou diagramação, favor entrar em contato com o líder do Projeto OWASP em Língua Portuguesa. 10 | 11 | ## Participantes 12 | 13 | Participaram da tradução os líderes do Projeto OWASP Top 10 em Língua Portuguesa: 14 | 15 | * Fábio Kimura - fkimura@gmail.com - Português do Brasil 16 | * Márcio Machry - Português do Brasil 17 | * Carlos Serrão - Português de Portugal 18 | 19 | E os seguintes voluntários: 20 | 21 | * Bico Tavares 22 | * Ícaro Torres 23 | -------------------------------------------------------------------------------- /2017/pt-br/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < replace me with a toc > 4 | -------------------------------------------------------------------------------- /2017/pt-br/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF Detalhes Sobre Fatores de Risco 2 | 3 | ## Resumo de Fator de Risco dos Top 10 4 | 5 | A tabela a seguir apresenta um resumo dos Top 10 Riscos de Segurança de Aplicações de 2017 e os fatores de risco que atribuímos a cada risco. Esses fatores foram determinados com base nas estatísticas disponíveis e na experiência da equipe OWASP Top 10. Para entender esses riscos para uma determinada aplicação ou organização, você deve considerar seus próprios agentes de ameaças específicos e impactos comerciais. Mesmo as fraquezas mais graves de software podem não representar um risco grave se não houver agentes de ameaça em condições de realizar o ataque necessário ou o impacto comercial seja insignificante para os ativos envolvidos. 6 | 7 | ![Tabela de Fatores de Risco](images/0xc1-risk-factor-table.png) 8 | 9 | ## Riscos adicionais a considerar 10 | 11 | O Top 10 cobre um monte de terreno, mas há muitos outros riscos que você deve considerar e avaliar em sua organização. Alguns deles apareceram em versões anteriores do Top 10 e outros não, incluindo novas técnicas de ataque que estão sendo identificadas o tempo todo. Outros riscos de segurança de aplicações importantes (ordenados por CWE-ID) que você também deve considerar incluir: 12 | 13 | * [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Unvalidated Forward and Redirects](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Improper Control of Interaction Frequency (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | 22 | -------------------------------------------------------------------------------- /2017/pt-br/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/pt-br/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/pt-br/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/pt-br/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/pt-br/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/pt-br/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/pt-br/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/front-cc.png -------------------------------------------------------------------------------- /2017/pt-br/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/front-wasp.png -------------------------------------------------------------------------------- /2017/pt-br/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/pt-br/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-br/images/license.png -------------------------------------------------------------------------------- /2017/pt-pt/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | The Ten Most Critical Web Application Security Risks 6 | 7 | 13 de Novembro de 2017 8 | 9 | ### Golden Master 10 | 11 | Comentários são aceites de acordo com as instruções contidas neste documento. 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | Publicado ao abrigo da licença Creative Commons Attribution-ShareAlike 4.0 International License | 18 | 19 | -------------------------------------------------------------------------------- /2017/pt-pt/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # GM Golden Master 2 | 3 | Aviso importante 4 | --- 5 | 6 | ## Pedido de Comentários 7 | 8 | Esta é a versão Golden Master a qual, uma vez lançada, apenas será alvo de 9 | actualização devido a alterações de prioridade elevada ou pequenas correcções 10 | ortográficas. 11 | 12 | Nesta fase, estamos a solicitar: 13 | 14 | * Traduções - existem já algumas equipas a trabalhar, mas contacte-nos se puder 15 | contribuir 16 | * Revisão profunda da escrita 17 | * Revisão dos diagramas e das tabelas para ter a certeza que as mesmas estão 18 | claras e são úteis 19 | * Se os fatores de risco (exploração, predomínio, deteção, impacto) são 20 | concisos e precisos 21 | * Se as caixas de Vulnerabilidades e Cenários estão claras no seu significado 22 | * As recomendações são exequíveis 23 | * Qualquer ligação para conteúdos da OWASP ou externa é de elevada qualidade e 24 | está de acordo com o conceito e tom do conteúdo do OWASP Top 10 25 | * As ligações para o CWE devem cobrir o conteúdo discutido em cada risco. 26 | Precisamos de acrescentar, alterar ou remover CWE? O CWE precisa de ser 27 | actualizado? Se sim, temos uma pequena janela para poder trabalhar com o 28 | MITRE para as melhorar. 29 | 30 | Recomendamos vivamente que quaisquer alterações ou problemas encontrados sejam 31 | registados no GitHub: 32 | 33 | * https://github.com/OWASP/Top10/issues 34 | 35 | Através da transparência pública, oferecemos rastreabilidade e asseguramos que 36 | todas as vozes são ouvidas durante este último mês antes da publicação final. 37 | 38 | * Andrew van der Stock 39 | * Brian Glas 40 | * Neil Smithline 41 | * Torsten Gigler 42 | 43 | -------------------------------------------------------------------------------- /2017/pt-pt/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < substituir com o toc > 4 | -------------------------------------------------------------------------------- /2017/pt-pt/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/pt-pt/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/pt-pt/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/pt-pt/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/pt-pt/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/pt-pt/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/front-cc.png -------------------------------------------------------------------------------- /2017/pt-pt/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/front-wasp.png -------------------------------------------------------------------------------- /2017/pt-pt/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/pt-pt/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/pt-pt/images/license.png -------------------------------------------------------------------------------- /2017/ro/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | Cele mai critice zece riscuri de securitate pentru aplicațiile web 6 | 7 | Noiembrie 20, 2017 8 | 9 | ### Release 10 | 11 | Comentariile sunt solicitate conform instrucțiunilor in acest document 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | Această lucrare este licențiată sub o licență internațională Creative Commons Atribuire-ShareAlike 4.0 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /2017/ro/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Release 2 | 3 | ## Notificare importantă 4 | 5 | ### Cerere de comentarii 6 | 7 | Aceasta este versiunea text a Top 10 OWASP și, deși este utilă pentru traducători și pentru cei interesați de o versiune text, nu este versiunea oficială, care este versiunea PowerPoint / PDF. 8 | În această etapă, solicităm 9 | 10 | * Traduceri - avem deja câteva echipe care lucrează, dar ne puteti contacta dacă puteți ajuta 11 | 12 | Solicităm ca orice corecții sau probleme să fie înregistrate pe GitHub: 13 | 14 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 15 | 16 | Prin transparența publică, ne asigurăm că toate vocile sunt auzite în ultima lună înainte de publicare. 17 | 18 | * Andrew van der Stock 19 | * Brian Glas 20 | * Neil Smithline 21 | * Torsten Gigler -------------------------------------------------------------------------------- /2017/ro/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # TOC 2 | 3 | < înlocuiți-mă cu un toc > 4 | -------------------------------------------------------------------------------- /2017/ro/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF Details About Risk Factors 2 | 3 | ## Top 10 Risk Factor Summary 4 | 5 | The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even severe software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved. 6 | 7 | ![Risk Factor Table](images/0xc1-risk-factor-table.png) 8 | 9 | ## Additional Risks To Consider 10 | 11 | The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (ordered by CWE-ID) that you should additionally consider include: 12 | 13 | * [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Unvalidated Forward and Redirects](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Improper Control of Interaction Frequency (Anti-Automation)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | 22 | -------------------------------------------------------------------------------- /2017/ro/OWASP Top 10-2017_Template_DIN-A4_ro.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/OWASP Top 10-2017_Template_DIN-A4_ro.pptx -------------------------------------------------------------------------------- /2017/ro/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/ro/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/ro/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/ro/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/ro/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/ro/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/ro/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/front-cc.png -------------------------------------------------------------------------------- /2017/ro/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/front-wasp.png -------------------------------------------------------------------------------- /2017/ro/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/ro/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ro/images/license.png -------------------------------------------------------------------------------- /2017/ru/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | # Топ-10 OWASP 2017 4 | 5 | Десять самых опасных уязвимостей веб-приложений 6 | 7 | ![WASP Logo URL TBA](images/front-wasp.png) 8 | 9 | | ![Creative Commons License Logo](images/front-cc.png) | | 10 | |-------------------------------------------------------|--------------------------------------------------------------------------------------------------------| 11 | | https://owasp.org | Данная работа выпущена под лицензией Creative Commons Attribution-ShareAlike 4.0 International License | 12 | -------------------------------------------------------------------------------- /2017/ru/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Релиз 2 | 3 | ## Важное сообщение 4 | 5 | ### Запрос комментариев 6 | 7 | Эта текстовая версия Топ-10 OWASP будет полезна переводчикам и другим заинтересованным лицам. 8 | Данная версия не является официальным релизом, который будет представлен документами в формате PowerPoint и PDF. 9 | 10 | На данном этапе нам требуются: 11 | 12 | * **переводы** - несколько команд уже начали работу, но мы просим вас связаться с нами, 13 | если вы можете чем-то помочь. 14 | 15 | Настоятельно просим вносить все исправления или замечания на GitHub: 16 | 17 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 18 | 19 | Действуя публично и открыто, мы предоставляем возможность отслеживания и контроля, а также гарантируем, 20 | что все высказывания не останутся без внимания в течении последнего месяца перед публикацией. 21 | 22 | * Эндрю ван дер Сток (Andrew van der Stock) 23 | * Брайан Глас (Brian Glas) 24 | * Нейл Смитлайн (Neil Smithline) 25 | * Торстен Гиглер (Torsten Gigler) -------------------------------------------------------------------------------- /2017/ru/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +ФР О факторах риска 2 | 3 | ## Сводная таблица угроз Топ-10 4 | 5 | Таблица ниже содержит сводную информацию о Топ-10 угроз безопасности приложений 2017 г., а также факторы риска, назначенные для каждой из угроз. Эти факторы определялись на основе доступной статистики и опыта команды Топ-10 OWASP. Чтобы рассчитать риски для конкретного приложения или организации, необходимо определить специфичные для них источники угроз и последствия для бизнеса. Даже значительные недостатки ПО могут не представлять серьезной опасности, если отсутствуют источники угроз или последствия для бизнеса являются незначительными для рассматриваемых активов. 6 | 7 | ![Таблица факторов риска](images/0xc1-risk-factor-table.png) 8 | 9 | ## Дополнительные риски, требующие внимания 10 | 11 | Помимо угроз, представленных в Топ-10, существуют другие риски, которые необходимо оценивать и учитывать. Некоторые из них уже описывались в прошлых версиях Топ-10, а некоторые — нет, включая новые техники атак, которые появляются постоянно. Ниже перечислены дополнительные угрозы безопасности приложений (по номеру CWE), на которые также необходимо обратить внимание: 12 | 13 | * [CWE-352: Межсайтовая подмена запросов (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Неконтролируемое использование ресурсов ("Чрезмерное потребление ресурсов", "Отказ в обслуживании приложения")](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Отсутствие ограничений на загрузку файлов небезопасного типа](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: Некорректное представление важной информации интерфейсом пользователя (Подмена интерфейса/курсора и прочее)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Перенаправление на небезопасный сайт ("Открытая переадресация")](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Некорректное ограничение частоты взаимодействия (Противодействие автоматизации)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Использование функций недоверенных источников (Сторонний контент)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Подмена запросов на стороне сервера (SSRF)](https://cwe.mitre.org/data/definitions/918.html) -------------------------------------------------------------------------------- /2017/ru/README.md: -------------------------------------------------------------------------------- 1 | # Russian Translation for Top10 - 2017 2 | 3 | ## Acknowledgements 4 | 5 | * Oleksii Skachkov (a.k.a [hamster4n](https://github.com/hamster4n)) 6 | * Taras Ivashchenko (a.k.a. [oxdef](https://github.com/oxdef)) 7 | * Ivan Kochurkin (a.k.a [KvanTTT](https://github.com/KvanTTT)) -------------------------------------------------------------------------------- /2017/ru/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/ru/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/ru/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/ru/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/ru/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/ru/images/OWASP Top 10 - 2017 - Icons.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/OWASP Top 10 - 2017 - Icons.png -------------------------------------------------------------------------------- /2017/ru/images/OWASP Top 10 - 2017 - Icons.xcf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/OWASP Top 10 - 2017 - Icons.xcf -------------------------------------------------------------------------------- /2017/ru/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/ru/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/front-cc.png -------------------------------------------------------------------------------- /2017/ru/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/front-wasp.png -------------------------------------------------------------------------------- /2017/ru/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/ru/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/ru/images/license.png -------------------------------------------------------------------------------- /2017/templates/reference.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/templates/reference.docx -------------------------------------------------------------------------------- /2017/tr/0x00-header.md: -------------------------------------------------------------------------------- 1 | ![OWASP LOGO](images/OWASP_logo.png) 2 | 3 | ## OWASP Top 10 2017 4 | 5 | En Tehlikeli 10 Web Uygulaması Güvenlik Açıklıkları 6 | 7 | 20 Kasım 2017 8 | 9 | ### Sürüm 10 | 11 | Talimatlara uygun yorumlar talep edilmiştir 12 | 13 | ![WASP Logo URL TBA](images/front-wasp.png) 14 | 15 | | | ![Creative Commons License Logo](images/front-cc.png) | 16 | | -- | -- | 17 | | https://owasp.org | Bu çalışma Creative Commons Attribution-ShareAlike 4.0 International lisansı kapsamında oluşturulmuştur. | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /2017/tr/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Sürüm 2 | 3 | ## Önemli Hatırlatma 4 | 5 | ### Yorum Talebi 6 | 7 | OWASP İlk 10'un metin hali olan bu kısım, çevirmenler ve metin haliyle ilgilenenler için kullanışlı olmasına rağmen, resmi sürüm olmayıp, resmi sürüm PowerPoint / PDF halidir. 8 | 9 | Bu aşamada, aşağıdaki konularda yardım talep etmekteyiz: 10 | 11 | * Çeviriler - bazı takımlar üzerinde çalışmakta, ancak yardım edebileceğinizi düşünüyorsanız bize ulaşın 12 | 13 | Tüm sorun ve düzeltmelerin Github üzerinden kayıt altına alınmasına son derece özen gösteriyoruz: 14 | 15 | * [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 16 | 17 | Herkese açık bir şeffaflık ile, izlenebilirlik sağlıyoruz ve yayımdan önceki bu son ayda tüm yorumların duyulmasını sağlıyoruz. 18 | 19 | * Andrew van der Stock 20 | * Brian Glas 21 | * Neil Smithline 22 | * Torsten Gigler 23 | -------------------------------------------------------------------------------- /2017/tr/0x00-toc.md: -------------------------------------------------------------------------------- 1 | # İÇİNDEKİLER 2 | 3 | < içindekiler tablosu ile değiştiriniz > 4 | -------------------------------------------------------------------------------- /2017/tr/0xc1-risk-factors.md: -------------------------------------------------------------------------------- 1 | # +RF Risk Faktörleri Hakkında Detaylar 2 | 3 | ## Top 10 Risk Faktörleri Özeti 4 | 5 | Aşağıdaki tablo 2017 İlk 10 Uygulama Güvenliği Risklerini ve herbir risk için belirlediğimiz risk faktörlerinin bir özetini sunmaktadır. Bu faktörler hazır bulunan istatistik verilerine ve OWASP İlk 10 takımının tecrübelerine göre belirlenmiştir. Belirli bir uygulama veya kurum özelinde bu riskleri anlamak için, kendi tehdit etkenlerinizi ve iş etkilerinizi düşünmelisiniz. Gerekli saldırıyı gerçekleştirmek için bir tehdit etkeni bulunmuyorsa veya varlıklar için iş etkisi ihmal edilebilirse, ciddi yazılım açıklıkları bile ciddi bir risk oluşturmayabilmektedir. 6 | 7 | ![Risk Faktörleri Tablosu](images/0xc1-risk-factor-table.png) 8 | 9 | ## Düşünülmesi Gereken İlave Riskler 10 | 11 | İlk 10 pek çok risk grubunu kapsamaktadır, ancak kurumunuzda düşünmeniz ve değerlendirmeniz gereken başka pek çok risk bulunmaktadır. Sürekli olarak keşfedilen yeni saldırı teknikleri dahil bunlardan bazıları daha önceki İlk 10 sürümlerinde belirtilmişken, bazıları ise belirtilmemiştir. Düşünmeniz gereken ilave diğer önemli uygulama güvenliği riskleri (CWE-ID değerlerine göre sıralı) aşağıdakileri içermektedir: 12 | 13 | * [CWE-352: Siteler Arası İstek Sahteciliği (CSRF)](https://cwe.mitre.org/data/definitions/352.html) 14 | * [CWE-400: Kontrolsüz Kaynak Tüketimi ('Kaynak Tüketimi', 'AppDoS')](https://cwe.mitre.org/data/definitions/400.html) 15 | * [CWE-434: Sınırsız Dosya Yükleme](https://cwe.mitre.org/data/definitions/434.html) 16 | * [CWE-451: Hassas Bilginin Kullanıcı Arayüzünde Yanlış Gösterimi (Clickjacking ve diğerleri)](https://cwe.mitre.org/data/definitions/451.html) 17 | * [CWE-601: Doğrulanmamış Yönlendirme ve İletme](https://cwe.mitre.org/data/definitions/601.html) 18 | * [CWE-799: Kontrolsüz Etkileşim Sıklığı (Anti-Otomasyon)](https://cwe.mitre.org/data/definitions/799.html) 19 | * [CWE-829: Güvenilmeyen Fonksiyon Kullanımı (3. Parti İçerik)](https://cwe.mitre.org/data/definitions/829.html) 20 | * [CWE-918: Sunucu Taraflı İstek Sahteciliği (SSRF)](https://cwe.mitre.org/data/definitions/918.html) 21 | 22 | -------------------------------------------------------------------------------- /2017/tr/OWASP Top 10-2017_TR.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/OWASP Top 10-2017_TR.pptx -------------------------------------------------------------------------------- /2017/tr/images/0x06-release-notes-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/0x06-release-notes-1.png -------------------------------------------------------------------------------- /2017/tr/images/0x10-risk-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/0x10-risk-1.png -------------------------------------------------------------------------------- /2017/tr/images/0xc0-risk-explanation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/0xc0-risk-explanation.png -------------------------------------------------------------------------------- /2017/tr/images/0xc1-risk-factor-table.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/0xc1-risk-factor-table.png -------------------------------------------------------------------------------- /2017/tr/images/Autodesk-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/Autodesk-logo.png -------------------------------------------------------------------------------- /2017/tr/images/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/OWASP_logo.png -------------------------------------------------------------------------------- /2017/tr/images/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/front-cc.png -------------------------------------------------------------------------------- /2017/tr/images/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/front-wasp.png -------------------------------------------------------------------------------- /2017/tr/images/front-wasp_without-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/front-wasp_without-background.png -------------------------------------------------------------------------------- /2017/tr/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/tr/images/license.png -------------------------------------------------------------------------------- /2017/translations/OWASP Top 10-2017_Template_DIN-A4.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2017/translations/OWASP Top 10-2017_Template_DIN-A4.pptx -------------------------------------------------------------------------------- /2021/Data/OWASP Top 10 2020 Data Analysis Plan.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/Data/OWASP Top 10 2020 Data Analysis Plan.docx -------------------------------------------------------------------------------- /2021/Data/README.md: -------------------------------------------------------------------------------- 1 | Folder to store documentation related to the data collection efforts. 2 | -------------------------------------------------------------------------------- /2021/Data/sample-data-submission.csv: -------------------------------------------------------------------------------- 1 | NumberofAppsTested,CWE,NumberofAppsPer,TimePeriod,ContributorName,ContributorContactEmail,TypeofTesting,PrimaryLanguage,Region,Industry,Retest 2 | 100,20,53,2019,Name,Email,TAH,.NET,North America,Retail,F 3 | 100,20,10,2019,Name,Email,TAH,.NET,North America,Technology,F 4 | 100,20,30,2019,Name,Email,TAH,PHP,North America,Technology,F 5 | 100,425,5,2019,Name,Email,TAH,.NET,North America,Retail,F 6 | -------------------------------------------------------------------------------- /2021/Data/sample-data-submission.json: -------------------------------------------------------------------------------- 1 | { 2 | "contributions":{ 3 | "appData" : 4 | { 5 | "appsSubmitted":100 6 | }, 7 | "cwe":[ 8 | { 9 | "id":20, 10 | "occurances":53, 11 | "timePeriod":2019, 12 | "language":".NET", 13 | "region":"North America", 14 | "industry":"Retail", 15 | "retest":"F", 16 | "testingType":"TAH" 17 | }, 18 | { 19 | "id":20, 20 | "occurances":10, 21 | "timePeriod":2019, 22 | "language":".NET", 23 | "region":"North America", 24 | "industry":"Technology", 25 | "retest":"F", 26 | "testingType":"TAH" 27 | }, 28 | { 29 | "id":20, 30 | "occurances":30, 31 | "timePeriod":2019, 32 | "language":"PHP", 33 | "region":"North America", 34 | "industry":"Technology", 35 | "retest":"F", 36 | "testingType":"TAH" 37 | }, 38 | { 39 | "id":425, 40 | "occurances":5, 41 | "timePeriod":2019, 42 | "language":".NET", 43 | "region":"North America", 44 | "industry":"Retail", 45 | "retest":"F", 46 | "testingType":"TAH" 47 | } 48 | ], 49 | "contributor":{ 50 | "name":"First Last", 51 | "email":"name@owasp.org" 52 | } 53 | } 54 | } -------------------------------------------------------------------------------- /2021/Presentations/20th Anniversary - OWASP Top 10 2021.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/Presentations/20th Anniversary - OWASP Top 10 2021.pptx -------------------------------------------------------------------------------- /2021/README.md: -------------------------------------------------------------------------------- 1 | # OWASP Top 10 2021 2 | 3 | Final Release 4 | 5 | ## Building a local copy 6 | 7 | - Install Python 3 for your platform 8 | - From the main folder, ... 9 | 10 | ```bash 11 | make install-python-requirements 12 | ``` 13 | ### Prepare a local virtual environment to manage the versions of the required Python libraries for mkdocs 14 | 15 | ```bash$ 16 | # build and activate venv 17 | cd 2021 18 | python3 -m venv . 19 | source ./bin/activate 20 | # install all required library versions 21 | pip install -r requirements.txt 22 | # optionally verify if OWASP OSIB is in your pip list 23 | pip list | grep osib 24 | ``` 25 | This installs all requirenents including the (OSIB Macro)[https://github.com/OWASP/OSIB] 26 | 27 | ### Test it locally 28 | 29 | You should test your changes locally: 30 | 31 | ```bash 32 | cd 2021 33 | mkdocs serve 34 | ``` 35 | 36 | Once you are happy, check in your changes as a branch / PR and let someone on the main team know. We'll review your changes, and merge and redeploy. 37 | 38 | ### Redeploy to gh-pages 39 | 40 | This only works if you have commit privileges on master and Git is correctly setup in your environment. 41 | 42 | ```bash 43 | cd 2021 44 | mkdocs gh-deploy 45 | ``` 46 | 47 | ### Translating the OWASP Top 10 2021 48 | 49 | - Join the OWASP Slack and join the #top-10-translations channel. Let folks know what language you are doing. Someone might already be working on it. 50 | - Fork and clone the Top 10 repo 51 | - Follow the installation and local test instructions above 52 | - Create a new branch for your language (something like 2021-fr) 53 | - Add your translation to the plugin / navigation area in mkdocs.yml 54 | - Test your translation locally by running a local server (see above) 55 | - When you're ready, create a pull request against the OWASP Top 10 repo, and let us know it's ready for deployment 56 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.es.md: -------------------------------------------------------------------------------- 1 | # Publicación 2 | 3 | Publicado el 24 de septiembre de 2021 4 | 5 | ## Autores principales 6 | 7 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 8 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 9 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 10 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 11 | 12 | ## Colaboradores 13 | 14 | - Orange Tsai [@orange_8361](https://twitter/orange_8361), autor de A10:2021 – Falsificación de Solicitudes del Lado del Servidor (SSRF) 15 | - Jim Manico [@manicode](https://twitter/manicode) y Jakub Maćkowski [@kubamackowski](https://twitter/kubamackowski) - Coordinación de Cheat Sheets de OWASP 16 | 17 | ## ¿Cómo puedes ayudar? 18 | 19 | En esta fase, solicitamos: 20 | 21 | - Científicos de datos: por favor, revisen nuestro análisis 22 | - Diseñadores de páginas web: tenemos que hacer una versión adaptada para móviles 23 | - Traductores: por favor, revisen que el texto en inglés sea traducible 24 | - Líderes del ASVS, de la Guía de Pruebas y de la Guía de Revisión del Código: por favor, utilicen nuestros datos y ayúdenos a enlazar nuestros documentos y estándares 25 | 26 | ## Reportar issues y pull requests 27 | 28 | Por favor, reporte cualquier corrección o problema a: 29 | 30 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 31 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.fr.md: -------------------------------------------------------------------------------- 1 | # Publication 2 | 3 | Publié le 24 septembre 2021 4 | 5 | ## Auteurs principaux 6 | 7 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 8 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 9 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 10 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 11 | 12 | ## Contributeurs 13 | 14 | - Orange Tsai [@orange_8361](https://twitter/orange_8361), Auteur de A10-2021: Falsification de requête côté serveur 15 | - Jim Manico [@manicode](https://twitter/manicode) et Jakub Maćkowski [@kubamackowski](https://twitter/kubamackowski) - Coordination avec le projet OWASP CheatSheets 16 | 17 | ## Comment pouvez-vous aider 18 | 19 | À ce stade nous recherchons : 20 | 21 | - Data scientists - veuillez examiner notre analyse 22 | - Concepteurs Web - nous avons besoin d'une version mobile 23 | - Traducteurs - veuillez revoir le texte anglais pour vous assurer qu'il est traduisible 24 | - Leadership ASVS, Testing Guide et Code Review Guide - veuillez utiliser nos données et nous aider à lier nos documents et nos normes ensemble 25 | 26 | ## Journalisation des erreurs et contributions 27 | 28 | Veuillez signaler toute correction ou problème : 29 | 30 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 31 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.id.md: -------------------------------------------------------------------------------- 1 | 2 | ## Rilis 3 | 4 | Rilis tanggal 24 September 2021 5 | 6 | ## Penulis Utama 7 | 8 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 9 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 10 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 11 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 12 | 13 | ## Kontributor 14 | 15 | - Orange Tsai, penulis A10-2021: Server Side Request Forgery 16 | - Jim Manico danJakub Maćkowski - OWASP CheatSheets Coordination 17 | 18 | ## Bagaimana Anda dapat berkontribusi 19 | 20 | Pada level ini, kami mengharapkan 21 | 22 | - Pengolah data - mereview analisa kami 23 | - Desainer web - kami membutuhkan versi yang sesuai untuk perangkat portabel 24 | - Translators - menolong meninjau teks bahasa Inggris untuk memastikan ini dapat diterjemahkan 25 | - ASVS, panduan testing, dan pemimpin panduan tinjauan kode - silahkan menggunakan data kami dan membantu kami menghubungkan 26 | dokumen kami dan standarnya secara bersama-sama. 27 | 28 | ## Masalah log dan permintaan penarikan 29 | 30 | Berikan koreksi apapun atau jika ada isu pada: 31 | 32 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 33 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.it.md: -------------------------------------------------------------------------------- 1 | # Rilascio 2 | 3 | Rilasciata il 24 Settembre 2021 4 | 5 | ## Autori principali 6 | 7 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 8 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 9 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 10 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 11 | 12 | ## Collaboratori 13 | 14 | - Orange Tsai [@orange_8361](https://twitter.com/orange_8361), Author of A10-2021: Server Side Request Forgery 15 | - Jim Manico [@manicode](https://twitter.com/manicode) and Jakub Maćkowski [@kubamackowski](https://twitter.com/kubamackowski) - OWASP CheatSheets Coordination 16 | 17 | ## Come puoi aiutarci 18 | 19 | In questa fase, chiediamo 20 | 21 | - Data scientists - per favore, fate una peer review delle nostra analisi 22 | - Web designers - abbiamo bisogno di fare una versione mobile friendly del sito 23 | - Traduttori - per favore rivedete il testo inglese per assicurarvi che sia traducibile 24 | - Responsabili di ASVS, Testing Guide, and Code Review Guide - per favore usate i nostri dati e aiutateci a collegare tra loro i nostri documenti e standard 25 | 26 | ## Log issues and pull requests 27 | 28 | Si prega di segnalare qualsiasi correzione o problema: 29 | 30 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 31 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.ja.md: -------------------------------------------------------------------------------- 1 | # リリース 2 | 3 | 2021年9月24日 リリース 4 | 5 | ## 筆頭著者 6 | 7 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 8 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 9 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 10 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 11 | 12 | ## コントリビューター 13 | 14 | - Orange Tsai [@orange_8361](https://twitter/orange_8361), A10-2021: サーバーサイドリクエストフォージェリ 著者 15 | - Jim Manico [@manicode](https://twitter/manicode) と Jakub Maćkowski [@kubamackowski](https://twitter/kubamackowski) - OWASP CheatSheets コーディネーション 16 | 17 | ## 支援の方法 18 | 19 | 現在、以下の方々を必要としています 20 | 21 | - データサイエンティスト - 私たちの分析のピアレビューをお願いします 22 | - Webデザイナー - モバイルフレンドリーなバージョンの制作を必要としています 23 | - 翻訳者 - 翻訳のために英語のテキストのレビューをお願いします 24 | - ASVS、Testing GuideそしてCode Review Guideのリーダー - 私たちのデータを活用してください。また、私たちのドキュメントや標準を共に結びつけるための支援をお願いします。 25 | 26 | ## イシューとプルリクエストの起票 27 | 28 | 修正やイシューの起票をお願いします: 29 | 30 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 31 | 32 | 33 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.md: -------------------------------------------------------------------------------- 1 | # Release 2 | 3 | Released 24th September 2021 4 | 5 | ## Lead Authors 6 | 7 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 8 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 9 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 10 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 11 | 12 | ## Contributors 13 | 14 | - Orange Tsai [@orange_8361](https://twitter/orange_8361), Author of A10-2021: Server Side Request Forgery 15 | - Jim Manico [@manicode](https://twitter/manicode) and Jakub Maćkowski [@kubamackowski](https://twitter/kubamackowski) - OWASP CheatSheets Coordination 16 | 17 | ## How you can help 18 | 19 | At this stage, we are asking for 20 | 21 | - Data scientists - please peer review our analysis 22 | - Web designers - we need to make a mobile friendly version 23 | - Translators - please review the English text to make sure it's translatable 24 | - ASVS, Testing Guide, and Code Review Guide leadership - please use our data and help us link our documents and standards together 25 | 26 | ## Log issues and pull requests 27 | 28 | Please log any corrections or issues: 29 | 30 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 31 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.pt_BR.md: -------------------------------------------------------------------------------- 1 | # Lançamento 2 | 3 | Lançado em 24 de setembro de 2021 4 | 5 | ## Status atual 6 | 7 | Esta versão será lançada na celebração do 20º aniversário da OWASP. 8 | 9 | ## Autores Principais 10 | 11 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 12 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 13 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 14 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 15 | 16 | ## Contribuidores 17 | 18 | - Orange Tsai - [@orange_8361](https://twitter/orange_8361), Autor de A10-2021: Server Side Request Forgery 19 | - Jim Manico [@manicode](https://twitter/manicode) e Jakub Maćkowski [@kubamackowski](https://twitter/kubamackowski) - OWASP CheatSheets Coordination 20 | 21 | ## Como você pode ajudar 22 | 23 | Nesta fase, estamos pedindo 24 | 25 | - Cientistas de dados - por favor revise por pares nossas análises 26 | - Web designers - precisamos fazer uma versão amigável para celular 27 | - Tradutores - reveja o texto em inglês para se certificar de que é traduzível 28 | - ASVS, Guia de Teste e Liderança do Guia de Revisão de Código - utilize nossos dados e nos ajudar a conectar os nossos documentos e padrões juntos 29 | 30 | ## Registre issues e pull requests 31 | 32 | Por favor registra qualquer correção ou issues: 33 | 34 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 35 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.zh_CN.md: -------------------------------------------------------------------------------- 1 | # 发表版本 2 | 3 | 于 2021 年 9 月 24 日正式发表 4 | 5 | ## 专案主导者 6 | 7 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 8 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 9 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 10 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 11 | 12 | ## 共享专家 13 | 14 | - Orange Tsai, [@orange_8361](https://twitter/orange_8361) A10-2021: 服务端请求伪造 的作者 15 | - Jim Manico [@manicode](https://twitter/manicode) 和 Jakub Maćkowski [@kubamackowski](https://twitter/kubamackowski) 16 | 17 | ## 你能如何帮助 18 | 19 | 在目前阶段,我們需要 20 | 21 | - 资料科学家 - 协助确认我們的资料分析結果 22 | - 网页设计师 - 我們需要做一個交互友善的版本 23 | - 翻译人员 - 请协助确认英文版本文字並确认可被翻译到其他语言版本 24 | - ASVS, Testing Guide, 和 Code Review Guide 专案领袖 - 请使用我們的资料并协助我們把其他的文件和标准连接起來 25 | 26 | ## 问题及 Pull Request 27 | 28 | 请将任何问题或是需被修改的地方记录到此: 29 | 30 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 31 | -------------------------------------------------------------------------------- /2021/docs/0x00-notice.zh_TW.md: -------------------------------------------------------------------------------- 1 | 2 | # 發表版本 3 | 4 | 於 2021 年 9 月 24 日正式發表 5 | 6 | ## 專案領袖 7 | 8 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 9 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 10 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 11 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 12 | 13 | ## 貢獻專家 14 | 15 | - Orange Tsai, [@orange_8361](https://twitter/orange_8361) A10-2021: 伺服端請求偽造 的作者 16 | - Jim Manico [@manicode](https://twitter/manicode) 和 Jakub Maćkowski [@kubamackowski](https://twitter/kubamackowski) 17 | 18 | ## 你能如何幫助 19 | 20 | 在目前階段,我們需要 21 | 22 | - 資料科學家 - 協助確認我們的資料分析結果 23 | - 網頁設計師 - 我們需要做一個對行動裝置友善的版本 24 | - 翻譯人員 - 請協助確認英文版本文字並確認可被翻譯到其他語言版本 25 | - ASVS, Testing Guide, 和 Code Review Guide 專案領袖 - 請使用我們的資料並協助我們把其他的文件和標準連接起來 26 | ## 問題及 Pull Request 27 | 28 | 請將任何問題或是需被修改的地方記錄到此: 29 | 30 | - [https://github.com/OWASP/Top10/issues](https://github.com/OWASP/Top10/issues) 31 | -------------------------------------------------------------------------------- /2021/docs/A00-about-owasp.ar.md: -------------------------------------------------------------------------------- 1 | # عن أواسب 2 | 3 | مشروع أمان تطبيق الويب المفتوح أواسب (OWASP) هو مجتمع مفتوح المصدر ويركز على تمكين المؤسسات من تطوير وشراء وصيانة التطبيقات وواجهات برمجة التطبيقات (APIs) التي يمكن الوثوق بها. 4 | 5 | في أواسب ستجد: 6 | 7 | 8 | - أدوات ومعايير أمان التطبيق 9 | - الأبحاث المتطورة 10 | - الضوابط الأمنية الأساسية المبنية على افضل السياسات. 11 | - كتب كاملة عن اختبار أمن التطبيقات، وتطوير ومراجعة النص البرمجي الآمن. 12 | - العروض التقديمية و [مقاطع الفيديو](https://www.youtube.com/user/OWASPGLOBAL) 13 | - [Cheat sheets](https://cheatsheetseries.owasp.org/) حول العديد من الموضوعات الشائعة 14 | - [اجتماعات المجموعات](https://owasp.org/chapters/) 15 | - [الأحداث والتدريب والمؤتمرات](https://owasp.org/events/). 16 | - [ مجموعات قوقل ](TBA) 17 | 18 | اعرف المزيد على: [https://www.owasp.org](https://www.owasp.org). 19 | 20 | جميع أدوات أواسب والمستندات ومقاطع الفيديو والعروض التقديمية والفصول مجانية ومفتوحة لأي شخص مهتم بتحسين أمن التطبيقات. 21 | 22 | 23 | نحن ندعو إلى التعامل مع أمن التطبيقات باعتباره مشكلة تتعلق بالأشخاص والسياسات التقنية، لأن الأساليب الأكثر فاعلية لأمن التطبيقات تتطلّب تحسينات في هذه المجالات. 24 | 25 | أواسب نوع جديد من التنظيم. يسمح لنا بالتحرّر من الضغوط التجارية بتقديم معلومات غير متحيزة وعملية وفعالة من حيث التكلفة حول أمن التطبيقات. 26 | 27 | أواسب ليست تابعة لأي شركة تقنية، على الرغم من أننا ندعم الاستخدام المستنير لتقنيات الأمن التجارية. تنتج أواسب أنواعًا عديدة من المواد بطريقة تعاونية وشفافة ومنفتحة. 28 | 29 | 30 | مؤسسة أواسب هي كيان غير ربحي والذي يضمن نجاح المشروع على المدى الطويل. كل شخص مرتبط بـ أواسب تقريبًا متطوع، بما في ذلك مجلس أواسب وقادة الفروع وقادة المشروع وأعضاء المشروع. نحن ندعم الأبحاث الأمنية المُبتكرة من خلال المنح والبنية التحتية. 31 | 32 | ## حقوق النشر والترخيص 33 | 34 | ![license](assets/license.png) 35 | 36 | حقوق النشر © مؤسسة أواسب 2003-2021. تم إصدار هذا المستند بموجب ترخيص الإبداعي الترخيص بالمثل 4.0. لأي إعادة استخدام أو توزيع، يجب أن توضح للآخرين شروط ترخيص هذا العمل. 37 | -------------------------------------------------------------------------------- /2021/docs/A00-about-owasp.id.md: -------------------------------------------------------------------------------- 1 | # About OWASP 2 | 3 | Open Web Application Security Project (OWASP) adalah komunitas terbuka yang didedikasikan untuk memungkinkan organisasi mengembangkan, membeli, dan memelihara aplikasi yang dapat dipercaya. 4 | 5 | Di OWASP, anda akan menemukan kebebasan dan keterbukaan: 6 | 7 | - Alat dan standar dalam keamanan aplikasi. 8 | - Penelitian terkini. 9 | - Kendali keamanan dan pustaka standar. 10 | - Buku tentang uji keamanan aplikasi, pengembangan kode aman, dan peninjauan kode keamanan. 11 | - Presentasi dan [video](https://www.youtube.com/user/OWASPGLOBAL). 12 | - [Cheat sheets](https://cheatsheetseries.owasp.org/) untuk banyak topik umum. 13 | - [Pertemuan Chapter](https://owasp.org/chapters/). 14 | - [Kegiatan, pelatihan, dan konferensi](https://owasp.org/events/). 15 | - [Google Groups](TBA) 16 | 17 | Pelajari lebih lanjut di: [https://www.owasp.org](https://www.owasp.org). 18 | 19 | seluruh alat OWASP, dokumen, video, presentasi, dan bagian adalah kebebasan dan keterbukaan bagi semua orang yang tertarik dalam meningkatkan keamanan aplikasi 20 | 21 | Kami menganjurkan mendekati keamanan aplikasi sebagai masalah orang, proses, dan teknologi, karena pendekatan yang paling efektif untuk keamanan aplikasi memerlukan peningkatan pada bidang-bidang ini. 22 | 23 | OWASP adalah jenis organisasi baru. Kebebasan kami dari tekanan komersial memungkinkan kami memberikan informasi yang tidak bias, praktis, dan hemat biaya tentang keamanan aplikasi. 24 | 25 | OWASP tidak berafiliasi dengan perusahaan teknologi mana pun, meskipun kami mendukung penggunaan teknologi keamanan komersial yang diinformasikan. OWASP memproduksi berbagai jenis bahan secara kolaboratif, transparan, dan terbuka. 26 | 27 | Yayasan OWASP adalah entitas nonprofit yang memastikan kesuksesan jangka panjang proyek. Hampir semua orang yang terkait dengan OWASP adalah relawan, termasuk OWASP Board, OWASP Chapter Leader, Project Leader, dan Project Member. Kami mendukung penelitian keamanan yang inovatif dengan hibah dan infrastruktur. 28 | 29 | Ayo bergabung dengan kami! 30 | 31 | ## Copyright and License 32 | 33 | ![license](assets/license.png) 34 | 35 | Copyright © 2003-2021 The OWASP&tm; Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 36 | -------------------------------------------------------------------------------- /2021/docs/A00-about-owasp.it.md: -------------------------------------------------------------------------------- 1 | # A proposito di OWASP 2 | 3 | L'Open Web Application Security Project (OWASP) è una comunità aperta dedicata per permettere alle organizzazioni di sviluppare, acquistare e mantenere applicazioni e API affidabili. 4 | 5 | All'OWASP, troverete in modo libero e aperto: 6 | 7 | - Strumenti e standard di sicurezza delle applicazioni 8 | - Ricerca all'avanguardia 9 | - Controlli di sicurezza standard e librerie 10 | - Libri completi su test di sicurezza delle applicazioni, sviluppo di codice sicuro e revisione del codice sicuro 11 | - Presentazioni e [video](https://www.youtube.com/user/OWASPGLOBAL) 12 | - [Cheat sheets](https://cheatsheetseries.owasp.org/) su molti argomenti di interesse comune 13 | - [Chapter meetings](https://owasp.org/chapters/) 14 | - [Eventi, corsi, e conferenze](https://owasp.org/events/). 15 | - [Google Groups](TBA) 16 | 17 | Scopri di più su: [https://www.owasp.org](https://www.owasp.org). 18 | 19 | Tutti gli strumenti, i documenti, i video, le presentazioni e i chapter di OWASP sono gratuiti e aperti a chiunque sia interessato a migliorare la sicurezza delle applicazioni. 20 | 21 | Sosteniamo l'approccio alla sicurezza delle applicazioni come un problema di persone, processi e tecnologia, perché gli approcci più efficaci alla sicurezza delle applicazioni richiedono miglioramenti in tutte queste aree. 22 | 23 | OWASP è un nuovo tipo di organizzazione. La nostra libertà dalle pressioni commerciali ci permette di fornire informazioni imparziali, pratiche e convenienti sulla sicurezza delle applicazioni. 24 | 25 | OWASP non è affiliata ad alcuna azienda tecnologica, anche se sosteniamo l'uso informato della tecnologia di sicurezza commerciale. OWASP produce molti tipi di materiali in modo collaborativo, trasparente e aperto. 26 | 27 | La Fondazione OWASP è l'entità non-profit che assicura il successo a lungo termine del progetto. Quasi tutti coloro che sono associati a OWASP sono volontari, compreso il consiglio di OWASP, i leader dei chapter, i leader dei progetti e i membri degli stessi. Sosteniamo la ricerca innovativa sulla sicurezza con sovvenzioni e infrastrutture. 28 | 29 | Unisciti a noi! 30 | 31 | ## Copyright and License 32 | 33 | ![license](assets/license.png) 34 | 35 | Copyright © 2003-2021 The OWASP™ Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 36 | -------------------------------------------------------------------------------- /2021/docs/A00-about-owasp.ja.md: -------------------------------------------------------------------------------- 1 | # OWASPについて 2 | 3 | Open Web Application Security Project(OWASP)は、組織が信頼できるアプリケーションや API を開発、購入、維持できるよう支援することに専念する、オープンなコミュニティです。 4 | 5 | OWASP では、無料で利用できるものが公開されています: 6 | 7 | - アプリケーション・セキュリティのためのツールと標準 8 | - 最先端の研究 9 | - 標準的なセキュリティ管理とライブラリ 10 | - アプリケーション・セキュリティ・テスト、安全なコード開発、および安全なコード・レビューに関するひとそろいの文献 11 | - プレゼンテーションと[ビデオ](https://www.youtube.com/user/OWASPGLOBAL) 12 | - 数多くの共通トピックに関する [チートシート](https://cheatsheetseries.owasp.org/) 13 | - [チャプターミーティング](https://owasp.org/chapters/) 14 | - [イベント、トレーニング、カンファレンス](https://owasp.org/events/)。 15 | - [Googleグループ](TBA) 16 | 17 | 詳細はこちらをご覧ください:[https://www.owasp.org](https://www.owasp.org). 18 | 19 | すべてのOWASPのツール、ドキュメント、ビデオ、プレゼンテーション、そしてチャプターは自由でオープンなものであり、アプリケーションセキュリティを改善する人なら誰でも活用することができます。 20 | 21 | わたしたちはアプリケーションセキュリティを、人、プロセス、および技術の問題としてとらえることを提唱しています。最も効果的なアプリケーションセキュリティへのアプローチはそれらの領域における改善を必要とするからです。 22 | 23 | OWASPは、新しいタイプの組織です。商業的な圧力に拘束されていませんので、アプリケーション・セキュリティに関する偏りのない、実用的でコスト効率の高い情報を提供することができます。 24 | 25 | OWASPは、商用のセキュリティ技術をよく理解した上で利用することには賛同しますが、OWASPは、いかなるテクノロジ企業とも提携しません。OWASPは、さまざまな種類の資料を共同で、透明で、オープンな方法で作成します。 26 | 27 | The OWASP Foundation(オワスプ・ファウンデーション)は、このプロジェクトの長期的な成功を実現する非営利団体です。OWASPに関わるほとんどの人すなわちOWASPボード、チャプターリーダー、プロジェクトリーダー、プロジェクトメンバーはボランティアです。私たちは、革新的なセキュリティリサーチを、金銭面とインフラストラクチャを提供することによってサポートします。 28 | 29 | どうぞ、ご参加ください。 30 | 31 | ## Copyright and License 32 | 33 | ![license](assets/license.png) 34 | 35 | Copyright © 2003-2021 The OWASP™ Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 36 | -------------------------------------------------------------------------------- /2021/docs/A00-about-owasp.md: -------------------------------------------------------------------------------- 1 | # About OWASP 2 | 3 | The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. 4 | 5 | At OWASP, you'll find free and open: 6 | 7 | - Application security tools and standards 8 | - Cutting edge research 9 | - Standard security controls and libraries 10 | - Complete books on application security testing, secure code development, and secure code review 11 | - Presentations and [videos](https://www.youtube.com/user/OWASPGLOBAL) 12 | - [Cheat sheets](https://cheatsheetseries.owasp.org/) on many common topics 13 | - [Chapters meetings](https://owasp.org/chapters/) 14 | - [Events, training, and conferences](https://owasp.org/events/). 15 | - [Google Groups](TBA) 16 | 17 | Learn more at: [https://www.owasp.org](https://www.owasp.org). 18 | 19 | All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. 20 | 21 | We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in these areas. 22 | 23 | OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, and cost-effective information about application security. 24 | 25 | OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative, transparent, and open way. 26 | 27 | The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP board, chapter leaders, project leaders, and project members. We support innovative security research with grants and infrastructure. 28 | 29 | Come join us! 30 | 31 | ## Copyright and License 32 | 33 | ![license](assets/license.png) 34 | 35 | Copyright © 2003-2023 The OWASP™ Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 36 | -------------------------------------------------------------------------------- /2021/docs/A00-about-owasp.pt_BR.md: -------------------------------------------------------------------------------- 1 | # Sobre OWASP 2 | 3 | O Open Web Application Security Project (OWASP) é uma comunidade aberta dedicada a capacitar as organizações a desenvolver, adquirir e manter aplicações e APIs que podem ser confiáveis. 4 | 5 | No OWASP, você encontrará: 6 | 7 | - Ferramentas e padrões de segurança de aplicações 8 | - Pesquisa de ponta 9 | - Bibliotecas e controles de segurança padrão 10 | - Livros completos sobre testes de segurança de aplicações, desenvolvimento de código seguro e revisão de código seguro 11 | - Apresentações e [vídeos](https://www.youtube.com/user/OWASPGLOBAL) 12 | - [Cheat sheets](https://cheatsheetseries.owasp.org/) em muitos tópicos comuns 13 | - [Chapters meetings](https://owasp.org/chapters/) 14 | - [Eventos, trainamentos e conferências](https://owasp.org/events/). 15 | - [Google Groups](TBA) 16 | 17 | Saiba mais em: [https://www.owasp.org](https://www.owasp.org). 18 | 19 | Todas as ferramentas, documentos, vídeos, apresentações e capítulos do OWASP são gratuitos e abertos a qualquer pessoa interessada em melhorar a segurança de aplicações. 20 | 21 | Nós defendemos a abordagem da segurança de sistemas como um problema de pessoas, processos e tecnologia, porque as abordagens mais eficazes para a segurança de aplicativos requerem melhorias nessas áreas. 22 | 23 | OWASP é um novo tipo de organização. Nossa liberdade de pressões comerciais nos permite fornecer informações imparciais, práticas e econômicas sobre a segurança de aplicações. 24 | 25 | OWASP não é afiliado a nenhuma empresa de tecnologia, embora apoie o uso informado de tecnologia de segurança comercial. OWASP produz muitos tipos de materiais de forma colaborativa, transparente e aberta. 26 | 27 | A Fundação OWASP é a entidade sem fins lucrativos que garante o sucesso do projeto a longo prazo. Quase todos os associados ao OWASP são voluntários, incluindo o conselho do OWASP, líderes de capítulo, líderes de projeto e membros do projeto. Apoiamos pesquisas inovadoras de segurança com subsídios e infraestrutura. 28 | 29 | Junte-se a nós! 30 | 31 | ## Copyright e Licença 32 | 33 | ![licença](assets/license.png) 34 | 35 | Copyright © 2003-2021 The OWASP&tm; Foundation. Este documento foi lançado sob o Creative Commons Attribution Share-Alike 4.0 license. Para qualquer reutilização ou distribuição, você deve deixar claro para os outros os termos de licença desta obra. 36 | -------------------------------------------------------------------------------- /2021/docs/A00-about-owasp.zh_CN.md: -------------------------------------------------------------------------------- 1 | # 关于 OWASP 2 | 3 | The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. 4 | 5 | At OWASP, you'll find free and open: 6 | 7 | - Application security tools and standards 8 | - Cutting edge research 9 | - Standard security controls and libraries 10 | - Complete books on application security testing, secure code development, and secure code review 11 | - Presentations and [videos](https://www.youtube.com/user/OWASPGLOBAL) 12 | - [Cheat sheets](https://cheatsheetseries.owasp.org/) on many common topics 13 | - [Chapters meetings](https://owasp.org/chapters/) 14 | - [Events, training, and conferences](https://owasp.org/events/). 15 | - [Google Groups](TBA) 16 | 17 | Learn more at: [https://www.owasp.org](https://www.owasp.org). 18 | 19 | All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. 20 | 21 | We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in these areas. 22 | 23 | OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, and cost-effective information about application security. 24 | 25 | OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative, transparent, and open way. 26 | 27 | The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP board, chapter leaders, project leaders, and project members. We support innovative security research with grants and infrastructure. 28 | 29 | Come join us! 30 | 31 | ## Copyright and License 32 | 33 | ![license](assets/license.png) 34 | 35 | Copyright © 2003-2021 The OWASP&tm; Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 36 | -------------------------------------------------------------------------------- /2021/docs/A00-about-owasp.zh_TW.md: -------------------------------------------------------------------------------- 1 | # 關於 OWASP 2 | 3 | The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. 4 | 5 | At OWASP, you'll find free and open: 6 | 7 | - Application security tools and standards 8 | - Cutting edge research 9 | - Standard security controls and libraries 10 | - Complete books on application security testing, secure code development, and secure code review 11 | - Presentations and [videos](https://www.youtube.com/user/OWASPGLOBAL) 12 | - [Cheat sheets](https://cheatsheetseries.owasp.org/) on many common topics 13 | - [Chapters meetings](https://owasp.org/chapters/) 14 | - [Events, training, and conferences](https://owasp.org/events/). 15 | - [Google Groups](TBA) 16 | 17 | Learn more at: [https://www.owasp.org](https://www.owasp.org). 18 | 19 | All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. 20 | 21 | We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in these areas. 22 | 23 | OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, and cost-effective information about application security. 24 | 25 | OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many types of materials in a collaborative, transparent, and open way. 26 | 27 | The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP board, chapter leaders, project leaders, and project members. We support innovative security research with grants and infrastructure. 28 | 29 | Come join us! 30 | 31 | ## Copyright and License 32 | 33 | ![license](assets/license.png) 34 | 35 | Copyright © 2003-2021 The OWASP&tm; Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. 36 | -------------------------------------------------------------------------------- /2021/docs/A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.zh_CN.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.zh_CN.md -------------------------------------------------------------------------------- /2021/docs/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.zh_CN.md: -------------------------------------------------------------------------------- 1 | # 如何将 OWASP Top 10 2021 做为标准使用 2 | 3 | OWASP Top 10 最主要是一个提升意识及资安认知形态的文件。但是,从 2003 年开始,这并沒有让任何的企业或组织停止使用它当作预设的应用安全标准。如果你想要用使用 OWASP Top 10 当作程式设计或是验证测试的一个标准,要先知道这只是一个最低限度的指标并且也只是一个开始。 4 | 5 | 使用 OWASP Top 10 作为标准的困难之一是我们记录了应用安全风险,而不一定是容易测试的问题。例如,A04:2021-Insecure Design 超出了大多数能够被测试及被验证的范围。 另一个例子是要测试有效的就地、被使用中的测试记录和监控机制只能透过面谈和要求抽样有效的资安事件鉴识案例。 一个靜态原始码分析工具可以找出日志记录的缺失,但可能无法确定业务逻辑或存取控制是否在日志记录中记录了有关重要安全漏洞的日志。 滲透测试人员可能只能确定他们在测试环境中测试时有确实的执行了资安事件鉴识,在实际的实体环境中却有可能沒有做到相同的标准。 6 | 7 | 以下是我们建议在什么时候可以使用 OWASP Top 10: 8 | 9 | | 使用案例 | OWASP Top 10 2021 | OWASP 应用安全验证标准 (ASVS) | 10 | | ------------ | :---------------: | :---------------------------: | 11 | | 认知性 | 是 | | 12 | | 教育训练 | 基础 | 完整 | 13 | | 设计及架构 | 偶尔 | 可以 | 14 | | 程式标准 | 最低限度 | 可以 | 15 | | 安全程式验证 | 最低限度 | 可以 | 16 | | 同行评审清单 | 最低限度 | 可以 | 17 | | 单元测试 | 偶而可以 | 可以 | 18 | | 整合测试 | 偶而可以 | 可以 | 19 | | 滲透测试 | 最低限度 | 可以 | 20 | | 支援工具 | 最低限度 | 可以 | 21 | | 安全供应链 | 偶而可以 | 可以 | 22 | 23 | 我们鼓励任何希望能套用应用安全标准的人可以利用 OWASP 应用安全验证标准(ASVS),因为它本身的设计就是可被测试及验证的,并可以在安全软体开发生命周期的所有阶段都可被运用。 24 | 25 | ASVS 也是唯一工具提供者能被接受的选择。测试工具沒办法全面的侦测,测试,或保护 OWASP Top 10 当中的一些項目。是因为 OWASP Top 10 的风险类別的区分有一部分也是跟 A04:2021-不安全的设计有所相关。OWASP 強烈不建议用 OWASP Top 10 去涵盖所有的安全规范及需求,因为这本身就不是真的。 26 | -------------------------------------------------------------------------------- /2021/docs/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.zh_TW.md: -------------------------------------------------------------------------------- 1 | # 如何將 OWASP Top 10 2021 做為標準使用 2 | 3 | OWASP Top 10 最主要是一個提升意識及資安認知形態的文件。但是,從 2003 年開始,這並沒有讓任何的企業或組織停止使用它當作預設的應用安全標準。如果你想要用使用 OWASP Top 10 當作程式設計或是驗證測試的一個標準,要先知道這只是一個最低限度的指標並且也只是一個開始。 4 | 5 | 使用 OWASP Top 10 作為標準的困難之一是我們記錄了應用安全風險,而不一定是容易測試的問題。例如,A04:2021-Insecure Design 超出了大多數能夠測被試及被驗證的範圍。 另一個例子是要測試有效的就地、被使用中的測試記錄和監控機制只能透過面談和要求抽樣有效的資安事件鑑識案例。 一個靜態原始碼分析工具可以找出日誌記錄的缺失,但可能無法確定業務邏輯或存取控制是否在日誌記錄中記錄了有關重要安全漏洞的日誌。 滲透測試人員可能只能確定他們在測試環境中測試時有確實的執行了資安事件鑑識,在實際的實體環境中卻有可能沒有做到相同的標準。 6 | 7 | 以下是我們建議在什麼時候可以使用 OWASP Top 10: 8 | 9 | | 使用案例 | OWASP Top 10 2021 | OWASP 應用安全驗證標準 (ASVS) | 10 | |-------------------------|:-------------------:|:--------------------------------------------------:| 11 | | 認知性 | 是 | | 12 | | 教育訓練 | 基礎 | 完整 | 13 | | 設計及架構 | 偶爾 | 可以 | 14 | | 程式標準 | 最低限度 | 可以 | 15 | | 安全程式驗證 | 最低限度 | 可以 | 16 | | 同行評審清單 | 最低限度 | 可以 | 17 | | 單元測試 | 偶而可以 | 可以 | 18 | | 整合測試 | 偶而可以 | 可以 | 19 | | 滲透測試 | 最低限度 | 可以 | 20 | | 支援工具 | 最低限度 | 可以 | 21 | | 安全供應鏈 | 偶而可以 | 可以 | 22 | 23 | 我們鼓勵任何希望能套用應用安全標準的人可以利用 OWASP 應用安全驗證標準(ASVS),因為它本身的設計就是可被測試及驗證的,並可以在安全軟體開發生命週期的所有階段都可被運用。 24 | 25 | ASVS 也是唯一工具提供者能被接受的選擇。測試工具沒辦法全面的偵測,測試,或保護 OWASP Top 10 當中的一些項目。是因為 OWASP Top 10 的風險類別的區分有一部分也是跟 A04:2021-不安全的設計有所相關。OWASP 強烈不建議用 OWASP Top 10 去函蓋所有的安全規範及需求,因為這本身就不是真的。 26 | -------------------------------------------------------------------------------- /2021/docs/ar/assets/OWASP_Logo_Transp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/OWASP_Logo_Transp.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/OWASP_logo.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Broken_Access_Control.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Broken_Access_Control.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Crypto_Failures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Crypto_Failures.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Identification_and_Authentication_Failures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Identification_and_Authentication_Failures.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Injection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Injection.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Insecure_Design.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Insecure_Design.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Insecure_Design_100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Insecure_Design_100.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_SSRF.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_SSRF.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Security_Logging_and_Monitoring_Failures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Security_Logging_and_Monitoring_Failures.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Security_Misconfiguration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Security_Misconfiguration.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Software_and_Data_Integrity_Failures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Software_and_Data_Integrity_Failures.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_Icons_Final_Vulnerable_Outdated_Components.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_Icons_Final_Vulnerable_Outdated_Components.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/TOP_10_logo_Final_Logo_Colour.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/TOP_10_logo_Final_Logo_Colour.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/front-cc.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/front-wasp.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/image1.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/image2.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/license.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/mapping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/mapping.png -------------------------------------------------------------------------------- /2021/docs/ar/assets/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /2021/docs/ar/assets/securecodewarrior.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/ar/assets/securecodewarrior.png -------------------------------------------------------------------------------- /2021/docs/assets/JustEat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/JustEat.png -------------------------------------------------------------------------------- /2021/docs/assets/OWASP_Logo_Transp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/OWASP_Logo_Transp.png -------------------------------------------------------------------------------- /2021/docs/assets/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/OWASP_logo.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Broken_Access_Control.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Broken_Access_Control.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Crypto_Failures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Crypto_Failures.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Identification_and_Authentication_Failures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Identification_and_Authentication_Failures.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Injection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Injection.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Insecure_Design.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Insecure_Design.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Insecure_Design_100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Insecure_Design_100.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_SSRF.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_SSRF.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Security_Logging_and_Monitoring_Failures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Security_Logging_and_Monitoring_Failures.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Security_Misconfiguration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Security_Misconfiguration.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Software_and_Data_Integrity_Failures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Software_and_Data_Integrity_Failures.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_Icons_Final_Vulnerable_Outdated_Components.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_Icons_Final_Vulnerable_Outdated_Components.png -------------------------------------------------------------------------------- /2021/docs/assets/TOP_10_logo_Final_Logo_Colour.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/TOP_10_logo_Final_Logo_Colour.png -------------------------------------------------------------------------------- /2021/docs/assets/Top10Mapping.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/Top10Mapping.xlsx -------------------------------------------------------------------------------- /2021/docs/assets/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/front-cc.png -------------------------------------------------------------------------------- /2021/docs/assets/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/front-wasp.png -------------------------------------------------------------------------------- /2021/docs/assets/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/image1.png -------------------------------------------------------------------------------- /2021/docs/assets/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/image2.png -------------------------------------------------------------------------------- /2021/docs/assets/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/license.png -------------------------------------------------------------------------------- /2021/docs/assets/mapping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/mapping.png -------------------------------------------------------------------------------- /2021/docs/assets/securecodewarrior.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/assets/securecodewarrior.png -------------------------------------------------------------------------------- /2021/docs/es/assets/Top10Mapping-es.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/es/assets/Top10Mapping-es.xlsx -------------------------------------------------------------------------------- /2021/docs/es/assets/mapping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/es/assets/mapping.png -------------------------------------------------------------------------------- /2021/docs/pt_BR/assets/2017to2021.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/pt_BR/assets/2017to2021.png -------------------------------------------------------------------------------- /2021/docs/pt_BR/assets/TOP_10_logo_Final_Logo_Colour.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/pt_BR/assets/TOP_10_logo_Final_Logo_Colour.png -------------------------------------------------------------------------------- /2021/docs/pt_BR/assets/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/pt_BR/assets/image1.png -------------------------------------------------------------------------------- /2021/docs/zh_TW/assets/OWASP_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/zh_TW/assets/OWASP_logo.png -------------------------------------------------------------------------------- /2021/docs/zh_TW/assets/front-cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/zh_TW/assets/front-cc.png -------------------------------------------------------------------------------- /2021/docs/zh_TW/assets/front-wasp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/zh_TW/assets/front-wasp.png -------------------------------------------------------------------------------- /2021/docs/zh_TW/assets/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/zh_TW/assets/image1.png -------------------------------------------------------------------------------- /2021/docs/zh_TW/assets/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/zh_TW/assets/image2.png -------------------------------------------------------------------------------- /2021/docs/zh_TW/assets/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/zh_TW/assets/license.png -------------------------------------------------------------------------------- /2021/docs/zh_TW/assets/mapping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/2021/docs/zh_TW/assets/mapping.png -------------------------------------------------------------------------------- /2021/requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | feedgen 3 | wheel 4 | mkdocs 5 | mkdocs-material 6 | pymdown-extensions 7 | Pygments 8 | mkdocs-static-i18n<=0.56,>=0.40 9 | mkdocs-macros-plugin 10 | dacite 11 | git+https://github.com/OWASP/OSIB.git#subdirectory=mkdocs_macro_osib_package 12 | -------------------------------------------------------------------------------- /2024/Data/sample-data-submission.csv: -------------------------------------------------------------------------------- 1 | NumberofAppsTested,CWE,NumberofAppsPer,TimePeriod,ContributorName,ContributorContactEmail,TypeofTesting,PrimaryLanguage,Region,Industry,Retest 2 | 100,20,53,2021,Name,Email,TAH,.NET,North America,Retail,F 3 | 100,20,10,2022,Name,Email,TAH,.NET,North America,Technology,F 4 | 100,20,30,2023,Name,Email,TAH,PHP,North America,Technology,F 5 | 100,425,5,2021,Name,Email,TAH,.NET,North America,Retail,F 6 | -------------------------------------------------------------------------------- /2024/Data/sample-data-submission.json: -------------------------------------------------------------------------------- 1 | { 2 | "contributions":{ 3 | "appData" : 4 | { 5 | "appsSubmitted":100 6 | }, 7 | "cwe":[ 8 | { 9 | "id":20, 10 | "occurances":53, 11 | "timePeriod":2021, 12 | "language":".NET", 13 | "region":"North America", 14 | "industry":"Retail", 15 | "retest":"F", 16 | "testingType":"TAH" 17 | }, 18 | { 19 | "id":20, 20 | "occurances":10, 21 | "timePeriod":2022, 22 | "language":".NET", 23 | "region":"North America", 24 | "industry":"Technology", 25 | "retest":"F", 26 | "testingType":"TAH" 27 | }, 28 | { 29 | "id":20, 30 | "occurances":30, 31 | "timePeriod":2023, 32 | "language":"PHP", 33 | "region":"North America", 34 | "industry":"Technology", 35 | "retest":"F", 36 | "testingType":"TAH" 37 | }, 38 | { 39 | "id":425, 40 | "occurances":5, 41 | "timePeriod":2021, 42 | "language":".NET", 43 | "region":"North America", 44 | "industry":"Retail", 45 | "retest":"F", 46 | "testingType":"TAH" 47 | } 48 | ], 49 | "contributor":{ 50 | "name":"First Last", 51 | "email":"name@owasp.org" 52 | } 53 | } 54 | } -------------------------------------------------------------------------------- /2024/Presentations/README.md: -------------------------------------------------------------------------------- 1 | Folder for presentations on Top 10 2024 -------------------------------------------------------------------------------- /2024/docs/README.md: -------------------------------------------------------------------------------- 1 | Folder for site documents -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | We encourage anyone to contribute issues, feedback and so on via logging an issue. Once the OWASP Top 10 has been released, it might be a while before that feedback is incorporated into the next version (up to 3 years). 4 | 5 | ## Translations 6 | 7 | If you are interested in translating the OWASP Top 10, please contact @owasptop10 on Twitter - someone else might already be working on your language, and you can help that effort instead of doing it over. Generally, we will create a project for you, or you can fork the main repo and provide us a pull request once you're done. To maintain traceability, we do ask that you translate the markdown as well, as that's what is included in the Wiki version. 8 | 9 | ## Forking 10 | 11 | You are more than welcome to fork the OWASP Top 10, but please abide by the Creative Commons BY-SA 4.0 license. 12 | 13 | ## Pull requests 14 | 15 | We welcome pull requests for fixes, but again, it might be a while before we accept any changes to the final version of the OWASP Top 10. 16 | -------------------------------------------------------------------------------- /Index.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | 4 | 5 | *Icons beside the cheat sheet name indicate in which language(s) code snippet(s) are provided.* 6 | 7 | [A](Index.md#a) [B](Index.md#b) [C](Index.md#c) [D](Index.md#d) [E](Index.md#e) [F](Index.md#f) [H](Index.md#h) [I](Index.md#i) [J](Index.md#j) [K](Index.md#k) [L](Index.md#l) [M](Index.md#m) [N](Index.md#n) [O](Index.md#o) [P](Index.md#p) [Q](Index.md#q) [R](Index.md#r) [S](Index.md#s) [T](Index.md#t) [U](Index.md#u) [V](Index.md#v) [W](Index.md#w) [X](Index.md#x) 8 | 9 | ## A 10 | 11 | [A00 - About OWASP](2021\en\A00-about-owasp.md) 12 | [A01 - Broken Access Control](./2021/en/) 13 | 14 | ## B 15 | 16 | [A01 - Broken Access Control](./2021/en/) 17 | 18 | ## C 19 | 20 | [A02 - Cryptographic Failures](2021\en\A02_2021-Cryptographic_Failures.md) 21 | ## D 22 | 23 | 24 | 25 | ## E 26 | 27 | 28 | 29 | ## F 30 | 31 | []() 32 | 33 | ## H 34 | 35 | 36 | 37 | ## I 38 | 39 | [A00 - Introduction](2021\en\A00_2021-Introduction.md) 40 | [A03 - Injection](2021\en\A03_2021-Injection.md) 41 | [A04 - Insecure design](2021\en\A04_2021-Insecure_Design.md) 42 | [A07 - Identification and Authentication Failures](2021\en\A07_2021-Identification_and_Authentication_Failures.md) 43 | 44 | ## J 45 | 46 | 47 | 48 | ## K 49 | 50 | 51 | 52 | ## L 53 | 54 | 55 | 56 | ## M 57 | 58 | 59 | 60 | ## N 61 | 62 | [A11 - Next Steps](2021/en/A11_2021-Next_Steps.md) 63 | 64 | ## O 65 | 66 | 67 | ## P 68 | 69 | 70 | 71 | ## Q 72 | 73 | 74 | 75 | ## R 76 | 77 | 78 | 79 | ## S 80 | 81 | [A05 - Security Misconfiguration](2021\en\A05_2021-Security_Misconfiguration.md) 82 | [A08 - Software and Data Integrity](2021\en\A08_2021-Software_and_Data_Integrity_Failures.md) 83 | [A09 - Security Logging and Monitoring](2021\en\A09_2021-Security_Logging_and_Monitoring_Failures.md) 84 | [A10 - Server Side Request Forgery](2021\en\A10_2021-Server-Side_Request_Forgery_(SSRF).md) 85 | 86 | 87 | ## T 88 | 89 | 90 | 91 | ## U 92 | 93 | 94 | 95 | ## V 96 | 97 | [A06 - Vulnerable and Outdated Components](2021\en\A06_2021-Vulnerable_and_Outdated_Components.md) 98 | 99 | ## W 100 | 101 | 102 | 103 | ## X 104 | 105 | 106 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: help 2 | .SILENT: 3 | 4 | help: 5 | @grep -E '^[a-zA-Z_-]+:.*?# .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?# "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 6 | 7 | install-python-requirements: # Install Python 3 required libraries 8 | python3 -m pip install -r requirements.txt 9 | 10 | generate-site: # Use custom-script to generate the website 11 | (cd scripts && bash Generate_Site_mkDocs.sh) 12 | 13 | serve: # Start's a Python http.server on port 8000 serving the content of ./generated/site 14 | python3 -m http.server -d generated/site 15 | -------------------------------------------------------------------------------- /Preface.md: -------------------------------------------------------------------------------- 1 | ![OWASPHeader](assets/Preface_Cheatsheet_Header.png) 2 | 3 | ![ProjectLogoOfficial](assets/Preface_Cheatsheet_Logo.png) 4 | 5 | The **OWASP Cheat Sheet Series** was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. 6 | 7 | We hope that this project provides you with excellent security guidance in an easy to read format. :smile: 8 | 9 | You can download this site [here](bundle.zip). 10 | 11 | An ATOM feed is available [here](News.xml) with the latest updates. 12 | 13 | Project leaders: 14 | 15 | - Neil Smithline [@neil-smithline](https://github.com/Neil-Smithline) 16 | - Brian Glas [@infosecdad](https://github.com/infosecdad) 17 | - Torsten Gigler [@sslHello](https://github.com/sslHello) 18 | - Andrew van der Stock [@vanderaj](https://github.com/vanderaj) 19 | 20 | Authors (2021) 21 | 22 | - [Orange Tsai](https://twitter.com/orange_8361) 23 | 24 | Project links: 25 | 26 | - [Homepage](https://owasp.org/www-project-top-ten/) 27 | - [GitHub repository](https://github.com/OWASP/Top10) 28 | - [How to contribute?](https://github.com/OWASP/Top10/blob/master/CONTRIBUTING.md) 29 | - [Logo](TBA) 30 | -------------------------------------------------------------------------------- /Project.code-workspace: -------------------------------------------------------------------------------- 1 | { 2 | "folders": [ 3 | { 4 | "path": "." 5 | } 6 | ], 7 | "settings": {} 8 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Top10 2 | 3 | Official OWASP Top 10 Document Repository 4 | 5 | ## OWASP Top 10 2021 - RELEASED 6 | 7 | Please log any [feedback, comments, or log issues](https://github.com/OWASP/Top10/issues) here. 8 | 9 | ## OWASP Top 10 2017 - SUPERSEDED 10 | 11 | We have released the OWASP Top 10 - 2017 (Final) 12 | 13 | - [OWASP Top 10 2017 (PPTX)](https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pptx) 14 | - [OWASP Top 10 2017 (PDF)](https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf) 15 | 16 | ## OWASP Top 10 Leadership 17 | 18 | There are currently four co-leaders for the OWASP Top 10. We meet every Friday at 1 pm US PDT to discuss the project. If you want to join that call, please contact us. It's really not that exciting. 19 | 20 | - [Andrew van der Stock](mailto:vanderaj@owasp.org) (twitter: [@vanderaj](https://twitter.com/vanderaj)) 21 | - [Brian Glas](mailto:brian.glas@owasp.org) (twitter: [@infosecdad](https://twitter.com/infosecdad)) 22 | - [Neil Smithline](mailto:neil.smithline@owasp.org) (twitter: [@appsecneil](https://twitter.com/appsecneil)) 23 | - [Torsten Gigler](mailto:torsten.gigler@owasp.org) (twitter: [@torsten_tweet](https://twitter.com/torsten_tweet)) 24 | 25 | ## OWASP Top 10 References 26 | 27 | - [OWASP Top 10 Project Page](https://owasp.org/www-project-top-ten) 28 | - [OWASP 2017 Summit Outcomes](https://owaspsummit.org/Outcomes/Owasp-Top-10-2017/Owasp-Top-10-2017.html) 29 | 30 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-time-machine -------------------------------------------------------------------------------- /archives/OWASPWebApplicationSecurityTopTen-Version1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/archives/OWASPWebApplicationSecurityTopTen-Version1.pdf -------------------------------------------------------------------------------- /archives/OWASP_Top_Ten_2004.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/archives/OWASP_Top_Ten_2004.pdf -------------------------------------------------------------------------------- /archives/README.md: -------------------------------------------------------------------------------- 1 | # OWASP Top 10 Archives 2 | 3 | ## Releases 4 | 5 | * 2021 6 | 7 | * 2017 8 | 9 | * 2013 10 | 11 | * 2010 12 | 13 | * 2007 14 | 15 | * 2004 16 | 17 | * 2003 18 | -------------------------------------------------------------------------------- /book.json: -------------------------------------------------------------------------------- 1 | { 2 | "root": "./2021/docs", 3 | "plugins": [ 4 | "anchors" 5 | ], 6 | "structure": { 7 | "readme": "Preface.md", 8 | "summary": "0x00-toc.md" 9 | }, 10 | "title": "OWASP Top 10 2021 (DRAFT)", 11 | "language": "en", 12 | "description": "Draft version of the Top 10 2021." 13 | } -------------------------------------------------------------------------------- /generated/cheatsheets/Glossary.md: -------------------------------------------------------------------------------- 1 | Title: Index Alphabetical 2 | # Introduction 3 | 4 | 5 | 6 | *Icons beside the cheat sheet name indicate in which language(s) code snippet(s) are provided.* 7 | 8 | [A](Glossary.md#a) [B](Glossary.md#b) [C](Glossary.md#c) [D](Glossary.md#d) [E](Glossary.md#e) [F](Glossary.md#f) [H](Glossary.md#h) [I](Glossary.md#i) [J](Glossary.md#j) [K](Glossary.md#k) [L](Glossary.md#l) [M](Glossary.md#m) [N](Glossary.md#n) [O](Glossary.md#o) [P](Glossary.md#p) [Q](Glossary.md#q) [R](Glossary.md#r) [S](Glossary.md#s) [T](Glossary.md#t) [U](Glossary.md#u) [V](Glossary.md#v) [W](Glossary.md#w) [X](Glossary.md#x) 9 | 10 | ## A 11 | 12 | [A00 - About OWASP](2021\en\A00-about-owasp.md) 13 | [A01 - Broken Access Control](./2021/en/) 14 | 15 | ## B 16 | 17 | [A01 - Broken Access Control](./2021/en/) 18 | 19 | ## C 20 | 21 | [A02 - Cryptographic Failures](2021\en\A02_2021-Cryptographic_Failures.md) 22 | ## D 23 | 24 | 25 | 26 | ## E 27 | 28 | 29 | 30 | ## F 31 | 32 | []() 33 | 34 | ## H 35 | 36 | 37 | 38 | ## I 39 | 40 | [A00 - Introduction](2021\en\A00_2021-Introduction.md) 41 | [A03 - Injection](2021\en\A03_2021-Injection.md) 42 | [A04 - Insecure design](2021\en\A04_2021-Insecure_Design.md) 43 | [A07 - Identification and Authentication Failures](2021\en\A07_2021-Identification_and_Authentication_Failures.md) 44 | 45 | ## J 46 | 47 | 48 | 49 | ## K 50 | 51 | 52 | 53 | ## L 54 | 55 | 56 | 57 | ## M 58 | 59 | 60 | 61 | ## N 62 | 63 | [A11 - Next Steps](2021/en/A11_2021-Next_Steps.md) 64 | 65 | ## O 66 | 67 | 68 | ## P 69 | 70 | 71 | 72 | ## Q 73 | 74 | 75 | 76 | ## R 77 | 78 | 79 | 80 | ## S 81 | 82 | [A05 - Security Misconfiguration](2021\en\A05_2021-Security_Misconfiguration.md) 83 | [A08 - Software and Data Integrity](2021\en\A08_2021-Software_and_Data_Integrity_Failures.md) 84 | [A09 - Security Logging and Monitoring](2021\en\A09_2021-Security_Logging_and_Monitoring_Failures.md) 85 | [A10 - Server Side Request Forgery](2021\en\A10_2021-Server-Side_Request_Forgery_(SSRF).md) 86 | 87 | 88 | ## T 89 | 90 | 91 | 92 | ## U 93 | 94 | 95 | 96 | ## V 97 | 98 | [A06 - Vulnerable and Outdated Components](2021\en\A06_2021-Vulnerable_and_Outdated_Components.md) 99 | 100 | ## W 101 | 102 | 103 | 104 | ## X 105 | 106 | 107 | -------------------------------------------------------------------------------- /generated/cheatsheets/index.md: -------------------------------------------------------------------------------- 1 | Title: Introduction 2 | ![OWASPHeader](assets/Preface_Cheatsheet_Header.png) 3 | 4 | ![ProjectLogoOfficial](assets/Preface_Cheatsheet_Logo.png) 5 | 6 | The **OWASP Cheat Sheet Series** was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. 7 | 8 | We hope that this project provides you with excellent security guidance in an easy to read format. :smile: 9 | 10 | You can download this site [here](bundle.zip). 11 | 12 | An ATOM feed is available [here](News.xml) with the latest updates. 13 | 14 | Project leaders: 15 | 16 | - Neil Smithline [@neil-smithline](https://github.com/Neil-Smithline) 17 | - Brian Glas [@infosecdad](https://github.com/infosecdad) 18 | - Torsten Gigler [@sslHello](https://github.com/sslHello) 19 | - Andrew van der Stock [@vanderaj](https://github.com/vanderaj) 20 | 21 | Authors (2021) 22 | 23 | - [Orange Tsai](https://twitter.com/orange_8361) 24 | 25 | Project links: 26 | 27 | - [Homepage](https://owasp.org/www-project-top-ten/) 28 | - [GitHub repository](https://github.com/OWASP/Top10) 29 | - [How to contribute?](https://github.com/OWASP/Top10/blob/master/CONTRIBUTING.md) 30 | - [Logo](TBA) 31 | -------------------------------------------------------------------------------- /generated/mkdocs.yml: -------------------------------------------------------------------------------- 1 | # Project information 2 | site_name: OWASP Top 10 3 | site_url: https://owasp.org/Top10 4 | site_description: OWASP Top 10 2021 Draft 5 | # Repository 6 | repo_name: OWASP/Top10 7 | repo_url: https://github.com/OWASP/Top10 8 | edit_uri: "" 9 | 10 | # Copyright 11 | copyright: © Copyright 2021 - OWASP Top 10 team - This work is licensed under a Creative Commons Attribution 3.0 Unported License. 12 | 13 | #Config 14 | docs_dir: 2021/docs 15 | google_analytics: 16 | - !!python/object/apply:os.getenv ["WORKFLOW_GOOGLE_ANALYTICS_KEY", "none"] 17 | - auto 18 | use_directory_urls: false 19 | plugins: 20 | - search: 21 | # prebuild_index: true 22 | lang: 23 | - en 24 | #For read the docs 25 | # theme: 26 | # name: readthedocs 27 | # custom_dir: custom_theme/ 28 | # highlightjs: true 29 | # sticky_navigation: false 30 | # markdown_extensions: 31 | # - pymdownx.emoji: 32 | # emoji_index: !!python/name:pymdownx.emoji.twemoji 33 | # emoji_generator: !!python/name:pymdownx.emoji.to_alt 34 | # - toc: 35 | # permalink: true 36 | 37 | #For material 38 | theme: 39 | name: material 40 | custom_dir: custom_theme/ 41 | favicon: assets/WebSite_Favicon.png 42 | logo: "assets/OWASP_Logo_Transp.png" 43 | markdown_extensions: 44 | - pymdownx.highlight 45 | - pymdownx.superfences # Required by Pygments 46 | - pymdownx.inlinehilite 47 | - pymdownx.emoji: 48 | emoji_index: !!python/name:pymdownx.emoji.twemoji 49 | emoji_generator: !!python/name:pymdownx.emoji.to_svg 50 | - toc: 51 | permalink: true 52 | -------------------------------------------------------------------------------- /markdown-link-check-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ignorePatterns": [ 3 | { 4 | "pattern": "^bundle.zip" 5 | }, 6 | { 7 | "pattern": "^News.xml" 8 | }, 9 | { 10 | "pattern": "^/" 11 | }, 12 | { 13 | "pattern": "vincent.bernat.im" 14 | }, 15 | { 16 | "pattern": "developer.android.com" 17 | }, 18 | { 19 | "pattern": "csrc.nist.gov" 20 | }, 21 | { 22 | "pattern": "www.exploit-db.com" 23 | } 24 | ], 25 | "httpHeaders": [ 26 | { 27 | "urls": ["https://", "http://"], 28 | "headers": { 29 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" 30 | } 31 | } 32 | ] 33 | } 34 | -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | # Project information 2 | site_name: OWASP Top 10 3 | site_url: https://owasp.org/Top10 4 | site_description: OWASP Top 10 2021 Draft 5 | # Repository 6 | repo_name: OWASP/Top10 7 | repo_url: https://github.com/OWASP/Top10 8 | edit_uri: "" 9 | 10 | # Copyright 11 | copyright: © Copyright 2021 - OWASP Top 10 team - This work is licensed under a Creative Commons Attribution 3.0 Unported License. 12 | 13 | #Config 14 | docs_dir: 2021/docs 15 | google_analytics: 16 | - !!python/object/apply:os.getenv ["WORKFLOW_GOOGLE_ANALYTICS_KEY", "none"] 17 | - auto 18 | use_directory_urls: false 19 | plugins: 20 | - search: 21 | # prebuild_index: true 22 | lang: 23 | - en 24 | #For read the docs 25 | # theme: 26 | # name: readthedocs 27 | # custom_dir: custom_theme/ 28 | # highlightjs: true 29 | # sticky_navigation: false 30 | # markdown_extensions: 31 | # - pymdownx.emoji: 32 | # emoji_index: !!python/name:pymdownx.emoji.twemoji 33 | # emoji_generator: !!python/name:pymdownx.emoji.to_alt 34 | # - toc: 35 | # permalink: true 36 | 37 | #For material 38 | theme: 39 | name: material 40 | custom_dir: custom_theme/ 41 | favicon: assets/WebSite_Favicon.png 42 | logo: "assets/OWASP_Logo_Transp.png" 43 | markdown_extensions: 44 | - pymdownx.highlight 45 | - pymdownx.superfences # Required by Pygments 46 | - pymdownx.inlinehilite 47 | - pymdownx.emoji: 48 | emoji_index: !!python/name:pymdownx.emoji.twemoji 49 | emoji_generator: !!python/name:pymdownx.emoji.to_svg 50 | - toc: 51 | permalink: true 52 | -------------------------------------------------------------------------------- /osib/export/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/Top10/85362e6faa1b3af1e5ccb30de662283c6a447de0/osib/export/.gitkeep -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "owasptop10", 3 | "version": "1.0.0", 4 | "description": "OWASP CSS Project", 5 | "main": "index.js", 6 | "dependencies": {}, 7 | "devDependencies": { 8 | "markdownlint-cli": "^0.26.0", 9 | "textlint": "^11.6.3", 10 | "textlint-filter-rule-comments": "^1.2.2", 11 | "textlint-filter-rule-whitelist": "^2.0.0", 12 | "textlint-rule-terminology": "^2.1.4" 13 | }, 14 | "scripts": { 15 | "test": "npm run lint-markdown && npm run lint-terminology", 16 | "lint-terminology": "textlint ./2021/", 17 | "lint-markdown": "markdownlint ./2021/ --ignore node_modules", 18 | "link-check": "find 2021 -name \\*.md -exec markdown-link-check -c markdown-link-check-config.json 1> log 2> err {} \\; && if [ -e err ] && grep -q \"ERROR:\" err ; then exit 113 ; else echo -e \"All good\"; fi" 19 | }, 20 | "repository": { 21 | "type": "git", 22 | "url": "git+https://github.com/OWASP/Top10.git" 23 | }, 24 | "author": "OWASP", 25 | "license": "CC-BY-SA-4.0", 26 | "bugs": { 27 | "url": "https://github.com/OWASP/Top10/issues" 28 | }, 29 | "homepage": "https://github.com/OWASP/Top10#readme" 30 | } 31 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | feedgen 3 | wheel 4 | mkdocs 5 | mkdocs-material 6 | pymdown-extensions 7 | Pygments 8 | mkdocs-static-i18n<=0.56,>=0.40 9 | -------------------------------------------------------------------------------- /scripts/Apply_Link_Check.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Script in charge of auditing the released cheatsheets MD files 3 | # in order to detect dead links 4 | cd ../2021/en 5 | find . -name \*.md -exec markdown-link-check -c ../.markdownlinkcheck.json {} \; 1>../link-check-result.out 2>&1 6 | errors=`grep -c "ERROR:" ../link-check-result.out` 7 | content=`cat ../link-check-result.out` 8 | if [[ $errors != "0" ]] 9 | then 10 | echo "[!] Error(s) found by the Links validator: $errors CS have dead links !" 11 | exit $errors 12 | else 13 | echo "[+] No error found by the Links validator." 14 | fi -------------------------------------------------------------------------------- /scripts/Generate_CheatSheets_TOC.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Python3 script to generate the summary markdown page that is used 5 | by GitBook to generate the offline website. 6 | 7 | The summary markdown page is named "TOC.md" and is generated in the 8 | same location that the script in order to be moved later by the caller script. 9 | """ 10 | import os 11 | 12 | # Define templates 13 | cs_md_link_template = "* [%s](cheatsheets/%s)" 14 | 15 | # Scan all CS files 16 | cheatsheets = [f.name for f in os.scandir("../cheatsheets") if f.is_file()] 17 | cheatsheets.sort() 18 | 19 | # Generate the summary file 20 | with open("TOC.md", "w") as index_file: 21 | index_file.write("# Summary\n\n") 22 | index_file.write("### Cheatsheets\n\n") 23 | index_file.write(cs_md_link_template % ("Index Alphabetical", "Index.md")) 24 | index_file.write("\n") 25 | index_file.write(cs_md_link_template % ("Index ASVS", "IndexASVS.md")) 26 | index_file.write("\n") 27 | index_file.write(cs_md_link_template % ("Index Proactive Controls", "IndexProactiveControls.md")) 28 | index_file.write("\n") 29 | for cheatsheet in cheatsheets: 30 | if cheatsheet != "Index.md" and cheatsheet != "IndexASVS.md" and cheatsheet != "IndexProactiveControls.md" and cheatsheet != "TOC.md": 31 | cs_name = cheatsheet.replace("_"," ").replace(".md", "").replace("Cheat Sheet", "") 32 | index_file.write(cs_md_link_template % (cs_name, cheatsheet)) 33 | index_file.write("\n") 34 | print("Summary markdown page generated.") -------------------------------------------------------------------------------- /scripts/Generate_Site.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Dependencies: 3 | # sudo apt install -y nodejs 4 | # sudo npm install gitbook-cli -g 5 | # Note: 6 | # PDF generation is not possible because the content is cut in 7 | # some CS like for example the abuse case one 8 | GENERATED_SITE=site 9 | WORK=../generated 10 | echo "Generate a offline portable website with all the cheat sheets..." 11 | echo "Step 1/5: Init work folder." 12 | rm -rf $WORK 1>/dev/null 2>&1 13 | mkdir $WORK 14 | mkdir $WORK/top10 15 | echo "Step 2/5: Generate the summary markdown page and the RSS News feed." 16 | python Update_CheatSheets_Index.py 17 | python Generate_CheatSheets_TOC.py 18 | python Generate_RSS_Feed.py 19 | echo "Step 3/5: Create the expected GitBook folder structure." 20 | cp ../book.json $WORK/. 21 | cp ../Preface.md $WORK/top10/. 22 | mv TOC.md $WORK/top10/. 23 | mv News.xml $WORK/. 24 | cp -r ../top10 $WORK/top10/top10 25 | cp -r ../assets $WORK/top10/assets 26 | cp ../Index.md $WORK/top10/top10/Index.md 27 | sed -i 's/assets\//..\/assets\//g' $WORK/top10/top10/Index.md 28 | sed -i 's/cheatsheets\///g' $WORK/top10/top10/Index.md 29 | echo "Step 4/5: Generate the site." 30 | cd $WORK 31 | gitbook install --log=error 32 | gitbook build . $WORK/$GENERATED_SITE --log=info 33 | if [[ $? != 0 ]] 34 | then 35 | echo "Error detected during the generation of the site, generation failed!" 36 | exit 1 37 | fi 38 | # Move the generated RSS feed 39 | mv News.xml site/. 40 | # Replace the default favicon by the OWASP one 41 | # I did not achieve to find a stable and "trustable" gitbook plugin to do that 42 | # So I only replace the default images: https://www.npmjs.com/search?q=gitbook%20favicon 43 | cp ../assets/WebSite_Favicon.png site/gitbook/images/apple-touch-icon-precomposed-152.png 44 | cp ../assets/WebSite_Favicon.ico site/gitbook/images/favicon.ico 45 | echo "Step 5/5: Cleanup." 46 | rm -rf top10 47 | rm -rf node_modules 48 | rm book.json 49 | echo "Generation finished to the folder: $WORK/$GENERATED_SITE" --------------------------------------------------------------------------------