在OWASP TOP 10 2021年发布TOP 10中,比较好的给出了每类漏洞类型对应的CWE编号,这对于开发应用安全的厂商来说无疑是一件好事。 不过大家应该也可以看到,A1-A10都是给出了几种CWE,但是官方并没有给出比较全面的的对应关系,前面我的文档中有分析并给出来了,大家可以去参考。
| ID | 中文名称 | 英文名称 | CWE | TOP 25 |
| A01 | 失效的访问控制 | Broken Access Control | CWE 200 : Exposure of Sensitive Information to an Unauthorized Actor(将敏感信息泄漏给未经授权的参与者)、 | CWE top 25 |
| CWE-201: Exposure of Sensitive Information Through Sent Data(通过发送的数据泄漏敏感信息) |
| |||
| CWE-352: Cross-Site Request Forgery (跨站请求伪造) |
| |||
| A02 | 加密机制失效 | Cryptographic Failures | CWE-259: Use of Hard-coded Password (使用硬编码密码) |
|
| CWE-327: Broken or Risky Crypto Algorithm(损坏或有风险的加密算法) |
| |||
| CWE-331 Insufficient Entropy (熵不足) |
| |||
| A03 | 注入 | Injection | CWE-79: Cross-site Scripting(跨站点脚本) | CWE top 25 |
| CWE-89:SQL Injection(SQL注入) | CWE top 25 | |||
| CWE-73:External Control of File Name or Path(文件名或路径的外部控制) |
| |||
| A04 | 不安全设计 | Insecure Design | CWE209:Generation of Error Message Containing Sensitive Information(生成包含敏感信息的错误消息) |
|
| CWE-256:Unprotected Storage of Credentials(凭证的未保护存储) |
| |||
| CWE-501:Trust Boundary Violation(信任边界冲突) |
| |||
| CWE-522:Insufficiently Protected Credentials(凭证保护不足) | CWE top 25 | |||
| A05 | 安全配置错误 | Security Misconfigureation | CWE-16 Configuration(配置) |
|
| CWE-611Improper Restriction of XML External Entity Reference(XML 外部实体引用的不当限制) | CWE top 25 | |||
| A06 | 自带缺陷和过时的组件 | Vulnerable and Outdated Components | CWE-1104 Use of Unmaintained Third-Party |
|
| 2013年 |
| |||
| 2017年 |
| |||
| A07 | 身份识别和身份验证错误 | Identification and Authentication Failures | CWE-297: Improper Validation of Certificate with Host Mismatch(与不匹配 |
|
| CWE-287: Improper Authentication(不适当的认证) | CWE top 25 | |||
| CWE-384: Session Fixation(会话固定攻击) |
| |||
| A08 | 软件和数据完整性故障 | Software and Data Integrity Failures | CWE-829:Inclusion of Functionality from Untrusted Control Sphere(包含来自不受信任控制领域的功能) |
|
| CWE-494:Download of Code Without Integrity Check(不进行完整性检查的代码下载) |
| |||
| CWE-502:Deserialization of Untrusted Data(不可信数据的反序列化) | CWE top 25 | |||
| A09 | 安全日志和监控故障 | Security Logging and Monitoring Failures | CWE-117 Improper Output Neutralization for Logs(日志输出不当) |
|
| CWE-223 Omission of Security-relevant Information(安全事件信息漏报) |
| |||
| CWE-532 Insertion of Sensitive Information into Log File(在日志文件中包含敏感信息) |
| |||
| A10 | 服务器请求伪造 | Server-Side Request Forgery | CWE-918 Server-Side Request Forgery( SSRF) 服务端请求伪造 | CWE top 25 |
(结束)
)
)
)
