2 posts in 'Security_Study/웹자료'

The OWASP Top 10 2017 Release Candidate has been published. It is not final yet, but major changes seem unlikely.
There are no big changes from the 2013 version; some categories were merged and new ones were added.

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Broken Access Control (As it was in 2004)
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Insufficient Attack Protection (NEW)
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Underprotected APIs (NEW)

Compared with the OWASP Top 10 2013 version, the changes are as follows.

1. Merged items
Insecure Direct Object References and Missing Function Level Access Control were merged into 'Broken Access Control'.
Broken Access Control is a category that appeared in the OWASP Top 10 2003/2004 versions.

2. Added items
Insufficient Attack Protection
Underprotected APIs
These two items were added.
1) Insufficient Attack Protection: a weakness that arises when automated and manual attacks are not detected, responded to, and patched in a timely manner.
2) Underprotected APIs: a weakness that arises when access control, authentication, and similar protections are weak when using third-party APIs exposed through OpenAPI, JSON/XML, and the like.

3. Removed items
Unvalidated Redirects and Forwards was removed.

We will have to wait for the final version, but large changes from the current Release Candidate seem unlikely.
The original text is available at the following link.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2017_Release_Candidate


License: Attribution-NonCommercial-NoDerivatives
Author: Ryansecurity

Code Comparison: JavaScript vs. VBScript

Comments

JavaScript:
  // This is a comment.
  /* Multi-line
     comment. */

VBScript:
  'This is a comment.
  Rem So is this.  No multi-line comments.
Variables, Constants, and Arrays

JavaScript:
  var x, y
  var z = 10

  (No way to force variables to be declared)

  (No constants)

  var Vector = new Array(10)
  var Names = new Array()

  var Matrix = new Array(4)
  Matrix[0] = new Array(5)

  Vector[9] = 1.5
  Matrix[1][4] = 2

VBScript:
  Dim x, y
  Dim z  ' Can't assign on same line
  z = 10

  'Force all vars to be declared before being used.
  Option Explicit

  Const PI = 3.14

  Dim Vector(9)   ' 9 is last slot
  ' Can't do this - arrays must have upper bound

  Dim Matrix(3, 4)

  Vector(9) = 1.5
  Matrix(1, 4) = 2

Output

JavaScript:
  str = " there!"
  document.write("hello" + str)
  document.writeln("good\nbye")

  Response.Write(str)  // Server-side
  <%= str %>           // Another way

  alert("message")  // Client-side

VBScript:
  str = " there!"
  document.write "hello" & str
  document.writeln "good" & vbCr & "bye"

  Response.Write str     'Server-side
  <%= str %>             'Another way

  MsgBox "message"  'Client-side
Functions

JavaScript:
  function Add(a, b)
  {
    return a + b
  }

  (Variables are always passed by value.
   Only objects can be passed by reference.)

  sum = Add(1, 2)

VBScript:
  Function Add(ByVal x, ByVal y)
    Add = x + y
  End Function

  Sub Add2(ByVal x, ByVal y, ByRef ans)
    ans = x + y
  End Sub

  sum = Add(1, 2)
  Add2 1, 2, sum          'No () for Sub params
  Call Add2(1, 2, sum)    'Alternate call

Decisions

JavaScript:
  if (score == 100)
    alert("Great!")

  if (a == 1 || a == 5)
  {
    vector[a] = b
    c = 1
  }
  else if (a == 2)
    b--
  else
    b *= 2

  switch(x)
  {
    case 1: str = str + "end"
      break
    case 2:
    case 3: y = y * y * y
      break
    default: z = z / 2
  }

VBScript:
  If score = 100 Then _
    MsgBox "Great!"

  If a = 1 Or a = 5 Then
    vector(a) = b
    c = 1
  ElseIf a = 2 Then
    b = b - 1
  Else
    b = b * 2
  End If

  Select Case x
    Case 1
      str = str & "end"
    Case 2, 3
      y = y ^ 3
    Case 4 To 10
      '4 <= x <= 10
    Case Is >= 25
      'x >= 25
    Case Else   'Default
      z = z \ 2
  End Select

Loops

JavaScript:
  for (i = 1; i <= 5; i++)
    document.writeln(i)

  for (c = 2; c <= 10; c += 2)
    a += c

  for (var index in myArray)
    document.write(myArray[index])

  while (a < 10)
    a++

  do
    a++;
  while (a < 10)

VBScript:
  For i = 1 To 5
    document.writeln i
  Next

  For c = 2 To 10 Step 2
    a = a + c
  Next

  Dim element
  For Each element in myArray
    document.write element
  Next

  Do While a < 10
    a = a + 1
  Loop

  Do Until a = 10
    a = a + 1
  Loop

  Do
    a = a + 1
  Loop While a < 10

  Do
    a = a + 1
  Loop Until a = 10


Arithmetic Operators

JavaScript:
  + - * /
  % (mod)

VBScript:
  + - * /
  \  (integer division)
  Mod
  ^  (raising to a power)

Relational Operators

JavaScript:
  <  <=  >  >=  ==  !=

VBScript:
  <  <=  >  >=  =  <>

Logic Operators

JavaScript:
  &&  ||  !

VBScript:
  And  Not  Or  Xor
  Eqv  (Equivalent)
  Imp

Bitwise Operators

JavaScript:
  &  ~  |  ^  <<  >>

VBScript:
  And  Not  Or  Xor  (no shift left/right)

Strings

JavaScript:
  var x
  x = "HU"
  x = x + " is great!"

VBScript:
  Dim x
  x = "HU"
  x = x & " is great!"

VBScript String Functions

Function: StrConv
  Description: Used primarily to change the case of letters in the string. Can also do Unicode and other format changes.
  Example: x = StrConv("Test", vbUpperCase) --> "TEST"

Function: UCase, LCase
  Description: Returns the string converted to uppercase/lowercase.
  Example: x = UCase("Test") --> "TEST"

Function: Len
  Description: Returns the string length.
  Example: length = Len("a") + Len(x) --> 1 + 4

Function: LSet, RSet
  Description: Justifies chars in a fixed-length string to the left or right side.
  Example: RSet y = "right" --> " right"

Function: Left, Right
  Description: Returns the specified number of chars from the left-hand or right-hand side of the string.
  Example: x = Left("Harding", 4) --> "Hard"

Function: Mid
  Description: Returns a substring from a search string.
  Example: x = Mid("I love you.", 3, 4) --> "love"

Function: LTrim, RTrim, Trim
  Description: Returns a copy of the string with leading, trailing, or both leading and trailing spaces removed.
  Example: x = LTrim("  <-trim->  ") --> "<-trim->  "
           x = Trim("  <-trim->  ") --> "<-trim->"

Function: StrComp
  Description: Compares 2 strings. Returns -1 if str1 < str2, 1 if str1 > str2, 0 if the strings are equal.
  Example: r = StrComp("HU", "ACU") --> 1

Function: InStr
  Description: Searches a string for a substring and returns the integer position if found, 0 if not found.
  Example: r = InStr(1, "To be or not to be", "be") --> 4

Function: Asc, AscW
  Description: Asc returns the ASCII value of the given string. AscW returns the Unicode value.
  Example: n = Asc("A") --> 65
           n = AscW("A") --> 65

Function: Chr
  Description: Returns the string equivalent of the given ASCII value.
  Example: c = Chr(65) --> "A"

Function: Str
  Description: Converts a number to a string.
  Example: x = Str(459) --> " 459"

Function: Split
  Description: Returns an array of substrings produced by splitting a string on a delimiter.
  Example: myArray = Split("IxLovexVBScript!", "x")
           'myArray(0) --> "I"
           'myArray(1) --> "Love"
           'myArray(2) --> "VBScript!"

Function: StrReverse
  Description: Returns a reversed string.
  Example: x = StrReverse("VBScript") --> "tpircSBV"

