playframework owasp top 10


Question

I'm thinking about using Play for a large-scale project, so, has anyone battle-tested Play framework for OWASP Top 10? Are there any security problems you know of in Play framework?

Answer

On the OWASP Top 10 and Play (some info here):

  • A1: Injection

Uses JPA and escapes strings by default

  • A2: Cross-Site Scripting (XSS)

Since version 1.0.1, Play's template engine automatically escapes strings

  • A3: Broken Authentication and Session Management

Play is stateless, no session involved. Cookies are protected with cryptography. Storing data safely on the database (passwords) via hashing depends on the user, not the framework

  • A4: Insecure Direct Object References

Again this depends on the developer verifying access to allowed resources, not so much the framework

  • A5: Cross-Site Request Forgery (CSRF)

POST requests allow for authenticity tokens to prevent this. Of course this depends on the developer using GET/POST properly

  • A6: Security Misconfiguration

The default error reporting process seems safe on production (no stack trace leaks). The only concern would be the "catch all" entry in routes, but this should be commented out in production mode

  • A7: Insecure Cryptographic Storage

The developer is responsible for encrypting sensible information in the database

  • A8: Failure to Restrict URL Access

The developer must implement a security restriction (via @Before, like in the tutorial) to disallow access to forbidden pages.

  • A9: Insufficient Transport Layer Protection

Play supports SSL

  • A10: Unvalidated Redirects and Forwards

Play redirect is via 302, not hardcoded strings, which should prevent this.

TL;DR: In the parts where the framework can do all the work, Play does it. In the parts where the developer needs to do all the work, well, the developer needs to do all the work. In parts that need 50% of each, Play gives its 50%.

Let's put it this way: there is no reason why you should consider Play less safe than any other Java framework. In many cases you can consider it safer. And with Play being an easy-to-develop, stateless and REST framework, you get fewer chances to mess it up.
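As an added example (not code from the original answer or from the Play project), this is what the developer's share of A5 (CSRF) and A8 (URL access) looks like in a Play 1.x controller using the @Before interceptor the answer refers to; the `Admin` controller and the `User.connect()` / `User.findById()` model helpers are assumed names modelled on the tutorial.

```java
package controllers;

import play.mvc.Before;
import play.mvc.Controller;

// Constructed example (not code from the original answer or from Play itself):
// a Play 1.x controller that does the "developer's 50%" for A5 (CSRF) and A8
// (URL access) with the @Before interceptors the answer mentions.
public class Admin extends Controller {
    // A8: every action except the login pair requires an authenticated session.
    @Before(unless = {"login", "authenticate"})
    static void requireLogin() {
        if (session.get("username") == null) {
            // Remember only a server-observed path, then bounce to the login form.
            flash.put("url", "GET".equals(request.method) ? request.url : "/");
            login();
        }
    }

    // A5: state-changing requests must carry the token rendered by #{authenticityToken /}.
    @Before
    static void requireAuthenticityToken() {
        if (!"GET".equals(request.method) && !"HEAD".equals(request.method)) {
            checkAuthenticity(); // answers 403 Forbidden if the token is missing or wrong
        }
    }

    public static void login() {
        render(); // renders app/views/Admin/login.html with the login form
    }

    public static void authenticate(String username, String password) {
        // Assumed helper: User.connect() checks the password hash stored in the DB (A3/A7).
        if (User.connect(username, password) == null) {
            flash.error("Invalid username or password");
            login();
        }
        session.put("username", username);
        String url = flash.get("url");
        // A10: redirect to the path recorded above, never to a caller-supplied URL.
        redirect(url == null ? "/" : url);
    }

    // A8 in practice: this action is only reachable once requireLogin() has passed.
    public static void deleteUser(Long id) {
        User.findById(id).delete(); // assumed JPA model class User extends Model
        redirect("/");
    }
}
```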
