playframework owasp top 10


Question


I'm thinking about using Play for a large-scale project, so, has anyone battle-tested Play framework for OWASP Top 10? Are there any security problems you know of in Play framework?

Recommended answer

On the OWASP Top 10 and Play (some info here):

  • A1: Injection
    Uses JPA and escapes strings by default.

  • A2: Cross-Site Scripting (XSS)
    Since version 1.0.1, Play's template engine automatically escapes strings.

  • A3: Broken Authentication and Session Management
    Play is stateless; no session involved. Cookies are protected with cryptography. Storing data safely in the database (passwords) via hashing depends on the user, not the framework.

  • A4: Insecure Direct Object References
    Again this depends on the developer verifying access to allowed resources, not so much the framework.

  • A5: Cross-Site Request Forgery (CSRF)
    POST requests allow for authenticity tokens to prevent this. Of course this depends on the developer using GET/POST properly.

  • A6: Security Misconfiguration
    The default error reporting process seems safe in production (no stack trace leaks). The only concern would be the "catch all" entry in routes, but this should be commented out in production mode.

  • A7: Insecure Cryptographic Storage
    The developer is responsible for encrypting sensitive information in the database.

  • A8: Failure to Restrict URL Access
    The developer must implement a security restriction (via @Before, like in the tutorial) to disallow access to forbidden pages.

  • A9: Insufficient Transport Layer Protection
    Play supports SSL.

  • A10: Unvalidated Redirects and Forwards
    Play redirects via 302, not hardcoded strings, which should prevent this.

TL;DR: In the parts where the framework can do all the work, Play does it. In the parts where the developer needs to do all the work, well, the developer needs to do all the work. In parts that need 50% of each, Play gives its 50%.

Let's put it this way: there is no reason why you should consider Play less safe than any other Java framework. In many cases you can consider it safer. And with Play being an easy-to-develop, stateless and REST framework, you get fewer chances to mess it up.
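The answer above leaves A4, A5 and A8 to the developer. The following Play 1.x controller is an added example (not from the original answer or from the Play project) showing what that developer-side work looks like: an `@Before` interceptor for A8, an ownership check on the looked-up record for A4, and `checkAuthenticity()` on the POST action for A5. It assumes a hypothetical JPA model `models.Document` with an `owner` field, and that `routes` maps `delete` to POST only.

```java
package controllers;

import java.util.List;
import models.Document;      // assumed model: extends play.db.jpa.Model, has String owner
import play.mvc.Before;
import play.mvc.Controller;

public class Documents extends Controller {

    // A8: runs before every action here except login; the "username" entry
    // lives in the signed session cookie, so a forged value is rejected by Play.
    @Before(unless = "login")
    static void requireLogin() {
        if (!session.contains("username")) {
            flash.error("Please log in first");
            login();   // calling another action from here issues a redirect
        }
    }

    public static void login() {
        render();
    }

    public static void index() {
        List<Document> docs = Document.find("byOwner", session.get("username")).fetch();
        render(docs);
    }

    // A4: the id from the URL is never trusted on its own; the record must
    // belong to the caller, otherwise 403 (404 if it does not exist at all).
    private static Document loadOwned(Long id) {
        Document doc = Document.findById(id);
        notFoundIfNull(doc);
        if (!doc.owner.equals(session.get("username"))) {
            forbidden();
        }
        return doc;
    }

    public static void show(Long id) {
        render(loadOwned(id));
    }

    // A5: state-changing action, mapped as POST in routes (assumed:
    // "POST /documents/{id}/delete Documents.delete"); the token comes from
    // #{authenticityToken /} in the form and is compared to the session's token.
    public static void delete(Long id) {
        checkAuthenticity();
        loadOwned(id).delete();
        index();
    }
}
```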
