This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "The Owasp Code Review Top 9"
(→Information leakage and improper error handling) |
(→Direct object reference) |
||
| Line 68: | Line 68: | ||
=== Direct object reference === | === Direct object reference === | ||
| + | Also this category is the same as the one stated in the Owasp Top 10 project. | ||
| + | It refers to the attacker's capability to interact with application internals supplying an ad hoc crafted parameter. | ||
| + | |||
| + | The families contained in this category are: | ||
| + | * Direct object reference | ||
| + | ** Direct reference to database data | ||
| + | ** Direct reference to filesystem | ||
| + | ** Direct reference to memory | ||
| + | |||
=== Resource usage === | === Resource usage === | ||
=== API usage === | === API usage === | ||
=== Best practices violation === | === Best practices violation === | ||
Revision as of 15:46, 5 June 2008
OWASP Code Review Guide Table of Contents
Preface
In this section, we will try to organize the most critical security flaws you can find during a code review in order to have a finite set of categories to evaluate the whole code review process.
needs more details here
The 7 flaw categories
In term of source code security, source code vulnerabilities can be managed in million of ways.
Source code vulnerabilities must reflect Owasp Top 10 recommendations. Applications are made of source so, in some way source code flaws can be re conducted to flaws in application.
The following seventh family will be included as default library in Owasp Orizon Project v1.0 that will be released in October 2008.
needs more details here
Here you can find the seventh source code flaw categories:
- Input validation
- Source code design
- Information leakage and improper error handling
- Direct object reference
- Resource usage
- API usage
- Best practices violation
As you may see 3 categories out of 7 are equals to the correspondent Owasp Top 10 key point.
Let's go more in detail going deeper in describing the source code flaw categories.
Input validation
This flaw categories is the source code counterpart of the Owasp Top 10 A1 category.
The check's families contained in this category are all the ones tied to the missing validation of input data submitted by user and that they will reflect in a Owasp Top 10 A1 violation.
In this category the follow security flaw family are contained:
- Input validation
- Cross site scripting
- SQL Injection
- XPATH Injection
- LDAP Injection
- Cross site request forgery
- Buffer overflow
- Format bug
Source code design
Security in source code starts from design and from the choices made before starting coding using the editor you like most.
In the source code design flaw categories, you can find security check families tied to scope and source code organization.
- Source code design
- Insecure field scope
- Insecure method scope
- Insecure class modifiers
- Unused external references
- Redundant code
Information leakage and improper error handling
This category meets the correspondent Owasp Top 10 one. It will contain security check families about how source code manage errors, exception, logging and sensitive information.
The following families are present:
- Information leakage and improper error handling
- Unhandled exception
- Routine return value usage
- NULL Pointer dereference
- Insecure logging
Direct object reference
Also this category is the same as the one stated in the Owasp Top 10 project. It refers to the attacker's capability to interact with application internals supplying an ad hoc crafted parameter.
The families contained in this category are:
- Direct object reference
- Direct reference to database data
- Direct reference to filesystem
- Direct reference to memory
