1.7. Criteria based mapping of guideline
Chapter 4 of this guideline is structured by functionality. This section provides a mapping from points of view other than functionality, indicating which part of the guideline contains which type of content.
1.7.1. Mapping based on security measures
1.7.1.1. A point of view by OWASP (Open Web Application Security Project)
Using the OWASP Top 10 for 2013 as an axis, links are given to the explanations of the functionality related to each security item.
| Sr. No. | Item Name | Corresponding Guideline |
|---|---|---|
| A1 | Injection (SQL Injection) | (Describes the use of bind variables for query-parameter placeholders) |
| A1 | Injection (XXE: XML External Entity Injection) | |
| A1 | Injection (OS Command Injection) | |
| A1 | Injection (Email Header Injection) | |
| A1 | Injection | (Shows how to validate input values) |
| A2 | Broken Authentication and Session Management | |
| A3 | Cross-Site Scripting (XSS) | |
| A4 | Insecure Direct Object References (Directory Traversal) | |
| A5 | Security Misconfiguration | |
| A6 | Sensitive Data Exposure | |
| A7 | Missing Function Level Access Control | |
| A8 | Cross-Site Request Forgery (CSRF) | |
| A9 | Using Components with Known Vulnerabilities | No mention in particular |
| A10 | Unvalidated Redirects and Forwards | No mention in particular |
1.7.1.2. A point of view by CVE (Common Vulnerabilities and Exposures)
This section explains the CVEs mentioned in this guideline and links to the relevant sections. For CVEs not mentioned in this guideline, refer to the Pivotal Product Vulnerability Reports.
| CVE | Outline | Where it is mentioned in this guideline |
|---|---|---|
| | Apache Commons FileUpload allows remote attackers to cause a denial of service via a malicious request. | |
| CVE-2014-1904 | When the action parameter of the <form:form> tag is omitted, an attacker can perform an XSS attack. | |
| CVE-2015-3192 | Using a DTD allows a DoS attack. | |
| CVE-2016-5007 | Differences in the strictness of the pattern-matching mechanisms of Spring MVC and Spring Security cause a security bypass vulnerability. | |