262-000177-001 OWASP Top 10 for API Security
Product information
Description
- Product name: Developer guide to the 2023 OWASP Top 10 for API Security
- Contents: API security cheat sheet, definitions, and detailed guidance for the 2023 OWASP Top 10 for API Security
Product usage guide
Introduction to API security
The Developer Guide provides comprehensive information on the 2023 OWASP Top 10 for API Security, outlining the common security risks that arise when developing applications with APIs.
API security cheat sheet
The cheat sheet lists the following API security risk categories:
- Broken Object Level Authorization
- Broken Authentication
- Broken Object Property Level Authorization
- Unrestricted Resource Consumption
- Broken Function Level Authorization
- Unrestricted Access to Sensitive Business Flows
- Server Side Request Forgery
- Security Misconfiguration
- Improper Inventory Management
- Unsafe Consumption of APIs
Developer Guide overview
The guide goes into each API security risk category, providing detailed explanations and guidance on how to address and mitigate these risks effectively.
Frequently Asked Questions (FAQ)
Q: Why is API security important?
A: API security is critical because APIs often expose sensitive data and application logic, making them prime targets for attackers. Securing APIs is essential to prevent data breaches and to maintain the overall integrity of the system.
Q: How can I implement secure APIs?
A: To implement secure APIs, follow best practices such as proper authentication, authorization mechanisms, input validation, encryption of sensitive data, and regular security audits and updates.
WHITE PAPER
Developer guide to the 2023 OWASP Top 10 for API Security
Contents
API security cheat sheet (page 5)
Definitions (page 5)
API1:2023 Broken Object Level Authorization (page 7)
API2:2023 Broken Authentication (page 8)
API3:2023 Broken Object Property Level Authorization (page 9)
API4:2023 Unrestricted Resource Consumption (page 11)
API5:2023 Broken Function Level Authorization (page 13)
API6:2023 Unrestricted Access to Sensitive Business Flows (page 14)
API7:2023 Server Side Request Forgery (page 16)
API8:2023 Security Misconfiguration (page 18)
API9:2023 Improper Inventory Management (page 19)
API10:2023 Unsafe Consumption of APIs (page 21)
The API Security Top 10 is not enough! (page 23)
Conclusion (page 23)
As enterprises adopt cloud infrastructure and DevOps-style processes, web application programming interfaces, or APIs, have proliferated. Some of the most popular public APIs include those that give developers access to Google Search, extract data from TikTok, track vehicles, aggregate sports scores, and collect data and download videos from popular sites.1 In 2023, API-related traffic accounted for 58 percent of all dynamic (defined as non-cacheable) traffic, up from 54 percent at the end of 2021.2
APIs have become the way enterprise applications communicate and integrate with one another. Enterprises use about two-thirds of their APIs (64%) to connect their applications with partners, while about half (51%) provide access to microservices. Overall, more than three-quarters of companies use an average of at least 25 APIs per application.3
The adoption of API-based application infrastructure should not be surprising: companies that adopt APIs to attract third-party developers and create ecosystems see increased growth. These "inverted" companies, so called because they reverse the traditional thinking of building barriers around technology and instead allow access to certain functionality and data, grew by nearly 13 percent over two years, and by 39 percent over 16 years, compared with companies that did not adopt APIs, according to a 2022 paper by researchers at Chapman University and Boston University.4
With the adoption of microservices, containers, and APIs, however, come a variety of risks, such as insecure software infrastructure, flawed business logic, and weak data protection. Nine in ten companies (92%) have experienced at least one security incident related to insecure APIs.5 Large companies typically have thousands of APIs, and attacks on those systems account for about 20 percent of security incidents, while smaller companies with a few hundred APIs see such attacks account for five percent of incidents.6 Annual losses due to API breaches are estimated at $40 billion globally, with a further $7 billion figure attributed to API breaches, according to Marsh McLennan.7
1 Arellano, Kelly. Top 50 most popular APIs. RapidAPI Blog. RapidAPI. Web page. March 16, 2023.
2 Tremante, Michael, et al. Application Security Report: Q2 2023. Cloudflare Blog. Cloudflare. Blog post. August 21, 2023.
3 Marks, Melinda. Securing the API Attack Surface. Enterprise Strategy Group. Sponsored by Palo Alto Networks. PDF report, p. 10. May 2023.
4 Benzell, Seth G., et al. How APIs Create Growth by Inverting the Firm. Social Science Research Network. Research paper. Revised: 30 Dec 2022.
5 Securing the API Attack Surface. Enterprise Strategy Group, p. 14.
6 Lemos, Robert. API Security Losses Total Billions, But It's Complicated. Dark Reading. News article. 30 June 2022.
7 Marsh McLennan. Quantifying the Cost of API Insecurity. Sponsored by Imperva. PDF report. 22 June 2022.
The 2023 OWASP API Security Top 10 list describes the ten most impactful security risks that arise when developing applications that expose or consume APIs.
The problem is serious enough that the US National Security Agency joined with the Australian Cyber Security Centre (ACSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) to issue guidance on one API security issue in particular, the most common one, known as the insecure direct object reference (IDOR) vulnerability.8
Unsurprisingly, against this backdrop of rising security concerns, the Open Worldwide Application Security Project (OWASP) released an update to its API Security Top 10 list. Refreshing the original 2019 list, the 2023 API Security Top 10 list reflects the ten most impactful security risks that arise when developing applications that expose or consume APIs. Issues such as broken object level authorization, a superset that includes IDOR vulnerabilities, remain the same as on the previous list. However, new or reorganized categories now reflect issues that were previously overlooked, such as Server-Side Request Forgery (API7:2023) and Unrestricted Access to Sensitive Business Flows (API6:2023).
"By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this, APIs have increasingly become a target for attackers," the OWASP group stated in its release.9 "Without secure APIs, rapid innovation would be impossible."
8 New cybersecurity advisory warns about web application vulnerabilities. National Security Agency. Press release. 27 July 2023.
9 Open Worldwide Application Security Project. OWASP API Security Top 10: going forward. OWASP.org. Web page. 3 July 2023.
API security cheat sheet
OWASP Top 10 category | Cybersecurity solution
1. Broken Object Level Authorization | SAST
2. Broken Authentication | SAST, DAST
3. Broken Object Property Level Authorization | SAST, DAST
4. Unrestricted Resource Consumption | SAST, DAST, Secure API Manager
5. Broken Function Level Authorization | SAST
6. Unrestricted Access to Sensitive Business Flows | DAST
7. Server Side Request Forgery | DAST
8. Security Misconfiguration | SAST, DAST
9. Improper Inventory Management | Secure API Manager
10. Unsafe Consumption of APIs | SCA, SAST
Definitions
API endpoint – The point of communication between two systems, usually a URL of a container or server running a microservice. Using the URL, an application or developer can request information from the server or perform an action on the API server or microservice.
API-related traffic – Internet traffic consisting of HTTP or HTTPS requests with XML or JSON response content, indicating that data is being transferred to an application, typically via SOAP, WSDL, REST APIs, or gRPC (see below).
Dynamic application security testing (DAST) – A method of testing an application or API server by exercising its interface, whether the user interface of an application, the web front end of a web application, or the URLs of API endpoints. As a form of black-box testing, the method tests the application from the "outside" by attacking it the same way an attacker would, without knowledge of its internal workings.
Static application security testing (SAST) – An approach to application security that analyzes source code, binaries, or bytecode for patterns of errors or vulnerabilities. Sometimes called white-box testing, SAST takes an "inside-out" approach that detects potential vulnerabilities and flaws that an external attacker may, or may not, be able to exploit. Lightweight static tools can give developers immediate feedback in their IDE.
SOAP/WSDL – An XML-based method for creating web APIs. SOAP is the protocol itself, and WSDL (Web Services Description Language) is the method used to describe the services. Because of its considerable overhead, this type of API has fallen out of favor for new development.
REST – A web API style that involves sending messages directly over HTTP, using the semantics of HTTP URLs and verbs, without an added "envelope". Content is usually encoded as JSON, although in some cases it is XML.
GraphQL – A query language designed to be used with APIs (with requests and responses in JSON), together with a server-side runtime for resolving those queries. It allows clients to specify the structure of the data they need and receive it from the server in that structure.
gRPC – An API method with higher performance than REST. It uses HTTP/2 and the performance advantages it provides over HTTP/1.1. Each message format is typically binary and based on ProtoBuf, creating further performance advantages over REST and SOAP.
2023 API Security Top 10 | Analogous 2019 API Security entry
API1:2023 Broken Object Level Authorization | API1:2019 Broken Object Level Authorization
API2:2023 Broken Authentication | API2:2019 Broken User Authentication
API3:2023 Broken Object Property Level Authorization | API3:2019 Excessive Data Exposure, API6:2019 Mass Assignment
API4:2023 Unrestricted Resource Consumption | API4:2019 Lack of Resources and Rate Limiting
API5:2023 Broken Function Level Authorization | API5:2019 Broken Function Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows | (none)
API7:2023 Server Side Request Forgery | (none)
API8:2023 Security Misconfiguration | API7:2019 Security Misconfiguration
API9:2023 Improper Inventory Management | API9:2019 Improper Assets Management
API10:2023 Unsafe Consumption of APIs | API8:2019 Injection, API10:2019 Insufficient Logging and Monitoring
Source: https://owasp.org/API-Security/editions/2023/en/0x11-t10/
Source: https://owasp.org/API-Security/editions/2019/en/0x11-t10/
API1:2023 Broken Object Level Authorization
What is it?
APIs provide access to functionality and data through structured web requests. Companies expose their infrastructure and data to unsecured access when those assets are not properly protected or when authorization mechanisms are poorly implemented or absent. Broken object level authorization, also known as Insecure Direct Object Reference (IDOR), can lead to a variety of risks, from data exposure to full account takeover.
What makes applications vulnerable?
This is a ubiquitous and easily exploitable issue in web applications. Applications are vulnerable if they allow a user to take an action by specifying an identifier to the API without checking whether the user has permission to take that action.
In the full OWASP example, a platform for online shops could allow access to sales data through a simple call:
/shops/{shopName}/revenue_data.json
This is insecure because any user can substitute another user's shop name for their own, gaining access to data they should not have.
Attack examples
In 2021, a security researcher found that the web application and backend server serving data to Peloton exercise bikes had several API endpoints that allowed unauthenticated users to access personal data. In February 2021, Peloton created a partial fix for the issue, restricting API access to authenticated users but still allowing those users to access the private data of any other member. A full fix came in May 2021.10
How to prevent it as a developer?
Developers prevent insecure object access by enforcing strict access controls, assigning random unique identifiers to defeat account enumeration, and checking object level authorization in every function that accesses a data source. Developers should document such checks, especially where they depend on user input, to eliminate the chance that unnoticed errors could undermine security. Application security and operations professionals should require an authorization check for every request that accesses data.
How can OpenText help?
OpenText™ Static Application Security Testing (SAST) and OpenText™ Dynamic Application Security Testing (DAST) can detect many of the vulnerabilities in the insecure direct object reference (IDOR) category. IDOR can include vulnerabilities such as Directory Traversal, File Upload, and File Inclusion. More generally, IDOR also includes the class of vulnerabilities where the object identifier can be changed through the URL, body, or header to take an action. These tools flag for developers the cases where a user could choose a primary key directly in an API request to a data store or cache, a problem that often leads to this class of vulnerability. The tools also warn when an expected authorization check is missing.
10 Masters, Jan. Tour de Peloton: exposed user data. Pen Test Partners Blog. Pen Test Partners. Web page. 5 May 2021.
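The shop revenue endpoint from the OWASP example above, in a vulnerable form beside a hardened one, as an added example that is not part of the white paper or of OpenText's products; the shop records, user ids and function names are constructed for illustration.

```python
"""Broken object level authorization (API1:2023): the shop revenue lookup
without and with an object-level ownership check. Added example; the data
store, user ids and function names are assumptions, not a real system."""
import logging
import secrets
from typing import Optional

log = logging.getLogger("bola")

# Constructed sample data: shops keyed by a random public id. owner_id is
# the only user account allowed to read that shop's revenue.
SHOPS = {
    "s_9f1c2e": {"name": "alice-shop", "owner_id": 1, "revenue": [120.0, 340.5]},
    "s_4b7d0a": {"name": "bob-shop", "owner_id": 2, "revenue": [99.0]},
}
# Legacy lookup by guessable name, as in /shops/{shopName}/revenue_data.json
SHOPS_BY_NAME = {s["name"]: sid for sid, s in SHOPS.items()}


def revenue_data_vulnerable(user_id: int, shop_name: str) -> Optional[dict]:
    """Vulnerable: resolves the shop named in the URL and returns its data.
    The caller's identity is never compared with the shop's owner, so any
    authenticated user can read any shop's revenue by changing shop_name."""
    shop_id = SHOPS_BY_NAME.get(shop_name)
    if shop_id is None:
        return None
    return {"shop": shop_name, "revenue": SHOPS[shop_id]["revenue"]}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def revenue_data_hardened(user_id: int, shop_id: str) -> dict:
    """Hardened: the object is addressed by an unguessable id (no enumeration
    by name) and the ownership check runs on every call before any data is
    read. Unknown and foreign shops produce the same denial, so the response
    does not reveal whether the id exists; the denial is logged for detection."""
    shop = SHOPS.get(shop_id)
    if shop is None or shop["owner_id"] != user_id:
        log.warning("object-level authz denied user=%s shop=%s", user_id, shop_id)
        raise Forbidden(f"user {user_id} may not read shop {shop_id}")
    return {"shop": shop["name"], "revenue": shop["revenue"]}


def new_shop_id() -> str:
    """Generate the random identifier the hardened endpoint relies on."""
    return "s_" + secrets.token_hex(6)


if __name__ == "__main__":
    # user 2 reads alice's revenue through the vulnerable endpoint...
    print(revenue_data_vulnerable(2, "alice-shop"))
    # ...but is refused by the hardened one.
    try:
        revenue_data_hardened(2, "s_9f1c2e")
    except Forbidden as exc:
        print("denied:", exc)
```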
API2:2023 Broken Authentication
What is it?
Authorization checks restrict access to data based on defined roles or users, but those restrictions are not enough to protect systems, data, and functionality. Developers and application security teams must be able to implement authentication to verify a user's identity. Despite the critical nature of authentication, these mechanisms are often implemented poorly or used incorrectly, leading to broken user authentication. Broken user authentication allows attackers to temporarily or permanently assume the identity of other users by using insecure authentication tokens or exploiting implementation flaws.
What makes applications vulnerable?
This common and easily exploitable issue occurs because authentication is a complex mechanism that can be confusing and, by definition, is exposed to the public. Developer mistakes and rapid application development can lead to missing authentication that allows attackers to bypass it. Developers who fail to implement authentication for a single endpoint, or who allow weak authentication mechanisms, expose the application to a variety of attacks, such as credential stuffing, token replay, or password spraying.
Attack examples
Between February and June 2023, a credential stuffing attack targeted clothing retailer Hot Topic, which informed its customers that an undisclosed number of accounts had been compromised. The attackers, using credentials obtained from unknown sources, were able to access sensitive personal data such as customer names, email addresses, order history, phone numbers, and birth month and day.11
In February 2022, a misconfigured cloud storage bucket left 1 GB of sensitive data from email marketing firm Beetle Eye unprotected by a password or encryption. The data included contact information and travel-related information collected by the tourism boards of several US states.12 Misconfigured authentication is considered a variant of broken user authentication.
How to prevent it as a developer?
11 Toulas, Bill. Hot Topic retailer discloses wave of credential-stuffing attacks. BleepingComputer. News article. August 1, 2023.
12 Nair, Prajeet. Data of 7 million people exposed by US marketing firm. Data Breach Today. ISMG Network. February 2022.
Standardization is your friend for authentication. DevSecOps teams should create a single, or a limited number of, authentication methods for applications and ensure that developers implement the approach across all microservices and APIs. Any authentication implementation should be reviewed in the context of the OWASP Application Security Verification Standard (ASVS), currently at version 4,13 to ensure the correctness of its implementation and of the related security controls. Any deviation from the standard, especially any intentional exposure of an unauthenticated endpoint, should be reviewed by the security team and allowed only if it meets a strict business need.
How can OpenText help?
OAuth and JWT are two of the most common authentication standards implemented in APIs, and OpenText Dynamic Application Security Testing has checks for weak implementations of both standards in applications, as well as for the proper handling of weaknesses, such as CSRF and Session Fixation, that come with custom authentication implementations. Dynamic application security testing (DAST) scanning by OpenText is a great way to discover authentication vulnerabilities, especially in APIs.
OpenText Static Application Security Testing offers a variety of checks related to poor authentication. The static analysis tools include detection of code-level issues, such as credential injection, and of major API issues such as missing security claims in JWT tokens, or claims taken from JWT headers.
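The two JWT flaws just named, a verifier that trusts the token's own header and one that never checks the security claims, side by side with a hardened verifier, as an added example that is not part of the white paper or of OpenText's products; the HS256 key, issuer, audience and claims are constructed.

```python
"""Broken authentication (API2:2023): verifying an HS256 JWT the weak way
and the strict way. Added example; key, issuer, audience and claims are
constructed demo values, not from any real service."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_weak(token: str, key: bytes) -> Optional[dict]:
    """Weak verifier: takes the algorithm from the token's own header and
    ignores exp/aud/iss. A header of {"alg":"none"} therefore skips the
    signature check entirely, a classic JWT implementation flaw."""
    h, c, s = token.split(".")
    header = json.loads(_unb64url(h))
    if header.get("alg") == "none":          # attacker-controlled decision
        return json.loads(_unb64url(c))
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return json.loads(_unb64url(c)) if hmac.compare_digest(expected, _unb64url(s)) else None


def verify_strict(token: str, key: bytes, issuer: str, audience: str,
                  now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: the algorithm is pinned server-side, the signature is
    compared in constant time, and the security claims exp, iss and aud must
    be present and valid. Returns the claims, or None on any failure."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_unb64url(h))
        claims = json.loads(_unb64url(c))
        sig = _unb64url(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":         # never trust the header's alg
        return None
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    return claims


# Constructed demo material
KEY = b"constructed-demo-key-not-for-production"
GOOD = issue_hs256({"sub": "alice", "iss": "api.example", "aud": "orders",
                    "exp": 2_000_000_000}, KEY)
# Forged token: alg=none header, attacker-chosen claims, empty signature
FORGED = ".".join([
    _b64url(b'{"alg":"none","typ":"JWT"}'),
    _b64url(b'{"sub":"admin","iss":"api.example","aud":"orders","exp":2000000000}'),
    "",
])
```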
API3:2023 Broken Object Property Level Authorization
What is it?
Broken object property level authorization is a new category on the 2023 OWASP list that combines two entries from the previous list: Excessive Data Exposure (API3:2019) and Mass Assignment (API6:2019). The root cause of the problem is a lack of validation of the user's authorization, or improper authorization of the user, at the object property level. API endpoints should validate that each user is authorized for every resource they attempt to access or modify. Exploiting this issue can lead to information disclosure or to data manipulation by unauthorized parties.
What makes applications vulnerable?
This common and easily exploitable issue occurs when a user may be authorized to access some properties of an object, such as booking a room in a travel application, but not others, such as the room rate. When a user accesses a property through an API, the application should check that the user:
· Should be able to access that property of the object (these violations were formerly known as Excessive Data Exposure), and/or
· Is allowed to modify that property of the object (some applications do not check this because they use frameworks that automatically map web request parameters to object fields, a problem known as Mass Assignment).
13 OWASP Application Security Verification Standard. OWASP. GitHub page. Last accessed: 17 November 2023.
In the OWASP example, an online video platform allows a user to change the description of a video, even a blocked video, but should not allow the user to change the 'blocked' property:
PUT /api/video/update_video
{
  "description": "a funny video about cats",
  "blocked": false
}
Attack examples
In January 2022, a bug bounty program found a flaw in Twitter that allowed a user to submit an email address or phone number to Twitter's systems, which would return the account name associated with that information.14 An unknown attacker used the flaw to compile a list of millions of accounts linked to phone numbers and email addresses. By allowing anyone to link the two properties, Twitter inadvertently allowed pseudonymous users to be deanonymized.
How to prevent it as a developer?
Developers should always implement proper controls for authorization to access or modify object properties. Rather than returning a generic data structure with every property, which is often done with serialization methods such as to_json() and to_string(), programmers should explicitly specify the information they return. As an added protection, applications should implement schema-based response validation that enforces security controls on all data returned by API methods. Access should follow the principle of least privilege, allowing access only when necessary.
How can OpenText help?
OpenText™ Static Application Security Testing helps prevent both excessive data exposure and mass assignment through data flow analysis. The approach flags many sources of private data, such as those identified by variable names or API calls, and finds objects that allow mass assignment. Users can define their own sources, track the data through the program, and, if it ends up in an inappropriate place, alert the developer or operator to the risk.
14 An incident impacting some accounts and private information on Twitter. Twitter Privacy Center. Twitter. Web page. August 5, 2022.
Additionally, OpenText SAST has knowledge of the most important serialization and JSON/XML parsing methods. Using this, the tool can find code that does not properly sanitize data transfer objects (DTOs), which can allow mass assignment of their attributes. Certain cases of information disclosure and mass assignment can also be found with OpenText Dynamic Application Security Testing. Finally, some mitigations can be applied by adding rules to a web application firewall (WAF).
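The update_video request from the OWASP example above, handled first by a mass-assigning handler that also dumps the whole record, then by a handler with a property allowlist and an explicit response projection, as an added example that is not part of the white paper or of OpenText's products; the video record, roles and function names are constructed.

```python
"""Broken object property level authorization (API3:2023): mass assignment
and excessive data exposure in one handler, and the property-level fix.
Added example; the record, roles and function names are constructed."""
import copy
from typing import Dict

# Constructed sample record. 'blocked' and 'internal_review_note' are
# server-managed; a plain user must neither write nor see them in full.
VIDEO = {"id": 42, "owner_id": 7, "description": "my cat video", "blocked": True,
         "internal_review_note": "flagged for copyright"}

USER_WRITABLE = {"description"}                 # properties a plain user may change
PUBLIC_READABLE = ("id", "description", "blocked")  # explicit response projection


def update_video_vulnerable(record: dict, user_id: int, payload: dict) -> dict:
    """Vulnerable: merges the whole request body into the record (the
    framework-style auto-binding OWASP calls mass assignment) and returns the
    entire record, a to_json()-style dump that leaks the internal note."""
    record = copy.deepcopy(record)
    if record["owner_id"] != user_id:
        raise PermissionError("not the owner")
    record.update(payload)          # "blocked": false from the client lands here
    return record


class PropertyError(ValueError):
    """A client tried to write a property it is not allowed to change."""


def update_video_hardened(record: dict, user_id: int, is_moderator: bool,
                          payload: Dict[str, object]) -> dict:
    """Hardened: property-level authorization. Only properties allowlisted for
    the caller's role are copied, anything else in the body is rejected rather
    than silently dropped, values are validated, and the response is an
    explicit projection instead of the raw record."""
    record = copy.deepcopy(record)
    if record["owner_id"] != user_id and not is_moderator:
        raise PermissionError("not the owner")
    writable = set(USER_WRITABLE) | ({"blocked"} if is_moderator else set())
    forbidden = set(payload) - writable
    if forbidden:
        raise PropertyError(f"properties not writable by caller: {sorted(forbidden)}")
    if "description" in payload:
        desc = payload["description"]
        if not isinstance(desc, str) or len(desc) > 500:
            raise PropertyError("description must be a string of at most 500 chars")
    if "blocked" in payload and not isinstance(payload["blocked"], bool):
        raise PropertyError("blocked must be a boolean")
    for key, value in payload.items():
        record[key] = value
    return {k: record[k] for k in PUBLIC_READABLE}
```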
API4:2023 Unrestricted Resource Consumption
What is it?
APIs expose a wide range of valuable business functionality. To do so, they use computing resources such as database servers, or they may access physical resources through operational technology. Because systems have finite resources with which to respond to API calls, attackers can craft specific requests to create conditions that lead to resource exhaustion, denial of service, or business losses. In many cases, attackers can send API requests that consume significant resources, tying up infrastructure or bandwidth and resulting in a denial-of-service attack. By sending requests repeatedly from different IP addresses or cloud instances, attackers can bypass defenses designed to detect suspicious spikes in usage.
What makes applications vulnerable?
An API request triggers a response. Whether those responses involve database access, I/O operations, computation, or (increasingly) generating output from a machine learning model, APIs use compute, network, and storage resources. An attacker could send API requests to an endpoint as part of a denial-of-service (DoS) attack that, rather than saturating bandwidth, the aim of a volumetric DoS attack, instead exhausts CPU, memory, and cloud resources. Applications that do not limit the resources allocated to fulfill a request can be vulnerable, including those that do not limit memory allocation, the number of files or processes acquired, or the rate of requests accepted, among other characteristics.
API server configurations should have limits in place to prevent excessive memory and workload consumption, excessive requests for API-triggered functionality, or excessive charges for other services that have no spending caps.
A common attack is to change an argument passed to an API endpoint, such as increasing the size of a response to request a million database records rather than, say, the first ten:
/api/users?page=1&size=1000000
In addition, if the attacker can reach a backend service that charges for usage, an attack can be used to run up charges for the application owner. Another OWASP example points to a password reset feature that uses SMS text messages to verify identity and that can be called thousands of times, driving up costs for the victim:
POST /sms/send_reset_pass_code
Host: willyo.net
{
  "phone_number": "6501113434"
}
Attack examples
Because resource consumption attacks are typically about performance and availability, targeted companies tend to treat them as part of the cost of doing business rather than as reportable incidents, reducing visibility into the threat. In 2022, application-layer distributed denial-of-service (DDoS) attacks, a superset of API consumption attacks, declined as a share of all attacks, but Q4 2022 still saw 79% more attacks lasting longer than an hour than the previous year.15
In one attack described in 2015, a developer discovered an Android client contacting their site repeatedly. The web API had API keys that were issued without a scheme, leading to a denial-of-service attack. The developer believed that a malicious app installed on Android devices was attempting to guess the 64-bit API keys.16
How to prevent it as a developer?
By using rate limiting and throttling, many resource consumption attacks can be made far less severe, although incorrect rate limiting can also affect legitimate traffic. Defined limits should be set on:
· Memory
· Processes
· Cloud instances
· Upload file descriptors and file sizes
· Records returned
· Number of paid transactions and other billed services
· All incoming input (for example, string length, array length, etc.)
· Number of API interactions per client within a defined time window
Filtering at the network edge using a content delivery network (CDN) combined with web application firewalls (WAFs) can mitigate traffic floods and reduce the impact of individual users. Application delivery platforms allow simple filtering, including limits on memory, CPU, and processes.
15 Yoachimik, Omer. Cloudflare DDoS threat report for 2022 Q4. Cloudflare Blog. Web page. 10 January 2023.
16 How to stop unauthorized login/DOS attack on web API. StackOverflow. Web page. 15 September 2015.
How can OpenText help?
With OpenText SAST and OpenText Dynamic Application Security Testing, DevSecOps teams can test their code and infrastructure for resilience against resource exhaustion attacks. OpenText SAST can find many areas where an attacker could manipulate application logic to create excessive resource consumption.
Code-level protection is not enough to address this problem in applications. Resource exhaustion and rate limiting are part of a well-defined area of denial-of-service attacks that should be mitigated at runtime. OpenText Dynamic Application Security Testing can test servers and API services for vulnerability to denial-of-service attacks without affecting the service. In addition, the practice of running DAST scans can stress-test the full environment to reveal potential resource consumption weaknesses.
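Two of the limits listed above applied to the /api/users request shown earlier, a hard ceiling on records returned and a per-client request budget inside a time window, as an added example that is not part of the white paper or of OpenText's products; the limit values, client ids and the stand-in query are constructed.

```python
"""Unrestricted resource consumption (API4:2023): bounding the page size of
/api/users and rate limiting calls per client in a sliding window. Added
example; limits, client ids and the fake user query are constructed."""
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

MAX_PAGE_SIZE = 100        # hard ceiling on records returned per request
MAX_CALLS_PER_WINDOW = 5   # per-client budget...
WINDOW_SECONDS = 60.0      # ...inside this sliding window


class BadRequest(ValueError):
    pass


def parse_users_query(url: str) -> Dict[str, int]:
    """Parse and validate page/size from a request line such as
    /api/users?page=1&size=1000000. Out-of-range sizes are rejected rather
    than silently clamped so the client learns the contract."""
    qs = parse_qs(urlsplit(url).query)
    try:
        page = int(qs.get("page", ["1"])[0])
        size = int(qs.get("size", ["10"])[0])
    except ValueError:
        raise BadRequest("page and size must be integers")
    if page < 1 or size < 1:
        raise BadRequest("page and size must be positive")
    if size > MAX_PAGE_SIZE:
        raise BadRequest(f"size may not exceed {MAX_PAGE_SIZE}")
    return {"page": page, "size": size}


class SlidingWindowLimiter:
    """Per-client sliding-window counter: one deque of call timestamps per
    client, trimmed to the window on every check."""

    def __init__(self, limit: int = MAX_CALLS_PER_WINDOW, window: float = WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(client_id, deque())
        while hits and now - hits[0] >= self.window:   # drop expired hits
            hits.popleft()
        if len(hits) >= self.limit:
            return False                                # budget exhausted
        hits.append(now)
        return True


LIMITER = SlidingWindowLimiter()


def handle_users_request(client_id: str, url: str,
                         now: Optional[float] = None) -> Tuple[int, dict]:
    """Return an (HTTP status, body) pair. The rate check runs before query
    parsing so that a flood of malformed requests still costs the server
    almost nothing."""
    if not LIMITER.allow(client_id, now):
        return 429, {"error": "rate limit exceeded, retry later"}
    try:
        params = parse_users_query(url)
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    # Constructed stand-in for the real query: never fetch more than 'size' rows.
    start = (params["page"] - 1) * params["size"]
    return 200, {"users": [f"user{i}" for i in range(start, start + params["size"])]}
```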
API5:2023 Broken Function Level Authorization
What is it?
Modern applications have a variety of functions that access, create, modify, delete, and manage data. Not every application user needs access to every function or all data, nor should they be allowed it under the principle of least privilege. Every API endpoint has an intended audience, which may include anonymous users, regular unprivileged users, and privileged users. Administrative and management functions should require elevated privileges, but are sometimes reachable through a legitimate API call from an unprivileged user, giving rise to broken function level authorization. Because the different levels, groups, and roles create complexity in access controls, application functions may lack appropriate restrictions on who can call them.
What makes applications vulnerable?
Applications that allow certain roles to perform administrative functions may not securely restrict access to those functions. APIs that map directly to such functions will expose those weaknesses to exploitation. Functions that do not use the application's authentication and authorization mechanisms should be considered potential security weaknesses.
In the example OWASP cites, an attacker obtains the API request for adding a named user to a new mobile application and finds that the invitation includes information about the invited user's role. Exploiting the weakness, the attacker sends a new invitation:
POST /api/invites/new
{
  "email": "attacker@somehost.com",
  "role": "admin"
}
This gives them administrative privileges on the system.
Attack examples
In 2022, the Texas Department of Insurance informed the public that the information of nearly two million Texans had been exposed by part of a workers' compensation application that inadvertently allowed members of the public to access protected data.17 Although Optus called the attack on it "sophisticated," a security researcher familiar with the details of the attack described it as "trivial."18
How to prevent it as a developer?
DevSecOps teams should create a standard approach to authentication and authorization that denies access to requests by default, establishing a "deny all" baseline. From that baseline, apply the principle of least privilege when deciding access for roles, groups, and users. Developers should ensure that authentication and authorization are in place for all necessary HTTP verbs/methods (e.g., POST, GET, PUT, PATCH, DELETE) associated with each API endpoint. Unnecessary verbs should be disabled. In addition, developers should implement a base class for administrative and management access, using class inheritance to ensure that the authorization controls check the user's role before granting access. All critical administrative functions should use authorization mechanisms to prevent privilege escalation.
How can OpenText help?
By combining the static code and API analysis features of OpenText™ Static Application Security Testing with the runtime checks of OpenText Dynamic Application Security Testing (DAST), DevSecOps teams can analyze their applications for broken function level authorization issues and test production code for security weaknesses before deployment. To detect broken function level authorization issues, OpenText™ Static Application Security Testing uses rules that identify where an authorization check is expected in certain programming languages and frameworks, and reports the absence of such checks.
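The prevention advice above (deny-all routing, an authorization base class, and a role check on the invite flow) applied to the OWASP /api/invites/new request, as an added example that is not part of the white paper or of OpenText's products; the roles, route table and handler names are constructed.

```python
"""Broken function level authorization (API5:2023): deny-by-default
dispatch, an authorization base class, and the "may not grant a role above
your own" rule for /api/invites/new. Added example; roles, routes and
handler names are constructed."""
from typing import Callable, Dict, Tuple

ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}
Response = Tuple[int, dict]


class AuthorizedHandler:
    """Base class: every subclass inherits the role gate in __call__, so a
    handler cannot be reached without the check running first. The default
    required role is the most restrictive one."""
    required_role = "admin"

    def __call__(self, caller: dict, body: dict) -> Response:
        caller_rank = ROLE_RANK.get(caller.get("role", "anonymous"), 0)
        if caller_rank < ROLE_RANK[self.required_role]:
            return 403, {"error": "forbidden"}
        return self.handle(caller, body)

    def handle(self, caller: dict, body: dict) -> Response:
        raise NotImplementedError


class NewInvite(AuthorizedHandler):
    required_role = "user"

    def handle(self, caller: dict, body: dict) -> Response:
        role = body.get("role", "user")
        if role not in ROLE_RANK or role == "anonymous":
            return 400, {"error": "unknown role"}
        # Function-level rule: nobody may grant a role above their own.
        if ROLE_RANK[role] > ROLE_RANK[caller["role"]]:
            return 403, {"error": f"{caller['role']} may not grant role {role}"}
        return 201, {"invited": body.get("email"), "role": role}


class ListUsers(AuthorizedHandler):
    # inherits required_role = "admin"
    def handle(self, caller: dict, body: dict) -> Response:
        return 200, {"users": ["alice", "bob"]}


# Route table: only (method, path) pairs listed here exist. Anything else,
# including unneeded verbs such as DELETE on /api/invites/new, is denied.
ROUTES: Dict[Tuple[str, str], Callable[[dict, dict], Response]] = {
    ("POST", "/api/invites/new"): NewInvite(),
    ("GET", "/api/admin/users"): ListUsers(),
}


def dispatch(method: str, path: str, caller: dict, body: dict) -> Response:
    handler = ROUTES.get((method.upper(), path))
    if handler is None:
        return 404, {"error": "no such route"}      # deny-all default
    return handler(caller, body)
```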
API6:2023 Unrestricted Access to Sensitive Business Flows
What is it?
From sneakerbots to ticket bots, attacks on online retailers through their APIs have become a major problem for e-commerce sites. By understanding the business model and the application logic, an attacker can create a sequence of API calls that automatically reserves or purchases product inventory, thereby preventing other, legitimate customers from accessing a business's products or services. Any API that provides access to a business flow can be used by an attacker to harm the business, and so falls under the definition of Unrestricted Access to Sensitive Business Flows.
Preventing unrestricted access to sensitive business flows is more about a holistic approach to application security and less about finding a single technology.
17 Beeferman, Jason. Personal information of 1.8 million Texans with Department of Insurance claims was exposed for years, audit says. Texas Tribune. 17 May 2022.
18 Taylor, Josh. Optus data breach: everything we know so far about what happened. The Guardian. September 28, 2022.
What makes an application vulnerable?
Application and business logic are the heart of every online business, and as companies move more of their operations to the cloud, that logic can be exposed and exploited. Excessive access can harm the business, as attackers automate the purchase of products, create bots that leave comments and reviews, or manipulate the availability of products or services.
If an application exposes an endpoint that reaches a business flow without limiting access to the business function behind that endpoint, the application is vulnerable. Protections include limiting the number of accesses from a single device through fingerprinting, determining whether the activity originates from a human, and detecting whether automation is involved.
Attack examples
When Taylor Swift tickets went on sale on Ticketmaster in November 2022, 1.5 million customers had pre-registered, but more than 14 million requests, including bot-swamped traffic at three times the expected level, hit the purchase API as soon as the ticket sale opened. The site went down, preventing many customers from buying tickets.19
The attacks by reseller bots resembled those that marred the launch of the PlayStation 5 in November 2020. Supply chain problems had already limited availability before the launch of Sony's newest game console, but automated bots made finding a unit even harder and drove resale prices sky-high. At one e-commerce site, the number of "add to cart" transactions grew from an average of 15,000 requests per hour to more than 27 million, using the store's API to request the product directly by SKU number.20
How can you prevent it as a developer?
Developers should work with both business operations and engineering staff to address issues that could expose business flows. Business teams can identify the flows exposed through APIs and conduct threat analyses to determine how attackers could abuse those endpoints. Meanwhile, developers should work with engineering, as part of the DevOps team, to put additional technical safeguards in place, such as using device fingerprinting to stop automated browsing from scaling and detecting the behavior patterns that differ between humans and machines.
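The two technical safeguards named in the preceding paragraphs (a per-device cap on calls to a sensitive flow, and detection of request timing that is too fast and too regular for a human) as an added example. This is not code from this guide or from OpenText; the fingerprint inputs, thresholds, and request timings are constructed for illustration.

```python
from __future__ import annotations
from collections import defaultdict, deque
import hashlib


class FlowGuard:
    """Per-device throttle for a sensitive business flow (e.g. add-to-cart).

    Two controls: cap the number of flow calls per device fingerprint within a
    time window, and flag request spacing that is too fast and regular to be
    a human clicking through a checkout."""

    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0,
                 min_human_gap: float = 0.3):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.min_human_gap = min_human_gap
        self._history: dict[str, deque] = defaultdict(deque)  # fingerprint -> timestamps

    @staticmethod
    def fingerprint(client_ip: str, headers: dict) -> str:
        # Assumption: these are the attributes the front end forwards. A real
        # deployment would fold in more signals (TLS fingerprint, client hints).
        parts = [client_ip, headers.get("User-Agent", ""), headers.get("Accept-Language", "")]
        return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

    def check(self, fp: str, now: float) -> tuple[bool, str]:
        """Record an attempt at time `now` (seconds) and decide whether to allow it."""
        q = self._history[fp]
        while q and now - q[0] > self.window_seconds:   # drop attempts outside the window
            q.popleft()
        q.append(now)
        if len(q) > self.max_per_window:
            return False, "rate_limited"
        if len(q) >= 4:
            # Three consecutive gaps all shorter than a human could manage.
            recent = list(q)[-4:]
            gaps = [later - earlier for earlier, later in zip(recent, recent[1:])]
            if all(g < self.min_human_gap for g in gaps):
                return False, "automation_suspected"
        return True, "ok"


def simulate(guard: FlowGuard, fp: str, timestamps: list[float]) -> list[str]:
    """Replay a sequence of attempt times and return the decision for each."""
    return [guard.check(fp, t)[1] for t in timestamps]


# Constructed traffic: a bot firing every 100 ms, and a person taking seconds per step.
BOT_TIMES = [0.0, 0.1, 0.2, 0.3, 0.4]
HUMAN_TIMES = [0.0, 5.0, 12.0, 20.0, 31.0, 40.0, 70.0]

if __name__ == "__main__":
    guard = FlowGuard()
    bot = FlowGuard.fingerprint("198.51.100.7", {"User-Agent": "python-requests/2.31"})
    human = FlowGuard.fingerprint("198.51.100.8", {"User-Agent": "Mozilla/5.0", "Accept-Language": "en"})
    print("bot  ", simulate(guard, bot, BOT_TIMES))
    print("human", simulate(guard, human, HUMAN_TIMES))
```

The human sequence shows the window sliding: the sixth attempt at 40 s is the one too many within 60 s, but the seventh at 70 s is allowed again once the earliest attempts have aged out.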
19 Steele, Billy. Ticketmaster knows it has a bot problem, but wants Congress to fix it. Engadget. News article. January 24, 2023.
20 Muwandi, Tafara and Warburton, David. How Bots Ruined the PlayStation 5 Launch for Millions of Gamers. F5 Labs Blog. F5. Web page. March 18, 2023.
Operations teams should also review any API built for use by other machines, such as in B2B scenarios, and ensure that protections are in place to stop attackers from abusing machine-to-machine interactions.
How can OpenText help?
Protecting sensitive business flows usually comes down to doing the basics. Organizations should document and track all of their operational APIs and identify those that expose sensitive flows and data to potential attackers. Application logic should also be reviewed for logic flaws that attackers could exploit.
Overall, preventing unrestricted access to sensitive business flows is a matter of a comprehensive approach to application security, and less about finding a single technology.
API7:2023–Server-Side Request Forgery
What is it?
Back-end servers process the requests made through API endpoints. Server-Side Request Forgery (SSRF) is a vulnerability that lets an attacker make the server send requests on the attacker's behalf, with the privilege level of that server. Often the attack uses the server to bridge the gap between an external attacker and an internal network. A basic SSRF attack returns the response to the attacker, which is far easier to work with than a blind SSRF attack, where no response comes back and the attacker has no confirmation that the attack succeeded.
What makes an application vulnerable?
Server-Side Request Forgery (SSRF) essentially stems from a lack of validation of user-supplied input. Attackers can craft a request and insert a URI that gives access to a targeted application.
Modern concepts in application development, such as webhooks and orchestration of application flows, make SSRF both more common and more dangerous, according to OWASP.
In an example OWASP cites, a social network that lets users upload profile pictures can be vulnerable to SSRF if the server does not validate the argument sent to the application. Instead of a URL pointing to an image, such as:
POST /api/profile/upload_picture
{
  "picture_url": "http://example.com/profile_pic.jpg"
}
an attacker could send a URI that reveals whether a port is open, using the same API call:
{
  "picture_url": "localhost:8080"
}
Even in the blind SSRF case, an attacker can determine whether the port was open by timing how long the response takes.
Attack examples
The best-known example of an SSRF attack involved a former Amazon Web Services (AWS) engineer who exploited a misconfigured web application firewall (WAF) and used an SSRF flaw to collect data from servers belonging to the financial giant Capital One. The incident, which occurred in July 2019, resulted in the theft of data on roughly 100 million US citizens and six million Canadian citizens.21 Amazon regarded the misconfiguration, rather than the SSRF flaw, as the root cause of the breach.22
In October 2022, a cloud security firm informed Microsoft of four SSRF vulnerabilities in the company's Azure cloud platform. Each vulnerability affected a different Azure service, including the Azure Machine Learning service and the Azure API Management service.23
How can you prevent it as a developer?
Developers should establish a single process in their code for fetching resources, isolate that functionality, and keep additional protections in place to check every request. Because such functions are generally used to fetch remote resources rather than internal ones, developers should configure them to use an allowlist of approved remote resources and to block attempts to reach internal resources. HTTP redirects should be disabled for resource-fetching functions, and every request should be inspected for malicious content.
The risk of SSRF vulnerabilities can never be eliminated entirely, so organizations should carefully weigh the risk of every call to an external resource.
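The isolated resource-fetching check described above, as an added example that is not code from this guide, from OpenText, or from OWASP. It validates a user-supplied URL before the server fetches it: scheme and port must be on an allowlist, the host must be on an allowlist, and the host must resolve only to public addresses. The hostnames and the DNS answers are constructed so that the example runs offline; the fetch itself is out of scope and must be made with redirects disabled, as the text says.

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: the only remote hosts the picture-fetch function may contact.
ALLOWED_HOSTS = {"cdn.example.com", "images.example.com", "legacy.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}

# Constructed DNS answers so the example runs offline. In production use
# socket.getaddrinfo() and connect to the address you checked, not to a name
# that could be re-resolved to something else between check and connect.
FAKE_DNS = {
    "cdn.example.com": ["104.16.0.10"],
    "images.example.com": ["104.16.0.11"],
    "legacy.example.com": ["10.0.0.5"],          # allowlisted name that now points inside
    "metadata.example.com": ["169.254.169.254"],
}


def is_public_address(ip: str) -> bool:
    """True only for routable public addresses; anything internal is refused."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])) -> tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched by the server."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme_not_allowed"       # also rejects a bare "localhost:8080"
    host = parts.hostname
    if not host:
        return False, "missing_host"
    if parts.username or parts.password:
        return False, "credentials_in_url"
    try:
        port = parts.port
    except ValueError:                            # non-numeric port in the URL
        return False, "port_not_allowed"
    if port not in ALLOWED_PORTS:
        return False, "port_not_allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host_not_allowlisted"
    addresses = resolve(host)
    if not addresses:
        return False, "unresolvable"
    if not all(is_public_address(a) for a in addresses):
        return False, "resolves_to_internal"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["https://cdn.example.com/profile_pic.jpg",
                      "localhost:8080",
                      "https://metadata.example.com/latest",
                      "https://legacy.example.com/profile_pic.jpg"]:
        print(candidate, "->", validate_fetch_url(*[candidate]))
```

The allowlist alone is not enough: legacy.example.com is on it, yet the check still refuses the URL because the name resolves to a private address. Resolving and checking the address, then pinning the connection to it, is what closes the internal-network path the text describes.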
How can OpenText help?
OpenText application security testing lets DevSecOps teams test continuously for Server-Side Request Forgery. OpenText™ Dynamic Application Security Testing scans the application server in a configured environment, so the complete stack (application, server, and network) is tested, giving the analysis platform a full view of the impact of server-side requests.
OpenText SAST can detect many SSRF cases through taint analysis: for example, if an application uses unvalidated user input to build a URL that is then fetched, the tool flags the unrestricted use of that user input.
21 Information on the Capital One cyber incident. Capital One advisory. Web page. Updated April 22, 2022.
22 Ng, Alfred. Amazon tells lawmakers it isn't to blame for Capital One breach. CNET.com. News article. November 21, 2019.
23 Shitrit, Lidor Ben. How Orca found Server-Side Request Forgery (SSRF) vulnerabilities in four different Azure services. Orca Security Blog. Web page. January 17, 2023.
API8:2023–Security Misconfiguration
What is it?
Developers frequently misconfigure their applications: failing to separate development assets from production infrastructure, pushing sensitive files, such as configuration files, to their public repositories, and failing to change default configurations. Security misconfiguration includes deploying applications with insecure default settings, allowing excessive access to functions and data, and exposing application information publicly through verbose error messages.
What makes an application vulnerable?
Automated application configuration often accepts overly permissive settings, lacks security controls, and leaves cloud storage open to the public. Frequently, the web frameworks an application depends on include many unnecessary features whose inclusion reduces security.
In the full example from OWASP, a social network that offers a direct-messaging feature should protect its users' privacy, but allows an API request to retrieve a specific conversation using the following API call:
GET /dm/user_updates.json?conversation_id=1234567&cursor=GRlFp7LCUAAAA
Because the API endpoint does not prevent the response from being cached, the private conversation is stored by the web browser. Attackers can retrieve the message from the browser cache, exposing the user's private information.
Attack examples
In May 2021, a cloud security firm informed Microsoft that at least 47 customers had not changed the default configuration of their Microsoft Power Apps. The affected organizations included companies, such as American Airlines and Microsoft itself, and state governments, such as those of Indiana and Maryland, and 38 million records were exposed to potential compromise across Power Apps portals.24
In 2022, a vulnerability management firm found that 12,000 cloud instances hosted on Amazon Web Services and 10,500 hosted on Azure still exposed Telnet, a remote access protocol considered "unsuitable for any internet use today," according to a 2022 report.25 Including such unnecessary and unprotected components undermines the security of APIs and applications.
24 UpGuard Research. By Design: How Default Permissions on Microsoft Power Apps Exposed Millions. UpGuard Research Blog. Web page. August 23, 2021.
25 Beardsley, Tod. 2022 Cloud Misconfigurations Report. Rapid7. PDF report. p. 12.
How can you prevent it as a developer?
DevSecOps teams should understand the steps needed to create a secure configuration for their application and use an automated development pipeline to check configuration files before deployment, including unit tests and runtime scans that check the software for configuration errors and security issues. Security-as-code can help, by automating configuration and giving application security teams the ability to set standard configuration baselines for well-defined applications.
As part of their secure development lifecycle, developers and operations teams should:
· Create a hardened process that makes it easy to recreate and maintain application environments,
· Review and update all configurations across the API stack to keep applying new standards, and
· Repeat reviews of the effectiveness of configuration settings across all environments.
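A pipeline-stage configuration check of the kind the list above calls for, as an added example that is not code from this guide or from OpenText. It lints a constructed application configuration for the misconfigurations this section names (insecure defaults, verbose errors, a legacy cleartext service left enabled, public storage, a default credential) and for the OWASP direct-message case above, where a response carrying private data is served without a Cache-Control: no-store header. The configuration format, keys, and route paths are assumptions made for the example.

```python
from __future__ import annotations

DEFAULT_PASSWORDS = {"admin", "password", "changeme", ""}   # constructed list of known defaults
SENSITIVE_PREFIXES = ("/dm/", "/api/profile")                 # constructed: routes carrying private data
LEGACY_SERVICES = {"telnet", "ftp"}                           # cleartext services that should be off


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in str(v).split("."))


def lint_config(cfg: dict) -> list[str]:
    """Return one finding per insecure setting; an empty list means the config passes."""
    findings: list[str] = []
    if cfg.get("debug"):
        findings.append("debug mode enabled")
    if cfg.get("error_detail", "minimal") == "verbose":
        findings.append("verbose error messages exposed to clients")
    cors = cfg.get("cors", {})
    if cors.get("allow_origin") == "*" and cors.get("allow_credentials"):
        findings.append("CORS allows any origin with credentials")
    if _version(cfg.get("tls", {}).get("min_version", "1.0")) < (1, 2):
        findings.append("TLS minimum version below 1.2")
    for name, svc in cfg.get("services", {}).items():
        if name in LEGACY_SERVICES and svc.get("enabled"):
            findings.append(f"legacy service enabled: {name}")
    for user in cfg.get("users", []):
        if user.get("password") in DEFAULT_PASSWORDS:
            findings.append(f"default or empty password: {user.get('name')}")
    for bucket in cfg.get("storage", []):
        if bucket.get("public"):
            findings.append(f"public storage: {bucket.get('name')}")
    for route in cfg.get("routes", []):
        # Private data must not be cacheable by browsers or intermediaries.
        cache_control = route.get("response_headers", {}).get("Cache-Control", "").lower()
        if route["path"].startswith(SENSITIVE_PREFIXES) and "no-store" not in cache_control:
            findings.append(f"cacheable sensitive response: {route['path']}")
    return findings


# Constructed configurations: the same deployment before and after hardening.
INSECURE_CONFIG = {
    "debug": True,
    "error_detail": "verbose",
    "cors": {"allow_origin": "*", "allow_credentials": True},
    "tls": {"min_version": "1.0"},
    "services": {"telnet": {"enabled": True}, "https": {"enabled": True}},
    "users": [{"name": "admin", "password": "admin"}],
    "storage": [{"name": "app-config", "public": True}],
    "routes": [{"path": "/dm/user_updates.json", "response_headers": {}}],
}

HARDENED_CONFIG = {
    "debug": False,
    "error_detail": "minimal",
    "cors": {"allow_origin": "https://app.example.com", "allow_credentials": True},
    "tls": {"min_version": "1.2"},
    "services": {"telnet": {"enabled": False}, "https": {"enabled": True}},
    "users": [{"name": "admin", "password": "<set from secret store at deploy time>"}],
    "storage": [{"name": "app-config", "public": False}],
    "routes": [{"path": "/dm/user_updates.json",
                "response_headers": {"Cache-Control": "no-store"}}],
}

if __name__ == "__main__":
    for label, cfg in [("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(label, lint_config(cfg) or "no findings")
```

Wired into a pipeline, a non-empty result fails the build; the same function can run against the rendered configuration of each environment to satisfy the third bullet above.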
How can OpenText help?
OpenText Static Application Security Testing can check configuration during the development process and find many types of vulnerability. Because security misconfiguration occurs both at the application code level and at the infrastructure level, different OpenText products can be used to find misconfigurations.
OpenText Static Application Security Testing can check application code for configuration issues. During static analysis scans, OpenText SAST can examine configuration files for security errors, including those for Docker, Kubernetes, Ansible, Amazon Web Services CloudFormation, Terraform, and Azure Resource Manager templates.
Configuration errors can also be caught at runtime. OpenText Dynamic Application Security Testing lets DevSecOps teams test continuously for security misconfigurations. One of the greatest strengths of DAST analysis is that it runs against the application server in a configured environment, which means the complete environment (application, server, and network) is tested at once, giving the analysis platform a full view of the configured production environment.
API9:2023–Improper Inventory Management
What is it?
Like most software assets, APIs have a lifecycle in which older versions are replaced by more secure and efficient APIs or, increasingly, by APIs integrated with other services. DevSecOps teams that do not keep their API versions documented can introduce vulnerabilities when flawed API versions remain in use, a weakness known as improper inventory management. Best practice for inventory management requires tracking API versions, continuously monitoring and cataloging integrated services, and regularly retiring legacy versions to prevent the spread of security vulnerabilities.
What makes an application vulnerable?
Building infrastructure on APIs, especially with a microservice architecture, exposes far more endpoints than a traditional web application. The plethora of API endpoints, together with the possibility of several API versions existing at the same time, requires additional management infrastructure from the API provider to keep the attack surface from expanding. OWASP identifies two main blind spots that DevSecOps teams have regarding their API infrastructure.
First, a documentation blind spot exists when the specification of an API's purpose, function, and version is unclear because there is no documentation describing these critical features.
Second, a data flow blind spot occurs when an API is used in a way that is not clearly specified, leading to permissions that should not be allowed without a proper business justification. Sharing sensitive data with third parties without security guarantees, lacking visibility into the data flow of endpoints, and failing to document all data flowing into integrated APIs are blind spots of this kind.
As an example, the OWASP report references a fictional social network that allows integration with other, independent applications. Although consent from the end user is required, the social network does not maintain full visibility into the data flow, so it cannot stop third parties from accessing data such as the activity not only of the user, but also of the user's friends.
Attack examples
In 2013 and 2014, about 300,000 people took an online personality quiz on the Facebook platform. The company behind the quiz, Cambridge Analytica, collected information not only about those users but also about their connected friends, a total of 87 million people, most of whom had not consented to the collection of their information. The company used the data to run advertising and messaging for its clients, including political advertising in support of the Trump campaign in the 2016 election.26 Facebook had no visibility into how third parties used information pulled from its platform, a prime example of Improper Inventory Management.
How can you prevent it as a developer?
DevSecOps teams should document all API clients and focus on supporting visibility into the data flowing between APIs and other services. The key way to prevent improper inventory management is thorough documentation of every critical aspect of API operation and of API clients, including the data they handle, who has access to the clients and the data, and the API version specified for each client. Technical details that should be documented include the authentication implementation, error handling, rate-limiting protections, the cross-origin resource sharing (CORS) policy, and the specification of each endpoint.
This volume of documentation is hard to produce by hand, so it is recommended to generate it through a continuously integrated, automated process that uses open standards. Access to the API documentation should also be limited to the developers authorized to use the API.
During application build and test processes, developers should avoid using production data in development or staging versions of the application, to prevent data leaks. When a new API version is released, DevSecOps teams should conduct a risk analysis to determine the best approach for upgrading the application to take advantage of the security improvements.
26 Rosenberg, Matthew and Dance, Gabriel. 'You Are the Product': Targeted by Cambridge Analytica on Facebook. The New York Times. News article. April 8, 2018.
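An automated audit of an API inventory of the kind described in this section, as an added example that is not code from this guide or from OpenText. The inventory structure (versions with status and retirement date, the documentation fields each version must carry, clients pinned to a version with a recorded data-sharing agreement) is an assumption made for the example, and the records are constructed. The audit reports undocumented versions, deprecated versions past their retirement date, clients still bound to retired or unknown versions, and clients receiving data without an agreement, which are the documentation and data-flow blind spots OWASP describes.

```python
from __future__ import annotations
from datetime import date

# Documentation every non-retired version must carry (from the section above).
REQUIRED_DOCS = ("authentication", "error_handling", "rate_limiting", "cors_policy", "endpoints")

# Constructed inventory: one logical API with three published versions and its clients.
INVENTORY = {
    "versions": [
        {"version": "v1", "status": "retired", "retire_by": "2023-01-31",
         "docs": {"authentication": "api-key", "endpoints": ["/v1/users"]}},
        {"version": "v2", "status": "deprecated", "retire_by": "2024-06-30",
         "docs": {k: "documented" for k in REQUIRED_DOCS}},
        {"version": "v3", "status": "active", "retire_by": None,
         "docs": {"authentication": "oauth2", "error_handling": "rfc7807",
                  "rate_limiting": "100/min", "endpoints": ["/v3/users", "/v3/dm"]}},
    ],
    "clients": [
        {"name": "mobile-app", "version": "v3", "data": ["profile"], "agreement": True},
        {"name": "partner-analytics", "version": "v1", "data": ["profile", "messages"], "agreement": False},
        {"name": "legacy-batch", "version": "v0", "data": [], "agreement": True},
    ],
}


def audit_inventory(inv: dict, today: date) -> list[str]:
    """Return one finding per inventory gap; an empty list means the inventory is clean."""
    findings: list[str] = []
    by_version = {v["version"]: v for v in inv["versions"]}

    for v in inv["versions"]:
        missing = [k for k in REQUIRED_DOCS if k not in v["docs"]]
        if missing and v["status"] != "retired":
            findings.append(f"{v['version']}: undocumented {', '.join(missing)}")
        if (v["status"] == "deprecated" and v["retire_by"]
                and date.fromisoformat(v["retire_by"]) < today):
            findings.append(f"{v['version']}: past retirement date {v['retire_by']}")

    for c in inv["clients"]:
        target = by_version.get(c["version"])
        if target is None:
            findings.append(f"{c['name']}: pinned to unknown version {c['version']}")
        elif target["status"] == "retired":
            findings.append(f"{c['name']}: still using retired version {c['version']}")
        if c["data"] and not c["agreement"]:
            findings.append(f"{c['name']}: receives {', '.join(c['data'])} without a data agreement")
    return findings


if __name__ == "__main__":
    for line in audit_inventory(INVENTORY, date(2024, 9, 1)):
        print(line)
```

Running the audit on a schedule, with the inventory generated from the API gateway or specification repository rather than maintained by hand, turns the documentation requirement above into a check that fails visibly when a version or a client falls out of date.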
How can OpenText help?
Different teams can manage, analyze, secure, and document their API usage with OpenText™ Secure API Manager, which helps application security teams maintain an inventory of API assets. OpenText Secure API Manager provides an authoritative repository where DevSecOps teams can store and manage all the APIs the organization uses, enabling straightforward lifecycle management from API development to retirement. The tool also helps improve compliance with standards and regulations by enabling thorough auditing.
API10:2023–Unsafe Consumption of APIs
What is it?
With the growing use of cloud infrastructure to build applications, APIs have become the integration points between application components. However, the security posture of third-party services accessed through APIs is often not well established, giving attackers the opportunity to work out which services an application depends on and whether any of those services has security weaknesses. Developers trust the endpoints their applications interact with without vetting external or third-party APIs. This unsafe consumption of APIs often leads to the application depending on services with weak security requirements or without fundamental protections, such as input validation.
What makes an application vulnerable?
Developers trust data received from third-party APIs more than user input, even though both sources are equally usable by an attacker. Because of this misplaced trust, developers end up relying on weaker security standards, with no input validation and sanitization.
Unsafe API consumption can occur if an application:
· Uses or consumes third-party APIs without encrypted communications,
· Does not validate and sanitize data from third-party APIs or services,
· Allows redirects without any security checks, or
· Fails to limit resource consumption through thresholds and timeouts.
In an example from the OWASP report, an API that integrates with a third-party service provider to store a user's sensitive health information could send private data through the provider's API endpoint. Attackers who compromise the third-party API can make it answer future requests with a 308 Permanent Redirect:
HTTP/1.1 308 Permanent Redirect
Location: https://attacker.com/
If a developer has no security validation code in their application to examine the data returned by the API endpoint, the application will follow the redirect and send the attacker the sensitive health information.
Attack examples
In December 2021, several vulnerabilities in a widely used open-source component, Log4j, allowed an attacker to supply unsanitized input, such as an embedded script, and use the vulnerable Log4j version to execute that script on the server. The issue behind the Log4j vulnerability stemmed from a lack of input validation, specifically the failure to perform security checks on user-supplied data. By sending malicious serialized code, attackers could exploit the vulnerability to attack servers running the vulnerable version. Developers should check all input supplied by third-party APIs and other sources.27
How can you prevent it as a developer?
Developers should be careful when evaluating service providers, assessing the security posture of their APIs and implementing strong security controls. In addition, developers should ensure that all communications with third-party APIs, and from third parties to the organization's own APIs, use a secure channel to prevent eavesdropping and replay attacks.
When receiving data from users or from remote machines, inputs should always be sanitized to prevent unintended code execution. Finally, for cloud services integrated through APIs, an allowlist should be used to lock down the addresses of the integrated solutions, rather than allowing any IP address to call the application's API.
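A consumer-side check for responses from an integrated provider, covering the four conditions in the list above and the OWASP 308 redirect example, as an added example that is not code from this guide, from OpenText, or from OWASP. The provider allowlist, the response schema, and the size limit are assumptions made for the example, and the responses are constructed stand-ins for an HTTP client's result so the example runs offline; in a real client, redirects must also be disabled in the client itself and a timeout set on every call.

```python
from __future__ import annotations
import json
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_BODY_BYTES = 64 * 1024                                 # constructed resource limit
TRUSTED_PROVIDERS = {"records.healthpartner.example"}      # constructed allowlist of integrated services
EXPECTED_SCHEMA = {"record_id": str, "status": str, "updated_at": str}   # fields we accept, with types


@dataclass
class Response:
    """Minimal stand-in for an HTTP client response so the example runs offline."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def consume_provider_response(resp: Response) -> tuple[bool, str, dict | None]:
    """Validate a provider response before any of its data is trusted."""
    parts = urlsplit(resp.url)
    if parts.scheme != "https":
        return False, "insecure_transport", None
    if parts.hostname not in TRUSTED_PROVIDERS:
        return False, "untrusted_provider", None
    if 300 <= resp.status < 400:
        # Never follow a provider redirect: a compromised provider could use
        # 3xx plus Location to send the next request, and its payload, elsewhere.
        return False, "redirect_refused", None
    if resp.status != 200:
        return False, f"unexpected_status_{resp.status}", None
    if len(resp.body) > MAX_BODY_BYTES:
        return False, "body_too_large", None
    content_type = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if content_type != "application/json":
        return False, "unexpected_content_type", None
    try:
        data = json.loads(resp.body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False, "malformed_json", None
    if not isinstance(data, dict):
        return False, "schema_violation", None
    for key, expected_type in EXPECTED_SCHEMA.items():
        if not isinstance(data.get(key), expected_type):
            return False, "schema_violation", None
    # Keep only the fields we expect; anything extra the provider sent is dropped.
    return True, "ok", {k: data[k] for k in EXPECTED_SCHEMA}


# Constructed responses: the redirect from the OWASP example and a well-formed reply.
PROVIDER_URL = "https://records.healthpartner.example/v1/records"
REDIRECT_RESPONSE = Response(PROVIDER_URL, 308, {"Location": "https://attacker.example/"})
GOOD_RESPONSE = Response(
    PROVIDER_URL, 200, {"Content-Type": "application/json; charset=utf-8"},
    json.dumps({"record_id": "r-17", "status": "stored",
                "updated_at": "2024-01-01T00:00:00Z", "debug": "ignored"}).encode(),
)

if __name__ == "__main__":
    print(consume_provider_response(REDIRECT_RESPONSE))
    print(consume_provider_response(GOOD_RESPONSE))
```

The redirect is refused before the body is even looked at, so the follow-up request carrying the health record is never made; the accepted response is reduced to the documented fields, which keeps unexpected provider data from reaching application logic unvalidated.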
How can OpenText help?
By combining the static code and API analysis capabilities of OpenText Static Application Security Testing with the runtime analysis of OpenText Dynamic Application Security Testing (DAST), DevSecOps teams can check their application's use of third-party APIs and test for this common type of attack. To find unsafe APIs, OpenText Secure API Manager can build a repository of every API the system calls, as well as of the external applications that may use the application's own API.
27 Microsoft Threat Intelligence. Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. Microsoft. Web page. Updated January 10, 2022.
Where to go next
Here are the products mentioned in this document:
OpenText Application Security >
OpenText Dynamic Application Security Testing >
OpenText Static Application Security Testing >
OpenText Secure API Manager >
Additional resources:
OWASP Top 10 API Security Risks – 2023 >
Gartner Magic Quadrant for Application Security Testing >
OpenText Application Security Webinar Series >
The API Security Top 10 is not enough!
For cloud developers focused on creating APIs to serve other parts of an application, internal users, or global consumers, the OWASP API Security Top 10 list is an important document to read and understand.
However, the OWASP API Security Top 10 is not a standalone document. Developers should also make sure they draw on other sources of best practice, such as the OWASP Top 10, that fit their current applications and architecture. Common application vulnerabilities (SQL injection, data exposure, and misconfiguration) continue to be the usual routes by which cyber threat groups compromise enterprise infrastructure, and they should be addressed promptly. In addition, some API-based applications, such as mobile apps, require a different application security approach from a standalone web app, and different again from what may be required for connecting to IoT devices. Overall, the API Security Top 10 list is important, but it is still only part of a complete software development lifecycle. That list, and the OWASP Top 10 list, should be combined with whatever standards and best practices the solution under review requires.
Conclusion
As applications rely ever more on cloud infrastructure, web application programming interfaces (APIs) have become the foundation of the internet. Companies often have hundreds, if not thousands, of API endpoints in their environments, dramatically increasing their attack surface and exposing applications to a variety of vulnerabilities.
The release of the 2023 OWASP API Security Top 10 is a good starting point for companies and developers to educate themselves about the risks in API-based infrastructure and to assess their own applications. Together with the well-known application security Top 10 list, these two standards can help DevSecOps teams develop a comprehensive approach to securing all of their applications.
DevSecOps teams should know the security protections that apply to APIs, how to reduce implementation errors and security weaknesses, and how to make their development pipeline and API servers resilient, so that it is harder for attackers to compromise an application through its API.
Copyright © 2025 Open Text · 04.25 | 262-000177-001