Open Web Application Security Project- OWASP

1. OWASP Maddeleri

A06:2021-Vulnerable and Outdated Components 

Açıklaması şöyle

A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities

...

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, it could facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

2. OWASP API Maddeleri

OWASP API #3, Excessive Data Exposure

Sadece gereken veri dışarı açılmalı

OWASP API #4, Lack of Resources & Rate Limiting

Rate Limiting yapılmalı. Bir örnek burada

Diğer

Şifre Uzunluğu Üst Sınırı
Şifre uzunluğu için bir üst sınır olmalı. Üst sınıf kullanılan algoritmaya göre ayarlanmalı. Açıklaması şöyle

Some hashing algorithms such as Bcrypt have a maximum length for the input, which is 72 characters for most implementations (there are some reports that other implementations have lower maximum lengths, but none have been identified at the time of writing). Where Bcrypt is used, a maximum length of 64 characters should be enforced on the input, as this provides a sufficiently high limit, while still allowing for string termination issues and not revealing that the application uses Bcrypt.

Password Reset
Kullanıcı ismi asla gönderilmemeli. Kullanıcıdan istenen e-posta adresi için adres doğru/adres yanlış şeklinde bilgi verilmemeli. Açıklaması şöyle

This is what I usually do:

1. user asks for a password reset
2. system asks for the registered email
3. user enters email, and no matter if email exists or not, you say that you sent a reset link
4. server stores email and reset token on a reset_password table
5. when the link is accessed, open a form to reset the password.
6. User only receives a link with a large random token.