OWASP Application Security Verification Standard 4.0.3-zh-cn.xml
<?xml version="1.0" encoding="UTF-8" ?>
<root>
<Name>Application Security Verification Standard Project</Name>
<ShortName>ASVS</ShortName>
<Version>4.0.3</Version>
<Description>The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.</Description>
<Requirements>
<item><Shortcode>V1</Shortcode><Ordinal>1</Ordinal><ShortName>Architecture</ShortName><Name>Architecture, Design and Threat Modeling</Name><Items>
<item><Shortcode>V1.1</Shortcode><Ordinal>1</Ordinal><Name>Secure Software Development Lifecycle</Name><Items>
<item><Shortcode>V1.1.1</Shortcode><Ordinal>1</Ordinal><Description>Verify the use of a secure software development lifecycle that addresses security in all stages of development. ([C1](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item>
<item><Shortcode>V1.1.2</Shortcode><Ordinal>1</Ordinal><Description>Verify the use of threat modeling for every design change or sprint planning to identify threats, plan for countermeasures, facilitate appropriate risk responses, and guide security testing.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1053</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.1.3</Shortcode><Ordinal>1</Ordinal><Description>Verify that all user stories and features contain functional security constraints, such as "As a user, I should be able to view and edit my profile. I should not be able to view or edit anyone else's profile."</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1110</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.1.4</Shortcode><Ordinal>1</Ordinal><Description>Verify documentation and justification of all the application's trust boundaries, components, and significant data flows.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1059</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.1.5</Shortcode><Ordinal>1</Ordinal><Description>Verify definition and security analysis of the application's high-level architecture and all connected remote services. ([C1](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1059</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.1.6</Shortcode><Ordinal>1</Ordinal><Description>Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>637</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.1.7</Shortcode><Ordinal>1</Ordinal><Description>Verify availability of a secure coding checklist, security requirements, guideline, or policy to all developers and testers.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>637</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.2</Shortcode><Ordinal>2</Ordinal><Name>Authentication Architecture</Name><Items>
<item><Shortcode>V1.2.1</Shortcode><Ordinal>1</Ordinal><Description>Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>250</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.2.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that communications between application components, including APIs, middleware, and data layers, are authenticated. Components should have the least privileges necessary. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>306</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.2.3</Shortcode><Ordinal>1</Ordinal><Description>Verify that the application uses a single authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>306</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.2.4</Shortcode><Ordinal>1</Ordinal><Description>Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, so that the application's risk is contained.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>306</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.3</Shortcode><Ordinal>3</Ordinal><Name>Session Management Architecture</Name><Items></Items></item>
<item><Shortcode>V1.4</Shortcode><Ordinal>4</Ordinal><Name>Access Control Architecture</Name><Items>
<item><Shortcode>V1.4.1</Shortcode><Ordinal>1</Ordinal><Description>Verify that trusted enforcement points, such as access control gateways, servers, and serverless functions, enforce access controls. Never enforce access controls on the client.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>602</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.4.2</Shortcode><Ordinal>1</Ordinal><Description>[DELETED, NOT ACTIONABLE]</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>False</Required><Requirement></Requirement></L3><CWE></CWE><NIST></NIST></item>
<item><Shortcode>V1.4.3</Shortcode><Ordinal>1</Ordinal><Description>[DELETED, DUPLICATE OF 4.1.3]</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>False</Required><Requirement></Requirement></L3><CWE></CWE><NIST></NIST></item>
<item><Shortcode>V1.4.4</Shortcode><Ordinal>1</Ordinal><Description>Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy-and-paste or insecure alternative paths. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>284</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.4.5</Shortcode><Ordinal>1</Ordinal><Description>Verify that attribute- or feature-based access control is used, whereby the code checks the user's authorization for a feature or data item rather than just their role. Permissions should still be allocated using roles. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>275</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.5</Shortcode><Ordinal>5</Ordinal><Name>Input and Output Architecture</Name><Items>
<item><Shortcode>V1.5.1</Shortcode><Ordinal>1</Ordinal><Description>Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy requirements.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1029</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.5.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks, including object injection.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>502</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.5.3</Shortcode><Ordinal>1</Ordinal><Description>Verify that input validation is enforced on a trusted service layer. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>602</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.5.4</Shortcode><Ordinal>1</Ordinal><Description>Verify that output encoding occurs close to, or is performed by, the interpreter for which it is intended. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>116</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.6</Shortcode><Ordinal>6</Ordinal><Name>Cryptographic Architecture</Name><Items>
<item><Shortcode>V1.6.1</Shortcode><Ordinal>1</Ordinal><Description>Verify that there is an explicit policy for the management of cryptographic keys and that the cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>320</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.6.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API-based alternatives.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>320</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.6.3</Shortcode><Ordinal>1</Ordinal><Description>Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>320</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.6.4</Shortcode><Ordinal>1</Ordinal><Description>Verify that the architecture treats client-side secrets (such as symmetric keys, passwords, or API tokens) as insecure and never uses them to protect or access sensitive data.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>320</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.7</Shortcode><Ordinal>7</Ordinal><Name>Errors, Logging and Auditing Architecture</Name><Items>
<item><Shortcode>V1.7.1</Shortcode><Ordinal>1</Ordinal><Description>Verify that a common logging format and approach is used across the whole system. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1009</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.7.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that logs are securely transmitted to a remote system for analysis, detection, alerting, and escalation. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.8</Shortcode><Ordinal>8</Ordinal><Name>Data Protection and Privacy Architecture</Name><Items>
<item><Shortcode>V1.8.1</Shortcode><Ordinal>1</Ordinal><Description>Verify that all sensitive data is identified and classified into protection levels.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item>
<item><Shortcode>V1.8.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy, and other confidentiality requirements, and that these are applied in the architecture.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.9</Shortcode><Ordinal>9</Ordinal><Name>Communications Architecture</Name><Items>
<item><Shortcode>V1.9.1</Shortcode><Ordinal>1</Ordinal><Description>Verify that the application encrypts communications between components, particularly when these components are in different containers, systems, sites, or cloud providers. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>319</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.9.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that application components verify the authenticity of each side in a communication link to prevent man-in-the-middle attacks. For example, application components should validate TLS certificate chains.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>295</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.10</Shortcode><Ordinal>10</Ordinal><Name>Malicious Software Architecture</Name><Items>
<item><Shortcode>V1.10.1</Shortcode><Ordinal>1</Ordinal><Description>Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by issues or change tickets. The source code control system should have access control and identifiable users to allow traceability of any changes.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>284</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.11</Shortcode><Ordinal>11</Ordinal><Name>Business Logic Architecture</Name><Items>
<item><Shortcode>V1.11.1</Shortcode><Ordinal>1</Ordinal><Description>Verify the definition and documentation of all application components in terms of the business or security functions they provide.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1059</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.11.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that all high-value business logic flows, including authentication, session management, and access control, do not share unsynchronized state.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>362</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.11.3</Shortcode><Ordinal>1</Ordinal><Description>Verify that all high-value business logic flows, including authentication, session management, and access control, are thread-safe and resistant to time-of-check to time-of-use race conditions.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>367</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.12</Shortcode><Ordinal>12</Ordinal><Name>Secure File Upload Architecture</Name><Items>
<item><Shortcode>V1.12.1</Shortcode><Ordinal>1</Ordinal><Description>[DELETED, DUPLICATE OF 12.4.1]</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>False</Required><Requirement></Requirement></L3><CWE></CWE><NIST></NIST></item>
<item><Shortcode>V1.12.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that user-uploaded files, if they need to be displayed or downloaded from the application, are served either as binary stream (octet-stream) downloads or from an unrelated domain such as a cloud file storage bucket. Implement a suitable Content Security Policy (CSP) to reduce the risk of XSS vectors or other attacks from uploaded files.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>646</item></CWE><NIST></NIST></item>
</Items></item>
<item><Shortcode>V1.13</Shortcode><Ordinal>13</Ordinal><Name>API Architecture</Name><Items></Items></item>
<item><Shortcode>V1.14</Shortcode><Ordinal>14</Ordinal><Name>Configuration Architecture</Name><Items>
<item><Shortcode>V1.14.1</Shortcode><Ordinal>1</Ordinal><Description>Verify the segregation of components of differing trust levels through well-defined security controls, firewall rules, API gateways, reverse proxies, cloud-based security groups, or similar mechanisms.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>923</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.14.2</Shortcode><Ordinal>1</Ordinal><Description>Verify that binary signatures, trusted connections, and verified interfaces are used to deploy binaries to remote devices.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>494</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.14.3</Shortcode><Ordinal>1</Ordinal><Description>Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate action.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1104</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.14.4</Shortcode><Ordinal>1</Ordinal><Description>Verify that the build pipeline contains a build step that automatically builds and verifies the secure deployment of the application, particularly if the application infrastructure is software-defined, such as cloud environment build scripts.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item>
<item><Shortcode>V1.14.5</Shortcode><Ordinal>1</Ordinal><Description>Verify that application deployments are adequately sandboxed, containerized, or isolated at the network level to delay and deter attackers from attacking other applications, especially when they are performing sensitive or dangerous actions such as deserialization. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>265</item></CWE><NIST></NIST></item>
<item><Shortcode>V1.14.6</Shortcode><Ordinal>1</Ordinal><Description>Verify that the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>477</item></CWE><NIST></NIST></item>
</Items></item>
</Items></item>
<item><Shortcode>V2</Shortcode><Ordinal>2</Ordinal><ShortName>Authentication</ShortName><Name>Authentication</Name><Items>
<item><Shortcode>V2.1</Shortcode><Ordinal>1</Ordinal><Name>Password Security</Name><Items>
<item><Shortcode>V2.1.1</Shortcode><Ordinal>2</Ordinal><Description>Verify that user-set passwords are at least 12 characters in length (after multiple spaces are combined). ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.2</Shortcode><Ordinal>2</Ordinal><Description>Verify that passwords of 64 characters or more are permitted, and that passwords of more than 128 characters are denied. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.3</Shortcode><Ordinal>2</Ordinal><Description>Verify that password truncation is not performed. However, consecutive multiple spaces may be replaced by a single space. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.4</Shortcode><Ordinal>2</Ordinal><Description>Verify that any printable Unicode character, including language-neutral characters such as spaces and emojis, is permitted in passwords.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.5</Shortcode><Ordinal>2</Ordinal><Description>Verify that users can change their password.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>620</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.6</Shortcode><Ordinal>2</Ordinal><Description>Verify that password change functionality requires the user's current password and the new password.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>620</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.7</Shortcode><Ordinal>2</Ordinal><Description>Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords, either locally (such as the top 1,000 or 10,000 most common passwords that match the system's password policy) or using an external API. If an API is used, a zero-knowledge proof or other mechanism should be used to ensure that the plaintext password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new, non-breached password. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.8</Shortcode><Ordinal>2</Ordinal><Description>Verify that a password strength meter is provided to help users set a stronger password.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.9</Shortcode><Ordinal>2</Ordinal><Description>Verify whether there are password composition rules limiting the types of characters permitted. There should be no requirement for upper or lower case, numbers, or special characters. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.10</Shortcode><Ordinal>2</Ordinal><Description>Verify that there are no periodic credential rotation or password history requirements.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>263</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.11</Shortcode><Ordinal>2</Ordinal><Description>Verify that "paste" functionality, browser password helpers, and external password managers are permitted.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.1.12</Shortcode><Ordinal>2</Ordinal><Description>Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as built-in functionality.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>521</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
</Items></item>
<item><Shortcode>V2.2</Shortcode><Ordinal>2</Ordinal><Name>General Authenticator Security</Name><Items>
<item><Shortcode>V2.2.1</Shortcode><Ordinal>2</Ordinal><Description>Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever-increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour are possible on a single account.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>307</item></CWE><NIST><item>5.2.2</item><item>5.1.1.2</item><item>5.1.4.2</item><item>5.1.5.2</item></NIST></item>
<item><Shortcode>V2.2.2</Shortcode><Ordinal>2</Ordinal><Description>Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval, and not used as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, that users are aware of the risks, or that proper measures are in place to limit the risk of account compromise.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>304</item></CWE><NIST><item>5.2.10</item></NIST></item>
<item><Shortcode>V2.2.3</Shortcode><Ordinal>2</Ordinal><Description>Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, or logins from unknown or risky locations. Push notifications are preferred over SMS or email, but in the absence of push notifications, SMS or email is acceptable as long as no sensitive information is disclosed in the notification.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>620</item></CWE><NIST></NIST></item>
<item><Shortcode>V2.2.4</Shortcode><Ordinal>2</Ordinal><Description>Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with push-to-authenticate), or, at higher AAL levels, client-side certificates.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>308</item></CWE><NIST><item>5.2.5</item></NIST></item>
<item><Shortcode>V2.2.5</Shortcode><Ordinal>2</Ordinal><Description>Verify that where a Credential Service Provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS (mTLS) is in place between the two endpoints.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>319</item></CWE><NIST><item>5.2.6</item></NIST></item>
<item><Shortcode>V2.2.6</Shortcode><Ordinal>2</Ordinal><Description>Verify replay resistance through the mandated use of one-time password (OTP) devices, cryptographic authenticators, or lookup codes.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>308</item></CWE><NIST><item>5.2.8</item></NIST></item>
<item><Shortcode>V2.2.7</Shortcode><Ordinal>2</Ordinal><Description>Verify intent to authenticate by requiring the entry of an OTP token or a user-initiated action such as pressing the button on a FIDO hardware key.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>308</item></CWE><NIST><item>5.2.9</item></NIST></item>
</Items></item>
<item><Shortcode>V2.3</Shortcode><Ordinal>3</Ordinal><Name>Authenticator Lifecycle</Name><Items>
<item><Shortcode>V2.3.1</Shortcode><Ordinal>2</Ordinal><Description>Verify that system-generated initial passwords or activation codes are securely randomly generated, are at least 6 characters long, may contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long-term password.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>330</item></CWE><NIST><item>5.1.1.2</item><item>A.3</item></NIST></item>
<item><Shortcode>V2.3.2</Shortcode><Ordinal>2</Ordinal><Description>Verify that enrollment and use of user-provided authentication devices, such as U2F or FIDO tokens, are supported.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>308</item></CWE><NIST><item>6.1.3</item></NIST></item>
<item><Shortcode>V2.3.3</Shortcode><Ordinal>2</Ordinal><Description>Verify that renewal instructions are sent with sufficient time to renew time-bound authenticators.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>287</item></CWE><NIST><item>6.1.4</item></NIST></item>
</Items></item>
<item><Shortcode>V2.4</Shortcode><Ordinal>4</Ordinal><Name>Credential Storage</Name><Items>
<item><Shortcode>V2.4.1</Shortcode><Ordinal>2</Ordinal><Description>Verify that passwords are stored in a form that is resistant to offline attacks. Passwords should be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>916</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.4.2</Shortcode><Ordinal>2</Ordinal><Description>Verify that the salt is at least 32 bits in length and is chosen arbitrarily to minimize collisions among stored hash values. For each credential, a unique salt value and the resulting hash should be stored. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>916</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.4.3</Shortcode><Ordinal>2</Ordinal><Description>Verify that if PBKDF2 is used, the iteration count is as large as verification server performance allows, typically at least 100,000 iterations. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>916</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.4.4</Shortcode><Ordinal>2</Ordinal><Description>Verify that if bcrypt is used, the work factor is as large as verification server performance allows, with a minimum of 10. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>916</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.4.5</Shortcode><Ordinal>2</Ordinal><Description>Verify that an additional iteration of a key derivation function is performed using a secret salt value known only to the verifier. Generate the salt value using an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A. The secret salt value should be stored separately from the hashed passwords (e.g., in a specialized device such as a hardware security module).</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>916</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
</Items></item>
<item><Shortcode>V2.5</Shortcode><Ordinal>5</Ordinal><Name>Credential Recovery</Name><Items>
<item><Shortcode>V2.5.1</Shortcode><Ordinal>2</Ordinal><Description>Verify that a system-generated initial activation or recovery secret is not sent to the user in clear text. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>640</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.5.2</Shortcode><Ordinal>2</Ordinal><Description>Verify that password hints or knowledge-based authentication (so-called "secret questions") are not present.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>640</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.5.3</Shortcode><Ordinal>2</Ordinal><Description>Verify that password credential recovery does not reveal the current password in any way. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>640</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.5.4</Shortcode><Ordinal>2</Ordinal><Description>Verify that shared or default accounts are not present (e.g., "root", "admin", or "sa").</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>16</item></CWE><NIST><item>5.1.1.2</item><item>A.3</item></NIST></item>
<item><Shortcode>V2.5.5</Shortcode><Ordinal>2</Ordinal><Description>Verify that if an authentication factor is changed or replaced, the user is notified of this event.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>304</item></CWE><NIST><item>6.1.2.3</item></NIST></item>
<item><Shortcode>V2.5.6</Shortcode><Ordinal>2</Ordinal><Description>Verify that forgotten password and other recovery paths use a secure recovery mechanism, such as time-based OTP (TOTP) or another soft token, mobile push, or another offline recovery mechanism. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>640</item></CWE><NIST><item>5.1.1.2</item></NIST></item>
<item><Shortcode>V2.5.7</Shortcode><Ordinal>2</Ordinal><Description>Verify that if an OTP or multi-factor authentication factor is lost, identity proofing is performed at the same level as during enrollment.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>308</item></CWE><NIST><item>6.1.2.3</item></NIST></item>
</Items></item>
<item><Shortcode>V2.6</Shortcode><Ordinal>6</Ordinal><Name>Look-up Secret Verifier</Name><Items>
<item><Shortcode>V2.6.1</Shortcode><Ordinal>2</Ordinal><Description>Verify that lookup secrets can be used only once.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>308</item></CWE><NIST><item>5.1.2.2</item></NIST></item>
<item><Shortcode>V2.6.2</Shortcode><Ordinal>2</Ordinal><Description>Verify that lookup secrets have sufficient randomness (112 bits of entropy), or, if they have less than 112 bits of entropy, that they are salted with a unique and random 32-bit salt and hashed with an approved one-way hash.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>330</item></CWE><NIST><item>5.1.2.2</item></NIST></item>
<item><Shortcode>V2.6.3</Shortcode><Ordinal>2</Ordinal><Description>Verify that lookup secrets are resistant to offline attacks, such as predictable values.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>310</item></CWE><NIST><item>5.1.2.2</item></NIST></item>
</Items></item>
<item><Shortcode>V2.7</Shortcode><Ordinal>7</Ordinal><Name>带外验
证器</Name><Items><item><Shortcode>V2.7.1</Shortcode><Ordinal>2</Ordinal><Description>验证默认情况下不提供短信或PSTN等带外的明文认证器,并首先提供推送通知等更强的替代方案。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>287</item></CWE><NIST><item>5.1.3.2</item></NIST></item><item><Shortcode>V2.7.2</Shortcode><Ordinal>2</Ordinal><Description>验证带外验证器在10分钟后将带外验证请求、代码或令牌过期。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>287</item></CWE><NIST><item>5.1.3.2</item></NIST></item><item><Shortcode>V2.7.3</Shortcode><Ordinal>2</Ordinal><Description>验证带外验证器身份验证请求、代码或令牌仅可使用一次,并且仅可用于原始身份验证请求。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>287</item></CWE><NIST><item>5.1.3.2</item></NIST></item><item><Shortcode>V2.7.4</Shortcode><Ordinal>2</Ordinal><Description>验证带外验证器和验证器是否通过安全的独立信道进行通信。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>523</item></CWE><NIST><item>5.1.3.2</item></NIST></item><item><Shortcode>V2.7.5</Shortcode><Ordinal>2</Ordinal><Description>验证带外验证器只保留认证代码的散列版本。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>256</item></CWE><NIST><item>5.1.3.2</item></NIST></item><item><Shortcode>V2.7.6</Shortcode><Ordinal>2</Ordinal><Description>验证初始验证码是否由安全随机数生成器生成,包含至少 20 位熵(通常为 6 
位数字随机数即可)。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>310</item></CWE><NIST><item>5.1.3.2</item></NIST></item></Items></item><item><Shortcode>V2.8</Shortcode><Ordinal>8</Ordinal><Name>一次性验证器</Name><Items><item><Shortcode>V2.8.1</Shortcode><Ordinal>2</Ordinal><Description>验证基于时间的OTP在过期前有确定的使用寿命</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>613</item></CWE><NIST><item>5.1.4.2</item><item>5.1.5.2</item></NIST></item><item><Shortcode>V2.8.2</Shortcode><Ordinal>2</Ordinal><Description>验证用于验证提交的OTP的对称密钥是否被高度保护,例如使用硬件安全模块或基于安全操作系统的密钥存储。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>320</item></CWE><NIST><item>5.1.4.2</item><item>5.1.5.2</item></NIST></item><item><Shortcode>V2.8.3</Shortcode><Ordinal>2</Ordinal><Description>验证OTP的生成、播种和验证是否使用了经过批准的加密算法。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>326</item></CWE><NIST><item>5.1.4.2</item><item>5.1.5.2</item></NIST></item><item><Shortcode>V2.8.4</Shortcode><Ordinal>2</Ordinal><Description>验证基于时间的OTP在有效期内只能使用一次。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>287</item></CWE><NIST><item>5.1.4.2</item><item>5.1.5.2</item></NIST></item><item><Shortcode>V2.8.5</Shortcode><Ordinal>2</Ordinal><Description>验证如果基于时间的多因素OTP令牌在
有效期内被重复使用,将被记录并拒绝,同时向设备持有者发送安全通知。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>287</item></CWE><NIST><item>5.1.5.2</item></NIST></item><item><Shortcode>V2.8.6</Shortcode><Ordinal>2</Ordinal><Description>验证物理单因素OTP生成器在被盗或其他损失的情况下可以被撤销。确保撤销在登录会话中立即生效,无论在何处。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>613</item></CWE><NIST><item>5.2.1</item></NIST></item><item><Shortcode>V2.8.7</Shortcode><Ordinal>2</Ordinal><Description>验证生物特征身份验证器仅限于用作次要因素,与“你拥有的东西”和“你知道的东西”一起使用。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>Optional</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>308</item></CWE><NIST><item>5.2.3</item></NIST></item></Items></item><item><Shortcode>V2.9</Shortcode><Ordinal>9</Ordinal><Name>密码验证器</Name><Items><item><Shortcode>V2.9.1</Shortcode><Ordinal>2</Ordinal><Description>验证用于验证的加密密钥是否安全存储并防止泄露,例如使用可信平台模块(TPM)或硬件安全模块(HSM),或可以使用这种安全存储的操作系统服务。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>320</item></CWE><NIST><item>5.1.7.2</item></NIST></item><item><Shortcode>V2.9.2</Shortcode><Ordinal>2</Ordinal><Description>验证质询随机数的长度至少为 64 
位,并且在统计学上是唯一的,或在加密设备的生命周期内是唯一的。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>330</item></CWE><NIST><item>5.1.7.2</item></NIST></item><item><Shortcode>V2.9.3</Shortcode><Ordinal>2</Ordinal><Description>验证在生成、播种和验证中使用经批准的加密算法。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>327</item></CWE><NIST><item>5.1.7.2</item></NIST></item></Items></item><item><Shortcode>V2.10</Shortcode><Ordinal>10</Ordinal><Name>服务认证</Name><Items><item><Shortcode>V2.10.1</Shortcode><Ordinal>2</Ordinal><Description>验证服务内机密不依赖于不变的凭据,例如密码、API 密钥或具有特权访问权限的共享帐户。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>OS assisted</Requirement></L2><L3><Required>True</Required><Requirement>HSM</Requirement></L3><CWE><item>287</item></CWE><NIST><item>5.1.1.1</item></NIST></item><item><Shortcode>V2.10.2</Shortcode><Ordinal>2</Ordinal><Description>验证如果服务身份验证需要密码,则使用的服务帐户不是默认凭据(例如,root/root 或 admin/admin 是安装过程中某些服务的默认设置)。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>OS assisted</Requirement></L2><L3><Required>True</Required><Requirement>HSM</Requirement></L3><CWE><item>255</item></CWE><NIST><item>5.1.1.1</item></NIST></item><item><Shortcode>V2.10.3</Shortcode><Ordinal>2</Ordinal><Description>验证存储的密码是否有足够的保护,以防止离线恢复攻击,包括本地系统访问。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>OS 
assisted</Requirement></L2><L3><Required>True</Required><Requirement>HSM</Requirement></L3><CWE><item>522</item></CWE><NIST><item>5.1.1.1</item></NIST></item><item><Shortcode>V2.10.4</Shortcode><Ordinal>2</Ordinal><Description>验证密码、与数据库和第三方系统的集成、种子和内部机密以及 API 密钥都得到安全管理,不包含在源代码中或存储在源代码存储库中。 这种存储应能抵御离线攻击。建议使用安全的软件密钥存储(L1)、硬件 TPM 或 HSM(L3)来存储密码。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>OS assisted</Requirement></L2><L3><Required>True</Required><Requirement>HSM</Requirement></L3><CWE><item>798</item></CWE><NIST></NIST></item></Items></item></Items></item><item><Shortcode>V3</Shortcode><Ordinal>3</Ordinal><ShortName>Session</ShortName><Name>会话管理</Name><Items><item><Shortcode>V3.1</Shortcode><Ordinal>1</Ordinal><Name>基本会话管理安全</Name><Items><item><Shortcode>V3.1.1</Shortcode><Ordinal>3</Ordinal><Description>验证应用不会在URL参数中显示会话令牌。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>598</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V3.2</Shortcode><Ordinal>2</Ordinal><Name>会话绑定</Name><Items><item><Shortcode>V3.2.1</Shortcode><Ordinal>3</Ordinal><Description>验证应用程序在用户身份验证时,生成新的会话令牌。 ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>384</item></CWE><NIST><item>7.1</item></NIST></item><item><Shortcode>V3.2.2</Shortcode><Ordinal>3</Ordinal><Description>验证会话令牌具有至少 64 位的熵。 
([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>331</item></CWE><NIST><item>7.1</item></NIST></item><item><Shortcode>V3.2.3</Shortcode><Ordinal>3</Ordinal><Description>验证应用程序仅使用安全方法在浏览器中存储会话令牌,例如适当的 cookie保护(参见第 3.4 节)或 HTML 5 会话存储。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>539</item></CWE><NIST><item>7.1</item></NIST></item><item><Shortcode>V3.2.4</Shortcode><Ordinal>3</Ordinal><Description>验证会话令牌是使用批准的加密算法生成的。 ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>331</item></CWE><NIST><item>7.1</item></NIST></item></Items></item><item><Shortcode>V3.3</Shortcode><Ordinal>3</Ordinal><Name>会话终止</Name><Items><item><Shortcode>V3.3.1</Shortcode><Ordinal>3</Ordinal><Description>验证注销和到期是否会使会话令牌无效,以便后退按钮或下游依赖方不会恢复经身份验证过的会话。 ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>613</item></CWE><NIST><item>7.1</item></NIST></item><item><Shortcode>V3.3.2</Shortcode><Ordinal>3</Ordinal><Description>如果认证器允许用户保持登录状态,请验证在活跃使用或空闲一段时间过后,定期进行重新认证。 ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>30天</Requirement></L1><L2><Required>True</Required><Requirement>12小时 
或 30分钟不活动,可选2FA</Requirement></L2><L3><Required>True</Required><Requirement>12小时 或 15 分钟不活动,使用2FA</Requirement></L3><CWE><item>613</item></CWE><NIST><item>7.2</item></NIST></item><item><Shortcode>V3.3.3</Shortcode><Ordinal>3</Ordinal><Description>验证应用程序是否提供了在成功更改密码(包括通过密码重置/恢复)后终止所有其他活动会话的选项,并且这在应用程序、联合登录(如果存在)和任何依赖方中都是有效的。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>613</item></CWE><NIST></NIST></item><item><Shortcode>V3.3.4</Shortcode><Ordinal>3</Ordinal><Description>验证用户能够查看并(在重新输入登录凭证后)注销当前的所有活动会话和设备。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>613</item></CWE><NIST><item>7.1</item></NIST></item></Items></item><item><Shortcode>V3.4</Shortcode><Ordinal>4</Ordinal><Name>基于 Cookie 的会话管理</Name><Items><item><Shortcode>V3.4.1</Shortcode><Ordinal>3</Ordinal><Description>验证基于 cookie 的会话令牌是否设置了'Secure'属性。 ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>614</item></CWE><NIST><item>7.1.1</item></NIST></item><item><Shortcode>V3.4.2</Shortcode><Ordinal>3</Ordinal><Description>验证基于 cookie 的会话令牌是否设置了'HttpOnly'属性。 
([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1004</item></CWE><NIST><item>7.1.1</item></NIST></item><item><Shortcode>V3.4.3</Shortcode><Ordinal>3</Ordinal><Description>验证基于cookie的会话令牌是否使用了'SameSite'属性,以限制跨站点请求伪造攻击(CSRF)的风险。 ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>16</item></CWE><NIST><item>7.1.1</item></NIST></item><item><Shortcode>V3.4.4</Shortcode><Ordinal>3</Ordinal><Description>验证基于cookie的会话令牌是否使用'__Host-'前缀,这样cookie只会被发送到最初设置cookie的主机。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>16</item></CWE><NIST><item>7.1.1</item></NIST></item><item><Shortcode>V3.4.5</Shortcode><Ordinal>3</Ordinal><Description>验证如果应用程序在一个域名下发布,而其他应用程序设置或使用会话cookie(这可能会泄露会话cookie),则在基于cookie的会话令牌中设置路径属性(Path),尽可能使用最精确的路径。 
([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>16</item></CWE><NIST><item>7.1.1</item></NIST></item></Items></item><item><Shortcode>V3.5</Shortcode><Ordinal>5</Ordinal><Name>基于令牌的会话管理</Name><Items><item><Shortcode>V3.5.1</Shortcode><Ordinal>3</Ordinal><Description>验证该应用允许用户撤销与链接应用建立信任关系的OAuth令牌。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>290</item></CWE><NIST><item>7.1.2</item></NIST></item><item><Shortcode>V3.5.2</Shortcode><Ordinal>3</Ordinal><Description>验证应用程序使用会话令牌,而不是静态API密码或密钥,旧的实现除外。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>798</item></CWE><NIST></NIST></item><item><Shortcode>V3.5.3</Shortcode><Ordinal>3</Ordinal><Description>验证无状态会话令牌是否使用数字签名、加密等对策,来防止篡改、封装、重放、空密码和密钥替换等攻击。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>345</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V3.6</Shortcode><Ordinal>6</Ordinal><Name>联合重认证</Name><Items><item><Shortcode>V3.6.1</Shortcode><Ordinal>3</Ordinal><Description>验证依赖方(RP)是否指定了凭证服务提供商(CSP)的最长身份验证时间,并且如果用户在该期间内未使用会话,CSP是否会重新验证用户。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>613</item></CWE><NIST><item>7.2.1</item></NIST></item>
<item><Shortcode>V3.6.2</Shortcode><Ordinal>3</Ordinal><Description>验证凭证服务提供商(CSP)通知依赖方(RP)最后一次认证事件,以便 RP 确定他们是否需要重新认证用户。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>613</item></CWE><NIST><item>7.2.1</item></NIST></item></Items></item><item><Shortcode>V3.7</Shortcode><Ordinal>7</Ordinal><Name>针对会话管理漏洞的防御措施</Name><Items><item><Shortcode>V3.7.1</Shortcode><Ordinal>3</Ordinal><Description>在允许任何敏感交易或帐户修改之前,验证应用程序确保完整、有效的登录会话,或要求重新验证(二次验证)。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>306</item></CWE><NIST></NIST></item></Items></item></Items></item><item><Shortcode>V4</Shortcode><Ordinal>4</Ordinal><ShortName>Access</ShortName><Name>访问控制</Name><Items><item><Shortcode>V4.1</Shortcode><Ordinal>1</Ordinal><Name>通用访问控制设计</Name><Items><item><Shortcode>V4.1.1</Shortcode><Ordinal>4</Ordinal><Description>验证应用程序是否在受信任的服务层上执行访问控制规则,尤其是在有客户端访问控制并且可能被绕过的情况下。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>602</item></CWE><NIST></NIST></item><item><Shortcode>V4.1.2</Shortcode><Ordinal>4</Ordinal><Description>验证访问控制所使用的所有用户和数据属性以及策略信息,不能被最终用户操纵,除非得到特别授权。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>639</item></CWE><NIST></NIST></item><item><Shortcode>V4.1.3</Shortcode><Ordinal>4</Ordinal><Description>验证是否存在最小权限原则——用户应该只能访问他们拥有特定授权的功能、数据文件、URL、控制器、服务和其他资源。这意味着防止欺骗或特权提升。 
([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>285</item></CWE><NIST></NIST></item><item><Shortcode>V4.1.4</Shortcode><Ordinal>4</Ordinal><Description>[已删除,与 4.1.3 重复]</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>False</Required><Requirement></Requirement></L3><CWE></CWE><NIST></NIST></item><item><Shortcode>V4.1.5</Shortcode><Ordinal>4</Ordinal><Description>验证访问控制安全,在发生异常时是否失效。 ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>285</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V4.2</Shortcode><Ordinal>2</Ordinal><Name>操作级访问控制</Name><Items><item><Shortcode>V4.2.1</Shortcode><Ordinal>4</Ordinal><Description>验证敏感数据和API的保护,防止针对创建、读取、更新和删除记录的不安全直接对象引用(IDOR)攻击,如创建或更新别人的记录,查看每个人的记录或删除所有记录。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>639</item></CWE><NIST></NIST></item><item><Shortcode>V4.2.2</Shortcode><Ordinal>4</Ordinal><Description>验证应用程序或框架是否实施了强大的反 CSRF 机制来保护经过身份验证的功能,以及有效的反自动化或反 CSRF 
保护无需身份验证的功能。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>352</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V4.3</Shortcode><Ordinal>3</Ordinal><Name>其他访问控制注意事项</Name><Items><item><Shortcode>V4.3.1</Shortcode><Ordinal>4</Ordinal><Description>验证管理界面使用适当的多因素认证,防止未经授权的使用。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>419</item></CWE><NIST></NIST></item><item><Shortcode>V4.3.2</Shortcode><Ordinal>4</Ordinal><Description>验证目录浏览被禁用,除非特意需要。此外,应用程序不应允许披露文件或目录元数据,例如Thumbs.db、.DS_Store、.git或.svn文件夹。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>548</item></CWE><NIST></NIST></item><item><Shortcode>V4.3.3</Shortcode><Ordinal>4</Ordinal><Description>验证应用程序对低价值的系统有额外的授权(如升级或自适应认证),对高价值的应用程序进行职责分离,以根据应用程序和过去的欺诈风险执行反欺诈控制。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>732</item></CWE><NIST></NIST></item></Items></item></Items></item><item><Shortcode>V5</Shortcode><Ordinal>5</Ordinal><ShortName>Validation</ShortName><Name>验证、过滤和编码</Name><Items><item><Shortcode>V5.1</Shortcode><Ordinal>1</Ordinal><Name>输入验证</Name><Items><item><Shortcode>V5.1.1</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序是否有HTTP参数污染攻击的防御措施,特别是当应用程序框架没有区分请求参数的来源(GET、POST、cookies、请求头或环境变量)。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required
><Requirement>✓</Requirement></L3><CWE><item>235</item></CWE><NIST></NIST></item><item><Shortcode>V5.1.2</Shortcode><Ordinal>5</Ordinal><Description>验证框架是否能防止批量参数分配攻击,或者应用程序是否有对策来防止不安全的参数分配,如将字段标记为私有等类型。 ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>915</item></CWE><NIST></NIST></item><item><Shortcode>V5.1.3</Shortcode><Ordinal>5</Ordinal><Description>验证所有输入(HTML 表单字段、REST 请求、URL 参数、HTTP 请求头、cookies、批处理文件、RSS 源等)都使用“白名单”(允许列表)。 ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>20</item></CWE><NIST></NIST></item><item><Shortcode>V5.1.4</Shortcode><Ordinal>5</Ordinal><Description>验证结构化数据是强类型的,并根据定义的模式进行验证,包括允许的字符、长度和模式(如信用卡号码、电子邮件地址、电话号码,或验证两个相关字段是否合理,如检查郊区和邮政编码是否匹配)。 
([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>20</item></CWE><NIST></NIST></item><item><Shortcode>V5.1.5</Shortcode><Ordinal>5</Ordinal><Description>验证URL重定向和转发的目标地址都在白名单中,或者在重定向到可能不受信任的内容时显示警告。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>601</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V5.2</Shortcode><Ordinal>2</Ordinal><Name>过滤和沙盒化</Name><Items><item><Shortcode>V5.2.1</Shortcode><Ordinal>5</Ordinal><Description>验证所有来自“所见即所得”编辑器或类似的不受信任的HTML输入,都已经通过HTML过滤库或框架功能,进行了适当的净化。 ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>116</item></CWE><NIST></NIST></item><item><Shortcode>V5.2.2</Shortcode><Ordinal>5</Ordinal><Description>验证非结构化数据是否经过消毒处理,以执行安全措施,如允许的字符集和长度。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>138</item></CWE><NIST></NIST></item><item><Shortcode>V5.2.3</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序在传递给邮件系统之前,对用户的输入进行过滤,以防止SMTP或IMAP注入。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>147</item></CWE><NIST></NIST></item><item><Shortcode>V5.2.4</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序
是否避免使用eval()或其他动态代码执行功能。在没有其他选择的情况下,任何被包含的用户输入必须在执行前进行过滤或沙箱处理。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>95</item></CWE><NIST></NIST></item><item><Shortcode>V5.2.5</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序是否对相关的用户输入进行过滤或沙箱处理,来防止模板注入攻击。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>94</item></CWE><NIST></NIST></item><item><Shortcode>V5.2.6</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序是否通过验证或净化不受信任的数据或HTTP文件元数据(如文件名和URL输入字段),并使用协议、域、路径和端口的白名单,来防止SSRF攻击。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>918</item></CWE><NIST></NIST></item><item><Shortcode>V5.2.7</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序是否过滤、禁用或沙盒处理了用户提供的可扩展矢量图(SVG)脚本内容,特别是与内联脚本产生的XSS有关的内容,以及外部对象。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>159</item></CWE><NIST></NIST></item><item><Shortcode>V5.2.8</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序是否对用户提供的模板语言内容(脚本或表达式,如Markdown、CSS或XSL样式表、BBCode或类似内容)进行过滤、禁用或沙盒处理。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>94</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V5.3</Shortcode><Ordinal>3</Ordinal><Name>输出编码和预防注入</Name><Items><item><Shortcode>V5.3.1</Shortcode><Ordinal>5</Ordinal><Description>验证输出编码是否与所需的解释器和环
境相关。例如,根据HTML值、HTML属性、JavaScript、URL参数、HTTP头、SMTP等上下文的要求,使用专门的编码器,特别是来自不可信任的输入(如带有Unicode或单引号的名字,如ねこ或O'Hara)。 ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>116</item></CWE><NIST></NIST></item><item><Shortcode>V5.3.2</Shortcode><Ordinal>5</Ordinal><Description>验证输出编码是否保留了用户选择的字符集和地域,从而使任何Unicode字符点都能得到有效和安全的处理。 ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>176</item></CWE><NIST></NIST></item><item><Shortcode>V5.3.3</Shortcode><Ordinal>5</Ordinal><Description>验证上下文感知,最好是自动——或者最差也是手动——转义输出,以防止反射、存储或基于DOM的XSS。 ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>79</item></CWE><NIST></NIST></item><item><Shortcode>V5.3.4</Shortcode><Ordinal>5</Ordinal><Description>验证数据选择或数据库查询(如 SQL、HQL、ORM、NoSQL)是否使用参数化查询、ORM、实体框架,或以其他方式防止数据库注入攻击。 ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>89</item></CWE><NIST></NIST></item><item><Shortcode>V5.3.5</Shortcode><Ordinal>5</Ordinal><Description>验证在没有参数化或更安全机制的情况下,使用特定上下文的输出编码来防止注入攻击,例如使用SQL转义来防止SQL注入。 ([C3, 
C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>89</item></CWE><NIST></NIST></item><item><Shortcode>V5.3.6</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序是否可以防止JSON注入攻击、JSON eval攻击和JavaScript表达式评估。 ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>830</item></CWE><NIST></NIST></item><item><Shortcode>V5.3.7</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序可以防止LDAP注入漏洞,或者已经实施了特定的安全控制来防止LDAP注入。 ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>90</item></CWE><NIST></NIST></item><item><Shortcode>V5.3.8</Shortcode><Ordinal>5</Ordinal><Description>验证应用程序是否能防止操作系统命令注入,以及操作系统调用是否使用参数化的操作系统查询或使用上下文命令行输出编码。 
([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>78</item></CWE><NIST></NIST></item>
<item><Shortcode>V5.3.9</Shortcode><Ordinal>5</Ordinal><Description>Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>829</item></CWE><NIST></NIST></item>
<item><Shortcode>V5.3.10</Shortcode><Ordinal>5</Ordinal><Description>Verify that the application protects against XPath injection or XML injection attacks. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>643</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V5.4</Shortcode><Ordinal>4</Ordinal><Name>Memory, String, and Unmanaged Code</Name><Items><item><Shortcode>V5.4.1</Shortcode><Ordinal>5</Ordinal><Description>Verify that the application uses memory-safe strings, safer memory copying and pointer arithmetic to detect or prevent stack, buffer, or heap overflows.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>120</item></CWE><NIST></NIST></item>
<item><Shortcode>V5.4.2</Shortcode><Ordinal>5</Ordinal><Description>Verify that format strings do not take potentially hostile input, and are constant.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>134</item></CWE><NIST></NIST></item>
<item><Shortcode>V5.4.3</Shortcode><Ordinal>5</Ordinal><Description>Verify that sign, range, and input validation techniques are used to prevent integer overflows.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>190</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V5.5</Shortcode><Ordinal>5</Ordinal><Name>Deserialization Prevention</Name><Items><item><Shortcode>V5.5.1</Shortcode><Ordinal>5</Ordinal><Description>Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>502</item></CWE><NIST></NIST></item>
<item><Shortcode>V5.5.2</Shortcode><Ordinal>5</Ordinal><Description>Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and ensures that unsafe features such as resolving external entities are disabled, to prevent XML eXternal Entity (XXE) attacks.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>611</item></CWE><NIST></NIST></item>
<item><Shortcode>V5.5.3</Shortcode><Ordinal>5</Ordinal><Description>Verify that deserialization of untrusted data is avoided or restricted in both custom code and third-party libraries (such as JSON, XML and YAML parsers).</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>502</item></CWE><NIST></NIST></item>
<item><Shortcode>V5.5.4</Shortcode><Ordinal>5</Ordinal><Description>Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>95</item></CWE><NIST></NIST></item></Items></item></Items></item>
<item><Shortcode>V6</Shortcode><Ordinal>6</Ordinal><ShortName>Cryptography</ShortName><Name>Stored Cryptography</Name><Items><item><Shortcode>V6.1</Shortcode><Ordinal>1</Ordinal><Name>Data Classification</Name><Items><item><Shortcode>V6.1.1</Shortcode><Ordinal>6</Ordinal><Description>Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to the EU's GDPR.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>311</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.1.2</Shortcode><Ordinal>6</Ordinal><Description>Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>311</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.1.3</Shortcode><Ordinal>6</Ordinal><Description>Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>311</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V6.2</Shortcode><Ordinal>2</Ordinal><Name>Algorithms</Name><Items><item><Shortcode>V6.2.1</Shortcode><Ordinal>6</Ordinal><Description>Verify that all cryptographic modules fail securely, and that errors are handled in a way that does not enable Padding Oracle attacks.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>310</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.2.2</Shortcode><Ordinal>6</Ordinal><Description>Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>327</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.2.3</Shortcode><Ordinal>6</Ordinal><Description>Verify that encryption initialization vectors, cipher configuration, and block modes are configured securely using the latest advice.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>326</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.2.4</Shortcode><Ordinal>6</Ordinal><Description>Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>326</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.2.5</Shortcode><Ordinal>6</Ordinal><Description>Verify that known insecure block modes (e.g. ECB), padding modes (e.g. PKCS#1 v1.5), ciphers with small block sizes (e.g. Triple-DES, Blowfish), and weak hashing algorithms (e.g. MD5, SHA1) are not used unless required for backwards compatibility.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>326</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.2.6</Shortcode><Ordinal>6</Ordinal><Description>Verify that nonces, initialization vectors, and other single-use numbers are not used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>326</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.2.7</Shortcode><Ordinal>6</Ordinal><Description>Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>326</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.2.8</Shortcode><Ordinal>6</Ordinal><Description>Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in comparisons, calculations, or returns, to avoid leaking information.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>385</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V6.3</Shortcode><Ordinal>3</Ordinal><Name>Random Values</Name><Items><item><Shortcode>V6.3.1</Shortcode><Ordinal>6</Ordinal><Description>Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>338</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.3.2</Shortcode><Ordinal>6</Ordinal><Description>Verify that random GUIDs are created using the GUID v4 algorithm and a Cryptographically Secure Pseudo-random Number Generator (CSPRNG). GUIDs created using other pseudo-random number generators may be predictable.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>338</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.3.3</Shortcode><Ordinal>6</Ordinal><Description>Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>338</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V6.4</Shortcode><Ordinal>4</Ordinal><Name>Secret Management</Name><Items><item><Shortcode>V6.4.1</Shortcode><Ordinal>6</Ordinal><Description>Verify that a secrets management solution, such as a key vault, is used to securely create, store, control access to, and destroy secrets. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>798</item></CWE><NIST></NIST></item>
<item><Shortcode>V6.4.2</Shortcode><Ordinal>6</Ordinal><Description>Verify that key material is not exposed to the application, and that an isolated security module such as a vault is used for cryptographic operations instead. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>320</item></CWE><NIST></NIST></item></Items></item></Items></item>
<item><Shortcode>V7</Shortcode><Ordinal>7</Ordinal><ShortName>Error</ShortName><Name>Error Handling and Logging</Name><Items><item><Shortcode>V7.1</Shortcode><Ordinal>1</Ordinal><Name>Log Content</Name><Items><item><Shortcode>V7.1.1</Shortcode><Ordinal>7</Ordinal><Description>Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. ([C9, C10](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>532</item></CWE><NIST></NIST></item>
<item><Shortcode>V7.1.2</Shortcode><Ordinal>7</Ordinal><Description>Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>532</item></CWE><NIST></NIST></item>
<item><Shortcode>V7.1.3</Shortcode><Ordinal>7</Ordinal><Description>Verify that the application logs security relevant events, including successful and failed authentication events, access control failures, deserialization failures and input validation failures. ([C5, C7](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>778</item></CWE><NIST></NIST></item>
<item><Shortcode>V7.1.4</Shortcode><Ordinal>7</Ordinal><Description>Verify that each log event includes the information necessary to allow a detailed investigation of the timeline when an incident occurs. 
([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>778</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V7.2</Shortcode><Ordinal>2</Ordinal><Name>Log Processing</Name><Items><item><Shortcode>V7.2.1</Shortcode><Ordinal>7</Ordinal><Description>Verify that all authentication decisions are logged, without storing sensitive session tokens or passwords. This should include requests with the relevant metadata needed for security investigations.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>778</item></CWE><NIST></NIST></item>
<item><Shortcode>V7.2.2</Shortcode><Ordinal>7</Ordinal><Description>Verify that all access control decisions can be logged and that all failed decisions are logged. This should include requests with the relevant metadata needed for security investigations.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>285</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V7.3</Shortcode><Ordinal>3</Ordinal><Name>Log Protection</Name><Items><item><Shortcode>V7.3.1</Shortcode><Ordinal>7</Ordinal><Description>Verify that all logging components appropriately encode data to prevent log injection. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>117</item></CWE><NIST></NIST></item>
<item><Shortcode>V7.3.2</Shortcode><Ordinal>7</Ordinal><Description>[DELETED, DUPLICATE OF 7.3.1]</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>False</Required><Requirement></Requirement></L3><CWE></CWE><NIST></NIST></item>
<item><Shortcode>V7.3.3</Shortcode><Ordinal>7</Ordinal><Description>Verify that security logs are protected from unauthorized access and modification. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>200</item></CWE><NIST></NIST></item>
<item><Shortcode>V7.3.4</Shortcode><Ordinal>7</Ordinal><Description>Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global, to assist with post-incident forensic analysis. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V7.4</Shortcode><Ordinal>4</Ordinal><Name>Error Handling</Name><Items><item><Shortcode>V7.4.1</Shortcode><Ordinal>7</Ordinal><Description>Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>210</item></CWE><NIST></NIST></item>
<item><Shortcode>V7.4.2</Shortcode><Ordinal>7</Ordinal><Description>Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions. 
([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>544</item></CWE><NIST></NIST></item>
<item><Shortcode>V7.4.3</Shortcode><Ordinal>7</Ordinal><Description>Verify that a "last resort" error handler is defined which will catch all unhandled exceptions. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>431</item></CWE><NIST></NIST></item></Items></item></Items></item>
<item><Shortcode>V8</Shortcode><Ordinal>8</Ordinal><ShortName>Data</ShortName><Name>Data Protection</Name><Items><item><Shortcode>V8.1</Shortcode><Ordinal>1</Ordinal><Name>General Data Protection</Name><Items><item><Shortcode>V8.1.1</Shortcode><Ordinal>8</Ordinal><Description>Verify that the application protects sensitive data from being cached in server components such as load balancers and application caches.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>524</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.1.2</Shortcode><Ordinal>8</Ordinal><Description>Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access, or purged/invalidated after the authorized user accesses the sensitive data.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>524</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.1.3</Shortcode><Ordinal>8</Ordinal><Description>Verify that the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>233</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.1.4</Shortcode><Ordinal>8</Ordinal><Description>Verify that the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever metric makes sense for the application.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>770</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.1.5</Shortcode><Ordinal>8</Ordinal><Description>Verify that regular backups of important data are performed and that test restoration of data is performed.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>19</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.1.6</Shortcode><Ordinal>8</Ordinal><Description>Verify that backups are stored securely to prevent data from being stolen or corrupted.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>19</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V8.2</Shortcode><Ordinal>2</Ordinal><Name>Client-side Data Protection</Name><Items><item><Shortcode>V8.2.1</Shortcode><Ordinal>8</Ordinal><Description>Verify that the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>525</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.2.2</Shortcode><Ordinal>8</Ordinal><Description>Verify that data stored in browser storage (such as localStorage, sessionStorage, IndexedDB, or cookies) does not contain sensitive data.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>922</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.2.3</Shortcode><Ordinal>8</Ordinal><Description>Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>922</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V8.3</Shortcode><Ordinal>3</Ordinal><Name>Sensitive Private Data</Name><Items><item><Shortcode>V8.3.1</Shortcode><Ordinal>8</Ordinal><Description>Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters of any HTTP method do not contain sensitive data.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>319</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.3.2</Shortcode><Ordinal>8</Ordinal><Description>Verify that users have a method to remove or export their data on demand.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>212</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.3.3</Shortcode><Ordinal>8</Ordinal><Description>Verify that users are provided clear language regarding the collection and use of their personal information, and that users have provided opt-in consent before that data is used in any way.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>285</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.3.4</Shortcode><Ordinal>8</Ordinal><Description>Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data. 
([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>200</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.3.5</Shortcode><Ordinal>8</Ordinal><Description>Verify that access to sensitive data is audited (without logging the sensitive data itself) if the data is collected under relevant data protection directives or where logging of access is required.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>532</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.3.6</Shortcode><Ordinal>8</Ordinal><Description>Verify that sensitive information contained in memory is overwritten (with zeroes or random data) as soon as it is no longer required, to mitigate memory dumping attacks.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>226</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.3.7</Shortcode><Ordinal>8</Ordinal><Description>Verify that sensitive or private information that is required to be encrypted is encrypted using approved algorithms that provide both confidentiality and integrity. 
([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>327</item></CWE><NIST></NIST></item>
<item><Shortcode>V8.3.8</Shortcode><Ordinal>8</Ordinal><Description>Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>285</item></CWE><NIST></NIST></item></Items></item></Items></item>
<item><Shortcode>V9</Shortcode><Ordinal>9</Ordinal><ShortName>Communications</ShortName><Name>Communication</Name><Items><item><Shortcode>V9.1</Shortcode><Ordinal>1</Ordinal><Name>Client Communication Security</Name><Items><item><Shortcode>V9.1.1</Shortcode><Ordinal>9</Ordinal><Description>Verify that TLS is used for all client connectivity, and does not fall back to insecure or unencrypted communications. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>319</item></CWE><NIST></NIST></item>
<item><Shortcode>V9.1.2</Shortcode><Ordinal>9</Ordinal><Description>Verify, using up to date TLS testing tools, that only strong cipher suites are enabled, with the strongest cipher suites set as preferred.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>326</item></CWE><NIST></NIST></item>
<item><Shortcode>V9.1.3</Shortcode><Ordinal>9</Ordinal><Description>Verify that only the latest recommended versions of the TLS protocol are enabled, such as TLS 1.2 and TLS 1.3. The latest version of the TLS protocol should be the preferred option.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>326</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V9.2</Shortcode><Ordinal>2</Ordinal><Name>Server Communication Security</Name><Items><item><Shortcode>V9.2.1</Shortcode><Ordinal>9</Ordinal><Description>Verify that connections to the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>295</item></CWE><NIST></NIST></item>
<item><Shortcode>V9.2.2</Shortcode><Ordinal>9</Ordinal><Description>Verify that encrypted communications such as TLS are used for all inbound and outbound connections, including management ports, monitoring, authentication, API or web service calls, database, cloud, serverless, mainframe, external and partner connections. The server must not fall back to insecure or unencrypted protocols.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>319</item></CWE><NIST></NIST></item>
<item><Shortcode>V9.2.3</Shortcode><Ordinal>9</Ordinal><Description>Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>287</item></CWE><NIST></NIST></item>
<item><Shortcode>V9.2.4</Shortcode><Ordinal>9</Ordinal><Description>Verify that proper certificate revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>299</item></CWE><NIST></NIST></item>
<item><Shortcode>V9.2.5</Shortcode><Ordinal>9</Ordinal><Description>Verify that backend TLS connection failures are logged.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>544</item></CWE><NIST></NIST></item></Items></item></Items></item>
<item><Shortcode>V10</Shortcode><Ordinal>10</Ordinal><ShortName>Malicious</ShortName><Name>Malicious Code</Name><Items><item><Shortcode>V10.1</Shortcode><Ordinal>1</Ordinal><Name>Code Integrity</Name><Items><item><Shortcode>V10.1.1</Shortcode><Ordinal>10</Ordinal><Description>Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>749</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V10.2</Shortcode><Ordinal>2</Ordinal><Name>Malicious Code Search</Name><Items><item><Shortcode>V10.2.1</Shortcode><Ordinal>10</Ordinal><Description>Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. Where such functionality exists, obtain the user's permission for it to operate before collecting any data.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>359</item></CWE><NIST></NIST></item>
<item><Shortcode>V10.2.2</Shortcode><Ordinal>10</Ordinal><Description>Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>272</item></CWE><NIST></NIST></item>
<item><Shortcode>V10.2.3</Shortcode><Ordinal>10</Ordinal><Description>Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>507</item></CWE><NIST></NIST></item>
<item><Shortcode>V10.2.4</Shortcode><Ordinal>10</Ordinal><Description>Verify that the application source code and third party libraries do not contain time bombs by searching for date and time related functions.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>511</item></CWE><NIST></NIST></item>
<item><Shortcode>V10.2.5</Shortcode><Ordinal>10</Ordinal><Description>Verify that the application source code and third party libraries do not contain malicious code, such as salami attacks, logic bypasses, or logic bombs.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>511</item></CWE><NIST></NIST></item>
<item><Shortcode>V10.2.6</Shortcode><Ordinal>10</Ordinal><Description>Verify that the application source code and third party libraries do not contain Easter eggs or any other potentially unwanted functionality.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>507</item></CWE><NIST></NIST></item></Items></item>
<item><Shortcode>V10.3</Shortcode><Ordinal>3</Ordinal><Name>Application Integrity</Name><Items><item><Shortcode>V10.3.1</Shortcode><Ordinal>10</Ordinal><Description>Verify that if the application has a client or server auto-update feature, updates are obtained over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>16</item></CWE><NIST></NIST></item>
<item><Shortcode>V10.3.2</Shortcode><Ordinal>10</Ordinal><Description>Verify that the application employs integrity protections, such as code signing or subresource integrity. The application must not load or execute code from untrusted sources, such as loading modules, plugins, code, or libraries from untrusted sources or the Internet.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>353</item></CWE><NIST></NIST></item>
<item><Shortcode>V10.3.3</Shortcode><Ordinal>10</Ordinal><Description>Verify that the application has protection from subdomain takeovers if it relies upon DNS entries or DNS subdomains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repositories, or transient cloud APIs, serverless functions, or storage buckets (*autogen-bucket-id*.cloud.example.com) or similar. Protections can include ensuring that DNS names used by the application are regularly checked for expiry or change.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>350</item></CWE><NIST></NIST></item></Items></item></Items></item>
<item><Shortcode>V11</Shortcode><Ordinal>11</Ordinal><ShortName>BusLogic</ShortName><Name>Business Logic</Name><Items><item><Shortcode>V11.1</Shortcode><Ordinal>1</Ordinal><Name>Business Logic Security</Name><Items><item><Shortcode>V11.1.1</Shortcode><Ordinal>11</Ordinal><Description>Verify that the application will only process business logic flows for the same user in sequential step order and without skipping steps.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>841</item></CWE><NIST></NIST></item>
<item><Shortcode>V11.1.2</Shortcode><Ordinal>11</Ordinal><Description>Verify that the application will only process business logic flows with all steps being processed in realistic human time, i.e. transactions are not submitted too quickly.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>799</item></CWE><NIST></NIST></item>
<item><Shortcode>V11.1.3</Shortcode><Ordinal>11</Ordinal><Description>Verify that the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>770</item></CWE><NIST></NIST></item>
<item><Shortcode>V11.1.4</Shortcode><Ordinal>11</Ordinal><Description>Verify that the application has anti-automation controls to protect against excessive calls such as mass data exfiltration, business logic requests, file uploads or denial of service attacks.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>770</item></CWE><NIST></NIST></item>
<item><Shortcode>V11.1.5</Shortcode><Ordinal>11</Ordinal><Description>Verify that the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modeling or similar methodologies.</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>841</item></CWE><NIST></NIST></item>
<item><Shortcode>V11.1.6</Shortcode><Ordinal>11</Ordinal><Description>Verify whether the application is affected by TOCTOU (Time Of Check to Time Of Use) issues or other race conditions in sensitive operations.</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>367</item></CWE><NIST></NIST></item>
<item><Shortcode>V11.1.7</Shortcode><Ordinal>11</Ordinal><Description>Verify that the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt. 
([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>754</item></CWE><NIST></NIST></item><item><Shortcode>V11.1.8</Shortcode><Ordinal>11</Ordinal><Description>验证应用程序在检测到自动化攻击或异常活动时,具有可配置的警报。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>390</item></CWE><NIST></NIST></item></Items></item></Items></item><item><Shortcode>V12</Shortcode><Ordinal>12</Ordinal><ShortName>Files</ShortName><Name>文件和资源</Name><Items><item><Shortcode>V12.1</Shortcode><Ordinal>1</Ordinal><Name>文件上传</Name><Items><item><Shortcode>V12.1.1</Shortcode><Ordinal>12</Ordinal><Description>确认应用程序不会接受可能会填满存储空间或导致拒绝服务的大文件。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>400</item></CWE><NIST></NIST></item><item><Shortcode>V12.1.2</Shortcode><Ordinal>12</Ordinal><Description>验证应用程序在解压缩文件前,根据允许的最大解压缩尺寸和最大文件数检查压缩文件(如zip,gz,docx,odt)。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>409</item></CWE><NIST></NIST></item><item><Shortcode>V12.1.3</Shortcode><Ordinal>12</Ordinal><Description>验证文件大小配额和每个用户的最大文件数是否被强制执行,以确保单个用户不能用过多的文件或过大的文件填满存储。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>770</item></CWE><NIST></NIST></item></Items></item><item><Shortc
ode>V12.2</Shortcode><Ordinal>2</Ordinal><Name>文件完整性</Name><Items><item><Shortcode>V12.2.1</Shortcode><Ordinal>12</Ordinal><Description>验证从不可信任的来源获得的文件,根据文件的内容,验证其是否为预期类型。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>434</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V12.3</Shortcode><Ordinal>3</Ordinal><Name>文件执行</Name><Items><item><Shortcode>V12.3.1</Shortcode><Ordinal>12</Ordinal><Description>验证系统或框架文件系统不直接使用用户提交的文件名元数据,并且使用 URL API 来防止路径遍历。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>22</item></CWE><NIST></NIST></item><item><Shortcode>V12.3.2</Shortcode><Ordinal>12</Ordinal><Description>验证用户提交的文件名元数据是否经过验证或忽略,以防止通过本地文件包含(LFI) 泄露、创建、更新或删除本地文件。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>73</item></CWE><NIST></NIST></item><item><Shortcode>V12.3.3</Shortcode><Ordinal>12</Ordinal><Description>验证用户提交的文件名元数据是否经过验证或忽略,以防止通过远程文件包含(Remote File Inclusion,RFI)或服务器端请求伪造攻击(server - Server Side Request Forgery,SSRF)泄露或执行远程文件。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>98</item></CWE><NIST></NIST></item><item><Shortcode>V12.3.4</Shortcode><Ordinal>12</Ordinal><Description>验证应用程序通过验证或忽略用户提交的JSON、JSONP或URL参数中的文件名来防止反射文件下载(RFD),响应的Content-Type头应该设置为 
text/plain,而Content-Disposition头应该有一个固定的文件名。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>641</item></CWE><NIST></NIST></item><item><Shortcode>V12.3.5</Shortcode><Ordinal>12</Ordinal><Description>验证未受信任的文件元数据不直接用于系统API或库,以防止操作系统命令注入。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>78</item></CWE><NIST></NIST></item><item><Shortcode>V12.3.6</Shortcode><Ordinal>12</Ordinal><Description>验证应用程序不包含或执行不可信任来源的功能,如未经验证的内容分发网络、JavaScript 库、node npm 库或服务器端 DLL。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>829</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V12.4</Shortcode><Ordinal>4</Ordinal><Name>文件存储</Name><Items><item><Shortcode>V12.4.1</Shortcode><Ordinal>12</Ordinal><Description>验证从不受信任的来源获得的文件是否存储在 Web 
根目录之外,并具有有限的权限。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>552</item></CWE><NIST></NIST></item><item><Shortcode>V12.4.2</Shortcode><Ordinal>12</Ordinal><Description>验证从不受信任的来源获得的文件是否已被防病毒扫描程序扫描,以防止上传和提供已知的恶意内容。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>509</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V12.5</Shortcode><Ordinal>5</Ordinal><Name>文件下载</Name><Items><item><Shortcode>V12.5.1</Shortcode><Ordinal>12</Ordinal><Description>验证网络层是否被配置为只提供具有特定文件扩展名的文件,以防止意外信息和源代码泄漏。例如,除非有需要,应阻止提供备份文件(如.bak)、临时工作文件(如.swp)、压缩文件(.zip、.tar.gz等)以及其他编辑人员常用的扩展名。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>552</item></CWE><NIST></NIST></item><item><Shortcode>V12.5.2</Shortcode><Ordinal>12</Ordinal><Description>验证对上传文件的直接请求永远不会作为 HTML/JavaScript 内容执行。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>434</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V12.6</Shortcode><Ordinal>6</Ordinal><Name>SSRF保护</Name><Items><item><Shortcode>V12.6.1</Shortcode><Ordinal>12</Ordinal><Description>验证 Web 
或应用程序服务器是否配置了资源或系统的白名单列表,服务器可以向其发送请求或加载数据/文件。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>918</item></CWE><NIST></NIST></item></Items></item></Items></item><item><Shortcode>V13</Shortcode><Ordinal>13</Ordinal><ShortName>API</ShortName><Name>API和Web Service</Name><Items><item><Shortcode>V13.1</Shortcode><Ordinal>1</Ordinal><Name>通用Web Service安全</Name><Items><item><Shortcode>V13.1.1</Shortcode><Ordinal>13</Ordinal><Description>验证所有应用程序组件使用相同的编码和解析器,以避免利用不同的URI或文件解析特性的攻击(这些解析特性可能被用于SSRF和RFI攻击)。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>116</item></CWE><NIST></NIST></item><item><Shortcode>V13.1.2</Shortcode><Ordinal>13</Ordinal><Description>[已删除,与 4.3.1 重复]</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>False</Required><Requirement></Requirement></L3><CWE></CWE><NIST></NIST></item><item><Shortcode>V13.1.3</Shortcode><Ordinal>13</Ordinal><Description>验证 API URL不公开敏感信息,例如 API 
密钥、会话令牌等。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>598</item></CWE><NIST></NIST></item><item><Shortcode>V13.1.4</Shortcode><Ordinal>13</Ordinal><Description>验证授权决策是同时在URI(由程序性或声明性的控制器或路由安全执行)和资源层面(由基于模型的权限执行)做出的。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>285</item></CWE><NIST></NIST></item><item><Shortcode>V13.1.5</Shortcode><Ordinal>13</Ordinal><Description>验证包含意外或缺少内容类型的请求是否通过适当的响应头拒绝(HTTP 响应状态 406 Unacceptable 或 415 Unsupported Media Type)。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>434</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V13.2</Shortcode><Ordinal>2</Ordinal><Name>RESTful Web Service</Name><Items><item><Shortcode>V13.2.1</Shortcode><Ordinal>13</Ordinal><Description>验证启用的RESTful HTTP方法对用户或操作来说是有效的选择,例如防止普通用户在受保护的API或资源上使用DELETE或PUT。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>650</item></CWE><NIST></NIST></item><item><Shortcode>V13.2.2</Shortcode><Ordinal>13</Ordinal><Description>验证 JSON 模式验证是否到位,并在接受输入之前进行验证。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>20</item></CWE><NIST></NIST></item><item><Shortcode>V13.2.3</Shortcode><Ordinal>13</Ordinal><Description>通过使用以下至少一项或多项来验证使用 cookie 的 RESTful Web 
services是否受到跨站点请求伪造(CSRF)的保护:双重提交 cookie 模式、CSRF 随机数或 Origin 请求头检查。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>352</item></CWE><NIST></NIST></item><item><Shortcode>V13.2.4</Shortcode><Ordinal>13</Ordinal><Description>[已删除,与 11.1.4 重复]</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>False</Required><Requirement></Requirement></L3><CWE></CWE><NIST></NIST></item><item><Shortcode>V13.2.5</Shortcode><Ordinal>13</Ordinal><Description>验证REST服务明确检查传入的Content-Type是否为预期类型,如application/xml或application/json。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>436</item></CWE><NIST></NIST></item><item><Shortcode>V13.2.6</Shortcode><Ordinal>13</Ordinal><Description>验证消息头和有效载荷是可信的,在传输过程中没有被修改。在许多情况下,要求对传输进行强加密(仅TLS)可能就足够了,因为它同时提供保密性和完整性保护。每条信息的数字签名可以在传输保护的基础上,为高安全性的应用提供额外的保证,但也带来了额外的复杂性和风险,需要权衡利弊。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>345</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V13.3</Shortcode><Ordinal>3</Ordinal><Name>SOAP Web Service</Name><Items><item><Shortcode>V13.3.1</Shortcode><Ordinal>13</Ordinal><Description>验证是否进行了 XSD 模式验证以确保 XML 
文档格式正确,然后在对该数据进行任何处理之前验证每个输入字段。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>20</item></CWE><NIST></NIST></item><item><Shortcode>V13.3.2</Shortcode><Ordinal>13</Ordinal><Description>验证消息负载是否使用 WS-Security 进行签名,以确保客户端和service之间的可靠传输。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>345</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V13.4</Shortcode><Ordinal>4</Ordinal><Name>GraphQL</Name><Items><item><Shortcode>V13.4.1</Shortcode><Ordinal>13</Ordinal><Description>验证是否使用查询白名单或深度和数量限制的组合,来防止昂贵的嵌套查询,导致对 GraphQL 或数据层表达式的拒绝服务(DoS)。对于更高级的场景,应该使用查询成本分析。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>770</item></CWE><NIST></NIST></item><item><Shortcode>V13.4.2</Shortcode><Ordinal>13</Ordinal><Description>验证 GraphQL 或其他数据层的授权逻辑应在业务逻辑层,而不是 GraphQL 层实现。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>285</item></CWE><NIST></NIST></item></Items></item></Items></item><item><Shortcode>V14</Shortcode><Ordinal>14</Ordinal><ShortName>Config</ShortName><Name>配置</Name><Items><item><Shortcode>V14.1</Shortcode><Ordinal>1</Ordinal><Name>构建和部署</Name><Items><item><Shortcode>V14.1.1</Shortcode><Ordinal>14</Ordinal><Description>验证应用程序的构建和部署过程是以安全和可重复的方式进行的,如 CI / CD 
自动化、自动配置管理和自动部署脚本。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item><item><Shortcode>V14.1.2</Shortcode><Ordinal>14</Ordinal><Description>验证编译器标志的配置是否配置为启用所有可用的缓冲区溢出保护和警告,包括堆栈随机化、数据执行保护,并在发现不安全的指针、内存、格式字符串、整数或字符串操作时中断构建。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>120</item></CWE><NIST></NIST></item><item><Shortcode>V14.1.3</Shortcode><Ordinal>14</Ordinal><Description>验证服务器配置是否按照应用程序服务器和所使用框架的建议进行了加固。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>16</item></CWE><NIST></NIST></item><item><Shortcode>V14.1.4</Shortcode><Ordinal>14</Ordinal><Description>验证应用程序、配置和所有依赖项是否可以使用自动部署脚本重新部署、在合理的时间内根据记录和测试的运行手册构建,或者及时从备份中恢复。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item><item><Shortcode>V14.1.5</Shortcode><Ordinal>14</Ordinal><Description>验证授权管理员可以验证所有安全相关配置的完整性,以发现篡改行为。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item></Items></item><item><Shortcode>V14.2</Shortcode><Ordinal>2</Ordinal><Name>依赖</Name><Items><item><Shortcode>V14.2.1</Shortcode><Ordinal>14</Ordinal><Description>验证所有组件都是最新的,最好是在构建或编译时使用依赖检查工具。 
([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1026</item></CWE><NIST></NIST></item><item><Shortcode>V14.2.2</Shortcode><Ordinal>14</Ordinal><Description>验证所有不需要的功能、文档、示例应用程序和配置均已被删除。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1002</item></CWE><NIST></NIST></item><item><Shortcode>V14.2.3</Shortcode><Ordinal>14</Ordinal><Description>应用资产,例如JavaScript库、CSS或网页字体,如果被托管在外部的内容分发网络(CDN)或供应商,则验证使用子资源完整性(SRI)来验证该资产的完整性。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>829</item></CWE><NIST></NIST></item><item><Shortcode>V14.2.4</Shortcode><Ordinal>14</Ordinal><Description>验证第三方组件来自预先定义的、可信的和持续维护的资源库。 ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>829</item></CWE><NIST></NIST></item><item><Shortcode>V14.2.5</Shortcode><Ordinal>14</Ordinal><Description>验证是否维护了正在使用中的所有第三方库的软件材料清单(SBOM)。 ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE></CWE><NIST></NIST></item><item><Shortcode>V14.2.6</Shortcode><Ordinal>14</Ordinal><Description>验证通过沙盒或封装第三方库来减少攻击面,只将必需的行为暴露在应用程序中。 
([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>265</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V14.3</Shortcode><Ordinal>3</Ordinal><Name>意外安全泄露</Name><Items><item><Shortcode>V14.3.1</Shortcode><Ordinal>14</Ordinal><Description>[已删除,与 7.4.1 重复]</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>False</Required><Requirement></Requirement></L2><L3><Required>False</Required><Requirement></Requirement></L3><CWE></CWE><NIST></NIST></item><item><Shortcode>V14.3.2</Shortcode><Ordinal>14</Ordinal><Description>验证Web或应用服务器和应用框架的调试模式在生产中是否被禁用,以消除调试功能、开发人员控制台和非预期的安全披露。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>497</item></CWE><NIST></NIST></item><item><Shortcode>V14.3.3</Shortcode><Ordinal>14</Ordinal><Description>验证HTTP标头或HTTP响应的任何部分不暴露系统组件的详细版本信息。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>200</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V14.4</Shortcode><Ordinal>4</Ordinal><Name>HTTP 安全标头</Name><Items><item><Shortcode>V14.4.1</Shortcode><Ordinal>14</Ordinal><Description>验证每个HTTP响应都包含一个 Content-Type 头。如果内容类型是 text/* 、 /+xml 和 application/xml 
,还要指定一个安全的字符集(如UTF-8,ISO-8859-1)。内容必须与提供的Content-Type头相匹配。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>173</item></CWE><NIST></NIST></item><item><Shortcode>V14.4.2</Shortcode><Ordinal>14</Ordinal><Description>验证所有 API 响应是否包含 Content-Disposition: attachment; filename="api.json" 标头(或内容类型的其他适当文件名)。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>116</item></CWE><NIST></NIST></item><item><Shortcode>V14.4.3</Shortcode><Ordinal>14</Ordinal><Description>验证内容安全策略(CSP)响应标头是否到位,有助于减轻对 HTML、DOM、JSON 和 JavaScript 注入漏洞等 XSS 攻击的影响。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1021</item></CWE><NIST></NIST></item><item><Shortcode>V14.4.4</Shortcode><Ordinal>14</Ordinal><Description>验证所有响应是否包含 X-Content-Type-Options: nosniff 标头。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>116</item></CWE><NIST></NIST></item><item><Shortcode>V14.4.5</Shortcode><Ordinal>14</Ordinal><Description>验证所有响应和所有子域中是否包含 Strict-Transport-Security 标头,例如 Strict-Transport-Security: max-age=15724800; includeSubdomains。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>523</item></CWE><NIST></NIST></item><item><Shortcode>V14.4.6</Shortcode><Ordinal>14</Ordinal><Description>验证是否包含合适的 Referrer-Policy 标头,以避免通过 
Referer 标头将 URL 中的敏感信息暴露给不受信任的各方。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>116</item></CWE><NIST></NIST></item><item><Shortcode>V14.4.7</Shortcode><Ordinal>14</Ordinal><Description>验证网络应用程序的内容在默认情况下不能被嵌入第三方网站,只有在必要时,才允许使用合适的Content-Security-Policy: frame-ancestors和X-Frame-Options响应头嵌入确切的资源。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>1021</item></CWE><NIST></NIST></item></Items></item><item><Shortcode>V14.5</Shortcode><Ordinal>5</Ordinal><Name>HTTP 请求头验证</Name><Items><item><Shortcode>V14.5.1</Shortcode><Ordinal>14</Ordinal><Description>验证应用服务器只接受应用/API使用的HTTP方法,包括预检请求的OPTIONS,并对使应用上下文无效的请求进行记录/警告。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>749</item></CWE><NIST></NIST></item><item><Shortcode>V14.5.2</Shortcode><Ordinal>14</Ordinal><Description>验证提供的 Origin 标头是否不用于身份验证或访问控制决策,因为 Origin 标头很容易被攻击者更改。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>346</item></CWE><NIST></NIST></item><item><Shortcode>V14.5.3</Shortcode><Ordinal>14</Ordinal><Description>验证跨域资源共享(CORS)的 Access-Control-Allow-Origin 
标头是否使用受信任域和子域的严格白名单匹配。并且不支持'null'源。</Description><L1><Required>True</Required><Requirement>✓</Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>346</item></CWE><NIST></NIST></item><item><Shortcode>V14.5.4</Shortcode><Ordinal>14</Ordinal><Description>验证由受信任的代理或 SSO 设备添加的 HTTP 标头(例如bearer令牌)是否已通过应用程序的身份验证。</Description><L1><Required>False</Required><Requirement></Requirement></L1><L2><Required>True</Required><Requirement>✓</Requirement></L2><L3><Required>True</Required><Requirement>✓</Requirement></L3><CWE><item>306</item></CWE><NIST></NIST></item></Items></item></Items></item></Requirements></root>
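<!--
Added example for V11.1.1 and V11.1.2 (sequential, human-paced business logic flows). This is editor-supplied illustration code, not part of the ASVS document or the OWASP project's code base. The checkout steps, the 2-second minimum gap and the user identifiers are assumptions; a real application would track flow state in its session store.

```python
"""Sequential, human-paced business flows enforced server-side (ASVS V11.1.1, V11.1.2)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical checkout flow: the steps and the order a user must complete them in.
CHECKOUT_STEPS = ("cart", "shipping", "payment", "confirm")
MIN_SECONDS_BETWEEN_STEPS = 2.0   # assumed: anything faster is a script, not a person


class FlowViolation(Exception):
    """Step out of order, replayed, or submitted faster than a human could."""


@dataclass
class FlowState:
    completed: List[str] = field(default_factory=list)
    last_step_at: Optional[float] = None


class ManualClock:
    """Deterministic clock for tests: advance `t` by hand instead of sleeping."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class FlowEnforcer:
    """Tracks each user's position in the flow on the server. The client is never asked
    which step it is on, so hidden form fields or reordered requests cannot skip one."""

    def __init__(self, steps=CHECKOUT_STEPS, min_gap: float = MIN_SECONDS_BETWEEN_STEPS,
                 clock: Callable[[], float] = time.monotonic):
        self.steps = tuple(steps)
        self.min_gap = min_gap
        self.clock = clock                      # injectable for deterministic tests
        self._state: Dict[str, FlowState] = {}

    def submit(self, user_id: str, step: str) -> List[str]:
        """Accept `step` for `user_id` and return the steps completed so far."""
        st = self._state.setdefault(user_id, FlowState())
        expected = self.steps[len(st.completed)]
        if step != expected:
            # Rejects skipping ahead (cart, then confirm) and replaying an earlier step alike.
            raise FlowViolation(f"expected step {expected!r}, got {step!r}")
        now = self.clock()
        if st.last_step_at is not None and now - st.last_step_at < self.min_gap:
            raise FlowViolation(f"step {step!r} submitted too quickly after the previous one")
        st.completed.append(step)
        st.last_step_at = now
        done = list(st.completed)
        if len(done) == len(self.steps):
            del self._state[user_id]            # finished: the same flow cannot be replayed
        return done

    def is_rejected(self, user_id: str, step: str) -> bool:
        """Convenience for tests and monitoring hooks: True if submit() raised."""
        try:
            self.submit(user_id, step)
            return False
        except FlowViolation:
            return True
```

Every rejection here is also the kind of "action out of order" event V11.1.7 asks the application to monitor, so a production version would log the user, expected step and received step at each raise.
-->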
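<!--
Added example for V11.1.6 (TOCTOU and race conditions in sensitive operations). Editor-supplied, not part of the ASVS document or OWASP's code. The account table is constructed in an in-memory SQLite database, and the interleaving is simulated with a callback rather than real threads so that the race reproduces deterministically; the fix shown (a conditional UPDATE checked via rowcount) is one of several, alongside SELECT FOR UPDATE in a transaction or optimistic versioning.

```python
"""Check-then-act race on an account balance and its atomic fix (ASVS V11.1.6)."""
import sqlite3
from typing import Callable, Optional


def new_bank() -> sqlite3.Connection:
    """Constructed fixture: account 1 holds 100. Autocommit mirrors many ORM defaults."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES (1, 100)")
    return conn


def balance(conn: sqlite3.Connection, acct: int) -> int:
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()[0]


def withdraw_racy(conn, acct: int, amount: int,
                  between: Optional[Callable[[], None]] = None) -> bool:
    """VULNERABLE: the check (SELECT) and the use (UPDATE) are separate statements.
    `between` stands in for whatever another request manages to do in that window."""
    if balance(conn, acct) < amount:              # time of check
        return False
    if between:
        between()                                 # a concurrent withdrawal lands here
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                 (amount, acct))                  # time of use: the check is stale
    return True


def withdraw_atomic(conn, acct: int, amount: int,
                    between: Optional[Callable[[], None]] = None) -> bool:
    """HARDENED: the precondition is part of the single UPDATE, so the database
    evaluates check and debit together; rowcount reveals whether it applied."""
    if between:
        between()                                 # same interference, no longer exploitable
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, acct, amount),
    )
    return cur.rowcount == 1


def race_demo(withdraw) -> int:
    """Two withdrawals of 80 from a balance of 100, the second interleaved inside the
    first. Returns the final balance: a correct implementation never goes negative."""
    conn = new_bank()
    withdraw(conn, 1, 80, between=lambda: withdraw(conn, 1, 80))
    return balance(conn, 1)
```

race_demo(withdraw_racy) ends at a balance of -60 because both requests saw 100 before either debited; race_demo(withdraw_atomic) ends at 20 because the second conditional UPDATE matches no row and returns False to the caller.
-->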
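<!--
Added example for V12.1.1, V12.1.2 and V12.2.1 (size limits, archive expansion checks before decompression, and type validation by content). Editor-supplied, not ASVS or OWASP project code. The size ceilings, the 100:1 ratio threshold and the set of accepted magic signatures are assumptions for a hypothetical upload endpoint; the zip archives in the test are constructed in memory.

```python
"""Content-based type checks and archive limits applied before an upload is accepted
(ASVS V12.1.1, V12.1.2, V12.2.1)."""
import io
import zipfile
from typing import Dict

MAX_UPLOAD_BYTES = 10 * 1024 * 1024        # assumed per-file limit
MAX_UNCOMPRESSED_BYTES = 50 * 1024 * 1024  # assumed ceiling for what an archive may expand to
MAX_ARCHIVE_ENTRIES = 1000
MAX_COMPRESSION_RATIO = 100                # assumed: legitimate data rarely exceeds this

# Magic bytes for the types this hypothetical service accepts. The client-declared
# Content-Type and the extension are ignored; only the leading bytes decide.
SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/pdf": [b"%PDF-"],
    "application/zip": [b"PK\x03\x04"],
}


class UploadRejected(ValueError):
    pass


def sniff_type(data: bytes) -> str:
    for mime, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    raise UploadRejected("content does not match any accepted file type")


def check_archive(data: bytes) -> Dict[str, int]:
    """Inspect the central directory BEFORE extracting anything. The size fields are
    attacker-controlled metadata, so extraction itself must still enforce a byte budget."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as e:
        raise UploadRejected(f"corrupt archive: {e}")
    infos = zf.infolist()
    if len(infos) > MAX_ARCHIVE_ENTRIES:
        raise UploadRejected(f"too many entries: {len(infos)}")
    total = 0
    for info in infos:
        name = info.filename
        parts = name.replace("\\", "/").split("/")
        if name.startswith(("/", "\\")) or ".." in parts or ":" in name:
            raise UploadRejected(f"unsafe entry name {name!r}")   # zip-slip / absolute paths
        total += info.file_size
        if total > MAX_UNCOMPRESSED_BYTES:
            raise UploadRejected("archive expands beyond the allowed size")
        if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
            raise UploadRejected(f"suspicious compression ratio on {name!r}")
    return {"entries": len(infos), "uncompressed": total}


def validate_upload(data: bytes, expected_types=frozenset(SIGNATURES)) -> dict:
    """Apply size, content-type and (for archives) expansion checks; returns what was verified."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    mime = sniff_type(data)
    if mime not in expected_types:
        raise UploadRejected(f"{mime} not accepted here")
    result = {"type": mime, "size": len(data)}
    if mime == "application/zip":
        result.update(check_archive(data))
    return result


def is_rejected(data: bytes, **kw) -> bool:
    try:
        validate_upload(data, **kw)
        return False
    except UploadRejected:
        return True


def make_zip(entries) -> bytes:
    """Constructed test input: an in-memory zip built from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()
```

Office formats (docx, odt) are zip containers and go through the same check_archive path; for gz streams there is no central directory, so the only defence is a byte budget enforced while decompressing.
-->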
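<!--
Added example for V12.3.1, V12.3.2, V12.3.4, V12.4.1, V12.5.2, V14.4.2 and V14.4.4 (server-chosen storage names, traversal-safe path resolution outside the web root, and download/API response headers that keep browsers from rendering or sniffing content). Editor-supplied, not ASVS or OWASP project code. The upload root, the allowed extensions and the header values are assumptions; nothing here touches the real filesystem.

```python
"""Safe storage paths and download headers for user-supplied files
(ASVS V12.3.1, V12.3.2, V12.3.4, V12.4.1, V12.5.2, V14.4.2, V14.4.4)."""
import os
import re
import uuid
from typing import Dict

# Assumed layout: uploads live outside the document root and are only ever served by code.
UPLOAD_ROOT = "/srv/app-data/uploads"        # hypothetical path, not under the web root
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class PathRejected(ValueError):
    pass


def storage_name(user_filename: str, allowed_ext=("png", "jpg", "pdf")) -> str:
    """Never reuse the user's name on disk: keep only a vetted extension on a random name."""
    ext = user_filename.rsplit(".", 1)[-1].lower() if "." in user_filename else ""
    if ext not in allowed_ext:
        raise PathRejected(f"extension {ext!r} not allowed")
    return f"{uuid.uuid4().hex}.{ext}"


def resolve_under(root: str, relative: str) -> str:
    """Absolute path of `relative` inside `root`, or raise. realpath() collapses '..' and
    follows symlinks, so the containment check sees the path the OS would actually open."""
    if not relative or "\x00" in relative:
        raise PathRejected("empty path or NUL byte")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, relative))   # absolute input discards root
    if os.path.commonpath([root_real, target]) != root_real:
        raise PathRejected(f"{relative!r} escapes {root}")
    return target


def is_rejected(root: str, relative: str) -> bool:
    try:
        resolve_under(root, relative)
        return False
    except PathRejected:
        return True


def attachment_disposition(name: str) -> str:
    """Fixed, ASCII-only filename. Reflected File Download works by steering this value
    (e.g. to 'setup.bat'), so nothing from the request reaches it unfiltered."""
    clean = _UNSAFE_CHARS.sub("_", name)[:64] or "download"
    return f'attachment; filename="{clean}"'


def download_headers(stored_name: str) -> Dict[str, str]:
    """Serve an upload as an opaque download: never as HTML/JS, never sniffed, not cached."""
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": attachment_disposition(stored_name),
        "Cache-Control": "no-store",
    }


def api_json_headers() -> Dict[str, str]:
    """Headers for JSON API responses (V14.4.2): a constant filename plus nosniff means a
    crafted API URL cannot make a browser save and run attacker-shaped content."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="api.json"',
    }
```

V12.3.4 additionally recommends text/plain for responses that reflect a user-supplied parameter; the fixed Content-Disposition filename is the part that defeats RFD in both cases.
-->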
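<!--
Added example for V12.6.1, V12.3.3 and V13.1.1 (an outbound allow list against SSRF, using one parser for the whole decision). Editor-supplied, not ASVS or OWASP project code. The allowed hostnames are assumptions, and DNS resolution is injected as a callable so the check runs offline; the resolver table in the test is constructed.

```python
"""Outbound URL validation against SSRF (ASVS V12.6.1, V12.3.3, V13.1.1)."""
import ipaddress
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Hypothetical allow list: exact hostnames this service may call, nothing else.
ALLOWED_HOSTS = frozenset({"api.payments.example.com", "cdn.example.com"})


class OutboundBlocked(Exception):
    pass


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_public(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    # loopback, RFC 1918 / ULA, link-local (cloud metadata at 169.254.169.254), and the rest
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
                or a.is_reserved or a.is_unspecified)


def validate_outbound(url: str, resolve: Callable[[str], Iterable[str]],
                      allowed_hosts=ALLOWED_HOSTS) -> List[str]:
    """Return the addresses a request to `url` may connect to, or raise OutboundBlocked.
    `resolve` is injected (name to addresses) so the caller can pin the connection to
    exactly these addresses instead of letting the HTTP client look the name up again
    (DNS rebinding). Every redirect hop must go through this function as well."""
    parts = urlsplit(url)                        # one parser, used for every decision below
    if parts.scheme != "https":
        raise OutboundBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise OutboundBlocked("userinfo in URL: 'allowed-host@real-host' confusion")
    host = (parts.hostname or "").rstrip(".")    # lowercased, IPv6 brackets removed
    if not host:
        raise OutboundBlocked("no host")
    try:
        port = parts.port
    except ValueError:
        raise OutboundBlocked("malformed port")
    if port not in (None, 443):
        raise OutboundBlocked(f"port {port} not allowed")
    if _is_ip_literal(host):
        raise OutboundBlocked("IP literals are never on the allow list")
    if host not in allowed_hosts:                # exact match, never startswith/endswith
        raise OutboundBlocked(f"host {host!r} not in allow list")
    addresses = list(resolve(host))
    if not addresses:
        raise OutboundBlocked(f"{host} did not resolve")
    internal = [ip for ip in addresses if not _is_public(ip)]
    if internal:
        raise OutboundBlocked(f"{host} resolves to non-public {internal}")
    return addresses


def is_blocked(url: str, resolve) -> bool:
    try:
        validate_outbound(url, resolve)
        return False
    except OutboundBlocked:
        return True
```

The post-resolution address check matters even with an allow list: a trusted name whose DNS an attacker can influence (or a stale CNAME, V10.3.3) would otherwise route the request to an internal address.
-->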
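<!--
Added example for V13.2.3, V14.5.2 and V14.5.3 (CSRF protection for cookie-authenticated REST endpoints and a strict CORS origin allow list that rejects the "null" origin). Editor-supplied, not ASVS or OWASP project code. The first-party origins, header names and cookie name are assumptions.

```python
"""Origin allow-listing for CORS plus CSRF defences for cookie-authenticated REST
endpoints (ASVS V13.2.3, V14.5.2, V14.5.3)."""
import hmac
from typing import Dict, Mapping, Optional
from urllib.parse import urlsplit

# Hypothetical first-party origins; scheme, host and port must all match exactly.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def normalize_origin(value: Optional[str]) -> Optional[str]:
    """Canonical 'scheme://host[:port]' from an Origin or Referer value; None for
    'null', missing or unparsable input. Opaque origins are never trusted."""
    if not value or value.strip().lower() == "null":
        return None
    p = urlsplit(value)
    if p.scheme not in ("https", "http") or not p.hostname or p.username is not None:
        return None
    default = 443 if p.scheme == "https" else 80
    try:
        port = p.port or default
    except ValueError:
        return None
    host = p.hostname                             # already lowercased by urlsplit
    return f"{p.scheme}://{host}" if port == default else f"{p.scheme}://{host}:{port}"


def cors_headers(request_origin: Optional[str], allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Echo the origin back only when it is on the allow list. Never '*' together with
    credentials, never a substring or regex match ('https://app.example.com.evil.net'
    must fail), never 'null'."""
    norm = normalize_origin(request_origin)
    if norm is None or norm not in allowed:
        return {}                                 # no CORS headers: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": norm,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                         # caches must not reuse the answer across origins
    }


def csrf_check(method: str, headers: Mapping[str, str], cookies: Mapping[str, str],
               allowed=ALLOWED_ORIGINS) -> bool:
    """For state-changing requests: source-origin check AND double-submit token.
    The Origin header only says where the browser sent the request from; it is not an
    identity and grants nothing on its own (V14.5.2), it merely rules cross-site sources out."""
    if method.upper() in SAFE_METHODS:
        return True
    source = headers.get("Origin") or headers.get("Referer")   # Referer is the fallback
    if normalize_origin(source) not in allowed:
        return False
    # Double-submit cookie: the token in a custom header must equal the one in the cookie.
    # A cross-site page can make the browser send the cookie but cannot read it to copy it.
    expected = cookies.get("csrf_token", "")
    presented = headers.get("X-CSRF-Token", "")
    return bool(expected) and hmac.compare_digest(expected, presented)
```

Requests with neither Origin nor Referer are rejected here; an API that also serves non-browser clients should let those authenticate with a bearer token instead of a cookie, which takes them out of CSRF scope entirely.
-->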
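<!--
Added example for V13.4.1 (depth and amount limiting for GraphQL queries). Editor-supplied, not ASVS or OWASP project code. It is a small tokenizer rather than a full GraphQL parser: enough to skip strings, block strings, comments and argument lists so that braces inside them are not mistaken for nested selection sets. The depth and field limits are assumptions, and a field literally named "on" directly after a spread is the one construct it deliberately does not count.

```python
"""Selection-set depth and field-count limits for incoming GraphQL documents (ASVS V13.4.1)."""
import re
from typing import Dict

MAX_DEPTH = 6        # assumed limits; tune to the deepest query the schema legitimately needs
MAX_FIELDS = 200

_TOKEN = re.compile(r'''
    \s+ | ,                          # insignificant in GraphQL
  | \#[^\n\r]*                       # comment to end of line
  | """(?:\\"""|(?!""").)*"""        # block string
  | "(?:\\.|[^"\\\n])*"              # ordinary string
  | \.\.\.                           # fragment spread / inline fragment
  | [_A-Za-z][_0-9A-Za-z]*           # name
  | [-+]?[0-9][0-9A-Za-z.]*          # number (loose)
  | .                                # any other punctuator
''', re.VERBOSE | re.DOTALL)
_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*\Z")


class QueryRejected(Exception):
    pass


def measure(query: str) -> Dict[str, int]:
    """Return the maximum selection-set nesting and the number of selected fields."""
    depth = max_depth = fields = parens = 0
    prev = None
    for tok in (m.group(0) for m in _TOKEN.finditer(query)):
        if tok.isspace() or tok == "," or tok.startswith("#"):
            continue
        if parens:                         # inside arguments: braces are input objects, not nesting
            if tok == "(":
                parens += 1
            elif tok == ")":
                parens -= 1
        elif tok ==  "(":
            parens = 1
        elif tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
            if depth < 0:
                raise QueryRejected("unbalanced braces")
        elif depth > 0 and _NAME.match(tok):
            # Skip the target of an alias (a: b), directive names (@skip), fragment
            # spreads (...F) and type conditions (... on T); count everything else.
            if prev not in (":", "@", "...", "on"):
                fields += 1
        prev = tok
    if depth != 0:
        raise QueryRejected("unbalanced braces")
    return {"depth": max_depth, "fields": fields}


def enforce(query: str, max_depth: int = MAX_DEPTH, max_fields: int = MAX_FIELDS) -> Dict[str, int]:
    """Reject before execution; the server never touches the data layer for oversized queries."""
    m = measure(query)
    if m["depth"] > max_depth:
        raise QueryRejected(f"depth {m['depth']} exceeds {max_depth}")
    if m["fields"] > max_fields:
        raise QueryRejected(f"{m['fields']} fields exceeds {max_fields}")
    return m


def is_rejected(query: str, **limits) -> bool:
    try:
        enforce(query, **limits)
        return False
    except QueryRejected:
        return True
```

Aliases are counted as fields on purpose: "a: user {...} b: user {...} ..." is the usual way to multiply cost without adding depth. Fragment bodies are measured where they are defined, so a query that spreads the same fragment many times needs the cost-analysis approach the requirement mentions for advanced cases.
-->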
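<!--
Added example for V14.3.3 and V14.4.1 through V14.4.7 (a response header baseline and an audit that reports which of those requirements a given response misses). Editor-supplied, not ASVS or OWASP project code. The CSP policy, Referrer-Policy value and HSTS age are assumptions for a hypothetical application; the HSTS age matches the value in the V14.4.5 example.

```python
"""Response header baseline and an audit of what a response actually returned
(ASVS V14.3.3, V14.4.1 to V14.4.7)."""
from typing import Dict, List

HSTS_MIN_AGE = 15724800  # six months, the value the V14.4.5 example uses

# Assumed policy for a hypothetical app that serves its own scripts and is never framed.
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": f"max-age={HSTS_MIN_AGE}; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def _needs_charset(media_type: str) -> bool:
    """V14.4.1: text/*, anything +xml, and application/xml must declare a charset."""
    return media_type.startswith("text/") or media_type.endswith("+xml") or media_type == "application/xml"


def with_security_headers(headers: Dict[str, str], content_type: str) -> Dict[str, str]:
    """Add the baseline to a response and strip version banners (V14.3.3)."""
    out = dict(headers)
    media = content_type.split(";")[0].strip().lower()
    if _needs_charset(media) and "charset=" not in content_type.lower():
        content_type += "; charset=utf-8"
    out["Content-Type"] = content_type
    for k, v in BASELINE_HEADERS.items():
        out.setdefault(k, v)               # a route may set a stricter CSP of its own
    out.pop("Server", None)
    out.pop("X-Powered-By", None)
    return out


def _directives(csp: str) -> Dict[str, str]:
    return {d.strip().split(" ", 1)[0].lower(): d.strip() for d in csp.split(";") if d.strip()}


def audit_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Findings for a response's headers, matched case-insensitively; empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ct = h.get("content-type", "")
    if not ct:
        findings.append("missing Content-Type")
    else:
        media = ct.split(";")[0].strip().lower()
        if _needs_charset(media) and "charset=" not in ct.lower():
            findings.append(f"{media} without charset")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = _directives(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("framing not restricted (no frame-ancestors or X-Frame-Options)")
    if https:
        parts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
        age = next((int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()), 0)
        if age < HSTS_MIN_AGE:
            findings.append("HSTS missing or max-age too short")
        if "includesubdomains" not in parts:
            findings.append("HSTS without includeSubDomains")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    for banner in ("server", "x-powered-by"):
        if any(ch.isdigit() for ch in h.get(banner, "")):
            findings.append(f"{banner} header leaks a version: {h[banner]!r}")
    return findings
```

audit_headers is the shape of check a verifier runs against real responses: feed it the header dict from each endpoint and the list of findings maps one-to-one onto the V14.4 items above.
-->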