The OWASP Top 10 is a list of the 10 most common web application security risks, revised every few years by the Open Web Application Security Project (the 2021 edition is the one in wide use; the 2025 edition is being finalized).
- For web/Node.js developers the three most important risks are usually Broken Access Control, Injection, and Authentication Failures. The full list:
  - A01 Broken Access Control (up to #1 from #5): users reach resources they are not allowed to, through missing authorization checks or IDOR (Insecure Direct Object Reference).
  - A02 Cryptographic Failures: sensitive data stored or sent unencrypted, weak algorithms (MD5, SHA1 for passwords).
  - A03 Injection: SQL, NoSQL, command injection.
  - A04 Insecure Design: no threat modeling, no security requirements.
  - A05 Security Misconfiguration: default credentials, verbose error messages, unnecessary features enabled.
  - A06 Vulnerable Components: outdated dependencies with known CVEs.
  - A07 Authentication Failures: weak passwords, session fixation, no rate limiting on login.
  - A08 Software Integrity Failures: insecure CI/CD pipelines, unsigned packages.
  - A09 Security Logging Failures: security events not logged, no alerting.
  - A10 SSRF (Server-Side Request Forgery): the attacker makes the server fetch internal URLs.
- In a Node.js context: A03 (SQL injection → parameterized queries), A02 (bcrypt/argon2 instead of MD5), A01 (authorization middleware), A06 (npm audit + Dependabot), A07 (rate limiting + account lockout).
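The A01 mitigation listed above (authorization middleware), as an added example that is not part of the original note: an Express-style ownership check shown beside the IDOR-prone handler it replaces. The in-memory document store, the `requireOwnership` and `runRoute` helpers and the request/response shapes are constructed here so the code runs without Express or a database.

```javascript
// Constructed sample data: documents and the user who owns each one.
const documents = new Map([
  ['doc-1', { id: 'doc-1', ownerId: 'alice', body: 'alice private notes' }],
  ['doc-2', { id: 'doc-2', ownerId: 'bob', body: 'bob private notes' }],
]);

// IDOR-prone handler (A01): trusts the id in the URL and never asks who is
// requesting it, so any authenticated user can read any document.
function getDocumentInsecure(req) {
  const doc = documents.get(req.params.id);
  return doc ? { status: 200, body: doc } : { status: 404, body: null };
}

// Middleware factory: loads the resource, then allows the request only if the
// authenticated user owns it or holds the admin role. Hypothetical helper.
function requireOwnership(loader) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    const resource = loader(req.params.id);
    const roles = req.user.roles || [];
    // Answer 404 for both "missing" and "not yours" so the status code does
    // not leak which ids exist.
    if (!resource || (resource.ownerId !== req.user.id && !roles.includes('admin'))) {
      return res.status(404).json({ error: 'not found' });
    }
    req.resource = resource; // handler works on the already-authorized object
    next();
  };
}

function getDocumentSecure(req, res) {
  res.status(200).json(req.resource);
}

// Minimal stand-in for an Express middleware chain and res object, so the
// route can be exercised here without the framework.
function runRoute(middlewares, req) {
  const res = {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return { status: res.statusCode, body: res.body };
}

const secureRoute = [requireOwnership((id) => documents.get(id)), getDocumentSecure];
```

Running `runRoute(secureRoute, req)` with a request whose `req.user.id` is `'bob'` and `req.params.id` is `'doc-1'` returns 404, while `getDocumentInsecure` hands Bob Alice's document with status 200.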