

Summary of OWASP China projects in 2019

Posted by graebner at 2020-02-27



OWASP China Project

01

OWASP Top 10 Proactive Controls v3 (Chinese)

Introduction

The OWASP Top 10 Proactive Controls 2018 is a list of security techniques that should be considered and implemented in every software development project. It is written for developers, in particular those who are new to secure development.

One of its main objectives is to give developers concrete, practical guidance for building secure software. These controls should be applied proactively, from the earliest stages of development, where they have the greatest effect.

Top 10 Proactive Controls

The list is ordered by importance; the first item is the most important:

C1: Define Security Requirements

C2: Leverage Security Frameworks and Libraries

C3: Secure Database Access

C4: Encode and Escape Data

C5: Validate All Inputs

C6: Implement Digital Identity

C7: Enforce Access Controls

C8: Protect Data Everywhere

C9: Implement Security Logging and Monitoring

C10: Handle All Errors and Exceptions
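C3, C4 and C5 are the three controls that most often fail together in web code, so the following example, added for this summary and not taken from the OWASP document, shows them side by side: a lookup that splices input into SQL next to its parameterized replacement (C3), an allow-list validator (C5), and HTML output encoding (C4). The in-memory table, the username policy and the function names are assumptions made for the example.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample table for this example (not data from the OWASP document)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_user_unsafe(conn, username):
    """Violates C3: the value is spliced into the SQL text, so a quote in the
    input changes the structure of the query (SQL injection)."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """C3: a parameterized query. The driver passes the value separately from
    the SQL text, so it is never parsed as SQL whatever characters it holds."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# C5: allow-list rule for a username (assumed policy for this example).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """C5: reject anything that is not a syntactically valid username.
    Validation shrinks the input space; the parameterized query is still the
    injection defence, so both are applied."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError(f"invalid username: {value!r}")
    return value


def render_greeting(username):
    """C4: encode for the output context (HTML body text here) at the moment
    the data is written out, not when it is stored."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print(lookup_user_unsafe(db, hostile))  # both rows: the WHERE became always-true
    print(lookup_user_safe(db, hostile))    # []: the quote is just data
    print(render_greeting("<script>alert(1)</script>"))
```

Running it shows the unsafe lookup returning every row for the hostile input while the parameterized one returns nothing; the validator rejects the same input outright, and the greeting renders the script tag as inert text.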

Project team:

Project lead: Wang Jie

Project members: Guo Zhenxin, Li Rui, Li Yongkai, Qin Bo, Zhang Jinghe

Download

English version:

OWASP Top 10 Proactive Controls V3

Chinese version:

OWASP Top 10 Proactive Controls (Chinese)

02

OWASP Serverless Application Security Risks Top 10 (Chinese)

Introduction

Taking the 2017 OWASP Top 10 as its basis, this report examines each of its ten risks from six aspects:

* New attack vectors that serverless applications may introduce;

* Whether, and how, serverless applications are vulnerable to the attack;

* The business impact on the cloud account;

* Best practices and recommendations for preventing and mitigating the risk or attack;

* An attack scenario showing the possible weakness and how it is exploited;

* Whether, considering attack vectors, security weakness, impact, and the ability to detect and mitigate the risk, the risk is higher, lower or the same in serverless applications.

Project team:

Project leads: Xiao Wendi, Wang Jie

Project members: Liu Xiaohui, Li Yuquan, Ming Min, Wang Bin

Download

English document:

https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project

Chinese document:

OWASP Serverless Application Security Risks Top 10 (Chinese)

03

OWASP IoT Top 10 2018 (Chinese)

Introduction

The OWASP IoT Project was started in 2014 to help developers, manufacturers, enterprises and consumers make better decisions when building and using IoT systems. The OWASP IoT Top 10, released by OWASP in 2018, continues that mission: a single list of the ten things to avoid when building, deploying or managing IoT systems, addressing the highest-priority problems of manufacturers, enterprises and consumers alike.

Project team:

360 Code Guard team: Shen Shaohua, Han Jian, Zhang Lei

Open Source Network Security team: Cao Chuanyong, Zhang Haichun

Download

English document:

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10

Chinese document:

OWASP IoT Top 10 (Chinese)

04

Blockchain Security Top 10 2019

Introduction

OWASP China set up a dedicated research group that collected, organized and analysed 160 representative blockchain security incidents from 2011 to 2019. This document presents the resulting classification and descriptions, in the hope of helping blockchain practitioners and anyone concerned with blockchain security.

With reference to threat assessment methods such as CVSS (Common Vulnerability Scoring System), the document scores each threat category from objective data: the total direct economic loss caused by the historical incidents in that category. Total direct loss combines the two main factors of a threat assessment, the frequency of the threat (the number of incidents) and its impact (the direct economic loss of each incident), so the authors take it as a sufficient measure of a threat's size. Because it rests on recorded figures rather than subjective ratings, it avoids the larger errors subjective inputs introduce, and the resulting ranking is easier to explain.

1) Advanced persistent threat

2) Runaway inflation

3) Broken access control

4) Insecure consensus protocol

5) Flawed program logic

6) Lax business policy

7) Lax transaction logic validation

8) Weak random number mechanism

9) Flawed incentive mechanism

10) Insufficient logging and monitoring

Project team:

Project lead: Fu Shanyang

Project members: Kevin Gu, Victor Fang, Wei Quan, Hou Xinjie, Jiang Xuxian, Song Fei, Wang Jie, Zhang Xudi

Download

Document download:

http://www.owasp.org.cn/owasp-project/533a575794fe5b895168top10

05

Database Audit System Evaluation Benchmark

Introduction

The purpose of a database audit system is to help organizations that store and process data monitor and audit their core data comprehensively, keep track of how that data is actually used, and establish clearly who did what to the data, when, from where and with which tool. The industry has produced database audit solutions for this, but without suitable evaluation criteria their effectiveness cannot be assessed.

This benchmark is the basic framework for building and evaluating database audit systems and states the general requirements such a system must meet. It is intended to:

a) provide a standard, common language for the design, implementation, construction, evaluation and auditing of database audit systems;

b) help owners of database audit systems write their system requirements;

c) help vendors of database audit systems deliver more rigorous, standardized designs and services, advancing the industry;

d) help the relevant regulators and evaluation and certification bodies perform security inspection, testing, auditing, evaluation and certification of database audit systems.

Scope: this benchmark applies to database audit systems.

Project team:

Shenzhen Angkai Technology Co., Ltd.; Shenzhen Kaiyuan Internet Security Technology Co., Ltd.

Download

Document download

Database Audit System Evaluation Benchmark

06

Web Application Firewall Evaluation Benchmark v2.0

Introduction

WAF benchmark v2.0 redefines the overall test framework on the basis of v1.0 and extends it comprehensively with new attack types, product performance (including value-added services) and the security of the product itself. v1.0 focused mainly on traditional vulnerabilities and basic network-firewall-like functions; v2.0 trims and optimizes that base, adds the OWASP Top 10 2017 as the main extension for business-logic-layer protection, and introduces multi-dimensional rating of resistance to bypass. Unless otherwise specified, the web application firewall under test must meet the requirements of this document, in addition to any special requirements stated in it, before, during and after installation and configuration.

Assessment content

Starting from the OWASP Top 10 risks, the benchmark runs an extended, comprehensive test of vulnerability protection: the system under test must protect effectively against security vulnerabilities ranging from traditional vulnerabilities to the business logic layer.

While identifying attacks against the protected web application, the system under test must keep itself secure and must meet the required detection accuracy and false alarm rate at the same time.

The stability of the system under test is checked: whether it performs its specified functions reliably in a given environment over a given period.

The architecture of the equipment under test is assessed: its structural design, integration with other components, fault tolerance and scalability.

Project team:

Beijing Chaitin Technology Co., Ltd., Beijing Venustech Information Security Technology Co., Ltd., Beijing NSFOCUS Technology Co., Ltd., Shenzhen Kaiyuan Internet Security Technology Co., Ltd., Sichuan Hong Micro Technology Co., Ltd., Xiamen Fuyun Information Technology Co., Ltd.

Download

Document download

Web Application Firewall Evaluation and Certification Implementation Rules v2.0
