OWASP Top 10 Cheatsheet

Quick reference for OWASP Top 10 vulnerabilities covering injection, broken auth, sensitive data, XXE, access control, misconfiguration, XSS, deserialization, components, and logging

Related Categories:SecurityWeb

57 commands

パラメータ化クエリ

Use prepared statements to prevent SQL injection

db.query('SELECT * FROM users WHERE id = ?', [userId])

ORMの使用

Use ORM instead of raw SQL to prevent injection

User.findOne({ where: { id: userId } })

入力バリデーション

Validate all user input with whitelist approach

if (!/^[a-zA-Z0-9]+$/.test(input)) throw Error()

ストアドプロシージャ

Use stored procedures to prevent SQL injection

CALL get_user_by_id(@user_id)

エスケープ処理

Escape special characters to prevent injection

mysql.escape(userInput)

NoSQLインジェクション対策

Prevent $operator injection in MongoDB queries

sanitize-mongo: mongo-sanitize(req.body)

LDAPインジェクション対策

Escape special characters in LDAP queries

ldap.escape.filter(userInput)

bcryptハッシュ

Hash passwords with bcrypt before storing

bcrypt.hash(password, 12)

多要素認証 (MFA)

Implement TOTP-based two-factor authentication

speakeasy.totp.verify({ secret, token })

セッション管理

Regenerate session ID after authentication

req.session.regenerate(callback)

レート制限

Implement rate limiting to prevent brute force

express-rate-limit: { max: 5, windowMs: 15*60*1000 }

パスワードポリシー

Enforce strong password policy

zxcvbn(password).score >= 3

アカウントロックアウト

Temporarily lock account after consecutive failures

if (failCount >= 5) lockUntil = Date.now() + 30*60*1000

HTTPS強制

Force all communication over HTTPS

Strict-Transport-Security: max-age=31536000

AES-256暗号化

Encrypt sensitive data with AES-256-GCM

crypto.createCipheriv('aes-256-gcm', key, iv)

TLS 1.2以上

Allow only TLS 1.2 or higher

ssl_protocols TLSv1.2 TLSv1.3;

機密データのマスキング

Mask sensitive data in logs and responses

card: '****-****-****-' + last4

鍵管理

Manage encryption keys with HSM or dedicated service

AWS KMS: aws kms encrypt --key-id alias/mykey

外部エンティティ無効化

Disable external entity processing in XML parser

factory.setFeature(DISALLOW_DOCTYPE, true)

DTD無効化

Completely disable DTD processing

libxml_disable_entity_loader(true)

JSONの使用

Use JSON format instead of XML where possible

Content-Type: application/json

XMLバリデーション

Validate XML input against XML Schema (XSD)

schema.validate(xmlDocument)

SAST検出

Detect XXE vulnerabilities with static analysis tools

semgrep --config=p/owasp-top-ten

RBAC実装

Implement role-based access control

@Roles('admin') @UseGuards(RolesGuard)

JWTクレーム検証

Verify JWT token claims on every request

jwt.verify(token, secret, { audience: 'api' })

CORS設定

Explicitly specify allowed origins

Access-Control-Allow-Origin: https://example.com

IDOR防止

Verify ownership when accessing object references

if (resource.ownerId !== req.user.id) return 403

最小権限の原則

Grant only the minimum required permissions

GRANT SELECT ON users TO readonly_role

デフォルト認証情報変更

Change default passwords and admin accounts

ALTER USER admin SET PASSWORD 'strongP@ss!'

不要なサービス無効化

Disable unused ports and services

systemctl disable --now telnet.socket

エラーメッセージ制御

Hide stack traces in production

app.use((err, req, res, next) => res.status(500).json({error:'Internal'}))

セキュリティヘッダー設定

Set security headers using Helmet middleware

app.use(helmet())

ディレクトリリスティング無効化

Disable directory listing on web server

Options -Indexes

サーバーバナー非表示

Remove server information from HTTP response

server_tokens off;

出力エンコーディング

Encode output based on HTML context

DOMPurify.sanitize(userInput)

CSP設定

Set Content-Security-Policy header

Content-Security-Policy: default-src 'self'

HttpOnly Cookie

Set HttpOnly flag on cookies

Set-Cookie: session=abc; HttpOnly; Secure

テンプレートエンジンの自動エスケープ

Enable auto-escaping in template engine

{{ user.name | escape }}

DOM操作の安全化

Use textContent instead of innerHTML

element.textContent = userInput

サニタイゼーション

Sanitize rich text input with whitelist approach

sanitizeHtml(input, { allowedTags: ['b','i','em'] })

署名付きシリアライズ

Add HMAC signature to serialized data

hmac = crypto.createHmac('sha256', secret).update(data)

型チェック

Strictly check types during deserialization

zod.object({ name: z.string(), age: z.number() }).parse(data)

Javaデシリアライズ対策

Filter Java ObjectInputStream deserialization

ObjectInputFilter.Config.setSerialFilter(filter)

JSON Webトークン検証

Explicitly specify JWT signature algorithm

jwt.verify(token, key, { algorithms: ['RS256'] })

pickle回避

Avoid Python pickle for untrusted data

json.loads(data) # instead of pickle.loads(data)

npm audit

Scan Node.js dependencies for vulnerabilities

npm audit --production

Snykスキャン

Scan project vulnerabilities with Snyk

snyk test --all-projects

Dependabot有効化

Enable GitHub Dependabot for automatic security updates

dependabot.yml: schedule: interval: daily

OWASP Dependency-Check

Detect vulnerable libraries with OWASP Dependency-Check

dependency-check --project myapp --scan ./lib

Trivy コンテナスキャン

Scan container image vulnerabilities with Trivy

trivy image myapp:latest

pip-audit

Scan Python dependencies for vulnerabilities

pip-audit --requirement requirements.txt

認証イベントログ

Always log authentication success and failures

logger.info('login_success', { userId, ip, timestamp })

アクセスログ設定

Configure detailed access logging

access_log /var/log/nginx/access.log combined;

SIEM連携

Send logs to SIEM for correlation analysis

filebeat -> Elasticsearch -> Kibana

アラート設定

Set up alerts for anomalous activity

alert: login_failures > 10 in 5m -> notify

監査ログ

Record audit logs for permission changes and data access

auditLog.record({ action: 'delete', resource, actor })

ログの改ざん防止

Store logs in write-once storage to prevent tampering

aws s3api put-object-lock-configuration --bucket logs