@chain305/x-security 0.2.5 โ 0.2.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -4
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -111,22 +111,22 @@ Run `xsecurity <command> --help` for full flags.
|
|
|
111
111
|
|
|
112
112
|
### OWASP API Top 10 coverage per target
|
|
113
113
|
|
|
114
|
-
How much of each class a target can **enforce natively**. ๐ข full ยท ๐ก partial ยท ๐ด gap ยท โช not yet measured.
|
|
114
|
+
How much of each class a target can **enforce natively**. ๐ข full ยท ๐ก partial ยท ๐ด gap ยท โช not yet measured. Authorization cells show **stateless โ with a JWT identity wired**.
|
|
115
115
|
|
|
116
116
|
| OWASP API class | Cloudflare | AWS API GW | BunkerWeb |
|
|
117
117
|
| --- | :--: | :--: | :--: |
|
|
118
|
-
| API1 ยท Broken Object Level Auth (BOLA) |
|
|
118
|
+
| API1 ยท Broken Object Level Auth (BOLA) | ๐ดโ๐ก | ๐ดโ๐ข | ๐ด |
|
|
119
119
|
| API2 ยท Broken Authentication | ๐ก | ๐ก | ๐ก |
|
|
120
120
|
| API3 ยท Broken Object Property Auth (BOPLA) | ๐ก | ๐ก | ๐ก |
|
|
121
121
|
| API4 ยท Unrestricted Resource Consumption | ๐ข | ๐ก | ๐ก |
|
|
122
|
-
| API5 ยท Broken Function Level Auth (BFLA) | ๐ก |
|
|
122
|
+
| API5 ยท Broken Function Level Auth (BFLA) | ๐ก | ๐กโ๐ข | ๐ก |
|
|
123
123
|
| API6 ยท Unrestricted Access to Business Flows | ๐ก | ๐ก | ๐ก |
|
|
124
124
|
| API7 ยท Server-Side Request Forgery (SSRF) | ๐ด | ๐ด | ๐ข |
|
|
125
125
|
| API8 ยท Security Misconfiguration | ๐ก | ๐ก | ๐ก |
|
|
126
126
|
| API9 ยท Improper Inventory Management | ๐ด | ๐ด | ๐ก |
|
|
127
127
|
| API10 ยท Unsafe Consumption of APIs | ๐ก | ๐ก | ๐ก |
|
|
128
128
|
|
|
129
|
-
Only these three targets are independently **measured** today; Kong, Coraza, NGINX, Envoy and OpenAppSec compile the same policy but aren't yet published with a per-class measurement (โช).
|
|
129
|
+
Only these three targets are independently **measured** today; Kong, Coraza, NGINX, Envoy and OpenAppSec compile the same policy but aren't yet published with a per-class measurement (โช). Cells like **๐ดโ๐ข** are the same control stateless vs. with a JWT identity wired โ ownership checks (BOLA/BFLA) need to know who the caller is, so a stateless WAF can't enforce them. A **๐ก** means the target enforces most of the class natively, not all. Full per-field matrix (incl. the Writ-native injection / prompt-injection / audit classes): **[usewaf.com/coverage](https://usewaf.com/coverage)**.
|
|
130
130
|
|
|
131
131
|
## License
|
|
132
132
|
|
package/package.json
CHANGED