OWASP - User contributions [en]

Guia Tabla de Contenido

2006-08-17T12:43:51Z

Fedevela paysett: /* Acerca del Open Web Application Security Project */

=[[Guía Portada|Portada]]=
#Dedicación
#Derechos de autor y licencia
#Editores
#Autores y críticos
#Historia de revisiones
=[[Acerca del Open Web Application Security Project]]=
#Estructura y licenciamiento
#Participación y afiliación
#Proyectos

=[[Guía Introducción| Introducción]]=
#Desarrollando aplicaciones seguras
#Mejoras en esta edición
#Como usar la guía
#Actualizaciones y errata
#Agradecimientos
=[[What are web applications?]]=
#Technologies
#First generation – CGI
#Filters
#Scripting
#Web application frameworks – J
#Small to medium scale applications
#Large scale applications
#View
#Controller
#Model
#Conclusion
=[[Policy Frameworks]]=
#Organizational commitment to security
#OWASP’s Place at the Framework table
#Development Methodology
#Coding Standards
#Source Code Control
#Summary
=[[Secure Coding Principles]]=
#Asset Classification
#About attackers
#Core pillars of information security
#Security Architecture
#Security Principles
=[[Threat Risk Modeling]]=
#Threat Risk Modeling
#Performing threat risk modeling using the Microsoft Threat Modeling Process
#Alternative Threat Modeling Systems
#Trike
#AS/NZS
#CVSS
#OCTAVE
#Conclusion
#Further Reading
=[[Handling E-Commerce Payments]]=
#Objectives
#Compliance and Laws
#PCI Compliance
#Handling Credit Cards
#Further Reading
=[[Phishing]]=
#What is phishing?
#User Education
#Make it easy for your users to report scams
#Communicating with customers via e-mail
#Never ask your customers for their secrets
#Fix all your XSS issues
#Do not use pop-ups
#Don’t be framed
#Move your application one link away from your front page
#Enforce local referrers for images and other resources
#Keep the address bar, use SSL, do not use IP addresses
#Don’t be the source of identity theft
#Implement safe-guards within your application
#Monitor unusual account activity
#Get the phishing target servers offline pronto
#Take control of the fraudulent domain name
#Work with law enforcement
#When an attack happens
#Further Reading
=[[Web Services]]=
#Securing Web Services
#Communication security
#Passing credentials
#Ensuring message freshness
#Protecting message integrity
#Protecting message confidentiality
#Access control
#Audit
#Web Services Security Hierarchy
#SOAP
#WS-Security Standard
#WS-Security Building Blocks
#Communication Protection Mechanisms
#Access Control Mechanisms
#Forming Web Service Chains
#Available Implementations
#Problems
#Further Reading
=[[Ajax and Other "Rich" Interface Technologies]]=
#Objective
#Platforms Affected
#Architecture
#Access control: Authentication and Authorization
#Silent transactional authorization
#Untrusted or absent session data
#State management
#Tamper resistance
#Privacy
#Proxy Façade
#SOAP Injection Attacks
#XMLRPC Injection Attacks
#DOM Injection Attacks
#XML Injection Attacks
#JSON (Javascript Object Notation) Injection Attacks
#Encoding safety
#Auditing
#Error Handling
#Accessibility
#Further Reading
=[[Authentication]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Best Practices
#Common web authentication techniques
#Strong Authentication
#Federated Authentication
#Client side authentication controls
#Positive Authentication
#Multiple Key Lookups
#Referer Checks
#Browser remembers passwords
#Default accounts
#Choice of usernames
#Change passwords
#Short passwords
#Weak password controls
#Reversible password encryption
#Automated password resets
#Brute Force
#Remember Me
#Idle Timeouts
#Logout
#Account Expiry
#Self registration
#CAPTCHA
#Further Reading
#Authentication
=[[Authorization]]=
#Objectives
#Environments Affected
#Relevant COBIT Topics
#Best Practices
#Best Practices in Action
#Principle of least privilege
#Centralized authorization routines
#Authorization matrix
#Controlling access to protected resources
#Protecting access to static resources
#Reauthorization for high value activities or after idle out
#Time based authorization
#Be cautious of custom authorization controls
#Never implement client-side authorization tokens
#Further Reading
=[[Session Management]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Description
#Best practices
#Exposed Session Variables
#Page and Form Tokens
#Weak Session Cryptographic Algorithms
#Session Token Entropy
#Session Time-out
#Regeneration of Session Tokens
#Session Forging/Brute-Forcing Detection and/or Lockout
#Session Token Capture and Session Hijacking
#Session Tokens on Logout
#Session Validation Attacks
#PHP
#Sessions
#Further Reading
#Session Management
=[[Data Validation]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Description
#Definitions
#Where to include integrity checks
#Where to include validation
#Where to include business rule validation
#Data Validation Strategies
#Prevent parameter tampering
#Hidden fields
#ASP.NET Viewstate
#URL encoding
#HTML encoding
#Encoded strings
#Data Validation and Interpreter Injection
#Delimiter and special characters
#Further Reading
=[[Interpreter Injection]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#User Agent Injection
#HTTP Response Splitting
#SQL Injection
#ORM Injection
#LDAP Injection
#XML Injection
#Code Injection
#Further Reading
#SQL-injection
#Code Injection
#Command injection
=[[Canoncalization, locale and Unicode]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Description
#Unicode
#http://www.ietf.org/rfc/rfc#
#Input Formats
#Locale assertion
#Double (or n-) encoding
# HTTP Request Smuggling
# Further Reading
=[[Error Handling, Auditing and Logging]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Description
#Best practices
#Error Handling
#Detailed error messages
#Logging
#Noise
#Cover Tracks
#False Alarms
#Destruction
#Audit Trails
#Further Reading
#Error Handling and Logging
=[[File System]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Description
#Best Practices
#Defacement
#Path traversal
#Insecure permissions
#Insecure Indexing
#Unmapped files
#Temporary files
#PHP
#Includes and Remote files
#File upload
#Old, unreferenced files
#Second Order Injection
#Further Reading
#File System
=[[Distributed Computing]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Best Practices
#Race conditions
#Distributed synchronization
#Further Reading
=[[Buffer Overflows]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Description
#General Prevention Techniques
#Stack Overflow
#Heap Overflow
#Format String
#Unicode Overflow
#Integer Overflow
#Further reading
=[[Administrative Interface]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Best practices
#Administrators are not users
#Authentication for high value systems
#Further Reading
=[[Cryptography]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Description
#Cryptographic Functions
#Cryptographic Algorithms
#Algorithm Selection
#Key Storage
#Insecure transmission of secrets
#Reversible Authentication Tokens
#Safe UUID generation
#Summary
#Further Reading
#Cryptography
=[[Configuration]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Best Practices
#Default passwords
#Secure connection strings
#Secure network transmission
#Encrypted data
#PHP Configuration
#Global variables
#register_globals
#Database security
#Further Reading
#ColdFusion Components (CFCs)
#Configuration
=[[Software Quality Assurance]]=
#Objective
#Platforms Affected
#Best practices
#Process
#Metrics
#Testing Activities
=[[Deployment]]=
#Objective
#Platforms Affected
#Best Practices
#Release Management
#Secure delivery of code
#Code signing
#Permissions are set to least privilege
#Automated packaging
#Automated deployment
#Automated removal
#No backup or old files
#Unnecessary features are off by default
#Setup log files are clean
#No default accounts
#Easter eggs
#Malicious software
#Further Reading
=[[Maintenance]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Best Practices
#Security Incident Response
#Fix Security Issues Correctly
#Update Notifications
#Regularly check permissions
#Further Reading
#Maintenance
=[[GNU Free Documentation License]]=
#PREAMBLE
#APPLICABILITY AND DEFINITIONS
#VERBATIM COPYING
#COPYING IN QUANTITY
#MODIFICATIONS
#COMBINING DOCUMENTS
#COLLECTIONS OF DOCUMENTS
#AGGREGATION WITH INDEPENDENT WORKS
#TRANSLATION
#TERMINATION
#FUTURE REVISIONS OF THIS LICENSE
=Reference=
[[Category:OWASP_Guide_Project]]

Guia Tabla de Contenido

2006-08-17T12:34:20Z

Fedevela paysett: Begin translation

=[[Guía Portada|Portada]]=
#Dedicación
#Derechos de autor y licencia
#Editores
#Autores y críticos
#Historia de revisiones
=[[Acerca del Open Web Application Security Project]]=
#Estructura y licenciamiento
#Participación y pertenencia
#Proyectos
=[[Guía Introducción| Introducción]]=
#Desarrollando aplicaciones seguras
#Mejoras en esta edición
#Como usar la guía
#Actualizaciones y errata
#Agradecimientos
=[[What are web applications?]]=
#Technologies
#First generation – CGI
#Filters
#Scripting
#Web application frameworks – J
#Small to medium scale applications
#Large scale applications
#View
#Controller
#Model
#Conclusion
=[[Policy Frameworks]]=
#Organizational commitment to security
#OWASP’s Place at the Framework table
#Development Methodology
#Coding Standards
#Source Code Control
#Summary
=[[Secure Coding Principles]]=
#Asset Classification
#About attackers
#Core pillars of information security
#Security Architecture
#Security Principles
=[[Threat Risk Modeling]]=
#Threat Risk Modeling
#Performing threat risk modeling using the Microsoft Threat Modeling Process
#Alternative Threat Modeling Systems
#Trike
#AS/NZS
#CVSS
#OCTAVE
#Conclusion
#Further Reading
=[[Handling E-Commerce Payments]]=
#Objectives
#Compliance and Laws
#PCI Compliance
#Handling Credit Cards
#Further Reading
=[[Phishing]]=
#What is phishing?
#User Education
#Make it easy for your users to report scams
#Communicating with customers via e-mail
#Never ask your customers for their secrets
#Fix all your XSS issues
#Do not use pop-ups
#Don’t be framed
#Move your application one link away from your front page
#Enforce local referrers for images and other resources
#Keep the address bar, use SSL, do not use IP addresses
#Don’t be the source of identity theft
#Implement safe-guards within your application
#Monitor unusual account activity
#Get the phishing target servers offline pronto
#Take control of the fraudulent domain name
#Work with law enforcement
#When an attack happens
#Further Reading
=[[Web Services]]=
#Securing Web Services
#Communication security
#Passing credentials
#Ensuring message freshness
#Protecting message integrity
#Protecting message confidentiality
#Access control
#Audit
#Web Services Security Hierarchy
#SOAP
#WS-Security Standard
#WS-Security Building Blocks
#Communication Protection Mechanisms
#Access Control Mechanisms
#Forming Web Service Chains
#Available Implementations
#Problems
#Further Reading
=[[Ajax and Other "Rich" Interface Technologies]]=
#Objective
#Platforms Affected
#Architecture
#Access control: Authentication and Authorization
#Silent transactional authorization
#Untrusted or absent session data
#State management
#Tamper resistance
#Privacy
#Proxy Façade
#SOAP Injection Attacks
#XMLRPC Injection Attacks
#DOM Injection Attacks
#XML Injection Attacks
#JSON (Javascript Object Notation) Injection Attacks
#Encoding safety
#Auditing
#Error Handling
#Accessibility
#Further Reading
=[[Authentication]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Best Practices
#Common web authentication techniques
#Strong Authentication
#Federated Authentication
#Client side authentication controls
#Positive Authentication
#Multiple Key Lookups
#Referer Checks
#Browser remembers passwords
#Default accounts
#Choice of usernames
#Change passwords
#Short passwords
#Weak password controls
#Reversible password encryption
#Automated password resets
#Brute Force
#Remember Me
#Idle Timeouts
#Logout
#Account Expiry
#Self registration
#CAPTCHA
#Further Reading
#Authentication
=[[Authorization]]=
#Objectives
#Environments Affected
#Relevant COBIT Topics
#Best Practices
#Best Practices in Action
#Principle of least privilege
#Centralized authorization routines
#Authorization matrix
#Controlling access to protected resources
#Protecting access to static resources
#Reauthorization for high value activities or after idle out
#Time based authorization
#Be cautious of custom authorization controls
#Never implement client-side authorization tokens
#Further Reading
=[[Session Management]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Description
#Best practices
#Exposed Session Variables
#Page and Form Tokens
#Weak Session Cryptographic Algorithms
#Session Token Entropy
#Session Time-out
#Regeneration of Session Tokens
#Session Forging/Brute-Forcing Detection and/or Lockout
#Session Token Capture and Session Hijacking
#Session Tokens on Logout
#Session Validation Attacks
#PHP
#Sessions
#Further Reading
#Session Management
=[[Data Validation]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Description
#Definitions
#Where to include integrity checks
#Where to include validation
#Where to include business rule validation
#Data Validation Strategies
#Prevent parameter tampering
#Hidden fields
#ASP.NET Viewstate
#URL encoding
#HTML encoding
#Encoded strings
#Data Validation and Interpreter Injection
#Delimiter and special characters
#Further Reading
=[[Interpreter Injection]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#User Agent Injection
#HTTP Response Splitting
#SQL Injection
#ORM Injection
#LDAP Injection
#XML Injection
#Code Injection
#Further Reading
#SQL-injection
#Code Injection
#Command injection
=[[Canoncalization, locale and Unicode]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Description
#Unicode
#http://www.ietf.org/rfc/rfc#
#Input Formats
#Locale assertion
#Double (or n-) encoding
# HTTP Request Smuggling
# Further Reading
=[[Error Handling, Auditing and Logging]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Description
#Best practices
#Error Handling
#Detailed error messages
#Logging
#Noise
#Cover Tracks
#False Alarms
#Destruction
#Audit Trails
#Further Reading
#Error Handling and Logging
=[[File System]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Description
#Best Practices
#Defacement
#Path traversal
#Insecure permissions
#Insecure Indexing
#Unmapped files
#Temporary files
#PHP
#Includes and Remote files
#File upload
#Old, unreferenced files
#Second Order Injection
#Further Reading
#File System
=[[Distributed Computing]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Best Practices
#Race conditions
#Distributed synchronization
#Further Reading
=[[Buffer Overflows]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Description
#General Prevention Techniques
#Stack Overflow
#Heap Overflow
#Format String
#Unicode Overflow
#Integer Overflow
#Further reading
=[[Administrative Interface]]=
#Objective
#Environments Affected
#Relevant COBIT Topics
#Best practices
#Administrators are not users
#Authentication for high value systems
#Further Reading
=[[Cryptography]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Description
#Cryptographic Functions
#Cryptographic Algorithms
#Algorithm Selection
#Key Storage
#Insecure transmission of secrets
#Reversible Authentication Tokens
#Safe UUID generation
#Summary
#Further Reading
#Cryptography
=[[Configuration]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Best Practices
#Default passwords
#Secure connection strings
#Secure network transmission
#Encrypted data
#PHP Configuration
#Global variables
#register_globals
#Database security
#Further Reading
#ColdFusion Components (CFCs)
#Configuration
=[[Software Quality Assurance]]=
#Objective
#Platforms Affected
#Best practices
#Process
#Metrics
#Testing Activities
=[[Deployment]]=
#Objective
#Platforms Affected
#Best Practices
#Release Management
#Secure delivery of code
#Code signing
#Permissions are set to least privilege
#Automated packaging
#Automated deployment
#Automated removal
#No backup or old files
#Unnecessary features are off by default
#Setup log files are clean
#No default accounts
#Easter eggs
#Malicious software
#Further Reading
=[[Maintenance]]=
#Objective
#Platforms Affected
#Relevant COBIT Topics
#Best Practices
#Security Incident Response
#Fix Security Issues Correctly
#Update Notifications
#Regularly check permissions
#Further Reading
#Maintenance
=[[GNU Free Documentation License]]=
#PREAMBLE
#APPLICABILITY AND DEFINITIONS
#VERBATIM COPYING
#COPYING IN QUANTITY
#MODIFICATIONS
#COMBINING DOCUMENTS
#COLLECTIONS OF DOCUMENTS
#AGGREGATION WITH INDEPENDENT WORKS
#TRANSLATION
#TERMINATION
#FUTURE REVISIONS OF THIS LICENSE
=Reference=
[[Category:OWASP_Guide_Project]]

Category:OWASP Guide Project

2006-08-17T12:09:07Z

Fedevela paysett: /* OWASP Guide 3.0 (Current) */ begin spanish translation

[[Guide Table of Contents]]__TOC__
==Overview==

The OWASP Guide to Building Secure Web Applications v2 is now released. Its release was announced at Black Hat in Las Vegas in late July 2005. This new version of the OWASP Guide is a major overhaul of the original document, containing nearly three times as much material. The project is currently steered by Andrew van der Stock.

The original OWASP Guide had become a staple diet for many web security professionals. Since 2002, the initial version was downloaded over 2 million times. Today, the Guide is referenced by many leading government, financial, and corporate standards and is the Gold standard for web application security.

The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.

==Announcements==

==Volunteers Needed==
Much work remains to be done in these sections:
*[[Distributed Computing]]
*[[Deployment]]

==OWASP Guide 2.0 Downloads==

If you need a stable edition of the Guide, you should use one of these editions:

OWASP Guide 2.0.1 (English)
* [http://prdownloads.sourceforge.net/owasp/OWASPGuide2.0.1.pdf?download PDF (3 MB)]
* [http://prdownloads.sourceforge.net/owasp/OWASPGuide2.0.1.zip?download Word (zip file, 1.4 MB)]

OWASP Guide 1.1.1 (Japanese, にほんご)
* [http://prdownloads.sourceforge.net/owasp/OWASPGuideV1.1.1-jp.pdf?download PDF (1.4 MB)]

Earlier versions of the Guide (1.0 and 1.1.1) can be found at our [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=62287 file download center], and in [http://sourceforge.net/cvs/?group_id=64424 CVS].

==OWASP Guide 3.0 (Current)==

If you'd like a point in time version of the Guide 3.0 in PDF format:
* [http://owasp.cvs.sourceforge.net/*checkout*/owasp/guide/current%20draft.pdf Guide 3.0 draft as of March 2006]

This file is regenerated from time to time.

===OWASP Guide 3.0===

This is the working (current) draft of the OWASP Guide 3.0. Please login to make changes as you see fit. Changes will be vetted by the OWASP Guide Project team.

[http://www.owasp.org/index.php/Guide_Table_of_Contents OWASP Guide 3.0 Table of Contents]

===OWASP Guide 3.0 (Spanish)===

This will hold the working (current) draft of the translation of the OWASP Guide 3.0 to Spanish. Please help us in this translation effort!!! Login and make changes as you see fit. Changes will be vetted by the OWASP Guide Project team.
''NEED LINKS''

==Roadmap==
[[OWASP Guide Project Roadmap]]

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Document]]