OWASP - User contributions [en]

Talk:SameSite

2018-05-05T15:42:12Z

Pawel Krawczyk: re

I know browsers have implemented the SameSite attribute, but the only IETF document that defines it is draft-ietf-httpbis-rfc6265bis-02, which is expired. RFC6265 does not include the SameSite attribute. Do browsers choose to implement draft specs on their own?
* It's been always the case - such minor security controls are frequently proposed and then implemented based on industry consensus, and after they're verified in the field, a RFC is created to standardize them retroactively. [[User:Pawel Krawczyk|Pawel Krawczyk]] ([[User talk:Pawel Krawczyk|talk]]) 10:42, 5 May 2018 (CDT)

Input Validation Cheat Sheet

2017-06-15T11:24:33Z

Pawel Krawczyk: /* Whitelisting vs blacklisting */ Validating free-form Unicode text=

Talk:Cryptographic Storage Cheat Sheet

2017-05-17T12:25:17Z

2017-05-03T16:33:31Z

Pawel Krawczyk: /* Open Source or Free Tools Of This Type */ Bandit

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws. Ideally, such tools would automatically find security flaws with such a high degree of confidence that what's found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that just automatically finds flaws. If you are interested in the effectiveness of SAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including SAST.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and Weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your programming language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* How accurate is it? False Positive/False Negative rates?
** Does the tool have an OWASP [[Benchmark]] score?
* Does it understand the libraries/frameworks you use?
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* How hard is it to setup/use?
* Can it be run continuously and automatically?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]

==Disclaimer==

Disclaimer: <b>The tools listed in the tables below are presented in alphabetical order. <i>OWASP does not endorse any of the vendors or tools by listing them in the table below.</i> We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.</b>

==Open Source or Free Tools Of This Type==

* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including a few security flaws) in Java programs
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for FingBugs that significantly improves FindBug's ability to find security vulnerabilities in Java programs
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. The tool comes with a number of predefined vulnerability detectors which can additionally be extended by the user.

==Commercial Tools Of This Type==

* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure)
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security) Latest generation source code analysis tool bugScout detects source code vulnerabilities and makes possible an accurate management of the life cycles due to its easy use.
* [https://www.codacy.com/ Codacy] is free for open source projects, and integrates with tools such as Brakeman, Bandit, FindBugs, and a number of others. It offers security patterns for languages such as Python, Ruby, Scala, Java, Javascript and more.
* [http://www.contrastsecurity.com/ Contrast from Contrast Security] Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (HP)
* [http://www.juliasoft.com/solutions Julia] - SaaS Java static analysis (JuliaSoft)
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)
* [https://www.kiuwan.com/code-analysis/ Kiuwan] - SaaS Software Quality & Security Analysis (an [http://www.optimyth.com Optimyth] company)
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) For C/C++, C#
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)

==More info==

* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__

Category:Vulnerability Scanning Tools

2017-05-03T16:14:33Z

Pawel Krawczyk: update the Beyond Security URL

== Description ==

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as [[Cross-site scripting]], [[SQL Injection]], [[Command Injection]], [[Path Traversal]] and insecure server configuration. This category of tools is frequently referred to as [https://www.techopedia.com/definition/30958/dynamic-application-security-testing-dast Dynamic Application Security Testing] (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

Here we provide a list of vulnerability scanning tools currently available in the market.

<br> '''Disclaimer:''' The tools listing in the table below are presented in an alphabetical order. <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think this information is incomplete or incorrect, please send an e-mail to our [mailto:owasp_ha_vulnerability_scanner_project@lists.owasp.org mailing list] and we will make every effort to correct this information.</b>

== Tools Listing ==

{{:Template:OWASP Tool Headings}}
{{OWASP Tool Info || tool_name = [http://www.acunetix.com/ Acunetix WVS] || tool_owner = Acunetix || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www-03.ibm.com/software/products/en/appscan-standard AppScan] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/ App Scanner] || tool_owner = Trustwave || tool_licence = Commercial || tool_platforms = Windows }}
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/appspider/ AppSpider] || tool_owner = Rapid7 || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.scanmyserver.com/ AVDS] || tool_owner = Beyond Security || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS }}
{{OWASP Tool Info || tool_name = [https://www.blueclosure.com BlueClosure BC Detect] || tool_owner = BlueClosure || tool_licence = Commercial, 2 weeks trial || tool_platforms = Most platforms supported}}
{{OWASP Tool Info || tool_name = [http://www.portswigger.net/ Burp Suite] || tool_owner = PortSwiger || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Most platforms supported }}
{{OWASP Tool Info || tool_name = [https://contrastsecurity.com Contrast] || tool_owner = Contrast Security || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises }}
{{OWASP Tool Info || tool_name = [https://detectify.com/ Detectify] || tool_owner = Detectify || tool_licence = Commercial || tool_platforms = SaaS }}
{{OWASP Tool Info || tool_name = [http://www.gamasec.com/Gamascan.aspx GamaScan] || tool_owner = GamaSec || tool_licence = Commercial || tool_platforms = Windows }}
{{OWASP Tool Info || tool_name = [http://rgaucher.info/beta/grabber/ Grabber] || tool_owner = Romain Gaucher || tool_licence = Open Source || tool_platforms = Python 2.4, BeautifulSoup and PyXML}}
{{OWASP Tool Info || tool_name = [http://sourceforge.net/p/grendel/code/ci/c59780bfd41bdf34cc13b27bc3ce694fd3cb7456/tree/ Grendel-Scan] || tool_owner = David Byrne || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.golismero.com GoLismero] || tool_owner = GoLismero Team || tool_licence = GPLv2.0 || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.ikare-monitoring.com/ IKare] || tool_owner = ITrust || tool_licence = Commercial || tool_platforms = N/A }}
{{OWASP Tool Info || tool_name = [https://www.indusface.com/index.php/products/web-application-scanning Indusface Web Application Scanning] || tool_owner = Indusface || tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www.nstalker.com/ N-Stealth] || tool_owner = N-Stalker || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.mavitunasecurity.com/ Netsparker] || tool_owner = MavitunaSecurity || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/nexpose-community-edition.jsp Nexpose] || tool_owner = Rapid7 || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Windows/Linux}}
{{OWASP Tool Info || tool_name = [http://www.cirt.net/nikto2 Nikto] || tool_owner = CIRT || tool_licence = Open Source|| tool_platforms = Unix/Linux}}
{{OWASP Tool Info || tool_name = [http://www.milescan.com/ ParosPro] || tool_owner = MileSCAN || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/proxy.html Proxy.app] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.qualys.com/products/qg_suite/was/ QualysGuard] || tool_owner = Qualys || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina] || tool_owner = BeyondTrust || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.orvant.com Securus] || tool_owner = Orvant, Inc || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.whitehatsec.com/home/services/services.html Sentinel] || tool_owner = WhiteHat Security || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.parasoft.com/products/article.jsp?articleId=3169&redname=webtesting&referred=webtesting SOATest] || tool_owner = Parasoft || tool_licence = Commercial || tool_platforms = Windows / Linux / Solaris}}
{{OWASP Tool Info || tool_name = [https://www.tinfoilsecurity.com Tinfoil Security] || tool_owner = Tinfoil Security, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises}}
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/external-vulnerability-scanning.php Trustkeeper Scanner] || tool_owner = Trustwave SpiderLabs || tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [https://subgraph.com/vega/ Vega] || tool_owner = Subgraph || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://wapiti.sourceforge.net/ Wapiti] || tool_owner = Informática Gesfor || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/web-application-vulnerability-scanning/ WebApp360] || tool_owner = TripWire || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://webcookies.org WebCookies] || tool_owner = WebCookies || tool_licence = Free|| tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.Uuf0KBAo4iw WebInspect] || tool_owner = HP || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/webreaver.html WebReaver] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.german-websecurity.com/en/products/webscanservice/product-details/overview/ WebScanService] || tool_owner = German Web Security || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [https://suite.websecurify.com/ Websecurify Suite] || tool_owner = Websecurify || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows, Linux, Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.sensepost.com/research/wikto/ Wikto] || tool_owner = Sensepost || tool_licence = Open Source || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.w3af.org/ w3af] || tool_owner = w3af.org || tool_licence = GPLv2.0 || tool_platforms = Linux and Mac}}
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Zed Attack Proxy] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
|}

== References ==

*[[Source_Code_Analysis_Tools | SAST Tools]] - Similar Information on Static Application Security Testing (SAST) Tools
*http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
*http://www.slideshare.net/lbsuto/accuracy-and-timecostsofwebappscanners
*http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
*http://www.tssci-security.com/archives/2007/11/24/2007-security-testing-tools-in-review/
*http://www.softwareqatest.com/qatweb1.html#SECURITY

[[Category:OWASP_Tools_Project]]

Category:Vulnerability Scanning Tools

2017-05-03T16:08:51Z

Pawel Krawczyk: +Detectify

== Description ==

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as [[Cross-site scripting]], [[SQL Injection]], [[Command Injection]], [[Path Traversal]] and insecure server configuration. This category of tools is frequently referred to as [https://www.techopedia.com/definition/30958/dynamic-application-security-testing-dast Dynamic Application Security Testing] (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

Here we provide a list of vulnerability scanning tools currently available in the market.

<br> '''Disclaimer:''' The tools listing in the table below are presented in an alphabetical order. <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think this information is incomplete or incorrect, please send an e-mail to our [mailto:owasp_ha_vulnerability_scanner_project@lists.owasp.org mailing list] and we will make every effort to correct this information.</b>

== Tools Listing ==

{{:Template:OWASP Tool Headings}}
{{OWASP Tool Info || tool_name = [http://www.acunetix.com/ Acunetix WVS] || tool_owner = Acunetix || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www-03.ibm.com/software/products/en/appscan-standard AppScan] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/ App Scanner] || tool_owner = Trustwave || tool_licence = Commercial || tool_platforms = Windows }}
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/appspider/ AppSpider] || tool_owner = Rapid7 || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.beyondsecurity.com/avds AVDS] || tool_owner = Beyond Security || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = N/A }}
{{OWASP Tool Info || tool_name = [https://www.blueclosure.com BlueClosure BC Detect] || tool_owner = BlueClosure || tool_licence = Commercial, 2 weeks trial || tool_platforms = Most platforms supported}}
{{OWASP Tool Info || tool_name = [http://www.portswigger.net/ Burp Suite] || tool_owner = PortSwiger || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Most platforms supported }}
{{OWASP Tool Info || tool_name = [https://contrastsecurity.com Contrast] || tool_owner = Contrast Security || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises }}
{{OWASP Tool Info || tool_name = [https://detectify.com/ Detectify] || tool_owner = Detectify || tool_licence = Commercial || tool_platforms = SaaS }}
{{OWASP Tool Info || tool_name = [http://www.gamasec.com/Gamascan.aspx GamaScan] || tool_owner = GamaSec || tool_licence = Commercial || tool_platforms = Windows }}
{{OWASP Tool Info || tool_name = [http://rgaucher.info/beta/grabber/ Grabber] || tool_owner = Romain Gaucher || tool_licence = Open Source || tool_platforms = Python 2.4, BeautifulSoup and PyXML}}
{{OWASP Tool Info || tool_name = [http://sourceforge.net/p/grendel/code/ci/c59780bfd41bdf34cc13b27bc3ce694fd3cb7456/tree/ Grendel-Scan] || tool_owner = David Byrne || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.golismero.com GoLismero] || tool_owner = GoLismero Team || tool_licence = GPLv2.0 || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.ikare-monitoring.com/ IKare] || tool_owner = ITrust || tool_licence = Commercial || tool_platforms = N/A }}
{{OWASP Tool Info || tool_name = [https://www.indusface.com/index.php/products/web-application-scanning Indusface Web Application Scanning] || tool_owner = Indusface || tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www.nstalker.com/ N-Stealth] || tool_owner = N-Stalker || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.mavitunasecurity.com/ Netsparker] || tool_owner = MavitunaSecurity || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/nexpose-community-edition.jsp Nexpose] || tool_owner = Rapid7 || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Windows/Linux}}
{{OWASP Tool Info || tool_name = [http://www.cirt.net/nikto2 Nikto] || tool_owner = CIRT || tool_licence = Open Source|| tool_platforms = Unix/Linux}}
{{OWASP Tool Info || tool_name = [http://www.milescan.com/ ParosPro] || tool_owner = MileSCAN || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/proxy.html Proxy.app] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.qualys.com/products/qg_suite/was/ QualysGuard] || tool_owner = Qualys || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina] || tool_owner = BeyondTrust || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.orvant.com Securus] || tool_owner = Orvant, Inc || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.whitehatsec.com/home/services/services.html Sentinel] || tool_owner = WhiteHat Security || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.parasoft.com/products/article.jsp?articleId=3169&redname=webtesting&referred=webtesting SOATest] || tool_owner = Parasoft || tool_licence = Commercial || tool_platforms = Windows / Linux / Solaris}}
{{OWASP Tool Info || tool_name = [https://www.tinfoilsecurity.com Tinfoil Security] || tool_owner = Tinfoil Security, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises}}
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/external-vulnerability-scanning.php Trustkeeper Scanner] || tool_owner = Trustwave SpiderLabs || tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [https://subgraph.com/vega/ Vega] || tool_owner = Subgraph || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://wapiti.sourceforge.net/ Wapiti] || tool_owner = Informática Gesfor || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/web-application-vulnerability-scanning/ WebApp360] || tool_owner = TripWire || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://webcookies.org WebCookies] || tool_owner = WebCookies || tool_licence = Free|| tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.Uuf0KBAo4iw WebInspect] || tool_owner = HP || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/webreaver.html WebReaver] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.german-websecurity.com/en/products/webscanservice/product-details/overview/ WebScanService] || tool_owner = German Web Security || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [https://suite.websecurify.com/ Websecurify Suite] || tool_owner = Websecurify || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows, Linux, Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.sensepost.com/research/wikto/ Wikto] || tool_owner = Sensepost || tool_licence = Open Source || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.w3af.org/ w3af] || tool_owner = w3af.org || tool_licence = GPLv2.0 || tool_platforms = Linux and Mac}}
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Zed Attack Proxy] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
|}

== References ==

*[[Source_Code_Analysis_Tools | SAST Tools]] - Similar Information on Static Application Security Testing (SAST) Tools
*http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
*http://www.slideshare.net/lbsuto/accuracy-and-timecostsofwebappscanners
*http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
*http://www.tssci-security.com/archives/2007/11/24/2007-security-testing-tools-in-review/
*http://www.softwareqatest.com/qatweb1.html#SECURITY

[[Category:OWASP_Tools_Project]]

Category:Vulnerability Scanning Tools

2017-05-03T16:06:02Z

Pawel Krawczyk: +WebCookies

== Description ==

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as [[Cross-site scripting]], [[SQL Injection]], [[Command Injection]], [[Path Traversal]] and insecure server configuration. This category of tools is frequently referred to as [https://www.techopedia.com/definition/30958/dynamic-application-security-testing-dast Dynamic Application Security Testing] (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

Here we provide a list of vulnerability scanning tools currently available in the market.

<br> '''Disclaimer:''' The tools listing in the table below are presented in an alphabetical order. <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think this information is incomplete or incorrect, please send an e-mail to our [mailto:owasp_ha_vulnerability_scanner_project@lists.owasp.org mailing list] and we will make every effort to correct this information.</b>

== Tools Listing ==

{{:Template:OWASP Tool Headings}}
{{OWASP Tool Info || tool_name = [http://www.acunetix.com/ Acunetix WVS] || tool_owner = Acunetix || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www-03.ibm.com/software/products/en/appscan-standard AppScan] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/ App Scanner] || tool_owner = Trustwave || tool_licence = Commercial || tool_platforms = Windows }}
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/appspider/ AppSpider] || tool_owner = Rapid7 || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.beyondsecurity.com/avds AVDS] || tool_owner = Beyond Security || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = N/A }}
{{OWASP Tool Info || tool_name = [https://www.blueclosure.com BlueClosure BC Detect] || tool_owner = BlueClosure || tool_licence = Commercial, 2 weeks trial || tool_platforms = Most platforms supported}}
{{OWASP Tool Info || tool_name = [http://www.portswigger.net/ Burp Suite] || tool_owner = PortSwiger || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Most platforms supported }}
{{OWASP Tool Info || tool_name = [https://contrastsecurity.com Contrast] || tool_owner = Contrast Security || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises }}
{{OWASP Tool Info || tool_name = [http://www.gamasec.com/Gamascan.aspx GamaScan] || tool_owner = GamaSec || tool_licence = Commercial || tool_platforms = Windows }}
{{OWASP Tool Info || tool_name = [http://rgaucher.info/beta/grabber/ Grabber] || tool_owner = Romain Gaucher || tool_licence = Open Source || tool_platforms = Python 2.4, BeautifulSoup and PyXML}}
{{OWASP Tool Info || tool_name = [http://sourceforge.net/p/grendel/code/ci/c59780bfd41bdf34cc13b27bc3ce694fd3cb7456/tree/ Grendel-Scan] || tool_owner = David Byrne || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.golismero.com GoLismero] || tool_owner = GoLismero Team || tool_licence = GPLv2.0 || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.ikare-monitoring.com/ IKare] || tool_owner = ITrust || tool_licence = Commercial || tool_platforms = N/A }}
{{OWASP Tool Info || tool_name = [https://www.indusface.com/index.php/products/web-application-scanning Indusface Web Application Scanning] || tool_owner = Indusface || tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www.nstalker.com/ N-Stealth] || tool_owner = N-Stalker || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.mavitunasecurity.com/ Netsparker] || tool_owner = MavitunaSecurity || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/nexpose-community-edition.jsp Nexpose] || tool_owner = Rapid7 || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Windows/Linux}}
{{OWASP Tool Info || tool_name = [http://www.cirt.net/nikto2 Nikto] || tool_owner = CIRT || tool_licence = Open Source|| tool_platforms = Unix/Linux}}
{{OWASP Tool Info || tool_name = [http://www.milescan.com/ ParosPro] || tool_owner = MileSCAN || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/proxy.html Proxy.app] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.qualys.com/products/qg_suite/was/ QualysGuard] || tool_owner = Qualys || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina] || tool_owner = BeyondTrust || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.orvant.com Securus] || tool_owner = Orvant, Inc || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.whitehatsec.com/home/services/services.html Sentinel] || tool_owner = WhiteHat Security || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.parasoft.com/products/article.jsp?articleId=3169&redname=webtesting&referred=webtesting SOATest] || tool_owner = Parasoft || tool_licence = Commercial || tool_platforms = Windows / Linux / Solaris}}
{{OWASP Tool Info || tool_name = [https://www.tinfoilsecurity.com Tinfoil Security] || tool_owner = Tinfoil Security, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises}}
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/external-vulnerability-scanning.php Trustkeeper Scanner] || tool_owner = Trustwave SpiderLabs || tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [https://subgraph.com/vega/ Vega] || tool_owner = Subgraph || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://wapiti.sourceforge.net/ Wapiti] || tool_owner = Informática Gesfor || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/web-application-vulnerability-scanning/ WebApp360] || tool_owner = TripWire || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://webcookies.org WebCookies] || tool_owner = WebCookies || tool_licence = Free|| tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.Uuf0KBAo4iw WebInspect] || tool_owner = HP || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/webreaver.html WebReaver] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.german-websecurity.com/en/products/webscanservice/product-details/overview/ WebScanService] || tool_owner = German Web Security || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [https://suite.websecurify.com/ Websecurify Suite] || tool_owner = Websecurify || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows, Linux, Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.sensepost.com/research/wikto/ Wikto] || tool_owner = Sensepost || tool_licence = Open Source || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.w3af.org/ w3af] || tool_owner = w3af.org || tool_licence = GPLv2.0 || tool_platforms = Linux and Mac}}
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Xenotix XSS Exploit Framework] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Zed Attack Proxy] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
|}

== References ==

*[[Source_Code_Analysis_Tools | SAST Tools]] - Similar Information on Static Application Security Testing (SAST) Tools
*http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
*http://www.slideshare.net/lbsuto/accuracy-and-timecostsofwebappscanners
*http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
*http://www.tssci-security.com/archives/2007/11/24/2007-security-testing-tools-in-review/
*http://www.softwareqatest.com/qatweb1.html#SECURITY

[[Category:OWASP_Tools_Project]]

Content Security Policy

2017-05-02T10:43:59Z

Pawel Krawczyk: /* Tools */ no longer active

{{taggedDocument
| type=pls_review
}}

Last revision (mm/dd/yy): '''08/31/2013'''

== Introduction ==
'''CSP''' stands for '''C'''ontent '''S'''ecurity '''P'''olicy.

Is an W3C specification offering the possbility to instruct the client browser from which location and/or which type of resources are allowed to be loaded. To define a loading behavior, the CSP specification use "directive" where a directive defines a loading behavior for a target resource type.

This article is based on version [http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html 1.1] of the W3C specification.

Directives can be specified using HTTP response header (a server may send more than one CSP HTTP header field with a given resource representation and a server may send different CSP header field values with different representations of the same resource or with different resources) or HTML Meta tag, the HTTP headers below are defined by the specs:
* '''Content-Security-Policy''' : Defined by W3C Specs as standard header, used by Chrome version 25 and later, Firefox version 23 and later, Opera version 19 and later.
* '''X-Content-Security-Policy''' : Used by Firefox until version 23, and Internet Explorer version 10 (which partially implements Content Security Policy).
* '''X-WebKit-CSP''' : Used by Chrome until version 25

The supported directives are:
* '''default-src''' : Define loading policy for all resources type in case of a resource type dedicated directive is not defined (fallback),
* '''script-src''' : Define which scripts the protected resource can execute,
* '''object-src''' : Define from where the protected resource can load plugins,
* '''style-src''' : Define which styles (CSS) the user applies to the protected resource,
* '''img-src''' : Define from where the protected resource can load images,
* '''media-src''' : Define from where the protected resource can load video and audio,
* '''frame-src''' : Define from where the protected resource can embed frames,
* '''font-src''' : Define from where the protected resource can load fonts,
* '''connect-src''' : Define which URIs the protected resource can load using script interfaces,
* '''form-action''' : Define which URIs can be used as the action of HTML form elements,
* '''sandbox''' : Specifies an HTML sandbox policy that the user agent applies to the protected resource,
* '''script-nonce''' : Define script execution by requiring the presence of the specified nonce on script elements,
* '''plugin-types''' : Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded,
* '''reflected-xss''' : Instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header,
* '''report-uri''' : Specifies a URI to which the user agent sends reports about policy violation

An introduction to CSP is available on [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ HTML5Rocks]. The browser support is shown on http://caniuse.com/#feat=contentsecuritypolicy

== Risk ==
The risk with CSP can have 2 main sources:
# Policies misconfiguration,
# Too permissive policies.

== Countermeasure ==
This article will focus on providing an sample implementation of a JEE Web Filter in order to apply a set of CSP policies on all HTTP response returned by server.

The policies will instruct the browser to have the loading behavior below using all HTTP headers defined in W3C Specs:
* Explicit loading definition of each resource type,
* Resources are loaded only from source domain,
* Inline style is not allowed,
* For JavaScript:
** ''Inline script'' will be allowed because inline scripting is commonly used (can be disabled if target site does not use this type of scripting),
** ''eval()'' function will be allowed in order to not break use of popular JavaScript libraries (ex: JQuery, JQueryUI, Sencha, ...) because they use eval() function (it was the case last time I have checked the source code from CDN ;) ),
* Generation of a random not guessable script nonce to use into all script tags,
* Plugin types only allow PDF and Flash,
* No font loading (configurable),
* No Audio / Video loading (configurable),
* Enable browser XSS filtering feature.

<pre style="color:navy">
The support for CSP directives is not the same level in major browsers (Firefox/Chrome/IE). It's recommanded to check the support
provided by target browsers (using site provided in link section of this article) in order to configure CSP policies. The sample
below try to provide a set of policies from which your can add policies specific to your application context.
</pre>

''This implementation provide an option to add CSP directives used by Firefox (Mozilla CSP directives).''

<pre>
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.binary.Hex;

/**
* Sample filter implementation to define a set of Content Security Policies.<br/>
*
* This implementation has a dependency on Commons Codec API.<br/>
*
* This filter set CSP policies using all HTTP headers defined into W3C specification.<br/>
* <br/>
* This implementation is oriented to be easily understandable and easily adapted.<br/>
*
*/
@WebFilter("/*")
public class CSPPoliciesApplier implements Filter {

/** Configuration member to specify if web app use web fonts */
public static final boolean APP_USE_WEBFONTS = false;

/** Configuration member to specify if web app use videos or audios */
public static final boolean APP_USE_AUDIOS_OR_VIDEOS = false;

/** Configuration member to specify if filter must add CSP directive used by Mozilla (Firefox) */
public static final boolean INCLUDE_MOZILLA_CSP_DIRECTIVES = true;

/** Filter configuration */
@SuppressWarnings("unused")
private FilterConfig filterConfig = null;

/** List CSP HTTP Headers */
private List<String> cspHeaders = new ArrayList<String>();

/** Collection of CSP polcies that will be applied */
private String policies = null;

/** Used for Script Nonce */
private SecureRandom prng = null;

/**
* Used to prepare (one time for all) set of CSP policies that will be applied on each HTTP response.
*
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
@Override
public void init(FilterConfig fConfig) throws ServletException {
// Get filter configuration
this.filterConfig = fConfig;

// Init secure random
try {
this.prng = SecureRandom.getInstance("SHA1PRNG");
}
catch (NoSuchAlgorithmException e) {
throw new ServletException(e);
}

// Define list of CSP HTTP Headers
this.cspHeaders.add("Content-Security-Policy");
this.cspHeaders.add("X-Content-Security-Policy");
this.cspHeaders.add("X-WebKit-CSP");

// Define CSP policies
// Loading policies for Frame and Sandboxing will be dynamically defined : We need to know if context use Frame
List<String> cspPolicies = new ArrayList<String>();
String originLocationRef = "'self'";
// --Disable default source in order to avoid browser fallback loading using 'default-src' locations
cspPolicies.add("default-src 'none'");
// --Define loading policies for Scripts
cspPolicies.add("script-src " + originLocationRef + " 'unsafe-inline' 'unsafe-eval'");
if (INCLUDE_MOZILLA_CSP_DIRECTIVES) {
cspPolicies.add("options inline-script eval-script");
cspPolicies.add("xhr-src 'self'");
}
// --Define loading policies for Plugins
cspPolicies.add("object-src " + originLocationRef);
// --Define loading policies for Styles (CSS)
cspPolicies.add("style-src " + originLocationRef);
// --Define loading policies for Images
cspPolicies.add("img-src " + originLocationRef);
// --Define loading policies for Form
cspPolicies.add("form-action " + originLocationRef);
// --Define loading policies for Audios/Videos
if (APP_USE_AUDIOS_OR_VIDEOS) {
cspPolicies.add("media-src " + originLocationRef);
}
// --Define loading policies for Fonts
if (APP_USE_WEBFONTS) {
cspPolicies.add("font-src " + originLocationRef);
}
// --Define loading policies for Connection
cspPolicies.add("connect-src " + originLocationRef);
// --Define loading policies for Plugins Types
cspPolicies.add("plugin-types application/pdf application/x-shockwave-flash");
// --Define browser XSS filtering feature running mode
cspPolicies.add("reflected-xss block");

// Target formating
this.policies = cspPolicies.toString().replaceAll("(\\[|\\])", "").replaceAll(",", ";").trim();
}

/**
* Add CSP policies on each HTTP response.
*
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain fchain) throws IOException, ServletException {
HttpServletRequest httpRequest = ((HttpServletRequest) request);
HttpServletResponse httpResponse = ((HttpServletResponse) response);

/* Step 1 : Detect if target resource is a Frame */
// Customize here according to your context...
boolean isFrame = true;

/* Step 2 : Add CSP policies to HTTP response */
StringBuilder policiesBuffer = new StringBuilder(this.policies);

// If resource is a frame add Frame/Sandbox CSP policy
if (isFrame) {
// Frame + Sandbox : Here sandbox allow nothing, customize sandbox options depending on your app....
policiesBuffer.append(";").append("frame-src 'self';sandbox");
if (INCLUDE_MOZILLA_CSP_DIRECTIVES) {
policiesBuffer.append(";").append("frame-ancestors 'self'");
}
}

// Add Script Nonce CSP Policy
// --Generate a random number
String randomNum = new Integer(this.prng.nextInt()).toString();
// --Get its digest
MessageDigest sha;
try {
sha = MessageDigest.getInstance("SHA-1");
}
catch (NoSuchAlgorithmException e) {
throw new ServletException(e);
}
byte[] digest = sha.digest(randomNum.getBytes());
// --Encode it into HEXA
String scriptNonce = Hex.encodeHexString(digest);
policiesBuffer.append(";").append("script-nonce ").append(scriptNonce);
// --Made available script nonce in view app layer
httpRequest.setAttribute("CSP_SCRIPT_NONCE", scriptNonce);

// Add policies to all HTTP headers
for (String header : this.cspHeaders) {
httpResponse.setHeader(header, policiesBuffer.toString());
}

/* Step 3 : Let request continue chain filter */
fchain.doFilter(request, response);
}

/**
* {@inheritDoc}
*
* @see javax.servlet.Filter#destroy()
*/
@Override
public void destroy() {
// Not used
}
}

</pre>

== Tools ==

[[Automated Audit using w3af|w3af]] audit tools (http://w3af.org) contain [https://github.com/andresriancho/w3af/blob/master/plugins/grep/csp.py plugin] to automatically audit web application to check if they correctly implement CSP policies.

<pre style="color:#088A08">
It's very useful to include this type of tools into a web application development process in order to
perform a regular automatic first level check (do not replace an manual audit and manual audit must be also conducted regularly).
</pre>

You can also use [https://www.oxdef.info/csp-tester CSP Tester (browser extension)] to build and test the policy for your web application.

== Information links ==
* W3C Specifications: CSP 1.0 - http://www.w3.org/TR/CSP, CSP 1.1 - http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
* Introduction to CSP: http://www.html5rocks.com/en/tutorials/security/content-security-policy
* CSP browser support: http://caniuse.com/#feat=contentsecuritypolicy
* CSP readiness browser testing: http://erlend.oftedal.no/blog/csp/readiness/

[[Category:Java]]
[[Category: Injection]]
[[Category:Attack]]
[[Category:Injection Attack]]

PL/SQL Security Cheat Sheet

2017-04-27T13:45:24Z

User:Pawel Krawczyk

2016-11-22T06:52:07Z

Pawel Krawczyk:

'''Paweł Krawczyk'''

* [https://www.linkedin.com/in/pawelkrawczyk my LinkedIn profile]
* [https://ipsec.pl/ IPSec.pl my application security and electronic signature articles]
* [https://webcookies.org/ my tool for web application cookie inspection]
* [https://echelon.pl/ my articles in Polish]

My draft articles:

* [[User:Pawel_Krawczyk/List_of_useful_HTTP_headers]]

Transport Layer Protection Cheat Sheet

2015-06-09T20:54:14Z

Pawel Krawczyk: /* Rule - REMOVED - Do Not Perform Redirects from Non-TLS Page to TLS Login Page */ if it's removed, it should be removed

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
= Introduction =
__TOC__{{TOC hidden}}

This cheat sheet provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance on securely designing and configuring transport layer security for an application. This article is focused on the use of SSL/TLS between a web application and a web browser, but we also encourage the use of SSL/TLS or other network encryption technologies, such as VPN, on back end and other non-browser based connections.<br>

== Architectural Decision ==

An architectural decision must be made to determine the appropriate method to protect data when it is being transmitted. The most common options available to corporations are Virtual Private Networks (VPN) or a SSL/TLS model commonly used by web applications. The selected model is determined by the business needs of the particular organization. For example, a VPN connection may be the best design for a partnership between two companies that includes mutual access to a shared server over a variety of protocols. Conversely, an Internet facing enterprise web application would likely be best served by a SSL/TLS model.

This cheat sheet will focus on security considerations when the SSL/TLS model is selected. This is a frequently used model for publicly accessible web applications.

= Providing Transport Layer Protection with SSL/TLS =

== Benefits ==

The primary benefit of transport layer security is the protection of web application data from unauthorized disclosure and modification when it is transmitted between clients (web browsers) and the web application server, and between the web application server and back end and other non-browser based enterprise components.

The server validation component of TLS provides authentication of the server to the client. If configured to require client side certificates, TLS can also play a role in client authentication to the server. However, in practice client side certificates are not often used in lieu of username and password based authentication models for clients.

TLS also provides two additional benefits that are commonly overlooked; integrity guarantees and replay prevention. A TLS stream of communication contains built-in controls to prevent tampering with any portion of the encrypted data. In addition, controls are also built-in to prevent a captured stream of TLS data from being replayed at a later time.

It should be noted that TLS provides the above guarantees to data during transmission. TLS does not offer any of these security benefits to data that is at rest. Therefore appropriate security controls must be added to protect data while at rest within the application or within data stores.

== Basic Requirements ==

The basic requirements for using TLS are: access to a Public Key Infrastructure (PKI) in order to obtain certificates, access to a directory or an Online Certificate Status Protocol (OCSP) responder in order to check certificate revocation status, and agreement/ability to support a minimum configuration of protocol versions and protocol options for each version.

== SSL vs. TLS ==

The terms, Secure Socket Layer (SSL) and Transport Layer Security (TLS) are often used interchangeably. In fact, SSL v3.1 is equivalent to TLS v1.0. However, different versions of SSL and TLS are supported by modern web browsers and by most modern web frameworks and platforms. For the purposes of this cheat sheet we will refer to the technology generically as TLS. Recommendations regarding the use of SSL and TLS protocols, as well as browser support for TLS, can be found in the rule below titled [[Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Protocols| "Only Support Strong Protocols"]].

[[Image:Asvs_cryptomodule.gif|thumb|350px|right|Cryptomodule Parts and Operation]]

== When to Use a FIPS 140-2 Validated Cryptomodule ==

If the web application may be the target of determined attackers (a common threat model for Internet accessible applications handling sensitive data), it is strongly advised to use TLS services that are provided by [http://csrc.nist.gov/groups/STM/cmvp/validation.html FIPS 140-2 validated cryptomodules].

A cryptomodule, whether it is a software library or a hardware device, basically consists of three parts:

* Components that implement cryptographic algorithms (symmetric and asymmetric algorithms, hash algorithms, random number generator algorithms, and message authentication code algorithms)
* Components that call and manage cryptographic functions (inputs and outputs include cryptographic keys and so-called critical security parameters)
* A physical container around the components that implement cryptographic algorithms and the components that call and manage cryptographic functions

The security of a cryptomodule and its services (and the web applications that call the cryptomodule) depend on the correct implementation and integration of each of these three parts. In addition, the cryptomodule must be used and accessed securely. The includes consideration for:

* Calling and managing cryptographic functions
* Securely Handling inputs and output
* Ensuring the secure construction of the physical container around the components

In order to leverage the benefits of TLS it is important to use a TLS service (e.g. library, web framework, web application server) which has been FIPS 140-2 validated. In addition, the cryptomodule must be installed, configured and operated in either an approved or an allowed mode to provide a high degree of certainty that the FIPS 140-2 validated cryptomodule is providing the expected security services in the expected manner.

If the system is legally required to use FIPS 140-2 encryption (e.g., owned or operated by or on behalf of the U.S. Government) then TLS must be used and SSL disabled. Details on why SSL is unacceptable are described in Section 7.1 of [http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program].

Further reading on the use of TLS to protect highly sensitive data against determined attackers can be viewed in [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf SP800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations]

== Secure Server Design ==

=== Rule - Use TLS for All Login Pages and All Authenticated Pages ===

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location. Failure to utilize TLS for authenticated pages after the login enables an attacker to view the unencrypted session ID and compromise the user's authenticated session.

=== Rule - Use TLS on Any Networks (External and Internal) Transmitting Sensitive Data ===

All networks, both external and internal, which transmit sensitive data must utilize TLS or an equivalent transport layer security mechanism. It is not sufficient to claim that access to the internal network is "restricted to employees". Numerous recent data compromises have shown that the internal network can be breached by attackers. In these attacks, sniffers have been installed to access unencrypted sensitive data sent on the internal network.

=== Rule - Do Not Provide Non-TLS Pages for Secure Content ===

All pages which are available over TLS must not be available over a non-TLS connection. A user may inadvertently bookmark or manually type a URL to a HTTP page (e.g. http://example.com/myaccount) within the authenticated portion of the application. If this request is processed by the application then the response, and any sensitive data, would be returned to the user over the clear text HTTP.

=== Rule - Do Not Mix TLS and Non-TLS Content ===

A page that is available over TLS must be comprised completely of content which is transmitted over TLS. The page must not contain any content that is transmitted over unencrypted HTTP. This includes content from unrelated third party sites.

An attacker could intercept any of the data transmitted over the unencrypted HTTP and inject malicious content into the user's page. This malicious content would be included in the page even if the overall page is served over TLS. In addition, an attacker could steal the user's session cookie that is transmitted with any non-TLS requests. This is possible if the cookie's 'secure' flag is not set. See the rule 'Use "Secure" Cookie Flag'

=== Rule - Use "Secure" Cookie Flag ===

The "Secure" flag must be set for all user cookies. Failure to use the "secure" flag enables an attacker to access the session cookie by tricking the user's browser into submitting a request to an unencrypted page on the site. This attack is possible even if the server is not configured to offer HTTP content since the attacker is monitoring the requests and does not care if the server responds with a 404 or doesn't respond at all.

=== Rule - Keep Sensitive Data Out of the URL ===

Sensitive data must not be transmitted via URL arguments. A more appropriate place is to store sensitive data in a server side repository or within the user's session. When using TLS the URL arguments and values are encrypted during transit. However, there are two methods that the URL arguments and values could be exposed.

1. The entire URL is cached within the local user's browser history. This may expose sensitive data to any other user of the workstation.

2. The entire URL is exposed if the user clicks on a link to another HTTPS site. This may expose sensitive data within the referral field to the third party site. This exposure occurs in most browsers and will only occur on transitions between two TLS sites.

For example, a user following a link on [http://owasp.org https://example.com] which leads to [http://owasp.org https://someOtherexample.com] would expose the full URL of [http://owasp.org https://example.com] (including URL arguments) in the referral header (within most browsers). This would not be the case if the user followed a link on [http://owasp.org https://example.com] to [http://owasp.org http://someHTTPexample.com]

=== Rule - Prevent Caching of Sensitive Data ===

The TLS protocol provides confidentiality only for data in transit but it does not help with potential data leakage issues at the client or intermediary proxies. As a result, it is frequently prudent to instruct these nodes not to cache or persist sensitive data. One option is to add anticaching headers to relevant HTTP responses, (for example, "Cache-Control: no-cache, no-store" and "Expires: 0" for coverage of many modern browsers as of 2013). For compatibility with HTTP/1.0 (i.e., when user agents are really old or the webserver works around quirks by forcing HTTP/1.0) the response should also include the header "Pragma: no-cache". More information is available in [https://tools.ietf.org/html/rfc2616 HTTP 1.1 RFC 2616], section 14.9.

=== Rule - Use HTTP Strict Transport Security ===

See: [[HTTP Strict Transport Security]]

===Rule - Use Public Key Pinning===

See: [[Certificate and Public Key Pinning]]

<span id="Server_Certificate_and_Protocol_Configuration"></span> 

== Server Certificate ==
Note: If using a FIPS 140-2 cryptomodule disregard the following rules and defer to the recommended configuration for the particular cryptomodule. Nevertheless we recommend to use this rules to audit your configuration.

=== Rule - Use Strong Keys & Protect Them ===

The private key used to generate the cipher key must be sufficiently strong for the anticipated lifetime of the private key and corresponding certificate. The current best practice is to select a key size of at least 2048 bits. Additional information on key lifetimes and comparable key strengths can be found in [http://www.keylength.com/en/compare/], [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf NIST SP 800-57]. In addition, the private key must be stored in a location that is protected from unauthorized access.

=== Rule - Use a Certificate That Supports Required Domain Names ===

A user should never be presented with a certificate error, including prompts to reconcile domain or hostname mismatches, or expired certificates. If the application is available at both [https://owasp.org https://www.example.com] and [https://owasp.org https://example.com] then an appropriate certificate, or certificates, must be presented to accommodate the situation. The presence of certificate errors desensitizes users to TLS error messages and increases the possibility an attacker could launch a convincing phishing or man-in-the-middle attack.

For example, consider a web application accessible at [https://owasp.org https://abc.example.com] and [https://owasp.org https://xyz.example.com]. One certificate should be acquired for the host or server ''abc.example.com''; and a second certificate for host or server ''xyz.example.com''. In both cases, the hostname would be present in the Subject's Common Name (CN).

Alternatively, the Subject Alternate Names (SANs) can be used to provide a specific listing of multiple names where the certificate is valid. In the example above, the certificate could list the Subject's CN as ''example.com'', and list two SANs: ''abc.example.com'' and ''xyz.example.com''. These certificates are sometimes referred to as "multiple domain certificates".

=== Rule - Use Fully Qualified Names in Certificates ===

Use fully qualified names in the DNS name field, and do not use unqualifed names (e.g., 'www'), local names (e.g., 'localhost'), or private IP addresses (e.g., 192.168.1.1) in the DNS name field. Unqualifed names, local names, or private IP addresses violate the certificate specification.

=== Rule - Do Not Use Wildcard Certificates ===

You should refrain from using wildcard certificates. Though they are expedient at circumventing annoying user prompts, they also [[Least_privilege|violate the principal of least privilege]] and asks the user to trust all machines, including developer's machines, the secretary's machine in the lobby and the sign-in kiosk. Obtaining access to the private key is left as an exercise for the attacker, but its made much easier when stored on the file system unprotected.

Statistics gathered by Qualys for [http://media.blackhat.com/bh-us-10/presentations/Ristic/BlackHat-USA-2010-Ristic-Qualys-SSL-Survey-HTTP-Rating-Guide-slides.pdf Internet SSL Survey 2010] indicate wildcard certificates have a 4.4% share, so the practice is not standard for public facing hosts. Finally, wildcard certificates violate [https://www.cabforum.org/EV_Certificate_Guidelines.pdf EV Certificate Guidelines].

=== Rule - Do Not Use RFC 1918 Addresses in Certificates ===

Certificates should not use private addresses. RFC 1918 is [https://tools.ietf.org/html/rfc1918 Address Allocation for Private Internets]. Private addresses are Internet Assigned Numbers Authority (IANA) reserved and include 192.168/16, 172.16/12, and 10/8.

Certificates issued with private addresses violate [https://www.cabforum.org/EV_Certificate_Guidelines.pdf EV Certificate Guidelines]. In addition, Peter Gutmann writes in in [http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf Engineering Security]: "This one is particularly troublesome because, in combination with the router-compromise attacks... and ...OSCP-defeating measures, it allows an attacker to spoof any EV-certificate site."

=== Rule - Use an Appropriate Certification Authority for the Application's User Base ===

An application user must never be presented with a warning that the certificate was signed by an unknown or untrusted authority. The application's user population must have access to the public certificate of the certification authority which issued the server's certificate. For Internet accessible websites, the most effective method of achieving this goal is to purchase the TLS certificate from a recognize certification authority. Popular Internet browsers already contain the public certificates of these recognized certification authorities.

Internal applications with a limited user population can use an internal certification authority provided its public certificate is securely distributed to all users. However, remember that all certificates issued by this certification authority will be trusted by the users. Therefore, utilize controls to protect the private key and ensure that only authorized individuals have the ability to sign certificates.

The use of self signed certificates is never acceptable. Self signed certificates negate the benefit of end-point authentication and also significantly decrease the ability for an individual to detect a man-in-the-middle attack.

=== Rule - Always Provide All Needed Certificates ===

Clients attempt to solve the problem of identifying a server or host using PKI and X509 certificate. When a user receives a server or host's certificate, the certificate must be validated back to a trusted root certification authority. This is known as path validation.

There can be one or more intermediate certificates in between the end-entity (server or host) certificate and root certificate. In addition to validating both endpoints, the user will also have to validate all intermediate certificates. Validating all intermediate certificates can be tricky because the user may not have them locally. This is a well-known PKI issue called the “Which Directory?" problem.

To avoid the “Which Directory?" problem, a server should provide the user with all required certificates used in a path validation.

=== Rule - Be aware of and have a plan for the SHA-1 deprecation plan ===

In order to avoid presenting end users with progressive certificate warnings, organizations must proactively address the browser vendor's upcoming SHA-1 deprecation plans. The Google Chrome plan is probably the most specific and aggressive at this point: [http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html Gradually sunsetting SHA-1]

If your organization has no [https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility SHA256 compatibility issues] then it may be appropriate to move your site to a SHA256 signed certificate/chain. If there are, or may be, issues - you should ensure that your SHA-1 certificates expire before 1/1/2017.

== Server Protocol and Cipher Configuration ==
Note: If using a FIPS 140-2 cryptomodule disregard the following rules and defer to the recommended configuration for the particular cryptomodule. Nevertheless we recommend to use this rules to audit your configuration.

=== Rule - Only Support Strong Protocols ===

SSL/TLS is a collection of protocols. Weaknesses have been identified with earlier SSL protocols, including [http://www.schneier.com/paper-ssl-revised.pdf SSLv2] and [http://www.yaksman.org/~lweith/ssl.pdf SSLv3] hence SSL versions 1, 2 and 3 should not longer be used. The best practice for transport layer protection is to only provide support for the TLS protocols - TLS1.0, TLS 1.1 and TLS 1.2. This configuration will provide maximum protection against skilled and determined attackers and is appropriate for applications handling sensitive data or performing critical operations.

[http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers Nearly all modern browsers support at least TLS 1.0]. As of February 2013, contemporary browsers (Chrome v20+, IE v8+, Opera v10+, and Safari v5+) [http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers support TLS 1.1 and TLS 1.2]. You should provide support for TLS 1.1 and TLS 1.2 to accommodate clients which support the protocols. The client and server (usually) negotiate the best protocol, that is supported on both sides.

TLS 1.0 is still widely used as 'best' protocol by a lot of browsers, that are not patched to the very latest version. It suffers [http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html CBC Chaining attacks and Padding Oracle attacks]. TLSv1.0 should only be used only after risk analysis and acceptance.

Under no circumstances neither SSLv2 nor SSLv3 should be enabled as a protocol selection:
* The [http://www.schneier.com/paper-ssl-revised.pdf SSLv2 protocol is broken] and does not provide adequate transport layer protection.
* [http://www.yaksman.org/~lweith/ssl.pdf SSLv3 had been known for weaknesses] which severely compromise the channel's security long before the [https://www.openssl.org/~bodo/ssl-poodle.pdf 'POODLE'-Bug] finally stopped to tolerate this protocol by October 2014. Switching off SSLv3 terminates the support of legacy browsers like [https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=6&platform=XP IE6/XP] and elder.

=== Rule - Prefer Ephemeral Key Exchanges ===

Ephemeral key exchanges are based on Diffie-Hellman and use per-session, temporary keys during the initial SSL/TLS handshake. They provide perfect forward secrecy (PFS), which means a compromise of the server's long term signing key does not compromise the confidentiality of past session (see [[#Rule_-_Only_Support_Strong_Cryptographic_Ciphers | following rule]]). When the server uses an ephemeral key, the server will sign the temporary key with its long term key (the long term key is the customary key available in its certificate).

Use cryptographic parameters (like DH-parameter) that use a secure length that match to the supported keylength of your certificate (>=2048 bits or equivalent Elliptic Curves). As some middleware had some issues with this, upgrade to the latest version.

If you have a server farm and are providing forward secrecy, then you might have to disable session resumption. For example, Apache writes the session id's and master secrets to disk so all servers in the farm can participate in resuming a session (there is currently no in-memory mechanism to achieve the sharing). Writing the session id and master secret to disk undermines forward secrecy.

=== Rule - Only Support Strong Cryptographic Ciphers ===

Each protocol (TLSv1.0, TLSv1.1, TLSv1.2, etc) provides cipher suites. As of TLS 1.2, [http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3 there is support for over 300 suites (320+ and counting)], including [http://www.mail-archive.com/cryptography@randombit.net/msg03785.html national vanity cipher suites]. The strength of the encryption used within a TLS session is determined by the encryption cipher negotiated between the server and the browser. In order to ensure that only strong cryptographic ciphers are selected the server must be modified to disable the use of weak ciphers and to configure the ciphers in an adequate order. It is recommended to configure the server to only support strong ciphers and to use sufficiently large key sizes. In general, the following should be observed when selecting CipherSuites:
* Use the very latest recommendations, they may be volantile these days
* Setup your Policy to get a Whitelist for recommended Ciphers, e.g.:
** Activate to set the Cipher Order by the Server
** Highest Priority for Ciphers that support 'Forward Secrecy' (-> Support ephemeral Diffie-Hellman key exchange, see rule above) [http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html]
** Favor DHE over ECDHE (and monitor the CPU usage, see Notes below), ECDHE lacks now of really reliable Elliptic Curves, see discussion about secp{224,256,384,521}r1 and secp256k1, cf. [http://safecurves.cr.yp.to], [https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929]. The solution might be to use [http://www.researchgate.net/profile/Johannes_Merkle/publication/260050106_Standardisierung_der_Brainpool-Kurven_fr_TLS_und_IPSec/file/60b7d52f36a0cc2fdd.pdf Brainpool Curves <nowiki>[German]</nowiki>], defined for TLS in [https://tools.ietf.org/html/rfc7027 RFC 7027], or [http://eprint.iacr.org/2007/286 Edwards Curves]. The most promising candidates for the latter are [https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06 'Curve25519'] and [http://sourceforge.net/p/ed448goldilocks/wiki/Home/ Ed448-Goldilocks] (see [https://tools.ietf.org/html/draft-irtf-cfrg-curves-02 DRAFT-irtf-cfrg-curves]), that is not yet defined for TLS, cf. [http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 IANA] 
** Use RSA-Keys (no DSA/DSS: they get very weak, if a bad entropy source is used during signing, cf. [https://projectbullrun.org/dual-ec/tls.html], [https://factorable.net/weakkeys12.conference.pdf]) 
** Favor GCM over CBC regardless of the cipher size. In other words, use Authenticated Encryption with Associated Data (AEAD), e.g. AES-GCM, AES-CCM.
** Watch also for Stream Ciphers which XOR the key stream with plaintext (such as AES/CTR mode) 
** Priorize the ciphers by the sizes of the Cipher and the MAC
** Use SHA1 or above for digests, prefer SHA2 (or equivalent)
** Disable weak ciphers (which is implicitly done by this whitelist) without disabling legacy browsers and bots that have to be supported (find the best compromise), actually the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
*** Disable cipher suites that do not offer encryption (eNULL, NULL)
*** Disable cipher suites that do not offer authentication (aNULL). aNULL includes anonymous cipher suites ADH (Anonymous Diffie-Hellman) and AECDH (Anonymous Elliptic Curve Diffie Hellman).
*** Disable export level ciphers (EXP, eg. ciphers containing DES)
*** Disable key sizes smaller than 128 bits for encrypting payload traffic (see [https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html BSI: TR-02102 Part 2 (German)])
*** Disable the use of MD5 as a hashing mechanism for payload traffic
*** Disable the use of IDEA Cipher Suites (see [https://tools.ietf.org/html/rfc5469])
*** Disable RC4 cipher suites (see [https://tools.ietf.org/html/rfc7465], [http://www.isg.rhul.ac.uk/tls/])
** Ciphers should be usable for DH-Pamameters >= 2048 bits, without blocking legacy browsers (The cipher ‘DHE-RSA-AES128-SHA’ is suppressed as some browsers like to use it but are not capable to cope with DH-Params > 1024 bits.)
* Define a Cipher String that works with different Versions of your encryption tool, like openssl
* Verify your cipher string
** with an audit-tool, like [[O-Saft|OWASP 'O-Saft' (OWASP SSL audit for testers / OWASP SSL advanced forensic tool)]]
** listing it manually with your encryption software, e.g. openssl ciphers -v <cipher-string> (the result may differ by version), e.g.:
{{Top_10_2010:ExampleBeginTemplate|year=2013}}
openssl ciphers -v "EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA" <br>
<nowiki>#</nowiki>add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL<br>
<nowiki>#</nowiki>you may use openssl ciphers -V "..." for openssl >= 1.0.1:
<small>
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
</small>
{{Top_10_2010:ExampleEndTemplate}}

* Inform yourself how to securely configure the settings for your used services or hardware, e.g. [https://bettercrypto.org BetterCrypto.org: Applied Crypto Hardening (DRAFT)]
* Check new software and hardware versions for new security settings.

<b>Notes:</b>
* According to my researches the most common browsers should be supported with this setting, too (see also [https://www.ssllabs.com/ssltest/index.html SSL Labs: SSL Server Test -> SSL Report -> Handshake Simulation]).
* Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU abt 2.4 times more than ECDHE, cf. [http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks Vincent Bernat, 2011], [http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html nmav's Blog, 2011].
* Use of Ephemeral Diffie-Hellman key exchange will protect confidentiality of the transmitted plaintext data even if the corresponding RSA or DSS server private key got compromised. An attacker would have to perform active man-in-the-middle attack at the time of the key exchange to be able to extract the transmitted plaintext. All modern browsers support this key exchange with the notable exception of Internet Explorer prior to Windows Vista.

Additional information can be obtained within the [https://tools.ietf.org/html/rfc5246 TLS 1.2 RFC 5246], [https://www.ssllabs.com/projects/best-practices/index.html SSL Labs: 'SSL/TLS Deployment Best Practices'], [https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html BSI: 'TR-02102 Part 2 (German)'], [http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report ENISA: 'Algorithms, Key Sizes and Parameters Report'], [https://tools.ietf.org/html/rfc7525 RFC 7525: Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)] and [http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf FIPS 140-2 IG].

=== Rule - Support TLS-PSK and TLS-SRP for Mutual Authentication ===

When using a shared secret or password offer TLS-PSK (Pre-Shared Key) or TLS-SRP (Secure Remote Password), which are known as Password Authenticated Key Exchange (PAKEs). TLS-PSK and TLS-SRP properly bind the channel, which refers to the cryptographic binding between the outer tunnel and the inner authentication protocol. IANA currently reserves [http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3 79 PSK cipehr suites] and [http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3 9 SRP cipher suites].

Basic authentication places the user's password on the wire in the plain text after a server authenticates itself. Basic authentication only provides unilateral authentication. In contrast, both TLS-PSK and TLS-SRP provide mutual authentication, meaning each party proves it knows the password without placing the password on the wire in the plain text.

Finally, using a PAKE removes the need to trust an outside party, such as a Certification Authority (CA).

=== Rule - Only Support Secure Renegotiations ===

A design weakness in TLS, identified as [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555 CVE-2009-3555], allows an attacker to inject a plaintext of his choice into a TLS session of a victim. In the HTTPS context the attacker might be able to inject his own HTTP requests on behalf of the victim. The issue can be mitigated either by disabling support for TLS renegotiations or by supporting only renegotiations compliant with [https://tools.ietf.org/html/rfc5746 RFC 5746]. All modern browsers have been updated to comply with this RFC.

=== Rule - Disable Compression ===

Compression Ratio Info-leak Made Easy (CRIME) is an exploit against the data compression scheme used by the TLS and SPDY protocols. The exploit allows an adversary to recover user authentication cookies from HTTPS. The recovered cookie can be subsequently used for session hijacking attacks.

== Test your overall TLS/SSL setup and your Certificate ==
This section shows the most common references only. For more tools and such, please refer to [[#Tools|Tools]].

* [[Testing_for_SSL-TLS_%28OWASP-CM-001%29 | OWASP Testing Guide: Chapter on SSL/TLS Testing]]
* [[O-Saft|OWASP 'O-Saft' (OWASP SSL audit for testers / OWASP SSL advanced forensic tool)]]
* [https://www.ssllabs.com/ssltest SSL LABS Server Test]
* other Tools: [[Testing_for_Weak_SSL/TSL_Ciphers,_Insufficient_Transport_Layer_Protection_%28OWASP-EN-002%29#References| Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002) (DRAFT)]] - References - Tools

== Client (Browser) Configuration ==

The validation procedures to ensure that a certificate is valid are complex and difficult to correctly perform. In a typical web application model, these checks will be performed by the client's web browser in accordance with local browser settings and are out of the control of the application. However, these items do need to be addressed in the following scenarios:

* The application server establishes connections to other applications over TLS for purposes such as web services or any exchange of data
* A thick client application is connecting to a server via TLS

In these situations extensive certificate validation checks must occur in order to establish the validity of the certificate. Consult the following resources to assist in the design and testing of this functionality. The NIST PKI testing site includes a full test suite of certificates and expected outcomes of the test cases.
* [http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html NIST PKI Testing]
* [https://tools.ietf.org/html/rfc5280 IETF RFC 5280]

As specified in the above guidance, if the certificate can not be validated for any reason then the connection between the client and server must be dropped. Any data exchanged over a connection where the certificate has not properly been validated could be exposed to unauthorized access or modification.

== Additional Controls ==

=== Extended Validation Certificates ===

Extended validation certificates (EV Certificates) proffer an enhanced investigation by the issuer into the requesting party due to the industry's race to the bottom. The purpose of EV certificates is to provide the user with greater assurance that the owner of the certificate is a verified legal entity for the site. Browsers with support for EV certificates distinguish an EV certificate in a variety of ways. Internet Explorer will color a portion of the URL in green, while Mozilla will add a green portion to the left of the URL indicating the company name.

High value websites should consider the use of EV certificates to enhance customer confidence in the certificate. It should also be noted that EV certificates do not provide any greater technical security for the TLS. The purpose of the EV certificate is to increase user confidence that the target site is indeed who it claims to be.

=== Client-Side Certificates ===

Client side certificates can be used with TLS to prove the identity of the client to the server. Referred to as "two-way TLS", this configuration requires the client to provide their certificate to the server, in addition to the server providing their's to the client. If client certificates are used, ensure that the same validation of the client certificate is performed by the server, as indicated for the validation of server certificates above. In addition, the server should be configured to drop the TLS connection if the client certificate cannot be verified or is not provided.

The use of client side certificates is relatively rare currently due to the complexities of certificate generation, safe distribution, client side configuration, certificate revocation and reissuance, and the fact that clients can only authenticate on machines where their client side certificate is installed. Such certificates are typically used for very high value connections that have small user populations.

=== Certificate and Public Key Pinning ===

Hybrid and native applications can take advantage of [[Certificate_and_Public_Key_Pinning|certificate and public key pinning]]. Pinning associates a host (for example, server) with an identity (for example, certificate or public key), and allows an application to leverage knowledge of the pre-existing relationship. At runtime, the application would inspect the certificate or public key received after connecting to the server. If the certificate or public key is expected, then the application would proceed as normal. If unexpected, the application would stop using the channel and close the connection since an adversary could control the channel or server.

Pinning still requires customary X509 checks, such as revocation, since CRLs and OCSP provides real time status information. Otherwise, an application could possibly (1) accept a known bad certificate; or (2) require an out-of-band update, which could result in a lengthy App Store approval.

Browser based applications are at a disadvantage since most browsers do not allow the user to leverage pre-existing relationships and ''a priori'' knowledge. In addition, Javascript and Websockets do not expose methods to for a web app to query the underlying secure connection information (such as the certificate or public key). It is noteworthy that Chromium based browsers perform pinning on selected sites, but the list is currently maintained by the vendor.

For more information, please see the [[Pinning Cheat Sheet]].

= Providing Transport Layer Protection for Back End and Other Connections =

Although not the focus of this cheat sheet, it should be stressed that transport layer protection is necessary for back-end connections and any other connection where sensitive data is exchanged or where user identity is established. Failure to implement an effective and robust transport layer security will expose sensitive data and undermine the effectiveness of any authentication or access control mechanism.

== Secure Internal Network Fallacy ==

The internal network of a corporation is not immune to attacks. Many recent high profile intrusions, where thousands of sensitive customer records were compromised, have been perpetrated by attackers that have gained internal network access and then used sniffers to capture unencrypted data as it traversed the internal network.

= Tools =
=== local/offline ===
* [[O-Saft|O-Saft - OWASP SSL advanced forensic tool)]]
* [http://sourceforge.net/projects/sslscan/ SSLScan - Fast SSL Scanner]
* [https://github.com/iSECPartners/sslyze SSLyze]
* [http://www.g-sec.lu/sslaudit/sslaudit.zip SSL Audit]

=== Online ===
* [https://www.ssllabs.com/ssltest SSL LABS Server Test]

= Related Articles =

* Mozilla – [https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations Mozilla Recommended Configurations]
* OWASP – [[Testing for SSL-TLS (OWASP-CM-001)|Testing for SSL-TLS]], and OWASP [[Guide to Cryptography]]
* OWASP – [http://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS) – Communication Security Verification Requirements (V10)]
* OWASP – ASVS Article on [[Why you need to use a FIPS 140-2 validated cryptomodule]]
* SSL Labs – [https://www.ssllabs.com/projects/best-practices/index.html SSL/TLS Deployment Best Practices]
* SSL Labs – [http://www.ssllabs.com/projects/rating-guide/index.html SSL Server Rating Guide]
* ENISA – [http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report Algorithms, Key Sizes and Parameters Report]
* BSI – [https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html BSI TR-02102 Part 2 (German)]
* yaSSL – [http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html Differences between SSL and TLS Protocol Versions]
* NIST – [http://csrc.nist.gov/publications/PubsSPs.html#800-52 SP 800-52 Rev. 1 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations]
* NIST – [http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf FIPS 140-2 Security Requirements for Cryptographic Modules]
* NIST – [http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program]
* NIST – [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf NIST SP 800-57 Recommendation for Key Management, Revision 3], [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-57-Part%203-Rev.1 Public DRAFT]
* NIST – [http://csrc.nist.gov/publications/drafts.html#sp800-95 SP 800-95 Guide to Secure Web Services]
* IETF – [https://tools.ietf.org/html/rfc5280 RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]
* IETF – [https://tools.ietf.org/html/rfc2246 RFC 2246 The Transport Layer Security (TLS) Protocol Version 1.0 (JAN 1999)]
* IETF – [https://tools.ietf.org/html/rfc4346 RFC 4346 The Transport Layer Security (TLS) Protocol Version 1.1 (APR 2006)]
* IETF – [https://tools.ietf.org/html/rfc5246 RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2 (AUG 2008)]
* IETF – [https://tools.ietf.org/html/rfc7525 RFC 7525 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)]
* bettercrypto - [https://bettercrypto.org Applied Crypto Hardening: HOWTO for secure crypto settings of the most common services (DRAFT)]

= Authors and Primary Editors =

Michael Coates - michael.coates[at]owasp.org <br/>
Dave Wichers - dave.wichers[at]owasp.org <br/>
Michael Boberski - boberski_michael[at]bah.com<br/>
Tyler Reguly -treguly[at]sslfail.com
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Other Cheatsheets ==

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]
[[Category:OWASP Best Practices]]

HTTP Strict Transport Security

2015-06-09T20:53:11Z

Pawel Krawczyk: /* Links */ typo

<br>
== Description ==

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.

<br>

The specification has been released and published end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF. (Reference see in the links at the bottom.)

== Examples ==

Simple example, using a long (1 year) max-age:

Strict-Transport-Security: max-age=31536000

If all present and future subdomains will be HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

'''Recommended:''' If the site owner would like their domain to be included in the [https://hstspreload.appspot.com/ HSTS preload list] maintained by Chrome (and used by Firefox and Safari), then use:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The `preload` flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.

== Excessively Strict STS ==

Use caution when setting excessively strict STS policies. Including subdomains should only be used in environments where all sites within your organization for the given domain name require ssl. Max-age limits should be carefully considered as infrequent visitors may find your site inaccessible if you relax your policy.

Before enabling includeSubDomains, also consider the impact of any existing DNS CNAME records for CDNs, email services, or other 3rd party services. Since includeSubDomains will force such CNAME subdomains to https:// it's likely the browser will throw a domain-mismatch error, which is hard to reverse because of the browser caching nature of HSTS.

== Browser Support ==

{| width="400" cellspacing="1" cellpadding="1" border="1"
|-
| '''Browser'''<br>
| '''Support Introduced'''<br>
|-
| Internet Explorer <br>
| support expected starting with ie12[https://threatpost.com/ie-12-to-support-hsts-encryption-protocol/105266]<br>
|-
| Firefox<br>
| 4<br>
|-
| Opera<br>
| 12<br>
|-
| Safari<br>
| Mavericks (Mac OS X 10.9)<br>
|-
| Chrome<br>
| 4.0.211.0<br>
|}

<br>
A detailed overview of supporting browsers can be found at [http://caniuse.com/#feat=stricttransportsecurity caniuse.com].
== Server Side ==

The web server side needs to inject the HSTS header.

For HTTP sites on the same domain it is [http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec#section-6.1 not recommended] to add a HSTS header but to do a permanent redirect (301 status code) to the HTTPS site.

An Apache HTTPd example that will permanently redirect a URL to the identical URL with a HTTPS scheme, is as follows:

<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

On the HTTPS site configuration the following is needed to add the header as [http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec#section-6.1 recommended by the standard]:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

The following links show how to set response headers in other web servers:
* [http://wiki.nginx.org/HttpHeadersModule NGINX]
* [http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModSetEnv#Options Lighttpd]
* [http://httpd.apache.org/docs/2.2/mod/mod_headers.html HTTPd]

==== IIS ====
Whilst [http://technet.microsoft.com/en-us/library/cc753133(WS.10).aspx custom headers] can be configured in IIS without any extensions, it is not possible to restrict these headers to secure transport channels [http://tools.ietf.org/html/rfc6797#section-7.2 as per the HSTS specification]. This leaves the following options.

===== Custom Module =====
HSTS has been implemented, per the specification, as an [http://hstsiis.codeplex.com/ open source IIS module].

===== URL Rewrite =====
Install [http://www.iis.net/downloads/microsoft/url-rewrite Microsoft URL Rewrite] and use following rewrite rules.

<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTPS_301_Redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add_HSTS_Header" preCondition="USING_HTTPS" patternSyntax="Wildcard">
<match serverVariable="RESPONSE_Strict-Transport-Security" pattern="*" />
<action type="Rewrite" value="max-age=31536000" />
</rule>
<preConditions>
<preCondition name="USING_HTTPS">
<add input="{HTTPS}" pattern="^ON$" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>

== Threats ==

HSTS addresses the following threats:
* User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker
** HSTS automatically redirects HTTP requests to HTTPS for the target domain
* Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
** HSTS automatically redirects HTTP requests to HTTPS for the target domain
* A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate
** HSTS does not allow a user to override the invalid certificate message

== Links ==
* [http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]
* [http://dev.chromium.org/sts Chromium Projects/HSTS]
* [http://tools.ietf.org/html/rfc6797 HSTS Spec]
* [http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Wikipedia]
* [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Mozilla Developer Network]
* [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS Protection Cheat Sheet]
* [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Firefox STS Support]
* [http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html Google Chrome STS Support]
* [http://www.thoughtcrime.org/software/sslstrip/ Moxie Marlinspike's Black Hat 2009 talk on sslstrip, that demonstrates why you need HSTS]

[[Category:Control|Control]]

Transport Layer Protection Cheat Sheet

2015-06-09T20:52:55Z

Pawel Krawczyk: /* Rule - Use HTTP Strict Transport Security */ link to appropriate articles on STS and PKP instead of duplicating content, add PKP

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
= Introduction =
__TOC__{{TOC hidden}}

This cheat sheet provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance on securely designing and configuring transport layer security for an application. This article is focused on the use of SSL/TLS between a web application and a web browser, but we also encourage the use of SSL/TLS or other network encryption technologies, such as VPN, on back end and other non-browser based connections.<br>

== Architectural Decision ==

An architectural decision must be made to determine the appropriate method to protect data when it is being transmitted. The most common options available to corporations are Virtual Private Networks (VPN) or a SSL/TLS model commonly used by web applications. The selected model is determined by the business needs of the particular organization. For example, a VPN connection may be the best design for a partnership between two companies that includes mutual access to a shared server over a variety of protocols. Conversely, an Internet facing enterprise web application would likely be best served by a SSL/TLS model.

This cheat sheet will focus on security considerations when the SSL/TLS model is selected. This is a frequently used model for publicly accessible web applications.

= Providing Transport Layer Protection with SSL/TLS =

== Benefits ==

The primary benefit of transport layer security is the protection of web application data from unauthorized disclosure and modification when it is transmitted between clients (web browsers) and the web application server, and between the web application server and back end and other non-browser based enterprise components.

The server validation component of TLS provides authentication of the server to the client. If configured to require client side certificates, TLS can also play a role in client authentication to the server. However, in practice client side certificates are not often used in lieu of username and password based authentication models for clients.

TLS also provides two additional benefits that are commonly overlooked; integrity guarantees and replay prevention. A TLS stream of communication contains built-in controls to prevent tampering with any portion of the encrypted data. In addition, controls are also built-in to prevent a captured stream of TLS data from being replayed at a later time.

It should be noted that TLS provides the above guarantees to data during transmission. TLS does not offer any of these security benefits to data that is at rest. Therefore appropriate security controls must be added to protect data while at rest within the application or within data stores.

== Basic Requirements ==

The basic requirements for using TLS are: access to a Public Key Infrastructure (PKI) in order to obtain certificates, access to a directory or an Online Certificate Status Protocol (OCSP) responder in order to check certificate revocation status, and agreement/ability to support a minimum configuration of protocol versions and protocol options for each version.

== SSL vs. TLS ==

The terms, Secure Socket Layer (SSL) and Transport Layer Security (TLS) are often used interchangeably. In fact, SSL v3.1 is equivalent to TLS v1.0. However, different versions of SSL and TLS are supported by modern web browsers and by most modern web frameworks and platforms. For the purposes of this cheat sheet we will refer to the technology generically as TLS. Recommendations regarding the use of SSL and TLS protocols, as well as browser support for TLS, can be found in the rule below titled [[Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Protocols| "Only Support Strong Protocols"]].

[[Image:Asvs_cryptomodule.gif|thumb|350px|right|Cryptomodule Parts and Operation]]

== When to Use a FIPS 140-2 Validated Cryptomodule ==

If the web application may be the target of determined attackers (a common threat model for Internet accessible applications handling sensitive data), it is strongly advised to use TLS services that are provided by [http://csrc.nist.gov/groups/STM/cmvp/validation.html FIPS 140-2 validated cryptomodules].

A cryptomodule, whether it is a software library or a hardware device, basically consists of three parts:

* Components that implement cryptographic algorithms (symmetric and asymmetric algorithms, hash algorithms, random number generator algorithms, and message authentication code algorithms)
* Components that call and manage cryptographic functions (inputs and outputs include cryptographic keys and so-called critical security parameters)
* A physical container around the components that implement cryptographic algorithms and the components that call and manage cryptographic functions

The security of a cryptomodule and its services (and the web applications that call the cryptomodule) depend on the correct implementation and integration of each of these three parts. In addition, the cryptomodule must be used and accessed securely. The includes consideration for:

* Calling and managing cryptographic functions
* Securely Handling inputs and output
* Ensuring the secure construction of the physical container around the components

In order to leverage the benefits of TLS it is important to use a TLS service (e.g. library, web framework, web application server) which has been FIPS 140-2 validated. In addition, the cryptomodule must be installed, configured and operated in either an approved or an allowed mode to provide a high degree of certainty that the FIPS 140-2 validated cryptomodule is providing the expected security services in the expected manner.

If the system is legally required to use FIPS 140-2 encryption (e.g., owned or operated by or on behalf of the U.S. Government) then TLS must be used and SSL disabled. Details on why SSL is unacceptable are described in Section 7.1 of [http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program].

Further reading on the use of TLS to protect highly sensitive data against determined attackers can be viewed in [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf SP800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations]

== Secure Server Design ==

=== Rule - Use TLS for All Login Pages and All Authenticated Pages ===

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location. Failure to utilize TLS for authenticated pages after the login enables an attacker to view the unencrypted session ID and compromise the user's authenticated session.

=== Rule - Use TLS on Any Networks (External and Internal) Transmitting Sensitive Data ===

All networks, both external and internal, which transmit sensitive data must utilize TLS or an equivalent transport layer security mechanism. It is not sufficient to claim that access to the internal network is "restricted to employees". Numerous recent data compromises have shown that the internal network can be breached by attackers. In these attacks, sniffers have been installed to access unencrypted sensitive data sent on the internal network.

=== Rule - Do Not Provide Non-TLS Pages for Secure Content ===

All pages which are available over TLS must not be available over a non-TLS connection. A user may inadvertently bookmark or manually type a URL to a HTTP page (e.g. http://example.com/myaccount) within the authenticated portion of the application. If this request is processed by the application then the response, and any sensitive data, would be returned to the user over the clear text HTTP.

=== Rule - REMOVED - Do Not Perform Redirects from Non-TLS Page to TLS Login Page ===

This recommendation has been removed. Ultimately, the below guidance will only provide user education and cannot provide any technical controls to protect the user against a man-in-the-middle attack.

--

A common practice is to redirect users that have requested a non-TLS version of the login page to the TLS version (e.g. http://example.com/login redirects to https://example.com/login). This practice creates an additional attack vector for a man in the middle attack. In addition, redirecting from non-TLS versions to the TLS version reinforces to the user that the practice of requesting the non-TLS page is acceptable and secure.

In this scenario, the man-in-the-middle attack is used by the attacker to intercept the non-TLS to TLS redirect message. The attacker then injects the HTML of the actual login page and changes the form to post over unencrypted HTTP. This allows the attacker to view the user's credentials as they are transmitted in the clear.

It is recommended to display a security warning message to the user whenever the non-TLS login page is requested. This security warning should urge the user to always type "HTTPS" into the browser or bookmark the secure login page. This approach will help educate users on the correct and most secure method of accessing the application.

Currently there are no controls that an application can enforce to entirely mitigate this risk. Ultimately, this issue is the responsibility of the user since the application cannot prevent the user from initially typing [http://owasp.org http://example.com/login] (versus HTTPS).

Note: [http://www.w3.org/Security/wiki/Strict_Transport_Security Strict Transport Security] will address this issue and will provide a server side control to instruct supporting browsers that the site should only be accessed over HTTPS

=== Rule - Do Not Mix TLS and Non-TLS Content ===

A page that is available over TLS must be comprised completely of content which is transmitted over TLS. The page must not contain any content that is transmitted over unencrypted HTTP. This includes content from unrelated third party sites.

An attacker could intercept any of the data transmitted over the unencrypted HTTP and inject malicious content into the user's page. This malicious content would be included in the page even if the overall page is served over TLS. In addition, an attacker could steal the user's session cookie that is transmitted with any non-TLS requests. This is possible if the cookie's 'secure' flag is not set. See the rule 'Use "Secure" Cookie Flag'

=== Rule - Use "Secure" Cookie Flag ===

The "Secure" flag must be set for all user cookies. Failure to use the "secure" flag enables an attacker to access the session cookie by tricking the user's browser into submitting a request to an unencrypted page on the site. This attack is possible even if the server is not configured to offer HTTP content since the attacker is monitoring the requests and does not care if the server responds with a 404 or doesn't respond at all.

=== Rule - Keep Sensitive Data Out of the URL ===

Sensitive data must not be transmitted via URL arguments. A more appropriate place is to store sensitive data in a server side repository or within the user's session. When using TLS the URL arguments and values are encrypted during transit. However, there are two methods that the URL arguments and values could be exposed.

1. The entire URL is cached within the local user's browser history. This may expose sensitive data to any other user of the workstation.

2. The entire URL is exposed if the user clicks on a link to another HTTPS site. This may expose sensitive data within the referral field to the third party site. This exposure occurs in most browsers and will only occur on transitions between two TLS sites.

For example, a user following a link on [http://owasp.org https://example.com] which leads to [http://owasp.org https://someOtherexample.com] would expose the full URL of [http://owasp.org https://example.com] (including URL arguments) in the referral header (within most browsers). This would not be the case if the user followed a link on [http://owasp.org https://example.com] to [http://owasp.org http://someHTTPexample.com]

=== Rule - Prevent Caching of Sensitive Data ===

The TLS protocol provides confidentiality only for data in transit but it does not help with potential data leakage issues at the client or intermediary proxies. As a result, it is frequently prudent to instruct these nodes not to cache or persist sensitive data. One option is to add anticaching headers to relevant HTTP responses, (for example, "Cache-Control: no-cache, no-store" and "Expires: 0" for coverage of many modern browsers as of 2013). For compatibility with HTTP/1.0 (i.e., when user agents are really old or the webserver works around quirks by forcing HTTP/1.0) the response should also include the header "Pragma: no-cache". More information is available in [https://tools.ietf.org/html/rfc2616 HTTP 1.1 RFC 2616], section 14.9.

=== Rule - Use HTTP Strict Transport Security ===

See: [[HTTP Strict Transport Security]]

===Rule - Use Public Key Pinning===

See: [[Certificate and Public Key Pinning]]

<span id="Server_Certificate_and_Protocol_Configuration"></span> 

== Server Certificate ==
Note: If using a FIPS 140-2 cryptomodule disregard the following rules and defer to the recommended configuration for the particular cryptomodule. Nevertheless we recommend to use this rules to audit your configuration.

=== Rule - Use Strong Keys & Protect Them ===

The private key used to generate the cipher key must be sufficiently strong for the anticipated lifetime of the private key and corresponding certificate. The current best practice is to select a key size of at least 2048 bits. Additional information on key lifetimes and comparable key strengths can be found in [http://www.keylength.com/en/compare/], [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf NIST SP 800-57]. In addition, the private key must be stored in a location that is protected from unauthorized access.

=== Rule - Use a Certificate That Supports Required Domain Names ===

A user should never be presented with a certificate error, including prompts to reconcile domain or hostname mismatches, or expired certificates. If the application is available at both [https://owasp.org https://www.example.com] and [https://owasp.org https://example.com] then an appropriate certificate, or certificates, must be presented to accommodate the situation. The presence of certificate errors desensitizes users to TLS error messages and increases the possibility an attacker could launch a convincing phishing or man-in-the-middle attack.

For example, consider a web application accessible at [https://owasp.org https://abc.example.com] and [https://owasp.org https://xyz.example.com]. One certificate should be acquired for the host or server ''abc.example.com''; and a second certificate for host or server ''xyz.example.com''. In both cases, the hostname would be present in the Subject's Common Name (CN).

Alternatively, the Subject Alternate Names (SANs) can be used to provide a specific listing of multiple names where the certificate is valid. In the example above, the certificate could list the Subject's CN as ''example.com'', and list two SANs: ''abc.example.com'' and ''xyz.example.com''. These certificates are sometimes referred to as "multiple domain certificates".

=== Rule - Use Fully Qualified Names in Certificates ===

Use fully qualified names in the DNS name field, and do not use unqualifed names (e.g., 'www'), local names (e.g., 'localhost'), or private IP addresses (e.g., 192.168.1.1) in the DNS name field. Unqualifed names, local names, or private IP addresses violate the certificate specification.

=== Rule - Do Not Use Wildcard Certificates ===

You should refrain from using wildcard certificates. Though they are expedient at circumventing annoying user prompts, they also [[Least_privilege|violate the principal of least privilege]] and asks the user to trust all machines, including developer's machines, the secretary's machine in the lobby and the sign-in kiosk. Obtaining access to the private key is left as an exercise for the attacker, but its made much easier when stored on the file system unprotected.

Statistics gathered by Qualys for [http://media.blackhat.com/bh-us-10/presentations/Ristic/BlackHat-USA-2010-Ristic-Qualys-SSL-Survey-HTTP-Rating-Guide-slides.pdf Internet SSL Survey 2010] indicate wildcard certificates have a 4.4% share, so the practice is not standard for public facing hosts. Finally, wildcard certificates violate [https://www.cabforum.org/EV_Certificate_Guidelines.pdf EV Certificate Guidelines].

=== Rule - Do Not Use RFC 1918 Addresses in Certificates ===

Certificates should not use private addresses. RFC 1918 is [https://tools.ietf.org/html/rfc1918 Address Allocation for Private Internets]. Private addresses are Internet Assigned Numbers Authority (IANA) reserved and include 192.168/16, 172.16/12, and 10/8.

Certificates issued with private addresses violate [https://www.cabforum.org/EV_Certificate_Guidelines.pdf EV Certificate Guidelines]. In addition, Peter Gutmann writes in in [http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf Engineering Security]: "This one is particularly troublesome because, in combination with the router-compromise attacks... and ...OSCP-defeating measures, it allows an attacker to spoof any EV-certificate site."

=== Rule - Use an Appropriate Certification Authority for the Application's User Base ===

An application user must never be presented with a warning that the certificate was signed by an unknown or untrusted authority. The application's user population must have access to the public certificate of the certification authority which issued the server's certificate. For Internet accessible websites, the most effective method of achieving this goal is to purchase the TLS certificate from a recognize certification authority. Popular Internet browsers already contain the public certificates of these recognized certification authorities.

Internal applications with a limited user population can use an internal certification authority provided its public certificate is securely distributed to all users. However, remember that all certificates issued by this certification authority will be trusted by the users. Therefore, utilize controls to protect the private key and ensure that only authorized individuals have the ability to sign certificates.

The use of self signed certificates is never acceptable. Self signed certificates negate the benefit of end-point authentication and also significantly decrease the ability for an individual to detect a man-in-the-middle attack.

=== Rule - Always Provide All Needed Certificates ===

Clients attempt to solve the problem of identifying a server or host using PKI and X509 certificate. When a user receives a server or host's certificate, the certificate must be validated back to a trusted root certification authority. This is known as path validation.

There can be one or more intermediate certificates in between the end-entity (server or host) certificate and root certificate. In addition to validating both endpoints, the user will also have to validate all intermediate certificates. Validating all intermediate certificates can be tricky because the user may not have them locally. This is a well-known PKI issue called the “Which Directory?" problem.

To avoid the “Which Directory?" problem, a server should provide the user with all required certificates used in a path validation.

=== Rule - Be aware of and have a plan for the SHA-1 deprecation plan ===

In order to avoid presenting end users with progressive certificate warnings, organizations must proactively address the browser vendor's upcoming SHA-1 deprecation plans. The Google Chrome plan is probably the most specific and aggressive at this point: [http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html Gradually sunsetting SHA-1]

If your organization has no [https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility SHA256 compatibility issues] then it may be appropriate to move your site to a SHA256 signed certificate/chain. If there are, or may be, issues - you should ensure that your SHA-1 certificates expire before 1/1/2017.

== Server Protocol and Cipher Configuration ==
Note: If using a FIPS 140-2 cryptomodule disregard the following rules and defer to the recommended configuration for the particular cryptomodule. Nevertheless we recommend to use this rules to audit your configuration.

=== Rule - Only Support Strong Protocols ===

SSL/TLS is a collection of protocols. Weaknesses have been identified with earlier SSL protocols, including [http://www.schneier.com/paper-ssl-revised.pdf SSLv2] and [http://www.yaksman.org/~lweith/ssl.pdf SSLv3] hence SSL versions 1, 2 and 3 should not longer be used. The best practice for transport layer protection is to only provide support for the TLS protocols - TLS1.0, TLS 1.1 and TLS 1.2. This configuration will provide maximum protection against skilled and determined attackers and is appropriate for applications handling sensitive data or performing critical operations.

[http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers Nearly all modern browsers support at least TLS 1.0]. As of February 2013, contemporary browsers (Chrome v20+, IE v8+, Opera v10+, and Safari v5+) [http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers support TLS 1.1 and TLS 1.2]. You should provide support for TLS 1.1 and TLS 1.2 to accommodate clients which support the protocols. The client and server (usually) negotiate the best protocol, that is supported on both sides.

TLS 1.0 is still widely used as 'best' protocol by a lot of browsers, that are not patched to the very latest version. It suffers [http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html CBC Chaining attacks and Padding Oracle attacks]. TLSv1.0 should only be used only after risk analysis and acceptance.

Under no circumstances neither SSLv2 nor SSLv3 should be enabled as a protocol selection:
* The [http://www.schneier.com/paper-ssl-revised.pdf SSLv2 protocol is broken] and does not provide adequate transport layer protection.
* [http://www.yaksman.org/~lweith/ssl.pdf SSLv3 had been known for weaknesses] which severely compromise the channel's security long before the [https://www.openssl.org/~bodo/ssl-poodle.pdf 'POODLE'-Bug] finally stopped to tolerate this protocol by October 2014. Switching off SSLv3 terminates the support of legacy browsers like [https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=6&platform=XP IE6/XP] and elder.

=== Rule - Prefer Ephemeral Key Exchanges ===

Ephemeral key exchanges are based on Diffie-Hellman and use per-session, temporary keys during the initial SSL/TLS handshake. They provide perfect forward secrecy (PFS), which means a compromise of the server's long term signing key does not compromise the confidentiality of past session (see [[#Rule_-_Only_Support_Strong_Cryptographic_Ciphers | following rule]]). When the server uses an ephemeral key, the server will sign the temporary key with its long term key (the long term key is the customary key available in its certificate).

Use cryptographic parameters (like DH-parameter) that use a secure length that match to the supported keylength of your certificate (>=2048 bits or equivalent Elliptic Curves). As some middleware had some issues with this, upgrade to the latest version.

If you have a server farm and are providing forward secrecy, then you might have to disable session resumption. For example, Apache writes the session id's and master secrets to disk so all servers in the farm can participate in resuming a session (there is currently no in-memory mechanism to achieve the sharing). Writing the session id and master secret to disk undermines forward secrecy.

=== Rule - Only Support Strong Cryptographic Ciphers ===

Each protocol (TLSv1.0, TLSv1.1, TLSv1.2, etc) provides cipher suites. As of TLS 1.2, [http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3 there is support for over 300 suites (320+ and counting)], including [http://www.mail-archive.com/cryptography@randombit.net/msg03785.html national vanity cipher suites]. The strength of the encryption used within a TLS session is determined by the encryption cipher negotiated between the server and the browser. In order to ensure that only strong cryptographic ciphers are selected the server must be modified to disable the use of weak ciphers and to configure the ciphers in an adequate order. It is recommended to configure the server to only support strong ciphers and to use sufficiently large key sizes. In general, the following should be observed when selecting CipherSuites:
* Use the very latest recommendations, they may be volantile these days
* Setup your Policy to get a Whitelist for recommended Ciphers, e.g.:
** Activate to set the Cipher Order by the Server
** Highest Priority for Ciphers that support 'Forward Secrecy' (-> Support ephemeral Diffie-Hellman key exchange, see rule above) [http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html]
** Favor DHE over ECDHE (and monitor the CPU usage, see Notes below), ECDHE lacks now of really reliable Elliptic Curves, see discussion about secp{224,256,384,521}r1 and secp256k1, cf. [http://safecurves.cr.yp.to], [https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929]. The solution might be to use [http://www.researchgate.net/profile/Johannes_Merkle/publication/260050106_Standardisierung_der_Brainpool-Kurven_fr_TLS_und_IPSec/file/60b7d52f36a0cc2fdd.pdf Brainpool Curves <nowiki>[German]</nowiki>], defined for TLS in [https://tools.ietf.org/html/rfc7027 RFC 7027], or [http://eprint.iacr.org/2007/286 Edwards Curves]. The most promising candidates for the latter are [https://tools.ietf.org/html/draft-josefsson-tls-curve25519-06 'Curve25519'] and [http://sourceforge.net/p/ed448goldilocks/wiki/Home/ Ed448-Goldilocks] (see [https://tools.ietf.org/html/draft-irtf-cfrg-curves-02 DRAFT-irtf-cfrg-curves]), that is not yet defined for TLS, cf. [http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 IANA] 
** Use RSA-Keys (no DSA/DSS: they get very weak, if a bad entropy source is used during signing, cf. [https://projectbullrun.org/dual-ec/tls.html], [https://factorable.net/weakkeys12.conference.pdf]) 
** Favor GCM over CBC regardless of the cipher size. In other words, use Authenticated Encryption with Associated Data (AEAD), e.g. AES-GCM, AES-CCM.
** Watch also for Stream Ciphers which XOR the key stream with plaintext (such as AES/CTR mode) 
** Priorize the ciphers by the sizes of the Cipher and the MAC
** Use SHA1 or above for digests, prefer SHA2 (or equivalent)
** Disable weak ciphers (which is implicitly done by this whitelist) without disabling legacy browsers and bots that have to be supported (find the best compromise), actually the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
*** Disable cipher suites that do not offer encryption (eNULL, NULL)
*** Disable cipher suites that do not offer authentication (aNULL). aNULL includes anonymous cipher suites ADH (Anonymous Diffie-Hellman) and AECDH (Anonymous Elliptic Curve Diffie Hellman).
*** Disable export level ciphers (EXP, eg. ciphers containing DES)
*** Disable key sizes smaller than 128 bits for encrypting payload traffic (see [https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html BSI: TR-02102 Part 2 (German)])
*** Disable the use of MD5 as a hashing mechanism for payload traffic
*** Disable the use of IDEA Cipher Suites (see [https://tools.ietf.org/html/rfc5469])
*** Disable RC4 cipher suites (see [https://tools.ietf.org/html/rfc7465], [http://www.isg.rhul.ac.uk/tls/])
** Ciphers should be usable for DH-Pamameters >= 2048 bits, without blocking legacy browsers (The cipher ‘DHE-RSA-AES128-SHA’ is suppressed as some browsers like to use it but are not capable to cope with DH-Params > 1024 bits.)
* Define a Cipher String that works with different Versions of your encryption tool, like openssl
* Verify your cipher string
** with an audit-tool, like [[O-Saft|OWASP 'O-Saft' (OWASP SSL audit for testers / OWASP SSL advanced forensic tool)]]
** listing it manually with your encryption software, e.g. openssl ciphers -v <cipher-string> (the result may differ by version), e.g.:
{{Top_10_2010:ExampleBeginTemplate|year=2013}}
openssl ciphers -v "EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA" <br>
<nowiki>#</nowiki>add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL<br>
<nowiki>#</nowiki>you may use openssl ciphers -V "..." for openssl >= 1.0.1:
<small>
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
</small>
{{Top_10_2010:ExampleEndTemplate}}

* Inform yourself how to securely configure the settings for your used services or hardware, e.g. [https://bettercrypto.org BetterCrypto.org: Applied Crypto Hardening (DRAFT)]
* Check new software and hardware versions for new security settings.

<b>Notes:</b>
* According to my researches the most common browsers should be supported with this setting, too (see also [https://www.ssllabs.com/ssltest/index.html SSL Labs: SSL Server Test -> SSL Report -> Handshake Simulation]).
* Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU abt 2.4 times more than ECDHE, cf. [http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks Vincent Bernat, 2011], [http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html nmav's Blog, 2011].
* Use of Ephemeral Diffie-Hellman key exchange will protect confidentiality of the transmitted plaintext data even if the corresponding RSA or DSS server private key got compromised. An attacker would have to perform active man-in-the-middle attack at the time of the key exchange to be able to extract the transmitted plaintext. All modern browsers support this key exchange with the notable exception of Internet Explorer prior to Windows Vista.

Additional information can be obtained within the [https://tools.ietf.org/html/rfc5246 TLS 1.2 RFC 5246], [https://www.ssllabs.com/projects/best-practices/index.html SSL Labs: 'SSL/TLS Deployment Best Practices'], [https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html BSI: 'TR-02102 Part 2 (German)'], [http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report ENISA: 'Algorithms, Key Sizes and Parameters Report'], [https://tools.ietf.org/html/rfc7525 RFC 7525: Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)] and [http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf FIPS 140-2 IG].

=== Rule - Support TLS-PSK and TLS-SRP for Mutual Authentication ===

When using a shared secret or password offer TLS-PSK (Pre-Shared Key) or TLS-SRP (Secure Remote Password), which are known as Password Authenticated Key Exchange (PAKEs). TLS-PSK and TLS-SRP properly bind the channel, which refers to the cryptographic binding between the outer tunnel and the inner authentication protocol. IANA currently reserves [http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3 79 PSK cipehr suites] and [http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3 9 SRP cipher suites].

Basic authentication places the user's password on the wire in the plain text after a server authenticates itself. Basic authentication only provides unilateral authentication. In contrast, both TLS-PSK and TLS-SRP provide mutual authentication, meaning each party proves it knows the password without placing the password on the wire in the plain text.

Finally, using a PAKE removes the need to trust an outside party, such as a Certification Authority (CA).

=== Rule - Only Support Secure Renegotiations ===

A design weakness in TLS, identified as [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555 CVE-2009-3555], allows an attacker to inject a plaintext of his choice into a TLS session of a victim. In the HTTPS context the attacker might be able to inject his own HTTP requests on behalf of the victim. The issue can be mitigated either by disabling support for TLS renegotiations or by supporting only renegotiations compliant with [https://tools.ietf.org/html/rfc5746 RFC 5746]. All modern browsers have been updated to comply with this RFC.

=== Rule - Disable Compression ===

Compression Ratio Info-leak Made Easy (CRIME) is an exploit against the data compression scheme used by the TLS and SPDY protocols. The exploit allows an adversary to recover user authentication cookies from HTTPS. The recovered cookie can be subsequently used for session hijacking attacks.

== Test your overall TLS/SSL setup and your Certificate ==
This section shows the most common references only. For more tools and such, please refer to [[#Tools|Tools]].

* [[Testing_for_SSL-TLS_%28OWASP-CM-001%29 | OWASP Testing Guide: Chapter on SSL/TLS Testing]]
* [[O-Saft|OWASP 'O-Saft' (OWASP SSL audit for testers / OWASP SSL advanced forensic tool)]]
* [https://www.ssllabs.com/ssltest SSL LABS Server Test]
* other Tools: [[Testing_for_Weak_SSL/TSL_Ciphers,_Insufficient_Transport_Layer_Protection_%28OWASP-EN-002%29#References| Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002) (DRAFT)]] - References - Tools

== Client (Browser) Configuration ==

The validation procedures to ensure that a certificate is valid are complex and difficult to correctly perform. In a typical web application model, these checks will be performed by the client's web browser in accordance with local browser settings and are out of the control of the application. However, these items do need to be addressed in the following scenarios:

* The application server establishes connections to other applications over TLS for purposes such as web services or any exchange of data
* A thick client application is connecting to a server via TLS

In these situations extensive certificate validation checks must occur in order to establish the validity of the certificate. Consult the following resources to assist in the design and testing of this functionality. The NIST PKI testing site includes a full test suite of certificates and expected outcomes of the test cases.
* [http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html NIST PKI Testing]
* [https://tools.ietf.org/html/rfc5280 IETF RFC 5280]

As specified in the above guidance, if the certificate can not be validated for any reason then the connection between the client and server must be dropped. Any data exchanged over a connection where the certificate has not properly been validated could be exposed to unauthorized access or modification.

== Additional Controls ==

=== Extended Validation Certificates ===

Extended validation certificates (EV Certificates) proffer an enhanced investigation by the issuer into the requesting party due to the industry's race to the bottom. The purpose of EV certificates is to provide the user with greater assurance that the owner of the certificate is a verified legal entity for the site. Browsers with support for EV certificates distinguish an EV certificate in a variety of ways. Internet Explorer will color a portion of the URL in green, while Mozilla will add a green portion to the left of the URL indicating the company name.

High value websites should consider the use of EV certificates to enhance customer confidence in the certificate. It should also be noted that EV certificates do not provide any greater technical security for the TLS. The purpose of the EV certificate is to increase user confidence that the target site is indeed who it claims to be.

=== Client-Side Certificates ===

Client side certificates can be used with TLS to prove the identity of the client to the server. Referred to as "two-way TLS", this configuration requires the client to provide their certificate to the server, in addition to the server providing their's to the client. If client certificates are used, ensure that the same validation of the client certificate is performed by the server, as indicated for the validation of server certificates above. In addition, the server should be configured to drop the TLS connection if the client certificate cannot be verified or is not provided.

The use of client side certificates is relatively rare currently due to the complexities of certificate generation, safe distribution, client side configuration, certificate revocation and reissuance, and the fact that clients can only authenticate on machines where their client side certificate is installed. Such certificates are typically used for very high value connections that have small user populations.

=== Certificate and Public Key Pinning ===

Hybrid and native applications can take advantage of [[Certificate_and_Public_Key_Pinning|certificate and public key pinning]]. Pinning associates a host (for example, server) with an identity (for example, certificate or public key), and allows an application to leverage knowledge of the pre-existing relationship. At runtime, the application would inspect the certificate or public key received after connecting to the server. If the certificate or public key is expected, then the application would proceed as normal. If unexpected, the application would stop using the channel and close the connection since an adversary could control the channel or server.

Pinning still requires customary X509 checks, such as revocation, since CRLs and OCSP provides real time status information. Otherwise, an application could possibly (1) accept a known bad certificate; or (2) require an out-of-band update, which could result in a lengthy App Store approval.

Browser based applications are at a disadvantage since most browsers do not allow the user to leverage pre-existing relationships and ''a priori'' knowledge. In addition, Javascript and Websockets do not expose methods to for a web app to query the underlying secure connection information (such as the certificate or public key). It is noteworthy that Chromium based browsers perform pinning on selected sites, but the list is currently maintained by the vendor.

For more information, please see the [[Pinning Cheat Sheet]].

= Providing Transport Layer Protection for Back End and Other Connections =

Although not the focus of this cheat sheet, it should be stressed that transport layer protection is necessary for back-end connections and any other connection where sensitive data is exchanged or where user identity is established. Failure to implement an effective and robust transport layer security will expose sensitive data and undermine the effectiveness of any authentication or access control mechanism.

== Secure Internal Network Fallacy ==

The internal network of a corporation is not immune to attacks. Many recent high profile intrusions, where thousands of sensitive customer records were compromised, have been perpetrated by attackers that have gained internal network access and then used sniffers to capture unencrypted data as it traversed the internal network.

= Tools =
=== local/offline ===
* [[O-Saft|O-Saft - OWASP SSL advanced forensic tool)]]
* [http://sourceforge.net/projects/sslscan/ SSLScan - Fast SSL Scanner]
* [https://github.com/iSECPartners/sslyze SSLyze]
* [http://www.g-sec.lu/sslaudit/sslaudit.zip SSL Audit]

=== Online ===
* [https://www.ssllabs.com/ssltest SSL LABS Server Test]

= Related Articles =

* Mozilla – [https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations Mozilla Recommended Configurations]
* OWASP – [[Testing for SSL-TLS (OWASP-CM-001)|Testing for SSL-TLS]], and OWASP [[Guide to Cryptography]]
* OWASP – [http://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS) – Communication Security Verification Requirements (V10)]
* OWASP – ASVS Article on [[Why you need to use a FIPS 140-2 validated cryptomodule]]
* SSL Labs – [https://www.ssllabs.com/projects/best-practices/index.html SSL/TLS Deployment Best Practices]
* SSL Labs – [http://www.ssllabs.com/projects/rating-guide/index.html SSL Server Rating Guide]
* ENISA – [http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report Algorithms, Key Sizes and Parameters Report]
* BSI – [https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.html BSI TR-02102 Part 2 (German)]
* yaSSL – [http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html Differences between SSL and TLS Protocol Versions]
* NIST – [http://csrc.nist.gov/publications/PubsSPs.html#800-52 SP 800-52 Rev. 1 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations]
* NIST – [http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf FIPS 140-2 Security Requirements for Cryptographic Modules]
* NIST – [http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program]
* NIST – [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf NIST SP 800-57 Recommendation for Key Management, Revision 3], [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-57-Part%203-Rev.1 Public DRAFT]
* NIST – [http://csrc.nist.gov/publications/drafts.html#sp800-95 SP 800-95 Guide to Secure Web Services]
* IETF – [https://tools.ietf.org/html/rfc5280 RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]
* IETF – [https://tools.ietf.org/html/rfc2246 RFC 2246 The Transport Layer Security (TLS) Protocol Version 1.0 (JAN 1999)]
* IETF – [https://tools.ietf.org/html/rfc4346 RFC 4346 The Transport Layer Security (TLS) Protocol Version 1.1 (APR 2006)]
* IETF – [https://tools.ietf.org/html/rfc5246 RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2 (AUG 2008)]
* IETF – [https://tools.ietf.org/html/rfc7525 RFC 7525 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)]
* bettercrypto - [https://bettercrypto.org Applied Crypto Hardening: HOWTO for secure crypto settings of the most common services (DRAFT)]

= Authors and Primary Editors =

Michael Coates - michael.coates[at]owasp.org <br/>
Dave Wichers - dave.wichers[at]owasp.org <br/>
Michael Boberski - boberski_michael[at]bah.com<br/>
Tyler Reguly -treguly[at]sslfail.com
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== Other Cheatsheets ==

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]
[[Category:OWASP Best Practices]]

HTTP Strict Transport Security

2015-06-09T20:52:25Z

Pawel Krawczyk: /* Links */ add AppSec tutorials

<br>
== Description ==

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.

<br>

The specification has been released and published end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF. (Reference see in the links at the bottom.)

== Examples ==

Simple example, using a long (1 year) max-age:

Strict-Transport-Security: max-age=31536000

If all present and future subdomains will be HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

'''Recommended:''' If the site owner would like their domain to be included in the [https://hstspreload.appspot.com/ HSTS preload list] maintained by Chrome (and used by Firefox and Safari), then use:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The `preload` flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.

== Excessively Strict STS ==

Use caution when setting excessively strict STS policies. Including subdomains should only be used in environments where all sites within your organization for the given domain name require ssl. Max-age limits should be carefully considered as infrequent visitors may find your site inaccessible if you relax your policy.

Before enabling includeSubDomains, also consider the impact of any existing DNS CNAME records for CDNs, email services, or other 3rd party services. Since includeSubDomains will force such CNAME subdomains to https:// it's likely the browser will throw a domain-mismatch error, which is hard to reverse because of the browser caching nature of HSTS.

== Browser Support ==

{| width="400" cellspacing="1" cellpadding="1" border="1"
|-
| '''Browser'''<br>
| '''Support Introduced'''<br>
|-
| Internet Explorer <br>
| support expected starting with ie12[https://threatpost.com/ie-12-to-support-hsts-encryption-protocol/105266]<br>
|-
| Firefox<br>
| 4<br>
|-
| Opera<br>
| 12<br>
|-
| Safari<br>
| Mavericks (Mac OS X 10.9)<br>
|-
| Chrome<br>
| 4.0.211.0<br>
|}

<br>
A detailed overview of supporting browsers can be found at [http://caniuse.com/#feat=stricttransportsecurity caniuse.com].
== Server Side ==

The web server side needs to inject the HSTS header.

For HTTP sites on the same domain it is [http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec#section-6.1 not recommended] to add a HSTS header but to do a permanent redirect (301 status code) to the HTTPS site.

An Apache HTTPd example that will permanently redirect a URL to the identical URL with a HTTPS scheme, is as follows:

<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

On the HTTPS site configuration the following is needed to add the header as [http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec#section-6.1 recommended by the standard]:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

The following links show how to set response headers in other web servers:
* [http://wiki.nginx.org/HttpHeadersModule NGINX]
* [http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModSetEnv#Options Lighttpd]
* [http://httpd.apache.org/docs/2.2/mod/mod_headers.html HTTPd]

==== IIS ====
Whilst [http://technet.microsoft.com/en-us/library/cc753133(WS.10).aspx custom headers] can be configured in IIS without any extensions, it is not possible to restrict these headers to secure transport channels [http://tools.ietf.org/html/rfc6797#section-7.2 as per the HSTS specification]. This leaves the following options.

===== Custom Module =====
HSTS has been implemented, per the specification, as an [http://hstsiis.codeplex.com/ open source IIS module].

===== URL Rewrite =====
Install [http://www.iis.net/downloads/microsoft/url-rewrite Microsoft URL Rewrite] and use following rewrite rules.

<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTPS_301_Redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add_HSTS_Header" preCondition="USING_HTTPS" patternSyntax="Wildcard">
<match serverVariable="RESPONSE_Strict-Transport-Security" pattern="*" />
<action type="Rewrite" value="max-age=31536000" />
</rule>
<preConditions>
<preCondition name="USING_HTTPS">
<add input="{HTTPS}" pattern="^ON$" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>

== Threats ==

HSTS addresses the following threats:
* User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker
** HSTS automatically redirects HTTP requests to HTTPS for the target domain
* Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
** HSTS automatically redirects HTTP requests to HTTPS for the target domain
* A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate
** HSTS does not allow a user to override the invalid certificate message

== Links ==
* [[http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]
* [http://dev.chromium.org/sts Chromium Projects/HSTS]
* [http://tools.ietf.org/html/rfc6797 HSTS Spec]
* [http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Wikipedia]
* [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Mozilla Developer Network]
* [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS Protection Cheat Sheet]
* [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security Firefox STS Support]
* [http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html Google Chrome STS Support]
* [http://www.thoughtcrime.org/software/sslstrip/ Moxie Marlinspike's Black Hat 2009 talk on sslstrip, that demonstrates why you need HSTS]

[[Category:Control|Control]]

Authentication Cheat Sheet

2015-06-09T20:49:00Z

Pawel Krawczyk: /* SAML */ reference SAML Security Cheat Sheet

SAML Security Cheat Sheet

2015-03-25T15:40:10Z

Pawel Krawczyk: /* How to Test */ EICAR anti-malware test file

{{Template:OWASP Testing Guide v4}}

== Summary ==

Many application’s business processes allow for the upload of data/information. We regularly check the validity and security of text but accepting files can introduce even more risk. To reduce the risk we may only accept certain file extensions, but attackers are able to encapsulate malicious code into inert file types. Testing for malicious files verifies that the application/system is able to correctly protect against attackers uploading malicious files.

Vulnerabilities related to the uploading of malicious files is unique in that these “malicious” files can easily be rejected through including business logic that will scan files during the upload process and reject those perceived as malicious. Additionally, this is different from uploading unexpected files in that while the file type may be accepted the file may still be malicious to the system.

Finally, "malicious" means different things to different systems, for example Malicious files that may exploit SQL server vulnerabilities may not be considered a "malicious" to a main frame flat file environment.

The application may allow the upload of malicious files that include exploits or shellcode without submitting them to malicious file scanning. Malicious files could be detected and stopped at various points of the application architecture such as: IPS/IDS, application server anti-virus software or anti-virus scanning by application as files are uploaded (perhaps offloading the scanning using SCAP).

== Example ==

Suppose a picture sharing application allows users to upload their .gif or .jpg graphic files to the web site. What if an attacker is able to upload a PHP shell, or exe file, or virus? The attacker may then upload the file that may be saved on the system and the virus may spread itself or through remote processes exes or shell code can be executed.

== How to Test==

Generic Testing Method

• Review the project documentation and use exploratory testing looking at the application/system to identify what constitutes and "malicious" file in your environment.

• Develop or acquire a known “malicious” file. An [http://www.eicar.org/85-0-Download.html EICAR anti-malware test file] can be used as harmless, but widely detected by antivirus software.

• Try to upload the malicious file to the application/system and verify that it is correctly rejected.

• If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.

Specific Testing Method 1

• Using the Metasploit payload generation functionality generates a shellcode as a Windows executable using the Metasploit "msfpayload" command.

• Submit the executable via the application’s upload functionality and see if it is accepted or properly rejected.

Specific Testing Method 2

• Develop or create a file that should fail the application malware detection process. There are many available on the Internet such as ducklin.htm or ducklin-html.htm.

• Submit the executable via the application’s upload functionality and see if it is accepted or properly rejected.

Specific Testing Method 3

• Set up the intercepting proxy to capture the “valid” request for an accepted file.

• Send an “invalid” request through with a valid/acceptable file extension and see if the request is accepted or properly rejected.

== Related Test Cases ==

[[Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)| Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]]

[[Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)| Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)]]

== Tools ==

• Metasploit's payload generation functionality

• Intercepting proxy

== References ==

OWASP - Unrestricted File Upload - https://www.owasp.org/index.php/Unrestricted_File_Upload

Why File Upload Forms are a Major Security Threat - http://www.acunetix.com/websitesecurity/upload-forms-threat/

File upload security best practices: Block a malicious file upload - http://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload

Overview of Malicious File Upload Attacks - http://securitymecca.com/article/overview-of-malicious-file-upload-attacks/

Stop people uploading malicious PHP files via forms - http://stackoverflow.com/questions/602539/stop-people-uploading-malicious-php-files-via-forms

How to Tell if a File is Malicious - http://www.techsupportalert.com/content/how-tell-if-file-malicious.htm

CWE-434: Unrestricted Upload of File with Dangerous Type - http://cwe.mitre.org/data/definitions/434.html

Implementing Secure File Upload - http://infosecauditor.wordpress.com/tag/malicious-file-upload/

Watchful File Upload - http://palizine.plynt.com/issues/2011Apr/file-upload/

Matasploit Generating Payloads - http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads

Project Shellcode – Shellcode Tutorial 9: Generating Shellcode Using Metasploit
http://www.projectshellcode.com/?q=node/29

Anti-Malware Test file - http://www.eicar.org/86-0-Intended-use.html

== Remediation ==

While safeguards such as black or white listing of file extensions, using “Content-Type” from the header, or using a file type recognizer may not always be protections against this type of vulnerability. Every application that accepts files from users must have a mechanism to verify that the uploaded file does not contain malicious code. Uploaded files should never be stored where the users or attackers can directly access them.

Category:OWASP Speakers Project

2015-02-09T13:40:29Z

Pawel Krawczyk: Pawel Krawczyk

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Speakers Project==

OWASP Speakers Project is...

==Introduction==

This program helps local chapters or application security conferences to find OWASP related speakers to have OWASP presenters on site.

==Description==

This program allows two parties to find each other:
*Local chapters or application security events that want to attract an OWASP speaker.
*OWASP speakers to entertain OWASP presentations and that want to see the world.

For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page

==Licensing==
OWASP XXX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is OWASP Speakers Project? ==

OWASP Speakers Project provides:
*OWASP related speakers for local chapter and conferences.

== Presentation ==

== Project Leader ==
[mailto:Martin.knoblock@owasp.org Martin Knobloch]

== Related Projects ==

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Available Speakers =
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical)

*Add your name, contact and bio information to become available as OWASP Speaker!
{| class="prettytable"
|-
! Name
! Introduction
! Available Area
! Bios
|-
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon]
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics. Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS]. Based in New Hampshire, and available for travel worldwide. Fluent in English, and able to converse in Portuguese. A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group.
| Global (USA/NH-based)
| [http://www.zakon.org/robert/vitae.html BIO]
|-
| [mailto:jmcgovern@virtusa.com James McGovern]
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.
| Global (USA/CT-based)
| [http://www.linkedin.com/in/jamesmcgovern BIO]
|-
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough]
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA.
| USA/Texas
| [http://www.linkedin.com/in/chuckmccullough BIO]
|-
| Marc Curphey
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download)
| Europe
| [http://www.linkedin.com/in/curphey BIO]
|-
| [mailto:tomb@proactiverisk.com Tom Brennan]
| Tom is based in Northern New Jersey and leads the NYC Metro Chapters of OWASP Foundation since 2004. Tom served the community for (7) years as a member of the Global Board of Directors (2007-2014) and as a active project contributor. Tom is available for events worldwide to educate audiences about the OWASP Foundation core mission, how it works and various projects related to software security. He has a background as a Builder, Breaker and Defender [https://www.owasp.org/index.php/User:Brennan BIO]
| Global
| [http://www.linkedin.com/in/tombrennan BIO]
|-
| [mailto:thesp0nge@owasp.org Paolo Perego]
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December.
| Europe
| [http://www.linkedin.com/in/thesp0nge BIO]
|-
| [mailto:marc.m.morana@gmail.org Marco Morana]
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks]and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&V=3&id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February
| Europe
| [http://www.linkedin.com/pub/2/a7a/59b BIO]
|-
|-
| [mailto:amro@owasp.org Amro Alolaqi]
| Amro is leading the OWASP Saudi Arabia and UAE chapters, futhermore a contributor for the OWASP Testing Guide v4, OWASP Zed Attack Proxy (ZAP) and OWASP Web Application Security Testing Cheat Sheet. He is a frequent speaker at various industry conferences and events; topics of interest include Web App Critical Vulnerabilities, OWASP Zed Attack Proxy (ZAP), OWASP Testing Guide, Web Application Security Testing and Threat Modeling.
| Global (Middle East-based)
| [https://www.owasp.org/index.php/User:Amro_Ahmed BIO]
|-
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria]
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in english around France/Europe/Canada from middle of March 08. You can find some Talk on the [http://www.owasp.fr Owasp France Chapter]
| France/Europe/Canada
| [http://www.linkedin.com/in/gioria BIO]
|-
| [mailto:mordecai.kraushar@owasp.org Mordecai Kraushar]
| Mordecai is available to talk about different topics within the Web application security space. Discussions typically involve either the Broken Web Application project or the Vicnum project, [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project], a flexible vulnerable web application that can be used in many scenarios including 'capture the flag' exercises.
| Global
| [http://www.linkedin.com/in/mkraushar BIO]
|-
| [mailto:michael.coates@owasp.org Michael Coates]
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.
| USA/San Francisco & Virtual Presentations
| [http://www.linkedin.com/in/mcoates BIO]
|-
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom]
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: <br>- CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. <br>- Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...
| Asia and Europe <br>(dual based in both regions)
| [http://uk.linkedin.com/in/gondrom BIO]
|-
| [mailto:dan.cornell@owasp.org Dan Cornell]
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site.
| USA/San Antonio
| [http://www.denimgroup.com/about_team_dan.html BIO]
|-
| [mailto:John.Steven@owasp.org John Steven]
| John speaks on a variety of topics including "How to build your own application security group", "Threat Modeling", "Code Review and Static analysis", as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere.
| Washington, DC/USA
| [http://www.cigital.com/about/team/management.php#jsteven BIO]
|-
| [mailto:blake@owasp.org Blake Cornell]
| Blake is available to speak regarding topics including Security v. HIPPA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and world wide events.
| New York, NY/USA
| [http://www.linkedin.com/in/blakecornell BIO]
|-
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz]
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present.
| USA/Kansas, Oklahoma, Missouri
| [http://www.linkedin.com/in/ncoblentz BIO]
|-
| [mailto:johnccr@yahoo.com Juan Carlos Calderon]
| Juan has being part of the Appliction Security industry for 9 years, currently performs research on application and information security arena. He is available to present "Preparing an strategy for application vulnerability detection", "Owasp Spanish and Internationalization" and "Análisis y efectos del cibercrimen en Mexico"(Analysis and effects of cibercrime in México). He is also open to talk about other topics related to OWASP materials and tools, send him a note to verify the coverage.
| Aguascalientes/México
| [http://www.linkedin.com/in/juancarloscalderon BIO]
|-
| [mailto:edward@owasp.org Edward Bonver]
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.
| Global(USA/Los Angeles-based)
| [http://www.linkedin.com/in/bonver BIO]
|-
| [mailto:ludovic.petit@owasp.org Ludovic Petit]
| Chapter Leader OWASP France and OWASP Global Connections Committee Member, [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is willing to talk about Web Application Security topics with a Corporate dimension, including about Legal and Law Enforcement, the OWASP Foundation approach, and explain why WebApp Security is also linked to Legal and Regulatory aspects, so Corporate responsibility, to protect your business.
| France, Europe and elsewhere, according to my availabilities and if you pay yourself the travel and accommodation expenses.
| [http://www.linkedin.com/in/lpetit BIO]
|-
| [mailto:magno.logan@owasp.org Magno Logan]
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has done many talks about OWASP and it's main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.

| Latin America
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]
|-
| [mailto:wagner.elias@owasp.org Wagner Elias]
| Wagner founded the Brazil chapter is currently Curitiba-Brazil Chapter Leader and available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.

Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test

| Brazil
| [https://www.owasp.org/index.php/User:wagner.elias BIO]
|-
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar]
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader
| Ecuador, Latin America, Global
| [http://ec.linkedin.com/in/ramiropulgar BIO]
|-
| [mailto:john.vargas@owasp.org John Vargas]
| Chapter Leader OWASP Perú. [https://www.owasp.org/index.php/User:Jvargas '''John Vargas'''] OWASP Perú Chapter Leader
| Perú, Latin America, Global
| [http://pe.linkedin.com/in/jvargasp BIO]
|-
|[mailto:Ahmed.neil@owasp.org Ahmed M Neil]
|Neil is available to speak regarding topics including Digital forensics,Wep Application threats and security, Medical Information System Security, Wep application Penetration Testing,Always like to discuss OWASP Top 10. I am in Mansoura, Egypt now and available for speaking at regional,and world wide events.
[https://www.owasp.org/index.php/User:Ahmed_M_Neil '''Ahmed Neil'''] OWASP Mansoura Chapter Leader
| Africa,Global
| [http://www.linkedin.com/pub/ahmed-m-neil/38/590/73 BIO]
|-
|[mailto:pawel.krawczyk@owasp.org Pawel Krawczyk]
|Former chapter leader of OWASP Poland, speaking on hundreds of conferences and OWASP meetings. Topics: application security management, large scale vulnerability assessment, developing secure coding standards in agile environments,
|Europe, Global
|[https://uk.linkedin.com/in/pawelkrawczyk/ BIO]
|}

= Road Map and Getting Involved =
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical)

*Add your name, contact and bio information to become available as OWASP Speaker!

=Project About=

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]