OWASP Periodic Table of Vulnerabilities - Revision history

Claudia casanovas at 05:42, 13 February 2016

2016-02-13T05:42:44Z

Kait Disney-Leugers at 19:44, 16 June 2014

2014-06-16T19:44:18Z

Kait Disney-Leugers at 20:58, 9 May 2014

2014-05-09T20:58:21Z

James Landis at 07:38, 20 November 2013

2013-11-20T07:38:11Z

James Landis at 06:42, 20 November 2013

2013-11-20T06:42:08Z

James Landis at 21:34, 22 July 2013

2013-07-22T21:34:22Z

James Landis: session lifetime is covered by "insufficient session expiration"

2013-07-22T11:44:33Z

session lifetime is covered by "insufficient session expiration"

James Landis at 11:06, 22 July 2013

2013-07-22T11:06:59Z

James Landis at 06:15, 22 July 2013

2013-07-22T06:15:13Z

James Landis at 05:02, 22 July 2013

2013-07-22T05:02:31Z

@@ Line 1: / Line 1: @@
 = Main =
+<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 == Introduction ==

← Older revision		Revision as of 19:44, 16 June 2014
Line 1:		Line 1:
−	{\|
−	\|-
−	~~! width="700" align="center" \| <br>~~
−	~~! width="500" align="center" \| <br>~~
−	\|-
−	~~\| align="right" \| [[Image:OWASP Inactive Banner.jpg\|800px\| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]~~
−	~~\| align="right" \|~~
−
−	\|}
	= Main =		= Main =

← Older revision		Revision as of 20:58, 9 May 2014
Line 1:		Line 1:
		+	{\|
		+	\|-
		+	! width="700" align="center" \| <br>
		+	! width="500" align="center" \| <br>
		+	\|-
		+	\| align="right" \| [[Image:OWASP Inactive Banner.jpg\|800px\| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]
		+	\| align="right" \|
		+
		+	\|}
	= Main =		= Main =

@@ Line 155: / Line 155: @@
 * Solution Detail (see linked issues on summary view) - Detailed view combines references, detailed solution designs, discussion/controversy detail, and other relevant information for each solution recommendation. The detail view does NOT explain what each vulnerability/weakness is - it only references existing vulnerability descriptions from other projects (e.g. OWASP Top 10, WASC TCv2, CWE, etc.). A short summary of root cause(s) is included, but only to the level of depth required to suggest all of the solution design elements that need to be addressed.
 * Solution Checklist - Summary of solutions grouped by target (e.g. perimeter or framework) so that maintainers of standards, frameworks, and perimeter technologies can view the solutions required for their areas ONLY. May require templating to generate list automatically, or short summaries in place of detailed descriptions.
-* [[Media:OWASP_Periodic_Table_-_Interactive.html|Periodic Table Interactive View]] - Minimal representation of the Periodic Table View combined with a legend mapping each symbol to the vulnerability name, related taxonomies, and solution targets. Rolling over each element gives solution highlights. Clicking an element opens the corresponding Solution Detail view.
+* [http://periodictable.github.io/ Periodic Table Interactive View] - Minimal representation of the Periodic Table View combined with a legend mapping each symbol to the vulnerability name, related taxonomies, and solution targets. Rolling over each element gives solution highlights. Clicking an element opens the corresponding Solution Detail view.
 * Periodic Table Poster-Size View - Vulns/Weaknesses laid out like the table of chemical elements, with solution target along the top and some measure of severity progressing down through the "periods". Top 10 could be highlighted in some way. Issues may show up in multiple periods. Poster-size so we can get all the relevant information in each "element".
 * [[Media:OWASP_Periodic_Table_-_Letter_Size.pdf|Periodic Table Compact View]] - Minimal representation of the Periodic Table View combined with a legend mapping each symbol to the vulnerability name, related taxonomies, and solution targets. View is designed to fit on a single US Letter size piece of paper, printed in grayscale.

@@ Line 155: / Line 155: @@
 * Solution Detail (see linked issues on summary view) - Detailed view combines references, detailed solution designs, discussion/controversy detail, and other relevant information for each solution recommendation. The detail view does NOT explain what each vulnerability/weakness is - it only references existing vulnerability descriptions from other projects (e.g. OWASP Top 10, WASC TCv2, CWE, etc.). A short summary of root cause(s) is included, but only to the level of depth required to suggest all of the solution design elements that need to be addressed.
 * Solution Checklist - Summary of solutions grouped by target (e.g. perimeter or framework) so that maintainers of standards, frameworks, and perimeter technologies can view the solutions required for their areas ONLY. May require templating to generate list automatically, or short summaries in place of detailed descriptions.
-* Periodic Table View - Vulns/Weaknesses laid out like the table of chemical elements, with solution target along the top and some measure of severity progressing down through the "periods". Top 10 could be highlighted in some way. Issues may show up in multiple periods. Poster-size so we can get all the relevant information in each "element".
+* [[Media:OWASP_Periodic_Table_-_Interactive.html|Periodic Table Interactive View]] - Minimal representation of the Periodic Table View combined with a legend mapping each symbol to the vulnerability name, related taxonomies, and solution targets. Rolling over each element gives solution highlights. Clicking an element opens the corresponding Solution Detail view.
 * [[Media:OWASP_Periodic_Table_-_Letter_Size.pdf|Periodic Table Compact View]] - Minimal representation of the Periodic Table View combined with a legend mapping each symbol to the vulnerability name, related taxonomies, and solution targets. View is designed to fit on a single US Letter size piece of paper, printed in grayscale.

@@ Line 11: / Line 11: @@
 The most scalable and effective approach to addressing vulnerability classes is to fix the browsers, standards, and protocols that enable web applications. This approach can sometimes increase security for every application on the internet without changing a single line of application code. The amount of industry collaboration required to implement a protocol/standard change can be enormous, but some classes of vulnerabilities simply cannot be addressed without this kind of change (e.g. Clickjacking). A solution at this level is incredibly powerful: a Content Security Policy (CSP) solution to Cross-Site Scripting (XSS) might allow most application owners to write a simple policy file instead of implementing a costly framework or custom code solution to protect their existing application assets.
-== Perimeter Technologies ==
+== Perimeter / Platform Technologies ==
 Less scalable, but almost as effective, is to address vulnerabilities in perimeter technologies such as application firewalls, load balancers, geocaching services (e.g. Akamai), and proxies. These technologies can shield vulnerable applications without requiring changes to the applications themselves. While most classes of vulnerability depend heavily on the application code and aren't easily solved by a generic perimeter solution, some are generalizable to the point where a perimeter solution could protect any application behind it before an attack even has a chance to do damage. Anti-automation and protocol validation are especially good solutions for perimeter technologies to address.
 == Generic Application Frameworks ==

@@ Line 63: / Line 63: @@
 | style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Content Spoofing|Content Spoofing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CS || style="border-width:2px 1px 2px 1px;" | Provide a new response status code for "File not found, but show custom 404 content body AND replace the URL displayed in the title bar because the current requested URL will confuse users".|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | If the framework supports user-supplied content, such content must be clearly marked as such in the display context.|| style="border-width:2px 3px 2px 1px;" |
 |-
-| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking|Cookie Theft/Session Hijacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SH || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information to replace cookies.|| style="border-width:2px 1px 2px 1px;" | Terminate/regenerate session if the session token is transmitted insecurely. Help enforce cookie/session management rules.|| style="border-width:2px 1px 2px 1px;" | Prevent leakage of session tokens with strict cookie parameters and other rules. Detect evidence of successful hijack to proactively terminate compromised sessions. Limit the lifetime of sessions as much as possible. Rotate the session token as often as possible.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
+| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking|Cookie Theft/Session Hijacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SH || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information to replace cookies.|| style="border-width:2px 1px 2px 1px;" | Terminate/regenerate session if the session token is transmitted insecurely. Help enforce cookie/session management rules.|| style="border-width:2px 1px 2px 1px;" | Prevent leakage of session tokens with strict cookie parameters and other rules. Detect evidence of successful hijack to proactively terminate compromised sessions. Rotate the session token as often as possible.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
 |-
 | style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery|Cross-Site Request Forgery]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XF || style="border-width:2px 1px 2px 1px;" | Change default browser behavior to look for policy file for cross-domain writes instead of "default allow", transitioning through CSP framework.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically generate and check tokens for all POST requests by default, with configuration-based exclusion list. Disallow state changes via GET requests, enforcing RFC.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |

@@ Line 63: / Line 63: @@
 | style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Content Spoofing|Content Spoofing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CS || style="border-width:2px 1px 2px 1px;" | Provide a new response status code for "File not found, but show custom 404 content body AND replace the URL displayed in the title bar because the current requested URL will confuse users".|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | If the framework supports user-supplied content, such content must be clearly marked as such in the display context.|| style="border-width:2px 3px 2px 1px;" |
 |-
-| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking|Cookie Theft/Session Hijacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SH || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information to replace cookies.|| style="border-width:2px 1px 2px 1px;" | Terminate/regenerate session if the session token is transmitted insecurely. Help enforce cookie/session management rules.|| style="border-width:2px 1px 2px 1px;" | Enforce Secure and HttpOnly flags for all cookies. Alert user and deauthorize oldest session when multiple simultaneous login is detected. Terminate session if User-Agent string or other client fingerprinting changes. Terminate session if user acceses login page.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
+| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking|Cookie Theft/Session Hijacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SH || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information to replace cookies.|| style="border-width:2px 1px 2px 1px;" | Terminate/regenerate session if the session token is transmitted insecurely. Help enforce cookie/session management rules.|| style="border-width:2px 1px 2px 1px;" | Prevent leakage of session tokens with strict cookie parameters and other rules. Detect evidence of successful hijack to proactively terminate compromised sessions. Limit the lifetime of sessions as much as possible. Rotate the session token as often as possible.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
 |-
 | style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery|Cross-Site Request Forgery]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XF || style="border-width:2px 1px 2px 1px;" | Change default browser behavior to look for policy file for cross-domain writes instead of "default allow", transitioning through CSP framework.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically generate and check tokens for all POST requests by default, with configuration-based exclusion list. Disallow state changes via GET requests, enforcing RFC.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
@@ Line 127: / Line 127: @@
 | style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Server Misconfiguration|Server Misconfiguration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SM || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure proper application settings are deployed in configuration file/s. Provide secure default settings.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
 |-
-| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Session Fixation|Session Fixation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Do not start sessions with user-provided tokens and rotate session IDs periodically during longer sessions.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
+| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Session Fixation|Session Fixation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Do not create sessions using session IDs generated by the HTTP client. Expire and rotate session IDs whenever the privilege level associated with a session changes.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
 |-
 | style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion|SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Perform schema validation of XML structure on incoming requests.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |

@@ Line 150: / Line 150: @@
 * [[Media:Periodic Table Infographic.pdf|Compressed view]] - One-pager that highlights the vulnerability classes that developers will still have to worry about at the top, with "solved" vulnerabilities ordered toward the bottom.
 * Infographic - Cartoony, visually-appealing storyboard introduction of the project, its goals, and high-level approach.
-* [[OWASP Periodic Table of Vulnerabilities#Periodic Table of Vulnerabilities|Working View/Summary]] - Working view summarizes solutions in respective columns for quick reference but doesn't provide details. May link to detailed sections.
+* [[OWASP_Periodic_Table_of_Vulnerabilities#tab=Periodic_Table_of_Vulnerabilities|Working View/Summary]] - Working view summarizes solutions in respective columns for quick reference but doesn't provide details. Links directly to detailed sections.
 * Solution Detail (see linked issues on summary view) - Detailed view combines references, detailed solution designs, discussion/controversy detail, and other relevant information for each solution recommendation. The detail view does NOT explain what each vulnerability/weakness is - it only references existing vulnerability descriptions from other projects (e.g. OWASP Top 10, WASC TCv2, CWE, etc.). A short summary of root cause(s) is included, but only to the level of depth required to suggest all of the solution design elements that need to be addressed.
 * Solution Checklist - Summary of solutions grouped by target (e.g. perimeter or framework) so that maintainers of standards, frameworks, and perimeter technologies can view the solutions required for their areas ONLY. May require templating to generate list automatically, or short summaries in place of detailed descriptions.

@@ Line 3: / Line 3: @@
 == Introduction ==
-After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.
+After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by making changes to protocols and standards and building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective, enabling developers to write secure code much more efficiently.
 Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the remediation strategies are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.