Top 10-2017-A3-Sensitive Data Exposure - Revision history

T.Gigler: OWASP Top 10-2017 Release

2017-12-11T23:10:40Z

OWASP Top 10-2017 Release

T.Gigler: T.Gigler moved page Top 10 2017-A6-Sensitive Data Exposure to Top 10-2017-A3-Sensitive Data Exposure

2017-12-11T22:46:01Z

T.Gigler moved page Top 10 2017-A6-Sensitive Data Exposure to Top 10-2017-A3-Sensitive Data Exposure

T.Gigler: Top 10 2017 RC1: A6-Sensitive Data Exposure

2017-04-22T22:13:50Z

Top 10 2017 RC1: A6-Sensitive Data Exposure

T.Gigler: Added some comments in Wiki source code of the SummaryTable Header (SummaryTableRowStyleTemplates)

2017-04-22T21:11:53Z

Added some comments in Wiki source code of the SummaryTable Header (SummaryTableRowStyleTemplates)

T.Gigler: Launch the new page for Top 10 2017-A6-Sensitive Data Exposure (RC1) with content of 2013-A6 as a reference to compare changes

2017-04-20T22:56:02Z

Launch the new page for Top 10 2017-A6-Sensitive Data Exposure (RC1) with content of 2013-A6 as a reference to compare changes

New page

{{Top_10_2013:TopTemplate
|usenext=2013NextLink
|next=A7-{{Top_10_2010:ByTheNumbers
|7
|year=2017
|language=en}}
|useprev=2013PrevLink
|prev=A5-{{Top_10_2010:ByTheNumbers
|5
|year=2017
|language=en}}
|year=2017
|language=en
}}

{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}}
{{Top_10:SummaryTableTemplate|exploitability=3|prevalence=3|detectability=2|impact=1|year=2017|language=en}}
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers’ browsers. Include both external and internal threats.
</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
Attackers typically don’t break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s browser.

</td>
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.

</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.

</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.

</td>
{{Top_10_2010:SummaryTableEndTemplate|year=2017}}

{{Top_10:SubsectionTableBeginTemplate|type=main|year=2017}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=6|year=2017|language=en}}
The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data:
# Is any of this data stored in clear text long term, including backups of this data?
# Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.
# Are any old / weak cryptographic algorithms used?
# Are weak crypto keys generated, or is proper key management or rotation missing?
# Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?

And more … For a more complete set of problems to avoid, see [https://www.owasp.org/index.php/ASVS ASVS areas Crypto (V7), Data Prot. (V9), and SSL (V10)].

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2017|language=en}}
The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:
# Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
# Ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm FIPS 140 validated cryptographic modules].
# Ensure passwords are stored with an algorithm specifically designed for password protection, such as [http://en.wikipedia.org/wiki/Bcrypt bcrypt], [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2], or [http://en.wikipedia.org/wiki/Scrypt scrypt].
# Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=6|year=2017|language=en}}
'''Scenario #1:''' An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.

'''Scenario #2:''' A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.

'''Scenario #3:''' The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes.

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=6|year=2017|language=en}}
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}} <br/>
For a more complete set of requirements, see [https://www.owasp.org/index.php/ASVS ASVS req’ts on Cryptography (V7), Data Protection (V9)] and [https://www.owasp.org/index.php/ASVS Communications Security (V10)]
* [https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet OWASP Cryptographic Storage Cheat Sheet]
* [https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet OWASP Password Storage Cheat Sheet]
* [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP Transport Layer Protection Cheat Sheet]
* [https://www.owasp.org/index.php/Testing_for_SSL-TLS OWASP Testing Guide: Chapter on SSL/TLS Testing]
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
* [http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]
* [http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive Information]
* [http://cwe.mitre.org/data/definitions/319.html CWE Entry 319 on Cleartext Transmission of Sensitive Information]
* [http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]

{{Top_10_2013:BottomAdvancedTemplate
|type={{Top_10_2010:StyleTemplate}}
|usenext=2013NextLink
|next=A7-{{Top_10_2010:ByTheNumbers
|7
|year=2017
|language=en}}
|useprev=2013PrevLink
|prev=A5-{{Top_10_2010:ByTheNumbers
|5
|year=2017
|language=en}}
|year=2017
|language=en
}}

[[Category:OWASP Top Ten Project]]

← Older revision		Revision as of 23:10, 11 December 2017
Line 1:		Line 1:
−	~~{{Top_10_2013:TopTemplate~~	+	#REDIRECT [[Top 10-2017 A3-Sensitive Data Exposure]]
−	~~\|usenext=2013NextLink~~
−	~~\|next=A7-{{Top_10_2010:ByTheNumbers~~
−	\|7
−	~~\|year=2017~~
−	~~\|language=en}}~~
−	~~\|useprev=2013PrevLink~~
−	~~\|prev=A5-{{Top_10_2010:ByTheNumbers~~
−	\|5
−	~~\|year=2017~~
−	~~\|language=en}}~~
−	~~\|year=2017~~
−	~~\|language=en~~
−	}}
−
−	~~{{Top_10_2010:SummaryTableHeaderBeginTemplate\|year=2017\|language=en}}~~
−	~~{{Top_10:SummaryTableTemplate\|exploitability=3\|prevalence=3\|detectability=2\|impact=1\|year=2017\|language=en}}~~
−	~~{{Top_10_2010:SummaryTableHeaderEndTemplate\|year=2017}}~~
−	~~<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate\|year=2017}}>~~
−	<!--- Threat Agents: --->Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit and even in your customers’ browsers. Include both external and internal threats.
−	~~</td>~~
−	~~<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate\|year=2017}}>~~
−	<!--- Attack Vectors --->Attackers typically don’t break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s browser.
−	~~</td>~~
−	~~<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate\|year=2017}}>~~
−	<!--- Security Weakness --->The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.
−	~~</td>~~
−	~~<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate\|year=2017}}>~~
−	<!--- Technical Impacts --->Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.
−	~~</td>~~
−	~~<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate\|year=2017}}>~~
−	<!--- Business Impacts --->Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.
−	~~</td>~~
−	~~{{Top_10_2010:SummaryTableEndTemplate\|year=2017}}~~
−
−	{{Top_10:SubsectionTableBeginTemplate\|type=main\|year=2017}} {{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|subsection=vulnerableTo\|position=firstLeft\|risk=6\|year=2017\|language=en}}
−	The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data:
−	~~# Is any of this data stored in clear text long term, including backups of this data?~~
−	~~# Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.~~
−	~~# Are any old / weak cryptographic algorithms used?~~
−	~~# Are weak crypto keys generated, or is proper key management or rotation missing?~~
−	# ~~Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?~~
−	~~And more ... For a more complete set of problems to avoid, see <u>~~[[~~ASVS\|ASVS areas Crypto (V7), Data Prot (V9), and SSL/TLS (V10)]]</u>.~~
−
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|subsection=howPrevent\|position=right\|risk=6\|year=2017\|language=en}}~~
−	~~The full perils of unsafe cryptography, SSL/TLS usage, and data protection are well beyond the scope of the~~ Top 10~~. That said, for all sensitive data, do the following, at a minimum:~~
−	# Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
−	~~# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t retain can’t be stolen.~~
−	~~# Ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using <u>[http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val~~-~~all.htm FIPS 140 validated cryptographic modules]</u>.~~
−	# Ensure passwords are stored with an algorithm specifically designed for password protection, such as <u>[http://en.wikipedia.org/wiki/Bcrypt bcrypt]</u>, <u>[http://en.wikipedia.org/wiki/PBKDF2 PBKDF2]</u>, or <u>[http://en.wikipedia.org/wiki/Scrypt scrypt]</u>.
−	~~# Disable autocomplete on forms requesting sensitive data and disable caching for pages that contain sensitive data.~~
−
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|subsection=example\|position=left\|risk=6\|year=2017\|language=en}}~~
−	<u>'''Scenario #1:'''</u> An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. Alternatives include not storing credit card numbers, using tokenization, or using public key encryption.
−
−	<u>'''Scenario #2:'''</u> A site simply doesn’t use TLS for all authenticated pages. An attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. The attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
−
−	<u>'''Scenario #3:'''</u> The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password database. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes.
−
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|subsection=references\|position=right\|risk=6\|year=~~2017~~\|language=en}}~~
−	~~{{Top_10_2010:SubSubsectionOWASPReferencesTemplate\|year=2017\|language=en}} <br/>~~
−	* For a more complete set of requirements, see ASVS req’ts on <u>[[ASVS\|Cryptography (V7), Data Protection (V9), and Communications Security (V10)]]</u>
−	* <u>[[Cryptographic_Storage_Cheat_Sheet\|OWASP Cryptographic Storage Cheat Sheet]]</u>
−	* <u>[[Password_Storage_Cheat_Sheet\|OWASP Password Storage Cheat Sheet]]</u>
−	* <u>[[Transport_Layer_Protection_Cheat_Sheet\|OWASP Transport Layer Protection Cheat Sheet]]</u>
−	* <u>[[Testing_for_SSL-~~TLS\|OWASP Testing Guide: Chapter on SSL/TLS Testing]]</u>~~
−
−	~~{{Top_10_2010:SubSubsectionExternalReferencesTemplate\|year=2017\|language=en}}~~
−	* <u>[http://cwe.mitre.org/data/definitions/310.html CWE Entry 310 on Cryptographic Issues]</u>
−	* <u>[http://cwe.mitre.org/data/definitions/312.html CWE Entry 312 on Cleartext Storage of Sensitive ~~Information]</u>~~
−	* <u>[http://cwe.mitre.org/data/definitions/319.html CWE Entry 319 on Cleartext Transmission of Sensitive Information]</u>
−	* <u>[http://cwe.mitre.org/data/definitions/326.html CWE Entry 326 on Weak Encryption]</u>
−
−	~~{{Top_10_2013:BottomAdvancedTemplate~~
−	~~\|type={{Top_10_2010:StyleTemplate}}~~
−	~~\|usenext=2013NextLink~~
−	~~\|next=A7-{{Top_10_2010:ByTheNumbers~~
−	\|7
−	~~\|year=2017~~
−	~~\|language=en}}~~
−	~~\|useprev=2013PrevLink~~
−	~~\|prev=A5-{{Top_10_2010:ByTheNumbers~~
−	\|5
−	~~\|year=2017~~
−	~~\|language=en}}~~
−	~~\|year=2017~~
−	~~\|language=en~~
−	}}
−
−	~~[[Category:OWASP Top Ten Project~~]]

← Older revision	Revision as of 22:46, 11 December 2017
(No difference)

@@ Line 18: / Line 18: @@
 {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
-<!--- Threat Agents: --->Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers’ browsers. Include both external and internal threats.
+<!--- Threat Agents: --->Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit and even in your customers’ browsers. Include both external and internal threats.
 </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
 <!--- Attack Vectors --->Attackers typically don’t break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s browser.
 </td>
       <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
 <!--- Security Weakness --->The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.
 </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
-<!--- Technical Impacts --->Failure frequently compromises all data that should have been protected. Typically, this information includes  sensitive data such as health records, credentials, personal data, credit cards, etc.
+<!--- Technical Impacts --->Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.
 </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
 <!--- Business Impacts  --->Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.
 </td>
 {{Top_10_2010:SummaryTableEndTemplate|year=2017}}
@@ Line 45: / Line 41: @@
 # Are weak crypto keys generated, or is proper key management or rotation missing?
 # Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?
+And more ... For a more complete set of problems to avoid, see <u>[[ASVS|ASVS areas Crypto (V7), Data Prot (V9), and SSL/TLS (V10)]]</u>.
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2017|language=en}}
-The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:
+The full perils of unsafe cryptography, SSL/TLS usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do the following, at a minimum:
 # Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
-# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
+# Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t retain can’t be stolen.
-# Ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm  FIPS 140 validated cryptographic modules].
+# Ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using <u>[http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm FIPS 140 validated cryptographic modules]</u>.
-# Ensure passwords are stored with an algorithm specifically designed for password protection, such as [http://en.wikipedia.org/wiki/Bcrypt  bcrypt], [http://en.wikipedia.org/wiki/PBKDF2  PBKDF2], or [http://en.wikipedia.org/wiki/Scrypt  scrypt].
+# Ensure passwords are stored with an algorithm specifically designed for password protection, such as <u>[http://en.wikipedia.org/wiki/Bcrypt bcrypt]</u>, <u>[http://en.wikipedia.org/wiki/PBKDF2 PBKDF2]</u>, or <u>[http://en.wikipedia.org/wiki/Scrypt scrypt]</u>.
-# Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
+# Disable autocomplete on forms requesting sensitive data and disable caching for pages that contain sensitive data.
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=6|year=2017|language=en}}
-'''Scenario #1:''' An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.
+<u>'''Scenario #1:'''</u> An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. Alternatives include not storing credit card numbers, using tokenization, or using public key encryption.
-'''Scenario #2:''' A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
+<u>'''Scenario #2:'''</u> A site simply doesn’t use TLS for all authenticated pages. An attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. The attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
-'''Scenario #3:''' The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password file. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes.
+<u>'''Scenario #3:'''</u> The password database uses unsalted hashes to store everyone’s passwords. A file upload flaw allows an attacker to retrieve the password database. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes.
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=6|year=2017|language=en}}
-{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}} <br/>
+{{Top_10_2010:SubSubsectionOWASPReferencesTemplate|year=2017|language=en}} <br/>
-For a more complete set of requirements, see [https://www.owasp.org/index.php/ASVS  ASVS req’ts on Cryptography (V7), Data Protection (V9)]  and [https://www.owasp.org/index.php/ASVS   Communications Security (V10)]
+* For a more complete set of requirements, see ASVS req’ts on <u>[[ASVS|Cryptography (V7), Data Protection (V9), and Communications Security (V10)]]</u>
-* [https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet  OWASP Cryptographic Storage Cheat Sheet]
+* <u>[[Cryptographic_Storage_Cheat_Sheet|OWASP Cryptographic Storage Cheat Sheet]]</u>
-* [https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet  OWASP Password Storage Cheat Sheet]
+* <u>[[Password_Storage_Cheat_Sheet|OWASP Password Storage Cheat Sheet]]</u>
-* [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet  OWASP Transport Layer Protection Cheat Sheet]
+* <u>[[Transport_Layer_Protection_Cheat_Sheet|OWASP Transport Layer Protection Cheat Sheet]]</u>
-* [https://www.owasp.org/index.php/Testing_for_SSL-TLS  OWASP Testing Guide: Chapter on SSL/TLS Testing]
+* <u>[[Testing_for_SSL-TLS|OWASP Testing Guide: Chapter on SSL/TLS Testing]]</u>
 {{Top_10_2013:BottomAdvancedTemplate