Revision as of 12:43, 17 August 2006 (view source) Fedevela paysett (talk | contribs) m (→‎Acerca del Open Web Application Security Project) ← Older edit		Latest revision as of 23:05, 21 February 2008 (view source) Benfellows (talk | contribs) (→‎Policy Frameworks: - two quick translations)
(5 intermediate revisions by 2 users not shown)
Line 16:		Line 16:
	#Actualizaciones y errata		#Actualizaciones y errata
	#Agradecimientos		#Agradecimientos
−	=[[What are web applications?]]=	+	=[[¿Qué son las aplicaciones web?]]=
−	#Technologies	+	#Tecnologías
−	#First generation – CGI	+	#La primera generación – CGI
−	#Filters	+	#Filtros
	#Scripting		#Scripting
	#Web application frameworks – J		#Web application frameworks – J
−	#Small to medium scale applications	+	#Aplicaciones de pequeña y mediana escala
−	#Large scale applications	+	#Aplicaciones de gran escala
−	#View	+	#Vista
−	#Controller	+	#Controlador
−	#Model	+	#Modelo
−	#Conclusion	+	#Conclusiones
−	=[[Policy Frameworks]]=	+
		+	=[[Armazón de Reglas]]=
	#Organizational commitment to security		#Organizational commitment to security
−	#OWASP’s Place at the Framework table	+	#Lugar de OWASP al mesa de Armazónes
	#Development Methodology		#Development Methodology
	#Coding Standards		#Coding Standards
	#Source Code Control		#Source Code Control
	#Summary		#Summary
		+
	=[[Secure Coding Principles]]=		=[[Secure Coding Principles]]=
	#Asset Classification		#Asset Classification
Line 117:		Line 119:
	#Accessibility		#Accessibility
	#Further Reading		#Further Reading
−	=[[Authentication]]=	+	=[[Autenticación]]=
−	#Objective	+	#Objetivo
−	#Environments Affected	+	#Entornos afectados
	#Relevant COBIT Topics		#Relevant COBIT Topics
	#Best Practices		#Best Practices
−	#Common web authentication techniques	+	#Técnicas comunes de autenticación web
−	#Strong Authentication	+	#Autenticación fuerte
	#Federated Authentication		#Federated Authentication
−	#Client side authentication controls	+	#Controles de autenticación del lado del cliente
−	#Positive Authentication	+	#Autenticación positiva
−	#Multiple Key Lookups	+	#Búsquedas en claves múltiples
−	#Referer Checks	+	#Verificaciión del Referer
−	#Browser remembers passwords	+	#Guardando la clave en el navegador
−	#Default accounts	+	#Cuentas por defecto
−	#Choice of usernames	+	#Elección de nombres de usuario
−	#Change passwords	+	#Cambiar las claves
−	#Short passwords	+	#Claves cortas
−	#Weak password controls	+	#Controles de claves débiles
−	#Reversible password encryption	+	#Encriptación reversible de claves
	#Automated password resets		#Automated password resets
−	#Brute Force	+	#Fuerza Bruta
−	#Remember Me	+	#Recordarme
	#Idle Timeouts		#Idle Timeouts
	#Logout		#Logout
−	#Account Expiry	+	#Expiración de cuentas
−	#Self registration	+	#Autoregistro
	#CAPTCHA		#CAPTCHA
	#Further Reading		#Further Reading
	#Authentication		#Authentication
−	=[[Authorization]]=	+
		+	=[[Guide to Authorization]]=
	#Objectives		#Objectives
	#Environments Affected		#Environments Affected
Line 162:		Line 165:
	#Never implement client-side authorization tokens		#Never implement client-side authorization tokens
	#Further Reading		#Further Reading
		+
	=[[Session Management]]=		=[[Session Management]]=
	#Objective		#Objective
Line 291:		Line 295:
	#Authentication for high value systems		#Authentication for high value systems
	#Further Reading		#Further Reading
−	=[[Cryptography]]=	+	=[[Guide to Cryptography]]=
	#Objective		#Objective
	#Platforms Affected		#Platforms Affected
Line 306:		Line 310:
	#Further Reading		#Further Reading
	#Cryptography		#Cryptography
		+
	=[[Configuration]]=		=[[Configuration]]=
	#Objective		#Objective

---

Latest revision as of 23:05, 21 February 2008

Portada

1. Dedicación
2. Derechos de autor y licencia
3. Editores
4. Autores y críticos
5. Historia de revisiones

Acerca del Open Web Application Security Project

1. Estructura y licenciamiento
2. Participación y afiliación
3. Proyectos

Introducción

1. Desarrollando aplicaciones seguras
2. Mejoras en esta edición
3. Como usar la guía
4. Actualizaciones y errata
5. Agradecimientos

¿Qué son las aplicaciones web?

1. Tecnologías
2. La primera generación – CGI
3. Filtros
4. Scripting
5. Web application frameworks – J
6. Aplicaciones de pequeña y mediana escala
7. Aplicaciones de gran escala
8. Vista
9. Controlador
10. Modelo
11. Conclusiones

Armazón de Reglas

1. Organizational commitment to security
2. Lugar de OWASP al mesa de Armazónes
3. Development Methodology
4. Coding Standards
5. Source Code Control
6. Summary

Secure Coding Principles

1. Asset Classification
2. About attackers
3. Core pillars of information security
4. Security Architecture
5. Security Principles

Threat Risk Modeling

1. Threat Risk Modeling
2. Performing threat risk modeling using the Microsoft Threat Modeling Process
3. Alternative Threat Modeling Systems
4. Trike
5. AS/NZS
6. CVSS
7. OCTAVE
8. Conclusion
9. Further Reading

Handling E-Commerce Payments

1. Objectives
2. Compliance and Laws
3. PCI Compliance
4. Handling Credit Cards
5. Further Reading

Phishing

1. What is phishing?
2. User Education
3. Make it easy for your users to report scams
4. Communicating with customers via e-mail
5. Never ask your customers for their secrets
6. Fix all your XSS issues
7. Do not use pop-ups
8. Don’t be framed
9. Move your application one link away from your front page
10. Enforce local referrers for images and other resources
11. Keep the address bar, use SSL, do not use IP addresses
12. Don’t be the source of identity theft
13. Implement safe-guards within your application
14. Monitor unusual account activity
15. Get the phishing target servers offline pronto
16. Take control of the fraudulent domain name
17. Work with law enforcement
18. When an attack happens
19. Further Reading

Web Services

1. Securing Web Services
2. Communication security
3. Passing credentials
4. Ensuring message freshness
5. Protecting message integrity
6. Protecting message confidentiality
7. Access control
8. Audit
9. Web Services Security Hierarchy
10. SOAP
11. WS-Security Standard
12. WS-Security Building Blocks
13. Communication Protection Mechanisms
14. Access Control Mechanisms
15. Forming Web Service Chains
16. Available Implementations
17. Problems
18. Further Reading

Ajax and Other "Rich" Interface Technologies

1. Objective
2. Platforms Affected
3. Architecture
4. Access control: Authentication and Authorization
5. Silent transactional authorization
6. Untrusted or absent session data
7. State management
8. Tamper resistance
9. Privacy
10. Proxy Façade
11. SOAP Injection Attacks
12. XMLRPC Injection Attacks
13. DOM Injection Attacks
14. XML Injection Attacks
15. JSON (Javascript Object Notation) Injection Attacks
16. Encoding safety
17. Auditing
18. Error Handling
19. Accessibility
20. Further Reading

Autenticación

1. Objetivo
2. Entornos afectados
3. Relevant COBIT Topics
4. Best Practices
5. Técnicas comunes de autenticación web
6. Autenticación fuerte
7. Federated Authentication
8. Controles de autenticación del lado del cliente
9. Autenticación positiva
10. Búsquedas en claves múltiples
11. Verificaciión del Referer
12. Guardando la clave en el navegador
13. Cuentas por defecto
14. Elección de nombres de usuario
15. Cambiar las claves
16. Claves cortas
17. Controles de claves débiles
18. Encriptación reversible de claves
19. Automated password resets
20. Fuerza Bruta
21. Recordarme
22. Idle Timeouts
23. Logout
24. Expiración de cuentas
25. Autoregistro
26. CAPTCHA
27. Further Reading
28. Authentication

Guide to Authorization

1. Objectives
2. Environments Affected
3. Relevant COBIT Topics
4. Best Practices
5. Best Practices in Action
6. Principle of least privilege
7. Centralized authorization routines
8. Authorization matrix
9. Controlling access to protected resources
10. Protecting access to static resources
11. Reauthorization for high value activities or after idle out
12. Time based authorization
13. Be cautious of custom authorization controls
14. Never implement client-side authorization tokens
15. Further Reading

Session Management

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Description
5. Best practices
6. Exposed Session Variables
7. Page and Form Tokens
8. Weak Session Cryptographic Algorithms
9. Session Token Entropy
10. Session Time-out
11. Regeneration of Session Tokens
12. Session Forging/Brute-Forcing Detection and/or Lockout
13. Session Token Capture and Session Hijacking
14. Session Tokens on Logout
15. Session Validation Attacks
16. PHP
17. Sessions
18. Further Reading
19. Session Management

Data Validation

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Description
5. Definitions
6. Where to include integrity checks
7. Where to include validation
8. Where to include business rule validation
9. Data Validation Strategies
10. Prevent parameter tampering
11. Hidden fields
12. ASP.NET Viewstate
13. URL encoding
14. HTML encoding
15. Encoded strings
16. Data Validation and Interpreter Injection
17. Delimiter and special characters
18. Further Reading

Interpreter Injection

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. User Agent Injection
5. HTTP Response Splitting
6. SQL Injection
7. ORM Injection
8. LDAP Injection
9. XML Injection
10. Code Injection
11. Further Reading
12. SQL-injection
13. Code Injection
14. Command injection

Canoncalization, locale and Unicode

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Description
5. Unicode
6. http://www.ietf.org/rfc/rfc#
7. Input Formats
8. Locale assertion
9. Double (or n-) encoding
10. HTTP Request Smuggling
11. Further Reading

Error Handling, Auditing and Logging

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Description
5. Best practices
6. Error Handling
7. Detailed error messages
8. Logging
9. Noise
10. Cover Tracks
11. False Alarms
12. Destruction
13. Audit Trails
14. Further Reading
15. Error Handling and Logging

File System

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Description
5. Best Practices
6. Defacement
7. Path traversal
8. Insecure permissions
9. Insecure Indexing
10. Unmapped files
11. Temporary files
12. PHP
13. Includes and Remote files
14. File upload
15. Old, unreferenced files
16. Second Order Injection
17. Further Reading
18. File System

Distributed Computing

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Best Practices
5. Race conditions
6. Distributed synchronization
7. Further Reading

Buffer Overflows

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Description
5. General Prevention Techniques
6. Stack Overflow
7. Heap Overflow
8. Format String
9. Unicode Overflow
10. Integer Overflow
11. Further reading

Administrative Interface

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Best practices
5. Administrators are not users
6. Authentication for high value systems
7. Further Reading

Guide to Cryptography

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Description
5. Cryptographic Functions
6. Cryptographic Algorithms
7. Algorithm Selection
8. Key Storage
9. Insecure transmission of secrets
10. Reversible Authentication Tokens
11. Safe UUID generation
12. Summary
13. Further Reading
14. Cryptography

Configuration

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Best Practices
5. Default passwords
6. Secure connection strings
7. Secure network transmission
8. Encrypted data
9. PHP Configuration
10. Global variables
11. register_globals
12. Database security
13. Further Reading
14. ColdFusion Components (CFCs)
15. Configuration

Software Quality Assurance

1. Objective
2. Platforms Affected
3. Best practices
4. Process
5. Metrics
6. Testing Activities

Deployment

1. Objective
2. Platforms Affected
3. Best Practices
4. Release Management
5. Secure delivery of code
6. Code signing
7. Permissions are set to least privilege
8. Automated packaging
9. Automated deployment
10. Automated removal
11. No backup or old files
12. Unnecessary features are off by default
13. Setup log files are clean
14. No default accounts
15. Easter eggs
16. Malicious software
17. Further Reading

Maintenance

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Best Practices
5. Security Incident Response
6. Fix Security Issues Correctly
7. Update Notifications
8. Regularly check permissions
9. Further Reading
10. Maintenance

GNU Free Documentation License

1. PREAMBLE
2. APPLICABILITY AND DEFINITIONS
3. VERBATIM COPYING
4. COPYING IN QUANTITY
5. MODIFICATIONS
6. COMBINING DOCUMENTS
7. COLLECTIONS OF DOCUMENTS
8. AGGREGATION WITH INDEPENDENT WORKS
9. TRANSLATION
10. TERMINATION
11. FUTURE REVISIONS OF THIS LICENSE

Reference