This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Difference between revisions of "Guide Table of Contents"

From OWASP
Line 9: Line 9:
 
##Participation and Membership
 
##Participation and Membership
 
##Projects
 
##Projects
#INTRODUCTION
+
#[[Introduction]]
 
##Developing Secure Applications
 
##Developing Secure Applications
 
##Improvements in this edition
 
##Improvements in this edition
Line 15: Line 15:
 
##Updates and errata
 
##Updates and errata
 
##With thanks
 
##With thanks
#WHAT ARE WEB APPLICATIONS?
+
#[[What are web applications?]]
 
##Technologies
 
##Technologies
 
##First generation – CGI
 
##First generation – CGI
Line 27: Line 27:
 
##Model
 
##Model
 
##Conclusion
 
##Conclusion
#POLICY FRAMEWORKS
+
#[[Policy Frameworks]]
 
##Organizational commitment to security
 
##Organizational commitment to security
 
##OWASP’s Place at the Framework table
 
##OWASP’s Place at the Framework table
Line 34: Line 34:
 
##Source Code Control
 
##Source Code Control
 
##Summary
 
##Summary
#SECURE CODING PRINCIPLES
+
#[[Secure Coding Principles]]
 
##Asset Classification
 
##Asset Classification
 
##About attackers
 
##About attackers
Line 40: Line 40:
 
##Security Architecture
 
##Security Architecture
 
##Security Principles
 
##Security Principles
#THREAT RISK MODELING
+
#[[Threat Risk Modeling]]
 
##Threat Risk Modeling
 
##Threat Risk Modeling
 
##Performing threat risk modeling using the Microsoft Threat Modeling Process
 
##Performing threat risk modeling using the Microsoft Threat Modeling Process
Line 50: Line 50:
 
##Conclusion
 
##Conclusion
 
##Further Reading
 
##Further Reading
#HANDLING E-COMMERCE PAYMENTS
+
#[[Handling E-Commerce Payments]]
 
##Objectives
 
##Objectives
 
##Compliance and Laws
 
##Compliance and Laws
Line 56: Line 56:
 
##Handling Credit Cards
 
##Handling Credit Cards
 
##Further Reading
 
##Further Reading
#PHISHING
+
#[[Phishing]]
 
##What is phishing?
 
##What is phishing?
 
##User Education
 
##User Education
Line 76: Line 76:
 
##When an attack happens
 
##When an attack happens
 
##Further Reading
 
##Further Reading
#WEB SERVICES
+
#[[Web Services]]
 
##Securing Web Services
 
##Securing Web Services
 
##Communication security
 
##Communication security
Line 116: Line 116:
 
##Accessibility
 
##Accessibility
 
##Further Reading
 
##Further Reading
#AUTHENTICATION
+
#[[Authentication]]
 
##Objective
 
##Objective
 
##Environments Affected
 
##Environments Affected
Line 181: Line 181:
 
##Further Reading
 
##Further Reading
 
##Session Management
 
##Session Management
#DATA VALIDATION
+
#[[Data Validation]]
 
##Objective
 
##Objective
 
##Platforms Affected
 
##Platforms Affected
Line 200: Line 200:
 
##Delimiter and special characters
 
##Delimiter and special characters
 
##Further Reading
 
##Further Reading
#INTERPRETER INJECTION
+
#[[Interpreter Injection]]
 
##Objective
 
##Objective
 
##Platforms Affected
 
##Platforms Affected
Line 215: Line 215:
 
##Code Injection
 
##Code Injection
 
##Command injection
 
##Command injection
#CANONCALIZATION, LOCALE AND UNICODE
+
#[[Canoncalization, locale and Unicode]]
 
##Objective
 
##Objective
 
##Platforms Affected
 
##Platforms Affected
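Review bot: the added link target on the "+" line, "#[[Canoncalization, locale and Unicode]]", carries the misspelling "Canoncalization" over from the old heading "#CANONCALIZATION, LOCALE AND UNICODE"; because the wikilink text becomes the chapter page's title and URL, the typo is now baked into a page name rather than just a heading. Suggest "#[[Canonicalization, locale and Unicode]]" (with the target page moved or redirected to match) before the remaining chapters are converted the same way.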
Line 227: Line 227:
 
## HTTP Request Smuggling
 
## HTTP Request Smuggling
 
## Further Reading
 
## Further Reading
#ERROR HANDLING, AUDITING AND LOGGING
+
#[[Error Handling, Auditing and Logging]]
 
##Objective
 
##Objective
 
##Environments Affected
 
##Environments Affected
Line 243: Line 243:
 
##Further Reading
 
##Further Reading
 
##Error Handling and Logging
 
##Error Handling and Logging
#FILE SYSTEM
+
#[[File System]]
 
##Objective
 
##Objective
 
##Environments Affected
 
##Environments Affected
Line 290: Line 290:
 
##Authentication for high value systems
 
##Authentication for high value systems
 
##Further Reading
 
##Further Reading
#CRYPTOGRAPHY
+
#[[Cryptography]]
 
##Objective
 
##Objective
 
##Platforms Affected
 
##Platforms Affected
Line 305: Line 305:
 
##Further Reading
 
##Further Reading
 
##Cryptography
 
##Cryptography
#CONFIGURATION
+
#[[Configuration]]
 
##Objective
 
##Objective
 
##Platforms Affected
 
##Platforms Affected
Line 357: Line 357:
 
##Further Reading
 
##Further Reading
 
##Maintenance
 
##Maintenance
#GNU FREE DOCUMENTATION LICENSE
+
#[[GNU Free Documentation License]]
 
##PREAMBLE
 
##PREAMBLE
 
##APPLICABILITY AND DEFINITIONS
 
##APPLICABILITY AND DEFINITIONS

Revision as of 17:18, 18 May 2006

  1. Frontispiece
    1. Dedication
    2. Copyright and license
    3. Editors
    4. Authors and Reviewers
    5. Revision History
  2. About The Open Web Application Security Project
    1. Structure and Licensing
    2. Participation and Membership
    3. Projects
  3. Introduction
    1. Developing Secure Applications
    2. Improvements in this edition
    3. How to use this Guide
    4. Updates and errata
    5. With thanks
  4. What are web applications?
    1. Technologies
    2. First generation – CGI
    3. Filters
    4. Scripting
    5. Web application frameworks – J
    6. Small to medium scale applications
    7. Large scale applications
    8. View
    9. Controller
    10. Model
    11. Conclusion
  5. Policy Frameworks
    1. Organizational commitment to security
    2. OWASP’s Place at the Framework table
    3. Development Methodology
    4. Coding Standards
    5. Source Code Control
    6. Summary
  6. Secure Coding Principles
    1. Asset Classification
    2. About attackers
    3. Core pillars of information security
    4. Security Architecture
    5. Security Principles
  7. Threat Risk Modeling
    1. Threat Risk Modeling
    2. Performing threat risk modeling using the Microsoft Threat Modeling Process
    3. Alternative Threat Modeling Systems
    4. Trike
    5. AS/NZS
    6. CVSS
    7. OCTAVE
    8. Conclusion
    9. Further Reading
  8. Handling E-Commerce Payments
    1. Objectives
    2. Compliance and Laws
    3. PCI Compliance
    4. Handling Credit Cards
    5. Further Reading
  9. Phishing
    1. What is phishing?
    2. User Education
    3. Make it easy for your users to report scams
    4. Communicating with customers via e-mail
    5. Never ask your customers for their secrets
    6. Fix all your XSS issues
    7. Do not use pop-ups
    8. Don’t be framed
    9. Move your application one link away from your front page
    10. Enforce local referrers for images and other resources
    11. Keep the address bar, use SSL, do not use IP addresses
    12. Don’t be the source of identity theft
    13. Implement safe-guards within your application
    14. Monitor unusual account activity
    15. Get the phishing target servers offline pronto
    16. Take control of the fraudulent domain name
    17. Work with law enforcement
    18. When an attack happens
    19. Further Reading
  10. Web Services
    1. Securing Web Services
    2. Communication security
    3. Passing credentials
    4. Ensuring message freshness
    5. Protecting message integrity
    6. Protecting message confidentiality
    7. Access control
    8. Audit
    9. Web Services Security Hierarchy
    10. SOAP
    11. WS-Security Standard
    12. WS-Security Building Blocks
    13. Communication Protection Mechanisms
    14. Access Control Mechanisms
    15. Forming Web Service Chains
    16. Available Implementations
    17. Problems
    18. Further Reading
  11. AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES
    1. Objective
    2. Platforms Affected
    3. Architecture
    4. Access control: Authentication and Authorization
    5. Silent transactional authorization
    6. Untrusted or absent session data
    7. State management
    8. Tamper resistance
    9. Privacy
    10. Proxy Façade
    11. SOAP Injection Attacks
    12. XMLRPC Injection Attacks
    13. DOM Injection Attacks
    14. XML Injection Attacks
    15. JSON (Javascript Object Notation) Injection Attacks
    16. Encoding safety
    17. Auditing
    18. Error Handling
    19. Accessibility
    20. Further Reading
  12. Authentication
    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Common web authentication techniques
    6. Strong Authentication
    7. Federated Authentication
    8. Client side authentication controls
    9. Positive Authentication
    10. Multiple Key Lookups
    11. Referer Checks
    12. Browser remembers passwords
    13. Default accounts
    14. Choice of usernames
    15. Change passwords
    16. Short passwords
    17. Weak password controls
    18. Reversible password encryption
    19. Automated password resets
    20. Brute Force
    21. Remember Me
    22. Idle Timeouts
    23. Logout
    24. Account Expiry
    25. Self registration
    26. CAPTCHA
    27. Further Reading
    28. Authentication
  13. AUTHORIZATION
    1. Objectives
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Best Practices in Action
    6. Principle of least privilege
    7. Centralized authorization routines
    8. Authorization matrix
    9. Controlling access to protected resources
    10. Protecting access to static resources
    11. Reauthorization for high value activities or after idle out
    12. Time based authorization
    13. Be cautious of custom authorization controls
    14. Never implement client-side authorization tokens
    15. Further Reading
  14. SESSION MANAGEMENT
    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Description
    5. Best practices
    6. Exposed Session Variables
    7. Page and Form Tokens
    8. Weak Session Cryptographic Algorithms
    9. Session Token Entropy
    10. Session Time-out
    11. Regeneration of Session Tokens
    12. Session Forging/Brute-Forcing Detection and/or Lockout
    13. Session Token Capture and Session Hijacking
    14. Session Tokens on Logout
    15. Session Validation Attacks
    16. PHP
    17. Sessions
    18. Further Reading
    19. Session Management
  15. Data Validation
    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Description
    5. Definitions
    6. Where to include integrity checks
    7. Where to include validation
    8. Where to include business rule validation
    9. Data Validation Strategies
    10. Prevent parameter tampering
    11. Hidden fields
    12. ASP.NET Viewstate
    13. URL encoding
    14. HTML encoding
    15. Encoded strings
    16. Data Validation and Interpreter Injection
    17. Delimiter and special characters
    18. Further Reading
  16. Interpreter Injection
    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. User Agent Injection
    5. HTTP Response Splitting
    6. SQL Injection
    7. ORM Injection
    8. LDAP Injection
    9. XML Injection
    10. Code Injection
    11. Further Reading
    12. SQL-injection
    13. Code Injection
    14. Command injection
  17. Canoncalization, locale and Unicode
    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Description
    5. Unicode
    6. http://www.ietf.org/rfc/rfc##
    7. Input Formats
    8. Locale assertion
    9. Double (or n-) encoding
    10. HTTP Request Smuggling
    11. Further Reading
  18. Error Handling, Auditing and Logging
    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Description
    5. Best practices
    6. Error Handling
    7. Detailed error messages
    8. Logging
    9. Noise
    10. Cover Tracks
    11. False Alarms
    12. Destruction
    13. Audit Trails
    14. Further Reading
    15. Error Handling and Logging
  19. File System
    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Description
    5. Best Practices
    6. Defacement
    7. Path traversal
    8. Insecure permissions
    9. Insecure Indexing
    10. Unmapped files
    11. Temporary files
    12. PHP
    13. Includes and Remote files
    14. File upload
    15. Old, unreferenced files
    16. Second Order Injection
    17. Further Reading
    18. File System
  20. DISTRIBUTED COMPUTING
    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Race conditions
    6. Distributed synchronization
    7. Further Reading
  21. BUFFER OVERFLOWS
    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Description
    5. General Prevention Techniques
    6. Stack Overflow
    7. Heap Overflow
    8. Format String
    9. Unicode Overflow
    10. Integer Overflow
    11. Further reading
  22. ADMINISTRATIVE INTERFACES
    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Best practices
    5. Administrators are not users
    6. Authentication for high value systems
    7. Further Reading
  23. Cryptography
    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Description
    5. Cryptographic Functions
    6. Cryptographic Algorithms
    7. Algorithm Selection
    8. Key Storage
    9. Insecure transmission of secrets
    10. Reversible Authentication Tokens
    11. Safe UUID generation
    12. Summary
    13. Further Reading
    14. Cryptography
  24. Configuration
    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Default passwords
    6. Secure connection strings
    7. Secure network transmission
    8. Encrypted data
    9. PHP Configuration
    10. Global variables
    11. register_globals
    12. Database security
    13. Further Reading
    14. ColdFusion Components (CFCs)
    15. Configuration
  25. SOFTWARE QUALITY ASSURANCE
    1. Objective
    2. Platforms Affected
    3. Best practices
    4. Process
    5. Metrics
    6. Testing Activities
  26. DEPLOYMENT
    1. Objective
    2. Platforms Affected
    3. Best Practices
    4. Release Management
    5. Secure delivery of code
    6. Code signing
    7. Permissions are set to least privilege
    8. Automated packaging
    9. Automated deployment
    10. Automated removal
    11. No backup or old files
    12. Unnecessary features are off by default
    13. Setup log files are clean
    14. No default accounts
    15. Easter eggs
    16. Malicious software
    17. Further Reading
  27. MAINTENANCE
    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Security Incident Response
    6. Fix Security Issues Correctly
    7. Update Notifications
    8. Regularly check permissions
    9. Further Reading
    10. Maintenance
  28. GNU Free Documentation License
    1. PREAMBLE
    2. APPLICABILITY AND DEFINITIONS
    3. VERBATIM COPYING
    4. COPYING IN QUANTITY
    5. MODIFICATIONS
    6. COMBINING DOCUMENTS
    7. COLLECTIONS OF DOCUMENTS
    8. AGGREGATION WITH INDEPENDENT WORKS
    9. TRANSLATION
    10. TERMINATION
    11. FUTURE REVISIONS OF THIS LICENSE