This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Guide:Frontispiece"

From OWASP
Jump to: navigation, search
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{taggedDocument
 +
| type=historical
 +
| link=:Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
 +
}}
 
A Guide to Building Secure Web Applications and
 
A Guide to Building Secure Web Applications and
 
Web Services
 
Web Services
Line 6: Line 10:
  
  
== Frontispiece ==
+
OWASP Foundation
 
+
Dedication
+
=Frontispiece =
To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,anything is possible.
+
==Dedication ==
Andrew van der Stock
+
''To my fellow procrastinators and TiVo addicts, this book proves that given enough "tomorrows", anything is possible.'' -- Andrew van der Stock
  
Copyright and license
+
==Copyright and license ==
 
© 2001 – 2006 OWASP Foundation.  
 
© 2001 – 2006 OWASP Foundation.  
 
The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.  
 
The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.  
Editors
+
==Editors ==
 
The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation.  
 
The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation.  
 
Guide 2.x series editors:
 
Guide 2.x series editors:
Line 22: Line 26:
 
Adrian Wiesmann
 
Adrian Wiesmann
 
   
 
   
+
==Authors and Reviewers ==
Authors and Reviewers
 
 
The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:
 
The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:
  
+
{| cellspacing="5" valign="top"
Abraham Kang
+
|
Adrian Wiesmann
+
* Abraham Kang
Amit Klein
+
* Adrian Wiesmann
Andrew van der Stock
+
* Amit Klein
Brian Greidanus
+
* Andrew van der Stock
Christopher Todd
+
* Brian Greidanus
Darrel Grundy
+
* Christopher Todd
Daniel Cornell
+
* Darrel Grundy
David Endler
+
* Daniel Cornell
Denis Pilipchuk
+
* David Endler
Dennis Groves
+
* Denis Pilipchuk
Derek Browne
+
|
Eoin Keary
+
* Dennis Groves
Erik Lee
+
* Derek Browne
Ernesto Arroyo
+
* Eoin Keary
Frank Lemmon
+
* Erick Lee
Gene McKenna
+
* Ernesto Arroyo
Hal Lockhart
+
* Frank Lemmon
Izhar By-Gad
+
* Gene McKenna
Jeremy Poteet
+
* Hal Lockhart
José Pedro Arroyo
+
* Izhar By-Gad
K.K. Mookhey
+
* Jeremy Poteet
Kevin McLaughlin
+
|
Martin Eizner
+
* José Pedro Arroyo
Michael Howard
+
* K.K. Mookhey
Michael Scovetta
+
* Kevin McLaughlin
Mikael Simonsson
+
* Martin Eizner
Neal Krawetz
+
* Michael Howard
Nigel Tranter
+
* Michael Scovetta
Raoul Endres
+
* Mikael Simonsson
Ray Stirbei
+
* Neal Krawetz
Richard Parke
+
* Nigel Tranter
Robert Hansen
+
* Raoul Endres
Roy McNamara
+
| valign="top" |
Steve Taylor
+
* Ray Stirbei
Sverre Huseby
+
* Richard Parke
Tim Smith
+
* Robert Hansen
William Hau
+
* Roy McNamara
+
* Steve Taylor
+
* Sverre Huseby
Revision History
+
* Tim Smith
 
+
* William Hau
Date Version Pages Notes
+
|}
July 26, 2005 2.0 Blackhat Edition 280 pages Andrew van der Stock, Guide Lead
 
July 27, 2005 2.0.1 Blackhat Edition++ 293 pages Cryptography chapter review
 
from Michael Howard incorporated
 
September 12, 2005 2.1 DRAFT 1 X pages Changes from many sources
 
New SQA chapter from Frank Lemmon
 
January 2006 2.1 DRAFT 2 X pages Changes from Bill Pollock
 
New chapters from Erick Lee
 
New revisions from Dan Cornell
 
February 2006 2.1 DRAFT 3 X pages Ajax chapter
 
Many chapters back from reviewers
 
 
 
 
 
After here:::
 
  
+
==Revision History ==
 
 
A Guide to Building Secure Web Applications and
 
Web Services
 
 
 
2.1 (DRAFT 3)
 
February 2006
 
 
 
 
 
OWASP Foundation
 
 
'''''Frontispiece'''''
 
'''''Dedication'''''
 
To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible.
 
Andrew van der Stock
 
'''''Copyright and license'''''
 
© 2001 – 2006 OWASP Foundation.
 
The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.
 
'''''Editors'''''
 
The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation.
 
Guide 2.x series editors:
 
 
Andrew van der Stock
 
Adrian Wiesmann
 
 
'''''
 
Authors and Reviewers'''''
 
The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:
 
 
 
 
Abraham Kang
 
Adrian Wiesmann
 
Amit Klein
 
Andrew van der Stock
 
Brian Greidanus
 
Christopher Todd
 
Darrel Grundy
 
Daniel Cornell
 
David Endler
 
Denis Pilipchuk
 
Dennis Groves
 
Derek Browne
 
Eoin Keary
 
Erik Lee
 
Ernesto Arroyo
 
Frank Lemmon
 
Gene McKenna
 
Hal Lockhart
 
Izhar By-Gad
 
Jeremy Poteet
 
José Pedro Arroyo
 
K.K. Mookhey
 
Kevin McLaughlin
 
Martin Eizner
 
Michael Howard
 
Michael Scovetta
 
Mikael Simonsson
 
Neal Krawetz
 
Nigel Tranter
 
Raoul Endres
 
Ray Stirbei
 
Richard Parke
 
Robert Hansen
 
Roy McNamara
 
Steve Taylor
 
Sverre Huseby
 
Tim Smith
 
William Hau
 
 
'''''
 
Revision History'''''
 
  
 
'''Date''' '''Version''' '''Pages''' '''Notes'''
 
'''Date''' '''Version''' '''Pages''' '''Notes'''
Line 188: Line 108:
  
  
 +
=Table of Contents =
  
 
+
[[Guide:Table of Contents]]
'''''Table of Contents'''''
 
'''1''' '''ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT 13'''
 
1.1 STRUCTURE AND LICENSING 13
 
1.2 PARTICIPATION AND MEMBERSHIP 13
 
1.3 PROJECTS 14
 
'''2''' '''INTRODUCTION 15'''
 
2.1 DEVELOPING SECURE APPLICATIONS 15
 
2.2 IMPROVEMENTS IN THIS EDITION 15
 
2.3 HOW TO USE THIS GUIDE 16
 
2.4 UPDATES AND ERRATA 16
 
2.5 WITH THANKS 16
 
'''3''' '''WHAT ARE WEB APPLICATIONS? 17'''
 
3.1 TECHNOLOGIES 18
 
3.2 FIRST GENERATION – CGI 18
 
3.3 FILTERS 18
 
3.4 SCRIPTING 19
 
3.5 WEB APPLICATION FRAMEWORKS – J2EE AND ASP.NET 20
 
3.6 SMALL TO MEDIUM SCALE APPLICATIONS 21
 
3.7 LARGE SCALE APPLICATIONS 22
 
3.8 VIEW 22
 
3.9 CONTROLLER 22
 
3.10 MODEL 23
 
3.11 CONCLUSION 24
 
'''4''' '''POLICY FRAMEWORKS 25'''
 
4.1 ORGANIZATIONAL COMMITMENT TO SECURITY 25
 
4.2 OWASP’S PLACE AT THE FRAMEWORK TABLE 26
 
4.3 DEVELOPMENT METHODOLOGY 28
 
4.4 CODING STANDARDS 29
 
4.5 SOURCE CODE CONTROL 29
 
4.6 SUMMARY 30
 
'''5''' '''SECURE CODING PRINCIPLES 31'''
 
5.1 ASSET CLASSIFICATION 31
 
5.2 ABOUT ATTACKERS 31
 
5.3 CORE PILLARS OF INFORMATION SECURITY 32
 
5.4 SECURITY ARCHITECTURE 32
 
5.5 SECURITY PRINCIPLES 33
 
'''6''' '''THREAT RISK MODELING 37'''
 
6.1 THREAT RISK MODELING 37
 
6.2 PERFORMING THREAT RISK MODELING USING THE MICROSOFT THREAT MODELING PROCESS 37
 
6.3 ALTERNATIVE THREAT MODELING SYSTEMS 44
 
6.4 TRIKE 44
 
6.5 AS/NZS 4360:2004 RISK MANAGEMENT 44
 
6.6 CVSS 45
 
6.7 OCTAVE 46
 
6.8 CONCLUSION 47
 
6.9 FURTHER READING 47
 
'''7''' '''HANDLING E-COMMERCE PAYMENTS 49'''
 
7.1 OBJECTIVES 49
 
7.2 COMPLIANCE AND LAWS 49
 
7.3 PCI COMPLIANCE 49
 
7.4 HANDLING CREDIT CARDS 50
 
7.5 FURTHER READING 53
 
'''8''' '''PHISHING 55'''
 
8.1 WHAT IS PHISHING? 55
 
8.2 USER EDUCATION 56
 
8.3 MAKE IT EASY FOR YOUR USERS TO REPORT SCAMS 57
 
8.4 COMMUNICATING WITH CUSTOMERS VIA E-MAIL 57
 
8.5 NEVER ASK YOUR CUSTOMERS FOR THEIR SECRETS 58
 
8.6 FIX ALL YOUR XSS ISSUES 58
 
8.7 DO NOT USE POP-UPS 59
 
8.8 DON’T BE FRAMED 59
 
8.9 MOVE YOUR APPLICATION ONE LINK AWAY FROM YOUR FRONT PAGE 59
 
8.10 ENFORCE LOCAL REFERRERS FOR IMAGES AND OTHER RESOURCES 59
 
8.11 KEEP THE ADDRESS BAR, USE SSL, DO NOT USE IP ADDRESSES 60
 
8.12 DON’T BE THE SOURCE OF IDENTITY THEFT 60
 
8.13 IMPLEMENT SAFE-GUARDS WITHIN YOUR APPLICATION 61
 
8.14 MONITOR UNUSUAL ACCOUNT ACTIVITY 61
 
8.15 GET THE PHISHING TARGET SERVERS OFFLINE PRONTO 62
 
8.16 TAKE CONTROL OF THE FRAUDULENT DOMAIN NAME 62
 
8.17 WORK WITH LAW ENFORCEMENT 63
 
8.18 WHEN AN ATTACK HAPPENS 63
 
8.19 FURTHER READING 63
 
'''9''' '''WEB SERVICES 64'''
 
SECURING WEB SERVICES 64
 
COMMUNICATION SECURITY 65
 
PASSING CREDENTIALS 65
 
ENSURING MESSAGE FRESHNESS 66
 
PROTECTING MESSAGE INTEGRITY 66
 
PROTECTING MESSAGE CONFIDENTIALITY 67
 
ACCESS CONTROL 67
 
AUDIT 68
 
WEB SERVICES SECURITY HIERARCHY 68
 
SOAP 69
 
WS-SECURITY STANDARD 70
 
WS-SECURITY BUILDING BLOCKS 72
 
COMMUNICATION PROTECTION MECHANISMS 78
 
ACCESS CONTROL MECHANISMS 80
 
FORMING WEB SERVICE CHAINS 82
 
AVAILABLE IMPLEMENTATIONS 83
 
PROBLEMS 85
 
FURTHER READING 87
 
'''10''' '''AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5'''
 
10.1 OBJECTIVE 5
 
10.2 PLATFORMS AFFECTED 5
 
10.3 ARCHITECTURE 5
 
10.4 ACCESS CONTROL: AUTHENTICATION AND AUTHORIZATION 5
 
10.5 SILENT TRANSACTIONAL AUTHORIZATION 5
 
10.6 UNTRUSTED OR ABSENT SESSION DATA 5
 
10.7 STATE MANAGEMENT 5
 
10.8 TAMPER RESISTANCE 5
 
10.9 PRIVACY 5
 
10.10 PROXY FAÇADE 5
 
10.11 SOAP INJECTION ATTACKS 5
 
10.12 XMLRPC INJECTION ATTACKS 5
 
10.13 DOM INJECTION ATTACKS 5
 
10.14 XML INJECTION ATTACKS 5
 
10.15 JSON (JAVASCRIPT OBJECT NOTATION) INJECTION ATTACKS 5
 
10.16 ENCODING SAFETY 5
 
10.17 AUDITING 5
 
10.18 ERROR HANDLING 5
 
10.19 ACCESSIBILITY 5
 
10.20 FURTHER READING 5
 
'''11''' '''AUTHENTICATION 108'''
 
11.1 OBJECTIVE 108
 
11.2 ENVIRONMENTS AFFECTED 108
 
11.3 RELEVANT COBIT TOPICS 108
 
11.4 BEST PRACTICES 108
 
11.5 COMMON WEB AUTHENTICATION TECHNIQUES 109
 
11.6 STRONG AUTHENTICATION 111
 
11.7 FEDERATED AUTHENTICATION 115
 
11.8 CLIENT SIDE AUTHENTICATION CONTROLS 117
 
11.9 POSITIVE AUTHENTICATION 118
 
11.10 MULTIPLE KEY LOOKUPS 120
 
11.11 REFERER CHECKS 122
 
11.12 BROWSER REMEMBERS PASSWORDS 123
 
11.13 DEFAULT ACCOUNTS 124
 
11.14 CHOICE OF USERNAMES 125
 
11.15 CHANGE PASSWORDS 126
 
11.16 SHORT PASSWORDS 126
 
11.17 WEAK PASSWORD CONTROLS 127
 
11.18 REVERSIBLE PASSWORD ENCRYPTION 128
 
11.19 AUTOMATED PASSWORD RESETS 128
 
11.20 BRUTE FORCE 130
 
11.21 REMEMBER ME 131
 
11.22 IDLE TIMEOUTS 132
 
11.23 LOGOUT 132
 
11.24 ACCOUNT EXPIRY 133
 
11.25 SELF REGISTRATION 134
 
11.26 CAPTCHA 134
 
11.27 FURTHER READING 135
 
11.28 AUTHENTICATION 136
 
'''12''' '''AUTHORIZATION 148'''
 
12.1 OBJECTIVES 148
 
12.2 ENVIRONMENTS AFFECTED 148
 
12.3 RELEVANT COBIT TOPICS 148
 
12.4 BEST PRACTICES 148
 
12.5 BEST PRACTICES IN ACTION 149
 
12.6 PRINCIPLE OF LEAST PRIVILEGE 150
 
12.7 CENTRALIZED AUTHORIZATION ROUTINES 152
 
12.8 AUTHORIZATION MATRIX 152
 
12.9 CONTROLLING ACCESS TO PROTECTED RESOURCES 153
 
12.10 PROTECTING ACCESS TO STATIC RESOURCES 153
 
12.11 REAUTHORIZATION FOR HIGH VALUE ACTIVITIES OR AFTER IDLE OUT 154
 
12.12 TIME BASED AUTHORIZATION 154
 
12.13 BE CAUTIOUS OF CUSTOM AUTHORIZATION CONTROLS 154
 
12.14 NEVER IMPLEMENT CLIENT-SIDE AUTHORIZATION TOKENS 155
 
12.15 FURTHER READING 156
 
'''13''' '''SESSION MANAGEMENT 157'''
 
13.1 OBJECTIVE 157
 
13.2 ENVIRONMENTS AFFECTED 157
 
13.3 RELEVANT COBIT TOPICS 157
 
13.4 DESCRIPTION 157
 
13.5 BEST PRACTICES 158
 
13.6 EXPOSED SESSION VARIABLES 159
 
13.7 PAGE AND FORM TOKENS 159
 
13.8 WEAK SESSION CRYPTOGRAPHIC ALGORITHMS 160
 
13.9 SESSION TOKEN ENTROPY 161
 
13.10 SESSION TIME-OUT 161
 
13.11 REGENERATION OF SESSION TOKENS 162
 
13.12 SESSION FORGING/BRUTE-FORCING DETECTION AND/OR LOCKOUT 163
 
13.13 SESSION TOKEN CAPTURE AND SESSION HIJACKING 163
 
13.14 SESSION TOKENS ON LOGOUT 165
 
13.15 SESSION VALIDATION ATTACKS 165
 
13.16 PHP 166
 
13.17 SESSIONS 166
 
13.18 FURTHER READING 167
 
13.19 SESSION MANAGEMENT 168
 
'''14''' '''DATA VALIDATION 173'''
 
14.1 OBJECTIVE 173
 
14.2 PLATFORMS AFFECTED 173
 
14.3 RELEVANT COBIT TOPICS 173
 
14.4 DESCRIPTION 173
 
14.5 DEFINITIONS 173
 
14.6 WHERE TO INCLUDE INTEGRITY CHECKS 174
 
14.7 WHERE TO INCLUDE VALIDATION 174
 
14.8 WHERE TO INCLUDE BUSINESS RULE VALIDATION 174
 
14.9 DATA VALIDATION STRATEGIES 175
 
14.10 PREVENT PARAMETER TAMPERING 177
 
14.11 HIDDEN FIELDS 178
 
14.12 ASP.NET VIEWSTATE 179
 
14.13 URL ENCODING 182
 
14.14 HTML ENCODING 182
 
14.15 ENCODED STRINGS 183
 
14.16 DATA VALIDATION AND INTERPRETER INJECTION 183
 
14.17 186
 
14.18 DELIMITER AND SPECIAL CHARACTERS 186
 
14.19 FURTHER READING 187
 
'''15''' '''INTERPRETER INJECTION 188'''
 
15.1 OBJECTIVE 188
 
15.2 PLATFORMS AFFECTED 188
 
15.3 RELEVANT COBIT TOPICS 188
 
15.4 USER AGENT INJECTION 188
 
15.5 HTTP RESPONSE SPLITTING 192
 
15.6 SQL INJECTION 193
 
15.7 ORM INJECTION 193
 
15.8 LDAP INJECTION 194
 
15.9 XML INJECTION 196
 
15.10 CODE INJECTION 196
 
15.11 FURTHER READING 197
 
15.12 SQL-INJECTION 199
 
15.13 CODE INJECTION 202
 
15.14 COMMAND INJECTION 202
 
'''16''' '''CANONCALIZATION, LOCALE AND UNICODE 203'''
 
16.1 OBJECTIVE 203
 
16.2 PLATFORMS AFFECTED 203
 
16.3 RELEVANT COBIT TOPICS 203
 
16.4 DESCRIPTION 203
 
16.5 UNICODE 204
 
16.6 <u>HTTP://WWW.IETF.ORG/RFC/RFC2279.TXT?NUMBER=2279</U> 206
 
16.7 INPUT FORMATS 206
 
16.8 LOCALE ASSERTION 207
 
16.9 DOUBLE (OR N-) ENCODING 207
 
16.10 HTTP REQUEST SMUGGLING 208
 
16.11 FURTHER READING 208
 
'''17''' '''ERROR HANDLING, AUDITING AND LOGGING 210'''
 
17.1 OBJECTIVE 210
 
17.2 ENVIRONMENTS AFFECTED 210
 
17.3 RELEVANT COBIT TOPICS 210
 
17.4 DESCRIPTION 210
 
17.5 BEST PRACTICES 211
 
17.6 ERROR HANDLING 211
 
17.7 DETAILED ERROR MESSAGES 212
 
17.8 LOGGING 213
 
17.9 NOISE 216
 
17.10 COVER TRACKS 216
 
17.11 FALSE ALARMS 217
 
17.12 DESTRUCTION 218
 
17.13 AUDIT TRAILS 218
 
17.14 FURTHER READING 219
 
17.15 ERROR HANDLING AND LOGGING 219
 
'''18''' '''FILE SYSTEM 226'''
 
18.1 OBJECTIVE 226
 
18.2 ENVIRONMENTS AFFECTED 226
 
18.3 RELEVANT COBIT TOPICS 226
 
18.4 DESCRIPTION 226
 
18.5 BEST PRACTICES 226
 
18.6 DEFACEMENT 226
 
18.7 PATH TRAVERSAL 227
 
18.8 INSECURE PERMISSIONS 228
 
18.9 INSECURE INDEXING 228
 
18.10 UNMAPPED FILES 229
 
18.11 TEMPORARY FILES 229
 
18.12 PHP 230
 
18.13 INCLUDES AND REMOTE FILES 230
 
18.14 FILE UPLOAD 232
 
18.15 OLD, UNREFERENCED FILES 234
 
18.16 SECOND ORDER INJECTION 234
 
18.17 FURTHER READING 235
 
18.18 FILE SYSTEM 235
 
'''19''' '''DISTRIBUTED COMPUTING 237'''
 
19.1 OBJECTIVE 237
 
19.2 ENVIRONMENTS AFFECTED 237
 
19.3 RELEVANT COBIT TOPICS 237
 
19.4 BEST PRACTICES 237
 
19.5 RACE CONDITIONS 237
 
19.6 DISTRIBUTED SYNCHRONIZATION 237
 
19.7 FURTHER READING 238
 
'''20''' '''BUFFER OVERFLOWS 239'''
 
20.1 OBJECTIVE 239
 
20.2 PLATFORMS AFFECTED 239
 
20.3 RELEVANT COBIT TOPICS 239
 
20.4 DESCRIPTION 239
 
20.5 GENERAL PREVENTION TECHNIQUES 240
 
20.6 STACK OVERFLOW 241
 
20.7 HEAP OVERFLOW 242
 
20.8 FORMAT STRING 243
 
20.9 UNICODE OVERFLOW 245
 
20.10 INTEGER OVERFLOW 246
 
20.11 FURTHER READING 247
 
'''21''' '''ADMINISTRATIVE INTERFACES 249'''
 
21.1 OBJECTIVE 249
 
21.2 ENVIRONMENTS AFFECTED 249
 
21.3 RELEVANT COBIT TOPICS 249
 
21.4 BEST PRACTICES 249
 
21.5 ADMINISTRATORS ARE NOT USERS 250
 
21.6 AUTHENTICATION FOR HIGH VALUE SYSTEMS 250
 
21.7 FURTHER READING 251
 
'''22''' '''CRYPTOGRAPHY 252'''
 
22.1 OBJECTIVE 252
 
22.2 PLATFORMS AFFECTED 252
 
22.3 RELEVANT COBIT TOPICS 252
 
22.4 DESCRIPTION 252
 
22.5 CRYPTOGRAPHIC FUNCTIONS 253
 
22.6 CRYPTOGRAPHIC ALGORITHMS 253
 
22.7 ALGORITHM SELECTION 255
 
22.8 KEY STORAGE 256
 
22.9 INSECURE TRANSMISSION OF SECRETS 258
 
22.10 REVERSIBLE AUTHENTICATION TOKENS 259
 
22.11 SAFE UUID GENERATION 260
 
22.12 SUMMARY 260
 
22.13 FURTHER READING 261
 
22.14 CRYPTOGRAPHY 261
 
'''23''' '''CONFIGURATION 266'''
 
23.1 OBJECTIVE 266
 
23.2 PLATFORMS AFFECTED 266
 
23.3 RELEVANT COBIT TOPICS 266
 
23.4 BEST PRACTICES 266
 
23.5 DEFAULT PASSWORDS 266
 
23.6 SECURE CONNECTION STRINGS 267
 
23.7 SECURE NETWORK TRANSMISSION 267
 
23.8 ENCRYPTED DATA 268
 
23.9 PHP CONFIGURATION 268
 
23.10 GLOBAL VARIABLES 268
 
23.11 REGISTER_GLOBALS 269
 
23.12 DATABASE SECURITY 272
 
23.13 FURTHER READING 273
 
23.14 COLDFUSION COMPONENTS (CFCS) 273
 
23.15 CONFIGURATION 274
 
'''24''' '''SOFTWARE QUALITY ASSURANCE 281'''
 
24.1 OBJECTIVE 281
 
24.2 PLATFORMS AFFECTED 281
 
24.3 BEST PRACTICES 281
 
24.4 PROCESS 283
 
24.5 METRICS 283
 
24.6 TESTING ACTIVITIES 284
 
'''25''' '''DEPLOYMENT 286'''
 
25.1 OBJECTIVE 286
 
25.2 PLATFORMS AFFECTED 286
 
25.3 BEST PRACTICES 286
 
25.4 RELEASE MANAGEMENT 287
 
25.5 SECURE DELIVERY OF CODE 287
 
25.6 CODE SIGNING 288
 
25.7 PERMISSIONS ARE SET TO LEAST PRIVILEGE 288
 
25.8 AUTOMATED PACKAGING 288
 
25.9 AUTOMATED DEPLOYMENT 289
 
25.10 AUTOMATED REMOVAL 289
 
25.11 NO BACKUP OR OLD FILES 289
 
25.12 UNNECESSARY FEATURES ARE OFF BY DEFAULT 289
 
25.13 SETUP LOG FILES ARE CLEAN 289
 
25.14 NO DEFAULT ACCOUNTS 290
 
25.15 EASTER EGGS 290
 
25.16 MALICIOUS SOFTWARE 291
 
25.17 FURTHER READING 292
 
'''26''' '''MAINTENANCE 294'''
 
26.1 OBJECTIVE 294
 
26.2 PLATFORMS AFFECTED 294
 
26.3 RELEVANT COBIT TOPICS 294
 
26.4 BEST PRACTICES 294
 
26.5 SECURITY INCIDENT RESPONSE 295
 
26.6 FIX SECURITY ISSUES CORRECTLY 295
 
26.7 UPDATE NOTIFICATIONS 296
 
26.8 REGULARLY CHECK PERMISSIONS 296
 
26.9 FURTHER READING 297
 
26.10 297
 
26.11 MAINTENANCE 297
 
'''27''' ''''''GNU FREE DOCUMENTATION LICENSE 301''''''
 
27.1 PREAMBLE 301
 
27.2 APPLICABILITY AND DEFINITIONS 301
 
27.3 VERBATIM COPYING 302
 
27.4 COPYING IN QUANTITY 303
 
27.5 MODIFICATIONS 303
 
27.6 COMBINING DOCUMENTS 305
 
27.7 COLLECTIONS OF DOCUMENTS 305
 
27.8 AGGREGATION WITH INDEPENDENT WORKS 306
 
27.9 TRANSLATION 306
 
27.10 TERMINATION 306
 
27.11 FUTURE REVISIONS OF THIS LICENSE 306
 

Latest revision as of 21:29, 30 July 2016

This historical page is now part of the OWASP archive.
This page contains content that is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were once valid but may now link to sites or pages that no longer exist.
Please use the newer Edition(s) like Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013

A Guide to Building Secure Web Applications and Web Services

2.1 (DRAFT 3) February 2006


OWASP Foundation

Frontispiece

Dedication

To my fellow procrastinators and TiVo addicts, this book proves that given enough "tomorrows", anything is possible. -- Andrew van der Stock

Copyright and license

© 2001 – 2006 OWASP Foundation. The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.

Editors

The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. Guide 2.x series editors:

Andrew van der Stock Adrian Wiesmann

Authors and Reviewers

The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:

  • Abraham Kang
  • Adrian Wiesmann
  • Amit Klein
  • Andrew van der Stock
  • Brian Greidanus
  • Christopher Todd
  • Darrel Grundy
  • Daniel Cornell
  • David Endler
  • Denis Pilipchuk
  • Dennis Groves
  • Derek Browne
  • Eoin Keary
  • Erick Lee
  • Ernesto Arroyo
  • Frank Lemmon
  • Gene McKenna
  • Hal Lockhart
  • Izhar By-Gad
  • Jeremy Poteet
  • José Pedro Arroyo
  • K.K. Mookhey
  • Kevin McLaughlin
  • Martin Eizner
  • Michael Howard
  • Michael Scovetta
  • Mikael Simonsson
  • Neal Krawetz
  • Nigel Tranter
  • Raoul Endres
  • Ray Stirbei
  • Richard Parke
  • Robert Hansen
  • Roy McNamara
  • Steve Taylor
  • Sverre Huseby
  • Tim Smith
  • William Hau

Revision History

Date Version Pages Notes July 26, 2005 2.0 Blackhat Edition 280 pages Andrew van der Stock, Guide Lead July 27, 2005 2.0.1 Blackhat Edition++ 293 pages Cryptography chapter review from Michael Howard incorporated September 12, 2005 2.1 DRAFT 1 X pages Changes from many sources New SQA chapter from Frank Lemmon January 2006 2.1 DRAFT 2 X pages Changes from Bill Pollock New chapters from Erick Lee New revisions from Dan Cornell February 2006 2.1 DRAFT 3 X pages Ajax chapter Many chapters back from reviewers

Date Version Pages Notes
July 26, 2005 2.0 Blackhat Edition 280 pages Andrew van der Stock, Guide Lead
July 27, 2005 2.0.1 Blackhat Edition++ 293 pages Cryptography chapter review

from Michael Howard incorporated

September 12, 2005 2.1 DRAFT 1 X pages Changes from many sources

New SQA chapter from Frank Lemmon

January 2006 2.1 DRAFT 2 X pages Changes from Bill Pollock

New chapters from Erick Lee New revisions from Dan Cornell

February 2006 2.1 DRAFT 3 X pages Ajax chapter

Many chapters back from reviewers


Table of Contents

Guide:Table of Contents

Retrieved from "https://wiki.owasp.org/index.php?title=Guide:Frontispiece&oldid=219721"