Latest revision as of 21:42, 26 January 2007

@@ Line 1: / Line 1: @@
-=[[Guide Frontispiece|Frontispiece]]
+=[[Guide Frontispiece|Frontispiece]]=
-== Dedication
+#Dedication
-== Copyright and license
+#Copyright and license
-== Editors
+#Editors
-== Authors and Reviewers
+#Authors and Reviewers
-== Revision History
+#Revision History
-=[[About The Open Web Application Security Project]]
+=[[About The Open Web Application Security Project]]=
-==Structure and Licensing
+#Structure and Licensing
-==Participation and Membership
+#Participation and Membership
-==Projects
+#Projects
-=[[Guide Introduction | Introduction]]
+=[[Guide Introduction | Introduction]]=
-==Developing Secure Applications
+#Developing Secure Applications
-==Improvements in this edition
+#Improvements in this edition
-==How to use this Guide
+#How to use this Guide
-==Updates and errata
+#Updates and errata
-==With thanks
+#With thanks
-=[[What are web applications?]]
+=[[What are web applications?]]=
-==Technologies
+#Technologies
-==First generation – CGI
+#First generation – CGI
-==Filters
+#Filters
-==Scripting
+#Scripting
-==Web application frameworks – J
+#Web application frameworks – J
-==Small to medium scale applications
+#Small to medium scale applications
-==Large scale applications
+#Large scale applications
-==View
+#View
-==Controller
+#Controller
-==Model
+#Model
-==Conclusion
+#Conclusion
-=[[Policy Frameworks]]
+=[[Policy Frameworks]]=
-==Organizational commitment to security
+#Organizational commitment to security
-==OWASP’s Place at the Framework table
+#OWASP’s Place at the Framework table
-==Development Methodology
+#Development Methodology
-==Coding Standards
+#Coding Standards
-==Source Code Control
+#Source Code Control
-==Summary
+#Summary
-=[[Secure Coding Principles]]
+=[[Secure Coding Principles]]=
-==Asset Classification
+#Asset Classification
-==About attackers
+#About attackers
-==Core pillars of information security
+#Core pillars of information security
-==Security Architecture
+#Security Architecture
-==Security Principles
+#Security Principles
-=[[Threat Risk Modeling]]
+=[[Threat Risk Modeling]]=
-==Threat Risk Modeling
+#Threat Risk Modeling
-==Performing threat risk modeling using the Microsoft Threat Modeling Process
+#Performing threat risk modeling using the Microsoft Threat Modeling Process
-==Alternative Threat Modeling Systems
+#Alternative Threat Modeling Systems
-==Trike
+#Trike
-==AS/NZS
+#AS/NZS
-==CVSS
+#CVSS
-==OCTAVE
+#OCTAVE
-==Conclusion
+#Conclusion
-==Further Reading
+#Further Reading
-=[[Handling E-Commerce Payments]]
+=[[Handling E-Commerce Payments]]=
-==Objectives
+#Objectives
-==Compliance and Laws
+#Compliance and Laws
-==PCI Compliance
+#PCI Compliance
-==Handling Credit Cards
+#Handling Credit Cards
-==Further Reading
+#Further Reading
-=[[Phishing]]
+=[[Phishing]]=
-==What is phishing?
+#What is phishing?
-==User Education
+#User Education
-==Make it easy for your users to report scams
+#Make it easy for your users to report scams
-==Communicating with customers via e-mail
+#Communicating with customers via e-mail
-==Never ask your customers for their secrets
+#Never ask your customers for their secrets
-==Fix all your XSS issues
+#Fix all your XSS issues
-==Do not use pop-ups
+#Do not use pop-ups
-==Don’t be framed
+#Don’t be framed
-==Move your application one link away from your front page
+#Move your application one link away from your front page
-==Enforce local referrers for images and other resources
+#Enforce local referrers for images and other resources
-==Keep the address bar, use SSL, do not use IP addresses
+#Keep the address bar, use SSL, do not use IP addresses
-==Don’t be the source of identity theft
+#Don’t be the source of identity theft
-==Implement safe-guards within your application
+#Implement safe-guards within your application
-==Monitor unusual account activity
+#Monitor unusual account activity
-==Get the phishing target servers offline pronto
+#Get the phishing target servers offline pronto
-==Take control of the fraudulent domain name
+#Take control of the fraudulent domain name
-==Work with law enforcement
+#Work with law enforcement
-==When an attack happens
+#When an attack happens
-==Further Reading
+#Further Reading
-=[[Web Services]]
+=[[Web Services]]=
-==Securing Web Services
+#Securing Web Services
-==Communication security
+#Communication security
-==Passing credentials
+#Passing credentials
-==Ensuring message freshness
+#Ensuring message freshness
-==Protecting message integrity
+#Protecting message integrity
-==Protecting message confidentiality
+#Protecting message confidentiality
-==Access control
+#Access control
-==Audit
+#Audit
-==Web Services Security Hierarchy
+#Web Services Security Hierarchy
-==SOAP
+#SOAP
-==WS-Security Standard
+#WS-Security Standard
-==WS-Security Building Blocks
+#WS-Security Building Blocks
-==Communication Protection Mechanisms
+#Communication Protection Mechanisms
-==Access Control Mechanisms
+#Access Control Mechanisms
-==Forming Web Service Chains
+#Forming Web Service Chains
-==Available Implementations
+#Available Implementations
-==Problems
+#Problems
-==Further Reading
+#Further Reading
-=[[Ajax and Other "Rich" Interface Technologies]]
+=[[Ajax and Other "Rich" Interface Technologies]]=
-==Objective
+#Objective
-==Platforms Affected
+#Platforms Affected
-==Architecture
+#Architecture
-==Access control: Authentication and Authorization
+#Access control: Authentication and Authorization
-==Silent transactional authorization
+#Silent transactional authorization
-==Untrusted or absent session data
+#Untrusted or absent session data
-==State management
+#State management
-==Tamper resistance
+#Tamper resistance
-==Privacy
+#Privacy
-==Proxy Façade
+#Proxy Façade
-==SOAP Injection Attacks
+#SOAP Injection Attacks
-==XMLRPC Injection Attacks
+#XMLRPC Injection Attacks
-==DOM Injection Attacks
+#DOM Injection Attacks
-==XML Injection Attacks
+#XML Injection Attacks
-==JSON (Javascript Object Notation) Injection Attacks
+#JSON (Javascript Object Notation) Injection Attacks
-==Encoding safety
+#Encoding safety
-==Auditing
+#Auditing
-==Error Handling
+#Error Handling
-==Accessibility
+#Accessibility
-==Further Reading
+#Further Reading
-=[[Authentication]]
+=[[Guide to Authentication]]=
-==Objective
+#Objective
-==Environments Affected
+#Environments Affected
-==Relevant COBIT Topics
+#Relevant COBIT Topics
-==Best Practices
+#Best Practices
-==Common web authentication techniques
+#Common web authentication techniques
-==Strong Authentication
+#Strong Authentication
-==Federated Authentication
+#Federated Authentication
-==Client side authentication controls
+#Client side authentication controls
-==Positive Authentication
+#Positive Authentication
-==Multiple Key Lookups
+#Multiple Key Lookups
-==Referer Checks
+#Referer Checks
-==Browser remembers passwords
+#Browser remembers passwords
-==Default accounts
+#Default accounts
-==Choice of usernames
+#Choice of usernames
-==Change passwords
+#Change passwords
-==Short passwords
+#Short passwords
-==Weak password controls
+#Weak password controls
-==Reversible password encryption
+#Reversible password encryption
-==Automated password resets
+#Automated password resets
-==Brute Force
+#Brute Force
-==Remember Me
+#Remember Me
-==Idle Timeouts
+#Idle Timeouts
-==Logout
+#Logout
-==Account Expiry
+#Account Expiry
-==Self registration
+#Self registration
-==CAPTCHA
+#CAPTCHA
-==Further Reading
+#Further Reading
-==Authentication
+#Authentication
-=[[Authorization]]
-==Objectives
+=[[Guide to Authorization]]=
-==Environments Affected
+#Objectives
-==Relevant COBIT Topics
+#Environments Affected
-==Best Practices
+#Relevant COBIT Topics
-==Best Practices in Action
+#Best Practices
-==Principle of least privilege
+#Best Practices in Action
-==Centralized authorization routines
+#Principle of least privilege
-==Authorization matrix
+#Centralized authorization routines
-==Controlling access to protected resources
+#Authorization matrix
-==Protecting access to static resources
+#Controlling access to protected resources
-==Reauthorization for high value activities or after idle out
+#Protecting access to static resources
-==Time based authorization
+#Reauthorization for high value activities or after idle out
-==Be cautious of custom authorization controls
+#Time based authorization
-==Never implement client-side authorization tokens
+#Be cautious of custom authorization controls
-==Further Reading
+#Never implement client-side authorization tokens
-=[[Session Management]]
+#Further Reading
-==Objective
-==Environments Affected
+=[[Session Management]]=
-==Relevant COBIT Topics
+#Objective
-==Description
+#Environments Affected
-==Best practices
+#Relevant COBIT Topics
-==Exposed Session Variables
+#Description
-==Page and Form Tokens
+#Best practices
-==Weak Session Cryptographic Algorithms
+#Exposed Session Variables
-==Session Token Entropy
+#Page and Form Tokens
-==Session Time-out
+#Weak Session Cryptographic Algorithms
-==Regeneration of Session Tokens
+#Session Token Entropy
-==Session Forging/Brute-Forcing Detection and/or Lockout
+#Session Time-out
-==Session Token Capture and Session Hijacking
+#Regeneration of Session Tokens
-==Session Tokens on Logout
+#Session Forging/Brute-Forcing Detection and/or Lockout
-==Session Validation Attacks
+#Session Token Capture and Session Hijacking
-==PHP
+#Session Tokens on Logout
-==Sessions
+#Session Validation Attacks
-==Further Reading
+#PHP
-==Session Management
+#Sessions
-=[[Data Validation]]
+#Further Reading
-==Objective
+#Session Management
-==Platforms Affected
+=[[Data Validation]]=
-==Relevant COBIT Topics
+#Objective
-==Description
+#Platforms Affected
-==Definitions
+#Relevant COBIT Topics
-==Where to include integrity checks
+#Description
-==Where to include validation
+#Definitions
-==Where to include business rule validation
+#Where to include integrity checks
-==Data Validation Strategies
+#Where to include validation
-==Prevent parameter tampering
+#Where to include business rule validation
-==Hidden fields
+#Data Validation Strategies
-==ASP.NET Viewstate
+#Prevent parameter tampering
-==URL encoding
+#Hidden fields
-==HTML encoding
+#ASP.NET Viewstate
-==Encoded strings
+#URL encoding
-==Data Validation and Interpreter Injection
+#HTML encoding
-==Delimiter and special characters
+#Encoded strings
-==Further Reading
+#Data Validation and Interpreter Injection
-=[[Interpreter Injection]]
+#Delimiter and special characters
-==Objective
+#Further Reading
-==Platforms Affected
+=[[Interpreter Injection]]=
-==Relevant COBIT Topics
+#Objective
-==User Agent Injection
+#Platforms Affected
-==HTTP Response Splitting
+#Relevant COBIT Topics
-==SQL Injection
+#User Agent Injection
-==ORM Injection
+#HTTP Response Splitting
-==LDAP Injection
+#SQL Injection
-==XML Injection
+#ORM Injection
-==Code Injection
+#LDAP Injection
-==Further Reading
+#XML Injection
-==SQL-injection
+#Code Injection
-==Code Injection
+#Further Reading
-==Command injection
+#SQL-injection
-=[[Canoncalization, locale and Unicode]]
+#Code Injection
-==Objective
+#Command injection
-==Platforms Affected
+=[[Canonicalization, locale and Unicode]]=
-==Relevant COBIT Topics
+#Objective
-==Description
+#Platforms Affected
-==Unicode
+#Relevant COBIT Topics
-==http://www.ietf.org/rfc/rfc==
+#Description
-==Input Formats
+#Unicode
-==Locale assertion
+#http://www.ietf.org/rfc/rfc#
-==Double (or n-) encoding
+#Input Formats
-==	HTTP Request Smuggling
+#Locale assertion
-==	Further Reading
+#Double (or n-) encoding
-=[[Error Handling, Auditing and Logging]]
+#	HTTP Request Smuggling
-==Objective
+#	Further Reading
-==Environments Affected
-==Relevant COBIT Topics
+=[[Error Handling, Auditing and Logging]]=
-==Description
+#Objective
-==Best practices
+#Environments Affected
-==Error Handling
+#Relevant COBIT Topics
-==Detailed error messages
+#Description
-==Logging
+#Best practices
-==Noise
+#Error Handling
-==Cover Tracks
+#Detailed error messages
-==False Alarms
+#Logging
-==Destruction
+#Noise
-==Audit Trails
+#Cover Tracks
-==Further Reading
+#False Alarms
-==Error Handling and Logging
+#Destruction
-=[[File System]]
+#Audit Trails
-==Objective
+#Further Reading
-==Environments Affected
+#Error Handling and Logging
-==Relevant COBIT Topics
+=[[File System]]=
-==Description
+#Objective
-==Best Practices
+#Environments Affected
-==Defacement
+#Relevant COBIT Topics
-==Path traversal
+#Description
-==Insecure permissions
+#Best Practices
-==Insecure Indexing
+#Defacement
-==Unmapped files
+#Path traversal
-==Temporary files
+#Insecure permissions
-==PHP
+#Insecure Indexing
-==Includes and Remote files
+#Unmapped files
-==File upload
+#Temporary files
-==Old, unreferenced files
+#PHP
-==Second Order Injection
+#Includes and Remote files
-==Further Reading
+#File upload
-==File System
+#Old, unreferenced files
-=[[Distributed Computing]]
+#Second Order Injection
-==Objective
+#Further Reading
-==Environments Affected
+#File System
-==Relevant COBIT Topics
+=[[Distributed Computing]]=
-==Best Practices
+#Objective
-==Race conditions
+#Environments Affected
-==Distributed synchronization
+#Relevant COBIT Topics
-==Further Reading
+#Best Practices
-=[[Buffer Overflows]]
+#Race conditions
-==Objective
+#Distributed synchronization
-==Platforms Affected
+#Further Reading
-==Relevant COBIT Topics
+=[[Buffer Overflows]]=
-==Description
+#Objective
-==General Prevention Techniques
+#Platforms Affected
-==Stack Overflow
+#Relevant COBIT Topics
-==Heap Overflow
+#Description
-==Format String
+#General Prevention Techniques
-==Unicode Overflow
+#Stack Overflow
-==Integer Overflow
+#Heap Overflow
-==Further reading
+#Format String
-=[[Administrative Interface]]
+#Unicode Overflow
-==Objective
+#Integer Overflow
-==Environments Affected
+#Further reading
-==Relevant COBIT Topics
+=[[Administrative Interface]]=
-==Best practices
+#Objective
-==Administrators are not users
+#Environments Affected
-==Authentication for high value systems
+#Relevant COBIT Topics
-==Further Reading
+#Best practices
-=[[Cryptography]]
+#Administrators are not users
-==Objective
+#Authentication for high value systems
-==Platforms Affected
+#Further Reading
-==Relevant COBIT Topics
+=[[Guide to Cryptography]]=
-==Description
+#Objective
-==Cryptographic Functions
+#Platforms Affected
-==Cryptographic Algorithms
+#Relevant COBIT Topics
-==Algorithm Selection
+#Description
-==Key Storage
+#Cryptographic Functions
-==Insecure transmission of secrets
+#Cryptographic Algorithms
-==Reversible Authentication Tokens
+#Algorithm Selection
-==Safe UUID generation
+#Key Storage
-==Summary
+#Insecure transmission of secrets
-==Further Reading
+#Reversible Authentication Tokens
-==Cryptography
+#Safe UUID generation
-=[[Configuration]]
+#Summary
-==Objective
+#Further Reading
-==Platforms Affected
+#Cryptography
-==Relevant COBIT Topics
-==Best Practices
+=[[Configuration]]=
-==Default passwords
+#Objective
-==Secure connection strings
+#Platforms Affected
-==Secure network transmission
+#Relevant COBIT Topics
-==Encrypted data
+#Best Practices
-==PHP Configuration
+#Default passwords
-==Global variables
+#Secure connection strings
-==register_globals
+#Secure network transmission
-==Database security
+#Encrypted data
-==Further Reading
+#PHP Configuration
-==ColdFusion Components (CFCs)
+#Global variables
-==Configuration
+#register_globals
-=[[Software Quality Assurance]]
+#Database security
-==Objective
+#Further Reading
-==Platforms Affected
+#ColdFusion Components (CFCs)
-==Best practices
+#Configuration
-==Process
+=[[Software Quality Assurance]]=
-==Metrics
+#Objective
-==Testing Activities
+#Platforms Affected
-=[[Deployment]]
+#Best practices
-==Objective
+#Process
-==Platforms Affected
+#Metrics
-==Best Practices
+#Testing Activities
-==Release Management
+=[[Deployment]]=
-==Secure delivery of code
+#Objective
-==Code signing
+#Platforms Affected
-==Permissions are set to least privilege
+#Best Practices
-==Automated packaging
+#Release Management
-==Automated deployment
+#Secure delivery of code
-==Automated removal
+#Code signing
-==No backup or old files
+#Permissions are set to least privilege
-==Unnecessary features are off by default
+#Automated packaging
-==Setup log files are clean
+#Automated deployment
-==No default accounts
+#Automated removal
-==Easter eggs
+#No backup or old files
-==Malicious software
+#Unnecessary features are off by default
-==Further Reading
+#Setup log files are clean
-=[[Maintenance]]
+#No default accounts
-==Objective
+#Easter eggs
-==Platforms Affected
+#Malicious software
-==Relevant COBIT Topics
+#Further Reading
-==Best Practices
+=[[Maintenance]]=
-==Security Incident Response
+#Objective
-==Fix Security Issues Correctly
+#Platforms Affected
-==Update Notifications
+#Relevant COBIT Topics
-==Regularly check permissions
+#Best Practices
-==Further Reading
+#Security Incident Response
-==Maintenance
+#Fix Security Issues Correctly
-=[[GNU Free Documentation License]]
+#Update Notifications
-==PREAMBLE
+#Regularly check permissions
-==APPLICABILITY AND DEFINITIONS
+#Further Reading
-==VERBATIM COPYING
+#Maintenance
-==COPYING IN QUANTITY
+=[[GNU Free Documentation License]]=
-==MODIFICATIONS
+#PREAMBLE
-==COMBINING DOCUMENTS
+#APPLICABILITY AND DEFINITIONS
-==COLLECTIONS OF DOCUMENTS
+#VERBATIM COPYING
-==AGGREGATION WITH INDEPENDENT WORKS
+#COPYING IN QUANTITY
-==TRANSLATION
+#MODIFICATIONS
-==TERMINATION
+#COMBINING DOCUMENTS
-==FUTURE REVISIONS OF THIS LICENSE
+#COLLECTIONS OF DOCUMENTS
+#AGGREGATION WITH INDEPENDENT WORKS
+#TRANSLATION
+#TERMINATION
+#FUTURE REVISIONS OF THIS LICENSE
+=Reference=
+[[Category:OWASP_Guide_Project]]

Difference between revisions of "Guide Table of Contents"

Latest revision as of 21:42, 26 January 2007

Reference

Navigation menu

Search