Latest revision as of 21:42, 26 January 2007

@@ Line 1: / Line 1: @@
 =[[Guide Frontispiece|Frontispiece]]=
- ## Dedication
+#Dedication
- ## Copyright and license
+#Copyright and license
- ## Editors
+#Editors
- ## Authors and Reviewers
+#Authors and Reviewers
- ## Revision History
+#Revision History
 =[[About The Open Web Application Security Project]]=
- ##Structure and Licensing
+#Structure and Licensing
- ##Participation and Membership
+#Participation and Membership
- ##Projects
+#Projects
 =[[Guide Introduction | Introduction]]=
- ##Developing Secure Applications
+#Developing Secure Applications
- ##Improvements in this edition
+#Improvements in this edition
- ##How to use this Guide
+#How to use this Guide
- ##Updates and errata
+#Updates and errata
- ##With thanks
+#With thanks
- =[[What are web applications?]]=
+=[[What are web applications?]]=
- ##Technologies
+#Technologies
- ##First generation – CGI
+#First generation – CGI
- ##Filters
+#Filters
- ##Scripting
+#Scripting
- ##Web application frameworks – J
+#Web application frameworks – J
- ##Small to medium scale applications
+#Small to medium scale applications
- ##Large scale applications
+#Large scale applications
- ##View
+#View
- ##Controller
+#Controller
- ##Model
+#Model
- ##Conclusion
+#Conclusion
- =[[Policy Frameworks]]=
+=[[Policy Frameworks]]=
- ##Organizational commitment to security
+#Organizational commitment to security
- ##OWASP’s Place at the Framework table
+#OWASP’s Place at the Framework table
- ##Development Methodology
+#Development Methodology
- ##Coding Standards
+#Coding Standards
- ##Source Code Control
+#Source Code Control
- ##Summary
+#Summary
- =[[Secure Coding Principles]]=
+=[[Secure Coding Principles]]=
- ##Asset Classification
+#Asset Classification
- ##About attackers
+#About attackers
- ##Core pillars of information security
+#Core pillars of information security
- ##Security Architecture
+#Security Architecture
- ##Security Principles
+#Security Principles
- =[[Threat Risk Modeling]]=
+=[[Threat Risk Modeling]]=
- ##Threat Risk Modeling
+#Threat Risk Modeling
- ##Performing threat risk modeling using the Microsoft Threat Modeling Process
+#Performing threat risk modeling using the Microsoft Threat Modeling Process
- ##Alternative Threat Modeling Systems
+#Alternative Threat Modeling Systems
- ##Trike
+#Trike
- ##AS/NZS
+#AS/NZS
- ##CVSS
+#CVSS
- ##OCTAVE
+#OCTAVE
- ##Conclusion
+#Conclusion
- ##Further Reading
+#Further Reading
- =[[Handling E-Commerce Payments]]=
+=[[Handling E-Commerce Payments]]=
- ##Objectives
+#Objectives
- ##Compliance and Laws
+#Compliance and Laws
- ##PCI Compliance
+#PCI Compliance
- ##Handling Credit Cards
+#Handling Credit Cards
- ##Further Reading
+#Further Reading
- =[[Phishing]]=
+=[[Phishing]]=
- ##What is phishing?
+#What is phishing?
- ##User Education
+#User Education
- ##Make it easy for your users to report scams
+#Make it easy for your users to report scams
- ##Communicating with customers via e-mail
+#Communicating with customers via e-mail
- ##Never ask your customers for their secrets
+#Never ask your customers for their secrets
- ##Fix all your XSS issues
+#Fix all your XSS issues
- ##Do not use pop-ups
+#Do not use pop-ups
- ##Don’t be framed
+#Don’t be framed
- ##Move your application one link away from your front page
+#Move your application one link away from your front page
- ##Enforce local referrers for images and other resources
+#Enforce local referrers for images and other resources
- ##Keep the address bar, use SSL, do not use IP addresses
+#Keep the address bar, use SSL, do not use IP addresses
- ##Don’t be the source of identity theft
+#Don’t be the source of identity theft
- ##Implement safe-guards within your application
+#Implement safe-guards within your application
- ##Monitor unusual account activity
+#Monitor unusual account activity
- ##Get the phishing target servers offline pronto
+#Get the phishing target servers offline pronto
- ##Take control of the fraudulent domain name
+#Take control of the fraudulent domain name
- ##Work with law enforcement
+#Work with law enforcement
- ##When an attack happens
+#When an attack happens
- ##Further Reading
+#Further Reading
- =[[Web Services]]=
+=[[Web Services]]=
- ##Securing Web Services
+#Securing Web Services
- ##Communication security
+#Communication security
- ##Passing credentials
+#Passing credentials
- ##Ensuring message freshness
+#Ensuring message freshness
- ##Protecting message integrity
+#Protecting message integrity
- ##Protecting message confidentiality
+#Protecting message confidentiality
- ##Access control
+#Access control
- ##Audit
+#Audit
- ##Web Services Security Hierarchy
+#Web Services Security Hierarchy
- ##SOAP
+#SOAP
- ##WS-Security Standard
+#WS-Security Standard
- ##WS-Security Building Blocks
+#WS-Security Building Blocks
- ##Communication Protection Mechanisms
+#Communication Protection Mechanisms
- ##Access Control Mechanisms
+#Access Control Mechanisms
- ##Forming Web Service Chains
+#Forming Web Service Chains
- ##Available Implementations
+#Available Implementations
- ##Problems
+#Problems
- ##Further Reading
+#Further Reading
- =[[Ajax and Other "Rich" Interface Technologies]]=
+=[[Ajax and Other "Rich" Interface Technologies]]=
- ##Objective
+#Objective
- ##Platforms Affected
+#Platforms Affected
- ##Architecture
+#Architecture
- ##Access control: Authentication and Authorization
+#Access control: Authentication and Authorization
- ##Silent transactional authorization
+#Silent transactional authorization
- ##Untrusted or absent session data
+#Untrusted or absent session data
- ##State management
+#State management
- ##Tamper resistance
+#Tamper resistance
- ##Privacy
+#Privacy
- ##Proxy Façade
+#Proxy Façade
- ##SOAP Injection Attacks
+#SOAP Injection Attacks
- ##XMLRPC Injection Attacks
+#XMLRPC Injection Attacks
- ##DOM Injection Attacks
+#DOM Injection Attacks
- ##XML Injection Attacks
+#XML Injection Attacks
- ##JSON (Javascript Object Notation) Injection Attacks
+#JSON (Javascript Object Notation) Injection Attacks
- ##Encoding safety
+#Encoding safety
- ##Auditing
+#Auditing
- ##Error Handling
+#Error Handling
- ##Accessibility
+#Accessibility
- ##Further Reading
+#Further Reading
- =[[Authentication]]=
+=[[Guide to Authentication]]=
- ##Objective
+#Objective
- ##Environments Affected
+#Environments Affected
- ##Relevant COBIT Topics
+#Relevant COBIT Topics
- ##Best Practices
+#Best Practices
- ##Common web authentication techniques
+#Common web authentication techniques
- ##Strong Authentication
+#Strong Authentication
- ##Federated Authentication
+#Federated Authentication
- ##Client side authentication controls
+#Client side authentication controls
- ##Positive Authentication
+#Positive Authentication
- ##Multiple Key Lookups
+#Multiple Key Lookups
- ##Referer Checks
+#Referer Checks
- ##Browser remembers passwords
+#Browser remembers passwords
- ##Default accounts
+#Default accounts
- ##Choice of usernames
+#Choice of usernames
- ##Change passwords
+#Change passwords
- ##Short passwords
+#Short passwords
- ##Weak password controls
+#Weak password controls
- ##Reversible password encryption
+#Reversible password encryption
- ##Automated password resets
+#Automated password resets
- ##Brute Force
+#Brute Force
- ##Remember Me
+#Remember Me
- ##Idle Timeouts
+#Idle Timeouts
- ##Logout
+#Logout
- ##Account Expiry
+#Account Expiry
- ##Self registration
+#Self registration
- ##CAPTCHA
+#CAPTCHA
- ##Further Reading
+#Further Reading
- ##Authentication
+#Authentication
- =[[Authorization]]=
- ##Objectives
- ##Environments Affected
- ##Relevant COBIT Topics
- ##Best Practices
- ##Best Practices in Action
- ##Principle of least privilege
- ##Centralized authorization routines
- ##Authorization matrix
- ##Controlling access to protected resources
- ##Protecting access to static resources
- ##Reauthorization for high value activities or after idle out
- ##Time based authorization
- ##Be cautious of custom authorization controls
- ##Never implement client-side authorization tokens
- ##Further Reading
- =[[Session Management]]=
- ##Objective
- ##Environments Affected
- ##Relevant COBIT Topics
- ##Description
- ##Best practices
- ##Exposed Session Variables
- ##Page and Form Tokens
- ##Weak Session Cryptographic Algorithms
- ##Session Token Entropy
- ##Session Time-out
- ##Regeneration of Session Tokens
- ##Session Forging/Brute-Forcing Detection and/or Lockout
- ##Session Token Capture and Session Hijacking
- ##Session Tokens on Logout
- ##Session Validation Attacks
- ##PHP
- ##Sessions
- ##Further Reading
- ##Session Management
- =[[Data Validation]]=
- ##Objective
- ##Platforms Affected
- ##Relevant COBIT Topics
- ##Description
- ##Definitions
- ##Where to include integrity checks
- ##Where to include validation
- ##Where to include business rule validation
- ##Data Validation Strategies
- ##Prevent parameter tampering
- ##Hidden fields
- ##ASP.NET Viewstate
- ##URL encoding
- ##HTML encoding
- ##Encoded strings
- ##Data Validation and Interpreter Injection
- ##Delimiter and special characters
- ##Further Reading
- =[[Interpreter Injection]]=
- ##Objective
- ##Platforms Affected
- ##Relevant COBIT Topics
- ##User Agent Injection
- ##HTTP Response Splitting
- ##SQL Injection
- ##ORM Injection
- ##LDAP Injection
- ##XML Injection
- ##Code Injection
- ##Further Reading
- ##SQL-injection
- ##Code Injection
- ##Command injection
- =[[Canoncalization, locale and Unicode]]=
- ##Objective
- ##Platforms Affected
- ##Relevant COBIT Topics
- ##Description
- ##Unicode
- ##http://www.ietf.org/rfc/rfc##
- ##Input Formats
- ##Locale assertion
- ##Double (or n-) encoding
- ##	HTTP Request Smuggling
- ##	Further Reading
- =[[Error Handling, Auditing and Logging]]=
- ##Objective
- ##Environments Affected
- ##Relevant COBIT Topics
- ##Description
- ##Best practices
- ##Error Handling
- ##Detailed error messages
- ##Logging
- ##Noise
- ##Cover Tracks
- ##False Alarms
- ##Destruction
- ##Audit Trails
- ##Further Reading
- ##Error Handling and Logging
- =[[File System]]=
- ##Objective
- ##Environments Affected
- ##Relevant COBIT Topics
- ##Description
- ##Best Practices
- ##Defacement
- ##Path traversal
- ##Insecure permissions
- ##Insecure Indexing
- ##Unmapped files
- ##Temporary files
- ##PHP
- ##Includes and Remote files
- ##File upload
- ##Old, unreferenced files
- ##Second Order Injection
- ##Further Reading
- ##File System
- =[[Distributed Computing]]=
- ##Objective
- ##Environments Affected
- ##Relevant COBIT Topics
- ##Best Practices
- ##Race conditions
- ##Distributed synchronization
- ##Further Reading
- =[[Buffer Overflows]]=
- ##Objective
- ##Platforms Affected
- ##Relevant COBIT Topics
- ##Description
- ##General Prevention Techniques
- ##Stack Overflow
- ##Heap Overflow
- ##Format String
- ##Unicode Overflow
- ##Integer Overflow
- ##Further reading
- =[[Administrative Interface]]=
- ##Objective
- ##Environments Affected
- ##Relevant COBIT Topics
- ##Best practices
- ##Administrators are not users
- ##Authentication for high value systems
- ##Further Reading
- =[[Cryptography]]=
- ##Objective
- ##Platforms Affected
- ##Relevant COBIT Topics
- ##Description
- ##Cryptographic Functions
- ##Cryptographic Algorithms
- ##Algorithm Selection
- ##Key Storage
- ##Insecure transmission of secrets
- ##Reversible Authentication Tokens
- ##Safe UUID generation
- ##Summary
- ##Further Reading
- ##Cryptography
- =[[Configuration]]=
- ##Objective
- ##Platforms Affected
- ##Relevant COBIT Topics
- ##Best Practices
- ##Default passwords
- ##Secure connection strings
- ##Secure network transmission
- ##Encrypted data
- ##PHP Configuration
- ##Global variables
- ##register_globals
- ##Database security
- ##Further Reading
- ##ColdFusion Components (CFCs)
- ##Configuration
- =[[Software Quality Assurance]]=
- ##Objective
- ##Platforms Affected
- ##Best practices
- ##Process
- ##Metrics
- ##Testing Activities
- =[[Deployment]]=
- ##Objective
- ##Platforms Affected
- ##Best Practices
- ##Release Management
- ##Secure delivery of code
- ##Code signing
- ##Permissions are set to least privilege
- ##Automated packaging
- ##Automated deployment
- ##Automated removal
- ##No backup or old files
- ##Unnecessary features are off by default
- ##Setup log files are clean
- ##No default accounts
- ##Easter eggs
- ##Malicious software
- ##Further Reading
- =[[Maintenance]]=
- ##Objective
- ##Platforms Affected
- ##Relevant COBIT Topics
- ##Best Practices
- ##Security Incident Response
- ##Fix Security Issues Correctly
- ##Update Notifications
- ##Regularly check permissions
- ##Further Reading
- ##Maintenance
- =[[GNU Free Documentation License]]=
- ##PREAMBLE
- ##APPLICABILITY AND DEFINITIONS
- ##VERBATIM COPYING
- ##COPYING IN QUANTITY
- ##MODIFICATIONS
- ##COMBINING DOCUMENTS
- ##COLLECTIONS OF DOCUMENTS
- ##AGGREGATION WITH INDEPENDENT WORKS
- ##TRANSLATION
- ##TERMINATION
- ##FUTURE REVISIONS OF THIS LICENSE
-[[Category OWASP Guide Project]]
+=[[Guide to Authorization]]=
+#Objectives
+#Environments Affected
+#Relevant COBIT Topics
+#Best Practices
+#Best Practices in Action
+#Principle of least privilege
+#Centralized authorization routines
+#Authorization matrix
+#Controlling access to protected resources
+#Protecting access to static resources
+#Reauthorization for high value activities or after idle out
+#Time based authorization
+#Be cautious of custom authorization controls
+#Never implement client-side authorization tokens
+#Further Reading
+=[[Session Management]]=
+#Objective
+#Environments Affected
+#Relevant COBIT Topics
+#Description
+#Best practices
+#Exposed Session Variables
+#Page and Form Tokens
+#Weak Session Cryptographic Algorithms
+#Session Token Entropy
+#Session Time-out
+#Regeneration of Session Tokens
+#Session Forging/Brute-Forcing Detection and/or Lockout
+#Session Token Capture and Session Hijacking
+#Session Tokens on Logout
+#Session Validation Attacks
+#PHP
+#Sessions
+#Further Reading
+#Session Management
+=[[Data Validation]]=
+#Objective
+#Platforms Affected
+#Relevant COBIT Topics
+#Description
+#Definitions
+#Where to include integrity checks
+#Where to include validation
+#Where to include business rule validation
+#Data Validation Strategies
+#Prevent parameter tampering
+#Hidden fields
+#ASP.NET Viewstate
+#URL encoding
+#HTML encoding
+#Encoded strings
+#Data Validation and Interpreter Injection
+#Delimiter and special characters
+#Further Reading
+=[[Interpreter Injection]]=
+#Objective
+#Platforms Affected
+#Relevant COBIT Topics
+#User Agent Injection
+#HTTP Response Splitting
+#SQL Injection
+#ORM Injection
+#LDAP Injection
+#XML Injection
+#Code Injection
+#Further Reading
+#SQL-injection
+#Code Injection
+#Command injection
+=[[Canonicalization, locale and Unicode]]=
+#Objective
+#Platforms Affected
+#Relevant COBIT Topics
+#Description
+#Unicode
+#http://www.ietf.org/rfc/rfc#
+#Input Formats
+#Locale assertion
+#Double (or n-) encoding
+#	HTTP Request Smuggling
+#	Further Reading
+=[[Error Handling, Auditing and Logging]]=
+#Objective
+#Environments Affected
+#Relevant COBIT Topics
+#Description
+#Best practices
+#Error Handling
+#Detailed error messages
+#Logging
+#Noise
+#Cover Tracks
+#False Alarms
+#Destruction
+#Audit Trails
+#Further Reading
+#Error Handling and Logging
+=[[File System]]=
+#Objective
+#Environments Affected
+#Relevant COBIT Topics
+#Description
+#Best Practices
+#Defacement
+#Path traversal
+#Insecure permissions
+#Insecure Indexing
+#Unmapped files
+#Temporary files
+#PHP
+#Includes and Remote files
+#File upload
+#Old, unreferenced files
+#Second Order Injection
+#Further Reading
+#File System
+=[[Distributed Computing]]=
+#Objective
+#Environments Affected
+#Relevant COBIT Topics
+#Best Practices
+#Race conditions
+#Distributed synchronization
+#Further Reading
+=[[Buffer Overflows]]=
+#Objective
+#Platforms Affected
+#Relevant COBIT Topics
+#Description
+#General Prevention Techniques
+#Stack Overflow
+#Heap Overflow
+#Format String
+#Unicode Overflow
+#Integer Overflow
+#Further reading
+=[[Administrative Interface]]=
+#Objective
+#Environments Affected
+#Relevant COBIT Topics
+#Best practices
+#Administrators are not users
+#Authentication for high value systems
+#Further Reading
+=[[Guide to Cryptography]]=
+#Objective
+#Platforms Affected
+#Relevant COBIT Topics
+#Description
+#Cryptographic Functions
+#Cryptographic Algorithms
+#Algorithm Selection
+#Key Storage
+#Insecure transmission of secrets
+#Reversible Authentication Tokens
+#Safe UUID generation
+#Summary
+#Further Reading
+#Cryptography
+=[[Configuration]]=
+#Objective
+#Platforms Affected
+#Relevant COBIT Topics
+#Best Practices
+#Default passwords
+#Secure connection strings
+#Secure network transmission
+#Encrypted data
+#PHP Configuration
+#Global variables
+#register_globals
+#Database security
+#Further Reading
+#ColdFusion Components (CFCs)
+#Configuration
+=[[Software Quality Assurance]]=
+#Objective
+#Platforms Affected
+#Best practices
+#Process
+#Metrics
+#Testing Activities
+=[[Deployment]]=
+#Objective
+#Platforms Affected
+#Best Practices
+#Release Management
+#Secure delivery of code
+#Code signing
+#Permissions are set to least privilege
+#Automated packaging
+#Automated deployment
+#Automated removal
+#No backup or old files
+#Unnecessary features are off by default
+#Setup log files are clean
+#No default accounts
+#Easter eggs
+#Malicious software
+#Further Reading
+=[[Maintenance]]=
+#Objective
+#Platforms Affected
+#Relevant COBIT Topics
+#Best Practices
+#Security Incident Response
+#Fix Security Issues Correctly
+#Update Notifications
+#Regularly check permissions
+#Further Reading
+#Maintenance
+=[[GNU Free Documentation License]]=
+#PREAMBLE
+#APPLICABILITY AND DEFINITIONS
+#VERBATIM COPYING
+#COPYING IN QUANTITY
+#MODIFICATIONS
+#COMBINING DOCUMENTS
+#COLLECTIONS OF DOCUMENTS
+#AGGREGATION WITH INDEPENDENT WORKS
+#TRANSLATION
+#TERMINATION
+#FUTURE REVISIONS OF THIS LICENSE
+=Reference=
+[[Category:OWASP_Guide_Project]]

Difference between revisions of "Guide Table of Contents"

Latest revision as of 21:42, 26 January 2007

Reference

Navigation menu

Search