This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Guide Table of Contents"
From OWASP
Weilin Zhong (talk | contribs) |
Weilin Zhong (talk | contribs) |
||
| Line 1: | Line 1: | ||
=[[Guide Frontispiece|Frontispiece]]= | =[[Guide Frontispiece|Frontispiece]]= | ||
| + | ## Dedication | ||
| + | ## Copyright and license | ||
| + | ## Editors | ||
| + | ## Authors and Reviewers | ||
| + | ## Revision History | ||
| + | =[[About The Open Web Application Security Project]]= | ||
| + | ##Structure and Licensing | ||
| + | ##Participation and Membership | ||
| + | ##Projects | ||
| + | =[[Guide Introduction | Introduction]]= | ||
| + | ##Developing Secure Applications | ||
| + | ##Improvements in this edition | ||
| + | ##How to use this Guide | ||
| + | ##Updates and errata | ||
| + | ##With thanks | ||
| + | =[[What are web applications?]]= | ||
| + | ##Technologies | ||
| + | ##First generation – CGI | ||
| + | ##Filters | ||
| + | ##Scripting | ||
| + | ##Web application frameworks – J | ||
| + | ##Small to medium scale applications | ||
| + | ##Large scale applications | ||
| + | ##View | ||
| + | ##Controller | ||
| + | ##Model | ||
| + | ##Conclusion | ||
| + | =[[Policy Frameworks]]= | ||
| + | ##Organizational commitment to security | ||
| + | ##OWASP’s Place at the Framework table | ||
| + | ##Development Methodology | ||
| + | ##Coding Standards | ||
| + | ##Source Code Control | ||
| + | ##Summary | ||
| + | =[[Secure Coding Principles]]= | ||
| + | ##Asset Classification | ||
| + | ##About attackers | ||
| + | ##Core pillars of information security | ||
| + | ##Security Architecture | ||
| + | ##Security Principles | ||
| + | =[[Threat Risk Modeling]]= | ||
| + | ##Threat Risk Modeling | ||
| + | ##Performing threat risk modeling using the Microsoft Threat Modeling Process | ||
| + | ##Alternative Threat Modeling Systems | ||
| + | ##Trike | ||
| + | ##AS/NZS | ||
| + | ##CVSS | ||
| + | ##OCTAVE | ||
| + | ##Conclusion | ||
| + | ##Further Reading | ||
| + | =[[Handling E-Commerce Payments]]= | ||
| + | ##Objectives | ||
| + | ##Compliance and Laws | ||
| + | ##PCI Compliance | ||
| + | ##Handling Credit Cards | ||
| + | ##Further Reading | ||
| + | =[[Phishing]]= | ||
| + | ##What is phishing? | ||
| + | ##User Education | ||
| + | ##Make it easy for your users to report scams | ||
| + | ##Communicating with customers via e-mail | ||
| + | ##Never ask your customers for their secrets | ||
| + | ##Fix all your XSS issues | ||
| + | ##Do not use pop-ups | ||
| + | ##Don’t be framed | ||
| + | ##Move your application one link away from your front page | ||
| + | ##Enforce local referrers for images and other resources | ||
| + | ##Keep the address bar, use SSL, do not use IP addresses | ||
| + | ##Don’t be the source of identity theft | ||
| + | ##Implement safe-guards within your application | ||
| + | ##Monitor unusual account activity | ||
| + | ##Get the phishing target servers offline pronto | ||
| + | ##Take control of the fraudulent domain name | ||
| + | ##Work with law enforcement | ||
| + | ##When an attack happens | ||
| + | ##Further Reading | ||
| + | =[[Web Services]]= | ||
| + | ##Securing Web Services | ||
| + | ##Communication security | ||
| + | ##Passing credentials | ||
| + | ##Ensuring message freshness | ||
| + | ##Protecting message integrity | ||
| + | ##Protecting message confidentiality | ||
| + | ##Access control | ||
| + | ##Audit | ||
| + | ##Web Services Security Hierarchy | ||
| + | ##SOAP | ||
| + | ##WS-Security Standard | ||
| + | ##WS-Security Building Blocks | ||
| + | ##Communication Protection Mechanisms | ||
| + | ##Access Control Mechanisms | ||
| + | ##Forming Web Service Chains | ||
| + | ##Available Implementations | ||
| + | ##Problems | ||
| + | ##Further Reading | ||
| + | =[[Ajax and Other "Rich" Interface Technologies]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Architecture | ||
| + | ##Access control: Authentication and Authorization | ||
| + | ##Silent transactional authorization | ||
| + | ##Untrusted or absent session data | ||
| + | ##State management | ||
| + | ##Tamper resistance | ||
| + | ##Privacy | ||
| + | ##Proxy Façade | ||
| + | ##SOAP Injection Attacks | ||
| + | ##XMLRPC Injection Attacks | ||
| + | ##DOM Injection Attacks | ||
| + | ##XML Injection Attacks | ||
| + | ##JSON (Javascript Object Notation) Injection Attacks | ||
| + | ##Encoding safety | ||
| + | ##Auditing | ||
| + | ##Error Handling | ||
| + | ##Accessibility | ||
| + | ##Further Reading | ||
| + | =[[Authentication]]= | ||
| + | ##Objective | ||
| + | ##Environments Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Best Practices | ||
| + | ##Common web authentication techniques | ||
| + | ##Strong Authentication | ||
| + | ##Federated Authentication | ||
| + | ##Client side authentication controls | ||
| + | ##Positive Authentication | ||
| + | ##Multiple Key Lookups | ||
| + | ##Referer Checks | ||
| + | ##Browser remembers passwords | ||
| + | ##Default accounts | ||
| + | ##Choice of usernames | ||
| + | ##Change passwords | ||
| + | ##Short passwords | ||
| + | ##Weak password controls | ||
| + | ##Reversible password encryption | ||
| + | ##Automated password resets | ||
| + | ##Brute Force | ||
| + | ##Remember Me | ||
| + | ##Idle Timeouts | ||
| + | ##Logout | ||
| + | ##Account Expiry | ||
| + | ##Self registration | ||
| + | ##CAPTCHA | ||
| + | ##Further Reading | ||
| + | ##Authentication | ||
| + | =[[Authorization]]= | ||
| + | ##Objectives | ||
| + | ##Environments Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Best Practices | ||
| + | ##Best Practices in Action | ||
| + | ##Principle of least privilege | ||
| + | ##Centralized authorization routines | ||
| + | ##Authorization matrix | ||
| + | ##Controlling access to protected resources | ||
| + | ##Protecting access to static resources | ||
| + | ##Reauthorization for high value activities or after idle out | ||
| + | ##Time based authorization | ||
| + | ##Be cautious of custom authorization controls | ||
| + | ##Never implement client-side authorization tokens | ||
| + | ##Further Reading | ||
| + | =[[Session Management]]= | ||
| + | ##Objective | ||
| + | ##Environments Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Description | ||
| + | ##Best practices | ||
| + | ##Exposed Session Variables | ||
| + | ##Page and Form Tokens | ||
| + | ##Weak Session Cryptographic Algorithms | ||
| + | ##Session Token Entropy | ||
| + | ##Session Time-out | ||
| + | ##Regeneration of Session Tokens | ||
| + | ##Session Forging/Brute-Forcing Detection and/or Lockout | ||
| + | ##Session Token Capture and Session Hijacking | ||
| + | ##Session Tokens on Logout | ||
| + | ##Session Validation Attacks | ||
| + | ##PHP | ||
| + | ##Sessions | ||
| + | ##Further Reading | ||
| + | ##Session Management | ||
| + | =[[Data Validation]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Description | ||
| + | ##Definitions | ||
| + | ##Where to include integrity checks | ||
| + | ##Where to include validation | ||
| + | ##Where to include business rule validation | ||
| + | ##Data Validation Strategies | ||
| + | ##Prevent parameter tampering | ||
| + | ##Hidden fields | ||
| + | ##ASP.NET Viewstate | ||
| + | ##URL encoding | ||
| + | ##HTML encoding | ||
| + | ##Encoded strings | ||
| + | ##Data Validation and Interpreter Injection | ||
| + | ##Delimiter and special characters | ||
| + | ##Further Reading | ||
| + | =[[Interpreter Injection]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##User Agent Injection | ||
| + | ##HTTP Response Splitting | ||
| + | ##SQL Injection | ||
| + | ##ORM Injection | ||
| + | ##LDAP Injection | ||
| + | ##XML Injection | ||
| + | ##Code Injection | ||
| + | ##Further Reading | ||
| + | ##SQL-injection | ||
| + | ##Code Injection | ||
| + | ##Command injection | ||
| + | =[[Canoncalization, locale and Unicode]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Description | ||
| + | ##Unicode | ||
| + | ##http://www.ietf.org/rfc/rfc## | ||
| + | ##Input Formats | ||
| + | ##Locale assertion | ||
| + | ##Double (or n-) encoding | ||
| + | ## HTTP Request Smuggling | ||
| + | ## Further Reading | ||
| + | =[[Error Handling, Auditing and Logging]]= | ||
| + | ##Objective | ||
| + | ##Environments Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Description | ||
| + | ##Best practices | ||
| + | ##Error Handling | ||
| + | ##Detailed error messages | ||
| + | ##Logging | ||
| + | ##Noise | ||
| + | ##Cover Tracks | ||
| + | ##False Alarms | ||
| + | ##Destruction | ||
| + | ##Audit Trails | ||
| + | ##Further Reading | ||
| + | ##Error Handling and Logging | ||
| + | =[[File System]]= | ||
| + | ##Objective | ||
| + | ##Environments Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Description | ||
| + | ##Best Practices | ||
| + | ##Defacement | ||
| + | ##Path traversal | ||
| + | ##Insecure permissions | ||
| + | ##Insecure Indexing | ||
| + | ##Unmapped files | ||
| + | ##Temporary files | ||
| + | ##PHP | ||
| + | ##Includes and Remote files | ||
| + | ##File upload | ||
| + | ##Old, unreferenced files | ||
| + | ##Second Order Injection | ||
| + | ##Further Reading | ||
| + | ##File System | ||
| + | =[[Distributed Computing]]= | ||
| + | ##Objective | ||
| + | ##Environments Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Best Practices | ||
| + | ##Race conditions | ||
| + | ##Distributed synchronization | ||
| + | ##Further Reading | ||
| + | =[[Buffer Overflows]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Description | ||
| + | ##General Prevention Techniques | ||
| + | ##Stack Overflow | ||
| + | ##Heap Overflow | ||
| + | ##Format String | ||
| + | ##Unicode Overflow | ||
| + | ##Integer Overflow | ||
| + | ##Further reading | ||
| + | =[[Administrative Interface]]= | ||
| + | ##Objective | ||
| + | ##Environments Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Best practices | ||
| + | ##Administrators are not users | ||
| + | ##Authentication for high value systems | ||
| + | ##Further Reading | ||
| + | =[[Cryptography]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Description | ||
| + | ##Cryptographic Functions | ||
| + | ##Cryptographic Algorithms | ||
| + | ##Algorithm Selection | ||
| + | ##Key Storage | ||
| + | ##Insecure transmission of secrets | ||
| + | ##Reversible Authentication Tokens | ||
| + | ##Safe UUID generation | ||
| + | ##Summary | ||
| + | ##Further Reading | ||
| + | ##Cryptography | ||
| + | =[[Configuration]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Best Practices | ||
| + | ##Default passwords | ||
| + | ##Secure connection strings | ||
| + | ##Secure network transmission | ||
| + | ##Encrypted data | ||
| + | ##PHP Configuration | ||
| + | ##Global variables | ||
| + | ##register_globals | ||
| + | ##Database security | ||
| + | ##Further Reading | ||
| + | ##ColdFusion Components (CFCs) | ||
| + | ##Configuration | ||
| + | =[[Software Quality Assurance]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Best practices | ||
| + | ##Process | ||
| + | ##Metrics | ||
| + | ##Testing Activities | ||
| + | =[[Deployment]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Best Practices | ||
| + | ##Release Management | ||
| + | ##Secure delivery of code | ||
| + | ##Code signing | ||
| + | ##Permissions are set to least privilege | ||
| + | ##Automated packaging | ||
| + | ##Automated deployment | ||
| + | ##Automated removal | ||
| + | ##No backup or old files | ||
| + | ##Unnecessary features are off by default | ||
| + | ##Setup log files are clean | ||
| + | ##No default accounts | ||
| + | ##Easter eggs | ||
| + | ##Malicious software | ||
| + | ##Further Reading | ||
| + | =[[Maintenance]]= | ||
| + | ##Objective | ||
| + | ##Platforms Affected | ||
| + | ##Relevant COBIT Topics | ||
| + | ##Best Practices | ||
| + | ##Security Incident Response | ||
| + | ##Fix Security Issues Correctly | ||
| + | ##Update Notifications | ||
| + | ##Regularly check permissions | ||
| + | ##Further Reading | ||
| + | ##Maintenance | ||
| + | =[[GNU Free Documentation License]]= | ||
| + | ##PREAMBLE | ||
| + | ##APPLICABILITY AND DEFINITIONS | ||
| + | ##VERBATIM COPYING | ||
| + | ##COPYING IN QUANTITY | ||
| + | ##MODIFICATIONS | ||
| + | ##COMBINING DOCUMENTS | ||
| + | ##COLLECTIONS OF DOCUMENTS | ||
| + | ##AGGREGATION WITH INDEPENDENT WORKS | ||
| + | ##TRANSLATION | ||
| + | ##TERMINATION | ||
| + | ##FUTURE REVISIONS OF THIS LICENSE | ||
| − | + | [[Category OWASP Guide Project]] | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 12:47, 22 May 2006
Frontispiece
## Dedication ## Copyright and license ## Editors ## Authors and Reviewers ## Revision History =About The Open Web Application Security Project= ##Structure and Licensing ##Participation and Membership ##Projects = Introduction= ##Developing Secure Applications ##Improvements in this edition ##How to use this Guide ##Updates and errata ##With thanks =What are web applications?= ##Technologies ##First generation – CGI ##Filters ##Scripting ##Web application frameworks – J ##Small to medium scale applications ##Large scale applications ##View ##Controller ##Model ##Conclusion =Policy Frameworks= ##Organizational commitment to security ##OWASP’s Place at the Framework table ##Development Methodology ##Coding Standards ##Source Code Control ##Summary =Secure Coding Principles= ##Asset Classification ##About attackers ##Core pillars of information security ##Security Architecture ##Security Principles =Threat Risk Modeling= ##Threat Risk Modeling ##Performing threat risk modeling using the Microsoft Threat Modeling Process ##Alternative Threat Modeling Systems ##Trike ##AS/NZS ##CVSS ##OCTAVE ##Conclusion ##Further Reading =Handling E-Commerce Payments= ##Objectives ##Compliance and Laws ##PCI Compliance ##Handling Credit Cards ##Further Reading =Phishing= ##What is phishing? ##User Education ##Make it easy for your users to report scams ##Communicating with customers via e-mail ##Never ask your customers for their secrets ##Fix all your XSS issues ##Do not use pop-ups ##Don’t be framed ##Move your application one link away from your front page ##Enforce local referrers for images and other resources ##Keep the address bar, use SSL, do not use IP addresses ##Don’t be the source of identity theft ##Implement safe-guards within your application ##Monitor unusual account activity ##Get the phishing target servers offline pronto ##Take control of the fraudulent domain name ##Work with law enforcement ##When an attack happens ##Further Reading =Web Services= ##Securing Web Services ##Communication security ##Passing credentials ##Ensuring message freshness ##Protecting message integrity ##Protecting message confidentiality ##Access control ##Audit ##Web Services Security Hierarchy ##SOAP ##WS-Security Standard ##WS-Security Building Blocks ##Communication Protection Mechanisms ##Access Control Mechanisms ##Forming Web Service Chains ##Available Implementations ##Problems ##Further Reading =Ajax and Other "Rich" Interface Technologies= ##Objective ##Platforms Affected ##Architecture ##Access control: Authentication and Authorization ##Silent transactional authorization ##Untrusted or absent session data ##State management ##Tamper resistance ##Privacy ##Proxy Façade ##SOAP Injection Attacks ##XMLRPC Injection Attacks ##DOM Injection Attacks ##XML Injection Attacks ##JSON (Javascript Object Notation) Injection Attacks ##Encoding safety ##Auditing ##Error Handling ##Accessibility ##Further Reading =Authentication= ##Objective ##Environments Affected ##Relevant COBIT Topics ##Best Practices ##Common web authentication techniques ##Strong Authentication ##Federated Authentication ##Client side authentication controls ##Positive Authentication ##Multiple Key Lookups ##Referer Checks ##Browser remembers passwords ##Default accounts ##Choice of usernames ##Change passwords ##Short passwords ##Weak password controls ##Reversible password encryption ##Automated password resets ##Brute Force ##Remember Me ##Idle Timeouts ##Logout ##Account Expiry ##Self registration ##CAPTCHA ##Further Reading ##Authentication =Authorization= ##Objectives ##Environments Affected ##Relevant COBIT Topics ##Best Practices ##Best Practices in Action ##Principle of least privilege ##Centralized authorization routines ##Authorization matrix ##Controlling access to protected resources ##Protecting access to static resources ##Reauthorization for high value activities or after idle out ##Time based authorization ##Be cautious of custom authorization controls ##Never implement client-side authorization tokens ##Further Reading =Session Management= ##Objective ##Environments Affected ##Relevant COBIT Topics ##Description ##Best practices ##Exposed Session Variables ##Page and Form Tokens ##Weak Session Cryptographic Algorithms ##Session Token Entropy ##Session Time-out ##Regeneration of Session Tokens ##Session Forging/Brute-Forcing Detection and/or Lockout ##Session Token Capture and Session Hijacking ##Session Tokens on Logout ##Session Validation Attacks ##PHP ##Sessions ##Further Reading ##Session Management =Data Validation= ##Objective ##Platforms Affected ##Relevant COBIT Topics ##Description ##Definitions ##Where to include integrity checks ##Where to include validation ##Where to include business rule validation ##Data Validation Strategies ##Prevent parameter tampering ##Hidden fields ##ASP.NET Viewstate ##URL encoding ##HTML encoding ##Encoded strings ##Data Validation and Interpreter Injection ##Delimiter and special characters ##Further Reading =Interpreter Injection= ##Objective ##Platforms Affected ##Relevant COBIT Topics ##User Agent Injection ##HTTP Response Splitting ##SQL Injection ##ORM Injection ##LDAP Injection ##XML Injection ##Code Injection ##Further Reading ##SQL-injection ##Code Injection ##Command injection =Canoncalization, locale and Unicode= ##Objective ##Platforms Affected ##Relevant COBIT Topics ##Description ##Unicode ##http://www.ietf.org/rfc/rfc## ##Input Formats ##Locale assertion ##Double (or n-) encoding ## HTTP Request Smuggling ## Further Reading =Error Handling, Auditing and Logging= ##Objective ##Environments Affected ##Relevant COBIT Topics ##Description ##Best practices ##Error Handling ##Detailed error messages ##Logging ##Noise ##Cover Tracks ##False Alarms ##Destruction ##Audit Trails ##Further Reading ##Error Handling and Logging =File System= ##Objective ##Environments Affected ##Relevant COBIT Topics ##Description ##Best Practices ##Defacement ##Path traversal ##Insecure permissions ##Insecure Indexing ##Unmapped files ##Temporary files ##PHP ##Includes and Remote files ##File upload ##Old, unreferenced files ##Second Order Injection ##Further Reading ##File System =Distributed Computing= ##Objective ##Environments Affected ##Relevant COBIT Topics ##Best Practices ##Race conditions ##Distributed synchronization ##Further Reading =Buffer Overflows= ##Objective ##Platforms Affected ##Relevant COBIT Topics ##Description ##General Prevention Techniques ##Stack Overflow ##Heap Overflow ##Format String ##Unicode Overflow ##Integer Overflow ##Further reading =Administrative Interface= ##Objective ##Environments Affected ##Relevant COBIT Topics ##Best practices ##Administrators are not users ##Authentication for high value systems ##Further Reading =Cryptography= ##Objective ##Platforms Affected ##Relevant COBIT Topics ##Description ##Cryptographic Functions ##Cryptographic Algorithms ##Algorithm Selection ##Key Storage ##Insecure transmission of secrets ##Reversible Authentication Tokens ##Safe UUID generation ##Summary ##Further Reading ##Cryptography =Configuration= ##Objective ##Platforms Affected ##Relevant COBIT Topics ##Best Practices ##Default passwords ##Secure connection strings ##Secure network transmission ##Encrypted data ##PHP Configuration ##Global variables ##register_globals ##Database security ##Further Reading ##ColdFusion Components (CFCs) ##Configuration =Software Quality Assurance= ##Objective ##Platforms Affected ##Best practices ##Process ##Metrics ##Testing Activities =Deployment= ##Objective ##Platforms Affected ##Best Practices ##Release Management ##Secure delivery of code ##Code signing ##Permissions are set to least privilege ##Automated packaging ##Automated deployment ##Automated removal ##No backup or old files ##Unnecessary features are off by default ##Setup log files are clean ##No default accounts ##Easter eggs ##Malicious software ##Further Reading =Maintenance= ##Objective ##Platforms Affected ##Relevant COBIT Topics ##Best Practices ##Security Incident Response ##Fix Security Issues Correctly ##Update Notifications ##Regularly check permissions ##Further Reading ##Maintenance =GNU Free Documentation License= ##PREAMBLE ##APPLICABILITY AND DEFINITIONS ##VERBATIM COPYING ##COPYING IN QUANTITY ##MODIFICATIONS ##COMBINING DOCUMENTS ##COLLECTIONS OF DOCUMENTS ##AGGREGATION WITH INDEPENDENT WORKS ##TRANSLATION ##TERMINATION ##FUTURE REVISIONS OF THIS LICENSE
