Guide:Frontispiece

A Guide to Building Secure Web Applications and Web Services

2.1 (DRAFT 3) February 2006

A Guide to Building Secure Web Applications and Web Services

2.1 (DRAFT 3) February 2006

OWASP Foundation

=========Frontispiece =========

Dedication

To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible. Andrew van der Stock

Copyright and license

© 2001 – 2006 OWASP Foundation. The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.

Editors

The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. Guide 2.x series editors:

Andrew van der Stock Adrian Wiesmann

Authors and Reviewers

The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:

Abraham Kang Adrian Wiesmann Amit Klein Andrew van der Stock Brian Greidanus Christopher Todd Darrel Grundy Daniel Cornell David Endler Denis Pilipchuk Dennis Groves Derek Browne Eoin Keary Erik Lee Ernesto Arroyo Frank Lemmon Gene McKenna Hal Lockhart Izhar By-Gad Jeremy Poteet José Pedro Arroyo K.K. Mookhey Kevin McLaughlin Martin Eizner Michael Howard Michael Scovetta Mikael Simonsson Neal Krawetz Nigel Tranter Raoul Endres Ray Stirbei Richard Parke Robert Hansen Roy McNamara Steve Taylor Sverre Huseby Tim Smith William Hau

Revision History

Date Version Pages Notes July 26, 2005 2.0 Blackhat Edition 280 pages Andrew van der Stock, Guide Lead July 27, 2005 2.0.1 Blackhat Edition++ 293 pages Cryptography chapter review from Michael Howard incorporated September 12, 2005 2.1 DRAFT 1 X pages Changes from many sources New SQA chapter from Frank Lemmon January 2006 2.1 DRAFT 2 X pages Changes from Bill Pollock New chapters from Erick Lee New revisions from Dan Cornell February 2006 2.1 DRAFT 3 X pages Ajax chapter Many chapters back from reviewers

Date	Version	Pages	Notes
July 26, 2005	2.0 Blackhat Edition	280 pages	Andrew van der Stock, Guide Lead
July 27, 2005	2.0.1 Blackhat Edition++	293 pages	Cryptography chapter review from Michael Howard incorporated
September 12, 2005	2.1 DRAFT 1	X pages	Changes from many sources New SQA chapter from Frank Lemmon
January 2006	2.1 DRAFT 2	X pages	Changes from Bill Pollock New chapters from Erick Lee New revisions from Dan Cornell
February 2006	2.1 DRAFT 3	X pages	Ajax chapter Many chapters back from reviewers

=========Table of Contents =========

1 ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT 13

1.1 Structure and Licensing 13

1.2 Participation and Membership 13

1.3 Projects 14

2 INTRODUCTION 15

2.1 Developing Secure Applications 15

2.2 Improvements in this edition 15

2.3 How to use this Guide 16

2.4 Updates and errata 16

2.5 With thanks 16

3 WHAT ARE WEB APPLICATIONS? 17

3.1 Technologies 18

3.2 First generation – CGI 18

3.3 Filters 18

3.4 Scripting 19

3.5 Web application frameworks – J2EE and ASP.NET 20

3.6 Small to medium scale applications 21

3.7 Large scale applications 22

3.8 View 22

3.9 Controller 22

3.10 Model 23

3.11 Conclusion 24

4 POLICY FRAMEWORKS 25

4.1 Organizational commitment to security 25

4.2 OWASP’s Place at the Framework table 26

4.3 Development Methodology 28

4.4 Coding Standards 29

4.5 Source Code Control 29

4.6 Summary 30

5 SECURE CODING PRINCIPLES 31

5.1 Asset Classification 31

5.2 About attackers 31

5.3 Core pillars of information security 32

5.4 Security Architecture 32

5.5 Security Principles 33

6 THREAT RISK MODELING 37

6.1 Threat Risk Modeling 37

6.2 Performing threat risk modeling using the Microsoft Threat Modeling Process 37

6.3 Alternative Threat Modeling Systems 44

6.4 Trike 44

6.5 AS/NZS 4360:2004 Risk Management 44

6.6 CVSS 45

6.7 OCTAVE 46

6.8 Conclusion 47

6.9 Further Reading 47

7 HANDLING E-COMMERCE PAYMENTS 49

7.1 Objectives 49

7.2 Compliance and Laws 49

7.3 PCI Compliance 49

7.4 Handling Credit Cards 50

7.5 Further Reading 53

8 PHISHING 55

8.1 What is phishing? 55

8.2 User Education 56

8.3 Make it easy for your users to report scams 57

8.4 Communicating with customers via e-mail 57

8.5 Never ask your customers for their secrets 58

8.6 Fix all your XSS issues 58

8.7 Do not use pop-ups 59

8.8 Don’t be framed 59

8.9 Move your application one link away from your front page 59

8.10 Enforce local referrers for images and other resources 59

8.11 Keep the address bar, use SSL, do not use IP addresses 60

8.12 Don’t be the source of identity theft 60

8.13 Implement safe-guards within your application 61

8.14 Monitor unusual account activity 61

8.15 Get the phishing target servers offline pronto 62

8.16 Take control of the fraudulent domain name 62

8.17 Work with law enforcement 63

8.18 When an attack happens 63

8.19 Further Reading 63

9 WEB SERVICES 64

Securing Web Services 64

Communication security 65

Passing credentials 65

Ensuring message freshness 66

Protecting message integrity 66

Protecting message confidentiality 67

Access control 67

Audit 68

Web Services Security Hierarchy 68

SOAP 69

WS-Security Standard 70

WS-Security Building Blocks 72

Communication Protection Mechanisms 78

Access Control Mechanisms 80

Forming Web Service Chains 82

Available Implementations 83

Problems 85

Further Reading 87

10 AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5

10.1 Objective 5

10.2 Platforms Affected 5

10.3 Architecture 5

10.4 Access control: Authentication and Authorization 5

10.5 Silent transactional authorization 5

10.6 Untrusted or absent session data 5

10.7 State management 5

10.8 Tamper resistance 5

10.9 Privacy 5

10.10 Proxy Façade 5

10.11 SOAP Injection Attacks 5

10.12 XMLRPC Injection Attacks 5

10.13 DOM Injection Attacks 5

10.14 XML Injection Attacks 5

10.15 JSON (Javascript Object Notation) Injection Attacks 5

10.16 Encoding safety 5

10.17 Auditing 5

10.18 Error Handling 5

10.19 Accessibility 5

10.20 Further Reading 5

11 AUTHENTICATION 108

11.1 Objective 108

11.2 Environments Affected 108

11.3 Relevant COBIT Topics 108

11.4 Best Practices 108

11.5 Common web authentication techniques 109

11.6 Strong Authentication 111

11.7 Federated Authentication 115

11.8 Client side authentication controls 117

11.9 Positive Authentication 118

11.10 Multiple Key Lookups 120

11.11 Referer Checks 122

11.12 Browser remembers passwords 123

11.13 Default accounts 124

11.14 Choice of usernames 125

11.15 Change passwords 126

11.16 Short passwords 126

11.17 Weak password controls 127

11.18 Reversible password encryption 128

11.19 Automated password resets 128

11.20 Brute Force 130

11.21 Remember Me 131

11.22 Idle Timeouts 132

11.23 Logout 132

11.24 Account Expiry 133

11.25 Self registration 134

11.26 CAPTCHA 134

11.27 Further Reading 135

11.28 Authentication 136

12 AUTHORIZATION 148

12.1 Objectives 148

12.2 Environments Affected 148

12.3 Relevant COBIT Topics 148

12.4 Best Practices 148

12.5 Best Practices in Action 149

12.6 Principle of least privilege 150

12.7 Centralized authorization routines 152

12.8 Authorization matrix 152

12.9 Controlling access to protected resources 153

12.10 Protecting access to static resources 153

12.11 Reauthorization for high value activities or after idle out 154

12.12 Time based authorization 154

12.13 Be cautious of custom authorization controls 154

12.14 Never implement client-side authorization tokens 155

12.15 Further Reading 156

13 SESSION MANAGEMENT 157

13.1 Objective 157

13.2 Environments Affected 157

13.3 Relevant COBIT Topics 157

13.4 Description 157

13.5 Best practices 158

13.6 Exposed Session Variables 159

13.7 Page and Form Tokens 159

13.8 Weak Session Cryptographic Algorithms 160

13.9 Session Token Entropy 161

13.10 Session Time-out 161

13.11 Regeneration of Session Tokens 162

13.12 Session Forging/Brute-Forcing Detection and/or Lockout 163

13.13 Session Token Capture and Session Hijacking 163

13.14 Session Tokens on Logout 165

13.15 Session Validation Attacks 165

13.16 PHP 166

13.17 Sessions 166

13.18 Further Reading 167

13.19 Session Management 168

14 DATA VALIDATION 173

14.1 Objective 173

14.2 Platforms Affected 173

14.3 Relevant COBIT Topics 173

14.4 Description 173

14.5 Definitions 173

14.6 Where to include integrity checks 174

14.7 Where to include validation 174

14.8 Where to include business rule validation 174

14.9 Data Validation Strategies 175

14.10 Prevent parameter tampering 177

14.11 Hidden fields 178

14.12 ASP.NET Viewstate 179

14.13 URL encoding 182

14.14 HTML encoding 182

14.15 Encoded strings 183

14.16 Data Validation and Interpreter Injection 183

14.17 186

14.18 Delimiter and special characters 186

14.19 Further Reading 187

15 INTERPRETER INJECTION 188

15.1 Objective 188

15.2 Platforms Affected 188

15.3 Relevant COBIT Topics 188

15.4 User Agent Injection 188

15.5 HTTP Response Splitting 192

15.6 SQL Injection 193

15.7 ORM Injection 193

15.8 LDAP Injection 194

15.9 XML Injection 196

15.10 Code Injection 196

15.11 Further Reading 197

15.12 SQL-injection 199

15.13 Code Injection 202

15.14 Command injection 202

16 CANONCALIZATION, LOCALE AND UNICODE 203

16.1 Objective 203

16.2 Platforms Affected 203

16.3 Relevant COBIT Topics 203

16.4 Description 203

16.5 Unicode 204

16.6 http://www.ietf.org/rfc/rfc2279.txt?number=2279 206

16.7 Input Formats 206

16.8 Locale assertion 207

16.9 Double (or n-) encoding 207

16.10 HTTP Request Smuggling 208

16.11 Further Reading 208

17 ERROR HANDLING, AUDITING AND LOGGING 210

17.1 Objective 210

17.2 Environments Affected 210

17.3 Relevant COBIT Topics 210

17.4 Description 210

17.5 Best practices 211

17.6 Error Handling 211

17.7 Detailed error messages 212

17.8 Logging 213

17.9 Noise 216

17.10 Cover Tracks 216

17.11 False Alarms 217

17.12 Destruction 218

17.13 Audit Trails 218

17.14 Further Reading 219

17.15 Error Handling and Logging 219

18 FILE SYSTEM 226

18.1 Objective 226

18.2 Environments Affected 226

18.3 Relevant COBIT Topics 226

18.4 Description 226

18.5 Best Practices 226

18.6 Defacement 226

18.7 Path traversal 227

18.8 Insecure permissions 228

18.9 Insecure Indexing 228

18.10 Unmapped files 229

18.11 Temporary files 229

18.12 PHP 230

18.13 Includes and Remote files 230

18.14 File upload 232

18.15 Old, unreferenced files 234

18.16 Second Order Injection 234

18.17 Further Reading 235

18.18 File System 235

19 DISTRIBUTED COMPUTING 237

19.1 Objective 237

19.2 Environments Affected 237

19.3 Relevant COBIT Topics 237

19.4 Best Practices 237

19.5 Race conditions 237

19.6 Distributed synchronization 237

19.7 Further Reading 238

20 BUFFER OVERFLOWS 239

20.1 Objective 239

20.2 Platforms Affected 239

20.3 Relevant COBIT Topics 239

20.4 Description 239

20.5 General Prevention Techniques 240

20.6 Stack Overflow 241

20.7 Heap Overflow 242

20.8 Format String 243

20.9 Unicode Overflow 245

20.10 Integer Overflow 246

20.11 Further reading 247

21 ADMINISTRATIVE INTERFACES 249

21.1 Objective 249

21.2 Environments Affected 249

21.3 Relevant COBIT Topics 249

21.4 Best practices 249

21.5 Administrators are not users 250

21.6 Authentication for high value systems 250

21.7 Further Reading 251

22 CRYPTOGRAPHY 252

22.1 Objective 252

22.2 Platforms Affected 252

22.3 Relevant COBIT Topics 252

22.4 Description 252

22.5 Cryptographic Functions 253

22.6 Cryptographic Algorithms 253

22.7 Algorithm Selection 255

22.8 Key Storage 256

22.9 Insecure transmission of secrets 258

22.10 Reversible Authentication Tokens 259

22.11 Safe UUID generation 260

22.12 Summary 260

22.13 Further Reading 261

22.14 Cryptography 261

23 CONFIGURATION 266

23.1 Objective 266

23.2 Platforms Affected 266

23.3 Relevant COBIT Topics 266

23.4 Best Practices 266

23.5 Default passwords 266

23.6 Secure connection strings 267

23.7 Secure network transmission 267

23.8 Encrypted data 268

23.9 PHP Configuration 268

23.10 Global variables 268

23.11 register_globals 269

23.12 Database security 272

23.13 Further Reading 273

23.14 ColdFusion Components (CFCs) 273

23.15 Configuration 274

24 SOFTWARE QUALITY ASSURANCE 281

24.1 Objective 281

24.2 Platforms Affected 281

24.3 Best practices 281

24.4 Process 283

24.5 Metrics 283

24.6 Testing Activities 284

25 DEPLOYMENT 286

25.1 Objective 286

25.2 Platforms Affected 286

25.3 Best Practices 286

25.4 Release Management 287

25.5 Secure delivery of code 287

25.6 Code signing 288

25.7 Permissions are set to least privilege 288

25.8 Automated packaging 288

25.9 Automated deployment 289

25.10 Automated removal 289

25.11 No backup or old files 289

25.12 Unnecessary features are off by default 289

25.13 Setup log files are clean 289

25.14 No default accounts 290

25.15 Easter eggs 290

25.16 Malicious software 291

25.17 Further Reading 292

26 MAINTENANCE 294

26.1 Objective 294

26.2 Platforms Affected 294

26.3 Relevant COBIT Topics 294

26.4 Best Practices 294

26.5 Security Incident Response 295

26.6 Fix Security Issues Correctly 295

26.7 Update Notifications 296

26.8 Regularly check permissions 296

26.9 Further Reading 297

26.10 297

26.11 Maintenance 297

27 'GNU FREE DOCUMENTATION LICENSE 301'

27.1 PREAMBLE 301

27.2 APPLICABILITY AND DEFINITIONS 301

27.3 VERBATIM COPYING 302

27.4 COPYING IN QUANTITY 303

27.5 MODIFICATIONS 303

27.6 COMBINING DOCUMENTS 305

27.7 COLLECTIONS OF DOCUMENTS 305

27.8 AGGREGATION WITH INDEPENDENT WORKS 306

27.9 TRANSLATION 306

27.10 TERMINATION 306

27.11 FUTURE REVISIONS OF THIS LICENSE 306