Difference between revisions of "Cheat Sheets"
Line 6: | Line 6: | ||
==Authentication== | ==Authentication== | ||
Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed. | Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed. | ||
+ | |||
For more information, check [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheat] | For more information, check [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheat] | ||
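Review bot: the link label on the unchanged context line of this hunk reads "Authentication Cheat Sheat"; correct it to "Sheet" while the section is being touched. The sentence above it, "All the application non-public resource must be protected and shouldn't be bypassed", also needs the plural "resources" and a clearer statement of what must not be bypassed.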
Line 11: | Line 12: | ||
Use secure session management practices that ensure that users authenticated users have a robust and cryptographically secure association with their session. | Use secure session management practices that ensure that users authenticated users have a robust and cryptographically secure association with their session. | ||
+ | |||
For more information, check [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet Session Management Cheat Sheet] | For more information, check [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet Session Management Cheat Sheet] | ||
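Review bot: the context line above the inserted blank line has a doubled subject, "ensure that users authenticated users have"; it should read "ensure that authenticated users have".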
Line 20: | Line 22: | ||
Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below. | Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below. | ||
+ | |||
For more information, check [https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet Input Validation Cheat Sheet] | For more information, check [https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet Input Validation Cheat Sheet] | ||
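Review bot: the context line says XSS and SQL Injection "are covered in output encoding below", but the Output Encoding hunk that follows links only to the Cross Site Scripting Prevention Cheat Sheet. Either add a pointer for SQL injection there or reword this sentence so it does not promise one.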
Line 25: | Line 28: | ||
Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control. | Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control. | ||
+ | |||
For more information, check [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Cross Site Scripting Prevention Cheat Sheet] | For more information, check [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Cross Site Scripting Prevention Cheat Sheet] | ||
Line 30: | Line 34: | ||
Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts. | Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts. | ||
+ | |||
For more information, check [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet Cross Site Request Forgery] | For more information, check [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet Cross Site Request Forgery] | ||
Line 35: | Line 40: | ||
Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP. | Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP. | ||
+ | |||
For more information, check [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Protection Cheat Sheet] | For more information, check [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Protection Cheat Sheet] | ||
Revision as of 02:54, 11 November 2011
The OWASP Prevention Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.
Authentication
Ensure all entities go through an appropriate and adequate form of authentication. All of the application's non-public resources must be protected, and that protection must not be bypassable.
For more information, check Authentication Cheat Sheet
Session Management
Use secure session management practices that ensure that authenticated users have a robust and cryptographically secure association with their session.
For more information, check Session Management Cheat Sheet
Access Control
Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated as part of the entitlement checks.
Input Validation
Input validation is performed to minimize malformed data entering the system. Input validation is NOT the primary method of preventing XSS or SQL Injection; these are covered in output encoding below.
For more information, check Input Validation Cheat Sheet
Output Encoding
Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.
For more information, check Cross Site Scripting Prevention Cheat Sheet
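The split between the two controls described above, as an added example (not code from the OWASP wiki): a value can pass input validation and still carry HTML metacharacters, so each output context needs its own encoding. The validation rule, sample values and function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

# Constructed sample inputs (not from the page).
SAMPLES = [
    "Alice",
    "O'Brien & Sons <sales@example.test>",  # legitimate, yet full of metacharacters
    '"><script>alert(1)</script>',          # classic markup-injection probe
]

# Hypothetical validation rule: 1-64 characters, no control characters.
_NAME_RE = re.compile(r"[^\x00-\x1f\x7f]{1,64}")


def is_valid_name(value: str) -> bool:
    """Input validation: rejects malformed data, not HTML metacharacters."""
    return _NAME_RE.fullmatch(value) is not None


def render_unencoded(name: str) -> str:
    """The 'before' case: validated input concatenated straight into markup."""
    return f"<p>Hello, {name}</p>"


def render_html_body(name: str) -> str:
    """Encode for HTML element content."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def render_html_attr(name: str) -> str:
    """Encode for a double-quoted attribute value."""
    return f'<input name="display" value="{html.escape(name, quote=True)}">'


def render_url_param(name: str) -> str:
    """Percent-encode for a query-string value, then place it in an attribute."""
    encoded = quote(name, safe="")
    return f'<a href="/profile?name={html.escape(encoded)}">profile</a>'


if __name__ == "__main__":
    for s in SAMPLES:
        print(is_valid_name(s), render_unencoded(s), render_html_body(s), sep="\n  ")
```

Tightening the validation rule enough to reject the third sample would also reject the second, which is why validation stays the secondary control.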
Cross Domain
Ensure that adequate controls are present to protect against Cross-Site Request Forgery, Clickjacking and other malicious third-party scripts.
For more information, check Cross Site Request Forgery
Secure Transmission
Ensure that all of the application's pages are served over cryptographically secure HTTPS. Prohibit the transmission of session cookies over HTTP.
For more information, check Transport Protection Cheat Sheet
Logging
Ensure that all security-related events are logged. Audit logs should be immutable and write-only, and must be protected from unauthorized access.
Admin Pages
Ensure that admin pages are segregated from user pages. Appropriate and adequate access controls must be utilized to prevent users from gaining access to admin pages. Ensure that the necessary audit trails are saved for all administrative transactions.
Uploads
Ensure that the size, contents and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. All files must be virus scanned using a regularly updated scanner.
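One way to apply the upload checks listed above, as an added example (not code from the OWASP wiki). The size limit, the extension allow-list, the storage directory and the `scan` hook are assumptions; `scan` stands in for whatever virus scanner the site runs.

```python
import os
import re
import secrets
from pathlib import Path

MAX_BYTES = 2 * 1024 * 1024  # assumed size limit
# Assumed allow-list: extension -> leading bytes the content must start with.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-", ".jpg": b"\xff\xd8\xff"}
# Name rule: no path components, exactly one extension, conservative characters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,99}\.[A-Za-z0-9]{1,8}")


class UploadRejected(ValueError):
    """Raised with the name of the failed check: size, name, content, scanner."""


def check_upload(client_name: str, data: bytes) -> str:
    """Validate size, name and contents; return the allow-listed extension."""
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("size")
    if not _SAFE_NAME.fullmatch(client_name):
        raise UploadRejected("name")
    ext = "." + client_name.rsplit(".", 1)[1].lower()
    # Contents: the bytes must match what the extension claims.
    magic = MAGIC.get(ext)
    if magic is None or not data.startswith(magic):
        raise UploadRejected("content")
    return ext


def store_upload(client_name: str, data: bytes, store_dir: Path, scan) -> Path:
    """Write an accepted upload under a server-generated name.

    store_dir is assumed to lie outside the web root, so the file is only
    reachable through application code. scan is a hypothetical hook for the
    site's virus scanner and returns False to reject the bytes.
    """
    ext = check_upload(client_name, data)
    if not scan(data):
        raise UploadRejected("scanner")
    # The client-supplied name is never used on disk.
    dest = Path(store_dir) / (secrets.token_hex(16) + ext)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```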
Error Handling
Detailed exceptions and stack traces should never be displayed to the user. Instead, a generic error page should be displayed for all application error scenarios. All exceptions must be logged and examined later on. The application must always fail safe in every error scenario.
The following cheat sheets are currently available.
OWASP Cheat Sheets Project Homepage
The following alternate formats are under development:
- A single PDF version containing all of the OWASP prevention cheat sheets
- An OWASP Lulu book with the prevention cheat sheets