This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Guide:Frontispiece"
From OWASP
Weilin Zhong (talk | contribs) |
Weilin Zhong (talk | contribs) (→Frontispiece) |
||
| Line 5: | Line 5: | ||
February 2006 | February 2006 | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| Line 95: | Line 17: | ||
OWASP Foundation | OWASP Foundation | ||
| − | + | ===============Frontispiece =============== | |
| − | + | ==Dedication == | |
To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible. | To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible. | ||
Andrew van der Stock | Andrew van der Stock | ||
| − | + | ==Copyright and license == | |
© 2001 – 2006 OWASP Foundation. | © 2001 – 2006 OWASP Foundation. | ||
The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED. | The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED. | ||
| − | + | ==Editors == | |
The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. | The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. | ||
Guide 2.x series editors: | Guide 2.x series editors: | ||
| Line 109: | Line 31: | ||
Adrian Wiesmann | Adrian Wiesmann | ||
| − | + | ==Authors and Reviewers == | |
| − | Authors and Reviewers | ||
The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x: | The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x: | ||
| Line 153: | Line 74: | ||
William Hau | William Hau | ||
| − | + | ==Revision History == | |
| − | Revision History | ||
'''Date''' '''Version''' '''Pages''' '''Notes''' | '''Date''' '''Version''' '''Pages''' '''Notes''' | ||
| Line 190: | Line 110: | ||
| − | + | ===============Table of Contents =============== | |
'''1''' '''ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT 13''' | '''1''' '''ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT 13''' | ||
| − | 1.1 | + | ===1.1 Structure and Licensing 13 === |
| − | 1.2 | + | ===1.2 Participation and Membership 13 === |
| − | 1.3 | + | ===1.3 Projects 14 === |
'''2''' '''INTRODUCTION 15''' | '''2''' '''INTRODUCTION 15''' | ||
| − | 2.1 | + | ===2.1 Developing Secure Applications 15 === |
| − | 2.2 | + | ===2.2 Improvements in this edition 15 === |
| − | 2.3 | + | ===2.3 How to use this Guide 16 === |
| − | 2.4 | + | ===2.4 Updates and errata 16 === |
| − | 2.5 | + | ===2.5 With thanks 16 === |
'''3''' '''WHAT ARE WEB APPLICATIONS? 17''' | '''3''' '''WHAT ARE WEB APPLICATIONS? 17''' | ||
| − | 3.1 | + | ===3.1 Technologies 18 === |
| − | 3.2 | + | ===3.2 First generation – CGI 18 === |
| − | 3.3 | + | ===3.3 Filters 18 === |
| − | 3.4 | + | ===3.4 Scripting 19 === |
| − | 3.5 | + | ===3.5 Web application frameworks – J2EE and ASP.NET 20 === |
| − | 3.6 | + | ===3.6 Small to medium scale applications 21 === |
| − | 3.7 | + | ===3.7 Large scale applications 22 === |
| − | 3.8 | + | ===3.8 View 22 === |
| − | 3.9 | + | ===3.9 Controller 22 === |
| − | 3.10 | + | ===3.10 Model 23 === |
| − | 3.11 | + | ===3.11 Conclusion 24 === |
'''4''' '''POLICY FRAMEWORKS 25''' | '''4''' '''POLICY FRAMEWORKS 25''' | ||
| − | 4.1 | + | ===4.1 Organizational commitment to security 25 === |
| − | 4.2 | + | ===4.2 OWASP’s Place at the Framework table 26 === |
| − | 4.3 | + | ===4.3 Development Methodology 28 === |
| − | 4.4 | + | ===4.4 Coding Standards 29 === |
| − | 4.5 | + | ===4.5 Source Code Control 29 === |
| − | 4.6 | + | ===4.6 Summary 30 === |
'''5''' '''SECURE CODING PRINCIPLES 31''' | '''5''' '''SECURE CODING PRINCIPLES 31''' | ||
| − | 5.1 | + | ===5.1 Asset Classification 31 === |
| − | 5.2 | + | ===5.2 About attackers 31 === |
| − | 5.3 | + | ===5.3 Core pillars of information security 32 === |
| − | 5.4 | + | ===5.4 Security Architecture 32 === |
| − | 5.5 | + | ===5.5 Security Principles 33 === |
'''6''' '''THREAT RISK MODELING 37''' | '''6''' '''THREAT RISK MODELING 37''' | ||
| − | 6.1 | + | ===6.1 Threat Risk Modeling 37 === |
| − | 6.2 | + | ===6.2 Performing threat risk modeling using the Microsoft Threat Modeling Process 37 === |
| − | 6.3 | + | ===6.3 Alternative Threat Modeling Systems 44 === |
| − | 6.4 | + | ===6.4 Trike 44 === |
| − | 6.5 AS/NZS 4360:2004 | + | ===6.5 AS/NZS 4360:2004 Risk Management 44 === |
| − | 6.6 CVSS 45 | + | ===6.6 CVSS 45 === |
| − | 6.7 OCTAVE 46 | + | ===6.7 OCTAVE 46 === |
| − | 6.8 | + | ===6.8 Conclusion 47 === |
| − | 6.9 | + | ===6.9 Further Reading 47 === |
'''7''' '''HANDLING E-COMMERCE PAYMENTS 49''' | '''7''' '''HANDLING E-COMMERCE PAYMENTS 49''' | ||
| − | 7.1 | + | ===7.1 Objectives 49 === |
| − | 7.2 | + | ===7.2 Compliance and Laws 49 === |
| − | 7.3 PCI | + | ===7.3 PCI Compliance 49 === |
| − | 7.4 | + | ===7.4 Handling Credit Cards 50 === |
| − | 7.5 | + | ===7.5 Further Reading 53 === |
'''8''' '''PHISHING 55''' | '''8''' '''PHISHING 55''' | ||
| − | 8.1 | + | ===8.1 What is phishing? 55 === |
| − | 8.2 | + | ===8.2 User Education 56 === |
| − | 8.3 | + | ===8.3 Make it easy for your users to report scams 57 === |
| − | 8.4 | + | ===8.4 Communicating with customers via e-mail 57 === |
| − | 8.5 | + | ===8.5 Never ask your customers for their secrets 58 === |
| − | 8.6 | + | ===8.6 Fix all your XSS issues 58 === |
| − | 8.7 | + | ===8.7 Do not use pop-ups 59 === |
| − | 8.8 | + | ===8.8 Don’t be framed 59 === |
| − | 8.9 | + | ===8.9 Move your application one link away from your front page 59 === |
| − | 8.10 | + | ===8.10 Enforce local referrers for images and other resources 59 === |
| − | 8.11 | + | ===8.11 Keep the address bar, use SSL, do not use IP addresses 60 === |
| − | 8.12 | + | ===8.12 Don’t be the source of identity theft 60 === |
| − | 8.13 | + | ===8.13 Implement safe-guards within your application 61 === |
| − | 8.14 | + | ===8.14 Monitor unusual account activity 61 === |
| − | 8.15 | + | ===8.15 Get the phishing target servers offline pronto 62 === |
| − | 8.16 | + | ===8.16 Take control of the fraudulent domain name 62 === |
| − | 8.17 | + | ===8.17 Work with law enforcement 63 === |
| − | 8.18 | + | ===8.18 When an attack happens 63 === |
| − | 8.19 | + | ===8.19 Further Reading 63 === |
'''9''' '''WEB SERVICES 64''' | '''9''' '''WEB SERVICES 64''' | ||
| − | + | ===Securing Web Services 64 === | |
| − | + | ===Communication security 65 === | |
| − | + | ===Passing credentials 65 === | |
| − | + | ===Ensuring message freshness 66 === | |
| − | + | ===Protecting message integrity 66 === | |
| − | + | ===Protecting message confidentiality 67 === | |
| − | + | ===Access control 67 === | |
| − | + | ===Audit 68 === | |
| − | + | ===Web Services Security Hierarchy 68 === | |
| − | SOAP 69 | + | ===SOAP 69 === |
| − | WS- | + | ===WS-Security Standard 70 === |
| − | WS- | + | ===WS-Security Building Blocks 72 === |
| − | + | ===Communication Protection Mechanisms 78 === | |
| − | + | ===Access Control Mechanisms 80 === | |
| − | + | ===Forming Web Service Chains 82 === | |
| − | + | ===Available Implementations 83 === | |
| − | + | ===Problems 85 === | |
| − | + | ===Further Reading 87 === | |
'''10''' '''AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5''' | '''10''' '''AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5''' | ||
| − | 10.1 | + | ===10.1 Objective 5 === |
| − | 10.2 | + | ===10.2 Platforms Affected 5 === |
| − | 10.3 | + | ===10.3 Architecture 5 === |
| − | 10.4 | + | ===10.4 Access control: Authentication and Authorization 5 === |
| − | 10.5 | + | ===10.5 Silent transactional authorization 5 === |
| − | 10.6 | + | ===10.6 Untrusted or absent session data 5 === |
| − | 10.7 | + | ===10.7 State management 5 === |
| − | 10.8 | + | ===10.8 Tamper resistance 5 === |
| − | 10.9 | + | ===10.9 Privacy 5 === |
| − | 10.10 | + | ===10.10 Proxy Façade 5 === |
| − | 10.11 SOAP | + | ===10.11 SOAP Injection Attacks 5 === |
| − | 10.12 XMLRPC | + | ===10.12 XMLRPC Injection Attacks 5 === |
| − | 10.13 DOM | + | ===10.13 DOM Injection Attacks 5 === |
| − | 10.14 XML | + | ===10.14 XML Injection Attacks 5 === |
| − | 10.15 JSON ( | + | ===10.15 JSON (Javascript Object Notation) Injection Attacks 5 === |
| − | 10.16 | + | ===10.16 Encoding safety 5 === |
| − | 10.17 | + | ===10.17 Auditing 5 === |
| − | 10.18 | + | ===10.18 Error Handling 5 === |
| − | 10.19 | + | ===10.19 Accessibility 5 === |
| − | 10.20 | + | ===10.20 Further Reading 5 === |
'''11''' '''AUTHENTICATION 108''' | '''11''' '''AUTHENTICATION 108''' | ||
| − | 11.1 | + | ===11.1 Objective 108 === |
| − | 11.2 | + | ===11.2 Environments Affected 108 === |
| − | 11.3 | + | ===11.3 Relevant COBIT Topics 108 === |
| − | 11.4 | + | ===11.4 Best Practices 108 === |
| − | 11.5 | + | ===11.5 Common web authentication techniques 109 === |
| − | 11.6 | + | ===11.6 Strong Authentication 111 === |
| − | 11.7 | + | ===11.7 Federated Authentication 115 === |
| − | 11.8 | + | ===11.8 Client side authentication controls 117 === |
| − | 11.9 | + | ===11.9 Positive Authentication 118 === |
| − | 11.10 | + | ===11.10 Multiple Key Lookups 120 === |
| − | 11.11 | + | ===11.11 Referer Checks 122 === |
| − | 11.12 | + | ===11.12 Browser remembers passwords 123 === |
| − | 11.13 | + | ===11.13 Default accounts 124 === |
| − | 11.14 | + | ===11.14 Choice of usernames 125 === |
| − | 11.15 | + | ===11.15 Change passwords 126 === |
| − | 11.16 | + | ===11.16 Short passwords 126 === |
| − | 11.17 | + | ===11.17 Weak password controls 127 === |
| − | 11.18 | + | ===11.18 Reversible password encryption 128 === |
| − | 11.19 | + | ===11.19 Automated password resets 128 === |
| − | 11.20 | + | ===11.20 Brute Force 130 === |
| − | 11.21 | + | ===11.21 Remember Me 131 === |
| − | 11.22 | + | ===11.22 Idle Timeouts 132 === |
| − | 11.23 | + | ===11.23 Logout 132 === |
| − | 11.24 | + | ===11.24 Account Expiry 133 === |
| − | 11.25 | + | ===11.25 Self registration 134 === |
| − | 11.26 CAPTCHA 134 | + | ===11.26 CAPTCHA 134 === |
| − | 11.27 | + | ===11.27 Further Reading 135 === |
| − | 11.28 | + | ===11.28 Authentication 136 === |
'''12''' '''AUTHORIZATION 148''' | '''12''' '''AUTHORIZATION 148''' | ||
| − | 12.1 | + | ===12.1 Objectives 148 === |
| − | 12.2 | + | ===12.2 Environments Affected 148 === |
| − | 12.3 | + | ===12.3 Relevant COBIT Topics 148 === |
| − | 12.4 | + | ===12.4 Best Practices 148 === |
| − | 12.5 | + | ===12.5 Best Practices in Action 149 === |
| − | 12.6 | + | ===12.6 Principle of least privilege 150 === |
| − | 12.7 | + | ===12.7 Centralized authorization routines 152 === |
| − | 12.8 | + | ===12.8 Authorization matrix 152 === |
| − | 12.9 | + | ===12.9 Controlling access to protected resources 153 === |
| − | 12.10 | + | ===12.10 Protecting access to static resources 153 === |
| − | 12.11 | + | ===12.11 Reauthorization for high value activities or after idle out 154 === |
| − | 12.12 | + | ===12.12 Time based authorization 154 === |
| − | 12.13 | + | ===12.13 Be cautious of custom authorization controls 154 === |
| − | 12.14 | + | ===12.14 Never implement client-side authorization tokens 155 === |
| − | 12.15 | + | ===12.15 Further Reading 156 === |
'''13''' '''SESSION MANAGEMENT 157''' | '''13''' '''SESSION MANAGEMENT 157''' | ||
| − | 13.1 | + | ===13.1 Objective 157 === |
| − | 13.2 | + | ===13.2 Environments Affected 157 === |
| − | 13.3 | + | ===13.3 Relevant COBIT Topics 157 === |
| − | 13.4 | + | ===13.4 Description 157 === |
| − | 13.5 | + | ===13.5 Best practices 158 === |
| − | 13.6 | + | ===13.6 Exposed Session Variables 159 === |
| − | 13.7 | + | ===13.7 Page and Form Tokens 159 === |
| − | 13.8 | + | ===13.8 Weak Session Cryptographic Algorithms 160 === |
| − | 13.9 | + | ===13.9 Session Token Entropy 161 === |
| − | 13.10 | + | ===13.10 Session Time-out 161 === |
| − | 13.11 | + | ===13.11 Regeneration of Session Tokens 162 === |
| − | 13.12 | + | ===13.12 Session Forging/Brute-Forcing Detection and/or Lockout 163 === |
| − | 13.13 | + | ===13.13 Session Token Capture and Session Hijacking 163 === |
| − | 13.14 | + | ===13.14 Session Tokens on Logout 165 === |
| − | 13.15 | + | ===13.15 Session Validation Attacks 165 === |
| − | 13.16 PHP 166 | + | ===13.16 PHP 166 === |
| − | 13.17 | + | ===13.17 Sessions 166 === |
| − | 13.18 | + | ===13.18 Further Reading 167 === |
| − | 13.19 | + | ===13.19 Session Management 168 === |
'''14''' '''DATA VALIDATION 173''' | '''14''' '''DATA VALIDATION 173''' | ||
| − | 14.1 | + | ===14.1 Objective 173 === |
| − | 14.2 | + | ===14.2 Platforms Affected 173 === |
| − | 14.3 | + | ===14.3 Relevant COBIT Topics 173 === |
| − | 14.4 | + | ===14.4 Description 173 === |
| − | 14.5 | + | ===14.5 Definitions 173 === |
| − | 14.6 | + | ===14.6 Where to include integrity checks 174 === |
| − | 14.7 | + | ===14.7 Where to include validation 174 === |
| − | 14.8 | + | ===14.8 Where to include business rule validation 174 === |
| − | 14.9 | + | ===14.9 Data Validation Strategies 175 === |
| − | 14.10 | + | ===14.10 Prevent parameter tampering 177 === |
| − | 14.11 | + | ===14.11 Hidden fields 178 === |
| − | 14.12 ASP.NET | + | ===14.12 ASP.NET Viewstate 179 === |
| − | 14.13 URL | + | ===14.13 URL encoding 182 === |
| − | 14.14 HTML | + | ===14.14 HTML encoding 182 === |
| − | 14.15 | + | ===14.15 Encoded strings 183 === |
| − | 14.16 | + | ===14.16 Data Validation and Interpreter Injection 183 === |
| − | 14.17 186 | + | ===14.17 186 === |
| − | 14.18 | + | ===14.18 Delimiter and special characters 186 === |
| − | 14.19 | + | ===14.19 Further Reading 187 === |
'''15''' '''INTERPRETER INJECTION 188''' | '''15''' '''INTERPRETER INJECTION 188''' | ||
| − | 15.1 | + | ===15.1 Objective 188 === |
| − | 15.2 | + | ===15.2 Platforms Affected 188 === |
| − | 15.3 | + | ===15.3 Relevant COBIT Topics 188 === |
| − | 15.4 | + | ===15.4 User Agent Injection 188 === |
| − | 15.5 HTTP | + | ===15.5 HTTP Response Splitting 192 === |
| − | 15.6 SQL | + | ===15.6 SQL Injection 193 === |
| − | 15.7 ORM | + | ===15.7 ORM Injection 193 === |
| − | 15.8 LDAP | + | ===15.8 LDAP Injection 194 === |
| − | 15.9 XML | + | ===15.9 XML Injection 196 === |
| − | 15.10 | + | ===15.10 Code Injection 196 === |
| − | 15.11 | + | ===15.11 Further Reading 197 === |
| − | 15.12 SQL- | + | ===15.12 SQL-injection 199 === |
| − | 15.13 | + | ===15.13 Code Injection 202 === |
| − | 15.14 | + | ===15.14 Command injection 202 === |
'''16''' '''CANONCALIZATION, LOCALE AND UNICODE 203''' | '''16''' '''CANONCALIZATION, LOCALE AND UNICODE 203''' | ||
| − | 16.1 | + | ===16.1 Objective 203 === |
| − | 16.2 | + | ===16.2 Platforms Affected 203 === |
| − | 16.3 | + | ===16.3 Relevant COBIT Topics 203 === |
| − | 16.4 | + | ===16.4 Description 203 === |
| − | 16.5 | + | ===16.5 Unicode 204 === |
| − | 16.6 | + | ===16.6 http://www.ietf.org/rfc/rfc2279.txt?number=2279 206 === |
| − | 16.7 | + | ===16.7 Input Formats 206 === |
| − | 16.8 | + | ===16.8 Locale assertion 207 === |
| − | 16.9 | + | ===16.9 Double (or n-) encoding 207 === |
| − | 16.10 HTTP | + | ===16.10 HTTP Request Smuggling 208 === |
| − | 16.11 | + | ===16.11 Further Reading 208 === |
'''17''' '''ERROR HANDLING, AUDITING AND LOGGING 210''' | '''17''' '''ERROR HANDLING, AUDITING AND LOGGING 210''' | ||
| − | 17.1 | + | ===17.1 Objective 210 === |
| − | 17.2 | + | ===17.2 Environments Affected 210 === |
| − | 17.3 | + | ===17.3 Relevant COBIT Topics 210 === |
| − | 17.4 | + | ===17.4 Description 210 === |
| − | 17.5 | + | ===17.5 Best practices 211 === |
| − | 17.6 | + | ===17.6 Error Handling 211 === |
| − | 17.7 | + | ===17.7 Detailed error messages 212 === |
| − | 17.8 | + | ===17.8 Logging 213 === |
| − | 17.9 | + | ===17.9 Noise 216 === |
| − | 17.10 | + | ===17.10 Cover Tracks 216 === |
| − | 17.11 | + | ===17.11 False Alarms 217 === |
| − | 17.12 | + | ===17.12 Destruction 218 === |
| − | 17.13 | + | ===17.13 Audit Trails 218 === |
| − | 17.14 | + | ===17.14 Further Reading 219 === |
| − | 17.15 | + | ===17.15 Error Handling and Logging 219 === |
'''18''' '''FILE SYSTEM 226''' | '''18''' '''FILE SYSTEM 226''' | ||
| − | 18.1 | + | ===18.1 Objective 226 === |
| − | 18.2 | + | ===18.2 Environments Affected 226 === |
| − | 18.3 | + | ===18.3 Relevant COBIT Topics 226 === |
| − | 18.4 | + | ===18.4 Description 226 === |
| − | 18.5 | + | ===18.5 Best Practices 226 === |
| − | 18.6 | + | ===18.6 Defacement 226 === |
| − | 18.7 | + | ===18.7 Path traversal 227 === |
| − | 18.8 | + | ===18.8 Insecure permissions 228 === |
| − | 18.9 | + | ===18.9 Insecure Indexing 228 === |
| − | 18.10 | + | ===18.10 Unmapped files 229 === |
| − | 18.11 | + | ===18.11 Temporary files 229 === |
| − | 18.12 PHP 230 | + | ===18.12 PHP 230 === |
| − | 18.13 | + | ===18.13 Includes and Remote files 230 === |
| − | 18.14 | + | ===18.14 File upload 232 === |
| − | 18.15 | + | ===18.15 Old, unreferenced files 234 === |
| − | 18.16 | + | ===18.16 Second Order Injection 234 === |
| − | 18.17 | + | ===18.17 Further Reading 235 === |
| − | 18.18 | + | ===18.18 File System 235 === |
'''19''' '''DISTRIBUTED COMPUTING 237''' | '''19''' '''DISTRIBUTED COMPUTING 237''' | ||
| − | 19.1 | + | ===19.1 Objective 237 === |
| − | 19.2 | + | ===19.2 Environments Affected 237 === |
| − | 19.3 | + | ===19.3 Relevant COBIT Topics 237 === |
| − | 19.4 | + | ===19.4 Best Practices 237 === |
| − | 19.5 | + | ===19.5 Race conditions 237 === |
| − | 19.6 | + | ===19.6 Distributed synchronization 237 === |
| − | 19.7 | + | ===19.7 Further Reading 238 === |
'''20''' '''BUFFER OVERFLOWS 239''' | '''20''' '''BUFFER OVERFLOWS 239''' | ||
| − | 20.1 | + | ===20.1 Objective 239 === |
| − | 20.2 | + | ===20.2 Platforms Affected 239 === |
| − | 20.3 | + | ===20.3 Relevant COBIT Topics 239 === |
| − | 20.4 | + | ===20.4 Description 239 === |
| − | 20.5 | + | ===20.5 General Prevention Techniques 240 === |
| − | 20.6 | + | ===20.6 Stack Overflow 241 === |
| − | 20.7 | + | ===20.7 Heap Overflow 242 === |
| − | 20.8 | + | ===20.8 Format String 243 === |
| − | 20.9 | + | ===20.9 Unicode Overflow 245 === |
| − | 20.10 | + | ===20.10 Integer Overflow 246 === |
| − | 20.11 | + | ===20.11 Further reading 247 === |
'''21''' '''ADMINISTRATIVE INTERFACES 249''' | '''21''' '''ADMINISTRATIVE INTERFACES 249''' | ||
| − | 21.1 | + | ===21.1 Objective 249 === |
| − | 21.2 | + | ===21.2 Environments Affected 249 === |
| − | 21.3 | + | ===21.3 Relevant COBIT Topics 249 === |
| − | 21.4 | + | ===21.4 Best practices 249 === |
| − | 21.5 | + | ===21.5 Administrators are not users 250 === |
| − | 21.6 | + | ===21.6 Authentication for high value systems 250 === |
| − | 21.7 | + | ===21.7 Further Reading 251 === |
'''22''' '''CRYPTOGRAPHY 252''' | '''22''' '''CRYPTOGRAPHY 252''' | ||
| − | 22.1 | + | ===22.1 Objective 252 === |
| − | 22.2 | + | ===22.2 Platforms Affected 252 === |
| − | 22.3 | + | ===22.3 Relevant COBIT Topics 252 === |
| − | 22.4 | + | ===22.4 Description 252 === |
| − | 22.5 | + | ===22.5 Cryptographic Functions 253 === |
| − | 22.6 | + | ===22.6 Cryptographic Algorithms 253 === |
| − | 22.7 | + | ===22.7 Algorithm Selection 255 === |
| − | 22.8 | + | ===22.8 Key Storage 256 === |
| − | 22.9 | + | ===22.9 Insecure transmission of secrets 258 === |
| − | 22.10 | + | ===22.10 Reversible Authentication Tokens 259 === |
| − | 22.11 | + | ===22.11 Safe UUID generation 260 === |
| − | 22.12 | + | ===22.12 Summary 260 === |
| − | 22.13 | + | ===22.13 Further Reading 261 === |
| − | 22.14 | + | ===22.14 Cryptography 261 === |
'''23''' '''CONFIGURATION 266''' | '''23''' '''CONFIGURATION 266''' | ||
| − | 23.1 | + | ===23.1 Objective 266 === |
| − | 23.2 | + | ===23.2 Platforms Affected 266 === |
| − | 23.3 | + | ===23.3 Relevant COBIT Topics 266 === |
| − | 23.4 | + | ===23.4 Best Practices 266 === |
| − | 23.5 | + | ===23.5 Default passwords 266 === |
| − | 23.6 | + | ===23.6 Secure connection strings 267 === |
| − | 23.7 | + | ===23.7 Secure network transmission 267 === |
| − | 23.8 | + | ===23.8 Encrypted data 268 === |
| − | 23.9 PHP | + | ===23.9 PHP Configuration 268 === |
| − | 23.10 | + | ===23.10 Global variables 268 === |
| − | 23.11 | + | ===23.11 register_globals 269 === |
| − | 23.12 | + | ===23.12 Database security 272 === |
| − | 23.13 | + | ===23.13 Further Reading 273 === |
| − | 23.14 | + | ===23.14 ColdFusion Components (CFCs) 273 === |
| − | 23.15 | + | ===23.15 Configuration 274 === |
'''24''' '''SOFTWARE QUALITY ASSURANCE 281''' | '''24''' '''SOFTWARE QUALITY ASSURANCE 281''' | ||
| − | 24.1 | + | ===24.1 Objective 281 === |
| − | 24.2 | + | ===24.2 Platforms Affected 281 === |
| − | 24.3 | + | ===24.3 Best practices 281 === |
| − | 24.4 | + | ===24.4 Process 283 === |
| − | 24.5 | + | ===24.5 Metrics 283 === |
| − | 24.6 | + | ===24.6 Testing Activities 284 === |
'''25''' '''DEPLOYMENT 286''' | '''25''' '''DEPLOYMENT 286''' | ||
| − | 25.1 | + | ===25.1 Objective 286 === |
| − | 25.2 | + | ===25.2 Platforms Affected 286 === |
| − | 25.3 | + | ===25.3 Best Practices 286 === |
| − | 25.4 | + | ===25.4 Release Management 287 === |
| − | 25.5 | + | ===25.5 Secure delivery of code 287 === |
| − | 25.6 | + | ===25.6 Code signing 288 === |
| − | 25.7 | + | ===25.7 Permissions are set to least privilege 288 === |
| − | 25.8 | + | ===25.8 Automated packaging 288 === |
| − | 25.9 | + | ===25.9 Automated deployment 289 === |
| − | 25.10 | + | ===25.10 Automated removal 289 === |
| − | 25.11 | + | ===25.11 No backup or old files 289 === |
| − | 25.12 | + | ===25.12 Unnecessary features are off by default 289 === |
| − | 25.13 | + | ===25.13 Setup log files are clean 289 === |
| − | 25.14 | + | ===25.14 No default accounts 290 === |
| − | 25.15 | + | ===25.15 Easter eggs 290 === |
| − | 25.16 | + | ===25.16 Malicious software 291 === |
| − | 25.17 | + | ===25.17 Further Reading 292 === |
'''26''' '''MAINTENANCE 294''' | '''26''' '''MAINTENANCE 294''' | ||
| − | 26.1 | + | ===26.1 Objective 294 === |
| − | 26.2 | + | ===26.2 Platforms Affected 294 === |
| − | 26.3 | + | ===26.3 Relevant COBIT Topics 294 === |
| − | 26.4 | + | ===26.4 Best Practices 294 === |
| − | 26.5 | + | ===26.5 Security Incident Response 295 === |
| − | 26.6 | + | ===26.6 Fix Security Issues Correctly 295 === |
| − | 26.7 | + | ===26.7 Update Notifications 296 === |
| − | 26.8 | + | ===26.8 Regularly check permissions 296 === |
| − | 26.9 | + | ===26.9 Further Reading 297 === |
| − | 26.10 297 | + | ===26.10 297 === |
| − | 26.11 | + | ===26.11 Maintenance 297 === |
'''27''' ''''''GNU FREE DOCUMENTATION LICENSE 301'''''' | '''27''' ''''''GNU FREE DOCUMENTATION LICENSE 301'''''' | ||
| − | 27.1 PREAMBLE 301 | + | ===27.1 PREAMBLE 301 === |
| − | 27.2 APPLICABILITY AND DEFINITIONS 301 | + | ===27.2 APPLICABILITY AND DEFINITIONS 301 === |
| − | 27.3 VERBATIM COPYING 302 | + | ===27.3 VERBATIM COPYING 302 === |
| − | 27.4 COPYING IN QUANTITY 303 | + | ===27.4 COPYING IN QUANTITY 303 === |
| − | 27.5 MODIFICATIONS 303 | + | ===27.5 MODIFICATIONS 303 === |
| − | 27.6 COMBINING DOCUMENTS 305 | + | ===27.6 COMBINING DOCUMENTS 305 === |
| − | 27.7 COLLECTIONS OF DOCUMENTS 305 | + | ===27.7 COLLECTIONS OF DOCUMENTS 305 === |
| − | 27.8 AGGREGATION WITH INDEPENDENT WORKS 306 | + | ===27.8 AGGREGATION WITH INDEPENDENT WORKS 306 === |
| − | 27.9 TRANSLATION 306 | + | ===27.9 TRANSLATION 306 === |
| − | 27.10 TERMINATION 306 | + | ===27.10 TERMINATION 306 === |
| − | 27.11 FUTURE REVISIONS OF THIS LICENSE 306 | + | ===27.11 FUTURE REVISIONS OF THIS LICENSE 306 === |
Revision as of 11:54, 18 May 2006
A Guide to Building Secure Web Applications and Web Services
2.1 (DRAFT 3) February 2006
A Guide to Building Secure Web Applications and
Web Services
2.1 (DRAFT 3) February 2006
OWASP Foundation
- 1 =========Frontispiece =========
- 2 Dedication
- 3 Copyright and license
- 4 Editors
- 5 Authors and Reviewers
- 6 Revision History
- 6.1 =========Table of Contents =========
- 6.2 1.1 Structure and Licensing 13
- 6.3 1.2 Participation and Membership 13
- 6.4 1.3 Projects 14
- 6.5 2.1 Developing Secure Applications 15
- 6.6 2.2 Improvements in this edition 15
- 6.7 2.3 How to use this Guide 16
- 6.8 2.4 Updates and errata 16
- 6.9 2.5 With thanks 16
- 6.10 3.1 Technologies 18
- 6.11 3.2 First generation – CGI 18
- 6.12 3.3 Filters 18
- 6.13 3.4 Scripting 19
- 6.14 3.5 Web application frameworks – J2EE and ASP.NET 20
- 6.15 3.6 Small to medium scale applications 21
- 6.16 3.7 Large scale applications 22
- 6.17 3.8 View 22
- 6.18 3.9 Controller 22
- 6.19 3.10 Model 23
- 6.20 3.11 Conclusion 24
- 6.21 4.1 Organizational commitment to security 25
- 6.22 4.2 OWASP’s Place at the Framework table 26
- 6.23 4.3 Development Methodology 28
- 6.24 4.4 Coding Standards 29
- 6.25 4.5 Source Code Control 29
- 6.26 4.6 Summary 30
- 6.27 5.1 Asset Classification 31
- 6.28 5.2 About attackers 31
- 6.29 5.3 Core pillars of information security 32
- 6.30 5.4 Security Architecture 32
- 6.31 5.5 Security Principles 33
- 6.32 6.1 Threat Risk Modeling 37
- 6.33 6.2 Performing threat risk modeling using the Microsoft Threat Modeling Process 37
- 6.34 6.3 Alternative Threat Modeling Systems 44
- 6.35 6.4 Trike 44
- 6.36 6.5 AS/NZS 4360:2004 Risk Management 44
- 6.37 6.6 CVSS 45
- 6.38 6.7 OCTAVE 46
- 6.39 6.8 Conclusion 47
- 6.40 6.9 Further Reading 47
- 6.41 7.1 Objectives 49
- 6.42 7.2 Compliance and Laws 49
- 6.43 7.3 PCI Compliance 49
- 6.44 7.4 Handling Credit Cards 50
- 6.45 7.5 Further Reading 53
- 6.46 8.1 What is phishing? 55
- 6.47 8.2 User Education 56
- 6.48 8.3 Make it easy for your users to report scams 57
- 6.49 8.4 Communicating with customers via e-mail 57
- 6.50 8.5 Never ask your customers for their secrets 58
- 6.51 8.6 Fix all your XSS issues 58
- 6.52 8.7 Do not use pop-ups 59
- 6.53 8.8 Don’t be framed 59
- 6.54 8.9 Move your application one link away from your front page 59
- 6.55 8.10 Enforce local referrers for images and other resources 59
- 6.56 8.11 Keep the address bar, use SSL, do not use IP addresses 60
- 6.57 8.12 Don’t be the source of identity theft 60
- 6.58 8.13 Implement safe-guards within your application 61
- 6.59 8.14 Monitor unusual account activity 61
- 6.60 8.15 Get the phishing target servers offline pronto 62
- 6.61 8.16 Take control of the fraudulent domain name 62
- 6.62 8.17 Work with law enforcement 63
- 6.63 8.18 When an attack happens 63
- 6.64 8.19 Further Reading 63
- 6.65 Securing Web Services 64
- 6.66 Communication security 65
- 6.67 Passing credentials 65
- 6.68 Ensuring message freshness 66
- 6.69 Protecting message integrity 66
- 6.70 Protecting message confidentiality 67
- 6.71 Access control 67
- 6.72 Audit 68
- 6.73 Web Services Security Hierarchy 68
- 6.74 SOAP 69
- 6.75 WS-Security Standard 70
- 6.76 WS-Security Building Blocks 72
- 6.77 Communication Protection Mechanisms 78
- 6.78 Access Control Mechanisms 80
- 6.79 Forming Web Service Chains 82
- 6.80 Available Implementations 83
- 6.81 Problems 85
- 6.82 Further Reading 87
- 6.83 10.1 Objective 5
- 6.84 10.2 Platforms Affected 5
- 6.85 10.3 Architecture 5
- 6.86 10.4 Access control: Authentication and Authorization 5
- 6.87 10.5 Silent transactional authorization 5
- 6.88 10.6 Untrusted or absent session data 5
- 6.89 10.7 State management 5
- 6.90 10.8 Tamper resistance 5
- 6.91 10.9 Privacy 5
- 6.92 10.10 Proxy Façade 5
- 6.93 10.11 SOAP Injection Attacks 5
- 6.94 10.12 XMLRPC Injection Attacks 5
- 6.95 10.13 DOM Injection Attacks 5
- 6.96 10.14 XML Injection Attacks 5
- 6.97 10.15 JSON (Javascript Object Notation) Injection Attacks 5
- 6.98 10.16 Encoding safety 5
- 6.99 10.17 Auditing 5
- 6.100 10.18 Error Handling 5
- 6.101 10.19 Accessibility 5
- 6.102 10.20 Further Reading 5
- 6.103 11.1 Objective 108
- 6.104 11.2 Environments Affected 108
- 6.105 11.3 Relevant COBIT Topics 108
- 6.106 11.4 Best Practices 108
- 6.107 11.5 Common web authentication techniques 109
- 6.108 11.6 Strong Authentication 111
- 6.109 11.7 Federated Authentication 115
- 6.110 11.8 Client side authentication controls 117
- 6.111 11.9 Positive Authentication 118
- 6.112 11.10 Multiple Key Lookups 120
- 6.113 11.11 Referer Checks 122
- 6.114 11.12 Browser remembers passwords 123
- 6.115 11.13 Default accounts 124
- 6.116 11.14 Choice of usernames 125
- 6.117 11.15 Change passwords 126
- 6.118 11.16 Short passwords 126
- 6.119 11.17 Weak password controls 127
- 6.120 11.18 Reversible password encryption 128
- 6.121 11.19 Automated password resets 128
- 6.122 11.20 Brute Force 130
- 6.123 11.21 Remember Me 131
- 6.124 11.22 Idle Timeouts 132
- 6.125 11.23 Logout 132
- 6.126 11.24 Account Expiry 133
- 6.127 11.25 Self registration 134
- 6.128 11.26 CAPTCHA 134
- 6.129 11.27 Further Reading 135
- 6.130 11.28 Authentication 136
- 6.131 12.1 Objectives 148
- 6.132 12.2 Environments Affected 148
- 6.133 12.3 Relevant COBIT Topics 148
- 6.134 12.4 Best Practices 148
- 6.135 12.5 Best Practices in Action 149
- 6.136 12.6 Principle of least privilege 150
- 6.137 12.7 Centralized authorization routines 152
- 6.138 12.8 Authorization matrix 152
- 6.139 12.9 Controlling access to protected resources 153
- 6.140 12.10 Protecting access to static resources 153
- 6.141 12.11 Reauthorization for high value activities or after idle out 154
- 6.142 12.12 Time based authorization 154
- 6.143 12.13 Be cautious of custom authorization controls 154
- 6.144 12.14 Never implement client-side authorization tokens 155
- 6.145 12.15 Further Reading 156
- 6.146 13.1 Objective 157
- 6.147 13.2 Environments Affected 157
- 6.148 13.3 Relevant COBIT Topics 157
- 6.149 13.4 Description 157
- 6.150 13.5 Best practices 158
- 6.151 13.6 Exposed Session Variables 159
- 6.152 13.7 Page and Form Tokens 159
- 6.153 13.8 Weak Session Cryptographic Algorithms 160
- 6.154 13.9 Session Token Entropy 161
- 6.155 13.10 Session Time-out 161
- 6.156 13.11 Regeneration of Session Tokens 162
- 6.157 13.12 Session Forging/Brute-Forcing Detection and/or Lockout 163
- 6.158 13.13 Session Token Capture and Session Hijacking 163
- 6.159 13.14 Session Tokens on Logout 165
- 6.160 13.15 Session Validation Attacks 165
- 6.161 13.16 PHP 166
- 6.162 13.17 Sessions 166
- 6.163 13.18 Further Reading 167
- 6.164 13.19 Session Management 168
- 6.165 14.1 Objective 173
- 6.166 14.2 Platforms Affected 173
- 6.167 14.3 Relevant COBIT Topics 173
- 6.168 14.4 Description 173
- 6.169 14.5 Definitions 173
- 6.170 14.6 Where to include integrity checks 174
- 6.171 14.7 Where to include validation 174
- 6.172 14.8 Where to include business rule validation 174
- 6.173 14.9 Data Validation Strategies 175
- 6.174 14.10 Prevent parameter tampering 177
- 6.175 14.11 Hidden fields 178
- 6.176 14.12 ASP.NET Viewstate 179
- 6.177 14.13 URL encoding 182
- 6.178 14.14 HTML encoding 182
- 6.179 14.15 Encoded strings 183
- 6.180 14.16 Data Validation and Interpreter Injection 183
- 6.181 14.17 186
- 6.182 14.18 Delimiter and special characters 186
- 6.183 14.19 Further Reading 187
- 6.184 15.1 Objective 188
- 6.185 15.2 Platforms Affected 188
- 6.186 15.3 Relevant COBIT Topics 188
- 6.187 15.4 User Agent Injection 188
- 6.188 15.5 HTTP Response Splitting 192
- 6.189 15.6 SQL Injection 193
- 6.190 15.7 ORM Injection 193
- 6.191 15.8 LDAP Injection 194
- 6.192 15.9 XML Injection 196
- 6.193 15.10 Code Injection 196
- 6.194 15.11 Further Reading 197
- 6.195 15.12 SQL-injection 199
- 6.196 15.13 Code Injection 202
- 6.197 15.14 Command injection 202
- 6.198 16.1 Objective 203
- 6.199 16.2 Platforms Affected 203
- 6.200 16.3 Relevant COBIT Topics 203
- 6.201 16.4 Description 203
- 6.202 16.5 Unicode 204
- 6.203 16.6 http://www.ietf.org/rfc/rfc2279.txt?number=2279 206
- 6.204 16.7 Input Formats 206
- 6.205 16.8 Locale assertion 207
- 6.206 16.9 Double (or n-) encoding 207
- 6.207 16.10 HTTP Request Smuggling 208
- 6.208 16.11 Further Reading 208
- 6.209 17.1 Objective 210
- 6.210 17.2 Environments Affected 210
- 6.211 17.3 Relevant COBIT Topics 210
- 6.212 17.4 Description 210
- 6.213 17.5 Best practices 211
- 6.214 17.6 Error Handling 211
- 6.215 17.7 Detailed error messages 212
- 6.216 17.8 Logging 213
- 6.217 17.9 Noise 216
- 6.218 17.10 Cover Tracks 216
- 6.219 17.11 False Alarms 217
- 6.220 17.12 Destruction 218
- 6.221 17.13 Audit Trails 218
- 6.222 17.14 Further Reading 219
- 6.223 17.15 Error Handling and Logging 219
- 6.224 18.1 Objective 226
- 6.225 18.2 Environments Affected 226
- 6.226 18.3 Relevant COBIT Topics 226
- 6.227 18.4 Description 226
- 6.228 18.5 Best Practices 226
- 6.229 18.6 Defacement 226
- 6.230 18.7 Path traversal 227
- 6.231 18.8 Insecure permissions 228
- 6.232 18.9 Insecure Indexing 228
- 6.233 18.10 Unmapped files 229
- 6.234 18.11 Temporary files 229
- 6.235 18.12 PHP 230
- 6.236 18.13 Includes and Remote files 230
- 6.237 18.14 File upload 232
- 6.238 18.15 Old, unreferenced files 234
- 6.239 18.16 Second Order Injection 234
- 6.240 18.17 Further Reading 235
- 6.241 18.18 File System 235
- 6.242 19.1 Objective 237
- 6.243 19.2 Environments Affected 237
- 6.244 19.3 Relevant COBIT Topics 237
- 6.245 19.4 Best Practices 237
- 6.246 19.5 Race conditions 237
- 6.247 19.6 Distributed synchronization 237
- 6.248 19.7 Further Reading 238
- 6.249 20.1 Objective 239
- 6.250 20.2 Platforms Affected 239
- 6.251 20.3 Relevant COBIT Topics 239
- 6.252 20.4 Description 239
- 6.253 20.5 General Prevention Techniques 240
- 6.254 20.6 Stack Overflow 241
- 6.255 20.7 Heap Overflow 242
- 6.256 20.8 Format String 243
- 6.257 20.9 Unicode Overflow 245
- 6.258 20.10 Integer Overflow 246
- 6.259 20.11 Further reading 247
- 6.260 21.1 Objective 249
- 6.261 21.2 Environments Affected 249
- 6.262 21.3 Relevant COBIT Topics 249
- 6.263 21.4 Best practices 249
- 6.264 21.5 Administrators are not users 250
- 6.265 21.6 Authentication for high value systems 250
- 6.266 21.7 Further Reading 251
- 6.267 22.1 Objective 252
- 6.268 22.2 Platforms Affected 252
- 6.269 22.3 Relevant COBIT Topics 252
- 6.270 22.4 Description 252
- 6.271 22.5 Cryptographic Functions 253
- 6.272 22.6 Cryptographic Algorithms 253
- 6.273 22.7 Algorithm Selection 255
- 6.274 22.8 Key Storage 256
- 6.275 22.9 Insecure transmission of secrets 258
- 6.276 22.10 Reversible Authentication Tokens 259
- 6.277 22.11 Safe UUID generation 260
- 6.278 22.12 Summary 260
- 6.279 22.13 Further Reading 261
- 6.280 22.14 Cryptography 261
- 6.281 23.1 Objective 266
- 6.282 23.2 Platforms Affected 266
- 6.283 23.3 Relevant COBIT Topics 266
- 6.284 23.4 Best Practices 266
- 6.285 23.5 Default passwords 266
- 6.286 23.6 Secure connection strings 267
- 6.287 23.7 Secure network transmission 267
- 6.288 23.8 Encrypted data 268
- 6.289 23.9 PHP Configuration 268
- 6.290 23.10 Global variables 268
- 6.291 23.11 register_globals 269
- 6.292 23.12 Database security 272
- 6.293 23.13 Further Reading 273
- 6.294 23.14 ColdFusion Components (CFCs) 273
- 6.295 23.15 Configuration 274
- 6.296 24.1 Objective 281
- 6.297 24.2 Platforms Affected 281
- 6.298 24.3 Best practices 281
- 6.299 24.4 Process 283
- 6.300 24.5 Metrics 283
- 6.301 24.6 Testing Activities 284
- 6.302 25.1 Objective 286
- 6.303 25.2 Platforms Affected 286
- 6.304 25.3 Best Practices 286
- 6.305 25.4 Release Management 287
- 6.306 25.5 Secure delivery of code 287
- 6.307 25.6 Code signing 288
- 6.308 25.7 Permissions are set to least privilege 288
- 6.309 25.8 Automated packaging 288
- 6.310 25.9 Automated deployment 289
- 6.311 25.10 Automated removal 289
- 6.312 25.11 No backup or old files 289
- 6.313 25.12 Unnecessary features are off by default 289
- 6.314 25.13 Setup log files are clean 289
- 6.315 25.14 No default accounts 290
- 6.316 25.15 Easter eggs 290
- 6.317 25.16 Malicious software 291
- 6.318 25.17 Further Reading 292
- 6.319 26.1 Objective 294
- 6.320 26.2 Platforms Affected 294
- 6.321 26.3 Relevant COBIT Topics 294
- 6.322 26.4 Best Practices 294
- 6.323 26.5 Security Incident Response 295
- 6.324 26.6 Fix Security Issues Correctly 295
- 6.325 26.7 Update Notifications 296
- 6.326 26.8 Regularly check permissions 296
- 6.327 26.9 Further Reading 297
- 6.328 26.10 297
- 6.329 26.11 Maintenance 297
- 6.330 27.1 PREAMBLE 301
- 6.331 27.2 APPLICABILITY AND DEFINITIONS 301
- 6.332 27.3 VERBATIM COPYING 302
- 6.333 27.4 COPYING IN QUANTITY 303
- 6.334 27.5 MODIFICATIONS 303
- 6.335 27.6 COMBINING DOCUMENTS 305
- 6.336 27.7 COLLECTIONS OF DOCUMENTS 305
- 6.337 27.8 AGGREGATION WITH INDEPENDENT WORKS 306
- 6.338 27.9 TRANSLATION 306
- 6.339 27.10 TERMINATION 306
- 6.340 27.11 FUTURE REVISIONS OF THIS LICENSE 306
=========Frontispiece =========
Dedication
To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible. Andrew van der Stock
Copyright and license
© 2001 – 2006 OWASP Foundation. The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.
Editors
The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. Guide 2.x series editors:
Andrew van der Stock Adrian Wiesmann
Authors and Reviewers
The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:
Abraham Kang
Adrian Wiesmann
Amit Klein
Andrew van der Stock
Brian Greidanus
Christopher Todd
Darrel Grundy
Daniel Cornell
David Endler
Denis Pilipchuk
Dennis Groves
Derek Browne
Eoin Keary
Erik Lee
Ernesto Arroyo
Frank Lemmon
Gene McKenna
Hal Lockhart
Izhar By-Gad
Jeremy Poteet
José Pedro Arroyo
K.K. Mookhey
Kevin McLaughlin
Martin Eizner
Michael Howard
Michael Scovetta
Mikael Simonsson
Neal Krawetz
Nigel Tranter
Raoul Endres
Ray Stirbei
Richard Parke
Robert Hansen
Roy McNamara
Steve Taylor
Sverre Huseby
Tim Smith
William Hau
Revision History
Date Version Pages Notes July 26, 2005 2.0 Blackhat Edition 280 pages Andrew van der Stock, Guide Lead July 27, 2005 2.0.1 Blackhat Edition++ 293 pages Cryptography chapter review from Michael Howard incorporated September 12, 2005 2.1 DRAFT 1 X pages Changes from many sources New SQA chapter from Frank Lemmon January 2006 2.1 DRAFT 2 X pages Changes from Bill Pollock New chapters from Erick Lee New revisions from Dan Cornell February 2006 2.1 DRAFT 3 X pages Ajax chapter Many chapters back from reviewers
| Date | Version | Pages | Notes |
| July 26, 2005 | 2.0 Blackhat Edition | 280 pages | Andrew van der Stock, Guide Lead |
| July 27, 2005 | 2.0.1 Blackhat Edition++ | 293 pages | Cryptography chapter review
from Michael Howard incorporated |
| September 12, 2005 | 2.1 DRAFT 1 | X pages | Changes from many sources
New SQA chapter from Frank Lemmon |
| January 2006 | 2.1 DRAFT 2 | X pages | Changes from Bill Pollock
New chapters from Erick Lee New revisions from Dan Cornell |
| February 2006 | 2.1 DRAFT 3 | X pages | Ajax chapter
Many chapters back from reviewers |
=========Table of Contents =========
1 ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT 13
1.1 Structure and Licensing 13
1.2 Participation and Membership 13
1.3 Projects 14
2 INTRODUCTION 15
2.1 Developing Secure Applications 15
2.2 Improvements in this edition 15
2.3 How to use this Guide 16
2.4 Updates and errata 16
2.5 With thanks 16
3 WHAT ARE WEB APPLICATIONS? 17
3.1 Technologies 18
3.2 First generation – CGI 18
3.3 Filters 18
3.4 Scripting 19
3.5 Web application frameworks – J2EE and ASP.NET 20
3.6 Small to medium scale applications 21
3.7 Large scale applications 22
3.8 View 22
3.9 Controller 22
3.10 Model 23
3.11 Conclusion 24
4 POLICY FRAMEWORKS 25
4.1 Organizational commitment to security 25
4.2 OWASP’s Place at the Framework table 26
4.3 Development Methodology 28
4.4 Coding Standards 29
4.5 Source Code Control 29
4.6 Summary 30
5 SECURE CODING PRINCIPLES 31
5.1 Asset Classification 31
5.2 About attackers 31
5.3 Core pillars of information security 32
5.4 Security Architecture 32
5.5 Security Principles 33
6 THREAT RISK MODELING 37
6.1 Threat Risk Modeling 37
6.2 Performing threat risk modeling using the Microsoft Threat Modeling Process 37
6.3 Alternative Threat Modeling Systems 44
6.4 Trike 44
6.5 AS/NZS 4360:2004 Risk Management 44
6.6 CVSS 45
6.7 OCTAVE 46
6.8 Conclusion 47
6.9 Further Reading 47
7 HANDLING E-COMMERCE PAYMENTS 49
7.1 Objectives 49
7.2 Compliance and Laws 49
7.3 PCI Compliance 49
7.4 Handling Credit Cards 50
7.5 Further Reading 53
8 PHISHING 55
8.1 What is phishing? 55
8.2 User Education 56
8.3 Make it easy for your users to report scams 57
8.4 Communicating with customers via e-mail 57
8.5 Never ask your customers for their secrets 58
8.6 Fix all your XSS issues 58
8.7 Do not use pop-ups 59
8.8 Don’t be framed 59
8.9 Move your application one link away from your front page 59
8.10 Enforce local referrers for images and other resources 59
8.11 Keep the address bar, use SSL, do not use IP addresses 60
8.12 Don’t be the source of identity theft 60
8.13 Implement safe-guards within your application 61
8.14 Monitor unusual account activity 61
8.15 Get the phishing target servers offline pronto 62
8.16 Take control of the fraudulent domain name 62
8.17 Work with law enforcement 63
8.18 When an attack happens 63
8.19 Further Reading 63
9 WEB SERVICES 64
Securing Web Services 64
Communication security 65
Passing credentials 65
Ensuring message freshness 66
Protecting message integrity 66
Protecting message confidentiality 67
Access control 67
Audit 68
Web Services Security Hierarchy 68
SOAP 69
WS-Security Standard 70
WS-Security Building Blocks 72
Communication Protection Mechanisms 78
Access Control Mechanisms 80
Forming Web Service Chains 82
Available Implementations 83
Problems 85
Further Reading 87
10 AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5
10.1 Objective 5
10.2 Platforms Affected 5
10.3 Architecture 5
10.4 Access control: Authentication and Authorization 5
10.5 Silent transactional authorization 5
10.6 Untrusted or absent session data 5
10.7 State management 5
10.8 Tamper resistance 5
10.9 Privacy 5
10.10 Proxy Façade 5
10.11 SOAP Injection Attacks 5
10.12 XMLRPC Injection Attacks 5
10.13 DOM Injection Attacks 5
10.14 XML Injection Attacks 5
10.15 JSON (Javascript Object Notation) Injection Attacks 5
10.16 Encoding safety 5
10.17 Auditing 5
10.18 Error Handling 5
10.19 Accessibility 5
10.20 Further Reading 5
11 AUTHENTICATION 108
11.1 Objective 108
11.2 Environments Affected 108
11.3 Relevant COBIT Topics 108
11.4 Best Practices 108
11.5 Common web authentication techniques 109
11.6 Strong Authentication 111
11.7 Federated Authentication 115
11.8 Client side authentication controls 117
11.9 Positive Authentication 118
11.10 Multiple Key Lookups 120
11.11 Referer Checks 122
11.12 Browser remembers passwords 123
11.13 Default accounts 124
11.14 Choice of usernames 125
11.15 Change passwords 126
11.16 Short passwords 126
11.17 Weak password controls 127
11.18 Reversible password encryption 128
11.19 Automated password resets 128
11.20 Brute Force 130
11.21 Remember Me 131
11.22 Idle Timeouts 132
11.23 Logout 132
11.24 Account Expiry 133
11.25 Self registration 134
11.26 CAPTCHA 134
11.27 Further Reading 135
11.28 Authentication 136
12 AUTHORIZATION 148
12.1 Objectives 148
12.2 Environments Affected 148
12.3 Relevant COBIT Topics 148
12.4 Best Practices 148
12.5 Best Practices in Action 149
12.6 Principle of least privilege 150
12.7 Centralized authorization routines 152
12.8 Authorization matrix 152
12.9 Controlling access to protected resources 153
12.10 Protecting access to static resources 153
12.11 Reauthorization for high value activities or after idle out 154
12.12 Time based authorization 154
12.13 Be cautious of custom authorization controls 154
12.14 Never implement client-side authorization tokens 155
12.15 Further Reading 156
13 SESSION MANAGEMENT 157
13.1 Objective 157
13.2 Environments Affected 157
13.3 Relevant COBIT Topics 157
13.4 Description 157
13.5 Best practices 158
13.6 Exposed Session Variables 159
13.7 Page and Form Tokens 159
13.8 Weak Session Cryptographic Algorithms 160
13.9 Session Token Entropy 161
13.10 Session Time-out 161
13.11 Regeneration of Session Tokens 162
13.12 Session Forging/Brute-Forcing Detection and/or Lockout 163
13.13 Session Token Capture and Session Hijacking 163
13.14 Session Tokens on Logout 165
13.15 Session Validation Attacks 165
13.16 PHP 166
13.17 Sessions 166
13.18 Further Reading 167
13.19 Session Management 168
14 DATA VALIDATION 173
14.1 Objective 173
14.2 Platforms Affected 173
14.3 Relevant COBIT Topics 173
14.4 Description 173
14.5 Definitions 173
14.6 Where to include integrity checks 174
14.7 Where to include validation 174
14.8 Where to include business rule validation 174
14.9 Data Validation Strategies 175
14.10 Prevent parameter tampering 177
14.11 Hidden fields 178
14.12 ASP.NET Viewstate 179
14.13 URL encoding 182
14.14 HTML encoding 182
14.15 Encoded strings 183
14.16 Data Validation and Interpreter Injection 183
14.17 186
14.18 Delimiter and special characters 186
14.19 Further Reading 187
15 INTERPRETER INJECTION 188
15.1 Objective 188
15.2 Platforms Affected 188
15.3 Relevant COBIT Topics 188
15.4 User Agent Injection 188
15.5 HTTP Response Splitting 192
15.6 SQL Injection 193
15.7 ORM Injection 193
15.8 LDAP Injection 194
15.9 XML Injection 196
15.10 Code Injection 196
15.11 Further Reading 197
15.12 SQL-injection 199
15.13 Code Injection 202
15.14 Command injection 202
16 CANONCALIZATION, LOCALE AND UNICODE 203
16.1 Objective 203
16.2 Platforms Affected 203
16.3 Relevant COBIT Topics 203
16.4 Description 203
16.5 Unicode 204
16.6 http://www.ietf.org/rfc/rfc2279.txt?number=2279 206
16.7 Input Formats 206
16.8 Locale assertion 207
16.9 Double (or n-) encoding 207
16.10 HTTP Request Smuggling 208
16.11 Further Reading 208
17 ERROR HANDLING, AUDITING AND LOGGING 210
17.1 Objective 210
17.2 Environments Affected 210
17.3 Relevant COBIT Topics 210
17.4 Description 210
17.5 Best practices 211
17.6 Error Handling 211
17.7 Detailed error messages 212
17.8 Logging 213
17.9 Noise 216
17.10 Cover Tracks 216
17.11 False Alarms 217
17.12 Destruction 218
17.13 Audit Trails 218
17.14 Further Reading 219
17.15 Error Handling and Logging 219
18 FILE SYSTEM 226
18.1 Objective 226
18.2 Environments Affected 226
18.3 Relevant COBIT Topics 226
18.4 Description 226
18.5 Best Practices 226
18.6 Defacement 226
18.7 Path traversal 227
18.8 Insecure permissions 228
18.9 Insecure Indexing 228
18.10 Unmapped files 229
18.11 Temporary files 229
18.12 PHP 230
18.13 Includes and Remote files 230
18.14 File upload 232
18.15 Old, unreferenced files 234
18.16 Second Order Injection 234
18.17 Further Reading 235
18.18 File System 235
19 DISTRIBUTED COMPUTING 237
19.1 Objective 237
19.2 Environments Affected 237
19.3 Relevant COBIT Topics 237
19.4 Best Practices 237
19.5 Race conditions 237
19.6 Distributed synchronization 237
19.7 Further Reading 238
20 BUFFER OVERFLOWS 239
20.1 Objective 239
20.2 Platforms Affected 239
20.3 Relevant COBIT Topics 239
20.4 Description 239
20.5 General Prevention Techniques 240
20.6 Stack Overflow 241
20.7 Heap Overflow 242
20.8 Format String 243
20.9 Unicode Overflow 245
20.10 Integer Overflow 246
20.11 Further reading 247
21 ADMINISTRATIVE INTERFACES 249
21.1 Objective 249
21.2 Environments Affected 249
21.3 Relevant COBIT Topics 249
21.4 Best practices 249
21.5 Administrators are not users 250
21.6 Authentication for high value systems 250
21.7 Further Reading 251
22 CRYPTOGRAPHY 252
22.1 Objective 252
22.2 Platforms Affected 252
22.3 Relevant COBIT Topics 252
22.4 Description 252
22.5 Cryptographic Functions 253
22.6 Cryptographic Algorithms 253
22.7 Algorithm Selection 255
22.8 Key Storage 256
22.9 Insecure transmission of secrets 258
22.10 Reversible Authentication Tokens 259
22.11 Safe UUID generation 260
22.12 Summary 260
22.13 Further Reading 261
22.14 Cryptography 261
23 CONFIGURATION 266
23.1 Objective 266
23.2 Platforms Affected 266
23.3 Relevant COBIT Topics 266
23.4 Best Practices 266
23.5 Default passwords 266
23.6 Secure connection strings 267
23.7 Secure network transmission 267
23.8 Encrypted data 268
23.9 PHP Configuration 268
23.10 Global variables 268
23.11 register_globals 269
23.12 Database security 272
23.13 Further Reading 273
23.14 ColdFusion Components (CFCs) 273
23.15 Configuration 274
24 SOFTWARE QUALITY ASSURANCE 281
24.1 Objective 281
24.2 Platforms Affected 281
24.3 Best practices 281
24.4 Process 283
24.5 Metrics 283
24.6 Testing Activities 284
25 DEPLOYMENT 286
25.1 Objective 286
25.2 Platforms Affected 286
25.3 Best Practices 286
25.4 Release Management 287
25.5 Secure delivery of code 287
25.6 Code signing 288
25.7 Permissions are set to least privilege 288
25.8 Automated packaging 288
25.9 Automated deployment 289
25.10 Automated removal 289
25.11 No backup or old files 289
25.12 Unnecessary features are off by default 289
25.13 Setup log files are clean 289
25.14 No default accounts 290
25.15 Easter eggs 290
25.16 Malicious software 291
25.17 Further Reading 292
26 MAINTENANCE 294
26.1 Objective 294
26.2 Platforms Affected 294
26.3 Relevant COBIT Topics 294
26.4 Best Practices 294
26.5 Security Incident Response 295
26.6 Fix Security Issues Correctly 295
26.7 Update Notifications 296
26.8 Regularly check permissions 296
26.9 Further Reading 297
26.10 297
26.11 Maintenance 297
27 'GNU FREE DOCUMENTATION LICENSE 301'
