Revision as of 12:10, 18 May 2006

A Guide to Building Secure Web Applications and Web Services

2.1 (DRAFT 3) February 2006

OWASP Foundation

1 Frontispiece
2 Table of Contents

Frontispiece

Dedication

To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible. Andrew van der Stock

Copyright and license

© 2001 – 2006 OWASP Foundation. The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.

Editors

The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. Guide 2.x series editors:

Andrew van der Stock Adrian Wiesmann

Authors and Reviewers

The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:

Abraham Kang Adrian Wiesmann Amit Klein Andrew van der Stock Brian Greidanus Christopher Todd Darrel Grundy Daniel Cornell David Endler Denis Pilipchuk Dennis Groves Derek Browne Eoin Keary Erik Lee Ernesto Arroyo Frank Lemmon Gene McKenna Hal Lockhart Izhar By-Gad Jeremy Poteet José Pedro Arroyo K.K. Mookhey Kevin McLaughlin Martin Eizner Michael Howard Michael Scovetta Mikael Simonsson Neal Krawetz Nigel Tranter Raoul Endres Ray Stirbei Richard Parke Robert Hansen Roy McNamara Steve Taylor Sverre Huseby Tim Smith William Hau

Revision History

Date Version Pages Notes July 26, 2005 2.0 Blackhat Edition 280 pages Andrew van der Stock, Guide Lead July 27, 2005 2.0.1 Blackhat Edition++ 293 pages Cryptography chapter review from Michael Howard incorporated September 12, 2005 2.1 DRAFT 1 X pages Changes from many sources New SQA chapter from Frank Lemmon January 2006 2.1 DRAFT 2 X pages Changes from Bill Pollock New chapters from Erick Lee New revisions from Dan Cornell February 2006 2.1 DRAFT 3 X pages Ajax chapter Many chapters back from reviewers

Date	Version	Pages	Notes
July 26, 2005	2.0 Blackhat Edition	280 pages	Andrew van der Stock, Guide Lead
July 27, 2005	2.0.1 Blackhat Edition++	293 pages	Cryptography chapter review from Michael Howard incorporated
September 12, 2005	2.1 DRAFT 1	X pages	Changes from many sources New SQA chapter from Frank Lemmon
January 2006	2.1 DRAFT 2	X pages	Changes from Bill Pollock New chapters from Erick Lee New revisions from Dan Cornell
February 2006	2.1 DRAFT 3	X pages	Ajax chapter Many chapters back from reviewers

@@ Line 1: / Line 1: @@
-A Guide to Building Secure Web Applications and Web Services
+A Guide to Building Secure Web Applications and
+Web Services
-.1 (DRAFT 3)
+.1 	(DRAFT 3)
 February 2006
 OWASP Foundation
@@ Line 99: / Line 102: @@
 =Table of Contents =
-'''1'''	'''ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT	13'''
+==ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT==
-===1.1	Structure and Licensing	13 ===
+===Structure and Licensing	13 ===
-===1.2	Participation and Membership	13 ===
+===Participation and Membership	13 ===
-===1.3	Projects	14 ===
+===Projects	14 ===
-'''2'''	'''INTRODUCTION	15'''
+==INTRODUCTION	==
-===2.1	Developing Secure Applications	15 ===
+===Developing Secure Applications	15 ===
-===2.2	Improvements in this edition	15 ===
+===Improvements in this edition	15 ===
-===2.3	How to use this Guide	16 ===
+===How to use this Guide	16 ===
-===2.4	Updates and errata	16 ===
+===Updates and errata	16 ===
-===2.5	With thanks	16 ===
+===With thanks	16 ===
-'''3'''	'''WHAT ARE WEB APPLICATIONS?	17'''
+==WHAT ARE WEB APPLICATIONS?	==
-===3.1	Technologies	18 ===
+===Technologies	18 ===
-===3.2	First generation – CGI	18 ===
+===First generation – CGI	18 ===
-===3.3	Filters	18 ===
+===Filters	18 ===
-===3.4	Scripting	19 ===
+===Scripting	19 ===
-===3.5	Web application frameworks – J2EE and ASP.NET	20 ===
+===Web application frameworks – J2EE and ASP.NET	20 ===
-===3.6	Small to medium scale applications	21 ===
+===Small to medium scale applications	21 ===
-===3.7	Large scale applications	22 ===
+===Large scale applications	22 ===
-===3.8	View	22 ===
+===View	22 ===
-===3.9	Controller	22 ===
+===Controller	22 ===
-===3.10	Model	23 ===
+===Model	23 ===
-===3.11	Conclusion	24 ===
+===Conclusion	24 ===
-'''4'''	'''POLICY FRAMEWORKS	25'''
+==POLICY FRAMEWORKS	==
-===4.1	Organizational commitment to security	25 ===
+===Organizational commitment to security	25 ===
-===4.2	OWASP’s Place at the Framework table	26 ===
+===OWASP’s Place at the Framework table	26 ===
-===4.3	Development Methodology	28 ===
+===Development Methodology	28 ===
-===4.4	Coding Standards	29 ===
+===Coding Standards	29 ===
-===4.5	Source Code Control	29 ===
+===Source Code Control	29 ===
-===4.6	Summary	30 ===
+===Summary	30 ===
-'''5'''	'''SECURE CODING PRINCIPLES	31'''
+==SECURE CODING PRINCIPLES	==
-===5.1	Asset Classification	31 ===
+===Asset Classification	31 ===
-===5.2	About attackers	31 ===
+===About attackers	31 ===
-===5.3	Core pillars of information security	32 ===
+===Core pillars of information security	32 ===
-===5.4	Security Architecture	32 ===
+===Security Architecture	32 ===
-===5.5	Security Principles	33 ===
+===Security Principles	33 ===
-'''6'''	'''THREAT RISK MODELING	37'''
+==THREAT RISK MODELING	==
-===6.1	Threat Risk Modeling	37 ===
+===Threat Risk Modeling	37 ===
-===6.2	Performing threat risk modeling using the Microsoft Threat Modeling Process	37 ===
+===Performing threat risk modeling using the Microsoft Threat Modeling Process	37 ===
-===6.3	Alternative Threat Modeling Systems	44 ===
+===Alternative Threat Modeling Systems	44 ===
-===6.4	Trike	44 ===
+===Trike	44 ===
-===6.5	AS/NZS 4360:2004 Risk Management	44 ===
+===AS/NZS 4360:2004 Risk Management	44 ===
-===6.6	CVSS	45 ===
+===CVSS	45 ===
-===6.7	OCTAVE	46 ===
+===OCTAVE	46 ===
-===6.8	Conclusion	47 ===
+===Conclusion	47 ===
-===6.9	Further Reading	47 ===
+===Further Reading	47 ===
-'''7'''	'''HANDLING E-COMMERCE PAYMENTS	49'''
+==HANDLING E-COMMERCE PAYMENTS	==
-===7.1	Objectives	49 ===
+===Objectives	49 ===
-===7.2	Compliance and Laws	49 ===
+===Compliance and Laws	49 ===
-===7.3	PCI Compliance	49 ===
+===PCI Compliance	49 ===
-===7.4	Handling Credit Cards	50 ===
+===Handling Credit Cards	50 ===
-===7.5	Further Reading	53 ===
+===Further Reading	53 ===
-'''8'''	'''PHISHING	55'''
+==PHISHING	==
-===8.1	What is phishing?	55 ===
+===What is phishing?	55 ===
-===8.2	User Education	56 ===
+===User Education	56 ===
-===8.3	Make it easy for your users to report scams	57 ===
+===Make it easy for your users to report scams	57 ===
-===8.4	Communicating with customers via e-mail	57 ===
+===Communicating with customers via e-mail	57 ===
-===8.5	Never ask your customers for their secrets	58 ===
+===Never ask your customers for their secrets	58 ===
-===8.6	Fix all your XSS issues	58 ===
+===Fix all your XSS issues	58 ===
-===8.7	Do not use pop-ups	59 ===
+===Do not use pop-ups	59 ===
-===8.8	Don’t be framed	59 ===
+===Don’t be framed	59 ===
-===8.9	Move your application one link away from your front page	59 ===
+===Move your application one link away from your front page	59 ===
-===8.10	Enforce local referrers for images and other resources	59 ===
+===Enforce local referrers for images and other resources	59 ===
-===8.11	Keep the address bar, use SSL, do not use IP addresses	60 ===
+===Keep the address bar, use SSL, do not use IP addresses	60 ===
-===8.12	Don’t be the source of identity theft	60 ===
+===Don’t be the source of identity theft	60 ===
-===8.13	Implement safe-guards within your application	61 ===
+===Implement safe-guards within your application	61 ===
-===8.14	Monitor unusual account activity	61 ===
+===Monitor unusual account activity	61 ===
-===8.15	Get the phishing target servers offline pronto	62 ===
+===Get the phishing target servers offline pronto	62 ===
-===8.16	Take control of the fraudulent domain name	62 ===
+===Take control of the fraudulent domain name	62 ===
-===8.17	Work with law enforcement	63 ===
+===Work with law enforcement	63 ===
-===8.18	When an attack happens	63 ===
+===When an attack happens	63 ===
-===8.19	Further Reading	63 ===
+===Further Reading	63 ===
-'''9'''	'''WEB SERVICES	64'''
+==WEB SERVICES	==
 ===Securing Web Services	64 ===
 ===Communication security	65 ===
@@ Line 189: / Line 192: @@
 ===Problems	85 ===
 ===Further Reading	87 ===
-'''10'''	'''AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES	5'''
+==AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES	5'''
-===10.1	Objective	5 ===
+===Objective	5 ===
-===10.2	Platforms Affected	5 ===
+===Platforms Affected	5 ===
-===10.3	Architecture	5 ===
+===Architecture	5 ===
-===10.4	Access control: Authentication and Authorization	5 ===
+===Access control: Authentication and Authorization	5 ===
-===10.5	Silent transactional authorization	5 ===
+===Silent transactional authorization	5 ===
-===10.6	Untrusted or absent session data	5 ===
+===Untrusted or absent session data	5 ===
-===10.7	State management	5 ===
+===State management	5 ===
-===10.8	Tamper resistance	5 ===
+===Tamper resistance	5 ===
-===10.9	Privacy	5 ===
+===Privacy	5 ===
-===10.10	Proxy Façade	5 ===
+===Proxy Façade	5 ===
-===10.11	SOAP Injection Attacks	5 ===
+===SOAP Injection Attacks	5 ===
-===10.12	XMLRPC Injection Attacks	5 ===
+===XMLRPC Injection Attacks	5 ===
-===10.13	DOM Injection Attacks	5 ===
+===DOM Injection Attacks	5 ===
-===10.14	XML Injection Attacks	5 ===
+===XML Injection Attacks	5 ===
-===10.15	JSON (Javascript Object Notation) Injection Attacks	5 ===
+===JSON (Javascript Object Notation) Injection Attacks	5 ===
-===10.16	Encoding safety	5 ===
+===Encoding safety	5 ===
-===10.17	Auditing	5 ===
+===Auditing	5 ===
-===10.18	Error Handling	5 ===
+===Error Handling	5 ===
-===10.19	Accessibility	5 ===
+===Accessibility	5 ===
-===10.20	Further Reading	5 ===
+===Further Reading	5 ===
-'''11'''	'''AUTHENTICATION	108'''
+==AUTHENTICATION	==
-===11.1	Objective	108 ===
+===Objective	108 ===
-===11.2	Environments Affected	108 ===
+===Environments Affected	108 ===
-===11.3	Relevant COBIT Topics	108 ===
+===Relevant COBIT Topics	108 ===
-===11.4	Best Practices	108 ===
+===Best Practices	108 ===
-===11.5	Common web authentication techniques	109 ===
+===Common web authentication techniques	109 ===
-===11.6	Strong Authentication	111 ===
+===Strong Authentication	111 ===
-===11.7	Federated Authentication	115 ===
+===Federated Authentication	115 ===
-===11.8	Client side authentication controls	117 ===
+===Client side authentication controls	117 ===
-===11.9	Positive Authentication	118 ===
+===Positive Authentication	118 ===
-===11.10	Multiple Key Lookups	120 ===
+===Multiple Key Lookups	120 ===
-===11.11	Referer Checks	122 ===
+===Referer Checks	122 ===
-===11.12	Browser remembers passwords	123 ===
+===Browser remembers passwords	123 ===
-===11.13	Default accounts	124 ===
+===Default accounts	124 ===
-===11.14	Choice of usernames	125 ===
+===Choice of usernames	125 ===
-===11.15	Change passwords	126 ===
+===Change passwords	126 ===
-===11.16	Short passwords	126 ===
+===Short passwords	126 ===
-===11.17	Weak password controls	127 ===
+===Weak password controls	127 ===
-===11.18	Reversible password encryption	128 ===
+===Reversible password encryption	128 ===
-===11.19	Automated password resets	128 ===
+===Automated password resets	128 ===
-===11.20	Brute Force	130 ===
+===Brute Force	130 ===
-===11.21	Remember Me	131 ===
+===Remember Me	131 ===
-===11.22	Idle Timeouts	132 ===
+===Idle Timeouts	132 ===
-===11.23	Logout	132 ===
+===Logout	132 ===
-===11.24	Account Expiry	133 ===
+===Account Expiry	133 ===
-===11.25	Self registration	134 ===
+===Self registration	134 ===
-===11.26	CAPTCHA	134 ===
+===CAPTCHA	134 ===
-===11.27	Further Reading	135 ===
+===Further Reading	135 ===
-===11.28	Authentication	136 ===
+===Authentication	136 ===
-'''12'''	'''AUTHORIZATION	148'''
+==AUTHORIZATION	==
-===12.1	Objectives	148 ===
+===Objectives	148 ===
-===12.2	Environments Affected	148 ===
+===Environments Affected	148 ===
-===12.3	Relevant COBIT Topics	148 ===
+===Relevant COBIT Topics	148 ===
-===12.4	Best Practices	148 ===
+===Best Practices	148 ===
-===12.5	Best Practices in Action	149 ===
+===Best Practices in Action	149 ===
-===12.6	Principle of least privilege	150 ===
+===Principle of least privilege	150 ===
-===12.7	Centralized authorization routines	152 ===
+===Centralized authorization routines	152 ===
-===12.8	Authorization matrix	152 ===
+===Authorization matrix	152 ===
-===12.9	Controlling access to protected resources	153 ===
+===Controlling access to protected resources	153 ===
-===12.10	Protecting access to static resources	153 ===
+===Protecting access to static resources	153 ===
-===12.11	Reauthorization for high value activities or after idle out	154 ===
+===Reauthorization for high value activities or after idle out	154 ===
-===12.12	Time based authorization	154 ===
+===Time based authorization	154 ===
-===12.13	Be cautious of custom authorization controls	154 ===
+===Be cautious of custom authorization controls	154 ===
-===12.14	Never implement client-side authorization tokens	155 ===
+===Never implement client-side authorization tokens	155 ===
-===12.15	Further Reading	156 ===
+===Further Reading	156 ===
-'''13'''	'''SESSION MANAGEMENT	157'''
+==SESSION MANAGEMENT	==
-===13.1	Objective	157 ===
+===Objective	157 ===
-===13.2	Environments Affected	157 ===
+===Environments Affected	157 ===
-===13.3	Relevant COBIT Topics	157 ===
+===Relevant COBIT Topics	157 ===
-===13.4	Description	157 ===
+===Description	157 ===
-===13.5	Best practices	158 ===
+===Best practices	158 ===
-===13.6	Exposed Session Variables	159 ===
+===Exposed Session Variables	159 ===
-===13.7	Page and Form Tokens	159 ===
+===Page and Form Tokens	159 ===
-===13.8	Weak Session Cryptographic Algorithms	160 ===
+===Weak Session Cryptographic Algorithms	160 ===
-===13.9	Session Token Entropy	161 ===
+===Session Token Entropy	161 ===
-===13.10	Session Time-out	161 ===
+===Session Time-out	161 ===
-===13.11	Regeneration of Session Tokens	162 ===
+===Regeneration of Session Tokens	162 ===
-===13.12	Session Forging/Brute-Forcing Detection and/or Lockout	163 ===
+===Session Forging/Brute-Forcing Detection and/or Lockout	163 ===
-===13.13	Session Token Capture and Session Hijacking	163 ===
+===Session Token Capture and Session Hijacking	163 ===
-===13.14	Session Tokens on Logout	165 ===
+===Session Tokens on Logout	165 ===
-===13.15	Session Validation Attacks	165 ===
+===Session Validation Attacks	165 ===
-===13.16	PHP	166 ===
+===PHP	166 ===
-===13.17	Sessions	166 ===
+===Sessions	166 ===
-===13.18	Further Reading	167 ===
+===Further Reading	167 ===
-===13.19	Session Management	168 ===
+===Session Management	168 ===
-'''14'''	'''DATA VALIDATION	173'''
+==DATA VALIDATION	==
-===14.1	Objective	173 ===
+===Objective	173 ===
-===14.2	Platforms Affected	173 ===
+===Platforms Affected	173 ===
-===14.3	Relevant COBIT Topics	173 ===
+===Relevant COBIT Topics	173 ===
-===14.4	Description	173 ===
+===Description	173 ===
-===14.5	Definitions	173 ===
+===Definitions	173 ===
-===14.6	Where to include integrity checks	174 ===
+===Where to include integrity checks	174 ===
-===14.7	Where to include validation	174 ===
+===Where to include validation	174 ===
-===14.8	Where to include business rule validation	174 ===
+===Where to include business rule validation	174 ===
-===14.9	Data Validation Strategies	175 ===
+===Data Validation Strategies	175 ===
-===14.10	Prevent parameter tampering	177 ===
+===Prevent parameter tampering	177 ===
-===14.11	Hidden fields	178 ===
+===Hidden fields	178 ===
-===14.12	ASP.NET Viewstate	179 ===
+===ASP.NET Viewstate	179 ===
-===14.13	URL encoding	182 ===
+===URL encoding	182 ===
-===14.14	HTML encoding	182 ===
+===HTML encoding	182 ===
-===14.15	Encoded strings	183 ===
+===Encoded strings	183 ===
-===14.16	Data Validation and Interpreter Injection	183 ===
+===Data Validation and Interpreter Injection	183 ===
-===14.17	186 ===
+===Delimiter and special characters	186 ===
-===14.18	Delimiter and special characters	186 ===
+===Further Reading	187 ===
-===14.19	Further Reading	187 ===
+==INTERPRETER INJECTION	==
-'''15'''	'''INTERPRETER INJECTION	188'''
+===Objective	188 ===
-===15.1	Objective	188 ===
+===Platforms Affected	188 ===
-===15.2	Platforms Affected	188 ===
+===Relevant COBIT Topics	188 ===
-===15.3	Relevant COBIT Topics	188 ===
+===User Agent Injection	188 ===
-===15.4	User Agent Injection	188 ===
+===HTTP Response Splitting	192 ===
-===15.5	HTTP Response Splitting	192 ===
+===SQL Injection	193 ===
-===15.6	SQL Injection	193 ===
+===ORM Injection	193 ===
-===15.7	ORM Injection	193 ===
+===LDAP Injection	194 ===
-===15.8	LDAP Injection	194 ===
+===XML Injection	196 ===
-===15.9	XML Injection	196 ===
+===Code Injection	196 ===
-===15.10	Code Injection	196 ===
+===Further Reading	197 ===
-===15.11	Further Reading	197 ===
+===SQL-injection	199 ===
-===15.12	SQL-injection	199 ===
+===Code Injection	202 ===
-===15.13	Code Injection	202 ===
+===Command injection	202 ===
-===15.14	Command injection	202 ===
+==CANONCALIZATION, LOCALE AND UNICODE	==
-'''16'''	'''CANONCALIZATION, LOCALE AND UNICODE	203'''
+===Objective	203 ===
-===16.1	Objective	203 ===
+===Platforms Affected	203 ===
-===16.2	Platforms Affected	203 ===
+===Relevant COBIT Topics	203 ===
-===16.3	Relevant COBIT Topics	203 ===
+===Description	203 ===
-===16.4	Description	203 ===
+===Unicode	204 ===
-===16.5	Unicode	204 ===
+===http://www.ietf.org/rfc/rfc2279.txt?number=2279	206 ===
-===16.6	http://www.ietf.org/rfc/rfc2279.txt?number=2279	206 ===
+===Input Formats	206 ===
-===16.7	Input Formats	206 ===
+===Locale assertion	207 ===
-===16.8	Locale assertion	207 ===
+===Double (or n-) encoding	207 ===
-===16.9	Double (or n-) encoding	207 ===
+===	HTTP Request Smuggling	208 ===
-===16.10	HTTP Request Smuggling	208 ===
+===	Further Reading	208 ===
-===16.11	Further Reading	208 ===
+==ERROR HANDLING, AUDITING AND LOGGING	==
-'''17'''	'''ERROR HANDLING, AUDITING AND LOGGING	210'''
+===Objective	210 ===
-===17.1	Objective	210 ===
+===Environments Affected	210 ===
-===17.2	Environments Affected	210 ===
+===Relevant COBIT Topics	210 ===
-===17.3	Relevant COBIT Topics	210 ===
+===Description	210 ===
-===17.4	Description	210 ===
+===Best practices	211 ===
-===17.5	Best practices	211 ===
+===Error Handling	211 ===
-===17.6	Error Handling	211 ===
+===Detailed error messages	212 ===
-===17.7	Detailed error messages	212 ===
+===Logging	213 ===
-===17.8	Logging	213 ===
+===Noise	216 ===
-===17.9	Noise	216 ===
+===Cover Tracks	216 ===
-===17.10	Cover Tracks	216 ===
+===False Alarms	217 ===
-===17.11	False Alarms	217 ===
+===Destruction	218 ===
-===17.12	Destruction	218 ===
+===Audit Trails	218 ===
-===17.13	Audit Trails	218 ===
+===Further Reading	219 ===
-===17.14	Further Reading	219 ===
+===Error Handling and Logging	219 ===
-===17.15	Error Handling and Logging	219 ===
+==FILE SYSTEM	==
-'''18'''	'''FILE SYSTEM	226'''
+===Objective	226 ===
-===18.1	Objective	226 ===
+===Environments Affected	226 ===
-===18.2	Environments Affected	226 ===
+===Relevant COBIT Topics	226 ===
-===18.3	Relevant COBIT Topics	226 ===
+===Description	226 ===
-===18.4	Description	226 ===
+===Best Practices	226 ===
-===18.5	Best Practices	226 ===
+===Defacement	226 ===
-===18.6	Defacement	226 ===
+===Path traversal	227 ===
-===18.7	Path traversal	227 ===
+===Insecure permissions	228 ===
-===18.8	Insecure permissions	228 ===
+===Insecure Indexing	228 ===
-===18.9	Insecure Indexing	228 ===
+===Unmapped files	229 ===
-===18.10	Unmapped files	229 ===
+===Temporary files	229 ===
-===18.11	Temporary files	229 ===
+===PHP	230 ===
-===18.12	PHP	230 ===
+===Includes and Remote files	230 ===
-===18.13	Includes and Remote files	230 ===
+===File upload	232 ===
-===18.14	File upload	232 ===
+===Old, unreferenced files	234 ===
-===18.15	Old, unreferenced files	234 ===
+===Second Order Injection	234 ===
-===18.16	Second Order Injection	234 ===
+===Further Reading	235 ===
-===18.17	Further Reading	235 ===
+===File System	235 ===
-===18.18	File System	235 ===
+==DISTRIBUTED COMPUTING	==
-'''19'''	'''DISTRIBUTED COMPUTING	237'''
+===Objective	237 ===
-===19.1	Objective	237 ===
+===Environments Affected	237 ===
-===19.2	Environments Affected	237 ===
+===Relevant COBIT Topics	237 ===
-===19.3	Relevant COBIT Topics	237 ===
+===Best Practices	237 ===
-===19.4	Best Practices	237 ===
+===Race conditions	237 ===
-===19.5	Race conditions	237 ===
+===Distributed synchronization	237 ===
-===19.6	Distributed synchronization	237 ===
+===Further Reading	238 ===
-===19.7	Further Reading	238 ===
+==BUFFER OVERFLOWS	==
-'''20'''	'''BUFFER OVERFLOWS	239'''
+===Objective	239 ===
-===20.1	Objective	239 ===
+===Platforms Affected	239 ===
-===20.2	Platforms Affected	239 ===
+===Relevant COBIT Topics	239 ===
-===20.3	Relevant COBIT Topics	239 ===
+===Description	239 ===
-===20.4	Description	239 ===
+===General Prevention Techniques	240 ===
-===20.5	General Prevention Techniques	240 ===
+===Stack Overflow	241 ===
-===20.6	Stack Overflow	241 ===
+===Heap Overflow	242 ===
-===20.7	Heap Overflow	242 ===
+===Format String	243 ===
-===20.8	Format String	243 ===
+===Unicode Overflow	245 ===
-===20.9	Unicode Overflow	245 ===
+===Integer Overflow	246 ===
-===20.10	Integer Overflow	246 ===
+===Further reading	247 ===
-===20.11	Further reading	247 ===
+==ADMINISTRATIVE INTERFACES	==
-'''21'''	'''ADMINISTRATIVE INTERFACES	249'''
+===Objective	249 ===
-===21.1	Objective	249 ===
+===Environments Affected	249 ===
-===21.2	Environments Affected	249 ===
+===Relevant COBIT Topics	249 ===
-===21.3	Relevant COBIT Topics	249 ===
+===Best practices	249 ===
-===21.4	Best practices	249 ===
+===Administrators are not users	250 ===
-===21.5	Administrators are not users	250 ===
+===Authentication for high value systems	250 ===
-===21.6	Authentication for high value systems	250 ===
+===Further Reading	251 ===
-===21.7	Further Reading	251 ===
+==CRYPTOGRAPHY	==
-'''22'''	'''CRYPTOGRAPHY	252'''
+===Objective	252 ===
-===22.1	Objective	252 ===
+===Platforms Affected	252 ===
-===22.2	Platforms Affected	252 ===
+===Relevant COBIT Topics	252 ===
-===22.3	Relevant COBIT Topics	252 ===
+===Description	252 ===
-===22.4	Description	252 ===
+===Cryptographic Functions	253 ===
-===22.5	Cryptographic Functions	253 ===
+===Cryptographic Algorithms	253 ===
-===22.6	Cryptographic Algorithms	253 ===
+===Algorithm Selection	255 ===
-===22.7	Algorithm Selection	255 ===
+===Key Storage	256 ===
-===22.8	Key Storage	256 ===
+===Insecure transmission of secrets	258 ===
-===22.9	Insecure transmission of secrets	258 ===
+===Reversible Authentication Tokens	259 ===
-===22.10	Reversible Authentication Tokens	259 ===
+===Safe UUID generation	260 ===
-===22.11	Safe UUID generation	260 ===
+===Summary	260 ===
-===22.12	Summary	260 ===
+===Further Reading	261 ===
-===22.13	Further Reading	261 ===
+===Cryptography	261 ===
-===22.14	Cryptography	261 ===
+==CONFIGURATION	==
-'''23'''	'''CONFIGURATION	266'''
+===Objective	266 ===
-===23.1	Objective	266 ===
+===Platforms Affected	266 ===
-===23.2	Platforms Affected	266 ===
+===Relevant COBIT Topics	266 ===
-===23.3	Relevant COBIT Topics	266 ===
+===Best Practices	266 ===
-===23.4	Best Practices	266 ===
+===Default passwords	266 ===
-===23.5	Default passwords	266 ===
+===Secure connection strings	267 ===
-===23.6	Secure connection strings	267 ===
+===Secure network transmission	267 ===
-===23.7	Secure network transmission	267 ===
+===Encrypted data	268 ===
-===23.8	Encrypted data	268 ===
+===PHP Configuration	268 ===
-===23.9	PHP Configuration	268 ===
+===Global variables	268 ===
-===23.10	Global variables	268 ===
+===register_globals	269 ===
-===23.11	register_globals	269 ===
+===Database security	272 ===
-===23.12	Database security	272 ===
+===Further Reading	273 ===
-===23.13	Further Reading	273 ===
+===ColdFusion Components (CFCs)	273 ===
-===23.14	ColdFusion Components (CFCs)	273 ===
+===Configuration	274 ===
-===23.15	Configuration	274 ===
+==SOFTWARE QUALITY ASSURANCE	==
-'''24'''	'''SOFTWARE QUALITY ASSURANCE	281'''
+===Objective	281 ===
-===24.1	Objective	281 ===
+===Platforms Affected	281 ===
-===24.2	Platforms Affected	281 ===
+===Best practices	281 ===
-===24.3	Best practices	281 ===
+===Process	283 ===
-===24.4	Process	283 ===
+===Metrics	283 ===
-===24.5	Metrics	283 ===
+===Testing Activities	284 ===
-===24.6	Testing Activities	284 ===
+==DEPLOYMENT	==
-'''25'''	'''DEPLOYMENT	286'''
+===Objective	286 ===
-===25.1	Objective	286 ===
+===Platforms Affected	286 ===
-===25.2	Platforms Affected	286 ===
+===Best Practices	286 ===
-===25.3	Best Practices	286 ===
+===Release Management	287 ===
-===25.4	Release Management	287 ===
+===Secure delivery of code	287 ===
-===25.5	Secure delivery of code	287 ===
+===Code signing	288 ===
-===25.6	Code signing	288 ===
+===Permissions are set to least privilege	288 ===
-===25.7	Permissions are set to least privilege	288 ===
+===Automated packaging	288 ===
-===25.8	Automated packaging	288 ===
+===Automated deployment	289 ===
-===25.9	Automated deployment	289 ===
+===Automated removal	289 ===
-===25.10	Automated removal	289 ===
+===No backup or old files	289 ===
-===25.11	No backup or old files	289 ===
+===Unnecessary features are off by default	289 ===
-===25.12	Unnecessary features are off by default	289 ===
+===Setup log files are clean	289 ===
-===25.13	Setup log files are clean	289 ===
+===No default accounts	290 ===
-===25.14	No default accounts	290 ===
+===Easter eggs	290 ===
-===25.15	Easter eggs	290 ===
+===Malicious software	291 ===
-===25.16	Malicious software	291 ===
+===Further Reading	292 ===
-===25.17	Further Reading	292 ===
+==MAINTENANCE	==
-'''26'''	'''MAINTENANCE	294'''
+===Objective	294 ===
-===26.1	Objective	294 ===
+===Platforms Affected	294 ===
-===26.2	Platforms Affected	294 ===
+===Relevant COBIT Topics	294 ===
-===26.3	Relevant COBIT Topics	294 ===
+===Best Practices	294 ===
-===26.4	Best Practices	294 ===
+===Security Incident Response	295 ===
-===26.5	Security Incident Response	295 ===
+===Fix Security Issues Correctly	295 ===
-===26.6	Fix Security Issues Correctly	295 ===
+===Update Notifications	296 ===
-===26.7	Update Notifications	296 ===
+===Regularly check permissions	296 ===
-===26.8	Regularly check permissions	296 ===
+===Further Reading	297 ===
-===26.9	Further Reading	297 ===
+===Maintenance	297 ===
-===26.10	297 ===
+==GNU FREE DOCUMENTATION LICENSE	==
-===26.11	Maintenance	297 ===
+===PREAMBLE	301 ===
-'''27'''	''''''GNU FREE DOCUMENTATION LICENSE	301''''''
+===APPLICABILITY AND DEFINITIONS	301 ===
-===27.1	PREAMBLE	301 ===
+===VERBATIM COPYING	302 ===
-===27.2	APPLICABILITY AND DEFINITIONS	301 ===
+===COPYING IN QUANTITY	303 ===
-===27.3	VERBATIM COPYING	302 ===
+===MODIFICATIONS	303 ===
-===27.4	COPYING IN QUANTITY	303 ===
+===COMBINING DOCUMENTS	305 ===
-===27.5	MODIFICATIONS	303 ===
+===COLLECTIONS OF DOCUMENTS	305 ===
-===27.6	COMBINING DOCUMENTS	305 ===
+===AGGREGATION WITH INDEPENDENT WORKS	306 ===
-===27.7	COLLECTIONS OF DOCUMENTS	305 ===
+===TRANSLATION	306 ===
-===27.8	AGGREGATION WITH INDEPENDENT WORKS	306 ===
+===TERMINATION	306 ===
-===27.9	TRANSLATION	306 ===
+===FUTURE REVISIONS OF THIS LICENSE	306 ===
-===27.10	TERMINATION	306 ===
-===27.11	FUTURE REVISIONS OF THIS LICENSE	306 ===

Difference between revisions of "Guide:Frontispiece"

Revision as of 12:10, 18 May 2006

Frontispiece

Dedication

Copyright and license

Editors

Authors and Reviewers

Revision History

Table of Contents

ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT

Structure and Licensing 13

Participation and Membership 13

Projects 14

INTRODUCTION

Developing Secure Applications 15

Improvements in this edition 15

How to use this Guide 16

Updates and errata 16

With thanks 16

WHAT ARE WEB APPLICATIONS?

Technologies 18

First generation – CGI 18

Filters 18

Scripting 19

Web application frameworks – J2EE and ASP.NET 20

Small to medium scale applications 21

Large scale applications 22

View 22

Controller 22

Model 23

Conclusion 24

POLICY FRAMEWORKS

Organizational commitment to security 25

OWASP’s Place at the Framework table 26

Development Methodology 28

Coding Standards 29

Source Code Control 29

Summary 30

SECURE CODING PRINCIPLES

Asset Classification 31

About attackers 31

Core pillars of information security 32

Security Architecture 32

Security Principles 33

THREAT RISK MODELING

Threat Risk Modeling 37

Performing threat risk modeling using the Microsoft Threat Modeling Process 37

Alternative Threat Modeling Systems 44

Trike 44

AS/NZS 4360:2004 Risk Management 44

CVSS 45

OCTAVE 46

Conclusion 47

Further Reading 47

HANDLING E-COMMERCE PAYMENTS

Objectives 49

Compliance and Laws 49

PCI Compliance 49

Handling Credit Cards 50

Further Reading 53

PHISHING

What is phishing? 55

User Education 56

Make it easy for your users to report scams 57

Communicating with customers via e-mail 57

Never ask your customers for their secrets 58

Fix all your XSS issues 58

Do not use pop-ups 59

Don’t be framed 59

Move your application one link away from your front page 59

Enforce local referrers for images and other resources 59

Keep the address bar, use SSL, do not use IP addresses 60

Don’t be the source of identity theft 60

Implement safe-guards within your application 61

Monitor unusual account activity 61

Get the phishing target servers offline pronto 62

Take control of the fraudulent domain name 62

Work with law enforcement 63

When an attack happens 63

Further Reading 63