Difference between revisions of "Guide:Frontispiece"
Both revisions by Weilin Zhong (talk | contribs)
Line 1: | Line 1: | ||
− | A Guide to Building Secure Web Applications and Web Services | + | A Guide to Building Secure Web Applications and |
+ | Web Services | ||
− | 2.1 (DRAFT 3) | + | 2.1 (DRAFT 3) |
February 2006 | February 2006 | ||
+ | |||
+ | |||
OWASP Foundation | OWASP Foundation | ||
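Review bot: the title "A Guide to Building Secure Web Applications and Web Services" is now hard-wrapped across two wiki lines ("...Web Applications and" / "Web Services"), and two empty lines are inserted before "OWASP Foundation"; if a line break in the rendered title is intended, keep the title on one source line with explicit break markup, and drop the added blank lines unless they are deliberate spacing.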
Line 99: | Line 102: | ||
=Table of Contents = | =Table of Contents = | ||
− | + | ==ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT== | |
− | === | + | ===Structure and Licensing 13 === |
− | === | + | ===Participation and Membership 13 === |
− | === | + | ===Projects 14 === |
− | + | ==INTRODUCTION == | |
− | === | + | ===Developing Secure Applications 15 === |
− | === | + | ===Improvements in this edition 15 === |
− | === | + | ===How to use this Guide 16 === |
− | === | + | ===Updates and errata 16 === |
− | === | + | ===With thanks 16 === |
− | + | ==WHAT ARE WEB APPLICATIONS? == | |
− | === | + | ===Technologies 18 === |
− | === | + | ===First generation – CGI 18 === |
− | === | + | ===Filters 18 === |
− | === | + | ===Scripting 19 === |
− | === | + | ===Web application frameworks – J2EE and ASP.NET 20 === |
− | === | + | ===Small to medium scale applications 21 === |
− | === | + | ===Large scale applications 22 === |
− | === | + | ===View 22 === |
− | === | + | ===Controller 22 === |
− | === | + | ===Model 23 === |
− | === | + | ===Conclusion 24 === |
− | + | ==POLICY FRAMEWORKS == | |
− | === | + | ===Organizational commitment to security 25 === |
− | === | + | ===OWASP’s Place at the Framework table 26 === |
− | === | + | ===Development Methodology 28 === |
− | === | + | ===Coding Standards 29 === |
− | === | + | ===Source Code Control 29 === |
− | === | + | ===Summary 30 === |
− | + | ==SECURE CODING PRINCIPLES == | |
− | === | + | ===Asset Classification 31 === |
− | === | + | ===About attackers 31 === |
− | === | + | ===Core pillars of information security 32 === |
− | === | + | ===Security Architecture 32 === |
− | === | + | ===Security Principles 33 === |
− | + | ==THREAT RISK MODELING == | |
− | === | + | ===Threat Risk Modeling 37 === |
− | === | + | ===Performing threat risk modeling using the Microsoft Threat Modeling Process 37 === |
− | === | + | ===Alternative Threat Modeling Systems 44 === |
− | === | + | ===Trike 44 === |
− | === | + | ===AS/NZS 4360:2004 Risk Management 44 === |
− | === | + | ===CVSS 45 === |
− | === | + | ===OCTAVE 46 === |
− | === | + | ===Conclusion 47 === |
− | === | + | ===Further Reading 47 === |
− | + | ==HANDLING E-COMMERCE PAYMENTS == | |
− | === | + | ===Objectives 49 === |
− | === | + | ===Compliance and Laws 49 === |
− | === | + | ===PCI Compliance 49 === |
− | === | + | ===Handling Credit Cards 50 === |
− | === | + | ===Further Reading 53 === |
− | + | ==PHISHING == | |
− | === | + | ===What is phishing? 55 === |
− | === | + | ===User Education 56 === |
− | === | + | ===Make it easy for your users to report scams 57 === |
− | === | + | ===Communicating with customers via e-mail 57 === |
− | === | + | ===Never ask your customers for their secrets 58 === |
− | === | + | ===Fix all your XSS issues 58 === |
− | === | + | ===Do not use pop-ups 59 === |
− | === | + | ===Don’t be framed 59 === |
− | === | + | ===Move your application one link away from your front page 59 === |
− | === | + | ===Enforce local referrers for images and other resources 59 === |
− | === | + | ===Keep the address bar, use SSL, do not use IP addresses 60 === |
− | === | + | ===Don’t be the source of identity theft 60 === |
− | === | + | ===Implement safe-guards within your application 61 === |
− | === | + | ===Monitor unusual account activity 61 === |
− | === | + | ===Get the phishing target servers offline pronto 62 === |
− | === | + | ===Take control of the fraudulent domain name 62 === |
− | === | + | ===Work with law enforcement 63 === |
− | === | + | ===When an attack happens 63 === |
− | === | + | ===Further Reading 63 === |
− | + | ==WEB SERVICES == | |
===Securing Web Services 64 === | ===Securing Web Services 64 === | ||
===Communication security 65 === | ===Communication security 65 === | ||
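Review bot: every new subsection heading in this hunk carries its printed page number inside the heading markup (e.g. "===Structure and Licensing 13 ==="), so the number becomes part of the wiki heading text and of the generated contents box; consider placing page numbers outside the "===" markers or dropping them, since they only apply to the printed edition.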
Line 189: | Line 192: | ||
===Problems 85 === | ===Problems 85 === | ||
===Further Reading 87 === | ===Further Reading 87 === | ||
− | + | ==AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5''' | |
− | === | + | ===Objective 5 === |
− | === | + | ===Platforms Affected 5 === |
− | === | + | ===Architecture 5 === |
− | === | + | ===Access control: Authentication and Authorization 5 === |
− | === | + | ===Silent transactional authorization 5 === |
− | === | + | ===Untrusted or absent session data 5 === |
− | === | + | ===State management 5 === |
− | === | + | ===Tamper resistance 5 === |
− | === | + | ===Privacy 5 === |
− | === | + | ===Proxy Façade 5 === |
− | === | + | ===SOAP Injection Attacks 5 === |
− | === | + | ===XMLRPC Injection Attacks 5 === |
− | === | + | ===DOM Injection Attacks 5 === |
− | === | + | ===XML Injection Attacks 5 === |
− | === | + | ===JSON (Javascript Object Notation) Injection Attacks 5 === |
− | === | + | ===Encoding safety 5 === |
− | === | + | ===Auditing 5 === |
− | === | + | ===Error Handling 5 === |
− | === | + | ===Accessibility 5 === |
− | === | + | ===Further Reading 5 === |
− | + | ==AUTHENTICATION == | |
− | === | + | ===Objective 108 === |
− | === | + | ===Environments Affected 108 === |
− | === | + | ===Relevant COBIT Topics 108 === |
− | === | + | ===Best Practices 108 === |
− | === | + | ===Common web authentication techniques 109 === |
− | === | + | ===Strong Authentication 111 === |
− | === | + | ===Federated Authentication 115 === |
− | === | + | ===Client side authentication controls 117 === |
− | === | + | ===Positive Authentication 118 === |
− | === | + | ===Multiple Key Lookups 120 === |
− | === | + | ===Referer Checks 122 === |
− | === | + | ===Browser remembers passwords 123 === |
− | === | + | ===Default accounts 124 === |
− | === | + | ===Choice of usernames 125 === |
− | === | + | ===Change passwords 126 === |
− | === | + | ===Short passwords 126 === |
− | === | + | ===Weak password controls 127 === |
− | === | + | ===Reversible password encryption 128 === |
− | === | + | ===Automated password resets 128 === |
− | === | + | ===Brute Force 130 === |
− | === | + | ===Remember Me 131 === |
− | === | + | ===Idle Timeouts 132 === |
− | === | + | ===Logout 132 === |
− | === | + | ===Account Expiry 133 === |
− | === | + | ===Self registration 134 === |
− | === | + | ===CAPTCHA 134 === |
− | === | + | ===Further Reading 135 === |
− | === | + | ===Authentication 136 === |
− | + | ==AUTHORIZATION == | |
− | === | + | ===Objectives 148 === |
− | === | + | ===Environments Affected 148 === |
− | === | + | ===Relevant COBIT Topics 148 === |
− | === | + | ===Best Practices 148 === |
− | === | + | ===Best Practices in Action 149 === |
− | === | + | ===Principle of least privilege 150 === |
− | === | + | ===Centralized authorization routines 152 === |
− | === | + | ===Authorization matrix 152 === |
− | === | + | ===Controlling access to protected resources 153 === |
− | === | + | ===Protecting access to static resources 153 === |
− | === | + | ===Reauthorization for high value activities or after idle out 154 === |
− | === | + | ===Time based authorization 154 === |
− | === | + | ===Be cautious of custom authorization controls 154 === |
− | === | + | ===Never implement client-side authorization tokens 155 === |
− | === | + | ===Further Reading 156 === |
− | + | ==SESSION MANAGEMENT == | |
− | === | + | ===Objective 157 === |
− | === | + | ===Environments Affected 157 === |
− | === | + | ===Relevant COBIT Topics 157 === |
− | === | + | ===Description 157 === |
− | === | + | ===Best practices 158 === |
− | === | + | ===Exposed Session Variables 159 === |
− | === | + | ===Page and Form Tokens 159 === |
− | === | + | ===Weak Session Cryptographic Algorithms 160 === |
− | === | + | ===Session Token Entropy 161 === |
− | === | + | ===Session Time-out 161 === |
− | === | + | ===Regeneration of Session Tokens 162 === |
− | === | + | ===Session Forging/Brute-Forcing Detection and/or Lockout 163 === |
− | === | + | ===Session Token Capture and Session Hijacking 163 === |
− | === | + | ===Session Tokens on Logout 165 === |
− | === | + | ===Session Validation Attacks 165 === |
− | === | + | ===PHP 166 === |
− | === | + | ===Sessions 166 === |
− | === | + | ===Further Reading 167 === |
− | === | + | ===Session Management 168 === |
− | + | ==DATA VALIDATION == | |
− | === | + | ===Objective 173 === |
− | === | + | ===Platforms Affected 173 === |
− | === | + | ===Relevant COBIT Topics 173 === |
− | === | + | ===Description 173 === |
− | === | + | ===Definitions 173 === |
− | === | + | ===Where to include integrity checks 174 === |
− | === | + | ===Where to include validation 174 === |
− | === | + | ===Where to include business rule validation 174 === |
− | === | + | ===Data Validation Strategies 175 === |
− | === | + | ===Prevent parameter tampering 177 === |
− | === | + | ===Hidden fields 178 === |
− | === | + | ===ASP.NET Viewstate 179 === |
− | === | + | ===URL encoding 182 === |
− | === | + | ===HTML encoding 182 === |
− | === | + | ===Encoded strings 183 === |
− | === | + | ===Data Validation and Interpreter Injection 183 === |
− | === | + | ===Delimiter and special characters 186 === |
− | + | ===Further Reading 187 === | |
− | === | + | ==INTERPRETER INJECTION == |
− | + | ===Objective 188 === | |
− | === | + | ===Platforms Affected 188 === |
− | === | + | ===Relevant COBIT Topics 188 === |
− | === | + | ===User Agent Injection 188 === |
− | === | + | ===HTTP Response Splitting 192 === |
− | === | + | ===SQL Injection 193 === |
− | === | + | ===ORM Injection 193 === |
− | === | + | ===LDAP Injection 194 === |
− | === | + | ===XML Injection 196 === |
− | === | + | ===Code Injection 196 === |
− | === | + | ===Further Reading 197 === |
− | === | + | ===SQL-injection 199 === |
− | === | + | ===Code Injection 202 === |
− | === | + | ===Command injection 202 === |
− | === | + | ==CANONCALIZATION, LOCALE AND UNICODE == |
− | + | ===Objective 203 === | |
− | === | + | ===Platforms Affected 203 === |
− | === | + | ===Relevant COBIT Topics 203 === |
− | === | + | ===Description 203 === |
− | === | + | ===Unicode 204 === |
− | === | + | ===http://www.ietf.org/rfc/rfc2279.txt?number=2279 206 === |
− | === | + | ===Input Formats 206 === |
− | === | + | ===Locale assertion 207 === |
− | === | + | ===Double (or n-) encoding 207 === |
− | === | + | === HTTP Request Smuggling 208 === |
− | === | + | === Further Reading 208 === |
− | === | + | ==ERROR HANDLING, AUDITING AND LOGGING == |
− | + | ===Objective 210 === | |
− | === | + | ===Environments Affected 210 === |
− | === | + | ===Relevant COBIT Topics 210 === |
− | === | + | ===Description 210 === |
− | === | + | ===Best practices 211 === |
− | === | + | ===Error Handling 211 === |
− | === | + | ===Detailed error messages 212 === |
− | === | + | ===Logging 213 === |
− | === | + | ===Noise 216 === |
− | === | + | ===Cover Tracks 216 === |
− | === | + | ===False Alarms 217 === |
− | === | + | ===Destruction 218 === |
− | === | + | ===Audit Trails 218 === |
− | === | + | ===Further Reading 219 === |
− | === | + | ===Error Handling and Logging 219 === |
− | === | + | ==FILE SYSTEM == |
− | + | ===Objective 226 === | |
− | === | + | ===Environments Affected 226 === |
− | === | + | ===Relevant COBIT Topics 226 === |
− | === | + | ===Description 226 === |
− | === | + | ===Best Practices 226 === |
− | === | + | ===Defacement 226 === |
− | === | + | ===Path traversal 227 === |
− | === | + | ===Insecure permissions 228 === |
− | === | + | ===Insecure Indexing 228 === |
− | === | + | ===Unmapped files 229 === |
− | === | + | ===Temporary files 229 === |
− | === | + | ===PHP 230 === |
− | === | + | ===Includes and Remote files 230 === |
− | === | + | ===File upload 232 === |
− | === | + | ===Old, unreferenced files 234 === |
− | === | + | ===Second Order Injection 234 === |
− | === | + | ===Further Reading 235 === |
− | === | + | ===File System 235 === |
− | === | + | ==DISTRIBUTED COMPUTING == |
− | + | ===Objective 237 === | |
− | === | + | ===Environments Affected 237 === |
− | === | + | ===Relevant COBIT Topics 237 === |
− | === | + | ===Best Practices 237 === |
− | === | + | ===Race conditions 237 === |
− | === | + | ===Distributed synchronization 237 === |
− | === | + | ===Further Reading 238 === |
− | === | + | ==BUFFER OVERFLOWS == |
− | + | ===Objective 239 === | |
− | === | + | ===Platforms Affected 239 === |
− | === | + | ===Relevant COBIT Topics 239 === |
− | === | + | ===Description 239 === |
− | === | + | ===General Prevention Techniques 240 === |
− | === | + | ===Stack Overflow 241 === |
− | === | + | ===Heap Overflow 242 === |
− | === | + | ===Format String 243 === |
− | === | + | ===Unicode Overflow 245 === |
− | === | + | ===Integer Overflow 246 === |
− | === | + | ===Further reading 247 === |
− | === | + | ==ADMINISTRATIVE INTERFACES == |
− | + | ===Objective 249 === | |
− | === | + | ===Environments Affected 249 === |
− | === | + | ===Relevant COBIT Topics 249 === |
− | === | + | ===Best practices 249 === |
− | === | + | ===Administrators are not users 250 === |
− | === | + | ===Authentication for high value systems 250 === |
− | === | + | ===Further Reading 251 === |
− | === | + | ==CRYPTOGRAPHY == |
− | + | ===Objective 252 === | |
− | === | + | ===Platforms Affected 252 === |
− | === | + | ===Relevant COBIT Topics 252 === |
− | === | + | ===Description 252 === |
− | === | + | ===Cryptographic Functions 253 === |
− | === | + | ===Cryptographic Algorithms 253 === |
− | === | + | ===Algorithm Selection 255 === |
− | === | + | ===Key Storage 256 === |
− | === | + | ===Insecure transmission of secrets 258 === |
− | === | + | ===Reversible Authentication Tokens 259 === |
− | === | + | ===Safe UUID generation 260 === |
− | === | + | ===Summary 260 === |
− | === | + | ===Further Reading 261 === |
− | === | + | ===Cryptography 261 === |
− | === | + | ==CONFIGURATION == |
− | + | ===Objective 266 === | |
− | === | + | ===Platforms Affected 266 === |
− | === | + | ===Relevant COBIT Topics 266 === |
− | === | + | ===Best Practices 266 === |
− | === | + | ===Default passwords 266 === |
− | === | + | ===Secure connection strings 267 === |
− | === | + | ===Secure network transmission 267 === |
− | === | + | ===Encrypted data 268 === |
− | === | + | ===PHP Configuration 268 === |
− | === | + | ===Global variables 268 === |
− | === | + | ===register_globals 269 === |
− | === | + | ===Database security 272 === |
− | === | + | ===Further Reading 273 === |
− | === | + | ===ColdFusion Components (CFCs) 273 === |
− | === | + | ===Configuration 274 === |
− | === | + | ==SOFTWARE QUALITY ASSURANCE == |
− | + | ===Objective 281 === | |
− | === | + | ===Platforms Affected 281 === |
− | === | + | ===Best practices 281 === |
− | === | + | ===Process 283 === |
− | === | + | ===Metrics 283 === |
− | === | + | ===Testing Activities 284 === |
− | === | + | ==DEPLOYMENT == |
− | + | ===Objective 286 === | |
− | === | + | ===Platforms Affected 286 === |
− | === | + | ===Best Practices 286 === |
− | === | + | ===Release Management 287 === |
− | === | + | ===Secure delivery of code 287 === |
− | === | + | ===Code signing 288 === |
− | === | + | ===Permissions are set to least privilege 288 === |
− | === | + | ===Automated packaging 288 === |
− | === | + | ===Automated deployment 289 === |
− | === | + | ===Automated removal 289 === |
− | === | + | ===No backup or old files 289 === |
− | === | + | ===Unnecessary features are off by default 289 === |
− | === | + | ===Setup log files are clean 289 === |
− | === | + | ===No default accounts 290 === |
− | === | + | ===Easter eggs 290 === |
− | === | + | ===Malicious software 291 === |
− | === | + | ===Further Reading 292 === |
− | === | + | ==MAINTENANCE == |
− | + | ===Objective 294 === | |
− | === | + | ===Platforms Affected 294 === |
− | === | + | ===Relevant COBIT Topics 294 === |
− | === | + | ===Best Practices 294 === |
− | === | + | ===Security Incident Response 295 === |
− | === | + | ===Fix Security Issues Correctly 295 === |
− | === | + | ===Update Notifications 296 === |
− | === | + | ===Regularly check permissions 296 === |
− | === | + | ===Further Reading 297 === |
− | === | + | ===Maintenance 297 === |
− | === | + | ==GNU FREE DOCUMENTATION LICENSE == |
− | == | + | ===PREAMBLE 301 === |
− | + | ===APPLICABILITY AND DEFINITIONS 301 === | |
− | === | + | ===VERBATIM COPYING 302 === |
− | === | + | ===COPYING IN QUANTITY 303 === |
− | === | + | ===MODIFICATIONS 303 === |
− | === | + | ===COMBINING DOCUMENTS 305 === |
− | === | + | ===COLLECTIONS OF DOCUMENTS 305 === |
− | === | + | ===AGGREGATION WITH INDEPENDENT WORKS 306 === |
− | === | + | ===TRANSLATION 306 === |
− | === | + | ===TERMINATION 306 === |
− | === | + | ===FUTURE REVISIONS OF THIS LICENSE 306 === |
− | === | ||
− | === |
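Review bot: the chapter heading on the line "==AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5'''" is not closed with "==" and ends in stray bold markup ('''), so it will not render as a heading and the AJAX subsections fall under WEB SERVICES; all of its subsections also carry the placeholder page number 5. In the same hunk, "==CANONCALIZATION, LOCALE AND UNICODE ==" misspells canonicalization, and "===http://www.ietf.org/rfc/rfc2279.txt?number=2279 206 ===" uses a bare URL as a section title where a descriptive name would be expected; the two removed "===" lines at the end of the hunk look like leftover empty headings and are fine to drop.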
Revision as of 12:10, 18 May 2006
A Guide to Building Secure Web Applications and Web Services
2.1 (DRAFT 3) February 2006
OWASP Foundation
Frontispiece
Dedication
To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible. Andrew van der Stock
Copyright and license
© 2001 – 2006 OWASP Foundation. The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.
Editors
The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. Guide 2.x series editors:
Andrew van der Stock
Adrian Wiesmann
Authors and Reviewers
The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:
Abraham Kang
Adrian Wiesmann
Amit Klein
Andrew van der Stock
Brian Greidanus
Christopher Todd
Darrel Grundy
Daniel Cornell
David Endler
Denis Pilipchuk
Dennis Groves
Derek Browne
Eoin Keary
Erik Lee
Ernesto Arroyo
Frank Lemmon
Gene McKenna
Hal Lockhart
Izhar By-Gad
Jeremy Poteet
José Pedro Arroyo
K.K. Mookhey
Kevin McLaughlin
Martin Eizner
Michael Howard
Michael Scovetta
Mikael Simonsson
Neal Krawetz
Nigel Tranter
Raoul Endres
Ray Stirbei
Richard Parke
Robert Hansen
Roy McNamara
Steve Taylor
Sverre Huseby
Tim Smith
William Hau
Revision History
Date | Version | Pages | Notes
July 26, 2005 | 2.0 Blackhat Edition | 280 pages | Andrew van der Stock, Guide Lead
July 27, 2005 | 2.0.1 Blackhat Edition++ | 293 pages | Cryptography chapter review from Michael Howard incorporated
September 12, 2005 | 2.1 DRAFT 1 | X pages | Changes from many sources; new SQA chapter from Frank Lemmon
January 2006 | 2.1 DRAFT 2 | X pages | Changes from Bill Pollock; new chapters from Erick Lee; new revisions from Dan Cornell
February 2006 | 2.1 DRAFT 3 | X pages | Ajax chapter; many chapters back from reviewers
Table of Contents
ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT
Structure and Licensing 13
Participation and Membership 13
Projects 14
INTRODUCTION
Developing Secure Applications 15
Improvements in this edition 15
How to use this Guide 16
Updates and errata 16
With thanks 16
WHAT ARE WEB APPLICATIONS?
Technologies 18
First generation – CGI 18
Filters 18
Scripting 19
Web application frameworks – J2EE and ASP.NET 20
Small to medium scale applications 21
Large scale applications 22
View 22
Controller 22
Model 23
Conclusion 24
POLICY FRAMEWORKS
Organizational commitment to security 25
OWASP’s Place at the Framework table 26
Development Methodology 28
Coding Standards 29
Source Code Control 29
Summary 30
SECURE CODING PRINCIPLES
Asset Classification 31
About attackers 31
Core pillars of information security 32
Security Architecture 32
Security Principles 33
THREAT RISK MODELING
Threat Risk Modeling 37
Performing threat risk modeling using the Microsoft Threat Modeling Process 37
Alternative Threat Modeling Systems 44
Trike 44
AS/NZS 4360:2004 Risk Management 44
CVSS 45
OCTAVE 46
Conclusion 47
Further Reading 47
HANDLING E-COMMERCE PAYMENTS
Objectives 49
Compliance and Laws 49
PCI Compliance 49
Handling Credit Cards 50
Further Reading 53
PHISHING
What is phishing? 55
User Education 56
Make it easy for your users to report scams 57
Communicating with customers via e-mail 57
Never ask your customers for their secrets 58
Fix all your XSS issues 58
Do not use pop-ups 59
Don’t be framed 59
Move your application one link away from your front page 59
Enforce local referrers for images and other resources 59
Keep the address bar, use SSL, do not use IP addresses 60
Don’t be the source of identity theft 60
Implement safe-guards within your application 61
Monitor unusual account activity 61
Get the phishing target servers offline pronto 62
Take control of the fraudulent domain name 62
Work with law enforcement 63
When an attack happens 63
Further Reading 63
WEB SERVICES
Securing Web Services 64
Communication security 65
Passing credentials 65
Ensuring message freshness 66
Protecting message integrity 66
Protecting message confidentiality 67
Access control 67
Audit 68
Web Services Security Hierarchy 68
SOAP 69
WS-Security Standard 70
WS-Security Building Blocks 72
Communication Protection Mechanisms 78
Access Control Mechanisms 80
Forming Web Service Chains 82
Available Implementations 83
Problems 85
Further Reading 87
AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5