
Guide:Frontispiece

From OWASP
Revision as of 11:34, 18 May 2006 by Weilin Zhong (talk | contribs)


A Guide to Building Secure Web Applications and Web Services

2.1 (DRAFT 3) February 2006


Frontispiece

Dedication

To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible.

Andrew van der Stock

Copyright and license

© 2001 – 2006 OWASP Foundation. The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix.

PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.

Editors

The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. Guide 2.x series editors:

Andrew van der Stock
Adrian Wiesmann


Authors and Reviewers

The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:


Abraham Kang
Adrian Wiesmann
Amit Klein
Andrew van der Stock
Brian Greidanus
Christopher Todd
Darrel Grundy
Daniel Cornell
David Endler
Denis Pilipchuk
Dennis Groves
Derek Browne
Eoin Keary
Erik Lee
Ernesto Arroyo
Frank Lemmon
Gene McKenna
Hal Lockhart
Izhar By-Gad
Jeremy Poteet
José Pedro Arroyo
K.K. Mookhey
Kevin McLaughlin
Martin Eizner
Michael Howard
Michael Scovetta
Mikael Simonsson
Neal Krawetz
Nigel Tranter
Raoul Endres
Ray Stirbei
Richard Parke
Robert Hansen
Roy McNamara
Steve Taylor
Sverre Huseby
Tim Smith
William Hau


Revision History

Date | Version | Pages | Notes
July 26, 2005 | 2.0 Blackhat Edition | 280 pages | Andrew van der Stock, Guide Lead
July 27, 2005 | 2.0.1 Blackhat Edition++ | 293 pages | Cryptography chapter review from Michael Howard incorporated
September 12, 2005 | 2.1 DRAFT 1 | X pages | Changes from many sources; new SQA chapter from Frank Lemmon
January 2006 | 2.1 DRAFT 2 | X pages | Changes from Bill Pollock; new chapters from Erick Lee; new revisions from Dan Cornell
February 2006 | 2.1 DRAFT 3 | X pages | Ajax chapter; many chapters back from reviewers



Table of Contents

1 ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT 13
  1.1 STRUCTURE AND LICENSING 13
  1.2 PARTICIPATION AND MEMBERSHIP 13
  1.3 PROJECTS 14
2 INTRODUCTION 15
  2.1 DEVELOPING SECURE APPLICATIONS 15
  2.2 IMPROVEMENTS IN THIS EDITION 15
  2.3 HOW TO USE THIS GUIDE 16
  2.4 UPDATES AND ERRATA 16
  2.5 WITH THANKS 16
3 WHAT ARE WEB APPLICATIONS? 17
  3.1 TECHNOLOGIES 18
  3.2 FIRST GENERATION – CGI 18
  3.3 FILTERS 18
  3.4 SCRIPTING 19
  3.5 WEB APPLICATION FRAMEWORKS – J2EE AND ASP.NET 20
  3.6 SMALL TO MEDIUM SCALE APPLICATIONS 21
  3.7 LARGE SCALE APPLICATIONS 22
  3.8 VIEW 22
  3.9 CONTROLLER 22
  3.10 MODEL 23
  3.11 CONCLUSION 24
4 POLICY FRAMEWORKS 25
  4.1 ORGANIZATIONAL COMMITMENT TO SECURITY 25
  4.2 OWASP’S PLACE AT THE FRAMEWORK TABLE 26
  4.3 DEVELOPMENT METHODOLOGY 28
  4.4 CODING STANDARDS 29
  4.5 SOURCE CODE CONTROL 29
  4.6 SUMMARY 30
5 SECURE CODING PRINCIPLES 31
  5.1 ASSET CLASSIFICATION 31
  5.2 ABOUT ATTACKERS 31
  5.3 CORE PILLARS OF INFORMATION SECURITY 32
  5.4 SECURITY ARCHITECTURE 32
  5.5 SECURITY PRINCIPLES 33
6 THREAT RISK MODELING 37
  6.1 THREAT RISK MODELING 37
  6.2 PERFORMING THREAT RISK MODELING USING THE MICROSOFT THREAT MODELING PROCESS 37
  6.3 ALTERNATIVE THREAT MODELING SYSTEMS 44
  6.4 TRIKE 44
  6.5 AS/NZS 4360:2004 RISK MANAGEMENT 44
  6.6 CVSS 45
  6.7 OCTAVE 46
  6.8 CONCLUSION 47
  6.9 FURTHER READING 47
7 HANDLING E-COMMERCE PAYMENTS 49
  7.1 OBJECTIVES 49
  7.2 COMPLIANCE AND LAWS 49
  7.3 PCI COMPLIANCE 49
  7.4 HANDLING CREDIT CARDS 50
  7.5 FURTHER READING 53
8 PHISHING 55
  8.1 WHAT IS PHISHING? 55
  8.2 USER EDUCATION 56
  8.3 MAKE IT EASY FOR YOUR USERS TO REPORT SCAMS 57
  8.4 COMMUNICATING WITH CUSTOMERS VIA E-MAIL 57
  8.5 NEVER ASK YOUR CUSTOMERS FOR THEIR SECRETS 58
  8.6 FIX ALL YOUR XSS ISSUES 58
  8.7 DO NOT USE POP-UPS 59
  8.8 DON’T BE FRAMED 59
  8.9 MOVE YOUR APPLICATION ONE LINK AWAY FROM YOUR FRONT PAGE 59
  8.10 ENFORCE LOCAL REFERRERS FOR IMAGES AND OTHER RESOURCES 59
  8.11 KEEP THE ADDRESS BAR, USE SSL, DO NOT USE IP ADDRESSES 60
  8.12 DON’T BE THE SOURCE OF IDENTITY THEFT 60
  8.13 IMPLEMENT SAFE-GUARDS WITHIN YOUR APPLICATION 61
  8.14 MONITOR UNUSUAL ACCOUNT ACTIVITY 61
  8.15 GET THE PHISHING TARGET SERVERS OFFLINE PRONTO 62
  8.16 TAKE CONTROL OF THE FRAUDULENT DOMAIN NAME 62
  8.17 WORK WITH LAW ENFORCEMENT 63
  8.18 WHEN AN ATTACK HAPPENS 63
  8.19 FURTHER READING 63
9 WEB SERVICES 64
  SECURING WEB SERVICES 64
  COMMUNICATION SECURITY 65
  PASSING CREDENTIALS 65
  ENSURING MESSAGE FRESHNESS 66
  PROTECTING MESSAGE INTEGRITY 66
  PROTECTING MESSAGE CONFIDENTIALITY 67
  ACCESS CONTROL 67
  AUDIT 68
  WEB SERVICES SECURITY HIERARCHY 68
  SOAP 69
  WS-SECURITY STANDARD 70
  WS-SECURITY BUILDING BLOCKS 72
  COMMUNICATION PROTECTION MECHANISMS 78
  ACCESS CONTROL MECHANISMS 80
  FORMING WEB SERVICE CHAINS 82
  AVAILABLE IMPLEMENTATIONS 83
  PROBLEMS 85
  FURTHER READING 87
10 AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5
  10.1 OBJECTIVE 5
  10.2 PLATFORMS AFFECTED 5
  10.3 ARCHITECTURE 5
  10.4 ACCESS CONTROL: AUTHENTICATION AND AUTHORIZATION 5
  10.5 SILENT TRANSACTIONAL AUTHORIZATION 5
  10.6 UNTRUSTED OR ABSENT SESSION DATA 5
  10.7 STATE MANAGEMENT 5
  10.8 TAMPER RESISTANCE 5
  10.9 PRIVACY 5
  10.10 PROXY FAÇADE 5
  10.11 SOAP INJECTION ATTACKS 5
  10.12 XMLRPC INJECTION ATTACKS 5
  10.13 DOM INJECTION ATTACKS 5
  10.14 XML INJECTION ATTACKS 5
  10.15 JSON (JAVASCRIPT OBJECT NOTATION) INJECTION ATTACKS 5
  10.16 ENCODING SAFETY 5
  10.17 AUDITING 5
  10.18 ERROR HANDLING 5
  10.19 ACCESSIBILITY 5
  10.20 FURTHER READING 5
11 AUTHENTICATION 108
  11.1 OBJECTIVE 108
  11.2 ENVIRONMENTS AFFECTED 108
  11.3 RELEVANT COBIT TOPICS 108
  11.4 BEST PRACTICES 108
  11.5 COMMON WEB AUTHENTICATION TECHNIQUES 109
  11.6 STRONG AUTHENTICATION 111
  11.7 FEDERATED AUTHENTICATION 115
  11.8 CLIENT SIDE AUTHENTICATION CONTROLS 117
  11.9 POSITIVE AUTHENTICATION 118
  11.10 MULTIPLE KEY LOOKUPS 120
  11.11 REFERER CHECKS 122
  11.12 BROWSER REMEMBERS PASSWORDS 123
  11.13 DEFAULT ACCOUNTS 124
  11.14 CHOICE OF USERNAMES 125
  11.15 CHANGE PASSWORDS 126
  11.16 SHORT PASSWORDS 126
  11.17 WEAK PASSWORD CONTROLS 127
  11.18 REVERSIBLE PASSWORD ENCRYPTION 128
  11.19 AUTOMATED PASSWORD RESETS 128
  11.20 BRUTE FORCE 130
  11.21 REMEMBER ME 131
  11.22 IDLE TIMEOUTS 132
  11.23 LOGOUT 132
  11.24 ACCOUNT EXPIRY 133
  11.25 SELF REGISTRATION 134
  11.26 CAPTCHA 134
  11.27 FURTHER READING 135
  11.28 AUTHENTICATION 136
12 AUTHORIZATION 148
  12.1 OBJECTIVES 148
  12.2 ENVIRONMENTS AFFECTED 148
  12.3 RELEVANT COBIT TOPICS 148
  12.4 BEST PRACTICES 148
  12.5 BEST PRACTICES IN ACTION 149
  12.6 PRINCIPLE OF LEAST PRIVILEGE 150
  12.7 CENTRALIZED AUTHORIZATION ROUTINES 152
  12.8 AUTHORIZATION MATRIX 152
  12.9 CONTROLLING ACCESS TO PROTECTED RESOURCES 153
  12.10 PROTECTING ACCESS TO STATIC RESOURCES 153
  12.11 REAUTHORIZATION FOR HIGH VALUE ACTIVITIES OR AFTER IDLE OUT 154
  12.12 TIME BASED AUTHORIZATION 154
  12.13 BE CAUTIOUS OF CUSTOM AUTHORIZATION CONTROLS 154
  12.14 NEVER IMPLEMENT CLIENT-SIDE AUTHORIZATION TOKENS 155
  12.15 FURTHER READING 156
13 SESSION MANAGEMENT 157
  13.1 OBJECTIVE 157
  13.2 ENVIRONMENTS AFFECTED 157
  13.3 RELEVANT COBIT TOPICS 157
  13.4 DESCRIPTION 157
  13.5 BEST PRACTICES 158
  13.6 EXPOSED SESSION VARIABLES 159
  13.7 PAGE AND FORM TOKENS 159
  13.8 WEAK SESSION CRYPTOGRAPHIC ALGORITHMS 160
  13.9 SESSION TOKEN ENTROPY 161
  13.10 SESSION TIME-OUT 161
  13.11 REGENERATION OF SESSION TOKENS 162
  13.12 SESSION FORGING/BRUTE-FORCING DETECTION AND/OR LOCKOUT 163
  13.13 SESSION TOKEN CAPTURE AND SESSION HIJACKING 163
  13.14 SESSION TOKENS ON LOGOUT 165
  13.15 SESSION VALIDATION ATTACKS 165
  13.16 PHP 166
  13.17 SESSIONS 166
  13.18 FURTHER READING 167
  13.19 SESSION MANAGEMENT 168
14 DATA VALIDATION 173
  14.1 OBJECTIVE 173
  14.2 PLATFORMS AFFECTED 173
  14.3 RELEVANT COBIT TOPICS 173
  14.4 DESCRIPTION 173
  14.5 DEFINITIONS 173
  14.6 WHERE TO INCLUDE INTEGRITY CHECKS 174
  14.7 WHERE TO INCLUDE VALIDATION 174
  14.8 WHERE TO INCLUDE BUSINESS RULE VALIDATION 174
  14.9 DATA VALIDATION STRATEGIES 175
  14.10 PREVENT PARAMETER TAMPERING 177
  14.11 HIDDEN FIELDS 178
  14.12 ASP.NET VIEWSTATE 179
  14.13 URL ENCODING 182
  14.14 HTML ENCODING 182
  14.15 ENCODED STRINGS 183
  14.16 DATA VALIDATION AND INTERPRETER INJECTION 183
  14.17 186
  14.18 DELIMITER AND SPECIAL CHARACTERS 186
  14.19 FURTHER READING 187
15 INTERPRETER INJECTION 188
  15.1 OBJECTIVE 188
  15.2 PLATFORMS AFFECTED 188
  15.3 RELEVANT COBIT TOPICS 188
  15.4 USER AGENT INJECTION 188
  15.5 HTTP RESPONSE SPLITTING 192
  15.6 SQL INJECTION 193
  15.7 ORM INJECTION 193
  15.8 LDAP INJECTION 194
  15.9 XML INJECTION 196
  15.10 CODE INJECTION 196
  15.11 FURTHER READING 197
  15.12 SQL-INJECTION 199
  15.13 CODE INJECTION 202
  15.14 COMMAND INJECTION 202
16 CANONICALIZATION, LOCALE AND UNICODE 203
  16.1 OBJECTIVE 203
  16.2 PLATFORMS AFFECTED 203
  16.3 RELEVANT COBIT TOPICS 203
  16.4 DESCRIPTION 203
  16.5 UNICODE 204
  16.6 HTTP://WWW.IETF.ORG/RFC/RFC2279.TXT?NUMBER=2279 206
  16.7 INPUT FORMATS 206
  16.8 LOCALE ASSERTION 207
  16.9 DOUBLE (OR N-) ENCODING 207
  16.10 HTTP REQUEST SMUGGLING 208
  16.11 FURTHER READING 208
17 ERROR HANDLING, AUDITING AND LOGGING 210
  17.1 OBJECTIVE 210
  17.2 ENVIRONMENTS AFFECTED 210
  17.3 RELEVANT COBIT TOPICS 210
  17.4 DESCRIPTION 210
  17.5 BEST PRACTICES 211
  17.6 ERROR HANDLING 211
  17.7 DETAILED ERROR MESSAGES 212
  17.8 LOGGING 213
  17.9 NOISE 216
  17.10 COVER TRACKS 216
  17.11 FALSE ALARMS 217
  17.12 DESTRUCTION 218
  17.13 AUDIT TRAILS 218
  17.14 FURTHER READING 219
  17.15 ERROR HANDLING AND LOGGING 219
18 FILE SYSTEM 226
  18.1 OBJECTIVE 226
  18.2 ENVIRONMENTS AFFECTED 226
  18.3 RELEVANT COBIT TOPICS 226
  18.4 DESCRIPTION 226
  18.5 BEST PRACTICES 226
  18.6 DEFACEMENT 226
  18.7 PATH TRAVERSAL 227
  18.8 INSECURE PERMISSIONS 228
  18.9 INSECURE INDEXING 228
  18.10 UNMAPPED FILES 229
  18.11 TEMPORARY FILES 229
  18.12 PHP 230
  18.13 INCLUDES AND REMOTE FILES 230
  18.14 FILE UPLOAD 232
  18.15 OLD, UNREFERENCED FILES 234
  18.16 SECOND ORDER INJECTION 234
  18.17 FURTHER READING 235
  18.18 FILE SYSTEM 235
19 DISTRIBUTED COMPUTING 237
  19.1 OBJECTIVE 237
  19.2 ENVIRONMENTS AFFECTED 237
  19.3 RELEVANT COBIT TOPICS 237
  19.4 BEST PRACTICES 237
  19.5 RACE CONDITIONS 237
  19.6 DISTRIBUTED SYNCHRONIZATION 237
  19.7 FURTHER READING 238
20 BUFFER OVERFLOWS 239
  20.1 OBJECTIVE 239
  20.2 PLATFORMS AFFECTED 239
  20.3 RELEVANT COBIT TOPICS 239
  20.4 DESCRIPTION 239
  20.5 GENERAL PREVENTION TECHNIQUES 240
  20.6 STACK OVERFLOW 241
  20.7 HEAP OVERFLOW 242
  20.8 FORMAT STRING 243
  20.9 UNICODE OVERFLOW 245
  20.10 INTEGER OVERFLOW 246
  20.11 FURTHER READING 247
21 ADMINISTRATIVE INTERFACES 249
  21.1 OBJECTIVE 249
  21.2 ENVIRONMENTS AFFECTED 249
  21.3 RELEVANT COBIT TOPICS 249
  21.4 BEST PRACTICES 249
  21.5 ADMINISTRATORS ARE NOT USERS 250
  21.6 AUTHENTICATION FOR HIGH VALUE SYSTEMS 250
  21.7 FURTHER READING 251
22 CRYPTOGRAPHY 252
  22.1 OBJECTIVE 252
  22.2 PLATFORMS AFFECTED 252
  22.3 RELEVANT COBIT TOPICS 252
  22.4 DESCRIPTION 252
  22.5 CRYPTOGRAPHIC FUNCTIONS 253
  22.6 CRYPTOGRAPHIC ALGORITHMS 253
  22.7 ALGORITHM SELECTION 255
  22.8 KEY STORAGE 256
  22.9 INSECURE TRANSMISSION OF SECRETS 258
  22.10 REVERSIBLE AUTHENTICATION TOKENS 259
  22.11 SAFE UUID GENERATION 260
  22.12 SUMMARY 260
  22.13 FURTHER READING 261
  22.14 CRYPTOGRAPHY 261
23 CONFIGURATION 266
  23.1 OBJECTIVE 266
  23.2 PLATFORMS AFFECTED 266
  23.3 RELEVANT COBIT TOPICS 266
  23.4 BEST PRACTICES 266
  23.5 DEFAULT PASSWORDS 266
  23.6 SECURE CONNECTION STRINGS 267
  23.7 SECURE NETWORK TRANSMISSION 267
  23.8 ENCRYPTED DATA 268
  23.9 PHP CONFIGURATION 268
  23.10 GLOBAL VARIABLES 268
  23.11 REGISTER_GLOBALS 269
  23.12 DATABASE SECURITY 272
  23.13 FURTHER READING 273
  23.14 COLDFUSION COMPONENTS (CFCS) 273
  23.15 CONFIGURATION 274
24 SOFTWARE QUALITY ASSURANCE 281
  24.1 OBJECTIVE 281
  24.2 PLATFORMS AFFECTED 281
  24.3 BEST PRACTICES 281
  24.4 PROCESS 283
  24.5 METRICS 283
  24.6 TESTING ACTIVITIES 284
25 DEPLOYMENT 286
  25.1 OBJECTIVE 286
  25.2 PLATFORMS AFFECTED 286
  25.3 BEST PRACTICES 286
  25.4 RELEASE MANAGEMENT 287
  25.5 SECURE DELIVERY OF CODE 287
  25.6 CODE SIGNING 288
  25.7 PERMISSIONS ARE SET TO LEAST PRIVILEGE 288
  25.8 AUTOMATED PACKAGING 288
  25.9 AUTOMATED DEPLOYMENT 289
  25.10 AUTOMATED REMOVAL 289
  25.11 NO BACKUP OR OLD FILES 289
  25.12 UNNECESSARY FEATURES ARE OFF BY DEFAULT 289
  25.13 SETUP LOG FILES ARE CLEAN 289
  25.14 NO DEFAULT ACCOUNTS 290
  25.15 EASTER EGGS 290
  25.16 MALICIOUS SOFTWARE 291
  25.17 FURTHER READING 292
26 MAINTENANCE 294
  26.1 OBJECTIVE 294
  26.2 PLATFORMS AFFECTED 294
  26.3 RELEVANT COBIT TOPICS 294
  26.4 BEST PRACTICES 294
  26.5 SECURITY INCIDENT RESPONSE 295
  26.6 FIX SECURITY ISSUES CORRECTLY 295
  26.7 UPDATE NOTIFICATIONS 296
  26.8 REGULARLY CHECK PERMISSIONS 296
  26.9 FURTHER READING 297
  26.10 297
  26.11 MAINTENANCE 297
27 GNU FREE DOCUMENTATION LICENSE 301
  27.1 PREAMBLE 301
  27.2 APPLICABILITY AND DEFINITIONS 301
  27.3 VERBATIM COPYING 302
  27.4 COPYING IN QUANTITY 303
  27.5 MODIFICATIONS 303
  27.6 COMBINING DOCUMENTS 305
  27.7 COLLECTIONS OF DOCUMENTS 305
  27.8 AGGREGATION WITH INDEPENDENT WORKS 306
  27.9 TRANSLATION 306
  27.10 TERMINATION 306
  27.11 FUTURE REVISIONS OF THIS LICENSE 306