
Guide:Frontispiece

From OWASP
Revision as of 12:10, 18 May 2006 by Weilin Zhong


A Guide to Building Secure Web Applications and Web Services

2.1 (DRAFT 3) February 2006


OWASP Foundation

Frontispiece

Dedication

To my fellow procrastinators and TiVo addicts, this book proves that given enough “tomorrows,” anything is possible. Andrew van der Stock

Copyright and license

© 2001 – 2006 OWASP Foundation. The Guide is licensed under the Free Documentation License, a copy of which is found in the Appendix. PERMISSION IS GRANTED TO COPY, DISTRIBUTE, AND/OR MODIFY THIS DOCUMENT PROVIDED THIS COPYRIGHT NOTICE AND ATTRIBUTION TO OWASP IS RETAINED.

Editors

The Guide has had several editors over various editions, all of whom have contributed immensely as authors, project managers, and editors over the lengthy period of the Guide’s gestation. Guide 2.x series editors:

Andrew van der Stock
Adrian Wiesmann

Authors and Reviewers

The Guide would not be where it is today without the generous gift of volunteer time and effort from many individuals. The following people helped develop Guide 2.x:


Abraham Kang, Adrian Wiesmann, Amit Klein, Andrew van der Stock, Brian Greidanus, Christopher Todd, Darrel Grundy, Daniel Cornell, David Endler, Denis Pilipchuk, Dennis Groves, Derek Browne, Eoin Keary, Erik Lee, Ernesto Arroyo, Frank Lemmon, Gene McKenna, Hal Lockhart, Izhar By-Gad, Jeremy Poteet, José Pedro Arroyo, K.K. Mookhey, Kevin McLaughlin, Martin Eizner, Michael Howard, Michael Scovetta, Mikael Simonsson, Neal Krawetz, Nigel Tranter, Raoul Endres, Ray Stirbei, Richard Parke, Robert Hansen, Roy McNamara, Steve Taylor, Sverre Huseby, Tim Smith, William Hau

Revision History

Date | Version | Pages | Notes
July 26, 2005 | 2.0 Blackhat Edition | 280 pages | Andrew van der Stock, Guide Lead
July 27, 2005 | 2.0.1 Blackhat Edition++ | 293 pages | Cryptography chapter review from Michael Howard incorporated
September 12, 2005 | 2.1 DRAFT 1 | X pages | Changes from many sources; new SQA chapter from Frank Lemmon
January 2006 | 2.1 DRAFT 2 | X pages | Changes from Bill Pollock; new chapters from Erick Lee; new revisions from Dan Cornell
February 2006 | 2.1 DRAFT 3 | X pages | Ajax chapter; many chapters back from reviewers



Table of Contents

ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT

Structure and Licensing 13

Participation and Membership 13

Projects 14

INTRODUCTION

Developing Secure Applications 15

Improvements in this edition 15

How to use this Guide 16

Updates and errata 16

With thanks 16

WHAT ARE WEB APPLICATIONS?

Technologies 18

First generation – CGI 18

Filters 18

Scripting 19

Web application frameworks – J2EE and ASP.NET 20

Small to medium scale applications 21

Large scale applications 22

View 22

Controller 22

Model 23

Conclusion 24

POLICY FRAMEWORKS

Organizational commitment to security 25

OWASP’s Place at the Framework table 26

Development Methodology 28

Coding Standards 29

Source Code Control 29

Summary 30

SECURE CODING PRINCIPLES

Asset Classification 31

About attackers 31

Core pillars of information security 32

Security Architecture 32

Security Principles 33

THREAT RISK MODELING

Threat Risk Modeling 37

Performing threat risk modeling using the Microsoft Threat Modeling Process 37

Alternative Threat Modeling Systems 44

Trike 44

AS/NZS 4360:2004 Risk Management 44

CVSS 45

OCTAVE 46

Conclusion 47

Further Reading 47

HANDLING E-COMMERCE PAYMENTS

Objectives 49

Compliance and Laws 49

PCI Compliance 49

Handling Credit Cards 50

Further Reading 53

PHISHING

What is phishing? 55

User Education 56

Make it easy for your users to report scams 57

Communicating with customers via e-mail 57

Never ask your customers for their secrets 58

Fix all your XSS issues 58

Do not use pop-ups 59

Don’t be framed 59

Move your application one link away from your front page 59

Enforce local referrers for images and other resources 59

Keep the address bar, use SSL, do not use IP addresses 60

Don’t be the source of identity theft 60

Implement safe-guards within your application 61

Monitor unusual account activity 61

Get the phishing target servers offline pronto 62

Take control of the fraudulent domain name 62

Work with law enforcement 63

When an attack happens 63

Further Reading 63

WEB SERVICES

Securing Web Services 64

Communication security 65

Passing credentials 65

Ensuring message freshness 66

Protecting message integrity 66

Protecting message confidentiality 67

Access control 67

Audit 68

Web Services Security Hierarchy 68

SOAP 69

WS-Security Standard 70

WS-Security Building Blocks 72

Communication Protection Mechanisms 78

Access Control Mechanisms 80

Forming Web Service Chains 82

Available Implementations 83

Problems 85

Further Reading 87

AJAX AND OTHER “RICH” INTERFACE TECHNOLOGIES 5

Objective 5

Platforms Affected 5

Architecture 5

Access control: Authentication and Authorization 5

Silent transactional authorization 5

Untrusted or absent session data 5

State management 5

Tamper resistance 5

Privacy 5

Proxy Façade 5

SOAP Injection Attacks 5

XMLRPC Injection Attacks 5

DOM Injection Attacks 5

XML Injection Attacks 5

JSON (Javascript Object Notation) Injection Attacks 5

Encoding safety 5

Auditing 5

Error Handling 5

Accessibility 5

Further Reading 5

AUTHENTICATION

Objective 108

Environments Affected 108

Relevant COBIT Topics 108

Best Practices 108

Common web authentication techniques 109

Strong Authentication 111

Federated Authentication 115

Client side authentication controls 117

Positive Authentication 118

Multiple Key Lookups 120

Referer Checks 122

Browser remembers passwords 123

Default accounts 124

Choice of usernames 125

Change passwords 126

Short passwords 126

Weak password controls 127

Reversible password encryption 128

Automated password resets 128

Brute Force 130

Remember Me 131

Idle Timeouts 132

Logout 132

Account Expiry 133

Self registration 134

CAPTCHA 134

Further Reading 135

Authentication 136

AUTHORIZATION

Objectives 148

Environments Affected 148

Relevant COBIT Topics 148

Best Practices 148

Best Practices in Action 149

Principle of least privilege 150

Centralized authorization routines 152

Authorization matrix 152

Controlling access to protected resources 153

Protecting access to static resources 153

Reauthorization for high value activities or after idle out 154

Time based authorization 154

Be cautious of custom authorization controls 154

Never implement client-side authorization tokens 155

Further Reading 156

SESSION MANAGEMENT

Objective 157

Environments Affected 157

Relevant COBIT Topics 157

Description 157

Best practices 158

Exposed Session Variables 159

Page and Form Tokens 159

Weak Session Cryptographic Algorithms 160

Session Token Entropy 161

Session Time-out 161

Regeneration of Session Tokens 162

Session Forging/Brute-Forcing Detection and/or Lockout 163

Session Token Capture and Session Hijacking 163

Session Tokens on Logout 165

Session Validation Attacks 165

PHP 166

Sessions 166

Further Reading 167

Session Management 168

DATA VALIDATION

Objective 173

Platforms Affected 173

Relevant COBIT Topics 173

Description 173

Definitions 173

Where to include integrity checks 174

Where to include validation 174

Where to include business rule validation 174

Data Validation Strategies 175

Prevent parameter tampering 177

Hidden fields 178

ASP.NET Viewstate 179

URL encoding 182

HTML encoding 182

Encoded strings 183

Data Validation and Interpreter Injection 183

Delimiter and special characters 186

Further Reading 187

INTERPRETER INJECTION

Objective 188

Platforms Affected 188

Relevant COBIT Topics 188

User Agent Injection 188

HTTP Response Splitting 192

SQL Injection 193

ORM Injection 193

LDAP Injection 194

XML Injection 196

Code Injection 196

Further Reading 197

SQL-injection 199

Code Injection 202

Command injection 202

CANONICALIZATION, LOCALE AND UNICODE

Objective 203

Platforms Affected 203

Relevant COBIT Topics 203

Description 203

Unicode 204

http://www.ietf.org/rfc/rfc2279.txt?number=2279 206

Input Formats 206

Locale assertion 207

Double (or n-) encoding 207

HTTP Request Smuggling 208

Further Reading 208

ERROR HANDLING, AUDITING AND LOGGING

Objective 210

Environments Affected 210

Relevant COBIT Topics 210

Description 210

Best practices 211

Error Handling 211

Detailed error messages 212

Logging 213

Noise 216

Cover Tracks 216

False Alarms 217

Destruction 218

Audit Trails 218

Further Reading 219

Error Handling and Logging 219

FILE SYSTEM

Objective 226

Environments Affected 226

Relevant COBIT Topics 226

Description 226

Best Practices 226

Defacement 226

Path traversal 227

Insecure permissions 228

Insecure Indexing 228

Unmapped files 229

Temporary files 229

PHP 230

Includes and Remote files 230

File upload 232

Old, unreferenced files 234

Second Order Injection 234

Further Reading 235

File System 235

DISTRIBUTED COMPUTING

Objective 237

Environments Affected 237

Relevant COBIT Topics 237

Best Practices 237

Race conditions 237

Distributed synchronization 237

Further Reading 238

BUFFER OVERFLOWS

Objective 239

Platforms Affected 239

Relevant COBIT Topics 239

Description 239

General Prevention Techniques 240

Stack Overflow 241

Heap Overflow 242

Format String 243

Unicode Overflow 245

Integer Overflow 246

Further reading 247

ADMINISTRATIVE INTERFACES

Objective 249

Environments Affected 249

Relevant COBIT Topics 249

Best practices 249

Administrators are not users 250

Authentication for high value systems 250

Further Reading 251

CRYPTOGRAPHY

Objective 252

Platforms Affected 252

Relevant COBIT Topics 252

Description 252

Cryptographic Functions 253

Cryptographic Algorithms 253

Algorithm Selection 255

Key Storage 256

Insecure transmission of secrets 258

Reversible Authentication Tokens 259

Safe UUID generation 260

Summary 260

Further Reading 261

Cryptography 261

CONFIGURATION

Objective 266

Platforms Affected 266

Relevant COBIT Topics 266

Best Practices 266

Default passwords 266

Secure connection strings 267

Secure network transmission 267

Encrypted data 268

PHP Configuration 268

Global variables 268

register_globals 269

Database security 272

Further Reading 273

ColdFusion Components (CFCs) 273

Configuration 274

SOFTWARE QUALITY ASSURANCE

Objective 281

Platforms Affected 281

Best practices 281

Process 283

Metrics 283

Testing Activities 284

DEPLOYMENT

Objective 286

Platforms Affected 286

Best Practices 286

Release Management 287

Secure delivery of code 287

Code signing 288

Permissions are set to least privilege 288

Automated packaging 288

Automated deployment 289

Automated removal 289

No backup or old files 289

Unnecessary features are off by default 289

Setup log files are clean 289

No default accounts 290

Easter eggs 290

Malicious software 291

Further Reading 292

MAINTENANCE

Objective 294

Platforms Affected 294

Relevant COBIT Topics 294

Best Practices 294

Security Incident Response 295

Fix Security Issues Correctly 295

Update Notifications 296

Regularly check permissions 296

Further Reading 297

Maintenance 297

GNU FREE DOCUMENTATION LICENSE

PREAMBLE 301

APPLICABILITY AND DEFINITIONS 301

VERBATIM COPYING 302

COPYING IN QUANTITY 303

MODIFICATIONS 303

COMBINING DOCUMENTS 305

COLLECTIONS OF DOCUMENTS 305

AGGREGATION WITH INDEPENDENT WORKS 306

TRANSLATION 306

TERMINATION 306

FUTURE REVISIONS OF THIS LICENSE 306