Revision as of 12:50, 22 May 2006

Frontispiece

1. Dedication
2. Copyright and license
3. Editors
4. Authors and Reviewers
5. Revision History

About The Open Web Application Security Project

1. Structure and Licensing
2. Participation and Membership
3. Projects

Introduction

1. Developing Secure Applications
2. Improvements in this edition
3. How to use this Guide
4. Updates and errata
5. With thanks

What are web applications?

1. Technologies
2. First generation – CGI
3. Filters
4. Scripting
5. Web application frameworks – J
6. Small to medium scale applications
7. Large scale applications
8. View
9. Controller
10. Model
11. Conclusion

Policy Frameworks

1. Organizational commitment to security
2. OWASP’s Place at the Framework table
3. Development Methodology
4. Coding Standards
5. Source Code Control
6. Summary

Secure Coding Principles

1. Asset Classification
2. About attackers
3. Core pillars of information security
4. Security Architecture
5. Security Principles

Threat Risk Modeling

1. Threat Risk Modeling
2. Performing threat risk modeling using the Microsoft Threat Modeling Process
3. Alternative Threat Modeling Systems
4. Trike
5. AS/NZS
6. CVSS
7. OCTAVE
8. Conclusion
9. Further Reading

Handling E-Commerce Payments

1. Objectives
2. Compliance and Laws
3. PCI Compliance
4. Handling Credit Cards
5. Further Reading

Phishing

1. What is phishing?
2. User Education
3. Make it easy for your users to report scams
4. Communicating with customers via e-mail
5. Never ask your customers for their secrets
6. Fix all your XSS issues
7. Do not use pop-ups
8. Don’t be framed
9. Move your application one link away from your front page
10. Enforce local referrers for images and other resources
11. Keep the address bar, use SSL, do not use IP addresses
12. Don’t be the source of identity theft
13. Implement safe-guards within your application
14. Monitor unusual account activity
15. Get the phishing target servers offline pronto
16. Take control of the fraudulent domain name
17. Work with law enforcement
18. When an attack happens
19. Further Reading

Web Services

1. Securing Web Services
2. Communication security
3. Passing credentials
4. Ensuring message freshness
5. Protecting message integrity
6. Protecting message confidentiality
7. Access control
8. Audit
9. Web Services Security Hierarchy
10. SOAP
11. WS-Security Standard
12. WS-Security Building Blocks
13. Communication Protection Mechanisms
14. Access Control Mechanisms
15. Forming Web Service Chains
16. Available Implementations
17. Problems
18. Further Reading

Ajax and Other "Rich" Interface Technologies

1. Objective
2. Platforms Affected
3. Architecture
4. Access control: Authentication and Authorization
5. Silent transactional authorization
6. Untrusted or absent session data
7. State management
8. Tamper resistance
9. Privacy
10. Proxy Façade
11. SOAP Injection Attacks
12. XMLRPC Injection Attacks
13. DOM Injection Attacks
14. XML Injection Attacks
15. JSON (Javascript Object Notation) Injection Attacks
16. Encoding safety
17. Auditing
18. Error Handling
19. Accessibility
20. Further Reading

Authentication

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Best Practices
5. Common web authentication techniques
6. Strong Authentication
7. Federated Authentication
8. Client side authentication controls
9. Positive Authentication
10. Multiple Key Lookups
11. Referer Checks
12. Browser remembers passwords
13. Default accounts
14. Choice of usernames
15. Change passwords
16. Short passwords
17. Weak password controls
18. Reversible password encryption
19. Automated password resets
20. Brute Force
21. Remember Me
22. Idle Timeouts
23. Logout
24. Account Expiry
25. Self registration
26. CAPTCHA
27. Further Reading
28. Authentication

Authorization

1. Objectives
2. Environments Affected
3. Relevant COBIT Topics
4. Best Practices
5. Best Practices in Action
6. Principle of least privilege
7. Centralized authorization routines
8. Authorization matrix
9. Controlling access to protected resources
10. Protecting access to static resources
11. Reauthorization for high value activities or after idle out
12. Time based authorization
13. Be cautious of custom authorization controls
14. Never implement client-side authorization tokens
15. Further Reading

Session Management

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Description
5. Best practices
6. Exposed Session Variables
7. Page and Form Tokens
8. Weak Session Cryptographic Algorithms
9. Session Token Entropy
10. Session Time-out
11. Regeneration of Session Tokens
12. Session Forging/Brute-Forcing Detection and/or Lockout
13. Session Token Capture and Session Hijacking
14. Session Tokens on Logout
15. Session Validation Attacks
16. PHP
17. Sessions
18. Further Reading
19. Session Management

Data Validation

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Description
5. Definitions
6. Where to include integrity checks
7. Where to include validation
8. Where to include business rule validation
9. Data Validation Strategies
10. Prevent parameter tampering
11. Hidden fields
12. ASP.NET Viewstate
13. URL encoding
14. HTML encoding
15. Encoded strings
16. Data Validation and Interpreter Injection
17. Delimiter and special characters
18. Further Reading

Interpreter Injection

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. User Agent Injection
5. HTTP Response Splitting
6. SQL Injection
7. ORM Injection
8. LDAP Injection
9. XML Injection
10. Code Injection
11. Further Reading
12. SQL-injection
13. Code Injection
14. Command injection

Canoncalization, locale and Unicode

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Description
5. Unicode
6. http://www.ietf.org/rfc/rfc#
7. Input Formats
8. Locale assertion
9. Double (or n-) encoding
10. HTTP Request Smuggling
11. Further Reading

Error Handling, Auditing and Logging

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Description
5. Best practices
6. Error Handling
7. Detailed error messages
8. Logging
9. Noise
10. Cover Tracks
11. False Alarms
12. Destruction
13. Audit Trails
14. Further Reading
15. Error Handling and Logging

File System

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Description
5. Best Practices
6. Defacement
7. Path traversal
8. Insecure permissions
9. Insecure Indexing
10. Unmapped files
11. Temporary files
12. PHP
13. Includes and Remote files
14. File upload
15. Old, unreferenced files
16. Second Order Injection
17. Further Reading
18. File System

Distributed Computing

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Best Practices
5. Race conditions
6. Distributed synchronization
7. Further Reading

Buffer Overflows

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Description
5. General Prevention Techniques
6. Stack Overflow
7. Heap Overflow
8. Format String
9. Unicode Overflow
10. Integer Overflow
11. Further reading

Administrative Interface

1. Objective
2. Environments Affected
3. Relevant COBIT Topics
4. Best practices
5. Administrators are not users
6. Authentication for high value systems
7. Further Reading

Cryptography

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Description
5. Cryptographic Functions
6. Cryptographic Algorithms
7. Algorithm Selection
8. Key Storage
9. Insecure transmission of secrets
10. Reversible Authentication Tokens
11. Safe UUID generation
12. Summary
13. Further Reading
14. Cryptography

Configuration

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Best Practices
5. Default passwords
6. Secure connection strings
7. Secure network transmission
8. Encrypted data
9. PHP Configuration
10. Global variables
11. register_globals
12. Database security
13. Further Reading
14. ColdFusion Components (CFCs)
15. Configuration

Software Quality Assurance

1. Objective
2. Platforms Affected
3. Best practices
4. Process
5. Metrics
6. Testing Activities

Deployment

1. Objective
2. Platforms Affected
3. Best Practices
4. Release Management
5. Secure delivery of code
6. Code signing
7. Permissions are set to least privilege
8. Automated packaging
9. Automated deployment
10. Automated removal
11. No backup or old files
12. Unnecessary features are off by default
13. Setup log files are clean
14. No default accounts
15. Easter eggs
16. Malicious software
17. Further Reading

Maintenance

1. Objective
2. Platforms Affected
3. Relevant COBIT Topics
4. Best Practices
5. Security Incident Response
6. Fix Security Issues Correctly
7. Update Notifications
8. Regularly check permissions
9. Further Reading
10. Maintenance

GNU Free Documentation License

1. PREAMBLE
2. APPLICABILITY AND DEFINITIONS
3. VERBATIM COPYING
4. COPYING IN QUANTITY
5. MODIFICATIONS
6. COMBINING DOCUMENTS
7. COLLECTIONS OF DOCUMENTS
8. AGGREGATION WITH INDEPENDENT WORKS
9. TRANSLATION
10. TERMINATION
11. FUTURE REVISIONS OF THIS LICENSE