Guide Table of Contents
- 1 Frontispiece
- 2 About The Open Web Application Security Project
- 3 Introduction
- 4 What are web applications?
- 5 Policy Frameworks
- 6 Secure Coding Principles
- 7 Threat Risk Modeling
- 8 Handling E-Commerce Payments
- 9 Phishing
- 10 Web Services
- 11 Ajax and Other "Rich" Interface Technologies
- 12 Authentication
- 13 Authorization
- 14 Session Management
- 15 Data Validation
- 16 Interpreter Injection
- 17 Canonicalization, locale and Unicode
- 18 Error Handling, Auditing and Logging
- 19 File System
- 20 Distributed Computing
- 21 Buffer Overflows
- 22 Administrative Interface
- 23 Cryptography
- 24 Configuration
- 25 Software Quality Assurance
- 26 Deployment
- 27 Maintenance
- 28 GNU Free Documentation License
Frontispiece
- Dedication
- Copyright and license
- Editors
- Authors and Reviewers
- Revision History
About The Open Web Application Security Project
- Structure and Licensing
- Participation and Membership
- Projects
Introduction
- Developing Secure Applications
- Improvements in this edition
- How to use this Guide
- Updates and errata
- With thanks
What are web applications?
- Technologies
- First generation – CGI
- Filters
- Scripting
- Web application frameworks – J
- Small to medium scale applications
- Large scale applications
- View
- Controller
- Model
- Conclusion
Policy Frameworks
- Organizational commitment to security
- OWASP’s Place at the Framework table
- Development Methodology
- Coding Standards
- Source Code Control
- Summary
Secure Coding Principles
- Asset Classification
- About attackers
- Core pillars of information security
- Security Architecture
- Security Principles
Threat Risk Modeling
- Threat Risk Modeling
- Performing threat risk modeling using the Microsoft Threat Modeling Process
- Alternative Threat Modeling Systems
- Trike
- AS/NZS
- CVSS
- OCTAVE
- Conclusion
- Further Reading
Handling E-Commerce Payments
- Objectives
- Compliance and Laws
- PCI Compliance
- Handling Credit Cards
- Further Reading
Phishing
- What is phishing?
- User Education
- Make it easy for your users to report scams
- Communicating with customers via e-mail
- Never ask your customers for their secrets
- Fix all your XSS issues
- Do not use pop-ups
- Don’t be framed
- Move your application one link away from your front page
- Enforce local referrers for images and other resources
- Keep the address bar, use SSL, do not use IP addresses
- Don’t be the source of identity theft
- Implement safe-guards within your application
- Monitor unusual account activity
- Get the phishing target servers offline pronto
- Take control of the fraudulent domain name
- Work with law enforcement
- When an attack happens
- Further Reading
Web Services
- Securing Web Services
- Communication security
- Passing credentials
- Ensuring message freshness
- Protecting message integrity
- Protecting message confidentiality
- Access control
- Audit
- Web Services Security Hierarchy
- SOAP
- WS-Security Standard
- WS-Security Building Blocks
- Communication Protection Mechanisms
- Access Control Mechanisms
- Forming Web Service Chains
- Available Implementations
- Problems
- Further Reading
Ajax and Other "Rich" Interface Technologies
- Objective
- Platforms Affected
- Architecture
- Access control: Authentication and Authorization
- Silent transactional authorization
- Untrusted or absent session data
- State management
- Tamper resistance
- Privacy
- Proxy Façade
- SOAP Injection Attacks
- XMLRPC Injection Attacks
- DOM Injection Attacks
- XML Injection Attacks
- JSON (Javascript Object Notation) Injection Attacks
- Encoding safety
- Auditing
- Error Handling
- Accessibility
- Further Reading
Authentication
- Objective
- Environments Affected
- Relevant COBIT Topics
- Best Practices
- Common web authentication techniques
- Strong Authentication
- Federated Authentication
- Client side authentication controls
- Positive Authentication
- Multiple Key Lookups
- Referer Checks
- Browser remembers passwords
- Default accounts
- Choice of usernames
- Change passwords
- Short passwords
- Weak password controls
- Reversible password encryption
- Automated password resets
- Brute Force
- Remember Me
- Idle Timeouts
- Logout
- Account Expiry
- Self registration
- CAPTCHA
- Further Reading
- Authentication
Authorization
- Objectives
- Environments Affected
- Relevant COBIT Topics
- Best Practices
- Best Practices in Action
- Principle of least privilege
- Centralized authorization routines
- Authorization matrix
- Controlling access to protected resources
- Protecting access to static resources
- Reauthorization for high value activities or after idle out
- Time based authorization
- Be cautious of custom authorization controls
- Never implement client-side authorization tokens
- Further Reading
Session Management
- Objective
- Environments Affected
- Relevant COBIT Topics
- Description
- Best practices
- Exposed Session Variables
- Page and Form Tokens
- Weak Session Cryptographic Algorithms
- Session Token Entropy
- Session Time-out
- Regeneration of Session Tokens
- Session Forging/Brute-Forcing Detection and/or Lockout
- Session Token Capture and Session Hijacking
- Session Tokens on Logout
- Session Validation Attacks
- PHP
- Sessions
- Further Reading
- Session Management
Data Validation
- Objective
- Platforms Affected
- Relevant COBIT Topics
- Description
- Definitions
- Where to include integrity checks
- Where to include validation
- Where to include business rule validation
- Data Validation Strategies
- Prevent parameter tampering
- Hidden fields
- ASP.NET Viewstate
- URL encoding
- HTML encoding
- Encoded strings
- Data Validation and Interpreter Injection
- Delimiter and special characters
- Further Reading
Interpreter Injection
- Objective
- Platforms Affected
- Relevant COBIT Topics
- User Agent Injection
- HTTP Response Splitting
- SQL Injection
- ORM Injection
- LDAP Injection
- XML Injection
- Code Injection
- Further Reading
- SQL-injection
- Code Injection
- Command injection
Canonicalization, locale and Unicode
- Objective
- Platforms Affected
- Relevant COBIT Topics
- Description
- Unicode
- http://www.ietf.org/rfc/rfc##
- Input Formats
- Locale assertion
- Double (or n-) encoding
- HTTP Request Smuggling
- Further Reading
Error Handling, Auditing and Logging
- Objective
- Environments Affected
- Relevant COBIT Topics
- Description
- Best practices
- Error Handling
- Detailed error messages
- Logging
- Noise
- Cover Tracks
- False Alarms
- Destruction
- Audit Trails
- Further Reading
- Error Handling and Logging
File System
- Objective
- Environments Affected
- Relevant COBIT Topics
- Description
- Best Practices
- Defacement
- Path traversal
- Insecure permissions
- Insecure Indexing
- Unmapped files
- Temporary files
- PHP
- Includes and Remote files
- File upload
- Old, unreferenced files
- Second Order Injection
- Further Reading
- File System
Distributed Computing
- Objective
- Environments Affected
- Relevant COBIT Topics
- Best Practices
- Race conditions
- Distributed synchronization
- Further Reading
Buffer Overflows
- Objective
- Platforms Affected
- Relevant COBIT Topics
- Description
- General Prevention Techniques
- Stack Overflow
- Heap Overflow
- Format String
- Unicode Overflow
- Integer Overflow
- Further reading
Administrative Interface
- Objective
- Environments Affected
- Relevant COBIT Topics
- Best practices
- Administrators are not users
- Authentication for high value systems
- Further Reading
Cryptography
- Objective
- Platforms Affected
- Relevant COBIT Topics
- Description
- Cryptographic Functions
- Cryptographic Algorithms
- Algorithm Selection
- Key Storage
- Insecure transmission of secrets
- Reversible Authentication Tokens
- Safe UUID generation
- Summary
- Further Reading
- Cryptography
Configuration
- Objective
- Platforms Affected
- Relevant COBIT Topics
- Best Practices
- Default passwords
- Secure connection strings
- Secure network transmission
- Encrypted data
- PHP Configuration
- Global variables
- register_globals
- Database security
- Further Reading
- ColdFusion Components (CFCs)
- Configuration
Software Quality Assurance
- Objective
- Platforms Affected
- Best practices
- Process
- Metrics
- Testing Activities
Deployment
- Objective
- Platforms Affected
- Best Practices
- Release Management
- Secure delivery of code
- Code signing
- Permissions are set to least privilege
- Automated packaging
- Automated deployment
- Automated removal
- No backup or old files
- Unnecessary features are off by default
- Setup log files are clean
- No default accounts
- Easter eggs
- Malicious software
- Further Reading
Maintenance
- Objective
- Platforms Affected
- Relevant COBIT Topics
- Best Practices
- Security Incident Response
- Fix Security Issues Correctly
- Update Notifications
- Regularly check permissions
- Further Reading
- Maintenance
GNU Free Documentation License
- PREAMBLE
- APPLICABILITY AND DEFINITIONS
- VERBATIM COPYING
- COPYING IN QUANTITY
- MODIFICATIONS
- COMBINING DOCUMENTS
- COLLECTIONS OF DOCUMENTS
- AGGREGATION WITH INDEPENDENT WORKS
- TRANSLATION
- TERMINATION
- FUTURE REVISIONS OF THIS LICENSE