This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Cheat Sheet Series"

From OWASP
Jump to: navigation, search
(added Dominique Righetto as lead)
m (Remove Dominique from the contact messages)
 
(88 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
= Main =  
 
= Main =  
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
+
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
  
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.
+
== Our goal ==
  
If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:[email protected] Jim Manico] or subscribe to our [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets project email list].
+
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.
  
== Authors ==
+
If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:[email protected] Jim Manico], contact us on the project's Slack channel, or on our [https://groups.google.com/a/owasp.org/forum/#!forum/cheat-sheets-project Google Group] ('''Slack is highly preferred over the Google Group''').
  
Project Leaders: [https://www.owasp.org/index.php/User:Jmanico Jim Manico] and  [https://www.owasp.org/index.php/User:Dominique_RIGHETTO Dominique Righetto] [mailto:dominique.righetto@owasp.org @]
+
The archives of the old mailing list can be consulted [https://lists.owasp.org/pipermail/owasp-cheat-sheets/index here].
Contributors: Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall and <b>many more</b>!
 
  
== OWASP Cheat Sheets ==
+
== Official website ==
  
{{Cheatsheet_Navigation_Body}}
+
The official website on which all the cheat sheets are hosted is https://cheatsheetseries.owasp.org .
  
| valign="top"  style="padding-left:25px;width:200px;" |
+
== Migration to GitHub ==
  
== Quick Access ==
+
Project has been fully migrated to [https://github.com/OWASP/CheatSheetSeries GitHub].
OWASP Cheatsheet Series Book : April 2015 [https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf PDF download].
 
  
== Email List ==
+
This page is used as the OWASP homepage of the project, all the project content is hosted on the [https://github.com/OWASP/CheatSheetSeries GitHub repository] and we work '''only from''' this repository, '''wiki is not used anymore'''.
[https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets Project Email List]
 
  
== Licensing ==
+
The [https://github.com/OWASP/CheatSheetSeries GitHub] repository is used for the work on the cheat sheets and the released ones are deployed on the [https://cheatsheetseries.owasp.org official website].
The OWASP <i>Cheat Sheet Series</i> is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].
+
 
 +
So, from now, only a GitHub account is needed to contribute :)
 +
 
 +
== Bridge between the projects OWASP Proactive Controls/OWASP Application Security Verification Standard and OWASP Cheat Sheet Series ==
 +
 
 +
A work channel has been created between these 2 projects and the Cheat Sheet Series using the following process (''OPC = OWASP Proactive Controls / OASVS = OWASP Application Security Verification Standard / OCS = OWASP Cheat Sheet''):
 +
 
 +
* When a Cheat Sheet is missing for a point in OPC/OASVS then the OCS will handle the missing and create one. When the Cheat Sheet is ready then the reference is added by OPC/OASVS.
 +
* If a Cheat Sheet exists for an OPC/OASVS point but the content do not provide the expected help then the Cheat Sheet is updated to provide the content needed/expected.
 +
 
 +
The reason of the creation of this bridge is to help the OCS/OASVS projects by providing them:
 +
 
 +
* A consistent source for the requests regarding new Cheat Sheets.
 +
* Same approach about the update of the existing Cheat Sheets.
 +
* A usage context for the Cheat Sheet and a quick source of feedack about the quality and the efficiency of the Cheat Sheet.
 +
 
 +
It is not mandatory that a request for a new Cheat Sheet (or for an update) come only from OPC/OASVS, it is just a extra channel.
 +
 
 +
<pre>Requests from OPC/OASVS are flagged with a special label in the GitHub repository issues list in order to identify them and set them as a top level priority.</pre>
 +
 
 +
== Project leaders ==
 +
 
 +
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]
 +
 
 +
== Core team ==
 +
 
 +
* [https://github.com/ThunderSon Elie Saad]
 +
* [https://github.com/mackowski Jakub Maćkowski]
 +
* [https://github.com/rbsec Robin Bailey]
 +
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico]
 +
 
 +
== Contributors of the V1 of the project ==
 +
 
 +
Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov, Manideep Konakandla, Santhosh Tuppad and '''many more'''!
 +
 
 +
== Contributors of the V2 of the project ==
 +
 
 +
See [https://github.com/OWASP/CheatSheetSeries/graphs/contributors here] for a complete list.
 +
 
 +
| style="padding-left:25px;width:200px;" valign="top" |
 +
 
 +
== Official website ==
 +
 
 +
Website of the [https://cheatsheetseries.owasp.org here].
 +
 
 +
== GitHub repository ==
 +
 
 +
Repository is [https://github.com/OWASP/CheatSheetSeries here].
 +
 
 +
== Offline Cheat Sheets collection ==
 +
 
 +
A offline website of all Cheat Sheets can be obtained [https://github.com/OWASP/CheatSheetSeries#offline-website here].
 +
 
 +
== Slack & Twitter ==
 +
 
 +
Slack channel information:
 +
* Server <code>owasp.slack.com</code>
 +
* Channel <code>cheatsheets</code>
 +
 
 +
Twitter hash tag: '''#[https://twitter.com/search?q=%23owaspcheatsheetseries&src=typd owaspcheatsheetseries]'''
 +
 
 +
== Google Group ==
  
== Related Projects ==
+
[https://groups.google.com/a/owasp.org/forum/#!forum/cheat-sheets-project Project Google Group], click [https://groups.google.com/a/owasp.org/forum/#!forum/cheat-sheets-project/join here] to join it.
* [[OWASP Proactive Controls]]
 
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
 
  
== News and Events ==
+
Still used for technical discussion '''but we highly prefer''':
* [Jan 17 2017] [https://www.owasp.org/index.php/XML_Security_Cheat_Sheet XML Security Cheat Sheet] added to project
+
* The Slack channel for announcement and technical discussion.
* [Feb 6 2016] New navigation template rolled out project-wide
+
* The Twitter hash tag for announcement only.
* [Jun 11 2015] [https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet SAML Cheat Sheet] added to project
 
* [Feb 11 2015] [https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf Cheat Sheet "book"] added to project
 
* [Apr 4 2014] All non-draft cheat sheets moved to new wiki template!
 
* [Feb 4 2014] Project-wide cleanup started
 
  
==Classifications==
+
== Project classifications ==
  
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Labs_Projects]]
+
   | rowspan="3" width="50%" valign="top" align="center" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
+
   | width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=Builders]] 
 +
  |-
 +
  | width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=Defenders]]
 
   |-
 
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
+
   | width="50%" valign="center" align="center" |  
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
+
   | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
 
   |}
 
   |}
 +
 +
== Licensing ==
 +
 +
The OWASP <i>Cheat Sheet Series</i> is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].
 +
 +
== Related Projects ==
 +
 +
* [[OWASP Proactive Controls]]
 +
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
  
 
|}
 
|}
  
= Master Cheat Sheet =
+
= Roadmap =
  
==Authentication==
+
Roadmap is managed using the [https://github.com/OWASP/CheatSheetSeries/projects/1 GitHub feature] of the repository.
Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.
 
  
For more information, check [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet]
+
= Project Logo =
  
==Session Management==
+
'''Project is now finished, we let the specification online for further evolution of the logo.'''
  
Use secure session management practices that ensure that authenticated users have a robust and cryptographically secure association with their session.  
+
Big thanks to Amélie Didion for the design work.
  
For more information, check [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet Session Management Cheat Sheet]
+
== Logo files ==
  
==Access Control==
+
Logo files are hosted on the official OWASP dedicated [https://github.com/OWASP/owasp-swag/tree/master/projects/cheat-sheet-series Github repository].
  
Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare an ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.
+
Logo n°1:
  
For more information, check [https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Access Control Cheat Sheet]
+
[https://github.com/OWASP/owasp-swag/blob/master/projects/cheat-sheet-series/owasp-1.png]
  
==Input Validation==
+
Logo n°2:
  
Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.
+
[https://github.com/OWASP/owasp-swag/blob/master/projects/cheat-sheet-series/owasp-2.png]
  
For more information, check [https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet Input Validation Cheat Sheet]
+
== Objective ==
  
==Output Encoding==
+
This section contains the information that we have gathered and plan to use for the creation of the project logo and related design materials.
  
Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.
+
The first phase of the work is to commission a project logo.
  
For more information, check [https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet XSS (Cross Site Scripting) Prevention Cheat Sheet].
+
== Phase 1: Logo ==
  
==Cross Domain==
+
=== Introduction ===
  
Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts.
+
The project requires a logo which will comprise three components:
  
For more information, check [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet Cross Site Request Forgery]
+
* Graphical element indicating the idea or use of the cheat sheets
 +
* The project title
 +
* Motto/straplines.
  
==Secure Transmission==
+
Not all of these will necessarily be shown together at the same time. Phase 1 requires the creation of a logo, which may be used with one, two or all three of these components.
  
Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP.
+
The logo will be used in many ways such as on a website banner, or just the graphical element on a bag, or the graphical element and a motto/strapline on a t-shirt. These other outputs are not included in the scope of Phase 1.
  
For more information, check [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Protection Cheat Sheet]
+
=== Project Name ===
  
==Logging==
+
The project name is ''OWASP Cheat Sheet Series project''. The project name will be positioned next to the graphical element in some outputs, and this layout must be provided. In other cases, the project name will not be included beside the logo.
  
Ensure that all the security related events are logged. Events include: User log-in (success/fail); view; update; create, delete, file upload/download, attempt to access through URL, URL tampering. Audit logs should be immutable and write only and must be protected from unauthorized access.
+
=== Motto/Strapline ===
  
For more information, check [https://www.owasp.org/index.php/Logging_Cheat_Sheet Logging Cheat Sheet]
+
Three mottos/straplines will be used in the logo - they are context dependent:
  
==Uploads==
+
* ''Life is too short, AppSec is tough, Cheat!''
 +
* ''Its not cheating if you do it for the right reasons''
 +
* ''Sometimes the only good thing to do is cheat''.
  
Ensure that the size, type, contents and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.
+
The logo layout must allow for any of these or none to be included.
  
= Roadmap =
+
=== Layout, Media Formats and Colours ===
 +
 
 +
Some media or placements may mean the motto/strapline does not fit or is not needed. Therefore the logo must be usable with, or without, the motto/strapline.
 +
 
 +
The logo will need to be used at multiple scales. For example, if the logo is square excluding the motto/strapline, the following formats must work
 +
 
 +
* Low-resolution use on web pages (e.g. as small as 100x100 pixels excluding moto/strapline)
 +
* Medium resolution use on fabric such as t-sirts or bags (e.g. 900x900 pixels at 150 dpi)
 +
* High-resolution use on large posters and banners (e.g. as large as 5,000x5,000 pixels at 300dpi).
 +
 
 +
The logo may be printed in CMYK for physical media, but must also have RGB colours for screen use. Additionally the logo must also be available in grayscale, and separately as single colour (i.e. black and white without any tones).
 +
 
 +
=== Deliverables Required ===
 +
 
 +
All outputs must be provided digitally:
 +
 
 +
# Logo demonstrating how it looks with just the graphical element, the graphical element with the project title, and the graphical element with each of the mottos/straplines, and everything together
 +
# Source layered vector graphic files created in Adobe Illustrator
 +
# Exported versions for quick use low, medium and high resolution full-colour PNG/JPEGs in RGB and CMYK
 +
# Colour and font specification.
 +
 
 +
Rights/licensing:
 +
 
 +
# The designer will not retain any rights - all design and use rights will be given to OWASP, who will publish the logo and files using am open source licence, and OWASP will be able to use the logo, source files, ideas, designs in any manner it desires in any media in any quantity, without any additional payments, commission or royalties to the designer or anyone else
 +
# All fonts used in the design must be provided to OWASP and comply with the above requirements
 +
 
 +
 
 +
 
 +
== Future Phases: Other Graphical Elements ==
 +
 
 +
Scope TBC - Banners, t-shirts, etc
 +
 
 +
Background pictures (picture provider and designer will be cited on the project site):
 +
* ''A smart tech looking woman reading a piece of paper (the cheatsheet) while resting on a beach.''
 +
* ''A woman hand holding cards with an ace up the sleeve.''
 +
 
 +
Pictures proposal (just a proposal as bootstrap, others pictures can be used):
 +
* Cards:
 +
** https://www.pexels.com/photo/woman-holding-queen-of-hearts-and-diamonds-922706/
 +
** https://www.pexels.com/photo/ace-card-gambling-hand-274373/
 +
** https://www.pexels.com/photo/ace-bet-business-card-262333/
 +
* Beach:
 +
** https://www.pexels.com/photo/laptop-mockup-notebook-outside-4778/
 +
** https://www.pexels.com/photo/apple-check-computer-female-7079/
 +
** https://www.pexels.com/photo/beach-beach-chair-blur-casual-319921/
 +
** https://www.pexels.com/photo/close-up-of-woman-typing-on-keyboard-of-laptop-6352/
 +
** https://www.pexels.com/photo/black-and-gray-computer-laptop-159784/
  
* Bring all cheat sheets out of draft by December 2016
 
* Go through the cheat sheets to make sure what they recommend is consistent with ASVS (TBD).
 
  
 
__NOTOC__ <headertabs />
 
__NOTOC__ <headertabs />
  
[[Category:OWASP_Project|OWASP Cheat Sheets Project]]
+
[[Category:OWASP Project|OWASP Cheat Sheets Project]]
 
[[Category:OWASP_Document]]
 
[[Category:OWASP_Document]]
 
[[Category:OWASP_Alpha_Quality_Document]]
 
[[Category:OWASP_Alpha_Quality_Document]]
 
[[Category:SAMM-EG-1]]
 
[[Category:SAMM-EG-1]]

Latest revision as of 10:23, 29 September 2019

Flagship big.jpg
Cheatsheets-header.jpg

Our goal

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.

If you have any questions about the OWASP Cheat Sheet Series, please email the project leader Jim Manico, contact us on the project's Slack channel, or on our Google Group (Slack is highly preferred over the Google Group).

The archives of the old mailing list can be consulted here.

Official website

The official website on which all the cheat sheets are hosted is https://cheatsheetseries.owasp.org .

Migration to GitHub

Project has been fully migrated to GitHub.

This page is used as the OWASP homepage of the project, all the project content is hosted on the GitHub repository and we work only from this repository, wiki is not used anymore.

The GitHub repository is used for the work on the cheat sheets and the released ones are deployed on the official website.

So, from now, only a GitHub account is needed to contribute :)

Bridge between the projects OWASP Proactive Controls/OWASP Application Security Verification Standard and OWASP Cheat Sheet Series

A work channel has been created between these 2 projects and the Cheat Sheet Series using the following process (OPC = OWASP Proactive Controls / OASVS = OWASP Application Security Verification Standard / OCS = OWASP Cheat Sheet):

  • When a Cheat Sheet is missing for a point in OPC/OASVS then the OCS will handle the missing and create one. When the Cheat Sheet is ready then the reference is added by OPC/OASVS.
  • If a Cheat Sheet exists for an OPC/OASVS point but the content do not provide the expected help then the Cheat Sheet is updated to provide the content needed/expected.

The reason of the creation of this bridge is to help the OCS/OASVS projects by providing them:

  • A consistent source for the requests regarding new Cheat Sheets.
  • Same approach about the update of the existing Cheat Sheets.
  • A usage context for the Cheat Sheet and a quick source of feedack about the quality and the efficiency of the Cheat Sheet.

It is not mandatory that a request for a new Cheat Sheet (or for an update) come only from OPC/OASVS, it is just a extra channel. 

Requests from OPC/OASVS are flagged with a special label in the GitHub repository issues list in order to identify them and set them as a top level priority.

Project leaders

Core team

Contributors of the V1 of the project

Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov, Manideep Konakandla, Santhosh Tuppad and many more!

Contributors of the V2 of the project

See here for a complete list.

Official website

Website of the here.

GitHub repository

Repository is here.

Offline Cheat Sheets collection

A offline website of all Cheat Sheets can be obtained here.

Slack & Twitter

Slack channel information:

  • Server owasp.slack.com
  • Channel cheatsheets

Twitter hash tag: #owaspcheatsheetseries

Google Group

Project Google Group, click here to join it.

Still used for technical discussion but we highly prefer:

  • The Slack channel for announcement and technical discussion.
  • The Twitter hash tag for announcement only.

Project classifications

Owasp-flagship-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

Licensing

The OWASP Cheat Sheet Series is free to use under the Creative Commons ShareAlike 3 License.

Related Projects

Roadmap is managed using the GitHub feature of the repository.

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Cheat_Sheet_Series&oldid=255006"