This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Cheat Sheet Series"

From OWASP

Jump to: navigation, search

Revision as of 16:15, 9 April 2018

Main
Master Cheat Sheet
Roadmap
Cheat sheet Guideline
Project Logo

Our goal

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.

If you have any questions about the OWASP Cheat Sheet Series, please email the project leader Jim Manico, subscribe to our project email list or contact us on the project's Slack channel.

Authors

Project Leaders: Jim Manico and Dominique Righetto @

Contributors: Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov and many more!

OWASP Cheat Sheets

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

Classifications

Slack & Twitter

Slack channel information:

Server owasp.slack.com
Channel cheatsheets

Twitter hash tag: #owaspcheatsheetseries

Email List

Project Email List

Licensing

The OWASP Cheat Sheet Series is free to use under the Creative Commons ShareAlike 3 License.

Related Projects

News and Events

[Mar 18 2018] Password Storage Cheat Sheet updated
[Feb 21 2018] HTML5 Security Cheat Sheet updated
[Feb 18 2018] Password Storage Cheat Sheet updated
[Jan 14 2018] Insecure Direct Object Reference Prevention Cheat Sheet updated
[Dec 04 2017] Ruby On Rails Cheat Sheet updated
[Nov 19 2017] JWT Cheat Sheet for Java updated
[Nov 17 2017] OS Command Injection Defense Cheat Sheet added to project
[Nov 04 2017] Authorization Testing Automation Cheat Sheet added to project
[Jan 17 2017] XML Security Cheat Sheet added to project
[Feb 06 2016] New navigation template rolled out project-wide
[Jun 11 2015] SAML Cheat Sheet added to project
[Feb 11 2015] Cheat Sheet "book" added to project
[Apr 04 2014] All non-draft cheat sheets moved to new wiki template!
[Feb 04 2014] Project-wide cleanup started

Authentication

Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.

For more information, check Authentication Cheat Sheet

Session Management

Use secure session management practices that ensure that authenticated users have a robust and cryptographically secure association with their session.

For more information, check Session Management Cheat Sheet

Access Control

Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare an ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.

For more information, check Access Control Cheat Sheet

Input Validation

Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.

For more information, check Input Validation Cheat Sheet

Output Encoding

Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.

For more information, check XSS (Cross Site Scripting) Prevention Cheat Sheet.

Cross Domain

Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts.

For more information, check Cross Site Request Forgery

Secure Transmission

Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP.

For more information, check Transport Protection Cheat Sheet

Logging

Ensure that all the security related events are logged. Events include: User log-in (success/fail); view; update; create, delete, file upload/download, attempt to access through URL, URL tampering. Audit logs should be immutable and write only and must be protected from unauthorized access.

For more information, check Logging Cheat Sheet

Uploads

Ensure that the size, type, contents, and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.

For more information, check https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#File_Uploads

Global:

Bring all cheat sheets out of draft fin end of 2018.
Go through the cheat sheets to make sure what they recommend is consistent with ASVS.
Move all code snippets of CS from pre tag to syntaxhighlight tag to enhance CS readability.
Find a way to automate the generation of a PDF referential file gathering all CS.
Go through the cheat sheets to make sure they follow the CS guideline.
Create branding stickers for the project.
Remove CS that that do not bring added value.

Next work on Cheat Sheets (CS) and work assignment:

Ruby On Rails CS:
- Action: CS complete refactoring.
- People in charge: Zaur Molotnikov.
- Status: Work in progress.
Android and iOS CS:
- Action: Replace content of the following CS to pointer to the dedicated section in the OWASP Mobile Security Testing Guide project, motivation is explained here:
- People in charge: Dominique Righetto.
- Status: Work in progress.
General OAuth introduction CS:
- Action: Create it.
- People in charge: Simon Bennetts & Jim Manico.
- Status: Work in progress.
OAuth and OIDC for SPA Applications CS:
- Action: Create it.
- People in charge: Simon Bennetts & Jim Manico.
- Status: Work in progress.
Credential Stuffing Prevention CS:
- Action: Refresh it.
- People in charge: Not assigned.
- Status: In backlog.
Server Side Request Forgery Defense CS:
- Action: Create it.
- People in charge: Not assigned.
- Status: In backlog.
Forgot Password CS:
- Action: Add a POC in order to provide actionable code.
- People in charge: Not assigned.
- Status: In backlog.
OS Command Injection Defense CS:
- Action: Add information about system command escaping.
- People in charge: Not assigned.
- Status: In backlog.

Cheat sheet content

The key points that all cheat sheets (called CS) must provides are the following:

Address a single topic (ex: password storage, OS command injection, REST service, CSRF, HTML5 new features security...).
Be concise and focused: A cheat sheet must be directly actionable (a CS is not a guide) and must be directly useful for a developer.
Do not re-address topic handled by others CS. In this case, the target CS will be enhanced with missing points.
When applicable, provide a solution proposal implementation through a full documented POC on a public well know Git repository (GitHub is highly prefered), the POC can be used as a playground for a developer wanting to play/evaluate your solution proposal.

Cheat sheet structure

A CS must have these sections:

Introduction: Provide high level information about the topic in order to introduce it to people that do not know it. You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS. You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file.
Context: Describe the security issues that are bring or commonly meet when someone must work on this topic.
Objective: Describe the objective of the CS. What the CS will bring to the reader?
Proposition:
1. Describe how to address the security issues in a possible technology agnostic approach.
2. Using your POC, describe your solution proposal in the more teaching possible way.
Sources of the prototype: Add pointer to the public GitHub repository on which the source code of POC is hosted.

For the code snippet, use the mediawiki tag syntaxhighlight:

Tag documentation.
Supported languages.

If you want to be careful in order to prevent to break something in the target existing CS, you can follow this contribution procedure:

Take a copy of the CS that you want to enhance (mediawiki syntax in the source tab).
Add your enhancement and publish the updated CS on the same GitHub repository than your POC (it support the mediawiki syntax).
Notify the CS Community using this mailing list and the CS Community will review the CS using GitHub comments system.
When the feedback loop is finished, the CS Community will help you to have right access to the wiki in order to update the CS.

Cheat sheet template

If the target CS is a new one then please use the following template struture.

It allow you to work:

Online by using the wiki Show preview option.
Offline by using an text editor like Atom with the mediawiki plugin.

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

__TOC__{{TOC hidden}}

= Introduction =

<pre>
Provide high level information about the topic in order to introduce it to people that do not know it.
You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS.
You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file.
</pre>

= Context =

<pre>
Describe the security issues that are bring or commonly meet when someone must work on this topic.
</pre>

= Objective =

<pre>
Describe the objective of the CS.
What the CS will bring to the reader.
</pre>

= Proposition =

<pre>
1. Describe how to address the security issues in a possible technology agnostic approach.
2. Using your POC, describe your solution proposal in the more teaching possible way. Use "syntaxhighlight" tag for code snippet.
</pre>

= Sources of the prototype =

<pre>
Add pointer to the public GitHub repository on which the source code of POC is hosted.
</pre>

= Authors and Primary Editors =

<pre>
Add your name and email.
</pre>

= Other Cheatsheets =

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]

This section contains the information that we have gathered and plan to use for the creation of the project logo and related design materials.

The first phase of the work is to commission a project logo.

Phase 1: Logo

Introduction

The project requires a logo which will comprise three components:

Graphical element indicating the idea or use of the cheat sheets
The project title
Motto/straplines.

Not all of these will necessarily be shown together at the same time. Phase 1 requires the creation of a logo, which may be used with one, two or all three of these components.

The logo will be used in many ways such as on a website banner, or just the graphical element on a bag, or the graphical element and a motto/strapline on a t-shirt. These other outputs are not included in the scope of Phase 1.

Project Name

The project name is OWASP Cheat Sheet Series project. The project name will be positioned next to the graphical element in some outputs, and this layout must be provided. In other cases, the project name will not be included beside the logo.

Motto/Strapline

Three mottos/straplines will be used in the logo - they are context dependent:

Life is too short, AppSec is tough, Cheat!
Its not cheating if you do it for the right reasons
Sometimes the only good thing to do is cheat.

The logo layout must allow for any of these or none to be included.

Layout, Media Formats and Colours

Some media or placements may mean the motto/strapline does not fit or is not needed. Therefore the logo must be usable with, or without, the motto/strapline.

The logo will need to be used at multiple scales. For example, if the logo is square excluding the motto/strapline, the following formats must work

Low-resolution use on web pages (e.g. as small as 100x100 pixels excluding moto/strapline)
Medium resolution use on fabric such as t-sirts or bags (e.g. 900x900 pixels at 150 dpi)
High-resolution use on large posters and banners (e.g. as large as 5,000x5,000 pixels at 300dpi).

The logo may be printed in CMYK for physical media, but must also have RGB colours for screen use. Additionally the logo must also be available in grayscale, and separately as single colour (i.e. black and white without any tones).

Deliverables Required

All outputs must be provided digitally:

Logo demonstrating how it looks with just the graphical element, the graphical element with the project title, and the graphical element with each of the mottos/straplines, and everything together
Source layered vector graphic files created in Adobe Illustrator
Exported versions for quick use low, medium and high resolution full-colour PNG/JPEGs in RGB and CMYK
Colour and font specification.

Rights/licensing:

The designer will not retain any rights - all design and use rights will be given to OWASP, who will publish the logo and files using am open source licence, and OWASP will be able to use the logo, source files, ideas, designs in any manner it desires in any media in any quantity, without any additional payments, commission or royalties to the designer or anyone else
All fonts used in the design must be provided to OWASP and comply with the above requirements

Future Phases: Other Graphical Elements

Scope TBC - Banners, t-shirts, etc

Background pictures (picture provider and designer will be cited on the project site):

A smart tech looking woman reading a piece of paper (the cheatsheet) while resting on a beach.
A woman hand holding cards with an ace up the sleeve.

Pictures proposal (just a proposal as bootstrap, others pictures can be used):

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Cheat_Sheet_Series&oldid=239509"

Categories:

@@ Line 291: / Line 291: @@
 = Project Logo =
-This section contains the information that we have gathered and plan to use for the creation of the project logo.
+This section contains the information that we have gathered and plan to use for the creation of the project logo and related design materials.
-Logo will be used for stickers, t-shirt, hoodies and any marketing action about the project.
+The first phase of the work is to commission a project logo.
-Big thanks to '''Colin Watson''' ([email protected]) for his precious help and advices.
+== Phase 1: Logo ==
+=== Introduction ===
+The project requires a logo which will comprise three components:
+* Graphical element indicating the idea or use of the cheat sheets
+* The project title
+* Motto/straplines.
+Not all of these will necessarily be shown together at the same time. Phase 1 requires the creation of a logo, which may be used with one, two or all three of these components.
+The logo will be used in many ways such as on a website banner, or just the graphical element on a bag, or the graphical element and a motto/strapline on a t-shirt. These other outputs are not included in the scope of Phase 1.
+=== Project Name ===
+The project name is ''OWASP Cheat Sheet Series project''. The project name will be positioned next to the graphical element in some outputs, and this layout must be provided. In other cases, the project name will not be included beside the logo.
+=== Motto/Strapline ===
+Three mottos/straplines will be used in the logo - they are context dependent:
-Moto proposed by the community, the project name ''OWASP Cheat Sheet Series project'' must appear along the moto:
 * ''Life is too short, AppSec is tough, Cheat!''
 * ''Its not cheating if you do it for the right reasons''
-* ''Sometimes the only good thing to do is cheat''
+* ''Sometimes the only good thing to do is cheat''.
+The logo layout must allow for any of these or none to be included.
+=== Layout, Media Formats and Colours ===
+Some media or placements may mean the motto/strapline does not fit or is not needed. Therefore the logo must be usable with, or without, the motto/strapline.
+The logo will need to be used at multiple scales. For example, if the logo is square excluding the motto/strapline, the following formats must work
+* Low-resolution use on web pages (e.g. as small as 100x100 pixels excluding moto/strapline)
+* Medium resolution use on fabric such as t-sirts or bags (e.g. 900x900 pixels at 150 dpi)
+* High-resolution use on large posters and banners (e.g. as large as 5,000x5,000 pixels at 300dpi).
+The logo may be printed in CMYK for physical media, but must also have RGB colours for screen use. Additionally the logo must also be available in grayscale, and separately as single colour (i.e. black and white without any tones).
+=== Deliverables Required ===
+All outputs must be provided digitally:
+# Logo demonstrating how it looks with just the graphical element, the graphical element with the project title, and the graphical element with each of the mottos/straplines, and everything together
+# Source layered vector graphic files created in Adobe Illustrator
+# Exported versions for quick use low, medium and high resolution full-colour PNG/JPEGs in RGB and CMYK
+# Colour and font specification.
+Rights/licensing:
+# The designer will not retain any rights - all design and use rights will be given to OWASP, who will publish the logo and files using am open source licence, and OWASP will be able to use the logo, source files, ideas, designs in any manner it desires in any media in any quantity, without any additional payments, commission or royalties to the designer or anyone else
+# All fonts used in the design must be provided to OWASP and comply with the above requirements
+== Future Phases: Other Graphical Elements ==
+Scope TBC - Banners, t-shirts, etc
 Background pictures (picture provider and designer will be cited on the project site):
 * ''A smart tech looking woman reading a piece of paper (the cheatsheet) while resting on a beach.''
 * ''A woman hand holding cards with an ace up the sleeve.''
 Pictures proposal (just a proposal as bootstrap, others pictures can be used):