Web Services Cheat Sheet
From OWASP
- 1 ACTIVE WORK IN PROGRESS AUGUST 2011
- 2 Introduction
- 2.1 Transport Confidentiality
- 2.2 Transport Authentication
- 2.3 Transport Encoding
- 2.4 Message Authentication
- 2.5 Message Integrity
- 2.6 Message Confidentiality
- 2.7 Authorization
- 2.8 Schema Validation
- 2.9 Content Validation
- 2.10 Output Encoding
- 2.11 Virus Protection
- 2.12 Message Size
- 2.13 Message Throughput
- 2.14 Identity, key, cert, provisioning
- 2.15 Endpoint Security Profile
- 2.16 Audit Logging
- 2.17 Software Engineering Assurance
- 2.18 XML Denial of Service Protection
- 2.19 Testing
ACTIVE WORK IN PROGRESS AUGUST 2011
Introduction
This article is focused on providing guidance on securing web services and preventing web-service-related attacks.
Transport Confidentiality
All communication between web services and their clients must be encrypted using
Transport Authentication
Transport Encoding
Message Authentication
Message Integrity
Message Confidentiality
Authorization
Depending on the functionality exposed, a web service should check whether each client is authorized to access the method in question. This can be done using one of the following methods:
- Having clients authenticate to the web service using a username and password
- Having clients authenticate to the web service using client certificates
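The two options above worked through as an added example (not code from the OWASP page): a small Python dispatcher that identifies the client either by HTTP Basic username/password or by a client-certificate subject the TLS layer has already verified, then checks a per-method access list before the method runs. All user names, passwords, certificate subjects and method names are constructed for the example.

```python
import base64
import hashlib
import hmac
_SALT = b"constructed-salt"  # constructed sample salt; use a random per-user salt in practice

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store and certificate map (hypothetical names and values).
USERS = {"billing-client": _hash("s3cret", _SALT)}
CERT_SUBJECTS = {"CN=reporting-client,O=Example": "reporting-client"}
# Per-method ACL: which authenticated principal may invoke which web-service method.
METHOD_ACL = {
    "getInvoice": {"billing-client", "reporting-client"},
    "issueRefund": {"billing-client"},
}

def basic_header(user, password):
    """Build the HTTP Basic Authorization header a username/password client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def authenticate(headers, tls_client_subject=None):
    """Return the principal name or None. Accepts either a client-certificate subject
    already verified by the TLS layer, or HTTP Basic username/password credentials."""
    if tls_client_subject is not None:
        return CERT_SUBJECTS.get(tls_client_subject)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None:
        _hash(password, _SALT)  # same cost for unknown users as for wrong passwords
        return None
    return user if hmac.compare_digest(_hash(password, _SALT), expected) else None

def authorize(principal, method):
    """Deny by default: unknown methods and unlisted principals are refused."""
    return principal is not None and principal in METHOD_ACL.get(method, set())

def handle(method, headers, tls_client_subject=None):
    """Web-service dispatch: 401 when unauthenticated, 403 when not permitted, else 200."""
    principal = authenticate(headers, tls_client_subject)
    if principal is None:
        return 401
    return 200 if authorize(principal, method) else 403
```

Note that a certificate subject is only trusted here because the TLS layer has already validated the client certificate; the dispatcher never sees the raw certificate.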
Schema Validation
Content Validation
Output Encoding
Virus Protection
Message Size
Message Throughput
Identity, key, cert, provisioning
Endpoint Security Profile
Audit Logging
Software Engineering Assurance
XML Denial of Service Protection
Testing