This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Guide Table of Contents

From OWASP
Jump to: navigation, search

Frontispiece

  1. Dedication
  2. Copyright and license
  3. Editors
  4. Authors and Reviewers
  5. Revision History

About The Open Web Application Security Project

  1. Structure and Licensing
  2. Participation and Membership
  3. Projects

Introduction

  1. Developing Secure Applications
  2. Improvements in this edition
  3. How to use this Guide
  4. Updates and errata
  5. With thanks

What are web applications?

  1. Technologies
  2. First generation – CGI
  3. Filters
  4. Scripting
  5. Web application frameworks – J
  6. Small to medium scale applications
  7. Large scale applications
  8. View
  9. Controller
  10. Model
  11. Conclusion

Policy Frameworks

  1. Organizational commitment to security
  2. OWASP’s Place at the Framework table
  3. Development Methodology
  4. Coding Standards
  5. Source Code Control
  6. Summary

Secure Coding Principles

  1. Asset Classification
  2. About attackers
  3. Core pillars of information security
  4. Security Architecture
  5. Security Principles

Threat Risk Modeling

  1. Threat Risk Modeling
  2. Performing threat risk modeling using the Microsoft Threat Modeling Process
  3. Alternative Threat Modeling Systems
  4. Trike
  5. AS/NZS
  6. CVSS
  7. OCTAVE
  8. Conclusion
  9. Further Reading

Handling E-Commerce Payments

  1. Objectives
  2. Compliance and Laws
  3. PCI Compliance
  4. Handling Credit Cards
  5. Further Reading

Phishing

  1. What is phishing?
  2. User Education
  3. Make it easy for your users to report scams
  4. Communicating with customers via e-mail
  5. Never ask your customers for their secrets
  6. Fix all your XSS issues
  7. Do not use pop-ups
  8. Don’t be framed
  9. Move your application one link away from your front page
  10. Enforce local referrers for images and other resources
  11. Keep the address bar, use SSL, do not use IP addresses
  12. Don’t be the source of identity theft
  13. Implement safe-guards within your application
  14. Monitor unusual account activity
  15. Get the phishing target servers offline pronto
  16. Take control of the fraudulent domain name
  17. Work with law enforcement
  18. When an attack happens
  19. Further Reading

Web Services

  1. Securing Web Services
  2. Communication security
  3. Passing credentials
  4. Ensuring message freshness
  5. Protecting message integrity
  6. Protecting message confidentiality
  7. Access control
  8. Audit
  9. Web Services Security Hierarchy
  10. SOAP
  11. WS-Security Standard
  12. WS-Security Building Blocks
  13. Communication Protection Mechanisms
  14. Access Control Mechanisms
  15. Forming Web Service Chains
  16. Available Implementations
  17. Problems
  18. Further Reading

Ajax and Other "Rich" Interface Technologies

  1. Objective
  2. Platforms Affected
  3. Architecture
  4. Access control: Authentication and Authorization
  5. Silent transactional authorization
  6. Untrusted or absent session data
  7. State management
  8. Tamper resistance
  9. Privacy
  10. Proxy Façade
  11. SOAP Injection Attacks
  12. XMLRPC Injection Attacks
  13. DOM Injection Attacks
  14. XML Injection Attacks
  15. JSON (Javascript Object Notation) Injection Attacks
  16. Encoding safety
  17. Auditing
  18. Error Handling
  19. Accessibility
  20. Further Reading

Guide to Authentication

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Common web authentication techniques
  6. Strong Authentication
  7. Federated Authentication
  8. Client side authentication controls
  9. Positive Authentication
  10. Multiple Key Lookups
  11. Referer Checks
  12. Browser remembers passwords
  13. Default accounts
  14. Choice of usernames
  15. Change passwords
  16. Short passwords
  17. Weak password controls
  18. Reversible password encryption
  19. Automated password resets
  20. Brute Force
  21. Remember Me
  22. Idle Timeouts
  23. Logout
  24. Account Expiry
  25. Self registration
  26. CAPTCHA
  27. Further Reading
  28. Authentication

Guide to Authorization

  1. Objectives
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Best Practices in Action
  6. Principle of least privilege
  7. Centralized authorization routines
  8. Authorization matrix
  9. Controlling access to protected resources
  10. Protecting access to static resources
  11. Reauthorization for high value activities or after idle out
  12. Time based authorization
  13. Be cautious of custom authorization controls
  14. Never implement client-side authorization tokens
  15. Further Reading

Session Management

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Exposed Session Variables
  7. Page and Form Tokens
  8. Weak Session Cryptographic Algorithms
  9. Session Token Entropy
  10. Session Time-out
  11. Regeneration of Session Tokens
  12. Session Forging/Brute-Forcing Detection and/or Lockout
  13. Session Token Capture and Session Hijacking
  14. Session Tokens on Logout
  15. Session Validation Attacks
  16. PHP
  17. Sessions
  18. Further Reading
  19. Session Management

Data Validation

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Definitions
  6. Where to include integrity checks
  7. Where to include validation
  8. Where to include business rule validation
  9. Data Validation Strategies
  10. Prevent parameter tampering
  11. Hidden fields
  12. ASP.NET Viewstate
  13. URL encoding
  14. HTML encoding
  15. Encoded strings
  16. Data Validation and Interpreter Injection
  17. Delimiter and special characters
  18. Further Reading

Interpreter Injection

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. User Agent Injection
  5. HTTP Response Splitting
  6. SQL Injection
  7. ORM Injection
  8. LDAP Injection
  9. XML Injection
  10. Code Injection
  11. Further Reading
  12. SQL-injection
  13. Code Injection
  14. Command injection

Canonicalization, locale and Unicode

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Unicode
  6. http://www.ietf.org/rfc/rfc#
  7. Input Formats
  8. Locale assertion
  9. Double (or n-) encoding
  10. HTTP Request Smuggling
  11. Further Reading

Error Handling, Auditing and Logging

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Error Handling
  7. Detailed error messages
  8. Logging
  9. Noise
  10. Cover Tracks
  11. False Alarms
  12. Destruction
  13. Audit Trails
  14. Further Reading
  15. Error Handling and Logging

File System

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best Practices
  6. Defacement
  7. Path traversal
  8. Insecure permissions
  9. Insecure Indexing
  10. Unmapped files
  11. Temporary files
  12. PHP
  13. Includes and Remote files
  14. File upload
  15. Old, unreferenced files
  16. Second Order Injection
  17. Further Reading
  18. File System

Distributed Computing

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Race conditions
  6. Distributed synchronization
  7. Further Reading

Buffer Overflows

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. General Prevention Techniques
  6. Stack Overflow
  7. Heap Overflow
  8. Format String
  9. Unicode Overflow
  10. Integer Overflow
  11. Further reading

Administrative Interface

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best practices
  5. Administrators are not users
  6. Authentication for high value systems
  7. Further Reading

Guide to Cryptography

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Cryptographic Functions
  6. Cryptographic Algorithms
  7. Algorithm Selection
  8. Key Storage
  9. Insecure transmission of secrets
  10. Reversible Authentication Tokens
  11. Safe UUID generation
  12. Summary
  13. Further Reading
  14. Cryptography

Configuration

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Default passwords
  6. Secure connection strings
  7. Secure network transmission
  8. Encrypted data
  9. PHP Configuration
  10. Global variables
  11. register_globals
  12. Database security
  13. Further Reading
  14. ColdFusion Components (CFCs)
  15. Configuration

Software Quality Assurance

  1. Objective
  2. Platforms Affected
  3. Best practices
  4. Process
  5. Metrics
  6. Testing Activities

Deployment

  1. Objective
  2. Platforms Affected
  3. Best Practices
  4. Release Management
  5. Secure delivery of code
  6. Code signing
  7. Permissions are set to least privilege
  8. Automated packaging
  9. Automated deployment
  10. Automated removal
  11. No backup or old files
  12. Unnecessary features are off by default
  13. Setup log files are clean
  14. No default accounts
  15. Easter eggs
  16. Malicious software
  17. Further Reading

Maintenance

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Security Incident Response
  6. Fix Security Issues Correctly
  7. Update Notifications
  8. Regularly check permissions
  9. Further Reading
  10. Maintenance

GNU Free Documentation License

  1. PREAMBLE
  2. APPLICABILITY AND DEFINITIONS
  3. VERBATIM COPYING
  4. COPYING IN QUANTITY
  5. MODIFICATIONS
  6. COMBINING DOCUMENTS
  7. COLLECTIONS OF DOCUMENTS
  8. AGGREGATION WITH INDEPENDENT WORKS
  9. TRANSLATION
  10. TERMINATION
  11. FUTURE REVISIONS OF THIS LICENSE

Reference