OWASP Cheat Sheet Series

= Main =  

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.

If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:jim.manico@owasp.org Jim Manico] or subscribe to our project email list.

Authors
Project Leaders: Jim Manico and Dominique Righetto [mailto:dominique.righetto@owasp.org @] Contributors: Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall and many more!

OWASP Cheat Sheets

 * valign="top" style="padding-left:25px;width:200px;" |

Quick Access
OWASP Cheatsheet Series Book : April 2015 PDF download.

Email List
Project Email List

Licensing
The OWASP Cheat Sheet Series is free to use under the Creative Commons ShareAlike 3 License.

Related Projects

 * OWASP Proactive Controls
 * OWASP Application Security Verification Standard Project

News and Events

 * [Nov 19 2017] JWT Cheat Sheet for Java updated
 * [Nov 17 2017] OS Command Injection Defense Cheat Sheet added to project
 * [Nov 04 2017] Authorization Testing Automation Cheat Sheet added to project
 * [Jan 17 2017] XML Security Cheat Sheet added to project
 * [Feb 06 2016] New navigation template rolled out project-wide
 * [Jun 11 2015] SAML Cheat Sheet added to project
 * [Feb 11 2015] Cheat Sheet "book" added to project
 * [Apr 04 2014] All non-draft cheat sheets moved to new wiki template!
 * [Feb 04 2014] Project-wide cleanup started

Classifications

 * }

= Master Cheat Sheet =

Authentication
Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.

For more information, check Authentication Cheat Sheet

Session Management
Use secure session management practices that ensure that authenticated users have a robust and cryptographically secure association with their session.

For more information, check Session Management Cheat Sheet

Access Control
Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare an ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.

For more information, check Access Control Cheat Sheet

Input Validation
Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.

For more information, check Input Validation Cheat Sheet

Output Encoding
Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.

For more information, check XSS (Cross Site Scripting) Prevention Cheat Sheet.

Cross Domain
Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts.

For more information, check Cross Site Request Forgery

Secure Transmission
Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP.

For more information, check Transport Protection Cheat Sheet

Logging
Ensure that all the security related events are logged. Events include: User log-in (success/fail); view; update; create, delete, file upload/download, attempt to access through URL, URL tampering. Audit logs should be immutable and write only and must be protected from unauthorized access.

For more information, check Logging Cheat Sheet

Uploads
Ensure that the size, type, contents and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.

= Roadmap =


 * Bring all cheat sheets out of draft by December 2016
 * Go through the cheat sheets to make sure what they recommend is consistent with ASVS (TBD).

= Cheat sheet Guideline =

Cheat sheet content
The key points that all cheat sheets (called CS) must provides are the following:

1) Address a single topic (ex: password storage, OS command injection, REST service, CSRF, HTML5 new features security...).

2) Be concise and focused: A cheat sheet must be directly actionable (a CS is not a guide) and must be directly useful for a developer.

3) Do not re-address topic handled by others CS. In this case, the target CS will be enhanced with missing points.

4) When applicable, provide a solution proposal implementation through a full documented POC on a public well know Git repository (GitHub is highly prefered), the POC can be used as a playground for a developer wanting to play/evaluate your solution proposal.

Cheat sheet structure
A CS must have these sections:

1) Introduction: Describe the topic adressed by the CS and the security issues bring by the topic.

2) How to address the issues: Describe how the issues presented in the Introduction can be adressed in a possible technology agnostic approach.

3) Solution proposal implementation: In this section, using your POC, you describe your solution proposal in the more teaching possible way.

For the code snippet, use the mediawiki tag syntaxhighlight:
 * Tag documentation.
 * Supported languages.