Guide Table of Contents

=Frontispiece= =About The Open Web Application Security Project= = Introduction= =What are web applications?= =Policy Frameworks= =Secure Coding Principles= =Threat Risk Modeling= =Handling E-Commerce Payments= =Phishing= =Web Services= =Ajax and Other "Rich" Interface Technologies= =Guide to Authentication=
 * 1) Dedication
 * 2) Copyright and license
 * 3) Editors
 * 4) Authors and Reviewers
 * 5) Revision History
 * 1) Structure and Licensing
 * 2) Participation and Membership
 * 3) Projects
 * 1) Developing Secure Applications
 * 2) Improvements in this edition
 * 3) How to use this Guide
 * 4) Updates and errata
 * 5) With thanks
 * 1) Technologies
 * 2) First generation – CGI
 * 3) Filters
 * 4) Scripting
 * 5) Web application frameworks – J
 * 6) Small to medium scale applications
 * 7) Large scale applications
 * 8) View
 * 9) Controller
 * 10) Model
 * 11) Conclusion
 * 1) Organizational commitment to security
 * 2) OWASP’s Place at the Framework table
 * 3) Development Methodology
 * 4) Coding Standards
 * 5) Source Code Control
 * 6) Summary
 * 1) Asset Classification
 * 2) About attackers
 * 3) Core pillars of information security
 * 4) Security Architecture
 * 5) Security Principles
 * 1) Threat Risk Modeling
 * 2) Performing threat risk modeling using the Microsoft Threat Modeling Process
 * 3) Alternative Threat Modeling Systems
 * 4) Trike
 * 5) AS/NZS
 * 6) CVSS
 * 7) OCTAVE
 * 8) Conclusion
 * 9) Further Reading
 * 1) Objectives
 * 2) Compliance and Laws
 * 3) PCI Compliance
 * 4) Handling Credit Cards
 * 5) Further Reading
 * 1) What is phishing?
 * 2) User Education
 * 3) Make it easy for your users to report scams
 * 4) Communicating with customers via e-mail
 * 5) Never ask your customers for their secrets
 * 6) Fix all your XSS issues
 * 7) Do not use pop-ups
 * 8) Don’t be framed
 * 9) Move your application one link away from your front page
 * 10) Enforce local referrers for images and other resources
 * 11) Keep the address bar, use SSL, do not use IP addresses
 * 12) Don’t be the source of identity theft
 * 13) Implement safe-guards within your application
 * 14) Monitor unusual account activity
 * 15) Get the phishing target servers offline pronto
 * 16) Take control of the fraudulent domain name
 * 17) Work with law enforcement
 * 18) When an attack happens
 * 19) Further Reading
 * 1) Securing Web Services
 * 2) Communication security
 * 3) Passing credentials
 * 4) Ensuring message freshness
 * 5) Protecting message integrity
 * 6) Protecting message confidentiality
 * 7) Access control
 * 8) Audit
 * 9) Web Services Security Hierarchy
 * 10) SOAP
 * 11) WS-Security Standard
 * 12) WS-Security Building Blocks
 * 13) Communication Protection Mechanisms
 * 14) Access Control Mechanisms
 * 15) Forming Web Service Chains
 * 16) Available Implementations
 * 17) Problems
 * 18) Further Reading
 * 1) Objective
 * 2) Platforms Affected
 * 3) Architecture
 * 4) Access control: Authentication and Authorization
 * 5) Silent transactional authorization
 * 6) Untrusted or absent session data
 * 7) State management
 * 8) Tamper resistance
 * 9) Privacy
 * 10) Proxy Façade
 * 11) SOAP Injection Attacks
 * 12) XMLRPC Injection Attacks
 * 13) DOM Injection Attacks
 * 14) XML Injection Attacks
 * 15) JSON (Javascript Object Notation) Injection Attacks
 * 16) Encoding safety
 * 17) Auditing
 * 18) Error Handling
 * 19) Accessibility
 * 20) Further Reading
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Common web authentication techniques
 * 6) Strong Authentication
 * 7) Federated Authentication
 * 8) Client side authentication controls
 * 9) Positive Authentication
 * 10) Multiple Key Lookups
 * 11) Referer Checks
 * 12) Browser remembers passwords
 * 13) Default accounts
 * 14) Choice of usernames
 * 15) Change passwords
 * 16) Short passwords
 * 17) Weak password controls
 * 18) Reversible password encryption
 * 19) Automated password resets
 * 20) Brute Force
 * 21) Remember Me
 * 22) Idle Timeouts
 * 23) Logout
 * 24) Account Expiry
 * 25) Self registration
 * 26) CAPTCHA
 * 27) Further Reading
 * 28) Authentication

=Authorization= =Session Management= =Data Validation= =Interpreter Injection= =Canonicalization, locale and Unicode=
 * 1) Objectives
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Best Practices in Action
 * 6) Principle of least privilege
 * 7) Centralized authorization routines
 * 8) Authorization matrix
 * 9) Controlling access to protected resources
 * 10) Protecting access to static resources
 * 11) Reauthorization for high value activities or after idle out
 * 12) Time based authorization
 * 13) Be cautious of custom authorization controls
 * 14) Never implement client-side authorization tokens
 * 15) Further Reading
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Best practices
 * 6) Exposed Session Variables
 * 7) Page and Form Tokens
 * 8) Weak Session Cryptographic Algorithms
 * 9) Session Token Entropy
 * 10) Session Time-out
 * 11) Regeneration of Session Tokens
 * 12) Session Forging/Brute-Forcing Detection and/or Lockout
 * 13) Session Token Capture and Session Hijacking
 * 14) Session Tokens on Logout
 * 15) Session Validation Attacks
 * PHP
 * 1) Sessions
 * 2) Further Reading
 * 3) Session Management
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Definitions
 * 6) Where to include integrity checks
 * 7) Where to include validation
 * 8) Where to include business rule validation
 * 9) Data Validation Strategies
 * 10) Prevent parameter tampering
 * 11) Hidden fields
 * 12) ASP.NET Viewstate
 * 13) URL encoding
 * 14) HTML encoding
 * 15) Encoded strings
 * 16) Data Validation and Interpreter Injection
 * 17) Delimiter and special characters
 * 18) Further Reading
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) User Agent Injection
 * 5) HTTP Response Splitting
 * 6) SQL Injection
 * 7) ORM Injection
 * 8) LDAP Injection
 * 9) XML Injection
 * 10) Code Injection
 * 11) Further Reading
 * 12) SQL-injection
 * 13) Code Injection
 * 14) Command injection
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Unicode
 * 6) http://www.ietf.org/rfc/rfc#
 * 7) Input Formats
 * 8) Locale assertion
 * 9) Double (or n-) encoding
 * 10) 	HTTP Request Smuggling
 * 11) 	Further Reading

=Error Handling, Auditing and Logging= =File System= =Distributed Computing= =Buffer Overflows= =Administrative Interface= =Cryptography= =Configuration= =Software Quality Assurance= =Deployment= =Maintenance= =GNU Free Documentation License= =Reference=
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Best practices
 * 6) Error Handling
 * 7) Detailed error messages
 * 8) Logging
 * 9) Noise
 * 10) Cover Tracks
 * 11) False Alarms
 * 12) Destruction
 * 13) Audit Trails
 * 14) Further Reading
 * 15) Error Handling and Logging
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Best Practices
 * 6) Defacement
 * 7) Path traversal
 * 8) Insecure permissions
 * 9) Insecure Indexing
 * 10) Unmapped files
 * 11) Temporary files
 * PHP
 * 1) Includes and Remote files
 * 2) File upload
 * Old, unreferenced files
 * 1) Second Order Injection
 * 2) Further Reading
 * 3) File System
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Race conditions
 * 6) Distributed synchronization
 * 7) Further Reading
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) General Prevention Techniques
 * 6) Stack Overflow
 * 7) Heap Overflow
 * 8) Format String
 * 9) Unicode Overflow
 * 10) Integer Overflow
 * 11) Further reading
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Best practices
 * 5) Administrators are not users
 * 6) Authentication for high value systems
 * 7) Further Reading
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Cryptographic Functions
 * 6) Cryptographic Algorithms
 * 7) Algorithm Selection
 * 8) Key Storage
 * 9) Insecure transmission of secrets
 * 10) Reversible Authentication Tokens
 * 11) Safe UUID generation
 * 12) Summary
 * 13) Further Reading
 * 14) Cryptography
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Default passwords
 * 6) Secure connection strings
 * 7) Secure network transmission
 * 8) Encrypted data
 * 9) PHP Configuration
 * 10) Global variables
 * 11) register_globals
 * 12) Database security
 * 13) Further Reading
 * 14) ColdFusion Components (CFCs)
 * 15) Configuration
 * 1) Objective
 * 2) Platforms Affected
 * 3) Best practices
 * 4) Process
 * 5) Metrics
 * 6) Testing Activities
 * 1) Objective
 * 2) Platforms Affected
 * 3) Best Practices
 * 4) Release Management
 * 5) Secure delivery of code
 * 6) Code signing
 * 7) Permissions are set to least privilege
 * 8) Automated packaging
 * 9) Automated deployment
 * 10) Automated removal
 * 11) No backup or old files
 * 12) Unnecessary features are off by default
 * 13) Setup log files are clean
 * 14) No default accounts
 * 15) Easter eggs
 * 16) Malicious software
 * 17) Further Reading
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Security Incident Response
 * 6) Fix Security Issues Correctly
 * 7) Update Notifications
 * 8) Regularly check permissions
 * 9) Further Reading
 * 10) Maintenance
 * 1) PREAMBLE
 * 2) APPLICABILITY AND DEFINITIONS
 * 3) VERBATIM COPYING
 * 4) COPYING IN QUANTITY
 * 5) MODIFICATIONS
 * 6) COMBINING DOCUMENTS
 * 7) COLLECTIONS OF DOCUMENTS
 * 8) AGGREGATION WITH INDEPENDENT WORKS
 * 9) TRANSLATION
 * 10) TERMINATION
 * 11) FUTURE REVISIONS OF THIS LICENSE