Difference between revisions of "Cheat Sheets"

From OWASP
Jump to: navigation, search
m
(14 intermediate revisions by one user not shown)
Line 1: Line 1:
<div style="font-size:7pt;text-align:right">
+
= Main =
<div align="right"> <owaspbanner/><br>
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
<b>Disclaimer: Banner ads are not endorsements and reflect the messages of the advertiser only. | [https://www.owasp.org/index.php/Advertising More Information]</b></div></div>
+
  
=Cheat Sheets=
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
The OWASP Prevention Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.
+
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== OWASP Cheat Sheet Series ==
 +
 
 +
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.
  
 
{{Cheatsheet_Navigation}}
 
{{Cheatsheet_Navigation}}
  
=Project Overview=
+
== Licensing ==
{{:Projects/OWASP Cheat Sheets Project | Project About}}  
+
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== What is this? ==
 +
 
 +
The OWASP Proactive Controls
 +
 
 +
* This document was written by developers for developers, to assist those new to secure development.
 +
 
 +
== Email List ==
 +
 
 +
[https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets Project Email List ]
 +
 
 +
== Project Leader ==
 +
 
 +
Project Leader:<br/>Jim Manico<br/>
 +
<br/>
 +
Contributors: <br/>
 +
Michael Coates<br/>
 +
Jeff Williams<br/>
 +
Dave Wichers<br/>
 +
Kevin Wall<br/>
 +
Jeffrey Walton<br/>
 +
Eric Sheridan<br/>
 +
Kevin Kenan<br/>
 +
David Rook<br/>
 +
Fred Donovan<br/>
 +
Abraham Kang<br/>
 +
Dave Ferguson<br/>
 +
Shreeraj Shah<br/>
 +
Raul Siles<br/>
 +
Colin Watson<br/>
 +
.. and many more!
 +
 
 +
== Related Projects ==
 +
 
 +
* [[OWASP Proactive Controls]]
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;" |
 +
 
 +
== News and Events ==
 +
* [Feb 4 2014] New Wiki Template!
 +
 
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]]
 +
  |}
 +
 
 +
|}
  
<br>
+
= Master Cheat Sheet =
  
=Master Cheat Sheet=
 
 
==Authentication==
 
==Authentication==
 
Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.
 
Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.
Line 29: Line 90:
 
Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare a ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.
 
Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare a ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.
  
For more information, check [Access Control Cheat Sheet]
+
For more information, check [https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Access Control Cheat Sheet]
  
 
==Input Validation==
 
==Input Validation==
Line 63: Line 124:
 
==Uploads==
 
==Uploads==
  
Ensure that the size, type, contents and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularily updated scanner.
+
Ensure that the size, type, contents and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.
 +
 
 +
= Roadmap =
 +
 
 +
* By June 2014 : Bring Access Control, Business Logic and four other draft cheat sheets into release status
 +
* By End of 2014: Do an editorial pass of all cheat-sheets and release a print publication
 +
 
 +
= About=
 +
 
 +
{{:Projects/OWASP Cheat Sheets Project | Project About}}
  
<br> __NOTOC__ <headertabs />  
+
__NOTOC__ <headertabs />
  
[[Category:OWASP_Project|OWASP Cheat Sheets Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]
+
[[Category:OWASP_Project|OWASP Cheat Sheets Project]]
 +
[[Category:OWASP_Document]]
 +
[[Category:OWASP_Alpha_Quality_Document]]

Revision as of 14:04, 5 February 2014

[edit]

OWASP Project Header.jpg

OWASP Cheat Sheet Series

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.

OWASP Cheat Sheets Project Homepage

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets

Licensing

The OWASP Proactive Controls document is free to use under the Creative Commons ShareAlike 3 License.

What is this?

The OWASP Proactive Controls

  • This document was written by developers for developers, to assist those new to secure development.

Email List

Project Email List

Project Leader

Project Leader:
Jim Manico

Contributors:
Michael Coates
Jeff Williams
Dave Wichers
Kevin Wall
Jeffrey Walton
Eric Sheridan
Kevin Kenan
David Rook
Fred Donovan
Abraham Kang
Dave Ferguson
Shreeraj Shah
Raul Siles
Colin Watson
.. and many more!

Related Projects

News and Events

  • [Feb 4 2014] New Wiki Template!


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
CC BY-SA 3.0 US
Project Type Files DOC.jpg

Authentication

Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.

For more information, check Authentication Cheat Sheet

Session Management

Use secure session management practices that ensure that users authenticated users have a robust and cryptographically secure association with their session.

For more information, check Session Management Cheat Sheet

Access Control

Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare a ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.

For more information, check Access Control Cheat Sheet

Input Validation

Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.

For more information, check Input Validation Cheat Sheet

Output Encoding

Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.

For more information, check XSS (Cross Site Scripting) Prevention Cheat Sheet.

Cross Domain

Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts.

For more information, check Cross Site Request Forgery

Secure Transmission

Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP.

For more information, check Transport Protection Cheat Sheet

Logging

Ensure that all the security related events are logged. Events include: User log-in (success/fail); view; update; create, delete, file upload/download, attempt to access through URL, URL tampering. Audit logs should be immutable and write only and must be protected from unauthorized access.

For more information, check Logging Cheat Sheet

Uploads

Ensure that the size, type, contents and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.

  • By June 2014 : Bring Access Control, Business Logic and four other draft cheat sheets into release status
  • By End of 2014: Do an editorial pass of all cheat-sheets and release a print publication

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Cheat Sheets Project (home page)
Purpose: This project was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.
License: Creative Commons Attribution ShareAlike 3.0 license
who is working on this project?
Project Leader(s):
Project Contributor(s):
  • Michael Coates
  • Eric Sheridan
  • Dave Wichers
  • Jeff Williams
  • Kevin Keenan
  • Abraham Kang
  • Dave Ferguson
  • Shreeraj Shah
  • Raul Siles
  • Colin Watson
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases