Difference between revisions of "Guide Table of Contents"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
#[[Guide Frontispiece|Frontispiece]]
+
[[Guide Frontispiece|Frontispiece]]  
## Dedication
+
 
## Copyright and license
+
== Dedication
## Editors  
+
 
## Authors and Reviewers
+
== Copyright and license
## Revision History
+
 
#[[About The Open Web Application Security Project]]
+
== Editors  
##Structure and Licensing
+
 
##Participation and Membership
+
== Authors and Reviewers
##Projects
+
 
#[[Guide Introduction | Introduction]]
+
== Revision History
##Developing Secure Applications
+
 
##Improvements in this edition
+
=[[About The Open Web Application Security Project]]
##How to use this Guide
+
 
##Updates and errata
+
==Structure and Licensing
##With thanks
+
 
#[[What are web applications?]]
+
==Participation and Membership
##Technologies
+
 
##First generation – CGI
+
==Projects
##Filters
+
 
##Scripting
+
=[[Guide Introduction | Introduction]]
##Web application frameworks – J
+
 
##Small to medium scale applications
+
==Developing Secure Applications
##Large scale applications
+
 
##View
+
==Improvements in this edition
##Controller
+
 
##Model
+
==How to use this Guide
##Conclusion
+
 
#[[Policy Frameworks]]
+
==Updates and errata
##Organizational commitment to security
+
 
##OWASP’s Place at the Framework table
+
==With thanks
##Development Methodology
+
 
##Coding Standards
+
=[[What are web applications?]]
##Source Code Control
+
 
##Summary
+
==Technologies
#[[Secure Coding Principles]]
+
 
##Asset Classification
+
==First generation – CGI
##About attackers
+
 
##Core pillars of information security
+
==Filters
##Security Architecture
+
 
##Security Principles
+
==Scripting
#[[Threat Risk Modeling]]
+
 
##Threat Risk Modeling
+
==Web application frameworks – J
##Performing threat risk modeling using the Microsoft Threat Modeling Process
+
 
##Alternative Threat Modeling Systems
+
==Small to medium scale applications
##Trike
+
 
##AS/NZS
+
==Large scale applications
##CVSS
+
 
##OCTAVE
+
==View
##Conclusion
+
 
##Further Reading
+
==Controller
#[[Handling E-Commerce Payments]]
+
 
##Objectives
+
==Model
##Compliance and Laws
+
 
##PCI Compliance
+
==Conclusion
##Handling Credit Cards
+
 
##Further Reading
+
=[[Policy Frameworks]]
#[[Phishing]]
+
 
##What is phishing?
+
==Organizational commitment to security
##User Education
+
 
##Make it easy for your users to report scams
+
==OWASP’s Place at the Framework table
##Communicating with customers via e-mail
+
 
##Never ask your customers for their secrets
+
==Development Methodology
##Fix all your XSS issues
+
 
##Do not use pop-ups
+
==Coding Standards
##Don’t be framed
+
 
##Move your application one link away from your front page
+
==Source Code Control
##Enforce local referrers for images and other resources
+
 
##Keep the address bar, use SSL, do not use IP addresses
+
==Summary
##Don’t be the source of identity theft
+
 
##Implement safe-guards within your application
+
=[[Secure Coding Principles]]
##Monitor unusual account activity
+
 
##Get the phishing target servers offline pronto
+
==Asset Classification
##Take control of the fraudulent domain name
+
 
##Work with law enforcement
+
==About attackers
##When an attack happens
+
 
##Further Reading
+
==Core pillars of information security
#[[Web Services]]
+
 
##Securing Web Services
+
==Security Architecture
##Communication security
+
 
##Passing credentials
+
==Security Principles
##Ensuring message freshness
+
 
##Protecting message integrity
+
=[[Threat Risk Modeling]]
##Protecting message confidentiality
+
 
##Access control
+
==Threat Risk Modeling
##Audit
+
 
##Web Services Security Hierarchy
+
==Performing threat risk modeling using the Microsoft Threat Modeling Process
##SOAP
+
 
##WS-Security Standard
+
==Alternative Threat Modeling Systems
##WS-Security Building Blocks
+
 
##Communication Protection Mechanisms
+
==Trike
##Access Control Mechanisms
+
 
##Forming Web Service Chains
+
==AS/NZS
##Available Implementations
+
 
##Problems
+
==CVSS
##Further Reading
+
 
#[[Ajax and Other "Rich" Interface Technologies]]
+
==OCTAVE
##Objective
+
 
##Platforms Affected
+
==Conclusion
##Architecture
+
 
##Access control: Authentication and Authorization
+
==Further Reading
##Silent transactional authorization
+
 
##Untrusted or absent session data
+
=[[Handling E-Commerce Payments]]
##State management
+
 
##Tamper resistance
+
==Objectives
##Privacy
+
 
##Proxy Façade
+
==Compliance and Laws
##SOAP Injection Attacks
+
 
##XMLRPC Injection Attacks
+
==PCI Compliance
##DOM Injection Attacks
+
 
##XML Injection Attacks
+
==Handling Credit Cards
##JSON (Javascript Object Notation) Injection Attacks
+
 
##Encoding safety
+
==Further Reading
##Auditing
+
 
##Error Handling
+
=[[Phishing]]
##Accessibility
+
 
##Further Reading
+
==What is phishing?
#[[Authentication]]
+
 
##Objective
+
==User Education
##Environments Affected
+
 
##Relevant COBIT Topics
+
==Make it easy for your users to report scams
##Best Practices
+
 
##Common web authentication techniques
+
==Communicating with customers via e-mail
##Strong Authentication
+
 
##Federated Authentication
+
==Never ask your customers for their secrets
##Client side authentication controls
+
 
##Positive Authentication
+
==Fix all your XSS issues
##Multiple Key Lookups
+
 
##Referer Checks
+
==Do not use pop-ups
##Browser remembers passwords
+
 
##Default accounts
+
==Don’t be framed
##Choice of usernames
+
 
##Change passwords
+
==Move your application one link away from your front page
##Short passwords
+
 
##Weak password controls
+
==Enforce local referrers for images and other resources
##Reversible password encryption
+
 
##Automated password resets
+
==Keep the address bar, use SSL, do not use IP addresses
##Brute Force
+
 
##Remember Me
+
==Don’t be the source of identity theft
##Idle Timeouts
+
 
##Logout
+
==Implement safe-guards within your application
##Account Expiry
+
 
##Self registration
+
==Monitor unusual account activity
##CAPTCHA
+
 
##Further Reading
+
==Get the phishing target servers offline pronto
##Authentication
+
 
#[[Authorization]]
+
==Take control of the fraudulent domain name
##Objectives
+
 
##Environments Affected
+
==Work with law enforcement
##Relevant COBIT Topics
+
 
##Best Practices
+
==When an attack happens
##Best Practices in Action
+
 
##Principle of least privilege
+
==Further Reading
##Centralized authorization routines
+
 
##Authorization matrix
+
=[[Web Services]]
##Controlling access to protected resources
+
 
##Protecting access to static resources
+
==Securing Web Services
##Reauthorization for high value activities or after idle out
+
 
##Time based authorization
+
==Communication security
##Be cautious of custom authorization controls
+
 
##Never implement client-side authorization tokens
+
==Passing credentials
##Further Reading
+
 
#[[Session Management]]
+
==Ensuring message freshness
##Objective
+
 
##Environments Affected
+
==Protecting message integrity
##Relevant COBIT Topics
+
 
##Description
+
==Protecting message confidentiality
##Best practices
+
 
##Exposed Session Variables
+
==Access control
##Page and Form Tokens
+
 
##Weak Session Cryptographic Algorithms
+
==Audit
##Session Token Entropy
+
 
##Session Time-out
+
==Web Services Security Hierarchy
##Regeneration of Session Tokens
+
 
##Session Forging/Brute-Forcing Detection and/or Lockout
+
==SOAP
##Session Token Capture and Session Hijacking
+
 
##Session Tokens on Logout
+
==WS-Security Standard
##Session Validation Attacks
+
 
##PHP
+
==WS-Security Building Blocks
##Sessions
+
 
##Further Reading
+
==Communication Protection Mechanisms
##Session Management
+
 
#[[Data Validation]]
+
==Access Control Mechanisms
##Objective
+
 
##Platforms Affected
+
==Forming Web Service Chains
##Relevant COBIT Topics
+
 
##Description
+
==Available Implementations
##Definitions
+
 
##Where to include integrity checks
+
==Problems
##Where to include validation
+
 
##Where to include business rule validation
+
==Further Reading
##Data Validation Strategies
+
 
##Prevent parameter tampering
+
=[[Ajax and Other "Rich" Interface Technologies]]
##Hidden fields
+
 
##ASP.NET Viewstate
+
==Objective
##URL encoding
+
 
##HTML encoding
+
==Platforms Affected
##Encoded strings
+
 
##Data Validation and Interpreter Injection
+
==Architecture
##Delimiter and special characters
+
 
##Further Reading
+
==Access control: Authentication and Authorization
#[[Interpreter Injection]]
+
 
##Objective
+
==Silent transactional authorization
##Platforms Affected
+
 
##Relevant COBIT Topics
+
==Untrusted or absent session data
##User Agent Injection
+
 
##HTTP Response Splitting
+
==State management
##SQL Injection
+
 
##ORM Injection
+
==Tamper resistance
##LDAP Injection
+
 
##XML Injection
+
==Privacy
##Code Injection
+
 
##Further Reading
+
==Proxy Façade
##SQL-injection
+
 
##Code Injection
+
==SOAP Injection Attacks
##Command injection
+
 
#[[Canoncalization, locale and Unicode]]
+
==XMLRPC Injection Attacks
##Objective
+
 
##Platforms Affected
+
==DOM Injection Attacks
##Relevant COBIT Topics
+
 
##Description
+
==XML Injection Attacks
##Unicode
+
 
##http://www.ietf.org/rfc/rfc##
+
==JSON (Javascript Object Notation) Injection Attacks
##Input Formats
+
 
##Locale assertion
+
==Encoding safety
##Double (or n-) encoding
+
 
## HTTP Request Smuggling
+
==Auditing
## Further Reading
+
 
#[[Error Handling, Auditing and Logging]]
+
==Error Handling
##Objective
+
 
##Environments Affected
+
==Accessibility
##Relevant COBIT Topics
+
 
##Description
+
==Further Reading
##Best practices
+
 
##Error Handling
+
=[[Authentication]]
##Detailed error messages
+
 
##Logging
+
==Objective
##Noise
+
 
##Cover Tracks
+
==Environments Affected
##False Alarms
+
 
##Destruction
+
==Relevant COBIT Topics
##Audit Trails
+
 
##Further Reading
+
==Best Practices
##Error Handling and Logging
+
 
#[[File System]]
+
==Common web authentication techniques
##Objective
+
 
##Environments Affected
+
==Strong Authentication
##Relevant COBIT Topics
+
 
##Description
+
==Federated Authentication
##Best Practices
+
 
##Defacement
+
==Client side authentication controls
##Path traversal
+
 
##Insecure permissions
+
==Positive Authentication
##Insecure Indexing
+
 
##Unmapped files
+
==Multiple Key Lookups
##Temporary files
+
 
##PHP
+
==Referer Checks
##Includes and Remote files
+
 
##File upload
+
==Browser remembers passwords
##Old, unreferenced files
+
 
##Second Order Injection
+
==Default accounts
##Further Reading
+
 
##File System
+
==Choice of usernames
#[[Distributed Computing]]
+
 
##Objective
+
==Change passwords
##Environments Affected
+
 
##Relevant COBIT Topics
+
==Short passwords
##Best Practices
+
 
##Race conditions
+
==Weak password controls
##Distributed synchronization
+
 
##Further Reading
+
==Reversible password encryption
#[[Buffer Overflows]]
+
 
##Objective
+
==Automated password resets
##Platforms Affected
+
 
##Relevant COBIT Topics
+
==Brute Force
##Description
+
 
##General Prevention Techniques
+
==Remember Me
##Stack Overflow
+
 
##Heap Overflow
+
==Idle Timeouts
##Format String
+
 
##Unicode Overflow
+
==Logout
##Integer Overflow
+
 
##Further reading
+
==Account Expiry
#[[Administrative Interface]]
+
 
##Objective
+
==Self registration
##Environments Affected
+
 
##Relevant COBIT Topics
+
==CAPTCHA
##Best practices
+
 
##Administrators are not users
+
==Further Reading
##Authentication for high value systems
+
 
##Further Reading
+
==Authentication
#[[Cryptography]]
+
 
##Objective
+
=[[Authorization]]
##Platforms Affected
+
 
##Relevant COBIT Topics
+
==Objectives
##Description
+
 
##Cryptographic Functions
+
==Environments Affected
##Cryptographic Algorithms
+
 
##Algorithm Selection
+
==Relevant COBIT Topics
##Key Storage
+
 
##Insecure transmission of secrets
+
==Best Practices
##Reversible Authentication Tokens
+
 
##Safe UUID generation
+
==Best Practices in Action
##Summary
+
 
##Further Reading
+
==Principle of least privilege
##Cryptography
+
 
#[[Configuration]]
+
==Centralized authorization routines
##Objective
+
 
##Platforms Affected
+
==Authorization matrix
##Relevant COBIT Topics
+
 
##Best Practices
+
==Controlling access to protected resources
##Default passwords
+
 
##Secure connection strings
+
==Protecting access to static resources
##Secure network transmission
+
 
##Encrypted data
+
==Reauthorization for high value activities or after idle out
##PHP Configuration
+
 
##Global variables
+
==Time based authorization
##register_globals
+
 
##Database security
+
==Be cautious of custom authorization controls
##Further Reading
+
 
##ColdFusion Components (CFCs)
+
==Never implement client-side authorization tokens
##Configuration
+
 
#[[Software Quality Assurance]]
+
==Further Reading
##Objective
+
 
##Platforms Affected
+
=[[Session Management]]
##Best practices
+
 
##Process
+
==Objective
##Metrics
+
 
##Testing Activities
+
==Environments Affected
#[[Deployment]]
+
 
##Objective
+
==Relevant COBIT Topics
##Platforms Affected
+
 
##Best Practices
+
==Description
##Release Management
+
 
##Secure delivery of code
+
==Best practices
##Code signing
+
 
##Permissions are set to least privilege
+
==Exposed Session Variables
##Automated packaging
+
 
##Automated deployment
+
==Page and Form Tokens
##Automated removal
+
 
##No backup or old files
+
==Weak Session Cryptographic Algorithms
##Unnecessary features are off by default
+
 
##Setup log files are clean
+
==Session Token Entropy
##No default accounts
+
 
##Easter eggs
+
==Session Time-out
##Malicious software
+
 
##Further Reading
+
==Regeneration of Session Tokens
#[[Maintenance]]
+
 
##Objective
+
==Session Forging/Brute-Forcing Detection and/or Lockout
##Platforms Affected
+
 
##Relevant COBIT Topics
+
==Session Token Capture and Session Hijacking
##Best Practices
+
 
##Security Incident Response
+
==Session Tokens on Logout
##Fix Security Issues Correctly
+
 
##Update Notifications
+
==Session Validation Attacks
##Regularly check permissions
+
 
##Further Reading
+
==PHP
##Maintenance
+
 
#[[GNU Free Documentation License]]
+
==Sessions
##PREAMBLE
+
 
##APPLICABILITY AND DEFINITIONS
+
==Further Reading
##VERBATIM COPYING
+
 
##COPYING IN QUANTITY
+
==Session Management
##MODIFICATIONS
+
 
##COMBINING DOCUMENTS
+
=[[Data Validation]]
##COLLECTIONS OF DOCUMENTS
+
 
##AGGREGATION WITH INDEPENDENT WORKS
+
==Objective
##TRANSLATION
+
 
##TERMINATION
+
==Platforms Affected
##FUTURE REVISIONS OF THIS LICENSE
+
 
 +
==Relevant COBIT Topics
 +
 
 +
==Description
 +
 
 +
==Definitions
 +
 
 +
==Where to include integrity checks
 +
 
 +
==Where to include validation
 +
 
 +
==Where to include business rule validation
 +
 
 +
==Data Validation Strategies
 +
 
 +
==Prevent parameter tampering
 +
 
 +
==Hidden fields
 +
 
 +
==ASP.NET Viewstate
 +
 
 +
==URL encoding
 +
 
 +
==HTML encoding
 +
 
 +
==Encoded strings
 +
 
 +
==Data Validation and Interpreter Injection
 +
 
 +
==Delimiter and special characters
 +
 
 +
==Further Reading
 +
 
 +
=[[Interpreter Injection]]
 +
 
 +
==Objective
 +
 
 +
==Platforms Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==User Agent Injection
 +
 
 +
==HTTP Response Splitting
 +
 
 +
==SQL Injection
 +
 
 +
==ORM Injection
 +
 
 +
==LDAP Injection
 +
 
 +
==XML Injection
 +
 
 +
==Code Injection
 +
 
 +
==Further Reading
 +
 
 +
==SQL-injection
 +
 
 +
==Code Injection
 +
 
 +
==Command injection
 +
 
 +
=[[Canoncalization, locale and Unicode]]
 +
 
 +
==Objective
 +
 
 +
==Platforms Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Description
 +
 
 +
==Unicode
 +
 
 +
==http://www.ietf.org/rfc/rfc==
 +
 
 +
==Input Formats
 +
 
 +
==Locale assertion
 +
 
 +
==Double (or n-) encoding
 +
 
 +
== HTTP Request Smuggling
 +
 
 +
== Further Reading
 +
 
 +
=[[Error Handling, Auditing and Logging]]
 +
 
 +
==Objective
 +
 
 +
==Environments Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Description
 +
 
 +
==Best practices
 +
 
 +
==Error Handling
 +
 
 +
==Detailed error messages
 +
 
 +
==Logging
 +
 
 +
==Noise
 +
 
 +
==Cover Tracks
 +
 
 +
==False Alarms
 +
 
 +
==Destruction
 +
 
 +
==Audit Trails
 +
 
 +
==Further Reading
 +
 
 +
==Error Handling and Logging
 +
 
 +
=[[File System]]
 +
 
 +
==Objective
 +
 
 +
==Environments Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Description
 +
 
 +
==Best Practices
 +
 
 +
==Defacement
 +
 
 +
==Path traversal
 +
 
 +
==Insecure permissions
 +
 
 +
==Insecure Indexing
 +
 
 +
==Unmapped files
 +
 
 +
==Temporary files
 +
 
 +
==PHP
 +
 
 +
==Includes and Remote files
 +
 
 +
==File upload
 +
 
 +
==Old, unreferenced files
 +
 
 +
==Second Order Injection
 +
 
 +
==Further Reading
 +
 
 +
==File System
 +
 
 +
=[[Distributed Computing]]
 +
 
 +
==Objective
 +
 
 +
==Environments Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Best Practices
 +
 
 +
==Race conditions
 +
 
 +
==Distributed synchronization
 +
 
 +
==Further Reading
 +
 
 +
=[[Buffer Overflows]]
 +
 
 +
==Objective
 +
 
 +
==Platforms Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Description
 +
 
 +
==General Prevention Techniques
 +
 
 +
==Stack Overflow
 +
 
 +
==Heap Overflow
 +
 
 +
==Format String
 +
 
 +
==Unicode Overflow
 +
 
 +
==Integer Overflow
 +
 
 +
==Further reading
 +
 
 +
=[[Administrative Interface]]
 +
 
 +
==Objective
 +
 
 +
==Environments Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Best practices
 +
 
 +
==Administrators are not users
 +
 
 +
==Authentication for high value systems
 +
 
 +
==Further Reading
 +
 
 +
=[[Cryptography]]
 +
 
 +
==Objective
 +
 
 +
==Platforms Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Description
 +
 
 +
==Cryptographic Functions
 +
 
 +
==Cryptographic Algorithms
 +
 
 +
==Algorithm Selection
 +
 
 +
==Key Storage
 +
 
 +
==Insecure transmission of secrets
 +
 
 +
==Reversible Authentication Tokens
 +
 
 +
==Safe UUID generation
 +
 
 +
==Summary
 +
 
 +
==Further Reading
 +
 
 +
==Cryptography
 +
 
 +
=[[Configuration]]
 +
 
 +
==Objective
 +
 
 +
==Platforms Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Best Practices
 +
 
 +
==Default passwords
 +
 
 +
==Secure connection strings
 +
 
 +
==Secure network transmission
 +
 
 +
==Encrypted data
 +
 
 +
==PHP Configuration
 +
 
 +
==Global variables
 +
 
 +
==register_globals
 +
 
 +
==Database security
 +
 
 +
==Further Reading
 +
 
 +
==ColdFusion Components (CFCs)
 +
 
 +
==Configuration
 +
 
 +
=[[Software Quality Assurance]]
 +
 
 +
==Objective
 +
 
 +
==Platforms Affected
 +
 
 +
==Best practices
 +
 
 +
==Process
 +
 
 +
==Metrics
 +
 
 +
==Testing Activities
 +
 
 +
=[[Deployment]]
 +
 
 +
==Objective
 +
 
 +
==Platforms Affected
 +
 
 +
==Best Practices
 +
 
 +
==Release Management
 +
 
 +
==Secure delivery of code
 +
 
 +
==Code signing
 +
 
 +
==Permissions are set to least privilege
 +
 
 +
==Automated packaging
 +
 
 +
==Automated deployment
 +
 
 +
==Automated removal
 +
 
 +
==No backup or old files
 +
 
 +
==Unnecessary features are off by default
 +
 
 +
==Setup log files are clean
 +
 
 +
==No default accounts
 +
 
 +
==Easter eggs
 +
 
 +
==Malicious software
 +
 
 +
==Further Reading
 +
 
 +
=[[Maintenance]]
 +
 
 +
==Objective
 +
 
 +
==Platforms Affected
 +
 
 +
==Relevant COBIT Topics
 +
 
 +
==Best Practices
 +
 
 +
==Security Incident Response
 +
 
 +
==Fix Security Issues Correctly
 +
 
 +
==Update Notifications
 +
 
 +
==Regularly check permissions
 +
 
 +
==Further Reading
 +
 
 +
==Maintenance
 +
 
 +
=[[GNU Free Documentation License]]
 +
 
 +
==PREAMBLE
 +
 
 +
==APPLICABILITY AND DEFINITIONS
 +
 
 +
==VERBATIM COPYING
 +
 
 +
==COPYING IN QUANTITY
 +
 
 +
==MODIFICATIONS
 +
 
 +
==COMBINING DOCUMENTS
 +
 
 +
==COLLECTIONS OF DOCUMENTS
 +
 
 +
==AGGREGATION WITH INDEPENDENT WORKS
 +
 
 +
==TRANSLATION
 +
 
 +
==TERMINATION
 +
 
 +
==FUTURE REVISIONS OF THIS LICENSE

Revision as of 07:40, 22 May 2006

Frontispiece

== Dedication

== Copyright and license

== Editors

== Authors and Reviewers

== Revision History

=About The Open Web Application Security Project

==Structure and Licensing

==Participation and Membership

==Projects

= Introduction

==Developing Secure Applications

==Improvements in this edition

==How to use this Guide

==Updates and errata

==With thanks

=What are web applications?

==Technologies

==First generation – CGI

==Filters

==Scripting

==Web application frameworks – J

==Small to medium scale applications

==Large scale applications

==View

==Controller

==Model

==Conclusion

=Policy Frameworks

==Organizational commitment to security

==OWASP’s Place at the Framework table

==Development Methodology

==Coding Standards

==Source Code Control

==Summary

=Secure Coding Principles

==Asset Classification

==About attackers

==Core pillars of information security

==Security Architecture

==Security Principles

=Threat Risk Modeling

==Threat Risk Modeling

==Performing threat risk modeling using the Microsoft Threat Modeling Process

==Alternative Threat Modeling Systems

==Trike

==AS/NZS

==CVSS

==OCTAVE

==Conclusion

==Further Reading

=Handling E-Commerce Payments

==Objectives

==Compliance and Laws

==PCI Compliance

==Handling Credit Cards

==Further Reading

=Phishing

==What is phishing?

==User Education

==Make it easy for your users to report scams

==Communicating with customers via e-mail

==Never ask your customers for their secrets

==Fix all your XSS issues

==Do not use pop-ups

==Don’t be framed

==Move your application one link away from your front page

==Enforce local referrers for images and other resources

==Keep the address bar, use SSL, do not use IP addresses

==Don’t be the source of identity theft

==Implement safe-guards within your application

==Monitor unusual account activity

==Get the phishing target servers offline pronto

==Take control of the fraudulent domain name

==Work with law enforcement

==When an attack happens

==Further Reading

=Web Services

==Securing Web Services

==Communication security

==Passing credentials

==Ensuring message freshness

==Protecting message integrity

==Protecting message confidentiality

==Access control

==Audit

==Web Services Security Hierarchy

==SOAP

==WS-Security Standard

==WS-Security Building Blocks

==Communication Protection Mechanisms

==Access Control Mechanisms

==Forming Web Service Chains

==Available Implementations

==Problems

==Further Reading

=Ajax and Other "Rich" Interface Technologies

==Objective

==Platforms Affected

==Architecture

==Access control: Authentication and Authorization

==Silent transactional authorization

==Untrusted or absent session data

==State management

==Tamper resistance

==Privacy

==Proxy Façade

==SOAP Injection Attacks

==XMLRPC Injection Attacks

==DOM Injection Attacks

==XML Injection Attacks

==JSON (Javascript Object Notation) Injection Attacks

==Encoding safety

==Auditing

==Error Handling

==Accessibility

==Further Reading

=Authentication

==Objective

==Environments Affected

==Relevant COBIT Topics

==Best Practices

==Common web authentication techniques

==Strong Authentication

==Federated Authentication

==Client side authentication controls

==Positive Authentication

==Multiple Key Lookups

==Referer Checks

==Browser remembers passwords

==Default accounts

==Choice of usernames

==Change passwords

==Short passwords

==Weak password controls

==Reversible password encryption

==Automated password resets

==Brute Force

==Remember Me

==Idle Timeouts

==Logout

==Account Expiry

==Self registration

==CAPTCHA

==Further Reading

==Authentication

=Authorization

==Objectives

==Environments Affected

==Relevant COBIT Topics

==Best Practices

==Best Practices in Action

==Principle of least privilege

==Centralized authorization routines

==Authorization matrix

==Controlling access to protected resources

==Protecting access to static resources

==Reauthorization for high value activities or after idle out

==Time based authorization

==Be cautious of custom authorization controls

==Never implement client-side authorization tokens

==Further Reading

=Session Management

==Objective

==Environments Affected

==Relevant COBIT Topics

==Description

==Best practices

==Exposed Session Variables

==Page and Form Tokens

==Weak Session Cryptographic Algorithms

==Session Token Entropy

==Session Time-out

==Regeneration of Session Tokens

==Session Forging/Brute-Forcing Detection and/or Lockout

==Session Token Capture and Session Hijacking

==Session Tokens on Logout

==Session Validation Attacks

==PHP

==Sessions

==Further Reading

==Session Management

=Data Validation

==Objective

==Platforms Affected

==Relevant COBIT Topics

==Description

==Definitions

==Where to include integrity checks

==Where to include validation

==Where to include business rule validation

==Data Validation Strategies

==Prevent parameter tampering

==Hidden fields

==ASP.NET Viewstate

==URL encoding

==HTML encoding

==Encoded strings

==Data Validation and Interpreter Injection

==Delimiter and special characters

==Further Reading

=Interpreter Injection

==Objective

==Platforms Affected

==Relevant COBIT Topics

==User Agent Injection

==HTTP Response Splitting

==SQL Injection

==ORM Injection

==LDAP Injection

==XML Injection

==Code Injection

==Further Reading

==SQL-injection

==Code Injection

==Command injection

=Canoncalization, locale and Unicode

==Objective

==Platforms Affected

==Relevant COBIT Topics

==Description

==Unicode

http://www.ietf.org/rfc/rfc

==Input Formats

==Locale assertion

==Double (or n-) encoding

== HTTP Request Smuggling

== Further Reading

=Error Handling, Auditing and Logging

==Objective

==Environments Affected

==Relevant COBIT Topics

==Description

==Best practices

==Error Handling

==Detailed error messages

==Logging

==Noise

==Cover Tracks

==False Alarms

==Destruction

==Audit Trails

==Further Reading

==Error Handling and Logging

=File System

==Objective

==Environments Affected

==Relevant COBIT Topics

==Description

==Best Practices

==Defacement

==Path traversal

==Insecure permissions

==Insecure Indexing

==Unmapped files

==Temporary files

==PHP

==Includes and Remote files

==File upload

==Old, unreferenced files

==Second Order Injection

==Further Reading

==File System

=Distributed Computing

==Objective

==Environments Affected

==Relevant COBIT Topics

==Best Practices

==Race conditions

==Distributed synchronization

==Further Reading

=Buffer Overflows

==Objective

==Platforms Affected

==Relevant COBIT Topics

==Description

==General Prevention Techniques

==Stack Overflow

==Heap Overflow

==Format String

==Unicode Overflow

==Integer Overflow

==Further reading

=Administrative Interface

==Objective

==Environments Affected

==Relevant COBIT Topics

==Best practices

==Administrators are not users

==Authentication for high value systems

==Further Reading

=Cryptography

==Objective

==Platforms Affected

==Relevant COBIT Topics

==Description

==Cryptographic Functions

==Cryptographic Algorithms

==Algorithm Selection

==Key Storage

==Insecure transmission of secrets

==Reversible Authentication Tokens

==Safe UUID generation

==Summary

==Further Reading

==Cryptography

=Configuration

==Objective

==Platforms Affected

==Relevant COBIT Topics

==Best Practices

==Default passwords

==Secure connection strings

==Secure network transmission

==Encrypted data

==PHP Configuration

==Global variables

==register_globals

==Database security

==Further Reading

==ColdFusion Components (CFCs)

==Configuration

=Software Quality Assurance

==Objective

==Platforms Affected

==Best practices

==Process

==Metrics

==Testing Activities

=Deployment

==Objective

==Platforms Affected

==Best Practices

==Release Management

==Secure delivery of code

==Code signing

==Permissions are set to least privilege

==Automated packaging

==Automated deployment

==Automated removal

==No backup or old files

==Unnecessary features are off by default

==Setup log files are clean

==No default accounts

==Easter eggs

==Malicious software

==Further Reading

=Maintenance

==Objective

==Platforms Affected

==Relevant COBIT Topics

==Best Practices

==Security Incident Response

==Fix Security Issues Correctly

==Update Notifications

==Regularly check permissions

==Further Reading

==Maintenance

=GNU Free Documentation License

==PREAMBLE

==APPLICABILITY AND DEFINITIONS

==VERBATIM COPYING

==COPYING IN QUANTITY

==MODIFICATIONS

==COMBINING DOCUMENTS

==COLLECTIONS OF DOCUMENTS

==AGGREGATION WITH INDEPENDENT WORKS

==TRANSLATION

==TERMINATION

==FUTURE REVISIONS OF THIS LICENSE