Difference between revisions of "Guide Table of Contents"

Revision as of 07:41, 22 May 2006

=[[Guide Frontispiece|Frontispiece]]

== Dedication

== Copyright and license

== Editors

== Authors and Reviewers

== Revision History

=About The Open Web Application Security Project

==Structure and Licensing

==Participation and Membership


= Introduction

==Developing Secure Applications

==Improvements in this edition

==How to use this Guide

==Updates and errata

==With thanks

=What are web applications?


==First generation – CGI



==Web application frameworks – J

==Small to medium scale applications

==Large scale applications





=Policy Frameworks

==Organizational commitment to security

==OWASP’s Place at the Framework table

==Development Methodology

==Coding Standards

==Source Code Control


=Secure Coding Principles

==Asset Classification

==About attackers

==Core pillars of information security

==Security Architecture

==Security Principles

=Threat Risk Modeling

==Threat Risk Modeling

==Performing threat risk modeling using the Microsoft Threat Modeling Process

==Alternative Threat Modeling Systems






==Further Reading

=Handling E-Commerce Payments


==Compliance and Laws

==PCI Compliance

==Handling Credit Cards

==Further Reading


==What is phishing?

==User Education

==Make it easy for your users to report scams

==Communicating with customers via e-mail

==Never ask your customers for their secrets

==Fix all your XSS issues

==Do not use pop-ups

==Don’t be framed

==Move your application one link away from your front page

==Enforce local referrers for images and other resources

==Keep the address bar, use SSL, do not use IP addresses

==Don’t be the source of identity theft

==Implement safe-guards within your application

==Monitor unusual account activity

==Get the phishing target servers offline pronto

==Take control of the fraudulent domain name

==Work with law enforcement

==When an attack happens

==Further Reading

=Web Services

==Securing Web Services

==Communication security

==Passing credentials

==Ensuring message freshness

==Protecting message integrity

==Protecting message confidentiality

==Access control


==Web Services Security Hierarchy


==WS-Security Standard

==WS-Security Building Blocks

==Communication Protection Mechanisms

==Access Control Mechanisms

==Forming Web Service Chains

==Available Implementations


==Further Reading

=Ajax and Other "Rich" Interface Technologies


==Platforms Affected


==Access control: Authentication and Authorization

==Silent transactional authorization

==Untrusted or absent session data

==State management

==Tamper resistance


==Proxy Façade

==SOAP Injection Attacks

==XMLRPC Injection Attacks

==DOM Injection Attacks

==XML Injection Attacks

==JSON (Javascript Object Notation) Injection Attacks

==Encoding safety


==Error Handling


==Further Reading



==Environments Affected

==Relevant COBIT Topics

==Best Practices

==Common web authentication techniques

==Strong Authentication

==Federated Authentication

==Client side authentication controls

==Positive Authentication

==Multiple Key Lookups

==Referer Checks

==Browser remembers passwords

==Default accounts

==Choice of usernames

==Change passwords

==Short passwords

==Weak password controls

==Reversible password encryption

==Automated password resets

==Brute Force

==Remember Me

==Idle Timeouts


==Account Expiry

==Self registration


==Further Reading




==Environments Affected

==Relevant COBIT Topics

==Best Practices

==Best Practices in Action

==Principle of least privilege

==Centralized authorization routines

==Authorization matrix

==Controlling access to protected resources

==Protecting access to static resources

==Reauthorization for high value activities or after idle out

==Time based authorization

==Be cautious of custom authorization controls

==Never implement client-side authorization tokens

==Further Reading

=Session Management


==Environments Affected

==Relevant COBIT Topics


==Best practices

==Exposed Session Variables

==Page and Form Tokens

==Weak Session Cryptographic Algorithms

==Session Token Entropy

==Session Time-out

==Regeneration of Session Tokens

==Session Forging/Brute-Forcing Detection and/or Lockout

==Session Token Capture and Session Hijacking

==Session Tokens on Logout

==Session Validation Attacks



==Further Reading

==Session Management

=Data Validation


==Platforms Affected

==Relevant COBIT Topics



==Where to include integrity checks

==Where to include validation

==Where to include business rule validation

==Data Validation Strategies

==Prevent parameter tampering

==Hidden fields

==ASP.NET Viewstate

==URL encoding

==HTML encoding

==Encoded strings

==Data Validation and Interpreter Injection

==Delimiter and special characters

==Further Reading

=Interpreter Injection


==Platforms Affected

==Relevant COBIT Topics

==User Agent Injection

==HTTP Response Splitting

==SQL Injection

==ORM Injection

==LDAP Injection

==XML Injection

==Code Injection

==Further Reading


==Code Injection

==Command injection

=Canonicalization, locale and Unicode


==Platforms Affected

==Relevant COBIT Topics




==Input Formats

==Locale assertion

==Double (or n-) encoding

== HTTP Request Smuggling

== Further Reading

=Error Handling, Auditing and Logging


==Environments Affected

==Relevant COBIT Topics


==Best practices

==Error Handling

==Detailed error messages



==Cover Tracks

==False Alarms


==Audit Trails

==Further Reading

==Error Handling and Logging

=File System


==Environments Affected

==Relevant COBIT Topics


==Best Practices


==Path traversal

==Insecure permissions

==Insecure Indexing

==Unmapped files

==Temporary files


==Includes and Remote files

==File upload

==Old, unreferenced files

==Second Order Injection

==Further Reading

==File System

=Distributed Computing


==Environments Affected

==Relevant COBIT Topics

==Best Practices

==Race conditions

==Distributed synchronization

==Further Reading

=Buffer Overflows


==Platforms Affected

==Relevant COBIT Topics


==General Prevention Techniques

==Stack Overflow

==Heap Overflow

==Format String

==Unicode Overflow

==Integer Overflow

==Further reading

=Administrative Interface


==Environments Affected

==Relevant COBIT Topics

==Best practices

==Administrators are not users

==Authentication for high value systems

==Further Reading



==Platforms Affected

==Relevant COBIT Topics


==Cryptographic Functions

==Cryptographic Algorithms

==Algorithm Selection

==Key Storage

==Insecure transmission of secrets

==Reversible Authentication Tokens

==Safe UUID generation


==Further Reading




==Platforms Affected

==Relevant COBIT Topics

==Best Practices

==Default passwords

==Secure connection strings

==Secure network transmission

==Encrypted data

==PHP Configuration

==Global variables


==Database security

==Further Reading

==ColdFusion Components (CFCs)


=Software Quality Assurance


==Platforms Affected

==Best practices



==Testing Activities



==Platforms Affected

==Best Practices

==Release Management

==Secure delivery of code

==Code signing

==Permissions are set to least privilege

==Automated packaging

==Automated deployment

==Automated removal

==No backup or old files

==Unnecessary features are off by default

==Setup log files are clean

==No default accounts

==Easter eggs

==Malicious software

==Further Reading



==Platforms Affected

==Relevant COBIT Topics

==Best Practices

==Security Incident Response

==Fix Security Issues Correctly

==Update Notifications

==Regularly check permissions

==Further Reading


=GNU Free Documentation License