Difference between revisions of "Guide Table of Contents"

From OWASP
Line 1: Line 1:
__TOC__
+
=[[Guide Frontispiece|Frontispiece]]=
  
=[[Guide Frontispiece|Frontispiece]] =
+
## Dedication
  
== Dedication
+
## Copyright and license
  
== Copyright and license
+
## Editors
  
== Editors
+
## Authors and Reviewers
  
== Authors and Reviewers
+
## Revision History
  
== Revision History
+
=[[About The Open Web Application Security Project]]=
  
=[[About The Open Web Application Security Project]]
+
##Structure and Licensing
  
==Structure and Licensing
+
##Participation and Membership
  
==Participation and Membership
+
##Projects
  
==Projects
+
=[[Guide Introduction | Introduction]]=
  
=[[Guide Introduction | Introduction]]
+
##Developing Secure Applications
  
==Developing Secure Applications
+
##Improvements in this edition
  
==Improvements in this edition
+
##How to use this Guide
  
==How to use this Guide
+
##Updates and errata
  
==Updates and errata
+
##With thanks
  
==With thanks
+
=[[What are web applications?]]=
  
=[[What are web applications?]]
+
##Technologies
  
==Technologies
+
##First generation – CGI
  
==First generation – CGI
+
##Filters
  
==Filters
+
##Scripting
  
==Scripting
+
##Web application frameworks – J
  
==Web application frameworks – J
+
##Small to medium scale applications
  
==Small to medium scale applications
+
##Large scale applications
  
==Large scale applications
+
##View
  
==View
+
##Controller
  
==Controller
+
##Model
  
==Model
+
##Conclusion
  
==Conclusion
+
=[[Policy Frameworks]]=
  
=[[Policy Frameworks]]
+
##Organizational commitment to security
  
==Organizational commitment to security
+
##OWASP’s Place at the Framework table
  
==OWASP’s Place at the Framework table
+
##Development Methodology
  
==Development Methodology
+
##Coding Standards
  
==Coding Standards
+
##Source Code Control
  
==Source Code Control
+
##Summary
  
==Summary
+
=[[Secure Coding Principles]]=
  
=[[Secure Coding Principles]]
+
##Asset Classification
  
==Asset Classification
+
##About attackers
  
==About attackers
+
##Core pillars of information security
  
==Core pillars of information security
+
##Security Architecture
  
==Security Architecture
+
##Security Principles
  
==Security Principles
+
=[[Threat Risk Modeling]]=
  
=[[Threat Risk Modeling]]
+
##Threat Risk Modeling
  
==Threat Risk Modeling
+
##Performing threat risk modeling using the Microsoft Threat Modeling Process
  
==Performing threat risk modeling using the Microsoft Threat Modeling Process
+
##Alternative Threat Modeling Systems
  
==Alternative Threat Modeling Systems
+
##Trike
  
==Trike
+
##AS/NZS
  
==AS/NZS
+
##CVSS
  
==CVSS
+
##OCTAVE
  
==OCTAVE
+
##Conclusion
  
==Conclusion
+
##Further Reading
  
==Further Reading
+
=[[Handling E-Commerce Payments]]=
  
=[[Handling E-Commerce Payments]]
+
##Objectives
  
==Objectives
+
##Compliance and Laws
  
==Compliance and Laws
+
##PCI Compliance
  
==PCI Compliance
+
##Handling Credit Cards
  
==Handling Credit Cards
+
##Further Reading
  
==Further Reading
+
=[[Phishing]]=
  
=[[Phishing]]
+
##What is phishing?
  
==What is phishing?
+
##User Education
  
==User Education
+
##Make it easy for your users to report scams
  
==Make it easy for your users to report scams
+
##Communicating with customers via e-mail
  
==Communicating with customers via e-mail
+
##Never ask your customers for their secrets
  
==Never ask your customers for their secrets
+
##Fix all your XSS issues
  
==Fix all your XSS issues
+
##Do not use pop-ups
  
==Do not use pop-ups
+
##Don’t be framed
  
==Don’t be framed
+
##Move your application one link away from your front page
  
==Move your application one link away from your front page
+
##Enforce local referrers for images and other resources
  
==Enforce local referrers for images and other resources
+
##Keep the address bar, use SSL, do not use IP addresses
  
==Keep the address bar, use SSL, do not use IP addresses
+
##Don’t be the source of identity theft
  
==Don’t be the source of identity theft
+
##Implement safe-guards within your application
  
==Implement safe-guards within your application
+
##Monitor unusual account activity
  
==Monitor unusual account activity
+
##Get the phishing target servers offline pronto
  
==Get the phishing target servers offline pronto
+
##Take control of the fraudulent domain name
  
==Take control of the fraudulent domain name
+
##Work with law enforcement
  
==Work with law enforcement
+
##When an attack happens
  
==When an attack happens
+
##Further Reading
  
==Further Reading
+
=[[Web Services]]=
  
=[[Web Services]]
+
##Securing Web Services
  
==Securing Web Services
+
##Communication security
  
==Communication security
+
##Passing credentials
  
==Passing credentials
+
##Ensuring message freshness
  
==Ensuring message freshness
+
##Protecting message integrity
  
==Protecting message integrity
+
##Protecting message confidentiality
  
==Protecting message confidentiality
+
##Access control
  
==Access control
+
##Audit
  
==Audit
+
##Web Services Security Hierarchy
  
==Web Services Security Hierarchy
+
##SOAP
  
==SOAP
+
##WS-Security Standard
  
==WS-Security Standard
+
##WS-Security Building Blocks
  
==WS-Security Building Blocks
+
##Communication Protection Mechanisms
  
==Communication Protection Mechanisms
+
##Access Control Mechanisms
  
==Access Control Mechanisms
+
##Forming Web Service Chains
  
==Forming Web Service Chains
+
##Available Implementations
  
==Available Implementations
+
##Problems
  
==Problems
+
##Further Reading
  
==Further Reading
+
=[[Ajax and Other "Rich" Interface Technologies]]=
  
=[[Ajax and Other "Rich" Interface Technologies]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Architecture
  
==Architecture
+
##Access control: Authentication and Authorization
  
==Access control: Authentication and Authorization
+
##Silent transactional authorization
  
==Silent transactional authorization
+
##Untrusted or absent session data
  
==Untrusted or absent session data
+
##State management
  
==State management
+
##Tamper resistance
  
==Tamper resistance
+
##Privacy
  
==Privacy
+
##Proxy Façade
  
==Proxy Façade
+
##SOAP Injection Attacks
  
==SOAP Injection Attacks
+
##XMLRPC Injection Attacks
  
==XMLRPC Injection Attacks
+
##DOM Injection Attacks
  
==DOM Injection Attacks
+
##XML Injection Attacks
  
==XML Injection Attacks
+
##JSON (Javascript Object Notation) Injection Attacks
  
==JSON (Javascript Object Notation) Injection Attacks
+
##Encoding safety
  
==Encoding safety
+
##Auditing
  
==Auditing
+
##Error Handling
  
==Error Handling
+
##Accessibility
  
==Accessibility
+
##Further Reading
  
==Further Reading
+
=[[Authentication]]=
  
=[[Authentication]]
+
##Objective
  
==Objective
+
##Environments Affected
  
==Environments Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Best Practices
  
==Best Practices
+
##Common web authentication techniques
  
==Common web authentication techniques
+
##Strong Authentication
  
==Strong Authentication
+
##Federated Authentication
  
==Federated Authentication
+
##Client side authentication controls
  
==Client side authentication controls
+
##Positive Authentication
  
==Positive Authentication
+
##Multiple Key Lookups
  
==Multiple Key Lookups
+
##Referer Checks
  
==Referer Checks
+
##Browser remembers passwords
  
==Browser remembers passwords
+
##Default accounts
  
==Default accounts
+
##Choice of usernames
  
==Choice of usernames
+
##Change passwords
  
==Change passwords
+
##Short passwords
  
==Short passwords
+
##Weak password controls
  
==Weak password controls
+
##Reversible password encryption
  
==Reversible password encryption
+
##Automated password resets
  
==Automated password resets
+
##Brute Force
  
==Brute Force
+
##Remember Me
  
==Remember Me
+
##Idle Timeouts
  
==Idle Timeouts
+
##Logout
  
==Logout
+
##Account Expiry
  
==Account Expiry
+
##Self registration
  
==Self registration
+
##CAPTCHA
  
==CAPTCHA
+
##Further Reading
  
==Further Reading
+
##Authentication
  
==Authentication
+
=[[Authorization]]=
  
=[[Authorization]]
+
##Objectives
  
==Objectives
+
##Environments Affected
  
==Environments Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Best Practices
  
==Best Practices
+
##Best Practices in Action
  
==Best Practices in Action
+
##Principle of least privilege
  
==Principle of least privilege
+
##Centralized authorization routines
  
==Centralized authorization routines
+
##Authorization matrix
  
==Authorization matrix
+
##Controlling access to protected resources
  
==Controlling access to protected resources
+
##Protecting access to static resources
  
==Protecting access to static resources
+
##Reauthorization for high value activities or after idle out
  
==Reauthorization for high value activities or after idle out
+
##Time based authorization
  
==Time based authorization
+
##Be cautious of custom authorization controls
  
==Be cautious of custom authorization controls
+
##Never implement client-side authorization tokens
  
==Never implement client-side authorization tokens
+
##Further Reading
  
==Further Reading
+
=[[Session Management]]=
  
=[[Session Management]]
+
##Objective
  
==Objective
+
##Environments Affected
  
==Environments Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Description
  
==Description
+
##Best practices
  
==Best practices
+
##Exposed Session Variables
  
==Exposed Session Variables
+
##Page and Form Tokens
  
==Page and Form Tokens
+
##Weak Session Cryptographic Algorithms
  
==Weak Session Cryptographic Algorithms
+
##Session Token Entropy
  
==Session Token Entropy
+
##Session Time-out
  
==Session Time-out
+
##Regeneration of Session Tokens
  
==Regeneration of Session Tokens
+
##Session Forging/Brute-Forcing Detection and/or Lockout
  
==Session Forging/Brute-Forcing Detection and/or Lockout
+
##Session Token Capture and Session Hijacking
  
==Session Token Capture and Session Hijacking
+
##Session Tokens on Logout
  
==Session Tokens on Logout
+
##Session Validation Attacks
  
==Session Validation Attacks
+
##PHP
  
==PHP
+
##Sessions
  
==Sessions
+
##Further Reading
  
==Further Reading
+
##Session Management
  
==Session Management
+
=[[Data Validation]]=
  
=[[Data Validation]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Description
  
==Description
+
##Definitions
  
==Definitions
+
##Where to include integrity checks
  
==Where to include integrity checks
+
##Where to include validation
  
==Where to include validation
+
##Where to include business rule validation
  
==Where to include business rule validation
+
##Data Validation Strategies
  
==Data Validation Strategies
+
##Prevent parameter tampering
  
==Prevent parameter tampering
+
##Hidden fields
  
==Hidden fields
+
##ASP.NET Viewstate
  
==ASP.NET Viewstate
+
##URL encoding
  
==URL encoding
+
##HTML encoding
  
==HTML encoding
+
##Encoded strings
  
==Encoded strings
+
##Data Validation and Interpreter Injection
  
==Data Validation and Interpreter Injection
+
##Delimiter and special characters
  
==Delimiter and special characters
+
##Further Reading
  
==Further Reading
+
=[[Interpreter Injection]]=
  
=[[Interpreter Injection]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##User Agent Injection
  
==User Agent Injection
+
##HTTP Response Splitting
  
==HTTP Response Splitting
+
##SQL Injection
  
==SQL Injection
+
##ORM Injection
  
==ORM Injection
+
##LDAP Injection
  
==LDAP Injection
+
##XML Injection
  
==XML Injection
+
##Code Injection
  
==Code Injection
+
##Further Reading
  
==Further Reading
+
##SQL-injection
  
==SQL-injection
+
##Code Injection
  
==Code Injection
+
##Command injection
  
==Command injection
+
=[[Canoncalization, locale and Unicode]]=
  
=[[Canoncalization, locale and Unicode]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Description
  
==Description
+
##Unicode
  
==Unicode
+
##http://www.ietf.org/rfc/rfc##
  
==http://www.ietf.org/rfc/rfc==
+
##Input Formats
  
==Input Formats
+
##Locale assertion
  
==Locale assertion
+
##Double (or n-) encoding
  
==Double (or n-) encoding
+
## HTTP Request Smuggling
  
== HTTP Request Smuggling
+
## Further Reading
  
== Further Reading
+
=[[Error Handling, Auditing and Logging]]=
  
=[[Error Handling, Auditing and Logging]]
+
##Objective
  
==Objective
+
##Environments Affected
  
==Environments Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Description
  
==Description
+
##Best practices
  
==Best practices
+
##Error Handling
  
==Error Handling
+
##Detailed error messages
  
==Detailed error messages
+
##Logging
  
==Logging
+
##Noise
  
==Noise
+
##Cover Tracks
  
==Cover Tracks
+
##False Alarms
  
==False Alarms
+
##Destruction
  
==Destruction
+
##Audit Trails
  
==Audit Trails
+
##Further Reading
  
==Further Reading
+
##Error Handling and Logging
  
==Error Handling and Logging
+
=[[File System]]=
  
=[[File System]]
+
##Objective
  
==Objective
+
##Environments Affected
  
==Environments Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Description
  
==Description
+
##Best Practices
  
==Best Practices
+
##Defacement
  
==Defacement
+
##Path traversal
  
==Path traversal
+
##Insecure permissions
  
==Insecure permissions
+
##Insecure Indexing
  
==Insecure Indexing
+
##Unmapped files
  
==Unmapped files
+
##Temporary files
  
==Temporary files
+
##PHP
  
==PHP
+
##Includes and Remote files
  
==Includes and Remote files
+
##File upload
  
==File upload
+
##Old, unreferenced files
  
==Old, unreferenced files
+
##Second Order Injection
  
==Second Order Injection
+
##Further Reading
  
==Further Reading
+
##File System
  
==File System
+
=[[Distributed Computing]]=
  
=[[Distributed Computing]]
+
##Objective
  
==Objective
+
##Environments Affected
  
==Environments Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Best Practices
  
==Best Practices
+
##Race conditions
  
==Race conditions
+
##Distributed synchronization
  
==Distributed synchronization
+
##Further Reading
  
==Further Reading
+
=[[Buffer Overflows]]=
  
=[[Buffer Overflows]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Description
  
==Description
+
##General Prevention Techniques
  
==General Prevention Techniques
+
##Stack Overflow
  
==Stack Overflow
+
##Heap Overflow
  
==Heap Overflow
+
##Format String
  
==Format String
+
##Unicode Overflow
  
==Unicode Overflow
+
##Integer Overflow
  
==Integer Overflow
+
##Further reading
  
==Further reading
+
=[[Administrative Interface]]=
  
=[[Administrative Interface]]
+
##Objective
  
==Objective
+
##Environments Affected
  
==Environments Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Best practices
  
==Best practices
+
##Administrators are not users
  
==Administrators are not users
+
##Authentication for high value systems
  
==Authentication for high value systems
+
##Further Reading
  
==Further Reading
+
=[[Cryptography]]=
  
=[[Cryptography]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Description
  
==Description
+
##Cryptographic Functions
  
==Cryptographic Functions
+
##Cryptographic Algorithms
  
==Cryptographic Algorithms
+
##Algorithm Selection
  
==Algorithm Selection
+
##Key Storage
  
==Key Storage
+
##Insecure transmission of secrets
  
==Insecure transmission of secrets
+
##Reversible Authentication Tokens
  
==Reversible Authentication Tokens
+
##Safe UUID generation
  
==Safe UUID generation
+
##Summary
  
==Summary
+
##Further Reading
  
==Further Reading
+
##Cryptography
  
==Cryptography
+
=[[Configuration]]=
  
=[[Configuration]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Best Practices
  
==Best Practices
+
##Default passwords
  
==Default passwords
+
##Secure connection strings
  
==Secure connection strings
+
##Secure network transmission
  
==Secure network transmission
+
##Encrypted data
  
==Encrypted data
+
##PHP Configuration
  
==PHP Configuration
+
##Global variables
  
==Global variables
+
##register_globals
  
==register_globals
+
##Database security
  
==Database security
+
##Further Reading
  
==Further Reading
+
##ColdFusion Components (CFCs)
  
==ColdFusion Components (CFCs)
+
##Configuration
  
==Configuration
+
=[[Software Quality Assurance]]=
  
=[[Software Quality Assurance]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Best practices
  
==Best practices
+
##Process
  
==Process
+
##Metrics
  
==Metrics
+
##Testing Activities
  
==Testing Activities
+
=[[Deployment]]=
  
=[[Deployment]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Best Practices
  
==Best Practices
+
##Release Management
  
==Release Management
+
##Secure delivery of code
  
==Secure delivery of code
+
##Code signing
  
==Code signing
+
##Permissions are set to least privilege
  
==Permissions are set to least privilege
+
##Automated packaging
  
==Automated packaging
+
##Automated deployment
  
==Automated deployment
+
##Automated removal
  
==Automated removal
+
##No backup or old files
  
==No backup or old files
+
##Unnecessary features are off by default
  
==Unnecessary features are off by default
+
##Setup log files are clean
  
==Setup log files are clean
+
##No default accounts
  
==No default accounts
+
##Easter eggs
  
==Easter eggs
+
##Malicious software
  
==Malicious software
+
##Further Reading
  
==Further Reading
+
=[[Maintenance]]=
  
=[[Maintenance]]
+
##Objective
  
==Objective
+
##Platforms Affected
  
==Platforms Affected
+
##Relevant COBIT Topics
  
==Relevant COBIT Topics
+
##Best Practices
  
==Best Practices
+
##Security Incident Response
  
==Security Incident Response
+
##Fix Security Issues Correctly
  
==Fix Security Issues Correctly
+
##Update Notifications
  
==Update Notifications
+
##Regularly check permissions
  
==Regularly check permissions
+
##Further Reading
  
==Further Reading
+
##Maintenance
  
==Maintenance
+
=[[GNU Free Documentation License]]=
  
=[[GNU Free Documentation License]]
+
##PREAMBLE
  
==PREAMBLE
+
##APPLICABILITY AND DEFINITIONS
  
==APPLICABILITY AND DEFINITIONS
+
##VERBATIM COPYING
  
==VERBATIM COPYING
+
##COPYING IN QUANTITY
  
==COPYING IN QUANTITY
+
##MODIFICATIONS
  
==MODIFICATIONS
+
##COMBINING DOCUMENTS
  
==COMBINING DOCUMENTS
+
##COLLECTIONS OF DOCUMENTS
  
==COLLECTIONS OF DOCUMENTS
+
##AGGREGATION WITH INDEPENDENT WORKS
  
==AGGREGATION WITH INDEPENDENT WORKS
+
##TRANSLATION
  
==TRANSLATION
+
##TERMINATION
  
==TERMINATION
+
##FUTURE REVISIONS OF THIS LICENSE
 
+
==FUTURE REVISIONS OF THIS LICENSE
+
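Review bot: the `==`-style heading lines in this diff carry no closing `==` (for example `== Dedication`, `==Editors`, `==FUTURE REVISIONS OF THIS LICENSE`), while `==http://www.ietf.org/rfc/rfc==` does; MediaWiki only treats a line as a heading when the opening and closing runs match, so the unclosed lines render as literal text rather than section headings and the page's `__TOC__` will not list them. Suggest closing each of them (`== Dedication ==`) before keeping that form. Two smaller points visible in the same hunk: the `##http://www.ietf.org/rfc/rfc##` / `==http://www.ietf.org/rfc/rfc==` entry has no RFC number, so it is a placeholder rather than a reference, and `[[Canoncalization, locale and Unicode]]` is misspelled on both sides; since it is a link target, the spelling should only change together with a move of that page.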

Revision as of 07:45, 22 May 2006

Frontispiece

    1. Dedication
    2. Copyright and license
    3. Editors
    4. Authors and Reviewers
    5. Revision History

About The Open Web Application Security Project

    1. Structure and Licensing
    2. Participation and Membership
    3. Projects

Introduction

    1. Developing Secure Applications
    2. Improvements in this edition
    3. How to use this Guide
    4. Updates and errata
    5. With thanks

What are web applications?

    1. Technologies
    2. First generation – CGI
    3. Filters
    4. Scripting
    5. Web application frameworks – J
    6. Small to medium scale applications
    7. Large scale applications
    8. View
    9. Controller
    10. Model
    11. Conclusion

Policy Frameworks

    1. Organizational commitment to security
    2. OWASP’s Place at the Framework table
    3. Development Methodology
    4. Coding Standards
    5. Source Code Control
    6. Summary

Secure Coding Principles

    1. Asset Classification
    2. About attackers
    3. Core pillars of information security
    4. Security Architecture
    5. Security Principles

Threat Risk Modeling

    1. Threat Risk Modeling
    2. Performing threat risk modeling using the Microsoft Threat Modeling Process
    3. Alternative Threat Modeling Systems
    4. Trike
    5. AS/NZS
    6. CVSS
    7. OCTAVE
    8. Conclusion
    9. Further Reading

Handling E-Commerce Payments

    1. Objectives
    2. Compliance and Laws
    3. PCI Compliance
    4. Handling Credit Cards
    5. Further Reading

Phishing

    1. What is phishing?
    2. User Education
    3. Make it easy for your users to report scams
    4. Communicating with customers via e-mail
    5. Never ask your customers for their secrets
    6. Fix all your XSS issues
    7. Do not use pop-ups
    8. Don’t be framed
    9. Move your application one link away from your front page
    10. Enforce local referrers for images and other resources
    11. Keep the address bar, use SSL, do not use IP addresses
    12. Don’t be the source of identity theft
    13. Implement safe-guards within your application
    14. Monitor unusual account activity
    15. Get the phishing target servers offline pronto
    16. Take control of the fraudulent domain name
    17. Work with law enforcement
    18. When an attack happens
    19. Further Reading

Web Services

    1. Securing Web Services
    2. Communication security
    3. Passing credentials
    4. Ensuring message freshness
    5. Protecting message integrity
    6. Protecting message confidentiality
    7. Access control
    8. Audit
    9. Web Services Security Hierarchy
    10. SOAP
    11. WS-Security Standard
    12. WS-Security Building Blocks
    13. Communication Protection Mechanisms
    14. Access Control Mechanisms
    15. Forming Web Service Chains
    16. Available Implementations
    17. Problems
    18. Further Reading

Ajax and Other "Rich" Interface Technologies

    1. Objective
    2. Platforms Affected
    3. Architecture
    4. Access control: Authentication and Authorization
    5. Silent transactional authorization
    6. Untrusted or absent session data
    7. State management
    8. Tamper resistance
    9. Privacy
    10. Proxy Façade
    11. SOAP Injection Attacks
    12. XMLRPC Injection Attacks
    13. DOM Injection Attacks
    14. XML Injection Attacks
    15. JSON (Javascript Object Notation) Injection Attacks
    16. Encoding safety
    17. Auditing
    18. Error Handling
    19. Accessibility
    20. Further Reading

Authentication

    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Common web authentication techniques
    6. Strong Authentication
    7. Federated Authentication
    8. Client side authentication controls
    9. Positive Authentication
    10. Multiple Key Lookups
    11. Referer Checks
    12. Browser remembers passwords
    13. Default accounts
    14. Choice of usernames
    15. Change passwords
    16. Short passwords
    17. Weak password controls
    18. Reversible password encryption
    19. Automated password resets
    20. Brute Force
    21. Remember Me
    22. Idle Timeouts
    23. Logout
    24. Account Expiry
    25. Self registration
    26. CAPTCHA
    27. Further Reading
    28. Authentication

Authorization

    1. Objectives
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Best Practices in Action
    6. Principle of least privilege
    7. Centralized authorization routines
    8. Authorization matrix
    9. Controlling access to protected resources
    10. Protecting access to static resources
    11. Reauthorization for high value activities or after idle out
    12. Time based authorization
    13. Be cautious of custom authorization controls
    14. Never implement client-side authorization tokens
    15. Further Reading

Session Management

    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Description
    5. Best practices
    6. Exposed Session Variables
    7. Page and Form Tokens
    8. Weak Session Cryptographic Algorithms
    9. Session Token Entropy
    10. Session Time-out
    11. Regeneration of Session Tokens
    12. Session Forging/Brute-Forcing Detection and/or Lockout
    13. Session Token Capture and Session Hijacking
    14. Session Tokens on Logout
    15. Session Validation Attacks
    16. PHP
    17. Sessions
    18. Further Reading
    19. Session Management

Data Validation

    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Description
    5. Definitions
    6. Where to include integrity checks
    7. Where to include validation
    8. Where to include business rule validation
    9. Data Validation Strategies
    10. Prevent parameter tampering
    11. Hidden fields
    12. ASP.NET Viewstate
    13. URL encoding
    14. HTML encoding
    15. Encoded strings
    16. Data Validation and Interpreter Injection
    17. Delimiter and special characters
    18. Further Reading

Interpreter Injection

    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. User Agent Injection
    5. HTTP Response Splitting
    6. SQL Injection
    7. ORM Injection
    8. LDAP Injection
    9. XML Injection
    10. Code Injection
    11. Further Reading
    12. SQL-injection
    13. Code Injection
    14. Command injection

Canoncalization, locale and Unicode

    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Description
    5. Unicode
    6. http://www.ietf.org/rfc/rfc##
    7. Input Formats
    8. Locale assertion
    9. Double (or n-) encoding
    10. HTTP Request Smuggling
    11. Further Reading

Error Handling, Auditing and Logging

    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Description
    5. Best practices
    6. Error Handling
    7. Detailed error messages
    8. Logging
    9. Noise
    10. Cover Tracks
    11. False Alarms
    12. Destruction
    13. Audit Trails
    14. Further Reading
    15. Error Handling and Logging

File System

    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Description
    5. Best Practices
    6. Defacement
    7. Path traversal
    8. Insecure permissions
    9. Insecure Indexing
    10. Unmapped files
    11. Temporary files
    12. PHP
    13. Includes and Remote files
    14. File upload
    15. Old, unreferenced files
    16. Second Order Injection
    17. Further Reading
    18. File System

Distributed Computing

    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Race conditions
    6. Distributed synchronization
    7. Further Reading

Buffer Overflows

    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Description
    5. General Prevention Techniques
    6. Stack Overflow
    7. Heap Overflow
    8. Format String
    9. Unicode Overflow
    10. Integer Overflow
    11. Further reading

Administrative Interface

    1. Objective
    2. Environments Affected
    3. Relevant COBIT Topics
    4. Best practices
    5. Administrators are not users
    6. Authentication for high value systems
    7. Further Reading

Cryptography

    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Description
    5. Cryptographic Functions
    6. Cryptographic Algorithms
    7. Algorithm Selection
    8. Key Storage
    9. Insecure transmission of secrets
    10. Reversible Authentication Tokens
    11. Safe UUID generation
    12. Summary
    13. Further Reading
    14. Cryptography

Configuration

    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Default passwords
    6. Secure connection strings
    7. Secure network transmission
    8. Encrypted data
    9. PHP Configuration
    10. Global variables
    11. register_globals
    12. Database security
    13. Further Reading
    14. ColdFusion Components (CFCs)
    15. Configuration

Software Quality Assurance

    1. Objective
    2. Platforms Affected
    3. Best practices
    4. Process
    5. Metrics
    6. Testing Activities

Deployment

    1. Objective
    2. Platforms Affected
    3. Best Practices
    4. Release Management
    5. Secure delivery of code
    6. Code signing
    7. Permissions are set to least privilege
    8. Automated packaging
    9. Automated deployment
    10. Automated removal
    11. No backup or old files
    12. Unnecessary features are off by default
    13. Setup log files are clean
    14. No default accounts
    15. Easter eggs
    16. Malicious software
    17. Further Reading

Maintenance

    1. Objective
    2. Platforms Affected
    3. Relevant COBIT Topics
    4. Best Practices
    5. Security Incident Response
    6. Fix Security Issues Correctly
    7. Update Notifications
    8. Regularly check permissions
    9. Further Reading
    10. Maintenance

GNU Free Documentation License

    1. PREAMBLE
    2. APPLICABILITY AND DEFINITIONS
    3. VERBATIM COPYING
    4. COPYING IN QUANTITY
    5. MODIFICATIONS
    6. COMBINING DOCUMENTS
    7. COLLECTIONS OF DOCUMENTS
    8. AGGREGATION WITH INDEPENDENT WORKS
    9. TRANSLATION
    10. TERMINATION
    11. FUTURE REVISIONS OF THIS LICENSE