Difference between revisions of "OWASP Cheat Sheet Series"

From OWASP
Jump to: navigation, search
m (Add Serverless CS to the roadmap)
m (Add section "Bridge between the projects OWASP Proactive Controls and OWASP Cheat Sheet Series")
(5 intermediate revisions by the same user not shown)
Line 13: Line 13:
 
If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:jim.manico@owasp.org Jim Manico], subscribe to our [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets project email list] or contact us on the project's Slack channel.
 
If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:jim.manico@owasp.org Jim Manico], subscribe to our [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets project email list] or contact us on the project's Slack channel.
  
== Important notice about project cleanup ==
+
== Bridge between the projects OWASP Proactive Controls and OWASP Cheat Sheet Series ==
  
In order to made the collection of Cheat Sheet more consistant and more easy to maintains, we have decided to remove a set of CS.
+
A work channel has been created between these 2 projects using the following process (''OPC = OWASP Proactive Controls / OCS = OWASP Cheat Sheet''):
  
 +
* When a Cheat Sheet is missing for a Control in OPC then the OCS will handle the missing and create one. When the Cheat Sheet is ready then the reference is added by OPC.
 +
* If a Cheat Sheet exists for an OPC Control but the content do not provide the expected help about the Control then the Cheat Sheet is updated to provide the content needed/expected by the Control.
  
The set have been defined using the following criteria:
+
The reason of the creation of this bridge is to add more consistency to the OCS project by providing it:
* The CS is in draft since a long time (at least 1 year).
 
* The current content of the CS do not bring a direct pragmatic/practical added value to developers or architects.
 
  
 +
* A consistent source for the requests regarding new Cheat Sheets.
 +
* Same approach about the update of the existing Cheat Sheets.
 +
* A usage context for the Cheat Sheet and a quick source of feedack about the quality and the efficiency of the Cheat Sheet.
  
'''If you want to cancel the removal of a CS then contact the project leaders using Mail or Slack channel.'''
+
It is not mandatory that a request for a new Cheat Sheet (or for an update) come only from OPC but it will become, with the time, the main input source.
  
 
+
<pre>Requests from OPC are flagged with the label "OWASP Proactive Controls Request" in the roadmap in order to identify them and set them as a top level priority.</pre>
'''We let 1 month to the community to contact us before to start the cleanup.'''
 
 
 
 
 
The set is composed by the following CS:
 
* [[AJAX_Security_Cheat_Sheet]]
 
** Content do not bring useful infos.
 
* [[Authentication_Cheat_Sheet_Espa%C3%B1ol]]
 
** We have an english version.
 
* [[Denial_of_Service_Cheat_Sheet]]
 
** DOS should be handled by a dedicated external service or device.
 
* [[DRAFT_Denial_of_Service_Cheat_Sheet]]
 
** Draft
 
* [[OWASP_Top_Ten_Cheat_Sheet]]
 
** Usage of the OWASP TOP 10 is preferred.
 
* [[Query_Parameterization_Cheat_Sheet_(Hawaiian_Pidgin_English)]]
 
** We have an english version.
 
* [[Secure_Coding_Cheat_Sheet]]
 
** Usage of OWASP ASVS and MASVS is preferred.
 
* [[Secure_SDLC_Cheat_Sheet]]
 
** Usage of OWASP Open SAMM is preferred.
 
* [[Security_Testing_Cheat_Sheet]]
 
** Usage of OWASP OTG and MSTG is preferred.
 
* [[Threat_Modeling_Cheat_Sheet]]
 
** Usage of OWASP Threat Dragon or dedicated OWASP project is preferred.
 
* [[Web_Application_Security_Testing_Cheat_Sheet]]
 
** Usage of OWASP OTG and MSTG is preferred.
 
* [[Web_Service_Security_Cheat_Sheet]]
 
** Same remark like above.
 
* [[Web_Service_Security_Testing_Cheat_Sheet]]
 
** Same remark like above.
 
* [[Application_Security_Architecture_Cheat_Sheet]]
 
** Draft.
 
* [[AppSensor_Cheat_Sheet]]
 
** Draft.
 
* [[Business_Logic_Security_Cheat_Sheet]]
 
** Draft.
 
* [[Grails_Secure_Code_Review_Cheat_Sheet]]
 
** Draft.
 
* [[PHP_Security_Cheat_Sheet]]
 
** Draft.
 
  
 
== Authors ==
 
== Authors ==
Line 124: Line 87:
 
== News and Events ==
 
== News and Events ==
  
 +
* [Aug 25 2018] Cleanup of Cheat Sheets finished
 
* [Jul 15 2018] [[Error_Handling_Cheat_Sheet|Error Handling Cheat Sheet]] added to project
 
* [Jul 15 2018] [[Error_Handling_Cheat_Sheet|Error Handling Cheat Sheet]] added to project
 
* [Jun 12 2018] Made available the PDF book of all Cheat Sheets
 
* [Jun 12 2018] Made available the PDF book of all Cheat Sheets
Line 207: Line 171:
 
* Go through the cheat sheets to make sure what they recommend is consistent with ASVS.
 
* Go through the cheat sheets to make sure what they recommend is consistent with ASVS.
 
* Move all code snippets of CS from '''pre''' tag to '''syntaxhighlight''' tag to enhance CS readability.
 
* Move all code snippets of CS from '''pre''' tag to '''syntaxhighlight''' tag to enhance CS readability.
* Find a way to automate the generation of a PDF referential file gathering all CS (<span style="background:#008000;color:#ffffff">Work in progress by Dominique Righetto</span>).
 
 
* Go through the cheat sheets to make sure they follow the CS guideline.
 
* Go through the cheat sheets to make sure they follow the CS guideline.
 
* Create branding stickers for the project.
 
* Create branding stickers for the project.
Line 215: Line 178:
 
'''Next work on Cheat Sheets (CS) and work assignment:'''
 
'''Next work on Cheat Sheets (CS) and work assignment:'''
  
* [[Ruby_on_Rails_Cheatsheet|Ruby On Rails]] CS:  
+
Roadmap is now managed via this [https://trello.com/b/w020m3jQ Trello Board].
** '''Action:''' CS complete refactoring.
+
 
** '''People in charge:''' Zaur Molotnikov.
+
If you want to contribute on a CS, please create a [https://trello.com/signup Trello account] and notify the project leaders (by Email or by Slack) in order that we affect you on a CS task (represented as a Trello Card).
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
 
* General OAuth introduction CS:
 
** '''Action:''' Create it.
 
** '''People in charge:''' Simon Bennetts & Jim Manico.
 
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
 
* OAuth and OIDC for SPA Applications CS:
 
** '''Action:''' Create it.
 
** '''People in charge:''' Simon Bennetts & Jim Manico.
 
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
 
* [[Credential_Stuffing_Prevention_Cheat_Sheet|Credential Stuffing Prevention]] CS:
 
** '''Action:''' Refresh it.
 
** '''People in charge:''' Michael Coates & Jim Manico.
 
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
 
* Serverless CS:
 
** '''Action:''' Create it.
 
** '''People in charge:''' Paul Ionescu.
 
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
 
* Server Side Request Forgery Defense CS:
 
** '''Action:''' Create it.
 
** '''People in charge:''' Not assigned.
 
** '''Status:''' <span style="background:#ff9933;color:#ffffff">In backlog</span>.
 
* [[Forgot_Password_Cheat_Sheet|Forgot Password]] CS:
 
** '''Action:''' Add a POC in order to provide actionable code.
 
** '''People in charge:''' Not assigned.
 
** '''Status:''' <span style="background:#ff9933;color:#ffffff">In backlog</span>.
 
* [[OS_Command_Injection_Defense_Cheat_Sheet|OS Command Injection Defense]] CS:
 
** '''Action:''' Add information about system command escaping.
 
** '''People in charge:''' Not assigned.
 
** '''Status:''' <span style="background:#ff9933;color:#ffffff">In backlog</span>.
 
* Best practices about security handling in a Source Code Management system (ex: GitHub, GitLab, Bitbucket...) CS:
 
** '''Action:''' Create it.
 
** '''People in charge:''' Not assigned.
 
** '''Status:''' <span style="background:#ff9933;color:#ffffff">In backlog</span>.
 
** '''Sources (among others):''' https://snyk.io/blog/ten-git-hub-security-best-practices/
 
** '''SNYK source usage authorization:''' https://twitter.com/righettod/status/1006558576289177600
 
  
 
= Cheat sheet Guideline =
 
= Cheat sheet Guideline =

Revision as of 04:21, 2 September 2018

Lab big.jpg
Cheatsheets-header.jpg

Our goal

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.


If you have any questions about the OWASP Cheat Sheet Series, please email the project leader Jim Manico, subscribe to our project email list or contact us on the project's Slack channel.

Bridge between the projects OWASP Proactive Controls and OWASP Cheat Sheet Series

A work channel has been created between these 2 projects using the following process (OPC = OWASP Proactive Controls / OCS = OWASP Cheat Sheet):

  • When a Cheat Sheet is missing for a Control in OPC then the OCS will handle the missing and create one. When the Cheat Sheet is ready then the reference is added by OPC.
  • If a Cheat Sheet exists for an OPC Control but the content do not provide the expected help about the Control then the Cheat Sheet is updated to provide the content needed/expected by the Control.

The reason of the creation of this bridge is to add more consistency to the OCS project by providing it:

  • A consistent source for the requests regarding new Cheat Sheets.
  • Same approach about the update of the existing Cheat Sheets.
  • A usage context for the Cheat Sheet and a quick source of feedack about the quality and the efficiency of the Cheat Sheet.

It is not mandatory that a request for a new Cheat Sheet (or for an update) come only from OPC but it will become, with the time, the main input source.

Requests from OPC are flagged with the label "OWASP Proactive Controls Request" in the roadmap in order to identify them and set them as a top level priority.

Authors

Project Leaders: Jim Manico and Dominique Righetto @


Contributors: Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov and many more!


OWASP Cheat Sheets

Classifications

Lab Project Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

Slack & Twitter

Slack channel information:

  • Server owasp.slack.com
  • Channel cheatsheets

Twitter hash tag: #owaspcheatsheetseries

Book

A PDF book of all Cheat Sheets can be downloaded here.

Email List

Project Email List

Licensing

The OWASP Cheat Sheet Series is free to use under the Creative Commons ShareAlike 3 License.

Related Projects

News and Events


Authentication

Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.

For more information, check Authentication Cheat Sheet

Session Management

Use secure session management practices that ensure that authenticated users have a robust and cryptographically secure association with their session.

For more information, check Session Management Cheat Sheet

Access Control

Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare an ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.

For more information, check Access Control Cheat Sheet

Input Validation

Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.

For more information, check Input Validation Cheat Sheet

Output Encoding

Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.

For more information, check XSS (Cross Site Scripting) Prevention Cheat Sheet.

Cross Domain

Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts.

For more information, check Cross Site Request Forgery

Secure Transmission

Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP.

For more information, check Transport Protection Cheat Sheet

Logging

Ensure that all the security related events are logged. Events include: User log-in (success/fail); view; update; create, delete, file upload/download, attempt to access through URL, URL tampering. Audit logs should be immutable and write only and must be protected from unauthorized access.

For more information, check Logging Cheat Sheet

Uploads

Ensure that the size, type, contents, and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.

For more information, check https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#File_Uploads

Global:

  • Bring all cheat sheets out of draft fin end of 2018.
  • Go through the cheat sheets to make sure what they recommend is consistent with ASVS.
  • Move all code snippets of CS from pre tag to syntaxhighlight tag to enhance CS readability.
  • Go through the cheat sheets to make sure they follow the CS guideline.
  • Create branding stickers for the project.
  • Remove CS that that do not bring added value.


Next work on Cheat Sheets (CS) and work assignment:

Roadmap is now managed via this Trello Board.

If you want to contribute on a CS, please create a Trello account and notify the project leaders (by Email or by Slack) in order that we affect you on a CS task (represented as a Trello Card).

Cheat sheet content

The key points that all cheat sheets (called CS) must provides are the following:

  1. Address a single topic (ex: password storage, OS command injection, REST service, CSRF, HTML5 new features security...).
  2. Be concise and focused: A cheat sheet must be directly actionable (a CS is not a guide) and must be directly useful for a developer.
  3. Do not re-address topic handled by others CS. In this case, the target CS will be enhanced with missing points.
  4. When applicable, provide a solution proposal implementation through a full documented POC on a public well know Git repository (GitHub is highly prefered), the POC can be used as a playground for a developer wanting to play/evaluate your solution proposal.

Cheat sheet structure

A CS must have these sections:

  1. Introduction: Provide high level information about the topic in order to introduce it to people that do not know it. You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS. You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file.
  2. Context: Describe the security issues that are bring or commonly meet when someone must work on this topic.
  3. Objective: Describe the objective of the CS. What the CS will bring to the reader?
  4. Proposition:
    1. Describe how to address the security issues in a possible technology agnostic approach.
    2. Using your POC, describe your solution proposal in the more teaching possible way.
  5. Sources of the prototype: Add pointer to the public GitHub repository on which the source code of POC is hosted.


For the code snippet, use the mediawiki tag syntaxhighlight:


If you want to be careful in order to prevent to break something in the target existing CS, you can follow this contribution procedure:

  1. Take a copy of the CS that you want to enhance (mediawiki syntax in the source tab).
  2. Add your enhancement and publish the updated CS on the same GitHub repository than your POC (it support the mediawiki syntax).
  3. Notify the CS Community using this mailing list and the CS Community will review the CS using GitHub comments system.
  4. When the feedback loop is finished, the CS Community will help you to have right access to the wiki in order to update the CS.

Cheat sheet template

If the target CS is a new one then please use the following template struture.

It allow you to work:

  • Online by using the wiki Show preview option.
  • Offline by using an text editor like Atom with the mediawiki plugin.
__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

__TOC__{{TOC hidden}}

= Introduction =

<pre>
Provide high level information about the topic in order to introduce it to people that do not know it.
You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS.
You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file.
</pre>

= Context =

<pre>
Describe the security issues that are bring or commonly meet when someone must work on this topic.
</pre>

= Objective =

<pre>
Describe the objective of the CS.
What the CS will bring to the reader.
</pre>

= Proposition =

<pre>
1. Describe how to address the security issues in a possible technology agnostic approach.
2. Using your POC, describe your solution proposal in the more teaching possible way. Use "syntaxhighlight" tag for code snippet.
</pre>

= Sources of the prototype =

<pre>
Add pointer to the public GitHub repository on which the source code of POC is hosted.
</pre>

= Authors and Primary Editors =

<pre>
Add your name and email.
</pre>

= Other Cheatsheets =

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]