Difference between revisions of "OWASP Cheat Sheet Series"

From OWASP
Jump to: navigation, search
m (Header swapped / Fixed CC3 logo)
(News and Events)
 
(30 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
= Main =  
 
= Main =  
 +
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
Line 8: Line 9:
  
 
If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:jim.manico@owasp.org Jim Manico] or subscribe to our [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets project email list].
 
If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:jim.manico@owasp.org Jim Manico] or subscribe to our [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets project email list].
 +
 +
== Authors ==
 +
 +
Project Leader: [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br/>
 +
Contributors: Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall and <b>many more</b>!
  
 
== OWASP Cheat Sheets ==
 
== OWASP Cheat Sheets ==
Line 13: Line 19:
 
{{Cheatsheet_Navigation_Body}}
 
{{Cheatsheet_Navigation_Body}}
  
== Licensing ==
+
| valign="top"  style="padding-left:25px;width:200px;" |
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].
+
  
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
== Quick Access ==
 
+
OWASP Cheatsheet Series Book : April 2015 [https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf PDF download].
== What is this? ==
+
 
+
The OWASP Cheat Sheet Series is a concise collection of high value information on specific web application security topics.
+
  
 
== Email List ==
 
== Email List ==
 
 
[https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets Project Email List]
 
[https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets Project Email List]
  
== Project Leader ==
+
== Licensing ==
 
+
The OWASP <i>Cheat Sheet Series</i> is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].
Project Leader:<br/>[https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br/>
+
<br/>
+
Contributors: <br/>
+
Michael Coates<br/>
+
Jeff Williams<br/>
+
Dave Wichers<br/>
+
Kevin Wall<br/>
+
Jeffrey Walton<br/>
+
Eric Sheridan<br/>
+
Kevin Kenan<br/>
+
David Rook<br/>
+
Fred Donovan<br/>
+
Abraham Kang<br/>
+
Dave Ferguson<br/>
+
Shreeraj Shah<br/>
+
Raul Siles<br/>
+
Colin Watson<br/>
+
.. and many more!
+
  
 
== Related Projects ==
 
== Related Projects ==
 
 
* [[OWASP Proactive Controls]]
 
* [[OWASP Proactive Controls]]
 
+
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
| valign="top"  style="padding-left:25px;width:200px;" |
+
  
 
== News and Events ==
 
== News and Events ==
* [Feb 4 2014] New Wiki Template!
+
* [Feb 6 2016] New navigation template rolled out project-wide
 +
* [Jun 11 2015] [https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet SAML Cheat Sheet] added to project
 +
* [Feb 11 2015] [https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf Cheat Sheet "book"] added to project
 +
* [Apr 4 2014] All non-draft cheat sheets moved to new wiki template!
 +
* [Feb 4 2014] Project-wide cleanup started
  
 
==Classifications==
 
==Classifications==
Line 60: Line 45:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
+
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Labs_Projects]]
 
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
 
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
 
   |-
 
   |-
Line 127: Line 112:
 
= Roadmap =
 
= Roadmap =
  
* By June 2014 : Bring Access Control, Business Logic and four other draft cheat sheets into release status
+
* Bring all cheat sheets out of draft by June 2016
* By End of 2014: Do an editorial pass of all cheat-sheets and release a print publication
+
 
+
= About=
+
 
+
{{:Projects/OWASP Cheat Sheets Project | Project About}}
+
  
 
__NOTOC__ <headertabs />
 
__NOTOC__ <headertabs />
Line 139: Line 119:
 
[[Category:OWASP_Document]]
 
[[Category:OWASP_Document]]
 
[[Category:OWASP_Alpha_Quality_Document]]
 
[[Category:OWASP_Alpha_Quality_Document]]
 +
[[Category:SAMM-EG-1]]

Latest revision as of 03:35, 7 February 2016

[edit]

Lab big.jpg
Cheatsheets-header.jpg

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.

If you have any questions about the OWASP Cheat Sheet Series, please email the project leader Jim Manico or subscribe to our project email list.

Authors

Project Leader: Jim Manico @
Contributors: Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall and many more!

OWASP Cheat Sheets

Quick Access

OWASP Cheatsheet Series Book : April 2015 PDF download.

Email List

Project Email List

Licensing

The OWASP Cheat Sheet Series is free to use under the Creative Commons ShareAlike 3 License.

Related Projects

News and Events

  • [Feb 6 2016] New navigation template rolled out project-wide
  • [Jun 11 2015] SAML Cheat Sheet added to project
  • [Feb 11 2015] Cheat Sheet "book" added to project
  • [Apr 4 2014] All non-draft cheat sheets moved to new wiki template!
  • [Feb 4 2014] Project-wide cleanup started

Classifications

Owasp-labs-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

Authentication

Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.

For more information, check Authentication Cheat Sheet

Session Management

Use secure session management practices that ensure that users authenticated users have a robust and cryptographically secure association with their session.

For more information, check Session Management Cheat Sheet

Access Control

Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare a ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.

For more information, check Access Control Cheat Sheet

Input Validation

Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.

For more information, check Input Validation Cheat Sheet

Output Encoding

Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.

For more information, check XSS (Cross Site Scripting) Prevention Cheat Sheet.

Cross Domain

Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts.

For more information, check Cross Site Request Forgery

Secure Transmission

Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP.

For more information, check Transport Protection Cheat Sheet

Logging

Ensure that all the security related events are logged. Events include: User log-in (success/fail); view; update; create, delete, file upload/download, attempt to access through URL, URL tampering. Audit logs should be immutable and write only and must be protected from unauthorized access.

For more information, check Logging Cheat Sheet

Uploads

Ensure that the size, type, contents and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.

  • Bring all cheat sheets out of draft by June 2016