Difference between revisions of "OWASP Cheat Sheet Series"

From OWASP
Jump to: navigation, search
m (Add migration event)
m (Prepare release)
Line 10: Line 10:
 
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.
 
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.
  
 +
If you have any questions about the OWASP Cheat Sheet Series, please email the project leaders [mailto:jim.manico@owasp.org Jim Manico] or [mailto:dominique.righetto@owasp.org Dominique Righetto], contact us on the project's Slack channel or on our [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets project email list] (Slack is highly preferred over the email list).
  
If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:jim.manico@owasp.org Jim Manico], subscribe to our [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets project email list] or contact us on the project's Slack channel.
+
== Migration to GitHub ==
  
== Migration pending ==
+
Project has been fully migrated to [https://github.com/OWASP/CheatSheetSeries GitHub].
  
A mass conversion from Mediawiki to GitHub flavored Markdown format has been performed on '''26th of december 2018''' on all OWASP wiki pages flagged as [https://www.owasp.org/index.php/Category:Cheatsheets Cheatsheets].
+
This page is used as the OWASP homepage of the project, all the project content is hosted on the [https://github.com/OWASP/CheatSheetSeries GitHub repository] and we work '''only from''' this repository, '''wiki is not used anymore'''.
  
'''Cheat Sheets content is now frozen from this date''':
+
So, from now, only a GitHub account is needed to contribute :)
  
* No modification will be performed anymore on the wiki content.
+
== Bridge between the projects OWASP Proactive Controls/OWASP Application Security Verification Standard and OWASP Cheat Sheet Series ==
* Any modification will be made on the project [https://github.com/OWASP/CheatSheetSeries GitHub official repository] using the contribution issue templates defined in this repository.
 
  
== Bridge between the projects OWASP Proactive Controls and OWASP Cheat Sheet Series ==
+
A work channel has been created between these 2 projects and the Cheat Sheet Series using the following process (''OPC = OWASP Proactive Controls / OASVS = OWASP Application Security Verification Standard / OCS = OWASP Cheat Sheet''):
  
A work channel has been created between these 2 projects using the following process (''OPC = OWASP Proactive Controls / OCS = OWASP Cheat Sheet''):
+
* When a Cheat Sheet is missing for a point in OPC/OASVS then the OCS will handle the missing and create one. When the Cheat Sheet is ready then the reference is added by OPC/OASVS.
 +
* If a Cheat Sheet exists for an OPC/OASVS point but the content do not provide the expected help then the Cheat Sheet is updated to provide the content needed/expected.
  
* When a Cheat Sheet is missing for a Control in OPC then the OCS will handle the missing and create one. When the Cheat Sheet is ready then the reference is added by OPC.
+
The reason of the creation of this bridge is to help the OCS/OASVS projects by providing them:
* If a Cheat Sheet exists for an OPC Control but the content do not provide the expected help about the Control then the Cheat Sheet is updated to provide the content needed/expected by the Control.
 
 
 
The reason of the creation of this bridge is to add more consistency to the OCS project by providing it:
 
  
 
* A consistent source for the requests regarding new Cheat Sheets.
 
* A consistent source for the requests regarding new Cheat Sheets.
Line 35: Line 33:
 
* A usage context for the Cheat Sheet and a quick source of feedack about the quality and the efficiency of the Cheat Sheet.
 
* A usage context for the Cheat Sheet and a quick source of feedack about the quality and the efficiency of the Cheat Sheet.
  
It is not mandatory that a request for a new Cheat Sheet (or for an update) come only from OPC but it will become, with the time, the main input source.
+
It is not mandatory that a request for a new Cheat Sheet (or for an update) come only from OPC/OASVS, it is just a extra channel.
  
<pre>Requests from OPC are flagged with the label "OWASP Proactive Controls Request" in the roadmap in order to identify them and set them as a top level priority.</pre>
+
<pre>Requests from OPC/OASVS are flagged with a special label in the GitHub repository issues list in order to identify them and set them as a top level priority.</pre>
  
 
== Project Leaders ==
 
== Project Leaders ==
Line 44: Line 42:
 
* [https://www.owasp.org/index.php/User:Dominique_RIGHETTO Dominique Righetto] [mailto:dominique.righetto@owasp.org @]
 
* [https://www.owasp.org/index.php/User:Dominique_RIGHETTO Dominique Righetto] [mailto:dominique.righetto@owasp.org @]
  
== Contributors ==  
+
== Contributors of the V1 of the project ==  
  
 
Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov, Manideep Konakandla, Santhosh Tuppad and '''many more'''!
 
Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov, Manideep Konakandla, Santhosh Tuppad and '''many more'''!
 +
 +
== Contributors of the V2 of the project ==
 +
 +
See [https://github.com/OWASP/CheatSheetSeries/graphs/contributors here] for a complete list.
  
 
== OWASP Cheat Sheets ==
 
== OWASP Cheat Sheets ==
Line 54: Line 56:
 
| valign="top"  style="padding-left:25px;width:200px;" |
 
| valign="top"  style="padding-left:25px;width:200px;" |
  
== Classifications ==
+
== GitHub repository ==
  
  {| width="200" cellpadding="2"
+
Repository is [https://github.com/OWASP/CheatSheetSeries here].
  |-
+
 
  | rowspan="3" align="center" valign="top" width="50%" | [[File:Midlevel_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects|Lab Project]]
+
== Offline Cheat Sheets collection ==
  | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] 
+
 
  |-
+
A offline website of all Cheat Sheets can be obtained [https://github.com/OWASP/CheatSheetSeries#offline-website here].
  | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
 
  |-
 
  | align="center" valign="center" width="50%" |
 
  |-
 
  | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
  |-
 
  | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
 
  |}
 
  
 
== Slack & Twitter ==
 
== Slack & Twitter ==
Line 77: Line 71:
  
 
Twitter hash tag: '''#[https://twitter.com/search?q=%23owaspcheatsheetseries&src=typd owaspcheatsheetseries]'''
 
Twitter hash tag: '''#[https://twitter.com/search?q=%23owaspcheatsheetseries&src=typd owaspcheatsheetseries]'''
 
== Book ==
 
 
A PDF book of all Cheat Sheets can be downloaded [https://github.com/righettod/owasp-cs-book/releases here].
 
  
 
== Email List ==
 
== Email List ==
Line 86: Line 76:
 
[https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets Project Email List]
 
[https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets Project Email List]
  
Still used for technical discussion but we highly prefer:
+
Still used for technical discussion '''but we highly prefer''':
 
* The Slack channel for announcement and technical discussion.
 
* The Slack channel for announcement and technical discussion.
 
* The Twitter hash tag for announcement only.
 
* The Twitter hash tag for announcement only.
 +
 +
== Project classifications ==
 +
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | rowspan="3" align="center" valign="top" width="50%" | [[File:Midlevel_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects|Lab Project]]
 +
  | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] 
 +
  |-
 +
  | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
 +
  |-
 +
  | align="center" valign="center" width="50%" |
 +
  |-
 +
  | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
 +
  |}
  
 
== Licensing ==
 
== Licensing ==
Line 100: Line 106:
  
 
== News and Events ==
 
== News and Events ==
 +
* [Feb 22 2019] Migration to [https://github.com/OWASP/CheatSheetSeries GitHub] finished.
 
* [Dec 28 2018] Start migration of the cheat sheets collection to [https://github.com/OWASP/CheatSheetSeries GitHub].
 
* [Dec 28 2018] Start migration of the cheat sheets collection to [https://github.com/OWASP/CheatSheetSeries GitHub].
 
* [Dec 01 2018] [[Injection_Prevention_Cheat_Sheet_in_Java|Injection Prevention Cheat Sheet in Java]] updated
 
* [Dec 01 2018] [[Injection_Prevention_Cheat_Sheet_in_Java|Injection Prevention Cheat Sheet in Java]] updated
Line 127: Line 134:
  
 
|}
 
|}
 
= Master Cheat Sheet =
 
 
==Authentication==
 
Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.
 
 
For more information, check [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet]
 
 
==Session Management==
 
 
Use secure session management practices that ensure that authenticated users have a robust and cryptographically secure association with their session.
 
 
For more information, check [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet Session Management Cheat Sheet]
 
 
==Access Control==
 
 
Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare an ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.
 
 
For more information, check [https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Access Control Cheat Sheet]
 
 
==Input Validation==
 
 
Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.
 
 
For more information, check [https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet Input Validation Cheat Sheet]
 
 
==Output Encoding==
 
 
Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.
 
 
For more information, check [https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet XSS (Cross Site Scripting) Prevention Cheat Sheet].
 
 
==Cross Domain==
 
 
Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts.
 
 
For more information, check [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet Cross Site Request Forgery]
 
 
==Secure Transmission==
 
 
Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP.
 
 
For more information, check [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Protection Cheat Sheet]
 
 
==Logging==
 
 
Ensure that all the security related events are logged. Events include: User log-in (success/fail); view; update; create, delete, file upload/download, attempt to access through URL, URL tampering. Audit logs should be immutable and write only and must be protected from unauthorized access.
 
 
For more information, check [https://www.owasp.org/index.php/Logging_Cheat_Sheet Logging Cheat Sheet]
 
 
==Uploads==
 
 
Ensure that the size, type, contents, and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.
 
 
For more information, check https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#File_Uploads
 
  
 
= Roadmap =
 
= Roadmap =
  
'''For 2019:'''
+
Roadmap is managed using the [https://github.com/OWASP/CheatSheetSeries/projects/1 GitHub feature] of the repository.
 
 
# Move the entire project to an OWASP owned GITHUB project: We will follow the same approach than the one use by the OWASP MSTG project.
 
#* Made the CS more readable and more efficient possible for the reader.
 
#* Review the PDF book generation process because the rendering is not OK for all.
 
#* Enhance the management of the delivery planning and process for the CS.
 
# Ensure that the all controls points of the OWASP Proactive Controls project are covered by different cheat sheet.
 
# Same thing for the OWASP Application Security Verification Standard project.
 
# Create a "marketing" PowerPoint presentation in order to allow any people to talk about the project during an event.
 
 
 
'''Cheat Sheet delivery planning management:'''
 
 
 
Delivery planning is now managed via this [https://trello.com/b/w020m3jQ Trello Board].
 
 
 
If you want to contribute on a CS, please create a [https://trello.com/signup Trello account] and notify the project leaders (by Email or by Slack) in order that we initiate the delivery process together.
 
 
 
= Cheat sheet Guideline =
 
 
 
== Cheat sheet creation workflow ==
 
 
 
[[File:NewCheatSheetCreationWorkflow.png|center]]
 
 
 
Note:
 
* The schema has been created using https://www.draw.io site.
 
* XML source file of the schema is [[Media:NewCheatSheetCreationWorkflow.zip|here]], use this file to edit the schema with Draw.io site.
 
 
 
== Cheat sheet content ==
 
 
 
The key points that all cheat sheets (called '''CS''') must provides are the following:
 
 
 
# Address a single topic (ex: password storage, OS command injection, REST service, CSRF, HTML5 new features security...).
 
# Be concise and focused: A cheat sheet must be directly actionable (a CS is not a guide) and must be directly useful for a developer.
 
# Do not re-address topic handled by others CS. In this case, the target CS will be enhanced with missing points.
 
# When applicable, provide a solution proposal implementation through a full documented POC on a public well know Git repository (GitHub is highly prefered), the POC can be used as a '''playground''' for a developer wanting to play/evaluate your solution proposal.
 
 
 
== Cheat sheet structure ==
 
 
 
A CS must have these sections:
 
 
 
# '''Introduction''': Provide high level information about the topic in order to introduce it to people that do not know it. You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS. You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file.
 
# '''Context''': Describe the security issues that are bring or commonly meet when someone must work on this topic.
 
# '''Objective''': Describe the objective of the CS. What the CS will bring to the reader?
 
# '''Proposition''':
 
## Describe how to address the security issues in a possible technology agnostic approach.
 
## Using your POC, describe your solution proposal in the more teaching possible way.
 
# '''Sources of the prototype''': Add pointer to the public GitHub repository on which the source code of POC is hosted.
 
 
 
 
 
For the code snippet, use the mediawiki tag '''syntaxhighlight''':
 
* Tag [https://www.mediawiki.org/wiki/Extension:SyntaxHighlight documentation].
 
* Supported [http://pygments.org/languages languages].
 
 
 
 
 
If you want to be careful in order to prevent to break something in the target existing CS, you can follow this contribution procedure:
 
# Take a copy of the CS that you want to enhance (mediawiki syntax in the source tab).
 
# Add your enhancement and publish the updated CS on the same GitHub repository than your POC (it support the mediawiki syntax).
 
# Notify the CS Community using this mailing [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets list] and the CS Community will review the CS using GitHub comments system.
 
# When the feedback loop is finished, the CS Community will help you to have right access to the wiki in order to update the CS.
 
 
 
== Cheat sheet template ==
 
 
 
If the target CS is a new one then please use the following template struture.
 
 
 
It allow you to work:
 
* Online by using the wiki ''Show preview'' option.
 
* Offline by using an text editor like:
 
** [https://atom.io/ Atom] with the [https://atom.io/packages/language-mediawiki mediawiki plugin].
 
** [https://wiki.gnome.org/Apps/Gedit Gedit] with the [https://github.com/jpfleury/gedit-mediawiki syntax highlighting] extension.
 
 
 
<syntaxhighlight lang="html" highlight="10,18,24,31,38,44">
 
__NOTOC__
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
 
 
__TOC__{{TOC hidden}}
 
 
 
= Introduction =
 
 
 
<pre>
 
Provide high level information about the topic in order to introduce it to people that do not know it.
 
You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS.
 
You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file.
 
</pre>
 
 
 
= Context =
 
 
 
<pre>
 
Describe the security issues that are bring or commonly meet when someone must work on this topic.
 
</pre>
 
 
 
= Objective =
 
 
 
<pre>
 
Describe the objective of the CS.
 
What the CS will bring to the reader.
 
</pre>
 
 
 
= Proposition =
 
 
 
<pre>
 
1. Describe how to address the security issues in a possible technology agnostic approach.
 
2. Using your POC, describe your solution proposal in the more teaching possible way. Use "syntaxhighlight" tag for code snippet.
 
</pre>
 
 
 
= Sources of the prototype =
 
 
 
<pre>
 
Add pointer to the public GitHub repository on which the source code of POC is hosted.
 
</pre>
 
 
 
= Authors and Primary Editors =
 
 
 
<pre>
 
Add your name and email.
 
</pre>
 
 
 
= Other Cheatsheets =
 
 
 
{{Cheatsheet_Navigation_Body}}
 
 
 
|}
 
 
 
[[Category:Cheatsheets]]
 
</syntaxhighlight>
 
  
 
= Project Logo =
 
= Project Logo =

Revision as of 00:00, 22 February 2019

Lab big.jpg
Cheatsheets-header.jpg

Our goal

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.

If you have any questions about the OWASP Cheat Sheet Series, please email the project leaders Jim Manico or Dominique Righetto, contact us on the project's Slack channel or on our project email list (Slack is highly preferred over the email list).

Migration to GitHub

Project has been fully migrated to GitHub.

This page is used as the OWASP homepage of the project, all the project content is hosted on the GitHub repository and we work only from this repository, wiki is not used anymore.

So, from now, only a GitHub account is needed to contribute :)

Bridge between the projects OWASP Proactive Controls/OWASP Application Security Verification Standard and OWASP Cheat Sheet Series

A work channel has been created between these 2 projects and the Cheat Sheet Series using the following process (OPC = OWASP Proactive Controls / OASVS = OWASP Application Security Verification Standard / OCS = OWASP Cheat Sheet):

  • When a Cheat Sheet is missing for a point in OPC/OASVS then the OCS will handle the missing and create one. When the Cheat Sheet is ready then the reference is added by OPC/OASVS.
  • If a Cheat Sheet exists for an OPC/OASVS point but the content do not provide the expected help then the Cheat Sheet is updated to provide the content needed/expected.

The reason of the creation of this bridge is to help the OCS/OASVS projects by providing them:

  • A consistent source for the requests regarding new Cheat Sheets.
  • Same approach about the update of the existing Cheat Sheets.
  • A usage context for the Cheat Sheet and a quick source of feedack about the quality and the efficiency of the Cheat Sheet.

It is not mandatory that a request for a new Cheat Sheet (or for an update) come only from OPC/OASVS, it is just a extra channel.

Requests from OPC/OASVS are flagged with a special label in the GitHub repository issues list in order to identify them and set them as a top level priority.

Project Leaders

Contributors of the V1 of the project

Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov, Manideep Konakandla, Santhosh Tuppad and many more!

Contributors of the V2 of the project

See here for a complete list.

OWASP Cheat Sheets

GitHub repository

Repository is here.

Offline Cheat Sheets collection

A offline website of all Cheat Sheets can be obtained here.

Slack & Twitter

Slack channel information:

  • Server owasp.slack.com
  • Channel cheatsheets

Twitter hash tag: #owaspcheatsheetseries

Email List

Project Email List

Still used for technical discussion but we highly prefer:

  • The Slack channel for announcement and technical discussion.
  • The Twitter hash tag for announcement only.

Project classifications

Lab Project Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

Licensing

The OWASP Cheat Sheet Series is free to use under the Creative Commons ShareAlike 3 License.

Related Projects

News and Events


Roadmap is managed using the GitHub feature of the repository.