Difference between revisions of "OWASP Top Ten Cheat Sheet"

From OWASP
Jump to: navigation, search
m (UI Cleanup)
(14 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
The following is a developer-centric defensive cheat sheet for the [[OWASP Top Ten Project]].
+
The following is a developer-centric defensive cheat sheet for the [[OWASP Top Ten Project]]. It also presents a quick reference based on [[OWASP Testing Project]] to help how to identify the risks.
  
 
= OWASP Top Ten Cheat Sheet =
 
= OWASP Top Ten Cheat Sheet =
Line 10: Line 10:
 
||'''Controller'''
 
||'''Controller'''
 
||'''Model'''
 
||'''Model'''
 +
||'''Testing (OWASP Testing Guide V3)'''
  
 
|-
 
|-
Line 16: Line 17:
  
 
''Render:''
 
''Render:''
Set a correct content type
+
*Set a correct content type
Set safe character set (UTF-8)
+
*Set safe character set (UTF-8)
Set correct locale
+
*Set correct locale
  
 
''On Submit:''
 
''On Submit:''
Enforce input field type and lengths  
+
*Enforce input field type and lengths.
Validate fields and provide feedback
+
*Validate fields and provide feedback.
Ensure option selects and radio contain only sent values
+
*Ensure option selects and radio contain only sent values.
 
||'''Canonicalize using correct character set'''
 
||'''Canonicalize using correct character set'''
 
'''Positive input validation using correct character set'''
 
'''Positive input validation using correct character set'''
  
(NR) Negative input validation  
+
(NR) Negative input validation.
(LR) Sanitize input  
+
(LR) Sanitize input.
  
 
''Tip: updating a negative list (such as looking for "script", "sCrIpT", "ßCrîpt", etc) will require expensive and constant deployments and will '''always '''fail as attackers work out your list of "bad" words. Positive validation is simpler, faster and usually more secure and needs updating far less than any other validation mechanism. ''
 
''Tip: updating a negative list (such as looking for "script", "sCrIpT", "ßCrîpt", etc) will require expensive and constant deployments and will '''always '''fail as attackers work out your list of "bad" words. Positive validation is simpler, faster and usually more secure and needs updating far less than any other validation mechanism. ''
||'''[https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet Parameterized queries]'''
+
||*'''[https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet Parameterized queries]'''
Object relational model (Hibernate)
+
Active Record design pattern
+
Stored procedures
+
  
Escape mechanisms such as ESAPI's Encoder.EncodeForLDAP() or Encoder.EncodeforOS()
+
*Object relational model (Hibernate).
 +
*Active Record design pattern.
 +
*Stored procedures.
 +
 
 +
*Escape mechanisms such as ESAPI's Encoder:
 +
**EncodeForLDAP()
 +
**Encoder.EncodeforOS()
  
 
''Tip: '''All '''SQL Injection is due to dynamic SQL queries. Strongly consider prohibiting dynamic SQL queries within your organization ''
 
''Tip: '''All '''SQL Injection is due to dynamic SQL queries. Strongly consider prohibiting dynamic SQL queries within your organization ''
 +
 +
||''4.8.5 SQL Injection (OWASP-DV-005)''
 +
''4.8.6 LDAP Injection (OWASP-DV-006)''
 +
''4.8.7 ORM Injection (OWASP-DV-007)''
 +
''4.8.8 XML Injection (OWASP-DV-008)''
 +
''4.8.9 SSI Injection (OWASP-DV-009)''
 +
''4.8.10 XPath Injection (OWASP-DV-010)''
 +
''4.8.11 IMAP/SMTP Injection (OWASP-DV-011)''
 +
''4.8.12 Code Injection (OWASP-DV-012)''
 +
''4.8.13 OS Commanding (OWASP-DV-013)''
 +
''4.8.14 Buffer overflow (OWASP-DV-014)''
 +
  
 
|-
 
|-
Line 44: Line 60:
 
||
 
||
  
''Render''
+
''Render:''
'''Set correct content type'''
+
*Set correct content type
'''Set safe character set (UTF-8) '''
+
*Set safe character set (UTF-8)
'''Set correct locale'''
+
*Set correct locale
'''Output encode all user data as per output context'''
+
*Output encode all user data as per output context
'''Set input constraints '''
+
*Set input constraints
  
''On Submit''
+
''On Submit:''
Enforce input field type and lengths
+
*Enforce input field type and lengths.
Validate fields and provide feedback
+
*Validate fields and provide feedback.
Ensure option selects and radio contain only sent values
+
*Ensure option selects and radio contain only sent values.
 
||'''Canonicalize using correct character set'''
 
||'''Canonicalize using correct character set'''
 
'''Positive input validation using correct character set'''
 
'''Positive input validation using correct character set'''
Line 65: Line 81:
  
 
''Tip: Use OWASP Scrubbr to clean tainted or hostile data from legacy data''
 
''Tip: Use OWASP Scrubbr to clean tainted or hostile data from legacy data''
 +
 +
||''4.8.1 Testing for Reflected Cross Site Scripting (OWASP-DV-001)''
 +
''4.8.2 Testing for Stored Cross Site Scripting (OWASP-DV-002)''
 +
''4.8.3 Testing for DOM based Cross Site Scripting (OWASP-DV-003)''
 +
''4.8.4 Testing for Cross Site Flashing (OWASP-DV004)''
 +
  
 
|-
 
|-
 
|'''A3 Weak authentication and session management'''
 
|'''A3 Weak authentication and session management'''
||''Render''
+
||''Render:''
'''Validate user is authenticated'''
+
*Validate user is authenticated.
'''Validate role is sufficient for this view'''
+
*Validate role is sufficient for this view.
'''Set "secure" and "HttpOnly" flags for session cookies'''
+
*Set "secure" and "HttpOnly" flags for session cookies.
Send CSRF token with forms
+
*Send CSRF token with forms.
  
||''Design''
+
||''Design:''
'''Only use inbuilt session management'''
+
*Only use inbuilt session management.
'''Store secondary SSO / framework / custom session identifiers in native session object – do not send as additional headers or cookies'''
+
*Store secondary SSO / framework / custom session identifiers in native session object – do not send as additional headers or cookies.
  
'''Validate user is authenticated'''
+
*Validate user is authenticated.
'''Validate role is sufficient to perform this action'''
+
*Validate role is sufficient to perform this action.
Validate CSRF token
+
*Validate CSRF token.
 
||Validate role is sufficient to create, read, update, or delete data
 
||Validate role is sufficient to create, read, update, or delete data
  
 
''Tip: Consider the use of a "governor" to regulate the maximum number of requests per second / minute / hour that this user may perform. For example, a typical banking user should not perform more than ten transactions a minute, and one hundred per second is dangerous and should be blocked.''
 
''Tip: Consider the use of a "governor" to regulate the maximum number of requests per second / minute / hour that this user may perform. For example, a typical banking user should not perform more than ten transactions a minute, and one hundred per second is dangerous and should be blocked.''
 +
 +
||''4.4.2 Testing for user enumeration (OWASP-AT-002)''
 +
''4.4.3 Testing for Guessable (Dictionary) User Account (OWASP-AT-003)''
 +
''4.4.4 Brute Force Testing (OWASP-AT-004)''
 +
''4.4.6 Testing for vulnerable remember password and pwd reset (OWASP-AT-006)''
 +
''4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)''
 +
''4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007)''
 +
''4.4.8 Testing for CAPTCHA (OWASP-AT-008)''
 +
''4.4.9 Testing Multiple Factors Authentication (OWASP-AT-009)''
 +
''4.4.10 Testing for Race Conditions (OWASP-AT-010)''
 +
''4.5.1 Testing for Session Management Schema (OWASP-SM-001)''
 +
''4.5.2 Testing for Cookies attributes (OWASP-SM-002)''
 +
''4.5.3 Testing for Session Fixation (OWASP-SM_003)''
 +
''4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)''
 +
''4.5.5 Testing for CSRF (OWASP-SM-005)''
 +
''4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)''
 +
''4.6.3 Testing for Privilege Escalation (OWASP-AZ-003)''
 +
  
 
|-
 
|-
 
|'''A4 Insecure Direct Object Reference'''
 
|'''A4 Insecure Direct Object Reference'''
||'''If data is from internal trusted sources, no data is sent'''
+
||If data is from internal trusted sources, no data is sent.
  
''Or''
+
Or
  
''Render''
+
''Render:''
'''Send indirect random access reference map value'''
+
*Send indirect random access reference map value.
||'''Obtain data from internal, trusted sources'''
+
||Obtain data from internal, trusted sources.
  
''Or ''
+
Or
  
'''Obtain direct value from random access reference access map'''
+
Obtain direct value from random access reference access map.
||Validate role is sufficient to create, read, update, or delete data
+
||Validate role is sufficient to create, read, update, or delete data.
  
 +
||''4.6.1 Testing for Path Traversal (OWASP-AZ-001)''
  
 
|-
 
|-
 
|'''A5 Cross Site Request Forgery'''
 
|'''A5 Cross Site Request Forgery'''
||''Pre-render''
+
||''Pre-render:''
Validate user is authenticated
+
*Validate user is authenticated
Validate role is sufficient for this view
+
*Validate role is sufficient for this view
  
''Render''
+
''Render:''
'''Send CSRF token '''
+
*Send CSRF token.
Set "secure" and "HttpOnly" flags for session cookies
+
*Set "secure" and "HttpOnly" flags for session cookies.
||'''Validate CSRF token'''
+
||
Validate role is sufficient to perform this action
+
*Validate CSRF token.
Validate role is sufficient  
+
*Validate role is sufficient to perform this action.
 +
*Validate role is sufficient.
  
 
''Tip: CSRF is '''always '''possible if there is XSS, so make sure XSS is eliminated within your application.''
 
''Tip: CSRF is '''always '''possible if there is XSS, so make sure XSS is eliminated within your application.''
 
||Validate role is sufficient to create, read, update, or delete data
 
||Validate role is sufficient to create, read, update, or delete data
  
 +
||''4.5.5 Testing for CSRF (OWASP-SM-005)''
  
 
|-
 
|-
 
|'''A6 Security Misconfiguration'''
 
|'''A6 Security Misconfiguration'''
||Ensure web servers and application servers are hardened
+
||Ensure web servers and application servers are hardened.
  
PHP Ensure allow_url_fopen and allow_url_include are both disabled in php.ini. Consider the use of Suhosin extension  
+
PHP: Ensure allow_url_fopen and allow_url_include are both disabled in php.ini. Consider the use of Suhosin extension  
 
||Ensure web servers and application servers are hardened  
 
||Ensure web servers and application servers are hardened  
  
XML Ensure common web attacks (remote XSLT transforms, hostile XPath queries, recursive DTDs, and so on) are protected by your XML stack. Do not hand craft XML documents or queries – use the XML layer.  
+
XML: Ensure common web attacks (remote XSLT transforms, hostile XPath queries, recursive DTDs, and so on) are protected by your XML stack. Do not hand craft XML documents or queries – use the XML layer.  
 
||Ensure database servers are hardened  
 
||Ensure database servers are hardened  
 +
 +
||''4.2.6 Analysis of Error Codes (OWASP-IG-006)''
 +
''4.3.2 DB Listener Testing (OWASP-CM-002)''
 +
''4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003)''
 +
''4.3.4 Application Configuration Management Testing (OWASP-CM-004)''
 +
''4.3.5 Testing for File Extensions Handling (OWASP-CM-005)''
 +
''4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006)''
 +
''4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007)''
 +
''4.3.8 Testing for HTTP Methods and XST (OWASP-CM-008)''
 +
  
 
|-
 
|-
 
|'''A7 Insufficient Cryptographic Storage'''
 
|'''A7 Insufficient Cryptographic Storage'''
||''Design''
+
||''Design:''
'''Use strong ciphers (AES 128 or better)'''
+
*Use strong ciphers (AES 128 or better).
'''Use strong hashes (SHA 256 or better) with salts for passwords'''
+
*Use strong hashes (SHA 256 or better) with salts for passwords.
'''Protect keys more than any other asset'''
+
*Protect keys more than any other asset.
  
''Render''
+
''Render:''
Do not send keys or hashes to the browser
+
*Do not send keys or hashes to the browser.
  
||''Design''
+
||''Design:''
'''Use strong ciphers (AES 128 or better)'''
+
*Use strong ciphers (AES 128 or better).
'''Use strong hashes (SHA 256 or better) with salts for passwords'''
+
*Use strong hashes (SHA 256 or better) with salts for passwords.
'''Protect keys more than any other asset'''
+
*Protect keys more than any other asset.
  
 
''Tip: Only certain personally identifiable information and sensitive values MUST be encrypted. Encrypt data that would be embarrassing or costly if it was leaked or stolen. ''
 
''Tip: Only certain personally identifiable information and sensitive values MUST be encrypted. Encrypt data that would be embarrassing or costly if it was leaked or stolen. ''
Line 147: Line 200:
 
''Tip: It is best to encrypt data on the application server, rather than the database server.''
 
''Tip: It is best to encrypt data on the application server, rather than the database server.''
  
||''Design''
+
||''Design:''
  
 
''Tip: Do not use RDBMS database, row or table level encryption. The data can be retrieved in the clear by anyone with direct access to the server, or over the network using the application credentials. It might even traverse the network in the clear despite being "encrypted" on disk. ''
 
''Tip: Do not use RDBMS database, row or table level encryption. The data can be retrieved in the clear by anyone with direct access to the server, or over the network using the application credentials. It might even traverse the network in the clear despite being "encrypted" on disk. ''
 +
 +
||
 +
  
 
|-
 
|-
 
|'''A8 Failure to Restrict URL access'''
 
|'''A8 Failure to Restrict URL access'''
||''Design''
+
||''Design:''
'''Ensure all non-web data is outside the web root (logs, configuration, etc)'''
+
*Ensure all non-web data is outside the web root (logs, configuration, etc).
'''Use octet byte streaming instead of providing access to real files such as PDFs or CSVs or similar'''
+
*Use octet byte streaming instead of providing access to real files such as PDFs or CSVs or similar.
'''Ensure every page requires a role, even if it is "guest"'''
+
*Ensure every page requires a role, even if it is "guest".
'' ''
+
''Pre-render''
+
'''Validate user is authenticated'''
+
'''Validate role is sufficient to view secured URL'''
+
  
''Render''
+
''Pre-render:''
'''Send CSRF token '''
+
*Validate user is authenticated.
||'''Validate user is authenticated'''
+
*Validate role is sufficient to view secured URL.
'''Validate role is sufficient to perform secured action'''
+
 
'''Validate CSRF token'''
+
''Render:''
 +
*Send CSRF token.
 +
||
 +
*Validate user is authenticated.
 +
*Validate role is sufficient to perform secured action.
 +
*Validate CSRF token.
  
 
''Tip: It's impossible to control access to secured resources that the web application server does not directly serve. Therefore, PDF reports or similar should be served by the web application server using binary octet streaming. ''
 
''Tip: It's impossible to control access to secured resources that the web application server does not directly serve. Therefore, PDF reports or similar should be served by the web application server using binary octet streaming. ''
Line 172: Line 229:
 
''Tip: Assume attackers '''will''' learn where "hidden" directories and "random" filenames are, so do not store these files in the web root, even if they are not directly linked.''
 
''Tip: Assume attackers '''will''' learn where "hidden" directories and "random" filenames are, so do not store these files in the web root, even if they are not directly linked.''
 
||Validate role is sufficient to create, read, update, or delete data
 
||Validate role is sufficient to create, read, update, or delete data
 +
 +
||''4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)''
 +
''4.6.1 Testing for Path Traversal (OWASP-AZ-001)''
 +
''4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)''
  
 
|-
 
|-
 
|'''A9 Insufficient Transport Layer Protection'''
 
|'''A9 Insufficient Transport Layer Protection'''
||Use TLS 1.2 or later for all web communications  
+
||
Buy extended validation (EV) certificates for public web servers
+
*Use TLS 1.2 or later for all web communications.
 +
*Buy extended validation (EV) certificates for public web servers.
  
 
''Tip: Use TLS 1.2 always – even internally. Most snooping is done within corporate networks – and it is as easy and unethical as fishing with dynamite.''
 
''Tip: Use TLS 1.2 always – even internally. Most snooping is done within corporate networks – and it is as easy and unethical as fishing with dynamite.''
||Mandate strong encrypted communications between web and database servers and any other servers or administrative users
+
||
||Mandate strong encrypted communications with application servers and any other servers or administrative users
+
*Mandate strong encrypted communications between web and database servers and any other servers or administrative users.
 +
||
 +
*Mandate strong encrypted communications with application servers and any other servers or administrative users.
  
 +
||''4.3.1 SSL/TLS Testing (OWASP-CM-001)''
 +
''4.4.1 Credentials transport over an encrypted channel (OWASP-AT-001)''
  
 
|-
 
|-
 
|'''A10 Unvalidated Redirects and Forwards'''
 
|'''A10 Unvalidated Redirects and Forwards'''
||'''Design the app without URL redirection parameters'''
+
||
 +
*Design the app without URL redirection parameters.
  
''or''
+
or
  
''Render''
+
''Render:''
Use random indirect object references for redirection parameters
+
*Use random indirect object references for redirection parameters.
  
||'''Design the app without URL redirection parameters'''
+
||
 +
*Design the app without URL redirection parameters.
  
''or''
+
or
  
Obtain direct redirection parameter from random indirect reference access map
+
*Obtain direct redirection parameter from random indirect reference access map.
(LR) Positive validation of redirection parameter  
+
*(LR) Positive validation of redirection parameter.
(NR) Java – Do not forward() requests as this prevents SSO access control mechanisms  
+
*(NR) Java – Do not forward() requests as this prevents SSO access control mechanisms.
  
||Validate role is sufficient to create, read, update, or delete data
+
||
 +
*Validate role is sufficient to create, read, update, or delete data.
 +
 
 +
||
  
 
|-
 
|-
Line 209: Line 280:
 
Andrew van der Stock vanderaj[at]owasp.org
 
Andrew van der Stock vanderaj[at]owasp.org
  
[[Category:Cheatsheets]]
+
Ismael Rocha Gonçalves ismaelrg[at]gmail.com
 +
 
 +
Jorge Correa jacorream@gmail.com
 +
 
 +
= Other Cheatsheets =
 
{{Cheatsheet_Navigation}}
 
{{Cheatsheet_Navigation}}
 +
 +
[[Category:Cheatsheets]]

Revision as of 19:00, 10 October 2012

Contents

Introduction

The following is a developer-centric defensive cheat sheet for the OWASP Top Ten Project. It also presents a quick reference based on OWASP Testing Project to help how to identify the risks.

OWASP Top Ten Cheat Sheet

Presentation Controller Model Testing (OWASP Testing Guide V3)
A1 Injection

Render:

  • Set a correct content type
  • Set safe character set (UTF-8)
  • Set correct locale

On Submit:

  • Enforce input field type and lengths.
  • Validate fields and provide feedback.
  • Ensure option selects and radio contain only sent values.
Canonicalize using correct character set

Positive input validation using correct character set

(NR) Negative input validation. (LR) Sanitize input.

Tip: updating a negative list (such as looking for "script", "sCrIpT", "ßCrîpt", etc) will require expensive and constant deployments and will always fail as attackers work out your list of "bad" words. Positive validation is simpler, faster and usually more secure and needs updating far less than any other validation mechanism.

*Parameterized queries
  • Object relational model (Hibernate).
  • Active Record design pattern.
  • Stored procedures.
  • Escape mechanisms such as ESAPI's Encoder:
    • EncodeForLDAP()
    • Encoder.EncodeforOS()

Tip: All SQL Injection is due to dynamic SQL queries. Strongly consider prohibiting dynamic SQL queries within your organization

4.8.5 SQL Injection (OWASP-DV-005)

4.8.6 LDAP Injection (OWASP-DV-006) 4.8.7 ORM Injection (OWASP-DV-007) 4.8.8 XML Injection (OWASP-DV-008) 4.8.9 SSI Injection (OWASP-DV-009) 4.8.10 XPath Injection (OWASP-DV-010) 4.8.11 IMAP/SMTP Injection (OWASP-DV-011) 4.8.12 Code Injection (OWASP-DV-012) 4.8.13 OS Commanding (OWASP-DV-013) 4.8.14 Buffer overflow (OWASP-DV-014)


A2 XSS

Render:

  • Set correct content type
  • Set safe character set (UTF-8)
  • Set correct locale
  • Output encode all user data as per output context
  • Set input constraints

On Submit:

  • Enforce input field type and lengths.
  • Validate fields and provide feedback.
  • Ensure option selects and radio contain only sent values.
Canonicalize using correct character set

Positive input validation using correct character set

(NR) Negative input validation (LR) Sanitize input

Tip: Only process data that is 100% trustworthy. Everything else is hostile and should be rejected.

Tip: Do not store data HTML encoded in the database. This prevents new uses for the data, such as web services, RSS feeds, FTP batches, data warehousing, cloud computing, and so on.

Tip: Use OWASP Scrubbr to clean tainted or hostile data from legacy data

4.8.1 Testing for Reflected Cross Site Scripting (OWASP-DV-001)

4.8.2 Testing for Stored Cross Site Scripting (OWASP-DV-002) 4.8.3 Testing for DOM based Cross Site Scripting (OWASP-DV-003) 4.8.4 Testing for Cross Site Flashing (OWASP-DV004)


A3 Weak authentication and session management Render:
  • Validate user is authenticated.
  • Validate role is sufficient for this view.
  • Set "secure" and "HttpOnly" flags for session cookies.
  • Send CSRF token with forms.
Design:
  • Only use inbuilt session management.
  • Store secondary SSO / framework / custom session identifiers in native session object – do not send as additional headers or cookies.
  • Validate user is authenticated.
  • Validate role is sufficient to perform this action.
  • Validate CSRF token.
Validate role is sufficient to create, read, update, or delete data

Tip: Consider the use of a "governor" to regulate the maximum number of requests per second / minute / hour that this user may perform. For example, a typical banking user should not perform more than ten transactions a minute, and one hundred per second is dangerous and should be blocked.

4.4.2 Testing for user enumeration (OWASP-AT-002)

4.4.3 Testing for Guessable (Dictionary) User Account (OWASP-AT-003) 4.4.4 Brute Force Testing (OWASP-AT-004) 4.4.6 Testing for vulnerable remember password and pwd reset (OWASP-AT-006) 4.4.5 Testing for bypassing authentication schema (OWASP-AT-005) 4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007) 4.4.8 Testing for CAPTCHA (OWASP-AT-008) 4.4.9 Testing Multiple Factors Authentication (OWASP-AT-009) 4.4.10 Testing for Race Conditions (OWASP-AT-010) 4.5.1 Testing for Session Management Schema (OWASP-SM-001) 4.5.2 Testing for Cookies attributes (OWASP-SM-002) 4.5.3 Testing for Session Fixation (OWASP-SM_003) 4.5.4 Testing for Exposed Session Variables (OWASP-SM-004) 4.5.5 Testing for CSRF (OWASP-SM-005) 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002) 4.6.3 Testing for Privilege Escalation (OWASP-AZ-003)


A4 Insecure Direct Object Reference If data is from internal trusted sources, no data is sent.

Or

Render:

  • Send indirect random access reference map value.
Obtain data from internal, trusted sources.

Or

Obtain direct value from random access reference access map.

Validate role is sufficient to create, read, update, or delete data. 4.6.1 Testing for Path Traversal (OWASP-AZ-001)
A5 Cross Site Request Forgery Pre-render:
  • Validate user is authenticated
  • Validate role is sufficient for this view

Render:

  • Send CSRF token.
  • Set "secure" and "HttpOnly" flags for session cookies.
  • Validate CSRF token.
  • Validate role is sufficient to perform this action.
  • Validate role is sufficient.

Tip: CSRF is always possible if there is XSS, so make sure XSS is eliminated within your application.

Validate role is sufficient to create, read, update, or delete data 4.5.5 Testing for CSRF (OWASP-SM-005)
A6 Security Misconfiguration Ensure web servers and application servers are hardened.

PHP: Ensure allow_url_fopen and allow_url_include are both disabled in php.ini. Consider the use of Suhosin extension

Ensure web servers and application servers are hardened

XML: Ensure common web attacks (remote XSLT transforms, hostile XPath queries, recursive DTDs, and so on) are protected by your XML stack. Do not hand craft XML documents or queries – use the XML layer.

Ensure database servers are hardened 4.2.6 Analysis of Error Codes (OWASP-IG-006)

4.3.2 DB Listener Testing (OWASP-CM-002) 4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003) 4.3.4 Application Configuration Management Testing (OWASP-CM-004) 4.3.5 Testing for File Extensions Handling (OWASP-CM-005) 4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006) 4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007) 4.3.8 Testing for HTTP Methods and XST (OWASP-CM-008)


A7 Insufficient Cryptographic Storage Design:
  • Use strong ciphers (AES 128 or better).
  • Use strong hashes (SHA 256 or better) with salts for passwords.
  • Protect keys more than any other asset.

Render:

  • Do not send keys or hashes to the browser.
Design:
  • Use strong ciphers (AES 128 or better).
  • Use strong hashes (SHA 256 or better) with salts for passwords.
  • Protect keys more than any other asset.

Tip: Only certain personally identifiable information and sensitive values MUST be encrypted. Encrypt data that would be embarrassing or costly if it was leaked or stolen.

Tip: It is best to encrypt data on the application server, rather than the database server.

Design:

Tip: Do not use RDBMS database, row or table level encryption. The data can be retrieved in the clear by anyone with direct access to the server, or over the network using the application credentials. It might even traverse the network in the clear despite being "encrypted" on disk.


A8 Failure to Restrict URL access Design:
  • Ensure all non-web data is outside the web root (logs, configuration, etc).
  • Use octet byte streaming instead of providing access to real files such as PDFs or CSVs or similar.
  • Ensure every page requires a role, even if it is "guest".

Pre-render:

  • Validate user is authenticated.
  • Validate role is sufficient to view secured URL.

Render:

  • Send CSRF token.
  • Validate user is authenticated.
  • Validate role is sufficient to perform secured action.
  • Validate CSRF token.

Tip: It's impossible to control access to secured resources that the web application server does not directly serve. Therefore, PDF reports or similar should be served by the web application server using binary octet streaming.

Tip: Assume attackers will learn where "hidden" directories and "random" filenames are, so do not store these files in the web root, even if they are not directly linked.

Validate role is sufficient to create, read, update, or delete data 4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)

4.6.1 Testing for Path Traversal (OWASP-AZ-001) 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)

A9 Insufficient Transport Layer Protection
  • Use TLS 1.2 or later for all web communications.
  • Buy extended validation (EV) certificates for public web servers.

Tip: Use TLS 1.2 always – even internally. Most snooping is done within corporate networks – and it is as easy and unethical as fishing with dynamite.

  • Mandate strong encrypted communications between web and database servers and any other servers or administrative users.
  • Mandate strong encrypted communications with application servers and any other servers or administrative users.
4.3.1 SSL/TLS Testing (OWASP-CM-001)

4.4.1 Credentials transport over an encrypted channel (OWASP-AT-001)

A10 Unvalidated Redirects and Forwards
  • Design the app without URL redirection parameters.

or

Render:

  • Use random indirect object references for redirection parameters.
  • Design the app without URL redirection parameters.

or

  • Obtain direct redirection parameter from random indirect reference access map.
  • (LR) Positive validation of redirection parameter.
  • (NR) Java – Do not forward() requests as this prevents SSO access control mechanisms.
  • Validate role is sufficient to create, read, update, or delete data.

Authors and Primary Editors

Andrew van der Stock vanderaj[at]owasp.org

Ismael Rocha Gonçalves ismaelrg[at]gmail.com

Jorge Correa jacorream@gmail.com

Other Cheatsheets

OWASP Cheat Sheets Project Homepage

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets