OWASP Cheat Sheets

Transcription

OWASP Cheat Sheets
Martin Woschek, owasp@jesterweb.de
April 9, 2015

Contents

I Developer Cheat Sheets (Builder)

1 Authentication Cheat Sheet
  1.1 Introduction
  1.2 Authentication General Guidelines
  1.3 Use of authentication protocols that require no password
  1.4 Session Management General Guidelines
  1.5 Password Managers
  1.6 Authors and Primary Editors
  1.7 References

2 Choosing and Using Security Questions Cheat Sheet
  2.1 Introduction
  2.2 The Problem
  2.3 Choosing Security Questions and/or Identity Data
  2.4 Using Security Questions
  2.5 Related Articles
  2.6 Authors and Primary Editors
  2.7 References

3 Clickjacking Defense Cheat Sheet
  3.1 Introduction
  3.2 Defending with Content Security Policy frame-ancestors directive
  3.3 Defending with X-Frame-Options Response Headers
  3.4 Best-for-now Legacy Browser Frame Breaking Script
  3.5 window.confirm() Protection
  3.6 Non-Working Scripts
  3.7 Authors and Primary Editors
  3.8 References

4 C-Based Toolchain Hardening Cheat Sheet
  4.1 Introduction
  4.2 Actionable Items
  4.3 Build Configurations
  4.4 Library Integration
  4.5 Static Analysis
  4.6 Platform Security
  4.7 Authors and Editors
  4.8 References

5 Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
  5.1 Introduction
  5.2 Prevention Measures That Do NOT Work
  5.3 General Recommendation: Synchronizer Token Pattern
  5.4 CSRF Prevention without a Synchronizer Token
  5.5 Client/User Prevention
  5.6 No Cross-Site Scripting (XSS) Vulnerabilities
  5.7 Authors and Primary Editors
  5.8 References

6 Cryptographic Storage Cheat Sheet
  6.1 Introduction
  6.2 Providing Cryptographic Functionality
  6.3 Related Articles
  6.4 Authors and Primary Editors
  6.5 References

7 DOM based XSS Prevention Cheat Sheet
  7.1 Introduction
  7.2 Guidelines for Developing Secure Applications Utilizing JavaScript
  7.3 Common Problems Associated with Mitigating DOM Based XSS
  7.4 Authors and Contributing Editors
  7.5 References

8 Forgot Password Cheat Sheet
  8.1 Introduction
  8.2 The Problem
  8.3 Steps
  8.4 Authors and Primary Editors
  8.5 References

9 HTML5 Security Cheat Sheet
  9.1 Introduction
  9.2 Communication APIs
  9.3 Storage APIs
  9.4 Geolocation
  9.5 Web Workers
  9.6 Sandboxed frames
  9.7 Offline Applications
  9.8 Progressive Enhancements and Graceful Degradation Risks
  9.9 HTTP Headers to enhance security
  9.10 Authors and Primary Editors
  9.11 References

10 Input Validation Cheat Sheet
  10.1 Introduction
  10.2 Authors and Primary Editors
  10.3 References

11 JAAS Cheat Sheet
  11.1 Introduction
  11.2 Related Articles
  11.3 Disclosure
  11.4 Authors and Primary Editors
  11.5 References

12 Logging Cheat Sheet
  12.1 Introduction
  12.2 Purpose
  12.3 Design, implementation and testing
  12.4 Deployment and operation
  12.5 Related articles
  12.6 Authors and Primary Contributors
  12.7 References

13 .NET Security Cheat Sheet
  13.1 Introduction
  13.2 .NET Framework Guidance
  13.3 ASP.NET Web Forms Guidance
  13.4 ASP.NET MVC Guidance
  13.5 XAML Guidance
  13.6 Windows Forms Guidance
  13.7 WCF Guidance
  13.8 Authors and Primary Editors
  13.9 References

14 Password Storage Cheat Sheet
  14.1 Introduction
  14.2 Guidance
  14.3 Related Articles
  14.4 Authors and Primary Editors
  14.5 References

15 Pinning Cheat Sheet
  15.1 Introduction
  15.2 What's the problem?
  15.3 What Is Pinning?
  15.4 What Should Be Pinned?
  15.5 Examples of Pinning
  15.6 Related Articles
  15.7 Authors and Editors
  15.8 References

16 Query Parameterization Cheat Sheet
  16.1 Introduction
  16.2 Parameterized Query Examples
  16.3 Related Articles
  16.4 Authors and Primary Editors
  16.5 References

17 Ruby on Rails Cheatsheet
  17.1 Introduction
  17.2 Items
  17.3 Updating Rails and Having a Process for Updating Dependencies
  17.4 Tools
  17.5 Further Information
  17.6 Authors and Primary Editors
  17.7 References

18 REST Security Cheat Sheet
  18.1 Introduction
  18.2 Authentication and session management
  18.3 Authorization
  18.4 Input validation
  18.5 Output encoding
  18.6 Cryptography
  18.7 Authors and primary editors
  18.8 References

19 Session Management Cheat Sheet
  19.1 Introduction
  19.2 Session ID Properties
  19.3 Session Management Implementation
  19.4 Cookies
  19.5 Session ID Life Cycle
  19.6 Session Expiration
  19.7 Additional Client-Side Defenses for Session Management
  19.8 Session Attacks Detection
  19.9 Related Articles
  19.10 Authors and Primary Editors
  19.11 References

20 SQL Injection Prevention Cheat Sheet
  20.1 Introduction
  20.2 Primary Defenses
  20.3 Additional Defenses
  20.4 Related Articles
  20.5 Authors and Primary Editors
  20.6 References

21 Transport Layer Protection Cheat Sheet
  21.1 Introduction
  21.2 Providing Transport Layer Protection with SSL/TLS
  21.3 Providing Transport Layer Protection for Back End and Other Connections
  21.4 Tools
  21.5 Related Articles
  21.6 Authors and Primary Editors
  21.7 References

22 Unvalidated Redirects and Forwards Cheat Sheet
  22.1 Introduction
  22.2 Safe URL Redirects
  22.3 Dangerous URL Redirects
  22.4 Preventing Unvalidated Redirects and Forwards
  22.5 Related Articles
  22.6 Authors and Primary Editors
  22.7 References

23 User Privacy Protection Cheat Sheet
  23.1 Introduction
  23.2 Guidelines
  23.3 Authors and Primary Editors
  23.4 References

24 Web Service Security Cheat Sheet
  24.1 Introduction
  24.2 Transport Confidentiality
  24.3 Server Authentication
  24.4 User Authentication
  24.5 Transport Encoding
  24.6 Message Integrity
  24.7 Message Confidentiality
  24.8 Authorization
  24.9 Schema Validation
  24.10 Content Validation
  24.11 Output Encoding
  24.12 Virus Protection
  24.13 Message Size
  24.14 Availability
  24.15 Endpoint Security Profile
  24.16 Authors and Primary Editors
  24.17 References

25 XSS (Cross Site Scripting) Prevention Cheat Sheet
  25.1 Introduction
  25.2 XSS Prevention Rules
  25.3 XSS Prevention Rules Summary
  25.4 Output Encoding Rules Summary
  25.5 Related Articles
  25.6 Authors and Primary Editors
  25.7 References

II
