owasp:owasp_top_ten_cheat_sheet
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| owasp:owasp_top_ten_cheat_sheet [2016/10/11 14:27] – peter | owasp:owasp_top_ten_cheat_sheet [2019/12/01 11:42] (current) – removed peter | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== OWASP - OWASP Top Ten Cheat Sheet ====== | ||
| - | |||
| - | ^ Issue ^ Presentation ^ Solution | ||
| - | | Injection | ||
| - | | ::: | ::: | Set safe character set (UTF-8). | Canonicalize using correct character set. | | ||
| - | | ::: | ::: | Set correct locale. | | | ||
| - | | ::: | On Submit: | ||
| - | | ::: | ::: | Validate fields and provide feedback. | Use Parameterized queries and Stored Procedures. | | ||
| - | | ::: | ::: | Ensure option selects and radio contain only sent values. | ::: | | ||
| - | | Weak authentication and session management | ||
| - | | ::: | ::: | Validate role is sufficient for this view. | Validate role is sufficient to create, read, update, or delete data. | | ||
| - | | ::: | ::: | ::: | Consider the use of a " | ||
| - | | ::: | ::: | Set " | ||
| - | | ::: | ::: | Send CSRF token with forms. | | | ||
| - | | XSS | Render | Set correct content type. | | | ||
| - | | ::: | ::: | Set safe character set (UTF-8). | Canonicalize using correct character set. | | ||
| - | | ::: | ::: | Set correct locale. | | | ||
| - | | ::: | ::: | Output encode all user data as per output context. | | | ||
| - | | ::: | ::: | Set input constraints. | Positive input validation using correct character set. | | ||
| - | | ::: | ::: | ::: | Only process data that is 100% trustworthy. Everything else is hostile and should be rejected. | | ||
| - | | ::: | ::: | ::: | Do not store data HTML-encoded in the database. This prevents new uses for the data. | | ||
| - | | Insecure Direct Object References | If data is from internal trusted sources, no data is sent. | Obtain data from internal, trusted sources. | | | ||
| - | | ::: | Render | Send indirect random access reference map value. | Obtain direct value from random access reference access map. | | ||
| - | | ::: | ::: | ::: | Validate role is sufficient to create, read, update, or delete data. | | ||
| - | | Security Misconfiguration | Web servers and application servers. | Ensure web servers and application servers are hardened. | | | ||
| - | | ::: | Database Servers | Ensure database servers are hardened. | | | ||
| - | | ::: | PHP | Ensure allow_url_fopen and allow_url_include are both disabled in php.ini. Consider the use of Suhosin extension. | | ||
| - | | ::: | XML | Ensure common web attacks (remote XSLT transforms, hostile XPath queries, recursive DTDs, and so on) are protected by your XML stack. Do not hand craft XML documents or queries – use the XML layer. | ::: | | ||
| - | | Sensitive Data Exposure | Design | Use strong ciphers (AES 128 or better) with secure mode of operations (do not use ECB). | | | ||
| - | | ::: | ::: | Use strong hashes (SHA 256 or better) with salts for passwords. | | | ||
| - | | ::: | ::: | Protect keys more than any other asset. | Mandate strong encrypted communications between web and database servers and any other servers or administrative users. | | ||
| - | | ::: | ::: | ::: | Do not use RDBMS database, row or table level encryption. | ||
| - | | ::: | ::: | ::: | It is best to encrypt data on the application server, rather than the database server. | | ||
| - | | ::: | ::: | Use TLS 1.2 or later for all web communications. | Use TLS 1.2 always – even internally. | | ||
| - | | ::: | ::: | Buy extended validation (EV) certificates for public web servers. | | | ||
owasp/owasp_top_ten_cheat_sheet.1476196076.txt.gz · Last modified: 2020/07/15 09:30 (external edit)