Differences

This shows you the differences between two versions of the page.

--- owasp:owasp_top_ten_cheat_sheet [2016/10/11 14:35] – peter
+++ owasp:owasp_top_ten_cheat_sheet [2019/12/01 11:42] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== OWASP - OWASP Top Ten Cheat Sheet ======
-^ Issue      ^ Presentation ^ Solution          ^ Comments ^
-| Injection    | Render | Set a correct content type. | All SQL Injection is due to dynamic SQL queries. Strongly consider prohibiting dynamic SQL queries. |
-| :::    | :::                        | Set safe character set (UTF-8). | Canonicalize using correct character set. |
-| :::    | :::                        | Set correct locale. |  |
-| :::    | On Submit:                 | Enforce input field type and lengths. | Positive input validation using correct character set. |
-| :::    | :::                        | Validate fields and provide feedback. | Use Parameterized queries and Stored Procedures. |
-| :::    | :::                        | Ensure option selects and radio contain only sent values. | ::: |
-| Weak authentication and session management  | Render | Validate user is authenticated. | |
-| :::    | :::                        | Validate role is sufficient for this view. | Validate role is sufficient to create, read, update, or delete data. |
-| ::: | ::: | ::: | Consider the use of a "governor" to regulate the maximum number of requests per second / minute / hour that this user may perform. |
-| :::    | :::                        | Set "secure" and "HttpOnly" flags for session cookies. |  |
-| :::    | :::                        | Send CSRF token with forms. | |
-| XSS | Render | Set correct content type. | |
-| ::: | ::: | Set safe character set (UTF-8). | Canonicalize using correct character set. |
-| ::: | ::: | Set correct locale. | |
-| ::: | ::: | Output encode all user data as per output context. | |
-| ::: | ::: | Set input constraints. | Positive input validation using correct character set. |
-| ::: | ::: | ::: | Only process data that is 100% trustworthy. Everything else is hostile and should be rejected. |
-| ::: | ::: | ::: | Do not store data HTML-encoded in the database. This prevents new uses for the data. |
-| Insecure Direct Object References | If data is from internal trusted sources, no data is sent. | Obtain data from internal, trusted sources. | |
-| ::: | Render | Send indirect random access reference map value. | Obtain direct value from random access reference access map. |
-| ::: | ::: | ::: | Validate role is sufficient to create, read, update, or delete data. |
-| Security Misconfiguration | Web servers and application servers. | Ensure web servers and application servers are hardened. | |
-| ::: | Database Servers | Ensure database servers are hardened. | |
-| ::: | PHP | Ensure allow_url_fopen and allow_url_include are both disabled in php.ini. Consider the use of Suhosin extension. |
-| ::: | XML | Ensure common web attacks (remote XSLT transforms, hostile XPath queries, recursive DTDs, and so on) are protected by your XML stack. Do not hand craft XML documents or queries – use the XML layer. | ::: |
-| Sensitive Data Exposure | Design | Use strong ciphers (AES 128 or better) with secure mode of operations (do not use ECB). | |
-| ::: | ::: | Use strong hashes (SHA 256 or better) with salts for passwords. | |
-| ::: | ::: | Protect keys more than any other asset. | Mandate strong encrypted communications between web and database servers and any other servers or administrative users. |
-| ::: | ::: | ::: | Do not use RDBMS database, row or table level encryption.  The data can be retrieved in the clear by anyone with direct access to the server, or over the network using the application credentials.  It might even traverse the network in the clear despite being "encrypted" on disk. |
-| ::: | ::: | Use TLS 1.2 or later for all web communications. | Use TLS 1.2 always – even internally. |
-| ::: | ::: | Buy extended validation (EV) certificates for public web servers. | |
-| ::: | Render | Do not send keys or hashes to the browser. | It is best to encrypt data on the application server, rather than the database server. |
-| Missing Function Level Access Control | Design | Ensure all non-web data is outside the web root (logs, configuration, etc). | |
-| ::: | ::: | Use octet byte streaming instead of providing access to real files such as PDFs or CSVs or similar. | |
-| ::: | ::: | Ensure every page requires a role, even if it is "guest". | |
-| ::: | Pre-render | Validate user is authenticated. | |
-| ::: | ::: | Validate role is sufficient to view secured URL. | |
-| ::: | Render | Send CSRF token. | |