owasp:owasp_top_ten_cheat_sheet
This is an old revision of the document!
OWASP - OWASP Top Ten Cheat Sheet
| Issue | Presentation | Solution | Comments |
|---|---|---|---|
| Injection | Render | Set a correct content type. | All SQL Injection is due to dynamic SQL queries. Strongly consider prohibiting dynamic SQL queries. |
| Set safe character set (UTF-8). | Canonicalize using correct character set. | ||
| Set correct locale. | |||
| On Submit: | Enforce input field type and lengths. | Positive input validation using correct character set. | |
| Validate fields and provide feedback. | Use Parameterized queries and Stored Procedures. | ||
| Ensure option selects and radio contain only sent values. | |||
| Weak authentication and session management | Render | Validate user is authenticated. | |
| Validate role is sufficient for this view. | Validate role is sufficient to create, read, update, or delete data. | ||
| Consider the use of a “governor” to regulate the maximum number of requests per second / minute / hour that this user may perform. | |||
| Set “secure” and “HttpOnly” flags for session cookies. | |||
| Send CSRF token with forms. | |||
| XSS | Render | Set correct content type. | |
| Set safe character set (UTF-8). | Canonicalize using correct character set. | ||
| Set correct locale. | |||
| Output encode all user data as per output context. | |||
| Set input constraints. | Positive input validation using correct character set. | ||
| Only process data that is 100% trustworthy. Everything else is hostile and should be rejected. | |||
| Do not store data HTML-encoded in the database. This prevents new uses for the data. | |||
| Insecure Direct Object References | If data is from internal trusted sources, no data is sent. | Obtain data from internal, trusted sources. | |
| Render | Send indirect random access reference map value. | Obtain direct value from random access reference access map. | |
| Validate role is sufficient to create, read, update, or delete data. | |||
| Security Misconfiguration | Ensure web servers and application servers are hardened. | Ensure web servers and application servers are hardened. | Ensure database servers are hardened. |
owasp/owasp_top_ten_cheat_sheet.1476195422.txt.gz · Last modified: 2020/07/15 09:30 (external edit)