A Guide to Building Secure Web Applications

The Open Web Application Security Project

Mark Curphey

The Open Web Application Security Project

David Endler

iDefense

William Hau

Steve Taylor

Predictive Solutions

Tim Smith

The Open Web Application Security Project

Alex Russell

OWASP Filters project
SecurePipe Inc.
netWindows.org

Gene McKenna

Richard Parke

Kevin McLaughlin

Nigel Tranter

Amit Klein

Dennis Groves

Izhar By-Gad

Sverre Huseby

Martin Eizner

Michael Hill

Roy McNamara

Version 1.1 Final

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation.

Sun Sep 22 2002
Table of Contents

I. A Guide to Building Secure Web Applications
1. Introduction
Foreword
About OWASP
Purpose Of This Document
Intended Audience
How to Use This Document
What This Document Is Not
How to Contribute
Future Content
2. Overview
What Are Web Applications?
What Are Web Services?
3. How Much Security Do You Really Need?
What are Risks, Threats and Vulnerabilities?
Measuring the Risk
4. Security Guidelines
Validate Input and Output
Fail Securely (Closed)
Keep it Simple
Use and Reuse Trusted Components
Defense in Depth
Only as Secure as the Weakest Link
Security By Obscurity Won't Work
Least Privilege
Compartmentalization (Separation of Privileges)
5. Architecture
General Considerations
Security from the Operating System
Security from the Network Infrastructure
6. Authentication
What is Authentication?
Types of Authentication
Browser Limitations
HTTP Basic
HTTP Digest
Forms Based Authentication
Digital Certificates (SSL and TLS)
Entity Authentication
Infrastructure Authentication
Password Based Authentication Systems
7. Managing User Sessions
Cookies
Persistent vs. Non-Persistent
Secure vs. Non-Secure
How do Cookies work?
What's in a cookie?
Session Tokens
Cryptographic Algorithms for Session Tokens
Appropriate Key Space
Session Management Schemes
Session Time-out
Regeneration of Session Tokens
Session Forging/Brute-Forcing Detection and/or Lockout
Session Re-Authentication
Session Token Transmission
Session Tokens on Logout
Page Tokens
SSL and TLS
How do SSL and TLS Work?
8. Access Control and Authorization
Discretionary Access Control
Mandatory Access Control
Role Based Access Control
9. Event Logging
What to Log
Log Management
10. Data Validation
Validation Strategies
Accept Only Known Valid Data
Reject Known Bad Data
Sanitize All Data
Never Rely on Client-Side Data Validation
11. Preventing Common Problems
The Generic Meta-Characters Problem
Attacks on The Users
Cross-Site Scripting
Attacks on the System
Direct SQL Commands
Direct OS Commands
Path Traversal and Path Disclosure
Null Bytes
Canonicalization
URL Encoding
Parameter Manipulation
Cookie Manipulation
HTTP Header Manipulation
HTML Form Field Manipulation
URL Manipulation
Miscellaneous
Vendors Patches
System Configuration
Comments in HTML
Old, Backup and Un-referenced Files
Debug Commands
Default Accounts
12. Privacy Considerations
The Dangers of Communal Web Browsers
Using personal data
Enhanced Privacy Login Options
Browser History
13. Cryptography
Overview
Symmetric Cryptography
Asymmetric, or Public Key, Cryptography
Digital Signatures
Hash Values
Implementing Cryptography
Cryptographic Toolkits and Libraries
Key Generation
Random Number Generation
Key Lengths
II. Appendixes
A. GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents

List of Tables

7.1. Structure Of A Cookie
11.1.