Partï¿½I.ï¿½A Guide to Building Secure Web Applications
Prevï¿½	ï¿½	ï¿½Next

A Guide to Building Secure Web Applications

Table of Contents

1. Introduction

Foreword

About OWASP
Purpose Of This Document
Intended Audience
How to Use This Document
What This Document Is Not
How to Contribute
Future Content

2. Overview

What Are Web Applications?
What Are Web Services?

3. How Much Security Do You Really Need?

What are Risks, Threats and Vulnerabilities?
Measuring the Risk

4. Security Guidelines

Validate Input and Output
Fail Securely (Closed)
Keep it Simple
Use and Reuse Trusted Components
Defense in Depth
Only as Secure as the Weakest Link
Security By Obscurity Won't Work
Least Privilege
Compartmentalization (Separation of Privileges)

5. Architecture

General Considerations

Security from the Operating System
Security from the Network Infrastructure

6. Authentication

What is Authentication?

Types of Authentication
Browser Limitations
HTTP Basic
HTTP Digest
Forms Based Authentication
Digital Certificates (SSL and TLS)
Entity Authentication
Infrastructure Authentication
Password Based Authentication Systems

7. Managing User Sessions

Cookies

Persistent vs. Non-Persistent
Secure vs. Non-Secure
How do Cookies work?
What's in a cookie?

Session Tokens

Cryptographic Algorithms for Session Tokens
Appropriate Key Space

Session Management Schemes

Session Time-out
Regeneration of Session Tokens
Session Forging/Brute-Forcing Detection and/or Lockout
Session Re-Authentication
Session Token Transmission
Session Tokens on Logout
Page Tokens

SSL and TLS

How do SSL and TLS Work?

8. Access Control and Authorization

Discretionary Access Control
Mandatory Access Control
Role Based Access Control

9. Event Logging

What to Log
Log Management

10. Data Validation

Validation Strategies

Accept Only Known Valid Data
Reject Known Bad Data
Sanitize All Data

Never Rely on Client-Side Data Validation

11. Preventing Common Problems

The Generic Meta-Characters Problem

Attacks on The Users

Cross-Site Scripting

Attacks on the System

Direct SQL Commands
Direct OS Commands
Path Traversal and Path Disclosure
Null Bytes
Canonicalization
URL Encoding

Parameter Manipulation

Cookie Manipulation
HTTP Header Manipulation
HTML Form Field Manipulation
URL Manipulation

Miscellaneous

Vendors Patches
System Configuration
Comments in HTML
Old, Backup and Un-referenced Files
Debug Commands
Default Accounts

12. Privacy Considerations

The Dangers of Communal Web Browsers
Using personal data
Enhanced Privacy Login Options
Browser History

13. Cryptography

Overview

Symmetric Cryptography

Asymmetric, or Public Key, Cryptography

Digital Signatures

Hash Values

Implementing Cryptography

Cryptographic Toolkits and Libraries
Key Generation
Random Number Generation
Key Lengths

Prevï¿½	Up	ï¿½Next
A Guide to Building Secure Web Applicationsï¿½	Home	ï¿½Chapterï¿½1.ï¿½Introduction