OWASP Cheat Sheets


OWASP Cheat Sheets
Martin Woschek, owasp@jesterweb.de
April 9, 2015

Contents

I Developer Cheat Sheets (Builder)

1 Authentication Cheat Sheet
    1.1 Introduction
    1.2 Authentication General Guidelines
    1.3 Use of authentication protocols that require no password
    1.4 Session Management General Guidelines
    1.5 Password Managers
    1.6 Authors and Primary Editors
    1.7 References

2 Choosing and Using Security Questions Cheat Sheet
    2.1 Introduction
    2.2 The Problem
    2.3 Choosing Security Questions and/or Identity Data
    2.4 Using Security Questions
    2.5 Related Articles
    2.6 Authors and Primary Editors
    2.7 References

3 Clickjacking Defense Cheat Sheet
    3.1 Introduction
    3.2 Defending with Content Security Policy frame-ancestors directive
    3.3 Defending with X-Frame-Options Response Headers
    3.4 Best-for-now Legacy Browser Frame Breaking Script
    3.5 window.confirm() Protection
    3.6 Non-Working Scripts
    3.7 Authors and Primary Editors
    3.8 References

4 C-Based Toolchain Hardening Cheat Sheet
    4.1 Introduction
    4.2 Actionable Items
    4.3 Build Configurations
    4.4 Library Integration
    4.5 Static Analysis
    4.6 Platform Security
    4.7 Authors and Editors
    4.8 References

5 Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
    5.1 Introduction
    5.2 Prevention Measures That Do NOT Work
    5.3 General Recommendation: Synchronizer Token Pattern
    5.4 CSRF Prevention without a Synchronizer Token
    5.5 Client/User Prevention
    5.6 No Cross-Site Scripting (XSS) Vulnerabilities
    5.7 Authors and Primary Editors
    5.8 References

6 Cryptographic Storage Cheat Sheet
    6.1 Introduction
    6.2 Providing Cryptographic Functionality
    6.3 Related Articles
    6.4 Authors and Primary Editors
    6.5 References

7 DOM based XSS Prevention Cheat Sheet
    7.1 Introduction
    7.2 Guidelines for Developing Secure Applications Utilizing JavaScript
    7.3 Common Problems Associated with Mitigating DOM Based XSS
    7.4 Authors and Contributing Editors
    7.5 References

8 Forgot Password Cheat Sheet
    8.1 Introduction
    8.2 The Problem
    8.3 Steps
    8.4 Authors and Primary Editors
    8.5 References

9 HTML5 Security Cheat Sheet
    9.1 Introduction
    9.2 Communication APIs
    9.3 Storage APIs
    9.4 Geolocation
    9.5 Web Workers
    9.6 Sandboxed frames
    9.7 Offline Applications
    9.8 Progressive Enhancements and Graceful Degradation Risks
    9.9 HTTP Headers to enhance security
    9.10 Authors and Primary Editors
    9.11 References

10 Input Validation Cheat Sheet
    10.1 Introduction
    10.2 Authors and Primary Editors
    10.3 References

11 JAAS Cheat Sheet
    11.1 Introduction
    11.2 Related Articles
    11.3 Disclosure
    11.4 Authors and Primary Editors
    11.5 References

12 Logging Cheat Sheet
    12.1 Introduction
    12.2 Purpose
    12.3 Design, implementation and testing
    12.4 Deployment and operation
    12.5 Related articles
    12.6 Authors and Primary Contributors
    12.7 References

13 .NET Security Cheat Sheet
    13.1 Introduction
    13.2 .NET Framework Guidance
    13.3 ASP.NET Web Forms Guidance
    13.4 ASP.NET MVC Guidance
    13.5 XAML Guidance
    13.6 Windows Forms Guidance
    13.7 WCF Guidance
    13.8 Authors and Primary Editors
    13.9 References

14 Password Storage Cheat Sheet
    14.1 Introduction
    14.2 Guidance
    14.3 Related Articles
    14.4 Authors and Primary Editors
    14.5 References

15 Pinning Cheat Sheet
    15.1 Introduction
    15.2 What's the problem?
    15.3 What Is Pinning?
    15.4 What Should Be Pinned?
    15.5 Examples of Pinning
    15.6 Related Articles
    15.7 Authors and Editors
    15.8 References

16 Query Parameterization Cheat Sheet
    16.1 Introduction
    16.2 Parameterized Query Examples
    16.3 Related Articles
    16.4 Authors and Primary Editors
    16.5 References

17 Ruby on Rails Cheatsheet
    17.1 Introduction
    17.2 Items
    17.3 Updating Rails and Having a Process for Updating Dependencies
    17.4 Tools
    17.5 Further Information
    17.6 Authors and Primary Editors
    17.7 References

18 REST Security Cheat Sheet
    18.1 Introduction
    18.2 Authentication and session management
    18.3 Authorization
    18.4 Input validation
    18.5 Output encoding
    18.6 Cryptography
    18.7 Authors and primary editors
    18.8 References

19 Session Management Cheat Sheet
    19.1 Introduction
    19.2 Session ID Properties
    19.3 Session Management Implementation
    19.4 Cookies
    19.5 Session ID Life Cycle
    19.6 Session Expiration
    19.7 Additional Client-Side Defenses for Session Management
    19.8 Session Attacks Detection
    19.9 Related Articles
    19.10 Authors and Primary Editors
    19.11 References

20 SQL Injection Prevention Cheat Sheet
    20.1 Introduction
    20.2 Primary Defenses
    20.3 Additional Defenses
    20.4 Related Articles
    20.5 Authors and Primary Editors
    20.6 References

21 Transport Layer Protection Cheat Sheet
    21.1 Introduction
    21.2 Providing Transport Layer Protection with SSL/TLS
    21.3 Providing Transport Layer Protection for Back End and Other Connections
    21.4 Tools
    21.5 Related Articles
    21.6 Authors and Primary Editors
    21.7 References

22 Unvalidated Redirects and Forwards Cheat Sheet
    22.1 Introduction
    22.2 Safe URL Redirects
    22.3 Dangerous URL Redirects
    22.4 Preventing Unvalidated Redirects and Forwards
    22.5 Related Articles
    22.6 Authors and Primary Editors
    22.7 References

23 User Privacy Protection Cheat Sheet
    23.1 Introduction
    23.2 Guidelines
    23.3 Authors and Primary Editors
    23.4 References

24 Web Service Security Cheat Sheet
    24.1 Introduction
    24.2 Transport Confidentiality
    24.3 Server Authentication
    24.4 User Authentication
    24.5 Transport Encoding
    24.6 Message Integrity
    24.7 Message Confidentiality
    24.8 Authorization
    24.9 Schema Validation
    24.10 Content Validation
    24.11 Output Encoding
    24.12 Virus Protection
    24.13 Message Size
    24.14 Availability
    24.15 Endpoint Security Profile
    24.16 Authors and Primary Editors
    24.17 References

25 XSS (Cross Site Scripting) Prevention Cheat Sheet
    25.1 Introduction
    25.2 XSS Prevention Rules
    25.3 XSS Prevention Rules Summary
    25.4 Output Encoding Rules Summary
    25.5 Related Articles
    25.6 Authors and Primary Editors
    25.7 References

II Assessment Cheat Sheets (Breaker)

26 Attack Surface Analysis Cheat Sheet
    26.1 What is Attack Surface Analysis and Why is it Important?
    26.2 Defining the Attack Surface of an Application
    26.3 Identifying and Mapping the Attack Surface
    26.4 Measuring and Assessing the Attack Surface
    26.5 Managing the Attack Surface
    26.6 Related Articles
    26.7 Authors and Primary Editors
    26.8 References

27 XSS Filter Evasion Cheat Sheet
    27.1 Introduction
    27.2 Tests
    27.3 Character Encoding and IP Obfuscation Calculators
    27.4 Authors and Primary Editors
    27.5 References

28 REST Assessment Cheat Sheet
    28.1 About RESTful Web Services
    28.2 Key relevant properties of RESTful web services
    28.3 The challenge of security testing RESTful web services
    28.4 How to pen test a RESTful web service?
    28.5 Related Resources
    28.6 Authors and Primary Editors
    28.7 References

III Mobile Cheat Sheets

29 IOS Developer Cheat Sheet
    29.1 Introduction
    29.2 Basics
    29.3 Remediations to OWASP Mobile Top 10 Risks
    29.4 Related Articles
    29.5 Authors and Primary Editors
    29.6 References

30 Mobile Jailbreaking Cheat Sheet
    30.1 What is "jailbreaking", "rooting" and "unlocking"?
    30.2 Why do they occur?
    30.3 What are the common tools used?
    30.4 Why can it be dangerous?
    30.5 Conclusion
    30.6 Authors and Primary Editors
    30.7 References

IV OpSec Cheat Sheets (Defender)

31 Virtual Patching Cheat Sheet
    31.1 Introduction
    31.2 Definition: Virtual Patching
    31.3 Why Not Just Fix the Code?
    31.4 Value of Virtual Patching
    31.5 Virtual Patching Tools
    31.6 A Virtual Patching Methodology
    31.7 Example Public Vulnerability
    31.8 Preparation Phase
    31.9 Identification Phase
    31.10 Analysis Phase
    31.11 Virtual Patch Creation Phase
    31.12 Implementation/Testing Phase
    31.13 Recovery/Follow-Up Phase
    31.14 Related Articles
    31.15 Authors and Primary Editors
    31.16 References

V Draft Cheat Sheets

32 OWASP Top Ten Cheat Sheet

33 Access Control Cheat Sheet
    33.1 Introduction
    33.2 Attacks on Access Control
    33.3 Access Control Issues
    33.4 Access Control Anti-Patterns
    33.5 Attacking Access Controls
    33.6 Testing for Broken Access Control
    33.7 Defenses Against Access Control Attacks
    33.8 Best Practices
    33.9 SQL Integrated Access Control
    33.10 Access Control Positive Patterns
    33.11 Data Contextual Access Control
    33.12 Authors and Primary Editors

34 Application Security Architecture Cheat Sheet
    34.1 Introduction
    34.2 Business Requirements
    34.3 Infrastructure Requirements
    34.4 Application Requirements
    34.5 Security Program Requirements
    34.6 Authors and Primary Editors

35 Business Logic Security Cheat Sheet
    35.1 Introduction
    35.2 What is a Business Logic Vulnerability?
    35.3 Related Articles
    35.4 Authors and Primary Editors

36 PHP Security Cheat Sh
