Cheat Sheet Book


OWASP Cheat Sheets
Martin Woschek, [email protected]
April 9, 2015

Contents

I Developer Cheat Sheets (Builder) . 11

1 Authentication Cheat Sheet . 12
  1.1 Introduction . 12
  1.2 Authentication General Guidelines . 12
  1.3 Use of authentication protocols that require no password . 17
  1.4 Session Management General Guidelines . 19
  1.5 Password Managers . 19
  1.6 Authors and Primary Editors . 19
  1.7 References . 19

2 Choosing and Using Security Questions Cheat Sheet . 20
  2.1 Introduction . 20
  2.2 The Problem . 20
  2.3 Choosing Security Questions and/or Identity Data . 20
  2.4 Using Security Questions . 23
  2.5 Related Articles . 25
  2.6 Authors and Primary Editors . 25
  2.7 References . 25

3 Clickjacking Defense Cheat Sheet . 26
  3.1 Introduction . 26
  3.2 Defending with Content Security Policy frame-ancestors directive . 26
  3.3 Defending with X-Frame-Options Response Headers . 26
  3.4 Best-for-now Legacy Browser Frame Breaking Script . 28
  3.5 window.confirm() Protection . 29
  3.6 Non-Working Scripts . 29
  3.7 Authors and Primary Editors . 32
  3.8 References . 32

4 C-Based Toolchain Hardening Cheat Sheet . 34
  4.1 Introduction . 34
  4.2 Actionable Items . 34
  4.3 Build Configurations . 34
  4.4 Library Integration . 36
  4.5 Static Analysis . 37
  4.6 Platform Security . 38
  4.7 Authors and Editors . 38
  4.8 References . 38

5 Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet . 40
  5.1 Introduction . 40
  5.2 Prevention Measures That Do NOT Work . 40
  5.3 General Recommendation: Synchronizer Token Pattern . 41
  5.4 CSRF Prevention without a Synchronizer Token . 44
  5.5 Client/User Prevention . 45
  5.6 No Cross-Site Scripting (XSS) Vulnerabilities . 45
  5.7 Authors and Primary Editors . 46
  5.8 References . 46

6 Cryptographic Storage Cheat Sheet . 47
  6.1 Introduction . 47
  6.2 Providing Cryptographic Functionality . 47
  6.3 Related Articles . 52
  6.4 Authors and Primary Editors . 52
  6.5 References . 52

7 DOM based XSS Prevention Cheat Sheet . 54
  7.1 Introduction . 54
  7.2 Guidelines for Developing Secure Applications Utilizing JavaScript . 59
  7.3 Common Problems Associated with Mitigating DOM Based XSS . 62
  7.4 Authors and Contributing Editors . 63
  7.5 References . 64

8 Forgot Password Cheat Sheet . 65
  8.1 Introduction . 65
  8.2 The Problem . 65
  8.3 Steps . 65
  8.4 Authors and Primary Editors . 66
  8.5 References . 66

9 HTML5 Security Cheat Sheet . 67
  9.1 Introduction . 67
  9.2 Communication APIs . 67
  9.3 Storage APIs . 69
  9.4 Geolocation . 70
  9.5 Web Workers . 70
  9.6 Sandboxed frames . 70
  9.7 Offline Applications . 71
  9.8 Progressive Enhancements and Graceful Degradation Risks . 71
  9.9 HTTP Headers to enhance security . 71
  9.10 Authors and Primary Editors . 72
  9.11 References . 72

10 Input Validation Cheat Sheet . 73
  10.1 Introduction . 73
  10.2 Authors and Primary Editors . 74
  10.3 References . 74

11 JAAS Cheat Sheet . 75
  11.1 Introduction . 75
  11.2 Related Articles . 78
  11.3 Disclosure . 78
  11.4 Authors and Primary Editors . 79
  11.5 References . 79

12 Logging Cheat Sheet . 80
  12.1 Introduction . 80
  12.2 Purpose . 80
  12.3 Design, implementation and testing . 81
  12.4 Deployment and operation . 87
  12.5 Related articles . 89
  12.6 Authors and Primary Contributors . 89
  12.7 References . 89

13 .NET Security Cheat Sheet . 91
  13.1 Introduction . 91
  13.2 .NET Framework Guidance . 91
  13.3 ASP.NET Web Forms Guidance . 92
  13.4 ASP.NET MVC Guidance . 95
  13.5 XAML Guidance . 96
  13.6 Windows Forms Guidance . 96
  13.7 WCF Guidance . 96
  13.8 Authors and Primary Editors . 96
  13.9 References . 96

14 Password Storage Cheat Sheet . 98
  14.1 Introduction . 98
  14.2 Guidance . 98
  14.3 Related Articles . 101
  14.4 Authors and Primary Editors . 101
  14.5 References . 101

15 Pinning Cheat Sheet . 102
  15.1 Introduction . 102
  15.2 What's the problem? . 102
  15.3 What Is Pinning? . 102
  15.4 What Should Be Pinned? . 103
  15.5 Examples of Pinning . 104
  15.6 Related Articles . 105
  15.7 Authors and Editors . 105
  15.8 References . ..


Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 315
