GU GCIS 504 - A Guide to Building Secure Web Applications

A Guide to Building Secure Web Applications: The Open Web Application Security Project

by Mark Curphey, David Endler, William Hau, Steve Taylor, Tim Smith, Alex Russell, Gene McKenna, Richard Parke, Kevin McLaughlin, Nigel Tranter, Amit Klien, Dennis Groves, Izhar By-Gad, Sverre Huseby, Martin Eizner, Martin Eizner, and Roy McNamara

Published Mon Sept 11 15:23:02 CDT 2002

Copyright © 2002 The Open Web Application Security Project (OWASP). All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation.

Table of Contents

I. A Guide to Building Secure Web Applications
  1. Introduction
    Foreword ..... 2
      About OWASP ..... 2
      Purpose Of This Document ..... 2
      Intended Audience ..... 3
      How to Use This Document ..... 3
      What This Document Is Not ..... 3
      How to Contribute ..... 3
      Future Content ..... 3
  2. Overview
    What Are Web Applications? ..... 5
    What Are Web Services? ..... 6
  3. How Much Security Do You Really Need? ..... 7
    What are Risks, Threats and Vulnerabilities? ..... 7
      Measuring the Risk ..... 8
  4. Security Guidelines
    Validate Input and Output ..... 10
    Fail Securely (Closed) ..... 10
    Keep it Simple ..... 10
    Use and Reuse Trusted Components ..... 10
    Defense in Depth ..... 10
    Only as Secure as the Weakest Link ..... 10
    Security By Obscurity Won't Work ..... 11
    Least Privilege ..... 11
    Compartmentalization (Separation of Privileges) ..... 11
  5. Architecture
    General Considerations ..... 12
      Security from the Operating System ..... 14
      Security from the Network Infrastructure ..... 14
  6. Authentication
    What is Authentication? ..... 16
      Types of Authentication ..... 16
      Browser Limitations ..... 16
      HTTP Basic ..... 16
      HTTP Digest ..... 16
      Forms Based Authentication ..... 17
      Digital Certificates (SSL and TLS) ..... 18
      Entity Authentication ..... 18
      Infrastructure Authentication ..... 19
      Password Based Authentication Systems ..... 19
  7. Managing User Sessions
    Cookies ..... 22
      Persistent vs. Non-Persistent ..... 22
      Secure vs. Non-Secure