[Owasp-guide] Mistake in Authentication document

Andrew van der Stock vanderaj at owasp.org
Mon Nov 24 11:48:16 EST 2008


Sandeep,

Thanks for the offer, and sorry for the delay.

Following the same process as for session management (see the other  
mail), can I get you to please look at the Database Security chapter?

Remember - this is about what to DO if you're a dev, dev lead, or  
architect. It's nothing at all about SQL injection or direct object  
references as that's dealt with in other places. This is HOW to write  
SAFE database interfaces and queries. In particular, I'm going to be  
relatively hard core - the day of dynamic queries has passed. OWASP  
is going to take a stand against them as they are practically  
impossible to make safe.

The basic outline should be:

* Architectural Goals (uninjectable interfaces only should be the  
primary effort)
   - Common DAO pattern - data access should be in one place only
   - Strong typing for SQL - do not use VARCHAR for everything
   - Perform input validation prior to sending data to the database  
(look up SQL truncation attacks before you write this section)
   - Don't trust data from existing databases
   - Use a low privilege account to access the database
   - Connection strings should be outside the code, and stored  
securely (use ESAPI's encrypted configuration)
   - Ensure error handling and logging is adequate upon query failure
   - Pass identity in queries for traceability
   - Verify access control prior to performing query (link to access  
control chapter, do not repeat heavily)
* Writing safe parameterized queries
* Writing safe stored procedures
* Writing safe Active Record (RoR, others)
* Using ORMs (Hibernate, Spring) safely
* Encrypting PII in the database (use ESAPI for this)
* Things NOT to do
    - Use dynamic queries
* References
   - ADSR node for SQL injection
   - Code Review Guide for SQL injection
   - Testing Guide for SQL injection
   - Top 10 2007 #A2
   - Scrubbr (I'll provide more info on this as time goes on)

All code examples should use ESAPI if possible, but if not, use the  
most well known version in your preferred language. The code must be  
literate - i.e. easily understood by others who are unfamiliar with  
your platform. If your platform is PHP, please use PDO rather than  
another PECL extension or PEAR library.

Again, please do not delete the old content yet - just move it to the  
bottom of the page. We'll clean that up later once the new material  
has been written as folks may need the old material until the new  
material is in place.

Let me know if you need any help. I will check up on a weekly basis  
and see how you're going.

thanks,
Andrew

On Sep 6, 2008, at 11:09 PM, Sandeep Singh Nain wrote:

> Hi Andrew
>
> I am willing to help you out in this. Please let me know if I can be  
> of any help?
>
> Regards
> Sandeep
>
>
> On Sat, Sep 6, 2008 at 1:56 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
> Thanks - we'll adjust it in the Wiki, which is about to start  
> getting a lot of attention.
>
> I'm dedicating Wednesday and Friday mornings to editing the Guide.
>
> Anyone else want to help?
>
> thanks,
> Andrew
>
>
>
> On Sep 5, 2008, at 9:46 AM, Danilo Nascimento wrote:
>
> Hi Guys!
>
> When i was reading the OWASPGuide2.0.1 i found a mistake in
> Authentication document,
> the php code sample in "Multiple Key Lookups" is actually the php code
> sample for "Referer Checks".
>
>
> The code below appears twice:
>
> PHP
> if ( $_SERVER['HTTP_REFERER'] != 'http://www.example.com/index.php' ) {
>      throw …
> }
>
>
> Regards,
> Danilo Nascimento
> _______________________________________________
> Owasp-guide mailing list
> Owasp-guide at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-guide
>
>
> thanks,
> Andrew van der Stock
> Lead Author, OWASP Guide and OWASP Top 10


thanks,
Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10
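As an added illustration of the chapter checklist above (not code from the Guide or from anyone on this thread), here is the pattern in Python's standard sqlite3 module rather than ESAPI: one DAO that holds all SQL, validates type and length before the value reaches the database (the truncation concern), binds parameters instead of building query text, records the requesting identity for traceability, and logs on failure. The schema, rows and the `svc-web` identity are constructed for the example.

```python
import logging
import sqlite3

# Constructed schema and rows so the example runs offline on an in-memory DB.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username VARCHAR(32) UNIQUE, role TEXT);
CREATE TABLE audit (requested_by TEXT, action TEXT, target TEXT);
INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user');
"""
USERNAME_MAX_LEN = 32  # same width as the column: reject before the DB could truncate
log = logging.getLogger("dao")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


class UserDao:
    """The only place that issues SQL against the users table."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_username(self, username, requested_by):
        # Validate type, length and character set before anything reaches the DB.
        if not isinstance(username, str) or not username.isprintable():
            raise ValueError("username must be printable text")
        if not 1 <= len(username) <= USERNAME_MAX_LEN:
            raise ValueError("username length out of range")
        try:
            with self.conn:  # one transaction: traceability record plus the lookup
                self.conn.execute(
                    "INSERT INTO audit (requested_by, action, target) VALUES (?, ?, ?)",
                    (requested_by, "find_by_username", username),
                )
                # Bound parameter: the value travels as data, never spliced into SQL text.
                row = self.conn.execute(
                    "SELECT id, username, role FROM users WHERE username = ?", (username,)
                ).fetchone()
        except sqlite3.Error as exc:
            log.error("find_by_username failed for requester=%s: %s", requested_by, exc)
            raise
        return dict(row) if row else None

    def audit_trail(self):
        return [dict(r) for r in self.conn.execute("SELECT * FROM audit")]
```

A username containing quote characters is compared literally and simply matches no row, while an over-length value is rejected before any query is issued.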
