diff --git a/.github/ISSUE_TEMPLATE/content.md b/.github/ISSUE_TEMPLATE/content.md
new file mode 100644
index 00000000..48622967
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/content.md
@@ -0,0 +1,16 @@
+---
+name: Create content
+about: Suggest content for the Developer Guide
+title: 'Provide content'
+labels: 'content'
+assignees: ''
+
+---
+
+**Describe what content should be added** :
+
+
+**Context** :
+Section: (eg '02-foundations/03-security-principles')
+
+
diff --git a/.github/ISSUE_TEMPLATE/request.md b/.github/ISSUE_TEMPLATE/request.md
new file mode 100644
index 00000000..36bccddf
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/request.md
@@ -0,0 +1,16 @@
+---
+name: Change request
+about: Suggest a change for the Developer Guide
+title: ''
+labels: 'enhancement'
+assignees: ''
+
+---
+
+**Describe what change you would like** :
+
+
+**Context** :
+Section: (eg '02-foundations/03-security-principles')
+
+
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..d7812cdd
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: ".github/workflows"
+ schedule:
+ interval: "monthly"
+ groups:
+ version-update:
+ applies-to: version-updates
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ security-update:
+ applies-to: security-updates
+ patterns:
+ - "*"
+ update-types:
+ - "patch"
+ - "minor"
diff --git a/.github/funding.yaml b/.github/funding.yaml
new file mode 100644
index 00000000..b5fe0f5e
--- /dev/null
+++ b/.github/funding.yaml
@@ -0,0 +1,2 @@
+custom: https://owasp.org/donate/?reponame=www-project-developer-guide&title=OWASP+Developer+Guide
+github: OWASP
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..dcbde2b6
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,29 @@
+**Summary** :
+
+If this closes an existing issue then add "closes #xxxx", where xxxx is the issue number
+
+**Description for the changelog** :
+
+
+**Declaration**:
+
+- [ ] content meets the [license](../license.txt) for this project
+- [ ] AI has not been used, or has been declared, in this pull request
+
+**Other info** :
+
+
+Thanks for submitting a pull request!
+
+Please make sure you follow our [Code of Conduct](../code_of_conduct.md)
+and our [contributing guidelines](../contributing.md)
+
+Automated tests are run to check links, markdown and spelling
+
+The pull request must pass these tests before it can be merged
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 00000000..158d2f05
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,180 @@
+name: CI pipeline
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+permissions:
+ contents: write
+
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+ link_checker:
+ name: Link checker
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Link Checker
+ uses: lycheeverse/lychee-action@v2.6.1
+ with:
+ args: >-
+ --no-progress
+ --max-retries 1
+ --retry-wait-time 10
+ --max-concurrency 2
+ '**/*.md'
+ '*.md'
+ fail: true
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ md_linter:
+ name: Lint web doc
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Lint markdown
+ uses: DavidAnson/markdownlint-cli2-action@v20.0.0
+ with:
+ config: '.markdownlint.yaml'
+ globs: |
+ docs/**/*.md
+ docs/*.md
+ *.md
+
+ spell_checker:
+ name: Check spelling
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Spell check EN language
+ uses: rojopolis/spellcheck-github-actions@0.52.0
+ with:
+ config_path: .spellcheck-en.yaml
+
+ - name: Spell check ES language
+ uses: rojopolis/spellcheck-github-actions@0.52.0
+ with:
+ config_path: .spellcheck-es.yaml
+
+ # rojopolis/spellcheck-github-actions does not support PT-BR,
+ # only PT, and PT-BR is too different to pass a PT spellcheck
+ - name: Set up Python for PT-BR
+ uses: actions/setup-python@v6.0.0
+ with:
+ python-version: '3.10'
+
+ - name: Install pyspelling for PT-BR
+ run: |
+ python -m pip install --upgrade pip setuptools
+ python -m pip install pyspelling
+ sudo apt-get install aspell aspell-pt
+
+ - name: Spell check PT-BR language
+ run: |
+ python -m pyspelling --config .spellcheck-pt-br.yaml
+
+ deploy:
+ name: Deploy web doc
+ runs-on: ubuntu-latest
+ needs: [md_linter, spell_checker]
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Install python
+ uses: actions/setup-python@v6.0.0
+ with:
+ python-version: 3.x
+
+ - name: Install python packages
+ run: |
+ python -m pip install --upgrade pip setuptools wheel
+ pip install mkdocs
+ pip install mkdocs-material
+ pip install mkdocs-open-in-new-tab
+ pip install mkdocs-with-pdf
+
+ - name: Copy contributing tab files
+ run: |
+ cp code_of_conduct.md docs/.
+ cp contributing.md docs/.
+ cp license.txt docs/.
+
+ - name: Build check
+ run: mkdocs build
+
+ - name: Deploy
+ run: mkdocs gh-deploy --force --verbose
+
+ export_pdf:
+ name: Export PDFs
+ runs-on: ubuntu-latest
+ needs: [md_linter, spell_checker]
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Install python
+ uses: actions/setup-python@v6.0.0
+ with:
+ python-version: 3.x
+
+ - name: Install python packages
+ run: |
+ python -m pip install --upgrade pip setuptools wheel
+ pip install mkdocs
+ pip install mkdocs-material
+ pip install mkdocs-open-in-new-tab
+ pip install mkdocs-with-pdf
+
+ - name: Build check
+ run: mkdocs build
+
+ - name: Create EN PDF
+ run: mkdocs build --config-file mkdocs-pdf-en.yaml
+
+ - name: Upload EN PDF
+ uses: actions/upload-artifact@v4.6.2
+ with:
+ name: pdf-export-en
+ path: site/OWASP_Developer_Guide.pdf
+
+ - name: Create ES PDF
+ run: mkdocs build --config-file mkdocs-pdf-es.yaml
+
+ - name: Upload ES PDF
+ uses: actions/upload-artifact@v4.6.2
+ with:
+ name: pdf-export-es
+ path: site/OWASP_Developer_Guide-ES.pdf
+
+ - name: Create FA PDF
+ run: mkdocs build --config-file mkdocs-pdf-fa.yaml
+
+ - name: Upload FA PDF
+ uses: actions/upload-artifact@v4.6.2
+ with:
+ name: pdf-export-fa
+ path: site/OWASP_Developer_Guide-FA.pdf
+
+ - name: Create PT-BR PDF
+ run: mkdocs build --config-file mkdocs-pdf-pt-br.yaml
+
+ - name: Upload PT-BR PDF
+ uses: actions/upload-artifact@v4.6.2
+ with:
+ name: pdf-export-pt-br
+ path: site/OWASP_Developer_Guide-PT-BR.pdf
diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml
new file mode 100644
index 00000000..fc72c7fb
--- /dev/null
+++ b/.github/workflows/housekeeping.yaml
@@ -0,0 +1,73 @@
+name: Housekeeping
+# checks are on all directories
+
+on:
+ # Run daily at 6:15
+ schedule:
+ - cron: '15 6 * * *'
+ workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+ chores:
+ name: Tidy workflows
+ runs-on: ubuntu-24.04
+ permissions:
+ actions: write
+
+ steps:
+ - name: Delete stale workflow runs
+ uses: Mattraks/delete-workflow-runs@v2.0.6
+ with:
+ token: ${{ github.token }}
+ repository: ${{ github.repository }}
+ retain_days: 28
+ keep_minimum_runs: 10
+
+ - name: Delete unused workflows
+ uses: otto-de/purge-deprecated-workflow-runs@v3.0.4
+ with:
+ token: ${{ github.token }}
+
+ link_checker:
+ name: Link checker
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Link Checker
+ uses: lycheeverse/lychee-action@v2.6.1
+ with:
+ # skip the jekyll files under '_includes' directory, check all other directories
+ args: >-
+ --no-progress
+ --max-retries 1
+ --retry-wait-time 10
+ --max-concurrency 2
+ '**/*.md'
+ '*.md'
+ fail: true
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ stale:
+ name: Tidy pull requests
+ runs-on: ubuntu-24.04
+ permissions:
+ pull-requests: write
+ issues: write
+
+ steps:
+ - name: Tidy stale PRs and issues
+ uses: actions/stale@v10.1.0
+ with:
+ days-before-issue-stale: 183
+ days-before-issue-close: -1
+ stale-issue-message: 'This issue is stale because it has been open for 6 months with no activity.'
+ stale-issue-label: stale
+ remove-issue-stale-when-updated: true
+ days-before-pr-stale: 42
+ days-before-pr-close: 7
+ stale-pr-message: 'This PR is stale because it has been open 42 days with no activity. Remove stale label, or add a comment, otherwise it will be closed in 7 days.'
+ close-pr-message: 'This PR was closed because it has been stalled for 8 weeks with no activity.'
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
new file mode 100644
index 00000000..c868bfd5
--- /dev/null
+++ b/.github/workflows/pr.yaml
@@ -0,0 +1,157 @@
+name: Pull request pipeline
+
+on:
+ pull_request:
+ branches:
+ - main
+ workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+ link_checker:
+ name: Link checker
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Link Checker
+ uses: lycheeverse/lychee-action@v2.6.1
+ with:
+ args: >-
+ --no-progress
+ --max-retries 1
+ --retry-wait-time 10
+ --max-concurrency 2
+ '**/*.md'
+ '*.md'
+ fail: true
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ md_linter:
+ name: Lint markdown
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Lint markdown
+ uses: DavidAnson/markdownlint-cli2-action@v20.0.0
+ with:
+ config: '.markdownlint.yaml'
+ globs: |
+ docs/**/*.md
+ docs/*.md
+ *.md
+
+ spell_checker_en:
+ name: Check EN spelling
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Spell check EN language
+ uses: rojopolis/spellcheck-github-actions@0.52.0
+ with:
+ config_path: .spellcheck-en.yaml
+
+ spell_checker_es:
+ name: Check ES spelling
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Spell check ES language
+ uses: rojopolis/spellcheck-github-actions@0.52.0
+ with:
+ config_path: .spellcheck-es.yaml
+
+ spell_checker_pt-br:
+ name: Check PT-BR spelling
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ # rojopolis/spellcheck-github-actions does not support PT-BR,
+ # only PT, and PT-BR is too different to pass a PT spellcheck
+ - name: Set up Python
+ uses: actions/setup-python@v6.0.0
+ with:
+ python-version: '3.10'
+
+ - name: Install pyspelling
+ run: |
+ python -m pip install --upgrade pip setuptools
+ python -m pip install pyspelling
+ sudo apt-get install aspell aspell-pt
+
+ - name: Spell check PT-BR release
+ run: |
+ python -m pyspelling --config .spellcheck-pt-br.yaml
+
+ build_check:
+ name: Build check
+ runs-on: ubuntu-24.04
+ needs: [md_linter, spell_checker_en, spell_checker_es, spell_checker_pt-br]
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Install python
+ uses: actions/setup-python@v6.0.0
+ with:
+ python-version: 3.x
+
+ - name: Install python packages
+ run: |
+ python -m pip install --upgrade pip setuptools wheel
+ pip install mkdocs
+ pip install mkdocs-material
+ pip install mkdocs-open-in-new-tab
+ pip install mkdocs-with-pdf
+
+ - name: Copy contributing tab files
+ run: |
+ cp code_of_conduct.md docs/.
+ cp contributing.md docs/.
+ cp license.txt docs/.
+
+ - name: Build docs
+ run: mkdocs build
+
+ export_pdf:
+ name: Export PDFs
+ runs-on: ubuntu-24.04
+ needs: [build_check]
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Install python
+ uses: actions/setup-python@v6.0.0
+ with:
+ python-version: 3.x
+
+ - name: Install python packages
+ run: |
+ python -m pip install --upgrade pip setuptools wheel
+ pip install mkdocs
+ pip install mkdocs-material
+ pip install mkdocs-open-in-new-tab
+ pip install mkdocs-with-pdf
+
+ - name: Build pdf for EN
+ run: mkdocs build --config-file mkdocs-pdf-en.yaml
+
+ - name: Build pdf for ES
+ run: mkdocs build --config-file mkdocs-pdf-es.yaml
+
+ - name: Build pdf for FA
+ run: mkdocs build --config-file mkdocs-pdf-fa.yaml
+
+ - name: Build pdf for PT-BR
+ run: mkdocs build --config-file mkdocs-pdf-pt-br.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 00000000..c09db037
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,70 @@
+name: Release docs
+# checks are only on the draft directory because the release directory will be overwritten
+
+on:
+ push:
+ # tagged x.x.x releases as well as release candidates
+ tags:
+ - ?.?.?*
+ workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+ export_pdf:
+ name: Export PDF
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v5.0.0
+
+ - name: Install python
+ uses: actions/setup-python@v6.0.0
+ with:
+ python-version: 3.x
+
+ - name: Install python packages
+ run: |
+ python -m pip install --upgrade pip setuptools wheel
+ pip install mkdocs
+ pip install mkdocs-material
+ pip install mkdocs-open-in-new-tab
+ pip install mkdocs-with-pdf
+
+ - name: Build
+ run: mkdocs build
+
+ - name: Upload PDF
+ uses: actions/upload-artifact@v4.6.2
+ with:
+ name: 'pdf-export'
+ path: 'site/OWASP_Developer_Guide.pdf'
+
+ draft_release:
+ name: Create draft release
+ runs-on: ubuntu-24.04
+ needs: [export_pdf]
+ steps:
+ - name: Check out
+ uses: actions/checkout@v5.0.0
+
+ - name: Fetch prepared SBOM artifacts
+ uses: actions/download-artifact@v5.0.0
+ with:
+ name: 'pdf-export'
+ path: 'site/OWASP_Developer_Guide.pdf'
+
+ - name: Prepare release notes
+ run: |
+ releaseVersion=${{ github.ref_name }}
+ sed -e s/x.x.x/${releaseVersion:1}/g .release-note-template.md > ./release-notes.txt
+
+ - name: Create release notes
+ uses: softprops/action-gh-release@v2.3.3
+ with:
+ draft: true
+ name: "${releaseVersion:1}"
+ append_body: true
+ body_path: ./release-notes.txt
+ generate_release_notes: true
+ files: |
+ site/OWASP_Developer_Guide.pdf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..b7b756bd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,61 @@
+# uses allow-list, so ignore everything
+*
+
+# project files
+!.lintcheck.yaml
+!.lycheeignore
+!.markdownlint.yaml
+!.spellcheck*.yaml
+!.wordlist*.txt
+!mkdocs*.yaml
+!CNAME
+!*.md
+!license.txt
+
+# allow github, workflows and templates
+!.github/
+!.github/*.yaml
+!.github/issue_template/
+!.github/issue_template/*.md
+!.github/workflows/
+!.github/workflows/*.yaml
+!.gitignore
+
+# docs site
+!docs/
+!docs/index.md
+!docs/assets/
+!docs/assets/images/
+!docs/assets/images/*.png
+!docs/assets/images/logos/
+!docs/assets/images/logos/*.png
+!docs/en/
+!docs/en/index.md
+!docs/en/**/
+!docs/en/**/*.md
+!docs/es/
+!docs/es/index.md
+!docs/es/**/
+!docs/es/**/*.md
+!docs/fa/
+!docs/fa/index.md
+!docs/fa/**/
+!docs/fa/**/*.md
+!docs/hi/
+!docs/hi/index.md
+!docs/hi/**/
+!docs/hi/**/*.md
+!docs/pt-br/
+!docs/pt-br/index.md
+!docs/pt-br/**/
+!docs/pt-br/**/*.md
+!docs/fa/
+!docs/fa/index.md
+!docs/fa/**/
+!docs/fa/**/*.md
+!docs/CNAME
+
+# ignore symbolic links
+docs/license.txt
+docs/code_of_conduct.md
+docs/contributing.md
diff --git a/.lycheeignore b/.lycheeignore
new file mode 100644
index 00000000..ab13e9cf
--- /dev/null
+++ b/.lycheeignore
@@ -0,0 +1,36 @@
+# ignore these false positives from the link checker housekeeper
+
+# some sites that are examples only, no intention of being real
+myfriend.site.com/
+
+# Lockheed Martin has trouble with SSL certificates, temporarily ignore
+www.lockheedmartin.com
+
+# github gets upset if too many requests are made to create new issues
+github.com/OWASP/DevGuide/issues/new
+github.com/OWASP/DevGuide/pulls
+
+# at times github gets upset full stop
+github.com
+
+# ignore LINDDUN site because it occasionally times out
+www.linddun.org/
+
+# automated access to esapi is forbidden
+mvnrepository.com/artifact/org.owasp.esapi/esapi
+
+# do not harass dockerhub
+hub.docker.com/r/bkimminich/juice-shop
+hub.docker.com/r/pygoat/pygoat
+hub.docker.com/r/owasp/threat-dragon/tags
+hub.docker.com/r/securityrat/securityrat
+hub.docker.com/r/webgoat/webgoat
+
+# Google drive tends to need permissions that the link checker does not have
+drive.google.com/
+
+# SAMM training site blocks automated access
+owaspsamm.thinkific.com/courses/samm
+
+# the BLT site blocks bots
+owaspblt.org
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
new file mode 100644
index 00000000..bbff44d4
--- /dev/null
+++ b/.markdownlint.yaml
@@ -0,0 +1,17 @@
+---
+no-trailing-punctuation: false
+no-inline-html: false
+first-line-heading: false
+link-fragments: false
+
+# MD013 - Line length
+MD013:
+ code_block_line_length: 125
+ code_blocks: true
+ heading_line_length: 100
+ headings: true
+ line_length: 125
+ stern: true
+ strict: false
+ tables: true
+
diff --git a/.spellcheck-en.yaml b/.spellcheck-en.yaml
new file mode 100644
index 00000000..a0f8c78e
--- /dev/null
+++ b/.spellcheck-en.yaml
@@ -0,0 +1,22 @@
+matrix:
+- name: Markdown
+ aspell:
+ lang: en
+ d: en_US
+ dictionary:
+ wordlists:
+ - .wordlist-en.txt
+ output: wordlist.dic
+ encoding: utf-8
+ pipeline:
+ - pyspelling.filters.markdown:
+ - pyspelling.filters.html:
+ comments: false
+ ignores:
+ - code
+ - pre
+ sources:
+ - 'docs/en/**/*.md'
+ - 'docs/*.md'
+ - '*.md'
+ default_encoding: utf-8
diff --git a/.spellcheck-es.yaml b/.spellcheck-es.yaml
new file mode 100644
index 00000000..ec509e71
--- /dev/null
+++ b/.spellcheck-es.yaml
@@ -0,0 +1,20 @@
+matrix:
+- name: Markdown
+ aspell:
+ lang: es
+ dictionary:
+ wordlists:
+ - .wordlist-es.txt
+ output: wordlist.dic
+ encoding: utf-8
+ pipeline:
+ - pyspelling.filters.markdown:
+ - pyspelling.filters.html:
+ comments: false
+ ignores:
+ - code
+ - pre
+ sources:
+ - 'docs/es/**/*.md'
+ - 'docs/es/*.md'
+ default_encoding: utf-8
diff --git a/.spellcheck-pt-br.yaml b/.spellcheck-pt-br.yaml
new file mode 100644
index 00000000..c97d4065
--- /dev/null
+++ b/.spellcheck-pt-br.yaml
@@ -0,0 +1,20 @@
+matrix:
+- name: Markdown
+ aspell:
+ lang: pt_BR
+ dictionary:
+ wordlists:
+ - .wordlist-pt-br.txt
+ output: wordlist.dic
+ encoding: utf-8
+ pipeline:
+ - pyspelling.filters.markdown:
+ - pyspelling.filters.html:
+ comments: false
+ ignores:
+ - code
+ - pre
+ sources:
+ - 'docs/pt-br/**/*.md'
+ - 'docs/pt-br/*.md'
+ default_encoding: utf-8
diff --git a/.wordlist-en.txt b/.wordlist-en.txt
new file mode 100644
index 00000000..837786d6
--- /dev/null
+++ b/.wordlist-en.txt
@@ -0,0 +1,565 @@
+ACM
+AEAD
+AES
+APIT
+APIs
+APK
+ARP
+ASVS
+AUTH
+Adoptium
+Amauri
+Analyser
+Andra
+Andreas
+AngularJS
+AppArmor
+AppSec
+AppSensor
+Arithmatex
+Atlassian
+BOLA
+BOM
+BOMs
+BOPLA
+BOV
+BetterEm
+Bizerra
+Bluesky
+Brømsø
+CAPEC
+CCM
+CEC
+CFB
+CISO
+CMS
+CMSeeK
+COE
+CP
+CPE
+CRL
+CRS
+CSP
+CSPRNG
+CSRF
+CSRFGuard
+CSV
+CTF
+CVE
+CVEs
+CVSS
+CWE
+Canonicalisation
+Cavalcanti
+ChaCha
+ChartMuseum
+Cheatsheet
+Cheatsheets
+ClickJacking
+Clickjacking
+CodeQL
+Copi
+Coraza
+Crackmes
+Cryptographic
+Customizable
+CycloneDX
+DAST
+DCT
+DES
+DNS
+DOM
+DPO
+DRM
+DSS
+DefectDojo
+DevGuide
+DevOps
+DevSecOps
+Diffie
+DoS
+DocX
+DockerHub
+Dojo
+Don'ts
+Dont's
+DotNet
+DrHEADer
+Dracon
+ECB
+EE
+ENISA
+ESAPI
+Ebihara
+Ecommerce
+Elie
+EscapeAll
+Exploitability
+FIPS
+FV
+Flaxman
+GCM
+GCP
+GDPR
+GHSL
+GRC
+GRPC
+Gasteratos
+GitHub
+Gitleaks
+Gradle
+GraphQL
+Graphviz
+HAPI
+HAProxy
+HBOM
+HMAC
+HSM
+Haan
+Happe
+IAM
+IAST
+IDOR
+IIS
+IPC
+InlineHilite
+Istio
+JA
+JDK
+JEA
+JIRA
+JIT
+JSON
+JSONP
+JSP
+JSR
+JWA
+JWKS
+JWT
+JWTs
+Janca
+JavaEE
+JavaScript
+Johan
+Joomla
+KDF
+KMS
+Katana
+Keyczar
+Kube
+Kubeaudit
+Kubernetes
+Kulkarni
+LDAP
+LF
+LFD
+LINDDUN
+LINNDUN
+LLM
+LSMs
+Laravel
+Lezza
+LifeCycle
+Lifecycle
+MACs
+MASTG
+MASVS
+MASWE
+MBOM
+MITRE
+MITRE's
+MOBI
+MSTG
+MacOS
+Macdonald
+MagicLink
+Matteo
+Microservices
+Misconfiguration
+MLSec
+ModSecurity
+Multifactor
+NIST
+NVD
+Namespaces
+Ncrack
+Nettacker
+Nginx
+Nikto
+Nmap
+NoSQL
+Node.js
+NodeJS
+NuGets
+OAuth
+OBOM
+ODF
+OFB
+OOXML
+OSHP
+OSS
+OTMP
+OWASP
+OWASP's
+OWTF
+Okta
+Oliveira
+OpenAPI
+OpenCRE
+OpenID
+OpenJDK
+PCI
+PDFs
+PDR
+PID
+PIDs
+PKI
+PKIX
+PRNG
+PathConverter
+PlantUML
+Playbook
+Porreca
+ProgressBar
+PyGoat
+PyPi
+PySpelling
+PyYAML
+Pythonic
+README
+RRA
+RSA
+RansomWare
+Recx
+Riccardo
+Roxana
+Ruleset
+SAFEcode
+SAML
+SAMM
+SAMMwise
+SAST
+SBOM
+SBOMs
+SBT
+SCA
+SCM
+SCP
+SDA
+SDC
+SDLC
+SDLCs
+SECCOMP
+SELinux
+SFL
+SIEM
+SKF
+SL
+SLD
+SMS
+SNYK
+SPOA
+SSDLC
+SSL
+SSLyze
+SSO
+SSP
+SSRF
+SSV
+SVG
+SaaSBOM
+Saad
+SamuraiWTF
+SaneHeaders
+Screenshooter
+SecurityCAT
+SecurityHeaders
+SecurityRAT
+Sehgal
+Semgrep
+Serverless
+Shiro
+Shostack
+Shostack's
+Shruti
+Skipenes
+SmartSymbols
+Sonatype
+Spyros
+Starov
+StripHTML
+SuperFences
+Sydseter
+Symfony
+TCP
+TLS
+TOCTOU
+TPM
+TPS
+Tasklist
+Tesauro
+Threagile
+Tink
+ToC
+Trivy
+TrustWave
+UEFI
+UI
+URDP
+UTF
+UUID
+UnCrackable
+Unvalidated
+VDR
+VM
+VPN
+VPNs
+VSD
+VWAD
+Vandana
+VerSprite
+VerSprite's
+Verma
+VirtualBox
+Volkman
+VulnDB
+WAF
+WASM
+WEBDav
+WHATWG
+WPScan
+WSTG
+Wayfinder
+WebDAV
+WebGoat
+WebGoat's
+WebHook
+WebSQL
+WebView
+WebWolf
+Whatweb
+Wordlist
+Wordpress
+WrongSecrets
+XML
+XSS
+XXE
+YAML
+Yuuki
+ZH
+aSemy
+ai
+algorithmically
+alirezakkt
+allowlist
+angularjs
+api
+architected
+asvs
+backdoors
+backend
+backrefs
+baselining
+blt
+br
+bracex
+bruteforcing
+caddy
+canonicalization
+centric
+cgroup
+cgroups
+cheatsheets
+checksums
+chrooted
+ciphertext
+clickjacking
+codebox
+codefences
+config
+coraza
+crs
+crypto
+cryptographic
+cryptographically
+cryptosystems
+csp
+csrf
+csrfguard
+customizable
+cyber
+cybersecurity
+cybersquatting
+cyclonedx
+dast
+dataflow
+dataflows
+de
+declutter
+decrypt
+decrypts
+deduplication
+defacto
+defectdojo
+deliverables
+dependabot
+deserialization
+deserialize
+deserializes
+deserializing
+dev
+devguide
+devsecops
+devsite
+doggo
+dojo
+donts
+dracon
+ePub
+eXchange
+edumco
+encodings
+endif
+enum
+eop
+esapi
+executables
+exfiltrate
+exfiltration
+facelessuser
+faq
+ffuf
+filesystem
+frontend
+frontends
+gamification
+gamifies
+gamify
+git
+github
+gitlab
+gmail
+golang
+hardcode
+hostnames
+hsecscan
+html
+http
+https
+iFrame
+incrementing
+integrations
+intel
+interoperate
+io
+ip
+iteratively
+javascript
+js
+json
+kali
+kalikali
+katana
+kubernetes
+lifecycle
+lifecycles
+linddun
+linter
+linters
+linux
+localhost
+lxml
+lychee
+mastg
+maswe
+misconfiguration
+mlsec
+mitigations
+modsecurity
+modularized
+namespace
+namespaces
+nettacker
+nightlies
+nist
+npm
+opencre
+oshp
+owasp
+owtf
+pandoc
+parameterization
+parsers
+pentesters
+pentesting
+permalink
+personalization
+plaintext
+pre
+printf
+programmatically
+proscriptive
+px
+pygoat
+pymdown
+pyspelling
+pytm
+rebranding
+referer
+remediations
+repo
+roadmap
+runtime
+runtimes
+samm
+samuraiwtf
+sanitization
+sbates
+scalability
+scalable
+schemas
+scp
+seclang
+secureCodeBox
+serializer
+sexualized
+skf
+socio
+soupsieve
+stacktrace
+strcat
+strcpy
+subcommand
+subcommands
+subdirectories
+subdirectory
+svn
+synchronizer
+templating
+testbed
+testssl
+threatspec
+toolchain
+transactional
+tunable
+txt
+typosquatting
+unencrypted
+unforgeable
+unicode
+unkeyed
+unmanaged
+untrusted
+url
+userland
+waf
+wcmatch
+webapp
+webgoat
+weightage
+writeups
+wrongsecrets
+wstg
+wtf
+www
+xsaero
\ No newline at end of file
diff --git a/.wordlist-es.txt b/.wordlist-es.txt
new file mode 100644
index 00000000..737ccddc
--- /dev/null
+++ b/.wordlist-es.txt
@@ -0,0 +1,544 @@
+AAA
+accederse
+Adoptium
+AES
+ai
+AJAX
+algorítmicamente
+align
+amass
+Amass
+Analyser
+Analysis
+and
+And
+Android
+Ant
+API
+APIs
+APIT
+Application
+ARC
+Assurance
+ASVS
+Atlassian
+Attack
+audit
+AUTH
+automatizable
+Bean
+Benchmark
+Bill
+bin
+BOM
+BOMs
+BOV
+Breaker
+búfer
+búferes
+Buffers
+Builder
+canonicalización
+CAPEC
+catch
+categorizarse
+CBC
+CD
+CFB
+ChartMuseum
+Chat
+Cheat
+Check
+CI
+CIA
+Clickjacking
+Clobbering
+clústeres
+CMS
+CMSeeK
+code
+Code
+CODE
+com
+Common
+Compartmentalization
+compose
+Composition
+concientiza
+confiabilidad
+Connect
+contextualmente
+contramedidas
+Contras
+cookie
+cookies
+CPE
+Credential
+criptográficamente
+criptosistemas
+Cross
+crypto
+CRYPTO
+csp
+CSRF
+CSRFGuard
+CSS
+cstm
+CSV
+CTR
+CVE
+CVEs
+CVSS
+CWE
+Cyber
+CycloneDX
+dashboard
+DAST
+Database
+db
+deduplicación
+Defect
+DefectDojo
+Dependency
+desactualizadas
+desactualizado
+Desactualizados
+descargable
+desencriptación
+desencriptan
+desencriptar
+deserializa
+deserialización
+Deserialización
+deserializan
+despues
+development
+DevOps
+DevSecOps
+diagramación
+diagramática
+diagramáticos
+DIE
+Diffie
+Django
+DNS
+docker
+Docker
+DockerHub
+DocX
+doggo
+Dojo
+DOM
+DoS
+dot
+DotNet
+Dragon
+DrHEADer
+DRM
+DSS
+DVDs
+Dynamic
+ECB
+Elevation
+Elie
+Encoder
+encripta
+encriptación
+Encriptación
+encriptada
+encriptado
+encriptan
+encriptándolo
+end
+engagements
+Enterprise
+enum
+enumeracion
+Enumeration
+ePub
+ESAPI
+escalación
+escaneos
+evaluator
+Exchange
+exploit
+Exploit
+Exploitability
+exploits
+Explotabilidad
+Exposure
+facto
+ffuf
+findings
+FIPS
+firewall
+Flagship
+Flow
+for
+Fortify
+framework
+Framework
+frameworks
+Frameworks
+frontend
+gamifica
+gamificación
+Gasteratos
+GDPR
+Gestionabilidad
+Git
+github
+GitHub
+gitlab
+Gitleaks
+Go
+Gobernanza
+Google
+Gradle
+granularidad
+GraphQL
+Graphviz
+GRC
+Group
+guide
+Hack
+hackers
+HAPI
+hard
+hash
+hashes
+Hashes
+HBOM
+Headers
+Hellman
+Helm
+HOja
+hsecscan
+html
+HTML
+HTTP
+HTTPS
+humble
+Hunter
+IAM
+IAST
+IDOR
+image
+information
+Integration
+intel
+Interactive
+interoperabilidad
+interoperan
+iOS
+issue
+IV
+Janca
+jar
+JAR
+JavaEE
+Javascript
+JDK
+Jenkins
+Joomla
+js
+JSON
+JSR
+Juice
+JWT
+Kali
+KDF
+Keyczar
+Knowledge
+Kube
+Kubeaudit
+Kubernetes
+Ladders
+Laravel
+LDAP
+leaks
+learning
+left
+Left
+LFD
+library
+LINDDUN
+Link
+Lockheed
+Low
+Machine
+MacOS
+MACs
+Main
+malware
+Manejabilidad
+mapeos
+markdown
+Markdown
+MASTG
+MASVS
+MASWE
+Materials
+Matt
+Maturity
+Maven
+MBOM
+merges
+metadatos
+MFA
+Microservicios
+Microsoft
+ML
+MOBI
+Mobile
+model
+Model
+Modeling
+modularizada
+monitorear
+Monitorear
+monitoreo
+Monitoreo
+Mozilla
+MSTG
+multi
+Multi
+Multifactor
+multiplataforma
+Ncrack
+Nettacker
+NETWORK
+newpage
+Nexus
+Nikto
+NIST
+Nmap
+Node
+NodeJS
+NoSQL
+Nótese
+NPM
+Nuclei
+NVD
+OAuth
+OBOM
+Observatory
+of
+Of
+OFB
+Offensive
+on
+Open
+OpenAPI
+OpenCRE
+OpenID
+OpenJDK
+org
+organizacional
+organizacionales
+originadora
+OSHP
+OSS
+OTMP
+OWASP
+OWTF
+pandoc
+parametrización
+Parametrización
+parametrizadas
+parchar
+PCI
+PDF
+pentesters
+PHP
+pipelines
+PKI
+PlantUML
+Platform
+PLATFORM
+PLOT
+plugin
+Plugin
+plugins
+practical
+precompiladas
+preregistrada
+prevenibles
+priorización
+PRIVACY
+Privileges
+proactivamente
+proactivo
+Proactivo
+proactivos
+Proactivos
+programáticamente
+Project
+Protocol
+Proxy
+pull
+Purple
+python
+Python
+Pythónico
+pytm
+Pytm
+Rails
+RansomWare
+RC
+reautenticación
+Recx
+reelaborada
+ref
+refactorización
+referenciado
+regulatorios
+releases
+remediación
+Remediación
+remediaciones
+Repo
+Request
+requests
+RESILIENCE
+resiliencia
+REST
+right
+RRA
+RSA
+Ruby
+Rust
+Saad
+SaaSBOM
+salt
+SAML
+SAMM
+sandbox
+sanitización
+Sanitización
+sanitizadas
+Sanitizer
+SAST
+SBOM
+SBOMs
+SBT
+SCA
+Scan
+Scanner
+SCP
+Screenshooter
+script
+scripts
+SDLC
+Secure
+secureCodeBox
+security
+Security
+SecurityCAT
+SecurityHeaders
+SecurityRAT
+Semgrep
+serializados
+Serverless
+sh
+Sheets
+Shepherd
+shift
+Shift
+Shiro
+Shop
+Shostack
+sincronizador
+site
+Site
+SKF
+Slack
+Snakes
+Sonatype
+Spotlight
+Spring
+Spyros
+SQL
+SSDLC
+SSH
+SSL
+SSLyze
+SSO
+SSRF
+stack
+Standards
+Static
+STORAGE
+STRIDE
+Stuffing
+sub
+subcomandos
+subdominios
+Symfony
+tamano
+tambien
+TAME
+Tanya
+teams
+Teams
+testeadores
+Testing
+testssl
+The
+Threagile
+threat
+Threat
+threatspec
+Tink
+tipadas
+TLS
+to
+Tool
+Top
+TPM
+Track
+Trivy
+try
+tutorial
+Typo
+Ubuntu
+UE
+UEFI
+unicode
+URL
+URLs
+usabilidad
+Usabilidad
+UTF
+UUID
+Validation
+VDR
+Version
+VerSprite
+VEX
+video
+VM
+VPN
+VPNs
+Vulnerability
+Wayfinder
+We
+WebGoat
+Whatweb
+WHATWG
+width
+wiki
+Wikipedia
+Windows
+Word
+Wordpress
+Worldwide
+WPScan
+WSTG
+XML
+XS
+XSS
+XXE
+YAML
+ZAP
+Zed
diff --git a/.wordlist-pt-br.txt b/.wordlist-pt-br.txt
new file mode 100644
index 00000000..31a66b15
--- /dev/null
+++ b/.wordlist-pt-br.txt
@@ -0,0 +1,90 @@
+AAA
+align
+and
+API
+Application
+Applications
+Assurance
+Body
+bugs
+Cascading
+Cheat
+Clickjacking
+Clobbering
+Consortium
+Content
+Controls
+Credential
+Cross-site
+CSS
+CWE
+Cyber
+Database
+Deserialization
+DevOps
+DoS
+Exploit
+exploits
+firewall
+frameworks
+GitHub
+Headers
+HTML
+image-right-small
+Injection
+issue
+JSON
+JWTs
+Knowledge
+Language
+Large
+LDAP
+leaks
+Living
+LLM
+Low-Code
+Model
+NIST
+No-Code
+Of
+Open
+OpenCRE
+our
+OWASP
+path
+Policy
+Privacy
+Proactive
+Project
+queries
+right
+Risks
+SAMM
+Schools
+scripts
+Securing
+Security
+Serverless
+Sheet
+Sheets
+SQL
+SSRF
+Standard
+Strict
+Stuffing
+Style
+Ten
+The
+Token
+Transport
+traversal
+upload
+Upload
+URLs
+VPN
+Wayfinder
+WHATWG
+width
+Worldwide
+XSS
+XXE
diff --git a/CNAME b/CNAME
new file mode 100644
index 00000000..b130b532
--- /dev/null
+++ b/CNAME
@@ -0,0 +1 @@
+devguide.owasp.org
\ No newline at end of file
diff --git a/DevGuide1-xml/README.md b/DevGuide1-xml/README.md
deleted file mode 100644
index b1215f2e..00000000
--- a/DevGuide1-xml/README.md
+++ /dev/null
@@ -1,21 +0,0 @@
-This is the last version of the 1.1.1 tree, that is showing the thinking of the original founders of OWASP.
-
-As you can see, it's in XML format, which basically killed the project. There was a restart prior to my taking over the project in 2003, and this text is that restart.
-
-## History
-
-This is the abandoned 2.0 alpha XML branch. Do not use this version.
-
-* 2.0 alpha - never published DO NOT USE
-
-## Building this edition
-
-This version of the Guide is written in an old DocBook format, so generating a copy on anything other than Linux is non-trivial. And on Linux, it's basically not possible in 2013 without porting the Guide to modern DocBook or DAPS.
-
-It should be possible to build using xsltproc to fop format, and using fop2pdf to finish building it into a PDF.
-
-If you can help build this version, please let us know.
-
-## Contact
-
-Please contact Andrew van der Stock vanderaj@owasp.org for any queries about this edition.
\ No newline at end of file
diff --git a/DevGuide1-xml/VERSION.xml b/DevGuide1-xml/VERSION.xml
deleted file mode 100755
index d93c8fa9..00000000
--- a/DevGuide1-xml/VERSION.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-Version 2.0 Pre-Alpha
-Tuesday 25th March, 2003
diff --git a/DevGuide1-xml/about_designing_web_sec.xml b/DevGuide1-xml/about_designing_web_sec.xml
deleted file mode 100755
index d0cd7622..00000000
--- a/DevGuide1-xml/about_designing_web_sec.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-
-
-
-
-
- Adrian
- Wiesmann
-
-
-
-What's in this chapter
-
- Overview
-
- When designing an application, the architect needs to have a deep knowledge of all the technologies in use. This chapter gives you an overview of what security in web applications and web services is all about.
-
-
- Seasoned software architects may know the content of this chapter, while others can find out about the fundamentals of the design of secure applications.
-
-
- This chapter covers design methods, design principles, architectures and application frameworks. It also contains some information about threading and general design of environments where web applications and web services are run within.
-
-
-
diff --git a/DevGuide1-xml/access_n_authorization.xml b/DevGuide1-xml/access_n_authorization.xml
deleted file mode 100755
index fbd98484..00000000
--- a/DevGuide1-xml/access_n_authorization.xml
+++ /dev/null
@@ -1,333 +0,0 @@
-
-
-
-Access Control and Authorization
-
-
-Access control mechanisms are a necessary and crucial design element to any
-application's security. In general, a web application should protect front-end
-and back-end data and system resources by implementing access control
-restrictions on what users can do, which resources they have access to, and what
-functions they are allowed to perform on the data. Ideally, an access control
-scheme should protect against the unauthorized viewing, modification, or copying
-of data. Additionally, access control mechanisms can also help limit malicious
-code execution, or unauthorized actions through an attacker exploiting
-infrastructure dependencies (DNS server, ACE server, etc.).
-
-
-Authorization and Access Control are terms often mistakenly interchanged.
-Authorization is the act of checking to see if a user has the proper permission
-to access a particular file or perform a particular action, assuming that user
-has successfully authenticated himself. Authorization is very much credential
-focused and dependent on specific rules and access control lists preset by the
-web application administrator(s) or data owners. Typical authorization checks
-involve querying for membership in a particular user group, possession of a
-particular clearance, or looking for that user on a resource's approved access
-control list, akin to a bouncer at an exclusive nightclub. Any access control
-mechanism is clearly dependent on effective and forge-resistant authentication
-controls used for authorization.
-
-
-Access Control refers to the much more general way of controlling access to web
-resources, including restrictions based on things like the time of day, the IP
-address of the HTTP client browser, the domain of the HTTP client browser, the
-type of encryption the HTTP client can support, number of times the user has
-authenticated that day, the possession of any number of types of
-hardware/software tokens, or any other derived variables that can be extracted
-or calculated easily.
-
-
-Before choosing the access control mechanisms specific to your web application,
-several preparatory steps can help expedite and clarify the design process;
-
-
-
-
- Try to quantify the relative value of information to be
- protected in terms of Confidentiality, Sensitivity,
- Classification, Privacy, and Integrity related to the
- organization as well as the individual users. Consider the
- worst case financial loss that unauthorized disclosure,
- modification, or denial of service of the information could
- cause. Designing elaborate and inconvenient access controls
- around unclassified or non-sensitive data can be
- counterproductive to the ultimate goal or purpose of the web
- application.
-
-
-
-
- Determine the relative interaction that data owners and creators
- will have within the web application. Some applications may
- restrict any and all creation or ownership of data to anyone but
- the administrative or built-in system users. Are specific roles
- required to further codify the interactions between different
- types of users and administrators?
-
-
-
-
- Specify the process for granting and revoking user access
- control rights on the system, whether it be a manual process,
- automatic upon registration or account creation, or through an
- administrative front-end tool.
-
-
-
-
- Clearly delineate the types of role driven functions the
- application will support. Try to determine which specific user
- functions should be built into the web application (logging in,
- viewing their information, modifying their information, sending
- a help request, etc.) as well as administrative functions
- (changing passwords, viewing any users data, performing
- maintenance on the application, viewing transaction logs, etc.).
-
-
-
-
- Try to align your access control mechanisms as closely as
- possible to your organization's security policy. Many things
- from the policy can map very well over to the implementation
- side of access control (acceptable time of day of certain data
- access, types of users allowed to see certain data or perform
- certain tasks, etc.). These types of mappings usually work the
- best with Role Based Access Control.
-
-
-
-
-There are a plethora of accepted access control models in the information
-security realm. Many of these contain aspects that translate very well into the
-web application space, while others do not. A successful access control
-protection mechanism will likely combine aspects of each of the following models
-and should be applied not only to user management, but code and application
-integration of certain functions.
-
-
-
- Discretionary Access Control
-
-
- Discretionary Access Control (DAC) is a means of restricting access to
- information based on the identity of users and/or membership in certain
- groups. Access decisions are typically based on the authorizations
- granted to a user based on the credentials he presented at the time of
- authentication (user name, password, hardware/software token, etc.). In
- most typical DAC models, the owner of information or any resource is
- able to change its permissions at his discretion (thus the name). DAC
- has the drawback of the administrators not being able to centrally
- manage these permissions on files/information stored on the web server.
- A DAC access control model often exhibits one or more of the following
- attributes.
-
-
-
-
- Data Owners can transfer ownership of information to
- other users
-
-
-
-
- Data Owners can determine the type of access given to
- other users (read, write, copy, etc.)
-
-
-
-
- Repetitive authorization failures to access the same
- resource or object generates an alarm and/or restricts
- the user's access
-
-
-
-
- Special add-on or plug-in software required to apply to
- an HTTP client to prevent indiscriminant copying by users
- ("cutting and pasting" of information)
-
-
-
-
- Users who do not have access to information should not
- be able to determine its characteristics (file size,
- file name, directory path, etc.)
-
-
-
-
- Access to information is determined based on
- authorizations to access control lists based on user
- identifier and group membership.
-
-
-
-
-
-
- Mandatory Access Control
-
-
- Mandatory Access Control (MAC) ensures that the enforcement of
- organizational security policy does not rely on voluntary web
- application user compliance. MAC secures information by assigning
- sensitivity labels on information and comparing this to the level of
- sensitivity a user is operating at. In general, MAC access control
- mechanisms are more secure than DAC yet have trade offs in performance
- and convenience to users. MAC mechanisms assign a security level to all
- information, assign a security clearance to each user, and ensure that
- all users only have access to that data for which they have a clearance.
- MAC is usually appropriate for extremely secure systems including
- multilevel secure military applications or mission critical data
- applications. A MAC access control model often exhibits one or more of
- the following attributes.
-
-
-
-
- Only administrators, not data owners, make changes to a
- resource's security label.
-
-
-
-
- All data is assigned security level that reflects its
- relative sensitivity, confidentiality, and protection
- value.
-
-
-
-
- All users can read from a lower classification than the
- one they are granted (A "secret" user can read an
- unclassified document).
-
-
-
-
- All users can write to a higher classification (A
- "secret" user can post information to a Top Secret
- resource).
-
-
-
-
- All users are given read/write access to objects only of
- the same classification (a "secret" user can only
- read/write to a secret document).
-
-
-
-
- Access is authorized or restricted to objects based on
- the time of day depending on the labeling on the
- resource and the user's credentials (driven by policy).
-
-
-
-
- Access is authorized or restricted to objects based on
- the security characteristics of the HTTP client (e.g.
- SSL bit length, version information, originating IP
- address or domain, etc.)
-
-
-
-
-
-
- Role Based Access Control
-
-
- In Role-Based Access Control (RBAC), access decisions are based on an
- individual's roles and responsibilities within the organization or user
- base. The process of defining roles is usually based on analyzing the
- fundamental goals and structure of an organization and is usually linked
- to the security policy. For instance, in a medical organization, the
- different roles of users may include those such as doctor, nurse,
- attendant, nurse, patients, etc. Obviously, these members require
- different levels of access in order to perform their functions, but also
- the types of web transactions and their allowed context vary greatly
- depending on the security policy and any relevant regulations (HIPAA,
- Gramm-Leach-Bliley, etc.).
-
-
- An RBAC access control framework should provide web application security
- administrators with the ability to determine who can perform what
- actions, when, from where, in what order, and in some cases under what
- relational circumstances. http://csrc.nist.gov/rbac/ provides some great
- resources for RBAC implementation. The following aspects exhibit RBAC
- attributes to an access control model.
-
-
-
-
- Roles are assigned based on organizational structure
- with emphasis on the organizational security policy
-
-
-
-
- Roles are assigned by the administrator based on
- relative relationships within the organization or user
- base. For instance, a manager would have certain
- authorized transactions over his employees. An
- administrator would have certain authorized transactions
- over his specific realm of duties (backup, account
- creation, etc.)
-
-
-
-
- Each role is designated a profile that includes all
- authorized commands, transactions, and allowable
- information access.
-
-
-
-
- Roles are granted permissions based on the principle of
- least privilege.
-
-
-
-
- Roles are determined with a separation of duties in mind
- so that a developer Role should not overlap a QA tester
- Role.
-
-
-
-
- Roles are activated statically and dynamically as
- appropriate to certain relational triggers (help desk
- queue, security alert, initiation of a new project,
- etc.)
-
-
-
-
- Roles can be only be transferred or delegated using
- strict sign-offs and procedures.
-
-
-
-
- Roles are managed centrally by a security administrator
- or project leader.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/DevGuide1-xml/appa.xml b/DevGuide1-xml/appa.xml
deleted file mode 100755
index 28968025..00000000
--- a/DevGuide1-xml/appa.xml
+++ /dev/null
@@ -1,445 +0,0 @@
-
-
-GNU Free Documentation License
-
-Version 1.1, March 2000
-
-
-Copyright (C) 2000 Free Software Foundation, Inc.
-59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-Everyone is permitted to copy and distribute verbatim copies
-of this license document, but changing it is not allowed.
-
-
-
-PREAMBLE
-
-The purpose of this License is to make a manual, textbook,
-or other written document "free" in the sense of freedom: to
-assure everyone the effective freedom to copy and redistribute it,
-with or without modifying it, either commercially or
-noncommercially. Secondarily, this License preserves for the
-author and publisher a way to get credit for their work, while not
-being considered responsible for modifications made by
-others.
-
-This License is a kind of "copyleft", which means that
-derivative works of the document must themselves be free in the
-same sense. It complements the GNU General Public License, which
-is a copyleft license designed for free software.
-
-We have designed this License in order to use it for manuals
-for free software, because free software needs free documentation:
-a free program should come with manuals providing the same
-freedoms that the software does. But this License is not limited
-to software manuals; it can be used for any textual work,
-regardless of subject matter or whether it is published as a
-printed book. We recommend this License principally for works
-whose purpose is instruction or reference.
-
-
-
-APPLICABILITY AND DEFINITIONS
-
-This License applies to any manual or other work that
-contains a notice placed by the copyright holder saying it can be
-distributed under the terms of this License. The "Document",
-below, refers to any such manual or work. Any member of the
-public is a licensee, and is addressed as "you".
-
-A "Modified Version" of the Document means any work
-containing the Document or a portion of it, either copied
-verbatim, or with modifications and/or translated into another
-language.
-
-A "Secondary Section" is a named appendix or a front-matter
-section of the Document that deals exclusively with the
-relationship of the publishers or authors of the Document to the
-Document's overall subject (or to related matters) and contains
-nothing that could fall directly within that overall subject.
-(For example, if the Document is in part a textbook of
-mathematics, a Secondary Section may not explain any mathematics.)
-The relationship could be a matter of historical connection with
-the subject or with related matters, or of legal, commercial,
-philosophical, ethical or political position regarding
-them.
-
-The "Invariant Sections" are certain Secondary Sections
-whose titles are designated, as being those of Invariant Sections,
-in the notice that says that the Document is released under this
-License.
-
-The "Cover Texts" are certain short passages of text that
-are listed, as Front-Cover Texts or Back-Cover Texts, in the
-notice that says that the Document is released under this
-License.
-
-A "Transparent" copy of the Document means a
-machine-readable copy, represented in a format whose specification
-is available to the general public, whose contents can be viewed
-and edited directly and straightforwardly with generic text
-editors or (for images composed of pixels) generic paint programs
-or (for drawings) some widely available drawing editor, and that
-is suitable for input to text formatters or for automatic
-translation to a variety of formats suitable for input to text
-formatters. A copy made in an otherwise Transparent file format
-whose markup has been designed to thwart or discourage subsequent
-modification by readers is not Transparent. A copy that is not
-"Transparent" is called "Opaque".
-
-Examples of suitable formats for Transparent copies include
-plain ASCII without markup, Texinfo input format, LaTeX input
-format, SGML or XML using a publicly available DTD, and
-standard-conforming simple HTML designed for human modification.
-Opaque formats include PostScript, PDF, proprietary formats that
-can be read and edited only by proprietary word processors, SGML
-or XML for which the DTD and/or processing tools are not generally
-available, and the machine-generated HTML produced by some word
-processors for output purposes only.
-
-The "Title Page" means, for a printed book, the title page
-itself, plus such following pages as are needed to hold, legibly,
-the material this License requires to appear in the title page.
-For works in formats which do not have any title page as such,
-"Title Page" means the text near the most prominent appearance of
-the work's title, preceding the beginning of the body of the
-text.
-
-
-
-VERBATIM COPYING
-
-You may copy and distribute the Document in any medium,
-either commercially or noncommercially, provided that this
-License, the copyright notices, and the license notice saying this
-License applies to the Document are reproduced in all copies, and
-that you add no other conditions whatsoever to those of this
-License. You may not use technical measures to obstruct or
-control the reading or further copying of the copies you make or
-distribute. However, you may accept compensation in exchange for
-copies. If you distribute a large enough number of copies you
-must also follow the conditions in section 3.
-
-You may also lend copies, under the same conditions stated
-above, and you may publicly display copies.
-
-
-
-COPYING IN QUANTITY
-
-If you publish printed copies of the Document numbering more
-than 100, and the Document's license notice requires Cover Texts,
-you must enclose the copies in covers that carry, clearly and
-legibly, all these Cover Texts: Front-Cover Texts on the front
-cover, and Back-Cover Texts on the back cover. Both covers must
-also clearly and legibly identify you as the publisher of these
-copies. The front cover must present the full title with all
-words of the title equally prominent and visible. You may add
-other material on the covers in addition. Copying with changes
-limited to the covers, as long as they preserve the title of the
-Document and satisfy these conditions, can be treated as verbatim
-copying in other respects.
-
-If the required texts for either cover are too voluminous to
-fit legibly, you should put the first ones listed (as many as fit
-reasonably) on the actual cover, and continue the rest onto
-adjacent pages.
-
-If you publish or distribute Opaque copies of the Document
-numbering more than 100, you must either include a
-machine-readable Transparent copy along with each Opaque copy, or
-state in or with each Opaque copy a publicly-accessible
-computer-network location containing a complete Transparent copy
-of the Document, free of added material, which the general
-network-using public has access to download anonymously at no
-charge using public-standard network protocols. If you use the
-latter option, you must take reasonably prudent steps, when you
-begin distribution of Opaque copies in quantity, to ensure that
-this Transparent copy will remain thus accessible at the stated
-location until at least one year after the last time you
-distribute an Opaque copy (directly or through your agents or
-retailers) of that edition to the public.
-
-It is requested, but not required, that you contact the
-authors of the Document well before redistributing any large
-number of copies, to give them a chance to provide you with an
-updated version of the Document.
-
-
-
-MODIFICATIONS
-
-You may copy and distribute a Modified Version of the
-Document under the conditions of sections 2 and 3 above, provided
-that you release the Modified Version under precisely this
-License, with the Modified Version filling the role of the
-Document, thus licensing distribution and modification of the
-Modified Version to whoever possesses a copy of it. In addition,
-you must do these things in the Modified Version:
-
-
-Use in the Title Page
-(and on the covers, if any) a title distinct from that of the
-Document, and from those of previous versions (which should, if
-there were any, be listed in the History section of the
-Document). You may use the same title as a previous version if
-the original publisher of that version gives permission.
-
-
-List on the Title Page,
-as authors, one or more persons or entities responsible for
-authorship of the modifications in the Modified Version,
-together with at least five of the principal authors of the
-Document (all of its principal authors, if it has less than
-five).
-
-
-State on the Title page
-the name of the publisher of the Modified Version, as the
-publisher.
-
-
-Preserve all the
-copyright notices of the Document.
-
-
-Add an appropriate
-copyright notice for your modifications adjacent to the other
-copyright notices.
-
-
-Include, immediately
-after the copyright notices, a license notice giving the public
-permission to use the Modified Version under the terms of this
-License, in the form shown in the Addendum below.
-
-
-Preserve in that license
-notice the full lists of Invariant Sections and required Cover
-Texts given in the Document's license notice.
-
-
-Include an unaltered
-copy of this License.
-
-
-Preserve the section
-entitled "History", and its title, and add to it an item stating
-at least the title, year, new authors, and publisher of the
-Modified Version as given on the Title Page. If there is no
-section entitled "History" in the Document, create one stating
-the title, year, authors, and publisher of the Document as given
-on its Title Page, then add an item describing the Modified
-Version as stated in the previous sentence.
-
-
-Preserve the network
-location, if any, given in the Document for public access to a
-Transparent copy of the Document, and likewise the network
-locations given in the Document for previous versions it was
-based on. These may be placed in the "History" section. You
-may omit a network location for a work that was published at
-least four years before the Document itself, or if the original
-publisher of the version it refers to gives permission.
-
-
-In any section entitled
-"Acknowledgements" or "Dedications", preserve the section's
-title, and preserve in the section all the substance and tone of
-each of the contributor acknowledgements and/or dedications
-given therein.
-
-
-Preserve all the
-Invariant Sections of the Document, unaltered in their text and
-in their titles. Section numbers or the equivalent are not
-considered part of the section titles.
-
-
-Delete any section
-entitled "Endorsements". Such a section may not be included in
-the Modified Version.
-
-
-Do not retitle any
-existing section as "Endorsements" or to conflict in title with
-any Invariant Section.
-
-
-
-If the Modified Version includes new front-matter sections
-or appendices that qualify as Secondary Sections and contain no
-material copied from the Document, you may at your option
-designate some or all of these sections as invariant. To do this,
-add their titles to the list of Invariant Sections in the Modified
-Version's license notice. These titles must be distinct from any
-other section titles.
-
-You may add a section entitled "Endorsements", provided it
-contains nothing but endorsements of your Modified Version by
-various parties--for example, statements of peer review or that
-the text has been approved by an organization as the authoritative
-definition of a standard.
-
-You may add a passage of up to five words as a Front-Cover
-Text, and a passage of up to 25 words as a Back-Cover Text, to the
-end of the list of Cover Texts in the Modified Version. Only one
-passage of Front-Cover Text and one of Back-Cover Text may be
-added by (or through arrangements made by) any one entity. If the
-Document already includes a cover text for the same cover,
-previously added by you or by arrangement made by the same entity
-you are acting on behalf of, you may not add another; but you may
-replace the old one, on explicit permission from the previous
-publisher that added the old one.
-
-The author(s) and publisher(s) of the Document do not by
-this License give permission to use their names for publicity for
-or to assert or imply endorsement of any Modified Version.
-
-
-
-COMBINING DOCUMENTS
-
-You may combine the Document with other documents released
-under this License, under the terms defined in section 4 above for
-modified versions, provided that you include in the combination
-all of the Invariant Sections of all of the original documents,
-unmodified, and list them all as Invariant Sections of your
-combined work in its license notice.
-
-The combined work need only contain one copy of this
-License, and multiple identical Invariant Sections may be replaced
-with a single copy. If there are multiple Invariant Sections with
-the same name but different contents, make the title of each such
-section unique by adding at the end of it, in parentheses, the
-name of the original author or publisher of that section if known,
-or else a unique number. Make the same adjustment to the section
-titles in the list of Invariant Sections in the license notice of
-the combined work.
-
-In the combination, you must combine any sections entitled
-"History" in the various original documents, forming one section
-entitled "History"; likewise combine any sections entitled
-"Acknowledgements", and any sections entitled "Dedications". You
-must delete all sections entitled "Endorsements."
-
-
-
-COLLECTIONS OF DOCUMENTS
-
-You may make a collection consisting of the Document and
-other documents released under this License, and replace the
-individual copies of this License in the various documents with a
-single copy that is included in the collection, provided that you
-follow the rules of this License for verbatim copying of each of
-the documents in all other respects.
-
-You may extract a single document from such a collection,
-and distribute it individually under this License, provided you
-insert a copy of this License into the extracted document, and
-follow this License in all other respects regarding verbatim
-copying of that document.
-
-
-
-AGGREGATION WITH INDEPENDENT WORKS
-
-A compilation of the Document or its derivatives with other
-separate and independent documents or works, in or on a volume of
-a storage or distribution medium, does not as a whole count as a
-Modified Version of the Document, provided no compilation
-copyright is claimed for the compilation. Such a compilation is
-called an "aggregate", and this License does not apply to the
-other self-contained works thus compiled with the Document, on
-account of their being thus compiled, if they are not themselves
-derivative works of the Document.
-
-If the Cover Text requirement of section 3 is applicable to
-these copies of the Document, then if the Document is less than
-one quarter of the entire aggregate, the Document's Cover Texts
-may be placed on covers that surround only the Document within the
-aggregate. Otherwise they must appear on covers around the whole
-aggregate.
-
-
-
-TRANSLATION
-
-Translation is considered a kind of modification, so you may
-distribute translations of the Document under the terms of section
-4. Replacing Invariant Sections with translations requires
-special permission from their copyright holders, but you may
-include translations of some or all Invariant Sections in addition
-to the original versions of these Invariant Sections. You may
-include a translation of this License provided that you also
-include the original English version of this License. In case of
-a disagreement between the translation and the original English
-version of this License, the original English version will
-prevail.
-
-
-
-TERMINATION
-
-You may not copy, modify, sublicense, or distribute the
-Document except as expressly provided for under this License. Any
-other attempt to copy, modify, sublicense or distribute the
-Document is void, and will automatically terminate your rights
-under this License. However, parties who have received copies, or
-rights, from you under this License will not have their licenses
-terminated so long as such parties remain in full
-compliance.
-
-
-
-FUTURE REVISIONS OF THIS LICENSE
-
-The Free Software Foundation may publish new, revised
-versions of the GNU Free Documentation License from time to time.
-Such new versions will be similar in spirit to the present
-version, but may differ in detail to address new problems or
-concerns. See http://www.gnu.org/copyleft/.
-
-Each version of the License is given a distinguishing
-version number. If the Document specifies that a particular
-numbered version of this License "or any later version" applies to
-it, you have the option of following the terms and conditions
-either of that specified version or of any later version that has
-been published (not as a draft) by the Free Software Foundation.
-If the Document does not specify a version number of this License,
-you may choose any version ever published (not as a draft) by the
-Free Software Foundation.
-
-
-
-How to use this License for your documents
-
-To use this License in a document you have written, include
-a copy of the License in the document and put the following
-copyright and license notices just after the title page:
-
-
-Copyright (c) YEAR YOUR NAME.
-Permission is granted to copy, distribute and/or modify this document
-under the terms of the GNU Free Documentation License, Version 1.1
-or any later version published by the Free Software Foundation;
-with the Invariant Sections being LIST THEIR TITLES, with the
-Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
-A copy of the license is included in the section entitled "GNU
-Free Documentation License".
-
-
-If you have no Invariant Sections, write "with no Invariant
-Sections" instead of saying which ones are invariant. If you have
-no Front-Cover Texts, write "no Front-Cover Texts" instead of
-"Front-Cover Texts being LIST"; likewise for Back-Cover
-Texts.
-
-If your document contains nontrivial examples of program
-code, we recommend releasing these examples in parallel under your
-choice of free software license, such as the GNU General Public
-License, to permit their use in free software.
-
-
-
diff --git a/DevGuide1-xml/appb.xml b/DevGuide1-xml/appb.xml
deleted file mode 100755
index b5f7dc5a..00000000
--- a/DevGuide1-xml/appb.xml
+++ /dev/null
@@ -1,232 +0,0 @@
-
-
-
-
- GeneMcKenna
-
-
-
- Appendix B - Source Code Samples
-
- CGI Input Data Validation - Rejection of Known Bad Data
-
- As mentioned in Chapter 11, a well designed system should
- validate all user input data. If all requests come in to a
- central location and leave from a central location then the
- problem is easier to solve with a common component.
-
-
- The following code samples show a simple component for data
- validation for J2EE servlets and another for Perl CGI scripts.
- In both cases, the samples test the user input to see if it
- matches a certain regular expression. The regular expression
- defines any HTML tag and if it is matched, the input is
- considered invalid. Other regular expressions, can, of course,
- be used to meet one's needs.
-
-
- The samples are not intended to serve as production code ready
- to meet any specific data validation need. Different
- applications will have different data validation needs and no
- one component could work in all situations. Rather these
- samples are code "snippets" that demonstrate the basic
- concept.
-
-
- J2EE - Input Validation With Servlets
-
-
-import java.util.* ;
-import javax.servlet.* ;
-import javax.servlet.http.* ;
-import javax.servlet.jsp.* ;
-import org.apache.oro.text.regex.* ; // regular expression package
-import org.apache.oro.text.* ; // used for matching input data
-
-/**
- * This servlet will match all user input for GET and POST
- * requests and validate that the input does not contain
- * any html tags that might be used to encapsulate malicious
- * JavaScript.
- *
- * This sample program relies on the ORO regular expression package
- * version 2.0.4 from the Apache group. http://jakarta.apache.org
- */
-public class TestServlet
- extends HttpServlet
-{
- private static Perl5Compiler sCompiler ; // a pattern compiler
- private static String sTag = "(<.*?>)" ; // regular expression matching any HTML tag
- private static Perl5Pattern sTagPattern ; // a compiled pattern for above
-
- /**
- * Things in here will only happen once for each instance of
- * ESPServlet. Therefore, only the static variables should be
- * set here. This is called by the Web Server when the first
- * instance of this servlet class is invoked for the first time.
- */
- public void init( ServletConfig config )
- throws ServletException
- {
- super.init( config ) ;
-
- // Create Perl5Compiler and Perl5Matcher instances.
- sCompiler = new Perl5Compiler() ;
-
- try
- {
- sTagPattern = (Perl5Pattern)
- sCompiler.compile( sTag, Perl5Compiler.READ_ONLY_MASK ) ;
- }
- catch( MalformedPatternException e )
- {
- System.out.println( "Malformed Pattern " + sTag ) ;
- }
- }
-
- /**
- * Method to handle requests of type POST. Check the length
- * and forward to the doGet method.
- */
- public void doPost( HttpServletRequest request,
- HttpServletResponse response )
- throws java.io.IOException, ServletException
- {
- // check the length of the post to make sure it isn't too big
- int length = request.getContentLength() ;
- if ( length > 1024 ) // > 1024 bytes is considered too big
- {
- try { response.getOutputStream().println( "POST exceeds 1024 bytes - not accepted." ) ; }
- catch( java.io.IOException ioe ) { ; }
- return ;
- }
- else // everything is fine, forward request to the doGet method
- {
- doGet( request, response ) ;
- }
- }
-
- /**
- * Method to handle requests of type GET
- */
- public void doGet( HttpServletRequest request,
- HttpServletResponse response )
- throws java.io.IOException, ServletException
- {
- // validate input data before processing
- try { validateInput( request ) ; }
- catch( DataValidationException e )
- {
- try
- {
- response.getOutputStream().println( "This request contained invalid input data." ) ;
- response.getOutputStream().println( "It will nt be processed." ) ;
- }
- catch( java.io.IOException ioe ) { ; }
- return ;
- }
-
- // do whatever it is this servlet is supposed to do
- try { response.getOutputStream().println( "Hello World" ) ; }
- catch( java.io.IOException ioe ) { ; }
-
- return ;
- }
-
-
- /**
- * Iterates through all the input variables and ensures
- * that their values meet validation requirements by
- * calling the validateString method on each value.
- */
- public void validateInput( HttpServletRequest request )
- throws DataValidationException
- {
- // Loop through all variables in the request and validate their values
- for ( Enumeration e = request.getParameterNames() ; e.hasMoreElements() ; )
- {
- // get the name of the first input variable
- String name = (String) e.nextElement() ;
- // each variable can have zero or more values
- String[] vals = request.getParameterValues( name ) ;
- if ( vals != null )
- {
- StringBuffer sb = new StringBuffer() ;
- for ( int i = 0 ; i < vals.length ; i++ )
- sb.append( vals[i] + "\n" ) ;
-
- // validate the string
- validateString( sb.toString() ) ;
- }
- }
- }
-
- /**
- * Ensure that the submitted string does not match the
- * test pattern. In this case, the test pattern is a
- * a regular expression coding for any HTML tag. If
- * match is found, the exception DataValidationException
- * is thrown.
- */
- public void validateString( String s )
- throws DataValidationException
- {
- PatternMatcherInput input = new PatternMatcherInput( s ) ;
- Perl5Matcher matcher = new Perl5Matcher() ;
-
- int pos = input.getCurrentOffset() ;
- if ( matcher.contains( input, sTagPattern ) )
- throw new DataValidationException( "Bad input: " + s ) ;
- }
-}
-
-
-
- Perl - Input Validation For CGI Scripts
-
- Perl scripts are not necessarily as standardized as their J2EE
- servlet counterparts. Nonetheless, most Perl CGI scripts have
- a subroutine that is used to place the submitted CGI data
- into an associative array (similar to hashtable).
-
-
- In the example below, the method &parseCGI which is not included
- is assumed to return the name/value pairs submitted with
- the request (whether it is a GET or POST request) as the
- associative array, %input.
-
-
-
-#!/usr/bin/perl
-use strict ;
-
-my %input = &parseCGI ;
-
-print "Content-type: text/html\n\n" ;
-
-$validated = &validateInput() ;
-if ( $validated eq "0" )
-{
- print "Request contains invalid data. Request will not be processed.\n" ;
-}
-
-# data is validated, continue on with CGI script.
-print "Hello world\n" ;
-
-exit 1 ;
-
-sub validateInput
-{
- my $key ;
- my $value ;
- foreach $key (keys %input)
- {
- $value = $input{ $key } ;
- if ( $value =~ /\<.*\>/ ) { return 0 ;}
- }
- return 1 ;
-}
-
-
-
-
diff --git a/DevGuide1-xml/appc.xml b/DevGuide1-xml/appc.xml
deleted file mode 100755
index fb3ab5a3..00000000
--- a/DevGuide1-xml/appc.xml
+++ /dev/null
@@ -1,163 +0,0 @@
-
-
-
-
- GeneMcKenna
-
-
-
- Appendix C - SQL Injection Mitigation
-
- Using Prepared Statements
-
- As mentioned in Chapter 11, a well designed system should not
- allow the user to change the nature of a query that is being
- executed. Typically this could be done if the user input
- contains special characters, such as " or '.
-
-
- The following code samples show the proper way to execute
- queries using JDBC and the Perl DBI module. Both use a technique
- known as a Prepared Statement which automatically escapes
- special characters to preserve the intent of the query. Both
- also allow for faster execution by allowing the database to
- reuse the query plan for each prepared statement.
-
-
- J2EE - JDBC Queries With Prepared Statements
-
- The following code shows how an EJB Session Bean might
- be used to set a user password.
-
-
- public class UserServerBean
- implements SessionBean
- {
- private static DataSource sDataSource = null;
-
- public void ejbCreate() throws javax.ejb.CreateException,
- java.rmi.RemoteException
- {
- if ( sDataSource == null)
- {
- try
- {
- Context ctx = new InitialContext();
- sDataSource = (DataSource) ctx.lookup( "jdbc/sample" ) ;
- if( sDataSource == null)
- System.out.println( "No data source found" ) ;
- }
- }
- catch (Exception e)
- {
- System.out.println( "Naming service exception: " +
- e.getMessage() ) ;
- }
- }
-
- public ResultSet getUserList( String keywords )
- {
- java.sql.Connection con = sDataSource.getConnection() ;
-
- PreparedStatement selectUsers = con.prepareStatement(
- "SELECT id, name FROM app_user WHERE name LIKE ? " ) ;
-
- // Note, the parameters in the query are numbered starting at 1, not 0
- selectUsers.setString( 1, "%"+keywords+"%" ) ;
-
- // execute the query
- return selectUsers.executeQuery() ;
- }
-
- public int setUserPassword( int userId, String newPassword )
- {
- int count = 0 ;
- try
- {
- java.sql.Connection con = sDataSource.getConnection() ;
-
- PreparedStatement setPassword = con.prepareStatement(
- "UPDATE app_user SET password = ? WHERE id = ? " ) ;
-
- // Note, the parameters in the query are numbered starting at 1, not 0
- setPassword.setString( 1, newPassword ) ;
- setPassword.setInt( 2, userId ) ;
-
- // execute the query
- count = setPassword.executeUpdate() ;
- }
- catch( SQLException e )
- {
- System.out.println( "SQLException in setUserPassword " + e ) ;
- }
- return count ;
- }
-
-
-
- Perl - ODBC Queries With Prepared Statements
-
- The Perl examples below show similar queries made using
- the Perl DBI module interface. The DBI interface allows
- for easy variable binding as arguments to the execute
- function, as shown below. Advanced binding with more
- control over the binding type is also available.
-
-
-#!/usr/bin/perl
-
-use strict ;
-use DBI ;
-
-my $id ;
-my $name ;
-
-my $dbh = DBI->connect( "DBI:Oracle:$dbInstance", "$dbUserName", "$dbPassword" )
- or die "Couldn't connect to database: " . DBI->errstr ;
-
-my $userUpdate = "UPDATE app_user SET password = ? WHERE id = ?" ;
-my $userList = "SELECT id,name FROM app_user WHERE upper(name) LIKE '%'\|\|?\|\|'%'" ;
-
-my $sthUserList = $dbh->prepare( $userList )
- or die "Couldn't prepare user list query " . $dbh->errstr;
-my $sthUserUpdate = $dbh->prepare( $userUpdate )
- or die "Couldn't prepare user update query " . $dbh->errstr;
-
-# find all users whose name contains the string "mith" in any case
-&userList( "mith" ) ;
-
-# set the password for user 100 to superSecret
-&userUpdate( 100, "superSecret" ) ;
-
-exit 1 ;
-
-#
-# select a list of users whose last name contains the keyword
-#
-sub userList
-{
- my ( $keyword ) = @_ ;
-
- # translate the keyword to all upper case
- $keyword =~ tr/a-z/A-Z/ ;
-
- $sthUserList->execute( $keyword ) ;
- while( ( $id, $name ) = $sthUserList->fetchrow_array() )
- {
- print "$id, $name\n" ;
- }
-}
-
-#
-# set the password for the user specified
-#
-sub userUpdate
-{
- my ( $userId, $password ) = @_ ;
-
- $sthUserUpdate->execute( $password, $userId ) ;
-}
-
-
-
-
diff --git a/DevGuide1-xml/architecture.xml b/DevGuide1-xml/architecture.xml
deleted file mode 100755
index 937ce2ff..00000000
--- a/DevGuide1-xml/architecture.xml
+++ /dev/null
@@ -1,301 +0,0 @@
-
-
-Architecture
-
- General Considerations
-
-
- Web applications pose unique security challenges to businesses and
- security professionals in that they expose the integrity of their data
- to the public. A solid 'extrastructure' is not a controllable criterion
- for any business. Stringent security must be placed around how users
- are managed (for example, in agreement with an 'appropriate use'
- policy) and controls must be commensurate with the value of the
- information protected. Exposure to public networks may require
- more robust security features than would normally be present in
- the internal 'corporate' environment that may have additional
- compensating security.
-
-
-
- Several best practices have evolved across the Internet for the
- governance of public and private data in tiered approaches. In the most
- stringently secured systems, separate tiers differentiate between
- content presentation, security and control of the user session, and the
- downstream data storage services and protection. What is clear is that
- to secure private or confidential data, a firewall or 'packet filter' is
- no longer sufficient to provide for data integrity over a public
- interface.
-
-
-
- Where it is possible, sensible, and economic, architectural solutions to
- security problems should be favored over technical band-aids. While it
- is possible to put "protections" in place for most critical data, a much
- better solution than protecting it is to simply keep it off systems
- connected to public networks. Thinking critically about what data is
- important and what worst-case scenarios might entail is central to
- securing web applications. Special attention should be given to the
- introduction of "choke" points at which data flows can be analyzed and
- anomalies quickly addressed.
-
-
-
- Most firewalls do a decent job of appropriately filtering network
- packets of a certain construction to predefined data flow paths;
- however, many of the latest infiltrations of networks occur through the
- firewall using the ports that the firewall allows through by design or
- default. It remains critically important that only the content delivery
- services a firm wishes to provide are allowed to service incoming user
- requests. Firewalls alone cannot prevent a port-based attack (across an
- approved port) from succeeding when the targeted application has been
- poorly written or avoided input filters for the sake of the almighty
- performance gain. The tiered approach allows the architect the ability
- to move key pieces of the architecture into different 'compartments'
- such that the security registry that is not on the same platform as the
- data store or the content server. Because different services are
- contained in different 'compartments', a successful exploit of one
- container does not necessarily mean a total system compromise.
-
-
-
- A typical tiered approach to security is presented for the presentation
- of data to public networks.
-
-
-
- A standalone content server provides public access to static
- repositories. The content server is hosted on a 'hardened' platform in
- which only the required network listeners and services are running on
- the platform. Firewalls are optional but a very good idea.
-
-
-
-
-
-
-
- Seperation of Content Services from Storage
-
-
-
-
- Content services are separated from security repositories and downstream
- data storage because the use of user credentials is required. The
- principle at work is to place the controls and content in different
- compartments and protect the transmission of these confidential tokens
- using encryption. The user credentials are stored away from the content
- services and the data repositories such that a compromise of the web
- tier (content service) doesn't compromise the user registry or the data
- stores (although the user registry is commonly one of the collections of
- information in a data store). Segregating the "Security Registry" from
- the "Content Servers" also allows for more robust controls to be
- engineered into the functions that validate passwords, record user
- activity, and define authority roles to data, and additionally provides
- for some shared resource pooling for common activities such as
- maintaining a persistent database connection.
-
-
-
-
-
-
-
- Firewall with Content Tunnel
-
-
-
-
- As an example, processing financial transactions typically requires a
- level of security that is more complex and stringent. Two tiers of
- firewalls may be needed as a minimal network control, and the content
- services may be further separated into presentation and control.
- Auditing of transactions may provide for an 'end-to-end' audit trail in
- which changes to financial transaction systems are logged with session
- keys that encapsulate the user identity, originating source network
- address, time-of-day and other information, and pass this information
- with the transaction data to the systems that clear the transactions
- with financial institutions. Encryption may be a requirement for
- electronic transmissions throughout each of the tiers of this
- architecture and for the storage of tokens, credentials and other
- sensitive information.
-
-
-
- Digital signing of certain transactions may also be enforced if required
- by materiality, statutory or legal constraints. Defined conduits are
- also required between each of the tiers of the services to provide only
- for those protocols that are required by the architecture. Middleware
- is a key component; however, middle tier Application Servers can
- alternatively provide many of the services provided by traditional
- middleware.
-
-
-
-
-
-
-
- External Financial Connection
-
-
-
-
- Security from the Operating System
-
-
- In general, relying on the operating system for security
- services is not a good strategy. That is not to say the
- operating system is not expected to provide a secure
- operating environment. Services like authentication and
- authorization are generally not appropriately handled for
- an application by the operating system. Of course this
- flies in the face of Microsoft's .NET platform strategy and
- Sun's JAAS. There are times when it is appropriate, but in
- general you should abstract the security services you need
- away from the operating system. History shows that too many
- system compromises have been caused by applications with
- direct access to parts of the operating system. Kernels
- generally don't protect themselves. Thus if a bad enough
- security flaw is found in a part of the operating system,
- the whole operating system can be compromised and the
- applications fall victim to the attacker. If the purpose of
- an operating system is to provide a secure environment for
- running applications, exposing its security interfaces is not a
- strategically sound idea.
-
-
-
-
- Security from the Network Infrastructure
-
-
- Web applications run on operating systems that depend on
- networks to share data with peers and service providers. Each
- layer of these services should build upon the layers below it.
- The bottom and fundamental layer of security and control is the
- network layer. Network controls can range from Access Control
- Lists at the minimalist approach to clustered stateful firewall
- solutions at the top end. The primary two types of commercial
- firewalls are proxy-based and packet inspectors, and the
- differences seem to be blurring with each new product release.
- The proxies now have packet inspection and the packet inspectors
- are supporting HTTP and SOCKS proxies.
-
-
-
- Proxy firewalls primarily stop a transaction on one interface,
- inspect the packet in the application layer and then forward the
- packets out another interface. Proxy firewalls aren't
- necessarily dual-homed as they can be implemented solely to stop
- stateful sessions and provide the forwarding features on the
- same interface; however, the key feature of a proxy is that it
- breaks the state into two distinct phases. A key benefit of
- proxy-based solutions is that users may be forced to
- authenticate to the proxy before their request is serviced,
- thereby providing for a level of control that is stronger than
- that afforded simply by the requestor's TCP/IP address.
-
-
-
- Packet inspectors receive incoming requests and attempt to match
- the header portions of packets (along with other possible
- feature sets) with known traffic signatures. If the traffic
- signatures match an 'allowed' rule the packets are allowed to
- pass through the firewall. If the traffic signatures match
- 'deny' rules, or they don't match 'allowed' rules, they should
- be rejected or dropped. Packet inspectors can be further broken
- into two categories: stateful and non-stateful. A stateful
- packet inspection firewall learns a session characteristic when
- the initial session is built after it passes the rulebase, and
- requires no return rule. The outbound and inbound rules must be
- programmed into a non-stateful packet inspection firewall.
-
-
-
- Regardless of the firewall platform adopted for each specific
- business need, the general rule is to restrict traffic between
- web clients and web content servers by allowing only external
- inbound connections to be formed over ports 80 and 443.
- Additional firewall rulesets may be required to pass traffic
- between Application Servers and RDBMS engines such as port 1521.
- Segmenting the network and providing for routing 'chokes' and
- 'gateways' is the key to providing for robust security at the
- network layers.
-
-
-
-
-
- You are the weakest link, goodbye!
-
-
- When talking about web application or web services security
- we talk sometimes about some proxy systems allowing us to filter
- inputs from requests. Some security vendors already implemented
- firewall which can be used to protect web applications from common
- attacks. There are several guidelines or books which tell us what
- we have to do in which phases of a software project to stay secure.
- One of the risks missing from these guidelines and sources is the
- thread coming from networked applications as example a centralized
- authentication service.
-
-
- Let's look at an example of a centralized authentication service in
- the kind of Passport. We will call this Service Authentikator for this
- example. Authentikator let's programmers include it's service in their
- own applications. So users as developers can profit from one single
- place of profile storage and manipulation. If a user want's to log
- on a site using Authentikator, this website makes a simple check on
- the Authentikators system and then acts according the answer it gets. This
- makes the developers live easier and helps the users wrangle with
- multiple usernames and passwords, since only one is used anymore.
-
-
- So in theory this is a winner situation. The centralized database
- contains sensitive informations about it's users, but this central
- database and service can be nailed down for maximum security. There will
- be most probably some errors and holes in the security mechanisms used
- to nail down Authentikator, but these can be fixed easily on notification.
- But whats missing here is unfortunately the fact, that the whole Authentikator
- service is only as good as the badest developer using the Authentikators
- services.
-
-
- There is a possibility, that the interface which can be used by developers
- to use the functionality of Authentikator leaves possibilities for the
- developers to make errors and open points for attack like that. While
- the Authentikator service can check for Software Fault Injections, penetration
- via Network or some similar attack, it can not be protected for requests it
- is built in the first place. This means, that every developer using the
- Authentikators service can post a request, which in itself is valid, but
- contains wrong data. Not planned, but incidentally, because an attacking
- user found a way of forging the request.
-
-
- This leaves us with the quintessence of this subchapter: If attackers can't
- attack a central service because it is protected well enough, they can try
- to attack it from within it's own lines. This was exactly what happened with
- the Passport service, when a security problem in Hotmail existed. Instead of
- hacking Passport directly, attackers could hack Hotmail, gain the Passports
- users credentials (Hotmail uses Passport for authentication) and then once
- authenticated as attacked user can log in on any Passport authenticated site,
- including Passport itselfs.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/DevGuide1-xml/architectures.xml b/DevGuide1-xml/architectures.xml
deleted file mode 100755
index c4273ca4..00000000
--- a/DevGuide1-xml/architectures.xml
+++ /dev/null
@@ -1,151 +0,0 @@
-
-
-
-
-
- Christopher
- Todd
-
-
-
- Web Application Architectures
- Early in the history of dynamic web applications, developers, designers, and
- architects began to realize that complex web applications were no different from
- complex stand-alone applications, and that the stability and maintainability of a web
- application depended critically on its architecture. Furthermore, as web applications
- became more complex and web interfaces became increasingly graphic design-intensive,
- a split developed between the types of people involved in the creation of a web application.
- Web designers often worked with graphical design issues, page layout, user interface
- design, etc., while web developers worked with the application logic, the processing
- of web forms, and the interaction of the web application with its data stores (databases,
- filesystems, and directories). A mechanism was needed that would allow web designers
- and web developers to do their own thing without stepping on each other's toes. Many
- potential solutions were developed (and are still being developed), but they can all be
- traced to an architectural pattern developed many years ago: the Model-View-Controller
- design pattern.
-
- Model-View-Controller (MVC)
- Originally described by the "Gang of Four" (Erich Gamma, Richard Helm, Ralph
- Johnson, and John Vlissides) in their seminal work Design Patterns: Elements of Reusable
- Object-Oriented Software, the Model-View-Controller pattern involves separating the
- three primary duties every program must perform: maintain a model of the application
- data, decide what data will be displayed (based on user input and application state),
- and display data to the user. The MVC pattern has been successfully applied in many
- programming languages and paradigms, but it works particularly well in Object-Oriented
- languages such as Java, C++, Python, and Smalltalk.
- The MVC pattern is based on three components: the Controller, the Model, and
- the View. The View is responsible for presenting data to the user in an appropriate
- manner. The Model is responsible for processing the data and maintaining the application
- state and an internal representation of the application data. The Controller is responsible
- for determining what actions need to take place as a result of a particular user input (or
- change in the applications internal state). By clearly separating these three aspects of
- an application, it becomes easier for web designers to concentrate solely on the user
- interface, without having to worry about screwing up the data processing, and it allows
- developers to concentrate on the application logic and data storage without having to
- worry about screwing up the presentation layer.
-
-
- Model 1 and Model 2
- In the early days of Java Server Pages (JSP), two approaches to JSP design were
- described and named (somewhat uncreatively) Model 1 and Model 2. Model 1 JSP page designs
- encapsulated the View and the Controller parts of the MVC pattern within the same JSP page
- (or pages), and the data underlying the application (the Model) was represented using JavaBeans.
- While this design was originally discussed only in the context of JSP pages, a great many web
- developers will recognize this pattern from their own work in Active Server Pages, PHP, Perl CGI
- scripts, or similar scripting page-based web application development systems. The major problem
- with this approach, of course, is that before too long the script page becomes unmanageably
- complex, with HTML-based display code being intermingled with data processing code, wedged in
- between application flow-processing code. For all but the simplest web applications, Model 1 is
- frowned upon as a sustainable design approach.
-
- Model 2 is essentially the MVC pattern, with a servlet acting as the Controller, and
- JSP pages acting as the View, with JavaBeans acting as the model. While this approach does
- not completely hide programming details from page designers, it is a vast improvement over Model 1.
- The result is an application that is well designed, maintainable, and which separates (to a great extent)
- the duties assigned to page designers and web developers.
-
-
-
- Applying these architectures to security
- One might argue that the primary advantage to using design patterns is to make code easier
- to understand, easier to modify, and easier to maintain. The end result is software that works more
- reliably and is easier to fix when bugs are discovered. So what does any of this have
- to do with web application security? It has a lot to do with security. Well designed code is less
- likely to contain fundamental design-related security flaws. Code that is easy to understand because
- it is designed well is less likely to be screwed up by new developers on the team. Code that is easier
- to maintain will contain fewer bugs, and bugs are the primary cause of many security problems.
-
- Furthermore, the web application architectures discussed above can improve web
- application security by clearly delineating the paths through which application data travel,
- how they are processed in each step, and how they are finally displayed to the user.
- Thinking of each portion of the application as a "boundary" allows a separation of responsibilities
- among developers, and provides tremendous flexibility in determining how best to secure the
- application and its data at that point in the processing. For example, it has been stated repeatedly
- throughout this guide that the single most important security-related task a developer must
- perform is to filter user input. But deciding what to filter out is dependant on how the data is
- about to be processed. For example, if the data is about to be used in a database query, then
- you would want to filter characters such as ' and - that can be used in SQL injection attacks.
- But if the data is about to be displayed to the user, then filtering ' and - might mean that Cynthia
- O'Neill-Jones is going to make a call to customer support to ask why her name is spelled wrong.
-
- Applying appropriate data processing at various times is greatly facilitated by the use of
- MVC and similar design patterns, because the Model knows how to handle data as it moves through
- the various stages of processing within the application. This kind of modularity is a hallmark of good
- software design, and well designed software has a much better chance of being secure than poorly
- designed software.
-
- An additional advantage of the MVC pattern is that the Controller acts as a gate-keeper,
- making it a natural candidate for handling session management, authentication and authorization.
- Since all requests will go through the Controller before being sent to the appropriate View or Model
- component, developers can determine whether the request is part of a session, and if so, whether
- the user that correpsonds to that session is authorized to make that request. If the request is not
- part of a session, the Controller can return the login page.
-
-
-
- MVC Frameworks
- The first time a web application developer sees how useful the MVC pattern can be in
- designing a web application, it often feels like an epiphany. The joyous feeling of understanding
- wears off pretty quickly when the developer realizes that understanding an idea in the abstract,
- and implementing the idea in the real, are two different things, and implementation is often more
- difficult than understanding. The amount of work required to implement a robust, easy to use MVC
- based application can seem daunting, and this process must be repeated for each new web application
- you develop. Given that laziness is a virtue for most programmers, a number of groups of open-source
- software developers have created generic, reusable, MVC-based web application development frameworks.
-
-
- Jakarta Struts
-
- Jakarta Struts is probably the most well known and widely adopted of the MVC frameworks. Based
- on Java Servlet and Java Server Pages technologies, it is most commonly used with the Tomcat servlet container,
- but it can be used with any compliant servlet container. It is highly flexible and configurable, capable of
- using practically any kind of data store for maintaining the Model.
- For the View component, it is flexible enough to support JSP pages, the Velocity templating system, XSLT,
- and more. The basic Controller is an ActionServlet that uses ActionMappings to map request URIs to particular
- Action classes. These Action classes (part of the Model) then process the request, act appropriately on the
- application data, and return the result to the View.
-
-
-
- Maverick and derivatives
- Maverick is an MVC-based web application development framework that is similar in design to Struts,
- but designed to be a little simpler and easier to use. Maverick is based on Java and J2EE, but has also been
- ported to .NET (Maverick.NET) and PHP (Ambivalence).
-
-
-
- OWASP .NET MVC
- OWASP is in the process of creating an MVC framework for use on the .NET development
- platform. If you would like to contribute, contact Mark Curphey.
-
-
-
- php.MVC
- On it's website at http://www.phpmvc.net/, php.MVC is described like this:
- php.MVC implements the Model-View-Controller (MVC) design pattern, and encourages application design based on the Model 2 paradigm. This design model allows the Web page or other contents (View) to be mostly separated from the internal application code (Controller/Model), making it easier for designers and programmers to focus on their respective areas of expertise.
- The framework provides a single entry point Controller. The Controller is responsible for allocating HTTP requests to the appropriate Action handler (Model) based on configuration mappings.
- The Model contains the business logic for the application. The Controller then forwards the request to the appropriate View component, which is usually implemented using a combination of HTML with PHP tags in the form of templates. The resulting contents are returned to the client browser, or via another protocol such as SMTP.
- php.MVC is a PHP port of Jakarta Struts. It currently supports many features of Struts, including declarative application configuration via the XML digester. For example, mappings from the various Action business logic components to appropriate results pages can be specified declaratively in the XML configuration file
-
-
-
diff --git a/DevGuide1-xml/authentication.xml b/DevGuide1-xml/authentication.xml
deleted file mode 100755
index 871a2dda..00000000
--- a/DevGuide1-xml/authentication.xml
+++ /dev/null
@@ -1,1147 +0,0 @@
-
-
-
-
-
- Abraham
- Kang
- abrahamkang@earthlink.net
-
-
- Andrew van der Stock
- van der Stock
- ajv@greebo.net
-
-
-
-
- Authentication
-
- SAML
-
- SAML stands for Security Assertions Markup Language. SAML provides an
- interoperable XML schema for exchanging authentication, authorization, and user
- attribute related information. It allows different security infrastructures and applications
- to shared authentication, authorization, and attribute related information. SAML is
- important because it is the first time that all of the major vendors (IBM, Microsoft,
- Oracle, Sun, BEA, SAP, etc.) have come together to support a single security standard.
-
-
-
- SAML is made up of three parts. The first part is the SAML element schema, which
- represents authentication, authorization, and user attribute related information. The
- second part is the XML schema that defines the SAML protocol in which the
- authentication, authorization, and user attribute related information is requested and
- supplied. The third part represents the SAML profiles and bindings. A SAML profile
- describes the rules used to extract and embed SAML Assertions into a framework or
- protocol. SAML Bindings explain how SAML messages work with standard messaging
- or communication protocols. Although it is important to understand which elements go
- where and what each element represents it is import to first get the big picture. Lets look
- at the actual scenarios where SAML can be used.
-
-
- SAML Usage Senarios
-
- In order to understand the usage scenarios we will need to go over some vocabulary.
- Authorities are the sites or entities that hold user related information, or the sites the user
- has authenticated to. There are three types of Authorities: Attribute, Authentication, and
- Authorization. An Attribute authority could provide credit limit information. An
- Authentication authority would provide information on when a user was authenticated and
- by what means. An Authorization authority could vouch for different access rights that an
- authenticated user possesses.
-
-
-
-SSO Pull Scenario
-
- In this scenario the user has already authenticated to a Web site (Attribute and
- Authentication Authority) and is trying to access a partner site (Policy Decision Point and
- Policy Enforcement Point). All of the links to the partner site reference an inter-site
- transfer URL. When the user clicks the URL to the partner site, the source site receives
- the request (through the inter-site URL) and places an artifact in the HTTP 302 response
- or places an assertion in the HTML page returned. The user is then redirected to the
- destination siteÂ’s artifact or assertion consumer URL. The destination verifies the artifact
- or assertion and returns the requested HTML resource.
-
-
-
-
-Distributed Transaction Scenario
-
- Basically a SOAP client authenticates to a SOAP service that participates within a set of
- loosely couple B2B Web Service Supply Chain Services. A supplier or buyer has to only
- setup their contractual agreements once and can seamlessly access all other member Web
- Service interfaces to buy and sell products. Within the supply chain consortium there is a
- centralized Authentication, Authorization, and Attribute Authority. All members initially
- login to this service and receive the associated Assertions to interact with other supply
- chain partners. Whenever a user wants to create a transaction with another partner they
- attach their assertion to the transaction request. The receiver then confirms the assertion
- with the centralized authority or verifies and accepts the assertion if the assertion is
- signed. After confirming the request a response is sent to the message initiator to confirm
- or deny the transaction.
-
-
-
- A different spin of this is where the user authenticates to a site, which can make orders on
- behalf of the logged in user at another site. When a user needs to initiate a transaction at
- the partner site, the appropriate assertions are generated and sent to the other site on
- behalf of the user. The assertions are used to validate the user credentials, credit limits,
- and commit the transaction.
-
- Now that you understand where SAML can be used, lets look
- at the core SAML elements that define the authentication, authorization, and user
- attribute related information.
-
-
-
-SAML Assertions
-
-
- The Assertion element represents the core container element within SAML. The
- Assertion element is the main element because is represents a statement of proof about a
- Subject. Assertions hold any number of three different "Statement" types. The
- "Statement" types (Authentication, Attribute, and AuthorizationDecision) correspond
- with the three different types of information that can be conveyed between an
- "Asserting" and "Relying" (RP) party. A "Relying" party requests authentication,
- authorization, and attribute related information from an "Asserting" party (AP). A
- "Relying" party relies on the assertions provided by the "Asserting" party to make
- authentication, authorization, and attribute related decisions. "Asserting" parties are also
- referred to as Authorities. The different types of information that can be passed between
- a RP and AP also categorize authorities. Authorities can be any combination of
- Authentication, Authorization, and Attribute Authorities.
-
-
-
- A SAML Assertion is made up of required and optional elements and attributes. The
- mandatory attributes are:
-
-
-
- AssertionID -- The AssertionID must be a globally unique identifier with less than
- 2^-128 (2^-160 recommended) probability of creating duplicates for different
- Assertions.
-
- MajorVersion -- "1" for SAML 1.0
-
- MinorVersion -- "0" for SAML 1.0
-
- Issuer -- String that represents the issuer of the assertion (authority). This can be any
- string that is known to identify the Issuer of the Assertion.
-
- IssueInstant -- The date and time in UTC format when the assertion was created.
- UTC is sometimes called GMT. All time is relative to UTC (or GMT) and the format
- is "YYYY-MM-DDTHH:MM:SSZ". An example is "2003-01-04T14:36:04Z". T is
- the date time separator. Z stands for "Zulu" or GMT time zone.
-
-
-
- The optional elements are:
-
-
-
-
- Conditions:
-
-
- Give additional restrictions on determining the validity of an assertion. The attributes
- of the saml:Conditions element define the validity period using NotBefore and
- NotOnOrAfter attribute. If there is a saml:Conditions element with no sub elements
- or attributes then the assertion is valid without further investigation. If the
- saml:Conditions element has nested saml:Condition elements then the validity of the
- assertion is based on the folowing rules:
-
-
-
- If any saml:Condition or saml:AudienceRestrictionCondition element within the
- saml:Conditions element is invalid or if the current dateTime falls outside of the
- NotBefore or NotOnOrAfter attributes then the assertion is invalid.
-
- If any saml:Condition or saml:AudienceRestrictionCondition element within the
- saml:Conditions element cannot be verified as valid or invalid then the Assertion
- is Indeterminate.
-
- Only when all saml:Condition and/or saml:AudienceRestrictionCondition
- elements nested within the saml:Conditions element are valid is the Assertion
- valid.
-
-
-
-
-
-Advice:
-Holds additional information that the issuer wishes to provide in the form of any
-number of saml:AssertionIDReference, saml:Assertion, and/or any valid and well
-formed XML element that’s namespace resides outside the target namespace (
-
-]]>
-).
-
-
-
-Statement Type
-Any mix of one or more saml:Statement types (saml:Statement,
-saml:SubjectStatement, saml:AuthenticationStatement,
-saml:AuthorizationDecisionStatement, saml:AttributeStatement).
-
-
- The saml:Statement’s type serves as a base type to extend from when you want to
-create your Statement types. The saml:Statement element does not define any
-nested elements or attributes and therefore have little practical value on its own.
-Here is the XML schema that describes this element:
-
-]]>
-
- The saml:SubjectStatement’s type serves as a base type to extend from when you
-want to create your SubjectStatement types. The only difference between a
-saml:Statement and saml:SubjectStatement is that the saml:SubjectStatement has
-a nested saml:Subject element.
-Here is the XML Schema that describes this element:
-
-
-
-
-
-
-
-
-
-
-]]>
-
-The saml:AuthenticationStatement can be extended but it is typically used as-is.
-A saml:AuthenticationStatement asserts that a subject was authenticated using a
-specific method (Kerberos, password, X509 Cert, etc.) at a specific time.
-Here is a sample assertion with a saml:AuthenticationStatement:
-
-
-
-
-joeuser@smithco.com
-
-
-
-]]>
-
-
-The saml:AttributeStatement can also be extended but it is typically used as-is.
-The saml:AttributeStatement asserts that a subject has a set of attributes
-(A,B,C,etc.) with associated values ("a","b","c",etc.). Here is an example:
-
-
-
-joeuser@smithco.com
-
-
-
-
- Engineering
-
-
-
-
- 500.00
-
-
-
-]]>
-
-The saml:AuthorizationDecisionStatement can also be extended but is typically
-used as-is. The saml:AuthorizationDecisionStatement asserts that a subject should
-be granted or denied access to a specific resource. Here is an example:
-
-
-
-joeuser@smithco.com
-
-
-Read
-
-
-
-]]>
-
-
-
-
-
-
-
- SAML Protocol
-
-The SAML Protocol is pretty simple. A relying party makes a request and an asserting
-party (Authority) provides the response. The Relying Party sends a samlp:Request to the
-Asserting Party. If successful, the Asserting Party includes an Assertion in the samlp:Response.
-If unsuccessful, the Asserting Party does NOT return an Assertion and returns the status instead.
-
-
- The samlp:Request
-
- The samlp:Request element is extended from the samlp:RequestAbstractType. XML
-extension allows a target XML element which gets its type from a parent base type to add
-additional attributes or elements to a defined child type which extends the parent base
-type as long as the instance of the target XML element specifies the child type as a
-xsi:type attribute (That was a mouthful. Look at the "Extending SAML Elements" section
-for an example). The samlp:RequestAbstractType looks like the following:
-
-
-
-
-
-
-
-
-
-]]>
-
-The samlp:Request inherits four mandatory attributes and two optional elements from the
-RequestAbstractType. The samlp:Request is defined as follows:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-]]>
-
- So the samlp:Request has all of the attributes and elements of the
-samlp:RequestAbstractType and only adds a choice of the following elements:
-samlp:Query, samlp:SubjectQuery, samlp:AuthenticationQuery, samlp:AttributeQuery,
-samlp:AuthorizationDecisionQuery, saml:AssertionIDReference (one or more) or
-samlp:AssertionArtifact (one or more). Lets look at the attributes and sub-elements in
-more detail.
-
- The samlp:Request contains four mandatory attributes:
-
-
- RequestID -- The RequestID must be a globally unique identifier with less than
-2^-128 (2^-160 recommended) probability of creating duplicates for different Requests.
-
- MajorVersion -- "1" for SAML 1.0
- MinorVersion -- "0" for SAML 1.0
- IssueInstant -- The date and time in UTC format when the request was initiated.
-UTC is sometimes called GMT. All time is relative to UTC (or GMT) and the format
-is "YYYY-MM-DDTHH:MM:SSZ". An example is "2003-01-04T14:36:04Z". T is
-the date time separator. Z stands for "Zulu" or GMT time zone.
-
-
- The samlp:Request also has optional sub-elements:
-
- samlp:RespondWith
- This allows you specify what type of Statement you are
-requesting. The only requirement is that you specify QNames. A QName is an XML
-element that includes its namespace prefix. The format of a QName is
-prefix:elementName. If you do not specify anything you will get all Statements that
-are associated with the subject that you are verifying. You can specify one or more of
-these. Here is an example:
-saml:AttributeStatement
-saml:AuthenticationStatement]]>
-
-
-
-ds:Signature
-This element allows you to sign the request to verify that the request
-was generated by a specific signer. Please refer to the chapter on XML Signature to
-get the details of this element.
-
- Finally the samlp:Request has to have a Query or Assertion pointer associated with
-it. The Query has to determine what type of Statement to return so it mimics the saml:Statement
-element’s hierarchy. The Assertion pointer is a reference to an AssertionID or Artifact.
-Here are the seven different Query types:
-
-
-samlp:Query
-The Query element has a similar structure to the saml:Statement. The
-Query element is based on an abstract type, is empty, and is primarily used as an
-XML extension point. Here is XML Schema definition:
-
-]]>
-
-samlp:SubjectQueryThe SubjectQuery element has a similar structure to the
-saml:SubjectStatement. The SubjectQuery’s type serves as a base type to extend from
-when you want to create your SubjectQuery types. The only difference between a
-samlp:Query and samlp:SubjectQuery is the samlp:SubjectQuery has a nested
-saml:Subject element. Here is XML Schema definition:
-
-
-
-
-
-
-
-
-
-]]>
-
-samlp:AuthenticationQueryThe AuthenticationQuery can
-be extended but it is typically used as-is. A samlp:AuthenticationQuery asks for
-all the Authentication Assertions related to a specific subject that define
-previous authentication acts between the specified subject and the
-Authentication authority. It looks just like a samlp:SubjectQuery but adds an
-optional samlp:AuthenticationMethod element that is of type anyURI. The
-samlp:AuthenticationMethod element serves as a filter and will only retrieve
-saml:AuthenticationStatements with the noted AuthenticationMethod. The
-authentcation method can be one of the following values:
-
-Here is XML Schema definition:
-
-
-
-
-
-
-
-]]>
-Here is an example of an authentication query:
-
-saml:AuthenticationStatement
-
-...
-
-
-
-joeuser@smithco.com
-
-
-
-]]>
-
-
-samlp:AttributeQuery
-The AttributeQuery can be extended but it is typically used
-as-is. A saml:AttributeQuery asks for the attributes related to a specific subject. It
-looks just like a samlp:SubjectQuery but adds an optional saml:AttributeDesignator
-element and an optional Resource attribute. The saml:AttributeDesignator acts as a
-filter in the same way the AuthenticationMethod worked. If no AttributeDesignator
-is mentioned then all attributes related to the subject are returned. The resource
-attribute allows you to tell the Attribute Authority that the attribute request is being
-made in response to a specific authorization decision relating to a resource. Here is
-the XML Schema:
-
-
-
-
-
-
-
-
-
-
-]]>
-Just as a reminder here is the definition of saml:AttributeDesignator:
-
-
-
-
- ]]>
-
-Here is an example of an AttributeQuery:
-
-
-
-
-joeuser@smithco.com
-
-
-
-
-]]>
-
-
-samlp:AuthorizationDecisionQueryThe AuthorizationDecisionQuery can be
-extended but it is typically used as-is. A saml:AuthorizationDecisionQuery asks if a
-subject can execute certain actions on a specific resource given some evidence. It
-looks just like a samlp:SubjectQuery but adds a required saml:Action element, an
-optional saml:Evidence element, and an optional Resource attribute. The
-saml:Action defines what the subject wants to do. The saml:Evidence defines the
-additional Assertions that the subject is providing to the Authorization Authority to
-help it make its decision. The resource is an URI which defines the object that the
-authorization query is related to. Lets take a closer look at each of these elements.
-The saml:Action is defined as follows:
-
-
-
-
-
-
-
-]]>
-
-SAML defines a set of Action Namespaces and their associated values. They are as
-follows:
-
-
-
-Here is an example AuthorizationDecisionQuery:
-
-
-
-
-joeuser@smithco.com
-
-
-
-Read
-
-
-
-...
-
-
-]]>
-
-
-
-The last two elements define alternate methods of fetching assertions by presenting an
-artifact (samlp:AssertionArtifact) or by presenting an AssertionID
-(saml:AssertionIDReference). You could have one or more of the following elements.
-
-saml:AssertionIDReferenceThe saml:AssertionIDReference is of type
-IDType and basically points to an assertion that it is requesting. Here is an example:
-128.14.234.20.12345678]]>
-
-samlp:AssertionArtifactThe samlp:AssertionArtifact is based on the xsi:type
-String. It holds an 8 byte Base 64 encoded string that indirectly points to an Assertion. Here is an example:
-128.14.234.20.12345678]]>
-
-
-Once the request is received, the Authority has to send a response. Coincidentally, the
-element returned is samlp:Response.
-
- The samlp:Response
- The samlp:Response contains a set of assertions ( if successful) or status code (when
-things go wrong). The samlp:Response, like the samlp:Request, extends an abstract type
-samlp:ResponseAbstractType. A samlp:Response can be signed to verify the sending
-party to the relying party. The samlp:ResonseAbstractType looks like the following:
-
-
-
-
-
-
-
-
-
-
-
-]]>
-
-The ResponseAbstractType defines an optional ds:Signature element which allows the
-Response to be signed. There are 4 required attributes and 2 optional attributes.
-
-The 4 required attributes of the samlp:ResponseAbstractType are:
-
-
-
- ResponseID -- The ResponseID must be a globally unique identifier with less than
-2^-128 (2^-160 recommended) probability of creating duplicates for different Requests.
- MajorVersion -- "1" for SAML 1.0
- MinorVersion -- "0" for SAML 1.0
- IssueInstant -- The date and time in UTC format when the assertion was created.
- UTC is sometimes called GMT. All time is relative to UTC (or GMT) and the format
- is "YYYY-MM-DDTHH:MM:SSZ". An example is "2003-01-04T14:36:04Z". T is
- the date time separator. Z stands for "Zulu" or GMT time zone.
-
- The 2 required attributes of the samlp:ResponseAbstractType are:
-
-
- InResponseToThis holds the RequestID of the samlp:Request that generated this
-samlp:Response.
-RecipientA URI that represents a recipient or a resource managed by a recipient. This value if present must be verified by the recipient.
-
-
-
-The samlp:Request extends the samlp:ResponseAbstractType by adding a required
-samlp:Status element and optional saml:Assertion element. If the Status is "success" the
-response includes an Assertion. If the Status is "failure" then the Response will NOT
-contain an assertion. Here is XML schema definition for samlp:Response:
-
-
-
-
-
-
-
-
-
-
-
-
-
-]]>
-
-
-You should be familiar with saml:Assertion. The samlp:Status probably needs more
-explaining. The samlp:Status describes the result of the samlp:Request. The
-samlp:Status has the following XML Schema definition:
-
-
-
-
-
-
-
-
-
-
-]]>
-
-
- The samlp:Status has a complex structure where its sub-element, samlp:StatusCode, can
- have nested samlp:StatusCode elements. Each of the samlp:StatusCode elements has a
- single required Value attribute. Here is the XML Schema that describes the
- samlp:StatusCode element:
-
-
-
-
-
-
-
-
-
-]]>
-
-The Value attribute of the top level samlp:StatusCode has to have one of the following values:
-
-
-
-Success -- The request succeeded.
-VersionMismatch -- The version was incorrect.
-Requester -- There was an error at the requester.
-Responder -- There was an error at the responder.
-
-
- The second-level status codes can be one of the following:
-
-
-
-RequestVersionTooHigh -- The request’s version is not supported by the responder
- because it is too high.
-RequestVersionTooLow -- The request’s version is not supported by the responder
- because it is too low.
-RequestVersionDeprecated -- The responder does not accept the version of the
- protocol specified.
-TooManyResponses -- The response could only return a subset of all the value elements.
-RequestDenied -- The responder has elected not to respond due to an insecure environment
- or protocol resonse.
-ResourceNotRecognized -- The responder does not acknowledge the resource provided
- because it is invalid or unrecognized.
-
-
- All of the samlp:Status values above are Qnames (qualified names) in the
- urn:oasis:names:tc:SAML:1.0:protocol namespace. If you wanted to create your own
- samlp:Status values, they have to be in their own namespace and be fully qualified.
- Here is an example:
-
-
-
-
-]]>
-
-
- The samlp:StatusMessage serves as a generalized error description corresponding to the
- state of the top level samlp:Status. The samlp:StatusDetail allows you to provide any
- well formed XML that can be processed further by the Relying party.
-
-
-
- Here is an example of a samlp:Response:
-
-
-
-
-
-Some message
-
-
-
-
-
-
-]]>
-
-
-
-Bindings and Profiles
-
-
- A binding defines how SAML Requests and Responses are mapped into a transport
- protocol for transport between a relying and asserting party. A profile defines how a
- framework or protocol can use SAML to make assertions about components or parts of
- that protocol or framework. SAML over SOAP is the only binding defined in the SAML
- spec. Although SOAP can be transferred over many transports, HTTP is the only
- required binding for SOAP. So SAML over SOAP over HTTP is a baseline.
-
-
-
- SOAP is a XML based RPC (Remote Procedure Call) protocol. It is made up of three
- major XML elements: a root level Envelope element, a Header element that is a sub-
- element of Envelope, and a Body element that follows the Header element and is a sub-
- element of Envelope. Here is an example of how a SAML Request is passed over SOAP:
-
-
-
-
-
- ...
-
- ...
-
-
-
-]]>
-
-
- Here is how the SAML Response is returned within a SOAP Envelope:
-
-
-
-
-
-
-
-
- ...
-
-
-...
-
-
-
-
-]]>
-
-
-There are two browser profiles for single sign-on (SSO) defined in SAML: artifact and
-POST. The browser/artifact profile of SAML mandates the usage of a SAML artifact in
-the URL of the HTTP 302 (redirect) status. The browser/POST profile of SAML uses an
-HTML ]]> to pass assertions directly to a destination site.
-
-
-
-An artifact is a pointer to an assertion. A SAML artifact is the base 64 encoding of the
-TypeCode and RemainingArtifact ( B64(TypeCode RemainingArtifact) ). The TypeCode is a 2
-byte number in hex notation (example 0x0001). The TypeCode value determines the
-format of the RemainingArtificact. 0x0001 is the only mandated TypeCode and is
-associated with a RemainingArtifact with the following format:
-
-
-
-RemainingArtifact := SourceID AssertionHandle
-SourceID := 20-byte_sequence
-AssertionHandle := 20-byte_sequence
-
-The SourceID has to be unique among all possible source sites. The SourceID is similar
-to an IP address but you should not use an IP address or anything that can help an
-attacker infer your identity. The AssertionHandle can be any value that identifies an
-assertion but it MUST be infeasible to construct or guess the value of a valid
-assertion or any part of an assertion from the AssertionHandle. An artifact is used
-because most Web/application servers have limitations on URL length. Lets look at the
-SSO profile in more depth.
-
-
-The Web browser SSO profile of SAML defines a scenario where an authenticated user
-from a source site wants to access a resource at a destination site without having to log in
-again. When the user wants to access the destination site he/she selects a link which
-references an inter-site transfer URL. The inter-site transfer URL is located on the source
-site and has a mandatory Target parameter in its query string. The value that the target
-equals (http://www.sourcesite.com/interSiteURL?Target=ebay_Auctions_Cars) is a logical key for a
-resource at the destination site. The Target is a name that the source site uses to reference
-the resource at the destination site. The source site uses the logical key to identify the
-URL to the Assertion consumer at the destination site as well as the destination site’s
-name for that resource. If the artifact profile is being used, the source site returns a
-HTTP 302 status to the browser with a URL that points to the assertion consumer and a
-TARGET parameter which defines the name for the requested resource that the
-destination site uses. The destination site receives the artifact and then makes an out-of-
-band request to the source site’s artifact consumer and receives an assertion from the
-source site. If the destination site accepts the returned assertion, the user is allowed
-access to the resource.
-
-
-When the POST profile is being used, the inter-site URL returns an HTML page to the
-browser that contains a SAML assertion. The page with the SAML assertion is then
-posted (by JavaScript) to the destination site assertion consumer URL. Here is an
-example:
-
-
-
-