From dfcfe140b1ee965de788e7640ebd1b1ef5aecf54 Mon Sep 17 00:00:00 2001 From: sydseter Date: Thu, 3 Jul 2025 12:05:37 +0200 Subject: [PATCH 1/3] Fixes #129 SCP [198, 201, 143, 144, 145, 146, 147, 148, 150] Cornucopia - Data Protection --- .wordlist-en.txt | 3 +++ .../02-web-app-checklist/08-protect-data.md | 22 ++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.wordlist-en.txt b/.wordlist-en.txt index b70114a8..5042489c 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -536,3 +536,6 @@ BOLA WebDAV tunable allowlist +printf +strcat +strcpy diff --git a/docs/en/04-design/02-web-app-checklist/08-protect-data.md b/docs/en/04-design/02-web-app-checklist/08-protect-data.md index c37fcfa3..18b30936 100644 --- a/docs/en/04-design/02-web-app-checklist/08-protect-data.md +++ b/docs/en/04-design/02-web-app-checklist/08-protect-data.md @@ -3,7 +3,10 @@ require extra protection, particularly if that data falls under privacy laws (EU financial data protection rules such as PCI Data Security Standard (PCI DSS) or other regulations. Refer to proactive control [C2: Use Cryptography the proper way][control2] and its [cheatsheets][csproactive-c8] -for more context from the OWASP Top 10 Proactive Controls project, +for memory management, especially in relation to mobile development, refer to +[Secret Management Cheat Sheet][secretmanagement] and MASTG on testing [Mobile App Code Quality][mobilecodequality]. + +more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project. #### 1. Data protection 
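Review bot: the rewritten intro in the first `08-protect-data.md` hunk no longer parses as a sentence: `and its [cheatsheets][csproactive-c8]` now runs straight into `for memory management, especially in relation to mobile development, refer to ...`, and the original continuation `more context from the OWASP Top 10 Proactive Controls project,` is left stranded after a blank line without its leading `for`. Keep the original sentence whole and put the memory-management pointer in its own sentence, e.g. `for more context from the OWASP Top 10 Proactive Controls project. For memory management, especially in relation to mobile development, refer to ...`. The third patch in this series drops the mobile pointer and restores the original wording, so the end state is fine, but squashing the series would keep the broken intermediate intro out of history.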
@@ -22,6 +25,8 @@ and use the list below as suggestions for a checklist that has been tailored for 12. Purge those temporary copies of sensitive data as soon as they are no longer required 13. Do not include sensitive information in the URL or query string, such as an API key or session token 14. Disable client side caching on pages containing sensitive information (e.g. Cache-Control: no-store) +15. Set a referrer policy to prevent leakage of sensitive data to third-party services via the 'Referer' HTTP request header + field. This can be done using the Referrer-Policy HTTP response header field or via HTML element attributes #### 2. Memory management @@ -33,12 +38,24 @@ and use the list below as suggestions for a checklist that has been tailored for 6. Properly free allocated memory upon the completion of functions and at all exit points 7. Overwrite any sensitive information stored in allocated memory at all exit points from the function 8. Protect shared variables and resources from inappropriate concurrent access +9. Avoid the use of known vulnerable functions (e.g., printf, strcat, strcpy etc.) + +#### 3. Encrypting Data in Transit + +1. Utilize TLS connections for all connectivity between a client and external-facing, HTTP-based services +2. Ensure the TLS connections do not fall back to insecure or unencrypted communication +3. Utilize a single standard TLS implementation with (preferably the latest) secure version of TLS +4. Ensure the TLS connections are configured appropriately to validate certificates received before communicating and + checking revocation status #### References * OWASP [Cheat Sheet: Cryptographic Storage][cscs] * OWASP [Cheat Sheet: Secrets Management][cssm] +* OWASP [Cheat Sheet: Transport Layer Security][cstls] * OWASP [Top 10 Proactive Controls][proactive10] +* OWASP [Secret Management Cheat Sheet][secretmanagement] +* OWASP [MASTG: Mobile App Code Quality][mobilecodequality] ---- 
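Review bot: item 15 names the mechanism but, unlike item 14 with its `(e.g. Cache-Control: no-store)`, gives no concrete value; add one such as `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer` for the strictest setting) so the checklist item is actionable. The `'Referer'` spelling is correct for the request header, but a short parenthetical that this is the historical header name, as opposed to the correctly spelled `Referrer-Policy`, would pre-empt well-meaning spellcheck fixes. It is also worth saying that the HTML attribute route (`referrerpolicy` on `<a>`, `<img>`, `<iframe>` and similar elements, or `rel="noreferrer"` on links) only covers the elements it is applied to, whereas the response header sets the default for the whole document.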
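Review bot: item 9 under Memory management lists `printf` alongside `strcat` and `strcpy`, but `printf` is not vulnerable in itself; the defect is a format-string function whose format argument is attacker-controlled (`printf(buf)` instead of `printf("%s", buf)`). Suggest separating the two classes: unbounded copy/concatenation functions (`strcpy`, `strcat`, `sprintf`, `gets`) to be replaced by length-checked variants, and format functions that must always receive a constant format string; also drop the doubled `e.g., ... etc.`. In the new section 3: the heading `Encrypting Data in Transit` is title case while the sibling headings `Data protection` and `Memory management` are sentence case; item 1 limits TLS to `external-facing, HTTP-based services`, which reads as permission to leave internal or non-HTTP traffic in the clear, so either widen it to all connections carrying data across a network boundary or say explicitly why internal traffic is excluded; item 3's `(preferably the latest) secure version of TLS` is vague, state a floor (e.g. TLS 1.2 minimum, TLS 1.3 preferred); item 4 has a grammar slip, `validate certificates received before communicating and checking revocation status` should be `validate ... and check`. The added reference `OWASP [Secret Management Cheat Sheet][secretmanagement]` duplicates the existing `Cheat Sheet: Secrets Management` entry two lines above (same document, different anchor); point the existing entry at the in-memory section rather than listing the cheat sheet twice.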
@@ -49,6 +66,9 @@ then [submit an issue][issue060208] or [edit on GitHub][edit060208]. [control2]: https://top10proactive.owasp.org/the-top-10/c2-crypto/ [cscs]: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet [cssm]: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet +[cstls]: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html [edit060208]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/08-protect-data.md [issue060208]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/08-protect-data [proactive10]: https://top10proactive.owasp.org/ +[secretmanagement]: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html#25-handling-secrets-in-memory +[mobilecodequality]: https://mas.owasp.org/MASTG/0x04h-Testing-Code-Quality From 3922805b7a736c31ff46dba5082d1f6794779c43 Mon Sep 17 00:00:00 2001 From: sydseter Date: Thu, 3 Jul 2025 12:48:59 +0200 Subject: [PATCH 2/3] Fixes #129 SCP [198, 201, 143, 144, 145, 146, 147, 148, 150] Cornucopia - Data Protection --- .wordlist-en.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 5042489c..a1df4599 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -539,3 +539,4 @@ allowlist printf strcat strcpy +unencrypted From 4fd31d9848d6321b6b87036e8fc2230a17614344 Mon Sep 17 00:00:00 2001 From: sydseter Date: Fri, 4 Jul 2025 11:51:27 +0200 Subject: [PATCH 3/3] Fixes #129 remove mobile references --- .../en/04-design/02-web-app-checklist/08-protect-data.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/docs/en/04-design/02-web-app-checklist/08-protect-data.md b/docs/en/04-design/02-web-app-checklist/08-protect-data.md index 18b30936..9f47130b 100644 --- a/docs/en/04-design/02-web-app-checklist/08-protect-data.md 
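Review bot: in the link-definition hunk `[cstls]` carries a `.html` suffix (`Transport_Layer_Security_Cheat_Sheet.html`) while the adjacent `[cscs]` and `[cssm]` definitions omit it; use one form for the three cheat-sheet links. `[secretmanagement]` points at the same cheat sheet as `[cssm]` plus a section fragment (`#25-handling-secrets-in-memory`), which will break silently if the cheat sheet is renumbered, and `[mobilecodequality]` (MASTG) is out of scope for a web-app checklist; both definitions are removed again in the third patch, so nothing dangles at the end of the series. The second patch only adds `unencrypted` to `.wordlist-en.txt`, which the retained text in section 3 uses, so that entry stays.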
+++ b/docs/en/04-design/02-web-app-checklist/08-protect-data.md @@ -3,10 +3,7 @@ require extra protection, particularly if that data falls under privacy laws (EU financial data protection rules such as PCI Data Security Standard (PCI DSS) or other regulations. Refer to proactive control [C2: Use Cryptography the proper way][control2] and its [cheatsheets][csproactive-c8] -for memory management, especially in relation to mobile development, refer to -[Secret Management Cheat Sheet][secretmanagement] and MASTG on testing [Mobile App Code Quality][mobilecodequality]. - -more context from the OWASP Top 10 Proactive Controls project, +for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project. #### 1. Data protection @@ -54,8 +51,6 @@ and use the list below as suggestions for a checklist that has been tailored for * OWASP [Cheat Sheet: Secrets Management][cssm] * OWASP [Cheat Sheet: Transport Layer Security][cstls] * OWASP [Top 10 Proactive Controls][proactive10] -* OWASP [Secret Management Cheat Sheet][secretmanagement] -* OWASP [MASTG: Mobile App Code Quality][mobilecodequality] ---- @@ -70,5 +65,3 @@ then [submit an issue][issue060208] or [edit on GitHub][edit060208]. [edit060208]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/08-protect-data.md [issue060208]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/08-protect-data [proactive10]: https://top10proactive.owasp.org/ -[secretmanagement]: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html#25-handling-secrets-in-memory -[mobilecodequality]: https://mas.owasp.org/MASTG/0x04h-Testing-Code-Quality
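Review bot: this patch restores the intro sentence and removes the `secretmanagement` and `mobilecodequality` entries from both the reference list and the link definitions, so no `[...]` reference is left without a definition. Since it reverts most of what the first patch changed in the intro and references, consider squashing the three commits before merge so that the broken intermediate intro never lands in history; the `.wordlist-en.txt` entries `printf`, `strcat`, `strcpy` and `unencrypted` are still used by the retained checklist text and should be kept.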