webapp-cards-2.00-en.yaml
---
meta:
  edition: "webapp"
  component: "cards"
  language: "EN"
  version: "2.00"
suits:
  -
    id: "VE"
    name: "DATA VALIDATION & ENCODING"
    cards:
      -
        id: "VE2"
        value: "2"
        url: "https://cornucopia.owasp.org/cards/VE2"
        desc: "Brian can gather information about the underlying configurations, schemas, logic, code, software, services and infrastructure due to the content of error messages, or poor configuration, or the presence of default installation files or old, test, backup or copies of resources, or exposure of source code"
      -
        id: "VE3"
        value: "3"
        url: "https://cornucopia.owasp.org/cards/VE3"
        desc: "Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats"
      -
        id: "VE4"
        value: "4"
        url: "https://cornucopia.owasp.org/cards/VE4"
        desc: "Dave can input malicious field names or data because it is not being checked within the context of the current user and process"
      -
        id: "VE5"
        value: "5"
        url: "https://cornucopia.owasp.org/cards/VE5"
        desc: "Jee can bypass the centralized encoding routines since they are not being used everywhere, or the wrong encodings are being used"
      -
        id: "VE6"
        value: "6"
        url: "https://cornucopia.owasp.org/cards/VE6"
        desc: "Jason can bypass the centralized validation routines since they are not being used on all inputs"
      -
        id: "VE7"
        value: "7"
        url: "https://cornucopia.owasp.org/cards/VE7"
        desc: "Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed"
      -
        id: "VE8"
        value: "8"
        url: "https://cornucopia.owasp.org/cards/VE8"
        desc: "Oana can bypass the centralized sanitization routines since they are not being used comprehensively"
      -
        id: "VE9"
        value: "9"
        url: "https://cornucopia.owasp.org/cards/VE9"
        desc: "Shamun can bypass input validation or output validation checks because validation failures are not rejected and/or sanitized"
      -
        id: "VEX"
        value: "10"
        url: "https://cornucopia.owasp.org/cards/VEX"
        desc: "Darío can exploit the trust the application places in a source of data (e.g. user-definable data, manipulation of locally stored data, alteration to state data on a client device, lack of verification of identity during data validation such as Darío can pretend to be Colin)"
      -
        id: "VEJ"
        value: "J"
        url: "https://cornucopia.owasp.org/cards/VEJ"
        desc: "Toby has control over input validation, output validation or output encoding code or routines so they can be bypassed"
      -
        id: "VEQ"
        value: "Q"
        url: "https://cornucopia.owasp.org/cards/VEQ"
        desc: "Xavier can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes"
      -
        id: "VEK"
        value: "K"
        url: "https://cornucopia.owasp.org/cards/VEK"
        desc: "Gabe can inject data into a server-side interpreter (e.g. SQL, OS commands, XPath, Server JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly"
      -
        id: "VEA"
        value: "A"
        url: "https://cornucopia.owasp.org/cards/VEA"
        desc: "You have invented a new attack against Data Validation and Encoding"
        misc: "Read more about this topic in OWASP's free Cheat Sheets on Input Validation, XSS Prevention, DOM-based XSS Prevention, SQL Injection Prevention, and Query Parameterization"
  -
    id: "AT"
    name: "AUTHENTICATION"
    cards:
      -
        id: "AT2"
        value: "2"
        url: "https://cornucopia.owasp.org/cards/AT2"
        desc: "James can undertake authentication functions without the real user ever being aware this has occurred (e.g. attempt to log in, log in with stolen credentials, reset the password)"
      -
        id: "AT3"
        value: "3"
        url: "https://cornucopia.owasp.org/cards/AT3"
        desc: "Muhammad can obtain a user's password or other secrets such as security questions, by observation during entry, or from a local cache, or from memory, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password"
      -
        id: "AT4"
        value: "4"
        url: "https://cornucopia.owasp.org/cards/AT4"
        desc: "Sebastien can easily identify user names or can enumerate them"
      -
        id: "AT5"
        value: "5"
        url: "https://cornucopia.owasp.org/cards/AT5"
        desc: "Javier can use default, test or easily guessable credentials to authenticate, or can use an old account or an account not necessary for the application"
      -
        id: "AT6"
        value: "6"
        url: "https://cornucopia.owasp.org/cards/AT6"
        desc: "Sven can reuse a temporary password because the user does not have to change it on first use, or it has too long or no expiry, or it does not use an out-of-band delivery method (e.g. post, mobile app, SMS)"
      -
        id: "AT7"
        value: "7"
        url: "https://cornucopia.owasp.org/cards/AT7"
        desc: "Cecilia can use brute force and dictionary attacks against one or many accounts without limit, or these attacks are simplified due to insufficient complexity, length, expiration and re-use requirements for passwords"
      -
        id: "AT8"
        value: "8"
        url: "https://cornucopia.owasp.org/cards/AT8"
        desc: "Kate can bypass authentication because it does not fail secure (i.e. it defaults to allowing unauthenticated access)"
      -
        id: "AT9"
        value: "9"
        url: "https://cornucopia.owasp.org/cards/AT9"
        desc: "Claudia can undertake more critical functions because authentication requirements are too weak (e.g. do not use strong authentication such as two factor), or there is no requirement to re-authenticate for these"
      -
        id: "ATX"
        value: "10"
        url: "https://cornucopia.owasp.org/cards/ATX"
        desc: "Pravin can bypass authentication controls because a centralized standard, tested, proven and approved authentication module/framework/service, separate to the resource being requested, is not being used"
      -
        id: "ATJ"
        value: "J"
        url: "https://cornucopia.owasp.org/cards/ATJ"
        desc: "Mark can access resources or services because there is no authentication requirement, or it was mistakenly assumed authentication would be undertaken by some other system or performed in some previous action"
      -
        id: "ATQ"
        value: "Q"
        url: "https://cornucopia.owasp.org/cards/ATQ"
        desc: "Johan can bypass authentication because it is not enforced with equal rigor for all types of authentication functionality (e.g. register, password change, password recovery, log out, administration) or across all versions/channels (e.g. mobile website, mobile app, full website, API, call centre)"
      -
        id: "ATK"
        value: "K"
        url: "https://cornucopia.owasp.org/cards/ATK"
        desc: "Olga can influence or alter authentication code/routines so they can be bypassed"
      -
        id: "ATA"
        value: "A"
        url: "https://cornucopia.owasp.org/cards/ATA"
        desc: "You have invented a new attack against Authentication"
        misc: "Read more about this topic in OWASP's free Authentication Cheat Sheet"
  -
    id: "SM"
    name: "SESSION MANAGEMENT"
    cards:
      -
        id: "SM2"
        value: "2"
        url: "https://cornucopia.owasp.org/cards/SM2"
        desc: "William has control over the generation of session identifiers"
      -
        id: "SM3"
        value: "3"
        url: "https://cornucopia.owasp.org/cards/SM3"
        desc: "Ryan can use a single account in parallel since concurrent sessions are allowed"
      -
        id: "SM4"
        value: "4"
        url: "https://cornucopia.owasp.org/cards/SM4"
        desc: "Alison can set session identification cookies on another web application because the domain and path are not restricted sufficiently"
      -
        id: "SM5"
        value: "5"
        url: "https://cornucopia.owasp.org/cards/SM5"
        desc: "John can predict or guess session identifiers because they are not changed when the user's role alters (e.g. pre and post authentication) and when switching between non-encrypted and encrypted communications, or are not sufficiently long and random, or are not changed periodically"
      -
        id: "SM6"
        value: "6"
        url: "https://cornucopia.owasp.org/cards/SM6"
        desc: "Gary can take over a user's session because there is a long or no inactivity timeout, or a long or no overall session time limit, or the same session can be used from more than one device/location"
      -
        id: "SM7"
        value: "7"
        url: "https://cornucopia.owasp.org/cards/SM7"
        desc: "Graham can utilize Adam's session after he has finished, because there is no log out function, or he cannot easily log out, or log out does not properly terminate the session"
      -
        id: "SM8"
        value: "8"
        url: "https://cornucopia.owasp.org/cards/SM8"
        desc: "Matt can abuse long sessions because the application does not require periodic re-authentication to check if privileges have changed"
      -
        id: "SM9"
        value: "9"
        url: "https://cornucopia.owasp.org/cards/SM9"
        desc: "Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible unnecessarily by code which the attacker can influence or alter"
      -
        id: "SMX"
        value: "10"
        url: "https://cornucopia.owasp.org/cards/SMX"
        desc: "Marce can forge requests because per-session, or per-request for more critical actions, strong random tokens (i.e. anti-CSRF tokens) or similar are not being used for actions that change state"
      -
        id: "SMJ"
        value: "J"
        url: "https://cornucopia.owasp.org/cards/SMJ"
        desc: "Jeff can resend an identical repeat interaction (e.g. HTTP request, signal, button press) and it is accepted, not rejected"
      -
        id: "SMQ"
        value: "Q"
        url: "https://cornucopia.owasp.org/cards/SMQ"
        desc: "Salim can bypass session management because it is not applied comprehensively and consistently across the application"
      -
        id: "SMK"
        value: "K"
        url: "https://cornucopia.owasp.org/cards/SMK"
        desc: "Peter can bypass the session management controls because they have been self-built and/or are weak, instead of using a standard framework or approved tested module"
      -
        id: "SMA"
        value: "A"
        url: "https://cornucopia.owasp.org/cards/SMA"
        desc: "You have invented a new attack against Session Management"
        misc: "Read more about this topic in OWASP's free Cheat Sheets on Session Management, and Cross Site Request Forgery (CSRF) Prevention"
  -
    id: "AZ"
    name: "AUTHORIZATION"
    cards:
      -
        id: "AZ2"
        value: "2"
        url: "https://cornucopia.owasp.org/cards/AZ2"
        desc: "Tim can influence where data is sent or forwarded to"
      -
        id: "AZ3"
        value: "3"
        url: "https://cornucopia.owasp.org/cards/AZ3"
        desc: "Christian can access information, which he should not have permission to, through another mechanism that does have permission (e.g. search indexer, logger, reporting), or because it is cached, or kept for longer than necessary, or through other information leakage"
      -
        id: "AZ4"
        value: "4"
        url: "https://cornucopia.owasp.org/cards/AZ4"
        desc: "Kelly can bypass authorization controls because they do not fail securely (i.e. they default to allowing access)"
      -
        id: "AZ5"
        value: "5"
        url: "https://cornucopia.owasp.org/cards/AZ5"
        desc: "Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege)"
      -
        id: "AZ6"
        value: "6"
        url: "https://cornucopia.owasp.org/cards/AZ6"
        desc: "Eduardo can access data he does not have permission to, even though he has permission to the form/page/URL/entry point"
      -
        id: "AZ7"
        value: "7"
        url: "https://cornucopia.owasp.org/cards/AZ7"
        desc: "Yuanjing can access application functions, objects, or properties he is not authorized to access"
      -
        id: "AZ8"
        value: "8"
        url: "https://cornucopia.owasp.org/cards/AZ8"
        desc: "Tom can bypass business rules by altering the usual process sequence or flow, or by undertaking the process in the incorrect order, or by manipulating date and time values used by the application, or by using valid features for unintended purposes, or by otherwise manipulating control data"
      -
        id: "AZ9"
        value: "9"
        url: "https://cornucopia.owasp.org/cards/AZ9"
        desc: "Mike can misuse an application by using a valid feature too fast, or too frequently, or in another way that is not intended, or consumes the application's resources, or causes race conditions, or over-utilizes a feature"
      -
        id: "AZX"
        value: "10"
        url: "https://cornucopia.owasp.org/cards/AZX"
        desc: "Richard can bypass the centralized authorization controls since they are not being used comprehensively on all interactions"
      -
        id: "AZJ"
        value: "J"
        url: "https://cornucopia.owasp.org/cards/AZJ"
        desc: "Dinis can access security configuration information, or access control lists"
      -
        id: "AZQ"
        value: "Q"
        url: "https://cornucopia.owasp.org/cards/AZQ"
        desc: "Christopher can inject a command that the application will run at a higher privilege level"
      -
        id: "AZK"
        value: "K"
        url: "https://cornucopia.owasp.org/cards/AZK"
        desc: "Ryan can influence or alter authorization controls and permissions, and can therefore bypass them"
      -
        id: "AZA"
        value: "A"
        url: "https://cornucopia.owasp.org/cards/AZA"
        desc: "You have invented a new attack against Authorization"
        misc: "Read more about this topic in OWASP's Development and Testing Guides"
  -
    id: "CR"
    name: "CRYPTOGRAPHY"
    cards:
      -
        id: "CR2"
        value: "2"
        url: "https://cornucopia.owasp.org/cards/CR2"
        desc: "Kyun can access data because it has been obfuscated rather than using an approved cryptographic function"
      -
        id: "CR3"
        value: "3"
        url: "https://cornucopia.owasp.org/cards/CR3"
        desc: "Axel can modify transient or permanent data (stored or in transit), or source code, or updates/patches, or configuration data, because it is not subject to integrity checking"
      -
        id: "CR4"
        value: "4"
        url: "https://cornucopia.owasp.org/cards/CR4"
        desc: "Paulo can access data in transit that is not encrypted, even though the channel is encrypted"
      -
        id: "CR5"
        value: "5"
        url: "https://cornucopia.owasp.org/cards/CR5"
        desc: "Kyle can bypass cryptographic controls because they do not fail securely (i.e. they default to unprotected)"
      -
        id: "CR6"
        value: "6"
        url: "https://cornucopia.owasp.org/cards/CR6"
        desc: "Romain can read and modify unencrypted data in memory or in transit (e.g. cryptographic secrets, credentials, session identifiers, personal and commercially-sensitive data), in use or in communications within the application, or between the application and users, or between the application and external systems"
      -
        id: "CR7"
        value: "7"
        url: "https://cornucopia.owasp.org/cards/CR7"
        desc: "Gunter can intercept or modify encrypted data in transit because the protocol is poorly deployed, or weakly configured, or certificates are invalid, or certificates are not trusted, or the connection can be degraded to a weaker or un-encrypted communication"
      -
        id: "CR8"
        value: "8"
        url: "https://cornucopia.owasp.org/cards/CR8"
        desc: "Eoin can access stored business data (e.g. passwords, session identifiers, PII, cardholder data) because it is not securely encrypted or securely hashed"
      -
        id: "CR9"
        value: "9"
        url: "https://cornucopia.owasp.org/cards/CR9"
        desc: "Andy can bypass random number generation, random GUID generation, hashing and encryption functions because they have been self-built and/or are weak"
      -
        id: "CRX"
        value: "10"
        url: "https://cornucopia.owasp.org/cards/CRX"
        desc: "Susanna can break the cryptography in use because it is not strong enough for the degree of protection required, or it is not strong enough for the amount of effort the attacker is willing to make"
      -
        id: "CRJ"
        value: "J"
        url: "https://cornucopia.owasp.org/cards/CRJ"
        desc: "Justin can read credentials for accessing internal or external resources, services and other systems because they are stored in an unencrypted format, or saved in the source code"
      -
        id: "CRQ"
        value: "Q"
        url: "https://cornucopia.owasp.org/cards/CRQ"
        desc: "Artim can access or predict the master cryptographic secrets"
      -
        id: "CRK"
        value: "K"
        url: "https://cornucopia.owasp.org/cards/CRK"
        desc: "Dan can influence or alter cryptography code/routines (encryption, hashing, digital signatures, random number and GUID generation) and can therefore bypass them"
      -
        id: "CRA"
        value: "A"
        url: "https://cornucopia.owasp.org/cards/CRA"
        desc: "You have invented a new attack against Cryptography"
        misc: "Read more about this topic in OWASP's free Cheat Sheets on Cryptographic Storage, and Transport Layer Protection"
  -
    id: "C"
    name: "CORNUCOPIA"
    cards:
      -
        id: "C2"
        value: "2"
        url: "https://cornucopia.owasp.org/cards/C2"
        desc: "Lee can bypass application controls because dangerous/risky programming language functions have been used instead of safer alternatives, or there are type conversion errors, or because the application is unreliable when an external resource is unavailable, or there are race conditions, or there are resource initialization or allocation issues, or overflows can occur"
      -
        id: "C3"
        value: "3"
        url: "https://cornucopia.owasp.org/cards/C3"
        desc: "Andrew can access source code, or decompile, or otherwise access business logic to understand how the application works and any secrets contained"
      -
        id: "C4"
        value: "4"
        url: "https://cornucopia.owasp.org/cards/C4"
        desc: "Keith can perform an action and it is not possible to attribute it to him"
      -
        id: "C5"
        value: "5"
        url: "https://cornucopia.owasp.org/cards/C5"
        desc: "Larry can influence the trust other parties including users have in the application, or abuse that trust elsewhere (e.g. in another application)"
      -
        id: "C6"
        value: "6"
        url: "https://cornucopia.owasp.org/cards/C6"
        desc: "Aaron can bypass controls because error/exception handling is missing, or is implemented inconsistently or partially, or does not deny access by default (i.e. errors should terminate access/execution), or relies on handling by some other service or system"
      -
        id: "C7"
        value: "7"
        url: "https://cornucopia.owasp.org/cards/C7"
        desc: "Mwengu's actions cannot be investigated because there is not an adequate accurately time-stamped record of security events, or there is not a full audit trail, or these can be altered or deleted by Mwengu, or there is no centralized logging service"
      -
        id: "C8"
        value: "8"
        url: "https://cornucopia.owasp.org/cards/C8"
        desc: "David can bypass the application to gain access to data because the network and host infrastructure, and supporting services/applications, have not been securely configured, the configuration rechecked periodically and security patches applied, or the data is stored locally, or the data is not physically protected"
      -
        id: "C9"
        value: "9"
        url: "https://cornucopia.owasp.org/cards/C9"
        desc: "Michael can bypass the application to gain access to data because administrative tools or administrative interfaces are not secured adequately"
      -
        id: "CX"
        value: "10"
        url: "https://cornucopia.owasp.org/cards/CX"
        desc: "Spyros can circumvent the application's controls because code frameworks, libraries and components contain malicious code or vulnerabilities (e.g. in-house, commercial off the shelf, outsourced, open source, externally-located)"
      -
        id: "CJ"
        value: "J"
        url: "https://cornucopia.owasp.org/cards/CJ"
        desc: "Roman can exploit the application because it was compiled using out-of-date tools, or its configuration is not secure by default, or security information was not documented and passed on to operational teams"
      -
        id: "CQ"
        value: "Q"
        url: "https://cornucopia.owasp.org/cards/CQ"
        desc: "Jim can undertake malicious, non-normal, actions without real-time detection and response by the application"
      -
        id: "CK"
        value: "K"
        url: "https://cornucopia.owasp.org/cards/CK"
        desc: "Grant can utilize the application to deny service to some or all of its users"
      -
        id: "CA"
        value: "A"
        url: "https://cornucopia.owasp.org/cards/CA"
        desc: "You have invented a new attack of any type"
        misc: "Read more about application security in OWASP's free Guides on Requirements, Development, Code Review and Testing, the Cheat Sheet series, and the Open Software Assurance Maturity Model"
  -
    id: "WC"
    name: "WILD CARD"
    cards:
      -
        id: "JOA"
        value: "A"
        url: "https://cornucopia.owasp.org/cards/JOA"
        card: "Joker"
        desc: "Alice can utilize the application to attack users' systems and data"
        misc: "Have you thought about becoming an individual OWASP member? All tools, guidance and local meetings are free for everyone, but individual membership helps support OWASP's work"
      -
        id: "JOB"
        value: "B"
        url: "https://cornucopia.owasp.org/cards/JOB"
        card: "Joker"
        desc: "Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates"
        misc: "Examine vulnerabilities and discover how they can be fixed using the free OWASP® Juice Shop, Security Shepherd, or using the online challenges in the free OWASP® Hacking-lab"
paragraphs:
-
id: "Common"
name: "Common"
sentences:
-
id: "NoCard"
text: "No Card"
-
id: "Title"
text: "Website App Edition v2.00-EN"
-
id: "Title_full"
text: "OWASP® Cornucopia Website App Edition v2.00-EN"
-
id: "T00005"
text: "Index"
-
id: "T00005"
text: "Index"
-
id: "T00010"
text: "OWASP® Cornucopia is a mechanism to assist software development teams identify security requirements in Agile, conventional and formal development processes."
-
id: "T00020"
text: "Author"
-
id: "T00030"
text: "Project Leaders"
-
id: "T00100"
text: "Acknowledgements"
-
id: "T00110"
text: "Adam Shostack and the Microsoft SDL Team for the “Elevation of Privilege Threat Modelling Game”, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied."
-
id: "T00120"
text: "Keith Turpin and contributors to the OWASP® “Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards."
-
id: "T00130"
text: "Contributors, supporters, sponsors and volunteers to the OWASP® ASVS, AppSensor and Web Framework Security Matrix projects, Mitre's Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode's “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided."
-
id: "T00140"
text: "Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern."
-
id: "T00145"
text: "Current and past OWASP® Cornucopia project contributors and leaders, especially those involved most recently updating the cross-references, creating online versions, and writing scripts to dynamically generate Cornucopia's output files."
-
id: "T00150"
text: "Blackfoot (UK) Limited for creating and donating print-ready design files, Tom Brennan and the OWASP® Foundation for instigating the creation of an OWASP-branded box and leaflet, and Secure Delivery Ltd for developing and donating Copi, the platform to play Cornucopia and EoP online."
-
id: "T00161"
text: "(continued on page 20)"
-
id: "T00162"
text: "(continued from page 10)"
-
id: "T00170"
text: "Colin Watson as author and co-project leader with Grant Ongers along with other OWASP volunteers who have helped in many ways."
-
id: "T00180"
text: "OWASP® does not endorse or recommend commercial products or services © 2012-2025 OWASP® Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license"
-
id: "T00200"
text: "Introduction"
-
id: "T00210"
text: "The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories."
-
id: "T00220"
text: "Although the idea had been waiting for enough time to progress it, the final motivation came when SAFECode published its Practical Security Stories and Security Tasks for Agile Development Environments in July 2012."
-
id: "T00230"
text: "The Microsoft SDL team had already published its super Elevation of Privilege: The Threat Modeling Game (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address."
-
id: "T00240"
text: "EoP is a great concept and game strategy, and was published under a Creative Commons Attribution License."
-
id: "T00250"
text: "Cornucopia Website App Edition is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues webapp website developers encounter."
-
id: "T00260"
text: "It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD."
-
id: "T00270"
text: "Cornucopia Website App Edition is referenced as an information resource in the PCI Security Standard Council's Information Supplement PCI DSS E-commerce Guidelines, v2, January 2013."
-
id: "T00300"
text: "The card deck (pack)"
-
id: "T00310"
text: "Instead of EoP's STRIDE suits (sets of cards with matching designs), Cornucopia suits are based on the structure of the OWASP® Secure Coding Practices - Quick Reference Guide (SCP), but with additional consideration of sections in the OWASP® Application Security Verification Standard, the Web Security Testing Guide (WSTG) and David Rook's Principles of Secure Development. "
-
id: "T00320"
text: "These provided five suits, and a sixth called “Cornucopia” was created for everything else: "
-
id: "T00330"
text: "Data Validation and Encoding (VE)"
-
id: "T00340"
text: "Authentication (AT)"
-
id: "T00350"
text: "Session Management (SM)"
-
id: "T00360"
text: "Authorization (AZ)"
-
id: "T00370"
text: "Cryptography (CR)"
-
id: "T00380"
text: "Cornucopia (C)"
-
id: "T00390"
text: "Similar to poker-playing cards, each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards."
-
id: "T00400"
text: "The content was mainly drawn from the SCP."
-
id: "T00500"
text: "Mappings"
-
id: "T00510"
text: "The other driver for Cornucopia is to link the attacks with requirements and verification techniques."
-
id: "T00520"
text: "An initial aim had been to reference CWE weakness IDs, but these proved too numerous, and instead it was decided to map each card to CAPEC software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved."
-
id: "T00530"
text: "Each card is also mapped to the 36 primary security stories in the SAFECode document, as well as to the OWASP® SCP v2, ASVS v4.0 and AppSensor (application attack detection and response) to help teams create their own security-related stories for use in Agile processes."
-
id: "T00600"
text: "Game strategy"
-
id: "T00610"
text: "Apart from the content differences, the game rules are virtually identical to those for EoP."
-
id: "T00700"
text: "Printing the cards"
-
id: "T00710"
text: "Check the Cornucopia project page for how to obtain pre-printed decks on glossy card."
-
id: "T00720"
text: "The cards can be printed from this document in black & white but are more effective in color."
-
id: "T00730"
text: "The cards in the later pages of this document have been laid out to fit on one type of pre-scored business A4 card sheets. "
-
id: "T00740"
text: "This appeared to be the quickest way to initially provide to create playing cards quickly. "
-
id: "T00750"
text: "Avery product codes C32015 and C32030 have been tested successfully, but any 10 up 85mm x 54 mm cards on A4 paper should work with a little adjustment."
-
id: "T00760"
text: "Other stationery suppliers like Ryman and Sigel produce similar sheets"
-
id: "T00770"
text: "These card sheets are not inexpensive, so care should be taken in deciding what to print and using what media and printer type."
-
id: "T00780"
text: "The cards can of course just be printed on any size of paper or card and then cut up manually, or a commercial printer would be able to print larger volumes and cut the cards to size."
-
id: "T00790"
text: "The cut lines are shown on the penultimate page of this document, but Avery also produce a landscape A4 template (A-0017-01_L.doc) that can be used as a guide."
-
id: "T00800"
text: "Printing and cutting up can take an hour or so, and using a faster printer helps."
-
id: "T00810"
text: "Try to print at higher quality to increase legibility."
-
id: "T00820"
text: "An optional card back design (in OWASP® tartan) has been provided as the last page of this document."
-
id: "T00830"
text: "There is no special alignment needed."
-
id: "T00840"
text: "Dual-sided printing needs special care."
-
id: "T00850"
text: "You could customize the card faces or the backs for your own organization's preferences."
-
id: "T00900"
text: "Customization"
-
id: "T00910"
text: "After you have used Cornucopia a few times, you may feel that some cards are less relevant to your applications, or the threats are different for your organization."
-
id: "T00920"
text: "Edit this document yourself to make the cards more suitable for your teams, or create new decks completely."
-
id: "T01000"
text: "Provide feedback"
-
id: "T01010"
text: "If you have ideas or feedback on the use of OWASP® Cornucopia, please share them."
-
id: "T01020"
text: "Even better, if you create alternative versions of the cards, or produce professional print-ready versions, please share them with the volunteers who created this edition and with the wider application development and application security community."
-
id: "T01030"
text: "The best place to discuss or contribute is the list/group for the OWASP project:"
-
id: "T01040"
text: "List/Group"
-
id: "T01050"
text: "Project home page"
-
id: "T01060"
text: "All OWASP documents and tools are free to download and use."
-
id: "T01070"
text: "OWASP® Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license."
-
id: "T01100"
text: "Instructions"
-
id: "T01110"
text: "The text on each card describes an attack, but the attacker is given a name, which is unique across all the cards."
-
id: "T01120"
text: "The name can represent a computer system (e.g. the database, the file system, another application, a related service, a botnet), an individual person (e.g. a citizen, a customer, a client, an employee, a criminal, a spy), or even a group of people (e.g. a competitive organization, activists with a common cause)."
-
id: "T01130"
text: "The attacker might be remote in some other device/location, or local/internal with access to the same device, host or network as the application is running on."
-
id: "T01140"
text: "The attacker is always named at the start of each description."
-
id: "T01150"
text: "An example is:"
-
id: "T01160"
text: "William has control over the generation of session identifiers."
-
id: "T01170"
text: "This means the attacker (William) can create new session identifiers that the application accepts."
-
id: "T01180"
text: "The attacks were primarily drawn from the security requirements listed in the SCP v2, but then supplemented with verification objectives from the OWASP® “Application Security Verification Standard”, the security-focused stories in SAFECode's “Practical Security Stories and Security Tasks for Agile Development Environments”, and finally a review of the cards in EoP."
-
id: "T01190"
text: "Further guidance about each card is available in the online Wiki Deck at "
-
id: "T01200"
text: "Lookups between the attacks and five resources are provided on most cards:"
-
id: "T01210"
text: "Requirements in “Secure Coding Practices (SCP) - Quick Reference Guide”, v2, OWASP®, November 2010"
-
id: "T01220"
text: "Verification IDs in OWASP® “Application Security Verification Standard”"
-
id: "T01230"
text: "Attack detection point IDs in “AppSensor”, OWASP®, August 2010-2015"
-
id: "T01240"
text: "IDs in “Common Attack Pattern Enumeration and Classification (CAPEC)”, v2.8, Mitre Corporation, November 2015"
-
id: "T01250"
text: "Security-focused stories in 'Practical Security Stories and Security Tasks for Agile Development Environments', SAFECode, July 2012"
-
id: "T01260"
text: "A look-up means the attack is included within the referenced item, but does not necessarily encompass the whole of its intent."
-
id: "T01270"
text: "For structured data like CAPEC, the most specific reference is provided but sometimes a cross-reference is provided that also has more specific (child) examples."
-
id: "T01280"
text: "There are no lookups on the six Aces and two Jokers."
-
id: "T01290"
text: "Instead these cards have some general tips in italicized text."
-
id: "T01300"
text: "It is possible to play Cornucopia in many different ways."
-
id: "T01301"
text: "For how to play, read pages 11-19."
-
id: "T01310"
text: "Here is one way, demonstrated online in a video at "
-
id: "T01311"
text: " which uses the new (May 2015) score/record sheet at "
-
id: "T01400"
text: "Preparations"
-
id: "T01410"
text: "Obtain a deck, or print your own deck of Cornucopia cards (see page 2 of this document) and separate/cut out the cards"
-
id: "T01411"
text: "Use the cards in this pack"
-
id: "T01420"
text: "Identify an application or application process to review; this might be a concept, design or an actual implementation"
-
id: "T01430"
text: "Create a data flow diagram, user stories, or other artefacts to help the review"
-
id: "T01440"
text: "Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders, and sit together around a table (try to include someone fairly familiar with application security)"
-
id: "T01450"
text: "Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)"
-
id: "T01500"
text: "Play"
-
id: "T01510"
text: "One suit - Cornucopia - acts as trumps."
-
id: "T01520"
text: "Aces are high (i.e. they beat Kings)."
-
id: "T01530"
text: "It helps if there is a non-player to document the issues and scores."
-
id: "T01540"
text: "Remove the Jokers and a few low-score (2, 3, 4) cards from the Cornucopia suit to ensure each player will have the same number of cards"
-
id: "T01550"
text: "Shuffle the deck and deal all the cards"
-
id: "T01560"
text: "To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia"
-
id: "T01570"
text: "To play a card, each player must read it out aloud and explain (see the online Wiki Deck for tips) how the threat could apply; the player gets a point for an attack that might work and which the group agrees is an actionable bug. Do not try to think of mitigations at this stage, and do not exclude a threat just because of a belief that it is already mitigated. Someone should note the card and record the issues raised"
-
id: "T01580"
text: "Play clockwise; each person must play a card in the same way. If they have any card of the lead suit they must play one of those, otherwise they can play a card from any other suit."
-
id: "T01590"
text: "Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand."
-
id: "T01600"
text: "The person who wins the round leads the next round (i.e. they play first), and thus defines the next lead suit"
-
id: "T01610"
text: "Repeat until all the cards are played"
-
id: "T01700"
text: "Scoring"
-
id: "T01710"
text: "The objective is to identify applicable threats, and win hands (rounds):"
-
id: "T01720"
text: "Score +1 for each card you can identify as a valid threat to the application under consideration"
-
id: "T01730"
text: "Score +1 if you win a round"
-
id: "T01740"
text: "Once all cards have been played, whoever has the most points wins"
-
id: "T01800"
text: "Closure"
-
id: "T01810"
text: "Review all the applicable threats and the matching security requirements"
-
id: "T01820"
text: "Create user stories, specifications and test cases as required for your development methodology."
-
id: "T01900"
text: "Alternative game rules"
-
id: "T01910"
text: "If you are new to the game, remove the Aces and two Joker cards to begin with."
-
id: "T01920"
text: "Add the Joker cards back in once people become more familiar with the process."
-
id: "T01930"
text: "Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round."
-
id: "T01940"
text: "Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game."
-
id: "T01950"
text: "Consider just playing with one suit to make a shorter session - but try to cover all the suits for every project."
-
id: "T01960"
text: "Or, even better, just play one hand with some pre-selected cards, and score only on the ability to identify security requirements."
-
id: "T01970"
text: "Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck."
-
id: "T01980"
text: "Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card)."
-
id: "T01990"
text: "Another suggestion is that if a player fails to identify how the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card."
-
id: "T02000"
text: "Consider allowing extra points for especially good contributions."
-
id: "T02010"
text: "You can even play by yourself."
-
id: "T02020"
text: "Just use the cards to act as thought-provokers."
-
id: "T02030"
text: "Involving more people will be beneficial though."
-
id: "T02040"
text: "Microsoft's EoP guidance recommends cheating as a good game strategy."
-
id: "T02100"
text: "Development framework-specific modified card decks"
-
id: "T02110"
text: "There can be built-in security controls in some commonly used languages and frameworks for web and mobile application development."
-
id: "T02120"
text: "With certain provisos it is useful to consider how using these controls can simplify the identification of additional requirements – provided of course the controls are included, enabled and configured correctly."
-
id: "T02130"
text: "Consider removing cards from the decks if you are confident they are addressed by the way you are using the language/framework."
-
id: "T02140"
text: "Items in parentheses are “maybes”."
-
id: "T02200"
text: "Internal coding standards and libraries"
-
id: "T02210"
text: "Add your own list of excluded cards based on your organisation's coding standards (provided they are confirmed by appropriate verification steps in the development lifecycle)."
-
id: "T02220"
text: "Your coding standards and libraries"
-
id: "T02230"
text: "Data Validation and Encoding"
-
id: "T02240"
text: "[your list]"
-
id: "T02250"
text: "Authentication"
-
id: "T02260"
text: "[your list]"
-
id: "T02270"
text: "Session Management"
-
id: "T02280"
text: "[your list]"
-
id: "T02290"
text: "Authorization"
-
id: "T02300"
text: "[your list]"
-
id: "T02310"
text: "Cryptography"
-
id: "T02320"
text: "[your list]"
-
id: "T02330"
text: "Cornucopia"
-
id: "T02340"
text: "[your list]"
-
id: "T02400"
text: "Compliance requirement decks"
-
id: "T02410"
text: "Create a smaller deck by only including cards for a particular compliance requirement."
-
id: "T02420"
text: "Compliance requirement"
-
id: "T02430"
text: "Data validation and Encoding"
-
id: "T02440"
text: "[compliance list]"
-
id: "T02450"
text: "Authentication"
-
id: "T02460"
text: "[compliance list]"
-
id: "T02470"
text: "Session Management"
-
id: "T02480"
text: "[compliance list]"
-
id: "T02490"
text: "Authorization"
-
id: "T02500"
text: "[compliance list]"
-
id: "T02510"
text: "Cryptography"
-
id: "T02520"
text: "[compliance list]"
-
id: "T02530"
text: "Cornucopia"
-
id: "T02540"
text: "[compliance list]"
-
id: "T02600"
text: "Frequently asked questions"
-
id: "T02610"
text: "1. Can I copy or edit the game?"
-
id: "T02620"
text: "Yes of course."
-
id: "T02630"
text: "All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license."
-
id: "T02640"
text: "Perhaps if you create a new version, you might donate it to the OWASP® Cornucopia Project?"
-
id: "T02650"
text: "2. How can I get involved?"
-
id: "T02660"
text: "Please send ideas or offers of help to the project's mailing list."
-
id: "T02670"
text: "3. How were the attackers' names chosen?"
-
id: "T02680"
text: "EoP begins every description with words like 'An attacker can...'."
-
id: "T02690"
text: "These have to be phrased as an attack, but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names."
-
id: "T02700"
text: "These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect."
-