diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 65fa895303..61edd093d0 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,13 +1,12 @@ -# See https://help.github.com/en/articles/about-code-owners +# See [https://help.github.com/en/articles/about-code-owners](https://help.github.com/en/articles/about-code-owners) -# These owners will be the default owners for everything in the repo. -* @mackowski @jmanico @szh +## These owners will be the default owners for everything in the repo -# commjoen have full access to Secrets_Management_CheatSheet -* /cheatsheets_draft/Secrets_Management_CheatSheet.md @commjoen +- @mackowski @jmanico @szh -# Kevin W. Wall (kwwall) -/cheatsheets/Authentication_Cheat_Sheet.md kevin.w.wall@gmail.com @mackowski @jmanico @szh +## Kevin W. Wall (kwwall) + +/cheatsheets/Authentication_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh /cheatsheets/Authorization_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh /cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh /cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh diff --git a/.github/ISSUE_TEMPLATE/new_cheatsheet_proposal.md b/.github/ISSUE_TEMPLATE/new_cheatsheet_proposal.md index 468124256a..f50377fc88 100644 --- a/.github/ISSUE_TEMPLATE/new_cheatsheet_proposal.md +++ b/.github/ISSUE_TEMPLATE/new_cheatsheet_proposal.md @@ -12,22 +12,15 @@ assignees: '' ## What is the proposed Cheat Sheet about? - ## What security issues are commonly encountered related to this area? - - ## What is the objective of the Cheat Sheet? - - ## What other resources exist in this area? - - diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 8b25101b27..3ca446ee36 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -1,4 +1,6 @@ -Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series. +# You're A Rockstar + +Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series. > :triangular_flag_on_post: If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet. @@ -15,6 +17,6 @@ Please make sure that for your contribution: If your PR is related to an issue, please finish your PR text with the following line: -This PR covers issue #. +This PR covers issue #``. Thank you again for your contribution :smiley: diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 89c2ec939f..d5ca8de723 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md 
@@ -14,21 +14,21 @@ appearance, race, religion, or sexual identity and orientation. Examples of behavior that contributes to creating a positive environment include: -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members +- Using welcoming and inclusive language +- Being respectful of differing viewpoints and experiences +- Gracefully accepting constructive criticism +- Focusing on what is best for the community +- Showing empathy towards other community members Examples of unacceptable behavior by participants include: -* The use of sexualized language or imagery and unwelcome sexual attention or +- The use of sexualized language or imagery and unwelcome sexual attention or advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic +- Trolling, insulting/derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or electronic address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a +- Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities 
@@ -55,7 +55,7 @@ further defined and clarified by project maintainers. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at dominique.righetto@owasp.org or jim@owasp.org. +reported by contacting the project team at [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) or [jim@owasp.org](mailto:jim@owasp.org). All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is @@ -69,9 +69,9 @@ members of the project's leadership. ## Attribution This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html +available at [https://www.contributor-covenant.org/version/1/4/code-of-conduct.html](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html) [homepage]: https://www.contributor-covenant.org For answers to common questions about this code of conduct, see -https://www.contributor-covenant.org/faq +[https://www.contributor-covenant.org/faq](https://www.contributor-covenant.org/faq) diff --git a/CONTRIBUTOR-V1.md b/CONTRIBUTOR-V1.md index 98773ed580..6898fbacbb 100644 --- a/CONTRIBUTOR-V1.md +++ b/CONTRIBUTOR-V1.md 
@@ -4,336 +4,397 @@ If you want to modify something regarding the mention made to you (typo/link to Sorting applied on the name is an alphabetical one. -**[AJAX Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/AJAX_Security_Cheat_Sheet.md)** -* Michael Eddington -* Til Mas - -**[Abuse Case Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Abuse_Case_Cheat_Sheet.md)** -* Dominique Righetto - dominique.righetto@owasp.org -* James Robinson - jrobinson@netskope.com -* Rick Mitchell - -**[Access Control Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Access_Control_Cheat_Sheet.md)** -* Adinath Raveendra Raj - adinath@acciente.com -* Jim Manico - jim@owasp.org -* Mennouchi Islam Azeddine - azeddine.mennouchi@owasp.org -* Shruti Kulkarni - shruti.kulkarni@owasp.org - -**[Attack Surface Analysis Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md)** -* Jim Bird - jim.bird@owasp.org -* Jim Manico - jim@owasp.org - -**[Authentication Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Authentication_Cheat_Sheet.md)** -* Eoin Keary eoinkeary -* Jim Manico - jim@owasp.org -* Manuel Aude Morales -* Pawel Krawczyk -* Sven Neuhaus -* Timo Goosen - -**[Authorization Testing Automation Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Authorization_Testing_Automation.md)** -* Dominique Righetto - dominique.righetto@owasp.org - -**[Bean Validation Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Bean_Validation_Cheat_Sheet.md)** -* Anton Abashkin - abashkin.anton@gmail.com - -**[C-Based Toolchain Hardening Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/C-Based_Toolchain_Hardening.md)** -* Jeffrey Walton - jeffrey@owasp.org -* Jim Manico - jim@owasp.org -* Kevin Wall - kevin@owasp.org - -**[C-Based 
Toolchain Hardening Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md)** -* Jeffrey Walton - jeffrey@owasp.org -* Jim Manico - jim@owasp.org -* Kevin Wall - kevin@owasp.org - -**[Choosing and Using Security Questions Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.md)** -* Kevin Wall - kevin.w.wall@gmail com - -**[Clickjacking Defense Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md)** -* Aabashkin -* Dave Wichers - dwichers@gmail.com -* Eelgheez -* Jeffrey Walton -* Jim Manico - jim@owasp.org -* Michael Brook -* Santhosh Tuppad - santhosh.tuppad@gmail.com -* Shruti kulkarni -* Till Maas -* Tom Parker -* Yozo - -**[Content Security Policy Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Content_Security_Policy_Cheat_Sheet.md)** -* Elie Saad - eliesaad7@gmail.com - -**[Credential Stuffing Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md)** -* Brad Causey - -**[Cross-Site Request Forgery Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md)** -* Dave Wichers - dave.wichers@owasp.org -* Dominique Righetto - dominique.righetto@owasp.org -* Eric Sheridan - eric.sheridan@owasp.org -* Paul Petefish -* [Manideep Konakandla (Amazon Application Security Team)](http://www.manideepk.com) - -**[Cross Site Scripting Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)** -* Jeff Williams - jeff.williams@contrastsecurity.com -* Jim Manico - jim@owasp.org -* Neil Matatall - neil@owasp.org - -**[Cryptographic Storage Cheat 
Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Cryptographic_Storage_Cheat_Sheet.md)** -* David Rook - david.a.rook@gmail.com -* Fred Donovan - fred.donovan@owasp.org -* Jim Manico - jim@owasp.org -* Kevin Kenan - kevin@k2dd.com -* Kevin Wall - kevin.w.wall@gmail.com -* Tony Hsu - hsiang_chih@yahoo.com - -**[DOM based XSS Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md)** -* Abraham Kang - abraham.kang@owasp.org -* Achim Hoffmann - achim@owasp.org -* Chris (Chris BEEF) Schmidt -* Dhiraj Mishra - mishra.dhiraj@owasp.org -* Eduardo (SirDarkCat) Alberto Vela Nava -* Erlend Oftedal -* Gareth (Gaz) Heyes -* Jeff Williams - jeff.williams@owasp.org -* Jeremy Long -* Jim Manico - jim@owasp.org -* John Steven -* Mario Heiderich -* Mike Samuel -* Robert (RSnake) Hansen -* Stefano Di Paola - -**[Denial of Service Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Denial_of_Service_Cheat_Sheet.md)** -* Liviu Rombauts -* Stephen Corbiaux - stephen.corbiaux@owasp.org - -**[Deserialization Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Deserialization_Cheat_Sheet.md)** -* Arshan Dabirsiaghi - arshan@contrastsecurity.org -* Tony Hsu (Hsiang-Chih) Shane Murnion - -**[Docker Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Docker_Security_Cheat_Sheet.md)** -* Jakub Maćkowski - jakub.mackowski@owasp.org - -**[DotNet Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/DotNet_Security_Cheat_Sheet.md)** -* Bill Sempf - bill.sempf@owasp.org -* Jeremy Long - jeremy.long@owasp.org -* John Staveley -* Sam Ferree -* Shane Murnion -* Steve Bamelis -* Troy Hunt - troyhunt@hotmail.com -* Xander Sherry - -**[Error Handling Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Error_Handling_Cheat_Sheet.md)** -* Dominique Righetto - 
dominique.righetto@owasp.org - -**[Forgot Password Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Forgot_Password_Cheat_Sheet.md)** -* Dave Ferguson - gmdavef@gmail.com -* James McGovern - james.mcgovern@hp.com -* Jim Manico - jim@owasp.org -* Kevin Wall - kevin.w.wall@gmail.com -* Wesley Philip - wphilip@ca.ibm.com - -**[HTML5 Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/HTML5_Security_Cheat_Sheet.md)** -* Dominique Righetto dominique.righetto@owasp.org -* Juan Galiana Lara jgaliana@owasp.org -* Krzysztof Kotowicz krzysztof@kotowicz.net -* Mark Roxberry mark.roxberry@owasp.org -* Shreeraj Shah shreeraj.shah@blueinfy.net -* Will Stranathan will@cltnc.us - -**[HTTP Strict Transport Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md)** -* Daniel Black -* Jim Manico -* Michael Coates -* Pawel Krawczyk -* Til Maas - -**[Injection Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Injection_Prevention_Cheat_Sheet.md)** -* Alexander Meisel - alexander.meisel@owasp.org -* Erlend Oftedal - erlend.oftedal@owasp.org -* Jim Manico - jim@owasp.org -* Sherif Mansour - sherif.mansour@owasp.org - -**[Injection Prevention Cheat Sheet in Java](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Injection_Prevention_Cheat_Sheet_in_Java.md)** -* Dave Wichers - dave.wichers@owasp.org -* Dominique Righetto - dominique.righetto@owasp.org - -**[Input Validation Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Input_Validation_Cheat_Sheet.md)** -* Dave Wichers - dave.wichers@aspectsecurity.com - -**[Insecure Direct Object Reference Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md)** -* Dominique Righetto - dominique.righetto@owasp.org -* Eric Sheridan - 
eric.sheridan@owasp.org -* Jeff Williams - jeff.williams@contrastsecurity.com - -**[JAAS Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/JAAS_Cheat_Sheet.md)** -* Dr. A.L. Gottlieb - AnthonyG@owasp.org - -**[JSON Web Token Cheat Sheet for Java](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.md)** -* Dominique Righetto - dominique.righetto@owasp.org -* Jim Manico - jim.manico@owasp.org -* Paul Ionescu - paul.ionescu@owasp.org - -**[Key Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Key_Management_Cheat_Sheet.md)** -* Brian Russell - russellbri@leidos.com -* Drew Van Duren - drew.f.van.duren@leidos.com -* Susanna Bezold – BezoldCISSP@aol.com -* Vanessa Amador - vanessa.c.amador@leidos.com - -**[LDAP Injection Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md)** -* Ben Weintraub - Ben@bluetalon.com -* Jim Manico - jim@owasp.org - -**[Logging Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Logging_Cheat_Sheet.md)** -* Alexis Fitzgerald - alexis.fitzgerald@owasp.org -* Colin Watson - colin.watson@owasp.org -* Eoin Keary - eoin.keary@owasp.org - -**[Mass Assignment Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Mass_Assignment_Cheat_Sheet.md)** -* Abashkin Anton - abashkin.anton@gmail.com - -**[OS Command Injection Defense Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md)** -* Jim Manico - jim.manico@owasp.org -* Katy Anton - katy.anton@owasp.org - -**[PHP Configuration Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md)** -* Abbas Naderi - abbas.naderi@owasp.org -* Achim Hoffmann - Achim@owasp.org -* Dan Ehrlich - dan.ehrlich@owasp.org -* Tony Hsu HsiangChih - 
-**[Password Storage Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Password_Storage_Cheat_Sheet.md)** -* Dominique Righetto - dominique.righetto@owasp.org -* Jim Manico - jim@owasp.org -* John Steven - john.steven@owasp.org - -**[Pinning Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Pinning_Cheat_Sheet.md)** -* Jeffrey Walton - jeffrey@owasp.org -* Jim Manico - jim@owasp.org -* John Steven - john@owasp.org -* Kevin Wall - kevin@owasp.org -* Ricardo Iramar - ricardo.iramar@gmail.com - -**Protect FileUpload Against Malicious File** -* Dominique Righetto - dominique.righetto@owasp.org - -**[Query Parameterization Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Query_Parameterization_Cheat_Sheet.md)** -* Dave Wichers - dave.wichers@owasp.org -* Jim Manico - jim@owasp.org -* Neil Matatall - neil@owasp.org - -**[REST Assessment Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/REST_Assessment_Cheat_Sheet.md)** -* Ofer Shezaf - ofer@shezaf.com - -**[REST Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/REST_Security_Cheat_Sheet.md)** -* Andrew van der Stock - vanderaj@owasp.org -* Erlend Oftedal - erlend.oftedal@owasp.org -* Jan Wolff - jan.wolff@owasp.org -* Johan Peeters - yo@johanpeeters.com -* Manh Pham - manhpt2811@gmail.com -* Rocco Gränitz - rocco.graenitz@owasp.org -* Tony Hsu Hsiang Chih- Hsiang_chihi@yahoo.com - -**[Ruby on Rails Cheatsheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Ruby_on_Rails_Cheatsheet.md)** -* Aaron Bedra - aaron@aaronbedra.com -* Egor Homakov - homakov@gmail.com -* Jim Manico - jim@owasp.org -* Jon Claudius - jonathan.claudius@gmail.com -* Jon Rose - jrose400@gmail.com -* Justin Collins - justin@presidentbeef.com -* Ken Johnson - cktricky@gmail.com -* Lance Vaughn - lance@cabforward.com -* Matt Konda - mkonda@jemurai.com -* Neil Matatall - 
neil@matatall.com -* Zaur Molotnikov - qutorial@gmail.com - -**[SAML Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/SAML_Security_Cheat_Sheet.md)** -* Gunnar Peterson -* James McGovern -* [Brad Broulik](http://bradbroulik.blogspot.dk/2010/01/bulletproof-sso-with-saml-20.html) -* [Paweł Krawczyk](https://ipsec.pl/) - -**[SQL Injection Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md)** -* Dave Wichers - dave.wichers@owasp.org -* Dhiraj Mishra - mishra.dhiraj@owasp.org -* Jim Manico - jim@owasp.org -* Matt Seil - mseil@acm.org - -**[Secure Cloud Architecture Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.md)** -* [Joshua Beck](https://josh-beck.github.io) -* Matthew Wright - -**[Securing Cascading Style Sheets Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.md)** -* [Santhosh Tuppad](https://twitter.com/santhoshst) - -**[Session Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Session_Management_Cheat_Sheet.md)** -* Raul Siles (DinoSec) - raul@dinosec.com - -**[Third Party Javascript Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.md)** -* Jim Weiler - Jim.Weiler@owasp.org - -**[Threat Modeling Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md)** -* Ahmed Kanoma -* Mohamed Alfateh - -**[Transaction Authorization Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Transaction_Authorization_Cheat_Sheet.md)** -* Adam Lange -* Adam Zachara, SecuRing -* Andrzej Kleśnicki, Qualys -* Francois-Eric Guyomarch, HID Global -* James Holland, HID Global -* Milan Khan, HID Global -* Steven Wierckx, Toreon 
-* Sven Thomassin, PwC BE - Technology Consulting -* Sławomir Jasek, SecuRing -* Wojciech Dworakowski - wojciech.dworakowski@securing.pl - -**[Transport Layer Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Transport_Layer_Security_Cheat_Sheet.md)** -* Dave Wichers - dave.wichers@owasp.org -* Michael Coates - michael.coates@owasp.org -* Tony Hsu - hsiang_chih@yahoo.com -* Torsten Gigler - torsten.gigler@owasp.org -* Tyler Reguly - treguly@sslfail.com - -**[Unvalidated Redirects and Forwards Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md)** -* Jim Manico - jim@owasp.org -* Johanna Curiel - johanna.curiel@owasp.org -* Susanna Bezold - susanna.bezold@owasp.org - -**[User Privacy Protection Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/User_Privacy_Protection_Cheat_Sheet.md)** -* Mohammed ALDOUB - -**[Virtual Patching Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Virtual_Patching_Cheat_Sheet.md)** -* Christian Folini - christian.folini@netnea.com -* Josh Zlatin - jamuse@gmail.com -* Ryan Barnett - ryan.barnett@owasp.org - -**[Vulnerability Disclosure Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md)** -* [OWASP Montréal](https://owasp.org/www-chapter-montreal/) chapter -* [@el_d33](https://twitter.com/el_d33) -* [gosecure.ca](https://gosecure.net/) - -**[Vulnerable Dependency Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.md)** -* Dominique Righetto - dominique.righetto@owasp.org -* Elie Saad - eliesaad7@gmail.com -* Jakub Maćkowski - jakub.mackowski@owasp.org - -**[Web Service Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Web_Service_Security_Cheat_Sheet.md)** -* Dave Wichers - 
dave.wichers@owasp.org -* Jim Manico - jim@owasp.org -* Sherif Koussa - sherif.koussa@owasp.org -* [Gunnar Peterson](https://twitter.com/oneraindrop) - -**[XML External Entity Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md)** -* Dave Wichers - dave.wichers@owasp.org -* Dean Fleming -* James Jardine - james@jardinesoftware.com -* Tony Hsu (Hsiang-Chih) -* Xiaoran Wang - xiaoran@attacker-domain.com - -**[XML Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/XML_Security_Cheat_Sheet.md)** -* Fernando Arnaboldi - fernando.arnaboldi@ioactive.com +## [AJAX Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/AJAX_Security_Cheat_Sheet.md) + +- Michael Eddington +- Til Mas + +## [Abuse Case Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Abuse_Case_Cheat_Sheet.md) + +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) +- James Robinson - [jrobinson@netskope.com](mailto:jrobinson@netskope.com) +- Rick Mitchell + +## [Access Control Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Access_Control_Cheat_Sheet.md) + +- Adinath Raveendra Raj - [adinath@acciente.com](mailto:adinath@acciente.com) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Mennouchi Islam Azeddine - [azeddine.mennouchi@owasp.org](mailto:azeddine.mennouchi@owasp.org) +- Shruti Kulkarni - [shruti.kulkarni@owasp.org](mailto:shruti.kulkarni@owasp.org) + +## [Attack Surface Analysis Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md) + +- Jim Bird - [jim.bird@owasp.org](mailto:jim.bird@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) + +## [Authentication Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Authentication_Cheat_Sheet.md) + +- 
Eoin Keary eoinkeary +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Manuel Aude Morales +- Pawel Krawczyk +- Sven Neuhaus +- Timo Goosen + +## [Authorization Testing Automation Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Authorization_Testing_Automation.md) + +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) + +## [Bean Validation Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Bean_Validation_Cheat_Sheet.md) + +- Anton Abashkin - [abashkin.anton@gmail.com](mailto:abashkin.anton@gmail.com) + +## [C-Based Toolchain Hardening Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/C-Based_Toolchain_Hardening.md) + +- Jeffrey Walton - [jeffrey@owasp.org](mailto:jeffrey@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Kevin Wall - [kevin@owasp.org](mailto:kevin@owasp.org) + +## [C-Based Toolchain Hardening Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md) + +- Jeffrey Walton - jeffrey@owasp.org +- Jim Manico - jim@owasp.org +- Kevin Wall - kevin@owasp.org + +## [Choosing and Using Security Questions Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.md) + +- Kevin Wall - kevin.w.wall@gmail com + +## [Clickjacking Defense Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md) + +- Aabashkin +- Dave Wichers - dwichers@gmail.com +- Eelgheez +- Jeffrey Walton +- Jim Manico - jim@owasp.org +- Michael Brook +- Santhosh Tuppad - santhosh.tuppad@gmail.com +- Shruti kulkarni +- Till Maas +- Tom Parker +- Yozo + +## [Content Security Policy Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Content_Security_Policy_Cheat_Sheet.md) + +- Elie Saad - 
[eliesaad7@gmail.com](mailto:eliesaad7@gmail.com) + +## [Credential Stuffing Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md) + +- Brad Causey + +## [Cross-Site Request Forgery Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md) + +- Dave Wichers - [dave.wichers@owasp.org](mailto:dave.wichers@owasp.org) +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) +- Eric Sheridan - [eric.sheridan@owasp.org](mailto:eric.sheridan@owasp.org) +- Paul Petefish +- [Manideep Konakandla (Amazon Application Security Team)](http://www.manideepk.com) + +## [Cross Site Scripting Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md) + +- Jeff Williams - [jeff.williams@contrastsecurity.com](mailto:jeff.williams@contrastsecurity.com) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Neil Matatall - [neil@owasp.org](mailto:neil@owasp.org) + +## [Cryptographic Storage Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Cryptographic_Storage_Cheat_Sheet.md) + +- David Rook - [david.a.rook@gmail.com](mailto:david.a.rook@gmail.com) +- Fred Donovan - [fred.donovan@owasp.org](mailto:fred.donovan@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Kevin Kenan - [kevin@k2dd.com](mailto:kevin@k2dd.com) +- Kevin Wall - [kevin.w.wall@gmail.com](mailto:kevin.w.wall@gmail.com) +- Tony Hsu - [hsiang_chih@yahoo.com](mailto:hsiang_chih@yahoo.com) + +## [DOM based XSS Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md) + +- Abraham Kang - [abraham.kang@owasp.org](mailto:abraham.kang@owasp.org) +- Achim Hoffmann - [achim@owasp.org](mailto:achim@owasp.org) +- Chris (Chris BEEF) 
Schmidt +- Dhiraj Mishra - [mishra.dhiraj@owasp.org](mailto:mishra.dhiraj@owasp.org) +- Eduardo (SirDarkCat) Alberto Vela Nava +- Erlend Oftedal +- Gareth (Gaz) Heyes +- Jeff Williams - [jeff.williams@owasp.org](mailto:jeff.williams@owasp.org) +- Jeremy Long +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- John Steven +- Mario Heiderich +- Mike Samuel +- Robert (RSnake) Hansen +- Stefano Di Paola + +## [Denial of Service Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Denial_of_Service_Cheat_Sheet.md) + +- Liviu Rombauts +- Stephen Corbiaux - [stephen.corbiaux@owasp.org](mailto:stephen.corbiaux@owasp.org) + +## [Deserialization Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Deserialization_Cheat_Sheet.md) + +- Arshan Dabirsiaghi - [arshan@contrastsecurity.org](mailto:arshan@contrastsecurity.org) +- Tony Hsu (Hsiang-Chih) Shane Murnion + +## [Docker Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Docker_Security_Cheat_Sheet.md) + +- Jakub Maćkowski - [jakub.mackowski@owasp.org](mailto:jakub.mackowski@owasp.org) + +## [DotNet Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/DotNet_Security_Cheat_Sheet.md) + +- Bill Sempf - [bill.sempf@owasp.org](mailto:bill.sempf@owasp.org) +- Jeremy Long - [jeremy.long@owasp.org](mailto:jeremy.long@owasp.org) +- John Staveley +- Sam Ferree +- Shane Murnion +- Steve Bamelis +- Troy Hunt - [troyhunt@hotmail.com](mailto:troyhunt@hotmail.com) +- Xander Sherry + +## [Error Handling Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Error_Handling_Cheat_Sheet.md) + +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) + +## [Forgot Password Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Forgot_Password_Cheat_Sheet.md) + +- Dave Ferguson - [gmdavef@gmail.com](mailto:gmdavef@gmail.com) +- James 
McGovern - [james.mcgovern@hp.com](mailto:james.mcgovern@hp.com) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Kevin Wall - [kevin.w.wall@gmail.com](mailto:kevin.w.wall@gmail.com) +- Wesley Philip - [wphilip@ca.ibm.com](mailto:wphilip@ca.ibm.com) + +## [HTML5 Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/HTML5_Security_Cheat_Sheet.md) + +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) +- Juan Galiana Lara - [jgaliana@owasp.org](mailto:jgaliana@owasp.org) +- Krzysztof Kotowicz - [krzysztof@kotowicz.net](mailto:krzysztof@kotowicz.net) +- Mark Roxberry - [mark.roxberry@owasp.org](mailto:mark.roxberry@owasp.org) +- Shreeraj Shah - [shreeraj.shah@blueinfy.net](mailto:shreeraj.shah@blueinfy.net) +- Will Stranathan - [will@cltnc.us](mailto:will@cltnc.us) + +## [HTTP Strict Transport Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md) + +- Daniel Black +- Jim Manico +- Michael Coates +- Pawel Krawczyk +- Til Maas + +## [Injection Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Injection_Prevention_Cheat_Sheet.md) + +- Alexander Meisel - [alexander.meisel@owasp.org](mailto:alexander.meisel@owasp.org) +- Erlend Oftedal - [erlend.oftedal@owasp.org](mailto:erlend.oftedal@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Sherif Mansour - [sherif.mansour@owasp.org](mailto:sherif.mansour@owasp.org) + +## [Injection Prevention Cheat Sheet in Java](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Injection_Prevention_Cheat_Sheet_in_Java.md) + +- Dave Wichers - [dave.wichers@owasp.org](mailto:dave.wichers@owasp.org) +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) + +## [Input Validation Cheat 
Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Input_Validation_Cheat_Sheet.md) + +- Dave Wichers - [dave.wichers@aspectsecurity.com](mailto:dave.wichers@aspectsecurity.com) + +## [Insecure Direct Object Reference Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md) + +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) +- Eric Sheridan - [eric.sheridan@owasp.org](mailto:eric.sheridan@owasp.org) +- Jeff Williams - [jeff.williams@contrastsecurity.com](mailto:jeff.williams@contrastsecurity.com) + +## [JAAS Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/JAAS_Cheat_Sheet.md) + +- Dr. A.L. Gottlieb - [AnthonyG@owasp.org](mailto:AnthonyG@owasp.org) + +## [JSON Web Token Cheat Sheet for Java](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.md) + +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) +- Jim Manico - [jim.manico@owasp.org](mailto:jim.manico@owasp.org) +- Paul Ionescu - [paul.ionescu@owasp.org](mailto:paul.ionescu@owasp.org) + +## [Key Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Key_Management_Cheat_Sheet.md) + +- Brian Russell - [russellbri@leidos.com](mailto:russellbri@leidos.com) +- Drew Van Duren - [drew.f.van.duren@leidos.com](mailto:drew.f.van.duren@leidos.com) +- Susanna Bezold – [BezoldCISSP@aol.com](mailto:BezoldCISSP@aol.com) +- Vanessa Amador - [vanessa.c.amador@leidos.com](mailto:vanessa.c.amador@leidos.com) + +## [LDAP Injection Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md) + +- Ben Weintraub - [Ben@bluetalon.com](mailto:Ben@bluetalon.com) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) + +## [Logging Cheat 
Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Logging_Cheat_Sheet.md) + +- Alexis Fitzgerald - [alexis.fitzgerald@owasp.org](mailto:alexis.fitzgerald@owasp.org) +- Colin Watson - [colin.watson@owasp.org](mailto:colin.watson@owasp.org) +- Eoin Keary - [eoin.keary@owasp.org](mailto:eoin.keary@owasp.org) + +## [Mass Assignment Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Mass_Assignment_Cheat_Sheet.md) + +- Abashkin Anton - [abashkin.anton@gmail.com](mailto:abashkin.anton@gmail.com) + +## [OS Command Injection Defense Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md) + +- Jim Manico - [jim.manico@owasp.org](mailto:jim.manico@owasp.org) +- Katy Anton - [katy.anton@owasp.org](mailto:katy.anton@owasp.org) + +## [PHP Configuration Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md) + +- Abbas Naderi - [abbas.naderi@owasp.org](mailto:abbas.naderi@owasp.org) +- Achim Hoffmann - [Achim@owasp.org](mailto:Achim@owasp.org) +- Dan Ehrlich - [dan.ehrlich@owasp.org](mailto:dan.ehrlich@owasp.org) +- Tony Hsu HsiangChih + +## [Password Storage Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Password_Storage_Cheat_Sheet.md) + +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- John Steven - [john.steven@owasp.org](mailto:john.steven@owasp.org) + +## [Pinning Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Pinning_Cheat_Sheet.md) + +- Jeffrey Walton - [jeffrey@owasp.org](mailto:jeffrey@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- John Steven - [john@owasp.org](mailto:john@owasp.org) +- Kevin Wall - [kevin@owasp.org](mailto:kevin@owasp.org) +- Ricardo Iramar - 
[ricardo.iramar@gmail.com](mailto:ricardo.iramar@gmail.com) + +## Protect FileUpload Against Malicious File + +- Dominique Righetto - dominique.righetto@owasp.org + +## [Query Parameterization Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Query_Parameterization_Cheat_Sheet.md) + +- Dave Wichers - [dave.wichers@owasp.org](mailto:dave.wichers@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Neil Matatall - [neil@owasp.org](mailto:neil@owasp.org) + +## [REST Assessment Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/REST_Assessment_Cheat_Sheet.md) + +- Ofer Shezaf - [ofer@shezaf.com](mailto:ofer@shezaf.com) + +## [REST Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/REST_Security_Cheat_Sheet.md) + +- Andrew van der Stock - [vanderaj@owasp.org](mailto:vanderaj@owasp.org) +- Erlend Oftedal - [erlend.oftedal@owasp.org](mailto:erlend.oftedal@owasp.org) +- Jan Wolff - [jan.wolff@owasp.org](mailto:jan.wolff@owasp.org) +- Johan Peeters - [yo@johanpeeters.com](mailto:yo@johanpeeters.com) +- Manh Pham - [manhpt2811@gmail.com](mailto:manhpt2811@gmail.com) +- Rocco Gränitz - [rocco.graenitz@owasp.org](mailto:rocco.graenitz@owasp.org) +- Tony Hsu Hsiang Chih- [Hsiang_chihi@yahoo.com](mailto:Hsiang_chihi@yahoo.com) + +## [Ruby on Rails Cheatsheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Ruby_on_Rails_Cheatsheet.md) + +- Aaron Bedra - [aaron@aaronbedra.com](mailto:aaron@aaronbedra.com) +- Egor Homakov - [homakov@gmail.com](mailto:homakov@gmail.com) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Jon Claudius - [jonathan.claudius@gmail.com](mailto:jonathan.claudius@gmail.com) +- Jon Rose - [jrose400@gmail.com](mailto:jrose400@gmail.com) +- Justin Collins - [justin@presidentbeef.com](mailto:justin@presidentbeef.com) +- Ken Johnson - [cktricky@gmail.com](mailto:cktricky@gmail.com) +- Lance Vaughn - 
[lance@cabforward.com](mailto:lance@cabforward.com) +- Matt Konda - [mkonda@jemurai.com](mailto:mkonda@jemurai.com) +- Neil Matatall - [neil@matatall.com](mailto:neil@matatall.com) +- Zaur Molotnikov - [qutorial@gmail.com](mailto:qutorial@gmail.com) + +## [SAML Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/SAML_Security_Cheat_Sheet.md) + +- Gunnar Peterson +- James McGovern +- [Brad Broulik](http://bradbroulik.blogspot.dk/2010/01/bulletproof-sso-with-saml-20.html) +- [Paweł Krawczyk](https://ipsec.pl/) + +## [SQL Injection Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md) + +- Dave Wichers - [dave.wichers@owasp.org](mailto:dave.wichers@owasp.org) +- Dhiraj Mishra - [mishra.dhiraj@owasp.org](mailto:mishra.dhiraj@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Matt Seil - [mseil@acm.org](mailto:mseil@acm.org) + +## [Secure Cloud Architecture Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.md) + +- [Joshua Beck](https://josh-beck.github.io) +- Matthew Wright + +## [Securing Cascading Style Sheets Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.md) + +- [Santhosh Tuppad](https://twitter.com/santhoshst) + +## [Session Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Session_Management_Cheat_Sheet.md) + +- Raul Siles (DinoSec) - [raul@dinosec.com](mailto:raul@dinosec.com) + +## [Third Party Javascript Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.md) + +- Jim Weiler - [Jim.Weiler@owasp.org](mailto:Jim.Weiler@owasp.org) + +## [Threat Modeling Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md) + +- Ahmed 
Kanoma +- Mohamed Alfateh + +## [Transaction Authorization Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Transaction_Authorization_Cheat_Sheet.md) + +- Adam Lange +- Adam Zachara, SecuRing +- Andrzej Kleśnicki, Qualys +- Francois-Eric Guyomarch, HID Global +- James Holland, HID Global +- Milan Khan, HID Global +- Steven Wierckx, Toreon +- Sven Thomassin, PwC BE - Technology Consulting +- Sławomir Jasek, SecuRing +- Wojciech Dworakowski - [wojciech.dworakowski@securing.pl](mailto:wojciech.dworakowski@securing.pl) + +## [Transport Layer Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Transport_Layer_Security_Cheat_Sheet.md) + +- Dave Wichers - [dave.wichers@owasp.org](mailto:dave.wichers@owasp.org) +- Michael Coates - [michael.coates@owasp.org](mailto:michael.coates@owasp.org) +- Tony Hsu - [hsiang_chih@yahoo.com](mailto:hsiang_chih@yahoo.com) +- Torsten Gigler - [torsten.gigler@owasp.org](mailto:torsten.gigler@owasp.org) +- Tyler Reguly - [treguly@sslfail.com](mailto:treguly@sslfail.com) + +## [Unvalidated Redirects and Forwards Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md) + +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Johanna Curiel - [johanna.curiel@owasp.org](mailto:johanna.curiel@owasp.org) +- Susanna Bezold - [susanna.bezold@owasp.org](mailto:susanna.bezold@owasp.org) + +## [User Privacy Protection Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/User_Privacy_Protection_Cheat_Sheet.md) + +- Mohammed ALDOUB + +## [Virtual Patching Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Virtual_Patching_Cheat_Sheet.md) + +- Christian Folini - [christian.folini@netnea.com](mailto:christian.folini@netnea.com) +- Josh Zlatin - [jamuse@gmail.com](mailto:jamuse@gmail.com) +- Ryan Barnett - [ryan.barnett@owasp.org](mailto:ryan.barnett@owasp.org) + 
+## [Vulnerability Disclosure Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md) + +- [OWASP Montréal](https://owasp.org/www-chapter-montreal/) chapter +- [@el_d33](https://twitter.com/el_d33) +- [gosecure.ca](https://gosecure.net/) + +## [Vulnerable Dependency Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.md) + +- Dominique Righetto - [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) +- Elie Saad - [eliesaad7@gmail.com](mailto:eliesaad7@gmail.com) +- Jakub Maćkowski - [jakub.mackowski@owasp.org](mailto:jakub.mackowski@owasp.org) + +## [Web Service Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Web_Service_Security_Cheat_Sheet.md) + +- Dave Wichers - [dave.wichers@owasp.org](mailto:dave.wichers@owasp.org) +- Jim Manico - [jim@owasp.org](mailto:jim@owasp.org) +- Sherif Koussa - [sherif.koussa@owasp.org](mailto:sherif.koussa@owasp.org) +- [Gunnar Peterson](https://twitter.com/oneraindrop) + +## [XML External Entity Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md) + +- Dave Wichers - [dave.wichers@owasp.org](mailto:dave.wichers@owasp.org) +- Dean Fleming +- James Jardine - [james@jardinesoftware.com](mailto:james@jardinesoftware.com) +- Tony Hsu (Hsiang-Chih) +- Xiaoran Wang - [xiaoran@attacker-domain.com](mailto:xiaoran@attacker-domain.com) + +## [XML Security Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/XML_Security_Cheat_Sheet.md) + +- Fernando Arnaboldi - [fernando.arnaboldi@ioactive.com](mailto:fernando.arnaboldi@ioactive.com) diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000000..aeb377ac06 --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,9 @@ +FROM python:latest +WORKDIR /usr/src/app +COPY . . + +EXPOSE 8000 + +RUN make install-python-requirements +RUN make generate-site +ENTRYPOINT ["make", "serve"] \ No newline at end of file diff --git a/HelpGuide.md b/HelpGuide.md index f4700bd6ce..f8babff5ca 100644 --- a/HelpGuide.md +++ b/HelpGuide.md @@ -5,6 +5,7 @@ Welcome to the Cheat Sheet Help Guide. This guide is designed to help you navigate the website and make the most of the features and resources offered. The cheat sheets are packed with valuable information, and we want to ensure you have all the tools you need to use them effectively. ### What's Inside This Guide + 1. [Basic Navigation](#Basic-Navigation) 2. [Features](#Features) 3. [FAQ](#FAQ) 
@@ -14,22 +15,30 @@ Welcome to the Cheat Sheet Help Guide. This guide is designed to help you naviga ## Guides ### Basic Navigation + Navigation is easy. Just click on any cheat sheet or cheat sheet series you wish to see on the left side of the site. These links won't go away as you navigate so click away without getting lost. ![Help_Nav](https://github.com/tylersnel/CheatSheetSeries/assets/67352917/020de84c-e18f-477a-acd4-889617666308) ### Features + #### Search -Use the search bar located at the top of the page to search for certain cheat sheets and keywords in cheat sheets. + +Use the search bar located at the top of the page to search for certain cheat sheets and keywords in cheat sheets. ![Capture2](https://github.com/tylersnel/CheatSheetSeries/assets/67352917/5af0a995-ef96-42e3-90f6-e7cc8a18cfd1) + #### Dark Mode + If you prefer a darker theme, there is a dark mode option for the cheat sheets. Click the light/dark mode button, located next to the search bar, to switch between modes. ![Dark_Mode](https://github.com/tylersnel/CheatSheetSeries/assets/67352917/ce753a58-c34e-4384-a726-e947d851e21f) + #### GitHub Repository + If you wish to visit the project's GitHub repository, click on the repository link next to the search bar. ![Repository_Link](https://github.com/tylersnel/CheatSheetSeries/assets/67352917/8582725d-941f-4d2d-b38d-7986e2659cc6) ### FAQ + Here are some frequently asked questions (FAQs) for the OWASP Cheat Sheet Series: #### General Information @@ -59,7 +68,6 @@ A: Yes, the cheat sheets are periodically reviewed and updated to reflect the la **Q: Can I contribute to the cheat sheet series?** A: Yes, contributions from the community are welcome. You can contribute by suggesting new topics, providing feedback, or updating existing cheat sheets. Create an issue or pull request on our [GitHub repository](https://github.com/OWASP/CheatSheetSeries/). - #### Licensing and Usage Rights **Q: Under what license are the cheat sheets available?** 
@@ -71,11 +79,12 @@ A: Yes, you can use the cheat sheets in commercial projects, provided you adhere These FAQs should help users understand the purpose, usage, and contributions related to the OWASP Cheat Sheet Series website. ### Troubleshooting Guide -* Refreshing the web page will fix most issues encountered. If the problem persists, close the browser, reopen the browser, and return to the cheat sheet website. -* Clear your cache and cookies or try a different browser. -* If the website is not loading, please check your internet connection. + +- Refreshing the web page will fix most issues encountered. If the problem persists, close the browser, reopen the browser, and return to the cheat sheet website. +- Clear your cache and cookies or try a different browser. +- If the website is not loading, please check your internet connection. ### Feedback and Support -admin@owasp.com -https://owasp.org/slack/invite +- [admin@owasp.com](mailto:admin@owasp.com) +- [https://owasp.org/slack/invite](https://owasp.org/slack/invite) diff --git a/Preface.md b/Preface.md index 82f88fd828..60f03c23ca 100644 --- a/Preface.md +++ b/Preface.md @@ -1,4 +1,4 @@ -![OWASPHeader](assets/Preface_Cheatsheet_Header.png) +# ![OWASPHeader](assets/Preface_Cheatsheet_Header.png) ![ProjectLogoOfficial](assets/Preface_Cheatsheet_Logo.png) diff --git a/README.md b/README.md index c689041732..223bece127 100644 --- a/README.md +++ b/README.md 
@@ -44,7 +44,7 @@ This project is only possible thanks to the work of many dedicated volunteers. E This [link](https://cheatsheetseries.owasp.org/bundle.zip) allows you to download a build (ZIP archive) of the offline website. -### Local build [![pyVersion3x](https://img.shields.io/badge/python-3.x-blue.svg)](https://www.python.org/downloads/) +### Local Build [![pyVersion3x](https://img.shields.io/badge/python-3.x-blue.svg)](https://www.python.org/downloads/) The OWASP Cheat Sheet Series website can be built and tested locally by issuing the following commands: @@ -54,6 +54,24 @@ make generate-site make serve # Binds port 8000 ``` +### Container Build + +The OWASP Cheat Sheet Series website can be built and tested locally inside a container by issuing the following commands: + +#### Docker + +```sh +docker build -t cheatsheetseries . +docker run --name cheatsheetseries -p 8000:8000 cheatsheetseries +``` + +#### Podman + +```sh +podman build -t cheatsheetseries . +podman run --name cheatsheetseries -p 8000:8000 localhost/cheatsheetseries +``` + ## Contributors - **From 2014 to 2018:** [V1](CONTRIBUTOR-V1.md) - Initial version of the project hosted on the [OWASP WIKI](https://wiki.owasp.org). diff --git a/cheatsheets/File_Upload_Cheat_Sheet.md b/cheatsheets/File_Upload_Cheat_Sheet.md index 8d941fcbd5..9ed41fe211 100644 --- a/cheatsheets/File_Upload_Cheat_Sheet.md +++ b/cheatsheets/File_Upload_Cheat_Sheet.md 
@@ -16,6 +16,7 @@ In short, the following principles should be followed to reach a secure file upl - **Store the files on a different server. If that's not possible, store them outside of the webroot** - **In the case of public access to the files, use a handler that gets mapped to filenames inside the application (someid -> file.ext)** - **Run the file through an antivirus or a sandbox if available to validate that it doesn't contain malicious data** +- **Run the file through CDR (Content Disarm & Reconstruct) if applicable type (PDF, DOCX, etc...)** - **Ensure that any libraries used are securely configured and kept up to date** - **Protect the file upload from [CSRF](Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md) attacks** diff --git a/cheatsheets/Input_Validation_Cheat_Sheet.md b/cheatsheets/Input_Validation_Cheat_Sheet.md index 660c4cbe63..934c553ae9 100644 --- a/cheatsheets/Input_Validation_Cheat_Sheet.md +++ b/cheatsheets/Input_Validation_Cheat_Sheet.md @@ -225,7 +225,7 @@ If it is essential that disposable email addresses are blocked, then registratio #### Sub-Addressing -Sub-addressing allows a user to specify a _tag_ in the local part of the email address (before the `@` sign), which will be ignored by the mail server. For example, if that `example.org` domain supports sub-addressing, then the following email addresses are equivalent: +Sub-addressing allows a user to specify a *tag* in the local part of the email address (before the `@` sign), which will be ignored by the mail server. For example, if that `example.org` domain supports sub-addressing, then the following email addresses are equivalent: - `user@example.org` - `user+site1@example.org` 
@@ -233,7 +233,7 @@ Sub-addressing allows a user to specify a _tag_ in the local part of the email a Many mail providers (such as Microsoft Exchange) do not support sub-addressing. The most notable provider who does is Gmail, although there are many others that also do. -Some users will use a different _tag_ for each website they register on, so that if they start receiving spam to one of the sub-addresses they can identify which website leaked or sold their email address. +Some users will use a different *tag* for each website they register on, so that if they start receiving spam to one of the sub-addresses they can identify which website leaked or sold their email address. Because it could allow users to register multiple accounts with a single email address, some sites may wish to block sub-addressing by stripping out everything between the `+` and `@` signs. This is not generally recommended, as it suggests that the website owner is either unaware of sub-addressing or wishes to prevent users from identifying them when they leak or sell email addresses. Additionally, it can be trivially bypassed by using [disposable email addresses](#disposable-email-addresses), or simply registering multiple email accounts with a trusted provider. diff --git a/cheatsheets_draft/OAuth_Cheat_Sheet.md b/cheatsheets_draft/OAuth_Cheat_Sheet.md index 0f7e25c9ad..91776664ec 100644 --- a/cheatsheets_draft/OAuth_Cheat_Sheet.md +++ b/cheatsheets_draft/OAuth_Cheat_Sheet.md 
@@ -9,24 +9,24 @@ This Cheat Sheet provides guidance for application builders on how to deploy OAu ## Contents - [Terminology](#terminology) - - [Roles](#roles) - - [Access Tokens](#access-tokens) - - [Refresh Tokens](#refresh-tokens) - - [Tokens TTL](#tokens-ttl) - - [Managing Tokens](#managing-tokens) - - [Redirect URI](#redirect-uri) + - [Roles](#roles) + - [Access Tokens](#access-tokens) + - [Refresh Tokens](#refresh-tokens) + - [Tokens TTL](#tokens-ttl) + - [Managing Tokens](#managing-tokens) + - [Redirect URI](#redirect-uri) - [Security Protective Measures](#security-protective-measures) - - [Client Credentials Protection](#client-credentials-protection) - - [CSRF Protection](#csrf-protection) - - [Referer Header Leaks Protection](#referer-header-leaks-protection) - - [Token Logging Protection](#token-logging-protection) - - [Authorization Server Mix-Up Protection](#authorization-server-mix-up-protection) - - [PKCE Considerations](#pkce-considerations) + - [Client Credentials Protection](#client-credentials-protection) + - [CSRF Protection](#csrf-protection) + - [Referer Header Leaks Protection](#referer-header-leaks-protection) + - [Token Logging Protection](#token-logging-protection) + - [Authorization Server Mix-Up Protection](#authorization-server-mix-up-protection) + - [PKCE Considerations](#pkce-considerations) - [Use Cases](#use-cases) - - [Classic Web Application](#classic-web-application) - - [Single Page Application](#single-page-application) - - [Mobile Application](#mobile-application) - - [Backend Service](#backend-service) + - [Classic Web Application](#classic-web-application) + - [Single Page Application](#single-page-application) + - [Mobile Application](#mobile-application) + - [Backend Service](#backend-service) ## Terminology 
@@ -169,4 +169,4 @@ For more information on this flow, refer to [section 4.4](https://tools.ietf.org [Client]: #client [Authorization Server]: #authorization-server [Access Tokens]: #access-tokens -[RFC6749]: https://tools.ietf.org/html/rfc6749 \ No newline at end of file +[RFC6749]: https://tools.ietf.org/html/rfc6749 diff --git a/cheatsheets_draft/Webhook_Security_Guidelines_CheatSheet.md b/cheatsheets_draft/Webhook_Security_Guidelines_CheatSheet.md index 6abc74ed27..26511421bc 100644 --- a/cheatsheets_draft/Webhook_Security_Guidelines_CheatSheet.md +++ b/cheatsheets_draft/Webhook_Security_Guidelines_CheatSheet.md 
@@ -2,12 +2,11 @@ ## Introduction -Webhooks provide a mechanism where a Server-side application can notify a client-side application when a new even (that the client-side application might be interested in) has occurred on the server. Webhooks are incredibly useful and a resource-light way to implement event reactions. However, webhooks can also be abused and the following considerations must be taken into account to secure Webhooks. It should also be noted that webhook security considerations apply to both publisher/server and subscriber/client. +Webhooks provide a mechanism where a Server-side application can notify a client-side application when a new even (that the client-side application might be interested in) has occurred on the server. Webhooks are incredibly useful and a resource-light way to implement event reactions. However, webhooks can also be abused and the following considerations must be taken into account to secure Webhooks. It should also be noted that webhook security considerations apply to both publisher/server and subscriber/client. At the core of webhooks fundamental security best practices are available however are not enabled by default. This is a gap in the “default secure” principle however with focus and configuration this gap can be addressed. One item to note is webhook urls by default carry a high level of confidentiality. This comes from the lack of default secure principle mentioned above. With this webhook urls should be kept secret and while the security community has generally accepted that obscurity is not security it is a best practice to follow. If your webhooks are sharing sensitive information the following considerations should be reviewed and implemented. -At high level, the following requirements outline the security mechanisms in various ways. These high level requirements allow engineers and developers to properly implement security controls. 
- +At high level, the following requirements outline the security mechanisms in various ways. These high level requirements allow engineers and developers to properly implement security controls. - Webhook URLs should be treated like any other secrets like password, Keys, API token and should NOT be hardcoded in source code. - It's important to secure Webhook URLs in Vault than storing it in Version Control System. 
@@ -15,157 +14,148 @@ At high level, the following requirements outline the security mechanisms in var - Webhook requests should be signed and signature should be validated. - Follow Payload best practices for Payload, HTTP Methods and prevent from Attacks. - ## Contents Controls for Securing Webhooks - Treat Webhooks as Secrets -- Enable SSL/TLS -- Authentication -- OAuth Authorization -- Crude Authorized Access -- Message Protection and Secrecy -- Cross Site Request Forgery -- Revocation -- Pass Secrets in Request header -- Fail Safe and Secure -- Replay Protections -- Payload best practices -- HTTP Methods best practices - +- Enable SSL/TLS +- Authentication +- OAuth Authorization +- Crude Authorized Access +- Message Protection and Secrecy +- Cross Site Request Forgery +- Revocation +- Pass Secrets in Request header +- Fail Safe and Secure +- Replay Protections +- Payload best practices +- HTTP Methods best practices ## Treat Webhooks as Secrets -Secure Webhook tokens - Keep Webhook Authentication tokens(in URL) out of source code, configuration files and keep them out of logs. Do not print Webhook URLs with token in logs, Do not store write URLs with token or hard code it in source. Webhook Authentication tokens should be securely stored in Vault. +Secure Webhook tokens - Keep Webhook Authentication tokens(in URL) out of source code, configuration files and keep them out of logs. Do not print Webhook URLs with token in logs, Do not store write URLs with token or hard code it in source. Webhook Authentication tokens should be securely stored in Vault. + +Abuse Case: -Abuse Case: - Find a Webhook URL with token in github and try to post a simple message to it. +## Transport Security -## Transport Security +Enable SSL/TLS - The first step you should take to secure web application is to ensure that you are using HTTPS for web application's end point. Data transmitted over the Internet should always be encrypted. 
Your endpoint URL should support HTTPS, and you should add that secure URL to your webhook settings. Avoid connecting to an HTTPS URL with a self-signed certificate and weak Ciphers. Server must be correctly configured to support HTTPS with a valid server certificate. -Enable SSL/TLS - The first step you should take to secure web application is to ensure that you are using HTTPS for web application's end point. Data transmitted over the Internet should always be encrypted. Your endpoint URL should support HTTPS, and you should add that secure URL to your webhook settings. Avoid connecting to an HTTPS URL with a self-signed certificate and weak Ciphers. Server must be correctly configured to support HTTPS with a valid server certificate. +Abuse Case: -Abuse Case: -- Use an existing webhook and try to make a request to it using http://. -- Alternative abuse case is to negotiate weak SSL/TLS when making a webhook request. +- Use an existing webhook and try to make a request to it using http://. +- Alternative abuse case is to negotiate weak SSL/TLS when making a webhook request. - Alternative abuse case is to look at the certificate and see if it is self-signed. If it does not follow a strong chain of trust it should not be trusted for sensitive data or production traffic unless other mechanisms are in place - ## Authentication -TLS Authentication +TLS Authentication + +Mutual TLS - Mutual TLS to authenticate the client, it builds upon normal TLS by adding client Authentication in addition to Server Authentication to ensure traffic is both secure and trusted in both directions. Mutual TLS guarantees that both Client and Webhook Server present a certificate during TLS handshake which mutually proves identity. -Mutual TLS - Mutual TLS to authenticate the client, it builds upon normal TLS by adding client Authentication in addition to Server Authentication to ensure traffic is both secure and trusted in both directions. 
Mutual TLS guarantees that both Client and Webhook Server present a certificate during TLS handshake which mutually proves identity. +Abuse Case: -Abuse Case: -- TLS hardening (do not use TLS 1.0 or 1.1) +- TLS hardening (do not use TLS 1.0 or 1.1) - Certificate theft from system -Basic Auth - HTTP Basic Authentication will require Username and Password along with Webhook URL to Authenticate against Web Server. In an effort to enforce the high security standards, refrain from using Basic Auth and go for request signatures. If it becomes inevitable, make sure Intruder lockout is enabled and Strong password policy is enforced. +Basic Auth - HTTP Basic Authentication will require Username and Password along with Webhook URL to Authenticate against Web Server. In an effort to enforce the high security standards, refrain from using Basic Auth and go for request signatures. If it becomes inevitable, make sure Intruder lockout is enabled and Strong password policy is enforced. + +Abuse Case: -Abuse Case: - Brute force Attack - Disclosure from information in logs +## OAuth Token -## OAuth Token +OAuth Authorization - When you build your own endpoint for Authentication, make sure OAuth is set for Authorization OAuth 2.0 requires an Authentication token, which can be issued by Authorization server in order to connect to Webhook endpoint. OAuth token should be included in the Authorization header. Make sure that OAuth token has lifetime/Expiry set. -OAuth Authorization - When you build your own endpoint for Authentication, make sure OAuth is set for Authorization OAuth 2.0 requires an Authentication token, which can be issued by Authorization server in order to connect to Webhook endpoint. OAuth token should be included in the Authorization header. Make sure that OAuth token has lifetime/Expiry set. 
+Abuse Case: -Abuse Case: -- Session hijacking +- Session hijacking - Other OAuth attacks +## Crude Authorized Access -## Crude Authorized Access +IP Whitelisting - When designing network architecture, you may wish to have one set of servers and a load balancer in a DMZ that receive webhook requests from Server, and then proxy those requests to your private network. Have proper whitelist configured to allow inbound traffic to be whitelisted in Firewall with host name which list the egress IPs under the host's A record. This can be technically complex to manage, especially when the IP addresses of the webhook provider change. If you’re processing webhooks using an app developed by the webhook provider, or the open source community, and you don’t own the code, make sure to review their docs or ask them questions to confirm they abide by security best practices. -IP Whitelisting - When designing network architecture, you may wish to have one set of servers and a load balancer in a DMZ that receive webhook requests from Server, and then proxy those requests to your private network. Have proper whitelist configured to allow inbound traffic to be whitelisted in Firewall with host name which list the egress IPs under the host's A record. This can be technically complex to manage, especially when the IP addresses of the webhook provider change. If you’re processing webhooks using an app developed by the webhook provider, or the open source community, and you don’t own the code, make sure to review their docs or ask them questions to confirm they abide by security best practices. +Abuse Case: -Abuse Case: - Using a targeted webhook with IP whitelisting go to a system that would not be in the whitelist and try to use it. If you can GET or POST the control is not in place. +## Message Protection and Secrecy -## Message Protection and Secrecy - -Get your Web Authentication Key setup - By default, a webhook URL is open and may receive a payload from anybody who knows the URL. 
The Key is the only thing that protects the webhook and should be handled with the highest secrecy. For security reasons, we recommend you to accept requests only from trusted sources. This is accomplished by signing your requests with a Hash-based Message Authentication Code (or HMAC). Once you defined a secret HMAC, Server will only accept signed requests for that webhook. To sign a request you need to generate hash digests of your request body using the sha512 algorithm and send it in HTTP header. If it is tampered or left blank then Server would respond with HTTP/1.1 400 Bad Request header and message like "The request is expected to be signed". +Get your Web Authentication Key setup - By default, a webhook URL is open and may receive a payload from anybody who knows the URL. The Key is the only thing that protects the webhook and should be handled with the highest secrecy. For security reasons, we recommend you to accept requests only from trusted sources. This is accomplished by signing your requests with a Hash-based Message Authentication Code (or HMAC). Once you defined a secret HMAC, Server will only accept signed requests for that webhook. To sign a request you need to generate hash digests of your request body using the sha512 algorithm and send it in HTTP header. If it is tampered or left blank then Server would respond with HTTP/1.1 400 Bad Request header and message like "The request is expected to be signed". -It’s recommended to include a signature header as part of POST request, this allows additional layer of security to ensure requests are originating from legitimate source. You can have your own solution for this or leverage official libraries from third party integration. +It’s recommended to include a signature header as part of POST request, this allows additional layer of security to ensure requests are originating from legitimate source. You can have your own solution for this or leverage official libraries from third party integration. 
-Abuse Case: +Abuse Case: - Using a targeted webhook capture a message and replay it with a removed or replaced HMAC. If the service accepts the message it is vulnerable to this attack as it is not validating the HMAC +## Cross Site Request Forgery -## Cross Site Request Forgery +CSRF protection - CSRF Protection for webhooks is an important Security feature to prevent Cross Site Request Forgery. If you’re using Rails, Django, or another web framework, your site might automatically check that every POST request contains a CSRF token. However, this security measure might also prevent your site from processing legitimate requests. If so, you might need to exempt the webhooks route from CSRF protection and handle them. -CSRF protection - CSRF Protection for webhooks is an important Security feature to prevent Cross Site Request Forgery. If you’re using Rails, Django, or another web framework, your site might automatically check that every POST request contains a CSRF token. However, this security measure might also prevent your site from processing legitimate requests. If so, you might need to exempt the webhooks route from CSRF protection and handle them. - -Abuse Case: +Abuse Case: - Using a targeted webhook try sending a webhook POST request with a known list of malformed Cross-Site Request Forgery payloads. - ## Revocation -Revocation - Have provision to reset a webhook's authentication key. To ensure that you do not lose any webhook requests between the time you reset your key and when you update your application to start using that new key, your webhook processor should reject requests with failed signatures with custom Status code. +Revocation - Have provision to reset a webhook's authentication key. To ensure that you do not lose any webhook requests between the time you reset your key and when you update your application to start using that new key, your webhook processor should reject requests with failed signatures with custom Status code. 
-Abuse Case: +Abuse Case: - Using a targeted webhook, capture HTTP Request with Auth key. Generate new Authkey for the Webhook URL, try POST ing with expired Auth key, Invalid Authkey, payload and validate. +## Pass Secrets in Request Header -## Pass Secrets in Request Header +Protection from repudiation attacks - Most webhook providers allow you to pass a secret or a "token" in every webhook request. Example Github. The secret is typically passed as an HTTP header, as a field in the JSON payload or appended to the request URL. When you confirm the token you received is the one you expected, it helps validate the request was sent by the webhook publisher. -Protection from repudiation attacks - Most webhook providers allow you to pass a secret or a "token" in every webhook request. Example Github. The secret is typically passed as an HTTP header, as a field in the JSON payload or appended to the request URL. When you confirm the token you received is the one you expected, it helps validate the request was sent by the webhook publisher. - -Abuse Case: +Abuse Case: - Using a targeted webhook capture a known good message. Tamper or remove the Token from Request Header and POST the message to target URL. The webhook should respond that the message was invalid. If it does not it is vulnerable to repudiation attacks - -## Fail Safe and Secure +## Fail Safe and Secure Event Handling - Handling webhook events correctly is crucial to making sure your integration's business logic works as expected. Webhook endpoints might occasionally receive the same event more than once or Webhook Receivers might receive crafted or malicious payload. We advise you to guard against duplicated event receipts and crafted messages by making your event processing idempotent. One way of doing this is logging the events you’ve processed, and then not processing already-logged events. In any case of failures, do not display detailed errors that can reveal sensitive information to Attacker. 
-Abuse Case: +Abuse Case: - Using a targeted webhook try to send incorrect, corrupted or flawed messages to the webhook targeting processing flaws in the webhook service or any services processing webhook messages. If the service does not handle the corrupt/flawed message it is vulnerable to this attack. +## Replay protections -## Replay protections +Replay Attacks - Anyone who is sniffing traffic can intercept the request and replay it. To protect against replay attacks, you can rely on adding timestamp for when the webhook event was generated. These should be added to the header. Timestamps are typically used as a seed for computing and verifying a signature. If you try to just change the timestamp, the signature verification will fail because it's not valid. -Replay Attacks - Anyone who is sniffing traffic can intercept the request and replay it. To protect against replay attacks, you can rely on adding timestamp for when the webhook event was generated. These should be added to the header. Timestamps are typically used as a seed for computing and verifying a signature. If you try to just change the timestamp, the signature verification will fail because it's not valid. - -Abuse Case: +Abuse Case: - Using a targeted webhook capture a webhook message and POST and replay the same message without modification. If you can do this, replay attacks are possible +## Payload best practices -## Payload best practices - -Service Attack Vector - In most cases webhooks are being used as input for a service account. In these scenarios you need to be mindful to validate the data coming using tight validations of the payload for injection, DDOS, XSS, and other attacks that can be found in the OWASP TOP 10. +Service Attack Vector - In most cases webhooks are being used as input for a service account. 
In these scenarios you need to be mindful to validate the data coming using tight validations of the payload for injection, DDOS, XSS, and other attacks that can be found in the OWASP TOP 10. -Abuse Case: +Abuse Case: - Using a targeted webhook use POST method to the webhook trying to take advantage of security weaknesses in the service or application that is receiving webhook messages. This can include simple attacks such as sending large amounts of data to complex attacks like injection. +## HTTP Methods best practices -## HTTP Methods best practices +Supported HTTP methods- While writing or exposing Webhook. Make sure only enable selected HTTP methods like GET and POST. Other methods like PUT, DELETE and even OPTIONS and HEAD should be disabled if not required. -Supported HTTP methods- While writing or exposing Webhook. Make sure only enable selected HTTP methods like GET and POST. Other methods like PUT, DELETE and even OPTIONS and HEAD should be disabled if not required. - -Abuse Case: +Abuse Case: - Using a targeted webhook URL, try sending payloads using different HTTP methods like DELETE and PUT and observe the HTTP response. 
- ## Reference Docs -- Python Webhook Tester: https://webhook.site/ -- https://www.fullstackpython.com/webhooks.html -- https://www.nexmo.com/blog/2019/06/28/using-message-signatures-to-ensure-secure-incoming-webhooks-dr -- https://community.spinnaker.io/t/how-to-secure-webhooks/1122 -- https://stripe.com/docs/webhooks/signatures#replay-attacks -- https://developer.box.com/guides/webhooks/handle/setup-signatures/ +- Python Webhook Tester: [https://webhook.site](https://webhook.site/) +- [https://www.fullstackpython.com/webhooks.html](https://www.fullstackpython.com/webhooks.html) +- [https://www.nexmo.com/blog/2019/06/28/using-message-signatures-to-ensure-secure-incoming-webhooks-dr](https://www.nexmo.com/blog/2019/06/28/using-message-signatures-to-ensure-secure-incoming-webhooks-dr) +- [https://community.spinnaker.io/t/how-to-secure-webhooks/1122](https://community.spinnaker.io/t/how-to-secure-webhooks/1122) +- [https://stripe.com/docs/webhooks/signatures#replay-attacks](https://stripe.com/docs/webhooks/signatures#replay-attacks) +- [https://developer.box.com/guides/webhooks/handle/setup-signatures/](https://developer.box.com/guides/webhooks/handle/setup-signatures/) diff --git a/package.json b/package.json index edef38f10d..62051a268d 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ "scripts": { "test": "npm run lint-markdown && npm run lint-terminology", "lint-terminology": "textlint ./cheatsheets/", - "lint-markdown": "markdownlint ./cheatsheets/ --ignore node_modules", + "lint-markdown": "markdownlint ./ -c .markdownlint.json --ignore node_modules --ignore cheatsheets_excluded", "link-check": "find cheatsheets -name \\*.md -exec markdown-link-check -c markdown-link-check-config.json 1> log 2> err {} \\; && if [ -e err ] && grep -q \"ERROR:\" err ; then exit 113 ; else echo -e \"All good\"; fi" }, "repository": { diff --git a/templates/New_CheatSheet.md b/templates/New_CheatSheet.md index e7ecd27f7b..791c8f46b4 100644 
--- a/templates/New_CheatSheet.md +++ b/templates/New_CheatSheet.md @@ -1,13 +1,15 @@ -# Mandatory Markdown Format Rules +# `Topic` Cheat Sheet -**!!! REMOVE THIS SECTION BEFORE TO SUBMIT YOUR CHEAT SHEET VIA PULL REQUEST !!!** +**Replace `Topic` with the topic you're tackling, such as `Authentication` and remove this line** -* Use this [editor and validation policy](https://github.com/OWASP/CheatSheetSeries#editor--validation-policy). -* Use these [format rules](https://github.com/OWASP/CheatSheetSeries#conversion-rules). +```markdown +# Mandatory Markdown Format Rules -# `Topic` Cheat Sheet +**!!! REMOVE THIS BLOCK BEFORE TO SUBMIT YOUR CHEAT SHEET VIA PULL REQUEST !!!** -**Replace `Topic` with the topic you're tackling, such as `Authentication` and remove this line** +- Use this [editor and validation policy](https://github.com/OWASP/CheatSheetSeries#editor--validation-policy). +- Use these [format rules](https://github.com/OWASP/CheatSheetSeries#conversion-rules). +``` ## Introduction
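Review bot: In the "Message Protection and Secrecy" paragraph of the Webhook cheat sheet hunk, "Once you defined a secret HMAC" conflates the shared secret key with the HMAC output, and "generate hash digests of your request body using the sha512 algorithm" reads as an unkeyed hash, which would give no authenticity at all; suggest "compute an HMAC-SHA512 over the request body with the shared secret and send the result in an HTTP header", and add that the receiver must compare the received and recomputed values with a constant-time comparison. Smaller points in the same hunk: "Replay protections" says the timestamp is a seed for the signature, but a signed timestamp only stops replay if the receiver also rejects requests whose timestamp falls outside a short tolerance window, so that should be stated; "Pass Secrets in Request Header" is labelled "Protection from repudiation attacks" although a shared token gives origin authentication, not non-repudiation (any holder of the token can produce it), and the "appended to the request URL" option should be discouraged because query strings land in access and proxy logs; "Supported HTTP methods" recommends enabling GET and POST, but a webhook receiver normally needs POST only and accepting GET also pushes payload data into URLs and logs; "Revocation" should mention accepting both the old and the new key for a short overlap period during rotation, since a hard cut-over that answers with a custom status code still drops any event the provider does not retry; and "DDOS" / "OWASP TOP 10" in "Payload best practices" should read "DDoS" / "OWASP Top 10".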
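Review bot: The widened "lint-markdown" script in the package.json hunk now runs markdownlint over the whole repository with "-c .markdownlint.json", but that config file is not part of the visible diff; make sure ".markdownlint.json" is committed in the same PR, otherwise "npm test" fails before any rule is checked. There is also a scope mismatch worth a comment: "lint-terminology" still runs only on "./cheatsheets/" and "link-check" still does "find cheatsheets", so templates and .github markdown now get lint checks but no terminology or link checks; if that is intended, say so in the README, and note that "--ignore cheatsheets_excluded" is only needed on this one script because the other two never leave the cheatsheets directory.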
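Review bot: The line "**!!! REMOVE THIS BLOCK BEFORE TO SUBMIT YOUR CHEAT SHEET VIA PULL REQUEST !!!**" in the templates/New_CheatSheet.md hunk should read "BEFORE SUBMITTING"; since the hunk already rewrites this line, fix the grammar here. Also, the "**Replace `Topic` ... and remove this line**" instruction now sits outside the ```markdown fence while the other removal instructions sit inside it, leaving contributors two separate things to delete; consider moving it into the fenced block so a single deletion clears every template instruction, and add a short note in the block explaining that the rules are fenced so the file keeps a single H1 ("# `Topic` Cheat Sheet") under the repo-wide markdownlint run, otherwise the next editor is likely to unfence it.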