mackowski
commented
4 years ago Merge DOM based XSS Prevention Cheat Sheet with Cross Site Scripting Prevention Cheat Sheet
Closed rbsec closed 3 years ago
mackowski
commented
4 years ago Merge DOM based XSS Prevention Cheat Sheet with Cross Site Scripting Prevention Cheat Sheet
rbsec
commented
4 years ago @mackowski good call.
ThunderSon
commented
4 years ago In general, how I see the naming could be followed is as such:
<Technology> Security Cheat Sheet<Mechanism> Cheat Sheet<Threat> Prevention Cheat SheetTechnology is for example languages, objects, libraries, etc. Mechanism is for example CSP, Modeling, etc. Higher level security focused processes. Threat is what could put a technology or mechanism in a pinch.
As for the table above, I'll be giving it another look and updating it in the coming days.
ThunderSon
commented
4 years ago | Current name | Proposed New Name |
|---|---|
| AJAX Security Cheat Sheet | Same-Technology |
| Abuse Case Cheat Sheet | Abuse Cases Cheat Sheet |
| Access Control Cheat Sheet | Archive |
| Attack Surface Analysis Cheat Sheet | Archive - WSTG covers this topic |
| Authentication Cheat Sheet | Same-Mechanism |
| Authorization Testing Automation | Archive |
| Bean Validation Cheat Sheet | Archive |
| Choosing and Using Security Questions Cheat Sheet | Security Questions Cheat Sheet |
| Clickjacking Defense Cheat Sheet | Clickjacking Prevention Cheat Sheet |
| Content Security Policy Cheat Sheet | Same-Mechanism |
| Credential Stuffing Prevention Cheat Sheet | Same-Threat |
| Cross-Site Request Forgery Prevention Cheat Sheet | Same-Threat |
| Cross Site Scripting Prevention Cheat Sheet | Same-Threat |
| Cryptographic Storage Cheat Sheet | Same-Mechanism |
| C-Based Toolchain Hardening | Archive |
| C-Based Toolchain Hardening Cheat Sheet | Archive |
| DOM based XSS Prevention Cheat Sheet | Merge into XSS Prevention CS |
| Database Security Cheat Sheet | Same-Technology |
| Denial of Service Prevention Cheat Sheet | Same-Threat |
| Deserialization Cheat Sheet | Insecure Deserialization Prevention Cheat Sheet |
| Docker Security Cheat Sheet | Same-Technology |
| DotNet Security Cheat Sheet | Same-Technology |
| Error Handling Cheat Sheet | Same-Mechanism |
| File Upload Cheat Sheet | File Upload Security Cheat Sheet |
| Forgot Password Cheat Sheet | Password and MFA Recovery Security Cheat Sheet |
| HTML5 Security Cheat Sheet | Same-Technology |
| HTTP Strict Transport Security Cheat Sheet | Merge into Transport Layer Security CS |
| Injection Prevention Cheat Sheet | Same-Threat |
| Injection Prevention Cheat Sheet in Java | Archive |
| Input Validation Cheat Sheet | Same-Mechanism |
| Insecure Direct Object Reference Prevention Cheat Sheet | Authorization Cheat Sheet |
| JAAS Cheat Sheet | Archive |
| JSON Web Token Cheat Sheet for Java | JSON Web Token Cheat Sheet |
| Key Management Cheat Sheet | Same-Mechanism |
| LDAP Injection Prevention Cheat Sheet | Same-Threat |
| Logging Cheat Sheet | Same-Mechanism |
| Mass Assignment Cheat Sheet | Mass Assignment Prevention Cheat Sheet |
| Microservices based Security Arch Doc Cheat Sheet | Archive? Microservice Architecture Cheat Sheet? |
| Multifactor Authentication Cheat Sheet | Same-Mechanism |
| Nodejs security cheat sheet | Same-Technology |
| OS Command Injection Defense Cheat Sheet | OS Command Injection Prevention Cheat Sheet |
| PHP Configuration Cheat Sheet | Archive? |
| Password Storage Cheat Sheet | Same-Mechanism |
| Pinning Cheat Sheet | Same-Mechanism |
| Query Parameterization Cheat Sheet | Archive |
| REST Assessment Cheat Sheet | Archive |
| REST Security Cheat Sheet | Same-Technology |
| Ruby on Rails Cheatsheet | Ruby on Rails Security Cheat Sheet |
| SAML Security Cheat Sheet | Same-Technology |
| SQL Injection Prevention Cheat Sheet | Same-Threat |
| Securing Cascading Style Sheets Cheat Sheet | Cascading Style Sheets Security Cheat Sheet |
| Server Side Request Forgery Prevention Cheat Sheet | Same-Threat |
| Session Management Cheat Sheet | Same-Mechanism |
| TLS Cipher String Cheat Sheet | Merge with transport layer security |
| Third Party Javascript Management Cheat Sheet | Third Party JavaScript Management Cheat Sheet |
| Threat Modeling Cheat Sheet | Same-Mechanism |
| Transaction Authorization Cheat Sheet | This is a bit weird? |
| Transport Layer Protection Cheat Sheet | Transport Layer Security Cheat Sheet |
| Unvalidated Redirects and Forwards Cheat Sheet | ?? Should be part of Input Validation? |
| User Privacy Protection Cheat Sheet | Archive? |
| Virtual Patching Cheat Sheet | Same-Mechanism |
| Vulnerability Disclosure Cheat Sheet | Split into two (researchers vs organisations)? |
| Vulnerable Dependency Management Cheat Sheet | Same-Mechanism |
| Web Service Security Cheat Sheet | Same-Technology |
| XML External Entity (XXE) Prevention Cheat Sheet | XML External Entity Prevention Cheat Sheet -- This is a threat, it can stay and reference XML Security CS |
| XML Security Cheat Sheet | Same-Technology |
ThunderSon
commented
4 years ago Let's leave the first table for the final decision
jmanico
commented
4 years ago Wow a lot of good thought went into this name change. I like it! :)
-- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805
On Apr 10, 2020, at 5:42 AM, ThunderSon notifications@github.com wrote:
Let's leave the first table for the final decision
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.
hazanasec
commented
4 years ago Merge
DOM based XSS Prevention Cheat SheetwithCross Site Scripting Prevention Cheat Sheet
Agreed, XSS is either reflected or stored, it's just in some conditions it happens within the DOM
jmanico
commented
4 years ago If we merge I suggest getting some of the BS out of these, these should really be lean and actionable cheatsheets not books. :)
-- Jim Manico @Manicode
On Apr 19, 2020, at 6:29 AM, hazanasec notifications@github.com wrote:
Merge DOM based XSS Prevention Cheat Sheet with Cross Site Scripting Prevention Cheat Sheet
Agreed, XSS is either reflected or stored, it's just in some conditions it happens within the DOM
— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.
ThunderSon
commented
4 years ago @rbsec @mackowski Would love your input on this issue this weekend.
rbsec
commented
4 years ago Those suggestions seem reasonable
ThunderSon
commented
4 years ago Something to help us from having these break would be front-matter headers since we're using gh-pages and Jekyll. Once full agreement has been achieved, I'll work on this. We can set redirection on every page to keep them working properly.
mackowski
commented
4 years ago I also like this changes
rbsec
commented
4 years ago Actually, on reflection I think the (JWT) shouldn't be in the title. Brackets are liable to break things, and we don't do it with any of the others cheat sheets.
ThunderSon
commented
4 years ago Glad you raised that point. Updated. A question. How would that sound if we actually looked at Tokens in general, instead of JWTs? Or that would turn out to be big?
jmanico
commented
4 years ago I think one cheatsheet on JWT's, one on OAuth tokens, another on OIDC - are better written and maintained aseparately.
On 5/11/20 1:14 PM, ThunderSon wrote:
Glad you raised that point. Updated. A question. How would that sound if we actually looked at Tokens in general, instead of JWTs? Or that would turn out to be big?
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/OWASP/CheatSheetSeries/issues/369#issuecomment-626834465, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAEBYCPVSKBSLDDARKXFE7TRRAXBDANCNFSM4LD36YNQ.
-- Jim Manico Manicode Security https://www.manicode.com
rbsec
commented
4 years ago I think that JWT has enough issues and things that get screwed up to have a cheat sheet in its own right. Trying to cover all different kinds of tokens (including just random ones) in one place sounds like it'd get very big and messy.
jmanico
commented
4 years ago I think that JWT has enough issues and things that get screwed up to have a cheat sheet in its own right. Trying to cover all different kinds of tokens (including just random ones) in one place sounds like it'd get very big and messy.
I agree!
On 5/11/20 2:16 PM, rbsec wrote:
I think that JWT has enough issues and things that get screwed up to have a cheat sheet in its own right. Trying to cover all different kinds of tokens (including just random ones) in one place sounds like it'd get very big and messy.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/OWASP/CheatSheetSeries/issues/369#issuecomment-626869002, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAEBYCPZU4QJONHHF7QS4ULRRA6GVANCNFSM4LD36YNQ.
-- Jim Manico Manicode Security https://www.manicode.com
mackowski
commented
4 years ago I also agree, I prefer shorter and more focused cheatsheets - they are easier to read, write, reference and maintain for me.
calabacito
commented
4 years ago We are not able to have expanded/collapsed groups in the view right? That could solve some of the issues like different Tokens. Have that category and then the CSs inside them. Just for organization, instead of keep scrolling.
ThunderSon
commented
4 years ago @calabacito That's all based on the presentation part, and currently we are not stable on that, so let's not consider it till we're stable.
jmanico
commented
4 years ago Can we please bring the xss filter evasion and other attack centric cheatsheet back into the project? We can out them in a different category. All AppSec cheatsheets should be welcome here.
mackowski
commented
4 years ago I believe that @ThunderSon was/is working on merging attack centric content to testing guide
We've spoken a few times about renaming cheat sheets - it's painful to do (as it'll break links) - but I think we do need to sort some of them out, and the later we leave it the harder it's going to be. I've made a table below with some ideas of what I think would be good to rename - @mackowski and @ThunderSon please add any comments for additional changes you think would be good.
If we're going to do this, we should try and do it all in one go, rather than having lots of separate renames and moves.