├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── new_cheatsheet_proposal.md │ └── update_cheatsheet_proposal.md ├── pull_request_template.md └── workflows │ ├── build-and-deploy-website.yml │ ├── identify-old-issues-and-pr.yml │ ├── md-link-check.yml │ ├── md_lint_check.yml │ └── publishing-check.yml ├── .gitignore ├── .markdownlint.json ├── .textlintrc ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── CONTRIBUTOR-V1.md ├── Dockerfile ├── HelpGuide.md ├── Index.md ├── IndexASVS.md ├── IndexMASVS.md ├── IndexProactiveControls.md ├── IndexTopTen.md ├── LICENSE.md ├── Makefile ├── Preface.md ├── Project.code-workspace ├── README.md ├── assets ├── Abuse_Case_Cheat_Sheet_Overview.png ├── Abuse_Case_Cheat_Sheet_SchemaBundle.zip ├── Authorization_Testing_Automation_AutomationRendering.png ├── Bean_Validation_Cheat_Sheet_JSR.png ├── Bean_Validation_Cheat_Sheet_Typical.png ├── C-Based_Toolchain_Hardening_AdditionalPlatformLibraryMacrosTable.png ├── C-Based_Toolchain_Hardening_GCCCPPWarningOptionsTable.png ├── C-Based_Toolchain_Hardening_GCCCWarningOptionsTable.png ├── C-Based_Toolchain_Hardening_GCCObjectiveCWarningOptionsTable.png ├── C-Based_Toolchain_Hardening_VStudioWarningOptionsTable.png ├── C-Based_Toolchain_Hardening_Windows1.png ├── C-Based_Toolchain_Hardening_Windows2.png ├── C-Based_Toolchain_Hardening_XCode1.png ├── C-Based_Toolchain_Hardening_XCode2.png ├── Clickjacking_Defense_Cheat_Sheet_NestedFrames.png ├── Dec_pattern_HLD.png ├── Denial_of_Service_Cheat_Sheet_FlowDDOS.png ├── Deserialization_Cheat_Sheet_GOD16Deserialization.pdf ├── Embed_PDP_HLD.png ├── Error_Handling_Cheat_Sheet_Overview.png ├── Help_Nav.png ├── ID_propogation.png ├── Index_Bash.svg ├── Index_C.svg ├── Index_Coldfusion.svg ├── Index_Cpp.svg ├── Index_Csharp.svg ├── Index_Html.svg ├── Index_Java.svg ├── Index_Javascript.svg ├── Index_Json.svg ├── Index_Perl.svg ├── Index_Php.svg ├── Index_Python.svg ├── Index_Ruby.svg ├── Index_Shell.svg ├── Index_Sql.svg ├── Index_Vbnet.svg ├── 
Index_Xml.svg ├── Kubernetes_Architecture.png ├── Logging_Cheat_Sheet.drawio ├── Logging_Cheat_Sheet.drawio.png ├── NIST_ABAC.png ├── Netflix_AC.png ├── Netflix_ID_prop.png ├── Network_Segmentation_Cheat_Sheet_BACKEND.drawio ├── Network_Segmentation_Cheat_Sheet_BACKEND.drawio.png ├── Network_Segmentation_Cheat_Sheet_FRONTEND.drawio ├── Network_Segmentation_Cheat_Sheet_FRONTEND.drawio.png ├── Network_Segmentation_Cheat_Sheet_MIDDLEWARE.drawio ├── Network_Segmentation_Cheat_Sheet_MIDDLEWARE.drawio.png ├── Network_Segmentation_Cheat_Sheet_Monitoring.drawio ├── Network_Segmentation_Cheat_Sheet_Monitoring.drawio.png ├── Network_Segmentation_Cheat_Sheet_Schematic_symbols.drawio ├── Network_Segmentation_Cheat_Sheet_Schematic_symbols.drawio.png ├── Network_Segmentation_Cheat_Sheet_TIER_Example.drawio ├── Network_Segmentation_Cheat_Sheet_TIER_Example.drawio.png ├── Network_Segmentation_Cheat_Sheet_firewall_1.drawio ├── Network_Segmentation_Cheat_Sheet_firewall_1.drawio.png ├── Network_Segmentation_Cheat_Sheet_firewall_2.drawio ├── Network_Segmentation_Cheat_Sheet_firewall_2.drawio.png ├── Network_Segmentation_Cheat_Sheet_interservice.drawio ├── Network_Segmentation_Cheat_Sheet_interservice.drawio.png ├── Network_Segmentation_Cheat_Sheet_interservice_balancer.drawio ├── Network_Segmentation_Cheat_Sheet_interservice_balancer.drawio.png ├── Network_Segmentation_Cheat_Sheet_interservice_deny.drawio ├── Network_Segmentation_Cheat_Sheet_interservice_deny.drawio.png ├── Network_Segmentation_Cheat_Sheet_logs.drawio ├── Network_Segmentation_Cheat_Sheet_logs.drawio.png ├── Network_Segmentation_Cheat_Sheet_repo.drawio ├── Network_Segmentation_Cheat_Sheet_repo.drawio.png ├── OS_Command_Injection_Defense_Cheat_Sheet_CmdInjection.png ├── OWASP_Logo.svg ├── OWASP_Logo_Transp.png ├── Password_Storage_Cheat_Sheet_Test_PBKDF2_Iterations.java ├── Pinning_Cheat_Sheet_Certificate.png ├── Pinning_Cheat_Sheet_Certificate_DotNetSample.zip ├── Pinning_Cheat_Sheet_Certificate_OpenSSLSample.zip ├── 
Pinning_Cheat_Sheet_PublicKey.png ├── Pinning_Cheat_Sheet_RandomOrgDERDump.png ├── Preface_Cheatsheet_Header.png ├── Preface_Cheatsheet_Logo.png ├── README_FlagshipCombinedReviews.pdf ├── README_PluginWarningUI.png ├── REST_Security_Cheat_Sheet_Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf ├── Secure_Cloud_Architecture_Shared_Responsibility_Model.png ├── Secure_Cloud_Architecture_Trust_Boundaries_1.png ├── Secure_Cloud_Architecture_Trust_Boundaries_2.png ├── Secure_Cloud_Architecture_Trust_Boundaries_3.png ├── Secure_Cloud_Architecture_Trust_Boundaries_4.png ├── Secure_Cloud_Architecture_VPC.png ├── Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Case1_NetworkLayer_PreventFlow.png ├── Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Case1_NetworkLayer_PreventFlow.xml ├── Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf ├── Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible.pdf ├── Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Common_Flow.png ├── Session_Management_Cheat_Sheet_Diagram.png ├── Signed_ID_propogation.png ├── Single_PDP_HLD.png ├── TLS_Cipher_String_Cheat_Sheet_CipherTable01.png ├── TLS_Cipher_String_Cheat_Sheet_CipherTable02.png ├── Threat_Modeling_Cheat_Sheet_dfd.png ├── Token_validation.png ├── WebSite_Favicon.ico ├── WebSite_Favicon.png ├── XS_Attack_Vector.png ├── XS_Leaks_Cache_Attack.png ├── XS_Leaks_Frame_Counting.png ├── XS_Leaks_ID.png ├── XS_Leaks_Sec_Fetch_Dest.png ├── XS_Leaks_eTLD.png ├── cost-of-breach-2024.png └── ms_logging_pattern.png ├── book.json ├── cheatsheets ├── AJAX_Security_Cheat_Sheet.md ├── Abuse_Case_Cheat_Sheet.md ├── Access_Control_Cheat_Sheet.md ├── Attack_Surface_Analysis_Cheat_Sheet.md ├── Authentication_Cheat_Sheet.md ├── Authorization_Cheat_Sheet.md ├── Authorization_Testing_Automation_Cheat_Sheet.md ├── Automotive_Security.md ├── Bean_Validation_Cheat_Sheet.md ├── Browser_Extension_Vulnerabilities_Cheat_Sheet.md ├── C-Based_Toolchain_Hardening_Cheat_Sheet.md ├── 
CI_CD_Security_Cheat_Sheet.md ├── Choosing_and_Using_Security_Questions_Cheat_Sheet.md ├── Clickjacking_Defense_Cheat_Sheet.md ├── Content_Security_Policy_Cheat_Sheet.md ├── Cookie_Theft_Mitigation_Cheat_Sheet.md ├── Credential_Stuffing_Prevention_Cheat_Sheet.md ├── Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md ├── Cross_Site_Scripting_Prevention_Cheat_Sheet.md ├── Cryptographic_Storage_Cheat_Sheet.md ├── DOM_Clobbering_Prevention_Cheat_Sheet.md ├── DOM_based_XSS_Prevention_Cheat_Sheet.md ├── Database_Security_Cheat_Sheet.md ├── Denial_of_Service_Cheat_Sheet.md ├── Deserialization_Cheat_Sheet.md ├── Django_REST_Framework_Cheat_Sheet.md ├── Django_Security_Cheat_Sheet.md ├── Docker_Security_Cheat_Sheet.md ├── DotNet_Security_Cheat_Sheet.md ├── Drone_Security_Cheat_Sheet.md ├── Error_Handling_Cheat_Sheet.md ├── File_Upload_Cheat_Sheet.md ├── Forgot_Password_Cheat_Sheet.md ├── GraphQL_Cheat_Sheet.md ├── HTML5_Security_Cheat_Sheet.md ├── HTTP_Headers_Cheat_Sheet.md ├── HTTP_Strict_Transport_Security_Cheat_Sheet.md ├── Infrastructure_as_Code_Security_Cheat_Sheet.md ├── Injection_Prevention_Cheat_Sheet.md ├── Injection_Prevention_in_Java_Cheat_Sheet.md ├── Input_Validation_Cheat_Sheet.md ├── Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md ├── JAAS_Cheat_Sheet.md ├── JSON_Web_Token_for_Java_Cheat_Sheet.md ├── Java_Security_Cheat_Sheet.md ├── Key_Management_Cheat_Sheet.md ├── Kubernetes_Security_Cheat_Sheet.md ├── LDAP_Injection_Prevention_Cheat_Sheet.md ├── LLM_Prompt_Injection_Prevention_Cheat_Sheet.md ├── Laravel_Cheat_Sheet.md ├── Legacy_Application_Management_Cheat_Sheet.md ├── Logging_Cheat_Sheet.md ├── Logging_Vocabulary_Cheat_Sheet.md ├── Mass_Assignment_Cheat_Sheet.md ├── Microservices_Security_Cheat_Sheet.md ├── Microservices_based_Security_Arch_Doc_Cheat_Sheet.md ├── Mobile_Application_Security_Cheat_Sheet.md ├── Multifactor_Authentication_Cheat_Sheet.md ├── NPM_Security_Cheat_Sheet.md ├── Network_Segmentation_Cheat_Sheet.md ├── 
NodeJS_Docker_Cheat_Sheet.md ├── Nodejs_Security_Cheat_Sheet.md ├── OAuth2_Cheat_Sheet.md ├── OS_Command_Injection_Defense_Cheat_Sheet.md ├── PHP_Configuration_Cheat_Sheet.md ├── Password_Storage_Cheat_Sheet.md ├── Pinning_Cheat_Sheet.md ├── Prototype_Pollution_Prevention_Cheat_Sheet.md ├── Query_Parameterization_Cheat_Sheet.md ├── REST_Assessment_Cheat_Sheet.md ├── REST_Security_Cheat_Sheet.md ├── Ruby_on_Rails_Cheat_Sheet.md ├── SAML_Security_Cheat_Sheet.md ├── SQL_Injection_Prevention_Cheat_Sheet.md ├── Secrets_Management_Cheat_Sheet.md ├── Secure_Cloud_Architecture_Cheat_Sheet.md ├── Secure_Product_Design_Cheat_Sheet.md ├── Securing_Cascading_Style_Sheets_Cheat_Sheet.md ├── Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md ├── Session_Management_Cheat_Sheet.md ├── Software_Supply_Chain_Security_Cheat_Sheet.md ├── Symfony_Cheat_Sheet.md ├── TLS_Cipher_String_Cheat_Sheet.md ├── Third_Party_Javascript_Management_Cheat_Sheet.md ├── Threat_Modeling_Cheat_Sheet.md ├── Transaction_Authorization_Cheat_Sheet.md ├── Transport_Layer_Protection_Cheat_Sheet.md ├── Transport_Layer_Security_Cheat_Sheet.md ├── Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md ├── User_Privacy_Protection_Cheat_Sheet.md ├── Virtual_Patching_Cheat_Sheet.md ├── Vulnerability_Disclosure_Cheat_Sheet.md ├── Vulnerable_Dependency_Management_Cheat_Sheet.md ├── Web_Service_Security_Cheat_Sheet.md ├── XML_External_Entity_Prevention_Cheat_Sheet.md ├── XML_Security_Cheat_Sheet.md ├── XSS_Filter_Evasion_Cheat_Sheet.md └── XS_Leaks_Cheat_Sheet.md ├── cheatsheets_draft ├── OAuth_Cheat_Sheet.md └── Webhook_Security_Guidelines_Cheat_Sheet.md ├── cheatsheets_excluded ├── .gitkeep ├── PL_SQL_Security_Cheat_Sheet.md ├── Secure_SDLC_Cheat_Sheet.md ├── Security_Testing_Cheat_Sheet.md ├── Web_Application_Security_Testing_Cheat_Sheet.md └── Web_Service_Security_Testing_Cheat_Sheet.md ├── exploit-protection-guard.png ├── markdown-link-check-config.json ├── mkdocs.yml ├── package.json ├── requirements.txt ├── 
scripts ├── 404.html ├── Apply_Link_Check.sh ├── Generate_CheatSheets_TOC.py ├── Generate_RSS_Feed.py ├── Generate_Site.sh ├── Generate_Site_mkDocs.sh ├── Generate_Technologies_JSON.py ├── Identify_Old_Issue_And_PR.py └── Update_CheatSheets_Index.py └── templates └── New_CheatSheet.md /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # See [https://help.github.com/en/articles/about-code-owners](https://help.github.com/en/articles/about-code-owners) 2 | 3 | ## These owners will be the default owners for everything in the repo 4 | 5 | - @mackowski @jmanico @szh 6 | 7 | ## Kevin W. Wall (kwwall) 8 | 9 | /cheatsheets/Authentication_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 10 | /cheatsheets/Authorization_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 11 | /cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 12 | /cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 13 | /cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 14 | /cheatsheets/Clickjacking_Defense_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 15 | /cheatsheets/Cryptographic_Storage_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 16 | /cheatsheets/Deserialization_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 17 | /cheatsheets/Forgot_Password_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 18 | /cheatsheets/JAAS_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 19 | /cheatsheets/Key_Management_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 20 | /cheatsheets/Logging_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 21 | /cheatsheets/Mass_Assignment_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 22 | /cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 23 | /cheatsheets/Password_Storage_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 24 | /cheatsheets/Pinning_Cheat_Sheet.md @kwwall 
@mackowski @jmanico @szh 25 | /cheatsheets/Session_Management_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 26 | /cheatsheets/SAML_Security_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 27 | /cheatsheets/Secrets_Management_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 28 | /cheatsheets/TLS_Cipher_String_Cheat_Sheet.md @kwwall @mackowski @jmanico @szh 29 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new_cheatsheet_proposal.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: New Cheat Sheet Proposal 3 | about: Used to create a proposal to add a new cheat sheet to the project. 4 | title: 'New CS proposal: [PUT_TARGET_CS_NAME_HERE]' 5 | labels: ACK_WAITING, HELP_WANTED, NEW_CS 6 | assignees: '' 7 | 8 | --- 9 | 10 | 11 | 12 | ## What is the proposed Cheat Sheet about? 13 | 14 | 15 | ## What security issues are commonly encountered related to this area? 16 | 17 | 18 | ## What is the objective of the Cheat Sheet? 19 | 20 | 21 | ## What other resources exist in this area? 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/update_cheatsheet_proposal.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Cheat Sheet Update 3 | about: Used to create a proposal to update or refactor an existing cheat sheet. 4 | title: 'Update: [PUT_TARGET_CS_NAME_HERE]' 5 | labels: ACK_WAITING, UPDATE_CS, HELP_WANTED 6 | assignees: '' 7 | 8 | --- 9 | 10 | 11 | 12 | ## What is missing or needs to be updated? 13 | 14 | 15 | 16 | 17 | ## How should this be resolved? 
18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | # You're A Rockstar 2 | 3 | Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series. 4 | 5 | > :triangular_flag_on_post: If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet. 6 | 7 | Please make sure that for your contribution: 8 | 9 | - [ ] In case of a new Cheat Sheet, you have used the [Cheat Sheet template](https://github.com/OWASP/CheatSheetSeries/blob/master/templates/New_CheatSheet.md). 10 | - [ ] None of the markdown files raises a validation policy violation, see the [policy](https://github.com/OWASP/CheatSheetSeries/actions?query=workflow%3A%22Markdown+Link+Check%22). 11 | - [ ] All the markdown files follow these [format rules](https://github.com/OWASP/CheatSheetSeries/blob/master/CONTRIBUTING.md#markdown). 12 | - [ ] All your assets are stored in the **assets** folder. 13 | - [ ] All the images used are in the **PNG** format. 14 | - [ ] Any references to websites have been formatted as `[TEXT](URL)` 15 | - [ ] You verified/tested the effectiveness of your contribution (e.g., is the defensive code proposed really an effective remediation? Please verify that it works!). 16 | - [ ] The CI build of your PR passes, see the build status [here](https://github.com/OWASP/CheatSheetSeries/actions). 17 | 18 | If your PR is related to an issue, please finish your PR text with the following line: 19 | 20 | This PR fixes issue #``. 
21 | 22 | Thank you again for your contribution :smiley: 23 | -------------------------------------------------------------------------------- /.github/workflows/build-and-deploy-website.yml: -------------------------------------------------------------------------------- 1 | name: Build and deploy offline website 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | 8 | jobs: 9 | build: 10 | name: Build offline website 11 | runs-on: ubuntu-24.04 12 | env: 13 | CI: true 14 | WORKFLOW_GOOGLE_ANALYTICS_KEY: ${{ secrets.GOOGLE_ANALYTICS_KEY }} 15 | steps: 16 | - name: Setup Action 17 | uses: actions/checkout@v4 18 | - name: Setup Node 19 | uses: actions/setup-node@v4 20 | with: 21 | node-version: 20.x 22 | - name: Setup Python 23 | uses: actions/setup-python@v5 24 | with: 25 | python-version: '3.x' 26 | - name: Install Python dependencies 27 | run: make install-python-requirements 28 | - name: Run build script 29 | run: cd scripts && bash Generate_Site_mkDocs.sh 30 | - name: List generated files 31 | run: ls -al generated/site/ 32 | - name: Create bundle 33 | run: cd generated && zip -r ../bundle.zip site 34 | - name: Test bundle 35 | run: zip -T bundle.zip 36 | - name: Upload bundle as artifact 37 | uses: actions/upload-artifact@v4 38 | with: 39 | name: Bundle 40 | path: bundle.zip 41 | deploy: 42 | name: Deploy offline website 43 | needs: build 44 | runs-on: ubuntu-latest 45 | env: 46 | CI: true 47 | steps: 48 | - name: Setup Action 49 | uses: actions/checkout@v4 50 | with: 51 | fetch-depth: 0 # fetch all branches 52 | - name: Install dependencies 53 | run: sudo apt-get install -y unzip zip 54 | - name: Switch to offline website (gh-pages) branch 55 | run: git checkout gh-pages 56 | - name: Remove previous version website files 57 | run: | 58 | shopt -s extglob 59 | rm -rdfv !("CNAME"|"robots.txt"|"_config.yml") 60 | - name: Download new build from artifact 61 | uses: actions/download-artifact@v4 62 | with: 63 | name: Bundle 64 | - name: Display structure of 
downloaded files 65 | run: ls -R 66 | # - name: Replace bundle with new build 67 | # run: | 68 | # mv Bundle.zip bundle.zip 69 | # rm -rf Bundle 1>/dev/null 2>&1 70 | - name: Test new bundle 71 | run: zip -T bundle.zip 72 | - name: Extract new bundle 73 | run: | 74 | unzip bundle.zip 75 | mv site/* . 76 | upd=`date +"%Y-%m-%d at %T"`; echo "Website last update: $upd." > README.md 77 | rm -rf site 78 | - name: Commit changes to gh-pages 79 | run: | 80 | git config --global user.email "action@github.com" 81 | git config --global user.name "GitHub Action" 82 | git add --all . 83 | git commit -a -m "Deploy the generated website via GitHub Actions" 84 | - name: Publish the build to gh-pages 85 | uses: ad-m/github-push-action@master 86 | with: 87 | github_token: ${{ secrets.GITHUB_TOKEN }} 88 | branch: gh-pages 89 | - name: Send update to Slack 90 | uses: innocarpe/actions-slack@v1 91 | with: 92 | status: ${{ job.status }} 93 | success_text: 'Offline website deployment: **success**' 94 | failure_text: 'Offline website deployment: **fail**' 95 | cancelled_text: 'Offline website deployment **cancelled**' 96 | env: 97 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 98 | SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} 99 | -------------------------------------------------------------------------------- /.github/workflows/identify-old-issues-and-pr.yml: -------------------------------------------------------------------------------- 1 | name: Identify old issues and PR 2 | 3 | on: 4 | schedule: 5 | - cron: "0 0 * * 0" 6 | 7 | jobs: 8 | build: 9 | name: Identify old issues and PR 10 | runs-on: ubuntu-24.04 11 | env: 12 | CI: true 13 | steps: 14 | - name: Setup Action 15 | uses: actions/checkout@v4 16 | - name: SetUp python 17 | uses: actions/setup-python@v5 18 | with: 19 | python-version: '3.x' 20 | - name: Install python dependencies 21 | run: pip install requests 22 | - name: Set Permission 23 | run: chmod +x scripts/Identify_Old_Issue_And_PR.py 24 | - name: Run Script 25 | run: 
python scripts/Identify_Old_Issue_And_PR.py ${{ secrets.SLACK_WEBHOOK }} 26 | -------------------------------------------------------------------------------- /.github/workflows/md-link-check.yml: -------------------------------------------------------------------------------- 1 | name: Markdown Link Check 2 | 3 | on: 4 | push: 5 | pull_request: 6 | branches: 7 | - master 8 | 9 | jobs: 10 | link-check: 11 | runs-on: ubuntu-24.04 12 | env: 13 | CI: true 14 | steps: 15 | - name: Setup Action 16 | uses: actions/checkout@v4 17 | - name: Setup Node 18 | uses: actions/setup-node@v4 19 | with: 20 | node-version: 20.x 21 | - name: Install dependencies 22 | run: npm install 23 | - name: Run link check 24 | run: npm run link-check 25 | - name: Show broken links 26 | if: failure() 27 | run: | 28 | cat log | awk -v RS="FILE:" 'match($0, /(\S*\.md).*\[✖\].*(\d*\slinks\schecked\.)(.*)/, arr ) { print "FILE:"arr[1] arr[3] > "brokenlinks"}' 29 | rm -f err log 30 | cat brokenlinks 31 | links=`cat brokenlinks` 32 | links="${links//'%'/'%25'}" 33 | links="${links//$'\n'/'%0A'}" 34 | links="${links//$'\r'/'%0D'}" 35 | echo ::set-output name=links::**Following links are broken:** %0A$links 36 | - name: Send comment to PR with broken links 37 | if: failure() && github.event_name == 'pull_request' 38 | uses: thollander/actions-comment-pull-request@main 39 | with: 40 | message: ${{ steps.brokenlinks.outputs.links }} 41 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 42 | -------------------------------------------------------------------------------- /.github/workflows/md_lint_check.yml: -------------------------------------------------------------------------------- 1 | name: Markdown Lint Check 2 | 3 | on: 4 | push: 5 | pull_request: 6 | branches: 7 | - master 8 | 9 | jobs: 10 | lint: 11 | runs-on: ubuntu-24.04 12 | env: 13 | CI: true 14 | steps: 15 | - name: Setup Action 16 | uses: actions/checkout@v4 17 | - name: Setup Node 18 | uses: actions/setup-node@v4 19 | with: 20 | node-version: 
20.x 21 | - name: Install dependencies 22 | run: npm install 23 | - name: Run linter 24 | run: npm test 25 | -------------------------------------------------------------------------------- /.github/workflows/publishing-check.yml: -------------------------------------------------------------------------------- 1 | name: Build website 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | name: Build website 8 | runs-on: ubuntu-24.04 9 | env: 10 | CI: true 11 | steps: 12 | - name: Clone repository 13 | uses: actions/checkout@v4 14 | - name: Set up Python 3 15 | uses: actions/setup-python@v5 16 | with: 17 | python-version: '3.12' 18 | - name: Install Python dependencies 19 | run: make install-python-requirements 20 | - name: Build website 21 | run: (cd scripts && bash Generate_Site_mkDocs.sh) 22 | - name: List generated files 23 | run: ls -lah generated/site/ 24 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # VS Code Configuration File 2 | .vscode 3 | # Audit result files 4 | *.out 5 | # Website generation stuff 6 | TOC.md 7 | node_modules/ 8 | site/ 9 | generated/ 10 | .DS_Store 11 | news.xml 12 | package-lock.json 13 | yarn.lock 14 | venv 15 | -------------------------------------------------------------------------------- /.markdownlint.json: -------------------------------------------------------------------------------- 1 | { 2 | "default": true, 3 | "MD004": { "style": "dash"}, 4 | "MD007": {"indent": 4}, 5 | "MD013": false, 6 | "MD024": { "siblings_only": true}, 7 | "MD029": false, 8 | "MD033": { "allowed_elements": [ "details" , "summary" ]}, 9 | "MD040": false 10 | } 11 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 
5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, sex characteristics, gender identity and expression, 9 | level of experience, education, socio-economic status, nationality, personal 10 | appearance, race, religion, or sexual identity and orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | - Using welcoming and inclusive language 18 | - Being respectful of differing viewpoints and experiences 19 | - Gracefully accepting constructive criticism 20 | - Focusing on what is best for the community 21 | - Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | - The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | - Trolling, insulting/derogatory comments, and personal or political attacks 28 | - Public or private harassment 29 | - Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | - Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 
39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at [dominique.righetto@owasp.org](mailto:dominique.righetto@owasp.org) or [jim@owasp.org](mailto:jim@owasp.org). 59 | 60 | All complaints will be reviewed and investigated and will result in a response that 61 | is deemed necessary and appropriate to the circumstances. The project team is 62 | obligated to maintain confidentiality with regard to the reporter of an incident. 63 | Further details of specific enforcement policies may be posted separately. 64 | 65 | Project maintainers who do not follow or enforce the Code of Conduct in good 66 | faith may face temporary or permanent repercussions as determined by other 67 | members of the project's leadership. 
68 | 69 | ## Attribution 70 | 71 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 72 | available at [https://www.contributor-covenant.org/version/1/4/code-of-conduct.html](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html) 73 | 74 | [homepage]: https://www.contributor-covenant.org 75 | 76 | For answers to common questions about this code of conduct, see 77 | [https://www.contributor-covenant.org/faq](https://www.contributor-covenant.org/faq) 78 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:latest 2 | WORKDIR /usr/src/app 3 | 4 | COPY requirements.txt Makefile ./ 5 | RUN make install-python-requirements 6 | 7 | COPY . . 8 | RUN make generate-site 9 | 10 | EXPOSE 8000 11 | ENTRYPOINT ["make", "serve"] 12 | -------------------------------------------------------------------------------- /HelpGuide.md: -------------------------------------------------------------------------------- 1 | # Cheat Sheet Help Guide 2 | 3 | ## Introduction 4 | 5 | Welcome to the Cheat Sheet Help Guide. This guide is designed to help you navigate the website and make the most of the features and resources offered. The cheat sheets are packed with valuable information, and we want to ensure you have all the tools you need to use them effectively. 6 | 7 | ### What's Inside This Guide 8 | 9 | 1. [Basic Navigation](#Basic-Navigation) 10 | 2. [Features](#Features) 11 | 3. [FAQ](#FAQ) 12 | 4. [Troubleshooting Guide](#Troubleshooting-Guide) 13 | 5. [Feedback and Support](#Feedback-and-Support) 14 | 15 | ## Guides 16 | 17 | ### Basic Navigation 18 | 19 | Navigation is easy. Just click on any cheat sheet or cheat sheet series you wish to see on the left side of the site. These links won't go away as you navigate so click away without getting lost. 
20 | ![Help_Nav](https://github.com/tylersnel/CheatSheetSeries/assets/67352917/020de84c-e18f-477a-acd4-889617666308) 21 | 22 | ### Features 23 | 24 | #### Search 25 | 26 | Use the search bar located at the top of the page to search for certain cheat sheets and keywords in cheat sheets. 27 | ![Capture2](https://github.com/tylersnel/CheatSheetSeries/assets/67352917/5af0a995-ef96-42e3-90f6-e7cc8a18cfd1) 28 | 29 | #### Dark Mode 30 | 31 | If you prefer a darker theme, there is a dark mode option for the cheat sheets. Click the light/dark mode button, located next to the search bar, to switch between modes. 32 | 33 | ![Dark_Mode](https://github.com/tylersnel/CheatSheetSeries/assets/67352917/ce753a58-c34e-4384-a726-e947d851e21f) 34 | 35 | #### GitHub Repository 36 | 37 | If you wish to visit the project's GitHub repository, click on the repository link next to the search bar. 38 | ![Repository_Link](https://github.com/tylersnel/CheatSheetSeries/assets/67352917/8582725d-941f-4d2d-b38d-7986e2659cc6) 39 | 40 | ### FAQ 41 | 42 | Here are some frequently asked questions (FAQs) for the OWASP Cheat Sheet Series: 43 | 44 | #### General Information 45 | 46 | **Q: What is the OWASP Cheat Sheet Series?** 47 | A: The OWASP Cheat Sheet Series is a collection of concise, high-value informational articles on specific application security topics, created by various experts in the field. 48 | 49 | **Q: Who creates the cheat sheets?** 50 | A: The cheat sheets are created by application security professionals who have expertise in the specific topics covered. They are open source and anyone is welcome to contribute by submitting a pull request on the [GitHub repository](https://github.com/OWASP/CheatSheetSeries/). 51 | 52 | **Q: What topics do the cheat sheets cover?** 53 | A: The cheat sheets cover a wide range of application security topics, including but not limited to authentication, data validation, secure coding practices, and more. 
54 | 55 | #### Access and Usage 56 | 57 | **Q: How can I access the cheat sheets?** 58 | A: You can access the cheat sheets directly on the OWASP Cheat Sheet Series website. They are available for free to view and download. 59 | 60 | **Q: Can I use the cheat sheets in my projects?** 61 | A: Yes, the cheat sheets are designed to be practical resources that you can use in your projects to enhance security practices. 62 | 63 | **Q: Are the cheat sheets regularly updated?** 64 | A: Yes, the cheat sheets are periodically reviewed and updated to reflect the latest security practices and emerging threats. 65 | 66 | #### Contributions and Community 67 | 68 | **Q: Can I contribute to the cheat sheet series?** 69 | A: Yes, contributions from the community are welcome. You can contribute by suggesting new topics, providing feedback, or updating existing cheat sheets. Create an issue or pull request on our [GitHub repository](https://github.com/OWASP/CheatSheetSeries/). 70 | 71 | #### Licensing and Usage Rights 72 | 73 | **Q: Under what license are the cheat sheets available?** 74 | A: Creative Commons Attribution-Share Alike 4.0 International 75 | 76 | **Q: Can I use the cheat sheets in my commercial projects?** 77 | A: Yes, you can use the cheat sheets in commercial projects, provided you adhere to the terms of the open-source license under which they are released. 78 | 79 | These FAQs should help users understand the purpose, usage, and contributions related to the OWASP Cheat Sheet Series website. 80 | 81 | ### Troubleshooting Guide 82 | 83 | - Refreshing the web page will fix most issues encountered. If the problem persists, close the browser, reopen the browser, and return to the cheat sheet website. 84 | - Clear your cache and cookies or try a different browser. 85 | - If the website is not loading, please check your internet connection. 
86 | 87 | ### Feedback and Support 88 | 89 | - [admin@owasp.com](mailto:admin@owasp.com) 90 | - [https://owasp.org/slack/invite](https://owasp.org/slack/invite) 91 | -------------------------------------------------------------------------------- /IndexMASVS.md: -------------------------------------------------------------------------------- 1 | # MASVS Index 2 | 3 | ## Table of Contents 4 | 5 | - [Objective](#objective) 6 | - [MASVS-STORAGE](#masvs-storage) 7 | - [MASVS-CRYPTO](#masvs-crypto) 8 | - [MASVS-AUTH](#masvs-auth) 9 | - [MASVS-NETWORK](#masvs-network) 10 | - [MASVS-PLATFORM](#masvs-platform) 11 | - [MASVS-CODE](#masvs-code) 12 | - [MASVS-RESILIENCE](#masvs-resilience) 13 | - [MASVS-PRIVACY](#masvs-privacy) 14 | 15 | ## Objective 16 | 17 | The objective of this index is to help OWASP [Mobile Application Security Verification Standard](https://github.com/OWASP/owasp-masvs) (MASVS) users clearly identify which cheat sheets are useful for each section during their usage of the MASVS. 18 | 19 | This index is based on version [2.1.0](https://github.com/OWASP/owasp-masvs/releases/tag/v2.1.0) of the MASVS. 
20 | 21 | ## MASVS-STORAGE 22 | 23 | [Password Storage Cheat Sheet](cheatsheets/Password_Storage_Cheat_Sheet.md) 24 | 25 | [Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md) 26 | 27 | [Cryptographic Storage Cheat Sheet](cheatsheets/Cryptographic_Storage_Cheat_Sheet.md) 28 | 29 | [Secrets Management Cheat Sheet](cheatsheets/Secrets_Management_Cheat_Sheet.md) 30 | 31 | ## MASVS-CRYPTO 32 | 33 | [Cryptographic Storage Cheat Sheet](cheatsheets/Cryptographic_Storage_Cheat_Sheet.md) 34 | 35 | [Key Management Cheat Sheet](cheatsheets/Key_Management_Cheat_Sheet.md) 36 | 37 | ## MASVS-AUTH 38 | 39 | [Authentication Cheat Sheet](cheatsheets/Authentication_Cheat_Sheet.md) 40 | 41 | [Authorization Cheat Sheet](cheatsheets/Authorization_Cheat_Sheet.md) 42 | 43 | [Session Management Cheat Sheet](cheatsheets/Session_Management_Cheat_Sheet.md) 44 | 45 | [Transaction Authorization Cheat Sheet](cheatsheets/Transaction_Authorization_Cheat_Sheet.md) 46 | 47 | [Access Control Cheat Sheet](cheatsheets/Access_Control_Cheat_Sheet.md) 48 | 49 | [JSON Web Token Cheat Sheet for Java](cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md) 50 | 51 | [Credential Stuffing Prevention Cheat Sheet](cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md) 52 | 53 | ## MASVS-NETWORK 54 | 55 | [Transport Layer Security Cheat Sheet](cheatsheets/Transport_Layer_Security_Cheat_Sheet.md) 56 | 57 | [HTTP Strict Transport Security Cheat Sheet](cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md) 58 | 59 | [REST Security Cheat Sheet](cheatsheets/REST_Security_Cheat_Sheet.md) 60 | 61 | [Web Service Security Cheat Sheet](cheatsheets/Web_Service_Security_Cheat_Sheet.md) 62 | 63 | [Pinning Cheat Sheet](cheatsheets/Pinning_Cheat_Sheet.md) 64 | 65 | ## MASVS-PLATFORM 66 | 67 | [Attack Surface Analysis Cheat Sheet](cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md) 68 | 69 | ## MASVS-CODE 70 | 71 | [Vulnerable Dependency Management Cheat 
Sheet](cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.md) 72 | 73 | [Error Handling Cheat Sheet](cheatsheets/Error_Handling_Cheat_Sheet.md) 74 | 75 | [Deserialization Cheat Sheet](cheatsheets/Deserialization_Cheat_Sheet.md) 76 | 77 | [Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md) 78 | 79 | [Insecure Direct Object Reference Prevention Cheat Sheet](cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md) 80 | 81 | [Input Validation Cheat Sheet](cheatsheets/Input_Validation_Cheat_Sheet.md) 82 | 83 | [Injection Prevention Cheat Sheet](cheatsheets/Injection_Prevention_Cheat_Sheet.md) 84 | 85 | [Injection Prevention Cheat Sheet in Java](cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.md) 86 | 87 | [OS Command Injection Defense Cheat Sheet](cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md) 88 | 89 | [Query Parameterization Cheat Sheet](cheatsheets/Query_Parameterization_Cheat_Sheet.md) 90 | 91 | [SQL Injection Prevention Cheat Sheet](cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md) 92 | 93 | [XXE Prevention Cheat Sheet](cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md) 94 | 95 | [XML Security Cheat Sheet](cheatsheets/XML_Security_Cheat_Sheet.md) 96 | 97 | ## MASVS-RESILIENCE 98 | 99 | [Threat Modeling Cheat Sheet](cheatsheets/Threat_Modeling_Cheat_Sheet.md) 100 | 101 | [Abuse Case Cheat Sheet](cheatsheets/Abuse_Case_Cheat_Sheet.md) 102 | 103 | [Attack Surface Analysis Cheat Sheet](cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md) 104 | 105 | [Mobile Application Security Cheat Sheet](cheatsheets/Mobile_Application_Security_Cheat_Sheet.md) 106 | 107 | ## MASVS-PRIVACY 108 | 109 | [User Privacy Protection Cheat Sheet](cheatsheets/User_Privacy_Protection_Cheat_Sheet.md) 110 | -------------------------------------------------------------------------------- /IndexTopTen.md: -------------------------------------------------------------------------------- 1 | # OWASP Top Ten 2021 : Related Cheat Sheets 2 | 3 | The 
[OWASP Top Ten](https://owasp.org/www-project-top-ten/) is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. 4 | 5 | This cheat sheet will help users of the [OWASP Top Ten](https://owasp.org/Top10/) identify which cheat sheets map to each security category. This mapping is based the [OWASP Top Ten 2021 version](https://owasp.org/Top10/#welcome-to-the-owasp-top-10-2021). 6 | 7 | ## [A01:2021 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) 8 | 9 | - [Authorization Cheat Sheet](cheatsheets/Authorization_Cheat_Sheet.md) 10 | - [Insecure Direct Object Reference Prevention Cheat Sheet](cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md) 11 | - [Transaction Authorization Cheat Sheet](cheatsheets/Transaction_Authorization_Cheat_Sheet.md) 12 | - [Cross-Site Request Forgery Prevention Cheat Sheet](cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md) 13 | 14 | ## [A02:2021 – Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) 15 | 16 | - [Cryptographic Storage Cheat Sheet](cheatsheets/Cryptographic_Storage_Cheat_Sheet.md) 17 | - [Transport Layer Security Cheat Sheet](cheatsheets/Transport_Layer_Security_Cheat_Sheet.md) 18 | - [HTTP Strict Transport Security Cheat Sheet](cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md) 19 | - [Secrets Management Cheat Sheet](cheatsheets/Secrets_Management_Cheat_Sheet.md) 20 | - [Key Management Cheat Sheet](cheatsheets/Key_Management_Cheat_Sheet.md) 21 | - [Pinning Cheat Sheet](cheatsheets/Pinning_Cheat_Sheet.md) 22 | 23 | ## [A03:2021 – Injection](https://owasp.org/Top10/A03_2021-Injection/) 24 | 25 | - [Injection Prevention Cheat Sheet](cheatsheets/Injection_Prevention_Cheat_Sheet.md) 26 | - [LDAP Injection Prevention Cheat Sheet](cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md) 27 | - [OS Command Injection Defense 
Cheat Sheet](cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md) 28 | - [Injection Prevention in Java Cheat Sheet](cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.md) 29 | - [SQL Injection Prevention Cheat Sheet](cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md) 30 | - [Query Parameterization Cheat Sheet](cheatsheets/Query_Parameterization_Cheat_Sheet.md) 31 | - [Cross Site Scripting Prevention Cheat_Sheet](cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md) 32 | - [DOM based XSS Prevention Cheat Sheet](cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md) 33 | - [XSS Filter Evasion Cheat Sheet](cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md) 34 | - [Content Security Policy Cheat Sheet](cheatsheets/Content_Security_Policy_Cheat_Sheet.md) 35 | 36 | ## [A04:2021 – Insecure Design](https://owasp.org/Top10/A04_2021-Insecure_Design/) 37 | 38 | - [Threat Modeling Cheat Sheet](cheatsheets/Threat_Modeling_Cheat_Sheet.md) 39 | - [Abuse Case Cheat Sheet](cheatsheets/Abuse_Case_Cheat_Sheet.md) 40 | - [Attack Surface Analysis Cheat Sheet](cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.md) 41 | 42 | ## [A05:2021 – Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/) 43 | 44 | - [Infrastructure as Code Security Cheat Sheet](cheatsheets/Infrastructure_as_Code_Security_Cheat_Sheet.md) 45 | - [XML External Entity Prevention Cheat Sheet](cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md) 46 | - [PHP Configuration Cheat Sheet](cheatsheets/PHP_Configuration_Cheat_Sheet.md) 47 | - [Docker Security Cheat Sheet](cheatsheets/Docker_Security_Cheat_Sheet.md) 48 | 49 | ## [A06:2021 – Vulnerable and Outdated Components](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/) 50 | 51 | - [Vulnerable Dependency Management Cheat Sheet](cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.md) 52 | - [Third Party JavaScript Management Cheat Sheet](cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.md) 53 | - 
[npm Security best practices](cheatsheets/NPM_Security_Cheat_Sheet.md) 54 | 55 | ## [A07:2021 – Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/) 56 | 57 | - [Authentication Cheat Sheet](cheatsheets/Authentication_Cheat_Sheet.md) 58 | - [Session Management Cheat Sheet](cheatsheets/Session_Management_Cheat_Sheet.md) 59 | - [Forgot Password Cheat Sheet](cheatsheets/Forgot_Password_Cheat_Sheet.md) 60 | - [Choosing and Using Security Questions Cheat Sheet](cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.md) 61 | - [Credential Stuffing Prevention Cheat Sheet](cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md) 62 | - [Denial of Service Cheat Sheet](cheatsheets/Denial_of_Service_Cheat_Sheet.md) 63 | - [JSON Web Token for Java Cheat Sheet](cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.md) 64 | - [Multifactor Authentication Cheat Sheet](cheatsheets/Multifactor_Authentication_Cheat_Sheet.md) 65 | - [Password Storage Cheat Sheet](cheatsheets/Password_Storage_Cheat_Sheet.md) 66 | - [SAML Security Cheat Sheet](cheatsheets/SAML_Security_Cheat_Sheet.md) 67 | 68 | ## [A08:2021 – Software and Data Integrity Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/) 69 | 70 | - [Deserialization Cheat Sheet](cheatsheets/Deserialization_Cheat_Sheet.md) 71 | 72 | ## [A09:2021 – Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/) 73 | 74 | - [Logging Cheat Sheet](cheatsheets/Logging_Cheat_Sheet.md) 75 | - [Application Logging Vocabulary Cheat Sheet](cheatsheets/Logging_Vocabulary_Cheat_Sheet.md) 76 | 77 | ## [A10:2021 – Server-Side Request Forgery (SSRF)](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/) 78 | 79 | - [Server Side Request Forgery Prevention Cheat Sheet](cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md) 80 | 81 | ## [A11:2021 – Next 
Steps](https://owasp.org/Top10/A11_2021-Next_Steps/) 82 | 83 | - [Denial of Service Cheat Sheet](cheatsheets/Denial_of_Service_Cheat_Sheet.md) 84 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: help 2 | .SILENT: 3 | 4 | help: 5 | @grep -E '^[a-zA-Z_-]+:.*?# .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?# "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 6 | 7 | install-python-requirements: # Install Python 3 required libraries 8 | python -m pip install --user virtualenv; \ 9 | virtualenv venv; \ 10 | source venv/bin/activate; \ 11 | python -m pip install -r requirements.txt 12 | 13 | generate-site: install-python-requirements # Use custom-script to generate the website 14 | source venv/bin/activate; \ 15 | (cd scripts && bash Generate_Site_mkDocs.sh) 16 | 17 | serve: # Start's a Python http.server on port 8000 serving the content of ./generated/site 18 | # venv not required here as it's simply html 19 | python -m http.server -d generated/site 20 | 21 | clean: # Clean up ephemeral build directories from the repo 22 | rm -rf generated venv 23 | -------------------------------------------------------------------------------- /Preface.md: -------------------------------------------------------------------------------- 1 | # ![OWASPHeader](assets/Preface_Cheatsheet_Header.png) 2 | 3 | ![ProjectLogoOfficial](assets/Preface_Cheatsheet_Logo.png) 4 | 5 | The **OWASP Cheat Sheet Series** was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. 6 | 7 | We hope that this project provides you with excellent security guidance in an easy to read format. :smile: 8 | 9 | You can download this site [here](bundle.zip). 
10 | 11 | An ATOM feed is available [here](News.xml) with the latest updates. 12 | 13 | Project leaders: 14 | 15 | - [Jim Manico](https://github.com/jmanico) 16 | - [Jakub Maćkowski](https://github.com/mackowski) 17 | - [Shlomo Zalman Heigh](https://github.com/szh) 18 | 19 | Core team: 20 | 21 | - [Kevin W. Wall](https://github.com/kwwall) 22 | 23 | Project links: 24 | 25 | - [Homepage](https://owasp.org/www-project-cheat-sheets/) 26 | - [GitHub repository](https://github.com/OWASP/CheatSheetSeries) 27 | - [How to contribute?](https://github.com/OWASP/CheatSheetSeries/blob/master/CONTRIBUTING.md) 28 | - [Logo](https://github.com/OWASP/owasp-swag/tree/master/projects/cheat-sheet-series) 29 | -------------------------------------------------------------------------------- /Project.code-workspace: -------------------------------------------------------------------------------- 1 | { 2 | "folders": [ 3 | { 4 | "path": "." 5 | } 6 | ], 7 | "settings": {} 8 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Welcome to the OWASP Cheat Sheet Series 2 | 3 | [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-48A646.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects) 4 | [![Creative Commons License](https://img.shields.io/github/license/OWASP/CheatSheetSeries)](https://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0") 5 | 6 | Welcome to the official repository for the Open Worldwide Application Security Project® (OWASP) Cheat Sheet Series project. The project focuses on providing good security practices for builders in order to secure their applications. 7 | 8 | In order to read the cheat sheets and **reference** them, use the project [official website](https://cheatsheetseries.owasp.org). 
The project details can be viewed on the [OWASP main website](https://owasp.org/www-project-cheat-sheets/) without the cheat sheets. 9 | 10 | :triangular_flag_on_post: Markdown files are the working sources and aren't intended to be referenced in any external documentation, books or websites. 11 | 12 | ## Cheat Sheet Series Team 13 | 14 | ### Project Leaders 15 | 16 | - [Jim Manico](https://github.com/jmanico) 17 | - [Jakub Maćkowski](https://github.com/mackowski) 18 | - [Shlomo Zalman Heigh](https://github.com/szh) 19 | 20 | ### Core team 21 | 22 | - [Kevin W. Wall](https://github.com/kwwall) 23 | 24 | ## Chat With Us 25 | 26 | We're easy to find on Slack: 27 | 28 | 1. Join the OWASP Group Slack with this [invitation link](https://owasp.org/slack/invite). 29 | 2. Join the [#cheatsheets channel](https://owasp.slack.com/messages/C073YNUQG). 30 | 31 | Feel free to ask questions, suggest ideas, or share your best recipes. 32 | 33 | ## Contributions, Feature Requests, and Feedback 34 | 35 | We are actively inviting new contributors! To start, please read the [contribution guide](CONTRIBUTING.md). 36 | 37 | This project is only possible thanks to the work of many dedicated volunteers. Everyone is encouraged to help in ways large and small. Here are a few ways you can help: 38 | 39 | - Read the current content and help us fix any spelling mistakes or grammatical errors. 40 | - Choose an existing [issue](https://github.com/OWASP/CheatSheetSeries/issues) on GitHub and submit a pull request to fix it. 41 | - Open a new issue to report an opportunity for improvement. 42 | 43 | ### Automated Build 44 | 45 | This [link](https://cheatsheetseries.owasp.org/bundle.zip) allows you to download a build (ZIP archive) of the offline website. 
46 | 47 | ### Local Build [![pyVersion3x](https://img.shields.io/badge/python-3.x-blue.svg)](https://www.python.org/downloads/) 48 | 49 | The OWASP Cheat Sheet Series website can be built and tested locally by issuing the following commands: 50 | 51 | ```sh 52 | make install-python-requirements 53 | make generate-site 54 | make serve # Binds port 8000 55 | ``` 56 | 57 | ### Container Build 58 | 59 | The OWASP Cheat Sheet Series website can be built and tested locally inside a container by issuing the following commands: 60 | 61 | #### Docker 62 | 63 | ```sh 64 | docker build -t cheatsheetseries . 65 | docker run --name cheatsheetseries -p 8000:8000 cheatsheetseries 66 | ``` 67 | 68 | #### Podman 69 | 70 | ```sh 71 | podman build -t cheatsheetseries . 72 | podman run --name cheatsheetseries -p 8000:8000 localhost/cheatsheetseries 73 | ``` 74 | 75 | ## Contributors 76 | 77 | - **From 2014 to 2018:** [V1](CONTRIBUTOR-V1.md) - Initial version of the project hosted on the [OWASP WIKI](https://wiki.owasp.org). 78 | - **From 2019:** [V2](https://github.com/OWASP/CheatSheetSeries/graphs/contributors) - Hosted on [GitHub](https://github.com/OWASP/CheatSheetSeries). 79 | 80 | ## Special thanks 81 | 82 | A special thank you to the following people for their help provided during the migration: 83 | 84 | - [Dominique Righetto](https://github.com/righettod): For his special leadership and guidance. 85 | - [Elie Saad](https://github.com/ThunderSon): For valuable help in updating the OWASP Wiki links for all the migrated cheat sheets and for years of leadership and other project support. 86 | - [Jakub Maćkowski](https://github.com/mackowski): For valuable help in updating the OWASP Wiki links for all the migrated cheat sheets. 87 | 88 | Open Worldwide Application Security Project and OWASP are registered trademarks of the OWASP Foundation, Inc. 
89 | -------------------------------------------------------------------------------- /assets/Abuse_Case_Cheat_Sheet_Overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Abuse_Case_Cheat_Sheet_Overview.png -------------------------------------------------------------------------------- /assets/Abuse_Case_Cheat_Sheet_SchemaBundle.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Abuse_Case_Cheat_Sheet_SchemaBundle.zip -------------------------------------------------------------------------------- /assets/Authorization_Testing_Automation_AutomationRendering.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Authorization_Testing_Automation_AutomationRendering.png -------------------------------------------------------------------------------- /assets/Bean_Validation_Cheat_Sheet_JSR.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Bean_Validation_Cheat_Sheet_JSR.png -------------------------------------------------------------------------------- /assets/Bean_Validation_Cheat_Sheet_Typical.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Bean_Validation_Cheat_Sheet_Typical.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_AdditionalPlatformLibraryMacrosTable.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_AdditionalPlatformLibraryMacrosTable.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_GCCCPPWarningOptionsTable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_GCCCPPWarningOptionsTable.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_GCCCWarningOptionsTable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_GCCCWarningOptionsTable.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_GCCObjectiveCWarningOptionsTable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_GCCObjectiveCWarningOptionsTable.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_VStudioWarningOptionsTable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_VStudioWarningOptionsTable.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_Windows1.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_Windows1.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_Windows2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_Windows2.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_XCode1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_XCode1.png -------------------------------------------------------------------------------- /assets/C-Based_Toolchain_Hardening_XCode2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/C-Based_Toolchain_Hardening_XCode2.png -------------------------------------------------------------------------------- /assets/Clickjacking_Defense_Cheat_Sheet_NestedFrames.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Clickjacking_Defense_Cheat_Sheet_NestedFrames.png -------------------------------------------------------------------------------- /assets/Dec_pattern_HLD.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Dec_pattern_HLD.png 
-------------------------------------------------------------------------------- /assets/Denial_of_Service_Cheat_Sheet_FlowDDOS.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Denial_of_Service_Cheat_Sheet_FlowDDOS.png -------------------------------------------------------------------------------- /assets/Deserialization_Cheat_Sheet_GOD16Deserialization.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Deserialization_Cheat_Sheet_GOD16Deserialization.pdf -------------------------------------------------------------------------------- /assets/Embed_PDP_HLD.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Embed_PDP_HLD.png -------------------------------------------------------------------------------- /assets/Error_Handling_Cheat_Sheet_Overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Error_Handling_Cheat_Sheet_Overview.png -------------------------------------------------------------------------------- /assets/Help_Nav.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Help_Nav.png -------------------------------------------------------------------------------- /assets/ID_propogation.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/ID_propogation.png -------------------------------------------------------------------------------- /assets/Index_Bash.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_C.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Coldfusion.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Cpp.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Csharp.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Html.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Java.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Javascript.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Json.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Python.svg: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Ruby.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Shell.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Sql.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Vbnet.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Index_Xml.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/Kubernetes_Architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Kubernetes_Architecture.png -------------------------------------------------------------------------------- /assets/Logging_Cheat_Sheet.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Logging_Cheat_Sheet.drawio.png -------------------------------------------------------------------------------- /assets/NIST_ABAC.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/NIST_ABAC.png -------------------------------------------------------------------------------- /assets/Netflix_AC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Netflix_AC.png -------------------------------------------------------------------------------- /assets/Netflix_ID_prop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Netflix_ID_prop.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_BACKEND.drawio: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_BACKEND.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_BACKEND.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_FRONTEND.drawio: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_FRONTEND.drawio.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_FRONTEND.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_MIDDLEWARE.drawio: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_MIDDLEWARE.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_MIDDLEWARE.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_Monitoring.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_Monitoring.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_Schematic_symbols.drawio: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_Schematic_symbols.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_Schematic_symbols.drawio.png -------------------------------------------------------------------------------- 
/assets/Network_Segmentation_Cheat_Sheet_TIER_Example.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_TIER_Example.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_firewall_1.drawio: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_firewall_1.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_firewall_1.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_firewall_2.drawio: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_firewall_2.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_firewall_2.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_interservice.drawio: -------------------------------------------------------------------------------- 1 | 
7V1pd6JKE/418/HmQANGP7pLLmDcYvDLHAQGQRRfRRF+/VvVDS6QTDI3ZszMMffOkW56qe2pKpbSb0J9sW+vjdVMDSzb/0Y4a/9NaHwjhOc5Ah/YE7OeCqmwDmftWumgY8fATey0k0t7t65lb84GhkHgh+7qvNMMlkvbDM/6jPU6iM6H/Qj8811XhmMXOgam4Rd7x64Vzlhvmdwf+zu268yynflSyt/CyAannGxmhhVEJ11C85tQXwdByI4W+7rto/AyubB5rVfOHghb28vwPRP03n1XFErJsK4t//mRJNbKmfyTrrIz/G3KcEpsGGcSiGZuaA9WhontCLT8TajNwoUPLR4OfWNq+zXDnDvrYLu06oEfrOlEoUX/YMhmbocmCoODhuG7zhKOTSDbhpG1nb0OXRB4NT0RBrjDJlwHcztbbRksYfdaSixMsPevSoE/yBaM0g4WdriOYUg6QUi1kZqjVErb0YlypbRvdqJYiUs7jdSgnMPSR5nDQSr2X1ABKaigVq3/29TgiOO/iDYuIPh78VzyJa4oeZ68IHm+9FmSFwqSV+VGQ2mOq/3m3yX8g/X+RPiE+63CFwvCl7Vhs681h3+T2N82+ZekLpLPkrpUkHqr3wW5/23ehq+8w+Dvf6vBlwrStS1INdJmsA5ngRMsDb957K1RsdpWKr7jGCVAQVEdeHYYxmneZGzD4FxDIK51/AyNf7g7ji9lPTqueCeWy1lHY5/uwVrxaevRXrsgAlQY7WR8IPE/Vw7wGmzXpv22EwiNtWOHP0tThJe1vbZ9I3R354S8pLl06mPgAokHKyECf0ekc0Mpl+/K5+sw6tKppwlWbjU+D/dybiEmjsJC1JoOTP13Aytfw8AuaAyV9xrD/QeN4WNxi7uGmA845u6kMxC/AeANSDOs4nXQMYumfS0X2b40nvn36lC8BJ6BLyM+GbBCZG1eh3uplEv+y7krpjyguZ+OhwNGwUVRLBavwG729asu4irmJXKVr29elUICOLanKHp7DQlXwfTO07fNit1i+eHu0dhODSgVDkySat+kxkvJnrug91pqP4JlmBoiT479DXfhAEu+O0XGNqZhw2d9uwmDRSNYGO7ybrNzsqTzMdi4oRu8mEwquQEsqcynmtMghJUvdFOhnIv8Jf5OyBKLk4xTKt/dS8WcU6zcCdInhSv+uuEK084Sf+ZR7iSx9IZX+ey0k8/uJL7lRyrXzDQyKk+xWm0V1PkbUWkk27WNXC3tMArWc3eJ58CBfK+uVj6gCxH3veWu7cjw/e+PAfS59uY7kP11wUsq5C53DSBV7l5C7/3dC+A99l7eAK6bCiB2iZDDLiTfV8au8N7LhFfU/pvAW7y5CNgzluYXDLJKYFjfM+q+/7CNEGD+hQHL56OtWMTqi7fwP0vXYkGlF0ChlUuroeckqbaMzYyuj4N/QP/JzTdLssuWWHiIAmfKZCqUSr8AyIvfcuHvc0lvXiuv3CR5cyGeu8+t9Mp9m0tl0rx00/p7tS6WL6T1/EK/X+vXvY17iLBpOL52ML5/bzC+biZ9XwjG1UcZOk7S1i+RV6/W9s61IzgahECViXn1Jo3ERyNCCg5vExyew3ytIC0J+SAtvDOhFkufZQVXuUH+X6F7SZS+97bZh73/x/RTvDd1w+dn4bNEvhw+SfFW1S2heiUPuicXSqjyC/32hIoU73I1jNCYGhu7YA4AqhXDJsPuz+Hz+tsJP+jfzxBWcC50y2rWy504Cguo/SZUWZO00BmQ2h4skNQfOxqZxDVxOt5vzWQ11xPONTp9zmwEO0Wo8eYi2k6Fh6VC+p5CnjaTMe9Pl/1ESZpbdVB25c4snLalpLvQvMfBQ2B1+lHXLe904cHXn/sra/HkTQkfTomUKItKPIkrWzNWj/OWD/OJd7qnJVixJKixtDMX5k4dzqXuoBypbhlm8fGkrYem4G+tdktUxlIix7Jjt/nNdKmWTGGyPKUBVhKUpZnuC/Mb1UgRkN/DnIq8
mHFWp1pS4gqMNrdWojJ+EzmC8TtcU3YP8kmmpL8y25W5MTylWdtN2n6E55SltrOeH7zJeAL0W76ykHyrXmk+NXs7k8C85xqMnYdqXZpb7d6J/PytIWie/lzzCzycnMtkqIMeTPAjOnlKFHI8D7SSyfNDYowr28eBvFe8piu3/TmsmVgLU9KSqqjVZccYS2uTaDOzPSqBjmKT+Lsp6EGti5Lqiolcd2KtUeW1YY8o9SrIrikqw2qiDJv7fweyc8JLadKueNNFK5yATEyhtXkm/Rnox9WfNR/kweTdgLU7NRHok4CuyOw4wPtkNXm26lPBqche1VHrVUEbiLzqVvcg+606bDL5NFaJ2W55dP3Og2+Sp9hajOCctZp0+gGsx+ahrQxN4HfmG2MrsHDPIejca+5lTyxPx0+cPkbamsB/D3TP+0DnHOx0pg7NWHMh4a49dtAiV4N+U8dWW/O6vgW63Djmor/oLlruVHjiYE/30dsDXlYLsJdQf+7BaGPMzyZkRK3mXwEpj0BCamkCWpuOW1w6g7NRU2yfePKcWszwZ8jre9OxT+cpvMYZ4/1mwPZylUQs4x5W2+em7dHu0Yt2OlFLT6QSG3BOEc74qVfCCfA7abc4fYgznxZmXFtNQFb0OGkKqtdzH13ds9vN+/qAfT64mqgPNw/p50IWZrNuNGef8SeP7c3P+6P5Q27eQ7be4fPCc0Buc8B0ksnlsT1ZTTt933RT2S38jdV+ip8T+Si74X4xGVkz61kDPLa2vcWeP45/6ujPTwngbjadP2ysZxmxGamILaE/77efCMzhUhzHsguXBrWUmrJC0t09kVGa7E8804p6hwlFl+no6DGAMp1UNlNBrsiuSsBX4D9AygNYNqyzqET6WFtZnTkgET3GZGXVebDqh6UxFkNYg7PalRCRCwheGM+9EOw5noDnUcZ7f7LsIYIL88yFvzQ6L5+D9aJ0vSWMA29Y2YDnmk0Xmo+eSwUvNRGeVkA7NyV7oLG11ckI6cM5VIrU64z7IKknAZAfdRvI09EbQlTizeUDRCygt92SJs/AP3qkZC6oDYfDdaaLMNFJK5oMVx56KQU9njcHjycTbXDuKXUB5aOKimcm6hBk6J6fBy+1nIxPZVk9p2dZA8w+JQZ4nalgwnk5d94Cevo7K+aDyTiTXTNSqVd7cRzIc7YC31CajHup7l4cJxjjPmdQjwi85SMA6BG8uKA8gyd2OTEnF5grIb2hPUT5OLk9Vrsp4WDv0Vb1mpKaNCUNPP6UPPxvMta4l/TK5KTtpu1KDH3eZMH+g31BNhVhIjykKGltTPBxR0RFp1G0dKr/bEyGEdiDM+rMTuhxA3XeLOgcMpMt0gnYCHUBI0uLA3/sp7aZWB1/g74ZET5tBB5EJkFdqATOYVQN5UZ1ow7VreY5juXCOVeEaFTzsF+LRV4bVPeaC1F1EO3VWCTdejWBfkFzs3ZtLDeaieLpotxWIQpGkVznsjHnx50A/f2Zd3zs1CCiOSyiLekxehLMsc5tl1S2U8jGQB+xMkZcTGZW5ylG3qhOhL4E8QOiIviWdlSSwRtpyYOHNk6xNqB0x1o9yqKzY9Qxuo5iSrdX3XYbo4165C8EvoHHYzuT0xNGeMa7LDdUQfFkTm69m7ckb7+/zBtJLc4LFxhLlSNmS5AB7RH3X43n7qV4PuozzbYOdnhqs0C3vu0OmwfbVoZIs0mUzFabwH82xjO3aqKj7cbqQIyB/+gwDtdkMslwEDH+ca2qow0dWL+5OWZ/EfjfZiI3TB7lfFjn/bLi8n75123fWugL8Lv1g6wIyEUEWmLFc6QUpxzECQnwifLjtEEkKV41QbyCDUVgM1kb+ea7A4bl9Fyo0U+QcwJ21ehtlOEcPum6eE4CP5GtG3YHIlwBVQ9z0/Zx3YYKNlnllEYP13KyNdm4Wukse8gyhgjy3iC9NqDHGEEh389H0N0UrmF0ob8zXd4Dz0hgLGSnIxbdOhpnQwYAa1AkdV3N
7bZ7nJpgZAOtzDkHtLvVqCWBphtNpxeDNAfAGaAKOBCB00y6KFFBbuhgHQ6Ml7fdg+RNtDSwFuAwAcRBn3ZEGViIA/Po9Y6gNFRApengObAmWGu+B2vaaomcrsksHTx1BGuARlVC5wwdB+hJlMYI6XWQRpBuCOP2oKk91VgMbUCIOgAPi3vXD23QNtANFo18qh7QOBATXJ+OGyCNo/0veHDyYQ9eRHwMPAnAAwFe9hnigT+49gFLrIsiyAt0UN2DpYJcIBNqYFQfAfpBh14PeYqp1caiBPqiclbAC2jJHM+hTlBeXBq5OIrgOgfW2eOhTah+ABEg80Tu6DAX1k9kRwfvAHrCNQjIEixZBluRU32wYzi3p/IdiBL1rHXwNC7qbySwPXQC/GzTc2Bf6KnnG6SdIQtopnubOA76q2gTDn6q2bhkRNvAF213Gw5tg5di44cqk0XCzqsezgcPORxBW4Z9dNb21A0b16Q8ag08z9B5bOvU5hDxqY0BvSbSiPbMgz0DPbgvyGjYQ775Lo4FHQAu0Cum/Mw5wAyMbTKacSzITY3RM/SYLdahPajydH2QEWIJshWGt3bKk8fmY5SjPFCvhP16SvP8pE1lil47pHqHrAUiWpzaDYd7sHFUH6h/9IRRqmP0XiHVRwNlNKJZD9DGo/5UZmeIHexLmJ3hGMAjHdeDqALzQEe4FvgP2HNO2Fpz5B0wF4FcqrAe+gIZbXyvUn5NinXIVKk9AC5xXLoeHYd2A329mHnTkWO78u592aUZfTS7PMmE0+xyhLSA3Y/wqiOLPBiF9kyeOscw2nOY7psYwWnUAX2IiJ3MJlWUF/gqOAd2oEqUv6TnTMH/4hWPAjak0eykx1HZNSOIJHO0h42G9/u8Ofpu0Esk0CiP2RHKfwDtugg+HSIU7A1t0qU4Bv/C8JZisJfSIVOsaNR3oN/tMWx4DGvdoZpir8nsLEG7Qz2qJ22d6ibFDsdshWEMsxXEikL9jb5H3ULmn2JDRfvg1AH12xyzCTlRqK/qEZnamnygl/o5ysOIUIzRPTCe6bjOnkVfoH2oI8bA3kYwn9o4xoR9Zr+wP64FthpRfMgsUm/ADycyxaPO/KdLbY9j8chEPjBOEuYvAwd8eAgyB1kjDlT0m5HCMJfaA/W3wIsaM9mD3VB9m2m7yjN+UBdyimmwEVwXfYTLfBEb69AMjeosoT5EYD69J1C7GlDs7zGDTPffY6bG8OWkPsXZIL0g54jOSagfhgwT40xTorgDmWrUtyHvVeoTVIZjHBczfKKt6jRms3GMNrQ3lfl7yBNQl4AVKo9qzPSe+XXqP4nK4jfoDdfQEyabEfcLcVm4dCY+hBwH8MKDnhFHIrtCGCFGebmlO4ATautw5YF9AsZNuIqn+IE+8AtOfEZ/EtE7kI8OPkvA/89rHPF54smjBo7+FR4iWfYPY+uHuYdOx95XnxgWnmOePWi8wIPB+/vKC6/DFt+GFfnio0FJ+KxHg6TwkOhYJF98S/aPLVvNF8mXX/h6gt9cJE/eqJL/i6Sfr5J/Sfq/uUqeFMvkTwq2/yLZ5wu2X5T97y3YJsUXPP+sglqSvqnx5ns/AvngSwof+xqOyjXk/FrF4+Hc16h4FN5bIv8lKmp5Tvy1msf8hE+qqS1+s8XNwn7ZS3yJotovamGZEP/gutoLBPF8HWyFfJk62OwL2251sKdCKb8T+sy8r5UgZGT+TYWwF0BbsXC1wn+NwlVy3YzuaxauZgURb4OtfNVsnCuA7Y8sXL0EwPh8OLtyoalw5Tz225cqPhPIOwElfDRz/ZjSivcu/6riswsALV8sViFXL0YRhD8JapdE1XtvOLBU/WqoKt4YveHpteKur4Cn4jePfrjM51Ct8x8qfdiN61uZz63M51bmcyvzuZX53Mp8bmU+tzKfW5nPrcznVuZzK/O5lfncynxuZT63Mp9bmc+tzOdW5nMr87mV+dzKfG5lPrcyn7+5zAdfHrpymY9wlS/XPXvf
1vSNzcY1c6/c/rdvB2Rnsp+NJZd9TvvuL/W88tsP1/3S1Rd/9q4k/pc3V+y9Gz5n68PxyZN5aB1XwsYnPJd/92N57oPqfvm1aoKvFnInf7kawUr5Tjw5m1v/3T+hl6snKPO5V6k++Sf0hKu8JfxnOqB3f6nwJ707DM3jj2czAzj+BLnQ/D8= -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_interservice.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_interservice.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_interservice_balancer.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_interservice_balancer.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_interservice_deny.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_interservice_deny.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_logs.drawio: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_logs.drawio.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_logs.drawio.png -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_repo.drawio: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Network_Segmentation_Cheat_Sheet_repo.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Network_Segmentation_Cheat_Sheet_repo.drawio.png -------------------------------------------------------------------------------- /assets/OS_Command_Injection_Defense_Cheat_Sheet_CmdInjection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/OS_Command_Injection_Defense_Cheat_Sheet_CmdInjection.png -------------------------------------------------------------------------------- /assets/OWASP_Logo.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /assets/OWASP_Logo_Transp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/OWASP_Logo_Transp.png -------------------------------------------------------------------------------- /assets/Password_Storage_Cheat_Sheet_Test_PBKDF2_Iterations.java: -------------------------------------------------------------------------------- 1 | import javax.crypto.SecretKeyFactory; 2 | import 
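import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;

// PLEASE RENAME THIS FILE TO PBKDF2ItEval.java BEFORE COMPILING.
/**
 * Measures how long PBKDF2-HMAC-SHA512 takes at several iteration counts so an
 * operator can pick a work factor that fits their latency budget.
 *
 * Every run derives one 256-bit key from a fixed test password and a fresh
 * random 64-byte salt, exactly as the original four hand-unrolled runs did;
 * the printed lines are unchanged.
 */
public class PBKDF2ItEval {

    /** JCA SecretKeyFactory algorithm used for every derivation. */
    static final String ALGORITHM = "PBKDF2WithHmacSHA512";

    /** Iteration counts to time, in ascending order. */
    static final int[] ITERATIONS = {10000, 100000, 500000, 1000000};

    /** Labels for ITERATIONS (dotted thousands), kept so the printed text stays identical. */
    static final String[] LABELS = {"10.000", "100.000", "500.000", "1.000.000"};

    /** Length of the derived key, in bits. */
    static final int KEY_LENGTH_BITS = 256;

    /**
     * Derives key material with PBKDF2.
     *
     * @param algorithm     JCA SecretKeyFactory algorithm name (e.g. PBKDF2WithHmacSHA512)
     * @param password      password characters; the caller's array is neither modified nor cleared
     * @param salt          salt bytes, used as-is
     * @param iterations    PBKDF2 iteration count
     * @param keyLengthBits derived key length in bits
     * @return the derived key bytes (keyLengthBits / 8 bytes long)
     * @throws IllegalStateException if the algorithm is unavailable or the key spec is rejected
     */
    static byte[] deriveKey(String algorithm, char[] password, byte[] salt, int iterations, int keyLengthBits) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyLengthBits);
        try {
            return SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 derivation failed for " + algorithm, e);
        } finally {
            // PBEKeySpec holds its own copy of the password; wipe it once the key is derived.
            spec.clearPassword();
        }
    }

    /**
     * Times a single PBKDF2 derivation.
     *
     * Uses System.nanoTime() instead of System.currentTimeMillis(): nanoTime is
     * monotonic, whereas currentTimeMillis is wall-clock time and can jump if the
     * system clock is adjusted mid-measurement. A single run includes JIT warm-up,
     * so read the result as a rough upper bound rather than a steady-state figure.
     *
     * @return elapsed time in milliseconds (truncated), never negative
     */
    static long timeDerivationMillis(String algorithm, char[] password, byte[] salt, int iterations, int keyLengthBits) {
        long start = System.nanoTime();
        deriveKey(algorithm, password, salt, iterations, keyLengthBits);
        return (System.nanoTime() - start) / 1000000L;
    }

    /**
     * Runs one timed derivation per entry of ITERATIONS and prints the elapsed time.
     *
     * @param args ignored
     * @throws Exception kept for backward compatibility of the signature; nothing checked is thrown
     */
    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[64];
        char[] password = "mypassword".toCharArray();
        for (int i = 0; i < ITERATIONS.length; i++) {
            // Fresh random salt for every run, as in the hand-unrolled original.
            rnd.nextBytes(salt);
            long elapsed = timeDerivationMillis(ALGORITHM, password, salt, ITERATIONS[i], KEY_LENGTH_BITS);
            System.out.printf("Computation time is %s milliseconds for %s iterations with a key size of %d bits\n",
                    elapsed, LABELS[i], KEY_LENGTH_BITS);
        }
    }
}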
/assets/Pinning_Cheat_Sheet_Certificate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Pinning_Cheat_Sheet_Certificate.png -------------------------------------------------------------------------------- /assets/Pinning_Cheat_Sheet_Certificate_DotNetSample.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Pinning_Cheat_Sheet_Certificate_DotNetSample.zip -------------------------------------------------------------------------------- /assets/Pinning_Cheat_Sheet_Certificate_OpenSSLSample.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Pinning_Cheat_Sheet_Certificate_OpenSSLSample.zip -------------------------------------------------------------------------------- /assets/Pinning_Cheat_Sheet_PublicKey.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Pinning_Cheat_Sheet_PublicKey.png -------------------------------------------------------------------------------- /assets/Pinning_Cheat_Sheet_RandomOrgDERDump.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Pinning_Cheat_Sheet_RandomOrgDERDump.png -------------------------------------------------------------------------------- /assets/Preface_Cheatsheet_Header.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Preface_Cheatsheet_Header.png -------------------------------------------------------------------------------- /assets/Preface_Cheatsheet_Logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Preface_Cheatsheet_Logo.png -------------------------------------------------------------------------------- /assets/README_FlagshipCombinedReviews.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/README_FlagshipCombinedReviews.pdf -------------------------------------------------------------------------------- /assets/README_PluginWarningUI.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/README_PluginWarningUI.png -------------------------------------------------------------------------------- /assets/REST_Security_Cheat_Sheet_Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/REST_Security_Cheat_Sheet_Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf -------------------------------------------------------------------------------- /assets/Secure_Cloud_Architecture_Shared_Responsibility_Model.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Secure_Cloud_Architecture_Shared_Responsibility_Model.png 
-------------------------------------------------------------------------------- /assets/Secure_Cloud_Architecture_Trust_Boundaries_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Secure_Cloud_Architecture_Trust_Boundaries_1.png -------------------------------------------------------------------------------- /assets/Secure_Cloud_Architecture_Trust_Boundaries_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Secure_Cloud_Architecture_Trust_Boundaries_2.png -------------------------------------------------------------------------------- /assets/Secure_Cloud_Architecture_Trust_Boundaries_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Secure_Cloud_Architecture_Trust_Boundaries_3.png -------------------------------------------------------------------------------- /assets/Secure_Cloud_Architecture_Trust_Boundaries_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Secure_Cloud_Architecture_Trust_Boundaries_4.png -------------------------------------------------------------------------------- /assets/Secure_Cloud_Architecture_VPC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Secure_Cloud_Architecture_VPC.png -------------------------------------------------------------------------------- 
/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Case1_NetworkLayer_PreventFlow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Case1_NetworkLayer_PreventFlow.png -------------------------------------------------------------------------------- /assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Case1_NetworkLayer_PreventFlow.xml: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf -------------------------------------------------------------------------------- /assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible.pdf -------------------------------------------------------------------------------- /assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Common_Flow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Common_Flow.png 
-------------------------------------------------------------------------------- /assets/Session_Management_Cheat_Sheet_Diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Session_Management_Cheat_Sheet_Diagram.png -------------------------------------------------------------------------------- /assets/Signed_ID_propogation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Signed_ID_propogation.png -------------------------------------------------------------------------------- /assets/Single_PDP_HLD.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Single_PDP_HLD.png -------------------------------------------------------------------------------- /assets/TLS_Cipher_String_Cheat_Sheet_CipherTable01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/TLS_Cipher_String_Cheat_Sheet_CipherTable01.png -------------------------------------------------------------------------------- /assets/TLS_Cipher_String_Cheat_Sheet_CipherTable02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/TLS_Cipher_String_Cheat_Sheet_CipherTable02.png -------------------------------------------------------------------------------- /assets/Threat_Modeling_Cheat_Sheet_dfd.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Threat_Modeling_Cheat_Sheet_dfd.png -------------------------------------------------------------------------------- /assets/Token_validation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/Token_validation.png -------------------------------------------------------------------------------- /assets/WebSite_Favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/WebSite_Favicon.ico -------------------------------------------------------------------------------- /assets/WebSite_Favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/WebSite_Favicon.png -------------------------------------------------------------------------------- /assets/XS_Attack_Vector.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/XS_Attack_Vector.png -------------------------------------------------------------------------------- /assets/XS_Leaks_Cache_Attack.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/XS_Leaks_Cache_Attack.png -------------------------------------------------------------------------------- /assets/XS_Leaks_Frame_Counting.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/XS_Leaks_Frame_Counting.png -------------------------------------------------------------------------------- /assets/XS_Leaks_ID.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/XS_Leaks_ID.png -------------------------------------------------------------------------------- /assets/XS_Leaks_Sec_Fetch_Dest.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/XS_Leaks_Sec_Fetch_Dest.png -------------------------------------------------------------------------------- /assets/XS_Leaks_eTLD.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/XS_Leaks_eTLD.png -------------------------------------------------------------------------------- /assets/cost-of-breach-2024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/cost-of-breach-2024.png -------------------------------------------------------------------------------- /assets/ms_logging_pattern.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/assets/ms_logging_pattern.png -------------------------------------------------------------------------------- /book.json: -------------------------------------------------------------------------------- 1 | { 2 | "root": "./cheatsheets", 3 | "plugins": [ 4 | "anchors" 5 | ], 6 | "structure": { 7 
| "readme": "Preface.md", 8 | "summary": "TOC.md" 9 | }, 10 | "title": "OWASP Cheat Sheet Series", 11 | "language": "en", 12 | "description": "Website with the collection of all the cheat sheets of the project." 13 | } -------------------------------------------------------------------------------- /cheatsheets/AJAX_Security_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # AJAX Security Cheat Sheet 2 | 3 | ## Introduction 4 | 5 | This document will provide a starting point for AJAX security and will hopefully be updated and expanded reasonably often to provide more detailed information about specific frameworks and technologies. 6 | 7 | ### Client Side (JavaScript) 8 | 9 | #### Use `.innerText` instead of `.innerHTML` 10 | 11 | The use of `.innerText` will prevent most XSS problems, as the browser treats the assigned value as plain text rather than parsing it as HTML. 12 | 13 | #### Don't use `eval()`, `new Function()` or other code evaluation tools 14 | 15 | The `eval()` function is evil, never use it. Needing to use eval usually indicates a problem in your design. 16 | 17 | #### Canonicalize data to consumer (read: encode before use) 18 | 19 | When using data to build HTML, script, CSS, XML, JSON, etc. make sure you take into account how that data must be presented in a literal sense to keep its logical meaning. 20 | 21 | Data should be properly encoded before being used in this manner to prevent injection style issues, and to make sure the logical meaning is preserved. 22 | 23 | [Check out the OWASP Java Encoder Project.](https://owasp.org/www-project-java-encoder/) 24 | 25 | #### Don't rely on client logic for security 26 | 27 | Don't forget that the user controls the client-side logic. A number of browser plugins are available to set breakpoints, skip code, change values, etc. Never rely on client logic for security. 
28 | 29 | #### Don't rely on client business logic 30 | 31 | Just like the security one, make sure any interesting business rules/logic is duplicated on the server side lest a user bypasses needed logic and does something silly, or worse, costly. 32 | 33 | #### Avoid writing serialization code 34 | 35 | This is hard and even a small mistake can cause large security issues. There are already a lot of frameworks to provide this functionality. 36 | 37 | Take a look at the [JSON page](http://www.json.org/) for links. 38 | 39 | #### Avoid building XML or JSON dynamically 40 | 41 | Just like building HTML or SQL you will cause XML injection bugs, so stay away from this or at least use an encoding library or safe JSON or XML library to make attributes and element data safe. 42 | 43 | - [XSS (Cross Site Scripting) Prevention](Cross_Site_Scripting_Prevention_Cheat_Sheet.md) 44 | - [SQL Injection Prevention](SQL_Injection_Prevention_Cheat_Sheet.md) 45 | 46 | #### Never transmit secrets to the client 47 | 48 | Anything the client knows the user will also know, so keep all that secret stuff on the server please. 49 | 50 | #### Don't perform encryption in client side code 51 | 52 | Use TLS/SSL and encrypt on the server! 53 | 54 | #### Don't perform security impacting logic on client side 55 | 56 | This is the overall one that gets me out of trouble in case I missed something :) 57 | 58 | ### Server Side 59 | 60 | #### Use CSRF Protection 61 | 62 | Take a look at the [Cross-Site Request Forgery (CSRF) Prevention](Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md) cheat sheet. 63 | 64 | #### Protect against JSON Hijacking for Older Browsers 65 | 66 | ##### Review AngularJS JSON Hijacking Defense Mechanism 67 | 68 | See the [JSON Vulnerability Protection](https://docs.angularjs.org/api/ng/service/$http#json-vulnerability-protection) section of the AngularJS documentation. 
69 | 70 | ##### Always return JSON with an Object on the outside 71 | 72 | Always have the outside primitive be an object for JSON strings: 73 | 74 | **Exploitable:** 75 | 76 | ```json 77 | [{"object": "inside an array"}] 78 | ``` 79 | 80 | **Not exploitable:** 81 | 82 | ```json 83 | {"object": "not inside an array"} 84 | ``` 85 | 86 | **Also not exploitable:** 87 | 88 | ```json 89 | {"result": [{"object": "inside an array"}]} 90 | ``` 91 | 92 | #### Avoid writing serialization code Server Side 93 | 94 | Remember ref vs. value types! Look for an existing library that has been reviewed. 95 | 96 | #### Services can be called by users directly 97 | 98 | Even though you only expect your AJAX client side code to call those services the users can too. 99 | 100 | Make sure you validate inputs and treat them like they are under user control (because they are!). 101 | 102 | #### Avoid building XML or JSON by hand, use the framework 103 | 104 | Use the framework and be safe, do it by hand and have security issues. 105 | 106 | #### Use JSON And XML Schema for Webservices 107 | 108 | You need to use a third-party library to validate web services. 109 | -------------------------------------------------------------------------------- /cheatsheets/Access_Control_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # DEPRECATED: Access Control Cheatsheet 2 | 3 | The Access Control cheatsheet has been deprecated. 4 | 5 | Please visit the [Authorization Cheatsheet](Authorization_Cheat_Sheet.md) instead. 6 | -------------------------------------------------------------------------------- /cheatsheets/Automotive_Security.md: -------------------------------------------------------------------------------- 1 | # Top 10 Automotive Security Vulnerabilities 2 | 3 | This document outlines common security vulnerabilities found in automotive security and provides examples of how attackers can exploit these vulnerabilities. 4 | 5 | ## 1. 
Weak Vehicle Communication Protocols 6 | 7 | **Vulnerability**: Many vehicles use communication protocols like CAN (Controller Area Network) without adequate security measures. 8 | **Example**: An attacker could intercept messages on the CAN bus, leading to unauthorized commands being sent to critical vehicle systems (e.g., brakes, steering). 9 | **Attack Surface**: In-vehicle networks and any exposed diagnostic ports. 10 | 11 | ## 2. Insecure Over-the-Air (OTA) Updates 12 | 13 | **Vulnerability**: OTA updates may lack proper authentication and encryption, allowing attackers to inject malicious firmware. 14 | **Example**: An attacker could spoof an update server and deliver a malicious update that compromises the vehicle's control systems. 15 | **Attack Surface**: Wireless communication channels, including cellular and Wi-Fi. 16 | 17 | ## 3. Insecure Telematics Systems 18 | 19 | **Vulnerability**: Telematics units that connect vehicles to cloud services may have insufficient security controls. 20 | **Example**: An attacker exploiting weak API security could access sensitive vehicle data or manipulate vehicle settings remotely. 21 | **Attack Surface**: Cloud interfaces, telematics gateways, and mobile applications. 22 | 23 | ## 4. Software Supply Chain Vulnerabilities 24 | 25 | **Vulnerability**: Third-party software components may have known vulnerabilities that can be exploited. 26 | **Example**: If a vehicle’s infotainment system relies on a vulnerable third-party library, an attacker could exploit that vulnerability to execute arbitrary code. 27 | **Attack Surface**: Infotainment systems, vehicle software updates, and any integrated third-party applications. 28 | 29 | ## 5. Physical Access Exploits 30 | 31 | **Vulnerability**: Physical access to the vehicle can allow attackers to manipulate systems directly. 32 | **Example**: An attacker with physical access could connect a malicious device to the OBD-II port to alter vehicle settings or firmware. 
33 | **Attack Surface**: Diagnostic ports, service stations, and unsecured vehicle access. 34 | 35 | ## 6. Inadequate Access Control Mechanisms 36 | 37 | **Vulnerability**: Weak or poorly implemented access control measures can allow unauthorized access to vehicle systems. 38 | **Example**: A driver might gain unauthorized access to administrative functions through a poorly secured mobile app. 39 | **Attack Surface**: Mobile applications, vehicle interfaces, and internal network connections. 40 | 41 | ## 7. Poorly Implemented Authentication Mechanisms 42 | 43 | **Vulnerability**: Many automotive systems use weak authentication methods, making it easier for attackers to gain unauthorized access. 44 | **Example**: If a vehicle’s mobile app uses easily guessable passwords, an attacker could log in and change vehicle settings or track location. 45 | **Attack Surface**: Mobile applications, web interfaces, and vehicle systems that allow remote access. 46 | 47 | ## 8. Data Leakage and Privacy Violations 48 | 49 | **Vulnerability**: Vehicles often collect extensive data, which can be inadequately protected. 50 | **Example**: An unsecured data transmission channel could expose sensitive user data, such as location history and personal preferences, to eavesdroppers. 51 | **Attack Surface**: Data transmission channels, cloud storage, and interfaces with third-party services. 52 | 53 | ## 9. Lack of Security in Integrated Systems 54 | 55 | **Vulnerability**: The integration of various systems (e.g., infotainment, navigation) can create vulnerabilities if not properly secured. 56 | **Example**: An attacker could exploit a vulnerability in the infotainment system to gain access to the vehicle’s control systems through interconnected components. 57 | **Attack Surface**: Interconnected vehicle systems, APIs, and communication channels between systems. 58 | 59 | ## 10. 
Insecure Legacy Systems 60 | 61 | **Vulnerability**: Many vehicles still use legacy systems with outdated security protocols. 62 | **Example**: An attacker could exploit known vulnerabilities in older vehicle models that have not been patched, gaining control over critical systems. 63 | **Attack Surface**: Older vehicle models, diagnostic tools, and maintenance interfaces. 64 | -------------------------------------------------------------------------------- /cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # HTTP Strict Transport Security Cheat Sheet 2 | 3 | ## Introduction 4 | 5 | HTTP [Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (also named **HSTS**) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers. 6 | 7 | The specification has been released and published end of 2012 as [RFC 6797](http://tools.ietf.org/html/rfc6797) (HTTP Strict Transport Security (HSTS)) by the IETF. 
8 | 9 | ## Threats 10 | 11 | HSTS addresses the following threats: 12 | 13 | - User bookmarks or manually types `http://example.com` and is subject to a man-in-the-middle attacker 14 | - HSTS automatically redirects HTTP requests to HTTPS for the target domain 15 | - Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP 16 | - HSTS automatically redirects HTTP requests to HTTPS for the target domain 17 | - A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate 18 | - HSTS does not allow a user to override the invalid certificate message 19 | 20 | ## Examples 21 | 22 | Simple example, using a long (1 year = 31536000 seconds) max-age. This example is dangerous since it lacks `includeSubDomains`: 23 | 24 | `Strict-Transport-Security: max-age=31536000` 25 | 26 | This example is useful if all present and future subdomains will be HTTPS. This is a more secure option but will block access to certain pages that can only be served over HTTP: 27 | 28 | `Strict-Transport-Security: max-age=31536000; includeSubDomains` 29 | 30 | This example is useful if all present and future subdomains will be HTTPS. In this example we set a very short max-age in case of mistakes during initial rollout: 31 | 32 | `Strict-Transport-Security: max-age=86400; includeSubDomains` 33 | 34 | **Recommended:** 35 | 36 | - If the site owner would like their domain to be included in the [HSTS preload list](https://hstspreload.org) maintained by Chrome (and used by Firefox and Safari), then use the header below. 37 | - Sending the `preload` directive from your site can have **PERMANENT CONSEQUENCES** and prevent users from accessing your site and any of its subdomains if you find you need to switch back to HTTP. Please read the details at [preload removal](https://hstspreload.org/#removal) before sending the header with `preload`. 
38 | 39 | `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` 40 | 41 | The `preload` flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list. 42 | 43 | ## Problems 44 | 45 | Site owners can use HSTS to identify users without cookies. This can lead to a significant privacy leak. Take a look [here](http://www.leviathansecurity.com/blog/the-double-edged-sword-of-hsts-persistence-and-privacy) for more details. 46 | 47 | Cookies can be manipulated from sub-domains, so omitting the `includeSubDomains` option permits a broad range of cookie-related attacks that HSTS would otherwise prevent by requiring a valid certificate for a subdomain. Ensuring the `secure` flag is set on all cookies will also prevent, some, but not all, of the same attacks. 48 | 49 | ## Browser Support 50 | 51 | As of September 2019 HSTS is supported by [all modern browsers](https://caniuse.com/#feat=stricttransportsecurity), with the only notable exception being Opera Mini. 
52 | 53 | ## References 54 | 55 | - [Chromium Projects/HSTS](https://www.chromium.org/hsts/) 56 | - [OWASP TLS Protection Cheat Sheet](Transport_Layer_Security_Cheat_Sheet.md) 57 | - [sslstrip](https://github.com/moxie0/sslstrip) 58 | - [AppSecTutorial Series - Episode 4](https://www.youtube.com/watch?v=zEV3HOuM_Vw) 59 | - [Nmap NSE script to detect HSTS configuration](https://github.com/icarot/NSE_scripts/blob/master/http-hsts-verify.nse) 60 | -------------------------------------------------------------------------------- /cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # Injection Prevention Cheat Sheet in Java 2 | 3 | This information has been moved to the dedicated [Java Security CheatSheet](Java_Security_Cheat_Sheet.md#injection-prevention-in-java) 4 | -------------------------------------------------------------------------------- /cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # Insecure Direct Object Reference Prevention Cheat Sheet 2 | 3 | ## Introduction 4 | 5 | Insecure Direct Object Reference (IDOR) is a vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web application's URLs or parameters. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data. 6 | 7 | ## Examples 8 | 9 | For instance, when a user accesses their profile, the application might generate a URL like this: 10 | 11 | ``` 12 | https://example.org/users/123 13 | ``` 14 | 15 | The 123 in the URL is a direct reference to the user's record in the database, often represented by the primary key. If an attacker changes this number to 124 and gains access to another user's information, the application is vulnerable to Insecure Direct Object Reference. 
This happens because the app didn't properly check if the user had permission to view data for user 124 before displaying it. 16 | 17 | In some cases, the identifier may not be in the URL, but rather in the POST body, as shown in the following example: 18 | 19 | ``` 20 |
21 | 22 | 23 | 24 |
25 | ``` 26 | 27 | In this example, the application allows users to update their profiles by submitting a form with the user ID in a hidden field. If the app doesn't perform proper access control on the server-side, attackers can manipulate the "user_id" field to modify profiles of other users without authorization. 28 | 29 | ## Identifier complexity 30 | 31 | In some cases, using more complex identifiers like GUIDs can make it practically impossible for attackers to guess valid values. However, even with complex identifiers, access control checks are essential. If attackers obtain URLs for unauthorized objects, the application should still block their access attempts. 32 | 33 | ## Mitigation 34 | 35 | To mitigate IDOR, implement access control checks for each object that users try to access. Web frameworks often provide ways to facilitate this. Additionally, use complex identifiers as a defense-in-depth measure, but remember that access control is crucial even with these identifiers. 36 | 37 | Avoid exposing identifiers in URLs and POST bodies if possible. Instead, determine the currently authenticated user from session information. When using multi-step flows, pass identifiers in the session to prevent tampering. 38 | 39 | When looking up objects based on primary keys, use datasets that users have access to. For example, in Ruby on Rails: 40 | 41 | ``` 42 | // vulnerable, searches all projects 43 | @project = Project.find(params[:id]) 44 | // secure, searches projects related to the current user 45 | @project = @current_user.projects.find(params[:id]) 46 | ``` 47 | 48 | Verify the user's permission every time an access attempt is made. Implement this structurally using the recommended approach for your web framework. 49 | 50 | As an additional defense-in-depth measure, replace enumerable numeric identifiers with more complex, random identifiers. 
You can achieve this by adding a column with random strings in the database table and using those strings in the URLs instead of numeric primary keys. Another option is to use UUIDs or other long random values as primary keys. Avoid encrypting identifiers as it can be challenging to do so securely. 51 | -------------------------------------------------------------------------------- /cheatsheets/PHP_Configuration_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # PHP Configuration Cheat Sheet 2 | 3 | ## Introduction 4 | 5 | This page is meant to help those configuring PHP and the web server it is running on to be very secure. 6 | 7 | Below you will find information on the proper settings for the `php.ini` file and instructions on configuring Apache, Nginx, and Caddy web servers. 8 | 9 | For general PHP codebase security please refer to the two following great guides: 10 | 11 | - [Paragonie's 2018 PHP Security Guide](https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software) 12 | - [Awesome PHP Security](https://github.com/guardrailsio/awesome-php-security) 13 | 14 | ## PHP Configuration and Deployment 15 | 16 | ### php.ini 17 | 18 | Some of following settings need to be adapted to your system, in particular `session.save_path`, `session.cookie_path` (e.g. `/var/www/mysite`), and `session.cookie_domain` (e.g. `ExampleSite.com`). 19 | 20 | You should be running a [supported version of PHP](https://www.php.net/supported-versions.php) (as of this writing, 8.1 is the oldest version receiving security support from PHP, though distribution vendors often provide extended support). Review the [core `php.ini` directives](https://www.php.net/manual/ini.core.php) in the PHP Manual for a complete reference on every value in the `php.ini` configuration file. 21 | 22 | You can find a copy of the following values in a [ready-to-go `php.ini` file here](https://github.com/danehrlich1/very-secure-php-ini). 
23 | 24 | #### PHP error handling 25 | 26 | ```text 27 | expose_php              = Off 28 | error_reporting         = E_ALL 29 | display_errors          = Off 30 | display_startup_errors  = Off 31 | log_errors              = On 32 | error_log               = /valid_path/PHP-logs/php_error.log 33 | ignore_repeated_errors  = Off 34 | ``` 35 | 36 | Keep in mind that you need to have `display_errors` to `Off` on a production server and it's a good idea to frequently notice the logs. 37 | 38 | #### PHP general settings 39 | 40 | ```text 41 | doc_root                = /path/DocumentRoot/PHP-scripts/ 42 | open_basedir            = /path/DocumentRoot/PHP-scripts/ 43 | include_path            = /path/PHP-pear/ 44 | extension_dir           = /path/PHP-extensions/ 45 | mime_magic.magicfile    = /path/PHP-magic.mime 46 | allow_url_fopen         = Off 47 | allow_url_include       = Off 48 | variables_order         = "GPCS" 49 | allow_webdav_methods    = Off 50 | session.gc_maxlifetime  = 600 51 | ``` 52 | 53 | `allow_url_*` prevents [LFI](https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/)s to be easily escalated to [RFI](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)s. 54 | 55 | #### PHP file upload handling 56 | 57 | ```text 58 | file_uploads            = On 59 | upload_tmp_dir          = /path/PHP-uploads/ 60 | upload_max_filesize     = 2M 61 | max_file_uploads        = 2 62 | ``` 63 | 64 | If your application is not using file uploads, and say the only data the user will enter / upload is forms that do not require any document attachments, `file_uploads` should be turned `Off`. 
65 | 66 | #### PHP executable handling 67 | 68 | ```text 69 | enable_dl               = Off 70 | disable_functions       = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo 71 | disable_classes         = 72 | ``` 73 | 74 | These are dangerous PHP functions. You should disable all that you don't use. 75 | 76 | #### PHP session handling 77 | 78 | Session settings are some of the MOST important values to concentrate on in configuring. It is a good practice to change `session.name` to something new. 79 | 80 | ```text 81 | session.save_path = /path/PHP-session/ 82 | session.name = myPHPSESSID 83 | session.auto_start = Off 84 | session.use_trans_sid = 0 85 | session.cookie_domain = full.qualified.domain.name 86 | #session.cookie_path = /application/path/ 87 | session.use_strict_mode = 1 88 | session.use_cookies = 1 89 | session.use_only_cookies = 1 90 | session.cookie_lifetime = 14400 # 4 hours 91 | session.cookie_secure = 1 92 | session.cookie_httponly = 1 93 | session.cookie_samesite = Strict 94 | session.cache_expire = 30 95 | session.sid_length = 256 96 | session.sid_bits_per_character = 6 97 | ``` 98 | 99 | #### Some more security paranoid checks 100 | 101 | ```text 102 | session.referer_check   = /application/path 103 | memory_limit            = 50M 104 | post_max_size           = 20M 105 | max_execution_time      = 60 106 | report_memleaks         = On 107 | html_errors             = Off 108 | zend.exception_ignore_args = On 109 | ``` 110 | 111 | ### Snuffleupagus 112 | 113 | [Snuffleupagus](https://snuffleupagus.readthedocs.io) is the spiritual 114 | descendent of Suhosin for PHP 7 and onwards, with [modern 115 | features](https://snuffleupagus.readthedocs.io/features.html). It's considered 116 | stable, and is usable in production. 
117 | -------------------------------------------------------------------------------- /cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # Prototype Pollution Prevention Cheat Sheet 2 | 3 | ## Explanation 4 | 5 | Prototype Pollution is a critical vulnerability that can allow attackers to manipulate an application's JavaScript objects and properties, leading to serious security issues such as unauthorized access to data, privilege escalation, and even remote code execution. 6 | 7 | For examples of why this is dangerous, see the links in the [Other resources](#other-resources) section below. 8 | 9 | ## Suggested protection mechanisms 10 | 11 | ### Use "new Set()" or "new Map()" 12 | 13 | Developers should use `new Set()` or `new Map()` instead of using object literals: 14 | 15 | ```javascript 16 | let allowedTags = new Set(); 17 | allowedTags.add('b'); 18 | if(allowedTags.has('b')){ 19 | //... 20 | } 21 | 22 | let options = new Map(); 23 | options.set('spaces', 1); 24 | let spaces = options.get('spaces') 25 | ``` 26 | 27 | ### If objects or object literals are required 28 | 29 | If objects have to be used then they should be created using the `Object.create(null)` API to ensure they don't inherit from the Object prototype: 30 | 31 | ```javascript 32 | let obj = Object.create(null); 33 | ``` 34 | 35 | If object literals are required then as a last resort you could use the `__proto__` property: 36 | 37 | ```javascript 38 | let obj = {__proto__:null}; 39 | ``` 40 | 41 | ### Use object "freeze" and "seal" mechanisms 42 | 43 | You can also use the `Object.freeze()` and `Object.seal()` APIs to prevent built-in prototypes from being modified however this can break the application if the libraries they use modify the built-in prototypes. 
44 | 45 | ### Node.js configuration flag 46 | 47 | Node.js also offers the ability to remove the `__proto__` property completely using the `--disable-proto=delete` flag. Note this is a defense in depth measure. 48 | 49 | Prototype pollution is still possible using `constructor.prototype` properties but removing `__proto__` helps reduce attack surface and prevent certain attacks. 50 | 51 | ### Other resources 52 | 53 | - [What is prototype pollution? (Portswigger Web Security Academy)](https://portswigger.net/web-security/prototype-pollution) 54 | - [Prototype pollution (Snyk Learn)](https://learn.snyk.io/lessons/prototype-pollution/javascript/) 55 | 56 | ### Credits 57 | 58 | Credit to [Gareth Hayes](https://garethheyes.co.uk/) for providing the original protection guidance [in this comment](https://github.com/OWASP/ASVS/issues/1563#issuecomment-1470027723). 59 | -------------------------------------------------------------------------------- /cheatsheets/REST_Assessment_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # REST Assessment Cheat Sheet 2 | 3 | ## About RESTful Web Services 4 | 5 | Web Services are an implementation of web technology used for machine to machine communication. As such they are used for Inter application communication, Web 2.0 and Mashups and by desktop and mobile applications to call a server. 6 | 7 | RESTful web services (often called simply REST) are a light weight variant of Web Services based on the RESTful design pattern. In practice RESTful web services utilizes HTTP requests that are similar to regular HTTP calls in contrast with other Web Services technologies such as SOAP which utilizes a complex protocol. 8 | 9 | ## Key relevant properties of RESTful web services 10 | 11 | - Use of HTTP methods (`GET`, `POST`, `PUT` and `DELETE`) as the primary verb for the requested operation. 12 | - Non-standard parameters specifications: 13 | - As part of the URL. 14 | - In headers. 
15 | - Structured parameters and responses using JSON or XML in a parameter values, request body or response body. Those are required to communicate machine useful information. 16 | - Custom authentication and session management, often utilizing custom security tokens: this is needed as machine to machine communication does not allow for login sequences. 17 | - Lack of formal documentation. A [proposed standard for describing RESTful web services called WADL](http://www.w3.org/Submission/wadl/) was submitted by Sun Microsystems but was never officially adapted. 18 | 19 | ## The challenge of security testing RESTful web services 20 | 21 | - Inspecting the application does not reveal the attack surface, I.e. the URLs and parameter structure used by the RESTful web service. The reasons are: 22 | - No application utilizes all the available functions and parameters exposed by the service 23 | - Those used are often activated dynamically by client side code and not as links in pages. 24 | - The client application is often not a web application and does not allow inspection of the activating link or even relevant code. 25 | - The parameters are non-standard making it hard to determine what is just part of the URL or a constant header and what is a parameter worth [fuzzing](https://owasp.org/www-community/Fuzzing). 26 | - As a machine interface the number of parameters used can be very large, for example a JSON structure may include dozens of parameters. [fuzzing](https://owasp.org/www-community/Fuzzing) each one significantly lengthen the time required for testing. 27 | - Custom authentication mechanisms require reverse engineering and make popular tools not useful as they cannot track a login session. 28 | 29 | ## How to pentest a RESTful web service 30 | 31 | Determine the attack surface through documentation - RESTful pen testing might be better off if some level of clear-box testing is allowed and you can get information about the service. 
32 | 33 | This information will ensure fuller coverage of the attack surface. Such information to look for: 34 | 35 | - Formal service description - While for other types of web services such as SOAP a formal description, usually in WSDL is often available, this is seldom the case for REST. That said, either WSDL 2.0 or WADL can describe REST and are sometimes used. 36 | - A developer guide for using the service may be less detailed but will commonly be found, and might even be considered *opaque-box* testing. 37 | - Application source or configuration - in many frameworks, including dotNet ,the REST service definition might be easily obtained from configuration files rather than from code. 38 | 39 | Collect full requests using a [proxy](https://www.zaproxy.org/) - while always an important pen testing step, this is more important for REST based applications as the application UI may not give clues on the actual attack surface. 40 | 41 | Note that the proxy must be able to collect full requests and not just URLs as REST services utilize more than just GET parameters. 42 | 43 | Analyze collected requests to determine the attack surface: 44 | 45 | - Look for non-standard parameters: 46 | - Look for abnormal HTTP headers - those would many times be header based parameters. 47 | - Determine if a URL segment has a repeating pattern across URLs. Such patterns can include a date, a number or an ID like string and indicate that the URL segment is a URL embedded parameter. 48 | - For example: `http://server/srv/2013-10-21/use.php` 49 | - Look for structured parameter values - those may be JSON, XML or a non-standard structure. 50 | - If the last element of a URL does not have an extension, it may be a parameter. This is especially true if the application technology normally uses extensions or if a previous segment does have an extension. 
51 | - For example: `http://server/svc/Grid.asmx/GetRelatedListItems` 52 | - Look for highly varying URL segments - a single URL segment that has many values may be parameter and not a physical directory. 53 | - For example if the URL `http://server/src/XXXX/page` repeats with hundreds of value for `XXXX`, chances `XXXX` is a parameter. 54 | 55 | Verify non-standard parameters: in some cases (but not all), setting the value of a URL segment suspected of being a parameter to a value expected to be invalid can help determine if it is a path elements of a parameter. If a path element, the web server will return a *404* message, while for an invalid value to a parameter the answer would be an application level message as the value is legal at the web server level. 56 | 57 | Analyzing collected requests to optimize [fuzzing](https://owasp.org/www-community/Fuzzing) - after identifying potential parameters to fuzz, analyze the collected values for each to determine: 58 | 59 | - Valid vs. invalid values, so that [fuzzing](https://owasp.org/www-community/Fuzzing) can focus on marginal invalid values. 60 | - For example sending *0* for a value found to be always a positive integer. 61 | - Sequences allowing to fuzz beyond the range presumably allocated to the current user. 62 | 63 | Lastly, when [fuzzing](https://owasp.org/www-community/Fuzzing), don't forget to emulate the authentication mechanism used. 64 | 65 | ## Related Resources 66 | 67 | - [REST Security Cheat Sheet](REST_Security_Cheat_Sheet.md) - the other side of this cheat sheet 68 | - [YouTube: RESTful services, web security blind spot](https://www.youtube.com/watch?v=pWq4qGLAZHI) - a video presentation elaborating on most of the topics on this cheat sheet. 
69 | -------------------------------------------------------------------------------- /cheatsheets/TLS_Cipher_String_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # DEPRECATED: TLS Cipher String Cheat Sheet 2 | 3 | The TLS Cipher String Cheat Sheet has been deprecated. 4 | 5 | Please visit the [Transport Layer Security Cheat Sheet](Transport_Layer_Security_Cheat_Sheet.md) instead. 6 | -------------------------------------------------------------------------------- /cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | # DEPRECATED: Transport Layer Protection Cheat Sheet 2 | 3 | The Transport Layer Protection Cheat Sheet has been deprecated. 4 | 5 | Please visit the [Transport Layer Security Cheat Sheet](Transport_Layer_Security_Cheat_Sheet.md) instead. 6 | -------------------------------------------------------------------------------- /cheatsheets_excluded/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/cheatsheets_excluded/.gitkeep -------------------------------------------------------------------------------- /cheatsheets_excluded/PL_SQL_Security_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: PL SQL Security Cheat Sheet 3 | permalink: /PL/SQL_Security_Cheat_Sheet/ 4 | --- 5 | 6 | PL/SQL is a powerful procedural language built on top of Oracle SQL syntax. Extensive library of business-related and data-processing functions it incorporates makes it an attractive environment for building business-critical applications operating fully within the Oracle database. 
Introduction of PL/SQL Web Toolkit enabled Oracle developers to generate HTML straight from the PL/SQL code and build web applications fully residing from within the Oracle database. 7 | 8 | Just as any other web stack, PL/SQL web applications require careful input validation and other standard safeguards to prevent exploitable [OWASP Top 10](/OWASP_Top_10 "wikilink") vulnerabilities. Oracle `htp` (hypertext procedures) and `htf` (hypertext functions) packages contain the primary functions for generating output in PL/SQL web applications as well as output escaping functions. See [Oracle: The htp and htf Packages](https://docs.oracle.com/cd/B14099_19/web.1012/b15896/pshtp.htm) 9 | 10 | Escaping output data to prevent Cross-Site Scripting 11 | ---------------------------------------------------- 12 | 13 | Applications running on newer Oracle versions where APEX packages are available should use `apex_escape` for contextual escaping of output data in a manner similar to [ESAPI](/ESAPI "wikilink") validators. See [Oracle: apex_escape](https://docs.oracle.com/database/121/AEAPI/apex_escape.htm) 14 | 15 | - APEX_ESCAPE.HTML 16 | - APEX_ESCAPE.HTML_ATTRIBUTE 17 | - APEX_ESCAPE.HTML_TRUNC 18 | - APEX_ESCAPE.HTML_WHITELIST 19 | - APEX_ESCAPE.JS_LITERAL 20 | - APEX_ESCAPE.LDAP_DN 21 | - APEX_ESCAPE.LDAP_SEARCH_FILTER 22 | - APEX_ESCAPE.NOOP 23 | 24 | Applications should use `htp.prints` to output text blocks rather than `htp.print` as the former escapes potentially dangerous characters (<code><>"'). Note that the `htp.prints` cannot be used as a simple drop-in replacement for `htp.print` because it will also escape legitimate HTML but by `htp` usage model raw HTML shouldn't be generally entered in strings but rather generated with appropriate HTML functions (e.g. `htp.header(1,` `'Hello');` will output 25 | 26 |

27 | Hello 28 | 29 |

). 31 | 32 | Sample usage in typical PL/SQL code: 33 | 34 | `   htp.header(1, 'Details for user ' \|\| apex_escape.html(username)); -- outputs ` 35 | 36 |

37 | ... 38 | 39 |

40 | `   htp.print('Username: '); -- just a string literal, no need to escape` 41 | `   htp.italic(apex_escape.html(username), 'class=' \|\| apex_escape.html_attribute(userclass) );` 42 | `   htp.para();` 43 | `   htp.prints(address); -- escapes dangerous chars in address string` 44 | `   htp.script ('var username="' \|\| apex_escape.js_literal(username) \|\| '";');` 45 | Note that `apex_escape.js_literal` encloses its result in quotes by default (see its `p_quote` parameter), so verify the generated JavaScript before wrapping the call in a second pair of quotes as shown in the last line above; the escaping itself is still required, because an unescaped value inside a script block is a classic XSS vector. 46 | On older Oracle platforms `htf.escape_sc` can be used for output in HTML context, and the `utl_url.escape` function is available to escape URL characters (`&`, `"`, `<`, `>`, `%`). URL escaping functionality is also provided by the legacy `htf.escape_url` function. These functions are generally less robust than their `apex_escape` equivalents and are not context-aware. 47 | 48 | Input validation and sanitization 49 | --------------------------------- 50 | 51 | ### Regular expression functions 52 | 53 | `   IF REGEXP_LIKE('untrusted input', '^[0-9a-zA-Z]{2,6}$') THEN /* Match */ ELSE /* No match */ END IF;` 54 | `   select REGEXP_REPLACE('subject<<>>', '[<>]') from dual; -- returns: "subject"` 55 | Prefer allow-list validation with `REGEXP_LIKE`, anchored with `^` and `$` and with correctly cased ranges: a range such as `A-z` (a common typo for `A-Z`) silently admits `[`, `\`, `]`, `^`, `_` and `` ` `` as well. Stripping characters with `REGEXP_REPLACE`, as in the second example, is a lossy block-list: it neither prevents SQL injection nor replaces context-aware output escaping, so use it only to normalise data, never as the sole defence. 56 | ### DBMS_ASSERT 57 | `DBMS_ASSERT` validates SQL *identifiers* (schema, object and column names) before they are concatenated into dynamic SQL; it is not a sanitizer for data values. Pass values as bind variables (`EXECUTE IMMEDIATE ... USING`) instead of concatenating them, reserve `ENQUOTE_LITERAL` for the rare cases where a bind variable cannot be used, and build the statement from the value returned by the `DBMS_ASSERT` function rather than from the original input. 58 | - ENQUOTE_LITERAL — Enquotes a string literal 59 | - ENQUOTE_NAME — Encloses a name in double quotes 60 | - NOOP — Returns the unmodified value 61 | - QUALIFIED_SQL_NAME — Verifies that the input string is a qualified SQL name 62 | - SCHEMA_NAME — Verifies that the input string is an existing schema name 63 | - SIMPLE_SQL_NAME — Verifies that the input string is a simple SQL name 64 | - SQL_OBJECT_NAME — Verifies that the input parameter string is a qualified SQL identifier of an existing SQL object 65 | 66 | Example: 67 | 68 | `   SELECT SYS.DBMS_ASSERT.SIMPLE_SQL_NAME  ('Data with `` characters') FROM dual;` 69 | `   ORA-44003: invalid SQL name` 70 | 71 | See [Oracle: DBMS_ASSERT](https://docs.oracle.com/database/121/ARPLS/d_assert.htm#ARPLS231) 72 | 73 | References 74 | ---------- 75 | 76 | - [Oracle "How to write SQL injection proof 
PL/SQL"](http://www.oracle.com/technetwork/database/features/plsql/overview/how-to-write-injection-proof-plsql-1-129572.pdf) 77 | - [Security in Oracle ADF: Addressing the OWASP Top 10 Security Vulnerabilities](http://www.oracle.com/technetwork/developer-tools/adf/adfowasptop10-final-2348304.pdf) 78 | 79 | Authors 80 | ------- 81 | 82 | - Pawel Krawczyk 83 | 84 | Other Cheatsheets 85 | ----------------- 86 | 87 | [Category:Cheatsheets](/Category:Cheatsheets "wikilink") 88 | -------------------------------------------------------------------------------- /cheatsheets_excluded/Security_Testing_Cheat_Sheet.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Security Testing Cheat Sheet 3 | permalink: /Security_Testing_Cheat_Sheet/ 4 | --- 5 | 6 | DRAFT CHEAT SHEET - WORK IN PROGRESS 7 | ------------------------------------ 8 | 9 | Introduction 10 | ------------ 11 | 12 | This page intends to provide quick basic security tips for quality assurance specialists. The goal of the cheat sheet is to act as a starting point for a comprehensive QA Test Plan for security of web applications. 13 | 14 | Testing Tools 15 | ------------- 16 | 17 | Testing web applications is difficult without tools. The following tools are the common set for QA professionals to accomplish all of the test cases in the security test plan. 18 | 19 | - Zed Attack Proxy 20 | - WebScarab 21 | 22 | Security Test Plan 23 | ------------------ 24 | 25 | Each major security surface in a web application has a known set of vulnerabilities that can be tested for using a set of test cases. 
26 | 27 | ### Injection 28 | 29 | ### Authentication and Authorization 30 | 31 | ### Session management 32 | 33 | ### Configuration 34 | 35 | ### Compliance 36 | 37 | #### PCI 38 | 39 | #### HIPAA 40 | 41 | ### Handling data 42 | 43 | ### Technology Specific Tests 44 | 45 | #### PHP 46 | 47 | #### Microsoft 48 | 49 | #### Ruby on Rails 50 | 51 | #### Adobe 52 | 53 | #### Java 54 | 55 | #### JavaScript Frameworks 56 | 57 | ### Configuration 58 | 59 | ### Cross Site Request Forgery 60 | 61 | Authors and Primary Editors 62 | --------------------------- 63 | 64 | Bill Sempf - bill.sempf \[at\] owasp.org [User:Bill Sempf](/User:Bill_Sempf "wikilink") 65 | 66 | Other Cheatsheets 67 | ----------------- 68 | 69 | [Category:Cheatsheets](/Category:Cheatsheets "wikilink") -------------------------------------------------------------------------------- /exploit-protection-guard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/CheatSheetSeries/d5e64fdb76a6c9d9b45ea1f5ecb0fed13349aabf/exploit-protection-guard.png -------------------------------------------------------------------------------- /markdown-link-check-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ignorePatterns": [ 3 | { 4 | "pattern": "^bundle.zip" 5 | }, 6 | { 7 | "pattern": "^News.xml" 8 | }, 9 | { 10 | "pattern": "^/" 11 | }, 12 | { 13 | "pattern": "vincent.bernat.im" 14 | }, 15 | { 16 | "pattern": "developer.android.com" 17 | }, 18 | { 19 | "pattern": "csrc.nist.gov" 20 | }, 21 | { 22 | "pattern": "www.exploit-db.com" 23 | } 24 | ], 25 | "httpHeaders": [ 26 | { 27 | "urls": ["https://", "http://"], 28 | "headers": { 29 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" 30 | } 31 | } 32 | ] 33 | } 34 | -------------------------------------------------------------------------------- /mkdocs.yml:
-------------------------------------------------------------------------------- 1 | # Project information 2 | site_name: OWASP Cheat Sheet Series 3 | site_url: https://cheatsheetseries.owasp.org/ 4 | site_description: Website with the collection of all the cheat sheets of the project. 5 | # Repository 6 | repo_name: OWASP/CheatSheetSeries 7 | repo_url: https://github.com/OWASP/CheatSheetSeries 8 | 9 | # Copyright 10 | copyright: ©Copyright - Cheat Sheets Series Team - This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. 11 | 12 | #Config 13 | docs_dir: cheatsheets/ 14 | google_analytics: 15 | - !!python/object/apply:os.getenv ["WORKFLOW_GOOGLE_ANALYTICS_KEY", "none"] 16 | - auto 17 | use_directory_urls: false 18 | plugins: 19 | - search: 20 | # prebuild_index: true 21 | lang: 22 | - en 23 | #For read the docs 24 | # theme: 25 | # name: readthedocs 26 | # custom_dir: custom_theme/ 27 | # highlightjs: true 28 | # sticky_navigation: false 29 | # markdown_extensions: 30 | # - pymdownx.emoji: 31 | # emoji_index: !!python/name:pymdownx.emoji.twemoji 32 | # emoji_generator: !!python/name:pymdownx.emoji.to_alt 33 | # - toc: 34 | # permalink: true 35 | 36 | #For material 37 | theme: 38 | name: material 39 | custom_dir: custom_theme/ 40 | features: 41 | - navigation.sections 42 | - navigation.expand 43 | favicon: assets/WebSite_Favicon.png 44 | logo: "assets/OWASP_Logo.svg" 45 | palette: 46 | # Palette toggle for light mode 47 | - media: "(prefers-color-scheme: light)" 48 | scheme: default 49 | primary: indigo 50 | accent: indigo 51 | toggle: 52 | icon: material/brightness-7 53 | name: Switch to dark mode 54 | # Palette toggle for dark mode 55 | - media: "(prefers-color-scheme: dark)" 56 | scheme: slate 57 | primary: black 58 | accent: indigo 59 | toggle: 60 | icon: material/brightness-4 61 | name: Switch to light mode 62 | markdown_extensions: 63 | - pymdownx.highlight 64 | - pymdownx.superfences # Required by Pygments 65 | - 
pymdownx.inlinehilite 66 | - pymdownx.emoji: 67 | emoji_index: !!python/name:pymdownx.emoji.twemoji 68 | emoji_generator: !!python/name:pymdownx.emoji.to_svg 69 | - toc: 70 | permalink: true 71 | - sane_lists 72 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "cheatsheetseries", 3 | "version": "1.0.1", 4 | "description": "OWASP CSS Project", 5 | "main": "index.js", 6 | "dependencies": {}, 7 | "devDependencies": { 8 | "markdownlint-cli": "^0.26.0", 9 | "textlint": "^11.6.3", 10 | "textlint-filter-rule-comments": "^1.2.2", 11 | "textlint-filter-rule-whitelist": "^2.0.0", 12 | "textlint-rule-terminology": "^2.1.4" 13 | }, 14 | "scripts": { 15 | "test": "npm run lint-markdown && npm run lint-terminology", 16 | "lint-terminology": "textlint ./cheatsheets/", 17 | "lint-markdown": "markdownlint ./ -c .markdownlint.json --ignore node_modules --ignore cheatsheets_excluded", 18 | "link-check": "find cheatsheets -name \\*.md -exec markdown-link-check -c markdown-link-check-config.json 1> log 2> err {} \\; && if [ -e err ] && grep -q \"ERROR:\" err ; then exit 113 ; else echo -e \"All good\"; fi" 19 | }, 20 | "repository": { 21 | "type": "git", 22 | "url": "git+https://github.com/OWASP/CheatSheetSeries.git" 23 | }, 24 | "author": "OWASP", 25 | "license": "CC-BY-SA-4.0", 26 | "bugs": { 27 | "url": "https://github.com/OWASP/CheatSheetSeries/issues" 28 | }, 29 | "homepage": "https://github.com/OWASP/CheatSheetSeries#readme" 30 | } 31 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | Babel==2.16.0 2 | certifi==2024.8.30 3 | charset-normalizer==3.4.0 4 | click==8.1.7 5 | colorama==0.4.6 6 | feedgen==1.0.0 7 | ghp-import==2.1.0 8 | idna==3.10 9 | Jinja2==3.1.4 10 | lxml==5.3.0 11 | Markdown==3.7 12 | 
MarkupSafe==3.0.2 13 | mergedeep==1.3.4 14 | mkdocs==1.6.1 15 | mkdocs-material==9.5.42 16 | mkdocs-material-extensions==1.3.1 17 | packaging==24.1 18 | paginate==0.5.7 19 | pathspec==0.12.1 20 | platformdirs==4.3.6 21 | Pygments==2.18.0 22 | pymdown-extensions==10.12 23 | python-dateutil==2.9.0.post0 24 | PyYAML==6.0.2 25 | pyyaml_env_tag==0.1 26 | regex==2024.9.11 27 | requests==2.32.3 28 | six==1.16.0 29 | urllib3==2.2.3 30 | watchdog==5.0.3 31 | -------------------------------------------------------------------------------- /scripts/404.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 404 7 | 8 | 215 | 216 | 217 | 218 | 219 |


WHOA THAT PAGE CANNOT BE FOUND

223 | 224 | 225 | 226 | -------------------------------------------------------------------------------- /scripts/Apply_Link_Check.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Script in charge of auditing the released cheatsheets MD files 3 | # in order to detect dead links 4 | cd ../cheatsheets 5 | find . -name \*.md -exec markdown-link-check -c ../.markdownlinkcheck.json {} \; 1>../link-check-result.out 2>&1 6 | errors=`grep -c "ERROR:" ../link-check-result.out` 7 | content=`cat ../link-check-result.out` 8 | if [[ $errors != "0" ]] 9 | then 10 | echo "[!] Error(s) found by the Links validator: $errors CS have dead links !" 11 | exit $errors 12 | else 13 | echo "[+] No error found by the Links validator." 14 | fi -------------------------------------------------------------------------------- /scripts/Generate_CheatSheets_TOC.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Python3 script to generate the summary markdown page that is used 5 | by GitBook to generate the offline website. 6 | 7 | The summary markdown page is named "TOC.md" and is generated in the 8 | same location that the script in order to be moved later by the caller script. 
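"""
import os

# Define templates
cs_md_link_template = "* [%s](cheatsheets/%s)"

# Fixed entries written before the alphabetical list, as (link label, file name).
# The IndexMASVS.md entry was previously labelled "Index ASVS" (copy-paste of the
# entry above it), which produced two identical labels in the generated TOC.
# NOTE(review): Generate_Site.sh also copies IndexTopTen.md into the generated tree
# but it is not listed here - confirm whether it should be.
index_pages = [
    ("Index Alphabetical", "Index.md"),
    ("Index ASVS", "IndexASVS.md"),
    ("Index MASVS", "IndexMASVS.md"),
    ("Index Proactive Controls", "IndexProactiveControls.md"),
]
# Files that must never be listed as ordinary cheat sheet entries.
excluded_files = {file_name for _, file_name in index_pages} | {"TOC.md"}

# Scan all CS files
cheatsheets = [f.name for f in os.scandir("../cheatsheets") if f.is_file()]
cheatsheets.sort()

# Generate the summary file (explicit UTF-8, like Update_CheatSheets_Index.py, so the
# output does not depend on the locale of the build machine)
with open("TOC.md", "w", encoding="utf-8") as index_file:
    index_file.write("# Summary\n\n")
    index_file.write("### Cheatsheets\n\n")
    for label, file_name in index_pages:
        index_file.write(cs_md_link_template % (label, file_name))
        index_file.write("\n")
    for cheatsheet in cheatsheets:
        if cheatsheet in excluded_files:
            continue
        # Display name derived from the file name; strip() removes the trailing
        # space left inside the link text once "Cheat Sheet" is removed (same
        # normalisation as Update_CheatSheets_Index.py).
        cs_name = cheatsheet.replace("_", " ").replace(".md", "").replace("Cheat Sheet", "").strip()
        index_file.write(cs_md_link_template % (cs_name, cheatsheet))
        index_file.write("\n")
print("Summary markdown page generated.")
-------------------------------------------------------------------------------- /scripts/Generate_RSS_Feed.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Python3 script to generate an RSS feed XML file based on merged pull requests: 5 | See https://github.com/OWASP/CheatSheetSeries/issues/186 6 | Do not require to have a local copy of the GitHub repository.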
7 | Dependencies: pip install requests feedgen 8 | """ 9 | import sys 10 | import json 11 | from datetime import datetime, timezone 12 | 13 | import requests 14 | from feedgen.feed import FeedGenerator 15 | 16 | # Define constants 17 | # API to retrieve the list of PR 18 | # See https://developer.github.com/v3/pulls/#list-pull-requests for explanation 19 | PR_API = "https://api.github.com/repos/OWASP/CheatSheetSeries/pulls?page=1&per_page=1000&state=closed" 20 | 21 | # Grab the list of open PR 22 | print("[+] Grab the list of closed PR via the GitHub API...") 23 | response = requests.get(PR_API) 24 | if response.status_code != 200: 25 | print("Cannot load the list of PR content: HTTP %s received!" % response.status_code) 26 | sys.exit(1) 27 | pull_requests = response.json() 28 | 29 | # Process the obtained list and generate the feed in memory 30 | print("[+] Process the obtained list and generate the feed in memory (%s) items)..." % len(pull_requests)) 31 | feed_generator = FeedGenerator() 32 | current_date = datetime.now(timezone.utc).strftime("%a, %d %B %Y %H:%M:%S GMT") # Sun, 19 May 2002 15:21:36 GMT 33 | feed_generator.id("https://cheatsheetseries.owasp.org/") 34 | feed_generator.title("OWASP Cheat Sheet Series update") 35 | feed_generator.description("List of the last updates on the content") 36 | feed_generator.author({"name": "Core team", "email": "dominique.righetto@owasp.org"}) 37 | feed_generator.link({"href": "https://cheatsheetseries.owasp.org", "rel": "self"}) 38 | feed_generator.link({"href": "https://github.com/OWASP/CheatSheetSeries", "rel": "alternate"}) 39 | feed_generator.language("en") 40 | feed_generator.icon("https://cheatsheetseries.owasp.org/gitbook/images/favicon.ico") 41 | feed_generator.pubDate(current_date) 42 | feed_generator.lastBuildDate(current_date) 43 | for pull_request in pull_requests: 44 | # Take only merged PR 45 | if pull_request["merged_at"] is None: 46 | continue 47 | # Convert merge date from 2019-08-25T06:36:35Z To Sun, 
19 May 2002 15:21:36 GMT 48 | merge_date_src = pull_request["merged_at"] 49 | merge_date_dst = datetime.strptime(merge_date_src, "%Y-%m-%dT%H:%M:%SZ").strftime("%a, %d %B %Y %H:%M:%S GMT") 50 | feed_entry = feed_generator.add_entry() 51 | feed_entry.id(pull_request["html_url"]) 52 | feed_entry.title(pull_request["title"]) 53 | feed_entry.link({"href": pull_request["html_url"], "rel": "self"}) 54 | feed_entry.link({"href": pull_request["html_url"], "rel": "alternate"}) 55 | feed_entry.pubDate(merge_date_dst) 56 | feed_entry.updated(merge_date_dst) 57 | contributors = [] 58 | for assignee in pull_request["assignees"]: 59 | contributors.append({"name": assignee["login"], "uri": "https://github.com/%s" % assignee['login']}) 60 | feed_entry.contributor(contributors) 61 | 62 | # Save the feed to a XML file 63 | print("[+] Save the feed to a XML file...") 64 | feed_generator.atom_file("News.xml") 65 | print("[+] Feed saved to 'News.xml'.") 66 | -------------------------------------------------------------------------------- /scripts/Generate_Site.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Dependencies: 3 | # sudo apt install -y nodejs 4 | # sudo npm install gitbook-cli -g 5 | # Note: 6 | # PDF generation is not possible because the content is cut in 7 | # some CS like for example the abuse case one 8 | GENERATED_SITE=site 9 | WORK=../generated 10 | echo "Generate a offline portable website with all the cheat sheets..." 11 | echo "Step 1/5: Init work folder." 12 | rm -rf $WORK 1>/dev/null 2>&1 13 | mkdir $WORK 14 | mkdir $WORK/cheatsheets 15 | echo "Step 2/5: Generate the summary markdown page and the RSS News feed." 16 | python Update_CheatSheets_Index.py 17 | python Generate_CheatSheets_TOC.py 18 | python Generate_RSS_Feed.py 19 | echo "Step 3/5: Create the expected GitBook folder structure." 20 | cp ../book.json $WORK/. 21 | cp ../Preface.md $WORK/cheatsheets/. 22 | mv TOC.md $WORK/cheatsheets/. 
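mv News.xml "$WORK/."
cp -r ../cheatsheets "$WORK/cheatsheets/cheatsheets"
cp -r ../assets "$WORK/cheatsheets/assets"
cp ../Index.md "$WORK/cheatsheets/cheatsheets/Index.md"
cp ../IndexASVS.md "$WORK/cheatsheets/cheatsheets/IndexASVS.md"
cp ../IndexMASVS.md "$WORK/cheatsheets/cheatsheets/IndexMASVS.md"
cp ../IndexProactiveControls.md "$WORK/cheatsheets/cheatsheets/IndexProactiveControls.md"
cp ../IndexTopTen.md "$WORK/cheatsheets/cheatsheets/IndexTopTen.md"
# The index pages now live one directory deeper than in the repository root, so their
# relative links are rewritten: "assets/" -> "../assets/" first, then "cheatsheets/" -> "".
# The order matters (the second pass would otherwise touch the freshly written paths).
# "sed -i" without a suffix is GNU sed syntax; BSD/macOS sed needs "-i ''".
# NOTE(review): IndexProactiveControls.md gets no assets rewrite - presumably it
# references no assets; confirm before relying on it.
sed -i 's/assets\//..\/assets\//g' "$WORK/cheatsheets/cheatsheets/Index.md"
sed -i 's/assets\//..\/assets\//g' "$WORK/cheatsheets/cheatsheets/IndexASVS.md"
sed -i 's/assets\//..\/assets\//g' "$WORK/cheatsheets/cheatsheets/IndexMASVS.md"
sed -i 's/assets\//..\/assets\//g' "$WORK/cheatsheets/cheatsheets/IndexTopTen.md"
sed -i 's/cheatsheets\///g' "$WORK/cheatsheets/cheatsheets/Index.md"
sed -i 's/cheatsheets\///g' "$WORK/cheatsheets/cheatsheets/IndexASVS.md"
sed -i 's/cheatsheets\///g' "$WORK/cheatsheets/cheatsheets/IndexMASVS.md"
sed -i 's/cheatsheets\///g' "$WORK/cheatsheets/cheatsheets/IndexProactiveControls.md"
sed -i 's/cheatsheets\///g' "$WORK/cheatsheets/cheatsheets/IndexTopTen.md"
echo "Step 4/5: Generate the site."
# Abort if the work folder cannot be entered: every path below, including the
# "rm -rf" cleanup of step 5, is relative to it and would otherwise run in the
# scripts directory.
cd "$WORK" || { echo "Cannot enter the work folder $WORK, generation failed!"; exit 1; }
gitbook install --log=error
# $WORK is a relative path ("../generated"); evaluated from inside that folder it
# points back to the folder itself, so the output lands in $WORK/site.
gitbook build . "$WORK/$GENERATED_SITE" --log=info
if [[ $? != 0 ]]
then
    echo "Error detected during the generation of the site, generation failed!"
    exit 1
fi
# Move the generated RSS feed
mv News.xml site/.
# Replace the default favicon by the OWASP one
# I did not achieve to find a stable and "trustable" gitbook plugin to do that
# So I only replace the default images: https://www.npmjs.com/search?q=gitbook%20favicon
cp ../assets/WebSite_Favicon.png site/gitbook/images/apple-touch-icon-precomposed-152.png
cp ../assets/WebSite_Favicon.ico site/gitbook/images/favicon.ico
echo "Step 5/5: Cleanup."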
57 | rm -rf cheatsheets 58 | rm -rf node_modules 59 | rm book.json 60 | echo "Generation finished to the folder: $WORK/$GENERATED_SITE" 61 | -------------------------------------------------------------------------------- /scripts/Generate_Technologies_JSON.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Python3 script to generate a JSON structure with the list of 5 | all cheatsheets classified by the technology used in the samples 6 | of code provided using the alphabetical index as source: 7 | https://raw.githubusercontent.com/OWASP/CheatSheetSeries/master/Index.md 8 | 9 | Do not require to have a local copy of the GitHub repository. 10 | 11 | Dependencies: pip install requests 12 | """ 13 | import sys 14 | import requests 15 | import json 16 | from collections import OrderedDict 17 | 18 | # Define templates 19 | CS_BASE_URL = "https://cheatsheetseries.owasp.org/cheatsheets/%s.html" 20 | 21 | # Grab the index MD source from the GitHub repository 22 | response = requests.get( 23 | "https://raw.githubusercontent.com/OWASP/CheatSheetSeries/master/Index.md") 24 | if response.status_code != 200: 25 | print("Cannot load the INDEX content: HTTP %s received!" 
% 26 | response.status_code) 27 | sys.exit(1) 28 | else: 29 | data = OrderedDict({}) 30 | for line in response.text.split("\n"): 31 | if "(assets/Index_" in line: 32 | work = line.strip() 33 | # Extract the name of the CS 34 | cs_name = work[1:work.index("]")] 35 | # Extract technologies and map the CS to them 36 | technologies = work.split("!")[1:] 37 | for technology in technologies: 38 | technology_name = technology[1:technology.index("]")].upper() 39 | if technology_name not in data: 40 | data[technology_name] = [] 41 | data[technology_name].append( 42 | {"CS_NAME": cs_name, "CS_URL": CS_BASE_URL % cs_name.replace(" ", "_")}) 43 | # Display the built structure and formatted JSON 44 | print(json.dumps(data, sort_keys=True, indent=1)) 45 | sys.exit(0) 46 | -------------------------------------------------------------------------------- /scripts/Identify_Old_Issue_And_PR.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Python3 script to identify any Issue or PR meeting the following criteria: 5 | - For Issue (Comments of the issue do not contain the info when a PR is referenced): 6 | - Has assignees 7 | - Has not the label HELP_WANTED or INTERNAL 8 | - Has not been updated since more than 1 month 9 | - For PR: 10 | - Has the label WAITING_UPDATE 11 | - Has not been updated since more than 1 month 12 | 13 | Do not require to have a local copy of the GitHub repository. 
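Dependencies: pip install requests
"""
import sys
import requests
import json
from datetime import datetime, timezone

# Define constants
## API to retrieve the list of Issues/PR (GitHub REST API v3 considers every pull request an issue, but not every issue is a pull request)
## Ask to the API to sort the list by the updated date in order to have the oldest on the top on the list
## See https://developer.github.com/v3/issues/#list-issues-for-a-repository for explanation
## NOTE(review): the GitHub REST API caps per_page at 100 and only page 1 is requested,
## so at most the 100 least recently updated open items are examined; confirm that is
## enough for this repository's volume (the call is also unauthenticated, hence rate-limited).
ISSUE_API = "https://api.github.com/repos/OWASP/CheatSheetSeries/issues?page=1&per_page=1000&sort=updated&direction=asc"
## Expiration delay, in months (a month is approximated as 30 days below)
MAX_MONTHS_ALLOWED = 1
## Network timeout in seconds, so a hung API or webhook call cannot stall the workflow
REQUEST_TIMEOUT = 30

# Define utility function: Cf criteria in the comment of the script for the criteria
def is_old_issue(issue):
    """Return True if an issue has assignees and carries neither HELP_WANTED nor INTERNAL.

    :param issue: one item of the GitHub "list issues" response (dict with "assignees" and "labels").
    The "not updated for more than a month" criterion is checked by the caller.
    """
    has_assignees = len(issue["assignees"]) > 0
    label_names = {label["name"] for label in issue["labels"]}
    return has_assignees and "HELP_WANTED" not in label_names and "INTERNAL" not in label_names

def is_old_pull_request(issue):
    """Return True if a pull request carries the WAITING_UPDATE label.

    :param issue: one item of the GitHub "list issues" response (dict with "labels").
    The "not updated for more than a month" criterion is checked by the caller.
    """
    return any(label["name"] == "WAITING_UPDATE" for label in issue["labels"])

# Grab the list of open Issues/PR
buffer = "Grab the list of open Issues/PR via the GitHub API...\n"
response = requests.get(ISSUE_API, timeout=REQUEST_TIMEOUT)
if response.status_code != 200:
    print("Cannot load the list of Issues/PR content: HTTP %s received!" % response.status_code)
    sys.exit(1)
issues = response.json()

# Process the obtained list
buffer += "Process the obtained list (%s items)...\n" % len(issues)
old_issues = {"PR": [], "ISSUE": []}
# GitHub timestamps are UTC ("Z" suffix): compare against an aware UTC "now" rather
# than the local-time datetime.today(), which skewed the age by the machine's UTC offset.
now = datetime.now(timezone.utc)
for issue in issues:
    # Date format is 2019-08-24T15:29:55Z
    last_update = datetime.strptime(issue["updated_at"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    diff_in_months = round(abs((now - last_update).days / 30))
    if diff_in_months > MAX_MONTHS_ALLOWED:
        number = str(issue["number"])
        # The issues endpoint returns PRs too; only items with a "pull_request" key are PRs.
        # A PR without the WAITING_UPDATE label falls through to the issue criteria (unchanged).
        if "pull_request" in issue and is_old_pull_request(issue):
            old_issues["PR"].append(number)
        elif is_old_issue(issue):
            old_issues["ISSUE"].append(number)

# Render the result
if (len(old_issues["PR"]) + len(old_issues["ISSUE"])) != 0:
    buffer += "State:\n"
    if len(old_issues["PR"]) > 0:
        buffer += "Old pull request identified (%s items): %s\n" % (len(old_issues["PR"]), " / ".join(old_issues["PR"]))
    if len(old_issues["ISSUE"]) > 0:
        buffer += "Old issue identified (%s items): %s\n" % (len(old_issues["ISSUE"]), " / ".join(old_issues["ISSUE"]))
else:
    buffer += "State: Nothing identified!"
print(buffer)

# Send notification the project management channel on Slack if the url of the webhook is passed as unique first parameter
if len(sys.argv) == 2:
    if (len(old_issues["PR"]) + len(old_issues["ISSUE"])) == 0:
        color = "good"
    else:
        color = "warning"
    # Serialise with json.dumps instead of %-formatting a JSON template: the old
    # template passed its arguments in the wrong order (color ended up in "fallback"
    # and the report text in "color") and embedded the report's raw newlines, which
    # is not valid JSON. json.dumps also escapes the report text correctly.
    payload = {
        "text": "Old PR and Issue identification watchdog",
        "attachments": [
            {"fallback": buffer, "color": color, "title": "Status", "text": buffer}
        ],
    }
    request_headers = {"Content-Type": "application/json"}
    response = requests.post(sys.argv[1], headers=request_headers, data=json.dumps(payload), timeout=REQUEST_TIMEOUT)
    if response.status_code != 200:
        print("Cannot send notification to slack: HTTP %s received!"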
% response.status_code) 97 | sys.exit(2) -------------------------------------------------------------------------------- /scripts/Update_CheatSheets_Index.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """ 4 | Python3 script to generate the index markdown page that 5 | reference all cheat sheets grouped by the first letter. 6 | 7 | The index markdown page is located on the root folder 8 | and is named "Index.md". 9 | """ 10 | import os 11 | from collections import OrderedDict 12 | 13 | # Define utility functions 14 | def extract_languages_snippet_provided(cheatsheet): 15 | languages = [] 16 | markers = ["javascript", "java", "csharp", "c", "cpp", "html", "xml", "python", 17 | "ruby", "php", "json", "sql", "bash", "shell", "coldfusion", "perl", 18 | "vbnet"] 19 | with open("../cheatsheets/" + cheatsheet, encoding="utf8") as cs_file: 20 | cs_content = cs_file.read().lower().replace(" ","") 21 | for marker in markers: 22 | if "```" + marker + "\n" in cs_content: 23 | languages.append(marker.capitalize()) 24 | return languages 25 | 26 | # Define templates 27 | cs_md_link_template = "[%s](cheatsheets/%s)" 28 | language_md_link_template = "![%s](assets/Index_%s.svg)" 29 | header_template = "## %s\n\n" 30 | top_menu_template = "[%s](Index.md#%s)" 31 | cs_count_template = "**%s** cheat sheets available." 
32 | cs_index_title_template = "# Index Alphabetical\n\n" 33 | 34 | # Scan all CS files 35 | index = {} 36 | cs_count = 0 37 | cheatsheets = [f.name for f in os.scandir("../cheatsheets") if f.is_file()] 38 | for cheatsheet in cheatsheets: 39 | letter = cheatsheet[0].upper() 40 | if letter not in index: 41 | index[letter] = [cheatsheet] 42 | else: 43 | index[letter].append(cheatsheet) 44 | cs_count += 1 45 | index = OrderedDict(sorted(index.items())) 46 | 47 | # Generate the index file 48 | with open("../Index.md", "w", encoding="utf-8") as index_file: 49 | index_file.write(cs_index_title_template) 50 | index_count = len(index) 51 | index_file.write(cs_count_template % cs_count) 52 | index_file.write("\n\n*Icons beside the cheat sheet name indicate in which language(s) code snippet(s) are provided.*") 53 | index_file.write("\n\n") 54 | # Generate the top menu 55 | for letter in index: 56 | index_file.write(top_menu_template % (letter, letter.lower())) 57 | index_file.write(" ") 58 | index_file.write("\n\n") 59 | # Generate letter sections 60 | j = 0 61 | for letter in index: 62 | cs_count = len(index[letter]) 63 | index_file.write(header_template % letter) 64 | i = 0 65 | for cs_file in index[letter]: 66 | cs_name = cs_file.replace("_", " ").replace(".md", "").strip() 67 | index_file.write(cs_md_link_template % (cs_name, cs_file)) 68 | languages = extract_languages_snippet_provided(cs_file) 69 | if len(languages) > 0: 70 | index_file.write(" ") 71 | for language in languages: 72 | index_file.write(language_md_link_template % (language, language)) 73 | index_file.write(" ") 74 | i += 1 75 | index_file.write("\n") 76 | if i != cs_count: 77 | index_file.write("\n") 78 | j += 1 79 | if j != index_count: 80 | index_file.write("\n") 81 | 82 | # Clean trailing whitespaces 83 | with open("../Index.md", "r", encoding="utf-8") as file: 84 | cleaned_lines = [line.rstrip() + "\n" for line in file] 85 | 86 | with open("../Index.md", "w", encoding="utf-8") as file: 87 | 
file.writelines(cleaned_lines) 88 | 89 | print("Index updated.") 90 | -------------------------------------------------------------------------------- /templates/New_CheatSheet.md: -------------------------------------------------------------------------------- 1 | # `Topic` Cheat Sheet 2 | 3 | **Replace `Topic` with the topic you're tackling, such as `Authentication` and remove this line** 4 | 5 | ```markdown 6 | # Mandatory Markdown Format Rules 7 | 8 | **!!! REMOVE THIS BLOCK BEFORE TO SUBMIT YOUR CHEAT SHEET VIA PULL REQUEST !!!** 9 | 10 | - Use this [editor and validation policy](https://github.com/OWASP/CheatSheetSeries#editor--validation-policy). 11 | - Use these [format rules](https://github.com/OWASP/CheatSheetSeries#conversion-rules). 12 | ``` 13 | 14 | ## Introduction 15 | 16 | Provide high level information about the topic in order to introduce it to people that do not know it. 17 | 18 | You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS. 19 | 20 | You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file. 21 | 22 | ## Main Sections 23 | 24 | The main sections will vary based on the content of the cheat sheet. Generally there should be no more than half a dozen level 2 sections in the cheat sheet, with subsections created for these as required. 25 | 26 | ## References 27 | 28 | Any useful references to other useful resources that aren't linked inline elsewhere in the cheat sheet. 29 | --------------------------------------------------------------------------------