sql-cheat-sheet-for-data-scientists-by-tomi-mester.pdf
The ideal use case of this cheat sheet is that you print it in color and keep it next to you while you are learning and practicing SQL on your computer. Enjoy!
Python For Data Science Cheat Sheet
Python For Data Science Cheat Sheet. Python Basics. Learn More Python for Data Read and Write to SQL Query or Database Table. >>> from sqlalchemy import ...
SQL Window Functions Cheat Sheet (A4)
specifies the order of rows in each partition to which the window function is applied. LOGICAL ORDER OF OPERATIONS IN SQL. SYNTAX. Named Window Definition.
Data Wrangling - with pandas Cheat Sheet http://pandas.pydata.org
Use df.at[] and df.iat[] to access a single value by row and column. First index selects rows, second index columns. Cheatsheet
ChatGPT-Cheat-Sheet.pdf
Simulate a job interview for a [position] by asking and answering questions as if Automate Data Science Tasks: Translate my Python code to R. Turn this SQL ...
Cheat Sheet: The pandas DataFrame Object
• merge (a database/SQL-like join operation). • concat (stack side by side or Version: This cheat sheet was last updated with. Python 3.6 and pandas 0.19.2 ...
Sql for data science
Sql for data science peer graded assignment. Sql interview questions for data science. Sql for data science great learning. Sql cheat sheet for data science pdf
SQL-Cheat-Sheet.pdf
If you want to learn everything SQL has to offer and become a SQL expert check out my Complete SQL Mastery Course. Use the coupon code CHEATSHEET upon checkout
base R cheat-sheet
Cheat Sheet. RStudio® is a trademark of RStudio Inc. • CC BY Mhairi McNeill • mhairihmcneill@gmail.com. Learn more at web page or vignette • package version
Product Case Interview Cheat Sheet
technical interviews like SQL and coding. That's what this cheat sheet is here to help fix! This sheet walks you through several sample problems and gives
Cheat sheet PySpark SQL Python.indd
Python For Data Science Cheat Sheet Spark SQL is Apache Spark's module for working with structured data. >>> from pyspark.sql import SparkSession.
Python For Data Science Cheat Sheet
Python For Data Science Cheat Sheet. Python Basics. Learn More Python for Data Science Interactively at Read and Write to SQL Query or Database Table.
PostgreSQL CHEAT SHEET http://www.postgresqltutorial.com
USING SQL OPERATORS. SELECT c1, c2 FROM t ORDER BY c1 LIMIT n OFFSET offset; Skip offset rows and return the next n rows. SELECT c1
SQL Server Integration Service CHEAT SHEET
CHEAT SHEET. SSIS Basics SSDT: Referred to as SQL Server Data Tools which is used ... SSIS is a component of Microsoft SQL Server database which can be.
OWASP Cheat Sheets
Sep 27 2009 20 SQL Injection Prevention Cheat Sheet ... the application
Programming with mosh sql cheat sheet
Programming with mosh sql cheat sheet Each module contains information and activities related to real-life jobs or interview-related tasks.
OWASP 2012 Board Interviews – Jim Manico Adam: What are your
coding like query parameterization cheat sheet
PL/SQL Interview Questions - tutorialspoint
Dear readers, these PL/SQL Interview Questions have been designed specially to get you acquainted with the nature of questions you may encounter during your
CODE REVIEW GUIDE
In this case the application will be vulnerable to SQL injection attack as identified word lengths see the OWASP Authentication Cheat Sheet.
133-29: Assessing SAS Skill Level During the Interviewing Process
Specific interviewing approaches suggested topics
SQL Cheat Sheet - Download in PDF & JPG Format - Intellipaat
10 Jan 2023 · This part of the SQL tutorial includes the SQL cheat sheet. Here you will learn various aspects of SQL that are possibly asked in the interviews
SQL Cheat Sheet (2023) - InterviewBit
Take a free mock interview, get instant feedback and recommendation. You can download a PDF version of the SQL Cheat Sheet. Download PDF
SQL Cheat Sheet free download
6 Feb 2023 · This cheat sheet you can easily use in your student journey or professional journey too. You can say that all SQL queries and its syntax on
SQL Cheat Sheet Download PDF it in PDF or PNG Format
This 3-page SQL Cheat Sheet provides you with the most commonly used SQL statements. Download the SQL cheat sheet, print it out and stick it to your desk.
SQL Cheat Sheet for Quick Reference [PDF Download] - Hackrio
28 Mar 2023 · SQL knowledge is incredibly valuable. Use our SQL cheat sheet as a quick reference for major SQL concepts or to boost your SQL skills and
[PDF] CHEAT SHEET - Data36com
Enjoy! Cheers, Tomi Mester *The workshops and courses I mentioned: Online SQL tutorial (free): data36.com/
Ultimate SQL Cheat Sheet 2023 (Download PDF)
25 Mar 2021 · Ultimate SQL Cheat Sheet 2023 (Download PDF): Queries, Commands, Etc. This ultimate SQL Cheatsheet has been created to help you understand
SQL cheat sheetpdf - SlideShare
1 May 2023 · Ultimate SQL Cheat Sheet. What is a Database? Before we get started with the SQL Cheat Sheet we need to understand what is a database and why do
Yuvraj Garg on LinkedIn: SQL CheatSheet 62 comments
SQL Cheatsheet: You do not just need to write DSA code in interviews. The pdf of SQL interview questions below covers a range of topics
SQL Cheat Sheet SQL Queries Revision in 5 Mins - GlobalSQA
So it's always good to have a brush-up whenever needed, like before going for an interview. Thanks to the author for creating this SQL cheat sheet and helping
How do I prepare for SQL interview?
How can I memorize SQL queries easily? So try to memorise the following consecutive statements: SELECT, FROM, WHERE. Next, remember that the SELECT statement refers to the column names, the FROM keyword refers to the table/database used, and the WHERE clause refers to specific conditions that are investigated by the user.
How do I practice SQL questions? 17 Best Platforms to Practice SQL. Looking to level up your SQL skills? 2. HackerRank. From software engineering to data analytics, HackerRank is one of the best platforms for practicing coding interview questions. 3. SQLPad. 4. StrataScratch. 5. DataLemur. 6. LeetCode. 7. Mode. 8. SQLZoo.
Complex SQL Interview Questions for Practice
Define and describe the usage of a linked server. Name and explain the different types of Joins. Explain the different types of authentication modes. Which stored procedure would you run when adding a linked server?
OWASP Cheat Sheets
Martin Woschek, owasp@jesterweb.de
April 9, 2015
Contents
I Developer Cheat Sheets (Builder) 11
1 Authentication Cheat Sheet12
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.2 Authentication General Guidelines . . . . . . . . . . . . . . . . . . . . . . . 12
1.3 Use of authentication protocols that require no password . . . . . . . . . . 17
1.4 Session Management General Guidelines . . . . . . . . . . . . . . . . . . . 19
1.5 Password Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2 Choosing and Using Security Questions Cheat Sheet20
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2 The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.3 Choosing Security Questions and/or Identity Data . . . . . . . . . . . . . . 20
2.4 Using Security Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.5 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3 Clickjacking Defense Cheat Sheet26
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2 Defending with Content Security Policy frame-ancestors directive . . . . . 26
3.3 Defending with X-Frame-Options Response Headers . . . . . . . . . . . . . 26
3.4 Best-for-now Legacy Browser Frame Breaking Script . . . . . . . . . . . . . 28
3.5 window.confirm() Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.6 Non-Working Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.7 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4 C-Based Toolchain Hardening Cheat Sheet34
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.2 Actionable Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.3 Build Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.4 Library Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4.5 Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.6 Platform Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.7 Authors and Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5 Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet40
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
5.2 Prevention Measures That Do NOT Work . . . . . . . . . . . . . . . . . . . . 40
5.3 General Recommendation: Synchronizer Token Pattern . . . . . . . . . . . 41
5.4 CSRF Prevention without a Synchronizer Token . . . . . . . . . . . . . . . 44
5.5 Client/User Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2Contents
5.6 No Cross-Site Scripting (XSS) Vulnerabilities . . . . . . . . . . . . . . . . . 45
5.7 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
6 Cryptographic Storage Cheat Sheet47
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
6.2 Providing Cryptographic Functionality . . . . . . . . . . . . . . . . . . . . . 47
6.3 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
7 DOM based XSS Prevention Cheat Sheet54
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
7.2 Guidelines for Developing Secure Applications Utilizing JavaScript . . . . 59
7.3 Common Problems Associated with Mitigating DOM Based XSS . . . . . . 62
7.4 Authors and Contributing Editors . . . . . . . . . . . . . . . . . . . . . . . . 63
7.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
8 Forgot Password Cheat Sheet65
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8.2 The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8.3 Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
8.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
9 HTML5 Security Cheat Sheet67
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
9.2 Communication APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
9.3 Storage APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
9.4 Geolocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
9.5 Web Workers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
9.6 Sandboxed frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
9.7 Offline Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
9.8 Progressive Enhancements and Graceful Degradation Risks . . . . . . . . 71
9.9 HTTP Headers to enhance security . . . . . . . . . . . . . . . . . . . . . . . 71
9.10 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
9.11 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
10 Input Validation Cheat Sheet73
10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
10.2 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
10.3 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
11 JAAS Cheat Sheet75
11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
11.2 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
11.3 Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
11.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
11.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
12 Logging Cheat Sheet80
12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
12.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
12.3 Design, implementation and testing . . . . . . . . . . . . . . . . . . . . . . . 81
12.4 Deployment and operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
3Contents
12.5 Related articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
12.6 Authors and Primary Contributors . . . . . . . . . . . . . . . . . . . . . . . 89
12.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
13 .NET Security Cheat Sheet91
13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
13.2 .NET Framework Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
13.3 ASP.NET Web Forms Guidance . . . . . . . . . . . . . . . . . . . . . . . . . 92
13.4 ASP.NET MVC Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
13.5 XAML Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
13.6 Windows Forms Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
13.7 WCF Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
13.8 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
13.9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
14 Password Storage Cheat Sheet98
14.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
14.2 Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
14.3 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
14.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
14.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
15 Pinning Cheat Sheet102
15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
15.2 What"s the problem? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
15.3 What Is Pinning? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
15.4 What Should Be Pinned? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
15.5 Examples of Pinning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
15.6 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
15.7 Authors and Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
15.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
16 Query Parameterization Cheat Sheet107
16.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
16.2 Parameterized Query Examples . . . . . . . . . . . . . . . . . . . . . . . . . 107
16.3 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
16.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
16.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
17 Ruby on Rails Cheatsheet111
17.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
17.2 Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
17.3 Updating Rails and Having a Process for Updating Dependencies . . . . . 117
17.4 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
17.5 Further Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
17.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
17.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
18 REST Security Cheat Sheet120
18.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
18.2 Authentication and session management . . . . . . . . . . . . . . . . . . . 120
18.3 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
18.4 Input validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
18.5 Output encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
18.6 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4Contents
18.7 Authors and primary editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
18.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
19 Session Management Cheat Sheet126
19.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
19.2 Session ID Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
19.3 Session Management Implementation . . . . . . . . . . . . . . . . . . . . . 128
19.4 Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
19.5 Session ID Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
19.6 Session Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
19.7 Additional Client-Side Defenses for Session Management . . . . . . . . . . 134
19.8 Session Attacks Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
19.9 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
19.10Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
19.11References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
20 SQL Injection Prevention Cheat Sheet139
20.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
20.2 Primary Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
20.3 Additional Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
20.4 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
20.5 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
20.6 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
21 Transport Layer Protection Cheat Sheet149
21.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
21.2 Providing Transport Layer Protection with SSL/TLS . . . . . . . . . . . . . 149
21.3 Providing Transport Layer Protection for Back End and Other Connections161
21.4 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
21.5 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
21.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
21.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
22 Unvalidated Redirects and Forwards Cheat Sheet166
22.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
22.2 Safe URL Redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
22.3 Dangerous URL Redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
22.4 Preventing Unvalidated Redirects and Forwards . . . . . . . . . . . . . . . 168
22.5 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
22.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
22.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
23 User Privacy Protection Cheat Sheet170
23.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
23.2 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
23.3 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
23.4 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
24 Web Service Security Cheat Sheet175
24.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
24.2 Transport Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
24.3 Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
24.4 User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
24.5 Transport Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
24.6 Message Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
5Contents
24.7 Message Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
24.8 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
24.9 Schema Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
24.10Content Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
24.11Output Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
24.12Virus Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
24.13Message Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
24.14Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
24.15Endpoint Security Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
24.16Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
24.17References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
25 XSS (Cross Site Scripting) Prevention Cheat Sheet179
25.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
25.2 XSS Prevention Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
25.3 XSS Prevention Rules Summary . . . . . . . . . . . . . . . . . . . . . . . . . 186
25.4 Output Encoding Rules Summary . . . . . . . . . . . . . . . . . . . . . . . . 188
25.5 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
25.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
25.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
II Assessment Cheat Sheets (Breaker) 191
26 Attack Surface Analysis Cheat Sheet192
26.1 What is Attack Surface Analysis and Why is it Important? . . . . . . . . . 192
26.2 Defining the Attack Surface of an Application . . . . . . . . . . . . . . . . . 192
26.3 Identifying and Mapping the Attack Surface . . . . . . . . . . . . . . . . . . 193
26.4 Measuring and Assessing the Attack Surface . . . . . . . . . . . . . . . . . 194
26.5 Managing the Attack Surface . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
26.6 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
26.7 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
26.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
27 XSS Filter Evasion Cheat Sheet197
27.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
27.2 Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
27.3 Character Encoding and IP Obfuscation Calculators . . . . . . . . . . . . . 219
27.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
27.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
28 REST Assessment Cheat Sheet221
28.1 About RESTful Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
28.2 Key relevant properties of RESTful web services . . . . . . . . . . . . . . . . 221
28.3 The challenge of security testing RESTful web services . . . . . . . . . . . . 221
28.4 How to pen test a RESTful web service? . . . . . . . . . . . . . . . . . . . . 222
28.5 Related Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
28.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
28.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
III Mobile Cheat Sheets 224
29 IOS Developer Cheat Sheet225
29.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
6Contents
29.2 Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
29.3 Remediation"s to OWASP Mobile Top 10 Risks . . . . . . . . . . . . . . . . . 225
29.4 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
29.5 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
29.6 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
30 Mobile Jailbreaking Cheat Sheet231
30.1 What is "jailbreaking", "rooting" and "unlocking"? . . . . . . . . . . . . . . . 231
30.2 Why do they occur? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
30.3 What are the common tools used? . . . . . . . . . . . . . . . . . . . . . . . . 233
30.4 Why can it be dangerous? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
30.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
30.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
30.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
IV OpSec Cheat Sheets (Defender) 240
31 Virtual Patching Cheat Sheet241
31.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
31.2 Definition: Virtual Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
31.3 Why Not Just Fix the Code? . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
31.4 Value of Virtual Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
31.5 Virtual Patching Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
31.6 A Virtual Patching Methodology . . . . . . . . . . . . . . . . . . . . . . . . . 242
31.7 Example Public Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
31.8 Preparation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
31.9 Identification Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
31.10Analysis Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
31.11Virtual Patch Creation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
31.12Implementation/Testing Phase . . . . . . . . . . . . . . . . . . . . . . . . . 247
31.13Recovery/Follow-Up Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
31.14Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
31.15Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
31.16References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
V Draft Cheat Sheets 249
32 OWASP Top Ten Cheat Sheet251
33 Access Control Cheat Sheet252
33.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
33.2 Attacks on Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
33.3 Access Control Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
33.4 Access Control Anti-Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
33.5 Attacking Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
33.6 Testing for Broken Access Control . . . . . . . . . . . . . . . . . . . . . . . . 256
33.7 Defenses Against Access Control Attacks . . . . . . . . . . . . . . . . . . . . 257
33.8 Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
33.9 SQL Integrated Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 258
33.10Access Control Positive Patterns . . . . . . . . . . . . . . . . . . . . . . . . . 259
33.11Data Contextual Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 259
33.12Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
7Contents
34 Application Security Architecture Cheat Sheet260
34.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
34.2 Business Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
34.3 Infrastructure Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
34.4 Application Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
34.5 Security Program Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 263
34.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
35 Business Logic Security Cheat Sheet265
35.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
35.2 What is a Business Logic Vulnerability? . . . . . . . . . . . . . . . . . . . . 265
35.3 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
35.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
36 PHP Security Cheat Sheet268
36.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
36.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
36.3 Untrusted data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
36.4 Database Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
36.5 Other Injection Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
36.6 XSS Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
36.7 CSRF Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
36.8 Authentication and Session Management Cheat Sheet . . . . . . . . . . . . 277
36.9 Configuration and Deployment Cheat Sheet . . . . . . . . . . . . . . . . . . 280
36.10Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
37 Secure Coding Cheat Sheet281
37.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
37.2 How To Use This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
37.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
37.4 Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
37.5 Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
37.6 Input Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
37.7 Output Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
37.8 Cross Domain Request Forgery . . . . . . . . . . . . . . . . . . . . . . . . . 285
37.9 Secure Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
37.10 File Uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
37.11 Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
38 Secure SDLC Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
38.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
38.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
38.3 Implementing a secure software development life cycle (S-SDLC) . . . . . . 288
38.4 Related articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
38.5 Authors and primary contributors . . . . . . . . . . . . . . . . . . . . . . . . 292
39 Threat Modeling Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
40 Web Application Security Testing Cheat Sheet . . . . . . . . . . . . . . . . . . . . 294
40.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
40.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
40.3 The Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
40.4 Other Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
40.5 Authors and primary contributors . . . . . . . . . . . . . . . . . . . . . . . . 299
40.6 Other Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
40.7 Related articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
41 Grails Secure Code Review Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . 301
42 IOS Application Security Testing Cheat Sheet . . . . . . . . . . . . . . . . . . . . 302
42.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
42.2 Information gathering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
42.3 Application traffic analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
42.4 Runtime analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
42.5 Insecure data storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
42.6 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
42.7 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
42.8 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
43 Key Management Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
44 Insecure Direct Object Reference Prevention Cheat Sheet . . . . . . . . . . . . . . 308
44.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
44.2 Architectural Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
44.3 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
45 Content Security Policy Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . 309
45.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
45.2 CSP Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
45.3 CSP Sample Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
45.4 CSP Cheat Sheet - Guide for main technologies . . . . . . . . . . . . . . . . 311
45.5 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
45.6 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
These Cheat Sheets have been taken from the OWASP project on https://www.owasp.org. While this document is static, the online source is continuously improved and expanded. So please visit https://www.owasp.org if you have any doubt about the accuracy or currency of this PDF, or simply if this document is too old. All the articles are licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported license.[1]

[1] I have slightly reformatted and/or resectioned them in this work (which of course also is CC BY-SA 3.0).

Part I.
Developer Cheat Sheets (Builder)
1. Authentication Cheat Sheet
Last revision (mm/dd/yy): 02/24/2015
1.1. Introduction
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.

Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.

1.2. Authentication General Guidelines
1.2.1. User IDs
Make sure your usernames/user IDs are case insensitive. It would be very strange for user "smith" and user "Smith" to be different users, and it could result in serious confusion.

Email address as a User ID
Many sites use email addresses as a user ID, which is a good mechanism for ensuring a unique identifier for each user without adding the burden of remembering a new username. However, many web applications do not treat email addresses correctly due to common misconceptions about what constitutes a valid address. Specifically, it is completely valid to have a mailbox address which:

• Is case sensitive in the local-part
• Has non-alphanumeric characters in the local-part (including + and, inside a quoted local-part, @)
• Has zero or more labels in the domain (though zero is admittedly not going to occur)

The local-part is the part of the mailbox address to the left of the rightmost @ character. The domain is the part of the mailbox address to the right of the rightmost @ character and consists of zero or more labels joined by a period character. At the time of writing, RFC 5321 [2] is the current standard defining SMTP and what constitutes a valid mailbox address.

Validation
Many web applications contain computationally expensive and inaccurate regular expressions that attempt to validate email addresses. Recent changes to the landscape mean that the number of false negatives will increase, particularly due to:

• Increased popularity of sub-addressing by providers such as Gmail (commonly using + as a token in the local-part to affect delivery)
• New gTLDs with long names (many regular expressions check the number and length of each label in the domain)

Following RFC 5321, best practice for validating an email address would be to:

• Check for the presence of at least one @ symbol in the address
• Ensure the local-part is no longer than 64 octets
• Ensure the domain is no longer than 255 octets
• Ensure the address is deliverable

The only way to ensure an address is deliverable is to send the user an email and have the user take action to confirm receipt. Beyond confirming that the email address is valid and deliverable, this also provides a positive acknowledgement that the user has access to the mailbox and is likely to be authorised to use it.

Address Normalisation
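The following is an added example in Python, not code from the OWASP cheat sheet, that implements the RFC 5321 checks listed above (split at the rightmost @, 64-octet local-part, 255-octet domain, no regular expression) together with the normalisation rule of this section: lowercase only the domain for storage, and compare accounts with lowercase(provided) == lowercase(persisted). The function names and the sample addresses are constructed for illustration; the octet limits come from RFC 5321 sections 4.5.3.1.1 and 4.5.3.1.2.

```python
"""RFC 5321-style email address checks and normalisation (added example)."""

MAX_LOCAL_PART_OCTETS = 64   # RFC 5321 section 4.5.3.1.1
MAX_DOMAIN_OCTETS = 255      # RFC 5321 section 4.5.3.1.2


def split_address(address: str) -> tuple[str, str]:
    """Split a mailbox address at the RIGHTMOST '@'.

    The local-part may itself contain '@' (inside a quoted string); the
    domain never does, so splitting at the first '@' would be wrong.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("address needs a local-part, an '@' and a domain")
    return local, domain


def is_syntactically_acceptable(address: str) -> bool:
    """The three checks the cheat sheet derives from RFC 5321.

    Deliberately no regular expression: sub-addresses such as
    'user+tag@example.com' and long new gTLDs pass untouched. The fourth
    check, deliverability, can only be done by sending a confirmation mail.
    """
    try:
        local, domain = split_address(address)
    except ValueError:
        return False
    if len(local.encode("utf-8")) > MAX_LOCAL_PART_OCTETS:
        return False
    if len(domain.encode("utf-8")) > MAX_DOMAIN_OCTETS:
        return False
    return True


def normalise_for_storage(address: str) -> str:
    """Lowercase ONLY the domain; the local-part is case sensitive and is
    persisted exactly as the user provided (and later verified) it."""
    local, domain = split_address(address)
    return f"{local}@{domain.lower()}"


def same_account(provided: str, persisted: str) -> bool:
    """Lookup comparison for sites that accept a single capitalisation per
    address: lowercase(provided) == lowercase(persisted). Both sides are
    lowercased in full, so 'John.Smith@example.com' reaches the account
    stored as 'john.smith@example.com' although the local-parts differ."""
    return provided.lower() == persisted.lower()


# Constructed sample inputs with their expected verdicts, not real accounts.
SAMPLES = {
    "first.last+newsletter@example.com": True,   # sub-addressing with '+'
    '"odd@local"@example.com': True,             # '@' inside a quoted local-part
    "user@sub.example.technology": True,         # long new gTLD label
    "no-at-sign.example.com": False,             # no '@' at all
    "a" * 65 + "@example.com": False,            # local-part over 64 octets
    "user@" + "x" * 256: False,                  # domain over 255 octets
}


def run_samples() -> dict[str, bool]:
    """Return the verdict for every constructed sample address."""
    return {address: is_syntactically_acceptable(address) for address in SAMPLES}


if __name__ == "__main__":
    for address, verdict in run_samples().items():
        print(f"{str(verdict):5} {address[:40]}")
```

The checks stop at syntax on purpose: whether the mailbox exists and belongs to the user is established by the confirmation email described above, not by the parser.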
As the local-part of an email address is, in fact, case sensitive, it is important to store and compare email addresses correctly. To normalise an email address input, convert the domain part ONLY to lowercase. Unfortunately this does make input harder to normalise and correctly match to a user's intent. It is reasonable to only accept one unique capitalisation of an otherwise identical address; however, in this case it is critical to:

• Store the user-part as provided and verified by user verification
• Perform comparisons by lowercase(provided) == lowercase(persisted)

1.2.2. Implement Proper Password Strength Controls
A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password through either manual or automated means. The following characteristics define a strong password:

1.2.2.1. Password Length
Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

• Minimum length of the passwords should be enforced by the application.
  - Passwords shorter than 10 characters are considered to be weak [3].
  While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combinations of words) that can be much longer than typical passwords and yet much easier to remember.
• Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
  - Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters.
• Every character counts!
  - Make sure that every character the user types in is actually included in the password. We've seen systems that truncate the password at a length shorter than what the user provided (e.g., truncated at 15 characters when they entered 20).
  - This is usually handled by setting the length of ALL password input fields to be exactly the same length as the maximum length password. This is particularly important if your max password length is short, like 20-30 characters.

1.2.2.2. Password Complexity
Applications should enforce password complexity rules to discourage easy to guess passwords. Password mechanisms should allow virtually any character the user can type to be part of their password, including the space character. Passwords should, obviously, be case sensitive in order to increase their complexity. Occasionally, we find systems where passwords aren't case sensitive, frequently due to legacy system issues like old mainframes that didn't have case sensitive passwords. The password change mechanism should require a minimum level of complexity that makes sense for the application and its user population. For example:

• Password must meet at least 3 out of the following 4 complexity rules
  - at least 1 uppercase character (A-Z)
  - at least 1 lowercase character (a-z)
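Here is an added example in Python, not code from the OWASP cheat sheet, of a password change check that applies the length rules of 1.2.2.1 and the "at least 3 out of 4" complexity rule above to the full password, rejecting over-long input rather than truncating it. The page reproduced here lists only the first two of the four complexity rules; the digit and non-alphanumeric rules in the example are assumed for illustration, as are the names MIN_LENGTH and MAX_LENGTH (their values, 10 and 128, are the figures given above) and the sample passwords.

```python
"""Password strength policy for a password change form (added example)."""
from dataclasses import dataclass, field
from typing import Callable

MIN_LENGTH = 10    # the cheat sheet calls anything shorter weak
MAX_LENGTH = 128   # typical maximum, high enough for passphrases

# "At least 3 out of the following 4 complexity rules". The page shows only
# the first two; the digit and non-alphanumeric rules are ASSUMED for
# illustration and can be swapped for whatever the application needs.
COMPLEXITY_RULES: dict[str, Callable[[str], bool]] = {
    "uppercase (A-Z)": lambda p: any("A" <= c <= "Z" for c in p),
    "lowercase (a-z)": lambda p: any("a" <= c <= "z" for c in p),
    "digit (assumed rule)": lambda p: any(c.isdigit() for c in p),
    "non-alphanumeric (assumed rule)": lambda p: any(not c.isalnum() for c in p),
}
RULES_REQUIRED = 3


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list[str] = field(default_factory=list)
    rules_met: list[str] = field(default_factory=list)


def check_password(password: str) -> PolicyResult:
    """Apply the length and complexity rules to the FULL password.

    Nothing is trimmed, truncated or lowercased: every character the user
    typed (spaces included) counts towards the length and the rules, and the
    check is case sensitive, so the string that passes is the string that
    gets hashed afterwards.
    """
    reasons: list[str] = []
    length = len(password)
    if length < MIN_LENGTH:
        reasons.append(f"{length} characters is shorter than the minimum of {MIN_LENGTH}")
    if length > MAX_LENGTH:
        # Reject instead of silently cutting to MAX_LENGTH: a truncated
        # password is not the secret the user believes they have.
        reasons.append(f"{length} characters exceeds the maximum of {MAX_LENGTH}")
    rules_met = [name for name, rule in COMPLEXITY_RULES.items() if rule(password)]
    if len(rules_met) < RULES_REQUIRED:
        reasons.append(
            f"meets {len(rules_met)} of {len(COMPLEXITY_RULES)} complexity rules, "
            f"{RULES_REQUIRED} required"
        )
    return PolicyResult(accepted=not reasons, reasons=reasons, rules_met=rules_met)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Tr0ub4dor&3", "short1A!", "correct horse battery staple",
                      "Correct Horse Battery Staple", "A" * 129 + "a1!"]:
        result = check_password(candidate)
        print("ACCEPT" if result.accepted else "REJECT", candidate[:32], result.reasons)
```

Two things to watch when adopting this. First, the tension with 1.2.2.1: under a strict 3-of-4 rule the 28-character lowercase passphrase "correct horse battery staple" is rejected, so an application that wants to encourage passphrases has to decide how length and complexity trade off. Second, "every character counts" applies downstream as well: verify that the password hashing step does not truncate either (bcrypt, for instance, only uses the first 72 bytes of its input).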