[PDF] OWASP Cheat Sheets Sep 27 2009 20 SQL








sql-cheat-sheet-for-data-scientists-by-tomi-mester.pdf

The ideal use case of this cheat sheet is that you print it in color and keep it next to you while you are learning and practicing SQL on your computer. Enjoy!



Python For Data Science Cheat Sheet

Python For Data Science Cheat Sheet. Python Basics. Learn More Python for Data Read and Write to SQL Query or Database Table. >>> from sqlalchemy import ...



SQL Window Functions Cheat Sheet (A4)

specifies the order of rows in each partition to which the window function is applied. LOGICAL ORDER OF OPERATIONS IN SQL. SYNTAX. Named Window Definition.



Data Wrangling - with pandas Cheat Sheet http://pandas.pydata.org

Use df.at[] and df.iat[] to access a single value by row and column. First index selects rows second index columns. Cheatsheet 



ChatGPT-Cheat-Sheet.pdf

Simulate a job interview for a [position] by asking and answering questions as if Automate Data Science Tasks: Translate my Python code to R. Turn this SQL ...



Cheat Sheet: The pandas DataFrame Object

• merge (a database/SQL-like join operation). • concat (stack side by side or Version: This cheat sheet was last updated with. Python 3.6 and pandas 0.19.2 ...



Sql for data science

Sql for data science peer graded assignment. Sql interview questions for data science. Sql for data science great learning. Sql cheat sheet for data science pdf 



SQL-Cheat-Sheet.pdf

If you want to learn everything SQL has to offer and become a SQL expert check out my Complete SQL Mastery Course. Use the coupon code CHEATSHEET upon checkout 



base R cheat-sheet

Cheat Sheet. RStudio® is a trademark of RStudio Inc. • CC BY Mhairi McNeill • mhairihmcneill@gmail.com. Learn more at web page or vignette • package version 



Product Case Interview Cheat Sheet

technical interviews like SQL and coding. That's what this cheat sheet is here to help fix! This sheet walks you through several sample problems and gives 



Cheat sheet PySpark SQL Python.indd

Python For Data Science Cheat Sheet Spark SQL is Apache Spark's module for working with structured data. >>> from pyspark.sql import SparkSession.



Python For Data Science Cheat Sheet

Python For Data Science Cheat Sheet. Python Basics. Learn More Python for Data Science Interactively at Read and Write to SQL Query or Database Table.



PostgreSQL CHEAT SHEET http://www.postgresqltutorial.com

USING SQL OPERATORS. SELECT c1 c2 FROM t. ORDER BY c1. LIMIT n OFFSET offset;. Skip offset of rows and return the next n rows. SELECT c1



SQL Server Integration Service CHEAT SHEET

CHEAT SHEET. SSIS Basics SSDT: Referred to as SQL Server Data Tools which is used ... SSIS is a component of Microsoft SQL Server database which can be.



OWASP Cheat Sheets

Sep 27 2009 20 SQL Injection Prevention Cheat Sheet ... the application



Programming with mosh sql cheat sheet

Programming with mosh sql cheat sheet Each module contains information and activities related to real-life jobs or interview-related tasks.



OWASP 2012 Board Interviews – Jim Manico Adam: What are your

coding like query parameterization cheat sheet



PL/SQL Interview Questions - tutorialspoint

Dear readers these PL/SQL Interview Questions have been designed specially to get you acquainted with the nature of questions you may encounter during your 



CODE REVIEW GUIDE

In this case the application will be vulnerable to SQL injection attack as identified word lengths see the OWASP Authentication Cheat Sheet.



133-29: Assessing SAS Skill Level During the Interviewing Process

Specific interviewing approaches suggested topics



SQL Cheat Sheet - Download in PDF & JPG Format - Intellipaat

10 Jan 2023 · This part of the SQL tutorial includes the SQL cheat sheet. Here you will learn various aspects of SQL that are possibly asked in the interviews 



SQL Cheat Sheet (2023) - InterviewBit

Take a free mock interview, get instant feedback and recommendation. You can download a PDF version of SQL Cheat Sheet: Download PDF 



SQL Cheat Sheet free download

6 Feb 2023 · This cheat sheet you can easily use in your student journey or professional journey too. You can say that all SQL queries and their syntax on 



SQL Cheat Sheet Download PDF it in PDF or PNG Format

This 3-page SQL Cheat Sheet provides you with the most commonly used SQL statements. Download the SQL cheat sheet, print it out and stick it to your desk.



SQL Cheat Sheet for Quick Reference [PDF Download] - Hackrio

28 Mar 2023 · SQL knowledge is incredibly valuable. Use our SQL cheat sheet as a quick reference for major SQL concepts or to boost your SQL skills and 



[PDF] CHEAT SHEET - Data36.com

Enjoy! Cheers, Tomi Mester *The workshops and courses I mentioned: Online SQL tutorial (free): data36.com/ 



Ultimate SQL Cheat Sheet 2023 (Download PDF)

25 Mar 2021 · Ultimate SQL Cheat Sheet 2023 (Download PDF): Queries, Commands, Etc. This ultimate SQL Cheatsheet has been created to help you understand 



SQL cheat sheet.pdf - SlideShare

1 May 2023 · Ultimate SQL Cheat Sheet. What is a Database? Before we get started with the SQL Cheat Sheet we need to understand what a database is and why we 



Yuvraj Garg on LinkedIn: SQL CheatSheet, 62 comments

SQL Cheatsheet: You do not just need to write DSA code in interviews. The PDF of SQL interview questions below covers a range of topics 



SQL Cheat Sheet SQL Queries Revision in 5 Mins - GlobalSQA

So it's always good to have a brush-up whenever needed, like before going for an interview. Thanks to the author for creating this SQL cheat sheet and helping 

  • How do I prepare for SQL interview?

    So try to memorise the following consecutive statements: SELECT, FROM, WHERE. Next, remember that the SELECT statement refers to the column names, the FROM keyword refers to the table/database used, and the WHERE clause refers to specific conditions that are investigated by the user.
  • How can I memorize SQL queries easily?

    17 Best Platforms to Practice SQL. Looking to level up your SQL skills? 2. HackerRank. From software engineering to data analytics, HackerRank is one of the best platforms for practicing coding interview questions. 3. SQLPad. 4. StrataScratch. 5. DataLemur. 6. LeetCode. 7. Mode. 8. SQLZoo.
  • How do I practice SQL questions?

    Complex SQL Interview Questions for Practice

    Define and describe the usage of a linked server. Name and explain the different types of Joins. Explain the different types of authentication modes. Which stored procedure would you run when adding a linked server?

OWASP Cheat Sheets

Martin Woschek, owasp@jesterweb.de

April 9, 2015

Contents

I Developer Cheat Sheets (Builder) 11

1 Authentication Cheat Sheet 12

1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.2 Authentication General Guidelines . . . . . . . . . . . . . . . . . . . . . . . 12

1.3 Use of authentication protocols that require no password . . . . . . . . . . 17

1.4 Session Management General Guidelines . . . . . . . . . . . . . . . . . . . 19

1.5 Password Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

1.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

1.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2 Choosing and Using Security Questions Cheat Sheet 20

2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

2.2 The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

2.3 Choosing Security Questions and/or Identity Data . . . . . . . . . . . . . . 20

2.4 Using Security Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.5 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3 Clickjacking Defense Cheat Sheet 26

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3.2 Defending with Content Security Policy frame-ancestors directive . . . . . 26

3.3 Defending with X-Frame-Options Response Headers . . . . . . . . . . . . . 26

3.4 Best-for-now Legacy Browser Frame Breaking Script . . . . . . . . . . . . . 28

3.5 window.confirm() Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.6 Non-Working Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.7 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

3.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4 C-Based Toolchain Hardening Cheat Sheet 34

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

4.2 Actionable Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

4.3 Build Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

4.4 Library Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

4.5 Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

4.6 Platform Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

4.7 Authors and Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

4.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

5 Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet 40

5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

5.2 Prevention Measures That Do NOT Work . . . . . . . . . . . . . . . . . . . . 40

5.3 General Recommendation: Synchronizer Token Pattern . . . . . . . . . . . 41

5.4 CSRF Prevention without a Synchronizer Token . . . . . . . . . . . . . . . 44

5.5 Client/User Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45


5.6 No Cross-Site Scripting (XSS) Vulnerabilities . . . . . . . . . . . . . . . . . 45

5.7 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

5.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

6 Cryptographic Storage Cheat Sheet 47

6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

6.2 Providing Cryptographic Functionality . . . . . . . . . . . . . . . . . . . . . 47

6.3 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

6.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

6.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

7 DOM based XSS Prevention Cheat Sheet 54

7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

7.2 Guidelines for Developing Secure Applications Utilizing JavaScript . . . . 59

7.3 Common Problems Associated with Mitigating DOM Based XSS . . . . . . 62

7.4 Authors and Contributing Editors . . . . . . . . . . . . . . . . . . . . . . . . 63

7.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

8 Forgot Password Cheat Sheet 65

8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

8.2 The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

8.3 Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

8.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

8.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

9 HTML5 Security Cheat Sheet 67

9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

9.2 Communication APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

9.3 Storage APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

9.4 Geolocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

9.5 Web Workers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

9.6 Sandboxed frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

9.7 Offline Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

9.8 Progressive Enhancements and Graceful Degradation Risks . . . . . . . . 71

9.9 HTTP Headers to enhance security . . . . . . . . . . . . . . . . . . . . . . . 71

9.10 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

9.11 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

10 Input Validation Cheat Sheet 73

10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

10.2 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

10.3 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

11 JAAS Cheat Sheet 75

11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

11.2 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

11.3 Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

11.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

11.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

12 Logging Cheat Sheet 80

12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

12.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

12.3 Design, implementation and testing . . . . . . . . . . . . . . . . . . . . . . . 81

12.4 Deployment and operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87


12.5 Related articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

12.6 Authors and Primary Contributors . . . . . . . . . . . . . . . . . . . . . . . 89

12.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

13 .NET Security Cheat Sheet 91

13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

13.2 .NET Framework Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

13.3 ASP.NET Web Forms Guidance . . . . . . . . . . . . . . . . . . . . . . . . . 92

13.4 ASP.NET MVC Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

13.5 XAML Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

13.6 Windows Forms Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

13.7 WCF Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

13.8 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

13.9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

14 Password Storage Cheat Sheet 98

14.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

14.2 Guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

14.3 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

14.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

14.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

15 Pinning Cheat Sheet 102

15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

15.2 What's the problem? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

15.3 What Is Pinning? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

15.4 What Should Be Pinned? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

15.5 Examples of Pinning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

15.6 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

15.7 Authors and Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

15.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

16 Query Parameterization Cheat Sheet 107

16.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

16.2 Parameterized Query Examples . . . . . . . . . . . . . . . . . . . . . . . . . 107

16.3 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

16.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

16.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

17 Ruby on Rails Cheatsheet 111

17.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

17.2 Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

17.3 Updating Rails and Having a Process for Updating Dependencies . . . . . 117

17.4 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

17.5 Further Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

17.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

17.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

18 REST Security Cheat Sheet 120

18.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

18.2 Authentication and session management . . . . . . . . . . . . . . . . . . . 120

18.3 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

18.4 Input validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

18.5 Output encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

18.6 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124


18.7 Authors and primary editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

18.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

19 Session Management Cheat Sheet 126

19.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

19.2 Session ID Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

19.3 Session Management Implementation . . . . . . . . . . . . . . . . . . . . . 128

19.4 Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

19.5 Session ID Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

19.6 Session Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

19.7 Additional Client-Side Defenses for Session Management . . . . . . . . . . 134

19.8 Session Attacks Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

19.9 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

19.10 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . 138

19.11 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

20 SQL Injection Prevention Cheat Sheet 139

20.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

20.2 Primary Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

20.3 Additional Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

20.4 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

20.5 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

20.6 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

21 Transport Layer Protection Cheat Sheet 149

21.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

21.2 Providing Transport Layer Protection with SSL/TLS . . . . . . . . . . . . . 149

21.3 Providing Transport Layer Protection for Back End and Other Connections . 161

21.4 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

21.5 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

21.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

21.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

22 Unvalidated Redirects and Forwards Cheat Sheet 166

22.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

22.2 Safe URL Redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

22.3 Dangerous URL Redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

22.4 Preventing Unvalidated Redirects and Forwards . . . . . . . . . . . . . . . 168

22.5 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

22.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

22.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

23 User Privacy Protection Cheat Sheet 170

23.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

23.2 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

23.3 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

23.4 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

24 Web Service Security Cheat Sheet 175

24.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

24.2 Transport Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

24.3 Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

24.4 User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

24.5 Transport Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

24.6 Message Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176


24.7 Message Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

24.8 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

24.9 Schema Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

24.10 Content Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

24.11 Output Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

24.12 Virus Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

24.13 Message Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

24.14 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

24.15 Endpoint Security Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

24.16 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . 178

24.17 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

25 XSS (Cross Site Scripting) Prevention Cheat Sheet 179

25.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

25.2 XSS Prevention Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

25.3 XSS Prevention Rules Summary . . . . . . . . . . . . . . . . . . . . . . . . . 186

25.4 Output Encoding Rules Summary . . . . . . . . . . . . . . . . . . . . . . . . 188

25.5 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

25.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

25.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

II Assessment Cheat Sheets (Breaker) 191

26 Attack Surface Analysis Cheat Sheet 192

26.1 What is Attack Surface Analysis and Why is it Important? . . . . . . . . . 192

26.2 Defining the Attack Surface of an Application . . . . . . . . . . . . . . . . . 192

26.3 Identifying and Mapping the Attack Surface . . . . . . . . . . . . . . . . . . 193

26.4 Measuring and Assessing the Attack Surface . . . . . . . . . . . . . . . . . 194

26.5 Managing the Attack Surface . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

26.6 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

26.7 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

26.8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

27 XSS Filter Evasion Cheat Sheet 197

27.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

27.2 Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

27.3 Character Encoding and IP Obfuscation Calculators . . . . . . . . . . . . . 219

27.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

27.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

28 REST Assessment Cheat Sheet 221

28.1 About RESTful Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

28.2 Key relevant properties of RESTful web services . . . . . . . . . . . . . . . . 221

28.3 The challenge of security testing RESTful web services . . . . . . . . . . . . 221

28.4 How to pen test a RESTful web service? . . . . . . . . . . . . . . . . . . . . 222

28.5 Related Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

28.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

28.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

III Mobile Cheat Sheets 224

29 iOS Developer Cheat Sheet 225

29.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225


29.2 Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

29.3 Remediation's to OWASP Mobile Top 10 Risks . . . . . . . . . . . . . . . . . 225

29.4 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

29.5 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

29.6 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

30 Mobile Jailbreaking Cheat Sheet 231

30.1 What is "jailbreaking", "rooting" and "unlocking"? . . . . . . . . . . . . . . . 231

30.2 Why do they occur? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

30.3 What are the common tools used? . . . . . . . . . . . . . . . . . . . . . . . . 233

30.4 Why can it be dangerous? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

30.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

30.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

30.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

IV OpSec Cheat Sheets (Defender) 240

31 Virtual Patching Cheat Sheet 241

31.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

31.2 Definition: Virtual Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

31.3 Why Not Just Fix the Code? . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

31.4 Value of Virtual Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

31.5 Virtual Patching Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

31.6 A Virtual Patching Methodology . . . . . . . . . . . . . . . . . . . . . . . . . 242

31.7 Example Public Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

31.8 Preparation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

31.9 Identification Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

31.10 Analysis Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

31.11 Virtual Patch Creation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . 245

31.12 Implementation/Testing Phase . . . . . . . . . . . . . . . . . . . . . . . . . 247

31.13 Recovery/Follow-Up Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

31.14 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

31.15 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . 248

31.16 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

V Draft Cheat Sheets 249

32 OWASP Top Ten Cheat Sheet 251

33 Access Control Cheat Sheet 252

33.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

33.2 Attacks on Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

33.3 Access Control Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

33.4 Access Control Anti-Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

33.5 Attacking Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

33.6 Testing for Broken Access Control . . . . . . . . . . . . . . . . . . . . . . . . 256

33.7 Defenses Against Access Control Attacks . . . . . . . . . . . . . . . . . . . . 257

33.8 Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

33.9 SQL Integrated Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 258

33.10 Access Control Positive Patterns . . . . . . . . . . . . . . . . . . . . . . . . 259

33.11 Data Contextual Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 259

33.12 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . 259


34 Application Security Architecture Cheat Sheet 260

34.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

34.2 Business Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

34.3 Infrastructure Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

34.4 Application Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

34.5 Security Program Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 263

34.6 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

35 Business Logic Security Cheat Sheet 265

35.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

35.2 What is a Business Logic Vulnerability? . . . . . . . . . . . . . . . . . . . . 265

35.3 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

35.4 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

36 PHP Security Cheat Sheet 268

36.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

36.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

36.3 Untrusted data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

36.4 Database Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

36.5 Other Injection Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

36.6 XSS Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

36.7 CSRF Cheat Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

36.8 Authentication and Session Management Cheat Sheet . . . . . . . . . . . . 277

36.9 Configuration and Deployment Cheat Sheet . . . . . . . . . . . . . . . . . . 280

36.10 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

37 Secure Coding Cheat Sheet 281

37.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

37.2 How To Use This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

37.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

37.4 Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

37.5 Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

37.6 Input Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

37.7 Output Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

37.8 Cross Domain Request Forgery . . . . . . . . . . . . . . . . . . . . . . . . . 285

37.9 Secure Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

37.10 File Uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

37.11 Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

38 Secure SDLC Cheat Sheet 288

38.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

38.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

38.3 Implementing a secure software development life cycle (S-SDLC) . . . . . . 288

38.4 Related articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

38.5 Authors and primary contributors . . . . . . . . . . . . . . . . . . . . . . . . 292

39 Threat Modeling Cheat Sheet 293

40 Web Application Security Testing Cheat Sheet 294

40.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

40.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

40.3 The Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

40.4 Other Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

40.5 Authors and primary contributors . . . . . . . . . . . . . . . . . . . . . . . . 299

40.6 Other Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

40.7 Related articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

41 Grails Secure Code Review Cheat Sheet 301

42 IOS Application Security Testing Cheat Sheet 302

42.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

42.2 Information gathering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

42.3 Application traffic analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

42.4 Runtime analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

42.5 Insecure data storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

42.6 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

42.7 Related Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

42.8 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

43 Key Management Cheat Sheet 307

44 Insecure Direct Object Reference Prevention Cheat Sheet 308

44.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

44.2 Architectural Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

44.3 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

45 Content Security Policy Cheat Sheet 309

45.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

45.2 CSP Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

45.3 CSP Sample Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

45.4 CSP Cheat Sheet - Guide for main technologies . . . . . . . . . . . . . . . . 311

45.5 Authors and Primary Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

45.6 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

These Cheat Sheets have been taken from the OWASP project on https://www.owasp.org. While this document is static, the online source is continuously improved and expanded. So please visit https://www.owasp.org if you have any doubt in the accuracy or actuality of this pdf or simply if this document is too old. All the articles are licenced under the Creative Commons Attribution-ShareAlike 3.0 Unported. I have slightly reformatted and/or resectioned them in this work (which of course also is CC BY-SA 3.0).

Part I.

Developer Cheat Sheets (Builder)

1. Authentication Cheat Sheet

Last revision (mm/dd/yy): 02/24/2015

1.1. Introduction

Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.

Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.

1.2. Authentication General Guidelines

1.2.1. User IDs

Make sure your usernames/user IDs are case insensitive. It would be very strange for user "smith" and user "Smith" to be different users; that could result in serious confusion.

Email address as a User ID

Many sites use email addresses as a user id, which is a good mechanism for ensuring a unique identifier for each user without adding the burden of remembering a new username. However, many web applications do not treat email addresses correctly due to common misconceptions about what constitutes a valid address. Specifically, it is completely valid to have a mailbox address which:

• Is case sensitive in the local-part
• Has non-alphanumeric characters in the local-part (including + and @)
• Has zero or more labels (though zero is admittedly not going to occur)

The local-part is the part of the mailbox address to the left of the rightmost @ character. The domain is the part of the mailbox address to the right of the rightmost @ character and consists of zero or more labels joined by a period character. At the time of writing, RFC 5321 [2] is the current standard defining SMTP and what constitutes a valid mailbox address.

Validation

Many web applications contain computationally expensive and inaccurate regular expressions that attempt to validate email addresses. Recent changes to the landscape mean that the number of false-negatives will increase, particularly due to:

• Increased popularity of sub-addressing by providers such as Gmail (commonly using + as a token in the local-part to affect delivery)
• New gTLDs with long names (many regular expressions check the number and length of each label in the domain)

Following RFC 5321, best practice for validating an email address would be to:

• Check for presence of at least one @ symbol in the address
• Ensure the local-part is no longer than 64 octets
• Ensure the domain is no longer than 255 octets
• Ensure the address is deliverable

The only way to ensure an address is deliverable is to send the user an email and have the user take action to confirm receipt. Beyond confirming that the email address is valid and deliverable, this also provides a positive acknowledgement that the user has access to the mailbox and is likely to be authorised to use it.

Address Normalisation

As the local-part of an email address is, in fact, case sensitive, it is important to store and compare email addresses correctly. To normalise an email address input, you would convert the domain part ONLY to lowercase. Unfortunately this does and will make input harder to normalise and correctly match to a user's intent. It is reasonable to only accept one unique capitalisation of an otherwise identical address; however, in this case it is critical to:

• Store the user-part as provided and verified by user verification
• Perform comparisons by lowercase(provided) == lowercase(persisted)
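The RFC 5321 checks from the Validation section and the normalisation and comparison rules just above, carried out in one place as an added example (not OWASP's own code). The octet limits and the rightmost-@ split are the ones the text gives; the sample addresses are constructed.

```python
"""RFC 5321 checks and normalisation as the cheat sheet describes them.

Added example, not OWASP's own code. Limits are the ones cited above:
at least one '@', local-part <= 64 octets, domain <= 255 octets.
Deliverability is not checked here: only a confirmation email proves it.
"""

MAX_LOCAL_OCTETS = 64
MAX_DOMAIN_OCTETS = 255


def split_mailbox(address):
    """Split at the RIGHTMOST '@', since the local-part may itself contain '@'."""
    if "@" not in address:
        raise ValueError("no '@' in address")
    local, _, domain = address.rpartition("@")
    return local, domain


def validate_mailbox(address):
    """Return a list of problems; an empty list means the RFC 5321 checks pass."""
    if "@" not in address:
        return ["missing '@'"]
    local, domain = split_mailbox(address)
    problems = []
    if not local:
        problems.append("empty local-part")
    # Limits are in octets, so measure the UTF-8 encoding, not the character count.
    if len(local.encode("utf-8")) > MAX_LOCAL_OCTETS:
        problems.append("local-part longer than 64 octets")
    if not domain:
        problems.append("empty domain")
    if len(domain.encode("utf-8")) > MAX_DOMAIN_OCTETS:
        problems.append("domain longer than 255 octets")
    return problems


def normalise_mailbox(address):
    """Lowercase ONLY the domain; the local-part is kept exactly as provided."""
    local, domain = split_mailbox(address)
    return f"{local}@{domain.lower()}"


def same_mailbox(provided, persisted):
    """The cheat sheet's comparison rule: lowercase(provided) == lowercase(persisted)."""
    return provided.lower() == persisted.lower()


if __name__ == "__main__":
    # Constructed samples: sub-addressing, a quoted local-part containing '@',
    # a missing '@', and a 40-character local-part that is 80 octets in UTF-8.
    for addr in ["Alice+News@Example.COM", '"a@b"@example.org', "no-at-sign", "é" * 40 + "@x.org"]:
        print(addr, "->", validate_mailbox(addr) or "ok")
```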

1.2.2. Implement Proper Password Strength Controls

A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password through either manual or automated means. The following characteristics define a strong password:

1.2.2.1. Password Length

Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

• Minimum length of the passwords should be enforced by the application.
  - Passwords shorter than 10 characters are considered to be weak [3].
  While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combinations of words) that can be much longer than typical passwords and yet much easier to remember.
• Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
  - Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters.
• Every character counts!
  - Make sure that every character the user types in is actually included in the password. We've seen systems that truncate the password at a length shorter than what the user provided (e.g., truncated at 15 characters when they entered 20).
  - This is usually handled by setting the length of ALL password input fields to be exactly the same length as the maximum length password. This is particularly important if your max password length is short, like 20-30 characters.
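The length rules above, plus a self-check for the truncation defect just described, as an added example (not OWASP's own code). The thresholds are the cheat sheet's; the 15-character truncation in hash_password_legacy and the fixed DEMO_SALT are constructed for the demonstration.

```python
"""Password length policy plus a self-check for silent truncation.

Added example, not OWASP's own code. Thresholds are the cheat sheet's: minimum
10, maximum 128, lowercase-only passphrases under 20 are weak. The 15-character
truncation in hash_password_legacy and the fixed salt are constructed.
"""
import hashlib
import hmac

MIN_LENGTH, MAX_LENGTH, WEAK_PASSPHRASE_LENGTH = 10, 128, 20
DEMO_SALT = b"constructed-demo-salt"  # real code derives a random per-user salt


def check_password_policy(password):
    """Return a list of violations; an empty list means the length rules pass."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 10 characters")
    if len(password) > MAX_LENGTH:
        problems.append("longer than 128 characters")
    letters = password.replace(" ", "")  # spaces between words are allowed
    if (len(password) < WEAK_PASSPHRASE_LENGTH and letters.isascii()
            and letters.isalpha() and letters.islower()):
        problems.append("lowercase-only passphrase shorter than 20 characters is weak")
    return problems


def hash_password_legacy(password):
    """Constructed defective store: silently truncates to 15 characters."""
    return hashlib.pbkdf2_hmac("sha256", password[:15].encode(), DEMO_SALT, 10_000)


def hash_password(password):
    """Hashes the full input, so every character the user typed counts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 10_000)


def counts_every_character(hash_fn, length=MAX_LENGTH):
    """Self-check: two maximum-length inputs that differ only in the last character
    must hash differently; truncation at any point below `length` makes them equal."""
    base = "x" * (length - 1)
    return not hmac.compare_digest(hash_fn(base + "a"), hash_fn(base + "b"))


if __name__ == "__main__":
    for pw in ["short1", "correct horse", "correct horse battery staple"]:
        print(repr(pw), "->", check_password_policy(pw) or "ok")
    print("legacy store keeps every character:", counts_every_character(hash_password_legacy))
    print("fixed store keeps every character:", counts_every_character(hash_password))
```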

1.2.2.2. Password Complexity

Applications should enforce password complexity rules to discourage easy to guess passwords. Password mechanisms should allow virtually any character the user can type to be part of their password, including the space character. Passwords should, obviously, be case sensitive in order to increase their complexity. Occasionally, we find systems where passwords aren't case sensitive, frequently due to legacy system issues like old mainframes that didn't have case sensitive passwords. The password change mechanism should require a minimum level of complexity that makes sense for the application and its user population. For example:

• Password must meet at least 3 out of the following 4 complexity rules
  - at least 1 uppercase character (A-Z)
  - at least 1 lowercase character (a-z)