惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

aimingoo的专栏
aimingoo的专栏
Google DeepMind News
Google DeepMind News
S
SegmentFault 最新的问题
Project Zero
Project Zero
D
DataBreaches.Net
I
InfoQ
L
Lohrmann on Cybersecurity
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
The Register - Security
The Register - Security
Recorded Future
Recorded Future
Vercel News
Vercel News
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
I
Intezer
The Hacker News
The Hacker News
F
Fortinet All Blogs
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
Help Net Security
Help Net Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Scott Helme
Scott Helme
T
Threatpost
爱范儿
爱范儿
N
Netflix TechBlog - Medium
D
Docker
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
K
Kaspersky official blog
H
Help Net Security
S
Secure Thoughts
T
Threat Research - Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Security @ Cisco Blogs
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
G
Google Developers Blog
Forbes - Security
Forbes - Security
博客园 - 三生石上(FineUI控件)
博客园 - 叶小钗
B
Blog
Google DeepMind News
Google DeepMind News
Recent Announcements
Recent Announcements
Simon Willison's Weblog
Simon Willison's Weblog
S
Securelist
P
Privacy International News Feed
Spread Privacy
Spread Privacy
The Last Watchdog
The Last Watchdog

Stonecharioteer on Tech

I Traced My Traffic Through a Home Tailscale Exit Node What Was I Reading Last? In Three Not-So-Easy Pieces Dogfooding Is Hard Code blocks in your books, finally GoForGo v0.9.0 Merrilin - We built an app to read books I use a Macbook now Data Structures & Algorithms - Preparing for Interviews Using a local DNS namespace for local service discovery Direction KOllector - Publishing KOReader Highlights gbt: branches touched in the last 24 hours A Soiree into Symbols in Ruby Some Smalltalk about Ruby Loops Ruby Blocks Returning from Ruby Blocks, Procs and Lambdas My Linux Laptop Finally Works: How Claude Helped Me Fix Years of Annoyances TIL: Watchexec - Modern File Watching for Development Workflows A Less Busy Mind GoForGo - Learn Go through live examples Migrating My Old Blog to Hugo with Claude The Qtile Window Manager: A Python-Powered Tiling Experience Read the RFCs that Built the Internet Py-x-Protobuf - Or How I Learned to Stop Worrying and Love Protocol Buffers Python Reverse a List New Beginnings Leaving ChainSafe Systems Screen Lock for Cinnamon Desktop using Zenity and Terminal Commands Crews Not Teams A System for Getting Better at LeetCode So Far So Rust Retrying HTTP Requests with Rust A Primer on Control Charts Learning Rust Explicit is Better than Implicit: Rust for Pythonistas Using Custom Delimiters in Jinja Templates TIL: Creating Fixed Length Iterables in Python Documentation Without Assumption Vagrant Python - A Reflection in 2022 Learning Golang No, A Virtual Machine Is Not Enough: Why Developers Need Native Linux Empathy in Tech For Those Who Came in Late A Weekend With PostgreSQL TIL: Gooey and Python Fire for Quick GUIs and CLIs TIL: 2ality - Dr. Axel Rauschmayer's JavaScript Blog TIL: MassDNS - High-Performance Bulk DNS Lookups TIL: Matomo Analytics, Google Tech Writing, Memory Programming, and NES TV Signals TIL: MontyDB - MongoDB Implemented in Python Returning to the Craft of Programming TIL: CPUFetch, OneFetch, and Learn CSS TIL: DNS Performance Testing and Pi-hole with Unbound TIL: Eli Bendersky's Blog, Awesome By Example, NoCoDB, and Martin Kleppmann TIL: CRDTs, Extreme HTTP Performance, and BYTEPATH Game TIL: AutoInvent, ASGI, Python Packaging, RAPIDS GPU Computing, and FlaskCon TIL: MangaDesk - Terminal Client for MangaDex TIL: McFly - Smart Shell History Search TIL: Siege Load Testing and Awesome FastAPI Resources TIL: Ventoy Bootable USB and Justniffer Network Analysis TIL: CLI Code Review, Git Split Diffs, and Internal Combustion Engine TIL: Benford's Law, Web Security Headers, Event Sourcing, and Mozilla Security Guidelines How to Write Documentation - The README.md File The Importance of Documentation TIL: NNgroup UX Research, SponsorBlock, and Labella Python Library TIL: The Little Book of Rust Macros and Rust Performance Book TIL: Git-Bug Distributed Issue Tracker and Omni Kubernetes Monitoring TIL: Zellij - Modern Terminal Multiplexer TIL: How Discord Handles 2.5 Million Concurrent Voice Users TIL: Volumio - The Audiophile Music Player TIL: Areopagitica - Milton's Defense of Free Speech TIL: Fast Node Manager, Zoxide Smart CD, Technical Writing, PyO3, and Qubes OS TIL: Slurm Workload Manager for HPC Clusters TIL: Data Visualization Guide and Oso Authorization Academy TIL: CORS Deep Dive, Piku Tiny PaaS, Rust Strings, and Deno Standard Library TIL: Raspberry Pi OS Development, Vim Beginner Guide, Password Management, and QueryBook TIL: uBlock Origin Performance Optimization on Firefox TIL: Breaking PostgreSQL at Scale and LeetCode Problem Patterns TIL: Awesome Tmux Resources for Terminal Multiplexing TIL: Grit - A Multitree-Based Personal Task Manager TIL: Lens 4.2 Kubernetes IDE, Shell Scripting Guide, and Dark HTTP Server Do The Job You Hate So You Won't Hate The Job You Love TIL: Innernet VPN Solution and NoteCalc Calculator App TIL: Argo CD for GitOps and Lens Kubernetes IDE TIL: Modern Rust CLI Tools - System Monitoring, HTTP Requests, and DNS TIL: tz - A Time Zone Helper Tool TIL: Distributed Systems Education, Fallacies, and Self-Hosted Internet Archiving TIL: Real-Time Voice Cloning Technology TIL: ChartMuseum for Helm, AMD's Corporate Journey, and Kubernetes Pod Scaling TIL: Docker and Kubernetes Tools - Whaler, Descheduler, and Dive TIL: Post-Mortem Collection, Terminal Plotting, and Technical Twitter TIL: Dark Mode Toggle Web Component by Google Chrome Labs TIL: Python eval(), exec(), and compile() Functions TIL: Camelot PDF Tables, PostgreSQL Row Level Security, Zerodha Varsity, and Write Yourself a Git TIL: fuser Command for Process and File Investigation TIL: i Hate Regex - The Ultimate Regex Cheat Sheet TIL: Dolt - Git for Data and Database Version Control TIL: x86 Assembly Programming and SafeEyes Break Reminder TIL: Comprehensive Distributed Systems Reading List TIL: Cosmopolitan C Library, Distributed Systems Book, High Performance Browser Networking, and Rust Roguelike Tutorial
TIL: OWASP Security Resources - Cheat Sheets, Top 10, and Testing Guide
2020-11-11 · via Stonecharioteer on Tech

Today I discovered a treasure trove of security resources from OWASP (Open Web Application Security Project) that provide practical guidance for secure development and testing.

OWASP Cheat Sheet Series

OWASP Cheat Sheets offer concise, actionable security guidance for developers and security professionals.

Key Cheat Sheets:

Authentication and Session Management:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
// Secure session configuration example
app.use(
  session({
    name: "sessionId",
    secret: process.env.SESSION_SECRET, // Strong, unique secret
    resave: false,
    saveUninitialized: false,
    cookie: {
      secure: true, // HTTPS only
      httpOnly: true, // Prevent XSS access
      maxAge: 1800000, // 30 minutes
      sameSite: "strict", // CSRF protection
    },
    store: new RedisStore({
      host: "localhost",
      port: 6379,
    }),
  }),
);

Input Validation:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
# Secure input validation patterns
import re
from html import escape

def validate_email(email):
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    return bool(re.match(pattern, email)) and len(email) <= 254

def sanitize_html_input(user_input):
    # Escape HTML entities
    escaped = escape(user_input)
    # Remove potential script tags
    cleaned = re.sub(r'<script.*?</script>', '', escaped, flags=re.IGNORECASE)
    return cleaned

# Parameterized queries for SQL injection prevention
cursor.execute(
    "SELECT * FROM users WHERE email = %s AND status = %s",
    (validated_email, 'active')
)

Cryptography Guidelines:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
# Secure password hashing
import bcrypt
import secrets

def hash_password(password):
    # Generate salt with sufficient rounds
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(password.encode('utf-8'), salt)

def verify_password(password, hashed):
    return bcrypt.checkpw(password.encode('utf-8'), hashed)

# Secure random token generation
def generate_csrf_token():
    return secrets.token_urlsafe(32)

OWASP Top 10 Web Application Security Risks

OWASP Top 10 identifies the most critical web application security risks based on industry data and expert consensus.

2021 Top 10 Breakdown:

A01: Broken Access Control

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
// Vulnerable: Direct object reference
app.get("/user/:id/profile", (req, res) => {
  const userId = req.params.id;
  // No authorization check!
  const profile = database.getProfile(userId);
  res.json(profile);
});

// Secure: Proper authorization
app.get("/user/:id/profile", authenticate, (req, res) => {
  const userId = req.params.id;
  const currentUser = req.user;

  // Verify user can access this profile
  if (currentUser.id !== userId && !currentUser.isAdmin) {
    return res.status(403).json({ error: "Access denied" });
  }

  const profile = database.getProfile(userId);
  res.json(profile);
});

A02: Cryptographic Failures

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
# Secure data encryption at rest
from cryptography.fernet import Fernet
import os

def encrypt_sensitive_data(data):
    # Use environment variable for key
    key = os.environ.get('ENCRYPTION_KEY').encode()
    cipher_suite = Fernet(key)

    encrypted_data = cipher_suite.encrypt(data.encode())
    return encrypted_data

def decrypt_sensitive_data(encrypted_data):
    key = os.environ.get('ENCRYPTION_KEY').encode()
    cipher_suite = Fernet(key)

    decrypted_data = cipher_suite.decrypt(encrypted_data)
    return decrypted_data.decode()

A03: Injection Attacks

1
2
3
4
5
-- Vulnerable: SQL injection
SELECT * FROM users WHERE username = '" + user_input + "'

-- Secure: Parameterized query
SELECT * FROM users WHERE username = ?

Risk Assessment Matrix:

  • Broken Access Control: Prevalence: High, Impact: High
  • Cryptographic Failures: Prevalence: Medium, Impact: High
  • Injection: Prevalence: Medium, Impact: High
  • Insecure Design: Prevalence: Medium, Impact: High
  • Security Misconfiguration: Prevalence: High, Impact: Medium

OWASP Web Security Testing Guide provides systematic methodology for testing web application security.

Testing Framework:

Information Gathering:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# Subdomain enumeration
subfinder -d example.com -o subdomains.txt

# Technology stack identification
whatweb https://example.com

# Directory and file discovery
dirb https://example.com /usr/share/dirb/wordlists/common.txt

# SSL/TLS configuration testing
sslscan example.com

Authentication Testing:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Automated authentication bypass testing
import requests

def test_authentication_bypass(base_url):
    test_cases = [
        # SQL injection attempts
        {"username": "admin' OR '1'='1", "password": "anything"},
        {"username": "admin'--", "password": ""},

        # Default credentials
        {"username": "admin", "password": "admin"},
        {"username": "administrator", "password": "password"},

        # Empty authentication
        {"username": "", "password": ""},
    ]

    for case in test_cases:
        response = requests.post(
            f"{base_url}/login",
            data=case,
            allow_redirects=False
        )

        if response.status_code == 302:  # Redirect might indicate success
            print(f"Potential bypass: {case}")

Session Management Testing:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
// Session testing checklist
const sessionTests = {
  // Test session token entropy
  checkTokenRandomness: (tokens) => {
    const uniqueTokens = new Set(tokens);
    return uniqueTokens.size === tokens.length;
  },

  // Test session fixation
  checkSessionFixation: async (sessionId) => {
    const loginResponse = await fetch("/login", {
      method: "POST",
      headers: { Cookie: `SESSIONID=${sessionId}` },
      body: JSON.stringify({ username: "test", password: "test" }),
    });

    const newSessionId = extractSessionFromResponse(loginResponse);
    return newSessionId !== sessionId; // Should be different
  },

  // Test session timeout
  checkSessionTimeout: async (sessionId) => {
    await new Promise((resolve) => setTimeout(resolve, 1800000)); // 30 minutes

    const response = await fetch("/protected", {
      headers: { Cookie: `SESSIONID=${sessionId}` },
    });

    return response.status === 401; // Should be unauthorized
  },
};

Testing Categories:

Technical Testing:

  • Input validation: Boundary value analysis, fuzz testing
  • Error handling: Information disclosure through error messages
  • Cryptography: Weak algorithms, key management issues
  • Business logic: Workflow bypasses, race conditions

Infrastructure Testing:

  • Network security: Port scanning, SSL/TLS configuration
  • Web server configuration: Default accounts, unnecessary services
  • Database security: Privilege escalation, data exposure

These OWASP resources provide a comprehensive foundation for implementing security throughout the software development lifecycle, from secure coding practices to thorough security testing methodologies.