onebeyond / cybersecurity-handbook

Cybersecurity handbook by One Beyond

Home Page: https://cybersecurityhandbook.dev/

License: MIT License

Languages: JavaScript 65.52%, Shell 5.88%, Dockerfile 7.63%, CSS 20.97%
Topics: handbook, cybersecurity

cybersecurity-handbook's People

Contributors

aabedraba, criskrus, erasmoh, gtoconsulting, reymon359, ulisesgascon

cybersecurity-handbook's Issues

Update to OWASP TOP 10 2021

Changes


New

  • A04:2021 - Insecure Design
  • A08:2017 - Insecure Deserialization -> A08:2021 - Software and Data Integrity Failures
  • A10:2021 - Server-Side Request Forgery (SSRF)

Relocate

  • A05:2017 - Broken Access Control -> A01:2021 - Broken Access Control
  • A03:2017 - Sensitive Data Exposure -> A02:2021 - Cryptographic Failures
  • A09:2017 - Using Components with Known Vulnerabilities -> A06:2021 - Vulnerable and Outdated Components
  • A10:2017 - Insufficient Logging & Monitoring -> A09:2021 - Security Logging and Monitoring Failures

Mix

  • A01:2017 - Injection & A07:2017 - Cross-site Scripting (XSS) -> A03:2021 - Injection
  • A04:2017 - XML External Entities (XXE) & A06:2017 - Security Misconfiguration -> A05:2021 - Security Misconfiguration

Pending things

Todo

  • Add licence file
  • Add CoC
  • Add Contributing.md
  • Add CI for deploy and URL

Fix

  • Support emojis in .mdx files

Section: Welcome

Todo:

  • Explain the guide
  • Add red to Contributing, CoC...
  • Add references to sources
  • Explain the sections
  • Add references to hacker movies 😎

Update Readme

Dependencies:

  • Contributing
  • Shields, url, description, tags... metadata in general
  • Add content cool quotes 💪

Release 2.x codename: BlueBox

Release v2.0.0 codename: Blue Box

Blue Box Device at the Powerhouse museum
Image from Wikipedia: Blue Box

A blue box is an electronic device that generates the in-band signaling tones formerly generated by telephone operator consoles to control telephone switches. Developed during the 1960s, blue boxes allowed private individuals to control long-distance call routing and to bypass the toll-collection mechanisms of telephone companies,[2] enabling the user to place free long-distance telephone calls on national and international circuits.

At first the use of these techniques was limited to a small group of "phreakers", which included, among others, Steve Wozniak. After the publication of "Secrets of the Blue Box" in October 1971's edition of Esquire, interest in the topic grew tremendously, both among end-users as well as the Bell System. The practice was ruled as telephone fraud by the Bell System and the courts, and prosecuted vigorously.

Blue boxes worked because the telephone system used tones in the existing voice lines to send routing instructions, and these tones were not filtered out at the handsets. Subsequent telephone switching technologies used out-of-band signaling methods in the form of Common Channel Interoffice Signaling (CCIS) in a separate channel not accessible to the caller. Blue boxing stopped working as these systems were deployed.
By Wikipedia

Project Roadmap

This issue will guide us through the growing backlog, user requests and releases.

Note: This is a project that helps us to follow the day-to-day targets 👍

Current planned Releases

Release v0.1.0 (Cap'n Crunch whistle)

High Priority

  • Complete section: Attacks explained. Details: #28
  • Complete section: About Cybersecurity. Details: #26
  • Complete section: Checklists (Minimal version). Details: #25
  • Complete section: Testing Guides (Minimal version). Details: #16
  • Complete section: Tooling. Details: #22
  • Complete section: Resources. Details: #17
  • Complete section: Welcome. Details: #19
  • Complete section: Acknowledgments and credits. Details: #20
  • Complete section: Best practices. Details: #24
  • OWASP TOP 10 Refresh content and refactor to Nodejs. Details: #22
  • Update Readme #21
  • Basic Deploy (as /docs in GH Pages)
  • We need a great banner/cover and logo (cc: @lovetacirupeca)
  • Release it. See: #40

No priority

  • Improve expect-ct header content
  • Add route / with general.mdx for all sections
  • Add Humor (xkcd, commit strip, Memes) 💪
  • Add license details for content at handbook level
  • Open External links in a separate tab and internal links in current tab.
  • Improve Styles and components (cc: @inigomarquinez & @kevinccbsg)
  • Check for internal links missing (refs to content)

Release v1.0.0 (Blue Box)

  • Collect Feedback about v0.1.x
  • Add CI to deploy in a friendly URL. Details: #13
  • Section: Security Design. Details: #31
  • Extend Section: Checklists
  • Extend Section: Testing Guides
  • Proactive Controls Refactor
    • Migrate examples to Nodejs
    • Simplify texts
  • Release it. See: #30

Non planned yet

Topics:

Section: Attacks explained

TODO:

  • Lockfile
  • Buffer
  • HTTP Parameter Pollution
  • Prototype Pollution
  • Cross-site scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Regex Denial of Service (ReDoS)
  • Open Redirections
  • CSS Exfil
  • Clickjacking
  • Exhausting System Resources
  • Insecure Randomness
  • Leaking Application Secrets
  • Path Traversal
  • Symlink
  • Review https://owasp.org/www-community/attacks/

Release 1.x codename: Cap'n Crunch whistle

Release v1.0.x (Cap'n Crunch whistle)

Cap'n Crunch breakfast cereal promotional insert toy whistle at 2600 Hertz, in the Deutsches Technikmuseum in Berlin
Image from Wikipedia: John_Draper

(...) Only one cereal box toy has that distinction: the Cap’n Crunch Bo’sun whistle. Meant to replicate the whistles used by sailing officials (boatswains) to signal mealtimes or commands, the multicolored whistles came along with boxes of Cap’n Crunch starting in the mid-1960s. One fell into the hands of John Draper, a former U.S. Air Force electronics technician. Draper was part of an underground culture that predated hacking as we know it: phone phreaks. These early hackers played certain tones through their telephones to bypass AT&T’s analog system and get free long-distance phone calls.
By Atlas Obscura

OWASP TOP 10 Refactor

TODO:

  • Review tools
  • Add new tools referenced in other sections
  • Add nodejs examples
  • Add videos
  • Improve and curate content
