False Assumptions

cognitive dissonance	Structure	problems	false assumptions	Idiom (Wikiquote)
assuming precision guarantees safety	assuming P leads to Q	trusting trust	In this scenario the reader assumes that careful work implies safe work and therefore omits verifying the trust chain which allows a substitution attack to succeed	Measure twice, cut once
believing correct output implies correct authority	assuming Q implies P	the confused deputy	Here the reader infers that correct results must come from a correct authority and therefore fails to separate capability from identity which enables unintended privilege use	Dont judge a book by its cover
thinking missing rigor only affects minor details	assuming not P leads to not Q	man in the middle	In this explanation the reader treats small lapses as harmless and therefore does not validate the communication path which allows an interceptor to alter or observe messages	The devil is in the details
treating bad outcomes as unrelated to flawed reasoning	assuming not Q implies not P	phishing	In this narrative the reader assumes that deception must be obvious and therefore does not examine subtle inconsistencies which allows an attacker to imitate a trusted source	Where theres smoke theres fire
assuming attention to detail can contradict results	assuming P leads to not Q	clickjacking	In this description the reader believes that visible interface elements reflect actual behavior and therefore does not inspect hidden overlays which allows an attacker to redirect actions	A wolf in sheeps clothing

Basics

• evaluating python code inside curly brackets
• put expressions in form fields
• see if an expression evaluates by looking for it in the dev tools
• if it does, try to grab data from that scope in the devtools
• if that works, try the equivalent in the form field

Offensive

• https://cheatsheetseries.owasp.org/cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.html
• https://owasp.boireau.io/4-web_application_security_testing/11-client-side_testing/05-testing_for_css_injection

Tools

Framework-Specific Access Control Tools

Here are some access control tools for various frameworks, along with their GitHub repositories:

Flask

• Flask-Security: Provides authentication, authorization, and role-based access control (RBAC).
• Flask-Principal: Allows for role-based access control and permission management.
• Flask-User: Manages user accounts, roles, and permissions.

Django

• Django Guardian: A flexible, policy-based authorization framework.
• Django-Roles: Simplifies role-based access control.
• Django-Permissions: Provides a comprehensive permissions system.

FastAPI

• FastAPI-JWT: Provides JSON Web Token (JWT) based authentication and authorization.
• FastAPI-Auth: Offers various authentication methods including JWT and OAuth2.

Laravel

• Laravel Sanctum: Provides a lightweight authentication system for single-page applications, token-based APIs, and simple, token-based "Guard" implementations.
• Laravel Passport: An OAuth2 server implementation for Laravel.
• Laravel Gates and Policies (part of Laravel framework): Built-in features for authorization.

Drupal

• Drupal Access Control: Built-in access control system with roles and permissions.
• Rules Module: Allows for custom access control rules.
• Group Module: Manages user groups for access control.

Symfony

• Symfony Security: A comprehensive security component for authentication and authorization.
• Lexik JWT Authentication Bundle: Provides JWT-based authentication.
• HWIOAuthBundle: Supports OAuth2 authentication.

AEM

• Access Control Tool: AEM RBAC

Side Channel

Another type of non-intrusive but challenging-to-prevent attack is a "Side-Channel Attack". This attack gathers information from the physical implementation of a system rather than exploiting software vulnerabilities. Examples include:

• Power Analysis Attacks: Observing the power consumption of a device to extract cryptographic keys.
• Electromagnetic Attacks: Monitoring electromagnetic emissions from electronic devices to gather sensitive data.
• Timing Attacks: Analyzing the time taken to execute cryptographic algorithms to uncover private information.

Side-channel attacks can be particularly difficult to guard against because they exploit indirect information leaks rather than breaking through conventional security measures.

RCE

• https://medium.com/@akshukatkar/rce-with-flask-jinja-template-injection-ea5d0201b870
• https://royaljay.com/security/angular-expression-injections/
• https://www.reddit.com/r/webdev/comments/808ls4/mixing_vuejs_templates_with_serverside_templates/
• https://ryhanson.com/angular-expression-injection-walkthrough/
• https://blog.hackmetrix.com/should-you-care-about-xss-in-vuejs/
• https://github.com/dotboris/vuejs-serverside-template-xss
• https://snyk.io/vuln/npm:vue:20180802
• https://github.com/vuejs/vue/issues/7860
• https://vuejs.org/v2/guide/syntax.html#Using-JavaScript-Expressions

Specifications

Security Robustness Specifications

Here are some security robustness specifications from various standard organizations:

1. IETF
   • Specification: RFC 3365: Strong Security Requirements for Internet Engineering Task Force Standard Protocols
2. OASIS
   • Specification: Security Assertion Markup Language (SAML) v2.0
3. Open Group
   • Specification: O-RA 2.0.1: Risk Analysis Standard
4. W3C
   • Specification: Content Security Policy (CSP)
5. NIST
   • Specification: NIST Special Publication 800-37: Risk Management Framework (RMF)
6. ANSI
   • Specification: ANSI X9.119: Standard for Financial Services Security
7. ISO
   • Specification: ISO/IEC 27001: Information Security Management Systems

Obscurity

56k

• Use FOUC as a security measure by leveraging document.write if JavaScript permission checks fail

parse with awk, no worries:

• https://www.gnu.org/software/gawk/manual/html_node/Splitting-By-Content.html
• http://www.theunixschool.com/2012/06/awk-10-examples-to-group-data-in-csv-or.html

Process offline in batches; only use SMTP

• https://www.theguardian.com/technology/2008/oct/17/richard-stallman-computer-programming
• https://news.ycombinator.com/item?id=37699851
• https://cdevroe.com/2010/01/24/richard-stallman-s-approach-to-email/

Fax Machine CVE

• https://www.goldfax.com/pdf/7_ways_your_fax_machine_is_putting_you_at_risk-dpdwhitepaper.pdf

Man-in-the-Middle

• https://www.schneier.com/blog/archives/2017/07/a_man-in-the-mi.html
• https://medium.com/@Alibaba_Cloud/protect-your-website-how-to-avoid-sms-traffic-flooding-attacks-d8d9561dcdeb

Multi-Factor

• https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html
• https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/TRANSITION%20TO%20MULTI-FACTOR%20AUTHENTICATION.PDF

Fax Machine

• https://www.cnbc.com/2018/02/10/milllennial-doctors-forced-to-use-fax-machines-causing-puzzlement.html
• https://thehackernews.com/2018/08/hack-printer-fax-machine.html

Notifications

• https://notifications.spec.whatwg.org/

Passwordless

• https://breakingdefense.com/2019/05/end-of-passwords-disa-tests-walkabout-identity-system/
• https://www.usajobs.gov/Help/how-to/account/limited-access/

Sandboxing

• http://www.cse.chalmers.se/~dave/papers/SafeWrappers.pdf
• https://medium.com/nassec-cybersecurity-writeups/tips-from-a-security-researcher-to-a-qa-engineer-to-enhance-software-quality-assurance-80a01e2be194

AOP

• http://aspectes.tigris.org/

Culture

• https://www.adobe.com/content/dam/acom/en/security/pdfs/adb_security-culture-wp.pdf
• https://arxiv.org/pdf/1612.00766.pdf
• https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/
• https://clearcode.cc/blog/intelligent-tracking-prevention/
• https://moz.com/blog/machine-learning-and-link-spam-my-brush-with-insanity
• https://blog.acolyer.org/2019/07/08/software-engineering-for-machine-learning/
• https://publishedtodeath.blogspot.com/

OTP

http://www.quuxlabs.com/blog/2010/09/paper-token-gutenbergs-version-of-one-time-passwords/

Trusting Trust

https://dwheeler.com/trusting-trust/

References

• https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities
• https://owasp.org/www-pdf-archive/OWASP_Cheatsheets_Book.pdf
• https://www.mozilla.org/en-US/about/policy/lean-data/build-security/
• https://html5sec.org/
• https://blog.it-securityguard.com/bugbounty-papyal-xml-upload-cross-site-scripting-vulnerability/
• https://webstersprodigy.net/2012/02/04/serving-back-xml-for-xss/
• http://www.howtocreate.co.uk/crosssite.html
• https://labs.detectify.com/2018/09/04/xss-using-quirky-implementations-of-acme-http-01/
• http://www.dtic.mil/dtic/tr/fulltext/u2/1021683.pdf
• https://developer.android.com/docs/quality-guidelines/core-app-quality
• https://developer.android.com/guide/components/intents-filters#Types
• https://developer.android.com/training/articles/security-tips#DynamicCode
• https://arxiv.org/pdf/1704.03356.pdf
• https://cwe.mitre.org/data/index.html
• https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4090456/
• https://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf
• https://www.websand.eu
• https://www.us-cert.gov/bsi/articles/best-practices/assembly-integration-and-evolution--security-concept-challenge-and-design-considerations-web-services-integration
• http://bofh.nikhef.nl/events/HitB/hitb-2014-amsterdam/praatjes/D2T2-Exploring-and-Exploiting-iOS-Web-Browsers.pdf
• http://obem.be/2014/07/28/oauth-2-on-android.html
• https://docs.oracle.com/cd/E17952_01/mysql-utilities-1.6-en/utils-task-using-ssl.html
• http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7970.pdf
• https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
• https://www.owasp.org/index.php/Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data
• https://www.owasp.org/index.php/Phishing
• https://ethereum.stackexchange.com/questions/8565/lost-ethers-in-google-ad-phishing-scam
• https://webmasters.stackexchange.com/questions/85411/unable-to-locate-phishing-url-in-cpanel-file-manager
• https://www.owasp.org/images/a/ae/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf
• https://msdn.microsoft.com/en-us/library/ms537122
• https://www.linkedin.com/pulse/identity-bridge-how-api-gateway-bridges-oauth-jwt-saml-mark-o-neill/
• http://www.stearns.org/toolscd/current/ethereal/ethereal-user-guide.pdf
• https://www.oasis-open.org/committees/download.php/8958/sstc-saml-implementation-guidelines-draft-01.pdf
• http://canonical.org/~kragen/sw/netbook-misc-devel/wordlist
• https://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml
• https://www.usenix.org/system/files/login/issues/usenix_dec11_login.pdf
• https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
• http://www.dtic.mil/docs/citations/ADA545053
• http://www.dtic.mil/docs/citations/ADA453238
• http://www.dtic.mil/docs/citations/AD1000434
• http://www.dtic.mil/docs/citations/AD1014839
• http://www.dtic.mil/docs/citations/AD1006391
• http://www.dtic.mil/docs/citations/AD1046295
• https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS
• https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-vila.pdf
• https://www.sans.org/reading-room/whitepapers/forensics/forensic-primer-usenet-evidence-32829

Basics

https://www.troyhunt.com/security-insanity-how-we-keep-failing-at-the-basics/

https://www.troyhunt.com/the-beginners-guide-to-breaking-website/

https://davidwalsh.name/disable-autocorrect

http://10rem.net/blog/2012/02/14/ux-anti-patterns-for-security-on-the-web-and-in-the-enterprise

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

http://www.solomoncloudsolutions.com/uploads/5/2/7/9/52794453/microsoftdynamicsslsecurity.pdf

Binary

https://crypto.stackexchange.com/questions/63450/why-doesnt-steganography-increase-the-size-of-an-uncompressed-image

Templating

• https://html5sec.org
• https://nvd.nist.gov/vuln/detail/CVE-2000-1050
• http://tomcat.apache.org/security-4.html
• https://www.securityfocus.com/bid/4997
• https://docs.oracle.com/cd/A97688_16/generic.903/a97679/jspxml.htm
• https://www.developer.com/tech/article.php/626351/JavaServer-Pages-Comments-Declaration-and-Expressions.htm
• https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
• http://www.oracle.com/technetwork/java/seccodeguide-139067.html
• https://github.com/facebook/react/issues/3473
• https://lolware.net/2015/08/19/reactjs-xss-testing.html
• https://vip.wordpress.com/2015/03/25/preventing-xss-in-javascript/
• https://labs.detectify.com/2017/01/18/stored-xss-ing-millions-of-sites-through-html-comment-box/
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-anyconnect-dos

Same Origin Policy

• https://marc.info/?l=bugtraq&m=102796732924658&w=2
• https://dev.to/rdegges/please-stop-using-local-storage-1i04
• https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/
• https://www.sec-1.com/blog/wp-content/uploads/2016/08/Hunting-postMessage-Vulnerabilities.pdf
• https://hackerone.com/reports/398054
• https://medium.com/bugbountywriteup/exploiting-post-message-to-steal-users-cookies-7df43a00289a

Service Worker

• https://github.com/w3c/ServiceWorker/issues/940
• https://ahussam.me/Amazon-leaking-csrf-token-using-service-worker/
• https://dzone.com/articles/using-csp-nonces-effectively-with-a-service-worker

Reflected XSS

https://dzone.com/articles/reflected-xss-explained-how-to-prevent-reflected-x

https://buer.haus/2015/01/21/admin-google-com-reflected-cross-site-scripting-xss/

https://www.theregister.co.uk/2017/05/12/googles_php_api_client_has_xss_vulnerability/

https://seclists.org/fulldisclosure/2017/May/42

https://medium.com/@protector47/how-to-hack-wordpress-website-via-xmlrpc-php-61c813fa3740

DOM XSS

https://hackerone.com/reports/46072

http://danlec.com/blog/xss-via-a-spoofed-react-element

https://cure53.de/fp170.pdf

https://www.securityweek.com/javascript-library-introduced-xss-flaw-google-search

https://www.slideshare.net/kseniadmitrieva/how-to-react-to-javascript-insecurity

https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412

https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1

https://medium.com/@arkadiusz.machalica/how-to-render-static-markup-with-react-e0d192ac3a8c

https://www.owasp.org/images/f/f4/ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf

http://blog.k3170makan.com/2016/02/stealing-secrets-with-css-cross-origin.html

https://github.com/cure53/XSSChallengeWiki/wiki/ES6-Challenge

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

https://cure53.de/es6-for-penetration-testers.pdf

https://github.com/facebook/react/issues/10506

Research Papers

https://bok.idpro.org/article/41/galley/57/view/

https://www.cisa.gov/sites/default/files/publications/Cloud%20Security%20Technical%20Reference%20Architecture.pdf

https://www.azed.gov/sites/default/files/2020/11/NetworkSecurityIT11199900.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-5db24e87f9132e0807e4f9a92d2bc162/pdf/GOVPUB-C13-5db24e87f9132e0807e4f9a92d2bc162.pdf

https://www.hpc.mil/images/hpcdocs/ipv6/masterthesis_johannes_weber_ipv6securitytestlaboratory.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-3cee6719f04b98ad3d753a966b662c51/pdf/GOVPUB-C13-3cee6719f04b98ad3d753a966b662c51.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-14573868b226d8f4b535dea60dc6c1f7/pdf/GOVPUB-C13-14573868b226d8f4b535dea60dc6c1f7.pdf

https://www.govinfo.gov/media/Authentication_Definitions.pdf

https://apps.dtic.mil/sti/pdfs/AD1046565.pdf

https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/p385_30.pdf

https://www.safety.marines.mil/Risk-Management/

https://www.spa.usace.army.mil/Portals/16/docs/business/smallbusiness/2021%20BOOH/B3-Cyber_Security.pdf?ver=B-E2odYFMUwjqankJCgFCA%3D%3D

https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/ARN17343_P25_2_7_Admin_FINAL.pdf

https://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

https://www.nccoe.nist.gov/sites/default/files/legacy-files/fs-pam-fact-sheet.pdf