• evaluating python code inside curly brackets
• put expressions in form fields
• see if an expression evaluates by looking for it in the dev tools
• if it does, try to grab data from that scope in the devtools
• if that works, try the equivalent in the form field

Tools

Framework-Specific Access Control Tools

Here are some access control tools for various frameworks, along with their GitHub repositories:

Flask

• Flask-Security: Provides authentication, authorization, and role-based access control (RBAC).
• Flask-Principal: Allows for role-based access control and permission management.
• Flask-User: Manages user accounts, roles, and permissions.

Django

• Django Guardian: A flexible, policy-based authorization framework.
• Django-Roles: Simplifies role-based access control.
• Django-Permissions: Provides a comprehensive permissions system.

FastAPI

• FastAPI-JWT: Provides JSON Web Token (JWT) based authentication and authorization.
• FastAPI-Auth: Offers various authentication methods including JWT and OAuth2.

Laravel

• Laravel Sanctum: Provides a lightweight authentication system for single-page applications, token-based APIs, and simple, token-based "Guard" implementations.
• Laravel Passport: An OAuth2 server implementation for Laravel.
• Laravel Gates and Policies (part of Laravel framework): Built-in features for authorization.

Drupal

• Drupal Access Control: Built-in access control system with roles and permissions.
• Rules Module: Allows for custom access control rules.
• Group Module: Manages user groups for access control.

Symfony

• Symfony Security: A comprehensive security component for authentication and authorization.
• Lexik JWT Authentication Bundle: Provides JWT-based authentication.
• HWIOAuthBundle: Supports OAuth2 authentication.

AEM

• Access Control Tool: AEM RBAC

Side Channel

Another type of non-intrusive but challenging-to-prevent attack is a "Side-Channel Attack". This attack gathers information from the physical implementation of a system rather than exploiting software vulnerabilities. Examples include:

• Power Analysis Attacks: Observing the power consumption of a device to extract cryptographic keys.
• Electromagnetic Attacks: Monitoring electromagnetic emissions from electronic devices to gather sensitive data.
• Timing Attacks: Analyzing the time taken to execute cryptographic algorithms to uncover private information.

Side-channel attacks can be particularly difficult to guard against because they exploit indirect information leaks rather than breaking through conventional security measures.

RCE

• https://medium.com/@akshukatkar/rce-with-flask-jinja-template-injection-ea5d0201b870
• https://royaljay.com/security/angular-expression-injections/
• https://www.reddit.com/r/webdev/comments/808ls4/mixing_vuejs_templates_with_serverside_templates/
• https://ryhanson.com/angular-expression-injection-walkthrough/
• https://blog.hackmetrix.com/should-you-care-about-xss-in-vuejs/
• https://github.com/dotboris/vuejs-serverside-template-xss
• https://snyk.io/vuln/npm:vue:20180802
• https://github.com/vuejs/vue/issues/7860
• https://vuejs.org/v2/guide/syntax.html#Using-JavaScript-Expressions

Specifications

Security Robustness Specifications

Here are some security robustness specifications from various standard organizations:

1. IETF
   • Specification: RFC 3365: Strong Security Requirements for Internet Engineering Task Force Standard Protocols
2. OASIS
   • Specification: Security Assertion Markup Language (SAML) v2.0
3. Open Group
   • Specification: O-RA 2.0.1: Risk Analysis Standard
4. W3C
   • Specification: Content Security Policy (CSP)
5. NIST
   • Specification: NIST Special Publication 800-37: Risk Management Framework (RMF)
6. ANSI
   • Specification: ANSI X9.119: Standard for Financial Services Security
7. ISO
   • Specification: ISO/IEC 27001: Information Security Management Systems

Obscurity

56k

• Use FOUC as a security measure by leveraging document.write if JavaScript permission checks fail

parse with awk, no worries:

• https://www.gnu.org/software/gawk/manual/html_node/Splitting-By-Content.html
• http://www.theunixschool.com/2012/06/awk-10-examples-to-group-data-in-csv-or.html

Process offline in batches; only use SMTP

• https://www.theguardian.com/technology/2008/oct/17/richard-stallman-computer-programming
• https://news.ycombinator.com/item?id=37699851
• https://cdevroe.com/2010/01/24/richard-stallman-s-approach-to-email/

Fax Machine CVE

• https://www.goldfax.com/pdf/7_ways_your_fax_machine_is_putting_you_at_risk-dpdwhitepaper.pdf

Man-in-the-Middle

• https://www.schneier.com/blog/archives/2017/07/a_man-in-the-mi.html
• https://medium.com/@Alibaba_Cloud/protect-your-website-how-to-avoid-sms-traffic-flooding-attacks-d8d9561dcdeb

Multi-Factor

• https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html
• https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/TRANSITION%20TO%20MULTI-FACTOR%20AUTHENTICATION.PDF

Fax Machine

• https://www.cnbc.com/2018/02/10/milllennial-doctors-forced-to-use-fax-machines-causing-puzzlement.html
• https://thehackernews.com/2018/08/hack-printer-fax-machine.html

Notifications

• https://notifications.spec.whatwg.org/

Passwordless

• https://breakingdefense.com/2019/05/end-of-passwords-disa-tests-walkabout-identity-system/
• https://www.usajobs.gov/Help/how-to/account/limited-access/

Sandboxing

• http://www.cse.chalmers.se/~dave/papers/SafeWrappers.pdf
• https://medium.com/nassec-cybersecurity-writeups/tips-from-a-security-researcher-to-a-qa-engineer-to-enhance-software-quality-assurance-80a01e2be194

AOP

• http://aspectes.tigris.org/

Culture

• https://www.adobe.com/content/dam/acom/en/security/pdfs/adb_security-culture-wp.pdf
• https://arxiv.org/pdf/1612.00766.pdf
• https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/
• https://clearcode.cc/blog/intelligent-tracking-prevention/
• https://moz.com/blog/machine-learning-and-link-spam-my-brush-with-insanity
• https://blog.acolyer.org/2019/07/08/software-engineering-for-machine-learning/

OTP

http://www.quuxlabs.com/blog/2010/09/paper-token-gutenbergs-version-of-one-time-passwords/

Trusting Trust

https://dwheeler.com/trusting-trust/

References

• https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities
• https://owasp.org/www-pdf-archive/OWASP_Cheatsheets_Book.pdf
• https://www.mozilla.org/en-US/about/policy/lean-data/build-security/
• https://html5sec.org/
• https://blog.it-securityguard.com/bugbounty-papyal-xml-upload-cross-site-scripting-vulnerability/
• https://webstersprodigy.net/2012/02/04/serving-back-xml-for-xss/
• http://www.howtocreate.co.uk/crosssite.html
• https://labs.detectify.com/2018/09/04/xss-using-quirky-implementations-of-acme-http-01/
• http://www.dtic.mil/dtic/tr/fulltext/u2/1021683.pdf
• https://developer.android.com/docs/quality-guidelines/core-app-quality
• https://developer.android.com/guide/components/intents-filters#Types
• https://developer.android.com/training/articles/security-tips#DynamicCode
• https://arxiv.org/pdf/1704.03356.pdf
• https://cwe.mitre.org/data/index.html
• https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4090456/
• https://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf
• https://www.websand.eu
• https://www.us-cert.gov/bsi/articles/best-practices/assembly-integration-and-evolution--security-concept-challenge-and-design-considerations-web-services-integration
• http://bofh.nikhef.nl/events/HitB/hitb-2014-amsterdam/praatjes/D2T2-Exploring-and-Exploiting-iOS-Web-Browsers.pdf
• http://obem.be/2014/07/28/oauth-2-on-android.html
• https://docs.oracle.com/cd/E17952_01/mysql-utilities-1.6-en/utils-task-using-ssl.html
• http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7970.pdf
• https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
• https://www.owasp.org/index.php/Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data
• https://www.owasp.org/index.php/Phishing
• https://ethereum.stackexchange.com/questions/8565/lost-ethers-in-google-ad-phishing-scam
• https://webmasters.stackexchange.com/questions/85411/unable-to-locate-phishing-url-in-cpanel-file-manager
• https://www.owasp.org/images/a/ae/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf
• https://msdn.microsoft.com/en-us/library/ms537122
• https://www.linkedin.com/pulse/identity-bridge-how-api-gateway-bridges-oauth-jwt-saml-mark-o-neill/
• http://www.stearns.org/toolscd/current/ethereal/ethereal-user-guide.pdf
• https://www.oasis-open.org/committees/download.php/8958/sstc-saml-implementation-guidelines-draft-01.pdf
• http://canonical.org/~kragen/sw/netbook-misc-devel/wordlist
• https://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml
• https://www.usenix.org/system/files/login/issues/usenix_dec11_login.pdf
• https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
• http://www.dtic.mil/docs/citations/ADA545053
• http://www.dtic.mil/docs/citations/ADA453238
• http://www.dtic.mil/docs/citations/AD1000434
• http://www.dtic.mil/docs/citations/AD1014839
• http://www.dtic.mil/docs/citations/AD1006391
• http://www.dtic.mil/docs/citations/AD1046295
• https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS
• https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-vila.pdf
• https://www.sans.org/reading-room/whitepapers/forensics/forensic-primer-usenet-evidence-32829

Basics

https://www.troyhunt.com/security-insanity-how-we-keep-failing-at-the-basics/

https://www.troyhunt.com/the-beginners-guide-to-breaking-website/

https://davidwalsh.name/disable-autocorrect

http://10rem.net/blog/2012/02/14/ux-anti-patterns-for-security-on-the-web-and-in-the-enterprise

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

http://www.solomoncloudsolutions.com/uploads/5/2/7/9/52794453/microsoftdynamicsslsecurity.pdf

Binary

https://crypto.stackexchange.com/questions/63450/why-doesnt-steganography-increase-the-size-of-an-uncompressed-image

Templating

• https://html5sec.org
• https://nvd.nist.gov/vuln/detail/CVE-2000-1050
• http://tomcat.apache.org/security-4.html
• https://www.securityfocus.com/bid/4997
• https://docs.oracle.com/cd/A97688_16/generic.903/a97679/jspxml.htm
• https://www.developer.com/tech/article.php/626351/JavaServer-Pages-Comments-Declaration-and-Expressions.htm
• https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
• http://www.oracle.com/technetwork/java/seccodeguide-139067.html
• https://github.com/facebook/react/issues/3473
• https://lolware.net/2015/08/19/reactjs-xss-testing.html
• https://vip.wordpress.com/2015/03/25/preventing-xss-in-javascript/
• https://labs.detectify.com/2017/01/18/stored-xss-ing-millions-of-sites-through-html-comment-box/
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-anyconnect-dos

Same Origin Policy

• https://marc.info/?l=bugtraq&m=102796732924658&w=2
• https://dev.to/rdegges/please-stop-using-local-storage-1i04
• https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/
• https://www.sec-1.com/blog/wp-content/uploads/2016/08/Hunting-postMessage-Vulnerabilities.pdf
• https://hackerone.com/reports/398054
• https://medium.com/bugbountywriteup/exploiting-post-message-to-steal-users-cookies-7df43a00289a

Service Worker

• https://github.com/w3c/ServiceWorker/issues/940
• https://ahussam.me/Amazon-leaking-csrf-token-using-service-worker/
• https://dzone.com/articles/using-csp-nonces-effectively-with-a-service-worker

Reflected XSS

https://dzone.com/articles/reflected-xss-explained-how-to-prevent-reflected-x

https://buer.haus/2015/01/21/admin-google-com-reflected-cross-site-scripting-xss/

https://www.theregister.co.uk/2017/05/12/googles_php_api_client_has_xss_vulnerability/

https://seclists.org/fulldisclosure/2017/May/42

https://medium.com/@protector47/how-to-hack-wordpress-website-via-xmlrpc-php-61c813fa3740

DOM XSS

https://hackerone.com/reports/46072

http://danlec.com/blog/xss-via-a-spoofed-react-element

https://cure53.de/fp170.pdf

https://www.securityweek.com/javascript-library-introduced-xss-flaw-google-search

https://www.slideshare.net/kseniadmitrieva/how-to-react-to-javascript-insecurity

https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412

https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1

https://medium.com/@arkadiusz.machalica/how-to-render-static-markup-with-react-e0d192ac3a8c

https://www.owasp.org/images/f/f4/ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf

http://blog.k3170makan.com/2016/02/stealing-secrets-with-css-cross-origin.html

https://github.com/cure53/XSSChallengeWiki/wiki/ES6-Challenge

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

https://cure53.de/es6-for-penetration-testers.pdf

https://github.com/facebook/react/issues/10506

Research Papers

https://bok.idpro.org/article/41/galley/57/view/

https://www.cisa.gov/sites/default/files/publications/Cloud%20Security%20Technical%20Reference%20Architecture.pdf

https://www.azed.gov/sites/default/files/2020/11/NetworkSecurityIT11199900.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-5db24e87f9132e0807e4f9a92d2bc162/pdf/GOVPUB-C13-5db24e87f9132e0807e4f9a92d2bc162.pdf

https://www.hpc.mil/images/hpcdocs/ipv6/masterthesis_johannes_weber_ipv6securitytestlaboratory.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-3cee6719f04b98ad3d753a966b662c51/pdf/GOVPUB-C13-3cee6719f04b98ad3d753a966b662c51.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-14573868b226d8f4b535dea60dc6c1f7/pdf/GOVPUB-C13-14573868b226d8f4b535dea60dc6c1f7.pdf

https://www.govinfo.gov/media/Authentication_Definitions.pdf

https://apps.dtic.mil/sti/pdfs/AD1046565.pdf

https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/p385_30.pdf

https://www.safety.marines.mil/Risk-Management/

https://www.spa.usace.army.mil/Portals/16/docs/business/smallbusiness/2021%20BOOH/B3-Cyber_Security.pdf?ver=B-E2odYFMUwjqankJCgFCA%3D%3D

https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/ARN17343_P25_2_7_Admin_FINAL.pdf

https://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

https://www.nccoe.nist.gov/sites/default/files/legacy-files/fs-pam-fact-sheet.pdf