from Hacker News

OWASP Cheat Sheet Series

by MalcolmDiggs on 8/3/19, 8:59 PM with 14 comments

  • by rarecoil on 8/4/19, 4:03 AM

    I'm a product security engineer. I reference these all of the time during my own work to make sure I didn't miss something stupid, but I also hand links out to them to engineers when we do find bugs in their code. Most of the time I think they're ignored.

    If most engineers just took a second to read the ones that were directly pertinent to their projects and tried to be cognisant of some mitigations, I'd find substantially fewer low-hanging-fruit vulnerabilities in the first review pass. Doing so actually makes my job significantly more difficult, and forces me to dig deeper - which is a good thing. Instead of writing up for the 100th time some input validation spiel, I can spend time searching for more complex bugs, writing protocol fuzzers, and doing real analysis in the time I have for the review.

  • by bluepnume on 8/4/19, 7:04 AM

    The thing that I find difficult with OWASP: there don't always seem to be comprehensive examples provided for what these attack surfaces could be used for. That makes it difficult to both understand the impact of a particular issue and test for it.

    As an example: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security...

    I'm fascinated to know how this could actually be exploited. But there's no hint or reference to that. It's just "don't do this".