📡
Daniel Serbu's CyberSecurity Blog
  • 🔧Welcome
  • 💾Writeups
    • PWNEDLABS Identify the AWS Account ID from a Public S3 Bucket
    • TryHackMe Anthem
    • TryHackMe AttacktiveDirectory
    • TryHackMe Vulnnet: Active
    • TryHackMe Ice
    • TryHackMe Blueprint
    • TryHackMe VulnNet: Roasted
    • TryHackMe Post-Exploitation Basics
    • TryHackMe Lookback
    • MobileHackingLab Food Store
    • MobileHackingLab Notekeeper
    • MobileHackingLab IOT Connect
  • DevSecOps
    • Container Security
      • Kubernetes
    • Infrastructure as Code - IaC
    • Dynamic Application Security Testing - DAST
    • Static Application Security Testing - SAST
    • Software Bill of Materials - SBOM
    • Software Composition Analysis - SCA
    • Source Code Audit
      • PHP Code Review
      • Secure By Design Libraries
    • IDE Plugins for Developers
    • Security Hardening
    • Secure Coding
    • Cheatsheets
    • Mobile
    • Cloud Security
  • OSINT
Powered by GitBook
On this page
  • Resources
  • Learn by doing
  • Input Validation Mechanisms
  • Cross-Site Scripting / XSS
  • SQL Injection / SQLi
  • XML External Entity attack / XXE
  • Cross-Site Request Forgery / CSRF / XSRF
  • Encoding, Encryption and Hashing
  • Authentication related Vulnerabilities
  • Understanding of OWASP Top 10 Vulnerabilities
  • Security Best Practices and Hardening Mechanisms.
  • TLS security
  • Server-Side Request Forgery
  • Authorization and Session Management related flaws
  • Insecure File Uploads
  • Code Injection Vulnerabilities
  • Business Logic Flaws
  • Directory Traversal Vulnerabilities
  • Security Misconfigurations.
  • Information Disclosure.
  • Vulnerable and Outdated Components.
  • Common Supply Chain Attacks and Prevention Methods.
  1. Penetration Testing
  2. Certification Prep
  3. SecOps CAP

Overview

Last updated 1 month ago

Resources

Learn by doing

Certification syllabus. The exam will cover the following topics

Input Validation Mechanisms

  • Blacklisting

  • Whitelisting

----------------------------------------------------------------

Cross-Site Scripting / XSS

----------------------------------------------------------------

SQL Injection / SQLi

https://owasp.org/Top10/A03_2021-Injection/

https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

https://www.hacksplaining.com/prevention/sql-injection

https://blogs.appsecworld.com/2022/12/owasp-api-security-top-10-api8-2019-injection.html

----------------------------------------------------------------

XML External Entity attack / XXE

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

----------------------------------------------------------------

Cross-Site Request Forgery / CSRF / XSRF

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-7.0

----------------------------------------------------------------

Encoding, Encryption and Hashing

----------------------------------------------------------------

Authentication related Vulnerabilities

https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

https://blogs.appsecworld.com/2022/11/owasp-api-top-10-api2-2019-broken-user-authentication.html

  • Brute force Attacks

  • Password Storage and Password Policy

----------------------------------------------------------------

Understanding of OWASP Top 10 Vulnerabilities

----------------------------------------------------------------

Security Best Practices and Hardening Mechanisms.

Checkout hacksplaining/prevention stuff on the other topics and owasp prevention pages.

  • Same Origin Policy

  • Security Headers.

----------------------------------------------------------------

TLS security

  • TLS Certificate Misconfiguration

  • Symmetric and Asymmetric Ciphers

----------------------------------------------------------------

Server-Side Request Forgery

https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

https://www.hacksplaining.com/prevention/ssrf

https://hideandsec.sh/books/web-03c/page/ssrf-series

----------------------------------------------------------------

Authorization and Session Management related flaws

https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

https://blogs.appsecworld.com/2022/11/owasp-api-security-top-10-api5-2019-broken-function-level-authorization.html

https://secops.group/blog/exploiting-idors-a-compilation-of-some-neat-new-and-crazy-examples/

  • Insecure Direct Object Reference (IDOR) / BOLA

  • Privilege Escalation

  • Parameter Manipulation attacks

  • Securing Cookies.

----------------------------------------------------------------

Insecure File Uploads

https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html

https://www.hacksplaining.com/prevention/file-upload

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

----------------------------------------------------------------

Code Injection Vulnerabilities

https://portswigger.net/research/server-side-template-injection

Not code injection, but similar topic https://www.hacksplaining.com/prevention/command-execution

----------------------------------------------------------------

Business Logic Flaws

----------------------------------------------------------------

Directory Traversal Vulnerabilities

----------------------------------------------------------------

Security Misconfigurations.

----------------------------------------------------------------

Information Disclosure.

----------------------------------------------------------------

Vulnerable and Outdated Components.

----------------------------------------------------------------

Common Supply Chain Attacks and Prevention Methods.

LogoLearning Resources for Application Security and Penetration TestingLearning Resources for Application Security and Penetration Testing
LogoLearning Resources for Application Security and Penetration TestingLearning Resources for Application Security and Penetration Testing
LogoIntroduction - OWASP Cheat Sheet Series
LogoVulnerabilities | OWASP Foundation
LogoPick a Vulnerability to Learn AboutHacksplaining
LogoTryHackMe | OWASP Top 10TryHackMe
LogoTryHackMe | OWASP Top 10TryHackMe
LogoAll learning materials | Web Security AcademyWebSecAcademy
LogoInput Validation - OWASP Cheat Sheet Series
LogoCross Site Scripting Prevention - OWASP Cheat Sheet Series
LogoWhat is cross-site scripting (XSS) and how to prevent it? | Web Security AcademyWebSecAcademy
LogoHow to prevent XSS | Web Security AcademyWebSecAcademy
LogoProtecting Your Users Against Cross-site ScriptingHacksplaining
LogoProtecting Your Users Against Reflected XSSHacksplaining
LogoXML External Entity (XXE) Vulnerability - Part 1 (XML Basics)Learning Resources for Application Security and Penetration Testing
LogoXML External Entity (XXE) Vulnerability - Part 2 (XXE Basics)Learning Resources for Application Security and Penetration Testing
LogoXML External Entity (XXE) Vulnerability - Part 3 (Local DTD Enumeration)Learning Resources for Application Security and Penetration Testing
LogoProtecting Your Users Against CSRFHacksplaining
LogoOWASP API Security Top 10
LogoIndex Top 10 - OWASP Cheat Sheet Series
LogoOWASP Top 10 Vulnerabilities Cheat SheetCheatography
LogoWhat Is OWASP and What Are OWASP Top 10 for Web/API/Mobile?Bright Security
LogoThe 8 HTTP Security Headers Best Practices | GlobalDotsGlobalDots
LogoHTTP Headers - OWASP Cheat Sheet Series
LogoHTTP Security Headers and Precautionary Measures for Websites
LogoSecurity Headers - How to enable them to prevent attacksCrashtest Security
LogoHTTP Security Headers - A Complete GuideNull Sweep
LogoHardening security with HTTP security headers - SAML Single Sign On
LogoHow HTTP security headers can help harden web applicationsSC Media
LogoComplete guide to HTTP Headers for securing websites (Cheat Sheet)TheSmartScanner
LogoSecurityTrails | 6 Tips to harden your HTTP Security Headerssecuritytrails
LogoCheatSheetSeries/Content_Security_Policy_Cheat_Sheet.md at master · OWASP/CheatSheetSeriesGitHub
LogoHTTP Security Headers | Administration Guidefortinet
LogoSecurity headers quick referenceweb.dev
LogoHardening Your HTTP Security Headers - KeyCDNKeyCDN
LogoHardening Server Security By Implementing Security HeadersHardening Server Security By Implementing Security Headers
LogoHTTP security headers: An easy way to harden your web applications | InvictiInvicti
LogoHTTP Security Headers and How They Work: White paper | InvictiInvicti
LogoWhat is directory traversal, and how to prevent it? | Web Security AcademyWebSecAcademy
LogoOWASP API Security Top 10 API7:2019 Security Misconfiguration with ExampleLearning Resources for Application Security and Penetration Testing
LogoOWASP API Security Top 10 API3:2019 Excessive Data Exposure with ExampleLearning Resources for Application Security and Penetration Testing
LogoInformation disclosure vulnerabilities | Web Security AcademyWebSecAcademy
LogoA06 Vulnerable and Outdated Components - OWASP Top 10:2021