Overview

Resources

Learning Resources for Application Security and Penetration TestingLearning Resources for Application Security and Penetration Testing

Introduction - OWASP Cheat Sheet Series

Vulnerabilities | OWASP Foundation

Learn by doing

Pick a Vulnerability to Learn AboutHacksplaining

TryHackMe | OWASP Top 10TryHackMe

All learning materials | Web Security AcademyWebSecAcademy

Certification syllabus. The exam will cover the following topics

Input Validation Mechanisms

Input Validation - OWASP Cheat Sheet Series

• Blacklisting

• Whitelisting

----------------------------------------------------------------

Cross-Site Scripting / XSS

Cross Site Scripting Prevention - OWASP Cheat Sheet Series

What is cross-site scripting (XSS) and how to prevent it? | Web Security AcademyWebSecAcademy

How to prevent XSS | Web Security AcademyWebSecAcademy

Protecting Your Users Against Cross-site ScriptingHacksplaining

Protecting Your Users Against Reflected XSSHacksplaining

----------------------------------------------------------------

SQL Injection / SQLi

https://owasp.org/Top10/A03_2021-Injection/

https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

https://www.hacksplaining.com/prevention/sql-injection

https://blogs.appsecworld.com/2022/12/owasp-api-security-top-10-api8-2019-injection.html

----------------------------------------------------------------

XML External Entity attack / XXE

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

XML External Entity (XXE) Vulnerability - Part 1 (XML Basics)Learning Resources for Application Security and Penetration Testing

XML External Entity (XXE) Vulnerability - Part 2 (XXE Basics)Learning Resources for Application Security and Penetration Testing

XML External Entity (XXE) Vulnerability - Part 3 (Local DTD Enumeration)Learning Resources for Application Security and Penetration Testing

----------------------------------------------------------------

Cross-Site Request Forgery / CSRF / XSRF

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-7.0

Protecting Your Users Against CSRFHacksplaining

----------------------------------------------------------------

Encoding, Encryption and Hashing

----------------------------------------------------------------

Authentication related Vulnerabilities

https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

https://blogs.appsecworld.com/2022/11/owasp-api-top-10-api2-2019-broken-user-authentication.html

• Brute force Attacks

• Password Storage and Password Policy

----------------------------------------------------------------

Understanding of OWASP Top 10 Vulnerabilities

TryHackMe | OWASP Top 10TryHackMe

Learning Resources for Application Security and Penetration TestingLearning Resources for Application Security and Penetration Testing

OWASP API Security Top 10

Index Top 10 - OWASP Cheat Sheet Series

OWASP Top 10 Vulnerabilities Cheat SheetCheatography

What Is OWASP and What Are OWASP Top 10 for Web/API/Mobile?Bright Security

----------------------------------------------------------------

Security Best Practices and Hardening Mechanisms.

Checkout hacksplaining/prevention stuff on the other topics and owasp prevention pages.

The 8 HTTP Security Headers Best Practices | GlobalDotsGlobalDots

HTTP Headers - OWASP Cheat Sheet Series

HTTP Security Headers and Precautionary Measures for Websites

Security Headers - How to enable them to prevent attacksCrashtest Security

HTTP Security Headers - A Complete GuideNull Sweep

Hardening security with HTTP security headers - SAML Single Sign On

How HTTP security headers can help harden web applicationsSC Media

Complete guide to HTTP Headers for securing websites (Cheat Sheet)TheSmartScanner

SecurityTrails | 6 Tips to harden your HTTP Security Headerssecuritytrails

CheatSheetSeries/Content_Security_Policy_Cheat_Sheet.md at master · OWASP/CheatSheetSeriesGitHub

HTTP Security Headers | Administration Guidefortinet

Security headers quick referenceweb.dev

Hardening Your HTTP Security Headers - KeyCDNKeyCDN

Hardening Server Security By Implementing Security HeadersHardening Server Security By Implementing Security Headers

HTTP security headers: An easy way to harden your web applications | InvictiInvicti

HTTP Security Headers and How They Work: White paper | InvictiInvicti

• Same Origin Policy

• Security Headers.

----------------------------------------------------------------

TLS security

• TLS Certificate Misconfiguration

• Symmetric and Asymmetric Ciphers

----------------------------------------------------------------

Server-Side Request Forgery

https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

https://www.hacksplaining.com/prevention/ssrf

https://hideandsec.sh/books/web-03c/page/ssrf-series

----------------------------------------------------------------

Authorization and Session Management related flaws

https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

https://blogs.appsecworld.com/2022/11/owasp-api-security-top-10-api5-2019-broken-function-level-authorization.html

https://secops.group/blog/exploiting-idors-a-compilation-of-some-neat-new-and-crazy-examples/

• Insecure Direct Object Reference (IDOR) / BOLA

• Privilege Escalation

• Parameter Manipulation attacks

• Securing Cookies.

----------------------------------------------------------------

Insecure File Uploads

https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html

https://www.hacksplaining.com/prevention/file-upload

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

----------------------------------------------------------------

Code Injection Vulnerabilities

https://portswigger.net/research/server-side-template-injection

Not code injection, but similar topic https://www.hacksplaining.com/prevention/command-execution

----------------------------------------------------------------

Business Logic Flaws

----------------------------------------------------------------

Directory Traversal Vulnerabilities

What is directory traversal, and how to prevent it? | Web Security AcademyWebSecAcademy

----------------------------------------------------------------

Security Misconfigurations.

OWASP API Security Top 10 API7:2019 Security Misconfiguration with ExampleLearning Resources for Application Security and Penetration Testing

----------------------------------------------------------------

Information Disclosure.

OWASP API Security Top 10 API3:2019 Excessive Data Exposure with ExampleLearning Resources for Application Security and Penetration Testing

Information disclosure vulnerabilities | Web Security AcademyWebSecAcademy

----------------------------------------------------------------

Vulnerable and Outdated Components.

A06 Vulnerable and Outdated Components - OWASP Top 10:2021

----------------------------------------------------------------

Common Supply Chain Attacks and Prevention Methods.