# Links for AppSec
Jan 6, 2022
For OCLUG meeting

## OWASP

Main site
- https://owasp.org/

Cheatsheets
- https://cheatsheetseries.owasp.org/index.html
- Web (some of)
  - https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- Languages
  - https://cheatsheetseries.owasp.org/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html
  - https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html
    - "The single greatest risk is a compromise of the third party JavaScript server, and the injection of malicious JavaScript into the original tag JavaScript. This has happened in 2018 and likely earlier."
    - "Typical defenses include, but are not restricted to: in-house script mirroring (to prevent alterations by 3rd parties), sub-resource integrity (to enable browser-level interception) and secure transmission of the third-party code (to prevent modifications while in-transit). See below for more details."


## SANS
- https://www.sans.org/
- https://isc.sans.edu/podcast.html
  - Daily, short
- https://holidayhackchallenge.com/2021/
  - puzzles to solve!
  - Discord for chatting about the puzzles


## Reddit
- https://www.reddit.com/r/netsec/
