injection attacks

Unproperly sanitized input results in ability for attacker to get out from data context into command context. It results in injection attacks: SQL, XML/XXE, HTML/XSS, JS, CSS, XPath, …
Correct processing of user-input:

  • user-input checks must be done on server-side
  • Validation: no blacklists, “accept known good” (in particular cases: type conversions (to numbers, dates))
  • technology specified (e.g. precompiled expressions)

  • work with user’s files - harmful (use separate environment, disable execution, etc.)
  • serialization/deserialization user’s input - harmful
  • how to enable macros functionality? - very accurate filtration, anyway no reliability
network security

There is a lot of information channels ourdays: usb, ethernet, wifi, gsm, NFC, RFID, etc.

  • binary/reverse

    RCE (Remote Code Execution) - ability to execute code (any language: bash, PS, python, php, …) remotely.
    OS-commanding - an attack technique used for unauthorized execution of operating system commands (e.g. bash RCE).

  • cryptography
  • personal security - personal security: encryption, anonymity, fingerprinting, …
  • random notes (phpinfo LFI -> RCE)
  • default-passwords.json

How you can use this resource: sometimes you will find explanations or theory other times just use text search.

Other’s awesome cheatsheets


Links intresting for normal users

The only valid measurement of code quality: WTFs/minute

  • CADT - the new programming paradigm
  • - comics
  • SNMP - Security is Not My Problem