OWASP
diff --git a/‎.github/workflows/pr.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/pr.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.lycheeignore
Lines changed: 4 additions & 0 deletions b/‎.lycheeignore
Lines changed: 4 additions & 0 deletions
diff --git a/‎.wordlist.txt
Lines changed: 10 additions & 0 deletions b/‎.wordlist.txt
Lines changed: 10 additions & 0 deletions
diff --git a/‎_data/draft.yaml
Lines changed: 2 additions & 2 deletions b/‎_data/draft.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎_data/release.yaml
Lines changed: 2 additions & 2 deletions b/‎_data/release.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎draft/02-toc.md
Lines changed: 2 additions & 2 deletions b/‎draft/02-toc.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎draft/04-foundations/01-security-fundamentals.md
Lines changed: 55 additions & 4 deletions b/‎draft/04-foundations/01-security-fundamentals.md
Lines changed: 55 additions & 4 deletions
diff --git a/‎draft/04-foundations/02-secure-development.md
Lines changed: 8 additions & 6 deletions b/‎draft/04-foundations/02-secure-development.md
Lines changed: 8 additions & 6 deletions
diff --git a/‎draft/04-foundations/03-security-principles.md
Lines changed: 9 additions & 9 deletions b/‎draft/04-foundations/03-security-principles.md
Lines changed: 9 additions & 9 deletions
diff --git a/‎draft/04-foundations/04-crypto-principles.md
Lines changed: 26 additions & 20 deletions b/‎draft/04-foundations/04-crypto-principles.md
Lines changed: 26 additions & 20 deletions
@@ -47,7 +47,7 @@ jobs:
         uses: actions/[email protected]
 
       - name: spell_checker
-        uses: rojopolis/spellcheck-github-actions@0.38.0
+        uses: rojopolis/spellcheck-github-actions@0.40.0
 
   export_draft:
     name: Export epub and pdf (Draft)
 
@@ -27,3 +27,7 @@ www-project-developer-guide/assets/images/
 
 # Google drive tends to need permissions that the link checker does not have
 https://drive.google.com/
+
+# TMP: SamuraiWTF sites seem to be down :TMP
+https://www.samurai-wtf.org/
+https://www.samuraiwtf.org/
@@ -484,3 +484,13 @@ SAFEcode
 Ecommerce
 crs
 Matteo
+Laravel
+Symfony
+DoS
+IDOR
+GraphQL
+Microservices
+OAuth
+OpenID
+Multifactor
+XXE
@@ -151,8 +151,8 @@ docs:
 - title: '6.1.1 Web Security Testing Guide'
   url: verification/guides/web_security_testing_guide
 
-- title: '6.1.2 Mobile Application Security'
-  url: verification/guides/mobile_application_security
+- title: '6.1.2 MAS Testing Guide'
+  url: verification/guides/mas_testing_guide
 
 - title: '6.1.3 Application Security Verification Standard'
   url: verification/guides/application_security_verification_standard
 
@@ -178,8 +178,8 @@ docs:
 - title: '6.1.1 Web Security Testing Guide'
   url: verification/guides/web_security_testing_guide
 
-- title: '6.1.2 Mobile Application Security'
-  url: verification/guides/mobile_application_security
+- title: '6.1.2 MAS Testing Guide'
+  url: verification/guides/mas_testing_guide
 
 - title: '6.1.3 Application Security Verification Standard'
   url: verification/guides/application_security_verification_standard
 
@@ -68,8 +68,8 @@ permalink:
 
 6 **[Verification](#verification)**  
 6.1 [Guides](#verification-guides)  
-6.1.1 [Web Security Testing Guide](#web-security-testing Guide)  
-6.1.2 [Mobile Application Security](#mobile-application-security)  
+6.1.1 [Web Security Testing Guide](#web-security-testing-guide)  
+6.1.2 [MAS Testing Guide](#mas-testing-guide)  
 6.1.3 [Application Security Verification Standard](#application-security-verification-standard)  
 6.2 [Tools](#verification-tools)  
 6.2.1 [Zed Attack Proxy](#zed-attack-proxy)  
 
@@ -53,20 +53,20 @@ but also on the protection of the services that provide access to the data, for
 
 #### AAA
 
-CIA is often extended with Authentication, Authorization and Auditing as these are closely linked to CIA concepts.
+The CIA triad is often extended with Authentication, Authorization and Auditing as these are closely linked to CIA concepts.
 CIA has a strong dependency on Authentication and Authorization;
 the confidentiality and integrity of sensitive data can not be assured without them.
 Auditing is added as it can provide the mechanism to ensure proof of any interaction with the system.
 
 #### Authentication
 
-Authentication is about confirming the identity of the entity that wants to interact with a secure system.
+[Authentication][csauthn] is about confirming the identity of the entity that wants to interact with a secure system.
 For example the entity could be an automated client or a human actor;
 in either case authentication is required for a secure application.
 
 #### Authorization
 
-Authorization is about specifying access rights to secure resources (data, services, files, applications, etc).
+[Authorization][csauthz] is about specifying access rights to secure resources (data, services, files, applications, etc).
 These rights describe the privileges or access levels related to the resources that are being secured.
 Authorization is usually preceded by successful authentication.
 
@@ -80,7 +80,7 @@ The typical questions that are answered by auditing are "Who did What, When and
 
 #### Software Assurance Maturity Model
 
-The OWASP Software Assurance Maturity Model [(SAMM)][samm] provides a good context for the scope of software security,
+The OWASP Software Assurance Maturity Model ([SAMM][samm]) provides a good context for the scope of software security,
 and the foundations of SAMM rely on the security concepts in this section.
 The SAMM model describes the five fundamentals of software security, which it calls Business Functions:
 
@@ -103,11 +103,62 @@ Each of these five fundamentals are further split into three Business Practices:
 Each Business Practice is further subdivided into two streams,
 and the sections in the Developer Guide reference at least one of the Business Functions or Practices in SAMM.
 
+#### Vulnerabilities
+
+NIST defines a [vulnerability][definevuln] as 'Weakness in an information system, system security procedures,
+internal controls, or implementation that could be exploited or triggered by a threat source.'
+
+There are many weaknesses or bugs in every large application, but the term vulnerability is generally reserved
+for those weaknesses or bugs where there is a risk that a threat actor could exploit it using a threat vector.
+
+Well known security vulnerabilities are :
+
+* [Clickjacking][csclick]
+* [Credential Stuffing][cscreds]
+* [Cross-site leaks][csxsleaks]
+* [Denial of Service][csdos] (DoS) attacks
+* DOM based [XSS attacks][csdom] including [DOM Clobbering][csdomclub]
+* [IDOR][csidor] (Insecure Direct Object Reference)
+* [Injection][csinjection] including [OS Command injection][csosinjection] and [XXE][csxxe]
+* LDAP specific [injection attacks][csldap]
+* [Prototype pollution][csproto]
+* [SSRF][csssrf] attacks
+* [SQL injection][cssql] and the use of [Query Parameterization][csquery]
+* [Unvalidated redirects and forwards][csredirect]
+* [XSS attacks][csxss] and [XSS Filter Evasion][csxssevade]
+
+#### References
+
+* OWASP [Cheat Sheet Series][cheatsheets]
+* OWASP [Software Assurance Maturity Model][samm] (SAMM)
+
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0401] or [edit on GitHub][edit0401].
 
+[cheatsheets]: https://cheatsheetseries.owasp.org/
+[csclick]: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet
+[cscreds]: https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet
+[csdom]: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet
+[csdomclub]: https://cheatsheetseries.owasp.org/cheatsheets/DOM_Clobbering_Prevention_Cheat_Sheet
+[csdos]: https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet
+[csidor]: https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet
+[csinjection]: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet
+[csosinjection]: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet
+[csldap]: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet
+[csproto]: https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet
+[csauthn]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet
+[csauthz]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet
+[csredirect]: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
+[cssql]: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet
+[csquery]: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet
+[csssrf]:  https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet
+[csxss]: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet
+[csxsleaks]: https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet
+[csxssevade]: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet
+[csxxe]: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet
+[definevuln]: https://csrc.nist.gov/glossary/term/vulnerability
 [issue0401]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/01-security-fundamentals
 [edit0401]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/04-foundations/01-security-fundamentals.md
 [samm]: https://owaspsamm.org/about/
 
@@ -78,8 +78,8 @@ There are many OWASP tools and resources to help build security into the SDLC.
     a high degree of confidence that the application or system will be reasonably secure.
     OWASP provides two libraries that can be incorporated in web applications,
     the [Enterprise Security API (ESAPI)][esapi-project] security control library
-    and [CSRFGuard][csrfguard] to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks,
-    that help implement these proactive controls. In addition the OWASP [Cheat Sheet Series][cheatproject]
+    and [CSRFGuard][csrfguard] to mitigate the risk of [Cross-Site Request Forgery][cscsrf] (CSRF) attacks,
+    that help implement these proactive controls. In addition the OWASP [Cheat Sheet Series][csproject]
     is a valuable source of information and advice on all aspects of applications security.
 
 * **Verification**: OWASP provides a relatively large number of projects that help with testing and verification.
@@ -106,7 +106,7 @@ There are many OWASP tools and resources to help build security into the SDLC.
     and there have been several high profile of products being successfully exploited.
     A Software Bill of Materials (SBOM) is the first step in avoiding these attacks and
     it is well worth using the OWASP [CycloneDX][cyclone] full-stack Bill of Materials (BOM) standard
-    for risk reduction in the supply chain.
+    for [risk reduction in the supply chain][cschain].
     In addition the OWASP [Dependency-Track][deptrack] project is a Continuous SBOM Analysis Platform
     which can help prevent these supply chain exploits by providing control of the SBOM.
 
@@ -126,7 +126,7 @@ There are many OWASP tools and resources to help build security into the SDLC.
 
 #### Further reading from OWASP
 
-* [Cheat Sheet Series][cheatproject]
+* [Cheat Sheet Series][csproject]
 * [Cornucopia][cornucopia]
 * [CycloneDX][cyclone] Bill of Materials (BOM) standard
 * [DevSecOps Guideline][devsecops]
@@ -176,10 +176,12 @@ then [submit an issue][issue0402] or [edit on GitHub][edit0402].
 [amass]: https://owasp.org/www-project-amass/
 [apisec]: https://owasp.org/API-Security
 [asvs]: https://owasp.org/www-project-application-security-verification-standard/
-[cheatproject]: https://owasp.org/www-project-cheat-sheets/
+[champions]: https://owasp.org/www-project-security-champions-guidebook/
 [cornucopia]: https://owasp.org/www-project-cornucopia/
+[cschain]: https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security
+[cscsrf]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet
+[csproject]: https://owasp.org/www-project-cheat-sheets/
 [csrfguard]: https://owasp.org/www-project-csrfguard/
-[champions]: https://owasp.org/www-project-security-champions-guidebook/
 [culture]: https://owasp.org/www-project-security-culture/
 [cyclone]: https://owasp.org/www-project-cyclonedx/
 [depcheck]: https://owasp.org/www-project-dependency-check/
 
@@ -16,7 +16,7 @@ permalink: /draft/foundations/security_principles/
 
 This section is a very brief introduction to some concepts used within the software security domain,
 as these may not be familiar to many application developers.
-The OWASP [Cheat Sheet Series][cheatproject] provides more in depth explanations for these security principles,
+The OWASP [Cheat Sheet Series][csproject] provides more in depth explanations for these security principles,
 see the further reading at the end of this section.
 
 #### Overview
@@ -28,7 +28,7 @@ will also need this understanding to implement secure applications.
 
 #### No security guarantee
 
-One of the most important principles of software security is that **no** application or system is totally
+One of the most important principles of software security is that no application or system is totally
 100% guaranteed to be secure from all attacks. This may seem an unusually pessimistic starting point
 but it is merely acknowledging the real world; given enough time and enough resources any system can be compromised.
 The goal of software security is not '100% secure' but to make it hard enough and the rewards small enough
@@ -143,26 +143,26 @@ and also should have security patches available.
 In addition components developed within the open source community have the further benefit of 'many eyes'
 and are therefore likely to be even more secure.
 
-#### Further reading
+#### References
 
 * OWASP Cheat Sheet series
-  * [Authentication Cheat Sheet][ancs]
-  * [Authorization_Cheat_Sheet][azcs]
+  * [Authentication Cheat Sheet][csauthn]
+  * [Authorization Cheat Sheet][csauthz]
   * [Secure Product Design Cheat Sheet][spdcs]
 
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0403] or [edit on GitHub][edit0403].
 
-[ancs]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
-[azcs]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
-[cheatproject]: https://owasp.org/www-project-cheat-sheets/
+[csauthn]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet
+[csauthz]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet
+[csproject]: https://owasp.org/www-project-cheat-sheets/
 [did]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html#2-the-principle-of-defense-in-depth
 [issue0403]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/03-security-principles
 [elp]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html#enforce-least-privileges
 [edit0403]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/04-foundations/03-security-principles.md
 [sop]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html#1-the-principle-of-least-privilege-and-separation-of-duties
-[spdcs]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html
+[spdcs]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet
 
 \newpage
@@ -15,7 +15,7 @@ permalink: /draft/foundations/crypto_principles/
 ### 2.4 Principles of cryptography
 
 Cryptography is fundamental to the Confidentiality and Integrity of applications and systems.
-The OWASP [Cheat Sheet][cheatproject] series describes the use of cryptography and some of these are
+The OWASP [Cheat Sheet][csproject] series describes the use of cryptography and some of these are
 listed in the further reading at the end of this section.
 
 #### Overview
@@ -56,15 +56,18 @@ Cryptographic hashes (secure, one way hashes) to prevent passwords from disclosu
 
 #### Authentication
 
-Authentication is the process of verifying a claim that a subject is who it says it is
+[Authentication][csauthn] is the process of verifying a claim that a subject is who it says it is
 via some provided corroborating evidence.
 Cryptography is central to authentication:
 
 1. to protect the provided corroborating evidence (for example hashing of passwords for subsequent storage)
 2. in authentication protocols often use cryptography to either directly authenticate entities
     or to exchange credentials in a secure manner
 3. to verify the identity one or both parties in exchanging messages,
-    for example identity verification within Transport Layer Security (TLS)
+    for example identity verification within [Transport Layer Security][tls] (TLS)
+
+OpenID Connect is widely used as an identity layer on top of the OAuth 2.0 protocol,
+see the [OAuth 2.0 Protocol][csoauth] Cheat Sheet.
 
 #### Integrity
 
@@ -179,7 +182,7 @@ which is only used for the duration of the encrypted communication.
 This random session key is then encrypted using an asymmetric cipher and the recipient's private key.
 The plaintext data itself is encrypted with the session key.
 Then the entire bundle (encrypted session key and encrypted message) is all sent together.
-Both TLS and S/MIME are common cryptosystems using hybrid cryptography.
+Both [TLS][tls] and S/MIME are common cryptosystems using hybrid cryptography.
 
 #### Digital signature
 
@@ -234,31 +237,34 @@ Key Agreement protocols are protocols whereby N parties (usually two) can agree
 with all parties contributing to the key value.
 These protocols prevent adversaries from learning the key or forcing their own key choice on the participating parties.
 
-#### Further reading
+#### References
 
 * OWASP Cheat Sheet series
-  * [Authentication Cheat Sheet][ancs]
-  * [Authorization_Cheat_Sheet][csaz]
-  * [Cryptographic Storage Cheat Sheet][cscs]
-  * [Key Management Cheat Sheet][kmcs]
-  * [SAML Security Cheat Sheet][sscs]
-  * [Secure Product Design Cheat Sheet][spdcs]
-  * [User Privacy Protection Cheat Sheet][uppcs]
+  * [Authentication][csauthn]
+  * [Authorization][csauthz]
+  * [Cryptographic Storage][cscs]
+  * [Key Management][kmcs]
+  * [OAuth 2.0 Protocol][csoauth]
+  * [SAML Security][sscs]
+  * [Secure Product Design][spdcs]
+  * [User Privacy Protection][uppcs]
 
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0404] or [edit on GitHub][edit0404].
 
-[ancs]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
-[csaz]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
-[cheatproject]: https://owasp.org/www-project-cheat-sheets/
-[cscs]: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+[csauthn]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet
+[csauthz]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet
+[csoauth]: https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Cheat_Sheet
+[csproject]: https://owasp.org/www-project-cheat-sheets/
+[cscs]: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet
 [issue0404]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-foundations/04-crypto-principles
-[kmcs]: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+[kmcs]: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet
 [edit0404]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/04-foundations/04-crypto-principles.md
-[sscs]: https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html
-[spdcs]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html
-[uppcs]: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html
+[sscs]: https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet
+[spdcs]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet
+[tls]: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet
+[uppcs]: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet
 
 \newpage