From 660da5c8ba4b339ebe4491d79f5061a9eaaca383 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Thu, 9 Sep 2021 21:40:41 +0200 Subject: [PATCH 01/31] feat: extend website --- .gitignore | 3 + 2021/docs/0x00-notice.md | 5 +- 2021/docs/A00-about-owasp.md | 4 +- ...an_AppSec_program_with_the_OWASP_Top_10.md | 4 +- ...w_to_use_the_OWASP_Top_10_as_a_standard.md | 2 + 2021/docs/A00_2021_Introduction.md | 4 +- 2021/docs/assets/OWASP-logo-tm.jpg | Bin 0 -> 3924 bytes 2021/docs/assets/OWASP-logo.svg | 60 ++++++++++++++++++ 2021/docs/index.md | 9 ++- 2021/docs/stylesheets/extra.css | 3 + 2021/includes/abbreviations.md | 12 ++++ 2021/mkdocs.yml | 59 +++++++++++++++-- 2021/overrides/main.html | 22 +++++++ Makefile | 6 +- markdown-link-check-config.json | 33 ---------- mkdocs.yml | 51 --------------- requirements.txt | 1 + 17 files changed, 177 insertions(+), 101 deletions(-) create mode 100644 2021/docs/assets/OWASP-logo-tm.jpg create mode 100644 2021/docs/assets/OWASP-logo.svg create mode 100644 2021/docs/stylesheets/extra.css create mode 100644 2021/includes/abbreviations.md create mode 100644 2021/overrides/main.html delete mode 100644 markdown-link-check-config.json delete mode 100644 mkdocs.yml diff --git a/.gitignore b/.gitignore index b80531c9f..cc2150326 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,6 @@ $RECYCLE.BIN/ # Visio autosave temporary files *.~vsd* 2017/pt-pt/.vscode/settings.json + +# MkDocs generated website +2021/site diff --git a/2021/docs/0x00-notice.md b/2021/docs/0x00-notice.md index 83fabe241..cd7a35604 100644 --- a/2021/docs/0x00-notice.md +++ b/2021/docs/0x00-notice.md 
@@ -1,8 +1,7 @@ # DRAFT -## DO NOT USE THIS UNTIL IT'S DONE! - -This is a draft. Do not use this version. The presence of an Axx does not mean it's going to be in the final or the ordering of the final version. +!!! warning "DO NOT USE THIS UNTIL IT'S DONE!" + This is a draft. Do not use this version. The presence of an Axx does not mean it's going to be in the final or the ordering of the final version. ## Current status diff --git a/2021/docs/A00-about-owasp.md b/2021/docs/A00-about-owasp.md index a426bcd50..b25e83917 100644 --- a/2021/docs/A00-about-owasp.md +++ b/2021/docs/A00-about-owasp.md @@ -32,4 +32,6 @@ Come join us! ![license](assets/license.png) -Copyright © 2003-2021 The OWASP&tm; Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. +Copyright © 2003-2021 The OWASP Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work. + +--8<-- "includes/abbreviations.md" diff --git a/2021/docs/A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.md b/2021/docs/A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.md index baccaf761..6a9410e0e 100644 --- a/2021/docs/A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.md +++ b/2021/docs/A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10.md @@ -1,4 +1,4 @@ -# How to start an AppSec Program with the OWASP Top 10 +# How to start an AppSec Program with the OWASP Top 10 Previously, the OWASP Top 10 was never designed to be the basis for an AppSec program. However, it's essential to start somewhere for many 
@@ -113,3 +113,5 @@ going if we're ever going to get on top of appsec vulnerabilities. limited impact, do something different. Just because we've done testing like desk checks since the 1970s doesn't mean it's a good idea. Measure, evaluate, and then build or improve. + +--8<-- "includes/abbreviations.md" diff --git a/2021/docs/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.md b/2021/docs/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.md index adb83b2d9..496cef13b 100644 --- a/2021/docs/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.md +++ b/2021/docs/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard.md @@ -45,3 +45,5 @@ comprehensively detect, test, or protect against the OWASP Top 10 due to the nature of several of the OWASP Top 10 risks, with reference to A04:2021-Insecure Design. OWASP discourages any claims of full coverage of the OWASP Top 10, because it’s simply untrue. + +--8<-- "includes/abbreviations.md" diff --git a/2021/docs/A00_2021_Introduction.md b/2021/docs/A00_2021_Introduction.md index a9638d331..9c41cde2f 100644 --- a/2021/docs/A00_2021_Introduction.md +++ b/2021/docs/A00_2021_Introduction.md @@ -10,7 +10,7 @@ A huge thank you to everyone that contributed their time and data for this itera There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021. -![license](assets/mapping.png) +![mapping](assets/mapping.png) - **A01:2021-Broken Access Control** moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category. - **A02:2021-Cryptographic Failures** shifts up one position to #2, previously known as Sensitive Data Exposure, which was broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography which often leads to sensitive data exposure or system compromise. 
@@ -111,3 +111,5 @@ The following organizations (along with some anonymous donors) kindly donated da - Sqreen - Veracode - WhiteHat (NTT) + +--8<-- "includes/abbreviations.md" 
diff --git a/2021/docs/assets/OWASP-logo-tm.jpg b/2021/docs/assets/OWASP-logo-tm.jpg new file mode 100644 index 0000000000000000000000000000000000000000..7e249f60980befd99641d2b81656ce4d841ac5fd GIT binary patch literal 3924 zcmbW3c{mhY-^XVdVXR}jg@$Z{L0J-FFcmXn7-lSGNxE$#BW5Cm6p{)t#yWO0W2}*V zsk@R}W655Y5+Or)%9cu=?)!e9>w5lruj_rk=X0Gue&_tY=lj<==itr3dw@8`8f^^# z0s#QvuK_ri2Al@)^6>n{FM)o+C&0%C0`Yt$xxQNdoeTkbLFPfk~}=41QoZiHOs``Pj&KV zncl%6^>L`mn27n&s`df{1DIdyAl<b28l!!5gxjhoi` zIx*#Qa)YSrn}uE*M}`%Qc9q){@5*_Z%5U`gGkA-JF1*@_d-BaWu*fq@(r}U+n9#Ni zrA6wN?V^=UJ}>=jD{0?o*-gAa9__52<@0#P(&$?=x@8{i*IBlEf4n5xdAkVXC!5s< zn;HuQqlB_*=ynMU{uxA-B8z?@MGc{e1e>*o8(wz11UsIoiab&;hi7SxlPr*bndPif zd&KewYS5Gd`Up`1z6ucW7O*_}AC%QLW}~Ivvd#~Ta=r7IB@=RZc7~A2nW{*Y`9j46 zaU@~4SLLB&GHx=sjg{ z;cfGF;2I0dod~PbHZ!s$lZ)p8v9TA^P7S87;JhbQ0O9u;Z!BX;hFS6$@dpX2fXwoX zz)zsqdghIDU$>_-kki3-FL&>0^HFeUF7dDm_Ay!+SC=4Bz-j#p; z#HIz@J^kd&BmcJyv-u_~qR26rF`-}h=n%>r1vWNzSUp@);NRlA)o{fDZa^$?C*StQ z*o zCOjZxP+>mTEVb5ULZtO-zlV*BJXj%_zuZ-1Ax38*XWEIPn%ezRij7k}U>SXr2eoC0 z;#;KOlLq(8cdd{{U2hgTZ!<>Td_IB!klL#>m;K~$7wbn0c$*`si>m6F%SI_v-!@s! z?z-zNW_X%e>RnmUK2yZ=0XWoE!rtn~(_U4%Lu2_8dvDekuv9{2Mk}eU+kRvv1tv1^ zFsgYOTH!{f!RltwpDvoq^QO!7=uM}#;9DfiT*h}Xf<$S}(9im87i={rx=#NF=V53e zcM(xfEf!Bu`Ukjtip#?eY*SEyenvzY*CyMoqQqQ()XU`=uD8Y>4qam+#K1A&R<4{* zY~b5^I3|3LO~dOvVU9e~k_%wqXk>BA&*4D@ActSk~I`5lXvubySC*r!iUJ-2d} z`O@N33yyq=QJ>~a!8VNQ6OE#-p${qZ%{_zLSB`?CW;%3*BDGYr6h-Wti!#U()vptp2P5 z+mUr+c{i7&!=Xn}VH%E4@lG_=`zVsm+|#mlMY{^uI{z2TY?rZ3YBs=DAD^P?Q}v8L zyP3?OMaSJqtjnKhQ42mhvSswVaV=0GV~-GG5{xl9VQPb94t?-3nr*gn+*n)#rUa)f z&bk_XrZIk6we{%JF#&xfQTi90y(0c0mH!D5*fThEPO_A2! 
zQ$$Q84*q6(*I!@5cg)-#*-3?}a9Bbgp5ectQ<5Ypd9Z$8OpRa$*(+a4gy*hguYXfGc= z063ucRfc4gP9z)!{0$Hp?c%GD{cdq(zDH6IZXe43RvDdn0N`LfCSC{jyX;IeC=DxM zV&8@QTjt%5h$>r3cd83dxCJi4T!T91vO+c87+Unr_?9%?IajaT)4jYuZmYEjcAfj( zVW$XNqO(w06)@0c8*_Lw0^=B&n7+oDv;658m*-ewyw!gh@+dYx!4y~`{Tp{w`NGFq zDwd%E2a_<}WqkE9hCKE3vCVhiU<=ugK5*K`2P|StL~IQOmLkVv#$e{SI!k>Ngto)2Pr=L>c6V;# z;mxEI6`GuV&n8u4`nI-F2rKRMn77G#iOhIQ&7<@AflVUH6Pfsr>O9U4RRi7xLKU>i zwbUA?B^ihCS54rX?RhX9KHF>u9}R>jE}FaMR^SG;$+h9W+Mw3Y(D+rP-6twE$tIwDP&6uJd$_IbJHxIhzG->G zWd6$n{}O^B_^L$XnBrDWhj>UR@UeIT&)KqO;PgR`~#c z>L<)frQ91hfAYxbb3txI@?=Hpg}Po&nT1Wi#vYT$#*Yru`k@6IJ`KD=rUt$0JE5n$ zN|6{WHl7~P(1fE8gF#o7ZV9NoGxeP<4fi|%MB;U?XC)rHz#fq!IDK~L>$j!Ab8T%^ zzfkC~ek+922id#TbDQ04QyaCT%qfQc<_^Wjz_w1@gPfHSWw?A;>tYlnBlV5uA9hb1 z;bW_LRJe0FuFqMM8X(#?h;Gk5AIaa4(U>8ycSkhJT>tLTJ_BwCC-g^-WF0rg7GhRO}^eT{|e@0a33aw3D*ZkN)aDKn3faf|Q!iuTkE zfOnwGLuy;$sFv5_%g`=ek$x=6%vWjnYa)YiIAD5z$n}1Z=aezXe_oE zz(a9ehIfm`Zi^=vCTe0_0QT;#`Nm5A#&J1d2b6i}s+4p0YS@?Wi4#UO-=l)ClP<|* z7w4rxM-xMo*kgh9A`K+20h2U+f3jOFxwGrFEt|-E;3U)T^UPW2TzjsXqImo;7E|~m z;VPjh!UtBeWc=}VY>#?a0aa--EDOtgY4ZG*!scao#5t<8n`uh1_8n_vJj z59?(lP~dMA(39#~`e~ej<1_tL%LMy}UwDS*rH+@gVI?350rL;p0^ss@u7c;&PoBEA zOwkC-1{dZ%dK;qDe4VP%qyU*+$+S|uT9_=(!dyFAbIQEUk89}0u%8J_x>L|xrN83T z=2d6b5zi_6O6AniqmHZSrEL=|w>I3_+>FOHU{B5zKRkHwxLJ5o1Jqu@=0$Jrx4B&T%#?r@JKe(&nP2>J`U7D{jlz)r!cO zgqVGpSPNWeaw$dmO8)xm6kU{@dEa0t_tJQ> zAAW6Ds?d3$;dQd%`yIlnR_JNgrD{tT=3s>FMDXF2nAbHywP|OO@%>YzI!VffvU#VX z_r>3ep_DNwsyRwc0{OQ5j%X5Io>A3&^ literal 0 HcmV?d00001 diff --git a/2021/docs/assets/OWASP-logo.svg b/2021/docs/assets/OWASP-logo.svg new file mode 100644 index 000000000..e3aaac084 --- /dev/null +++ b/2021/docs/assets/OWASP-logo.svg @@ -0,0 +1,60 @@ + +image/svg+xmlTM + \ No newline at end of file diff --git a/2021/docs/index.md b/2021/docs/index.md index 71842b618..1819de7b9 100644 --- a/2021/docs/index.md +++ b/2021/docs/index.md 
@@ -6,14 +6,14 @@ infographic you can print or obtain from our home page. A huge thank you to everyone that contributed their time and data for this iteration. Without you, this installment would not happen. **THANK -YOU**. +YOU!** :pray: ## What's changed in the Top 10 for 2021 There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021. -Mapping of the relationship between the Top 10 2017 and the new Top 10 2021 +Mapping of the relationship between the Top 10 2017 and the new Top 10 2021 **A01:2021-Broken Access Control** moves up from the fifth position; 94% of applications were tested for some form of broken access control. The @@ -297,7 +297,7 @@ isn't any overlap. However, conceptually, there can be overlap or interactions based on the higher-level naming. Venn diagrams are many times used to show overlap like this. -Diagram Description automatically generated +Diagram Description automatically generated The Venn diagram above represents the interactions between the Top Ten 2017 risk categories. While doing so, a couple of essential points @@ -335,3 +335,6 @@ would not be possible. | AppSec Labs | GitLab | Micro Focus | Sqreen | | Cobalt.io | HackerOne | PenTest-Tools | Veracode | | Contrast Security | HCL Technologies | Probely | WhiteHat (NTT) | + + +--8<-- "includes/abbreviations.md" diff --git a/2021/docs/stylesheets/extra.css b/2021/docs/stylesheets/extra.css new file mode 100644 index 000000000..70f917509 --- /dev/null +++ b/2021/docs/stylesheets/extra.css @@ -0,0 +1,3 @@ +:root { + --md-text-font-family: Segoe UI,Frutiger,Frutiger Linotype,Dejavu Sans,Helvetica Neue,-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif; +} diff --git a/2021/includes/abbreviations.md b/2021/includes/abbreviations.md new file mode 100644 index 000000000..a17093698 --- /dev/null +++ b/2021/includes/abbreviations.md 
@@ -0,0 +1,12 @@ +*[W3C]: World Wide Web Consortium +*[CVE]: Common Vulnerabilities and Exposures +*[CWE]: Common Weakness Enumeration +*[XXE]: XML External Entity +*[XSS]: Cross Site Scripting +*[CVSS]: Common Vulnerability Scoring System +*[CSRF]: Cross Site Request Forgery +*[NVD]: National Vulnerability Database +*[GDPR]: General Data Protection Regulation +*[ASVS]: Application Security Verification Standard +*[QA]: Quality Assurance +*[CSP]: Content Security Policy diff --git a/2021/mkdocs.yml b/2021/mkdocs.yml index 52996f7df..85ddf4e69 100644 --- a/2021/mkdocs.yml +++ b/2021/mkdocs.yml @@ -6,9 +6,55 @@ copyright: © Copyright 2021 - OWASP Top 10 team - This work is licensed under a docs_dir: docs theme: name: material - language: en + custom_dir: overrides + favicon: assets/OWASP-logo.svg + logo: assets/OWASP-logo.svg + font: false features: - navigation.sections + - navigation.tracking + - navigation.top + - search.suggest + - search.highlight + - search.share + palette: + - media: "(prefers-color-scheme: dark)" + scheme: default + toggle: + icon: material/weather-night + name: Switch to dark mode + - media: "(prefers-color-scheme: light)" + scheme: slate + toggle: + icon: material/weather-sunny + name: Switch to light mode + +extra_css: + - stylesheets/extra.css + +extra: + social: + - icon: fontawesome/brands/github + link: https://github.com/OWASP/Top10/ + - icon: fontawesome/brands/twitter + link: https://twitter.com/owasp + - icon: fontawesome/brands/linkedin + link: https://www.linkedin.com/company/owasp/ + - icon: fontawesome/brands/youtube + link: https://www.youtube.com/user/owaspglobal + +markdown_extensions: + - abbr + - pymdownx.snippets + - admonition + - pymdownx.highlight + - pymdownx.superfences + - footnotes + - toc: + permalink: ⚓︎ + - pymdownx.emoji: + emoji_index: !!python/name:materialx.emoji.twemoji + emoji_generator: !!python/name:materialx.emoji.to_svg nav: - Home: index.md 
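Review bot: The two `media:` queries in the new `palette:` list are swapped: `(prefers-color-scheme: dark)` is paired with `scheme: default` (the light scheme) and `(prefers-color-scheme: light)` with `scheme: slate` (the dark scheme), so visitors get the opposite of their OS preference on first load. The toggle labels already match their schemes, so only the two media values need to change: `- media: "(prefers-color-scheme: light)"` on the `default` entry and `- media: "(prefers-color-scheme: dark)"` on the `slate` entry. The `!!python/name:` tags on the emoji extension are the documented mkdocs-material form, but they are also the reason this file must only ever be parsed by mkdocs itself and never fed to a generic YAML loader in some future tooling step.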
@@ -31,6 +77,8 @@ nav: - Next Steps: 'A11_2021-Next_Steps.md' plugins: + - search + - git-revision-date - i18n: default_language: en languages: @@ -40,14 +88,15 @@ plugins: nav_translations: fr: Home: Page d'accueil - About: À propos + About OWASP: À propos de l'OWASP How to use the OWASP Top 10 as a standard: Comment utiliser le Top 10 OWASP comme standard How to start an AppSec program with the OWASP Top 10: Comment démarrer un programme AppSec avec le Top 10 OWASP Top 10 List: Liste top 10 - A01 Broken Access Control: A01 Contrôle d'accès cassé + Next Steps: Prochaines étapes it: - About: Riguardo ad OWASP + About OWASP: Riguardo ad OWASP + Introduction: Introduzione How to use the OWASP Top 10 as a standard: Come utilizzare l'OWASP Top 10 come standard How to start an AppSec program with the OWASP Top 10: Come avviare un programma AppSec con OWASP Top 10 Top 10 List: Lista top 10 - A01 Broken Access Control: A01 Controllo accessi rotto + Next Steps: Passi successivi diff --git a/2021/overrides/main.html b/2021/overrides/main.html new file mode 100644 index 000000000..5855cc04b --- /dev/null +++ b/2021/overrides/main.html @@ -0,0 +1,22 @@ +{% extends "base.html" %} + +{% block announce %} + + + This is a draft. Do not use this version. The presence of an Axx does not mean it's going to be in the final or the ordering of the final version. + +{% endblock %} diff --git a/Makefile b/Makefile index be2d4ae66..e455a05cb 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ .PHONY: help -.SILENT: +.SILENT: help: @grep -E '^[a-zA-Z_-]+:.*?# .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?# "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 
@@ -8,7 +8,7 @@ install-python-requirements: # Install Python 3 required libraries python3 -m pip install -r requirements.txt generate-site: # Use custom-script to generate the website - (cd scripts && bash Generate_Site_mkDocs.sh) + (cd 2021 && mkdocs build) serve: # Start's a Python http.server on port 8000 serving the content of ./generated/site - python3 -m http.server -d generated/site + (cd 2021 && mkdocs serve) diff --git a/markdown-link-check-config.json b/markdown-link-check-config.json deleted file mode 100644 index fcd15d16e..000000000 --- a/markdown-link-check-config.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "ignorePatterns": [ - { - "pattern": "^bundle.zip" - }, - { - "pattern": "^News.xml" - }, - { - "pattern": "^/" - }, - { - "pattern": "vincent.bernat.im" - }, - { - "pattern": "developer.android.com" - }, - { - "pattern": "csrc.nist.gov" - }, - { - "pattern": "www.exploit-db.com" - } - ], - "httpHeaders": [ - { - "urls": ["https://", "http://"], - "headers": { - "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" - } - } - ] -} diff --git a/mkdocs.yml b/mkdocs.yml deleted file mode 100644 index 7312e3688..000000000 --- a/mkdocs.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Project information -site_name: OWASP Top 10 -site_url: https://owasp.org/Top10 -site_description: OWASP Top 10 2021 Draft -# Repository -repo_name: OWASP/Top10 -repo_url: https://github.com/OWASP/Top10 -edit_uri: "" - -# Copyright -copyright: © Copyright 2021 - OWASP Top 10 team - This work is licensed under a Creative Commons Attribution 3.0 Unported License. - -#Config -docs_dir: 2021/docs -google_analytics: - - !!python/object/apply:os.getenv ["WORKFLOW_GOOGLE_ANALYTICS_KEY", "none"] - - auto -use_directory_urls: false -plugins: - - search: - # prebuild_index: true - lang: - - en -#For read the docs -# theme: -# name: readthedocs -# custom_dir: custom_theme/ -# highlightjs: true -# sticky_navigation: false -# markdown_extensions: -# - pymdownx.emoji: -# emoji_index: !!python/name:pymdownx.emoji.twemoji -# emoji_generator: !!python/name:pymdownx.emoji.to_alt -# - toc: -# permalink: true - -#For material -theme: - name: material - custom_dir: custom_theme/ - favicon: assets/WebSite_Favicon.png - logo: "assets/OWASP_Logo_Transp.png" -markdown_extensions: - - pymdownx.highlight - - pymdownx.superfences # Required by Pygments - - pymdownx.inlinehilite - - pymdownx.emoji: - emoji_index: !!python/name:pymdownx.emoji.twemoji - emoji_generator: !!python/name:pymdownx.emoji.to_svg - - toc: - permalink: true diff --git a/requirements.txt b/requirements.txt index 041c9865c..196e91255 100644 --- a/requirements.txt +++ b/requirements.txt @@ -6,3 +6,4 @@ mkdocs-material pymdown-extensions Pygments mkdocs-static-i18n +mkdocs-git-revision-date-plugin From 15191eaacbcbd66cb35898a2cef212a3463bde7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Thu, 9 Sep 2021 21:46:49 +0200 Subject: [PATCH 02/31] chore: add deploy action --- .github/workflows/deploy.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/deploy.yml 
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 000000000..e3cea7f46 --- /dev/null +++ b/.github/workflows/deploy.yml @@ -0,0 +1,21 @@ +name: Build and Deploy +on: + push: + branches: + - 'master' + - 'main' +jobs: + build-and-deploy: + runs-on: ubuntu-latest + steps: + - name: Checkout 🛎️ + uses: actions/checkout@v2.3.1 + - name: Install and Build + run: | + make install-python-requirements + make generate-site + - name: Deploy + uses: JamesIves/github-pages-deploy-action@4.1.5 + with: + branch: gh-pages + folder: 2021/site From fc40a6b39e6a4a1f504e2a45c4f1e24d16263493 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Thu, 9 Sep 2021 21:50:00 +0200 Subject: [PATCH 03/31] chore: use python 3 --- .github/workflows/deploy.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e3cea7f46..55a6590ce 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -8,6 +8,9 @@ jobs: build-and-deploy: runs-on: ubuntu-latest steps: + - uses: actions/setup-python@v2 + with: + python-version: '3.9' - name: Checkout 🛎️ uses: actions/checkout@v2.3.1 - name: Install and Build From adb5dc2d0d64b00ef36aa05aa11fed3133058eaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Thu, 9 Sep 2021 21:54:31 +0200 Subject: [PATCH 04/31] fix: visibility of Axx --- 2021/overrides/main.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2021/overrides/main.html b/2021/overrides/main.html index 5855cc04b..a0be033ec 100644 --- a/2021/overrides/main.html +++ b/2021/overrides/main.html 
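Review bot: The new workflow declares no `permissions:` block, so the deploy job runs with the repository's default GITHUB_TOKEN scope although the only write it needs is the push to `gh-pages`; add `permissions:` with `contents: write` at the job level and nothing broader. The third-party actions are referenced by mutable tags (`actions/checkout@v2.3.1`, `JamesIves/github-pages-deploy-action@4.1.5`); for a workflow that publishes the public site, pin them to full commit SHAs with the tag in a trailing comment so a retagged release cannot change what runs. Separately, `actions/checkout` defaults to a depth-1 clone and the `git-revision-date` plugin enabled in `2021/mkdocs.yml` presumably derives page dates from git history, so every published date may collapse to the deploy commit unless `fetch-depth: 0` is set — confirm against the plugin's documentation.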
@@ -17,6 +17,6 @@ } - This is a draft. Do not use this version. The presence of an Axx does not mean it's going to be in the final or the ordering of the final version. + This is a draft. Do not use this version. The presence of an Axx does not mean it's going to be in the final or the ordering of the final version. {% endblock %} From 56727cb0612bc047f5b04deef9fc59b41c1e0da7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Mon, 13 Sep 2021 20:13:24 +0200 Subject: [PATCH 05/31] chore: check links --- .github/workflows/deploy.yml | 2 +- .github/workflows/test.yml | 18 ++++++++++++++++++ Makefile | 12 +++++++++--- requirements-test.txt | 1 + 4 files changed, 29 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/test.yml create mode 100644 requirements-test.txt diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 55a6590ce..db588e944 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -11,7 +11,7 @@ jobs: - uses: actions/setup-python@v2 with: python-version: '3.9' - - name: Checkout 🛎️ + - name: Checkout uses: actions/checkout@v2.3.1 - name: Install and Build run: | diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 000000000..6d47d9bc1 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,18 @@ +name: Test +on: [push, pull_request] +jobs: + build-and-deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/setup-python@v2 + with: + python-version: '3.9' + - name: Checkout + uses: actions/checkout@v2.3.1 + - name: Install and Build + run: | + make install-python-requirements + make install-python-requirements-test + make generate-site + - name: Links validation + run: make check-links diff --git a/Makefile b/Makefile index e455a05cb..7f7ed78ec 100644 --- a/Makefile +++ b/Makefile 
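Review bot: `test.yml` also runs without a `permissions:` block; since it only builds the site and checks links it should declare `permissions:` with `contents: read` so pull-request runs never hold a write-capable token. `on: [push, pull_request]` runs the same checks twice for every pull request opened from a branch of this repository; restricting `push` to the default branches, as `deploy.yml` already does, avoids the duplicate run. The job name `build-and-deploy` describes nothing this workflow does and will mislead anyone scanning the Actions tab.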
@@ -5,10 +5,16 @@ help: @grep -E '^[a-zA-Z_-]+:.*?# .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?# "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' install-python-requirements: # Install Python 3 required libraries - python3 -m pip install -r requirements.txt + python -m pip install -r requirements.txt -generate-site: # Use custom-script to generate the website +install-python-requirements-test: # Install Python 3 required libraries + python -m pip install -r requirements-test.txt + +generate-site: # Builds ./2021 (cd 2021 && mkdocs build) -serve: # Start's a Python http.server on port 8000 serving the content of ./generated/site +serve: # Build and hot-reloads ./2021 (cd 2021 && mkdocs serve) + +check-links: # Checks for dead links + python -m linkcheckmd -r 2021 diff --git a/requirements-test.txt b/requirements-test.txt new file mode 100644 index 000000000..da3b7f244 --- /dev/null +++ b/requirements-test.txt @@ -0,0 +1 @@ +linkcheckmd From eda25cc3347d705ced1928f097d1790859d1f4ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Mon, 13 Sep 2021 20:13:39 +0200 Subject: [PATCH 06/31] fix: dead links --- .../A09_2021-Security_Logging_and_Monitoring_Failures.md | 5 +---- 2021/docs/index.md | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/2021/docs/A09_2021-Security_Logging_and_Monitoring_Failures.md b/2021/docs/A09_2021-Security_Logging_and_Monitoring_Failures.md index 4ae75a8cf..1cb33c60c 100644 --- a/2021/docs/A09_2021-Security_Logging_and_Monitoring_Failures.md +++ b/2021/docs/A09_2021-Security_Logging_and_Monitoring_Failures.md @@ -19,7 +19,7 @@ Insufficient Logging* to include *CWE-117 Improper Output Neutralization for Logs*, *CWE-223 Omission of Security-relevant Information*, and *CWE-532* *Insertion of Sensitive Information into Log File*. -## Description +## Description Returning to the OWASP Top 10 2021, this category is to help detect, escalate, and respond to active breaches. Without logging and 
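Review bot: Switching the interpreter from `python3` to `python` in `install-python-requirements` and the new targets regresses on hosts where `python` is absent or still resolves to Python 2, while the target comment continues to say "Install Python 3 required libraries". A `PYTHON ?= python3` variable near the top of the Makefile, used as `$(PYTHON) -m pip install -r requirements.txt`, keeps the default correct and lets CI override it. The comment on `install-python-requirements-test` is a copy of the one above it; `# Install Python 3 libraries needed only by the link checker` would tell `make help` readers why the second target exists.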
@@ -113,9 +113,6 @@ result by the privacy regulator. - [OWASP Application Security Verification Standard: V8 Logging and Monitoring](https://owasp.org/www-project-application-security-verification-standard) -- [OWASP Testing Guide: Testing for Detailed Error - Code](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code) - - [OWASP Cheat Sheet: Logging](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html) diff --git a/2021/docs/index.md b/2021/docs/index.md index 1819de7b9..a787c2c91 100644 --- a/2021/docs/index.md +++ b/2021/docs/index.md @@ -239,7 +239,7 @@ us, both project and OWASP. On the [OWASP Project page](https://owasp.org/www-project-top-ten/#div-data_2020), we list the data elements and structure we are looking for and how to submit them. In the [GitHub -project](https://github.com/OWASP/Top10/tree/master/2020/Data), we have +project](https://github.com/OWASP/Top10/tree/master/2021/Data), we have example files that serve as templates. We work with organizations as needed to help figure out the structure and mapping to CWEs. From d7cebda4199815efcc11546f09b502e8082ebfa6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Mon, 13 Sep 2021 20:51:06 +0200 Subject: [PATCH 07/31] chore: remove gitignored file --- 2021/site/0x00-notice/index.html | 723 ------------------------------- 1 file changed, 723 deletions(-) delete mode 100644 2021/site/0x00-notice/index.html diff --git a/2021/site/0x00-notice/index.html b/2021/site/0x00-notice/index.html deleted file mode 100644 index 1ce5937bf..000000000 --- a/2021/site/0x00-notice/index.html +++ /dev/null @@ -1,723 +0,0 @@ - - - - - - - - - - - - - - - - - - - Notice - OWASP Top 10:2021 (DRAFT FOR PEER REVIEW) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
- -
- -
- -
- - - - -
-
- - - -
-
-
- - - - -
-
-
- - - -
-
-
- - -
-
-
- - -
-
- - - - - - - -

DRAFT

-

DO NOT USE THIS UNTIL IT'S DONE!

-

This is a draft. Do not use this version. The presence of an Axx does not mean it's going to be in the final or the ordering of the final version.

-

Current status

-

Taking comments on this draft, and preparing the graphic refresh in time for the official release on OWASP's 20th Anniversary.

-

Lead Authors

- -

Contributors

-
    -
  • Orange Tsai, Author of A10-2021: Server Side Request Forgery
  • -
  • Jim Manico and Jakub Maćkowski - OWASP CheatSheets Coordination
  • -
-

How you can help

-

At this stage, we are asking for

-
    -
  • Data scientists - please peer review our analysis
  • -
  • Web designers - we need to make a mobile friendly version
  • -
  • Translators - please review the English text to make sure it's translatable
  • -
  • ASVS, Testing Guide, and Code Review Guide leadership - please use our data and help us link our documents and standards together
  • -
-

Log issues and pull requests

-

Please log any corrections or issues:

- - - - - - - - -
-
-
- -
- - - - -
-
-
-
- - - - - - - - \ No newline at end of file From 126fa2cf1c5bae0b7b5d019ff56b39393655fb7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Thu, 16 Sep 2021 22:09:16 +0200 Subject: [PATCH 08/31] chore: change name --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6d47d9bc1..272d0cdde 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,7 +1,7 @@ name: Test on: [push, pull_request] jobs: - build-and-deploy: + test: runs-on: ubuntu-latest steps: - uses: actions/setup-python@v2 From d989eed59a76ab3f0763b5d00b59827eb503a2c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Wed, 29 Sep 2021 23:58:59 +0200 Subject: [PATCH 09/31] fix: include abbrevieation at the end of file --- 2021/docs/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/2021/docs/index.md b/2021/docs/index.md index 5c2655f92..768ae7047 100644 --- a/2021/docs/index.md +++ b/2021/docs/index.md @@ -118,5 +118,6 @@ The OWASP Top 10 2021 team gratefully acknowledge the financial support of Secur | Cobalt.io | HackerOne | PenTest-Tools | Veracode | | Contrast Security | HCL Technologies | Probely | WhiteHat (NTT) | ---8<-- "includes/abbreviations.md" [![Secure Code Warrior](assets/securecodewarrior.png)](https://securecodewarrior.com)] + +--8<-- "includes/abbreviations.md" From 013782e024edfe13f68607a74208097c1e58d5c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Thu, 30 Sep 2021 00:17:57 +0200 Subject: [PATCH 10/31] fix: remove duplicate key --- 2021/mkdocs.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/2021/mkdocs.yml b/2021/mkdocs.yml index 7e15bac80..4c41fe173 100644 --- a/2021/mkdocs.yml +++ b/2021/mkdocs.yml @@ -46,6 +46,7 @@ extra: markdown_extensions: - abbr + - attr_list - pymdownx.snippets - admonition - pymdownx.highlight 
@@ -77,9 +78,6 @@ nav: - A10 Server Side Request Forgery (SSRF): 'A10_2021-Server-Side_Request_Forgery_(SSRF).md' - Next Steps: 'A11_2021-Next_Steps.md' -markdown_extensions: - - attr_list - plugins: - search - git-revision-date From b2f2d3d7221a0b97c94af5530637e522c5c2fd90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Tue, 5 Oct 2021 12:10:07 +0200 Subject: [PATCH 11/31] Update test.yml --- .github/workflows/test.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 272d0cdde..d2cca75b1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,7 +1,20 @@ name: Test on: [push, pull_request] jobs: - test: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/setup-python@v2 + with: + python-version: '3.9' + - name: Checkout + uses: actions/checkout@v2.3.1 + - name: Install and Build + run: | + make install-python-requirements + make install-python-requirements-test + make generate-site + check-links: runs-on: ubuntu-latest steps: - uses: actions/setup-python@v2 From e7725835f9f64e097b66dce9e37dc0dbb5204698 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Tue, 19 Apr 2022 21:41:34 +0200 Subject: [PATCH 12/31] feat: remove notice --- 2021/overrides/main.html | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/2021/overrides/main.html b/2021/overrides/main.html index a0be033ec..94d9808cc 100644 --- a/2021/overrides/main.html +++ b/2021/overrides/main.html @@ -1,22 +1 @@ {% extends "base.html" %} - -{% block announce %} - - - This is a draft. Do not use this version. The presence of an Axx does not mean it's going to be in the final or the ordering of the final version. - -{% endblock %} From 9fcc365550dc978fa16898bf94811ff91afb054c Mon Sep 17 00:00:00 2001 
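Review bot: The new `build` job runs `make install-python-requirements-test` although nothing in that job uses the test requirements; only `check-links` (whose steps continue outside the hunk) needs `linkcheckmd`, so drop that line from `build` to keep its installed surface minimal. Both jobs now repeat the same setup-python, checkout and install steps and will drift apart; a `needs: build` on `check-links`, or a shared setup via a reusable workflow, would report a broken build once instead of twice. As with the earlier version of this file, a `permissions:` block with `contents: read` is still missing.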
From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Tue, 19 Apr 2022 21:51:18 +0200 Subject: [PATCH 13/31] chore: allow venvs --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index c8752f874..8ff1cbdc5 100644 --- a/.gitignore +++ b/.gitignore @@ -76,3 +76,6 @@ $RECYCLE.BIN/ # Pipenv Pipfile + +env +venv From a950e2aa2bcc58b92e6eade20f8c9b9f1e66d1ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Tue, 19 Apr 2022 21:51:30 +0200 Subject: [PATCH 14/31] chore: fix deps --- requirements-test.txt | 2 +- requirements.txt | 17 ++++++++--------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/requirements-test.txt b/requirements-test.txt index da3b7f244..6a524050b 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -1 +1 @@ -linkcheckmd +linkcheckmd==1.4.0 diff --git a/requirements.txt b/requirements.txt index 196e91255..2ea0ef7a3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,9 +1,8 @@ -requests -feedgen -wheel -mkdocs -mkdocs-material -pymdown-extensions -Pygments -mkdocs-static-i18n -mkdocs-git-revision-date-plugin +requests==2.27.1 +feedgen==0.9.0 +mkdocs==1.3.0 +mkdocs-material==8.2.9 +pymdown-extensions==9.3 +Pygments==2.11.2 +mkdocs-static-i18n==0.44 +mkdocs-git-revision-date-plugin==0.3.2 From a9cc677303788de89f8a30927456304c4a1f758a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alessandro=20Pezz=C3=A8?= Date: Tue, 19 Apr 2022 21:58:23 +0200 Subject: [PATCH 15/31] docs: update installation/test docs --- 2021/README.md | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/2021/README.md b/2021/README.md index c74625d49..44b266904 100644 --- a/2021/README.md +++ b/2021/README.md 
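Review bot: Pinning exact versions in `requirements.txt` and `requirements-test.txt` is the right direction, but `pip install` still trusts whatever the index serves for those versions, and the deploy workflow installs these packages and then publishes the site; generate the files with hashes (for example `pip-compile --generate-hashes`) and install with `pip install --require-hashes -r requirements.txt` so a replaced artifact fails the build instead of shipping. `wheel` was dropped from the list; if any remaining package is published only as an sdist that is where the install will first break, so confirm a clean install in CI. Exact pins also freeze security fixes, so pair them with Dependabot or a scheduled `pip-audit` run so the pins move deliberately rather than never.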
@@ -1,32 +1,35 @@ -OWASP Top 10 2021 - -Final Release +# OWASP Top 10 2021 ## Building a local copy -- Install Python 3 for your platform -- From the main folder, ... +Make sure Python 3 is installed. Optionally create a virtual environment. -```bash +```sh +# Install dependencies make install-python-requirements ``` +```sh +# Build HTML +make generate-site +# Browse /2021/site +``` + ### Test it locally -You should test your changes locally: +Alternatively you can spin up a hot-reloading server: -```bash -cd 2021 -mkdocs serve +```sh +make serve ``` Once you are happy, check in your changes as a branch / PR and let someone on the main team know. We'll review your changes, and merge and redeploy. -### Redeploy to gh-pages +### Deploy to gh-pages This only works if you have commit privileges on master and Git is correctly setup in your environment. -```bash +```sh cd 2021 mkdocs gh-deploy ``` From 424a966e10eb198cc683247529cfae064ae6019e Mon Sep 17 00:00:00 2001 From: Naramsim Date: Sun, 13 Jul 2025 17:09:31 +0200 Subject: [PATCH 16/31] fix deps --- 2021/requirements.txt | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/2021/requirements.txt b/2021/requirements.txt index 42ba73c42..99b202d29 100644 --- a/2021/requirements.txt +++ b/2021/requirements.txt @@ -1,11 +1,10 @@ -requests -feedgen -wheel -mkdocs -mkdocs-material -pymdown-extensions -Pygments -mkdocs-static-i18n[material] -mkdocs-macros-plugin -dacite +requests==2.27.1 +feedgen==0.9.0 +mkdocs==1.6.1 +mkdocs-material==9.6.15 +pymdown-extensions==10.16 +Pygments==2.19.2 +mkdocs-static-i18n[material]==1.3.0 +mkdocs-macros-plugin==1.3.7 +dacite==1.9.2 git+https://github.com/OWASP/OSIB.git#subdirectory=mkdocs_macro_osib_package From cfc6e48184320011751cc6db1de061463ecac1f7 Mon Sep 17 00:00:00 2001 
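Review bot: In the `2021/requirements.txt` hunk every PyPI package is now pinned with `==`, but the last line `git+https://github.com/OWASP/OSIB.git#subdirectory=mkdocs_macro_osib_package` still carries no ref, so each build installs whatever sits on that repository's default branch at the time — and this is the one dependency that executes as a MkDocs macro plugin during the build. Pin it to a commit, `git+https://github.com/OWASP/OSIB.git@<commit-sha-placeholder>#subdirectory=mkdocs_macro_osib_package`, and bump it deliberately. `requests==2.27.1` and `feedgen==0.9.0` are carried over unchanged from the 2022 pins while `mkdocs` moves to 1.6.1; to my knowledge `requests` has shipped security fixes since that release, so these two deserve the same refresh as the rest of the file.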
From: Naramsim Date: Sun, 13 Jul 2025 17:12:14 +0200 Subject: [PATCH 17/31] update to new i18n/mkdocs --- 2021/README.md | 18 +-- 2021/mkdocs.yml | 398 ++++++++++++++++++++++++------------------------ 2 files changed, 203 insertions(+), 213 deletions(-) diff --git a/2021/README.md b/2021/README.md index ccb458e00..212c3445e 100644 --- a/2021/README.md +++ b/2021/README.md @@ -4,32 +4,20 @@ Final Release ## Building a local copy -Make sure Python 3 is installed. Optionally create a virtual environment. +Make sure Python 3 is installed. Create a virtual environment. -```sh -# Install dependencies -make install-python-requirements -``` -### Prepare a local virtual environment to manage the versions of the required Python libraries for mkdocs - -```bash$ +```bash # build and activate venv cd 2021 python3 -m venv . source ./bin/activate -# install all required library versions pip install -r requirements.txt -# optionally verify if OWASP OSIB is in your pip list -pip list | grep osib ``` -You might need to use ```--break-system-packages``` with pip if it gives you an error. - -This installs all requirements including the (OSIB Macro)[https://github.com/OWASP/OSIB] ```sh # Build HTML -make generate-site +mkdocs build # Browse /2021/site ``` diff --git a/2021/mkdocs.yml b/2021/mkdocs.yml index e08ccb05a..ee864ebe9 100644 --- a/2021/mkdocs.yml +++ b/2021/mkdocs.yml @@ -18,7 +18,7 @@ theme: - search.suggest - search.highlight - search.share - - navigation.instant + # - navigation.instant @ Unsupported by the i18n engine palette: - media: "(prefers-color-scheme: dark)" scheme: default @@ -45,8 +45,9 @@ markdown_extensions: - toc: permalink: ⚓︎ - pymdownx.emoji: - emoji_index: !!python/name:materialx.emoji.twemoji - emoji_generator: !!python/name:materialx.emoji.to_svg + emoji_index: !!python/name:material.extensions.emoji.twemoji + emoji_generator: !!python/name:material.extensions.emoji.to_svg + nav: - Home: index.md 
@@ -76,6 +77,7 @@ plugins: docs_structure: folder material_alternate: true reconfigure_material: true + reconfigure_search: true languages: - locale: en default: true 
@@ -84,228 +86,228 @@ plugins: - locale: ar name: ar - العربية build: true + nav_translations: + Home: الصفحة الرئيسية + Notice: ملاحظات + Introduction: المقدمة + How to use the OWASP Top 10 as a standard: كيف تستخدم إطار أعلى عشرة مخاطر من أواسب كنموذج معياري. + How to start an AppSec program with the OWASP Top 10: كيف تبدأ امن التطبيقات مع أعلى عشرة مخاطر من أواسب + About OWASP: عن أواسب + Top 10:2021 List: قائمة اعلى عشرة مخاطر لعام 2021 + A01 Broken Access Control: A01 تخطي صلاحيات الوصول + A02 Cryptographic Failures: A02 فشل آلية التشفير + A03 Injection: A03 الحقن + A04 Insecure Design: A04 التصميم الغير آمن + A05 Security Misconfiguration: A05 الإعدادات الأمنية الخاطئة + A06 Vulnerable and Outdated Components: A06 الثغرات و المكونات الغير المحدثة + A07 Identification and Authentication Failures: A07 الهوية و فشل عملية التحقق + A08 Software and Data Integrity Failures: A08 فشل سلامة البيانات والبرمجيات + A09 Security Logging and Monitoring Failures: A09 فشل في تسجيل السجلات الأمنية والمراقبة + A10 Server Side Request Forgery (SSRF): A10 تزوير الطلبات من جانب الخادم SSRF + Next Steps: الخطوات المقبلة - locale: de name: de - Deutsch build: true + nav_translations: + Home: Startseite + Notice: Anmerkung + Introduction: Einführung + How to use the OWASP Top 10 as a standard: Wie man die OWASP Top 10 als Standard verwendet + How to start an AppSec program with the OWASP Top 10: Wie man ein AppSec-Program mit den OWASP Top 10 beginnt + About OWASP: Über OWASP + Top 10:2021 List: Liste der Top 10:2021 + A01 Broken Access Control: A01 - Mangelhafte Zugriffskontrolle + A02 Cryptographic Failures: A02 - Fehlerhafter Einsatz von Kryptographie + A03 Injection: A03 - Injection + A04 Insecure Design: A04 - Unsicheres Anwendungsdesign + A05 Security Misconfiguration: A05 - Sicherheitsrelevante Fehlkonfiguration + A06 Vulnerable and Outdated Components: A06 - Unsichere oder veraltete Komponenten + A07 Identification and Authentication Failures: A07 - Fehlerhafte 
Authentifizierung + A08 Software and Data Integrity Failures: A08 - Fehlerhafte Prüfung der Software- und Datenintegrität + A09 Security Logging and Monitoring Failures: A09 - Unzureichendes Logging und Sicherheitsmonitoring + A10 Server Side Request Forgery (SSRF): A10 - Server-Side Request Forgery (SSRF) + Next Steps: Nächste Schritte - locale: es name: es - Español build: true + nav_translations: + Home: Inicio + Notice: Notas + Introduction: Introducción + How to use the OWASP Top 10 as a standard: Cómo utilizar el OWASP Top 10 como un estándar + How to start an AppSec program with the OWASP Top 10: Cómo iniciar un programa de AppSec con el OWASP Top 10 + About OWASP: Acerca de OWASP + Top 10:2021 List: 'Top 10: Lista 2021' + A01 Broken Access Control: A01 Pérdida de Control de Acceso + A02 Cryptographic Failures: A02 Fallas Criptográficas + A03 Injection: A03 Inyección + A04 Insecure Design: A04 Diseño Inseguro + A05 Security Misconfiguration: A05 Configuración de Seguridad Incorrecta + A06 Vulnerable and Outdated Components: A06 Componentes Vulnerables y Desactualizados + A07 Identification and Authentication Failures: A07 Fallas de Identificación y Autenticación + A08 Software and Data Integrity Failures: A08 Fallas en el Software y en la Integridad de los Datos + A09 Security Logging and Monitoring Failures: A09 Fallas en el Registro y Monitoreo + A10 Server Side Request Forgery (SSRF): A10 Falsificación de Solicitud del Lado del Servidor (SSRF) + Next Steps: Próximos pasos - locale: fr name: fr - Français build: true + nav_translations: + Home: Page d'accueil + Notice: Note + Introduction: Introduction + How to use the OWASP Top 10 as a standard: Comment utiliser le Top 10 OWASP comme standard + How to start an AppSec program with the OWASP Top 10: Comment démarrer un programme SecApp avec l'OWASP Top 10 + About OWASP: À propos de l'OWASP + Top 10:2021 List: Liste top 10:2021 + A01 Broken Access Control: A01 Contrôles d'accès défaillants + A02 
Cryptographic Failures: A02 Défaillances cryptographiques + A03 Injection: A03 Injection + A04 Insecure Design: A04 Conception non sécurisée + A05 Security Misconfiguration: A05 Mauvaise configuration de sécurité + A06 Vulnerable and Outdated Components: A06 Composants vulnérables et obsolètes + A07 Identification and Authentication Failures: A07 Identification et authentification de mauvaise qualité + A08 Software and Data Integrity Failures: A08 Manque d'intégrité des données et du logiciel + A09 Security Logging and Monitoring Failures: A09 Carence des systèmes de contrôle et de journalisation + A10 Server Side Request Forgery (SSRF): A10 Falsification de requête côté serveur (SSRF) + Next Steps: Étapes suivantes - locale: id name: id - Indonesian build: true + nav_translations: + Home: Beranda + Notice: Pemberitahuan + Introduction: Pengenalan + How to use the OWASP Top 10 as a standard: Bagaimana cara menggunakan OWASP Top 10 sebagai sebuah standarisasi + How to start an AppSec program with the OWASP Top 10: Bagaimana cara untuk memulai program AppSec dengan OWASP Top 10 + About OWASP: Tentang OWASP + Top 10:2021 List: Daftar Top 10:2021 + A01 Broken Access Control: A01 Kerusakan Akses Kontrol + A02 Cryptographic Failures: A02 Kegagalan Kriptografi + A03 Injection: A03 Injeksi + A04 Insecure Design: A04 Insecure Design + A05 Security Misconfiguration: A05 Kesalahan Konfigurasi Keamanan + A06 Vulnerable and Outdated Components: A06 Komponen yang Rentan dan Kedaluwarsa + A07 Identification and Authentication Failures: A07 Kegagalan Identifikasi dan Otentikasi + A08 Software and Data Integrity Failures: A08 Kegagalan Integritas Data dan Perangkat Lunak + A09 Security Logging and Monitoring Failures: A09 Kegagalan dalam Keamanan Logging dan Monitoring + A10 Server Side Request Forgery (SSRF): A10 Server-Side Request Forgery (SSRF) + Next Steps: Langkah Selanjutnya - locale: it name: it - Italiano build: true + nav_translations: + Home: Home + Notice: Avvisi + 
Introduction: Introduzione + How to use the OWASP Top 10 as a standard: Come utilizzare la OWASP Top 10 come standard + How to start an AppSec program with the OWASP Top 10: Come avviare un programma di AppSec con la OWASP Top 10 + About OWASP: A proposito di OWASP + Top 10:2021 List: Lista top 10:2021 + A01 Broken Access Control: A01 Broken Access Control + A02 Cryptographic Failures: A02 Cryptographic Failures + A03 Injection: A03 Injection + A04 Insecure Design: A04 Insecure Design + A05 Security Misconfiguration: A05 Security Misconfiguration + A06 Vulnerable and Outdated Components: A06 Vulnerable and Outdated Components + A07 Identification and Authentication Failures: A07 Identification and Authentication Failures + A08 Software and Data Integrity Failures: A08 Software and Data Integrity Failures + A09 Security Logging and Monitoring Failures: A09 Security Logging and Monitoring Failures + A10 Server Side Request Forgery (SSRF): A10 Server Side Request Forgery (SSRF) + Next Steps: Prossimi passi - locale: ja name: ja - 日本語 build: true + nav_translations: + Home: ホーム + Notice: 注意事項 + Introduction: 導入 + How to use the OWASP Top 10 as a standard: OWASP Top 10 をスタンダードとして使うには + How to start an AppSec program with the OWASP Top 10: OWASP Top 10 を使ってアプリケーションセキュリティプログラムを始めるには + About OWASP: OWASPについて + Top 10:2021 List: Top 10:2021 一覧 + A01 Broken Access Control: A01 アクセス制御の不備 + A02 Cryptographic Failures: A02 暗号化の失敗 + A03 Injection: A03 インジェクション + A04 Insecure Design: A04 安全が確認されない不安な設計 + A05 Security Misconfiguration: A05 セキュリティの設定ミス + A06 Vulnerable and Outdated Components: A06 脆弱で古くなったコンポーネント + A07 Identification and Authentication Failures: A07 識別と認証の失敗 + A08 Software and Data Integrity Failures: A08 ソフトウェアとデータの整合性の不具合 + A09 Security Logging and Monitoring Failures: A09 セキュリティログとモニタリングの失敗 + A10 Server Side Request Forgery (SSRF): A10 サーバーサイドリクエストフォージェリ (SSRF) + Next Steps: Next Steps - locale: pt-BR name: pt-BR - Português (Brasil) build: true + 
nav_translations: + Home: Início + Notice: Notas + Introduction: Introdução + How to use the OWASP Top 10 as a standard: Como usar o OWASP Top 10 como padrão + How to start an AppSec program with the OWASP Top 10: Como iniciar um programa AppSec com o OWASP Top 10 + About OWASP: Sobre OWASP + Top 10:2021 List: Lista top 10:2021 + A01 Broken Access Control: A01 Quebra de Controle de Acesso + A02 Cryptographic Failures: A02 Falhas Criptográficas + A03 Injection: A03 Injeção + A04 Insecure Design: A04 Design Inseguro + A05 Security Misconfiguration: A05 Configuração Incorreta de Segurança + A06 Vulnerable and Outdated Components: A06 Componentes Vulneráveis e Desatualizados + A07 Identification and Authentication Failures: A07 Falhas de identificação e autenticação + A08 Software and Data Integrity Failures: A08 Falhas de Software e Integridade de Dados + A09 Security Logging and Monitoring Failures: A09 Falhas de registro e monitoramento de segurança + A10 Server Side Request Forgery (SSRF): A10 Falsificação de Solicitação do Lado do Servidor (SSRF) + Next Steps: Próximos passos - locale: zh-Hant name: zh-Hant - 简体中文 build: true + nav_translations: + Home: 首頁 + Notice: 注意事项 + Introduction: OWASP 2021 介紹 + How to use the OWASP Top 10 as a standard: 如何正确使用 OWASP Top 10 为标准 + How to start an AppSec program with the OWASP Top 10: 如何使用 OWASP Top 10 启动 AppSec + About OWASP: OWASP 相关 + Top 10:2021 List: Top 10:2021 名单 + A01 Broken Access Control: A01 权限控制失效 + A02 Cryptographic Failures: A02 加密机制失效 + A03 Injection: A03 注入式攻击 + A04 Insecure Design: A04 不安全设计 + A05 Security Misconfiguration: A05 安全设定缺陷 + A06 Vulnerable and Outdated Components: A06 危险或过旧的组件 + A07 Identification and Authentication Failures: A07 认证及体验机制失效 + A08 Software and Data Integrity Failures: A08 软体及资料完整性失效 + A09 Security Logging and Monitoring Failures: A09 安全记录及监控失效 + A10 Server Side Request Forgery (SSRF): A10 服务端请求伪造 + Next Steps: 下一步 - locale: zh-TW name: zh-TW - 繁體中文 build: true - nav_translations: - 
ar: - Home: الصفحة الرئيسية - Notice: ملاحظات - Introduction: المقدمة - How to use the OWASP Top 10 as a standard: كيف تستخدم إطار أعلى عشرة مخاطر من أواسب كنموذج معياري. - How to start an AppSec program with the OWASP Top 10: كيف تبدأ امن التطبيقات مع أعلى عشرة مخاطر من أواسب - About OWASP: عن أواسب - Top 10:2021 List: قائمة اعلى عشرة مخاطر لعام 2021 - A01 Broken Access Control: A01 تخطي صلاحيات الوصول - A02 Cryptographic Failures: A02 فشل آلية التشفير - A03 Injection: A03 الحقن - A04 Insecure Design: A04 التصميم الغير آمن - A05 Security Misconfiguration: A05 الإعدادات الأمنية الخاطئة - A06 Vulnerable and Outdated Components: A06 الثغرات و المكونات الغير المحدثة - A07 Identification and Authentication Failures: A07 الهوية و فشل عملية التحقق - A08 Software and Data Integrity Failures: A08 فشل سلامة البيانات والبرمجيات - A09 Security Logging and Monitoring Failures: A09 فشل في تسجيل السجلات الأمنية والمراقبة - A10 Server Side Request Forgery (SSRF): A10 تزوير الطلبات من جانب الخادم SSRF - Next Steps: الخطوات المقبلة - de: - Home: Startseite - Notice: Anmerkung - Introduction: Einführung - How to use the OWASP Top 10 as a standard: Wie man die OWASP Top 10 als Standard verwendet - How to start an AppSec program with the OWASP Top 10: Wie man ein AppSec-Program mit den OWASP Top 10 beginnt - About OWASP: Über OWASP - Top 10:2021 List: Liste der Top 10:2021 - A01 Broken Access Control: A01 - Mangelhafte Zugriffskontrolle - A02 Cryptographic Failures: A02 - Fehlerhafter Einsatz von Kryptographie - A03 Injection: A03 - Injection - A04 Insecure Design: A04 - Unsicheres Anwendungsdesign - A05 Security Misconfiguration: A05 - Sicherheitsrelevante Fehlkonfiguration - A06 Vulnerable and Outdated Components: A06 - Unsichere oder veraltete Komponenten - A07 Identification and Authentication Failures: A07 - Fehlerhafte Authentifizierung - A08 Software and Data Integrity Failures: A08 - Fehlerhafte Prüfung der Software- und Datenintegrität - A09 Security Logging and Monitoring 
Failures: A09 - Unzureichendes Logging und Sicherheitsmonitoring - A10 Server Side Request Forgery (SSRF): A10 - Server-Side Request Forgery (SSRF) - Next Steps: Nächste Schritte - es: - Home: Inicio - Notice: Notas - Introduction: Introducción - How to use the OWASP Top 10 as a standard: Cómo utilizar el OWASP Top 10 como un estándar - How to start an AppSec program with the OWASP Top 10: Cómo iniciar un programa de AppSec con el OWASP Top 10 - About OWASP: Acerca de OWASP - Top 10:2021 List: 'Top 10: Lista 2021' - A01 Broken Access Control: A01 Pérdida de Control de Acceso - A02 Cryptographic Failures: A02 Fallas Criptográficas - A03 Injection: A03 Inyección - A04 Insecure Design: A04 Diseño Inseguro - A05 Security Misconfiguration: A05 Configuración de Seguridad Incorrecta - A06 Vulnerable and Outdated Components: A06 Componentes Vulnerables y Desactualizados - A07 Identification and Authentication Failures: A07 Fallas de Identificación y Autenticación - A08 Software and Data Integrity Failures: A08 Fallas en el Software y en la Integridad de los Datos - A09 Security Logging and Monitoring Failures: A09 Fallas en el Registro y Monitoreo - A10 Server Side Request Forgery (SSRF): A10 Falsificación de Solicitud del Lado del Servidor (SSRF) - Next Steps: Próximos pasos - fr: - Home: Page d'accueil - Notice: Note - Introduction: Introduction - How to use the OWASP Top 10 as a standard: Comment utiliser le Top 10 OWASP comme standard - How to start an AppSec program with the OWASP Top 10: Comment démarrer un programme SecApp avec l'OWASP Top 10 - About OWASP: À propos de l'OWASP - Top 10:2021 List: Liste top 10:2021 - A01 Broken Access Control: A01 Contrôles d'accès défaillants - A02 Cryptographic Failures: A02 Défaillances cryptographiques - A03 Injection: A03 Injection - A04 Insecure Design: A04 Conception non sécurisée - A05 Security Misconfiguration: A05 Mauvaise configuration de sécurité - A06 Vulnerable and Outdated Components: A06 Composants vulnérables et 
obsolètes - A07 Identification and Authentication Failures: A07 Identification et authentification de mauvaise qualité - A08 Software and Data Integrity Failures: A08 Manque d'intégrité des données et du logiciel - A09 Security Logging and Monitoring Failures: A09 Carence des systèmes de contrôle et de journalisation - A10 Server Side Request Forgery (SSRF): A10 Falsification de requête côté serveur (SSRF) - Next Steps: Étapes suivantes - id: - Home: Beranda - Notice: Pemberitahuan - Introduction: Pengenalan - How to use the OWASP Top 10 as a standard: Bagaimana cara menggunakan OWASP Top 10 sebagai sebuah standarisasi - How to start an AppSec program with the OWASP Top 10: Bagaimana cara untuk memulai program AppSec dengan OWASP Top 10 - About OWASP: Tentang OWASP - Top 10:2021 List: Daftar Top 10:2021 - A01 Broken Access Control: A01 Kerusakan Akses Kontrol - A02 Cryptographic Failures: A02 Kegagalan Kriptografi - A03 Injection: A03 Injeksi - A04 Insecure Design: A04 Insecure Design - A05 Security Misconfiguration: A05 Kesalahan Konfigurasi Keamanan - A06 Vulnerable and Outdated Components: A06 Komponen yang Rentan dan Kedaluwarsa - A07 Identification and Authentication Failures: A07 Kegagalan Identifikasi dan Otentikasi - A08 Software and Data Integrity Failures: A08 Kegagalan Integritas Data dan Perangkat Lunak - A09 Security Logging and Monitoring Failures: A09 Kegagalan dalam Keamanan Logging dan Monitoring - A10 Server Side Request Forgery (SSRF): A10 Server-Side Request Forgery (SSRF) - Next Steps: Langkah Selanjutnya - it: - Home: Home - Notice: Avvisi - Introduction: Introduzione - How to use the OWASP Top 10 as a standard: Come utilizzare la OWASP Top 10 come standard - How to start an AppSec program with the OWASP Top 10: Come avviare un programma di AppSec con la OWASP Top 10 - About OWASP: A proposito di OWASP - Top 10:2021 List: Lista top 10:2021 - A01 Broken Access Control: A01 Broken Access Control - A02 Cryptographic Failures: A02 Cryptographic 
Failures - A03 Injection: A03 Injection - A04 Insecure Design: A04 Insecure Design - A05 Security Misconfiguration: A05 Security Misconfiguration - A06 Vulnerable and Outdated Components: A06 Vulnerable and Outdated Components - A07 Identification and Authentication Failures: A07 Identification and Authentication Failures - A08 Software and Data Integrity Failures: A08 Software and Data Integrity Failures - A09 Security Logging and Monitoring Failures: A09 Security Logging and Monitoring Failures - A10 Server Side Request Forgery (SSRF): A10 Server Side Request Forgery (SSRF) - Next Steps: Prossimi passi - ja: - Home: ホーム - Notice: 注意事項 - Introduction: 導入 - How to use the OWASP Top 10 as a standard: OWASP Top 10 をスタンダードとして使うには - How to start an AppSec program with the OWASP Top 10: OWASP Top 10 を使ってアプリケーションセキュリティプログラムを始めるには - About OWASP: OWASPについて - Top 10:2021 List: Top 10:2021 一覧 - A01 Broken Access Control: A01 アクセス制御の不備 - A02 Cryptographic Failures: A02 暗号化の失敗 - A03 Injection: A03 インジェクション - A04 Insecure Design: A04 安全が確認されない不安な設計 - A05 Security Misconfiguration: A05 セキュリティの設定ミス - A06 Vulnerable and Outdated Components: A06 脆弱で古くなったコンポーネント - A07 Identification and Authentication Failures: A07 識別と認証の失敗 - A08 Software and Data Integrity Failures: A08 ソフトウェアとデータの整合性の不具合 - A09 Security Logging and Monitoring Failures: A09 セキュリティログとモニタリングの失敗 - A10 Server Side Request Forgery (SSRF): A10 サーバーサイドリクエストフォージェリ (SSRF) - Next Steps: Next Steps - pt-BR: - Home: Início - Notice: Notas - Introduction: Introdução - How to use the OWASP Top 10 as a standard: Como usar o OWASP Top 10 como padrão - How to start an AppSec program with the OWASP Top 10: Como iniciar um programa AppSec com o OWASP Top 10 - About OWASP: Sobre OWASP - Top 10:2021 List: Lista top 10:2021 - A01 Broken Access Control: A01 Quebra de Controle de Acesso - A02 Cryptographic Failures: A02 Falhas Criptográficas - A03 Injection: A03 Injeção - A04 Insecure Design: A04 Design Inseguro - A05 Security 
Misconfiguration: A05 Configuração Incorreta de Segurança - A06 Vulnerable and Outdated Components: A06 Componentes Vulneráveis e Desatualizados - A07 Identification and Authentication Failures: A07 Falhas de identificação e autenticação - A08 Software and Data Integrity Failures: A08 Falhas de Software e Integridade de Dados - A09 Security Logging and Monitoring Failures: A09 Falhas de registro e monitoramento de segurança - A10 Server Side Request Forgery (SSRF): A10 Falsificação de Solicitação do Lado do Servidor (SSRF) - Next Steps: Próximos passos - zh-TW: - Home: 首頁 - Notice: 注意事項 - Introduction: OWASP 2021 介紹 - How to use the OWASP Top 10 as a standard: 如何正確使用 OWASP Top 10 為標準 - How to start an AppSec program with the OWASP Top 10: 如何使用 OWASP Top 10 啟動 AppSec - About OWASP: OWASP 相關 - Top 10:2021 List: Top 10:2021 名單 - A01 Broken Access Control: A01 權限控制失效 - A02 Cryptographic Failures: A02 加密機制失效 - A03 Injection: A03 注入式攻擊 - A04 Insecure Design: A04 不安全設計 - A05 Security Misconfiguration: A05 安全設定缺陷 - A06 Vulnerable and Outdated Components: A06 危險或過舊的元件 - A07 Identification and Authentication Failures: A07 認證及驗證機制失效 - A08 Software and Data Integrity Failures: A08 軟體及資料完整性失效 - A09 Security Logging and Monitoring Failures: A09 資安記錄及監控失效 - A10 Server Side Request Forgery (SSRF): A10 伺服端請求偽造 - Next Steps: 下一步 - zh-Hant: - Home: 首頁 - Notice: 注意事项 - Introduction: OWASP 2021 介紹 - How to use the OWASP Top 10 as a standard: 如何正确使用 OWASP Top 10 为标准 - How to start an AppSec program with the OWASP Top 10: 如何使用 OWASP Top 10 启动 AppSec - About OWASP: OWASP 相关 - Top 10:2021 List: Top 10:2021 名单 - A01 Broken Access Control: A01 权限控制失效 - A02 Cryptographic Failures: A02 加密机制失效 - A03 Injection: A03 注入式攻击 - A04 Insecure Design: A04 不安全设计 - A05 Security Misconfiguration: A05 安全设定缺陷 - A06 Vulnerable and Outdated Components: A06 危险或过旧的组件 - A07 Identification and Authentication Failures: A07 认证及体验机制失效 - A08 Software and Data Integrity Failures: A08 软体及资料完整性失效 - A09 Security Logging 
and Monitoring Failures: A09 安全记录及监控失效 - A10 Server Side Request Forgery (SSRF): A10 服务端请求伪造 - Next Steps: 下一步 - - macros: # needs to be the last plugin to export the final osib-YAML file for all languages + nav_translations: + Home: 首頁 + Notice: 注意事項 + Introduction: OWASP 2021 介紹 + How to use the OWASP Top 10 as a standard: 如何正確使用 OWASP Top 10 為標準 + How to start an AppSec program with the OWASP Top 10: 如何使用 OWASP Top 10 啟動 AppSec + About OWASP: OWASP 相關 + Top 10:2021 List: Top 10:2021 名單 + A01 Broken Access Control: A01 權限控制失效 + A02 Cryptographic Failures: A02 加密機制失效 + A03 Injection: A03 注入式攻擊 + A04 Insecure Design: A04 不安全設計 + A05 Security Misconfiguration: A05 安全設定缺陷 + A06 Vulnerable and Outdated Components: A06 危險或過舊的元件 + A07 Identification and Authentication Failures: A07 認證及驗證機制失效 + A08 Software and Data Integrity Failures: A08 軟體及資料完整性失效 + A09 Security Logging and Monitoring Failures: A09 資安記錄及監控失效 + A10 Server Side Request Forgery (SSRF): A10 伺服端請求偽造 + Next Steps: 下一步 + + - macros: # needs to be the last plugin to export the final osib-YAML file for all languages module_name: '../osib/osib_macro' include_dir: '../osib/include' - verbose: false # debug + verbose: false # debug on_error_fail: true extra: social: @@ -317,9 +319,9 @@ extra: link: https://www.linkedin.com/company/owasp/ - icon: fontawesome/brands/youtube link: https://www.youtube.com/user/owaspglobal - alternate: # see https://squidfunk.github.io/mkdocs-material/setup/changing-the-language/#site-language-selector + alternate: # see https://squidfunk.github.io/mkdocs-material/setup/changing-the-language/#site-language-selector - name: en - English - link: ./en/ + link: ./ lang: en - name: ar - ﺎﻠﻋﺮﺒﻳﺓ link: ./ar/ From ce90c214d830d39b5af2f684620d657dc8fda091 Mon Sep 17 00:00:00 2001 
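Review bot: In the `2021/mkdocs.yml` hunk the block under `- locale: zh-Hant` / `name: zh-Hant - 简体中文` receives simplified-script `nav_translations` (`注意事项`, `权限控制失效`), while `zh-TW` carries the traditional ones; `zh-Hant` denotes Traditional Chinese, so the locale code, its display name and its strings disagree. The locale line itself is context, so the mislabel predates this commit, but moving the translations inline is the natural moment to fix it — presumably `zh-Hans` with `name: zh-Hans - 简体中文`, and the matching docs folder renamed since `docs_structure: folder` derives paths from the locale. If the code must stay for URL stability, a comment on the locale line saying so would stop the next reader from "fixing" it.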
From: Naramsim Date: Mon, 14 Jul 2025 03:37:06 +0200 Subject: [PATCH 18/31] refactor: move makefile --- Makefile => 2021/Makefile | 6 +++--- requirements-test.txt => 2021/requirements-test.txt | 0 2 files changed, 3 insertions(+), 3 deletions(-) rename Makefile => 2021/Makefile (85%) rename requirements-test.txt => 2021/requirements-test.txt (100%) diff --git a/Makefile b/2021/Makefile similarity index 85% rename from Makefile rename to 2021/Makefile index 7f7ed78ec..e41ff20be 100644 --- a/Makefile +++ b/2021/Makefile @@ -11,10 +11,10 @@ install-python-requirements-test: # Install Python 3 required libraries python -m pip install -r requirements-test.txt generate-site: # Builds ./2021 - (cd 2021 && mkdocs build) + mkdocs build serve: # Build and hot-reloads ./2021 - (cd 2021 && mkdocs serve) + mkdocs serve check-links: # Checks for dead links - python -m linkcheckmd -r 2021 + python -m linkcheckmd diff --git a/requirements-test.txt b/2021/requirements-test.txt similarity index 100% rename from requirements-test.txt rename to 2021/requirements-test.txt From 1cec0928278ba1b084452b5bbe591adee5e2ff4e Mon Sep 17 00:00:00 2001 From: Naramsim Date: Mon, 14 Jul 2025 03:37:27 +0200 Subject: [PATCH 19/31] refactor: update actions/use official deploy action --- .github/workflows/deploy.yml | 11 ++++------ .github/workflows/test.yml | 42 ++++++++++++++++++++---------------- 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index db588e944..e208d5c40 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
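Review bot: The comments on `generate-site` (`# Builds ./2021`) and `serve` (`# Build and hot-reloads ./2021`) in the moved `2021/Makefile` still describe the old location; since the targets now run `mkdocs build`/`mkdocs serve` in the Makefile's own directory, `# Builds ./site from ./docs` would read true from either place. `check-links` loses its `-r 2021` argument; if `linkcheckmd` defaults to the current directory that is fine, otherwise the target needs `python -m linkcheckmd -r .` — worth confirming now, since the CI job that exercised this target is commented out in PATCH 19 and nothing else will catch it.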
@@ -8,17 +8,14 @@ jobs: build-and-deploy: runs-on: ubuntu-latest steps: - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v5 with: - python-version: '3.9' + python-version: '3.13' - name: Checkout - uses: actions/checkout@v2.3.1 + uses: actions/checkout@v4 - name: Install and Build run: | make install-python-requirements make generate-site - name: Deploy - uses: JamesIves/github-pages-deploy-action@4.1.5 - with: - branch: gh-pages - folder: 2021/site + uses: actions/deploy-pages@v4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d2cca75b1..ee3a009d4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,31 +1,35 @@ -name: Test +name: Test 2021 on: [push, pull_request] jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v5 with: - python-version: '3.9' + python-version: '3.13' - name: Checkout - uses: actions/checkout@v2.3.1 + uses: actions/checkout@v4 - name: Install and Build run: | + cd 2021 make install-python-requirements make install-python-requirements-test make generate-site - check-links: - runs-on: ubuntu-latest - steps: - - uses: actions/setup-python@v2 - with: - python-version: '3.9' - - name: Checkout - uses: actions/checkout@v2.3.1 - - name: Install and Build - run: | - make install-python-requirements - make install-python-requirements-test - make generate-site - - name: Links validation - run: make check-links + # check-links: + # runs-on: ubuntu-latest + # steps: + # - uses: actions/setup-python@v5 + # with: + # python-version: '3.13' + # - name: Checkout + # uses: actions/checkout@v4 + # - name: Install and Build + # run: | + # cd 2021 + # make install-python-requirements + # make install-python-requirements-test + # make generate-site + # - name: Links validation + # run: | + # cd 2021 + # make check-links From fd901e5ca6091cf1b05ac8049d1584f45d67c53a Mon Sep 17 00:00:00 2001 
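Review bot: `Test 2021` in `.github/workflows/test.yml` declares no `permissions:`, so the `build` job's `GITHUB_TOKEN` inherits the repository default, which on older repositories is read-write; a job that only checks out and builds needs no more than `permissions:` / `  contents: read` at the top of the workflow. The `check-links` job survives as roughly twenty commented lines; commented-out config rots unnoticed, so either delete it (it stays in history) or reduce it to `# TODO: re-enable check-links once linkcheckmd runs clean from 2021/`. The `cd 2021` prefix is repeated in each run block here and again in deploy.yml; `defaults: run: working-directory: 2021` at job level expresses that once.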
From: Naramsim Date: Mon, 14 Jul 2025 03:38:41 +0200 Subject: [PATCH 20/31] fix: use right folder --- .github/workflows/deploy.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e208d5c40..d38a60939 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -1,4 +1,4 @@ -name: Build and Deploy +name: Build and Deploy 2021 on: push: branches: @@ -15,6 +15,7 @@ jobs: uses: actions/checkout@v4 - name: Install and Build run: | + cd 2012 make install-python-requirements make generate-site - name: Deploy From a59af41867e937d3e4111527a2e56b3842d97471 Mon Sep 17 00:00:00 2001 From: Naramsim Date: Mon, 14 Jul 2025 03:38:58 +0200 Subject: [PATCH 21/31] fix: use 2021 folder --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index d38a60939..0bd0970d6 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -15,7 +15,7 @@ jobs: uses: actions/checkout@v4 - name: Install and Build run: | - cd 2012 + cd 2021 make install-python-requirements make generate-site - name: Deploy From 8307a681ed38cd5ab78f7600348bf24f77a01014 Mon Sep 17 00:00:00 2001 From: Naramsim Date: Mon, 14 Jul 2025 03:40:42 +0200 Subject: [PATCH 22/31] fix: add dep --- 2021/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/2021/requirements.txt b/2021/requirements.txt index 99b202d29..9544a840d 100644 --- a/2021/requirements.txt +++ b/2021/requirements.txt @@ -6,5 +6,6 @@ pymdown-extensions==10.16 Pygments==2.19.2 mkdocs-static-i18n[material]==1.3.0 mkdocs-macros-plugin==1.3.7 +mkdocs-git-revision-date-plugin==0.3.2 dacite==1.9.2 git+https://github.com/OWASP/OSIB.git#subdirectory=mkdocs_macro_osib_package From 0ea500abf7ea3c38d22fb3ab6514c081b0692321 Mon Sep 17 00:00:00 2001 
From: Naramsim Date: Mon, 14 Jul 2025 03:43:08 +0200 Subject: [PATCH 23/31] fix: add permissions --- .github/workflows/deploy.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 0bd0970d6..374fe0aed 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -6,6 +6,9 @@ on: - 'main' jobs: build-and-deploy: + permissions: + pages: write + id-token: write runs-on: ubuntu-latest steps: - uses: actions/setup-python@v5 From c842767da6bdcbe0c01a81951adf5b01690fa852 Mon Sep 17 00:00:00 2001 From: Naramsim Date: Mon, 14 Jul 2025 04:04:38 +0200 Subject: [PATCH 24/31] fix: add upload artifact step --- .github/workflows/deploy.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 374fe0aed..2c137a6f4 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -10,6 +10,9 @@ jobs: pages: write id-token: write runs-on: ubuntu-latest + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} steps: - uses: actions/setup-python@v5 with: @@ -21,5 +24,9 @@ jobs: cd 2021 make install-python-requirements make generate-site + - name: Upload static files as artifact + uses: actions/upload-pages-artifact@v3 + with: + path: site/ - name: Deploy uses: actions/deploy-pages@v4 From 6acb988ff1e29fa4bc6fbf47f39007aad43bafca Mon Sep 17 00:00:00 2001 From: Naramsim Date: Mon, 14 Jul 2025 04:10:38 +0200 Subject: [PATCH 25/31] fix: path --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 2c137a6f4..3aa087774 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -27,6 +27,6 @@ jobs: - name: Upload static files as artifact uses: actions/upload-pages-artifact@v3 with: - path: site/ + path: 2021/site/ - name: Deploy uses: actions/deploy-pages@v4 
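Review bot: The `permissions:` block added to `build-and-deploy` in `.github/workflows/deploy.yml` lists `pages: write` and `id-token: write` only; a job-level `permissions` key sets every scope it does not name to `none`, so `contents` is now none for this job. `actions/checkout@v4` still succeeds on a public repository, but the intent should be explicit and survive a visibility change: add `contents: read` alongside the two write scopes, as the GitHub Pages starter workflow does.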
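Review bot: `url: ${{ steps.deployment.outputs.page_url }}` in the new `environment:` block references a step with `id: deployment`, but the `Deploy` step added further down in the same file has no `id`, so the expression resolves to an empty string and the environment shows no URL. Give the step its id: `- name: Deploy` / `  id: deployment` / `  uses: actions/deploy-pages@v4`. The artifact `path: site/` is relative to the workspace while the build ran after `cd 2021`; PATCH 25 in this series corrects that to `2021/site/`, so only the missing `id` is still open.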
From ad513a90914b4243f0413fea77986f45cca86996 Mon Sep 17 00:00:00 2001 From: Naramsim Date: Mon, 14 Jul 2025 04:21:36 +0200 Subject: [PATCH 26/31] trigger build From 767be19d8c7b025860c1e970b906301d5e8ea740 Mon Sep 17 00:00:00 2001 From: Naramsim Date: Mon, 14 Jul 2025 04:45:33 +0200 Subject: [PATCH 27/31] refactor: remove unused requirements.txt --- requirements.txt | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 requirements.txt diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 2ea0ef7a3..000000000 --- a/requirements.txt +++ /dev/null @@ -1,8 +0,0 @@ -requests==2.27.1 -feedgen==0.9.0 -mkdocs==1.3.0 -mkdocs-material==8.2.9 -pymdown-extensions==9.3 -Pygments==2.11.2 -mkdocs-static-i18n==0.44 -mkdocs-git-revision-date-plugin==0.3.2 From e7a851884d064dc75bdb1e216d35a5b520d9a84d Mon Sep 17 00:00:00 2001 From: Naramsim Date: Mon, 14 Jul 2025 04:45:52 +0200 Subject: [PATCH 28/31] docs: update readme/add removed paragraph --- 2021/README.md | 18 +++++++++--------- ...Security_Logging_and_Monitoring_Failures.md | 5 ++++- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/2021/README.md b/2021/README.md index 212c3445e..55447c3df 100644 --- a/2021/README.md +++ b/2021/README.md @@ -4,18 +4,16 @@ Final Release ## Building a local copy -Make sure Python 3 is installed. Create a virtual environment. +Make sure Python 3 is installed. ```bash -# build and activate venv -cd 2021 -python3 -m venv . -source ./bin/activate -pip install -r requirements.txt -``` +# Build and activate virtual environment +python3 -m venv ./venv +source .venv/bin/activate +# Install dependencies +pip install -r requirements.txt -```sh # Build HTML mkdocs build # Browse /2021/site 
@@ -33,7 +31,9 @@ Once you are happy, check in your changes as a branch / PR and let someone on th
 ### Deploy to gh-pages
-This only works if you have commit privileges on master and Git is correctly setup in your environment.
+When the `master` branch is pushed, a Github Action will take care of everything and publish the website as a Github Page.
+
+Alternatively `mkdocs` can be used to publish the website. This only works if you have commit privileges on master and Git is correctly setup in your environment.
 ```sh
 cd 2021
diff --git a/2021/docs/en/A09_2021-Security_Logging_and_Monitoring_Failures.md b/2021/docs/en/A09_2021-Security_Logging_and_Monitoring_Failures.md
index 2aa6ef469..a5ed04087 100644
--- a/2021/docs/en/A09_2021-Security_Logging_and_Monitoring_Failures.md
+++ b/2021/docs/en/A09_2021-Security_Logging_and_Monitoring_Failures.md
@@ -54,7 +54,7 @@ events visible to a user or an attacker (see [A01:2021-Broken Access Control](A0
 ## How to Prevent
-Developers should implement some or all the following controls,
+Developers should implement some or all the following controls,
 depending on the risk of the application:
 - Ensure all login, access control, and server-side input validation
@@ -115,6 +115,9 @@ result by the privacy regulator.
 - [OWASP Application Security Verification Standard: V7 Logging and Monitoring](https://owasp.org/www-project-application-security-verification-standard)
+- [OWASP Testing Guide: Testing for Detailed Error
+ Code](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code)
+
 - [OWASP Cheat Sheet: Application Logging Vocabulary](https://cheatsheetseries.owasp.org/cheatsheets/Application_Logging_Vocabulary_Cheat_Sheet.html)
From 98db44029b16210acf7ebf591a990c4b2730c5f0 Mon Sep 17 00:00:00 2001
From: Naramsim
Date: Mon, 14 Jul 2025 05:09:53 +0200
Subject: [PATCH 29/31] feat: add automatic theme
---
 2021/mkdocs.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/2021/mkdocs.yml b/2021/mkdocs.yml
index ee864ebe9..e5d1db4e3 100644
--- a/2021/mkdocs.yml
+++ b/2021/mkdocs.yml
@@ -20,16 +20,20 @@ theme:
 - search.share
 # - navigation.instant @ Unsupported by the i18n engine
 palette:
- - media: "(prefers-color-scheme: dark)"
+ - media: "(prefers-color-scheme)"
+ toggle:
+ icon: material/brightness-auto
+ name: Switch to light mode
+ - media: "(prefers-color-scheme: light)"
 scheme: default
 toggle:
- icon: material/weather-night
+ icon: material/brightness-7
 name: Switch to dark mode
- - media: "(prefers-color-scheme: light)"
+ - media: "(prefers-color-scheme: dark)"
 scheme: slate
 toggle:
- icon: material/weather-sunny
- name: Switch to light mode
+ icon: material/brightness-4
+ name: Switch to system preference
 extra_css:
 - stylesheets/extra.css
From 98a2bb03bcd6c087ec5dc2f49870aa86110f680c Mon Sep 17 00:00:00 2001
From: Naramsim
Date: Mon, 14 Jul 2025 05:12:44 +0200
Subject: [PATCH 30/31] refactor: remove unreconized options
---
 2021/mkdocs.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/2021/mkdocs.yml b/2021/mkdocs.yml
index e5d1db4e3..215e17444 100644
--- a/2021/mkdocs.yml
+++ b/2021/mkdocs.yml
@@ -77,9 +77,7 @@ plugins:
 - search
 - git-revision-date
 - i18n:
- default_language: en
 docs_structure: folder
- material_alternate: true
 reconfigure_material: true
 reconfigure_search: true
 languages:
From 85b3fbadb88feec4db10df37e7c673e278d438ea Mon Sep 17 00:00:00 2001
From: Naramsim
Date: Mon, 14 Jul 2025 07:17:53 +0200
Subject: [PATCH 31/31] feat: show only search results for current language
---
 2021/docs/scripts/extra.js | 40 ++++++++++++++++++++++++++++++++++++++
 2021/mkdocs.yml | 3 +++
 2 files changed, 43 insertions(+)
 create mode 100644 2021/docs/scripts/extra.js
diff --git a/2021/docs/scripts/extra.js b/2021/docs/scripts/extra.js
new file mode 100644
index 000000000..fd5292e06
--- /dev/null
+++ b/2021/docs/scripts/extra.js
@@ -0,0 +1,40 @@
+window.addEventListener("DOMContentLoaded", _ => {
+ const MutationObserver = window.MutationObserver || window.WebKitMutationObserver;
+ const observer = new MutationObserver((mutations, _) => {
+ const nodesForRemoval = [];
+ for (const record of mutations) {
+ for (const liNode of record.addedNodes) {
+ let removeNode = false;
+ for (const anchor of liNode.querySelectorAll("a")) {
+ const searchResultLocale = getSearchResultLocaleFromAnchor(anchor);
+ const isSearchResultFromCurrentPageLocale = searchResultLocale === document.querySelector('html[lang]').lang;
+ if (!isSearchResultFromCurrentPageLocale) {
+ removeNode = true;
+ continue;
+ }
+ }
+
+ if (removeNode) {
+ nodesForRemoval.push(liNode);
+ }
+ }
+ }
+
+ for (const node of nodesForRemoval) {
+ node.remove();
+ }
+
+ const amountDisplay = document.querySelector(".md-search-result__meta");
+ const result = document.querySelector('.md-search-result__list').childNodes.length
+ amountDisplay.textContent = amountDisplay.textContent.replace(/\d+/i, result.toString());
+ });
+
+ observer.observe(document.querySelector(".md-search-result__list"), { childList: true });
+});
+
+function getSearchResultLocaleFromAnchor(anchor) {
+ const localeSegment = anchor.href.split("/")[3];
+ // Note that we make an assumption here that the only length 2
+ // link segments will be the locale immediately after the site's base URL.
+ return (localeSegment.length === 2 || localeSegment.length === 5 || localeSegment.length === 7) ? localeSegment : 'en';
+}
\ No newline at end of file
diff --git a/2021/mkdocs.yml b/2021/mkdocs.yml
index 215e17444..8f1b93c72 100644
--- a/2021/mkdocs.yml
+++ b/2021/mkdocs.yml
@@ -38,6 +38,9 @@ theme:
 extra_css:
 - stylesheets/extra.css
+extra_javascript:
+ - scripts/extra.js
+
 markdown_extensions:
 - abbr
 - attr_list
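Review bot: `liNode.querySelectorAll("a")` inside the observer callback assumes every entry of `record.addedNodes` is an element, but `childList` records can also carry text nodes, which have no `querySelectorAll`; one such node throws inside the callback and the locale filter silently stops for that batch. In the same loop the `continue` after `removeNode = true` only moves on to the next anchor where a `break` is meant, `document.querySelector('html[lang]').lang` is re-queried for every anchor, and `observer.observe(document.querySelector(".md-search-result__list"), …)` throws a TypeError on any page where that list is absent; the `const result = …childNodes.length` line is also missing its semicolon. The rewrite below guards the node type, hoists the page locale and returns early when there is no result list; `getSearchResultLocaleFromAnchor` and the removal/count update are unchanged.
```javascript
window.addEventListener("DOMContentLoaded", _ => {
  const resultList = document.querySelector(".md-search-result__list");
  if (!resultList) return; // page has no search result list; nothing to filter
  const pageLocale = document.querySelector('html[lang]').lang; // constant for the page's lifetime
  // … unchanged: MutationObserver alias …
  const observer = new MutationObserver((mutations, _) => {
    const nodesForRemoval = [];
    for (const record of mutations) {
      for (const liNode of record.addedNodes) {
        if (liNode.nodeType !== Node.ELEMENT_NODE) continue; // text nodes have no querySelectorAll
        let removeNode = false;
        for (const anchor of liNode.querySelectorAll("a")) {
          if (getSearchResultLocaleFromAnchor(anchor) !== pageLocale) {
            removeNode = true;
            break; // one foreign-locale link already decides the result
          }
        }
        // … unchanged: push liNode into nodesForRemoval …
      }
    }
    // … unchanged: removal loop and result-count update …
  });

  observer.observe(resultList, { childList: true });
});
```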