12 changes: 12 additions & 0 deletions secure_software_development_fundamentals.md
@@ -2246,6 +2246,12 @@ For outbound authentication, credentials should be stored outside the code in a

🔔 Hardcoded credentials are such a common cause of security vulnerabilities that they are 2021 CWE Top 25 #16 and 2019 CWE Top 25 #19. This weakness is [CWE-798](https://cwe.mitre.org/data/definitions/798.html), *Use of Hard-coded Credentials*. The related *Insufficiently Protected Credentials* is 2021 CWE Top 25 #21 and 2019 CWE Top 25 #27 as [CWE-522](https://cwe.mitre.org/data/definitions/522.html).

##### Lab: Hardcoded credentials

🧪 **Lab: Please try lab [hardcoded](https://best.openssf.org/labs/hardcoded.html), which lets you experiment with how to eliminate hardcoded credentials as a vulnerability.**

*Labs are optional, but you're strongly encouraged to try them!*

#### Quiz 2.2: Avoid Default & Hardcoded Credentials

\>\>Secret keys should be stored in source code so that they cannot be easily read, as they could be if they were stored in separate files. True or False?<<
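Review bot: the new lab heading `##### Lab: Hardcoded credentials` is one level deeper than the quiz heading that follows it (`#### Quiz 2.2: Avoid Default & Hardcoded Credentials`) and than the lab heading added in the second hunk (`#### Lab: Cross-Site Scripting (XSS)`), so it renders as a sub-subsection of the preceding material instead of a sibling of the quiz; suggest `#### Lab: Hardcoded credentials` so both lab call-outs sit at the same level.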
@@ -3544,6 +3550,12 @@ A very mild hardening measure is to set the attribute **HttpOnly** on cookies. T

XSS is usually best countered by choosing a framework or library that automatically escapes output for you. However, programs often have many outputs. It would be best if we paired this solution with something else that limited the damage when a mistake *is* made. On the web there is a solution: the Content Security Policy (CSP). The next unit will discuss this.

#### Lab: Cross-Site Scripting (XSS)

🧪 **Lab: Please try lab [xss](https://best.openssf.org/labs/xss.html), which lets you experiment with how to counter cross-site scripting (XSS) vulnerabilitiesies.**

*Labs are optional, but you're strongly encouraged to try them!*

#### Quiz 4.2: Countering Cross-Site Scripting (XSS)

\>\>Choosing a framework or library that automatically escapes HTML output is often one of the best ways to counter XSS attacks. True or False?<<
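Review bot: typo in the bold lab sentence: "vulnerabilitiesies" should be "vulnerabilities", i.e. `...which lets you experiment with how to counter cross-site scripting (XSS) vulnerabilities.**`. The rest of the call-out matches the wording of the hardcoded-credentials lab added in the first hunk, which is the right consistency to keep.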