### Example Dockerfile with dumb-init
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NodeJS_Docker_Cheat_Sheet.md
A complete Dockerfile example demonstrating the setup with 'dumb-init' for managing Node.js applications, leveraging Docker's layer caching for the package installation.
```dockerfile
FROM node:lts-alpine@sha256:b2da3316acdc2bec442190a1fe10dc094e7ba4121d029cb32075ff59bb27390a
```
--------------------------------
### Fastify Server Start Function
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NodeJS_Docker_Cheat_Sheet.md
This function starts the Fastify server and logs the process ID. It includes basic error handling to exit the process if the server fails to start.
```javascript
const start = async () => {
try {
await fastify.listen(PORT, HOST)
console.log(`*^!@4=> Process id: ${process.pid}`)
} catch (err) {
fastify.log.error(err)
process.exit(1)
}
}
```
--------------------------------
### Install Python Requirements
Source: https://github.com/owasp/cheatsheetseries/blob/master/README.md
Installs the necessary Python dependencies for building the website locally. Ensure you have Python 3.x installed.
```sh
make install-python-requirements
```
--------------------------------
### HTML Anchor Element Setup
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md
Provides a basic HTML anchor element structure used in subsequent JavaScript examples for setting event handlers.
```html
Test Me
```
--------------------------------
### Install SIGTRAP Handler
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md
Installs a null SIGTRAP handler at program startup if no other handler is present. This is typically used to prevent unexpected program termination.
```c++
struct DebugTrapHandler
{
DebugTrapHandler()
{
struct sigaction new_handler, old_handler;
do
{
int ret = 0;
ret = sigaction (SIGTRAP, NULL, &old_handler);
if (ret != 0) break; // Failed
// Don't step on another's handler
if (old_handler.sa_handler != NULL) break;
new_handler.sa_handler = &DebugTrapHandler::NullHandler;
new_handler.sa_flags = 0;
ret = sigemptyset (&new_handler.sa_mask);
if (ret != 0) break; // Failed
ret = sigaction (SIGTRAP, &new_handler, NULL);
if (ret != 0) break; // Failed
} while(0);
}
static void NullHandler(int /*unused*/) { }
};
// We specify a relatively low priority, to make sure we run before other CTORs
// http://gcc.gnu.org/onlinedocs/gcc-4.7.2/gcc/C_002b_002b-Attributes.html#C_002b_002b-Attributes
static const DebugTrapHandler g_dummyHandler __attribute__ ((init_priority (110)));
```
--------------------------------
### Demonstrate basic command injection
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md
Examples of how user input can alter the intended execution of a system command.
```shell
calc
```
```shell
calc & echo "test"
```
--------------------------------
### Execute Build with Custom Flags
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md
Example command to pass security-related flags during the build process.
```bash
make CFLAGS="-fPIE" CXXFLAGS="-fPIE" LDFLAGS="-pie -z,noexecstack, -z,noexecheap"
```
--------------------------------
### Example Markdown Link Check Output
Source: https://github.com/owasp/cheatsheetseries/blob/master/CONTRIBUTING.md
This is an example of the output from the markdown-link-check command, indicating the status of checked links.
```bash
$ markdown-link-check -c .markdownlinkcheck.json cheatsheets/Transaction_Authorization_Cheat_Sheet.md
FILE: cheatsheets/Transaction_Authorization_Cheat_Sheet.md
[✓] https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
[✓] https://en.wikipedia.org/wiki/Chip_Authentication_Program
[✓] http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
...
```
--------------------------------
### Oracle PL/SQL Stored Procedure Examples
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Query_Parameterization_Cheat_Sheet.md
Examples of standard parameter binding and secure dynamic SQL execution in Oracle.
```sql
PROCEDURE SafeGetBalanceQuery(UserID varchar, Dept varchar) AS BEGIN
SELECT balance FROM accounts_table WHERE user_ID = UserID AND department = Dept;
END;
```
```sql
PROCEDURE AnotherSafeGetBalanceQuery(UserID varchar, Dept varchar)
AS stmt VARCHAR(400); result NUMBER;
BEGIN
stmt := 'SELECT balance FROM accounts_table WHERE user_ID = :1
AND department = :2';
EXECUTE IMMEDIATE stmt INTO result USING UserID, Dept;
RETURN result;
END;
```
--------------------------------
### Install Nelmio CORS bundle
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Symfony_Cheat_Sheet.md
Add the NelmioCorsBundle to the project using Composer.
```bash
composer require nelmio/cors-bundle
```
--------------------------------
### Good Example: Tenant-Scoped Resource Access with Repository
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Multi_Tenant_Security_Cheat_Sheet.md
This example implements a `TenantScopedRepository` to enforce tenant isolation for all database operations. It ensures that resources are only accessed or modified if they belong to the current tenant. The `require_tenant` decorator and `TenantScopedRepository` usage in the endpoint are key to this secure pattern.
```python
from uuid import UUID
from typing import TypeVar, Generic, Type, Optional
from sqlalchemy.orm import Session
from fastapi import Depends, FastAPI, HTTPException
# Assume current_tenant, SecurityException, get_db, Document, require_tenant are defined elsewhere
T = TypeVar('T')
class TenantScopedRepository(Generic[T]):
"""Repository that enforces tenant isolation on all operations."""
def __init__(self, model: Type[T], session: Session):
self.model = model
self.session = session
@property
def tenant_id(self) -> str:
ctx = current_tenant.get()
if not ctx:
raise SecurityException("Tenant context required")
return ctx.tenant_id
def get_by_id(self, resource_id: UUID) -> Optional[T]:
"""Get resource only if it belongs to current tenant."""
return self.session.query(self.model).filter(
self.model.id == resource_id,
self.model.tenant_id == self.tenant_id # Always include tenant check
).first()
def list_all(self, limit: int = 100, offset: int = 0) -> list[T]:
"""List resources for current tenant only."""
return self.session.query(self.model).filter(
self.model.tenant_id == self.tenant_id
).limit(limit).offset(offset).all()
def create(self, **kwargs) -> T:
"""Create resource with tenant_id automatically set."""
if 'tenant_id' in kwargs and kwargs['tenant_id'] != self.tenant_id:
raise SecurityException("Cannot create resource for different tenant")
kwargs['tenant_id'] = self.tenant_id
instance = self.model(**kwargs)
self.session.add(instance)
return instance
def delete(self, resource_id: UUID) -> bool:
"""Delete resource only if it belongs to current tenant."""
result = self.session.query(self.model).filter(
self.model.id == resource_id,
self.model.tenant_id == self.tenant_id
).delete()
return result > 0
# Usage
app = FastAPI()
@app.get("/api/documents/{document_id}")
@require_tenant
async def get_document(document_id: UUID, db: Session = Depends(get_db)):
repo = TenantScopedRepository(Document, db)
doc = repo.get_by_id(document_id)
if not doc:
raise HTTPException(404, "Document not found") # Don't reveal if it exists for other tenant
return doc
```
--------------------------------
### HTML Encoded Example (Does Not Work - DNW)
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md
Shows an HTML encoded example that highlights the difference with JavaScript encoded values and does not render a link.
```html
<a href="..."
```
--------------------------------
### Hex Encoded Prompt Injection Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.md
Shows an example of prompt injection using hexadecimal encoding to hide malicious instructions from detection systems.
```text
49676e6f726520616c6c2070726576696f757320696e737472756374696f6e73
```
--------------------------------
### Install and Use ufw-docker Integration
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md
Integrate UFW firewall rules with Docker by installing the ufw-docker script. This allows standard UFW commands to manage traffic to containers.
```bash
# Install ufw-docker integration rules
sudo ufw-docker install
# Allow external access to a specific container port
sudo ufw-docker allow mycontainer 8000/tcp
```
--------------------------------
### Define manifest permissions
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Browser_Extension_Vulnerabilities_Cheat_Sheet.md
Example of an extension manifest requesting broad host permissions.
```json
{
"manifest_version": 3,
"name": "My Extension",
"permissions": [
"tabs",
"http://*/*",
"https://*/*",
"storage"
]
}
```
--------------------------------
### Use NPM Registry for a Single Install
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NPM_Security_Cheat_Sheet.md
Specify a registry to use for a single npm install command. This allows for temporary use of a different registry without changing the default.
```bash
npm install --registry
```
--------------------------------
### SQL Server Transact-SQL Stored Procedure Examples
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Query_Parameterization_Cheat_Sheet.md
Examples of standard parameter binding and secure dynamic SQL execution using sp_executesql in SQL Server.
```sql
PROCEDURE SafeGetBalanceQuery(@UserID varchar(20), @Dept varchar(10)) AS BEGIN
SELECT balance FROM accounts_table WHERE user_ID = @UserID AND department = @Dept
END
```
```sql
PROCEDURE SafeGetBalanceQuery(@UserID varchar(20), @Dept varchar(10)) AS BEGIN
DECLARE @sql VARCHAR(200)
SELECT @sql = 'SELECT balance FROM accounts_table WHERE '
+ 'user_ID = @UID AND department = @DPT'
EXEC sp_executesql @sql,
'@UID VARCHAR(20), @DPT VARCHAR(10)',
@UID=@UserID, @DPT=@Dept
END
```
--------------------------------
### DOM-based XSS in JavaScript Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md
This snippet illustrates a DOM-based XSS vulnerability where user input from a GET parameter is passed to the eval() function in JavaScript. The exploitation example shows how to inject a payload to execute arbitrary JavaScript, such as accessing document.cookie.
```javascript
```
```javascript
/?xss=document.cookie
```
--------------------------------
### Log System Startup Event
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Logging_Vocabulary_Cheat_Sheet.md
Log when a system instance is spawned, including the user who initiated it. Useful for serverless or containerized environments.
```json
{
"datetime": "2019-01-01 00:00:00,000",
"appid": "foobar.netportal_auth",
"event": "sys_startup:joebob1",
"level": "WARN",
"description": "User joebob1 spawned a new instance",
...
}
```
--------------------------------
### Reflected XSS in JavaScript Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md
This snippet demonstrates a reflected XSS vulnerability within a JavaScript setTimeout function, where user input from a GET parameter is directly used. The exploitation example shows how to inject a payload to execute arbitrary JavaScript.
```javascript
```
```javascript
/?xss=500);
alert(document.cookie);//
```
--------------------------------
### Time Delay Exploitation Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Injection_Prevention_Cheat_Sheet.md
This example demonstrates how to use a time delay to detect blind SQL injection. It checks if the MySQL version starts with '5' and, if true, causes a 10-second delay. The tester can adjust the delay time and cancel requests.
```text
http://www.example.com/product.php?id=10 AND IF(version() like '5%', sleep(10), 'false'))--
```
--------------------------------
### Enable HTTPS Redirection (Startup.cs)
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/DotNet_Security_Cheat_Sheet.md
Use the UseHttpsRedirection middleware in Startup.cs to automatically redirect HTTP requests to HTTPS.
```csharp
app.UseHttpsRedirection();
```
--------------------------------
### Assess npm Installation Health
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NPM_Security_Cheat_Sheet.md
Run the 'npm doctor' command to diagnose your npm environment and ensure a healthy setup. It checks registry reachability, Git availability, Node.js/npm versions, and file permissions.
```bash
npm doctor
```
--------------------------------
### Execute OS Functions Safely with System.Diagnostics.Process.Start
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/DotNet_Security_Cheat_Sheet.md
Use System.Diagnostics.Process.Start to call underlying OS functions. Ensure commands and arguments are validated before execution.
```csharp
var process = new System.Diagnostics.Process();
var startInfo = new System.Diagnostics.ProcessStartInfo();
startInfo.FileName = "validatedCommand";
startInfo.Arguments = "validatedArg1 validatedArg2 validatedArg3";
process.StartInfo = startInfo;
process.Start();
```
--------------------------------
### XSS via Request Redirection - Vulnerable PHP Code
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.md
These PHP snippets show vulnerable code that redirects the user based on a GET parameter. The subsequent HTML examples demonstrate how requests might bypass a WAF and conduct an XSS attack.
```php
header('Location: '.$_GET['param']);
```
```php
header('Refresh: 0; URL='.$_GET['param']);
```
```html
/?param=
```
```html
/?param= command.
```
--------------------------------
### Monitor Domain Allowlist for IP Address Changes in Python
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md
This Python script serves as a starting point for monitoring a domain allowlist. It checks if domains in the allowlist resolve to local or internal IP addresses, which could indicate a DNS pinning vulnerability. Ensure you have the 'ipaddress' and 'dnspython' libraries installed.
```python
# Dependencies: pip install ipaddress dnspython
import ipaddress
import dns.resolver
# Configure the allowlist to check
DOMAINS_ALLOWLIST = ["owasp.org", "labslinux"]
```
--------------------------------
### Docker History Output
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NodeJS_Docker_Cheat_Sheet.md
Example output showing how build arguments are exposed in the image history log.
```text
IMAGE CREATED CREATED BY SIZE COMMENT
b4c2c78acaba About a minute ago CMD ["dumb-init" "node" "server.js"] 0B buildkit.dockerfile.v0
About a minute ago USER node 0B buildkit.dockerfile.v0
About a minute ago RUN |1 NPM_TOKEN=1234 /bin/sh -c echo "//reg… 5.71MB buildkit.dockerfile.v0
About a minute ago ARG NPM_TOKEN 0B buildkit.dockerfile.v0
About a minute ago COPY . . # buildkit 15.3kB buildkit.dockerfile.v0
About a minute ago WORKDIR /usr/src/app 0B buildkit.dockerfile.v0
About a minute ago ENV NODE_ENV=production 0B buildkit.dockerfile.v0
About a minute ago RUN /bin/sh -c apk add dumb-init # buildkit 1.65MB buildkit.dockerfile.v0
```
--------------------------------
### Implement In-Memory Rate Limiting with Go's rate Package
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/gRPC_Security_Cheat_Sheet.md
Implement request rate limiting using `golang.org/x/time/rate` for managing client request frequency. This example uses a map to store per-client limiters and includes periodic cleanup of old entries.
```Go
// Go - Rate limiting with memory management
import (
"golang.org/x/time/rate"
"sync"
"time"
)
type RateLimiterStore struct {
limiters map[string]*rateLimiterEntry
mu sync.RWMutex
}
type rateLimiterEntry struct {
limiter *rate.Limiter
lastSeen time.Time
}
var store = &RateLimiterStore{
limiters: make(map[string]*rateLimiterEntry),
}
func rateLimitInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
clientIP := getClientIP(ctx)
store.mu.Lock()
entry, exists := store.limiters[clientIP]
if !exists {
entry = &rateLimiterEntry{
limiter: rate.NewLimiter(rate.Limit(10), 20), // 10 req/sec, burst 20
lastSeen: time.Now(),
}
store.limiters[clientIP] = entry
}
entry.lastSeen = time.Now()
store.mu.Unlock()
if !entry.limiter.Allow() {
return nil, status.Errorf(codes.ResourceExhausted, "rate limit exceeded")
}
return handler(ctx, req)
}
// Cleanup old limiters periodically
func cleanupOldLimiters() {
store.mu.Lock()
defer store.mu.Unlock()
cutoff := time.Now().Add(-time.Hour)
for ip, entry := range store.limiters {
if entry.lastSeen.Before(cutoff) {
delete(store.limiters, ip)
}
}
}
```
--------------------------------
### Basic User Configuration
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NodeJS_Docker_Cheat_Sheet.md
A minimal example of switching to the node user, which may result in file permission issues if files were copied as root.
```dockerfile
USER node
CMD "npm" "start"
```
--------------------------------
### Serve Website Locally
Source: https://github.com/owasp/cheatsheetseries/blob/master/README.md
Starts a local web server to view the generated website. The site will be accessible at http://localhost:8000.
```sh
make serve
```
--------------------------------
### Enforce Lockfile with Yarn
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NPM_Security_Cheat_Sheet.md
Use the `yarn install --frozen-lockfile` command to ensure that dependencies are installed exactly as specified in the lockfile. This command will abort if any inconsistencies are detected between `package.json` and the lockfile, preventing unintended package version installations.
```bash
yarn install --frozen-lockfile
```
--------------------------------
### Dangerous URL Forwarding Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md
An example of a URL structure that allows user-controlled input to determine the destination of a forward.
```text
http://www.example.com/function.jsp?fwd=admin.jsp
```
--------------------------------
### Secure Service Discovery Configuration
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/gRPC_Security_Cheat_Sheet.md
Examples for securing service discovery using mTLS for Consul and RBAC for Kubernetes.
```go
consulConfig := &api.Config{
Address: "consul.example.com:8500",
Scheme: "https",
TLSConfig: &api.TLSConfig{
CertFile: "/path/to/client.crt",
KeyFile: "/path/to/client.key",
CAFile: "/path/to/ca.crt",
},
}
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: grpc-service-discovery
rules:
- apiGroups: [""]
resources: ["services", "endpoints"]
verbs: ["get", "list", "watch"]
```
--------------------------------
### DNS Resolution Example (Normal)
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/XML_Security_Cheat_Sheet.md
Demonstrates a normal DNS resolution where a hostname resolves to its expected IP address.
```bash
$ host example.com
example.com has address 1.1.1.1
```
--------------------------------
### Querying Databases with Rust SQLx
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Query_Parameterization_Cheat_Sheet.md
Demonstrates using compile-time macros and runtime bind functions to safely execute queries in Rust.
```rust
// Input from CLI args but could be anything
let username = std::env::args().last().unwrap();
// Using build-in macros (compile time checks)
let users = sqlx::query_as!(
User,
"SELECT * FROM users WHERE name = ?",
username
)
.fetch_all(&pool)
.await
.unwrap();
// Using built-in functions
let users: Vec = sqlx::query_as::<_, User>(
"SELECT * FROM users WHERE name = ?"
)
.bind(&username)
.fetch_all(&pool)
.await
.unwrap();
```
--------------------------------
### Example of a Potentially Dangerous .NET Type
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
System.IO.FileInfo is an example of a native .NET type that can be dangerous when deserialized, as its properties can be modified.
```csharp
System.IO.FileInfo
```
--------------------------------
### Install Package Ignoring Scripts
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NPM_Security_Cheat_Sheet.md
Append the `--ignore-scripts` flag when installing packages to reduce the risk of arbitrary command execution.
```bash
npm install my-malicious-package --ignore-scripts
```
--------------------------------
### Install Token Authentication Dependencies
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Ruby_on_Rails_Cheat_Sheet.md
Add the required gems to your Gemfile to enable token-based authentication with omniauth support.
```bash
# token-based authentication
gem 'devise_token_auth'
gem 'omniauth'
```
--------------------------------
### Sign and Verify Artifacts with Sigstore
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NPM_Security_Cheat_Sheet.md
Demonstrates signing an npm package artifact and verifying its signature using the sigstore library. Ensure you have the sigstore package installed.
```javascript
// sign-and-verify.js
// npm install sigstore fs
import * as fs from 'fs';
import * as sigstore from 'sigstore';
// Path to your built npm package (via `npm pack`)
const artifact = 'my-lib-1.0.0.tgz';
// --- Sign ---
const payload = fs.readFileSync(artifact);
const bundle = await sigstore.sign(payload);
fs.writeFileSync(`${artifact}.sigstore.json`, JSON.stringify(bundle, null, 2));
console.log('Signed:', artifact);
// --- Verify ---
await sigstore.verify(payload, bundle);
console.log('Verified OK!');
```
--------------------------------
### Install Verdaccio Private NPM Registry
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/NPM_Security_Cheat_Sheet.md
Install Verdaccio globally on your system. Verdaccio is a lightweight, zero-configuration private npm registry.
```bash
npm install --global verdaccio
```
--------------------------------
### JWT Structure Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/JSON_Web_Token_Cheat_Sheet.md
This is an example of a signed JSON Web Token (JWT). It consists of a header, claims, and a signature, separated by dots.
```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
```
--------------------------------
### LDAP Distinguished Name and Search Filter Examples
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Injection_Prevention_Cheat_Sheet.md
Examples of LDAP distinguished names and a search filter using prefix notation.
```text
cn=Richard Feynman, ou=Physics Department, dc=Caltech, dc=edu
```
```text
uid=inewton, ou=Mathematics Department, dc=Cambridge, dc=com
```
```text
(&(ou=Physics)(| (manager=cn=Freeman Dyson,ou=Physics,dc=Caltech,dc=edu)
(manager=cn=Albert Einstein,ou=Physics,dc=Princeton,dc=edu) ))
```
--------------------------------
### Example Malicious Payload
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Virtual_Patching_Cheat_Sheet.md
This is an example of a malicious payload targeting a WordPress plugin, demonstrating SQL injection by appending SQL logic to a parameter.
```text
http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1
```
--------------------------------
### Demonstrate argument injection in PHP
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md
Examples showing how escaping shell characters can still leave an application vulnerable to argument injection.
```php
system("curl " . escape($url));
```
```php
system("curl " . escape("--help"))
```
--------------------------------
### Run Django security deployment checks
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Django_Security_Cheat_Sheet.md
Execute this command in the project root to identify potential security vulnerabilities and missing production-ready settings.
```bash
$ ./manage.py check --deploy
System check identified some issues:
WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W009) Your SECRET_KEY has less than 50 characters, less than 5 unique characters, or it's prefixed with 'django-insecure-' indicating that it was generated automatically by Django. Please generate a long and random value, otherwise many of Django's security-critical features will be vulnerable to attack.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W020) ALLOWED_HOSTS must not be empty in deployment.
System check identified 7 issues (0 silenced).
```
--------------------------------
### URL Encoding for GET Parameters
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md
Employ URL encoding to safely include untrusted string data in GET parameters. This is rule #5.
```HTML
clickme
```
--------------------------------
### Configure Autotools with Security Flags
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md
Example of passing security-focused compiler and linker flags to the configure script.
```bash
$ configure CFLAGS="-Wall -Wextra -Wconversion -fPIE -Wno-unused-parameter
-Wformat=2 -Wformat-security -fstack-protector-all -Wstrict-overflow"
LDFLAGS="-pie -z,noexecstack -z,noexecheap -z,relro -z,now"
```
--------------------------------
### Vulnerable DOM XSS Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md
A basic example of vulnerable code where data from the URL hash is directly written to the document, leading to DOM XSS.
```javascript
var x = location.hash.split("#")[1];
document.write(x);
```
--------------------------------
### File Permissions Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/XML_Security_Cheat_Sheet.md
This shows the file permissions for a DTD file. Incorrect permissions like '-rw-rw-rw-' can allow any user to modify the schema, leading to vulnerabilities.
```text
-rw-rw-rw- 1 user staff 743 Jan 15 12:32 note.dtd
```
--------------------------------
### Vulnerable HTML/JavaScript Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md
This example demonstrates a common vulnerability where tainted data is directly inserted into the DOM via innerHTML, potentially leading to XSS.
```html
```
--------------------------------
### Example of a Batched GraphQL Query
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/GraphQL_Cheat_Sheet.md
Demonstrates requesting multiple instances of the same object type within a single GraphQL query.
```graphql
query {
droid(id: "2000") {
name
}
second:droid(id: "2001") {
name
}
third:droid(id: "2002") {
name
}
}
```
--------------------------------
### Install Symfony CSRF Component
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/Symfony_Cheat_Sheet.md
Install the `symfony/security-csrf` component using Composer if you are not using Symfony Forms but need to generate and validate CSRF tokens manually.
```bash
composer install symfony/security-csrf
```
--------------------------------
### Local XML Schema Example
Source: https://github.com/owasp/cheatsheetseries/blob/master/cheatsheets/XML_Security_Cheat_Sheet.md
This is an example of a local XML schema definition (DTD). Ensure correct file permissions are set to prevent unauthorized modifications.
```xml
Tove
Jani
Reminder
Don't forget me this weekend
```