Add session management, CORS, XXE patterns
Complete the security patterns collection: - session-management.md: fixation, hijacking, secure cookies, concurrent sessions - cors.md: origin validation, reflected origin attacks, preflight caching - xxe.md: external entities, DTD attacks, language-specific fixes Now 19 patterns covering comprehensive web application security.
This commit is contained in:
Rodin
@@ -20,13 +20,14 @@ Based on OWASP Top 10:2025 and recent security research.
|
||||
| [audit-logging.md](audit-logging.md) | What to log, what not to log | A09 |
|
||||
| [error-handling.md](error-handling.md) | Fail closed, no sensitive info in errors | A10 |
|
||||
|
||||
### Identity
|
||||
### Identity & Session
|
||||
|
||||
| File | Topic | OWASP 2025 |
|
||||
|------|-------|------------|
|
||||
| [authentication.md](authentication.md) | Passwords, tokens, MFA, brute force protection | A07 |
|
||||
| [authorization.md](authorization.md) | Permission checks, IDOR prevention, privilege escalation | A01 |
|
||||
| [jwt-security.md](jwt-security.md) | Algorithm confusion, weak secrets, expiration | A07 |
|
||||
| [session-management.md](session-management.md) | Session fixation, hijacking, secure cookies | A07 |
|
||||
|
||||
### Attack Prevention
|
||||
|
||||
@@ -34,10 +35,12 @@ Based on OWASP Top 10:2025 and recent security research.
|
||||
|------|-------|------------|
|
||||
| [injection-prevention.md](injection-prevention.md) | SQL, command, template, path traversal | A05 |
|
||||
| [ssrf.md](ssrf.md) | Server-side request forgery, metadata endpoints | A10 |
|
||||
| [xxe.md](xxe.md) | XML external entities, DTD attacks | A05 |
|
||||
| [dos-prevention.md](dos-prevention.md) | Rate limiting, resource bounds, algorithmic complexity | — |
|
||||
| [prompt-injection.md](prompt-injection.md) | LLM security, data/instruction separation | — |
|
||||
| [deserialization.md](deserialization.md) | Untrusted data deserialization, pickle, yaml | A08 |
|
||||
| [race-conditions.md](race-conditions.md) | TOCTOU, atomic check-and-act, database locks | — |
|
||||
| [cors.md](cors.md) | Origin validation, credential handling | A01 |
|
||||
|
||||
### Infrastructure
|
||||
|
||||
@@ -50,13 +53,13 @@ Based on OWASP Top 10:2025 and recent security research.
|
||||
|
||||
| # | Category | Pattern |
|
||||
|---|----------|---------|
|
||||
| A01 | Broken Access Control | authorization.md |
|
||||
| A01 | Broken Access Control | authorization.md, cors.md |
|
||||
| A02 | Security Misconfiguration | secure-defaults.md |
|
||||
| A03 | Software Supply Chain Failures | supply-chain.md |
|
||||
| A04 | Cryptographic Failures | cryptography.md |
|
||||
| A05 | Injection | injection-prevention.md |
|
||||
| A05 | Injection | injection-prevention.md, xxe.md |
|
||||
| A06 | Insecure Design | secure-defaults.md |
|
||||
| A07 | Authentication Failures | authentication.md, jwt-security.md |
|
||||
| A07 | Authentication Failures | authentication.md, jwt-security.md, session-management.md |
|
||||
| A08 | Software or Data Integrity Failures | deserialization.md |
|
||||
| A09 | Security Logging and Alerting Failures | audit-logging.md |
|
||||
| A10 | Mishandling of Exceptional Conditions | error-handling.md, ssrf.md |
|
||||
|
||||
Reference in New Issue
Block a user