OWASP Flagship
CSCounterBadge
LicenseBadge

ProjectLogoOfficial

Welcome to the OWASP Cheat Sheet Series

This repository contains all the cheat sheets of the project and represent the V2 of the OWASP Cheat Sheet Series project.

Links:

Table of Contents

Reference to the Cheat Sheets

When a reference to a cheat sheet needs to be created, then a link pointing to the project (generated) official web site hosted on https://cheatsheetseries.owasp.org must be used.

:triangular_flag_on_post: Markdown files are the working sources and are not intended to be referenced in any external documentation/book/website/etc.

Cheat Sheets index

The following indexes are provided:

  • This index references all released cheat sheets sorted alphabetically.
    • This index is automatically generated by this script.
  • This index references all released cheat sheets using the OWASP ASVS project as reading source.
    • This index is manually managed in order to allow contribution along with custom content.
  • This index references all released cheat sheets using the OWASP Proactive Controls project as the reading source.
    • This index is manually managed in order to allow contribution along with custom content.

The official website provides a search bar (top left corner) that can be used.

Cheat Sheet Series Team

Project Leaders

Core Team

The core team contains a set of knowledgeable people that assist the project leaders in maintaining the repository and take on actions on their own. The team follows a well documented process in issues and pull requests, whether in accepting or rejecting them.

Chat With Us

We’re easy to find on Slack:

  1. Join the OWASP Group Slack with this invitation link.
  2. Join this project’s channel, #cheatsheets.

Feel free to ask questions, suggest ideas, or share your best recipes.

Project Logo

The project’s official logo files are hosted here.

Folders

cheatsheets_excluded:

  • Contains the cheat sheets markdown files converted with PANDOC. Before inclusion into V2 of this project, a discussion must occur to decide if this content is still relevant, as it has not been recently updated. See this discussion.

cheatsheets:

  • Contains the final cheat sheets files.
  • Any .md file present in this folder is considered released.

assets:

  • Contains the assets used by the cheat sheets (images, PDF’s, ZIP files etc.).
    • Naming convention is [CHEAT_SHEET_MARKDOWN_FILE_NAME]_[IDENTIFIER].[EXTENSION]
    • Use PNG format for the images.

scripts:

  • Contains all the utility scripts used to operate the project (markdown linter audit, dead link identification etc.).

templates:

  • Contains templates used for different kinds of files (cheatsheets etc.).

.github:

  • Contains materials used to configure different behaviors of GitHub.

.circleci / .travis.yml (file):

  • Contains the definition of the integration jobs used to control the integrity and consistency of the whole project:
    • TravisCI is used to perform compliance check actions at each Push/Pull Request. It must be/stay the fastest possible (currently inferior to 2 minutes) in order to provide a rapid compliance feedback about the Push/Pull Request.
    • CircleCI is used to perform operations taking longer time like build, publish and deploy actions.

Offline Website

Unfortunately, a PDF file generation is not possible because the content is cut in some cheat sheets, for example, the abuse case one.

However, to propose the possibility the consult, in a full offline mode, the collection of all cheat sheets, a script to generate an offline site using GitBook has been created. The script is here.

  • book.json: Gitbook configuration file.
  • Preface.md: Project preface description applied to the generated site.

:information_source: It is this generated content that is hosted on the official web site of the project.

Automated Build

This link allows you to download a build (ZIP archive) of the offline website.

Manual Build

Use the commands below to generate the site:

  1. # Your python version must be >= 3.5
  2. $ python --version
  3. Python 3.5.3
  4. # Dependencies:
  5. # sudo apt install -y nodejs
  6. # sudo npm install gitbook-cli -g
  7. $ cd scripts
  8. $ bash Generate_Site.sh
  9. Generate a offline portable website with all the cheat sheets...
  10. Step 1/5: Init work folder.
  11. Step 2/5: Generate the summary markdown page.
  12. Index updated.
  13. Summary markdown page generated.
  14. Step 3/5: Create the expected GitBook folder structure.
  15. Step 4/5: Generate the site.
  16. info: found 45 pages
  17. info: found 86 asset files
  18. info: >> generation finished with success in 14.2s !
  19. Step 5/5: Cleanup.
  20. Generation finished to the folder: ../generated/site
  21. $ cd ../generated/site/
  22. $ ls -l
  23. drwxr-xr-x 1 Feb 3 11:05 assets
  24. drwxr-xr-x 1 Feb 3 11:05 cheatsheets
  25. drwxr-xr-x 1 Feb 3 11:05 gitbook
  26. -rw-r--r-- 1 Feb 3 11:05 index.html
  27. -rw-r--r-- 1 Feb 3 11:05 search_index.json

Conversion Rules

  • Use the markdown syntax described in this guide.
  • Use this sheet for superscript and subscript characters.
  • Use this sheet for arrows (left, right, top, down) characters.
  • Store all assets in the assets folder and use the following syntax:
    • ![ALTERNATE_NAME](../assets/ASSET_NAME.png) for the insertion of an image. Use PNG format for the images (this software can be used to handle format conversion).
    • [ALTERNATE_NAME](../assets/ASSET_NAME.EXT) for the insertion of other kinds of media (PDF, ZIP etc.).
  • Use ATX style (# syntax) for section head.
  • Use **bold** syntax for bold text.
  • Use *italic* syntax for italic text.
  • Use TAB for nested lists and not spaces.
  • Use code fencing syntax along syntax highlighting for code snippet (prevent when possible horizontal scrollbar).
  • If you use {{ or }} pattern in code fencing then add a space between both curly braces (ex: { {) otherwise it will break the GitBook generation process.
  • Same remark about the cheat sheet file name, only the following syntax is allowed: [a-zA-Z_]+.
  • No HTML code is allowed, only markdown syntax is allowed.
  • Use this site for generation of tables.
  • Use a single new line between a section head and the beginning of its content.

Editor & validation policy

Visual Studio Code is used for the work on the markdown files. It is also used for the work on the scripts.

The file Project.code-workspace is the workspace file in order to open the project in VSCode.

The following plugin is used to validate the markdown content.

The file .markdownlint.json defines the central validation policy applied at VSCode (IDE) and TravisCI (CI) levels.

Details about rules can be found here.

The file .markdownlinkcheck.json defines the configuration used to validate using this tool, at TravisCI level, all web and relatives links used in cheat sheets.

How to setup my contributor environment?

See here.

How to contribute?

See here.

Contributors

  • From 2014 to 2018: V1 - Initial version of the project hosted on the OWASP WIKI.
  • From 2019: V2 - Hosted on GitHub.

Special thanks

A special thank you to the following people for their help provided during the migration:

  • Dominique Righetto: For his special leadership and guidance.
  • Elie Saad: For valuable help in updating the OWASP Wiki links for all the migrated cheat sheets.
  • Jakub Maćkowski: For valuable help in updating the OWASP Wiki links for all the migrated cheat sheets.

License

The entire project content is under the Creative Commons v3.0 license.