Merge pull request #68 from OWASP/integrate-old-versions

Integrate old versions

.github/workflows/deploy.yml

@@ -21,5 +21,5 @@ jobs:
           key: ${{ github.ref }}
           path: .cache
       - name: Install Dependencies
-        run: pip install mkdocs-material
+        run: pip install mkdocs-material mkdocs-redirects
       - run: mkdocs gh-deploy --force --clean

.wordlist.txt

@@ -3,18 +3,27 @@ ABAC
 Abdessamad
 Adriaan
 AES
+allowlist
+allowlisting
+Allowlisting
 Andreas
 APIs
 AppSec
 Aref
 ASVS
+autobinding
+backend
 Baillon
 Braiterman
 BSIMM
 caniuse
 Caniuse
+Capellan
 Cassio
 cd
+cheatsheets
+cheatsheetseries
+Checkov
 Chih
 Chorzevski
 CLI
@@ -30,13 +39,17 @@ cryptographic
 CSP
 CSRF
 CSRF
+CVE
 CWE
 Cybuck
 Cyrille
 danielmiessler
 Datz
 de
 decrypt
+denylist
+denylisting
+Denylisting
 Der
 deserialization
 deserialize
@@ -45,10 +58,12 @@ DevOps
 DevOpsSec
 DevSecOps
 DevSlop
+DNS
 docx
 DOM
 Dracea
 DSS
+DTOs
 Elnaggar
 Estrin
 Eyal
@@ -73,22 +88,30 @@ Hiroshi
 Hsiang
 HSTS
 Hsu
+html
 httpOnly
+https
 HTTPS
 IaC
+ideation
 IDOR
+intransparency
+io
 ISC
 Ishaq
 Ivashchenko
 Jasmin
+JavaScript
 JEA
 JIT
 Joubert
+JS
 JSON
 JSR
 JWS
 JWT
 JWTs
+KICS
 KMS
 Koichiro
 Kubernetes
@@ -101,52 +124,75 @@ Mair
 Manico
 Massimiliano
 MASVS
+Microservices
+Miessler
+misconfigure
 mkdocs
 Mohammed
 Nagai
+NCSC
 NIST
 nonces
+NVD
+OAuth
 OKADA
 oneconsult's
 OpenSAMM
+OpenSSF
+ORM
 Osama
 OTP
 owasp
 OWASP
 Pagel
+parametrization
 PassKeys
 PCI
 pdf
+PHPNW
 PII
 pptx
+programmatically
+py
 RBAC
-ReDos
+RCE
+realtime
+ReDoS
+Referer
 Riotaro
+Ristic
 RNG
+runtime
+Saft
 SameSite
 SAMM
+sandbopxing
 Sanitization
 SAST
 SBOM
 SBOMs
 SCA
 SecLists
+securitypatterns
 Shaheed
 ShareAlike
 Snyk
 Soares
+SQLi
+Sqlmap
 SSL
 SSLLabs
 sslyze
 SSLyze
 SSO
 SSRF
-SSRFMap
+SSRFmap
 SSTI
 Taras
 TechBeacon
 Teil
 Temmar
+templating
 Terraform
 Terrascan
 testssl
@@ -155,18 +201,24 @@ ThreeHoolagins
 ThunderSon
 Timo
 TLS
+TLSv
 Transformative
 Trivy
 TruffleHog
 UCDavies
 UI
+unencrypted
 untrusted
 Validator
+Vanhilst
 venv
 Vries
 Watanabe
 WebAuthn
+webhooks
 WrongSecrets
+www
 XEE
+XFO
 XSS
 Zudilin

docs/about-top-10/in-the-news.md

@@ -48,7 +48,7 @@ The OWASP Top 10 Proactive Controls 2018 (v3) were released.
 
 ## 2016
 
-The OWASP Top 10 Proactive Controls 2016 (v2) were released on Jan, 14th 2016.
+The OWASP Top 10 Proactive Controls 2016 (v2) were released on Jan 14, 2016.
 
 - \[1 Oct 2016\] Presented at [PHPNW16](http://conference.phpnw.org.uk/phpnw16/speakers/katy-anton/)
 - \[5 July 2016\] Featured in [Incorporating Security Best Practices     into Agile   Teams](https://www.thoughtworks.com/insights/blog/incorporating-security-best-practices-agile-teams)

docs/about-top-10/old-versions-and-translations.md

@@ -6,7 +6,7 @@ We do encourage translators to create translated versions and host them themselv
 
 ## OWASP Top 10 Proactive Controls 2018 (v3)
 
-You can find the [OWASP Top 10 Proactive Controls 2018 (vv) on GitHub](https://github.com/OWASP/www-project-proactive-controls/tree/master/v3):
+You can find the [OWASP Top 10 Proactive Controls 2018 on GitHub](https://github.com/OWASP/www-project-proactive-controls/tree/master/v3):
 
 - English version: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_10_Proactive_Controls_V3.pdf), [docx](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_10_Proactive_Controls_V3.docx), [pptx](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_Ten_Proactive_Controls_v3.pptx)
 - Available Translations (in alphabetical order):

docs/archive/2014/index.md

@@ -0,0 +1,12 @@
+# OWASP Top 10 Proactive Controls v1/2014
+
+- OWASP-2014-C1: Parameterize Queries
+- OWASP-2014-C2: Encode Data
+- OWASP-2014-C3: Validate All Inputs
+- OWASP-2014-C4: Implement Appropriate Access Controls
+- OWASP-2014-C5: Establish Identity and Authentication Controls
+- OWASP-2014-C6: Protect Data and Privacy
+- OWASP-2014-C7: Implement Logging, Error Handling and Intrusion Detection
+- OWASP-2014-C8: Leverage Security Features of Frameworks and Security Libraries
+- OWASP-2014-C9: Include Security-Specific Requirements
+- OWASP-2014-C10: Design and Architect Security In

docs/archive/2016/index.md

@@ -0,0 +1,12 @@
+# OWASP Top 10 Proactive Controls v2 (2016)
+
+- OWASP-2016-C1: Verify for Security Early and Often
+- OWASP-2016-C2: Parameterize Queries
+- OWASP-2016-C3: Encode Data
+- OWASP-2016-C4: Validate All Inputs
+- OWASP-2016-C5: Implement Identity and Authentication Controls
+- OWASP-2016-C6: Implement Appropriate Access Controls
+- OWASP-2016-C7: Protect Data
+- OWASP-2016-C8: Implement Logging and Intrusion Detection
+- OWASP-2016-C9: Leverage Security Frameworks and Libraries
+- OWASP-2016-C10: Error and Exception Handling

v3/en/0x04-introduction.md → docs/archive/2018/0x04-introduction.md

@@ -15,16 +15,16 @@ One of the main goals of this document is to provide concrete practical guidance
 ## The Top 10 Proactive Controls
 The list is ordered by importance with list item number 1 being the most important:
 
-* C1: Define Security Requirements
-* C2: Leverage Security Frameworks and Libraries
-* C3: Secure Database Access
-* C4: Encode and Escape Data
-* C5: Validate All Inputs
-* C6: Implement Digital Identity
-* C7: Enforce Access Controls
-* C8: Protect Data Everywhere
-* C9: Implement Security Logging and Monitoring
-* C10: Handle All Errors and Exceptions
+* OWASP-2018-C1: Define Security Requirements
+* OWASP-2018-C2: Leverage Security Frameworks and Libraries
+* OWASP-2018-C3: Secure Database Access
+* OWASP-2018-C4: Encode and Escape Data
+* OWASP-2018-C5: Validate All Inputs
+* OWASP-2018-C6: Implement Digital Identity
+* OWASP-2018-C7: Enforce Access Controls
+* OWASP-2018-C8: Protect Data Everywhere
+* OWASP-2018-C9: Implement Security Logging and Monitoring
+* OWASP-2018-C10: Handle All Errors and Exceptions
 
 ## How this List Was Created
 

docs/introduction/contributing.md

@@ -4,7 +4,7 @@ Please don’t hesitate to contact the OWASP Proactive Control project with your
 
 You can contact maintainers directly, use our [project-top10-proactive-controls OWASP slack channel](https://owasp.slack.com/archives/C07KNHZAN1H), or visit [our github page](https://github.com/OWASP/www-project-proactive-controls).
 
-You find the source code of the current version of the OWASP Top 10 Proactive Controls in the `docs/` directory within the git repository.
+You find the source code of the current version of the OWASP Top 10 Proactive Controls in the `docs/` directory within the git repository. Please focus upon contributions for the current version, not archived versions within `docs/archive`.
 
 When you check [our open issues on github](https://github.com/OWASP/www-project-proactive-controls/issues), you can see that some issues are tagged with `help wanted` or `good first issue`. Choose these if you want to help out the project!
 

docs/the-top-10/c10-stop-server-side-request-forgery.md

@@ -18,7 +18,7 @@ There multiple ways of preventing SSRF:
 
 - Input validation
 - If outgoing requests have to be made, check the target against an allow-list
-- If using XML, configure parsers securely to prevent XEE
+- If using XML, configure parser securely to prevent XEE
 Be aware of [Unicode and other Character transformations](https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf) when performing input validation.
 
 ## Vulnerabilities Prevented

docs/the-top-10/c3-validate-input-and-handle-exceptions.md

@@ -14,7 +14,7 @@ Injection attacks commonly occur if an application confuses data input as execut
 
 An application should check that data is **syntactically** and **semantically** valid (in that order) before using it in any way (including displaying it back to the user).
 
-- **Syntactic validity** means that the data is in the expected form. For example, an application may allow users to select a four-digit “account ID” to perform some operation. The application should assume the user is entering a SQL injection payload and check that the data entered by the user is precisely four digits in length and consists only of numbers (in addition to utilizing proper query parameterization).
+- **Syntactic validity** means that the data is in the expected form. For example, an application may allow users to select a four-digit “account ID” to perform some operation. The application should assume the user is entering a SQL injection payload and check that the data entered by the user is precisely four digits in length and consists only of numbers (in addition to utilizing proper query parametrization).
 
 - **Semantic validity** includes only accepting input within an acceptable range for application functionality and context. For example, a start date must be before an end date when choosing date ranges.
 

docs/the-top-10/c7-implement-digital-identity.md

@@ -109,7 +109,7 @@ Browser cookies are a common method for web applications to store session identi
   - Please be aware, that while stating a path during cookie setup will limit the browser to only submit the cookie if the request lies within the stated path. This protects the cookie of one application from being accessed by another application within a different path on the same server. This protection is brittle: if the “other” application has an XSS vulnerability and the attacker can introduce iframes, the “path” protection can be circumvented.
 - The ‘secure’ flag should be set to ensure the transfer is done via secure channel only (TLS).
 - HttpOnly flag should be set to prevent the cookie from being accessed via JavaScript.
-- Adding “[samesite](https://owasp.org/www-community/SameSite)” attributes to cookies prevents [some modern browsers](https://caniuse.com/#search=samesite) from sending cookies with cross-site requests and provides protection against cross-site request forgery and information leakage attacks.
+- Adding “[SameSite](https://owasp.org/www-community/SameSite)” attributes to cookies prevents [some modern browsers](https://caniuse.com/#search=samesite) from sending cookies with cross-site requests and provides protection against cross-site request forgery and information leakage attacks.
 
 ## Vulnerabilities Prevented
 

docs/the-top-10/c8-help-the-browser-defend-the-user.md

@@ -4,7 +4,7 @@
 
 Browsers are the gateway to the web for most users. As such, it's critical to employ robust security measures to protect the user from various threats. This section outlines the techniques and policies that can be implemented to bolster browser security.
 
-While we are currently focusing upon traditional web browsers, please note that there is a diverse world of other client programs out there, ranging from API clients to smart-tvs.
+While we are currently focusing upon traditional web browsers, please note that there is a diverse world of other client programs out there, ranging from API clients to smart-TVs.
 
 ### Opportunistic Security and Browser-Support
 
@@ -99,4 +99,4 @@ Implementing these browser defenses can help mitigate a range of vulnerabilities
 - [Security Headers Quick Reference](https://web.dev/articles/security-headers)
 - [Fetch Metadata Request Headers](https://www.w3.org/TR/fetch-metadata/)
 - [Fetch Metadata Resource Isolation Policy](https://web.dev/articles/fetch-metadata)
-- [Canisue.com](https://caniuse.com/)
+- [Caniuse.com](https://caniuse.com/)