
OWASP Cheat Sheet Series

108 points, by MalcolmDiggs, almost 6 years ago

2 comments

rarecoil, almost 6 years ago
I'm a product security engineer. I reference these all of the time during my own work to make sure I didn't miss something stupid, but I also hand links out to them to engineers when we do find bugs in their code. Most of the time I think they're ignored.

If most engineers just took a second to read the ones that were directly pertinent to their projects and tried to be cognisant of some mitigations, I'd find substantially fewer low-hanging-fruit vulnerabilities in the first review pass. Doing so actually makes my job significantly more difficult, and forces me to dig deeper - which is a *good* thing. Instead of writing up for the 100th time some input validation spiel, I can spend time searching for more complex bugs, writing protocol fuzzers, and doing *real* analysis in the time I have for the review.
bluepnume, almost 6 years ago
The thing that I find difficult with OWASP: there don't always seem to be comprehensive examples provided for what these attack surfaces could be used for. That makes it difficult to both understand the impact of a particular issue, and test for it.

As an example: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html#always-return-json-with-an-object-on-the-outside

I'm fascinated to know how this could actually be exploited. But there's no hint or reference to that. It's just "don't do this".