Merge pull request #176 from ossf/xss_hardcoded
Add references to labs for XSS and hardcoded credentials
david-a-wheeler authored Oct 11, 2024
2 parents fae6f87 + 3e8ffd8 commit 340666a
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions secure_software_development_fundamentals.md
Expand Up @@ -2246,6 +2246,12 @@ For outbound authentication, credentials should be stored outside the code in a

🔔 Hardcoded credentials are such a common cause of security vulnerabilities that they are 2021 CWE Top 25 #16 and 2019 CWE Top 25 #19. This weakness is [CWE-798](https://cwe.mitre.org/data/definitions/798.html), *Use of Hard-coded Credentials*. The related *Insufficiently Protected Credentials* is 2021 CWE Top 25 #21 and 2019 CWE Top 25 #27 as [CWE-522](https://cwe.mitre.org/data/definitions/522.html).

##### Lab: Hardcoded credentials

🧪 **Lab: Please try lab [hardcoded](https://best.openssf.org/labs/hardcoded.html), which lets you experiment with how to eliminate hardcoded credentials as a vulnerability.**

*Labs are optional, but you're strongly encouraged to try them!*

#### Quiz 2.2: Avoid Default & Hardcoded Credentials

\>\>Secret keys should be stored in source code so that they cannot be easily read, as they could be if they were stored in separate files. True or False?<<
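Review bot: The new heading `##### Lab: Hardcoded credentials` is one level deeper than the `#### Quiz 2.2: Avoid Default & Hardcoded Credentials` heading that follows it, so the lab renders as a sub-section of the preceding credential-storage text rather than as a sibling of the quiz; suggest `#### Lab: Hardcoded credentials` so that lab and quiz sit at the same level, matching the `#### Lab: Cross-Site Scripting (XSS)` heading added further down in this same change.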
Expand Down Expand Up @@ -3544,6 +3550,12 @@ A very mild hardening measure is to set the attribute **HttpOnly** on cookies. T

XSS is usually best countered by choosing a framework or library that automatically escapes output for you. However, programs often have many outputs. It would be best if we paired this solution with something else that limited the damage when a mistake *is* made. On the web there is a solution: the Content Security Policy (CSP). The next unit will discuss this.

#### Lab: Cross-Site Scripting (XSS)

🧪 **Lab: Please try lab [xss](https://best.openssf.org/labs/xss.html), which lets you experiment with how to counter cross-site scripting (XSS) vulnerabilitiesies.**

*Labs are optional, but you're strongly encouraged to try them!*

#### Quiz 4.2: Countering Cross-Site Scripting (XSS)

\>\>Choosing a framework or library that automatically escapes HTML output is often one of the best ways to counter XSS attacks. True or False?<<
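Review bot: Typo in the added lab sentence: "vulnerabilitiesies" should read "vulnerabilities". Separately, this hunk uses a level-4 heading (`#### Lab: Cross-Site Scripting (XSS)`) while the hardcoded-credentials lab added earlier in this commit uses level 5 (`##### Lab: Hardcoded credentials`); the two lab headings should use the same level so the labs are navigable consistently alongside their quizzes.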
