Merge pull request #2 from 0xn3va/develop

Small updates
0xn3va · Aug 9, 2023 · e00911e · e00911e
2 parents 3c6e133 + cf4d1ec
commit e00911e
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 27 deletions.
diff --git a/INTRODUCTION.md b/INTRODUCTION.md
@@ -1,10 +1,8 @@
-# Application Security Handbook
-
 A knowledge base of best practices for application security.
 
 Feel free to point out mistakes and write your ideas [here](https://github.com/0xn3va/application-security-handbook/issues/new).
 
-## Overview
+# Overview
 
 This project contains a knowledge base of best practices for application security for software developers and application security engineers.
 
@@ -19,7 +17,7 @@ Required requirements represent a necessary minimum that must be taken into acco
 Please note that some requirements may have a negative impact on business processes or may not be applicable to an application. In this case, adapt them taking into account local conditions.
 {% endhint %}
 
-## Why does it exist?
+# Why does it exist?
 
 There are many resources where you can find the best practices for secure development like [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org) or [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/). However, all of these resources are more focused on the infosec guys. From the developer's point of view, these resources are too cumbersome and require their processing into understandable development requirements. This project exists precisely to facilitate this work and to provide best practices in the form of requirements that can be directly used in development tasks.
 

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Application Security Handbook
 
-A knowledge base of best practices for application security. You can find the Gitbook version [here]( ).
+A knowledge base of best practices for application security. You can find the Gitbook version [here](https://0xn3va.gitbook.io/application-security-handbook/).
 
 Feel free to point out mistakes and write your ideas [here](https://github.com/0xn3va/application-security-handbook/issues/new).
 

diff --git a/Web Application/Vulnerability Mitigation/Command Injection/README.md b/Web Application/Vulnerability Mitigation/Command Injection/README.md
@@ -32,7 +32,25 @@ For example, use `mkdir(name)` instead of `system('mkdir ${name}')`.
 
 - Use parameterized methods that allow automatically applying a separation between data and command, see the [Parameterized command execution implementation](#parameterized-command-execution-implementation) section.
 
-    Usually parameterized methods take a list as input (a command name and its arguments), **not** a string. So, if a method accepts a string, this method is most likely vulnerable to command injection.
+    - Usually parameterized methods take a list as input (a command name and its arguments), **not** a string. So, if a method accepts a string, this method is most likely vulnerable to command injection.
+
+- If it is not possible to use APIs or parameterized methods, you can use environment variables to pass user-controlled data.
+- Do **not** use user-controlled data as a name when setting environment variables. Instead, generate random names.
+
+<details>
+<summary>Clarification</summary>
+
+Environment variables can be used to inject commands and execute arbitrary code. You can find a list of dangerous environment variables at [Application Security Cheat Sheet: Command Injection](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection).
+</details>
+
+- Implement comprehensive input validation, see the [Input Validation](/Web%20Application/Input%20Validation/README.md) page.
+
+    - Define an allow list of commands.
+    - Define an allow list of arguments.
+    - Define an allow list of characters (alphanumeric characters only) to validate commands, arguments and operands.
+    - Define an allow list of environment variable names.
+    - Define an allow list of environment variable values.
+    - Do **not** use block list validation.
 
 - Do **not** run commands inside of a shell.
 
@@ -53,13 +71,6 @@ For example, use `mkdir(name)` instead of `system('mkdir ${name}')`.
         const cmd = spawn('cmd arg1 arg2', { shell: true });
         ```
 
-- Implement comprehensive input validation, see the [Input Validation](/Web%20Application/Input%20Validation/README.md) page.
-
-    - Define an allow list of commands.
-    - Define an allow list of arguments.
-    - Define an allow list of characters (alphanumeric characters only) to validate commands, arguments and operands.
-    - Do **not** use block list validation.
-
 - Use `--` to separate operands from arguments.
 
 <details>
@@ -87,20 +98,6 @@ system('ls', '--', user_input)
 ```
 </details>
 
-- Do **not** use user-controlled data to set environment variables.
-
-<details>
-<summary>Clarification</summary>
-
-Environment variables can be used to inject commands and execute arbitrary code. You can find a list of dangerous environment variables at [Application Security Cheat Sheet: Command Injection](https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection).
-</details>
-
-- If it is necessary to set environment variables, implement comprehensive input validation, see the [Input Validation](/Web%20Application/Input%20Validation/README.md) page.
-
-    - Define an allow list of environment variable names.
-    - Define an allow list of environment variable values.
-    - Do **not** use block list validation.
-
 - Be aware that methods not directly related to executing OS commands can execute OS commands under the hood and be vulnerable to command injection.
 
 <details>