New cheat sheet: Incident Response for Web Applications.

Open ChaseOnTheWeb opened this issue 1 year ago • 6 comments

Credit goes to @aditya6298 for creating it, I'm just making the PR.

This PR covers issue #1235.

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

:triangular_flag_on_post: If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • [x] In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • [ ] All the markdown files do not raise any validation policy violation, see the policy.
  • [x] All the markdown files follow these format rules.
  • [ ] All your assets are stored in the assets folder.
  • [ ] All the images used are in the PNG format.
  • [x] Any references to websites have been formatted as [TEXT](URL)
  • [ ] You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • [ ] The CI build of your PR passes, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR covers issue #<REPLACE WITH ISSUE NUMBER>.

Thank you again for your contribution :smiley:

ChaseOnTheWeb avatar Aug 07 '24 21:08 ChaseOnTheWeb

That took care of the "IDS" issue! Now there's a new error: cheatsheets/Incident_Response_for_Web_Applications_Cheat_Sheet.md:18 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "- Employ anomaly detection alg..."]

Also do you mean "Short" instead of "Snort"?

szh avatar Aug 08 '24 14:08 szh

> Also do you mean "Short" instead of "Snort"?

Snort is an IDS product. That line looks to be a sample rule for it.

ChaseOnTheWeb avatar Aug 08 '24 14:08 ChaseOnTheWeb

FYI I opened a discussion in textlint-rule-terminology about the IDS/IDs trouble.

ChaseOnTheWeb avatar Aug 08 '24 16:08 ChaseOnTheWeb

@kwwall Any chance you can review this? Thanks!

szh avatar Aug 14 '24 13:08 szh

> @kwwall Any chance you can review this? Thanks!

To @szh - Be careful what you ask for. :wink:

kwwall avatar Aug 15 '24 04:08 kwwall

@ChaseOnTheWeb can you respond to comments from @kwwall ;-)

mackowski avatar Aug 29 '24 06:08 mackowski

@ChaseOnTheWeb - Do you intend to respond? I've had unresolved comments since Aug 14, 2024. If you want a 2nd opinion, I'm sure I can get someone I know who specializes in IR to comment on it, but they'd likely have way more things they would want changed than the relatively minor things I've requested. Please let us know one way or another. It's okay to say "Never mind. I'm not interested in making the requested changes" or "I don't have time" or whatever. No one in this group will think any less of you. But at least then we can close this PR and move on. Thanks in advance for letting us know.

kwwall avatar Dec 20 '24 04:12 kwwall

I won't be able to work on this further at this time. My only involvement was to open the PR based on the work already done in #1235 during a hackathon.

ChaseOnTheWeb avatar Jan 02 '25 20:01 ChaseOnTheWeb

@ChaseOnTheWeb - Okay. No worries. @szh - I put a HELP_WANTED label on this. Let's give it a month or 2 and see if someone wants to pick this up. If not, I suppose we can just close it.

kwwall avatar Jan 27 '25 00:01 kwwall

Can you perhaps remove some of the controversial stuff and try to get at least a minimum version of this live soon?

jmanico avatar Apr 11 '25 22:04 jmanico

@jmanico wrote:

> Can you perhaps remove some of the controversial stuff and try to get at least a minimum version of this live soon?

Jim, who exactly is the 'you' here? @ChaseOnTheWeb already responded about not being able to work on this further at this time, I already mentioned that I don't really have enough DFIR expertise, and to my knowledge, no one has responded to the 'HELP_WANTED' call.

If you wish, I can send out some emails to former colleagues of mine who used to do IR to see if they possibly could pitch in, but I'm not going to hold my breath. I suppose someone could put out a request for help on one of the OWASP Slack channels and possibly LinkedIn, if we want to carry this through. But I also suspect they might rather start from scratch rather than trying to carry this across the finish line.

Or we can just close this PR and be done with it. I'll leave that decision to @szh, @mackowski, and @jmanico.

kwwall avatar Apr 12 '25 15:04 kwwall

I would rather just clean up what we have and push a minimum DFIR cheatsheet out. These are cheatsheets and not meant to be comprehensive. And there is good stuff there already, I would hate to lose it.

jmanico avatar Apr 12 '25 16:04 jmanico

I see three options:

  1. Decide we're not qualified or willing to spend the time to fix it up and close the PR,
  2. Leave the PR open for a while to see if someone else wants to pick it up,
  3. Decide to take the time to remove anything we're unsure about and merge it.

If it were just me I'd probably pick option 1, but if others are willing to do option 3 I'm happy to help out.

szh avatar Apr 15 '25 12:04 szh

I surrender and agree to close this out until someone else wants to clean it up.

jmanico avatar Apr 15 '25 20:04 jmanico