Common web application threats
SQL Injection : Attacker-controlled input is concatenated into the application's SQL text, changing the structure of the statement and producing queries the developer never intended.

Avoid building queries from strings at run time; use parameterised queries (prepared statements) so the query shape is fixed and user input is only ever bound as data. Access the database only through properly tested libraries, never through hand-rolled escaping.

OS Command Injection : Attacker-controlled input alters the OS commands the application executes, typically by injecting shell metacharacters such as ; | or $( ).

Implement strict allowlist input validation (reject anything outside the expected character set), and invoke programs directly with an argument list rather than through a shell that would interpret the input.
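As an added example (not from the original post), the same "look up a host" operation is run three ways. The vulnerable form passes a shell command line built from the input, so a payload containing ; runs a second command. Passing an argument list without a shell hands the metacharacters to the program literally, which already stops this payload; the strict hostname allowlist on top also rejects values that begin with - and could be read as options by the invoked program. The hostname pattern and the use of echo as a stand-in for a real resolver are constructed for the example so it runs offline.

```python
import re
import subprocess

# Allowlist constructed for this example: a DNS-style name must start
# with a letter or digit and contain only letters, digits, dots and hyphens.
# Starting with an alphanumeric also rules out option-like values such as "-n".
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_allowed_hostname(value):
    """Strict allowlist check; anything not matching the pattern is rejected."""
    return HOSTNAME_RE.fullmatch(value) is not None


def describe_vulnerable(host):
    """VULNERABLE: the input is spliced into a command line run by /bin/sh."""
    out = subprocess.run("echo resolving " + host, shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def describe_argv_only(host):
    """No shell involved: the host is one argv element, metacharacters included."""
    out = subprocess.run(["echo", "resolving", host],
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def describe_safe(host):
    """Allowlist validation plus argv execution: reject, do not try to sanitise."""
    if not is_allowed_hostname(host):
        raise ValueError(f"rejected host: {host!r}")
    return describe_argv_only(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("shell=True :", describe_vulnerable(payload))   # second command ran
    print("argv list  :", describe_argv_only(payload))    # one literal argument
    print("validated  :", describe_safe("example.com"))
    try:
        describe_safe(payload)
    except ValueError as exc:
        print("validated  :", exc)
```

The argv form alone defeats shell metacharacters but not argument injection into the target program (a value starting with - may be parsed as a flag), which is why the allowlist is kept even when no shell is used.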

XSS – Cross-Site-Scripting : Attacker injects JavaScript or other executable content into pages the application serves, so that it runs in other users' browsers.

Filtering <script> tags out of input is not a sufficient defence: event-handler attributes such as onerror, javascript: URLs and attribute breakouts carry no script tag at all, and single-pass filters can be bypassed with nested tags. Encode output for the context it is inserted into (HTML body, attribute, JavaScript, URL) and treat input filtering only as defence in depth.
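An added example, not code from the original post: a comment renderer that relies on stripping <script> tags next to one that HTML-encodes the comment for the body and quoted-attribute contexts. The payloads are constructed for the example. The filter leaves an onerror handler untouched and is defeated outright by a nested tag, whereas encoding turns every character with HTML meaning into an entity so the browser renders text rather than markup.

```python
import html
import re

# The inadequate defence: remove <script ...> and </script> tags, nothing else.
SCRIPT_TAG_RE = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(user_input):
    """Single-pass tag removal, as a naive input filter would do it."""
    return SCRIPT_TAG_RE.sub("", user_input)


def render_comment_filtered(comment):
    """VULNERABLE: trusts the tag filter and inserts the result as raw HTML."""
    return "<p>" + strip_script_tags(comment) + "</p>"


def render_comment_encoded(comment):
    """Safe in HTML body context: <, >, &, " and ' become entities."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def render_title_attr_encoded(value):
    """Safe in a double-quoted attribute context for the same reason:
    the quote character is encoded, so the value cannot close the attribute."""
    return '<a href="/item" title="' + html.escape(value, quote=True) + '">item</a>'


# Constructed payloads for the example.
EVENT_HANDLER_PAYLOAD = '<img src=x onerror="alert(1)">'
NESTED_TAG_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>"
ATTRIBUTE_BREAKOUT_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_filtered(EVENT_HANDLER_PAYLOAD))   # handler survives
    print(render_comment_filtered(NESTED_TAG_PAYLOAD))      # filter rebuilds <script>
    print(render_comment_encoded(EVENT_HANDLER_PAYLOAD))    # inert text
    print(render_title_attr_encoded(ATTRIBUTE_BREAKOUT_PAYLOAD))
```

Encoding is chosen per output context; html.escape covers body text and quoted attributes, while values placed inside JavaScript or URLs need their own encoders.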

Classic Buffer Overflow : The application copies input into a fixed-size destination buffer without checking that the destination is large enough, so the excess bytes overwrite adjacent memory.

Always check that the destination buffer can hold the source data before copying, and prefer length-bounded copy routines over unbounded ones such as strcpy.

Accessing restricted paths/files (path traversal) : Attacker constructs a file or directory path, typically containing ../ sequences, that reaches files the application never intended to expose.

Store sensitive files outside the web root and secure them by granting permissions only to authorized parties. When a request names a file, canonicalise the resulting path and verify it still lies under the intended directory before opening it.
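An added example, not from the original post: a path check that canonicalises the requested path and verifies containment with os.path.commonpath, next to the common but insufficient string-prefix test. The root /srv/app/files and the requested names are constructed for the example and need not exist; realpath also collapses ../ components lexically for missing paths. The prefix test accepts /srv/app/files2/secret because the string starts with /srv/app/files; the commonpath test rejects it.

```python
import os


def resolve_under_root(root, requested):
    """Return the absolute path for `requested` only if it lies inside `root`.

    realpath resolves '..' components and symbolic links, so both traversal
    sequences and symlinks pointing outside the root are caught; commonpath
    compares whole path components, not string prefixes.
    """
    root = os.path.realpath(root)
    # If `requested` is absolute, join() discards root; realpath then
    # resolves it and the containment check below rejects it.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def naive_resolve(root, requested):
    """INSUFFICIENT: a string prefix test lets sibling directories through."""
    candidate = os.path.normpath(os.path.join(root, requested))
    return candidate if candidate.startswith(root) else None


# Constructed document root for the example.
ROOT = "/srv/app/files"

if __name__ == "__main__":
    for name in ["reports/q1.txt", "../../../etc/passwd", "/etc/passwd",
                 "../files2/secret"]:
        print(f"{name!r:28} naive={naive_resolve(ROOT, name)!r:30} "
              f"checked={resolve_under_root(ROOT, name)!r}")
```

Apply the check after the web framework has URL-decoded the request, otherwise an encoded ../ (%2e%2e%2f) reaches the filesystem layer undecoded and the comparison is made against the wrong string.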

Missing authentication : Lack of sufficient authentication for critical functions, so an attacker can reach them without proving any identity.

Identify all communication channels and require authentication on every one. Identify user groups and implement authorization for each. Avoid custom authentication schemes or use single…
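An added example, not from the original post, of the "authenticate everything, then authorise by group" advice as a single enforcement point: a tiny dispatcher in which every registered function requires an authenticated session unless explicitly marked public, and a function that names a required group refuses sessions that lack it. Checking once in the dispatcher rather than inside each handler is what prevents a critical function from being added later without a check. Route names, group names and the session dictionaries are constructed for the example.

```python
# Registry of handlers: path -> (handler, required_group, is_public).
ROUTES = {}


def route(path, group=None, public=False):
    """Register a handler. Anything not marked public needs a session;
    anything naming a group additionally needs membership in that group."""
    def register(handler):
        ROUTES[path] = (handler, group, public)
        return handler
    return register


@route("/health", public=True)
def health(session):
    return "ok"


@route("/profile")
def profile(session):
    return "profile of " + session["user"]


@route("/admin/users", group="admin")
def admin_users(session):
    return "user list"


def dispatch(path, session):
    """Central enforcement point. Returns (status, body).

    `session` is None for an unauthenticated request, otherwise a dict with
    'user' and a set of 'groups' (constructed shape for this example).
    """
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    handler, group, public = entry
    if public:
        return 200, handler(session)
    if session is None:
        return 401, "authentication required"      # deny by default
    if group is not None and group not in session.get("groups", set()):
        return 403, "forbidden"                    # authenticated, wrong group
    return 200, handler(session)


if __name__ == "__main__":
    staff = {"user": "bob", "groups": {"staff"}}
    admin = {"user": "alice", "groups": {"staff", "admin"}}
    print(dispatch("/admin/users", None))
    print(dispatch("/admin/users", staff))
    print(dispatch("/admin/users", admin))
    print(dispatch("/health", None))
```

The same dispatcher should sit in front of every channel the application exposes (browser routes, JSON API, internal admin port), so that no path to a critical function bypasses the check.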
