Top 10 Web app security gotchas


  1. Unvalidated input

    Information from Web requests is not validated. Attackers can use these flaws to attack back-end components.


  2. Broken access control

    Restrictions on what authenticated users may do are not enforced properly. Attackers can exploit these flaws to access other users' accounts and view sensitive files.


  3. Broken authentication and session management

    Account credentials and session tokens are not protected properly. Attackers can compromise passwords, keys and session cookies and assume other users' identities.


  4. Cross-site scripting flaws

    The Web application can be used to transport an attack to a user's browser.


  5. Buffer overflows

    Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process.


  6. Injection flaws

    Web applications pass parameters when they access external systems. If an attacker can embed malicious commands in these parameters, the external system may execute those commands, letting the attacker spoof the Web site.


  7. Improper error handling

    If attackers can cause errors to occur that the Web application does not handle, they can gain detailed system information and deny service.


  8. Insecure storage

    Cryptographic functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.


  9. Denial of service

    Attackers can consume so many Web application resources that other legitimate users can no longer access or use the application.


  10. Insecure configuration management

    Lacking a strong server configuration standard, a site can have breaches from a variety of problems, such as unpatched security flaws in server software, default accounts with default passwords and misconfigured Secure Sockets Layer certificates.


Source: The Open Web Application Security Project
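Items 1 and 6 above in practice, as an added example that is not part of the OWASP list or this article: a lookup that concatenates a request parameter into a query sent to an external system (here a SQL database) beside one that validates the parameter against an allowlist and binds it as data. The table, its rows, the inputs and the function names are all constructed for this example.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the "external system".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Item 1: validate Web request input at the boundary. An allowlist pattern
# (hypothetical policy: short lowercase identifiers) rejects anything that
# is not a plausible user name before it reaches any back-end component.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

# Item 6, vulnerable form: the parameter is spliced into the command text,
# so the database interprets whatever the caller embedded as part of the
# command rather than as a value.
def lookup_vulnerable(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

# Item 6, hardened form: the parameter is bound through a placeholder, so it
# can only ever be compared as data, and it is validated first.
def lookup_hardened(conn, name):
    if not is_valid_username(name):
        return []  # rejected at the boundary; no query is issued
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed demonstration input: a quote followed by an always-true
    # clause. The vulnerable lookup returns every row; the hardened one none.
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(db, crafted))
    print(lookup_hardened(db, crafted))
```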
