The Web Application Security Consortium is proud to present 'Common Security
Problems in the
Code of Dynamic Web Applications' written by Sverre H. Huseby.
"In the last few years an increasing number of web programmers have started
realizing that the
code they write for a living plays a major part in the overall security of a
web site. Even
though the administrators install state of the art firewalls, keep
off-the-shelf software
patched and protect communication with heavy encryption, there are many ways to
attack the
logic of the custom-made application code itself.
There is seemingly an infinite number of different logical glitches that may
lead to exploitable
security problems in a web application. But even though the number of glitches
may be infinite,
many of the most frequently occurring glitches may be put in one of the
following, rather limited
set of categories:
* Failure to deal with metacharacters of a subsystem
* Authorization problems due to giving too much trust in input
That's only two categories, and they cover much of the web application security
hype published in
the last eight years or so."
This document can be found at
http://www.webappsec.org/projects/articles/062105.shtml .
Regards,
- Robert Auger
articles_at_webappsec.org
http://www.webappsec.org
------------------------------------------------------------------------------------
Are you interested in writing a 'Guest Article' for the WASC? Additional
information
on article guidelines may be found at http://www.webappsec.org/articles/.
Inquires
can be sent to articles_at_webappsec.org
"Contributed articles may include industry best practices, technical
information about
current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR
MARKETING
GIMMICKS PLEASE. We are only soliciting concrete information from the experts
on the
front lines of the web application security field."
<a href="http://www.webappsec.org";>http://www.webappsec.org</a>
------------------------------------------------------------------------------------
