Most Dangerous Web App Security Risks

Thursday, April 22, 2010

Injection Flaws
Injection flaws allow attackers to relay malicious code through Web apps to another system, such as backend databases or the operating system. To remedy this, organizations can use commercial WAFs (Web application firewalls), which can include negative security signatures to identify attack payloads, according to Ryan Barnett, director of application research at Breach Security. By analyzing the outbound pages, WAFs can also identify when an injection flaw is successful by identifying information leakages.
Cross-Site Scripting
Though listed separately, Cross-Site Scripting attacks are a type of injection problem that exists when malicious scripts are injected into legitimate Websites. To deal with the issue, organizations should focus on developing proper input validation policies.
Broken Authentication and Session Management
Strong authentication mechanisms can be undermined by poor credential management tied to functions such as password changes and recovery. Organizations should strive to create a single set of strong authentication and session management controls.
Insecure Direct Object Reference
A direct object reference is when a developer exposes a reference to an internal implementation object, such as a file or directory, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization.
Cross-Site Request Forgery
CSRF (Cross-site request forgery) occurs when a Web app fails to properly verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. To prevent CSRF, include an unpredictable token in a hidden field as part of each transaction, OWASP recommends. There should be a unique token for every user session at minimum but can also be unique per request.
Security Misconfiguration
An unsecure configuration for the application, framework, Web server, application server and/or platform can spell disaster. These settings should be well-defined and relatively easy to deploy to another environment. Ideally, this process should be automated to minimize the effort required to set up a new, secure environment.
Insecure Cryptographic Storage
Web applications that do not use appropriate encryption for sensitive information such as social security numbers and credit card information leave users open to compromise in the event of an attack. Organizations should take stock of the threat landscape and make sure sensitive data is protected. Also off-site backups should be encrypted, with the keys managed and stored separately.
Failure to Restrict URL Access
According to OWASP, many Web applications check URL access rights before rendering protected links and buttons. However, applications should perform similar checks when these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. Controlling URL access also includes setting proper access rate thresholds (anti-automation) to identify/prevent denial of service, brute force and scraping attacks, said Ryan Barnett, director of application research at Breach Security.
Insufficient Transport Layer Protection
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. To prevent this, consider requiring SSL (Secure Sockets Layer) for certain pages and making non-SSL requests to those pages redirect to a SSL page.
Unvalidated Redirects and Forwards
This is new to OWASP's list. Web applications frequently redirect and forward users to other pages and Websites. If untrusted data is used to determine the destination pages, attackers could redirect victims to malicious sites. Again, the answer to this lies with proper validation.


Slickest Features in Visual Studio 2010

Thursday, April 15, 2010

IntelliTraceJustify FullThe IntelliTrace feature enables a developer to step back through a recorded history of his application’s execution to see what happened just before the application crashed, and refer to actionable bug reports that include the application's execution history.

Test Impact Analysis Window
This feature enables developers to fight regression errors with test impact analysis, which keeps developers informed about tests that need to rerun with every check-in, and improves application quality with real-time information about tests results.

Multi-Monitor Support
This feature enables developers to edit multiple files across multiple monitors, stretches their development workspace across multiple monitors and minimizes context switching between files.

C++ Improvements

This feature includes MSBUILD support for faster compilation. Also, multitargeting enables the use of multiple C++ compilers from VS2010. The new version of the tool set also includes improved IntelliSense in C++ projects.

JavaScript IntelliSense
This feature enables developers to get IntelliSense function code auto-completion support on dynamically generated JScript objects, to enjoy IntelliSense support for third-party JavaScript frameworks and also to enjoy faster IntelliSense support in client-side Web development situations.

Improved AJAX Support
This feature enables developers to easily add interactivity to their ASP.NET applications, to use the jQuery framework in their ASP.NET AJAX applications and to use client-side databound controls to improve Web application performance.

Start Page Extensibility
This feature enables developers to easily personalize their work environments and turn their start page into a custom application hosted in Visual Studio. Simply put, it enables developers to work the way they want to.

One-Click Deployment
This feature enables developers to move their database, registry and Web.config settings into production with one click, and to quickly push Website updates into production with one click. In addition, with Visual Studio 2010, xcopy deployment is much improved.

Business Connectivity Services
This feature enables developers to use Microsoft's Language Integrated Query (LINQ) with SharePoint to easily join multiple data sources. Developers also can pull in external data into SharePoint, and create Web parts and custom lists.

Silverlight Designer
With this feature developers can build one application to run on the Web and offline. Developers also can build broad-reaching Internet applications that can run offline, and get the best of both online and offline applications with new Silverlight design tools.

from: eweek


About Me

My photo
I am a woman with simple dreams. I'm easy to be with, friendly, most of the time jolly but sometimes moody, loving and sweet. I love sharing my stories of life and somehow I want other people to learn something from me.

Site Info and Links:

Blog Catalog

Related Posts with Thumbnails
Click here to view our Privacy Policy

  © Blogger template Foam by 2009

Back to TOP