Risk Rating Methodology
Discovering vulnerabilities is important, but being able to estimate the associated risk to the business is just as important. Early in the life cycle, one may identify security concerns in the ...
Rx iT World Hacking Tutorial
Variable Manipulation
What best practices I should remember while designing login pages?From login pages, users should be sent to a page for authentication. Once authenticated, the user should be sent to the next ...
Why Injection Happens to Good Developers
Injection is an attacker's attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter. For example, the most common example is SQL ...
Injection Flaws
An injection flaw is a vulnerability which allows an attacker to relay malicious code through an application to another system. This can include compromising both backend systems as well as other ...
Improper Error Handling
Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and ...
What is HttpOnly?
According to a daily blog article by Jordan Wiens, “No cookie for you!”, HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1.What ...
How to Write Insecure Code
In the interest of ensuring that there will be a future for hackers, criminals, and others who want to destroy the digital future, this paper captures tips from the masters on how to create insecure ...
Hibernate
Since ORM architecture isn't obvious, this document will explain some important things you need to know in order to analyze a Hibernate application in a security context. This document assumes some ...
Fuzz testing or Fuzzing
Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.A ...
Free for Open Source Application Security Tools
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that ...
Double Encoding
This attack technique consists of encoding user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from the application. It's possible ...
Component Analysis
Modern software is assembled using third-party and open source components, glued together in complex and unique ways, and integrated with original code to provide the desired functionality. ...
Broken Access Control
Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication, and ...
CSRF abuses
CSRF abuses the trust relationship between browser and server. This means that anything that a server uses in order to establish trust with a browser (e.g., cookies, but also HTTP/Windows ...
Access Control And Authorization
Access Control, also known as Authorization — is mediating access to resources on the basis of identity and is generally policy-driven (although the policy may be implicit). It is the primary ...
Validation for XSS Protection
Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from mark-up or code in the URL ...
Follina vulnerability
The Follina vulnerability represents a significant risk within Microsoft Office products. It enables remote code execution (RCE) attacks, demanding immediate attention as Microsoft has released ...
XML External Entity attack
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly ...
Using freed memory
Referencing memory after it has been freed can cause a program to crash. The use of heap allocated memory after it has been freed or deleted leads to undefined system behavior and, in many cases, to ...
Use of hard-coded password
The use of a hard-coded password increases the possibility of password guessing tremendously. ConsequencesAuthentication: If hard-coded passwords are used, it is almost certain that ...
