WebApp Sec mailing list archives

FW: Top Ten Web App Sec Problems


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Mon, 2 Dec 2002 11:37:48 -0500

Here's what our lead web app developer had to say about it.

-----Original Message-----
From: Jeff Samples 
Sent: Monday, December 02, 2002 11:13 AM
To: Keith T. Morgan
Subject: RE: Top Ten Web App Sec Problems


1. SQL Injection via Forms & URL parameters
2. File Traversal "../" in file uploads
3. Leaving "Execute" Permissions on folders where uploaded files go
4. Unhandled errors revealing details about databases & source code
5. Failure to treat ALL submitted content as malicious, thus leading to numbers 1 & 2 (Input validation)
6. Unchecked control structures (Do/While looping for example)
7. Data type validation within code
8. Using non-expiring cookies for login authentication
9. Inappropriate user account permissions, one example would be using a domain account to run a site and connect to a database.
10. Using column names such as "LoginID" "Username" "Password" to store authentication information in the database.
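An added example, not part of Jeff's message or anything else in this thread, showing items 1, 2, 5 and 7 of the list in Python with sqlite3. The users table, the "alice" account, the upload directory, the filename allow-list and the record-id format are all assumptions made for the demo.

```python
import os
import re
import sqlite3

UPLOAD_ROOT = "/var/www/uploads"          # assumed location, not from the thread
# Allow-list for upload names: leading alphanumeric, then up to 63 safe characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def make_db():
    """Constructed demo database: one table, one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


# Item 1: the query is built by pasting the form fields into the SQL text,
# so a quote character in the input changes the statement itself.
def login_vulnerable(conn, username, password):
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


# Same check with bound parameters: the driver passes the values separately
# from the statement, so they are never parsed as SQL.
def login_fixed(conn, username, password):
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Items 2 and 5: decide where an uploaded file goes from an allow-list of
# characters, never from the path the browser sent.
def safe_upload_path(filename, root=UPLOAD_ROOT):
    """Return the path to write to, or None if the name is rejected."""
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return None                       # any directory component is rejected
    if not SAFE_NAME.match(filename) or ".." in filename:
        return None
    dest = os.path.normpath(os.path.join(root, filename))
    # Defence in depth: the result must sit directly under the upload root.
    if os.path.dirname(dest) != os.path.normpath(root):
        return None
    return dest


# Item 7: check the type of a URL parameter before it reaches a query.
def parse_record_id(raw):
    """Accept only a short decimal string (assumed format); anything else is an error."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("record id must be 1-9 digits")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"               # comments out the password clause
    print("vulnerable, injected:", login_vulnerable(db, payload, "x"))   # True
    print("fixed, injected:     ", login_fixed(db, payload, "x"))        # False
    print("upload ../../etc/passwd ->", safe_upload_path("../../etc/passwd"))  # None
```

The injected username turns the concatenated statement into `... WHERE username = '' OR 1=1 --' AND password = 'x'`, and sqlite treats everything after `--` as a comment, so the vulnerable version logs the attacker in without a password while the parameterised version simply looks for a user literally named `' OR 1=1 --`. The upload check deliberately rejects rather than "cleans" a bad name, which is the point of item 5.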

