WebApp Sec mailing list archives
FW: Top Ten Web App Sec Problems
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Mon, 2 Dec 2002 11:37:48 -0500
Here's what our lead web app developer had to say about it.

-----Original Message-----
From: Jeff Samples
Sent: Monday, December 02, 2002 11:13 AM
To: Keith T. Morgan
Subject: RE: Top Ten Web App Sec Problems

1. SQL Injection via Forms & URL parameters
2. File Traversal "../" in file uploads
3. Leaving "Execute" Permissions on folders where uploaded files go
4. Unhandled errors revealing details about databases & source code
5. Failure to treat ALL submitted content as malicious, thus leading to numbers 1 & 2 (Input validation)
6. Unchecked control structures (Do/While looping for example)
7. Data type validation within code
8. Using non-expiring cookies for login authentication
9. Inappropriate user account permissions, one example would be using a domain account to run a site and connect to a database.
10. Using column names such as "LoginID", "Username", "Password" to store authentication information in the database.
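Items 1, 2, 5 and 7 of the list above, shown as an added example that is not part of the original post or of any code the author describes: a Python sketch, using an in-memory sqlite3 table, of the string-concatenated query that makes SQL injection possible beside its parameterised form, an upload filename check that refuses traversal, and a data-type check on a numeric parameter. The function names, the constructed `users` table and the `/tmp/uploads` directory are assumptions of this example.

```python
import os
import re
import sqlite3


def make_db():
    # Constructed stand-in for the site's user store (assumption of this example).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # Item 1, the cause: the form value is pasted into the SQL text, so quote
    # characters in the value change the meaning of the statement.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Item 1, the fix: the value travels as a bound parameter and can never be
    # interpreted as SQL, whatever characters it contains.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def safe_upload_path(upload_dir, client_filename):
    # Items 2 and 5: the client-supplied filename is treated as hostile.
    # Reject separators and ".." outright rather than trying to clean them,
    # allow only a conservative character set, and confirm after path
    # normalisation that the target still lies inside the upload directory.
    if "/" in client_filename or "\\" in client_filename or ".." in client_filename:
        raise ValueError("path separators and '..' are not allowed")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", client_filename):
        raise ValueError("filename contains disallowed characters")
    if client_filename.startswith("."):
        raise ValueError("hidden files are not allowed")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, client_filename))
    if os.path.dirname(target) != root:
        raise ValueError("target escapes the upload directory")
    return target


def is_rejected(upload_dir, client_filename):
    # Small helper so callers can ask whether a name would be refused.
    try:
        safe_upload_path(upload_dir, client_filename)
    except ValueError:
        return True
    return False


def parse_record_id(raw):
    # Item 7: check the type and range of a numeric parameter before using it,
    # instead of trusting whatever string the request carried.
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("id must be a positive integer")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "alice"))
    print(safe_upload_path("/tmp/uploads", "report.pdf"))
    print(parse_record_id("42"))
```

The same quote-laden input that makes `find_user_unsafe` return every row is just an ordinary, non-matching username to `find_user_safe`; that difference is the whole point of item 5's "treat all submitted content as malicious".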