Five application security threats and how to counter them

TABLE OF CONTENTS
  [IMAGE] Threats

1. SQL injection
2. Cross-Site Scripting Attacks
3. Denial of Service
4. Buffer Overflows
5. Session Hijacking

1. SQL Injection
   (Return to Table of Contents)
   • SQL injection -- Whatis definition
   • Preventing SQL Injection attacks
   • Defense tactics for SQL injection attacks
   • SQL injection: Developers fight back
   • SQL Injection: Are your Web applications vulnerable? (PDF)
   • Automated SQL injection: What your enterprise needs to know -- Part 1
   • Automated SQL injection: What your enterprise needs to know -- Part 2
   • Blind SQL injection: Are your Web apps vulnerable? (PDF)
   • Free tool helps find SQL injection vulnerabilities
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 13: Interpreter Injection

2. Cross-Site ...
   
   To continue reading for free, register below or login

   Requires Membership to View

   To gain access to this and all member only content, please provide the following information:

   Email Address:
   
   
   

   By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   To read more you must become a member of SearchSoftwareQuality.com

   As an existing member of the TechTarget network please activate your SearchSoftwareQuality.com account 

   By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   
   
   

   Digg This!     StumbleUpon     Del.icio.us

   
   
   
   

   RELATED CONTENT Threat modeling Web application security and the PCI DSS The essentials of Web application threat modeling How to implement security in Java EE and Java ME Application security shouldn't involve duct tape, Band-Aids or bubble gum Stop SQL injection attacks on applications How to counter XSS attacks Breaking the same origin barrier of JavaScript Protection against "zero-minute" exploits Denial of service and Ajax CSRF attack vector with Ajax serialization Building security into the SDLC (Software development life cycle) Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science'

   RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

   
   
   Scripting Attacks
   (Return to Table of Contents)

   • Cross-site scripting (XSS) -- a Whatis definition
   • Cross-site scripting: Intro to XSS
   • Deal with cross-site scripting
   • The Cross Site Scripting FAQ
   • Cross-site scripting
   • Preventing cross-site scripting attacks
   • Cross-site tracing (XST) (PDF)
   • DOM based cross-site scripting or XSS of the third kind
   • When output turns bad: Cross-site scripting explained
   • The anatomy of cross-site scripting (PDF)
   • Threat classification: Cross-site scripting

3. Denial of Service
   (Return to Table of Contents)
   • Denial of service (DoS) -- a Whatis definition
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 22: Denial of Service
   • Application Level DoS Attacks (PDF}
   • Application Denial of Service
   • Threat Classification: Denial of Service
   • Denial of service via algorithmic complexity attacks

4. Buffer Overflows
   (Return to Table of Contents)
   • Buffer overflow -- a Whatis definition
   • How to prevent buffer overflow attacks
   • Myth-busting Web application buffer overflows
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 17: Buffer Overflows
   • Exploiting Software: How to Break Code -- Chapter 7, Buffer Overflow
   • Perl taint mode can help prevent buffer overflow vulnerabilities
   • Defining and preventing buffer overflows
   • Inside the buffer overflow attack: Mechanism, method & prevention

5. Session Hijacking
   (Return to Table of Contents)
   • Session hijacking -- a Whatis definition
   • Session Hijacking
   • An overview of session hijacking at the network and application levels
   • OWASP guide to building secure Web applications and Web services, chapter 11: Session Management
   • Wicked code: Foiling session hijacking attempts
   • Web-based session management
   • Attacks illustrate need for stronger authentication
   • Theft on the Web: Prevent session hijacking
   • Book excerpt -- How to Break Web Software: Functional and security testing of Web applications and Web services – Chapter 4: State-based attacks
   • iAlert white paper – Brute-force exploitation of Web application session IDs(PDF)

[IMAGE]  More Useful Resources

[Return to Table of Contents]

[IMAGE]Expert advice on Web application threats

Do you have a question about Web application threats that you're having trouble getting answered? SearchAppSecurity.com expert Jeremiah Grossman can help. Read advice he has given or submit your own questions.

• More articles on application threats from SearchAppSecurity.com
• SearchSecurity.com
• Dark Reading
• CNet's Threats Section
• WASC's Web Security Threat Classification Project
• Improving Web Application Security: Threats and Countermeasures (Book)
• infosyssec site has three search engines to find the latest threats, exploits and vulnerabilities
• Web application security threats and countermeasures(PDF)
• Secure Programming Techniques Workshop (Course)
• A cheatsheet listing all major Web application vulnerabilities that should be checked during a penetration test assignment
• Microsoft Threat Analysis & Modeling 2.0 RC1

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send SearchAppSecurity.com's editors an e-mail at editor@searchappsecurity.com and let them know what they are.