Five application security threats and how to counter them
New security threats emerge every day. In order to be secure, you must be able to identify the major threats and understand how to counter them. Here is a guide to the five most common and insidious threats to application security -- and what you can do about them. The following links and articles will provide you with crucial information on application exploits and countermeasures. Are there other topics you'd like to see learning guides on? Send me an e-mail and let me know what they are. -- Jennette Mullaney, Assistant Editor.
Threats
SQL Injection
- SQL injection -- Whatis definition
- Preventing SQL Injection attacks
- Defense tactics for SQL injection attacks
- SQL injection: Developers fight back
- SQL Injection: Are your Web applications vulnerable? (PDF)
- Automated SQL injection: What your enterprise needs to know -- Part 1
- Automated SQL injection: What your enterprise needs to know -- Part 2
- Blind SQL injection: Are your Web apps vulnerable? (PDF)
- Free tool helps find SQL injection vulnerabilities
- OWASP Guide to Building Secure Web Applications and Web Services, Chapter 13: Interpreter Injection
Cross-Site Scripting Attacks
- Cross-site scripting (XSS) -- a Whatis definition
- Cross-site scripting: Intro to XSS
- Deal with cross-site scripting
- The Cross Site Scripting FAQ
- Cross-site scripting
- Preventing cross-site scripting attacks
- Cross-site tracing (XST) (PDF)
- DOM based cross-site scripting or XSS of the third kind
- When output turns bad: Cross-site scripting explained
- The anatomy of cross-site scripting (PDF)
- Threat classification: Cross-site scripting
Denial of Service
- Denial of service (DoS) -- a Whatis definition
- OWASP Guide to Building Secure Web Applications and Web Services, Chapter 22: Denial of Service
- Application Level DoS Attacks (PDF)
- Application Denial of Service
- Threat Classification: Denial of Service
- Denial of service via algorithmic complexity attacks
Buffer Overflows
- Buffer overflow -- a Whatis definition
- How to prevent buffer overflow attacks
- Myth-busting Web application buffer overflows
- OWASP Guide to Building Secure Web Applications and Web Services, Chapter 17: Buffer Overflows
- Exploiting Software: How to Break Code -- Chapter 7, Buffer Overflow
- Perl taint mode can help prevent buffer overflow vulnerabilities
- Defining and preventing buffer overflows
- Inside the buffer overflow attack: Mechanism, method & prevention
Session Hijacking
- Session hijacking -- a Whatis definition
- Session Hijacking
- An overview of session hijacking at the network and application levels
- OWASP guide to building secure Web applications and Web services, chapter 11: Session Management
- Wicked code: Foiling session hijacking attempts
- Web-based session management
- Attacks illustrate need for stronger authentication
- Theft on the Web: Prevent session hijacking
- Book excerpt -- How to Break Web Software: Functional and security testing of Web applications and Web services -- Chapter 4: State-based attacks
- iAlert white paper -- Brute-force exploitation of Web application session IDs (PDF)
More Useful Resources
- More articles on application threats from SearchAppSecurity.com
- SearchSecurity.com
- Dark Reading
- CNet's Threats Section
- WASC's Web Security Threat Classification Project
- Improving Web Application Security: Threats and Countermeasures (Book)
- infosyssec site has three search engines to find the latest threats, exploits and vulnerabilities
- Web application security threats and countermeasures (PDF)
- Secure Programming Techniques Workshop (Course)
- A cheatsheet listing all major Web application vulnerabilities that should be checked during a penetration test assignment
- Microsoft Threat Analysis & Modeling 2.0 RC1
Expert advice on Web application threats
Do you have a question about Web application threats that you're having trouble getting answered? SearchAppSecurity.com expert Jeremiah Grossman can help. Read advice he has given or submit your own questions.
Send in your suggestions
Are there other topics you'd like to see learning guides on? Send SearchAppSecurity.com's editors an e-mail at [email protected] and let them know what they are.