Tag Archives: owasp

Read that: Web Application Security Guidelines

This is a nice summary of web application security related technologies, processes, and development patterns: Design Guidelines for Secure Web Applications. A little .NET heavy, but most stuff is generally applicable.

If you read and like the above information, you should not miss the OWASP web security guidelines. This is a must read for every tester and developer. OWASP Guide Project:

Web application security is an essential component of any successful project, whether open source PHP applications, web services such as straight through processing, or proprietary business web sites. Hosters (rightly) shun insecure code, and users shun insecure services that lead to fraud. The aim of this Development Guide is to allow businesses, developers, designers and solution architects to produce secure web applications. If done from the earliest stages, secure applications cost about the same to develop as insecure applications, but are far more cost effective in the long run.

Unlike other forms of security (such as firewalls and secure lockdowns), web applications have the ability to make a skilled attacker rich, or make the life of a victim a complete misery. At this highest level of the OSI software map, traditional firewalls and other controls simply do not help. The application itself must be self-defending. The Development Guide can help you get there. The Development Guide has been written to cover all forms of web application security issues, from old hoary chestnuts such as SQL Injection, through modern concerns such as AJAX, phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues…

Lesepflicht – OWASP zu XSS

Heute gibt es einen Link über Cross-Site-Scripting (XSS), was es ist, was man dagegen tun kann oder kurz: Wie beugt man XSS vor?

Der Artikel stammt vom OWASP, der Authoriät im Sachen Internetsicherheit bzw. Informationen zur Sicherheit.

This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack.

These rules apply to all the different varieties of XSS. Both reflected and stored XSS can be addressed by performing the appropriate escaping on the server-side. The use of an escaping/encoding library like the one in ESAPI is strongly recommended as there are many special cases. DOM Based XSS can be addressed by applying these rules on the client on untrusted data.

For a great cheatsheet on the attack vectors related to XSS, please refer to the excellent XSS Cheat Sheet by RSnake. More background on browser security and the various browsers can be found in the Browser Security Handbook.

Quelle: OWASP unter CC-BY-SA-3.0