Saturday, August 20, 2005
Application level vulnerabilities
I was cleaning up my computer and found a list of application-level vulnerabilities and things you need to consider when testing your application for security, which I had authored a couple of years ago. The items on the list still seem relevant today, so I am publishing it on my blog. Here it is:
- Hidden form field manipulation
- Parameter tampering (e.g. an invalid session id or an incremental user id)
- Bypassing client-side input validation (turning off JavaScript in the browser)
- Developer defined application backdoors and debug options
- Cookie poisoning
- Cross site scripting and Session hijacking
- Buffer overflow
- Published known vulnerabilities for the components involved in the web application (For example if your application uses embedded software and a vulnerability is published for that embedded piece, then your application is vulnerable too)
- Sample applications or pages and known application paths (e.g. /logs or /admin)
- Examination of application-to-application interaction such as between your application and various other servers
- Brute force password attacks, password guessing and password sniffing. Also of importance is the error message: it should only state a generic message instead of giving out specific details. This is worse for the user experience, but better from the security standpoint.
- How well does the application handle client session cancellation and expiry
- Use of HTTP methods to send data over to the server (GET request parameters become part of the URL and are normally stored in the browser's history)
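As an added illustration (not part of the original post), here is a small Python handler showing the server-side stance several of the items above call for: the price from a hidden form field is ignored, the acting user comes from the session rather than a client-supplied user id, client-side validation is repeated on the server, and every failure returns the same generic message while the specific reason goes to a log. The catalogue, session and order data are constructed samples, not a real application's.

```python
import re

# Constructed sample data standing in for a real catalogue, session store and
# order table; prices are in cents and are the server-side source of truth.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}
SESSIONS = {"session-a": 42, "session-b": 43}       # session id -> user id
ORDERS = {"order-1": 42, "order-2": 43}             # order id -> owning user id
SKU_RE = re.compile(r"sku-\d{3}")
GENERIC_ERROR = "The request could not be processed."  # same text for every failure


class RequestError(Exception):
    """Raised with a generic message; the specific reason goes to the log only."""


def current_user(cookies, log):
    # Parameter tampering: the acting user is derived from the server-side
    # session, never from a user_id field the client could increment.
    user = SESSIONS.get(cookies.get("sid", ""))
    if user is None:
        log.append("invalid or missing session id")
        raise RequestError(GENERIC_ERROR)
    return user


def checkout(form, cookies, log):
    user = current_user(cookies, log)
    # Hidden form field manipulation: the price the client sent is ignored and
    # looked up server-side from the item id instead.
    sku = form.get("item_id", "")
    if not SKU_RE.fullmatch(sku) or sku not in CATALOGUE:
        log.append(f"user {user}: rejected item_id {sku!r}")
        raise RequestError(GENERIC_ERROR)
    # Client-side validation bypass: quantity is re-checked here even though
    # the page's JavaScript also validates it, since that check can be disabled.
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        qty = 0
    if not 1 <= qty <= 10:
        log.append(f"user {user}: rejected qty {form.get('qty')!r}")
        raise RequestError(GENERIC_ERROR)
    return {"user": user, "item": sku, "total_cents": CATALOGUE[sku] * qty}


def view_order(order_id, cookies, log):
    user = current_user(cookies, log)
    # Incremental id guessing: an order is only returned to the user who owns
    # it; a missing order and a foreign order produce the identical error.
    if ORDERS.get(order_id) != user:
        log.append(f"user {user}: denied access to order {order_id!r}")
        raise RequestError(GENERIC_ERROR)
    return {"order": order_id, "owner": user}
```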
Copyright Anand Jain 2004, 2005. All rights reserved.