Getting Insecure
The Open Web Application Security Project (OWASP) is an all-volunteer group of IT security professionals that produces free, open-source documentation, tools and standards related to (as their name implies) the security of Web-based applications. For the past two years, OWASP has been publishing a Top 10 list of the most critical Web application security vulnerabilities.
The list for 2004 includes (drum roll please)…
1. Unvalidated input.
Many Web applications do not validate input before submitting it to their backend. And many that do only use JavaScript validation, which can easily be circumvented. Attackers are well aware of this No. 1 security flaw and can easily send invalid--and malicious--input to backend components.
2. Broken access control.
Applications don't always properly enforce access control rules and restrictions. As a result, attackers often have free access to files, information and/or functions that should have been forbidden.
3. Broken authentication.
Account credentials and session tokens aren't always properly protected and/or managed. A smart attacker can therefore compromise passwords, keys, session cookies or other tokens, easily bypass your system's authentication mechanism and assume another user's identity.
4. Cross-site scripting.
An attacker can use cross-site scripting (sometimes known as XSS) to transport or send
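Because a client-side JavaScript check can be skipped by anyone who posts to the backend directly (item 1 above), the server has to validate every field itself. The following is an added example, not code from the article or from OWASP: a plain Node.js validator that allowlists each field of a hypothetical order form. RULES, validateOrder and the two sample request bodies are constructed for illustration.

```javascript
// Added example: server-side validation of a form submission in plain
// Node.js, no framework. RULES, validateOrder and the sample requests are
// hypothetical. A client-side JavaScript check can be skipped by anyone who
// posts to the backend directly, so the backend re-validates every field
// against an allowlist before trusting it.

const RULES = {
  // field -> allowlist pattern (and numeric range where relevant)
  username: { pattern: /^[a-z0-9_]{3,20}$/ },
  email:    { pattern: /^[^\s@]{1,64}@[a-z0-9.-]{1,253}\.[a-z]{2,}$/i },
  quantity: { pattern: /^[0-9]{1,3}$/, min: 1, max: 100 },
};

// body: the raw, untrusted request body (field name -> value) exactly as the
// backend received it. Returns { ok: true, value } or { ok: false, errors }.
function validateOrder(body) {
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const raw = body[field];
    // Missing fields and non-strings (arrays from repeated parameters,
    // objects from a JSON body) are rejected rather than coerced.
    if (typeof raw !== 'string') {
      errors.push(`${field}: missing or wrong type`);
      continue;
    }
    if (!rule.pattern.test(raw)) {
      errors.push(`${field}: not in allowed format`);
      continue;
    }
    if (rule.min !== undefined) {
      const n = Number(raw);
      if (n < rule.min || n > rule.max) {
        errors.push(`${field}: out of range ${rule.min}-${rule.max}`);
        continue;
      }
      value[field] = n;
    } else {
      value[field] = raw;
    }
  }
  // Parameters not listed in RULES (e.g. an injected "role") are dropped.
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Constructed sample bodies: one from the real form, one crafted to bypass it.
const FROM_FORM = { username: 'alice_01', email: 'alice@example.com', quantity: '2' };
const BYPASSED = { username: '<script>alert(1)</script>', email: 'x', quantity: '999', role: 'admin' };
```

The same RULES table can also drive the browser-side check for user convenience, but only the server-side call decides whether the request is accepted.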