Secure code notes

satya - 5/24/2018, 1:32:07 PM

OWASP: Open Web Application Security Project

satya - 5/24/2018, 1:32:33 PM

Homepage of OWASP: Open Web Application Security Project

satya - 5/24/2018, 1:34:23 PM

Top 10 PDF

satya - 5/24/2018, 1:35:19 PM

Top 10 security flaws

satya - 5/24/2018, 1:36:45 PM

CWE: Common Weakness Enumeration, a community project

satya - 5/24/2018, 1:36:59 PM

CWE: Common Weakness Enumeration, a community project: home page

satya - 5/24/2018, 1:39:26 PM

Here are some Java errors listed in CWE

satya - 5/24/2018, 1:44:50 PM

Edit fields allowing scripts

A harmless-looking edit field, when its contents are displayed back, may become executable if it contains script code.

I take it one can escape the HTML characters so that they are displayed correctly as text but not interpreted as code!!
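The escaping idea above, as an added example that is not part of the original notes: the stored comment is constructed sample input, and the rendering functions are hypothetical stand-ins for whatever view layer echoes an edit field back. Escaping happens at output time, once per HTML context (body text and quoted attribute are shown), using Python's standard `html.escape`.

```python
import html

# Constructed sample of what a user might have typed into an edit field.
STORED_COMMENT = '<script>alert("xss")</script> Nice <b>post</b>!'


def escape_for_html(value: str) -> str:
    """Turn &, <, >, " and ' into entities so the browser renders them as text."""
    return html.escape(value, quote=True)


def render_unsafe(value: str) -> str:
    """Echo the stored field back verbatim: any markup in it becomes live markup."""
    return '<p class="comment">' + value + "</p>"


def render_safe(value: str) -> str:
    """Escape at output time, in the HTML body context, before placing the text in the page."""
    return '<p class="comment">' + escape_for_html(value) + "</p>"


def render_attribute_safe(value: str) -> str:
    """Same idea inside a quoted attribute; quote=True is what keeps the attribute
    from being closed early by a quote character in the value."""
    return '<input type="text" value="' + escape_for_html(value) + '">'


def has_script_tag(fragment: str) -> bool:
    """Demonstration-only check: does the rendered fragment still contain an openable <script tag?"""
    return "<script" in fragment.lower()
```

The same principle applies on the client: assigning text through a property that treats it as text (rather than as markup) is the browser-side equivalent of escaping before output.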

satya - 5/24/2018, 1:48:26 PM

Using literals as literals to avoid SQL injection

Other than executing precompiled (parameterized) SQL, one can quote the literal string input so that it is treated strictly as a literal.

What often gets missed are the numeric input fields, which are not quoted and so are not automatically escaped. One can check these fields for their length and for being purely numeric.

satya - 5/24/2018, 1:50:05 PM

Using innerText vs innerHTML for security

satya - 5/24/2018, 1:54:26 PM

Input validation

It can be cumbersome to validate every field if one has to do it field by field. One has to figure out how to do this more globally, at key entry points.

For instance, for all incoming URLs, the controllers can automatically check fields against their specification, or against global dictionaries and global types.

Using these global specs and global field names, fields can be validated in one place.

Further, on the server side you can define URL constraints such as field1.int, field2.string, etc., so that these fields are sanitized before they are handed over to the controller code.
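The global-spec idea above, as an added example that is not part of the original notes: `FIELD_SPECS` is a hypothetical global dictionary (the "field1.int, field2.string" constraints written as a table), `validate_request` is the single entry point every request passes through, and `controller_entry` is a hypothetical decorator that runs it before any controller body sees input. Unknown field names are rejected outright, integers are checked for shape and range, and strings for length, NUL bytes and an allowed pattern.

```python
import re
from typing import Any, Callable

# Hypothetical global field dictionary shared by every controller: name -> type and constraints.
# Constructed for this example.
FIELD_SPECS: dict[str, dict[str, Any]] = {
    "user_id":  {"type": "int", "min": 1, "max": 10**9},
    "page":     {"type": "int", "min": 1, "max": 10_000},
    "username": {"type": "string", "max_len": 32, "pattern": r"[A-Za-z0-9_.-]+"},
    "q":        {"type": "string", "max_len": 200},
}


class ValidationError(ValueError):
    """Raised at the entry point; the controller never sees the bad request."""


def validate_int(name: str, raw: str, spec: dict[str, Any]) -> int:
    raw = raw.strip()
    # Numeric fields are not quoted in SQL, so shape and range are all the protection they get.
    if not re.fullmatch(r"-?\d{1,18}", raw):
        raise ValidationError(f"{name}: not an integer")
    value = int(raw)
    if not spec.get("min", value) <= value <= spec.get("max", value):
        raise ValidationError(f"{name}: out of range")
    return value


def validate_string(name: str, raw: str, spec: dict[str, Any]) -> str:
    if len(raw) > spec["max_len"]:
        raise ValidationError(f"{name}: too long")
    if "\x00" in raw:
        raise ValidationError(f"{name}: contains NUL")
    pattern = spec.get("pattern")
    if pattern and not re.fullmatch(pattern, raw):
        raise ValidationError(f"{name}: does not match allowed pattern")
    return raw


VALIDATORS: dict[str, Callable[[str, str, dict[str, Any]], Any]] = {
    "int": validate_int,
    "string": validate_string,
}


def validate_request(params: dict[str, str], required: tuple[str, ...] = ()) -> dict[str, Any]:
    """Single choke point: reject unknown names, check required ones, convert and constrain the rest."""
    missing = [name for name in required if name not in params]
    if missing:
        raise ValidationError("missing: " + ", ".join(missing))
    clean: dict[str, Any] = {}
    for name, raw in params.items():
        spec = FIELD_SPECS.get(name)
        if spec is None:
            raise ValidationError(f"{name}: unknown field")
        clean[name] = VALIDATORS[spec["type"]](name, raw, spec)
    return clean


def controller_entry(required: tuple[str, ...] = ()):
    """Decorator that runs validate_request before the controller body sees any input."""
    def wrap(handler: Callable[[dict[str, Any]], Any]):
        def run(params: dict[str, str]):
            return handler(validate_request(params, required))
        return run
    return wrap


@controller_entry(required=("user_id",))
def show_user(clean: dict[str, Any]) -> str:
    # By now user_id is a bounded int and username, if present, matches its allowed pattern.
    suffix = f" ({clean['username']})" if "username" in clean else ""
    return f"user {clean['user_id']}" + suffix
```

Because the specs live in one table, adding a field means adding one entry rather than touching every controller, and a field that is not in the table cannot reach application code at all.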

satya - 5/24/2018, 1:59:21 PM

Do you have an account-lockout feature?

satya - 5/24/2018, 2:00:54 PM

Different connections for reads and writes: perhaps if the architecture allows

satya - 5/24/2018, 2:02:34 PM

Details of SQL injection

See what the general patterns of a SQL injection are, such as ' or --.
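A worked example, added here and not part of the original notes, that serves both the "literals as literals" note and this one: the table is constructed in an in-memory SQLite database, `find_user_vulnerable` builds SQL by string concatenation, `find_user_safe` uses a parameterized statement, and `find_user_by_id` shows the length-and-digits check a numeric field needs because no quoting protects it. The probe string is the quote-plus-comment pattern named above.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> list[str]:
    """The input is pasted into the SQL text: a quote inside it ends the literal early,
    and '--' comments out the rest of the statement, including the role filter."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' AND role = 'user'"
    return sorted(row[0] for row in con.execute(sql))


def find_user_safe(con: sqlite3.Connection, name: str) -> list[str]:
    """Parameterized statement: the driver compiles the SQL first and binds the value
    separately, so the value is always a literal and never part of the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND role = 'user'"
    return sorted(row[0] for row in con.execute(sql, (name,)))


def find_user_by_id(con: sqlite3.Connection, raw_id: str) -> list[str]:
    """Numeric field: check length and digits-only before use, then bind it as a parameter."""
    if not re.fullmatch(r"\d{1,9}", raw_id):
        raise ValueError("id must be 1 to 9 digits")
    return [row[0] for row in con.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),))]


def demo() -> dict[str, object]:
    """Run the three lookups against the constructed table and return the results."""
    con = make_db()
    probe = "' OR '1'='1' --"   # the quote-plus-comment pattern from the note
    return {
        "vulnerable_probe": find_user_vulnerable(con, probe),   # ['alice', 'bob', 'carol']
        "safe_probe": find_user_safe(con, probe),               # []
        "safe_normal": find_user_safe(con, "bob"),              # ['bob']
        "by_id": find_user_by_id(con, "2"),                     # ['bob']
    }
```

The vulnerable lookup returns the admin row as well, because the role filter was commented out; the parameterized lookup searches for a user whose name is literally the probe string and finds nothing.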

satya - 5/24/2018, 2:16:08 PM

Know that a session can be hijacked in non-HTTPS traffic

satya - 5/24/2018, 2:19:30 PM

Preventing session hijacking scenarios

satya - 5/24/2018, 2:31:54 PM

Property files

Perhaps key entries (such as user id, password, server name, etc.) can be encrypted.

That still leaves the encryption key needing to be kept somewhere.

At least the files at rest cannot be read directly.