Tips and Tricks from SANS

by volkanuzun 11/6/2008 3:55:00 AM

I am taking SANS web security training. Here are some live tips and tricks :)


  • If you have file upload to the server, don't let users pick the filename (directory traversal).
  • If you have file upload to the server, don't upload the files to a folder where scripts can execute (e.g. the IIS www root).
  • Escape every input, sanitize everything; users are evil.
  • There are tools out on the internet that make attackers' lives easier.
  • Buffer overflow attacks can cause DoS, so know the language you are using on the server side.
  • Watch out for Unicode attacks; don't just look for literal <> characters, since encoded forms can slip past a naive filter.
  • Once the user logs in to your system, change the session ID to prevent session hijacking.
  • Remote file include attacks are very common in PHP environments. If you have a web site that lets the user choose templates and you pass the template file in the querystring, this can be manipulated; check and sanitize the querystring. .NET stops this kind of attack; as a developer you have to try hard to write code vulnerable to remote file include in .NET.
  • Try to have centralized validation; try to retrieve and validate in one function.
  • JavaScript can be disabled very easily :) Don't rely on JavaScript validation.
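Three of the tips above in working code, as an added example that is not from the original post or from the SANS course material: the upload name is generated server-side and stored outside the web root (so it can neither traverse nor execute), the user's template choice is resolved through an allowlist instead of being used as a path, and the session ID is rotated at login. The directories, the allowlist contents and the `SessionStore` class are hypothetical, chosen only for illustration.

```python
"""Added illustration of three tips from the post (not the post's own code):
server-generated upload names outside the web root, an allowlist for a
user-selected template, and session-id rotation at login.
All paths and names below are hypothetical."""
import secrets
import uuid
from pathlib import Path

# Hypothetical layout: uploads live OUTSIDE the directory the web server
# executes scripts from, so an uploaded .php/.aspx file is never run.
UPLOAD_ROOT = Path("/var/app/uploads")       # not under the web root
TEMPLATE_ROOT = Path("/var/app/templates")   # a server-controlled set of files

ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}

# Allowlist (hypothetical): querystring value -> template file on disk.
TEMPLATES = {"default": "default.html", "dark": "dark.html"}


def safe_upload_path(user_filename: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Ignore the client-supplied name except for its extension.

    The stored name is a random UUID, so whatever the client called the
    file, the result is always <upload_root>/<hex>.<allowed ext>.
    """
    ext = Path(user_filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    stored = upload_root / f"{uuid.uuid4().hex}{ext}"
    # Defence in depth: confirm the resolved path is still inside upload_root.
    if upload_root.resolve() not in stored.resolve().parents:
        raise ValueError("upload path escaped the upload root")
    return stored


def resolve_template(requested: str, template_root: Path = TEMPLATE_ROOT) -> Path:
    """Map a querystring value to a file via the allowlist, never as a path.

    A value that is not a key (a relative path, a URL, anything else) is
    rejected before the filesystem or any include mechanism sees it.
    """
    try:
        filename = TEMPLATES[requested]
    except KeyError:
        raise ValueError(f"unknown template: {requested!r}") from None
    return template_root / filename


class SessionStore:
    """Minimal in-memory session table (hypothetical, for illustration only)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self) -> str:
        """Anonymous session handed out before login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Authenticate and issue a NEW id, invalidating the pre-login one.

        Any id that was known before login no longer maps to anything, so a
        pre-authentication id cannot be reused to reach the logged-in session.
        """
        data = self._sessions.pop(old_sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str):
        """Return the user bound to a session id, or None if unknown."""
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    print(safe_upload_path("holiday.PNG"))
    print(resolve_template("dark"))
    store = SessionStore()
    before = store.new_session()
    after = store.login(before, "alice")
    print(before != after, store.user_for(after), store.user_for(before))
```

The upload check deliberately keeps only the extension from the client: the stored name is random, so the original filename is never used to build a path. The template lookup is a dictionary access, not a path join, which is the difference between "sanitize the querystring" and never treating it as a file reference at all.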


Tags:

Security

About the author

Volkan Uzun