This project is read-only.

Vulnerabilities for Web Applications

- J.D. Meier, Paul Enfield.

Category Vulnerabilities
Auditing and Logging * Failing to audit failed logons
* Failing to audit across application tiers
Authentication * Storing clear text credentials in configuration files
* Passing clear text credentials over the network
* Using weak passwords
* Permitting over-privileged accounts
* Permitting prolonged session lifetime
* Mixing personalization with authentication
Authorization * Relying on a single gatekeeper
* Failing to limit database access to specified stored procedures
* Using inadequate separation of privileges
Configuration Management * Using insecure configuration stores
* Storing clear text configuration data
* Using insecure administration interfaces
* Having too many administrators
Cryptography * Using custom cryptography
* Failing to secure encryption keys
* Using the wrong algorithm or a key size that is too small
* Using the same key for a prolonged period of time
* Distributing keys in an insecure manner
Exception Management * Failing to use structured exception handling
* Revealing too much information to the client
Input and Data Validation * Using non-validated input in the Hypertext Markup Language (HTML) output stream
* Failing to validate input from all sources including cookies, query string parameters, HTTP headers, databases, and network resources
* Failure to uniquely identify transactions
* Using non-validated input used to generate SQL queries
* Relying on client-side validation
* Using input file names, URLs, or user names for security decisions
* Using application-only filters for malicious input
* Looking for known bad patterns of input
* Trusting data read from databases, file shares, and other network resources
Sensitive Data * Storing secrets in code
* Storing secrets in clear text
* Storing secrets when you do not need to
* Passing sensitive data in clear text over networks
Session Management * Having insecure session state stores
* Permitting prolonged session lifetime
* Passing session identifiers over unencrypted channels
* Placing session identifiers in query strings

Last edited May 20, 2010 at 8:27 PM by paulenfield, version 2


No comments yet.