Friday 28 October 2011

Week 7 - Web Application Security (OWASP, Mutillidae)

So for this week's lab/class we talked about web application security and some of the ways vulnerabilities in web applications get exploited. We learned how to carry out basic cross-site scripting (XSS) attacks, SQL injection, and cross-site request forgery (CSRF).

We also took a look at the OWASP Top 10, OWASP's list of the ten most critical web application security risks. OWASP is a worldwide non-profit organization whose focus is improving web application security by making the problems visible, so that people know what kinds of issues exist. Here is the OWASP Top 10 for 2010:

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

OWASP publishes a .pdf that details each of these vulnerabilities: how they work, how to prevent them, and further useful resources. If you are a web developer and have not read this document or some variation of it, I strongly suggest you do.

Lastly, we were assigned this week's lab, which required us to install Mutillidae. Mutillidae is a deliberately vulnerable set of PHP scripts that together form a website; it can be exploited in various ways to illustrate the vulnerabilities in the OWASP Top 10 and how they are exploited. Because it is vulnerable by design, it should only be run on an isolated VM or lab network, never on a host reachable from the internet. The idea is that the more you know about how the vulnerabilities are exploited, the easier it will be for you to stop them from happening.
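To make A1 (Injection) concrete, here is an added example of my own; it is not code from the original post and not Mutillidae's PHP. It uses Python and an in-memory SQLite database with a constructed users table (the usernames and passwords are made up for the demo). The same login check is written twice: once by gluing the user's input into the SQL string, the way a vulnerable Mutillidae page does it, and once with bound parameters. The classic payload `admin' --` logs in as admin through the first version and fails through the second, because with parameters the input is treated as data rather than as part of the query.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not real credentials).
USERS = [
    ("admin", "correct horse battery staple"),
    ("alice", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that concatenates user input into the SQL text.

    This is the A1 Injection pattern: anything the user types becomes part
    of the query.  Returns the matched username, or None if no row matched.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters; the driver never lets the input
    change the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the two classic payloads against both versions of the check.

    Returns a dict so the outcome can be inspected (or asserted on) rather
    than only printed.
    """
    conn = make_db()
    # '--' starts an SQL comment, so the password clause is thrown away.
    comment_payload = "admin' --"
    # "' OR '1'='1" makes the WHERE clause true for every row.
    tautology_payload = "' OR '1'='1"
    return {
        "vuln_comment": login_vulnerable(conn, comment_payload, "wrong"),
        "safe_comment": login_parameterized(conn, comment_payload, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology_payload),
        "safe_tautology": login_parameterized(conn, "nobody", tautology_payload),
        "safe_real_login": login_parameterized(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

Quoting or escaping the input by hand is not a substitute for the parameterized version: the first function stays broken for any character the escaping routine forgets, whereas bound parameters remove the problem entirely because the SQL text is fixed before any user data is seen.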
