OWASP Top 10 2013 – A3 – Cross-Site Scripting

> Is your address really street"/><script>doStuff();</script>? Cross-Site Scripting attacks are tremendously prevalent, which I find surprising because it is an easy problem to detect and to remediate. There are a lot of decent mitigation alternatives out there as well. What is Cross-Site Scripting (or XSS, if you prefer)? Cross-Site Scripting occurs whenever someone else […]
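The payload in the excerpt's opening line is an attribute-context injection: the `"` closes the `value` attribute, `/>` closes the `<input>`, and a `<script>` element follows. The example below is added here and is not code from the post; it renders the constructed address field unsafely and then with HTML encoding, and parses both results the way a browser would to show that the encoded version produces zero script elements and keeps the whole payload inside the attribute. The form markup and the `analyze` helper are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed payload, taken from the post's opening line: closes the value
# attribute and the <input> tag, then opens a <script> element.
XSS_PAYLOAD = 'street"/><script>doStuff();</script>'


def render_unsafe(address):
    """Vulnerable: interpolates user input straight into an attribute value."""
    return '<form><input name="address" value="%s"/></form>' % address


def render_safe(address):
    """Hardened: HTML-encodes the value for the attribute context.

    quote=True turns both " and ' into entities, so the input cannot close the
    attribute it sits in; <, > and & are encoded too, so no tag can be opened.
    """
    encoded = html.escape(address, quote=True)
    return '<form><input name="address" value="%s"/></form>' % encoded


class _InputScanner(HTMLParser):
    """Counts <script> elements and records the input's value attribute."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.address_value = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "input":
            for name, value in attrs:
                if name == "value":
                    # html.parser decodes entities in attribute values, so the
                    # encoded payload comes back as the original string.
                    self.address_value = value


def analyze(markup):
    """Return (number_of_script_elements, decoded_value_attribute)."""
    scanner = _InputScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.script_tags, scanner.address_value


if __name__ == "__main__":
    print(analyze(render_unsafe(XSS_PAYLOAD)))  # one <script>, value cut at "street"
    print(analyze(render_safe(XSS_PAYLOAD)))    # no <script>, full payload stays a string
```

The same encoding is not enough for every context: a value placed inside a `<script>` block or an event-handler attribute needs JavaScript-string encoding instead, which is why template engines offer context-aware escaping.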

OWASP Top 10 2013 – A4 – Insecure Direct Object References

> Hello, I’m user number fiftysev…. Fiftyeight. Insecure Direct Object References are a type of authorization issue, where a user can access information (objects) that they are not supposed to. For example, imagine a bank application where you can view your personal info via: example.com/users/profile.php?id=57 Now, what does “57” refer to? Probably some kind of reference […]
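The `?id=57` parameter is the direct object reference; the bug is that the server looks it up without asking whether the logged-in user may see that record. The example below is added here and is not code from the post: it shows the vulnerable lookup against a constructed user table, a fix that enforces ownership against the session, and a fix that replaces database ids with per-session random tokens (an indirect reference map). The `PROFILES` data, the `Forbidden` exception and the function names are assumptions for illustration.

```python
import secrets

# Constructed sample data standing in for the bank's user table.
PROFILES = {
    57: {"name": "user 57", "balance": 1200},
    58: {"name": "user 58", "balance": 9800},
}


class Forbidden(Exception):
    """Raised when a request refers to an object the session may not access."""


def profile_vulnerable(session_user_id, requested_id):
    """Vulnerable: trusts ?id= and never compares it to who is logged in."""
    return PROFILES[requested_id]


def profile_checked(session_user_id, requested_id):
    """Fix 1: keep the direct reference but enforce the authorization check.

    For a "my profile" page the cleaner version takes no id at all and reads
    session_user_id only; the check is shown for pages that must accept an id.
    """
    if requested_id != session_user_id:
        raise Forbidden("user %d may not view profile %d" % (session_user_id, requested_id))
    return PROFILES[requested_id]


class IndirectReferenceMap:
    """Fix 2: hand the browser random, per-session tokens instead of row ids.

    A token only resolves for the session that issued it, so guessing 58 is
    pointless and an unknown token is rejected rather than looked up.
    """

    def __init__(self):
        self._tokens = {}

    def token_for(self, user_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user_id
        return token

    def resolve(self, token):
        if token not in self._tokens:
            raise Forbidden("unknown object reference")
        return self._tokens[token]


def denies(func, *args):
    """True if the call is rejected with Forbidden (helper for demonstrations)."""
    try:
        func(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # User 57 changes the id to 58: the vulnerable handler hands over the record.
    print(profile_vulnerable(57, 58))
    print(denies(profile_checked, 57, 58))  # the checked handler refuses
    refs = IndirectReferenceMap()
    mine = refs.token_for(57)
    print(refs.resolve(mine), denies(refs.resolve, "58"))
```

Either fix is sufficient on its own; the ownership check is the one to reach for first, because an indirect map without a check still needs the token issued to the right session.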

OWASP Top 10 2013 – A9 – Using Components with Known Vulnerabilities

> I didn’t even know we had this old thing! You know, keeping things up to date is something you pretty much have to do, but the web doesn’t really make it easy. There’s a plethora of things to remember to patch: the proxies, the web server, the web application, any dependencies, and even the […]