Secure code notes

OWASP: the Open Web Application Security Project (home page)

OWASP Top 10 (PDF): the ten most critical web application security risks

CWE: Common Weakness Enumeration, a community-maintained catalogue of software weakness types (home page)

Some CWE entries that commonly show up in Java web applications:

Cross-site scripting: a harmless-looking text field, when its contents are displayed back to the browser without encoding, becomes executable if it contains script code.

The fix is output encoding: escape the HTML metacharacters (<, >, &, quotes) at the point of output so the value is rendered as text and not parsed as markup. Do it in the right context too: a value inside an attribute needs the quotes escaped as well, not only the angle brackets.
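As an added example (not code from the original notes), the encoding step done once at the output point rather than per field. The template, the render functions and the sample payloads are constructed for illustration; html.escape from the standard library does the actual work.

```python
import html

def render_escaped(template, **values):
    """Fill an HTML template, HTML-escaping every substituted value.

    quote=True also encodes " and ' so a value is safe inside a quoted
    attribute as well as between tags.  Escaping happens at this single
    output point, not field by field in the controllers.
    """
    safe = {k: html.escape(str(v), quote=True) for k, v in values.items()}
    return template.format(**safe)

def render_raw(template, **values):
    """The unsafe version: values are inserted verbatim, which is what
    innerHTML or plain string concatenation does."""
    return template.format(**{k: str(v) for k, v in values.items()})

# Constructed sample input: what an attacker types into a harmless display-name field.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'

# Hypothetical page fragment; {name} appears once between tags and once in an attribute.
TEMPLATE = '<p>Hello, {name}</p><input name="nick" value="{name}">'

if __name__ == "__main__":
    print(render_raw(TEMPLATE, name=SCRIPT_PAYLOAD))      # script tag reaches the browser
    print(render_escaped(TEMPLATE, name=SCRIPT_PAYLOAD))  # shown as literal text
    print(render_raw(TEMPLATE, name=ATTR_PAYLOAD))        # breaks out of the attribute
    print(render_escaped(TEMPLATE, name=ATTR_PAYLOAD))    # stays inside the attribute
```

The second payload carries no angle brackets at all, which is why escaping only < and > is not enough when the value lands inside an attribute.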

Executing pre-compiled SQL (prepared statements with bound parameters) is the way to avoid SQL injection. Quoting or escaping the literal string input yourself is a poor substitute: the escaping rules differ per database and character set, and one missed field is enough.

What often gets missed is numeric input fields: they are not quoted in the query, so no quote character is needed to inject into them and escaping does nothing. Validate these fields for length and for being actually numeric, then bind them as parameters.
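As an added example (not from the original notes), the quoted-literal and numeric cases side by side against a constructed in-memory SQLite table. The table, accounts and payloads are made up for the demonstration; the vulnerable functions build the query by string formatting, the fixed ones use placeholders.

```python
import re
import sqlite3

def setup_db():
    """Constructed in-memory users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_concat(conn, user, password):
    """Vulnerable: the literals are quoted, but a quote character in the
    input closes the literal early and the rest is parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (user, password)
    return conn.execute(sql).fetchone() is not None

def login_param(conn, user, password):
    """Fixed: the statement is compiled with placeholders and the values are
    bound separately, so input is never parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None

def user_by_id_concat(conn, user_id):
    """Vulnerable numeric field: there are no quotes around a number, so no
    quote character is needed and escaping would not help."""
    sql = "SELECT name FROM users WHERE id = %s" % user_id
    return sorted(row[0] for row in conn.execute(sql))

def user_by_id_checked(conn, user_id):
    """Fixed: check length and numeric-ness (ASCII digits only), then bind."""
    text = str(user_id)
    if not re.fullmatch(r"[0-9]{1,10}", text):
        raise ValueError("user id must be a positive integer of at most 10 digits")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(text),))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = setup_db()
    print(login_concat(db, "alice' --", "wrong"))   # True: -- comments out the password check
    print(login_param(db, "alice' --", "wrong"))    # False
    print(user_by_id_concat(db, "1 OR 1=1"))        # ['alice', 'bob']
    try:
        user_by_id_checked(db, "1 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The login payloads are the classic patterns (a stray ' and a trailing --, or ' OR '1'='1); the numeric payload contains no quote at all, which is the point of the note above.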

innerText vs innerHTML for security: assigning untrusted data to innerHTML parses it as markup, so any script or event handler in it runs; innerText (or textContent) sets it as plain text.

It is cumbersome and error-prone to validate every field one by one. Find a way to do it globally at key entry points.

For instance, for all incoming URLs the controllers can check fields automatically against a specification: global dictionaries of field names and their types, so each field is validated in one place.

On the server side, define URL constraints such as field1.int, field2.string, etc.; the fields are checked and converted according to these constraints before they are handed over to the controller code.
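As an added example (not the notes' own code), a small entry-point validator in the field.type notation described above. The URL table, the type dictionary and the request parameters are hypothetical; the point is that a controller only ever receives values that passed the global spec.

```python
import re

# Hypothetical per-URL constraints in the "field.type" notation from the note above.
URL_CONSTRAINTS = {
    "/account/view": ["userid.int", "tab.string"],
    "/search": ["q.string", "page.int"],
}

# Global type dictionary: a type name maps to (syntax check, converter).
TYPES = {
    "int": (lambda v: re.fullmatch(r"[0-9]{1,10}", v) is not None, int),
    "string": (lambda v: len(v) <= 256 and "\x00" not in v, str),
}

class ValidationError(ValueError):
    pass

def parse_constraints(entries):
    """Turn ["userid.int", "tab.string"] into {"userid": "int", "tab": "string"}."""
    spec = {}
    for entry in entries:
        name, typ = entry.rsplit(".", 1)
        if typ not in TYPES:
            raise ValueError("unknown type %r in constraint %r" % (typ, entry))
        spec[name] = typ
    return spec

def validate_request(path, params):
    """Check and convert every query parameter for `path` before the
    controller runs.  Unknown paths, missing fields, bad values and
    unexpected extra fields are all rejected."""
    entries = URL_CONSTRAINTS.get(path)
    if entries is None:
        raise ValidationError("no constraints defined for %s" % path)
    spec = parse_constraints(entries)
    clean = {}
    for name, typ in spec.items():
        if name not in params:
            raise ValidationError("missing field %s" % name)
        check, convert = TYPES[typ]
        if not check(params[name]):
            raise ValidationError("field %s is not a valid %s" % (name, typ))
        clean[name] = convert(params[name])
    extra = sorted(set(params) - set(spec))
    if extra:
        raise ValidationError("unexpected fields: %s" % ", ".join(extra))
    return clean

if __name__ == "__main__":
    print(validate_request("/account/view", {"userid": "42", "tab": "profile"}))
    for bad in ({"userid": "42 OR 1=1", "tab": "profile"},
                {"userid": "42", "tab": "profile", "debug": "1"}):
        try:
            validate_request("/account/view", bad)
        except ValidationError as e:
            print("rejected:", e)
```

Rejecting fields that are not in the spec is deliberate: an extra parameter the controller never expected is exactly the kind of input that ends up in a query unvalidated.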

Do you have an account-lockout (or rate-limiting) feature against password guessing?

Separate database connections, with separate accounts, for reads and writes, if the architecture allows: a read-only account limits what an injection through a read path can do.

Know the general patterns of SQL injection, such as a stray ' to close a string literal and -- to comment out the rest of the query.

Know that a session can be hijacked on non-HTTPS traffic: the session cookie travels in clear text and anyone on the path can replay it.

Preventing session hijacking: HTTPS only, Secure and HttpOnly flags on the session cookie, unguessable session ids, a fresh id issued at login, and an idle timeout.
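As an added example (not from the original notes), a minimal server-side session store with the controls listed above: ids from the OS CSPRNG, a hardened Set-Cookie value, rotation at login and an idle timeout. The store, the timeout value and the cookie name are constructed for the illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # constructed value: drop sessions idle for 15 minutes

def new_session_id():
    """256 bits from the OS CSPRNG: an id an attacker cannot guess or enumerate."""
    return secrets.token_urlsafe(32)

def session_cookie(session_id):
    """Set-Cookie value for the session id.  Secure keeps it off plain HTTP
    (the hijack case in the note above), HttpOnly keeps script from reading
    it, SameSite=Strict stops browsers attaching it to cross-site requests."""
    return "; ".join(["sid=" + session_id, "Path=/", "Secure", "HttpOnly", "SameSite=Strict"])

class SessionStore:
    """Server-side session table: id -> user and last activity time."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
        return sid

    def rotate(self, old_sid, user=None, now=None):
        """Issue a fresh id on login or privilege change, so an id that was
        fixated or sniffed before authentication is worthless afterwards."""
        data = self._sessions.pop(old_sid, None)
        if data is None:
            raise KeyError("unknown session")
        sid = new_session_id()
        if user is not None:
            data["user"] = user
        data["last_seen"] = time.time() if now is None else now
        self._sessions[sid] = data
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a live session, or None.  Idle sessions expire,
        which bounds how long a stolen id stays usable."""
        now = time.time() if now is None else now
        data = self._sessions.get(sid)
        if data is None:
            return None
        if now - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        data["last_seen"] = now
        return data["user"]

if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("guest")                 # pre-login session
    sid = store.rotate(anon, user="alice")       # new id issued at login
    print(session_cookie(sid))
    print(store.lookup(anon), store.lookup(sid))  # None alice
```

The `now` parameters exist only so the timeout logic can be exercised deterministically; in a server they would be left at the default.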

Perhaps sensitive entries in configuration files (user id, password, server name, etc.) can be encrypted.

That still leaves the encryption key, which has to be stored or supplied somewhere the application can reach it but a casual reader of the files cannot.

At least the files at rest cannot be read as-is by someone who only obtains the files.