Secure code notes
satya - 5/24/2018, 1:32:33 PM
Homepage of OWASP: Open Web Application Security Project
satya - 5/24/2018, 1:36:45 PM
CWE: Common Weakness Enumeration, a community project
satya - 5/24/2018, 1:36:59 PM
CWE: Common Weakness Enumeration, a community project: home page
satya - 5/24/2018, 1:39:26 PM
Here are some Java errors listed in CWE.
satya - 5/24/2018, 1:44:50 PM
Edit fields allowing scripts
A harmless-looking edit field, when its contents are displayed back to users, may become executable if it contains script code (stored cross-site scripting).
I take it one can escape the HTML characters so that they are displayed correctly as text but not interpreted as code!!
satya - 5/24/2018, 1:48:26 PM
Using literals as literals to avoid SQL injection
Apart from using prepared (parameterized) statements to avoid SQL injection, one can quote and escape the string literal input.
What often gets missed are the numeric input fields: they are not quoted, so quoting does nothing for them. Check these fields for their length and for being genuinely numeric before they go into a query.
satya - 5/24/2018, 1:50:05 PM
Using innerText vs innerHTML for security
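Added example (not part of these notes): the two defences the last two entries point at, HTML-escaping a value before it is echoed into markup on the server, and assigning user text on the client with textContent (innerText behaves the same for this purpose) instead of innerHTML. The comment template, the payload and the fake element used to run this outside a browser are constructed for the example.

```javascript
// Added example: keeping text that came from an edit field inert when it is
// shown back to the user.
//
// 1. Server side: escape the five HTML-significant characters before the
//    value is interpolated into markup, so the browser renders it as text.
// 2. Client side: assign the value with textContent (innerText behaves the
//    same here) instead of innerHTML, so it is never parsed as markup.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape a value for insertion into HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The bug: the stored comment is dropped straight into the markup.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// The fix: same template, but the comment is escaped first.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Client side: set user-supplied text as text. In the browser `element` is a
// DOM element; under Node a plain object with the same two properties stands
// in for it (constructed for the example).
function showUserText(element, value) {
  element.textContent = String(value); // never touches innerHTML
  return element;
}

// Constructed payload: an image tag whose error handler runs script.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Does the rendered markup still contain a live tag built from the payload?
function containsLiveTag(html) {
  return /<img\b/i.test(html);
}

console.log(renderCommentUnsafe(PAYLOAD)); // tag survives; a browser would run onerror
console.log(renderCommentSafe(PAYLOAD));   // &lt;img ... is rendered as visible text
const fakeElement = { textContent: '', innerHTML: '' };
console.log(showUserText(fakeElement, PAYLOAD).textContent);
```

The escaping covers text content and double- or single-quoted attribute values; unquoted attributes, URLs and script blocks each need their own context-specific encoding, so the simplest rule is to never put user data in those positions.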
satya - 5/24/2018, 1:54:26 PM
Input validation
It can be cumbersome to validate every field if one has to do this field by field. One has to figure out how to do this more globally at key entry points.
For instance, for all incoming URLs, the controllers can automatically check fields against their specification, using global dictionaries of field names and global types.
Using these global specs and global field names, fields can be validated in one place.
Further, on the server side you can declare URL constraints such as field1.int, field2.string, etc., so that the fields are validated and sanitized before they are handed over to the controller code.
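Added example (not part of these notes): one way to do the entry-point validation described above. A global type registry says how each named type is checked and converted, and a per-route spec of the form { field: 'type' } (the notes' field1.int, field2.string) says which fields the route accepts; the controller only ever sees the typed result. The type names, the spec shape and the sample route are this example's own conventions.

```javascript
// Added example: one validation pass at the entry point instead of per-field
// checks inside every controller.

// Global type registry: name -> function that validates the raw string and
// returns the typed value, or throws with a reason.
const TYPES = {
  // Non-negative integer, at most 10 digits; rejects "1 OR 1=1" style input.
  int: (raw) => {
    if (!/^\d{1,10}$/.test(raw)) throw new Error('expected an integer');
    return Number(raw);
  },
  // Short free text: bounded length, no control characters.
  string: (raw) => {
    if (raw.length > 200) throw new Error('too long');
    if (/[\u0000-\u001f\u007f]/.test(raw)) throw new Error('control characters');
    return raw;
  },
  // Restricted identifier such as a username or view name.
  slug: (raw) => {
    if (!/^[a-z0-9_-]{1,32}$/i.test(raw)) throw new Error('bad identifier');
    return raw.toLowerCase();
  },
};

// Validate a parsed query object against a route spec. Returns a fresh object
// holding only the declared fields with typed values, or throws listing every
// failing field (unknown, missing, repeated, or malformed).
function validateParams(spec, query) {
  const errors = [];
  const clean = {};
  for (const name of Object.keys(query)) {
    if (!(name in spec)) errors.push(`${name}: not an accepted field`);
  }
  for (const [name, typeName] of Object.entries(spec)) {
    const check = TYPES[typeName];
    if (!check) throw new Error(`route spec names unknown type ${typeName}`);
    const raw = query[name];
    if (raw === undefined) { errors.push(`${name}: missing`); continue; }
    // Repeated parameters usually arrive as arrays; refuse them rather than guess.
    if (typeof raw !== 'string') { errors.push(`${name}: repeated or malformed`); continue; }
    try { clean[name] = check(raw); } catch (e) { errors.push(`${name}: ${e.message}`); }
  }
  if (errors.length) throw new Error(errors.join('; '));
  return clean;
}

// Wrap a controller so it only ever sees validated, typed parameters.
function withSpec(spec, controller) {
  return (query) => controller(validateParams(spec, query));
}

// Constructed route: /users?id=<int>&view=<slug>
const USER_SPEC = { id: 'int', view: 'slug' };
const showUser = withSpec(USER_SPEC, ({ id, view }) => `user ${id} (${view})`);

console.log(showUser({ id: '42', view: 'Profile' }));
try {
  showUser({ id: '1 OR 1=1', view: 'full', admin: 'true' });
} catch (e) {
  console.log('rejected:', e.message);
}
```

Rejecting undeclared fields is the part people skip: it is what stops a request from smuggling an extra parameter (admin=true, a second id) past a controller that never expected it.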
satya - 5/24/2018, 1:59:21 PM
Do you have an account lockout feature?
satya - 5/24/2018, 2:00:54 PM
Different connections for reads and writes: perhaps, if the architecture allows
satya - 5/24/2018, 2:02:34 PM
Details of SQL injection
Learn the general patterns of SQL injection, such as a stray single quote (') that closes a string literal early, or a double dash (--) that comments out the rest of the statement.
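Added example (not part of these notes) covering both SQL injection entries above: what the textbook ' and -- payloads do to a concatenated query, and the two fallback defences the notes describe, escaping a quoted string literal and checking an unquoted numeric field for length and numeric-ness. Prepared statements remain the first choice; this shows what the fallback has to get right. The table, column names and payloads are made up for the example.

```javascript
// Added example: SQL injection patterns and the literal-handling defences.

// Vulnerable: both fields concatenated as-is.
function loginQueryUnsafe(username, accountId) {
  return `SELECT * FROM users WHERE name = '${username}' AND account_id = ${accountId}`;
}

// Escape a value for use inside a single-quoted SQL string literal by
// doubling every single quote (standard SQL). Rejects NUL, which some
// drivers treat as end of string.
function sqlStringLiteral(value) {
  const s = String(value);
  if (s.includes('\u0000')) throw new Error('NUL byte in string input');
  return `'${s.replace(/'/g, "''")}'`;
}

// A numeric field is not quoted, so quoting does nothing for it: require
// digits only and a sane length before it goes anywhere near the query.
function sqlIntegerLiteral(value, maxDigits = 12) {
  const s = String(value).trim();
  if (!new RegExp(`^\\d{1,${maxDigits}}$`).test(s)) {
    throw new Error(`not a numeric field: ${JSON.stringify(s)}`);
  }
  return s;
}

// Hardened: every literal goes through the matching helper.
function loginQuerySafe(username, accountId) {
  return `SELECT * FROM users WHERE name = ${sqlStringLiteral(username)} AND account_id = ${sqlIntegerLiteral(accountId)}`;
}

// Cheap detection of the textbook patterns in raw input, useful for logging
// and alerting; not a substitute for the escaping above.
const INJECTION_PATTERNS = [
  /'\s*(or|and)\b/i,                    // ' OR '1'='1
  /--/,                                  // comment out the rest of the statement
  /;\s*(drop|delete|update|insert)\b/i,  // stacked statement
  /\/\*/,                                // block comment
];
function looksLikeInjection(input) {
  return INJECTION_PATTERNS.some((re) => re.test(String(input)));
}

// Constructed payloads.
const QUOTE_PAYLOAD = "admin' OR '1'='1' --";   // closes the literal, comments out the rest
const NUMERIC_PAYLOAD = '1 OR 1=1';              // needs no quote at all

console.log(loginQueryUnsafe(QUOTE_PAYLOAD, '7'));    // WHERE name = 'admin' OR '1'='1' --' ...
console.log(loginQuerySafe(QUOTE_PAYLOAD, '7'));      // WHERE name = 'admin'' OR ''1''=''1'' --' ...
console.log(loginQueryUnsafe('bob', NUMERIC_PAYLOAD)); // ... AND account_id = 1 OR 1=1
try {
  loginQuerySafe('bob', NUMERIC_PAYLOAD);
} catch (e) {
  console.log('rejected:', e.message);
}
```

The numeric case is the one the notes flag as often missed: the escaped query above is fine for the username, but had account_id been concatenated unchecked, "1 OR 1=1" would still have widened the WHERE clause without a single quote in sight.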
satya - 5/24/2018, 2:16:08 PM
Know that a session can be hijacked in non-HTTPS traffic
satya - 5/24/2018, 2:19:30 PM
Preventing session hijacking scenarios
satya - 5/24/2018, 2:31:54 PM
Property files
Perhaps key entries (like user ID, password, server name, etc.) can be encrypted.
That still leaves the problem of where to keep the encryption key.
At least the files at rest cannot be read in the clear.