Posts

Showing posts from 2014

WEBSITE SECURITY (BUSINESS LOGIC VULNERABILITIES)

Abuse of Functionality

An attack that uses a website's own features and functionality to consume, defraud, or circumvent access control mechanisms. Some functions, including security features, may be abused to cause unexpected behavior, annoy other users, or perhaps defraud the system entirely. Abuse of Functionality techniques are often intertwined with other categories of Web application attacks, such as performing an encoding attack to introduce a query string that turns a web search function into a remote web proxy. Abuse of Functionality attacks are also commonly used as a force multiplier. For example, an attacker can inject a Cross-Site Scripting snippet into a web-chat session, then use the built-in broadcast function to propagate the malicious code site-wide.

Brute Force

An automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key. Many systems will allow the use of weak passwords or small cryptogr

18 Critical Oversights in Web Development

Over the past years I had the opportunity to work on some interesting projects, complex in nature and under ongoing development, constantly being upgraded, refactored and extended with new features. This article will cover the biggest coding oversights most PHP developers make when dealing with medium and large projects, such as not differentiating between development environments or not implementing caching and backup. The examples below are in PHP, but the idea behind each problem is generic. The root of these problems lies mainly in developers' knowledge and experience, especially the lack of it. I'm not trying to bash anybody; I do not consider myself the perfect developer who knows everything, so bear with me. In my experience we could categorize these problems into three main groups: design level, application level and database level oversights. We'll break down each one separately.

Application Level Oversights

Developing with error reporting off

The only