Five application security threats and how to counter them

• Published: 13 Jun 2006

New security threats emerge every day. In order to be secure, you must be able to identify the major threats and understand how to counter them. Here is a guide to the five most common and insidious threats to application security –- and what you can do about them.

The following links and articles will provide you with crucial information on application exploits and countermeasures.

Are there other topics you'd like to see learning guides on? Send me an e-mail and let me know what they are.
-- Jennette Mullaney, Assistant Editor.

TABLE OF CONTENTS    Threats SQL injection Cross-Site Scripting Attacks Denial of Service Buffer Overflows Session Hijacking    More Helpful Resources

Threats

1. SQL Injection
   (Return to Table of Contents)
   • SQL injection -- Whatis definition
   • Preventing SQL Injection attacks
   • Defense tactics for SQL injection attacks
   • SQL injection: Developers fight back
   • SQL Injection: Are your Web applications vulnerable? (PDF)
   • Automated SQL injection: What your enterprise needs to know -- Part 1
   • Automated SQL injection: What your enterprise needs to know -- Part 2
   • Blind SQL injection: Are your Web apps vulnerable? (PDF)
   • Free tool helps find SQL injection vulnerabilities
   • Raising risk prospects with a new SQL injection threat
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 13: Interpreter Injection

1. Cross-Site Scripting Attacks
   (Return to Table of Contents)
   • Cross-site scripting (XSS) -- a Whatis definition
   • Cross-site scripting: Intro to XSS
   • Deal with cross-site scripting
   • The Cross Site Scripting FAQ
   • Cross-site scripting
   • Preventing cross-site scripting attacks
   • Cross-site tracing (XST) (PDF)
   • DOM based cross-site scripting or XSS of the third kind
   • When output turns bad: Cross-site scripting explained
   • The anatomy of cross-site scripting (PDF)
   • Threat classification: Cross-site scripting

1. Denial of Service
   (Return to Table of Contents)
   • Denial of service (DoS) -- a Whatis definition
   • Block and reroute denial-of-service attacks
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 22: Denial of Service
   • Application Level DoS Attacks (PDF}
   • Application Denial of Service
   • Threat Classification: Denial of Service
   • How to avoid authentication bypass attacks
   • Denial of service via algorithmic complexity attacks

1. Buffer Overflows
   (Return to Table of Contents)
   • Buffer overflow -- a Whatis definition
   • You can prevent buffer overflow attacks
   • How to prevent buffer overflow attacks
   • Myth-busting Web application buffer overflows
   • OWASP Guide to Building Secure Web Applications and Web Services, Chapter 17: Buffer Overflows
   • Exploiting Software: How to Break Code -- Chapter 7, Buffer Overflow
   • Buffer overflow attacks: How do they work?
   • Perl taint mode can help prevent buffer overflow vulnerabilities
   • Defining and preventing buffer overflows
   • Inside the buffer overflow attack: Mechanism, method & prevention

1. Session Hijacking
   (Return to Table of Contents)
   • Session hijacking -- a Whatis definition
   • Session Hijacking
   • An overview of session hijacking at the network and application levels
   • OWASP guide to building secure Web applications and Web services, chapter 11: Session Management
   • Wicked code: Foiling session hijacking attempts
   • Web-based session management
   • Attacks illustrate need for stronger authentication
   • Theft on the Web: Prevent session hijacking
   • Book excerpt -- How to Break Web Software: Functional and security testing of Web applications and Web services – Chapter 4: State-based attacks
   • iAlert white paper – Brute-force exploitation of Web application session IDs(PDF)

More Useful Resources

[Return to Table of Contents]

Expert advice on Web application threats Do you have a question about Web application threats that you're having trouble getting answered? SearchAppSecurity.com expert Jeremiah Grossman can help. Read advice he has given or submit your own questions.

• More articles on application threats from SearchAppSecurity.com
• SearchSecurity.com
• Dark Reading
• CNet's Threats Section
• WASC's Web Security Threat Classification Project
• Improving Web Application Security: Threats and Countermeasures (Book)
• infosyssec site has three search engines to find the latest threats, exploits and vulnerabilities
• Web application security threats and countermeasures(PDF)
• Secure Programming Techniques Workshop (Course)
• A cheatsheet listing all major Web application vulnerabilities that should be checked during a penetration test assignment
• Microsoft Threat Analysis & Modeling 2.0 RC1

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send SearchAppSecurity.com's editors an e-mail at editor@searchappsecurity.com and let them know what they are.