The Web Application Security Consortium is proud to present 'Common Security Problems in the Code of Dynamic Web Applications' written by Sverre H. Huseby.
"In the last few years an increasing number of web programmers have started realizing that the code they write for a living plays a major part in the overall security of a web site. Even though the administrators install state of the art firewalls, keep off-the-shelf software patched and protect communication with heavy encryption, there are many ways to attack the logic of the custom-made application code itself. There is seemingly an infinite number of different logical glitches that may lead to exploitable security problems in a web application. But even though the number of glitches may be infinite, many of the most frequently occurring glitches may be put in one of the following, rather limited set of categories: * Failure to deal with metacharacters of a subsystem * Authorization problems due to giving too much trust in input That's only two categories, and they cover much of the web application security hype published in the last eight years or so." This document can be found at http://www.webappsec.org/projects/articles/062105.shtml . Regards, - Robert Auger articles_at_webappsec.org http://www.webappsec.org ------------------------------------------------------------------------------------ Are you interested in writing a 'Guest Article' for the WASC? Additional information on article guidelines may be found at http://www.webappsec.org/articles/. Inquires can be sent to articles_at_webappsec.org "Contributed articles may include industry best practices, technical information about current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the front lines of the web application security field." <a href="http://www.webappsec.org";>http://www.webappsec.org</a> ------------------------------------------------------------------------------------
