[WEB SECURITY] WASC-Articles: 'Common Security Problems in the Code of Dynamic Web Applications' By Sverre H. Huseby

contact at webappsec.org contact at webappsec.org
Tue Jun 21 09:38:10 EDT 2005

The Web Application Security Consortium is proud to present 'Common Security Problems in the
Code of Dynamic Web Applications' written by Sverre H. Huseby.

"In the last few years an increasing number of web programmers have started realizing that the
code they write for a living plays a major part in the overall security of a web site. Even
though the administrators install state of the art firewalls, keep off-the-shelf software
patched and protect communication with heavy encryption, there are many ways to attack the
logic of the custom-made application code itself.

There is seemingly an infinite number of different logical glitches that may lead to exploitable
security problems in a web application. But even though the number of glitches may be infinite,
many of the most frequently occurring glitches may be put in one of the following, rather limited
set of categories:

* Failure to deal with metacharacters of a subsystem
* Authorization problems due to giving too much trust in input

That's only two categories, and they cover much of the web application security hype published in
the last eight years or so."

This document can be found at http://www.webappsec.org/projects/articles/062105.shtml . 


- Robert Auger


Are you interested in writing a 'Guest Article' for the WASC? Additional information
on article guidelines may be found at http://www.webappsec.org/articles/. Inquires
can be sent to articles_at_webappsec.org

"Contributed articles may include industry best practices, technical information about
current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING
GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the
front lines of the web application security field."
<a href="http://www.webappsec.org">http://www.webappsec.org</a>

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list