Risks, Weaknesses & Attacks

Our tech team recently had a bit of a security review, not much more than a lunchtime sit-in over a few days to try and identify the main security issues to be aware of in web development. We're looking to implement a security checklist for projects - mostly to keep the tech team on their toes during development and to keep security issues at the forefront when they tend to fall by the wayside sometimes.
I thought the list we brainstormed might be an interesting starting place for further discussion here and might help others become aware of certain things they might have overlooked or not been aware of.
Development
- Implicit trust of tainted data
  - especially when used for commands/queries/includes/files/remote
- Trusting the scope of data, not just the content
- Be careful with eval()
- [PHP] Be careful when using register_globals = ON
- Web folder permissions, .. traversal
- Caching of sensitive information
- Buffer overruns [bounds checking]
- Code injection: SQL, Javascript, file uploads
- Upload weaknesses, cookie poisoning
  - e.g. the MySpace session hijacking: cookie data and posting code into other people's pages
- Password attacks: dictionary, brute force, defaults
- Admin addresses, user management
- Protection of all sensitive pages, not just the gateway
- Remote code execution (e.g. PHP includes, JS ad-code)
- Common developer mistakes
- AJAX buggery (between-page exploits, API attacks)
- Cookie poisoning
- XSS
- Debug
- Error pages
- Email form hijacking, list theft
- Internal application warfare, i.e. users targeting each other.
Hardware / Hosting
- Port scans / firewall / VPNs
- Web server and application lockdown/hardening (removal of demos)
- Shared hosting
- Patching
- Spam relaying, list theft
- Default config: server, hardware, devices
Awareness / Management / Policies - Security bootstrapping
- Passwords: defaults/weak
- Known bug exploits (3rd party), known viruses/trojans etc. targeting our apps/devices
- 3rd party libraries (exploits, bugs, and known locations)
- Phishing (domain theft/spoofing)
Feel free to add to the list or to ask for expansion of a particular topic or area: someone with far greater security credentials than myself will hopefully drop their thoughts in :)
Steerpike
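The first three items under Development (implicit trust of tainted data in queries, trusting the scope of data rather than just its content, and the SQL/Javascript injection entry) are easiest to see side by side in code. The following is an added example written for this thread, not code from the original poster; it uses Python's standard library (sqlite3 and html) rather than PHP so that it runs anywhere, with a constructed in-memory users table and a hypothetical role allow-list. The "unsafe" functions are the pattern to avoid; the "safe" ones keep request data in the data channel (bound parameters, output escaping) and check scope against an allow-list instead of trusting the value.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from a real system).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

# Hypothetical allow-list: the *scope* of a role value is fixed by the
# application, not by whatever the request happens to carry.
ALLOWED_ROLES = frozenset({"admin", "user"})


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Tainted input spliced into the SQL text: the request now controls
    the structure of the query, not merely a value inside it."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Bound parameter: the driver passes the value separately from the
    query text, so quote characters in the input stay plain data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_unsafe(name):
    """Tainted input echoed straight into HTML: any markup in the value
    becomes part of the page (the XSS entry on the checklist)."""
    return "<p>Hello, %s</p>" % name


def render_safe(name):
    """Escape on output so the value is displayed, never interpreted."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def is_allowed_role(role):
    """Scope check: accept only values the application defined, rather
    than trusting that a syntactically fine string is also a valid one."""
    return role in ALLOWED_ROLES


if __name__ == "__main__":
    conn = make_db()
    probe = "nobody' OR '1'='1"   # constructed quote-bearing input
    print("unsafe lookup rows:", len(lookup_unsafe(conn, probe)))  # 2: query structure altered
    print("safe lookup rows:  ", len(lookup_safe(conn, probe)))    # 0: treated as a literal name
    print(render_unsafe("<b>x</b>"))
    print(render_safe("<b>x</b>"))
    print("role 'root' allowed?", is_allowed_role("root"))
```

The contrast to take from running it: the same quote-bearing input returns every row through `lookup_unsafe` and nothing through `lookup_safe`, and `render_safe` turns `<b>` into `&lt;b&gt;` so browsers display it rather than execute it. The allow-list check is the cheap way to cover the "scope" item: a role string can be perfectly well-formed and still be outside what the application ever intended to accept.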