Injecting Code
The topic of code injection is a huge one, encompassing dozens of different languages and environments, and a wide variety
Read moreWeb Hosting
A Multi-Layered Privilege Model
Issues relating to access apply not only to the web application itself but also to the other infrastructure tiers which
Read moreSecuring Access Controls
Access controls are one of the easiest areas of web application security to understand, although a well-informed, thorough methodology must
Read moreAttacking Access Controls
Before starting to probe the application to detect any actual access control vulnerabilities, you should take a moment to review
Read moreAttacking Access Controls
Common Vulnerabilities Access controls can be divided into two broad categories: vertical and horizontal. Vertical access controls allow different types
Read moreLog, Monitor, and Alert
The application’s session management functionality should be closely integrated with its mechanisms for logging, monitoring, and alerting, in order to
Read moreLiberal Cookie Scope
The usual simple summary of how cookies work is that the server issues a cookie using the HTTP response header
Read moreDisclosure of Tokens in Logs
Aside from the clear-text transmission of session tokens in network communications, the most common place where tokens are simply disclosed
Read moreWeaknesses in Session Token Handling
No matter how effective an application is at ensuring that the session tokens it generates do not contain any meaningful
Read morePredictable Tokens
Some session tokens do not contain any meaningful data associating them with a particular user but are nevertheless guessable because
Read more