System News
   
News about Solaris and Sun Microsystems


October 29, 2009
Article #22441
Volume 140, Issue 4
Section: Security


Defending against OWASP's Top 10 Vulnerabilities with WebGoat

Top 10 Web Application Security Vulnerabilities
Get Help from Open Web Application Security Project's WebGoat

The Open Web Application Security Project (OWASP) has identified the most critical web application security vulnerabilities, writes blogger Carol McDonald in her posting "The Top 10 Web Application Security Vulnerabilities Starting with XSS." McDonald writes that adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within an organization into one that produces secure code.

The vulnerabilities were identified with OWASP's WebGoat, a deliberately insecure J2EE web application maintained by OWASP and designed to teach web application security lessons. Users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain each lesson.

Users can also employ the OWASP Enterprise Security API (ESAPI) Toolkit to protect against these identified vulnerabilities. An ESAPI Swingset is also available. The Swingset/Apache Tomcat bundle contains everything needed to get Swingset up and running in a matter of minutes. No installation is necessary (assuming a Java JRE or JDK is already installed); one need only edit a single line of a batch file or shell script.

McDonald also writes about this security vulnerability in her blog posting "OWASP Top 10 Number 3: Malicious File Execution." Malicious file execution occurs when an attacker's files are executed or processed by the web server. This can happen when an input filename is controlled by the attacker or when an uploaded file is improperly trusted.
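As an added illustration of the defence against the malicious file execution condition described above (this is example code, not WebGoat's or ESAPI's own), the following Java class validates a user-supplied filename before it is resolved under an upload directory. The upload root path, the allowlisted extensions and the sample filenames are assumptions chosen for the demonstration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

public final class UploadNameCheck {
    // Allowlist of extensions the server stores but never executes (assumed policy).
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "pdf", "txt");
    // A safe base name: letters, digits, dash, underscore, and exactly one extension.
    // This excludes "/", "\" and ".." so a name cannot name another directory.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.[A-Za-z0-9]{1,8}$");

    /**
     * Resolves a user-supplied filename to a path inside uploadRoot, or throws
     * IllegalArgumentException when the name is rejected. Rejects traversal,
     * absolute paths, unexpected characters and extensions not on the allowlist.
     */
    public static Path resolveUploadTarget(Path uploadRoot, String suppliedName) {
        if (suppliedName == null || !SAFE_NAME.matcher(suppliedName).matches()) {
            throw new IllegalArgumentException("rejected filename: " + suppliedName);
        }
        String ext = suppliedName.substring(suppliedName.lastIndexOf('.') + 1).toLowerCase();
        if (!ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(suppliedName).normalize();
        // Defence in depth: confirm containment even after the pattern check.
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/app/uploads"); // assumed location, not from the article
        // Constructed sample inputs: two benign names, three that must be rejected.
        String[] samples = {"report.pdf", "../../etc/passwd", "page.jsp", "/tmp/x.png", "notes.txt"};
        for (String s : samples) {
            try {
                System.out.println("accept " + s + " -> " + resolveUploadTarget(root, s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + s + ": " + e.getMessage());
            }
        }
    }
}
```

The same containment check applies when a filename arrives as a request parameter rather than an upload; the accepted path should then be served as data, never passed to an include or execution mechanism.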

More Information

OWASP Main Page

Privacy, Trust, and Security in Technology
