The Open Web Application Security Project (OWASP) has identified the most critical web application security vulnerabilities, writes blogger Carol McDonald in the posting The Top 10 Web Application Security Vulnerabilities Starting with XSS. McDonald writes that adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within an organization into one that produces secure code.
The vulnerabilities were identified with OWASP's WebGoat, a deliberately insecure J2EE web application maintained by OWASP and designed to teach web application security lessons. Users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
Users can also employ the OWASP Enterprise Security API Toolkit to protect against these identified vulnerabilities. An Enterprise Security API (ESAPI) Swingset is also available. The Swingset/Apache Tomcat bundle contains everything you need to get Swingset up and running in a matter of minutes. No installation is necessary (assuming you have a Java JRE or JDK installed). One need only edit a single line of a batch file or shell script.
McDonald also writes in her blog OWASP Top 10 Number 3: Malicious File Execution about this security vulnerability, which occurs when an attacker's files are executed or processed by the web server. This can happen when an input filename is under the attacker's control or an uploaded file is improperly trusted.
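The two causes named above (a compromised input filename and an over-trusted upload) share one root: the server lets the client decide where a file lands and what the server will later do with it. The Python below is an added example, not code from McDonald's blog, WebGoat or ESAPI. It places the weak pattern next to a hardened one that strips directory components, whitelists the filename characters and extension, and confirms the resolved path stays inside the upload root. The function names, the extension whitelist and the upload directory are assumptions made for illustration.

```python
"""
Constructed example: validating a client-supplied filename before the server
stores it. Hypothetical helper functions; not code from the blog or from ESAPI.
"""
import os
import re
from pathlib import Path

# Extensions the application is willing to store. Anything the server could
# execute or include (.jsp, .php, .sh, ...) is deliberately absent.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

# One filename component: starts with a letter or digit, then only
# letters, digits, dot, dash and underscore, at most 64 characters.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_storage_path(upload_dir: str, client_filename: str) -> str:
    """The weak pattern: trust the client's filename as-is.

    A name carrying "../" segments lands outside the upload directory, and a
    name ending in a server-side extension is stored as something the
    container may later execute. The client controls both.
    """
    return os.path.join(upload_dir, client_filename)


def safe_storage_path(upload_dir: str, client_filename: str) -> str:
    """Hardened version: validate first, then let the server own the path.

    Raises ValueError on anything that fails a check. Callers should treat
    that as a rejected upload rather than trying to repair the name.
    """
    # 1. Discard any directory part the client sent (both separator styles).
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]

    # 2. Allow only a conservative character set. This single check rejects
    #    "..", empty names, NUL bytes, spaces and look-alike Unicode.
    if not SAFE_COMPONENT.match(name):
        raise ValueError(f"rejected filename: {client_filename!r}")

    # 3. Whitelist the extension. "shell.jsp" and "image.png.jsp" both fail
    #    because only the final suffix is consulted.
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected extension: {ext!r}")

    # 4. Resolve and confirm the final path is still inside the upload root,
    #    a second line of defence in case an earlier check is weakened later.
    root = Path(upload_dir).resolve()
    final = (root / name).resolve()
    if root != final and root not in final.parents:
        raise ValueError("path escapes upload directory")
    return str(final)


def is_accepted(upload_dir: str, client_filename: str) -> bool:
    """Boolean convenience wrapper around safe_storage_path()."""
    try:
        safe_storage_path(upload_dir, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign, three hostile.
    for candidate in ("report.pdf", "../../etc/passwd", "shell.jsp", "image.png.jsp"):
        print(f"{candidate!r:24} -> weak: {vulnerable_storage_path('/tmp/uploads', candidate)!r}"
              f"  accepted by hardened check: {is_accepted('/tmp/uploads', candidate)}")
```

Note that the hardened function keeps the sanitized client name only for readability; a production service would usually replace it with a server-generated name and serve uploads from a location the application container does not treat as code, which removes the execution risk even if a validation check is later loosened.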
More Information
OWASP Main Page
Privacy, Trust, and Security in Technology