Helpful Links for Web Application Security

Oftentimes, web application developers are faced with the difficult challenge of writing code that directly interfaces with user-submitted data, yet doesn’t compromise the security of the application itself (either in processing the data or in displaying a response based on it). So to help, here are a few links that touch on the subject of identifying and securing possible security liabilities in web application code.
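The display half of that problem is the one most easily shown in code: the application keeps the submitted data intact for processing but encodes it at the moment it is written into the HTML response, so any markup the user typed is rendered as text rather than interpreted. The following is an added example written for this post (it is not code from any of the linked resources); the function names `escapeHtml`, `renderGreeting` and `renderGreetingUnsafe` and the sample display name are all constructed for the illustration.

```javascript
// Added example (not from the original post): encoding user-submitted data
// at the point where it is placed into an HTML response. Plain Node.js, no
// dependencies. All names and sample input below are constructed.

// The five characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode on output, not on input: the stored value stays exactly what the
// user sent (useful for processing), and only its rendering is made inert.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a response fragment that echoes an untrusted display name.
// The encoding happens exactly where the data enters HTML.
function renderGreeting(displayName) {
  return `<p>Welcome back, <b>${escapeHtml(displayName)}</b>!</p>`;
}

// The same fragment with the data interpolated raw: the pattern the post
// warns about, kept here only so the two outputs can be compared.
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome back, <b>${displayName}</b>!</p>`;
}

// Constructed sample input: a display name that happens to contain markup.
const SAMPLE_NAME = 'Ann <i>"the" Admin</i> & co';

// Returns both renderings so the difference can be inspected or tested.
function demo(name = SAMPLE_NAME) {
  return {
    safe: renderGreeting(name),
    unsafe: renderGreetingUnsafe(name),
  };
}

const result = demo();
console.log('encoded: ', result.safe);   // markup shows up as literal text
console.log('raw:     ', result.unsafe); // markup becomes part of the page
```

Checking `result.safe` for the sequence `<i>` is a quick self-test: it must not appear, because the only angle brackets left in the fragment are the ones the application itself wrote. The same discipline applies to every other context the data can land in (attribute values, URLs, script blocks), each of which needs its own encoder; this block covers the HTML body context only.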

1) Google-caja project, Common Attack Vectors

This link gives an excellent breakdown of many methods by which a malicious user may try to break or exploit the page code. Information is given on both the JavaScript level and the DOM/environment/CSS level.

2) OWASP Application Security FAQ

The useful thing about the OWASP application security FAQ is the way it’s written. The topics cover questions a web application developer might actually ask: “Should I really be concerned that my web server can be fingerprinted?” “What is Cross Site Tracing (XST)? How can it be prevented?”

In addition, the answers are informative without being overly technical. It’s almost as if the writers want to point you in the right direction and encourage independent research on each subject, which is a very good thing.

3) Improving Web Application Security: Threats and Countermeasures

This MSDN Library document does an excellent job of outlining the *theory* behind web application security. From “best practices” to “threat modeling”, it covers the multiple tiers and layers of web applications that are often targeted. Although much of the focus is on .NET code, most of the material in this online document applies just as well to other programming languages.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
