- OWASP Top 10
- Web Security: Are You Part Of The Problem?
- Common Security Mistakes in Web Applications
- Inside the Twisted Mind of the Security Professional
Specific Types of Vulnerabilities
SQL Injection
- a special case of code injection
- SQL Injection (Wikipedia)
- OWASP Injection
- SQL Injection Attacks by Example
- Google News: “SQL injection”
- xkcd: “Exploits of a Mom”
Cross-site scripting (XSS)
- Cross-site scripting (Wikipedia)
- OWASP Cross-Site Scripting
- XSS game
- Google News: “XSS”
- Alternatives to user-entered HTML: Markdown, Textile, WikiCreole, other Lightweight markup languages. But make sure you don't allow XSS with these: some are insecure by default.
- Or consider an HTML sanitizer like Bleach or HTML Purifier.
- Insufficient Authentication
- OWASP Insecure Direct Object References
- Missing Function Level Access Control
- OWASP Broken Authentication and Session Management
- Threat classification: Credential and Session Prediction
- HTTPS is more secure, so why isn’t the Web using it?
Insecure Data Storage
- OWASP Sensitive Data Exposure
- You're Probably Storing Passwords Incorrectly
- Cache on Delivery: mining memcached for sensitive data
Cross-Site Request Forgery (CSRF)
Updated Mon Aug. 30 2021, 07:36 by ggbaker.