AppSec Blog: Category - defense

Weekly Roundup of @Risk Web Application Vulnerabilities

@RISK: The Consensus Security Vulnerability Alert October 28th, 2010 Vol. 9. Week 44 Web Application - Cross Site Scripting 10.44.25 - sNews "snews.php" Cross-Site Scripting and HTML Injection Vulnerabilities 10.44.26 - IBM Tivoli Access Manager for e-business … Continue reading Weekly Roundup of @Risk Web Application Vulnerabilities


Some Thoughts About Passwords

Passwords don't work. Any password has a finite chance of being guessed. A good password is just less likely to be guessed than a simple password. But a strong password is not necessarily the one with many weird characters but the one that is least likely to be guessed. Continue reading Some Thoughts About Passwords


Top 25 Series - Rank 17 - Integer Overflow Or Wraparound

The author discusses integers, wraparound and how random numbers may very much be non-random if you don't know how to read the manual. Continue reading Top 25 Series - Rank 17 - Integer Overflow Or Wraparound


Top 25 Series - Rank 16 - Information Exposure Through an Error Message

Error messages can leak everything from full path names to passwords. A user should never be exposed to them, unless you expect them to fix the problem for you. Continue reading Top 25 Series - Rank 16 - Information Exposure Through an Error Message


Top 25 Series - Rank 8 - Unrestricted Upload of Dangerous File Type

File uploads are a hard problem, and it is no surprise that they made it into the top 25 list. We covered some of the tactical issues in allowing file uploads in an earlier blog. This blog discusses how to use the SDL to your advantage to avoid some of the risks. Continue reading Top 25 Series - Rank 8 - Unrestricted Upload of Dangerous File Type