Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks are often confused with vulnerabilities, so please try to be sure that the attack you are describing is something that an attacker would do, rather than a weakness in an application.
All attack articles should follow the Attack template.
We’re in the process of creating, organizing, and completing the attack articles. If you’d like to help, find some stub articles in this category and fill in the details.
Creating articles for the following topics:
- Unauthorized Access Attempts
- File location guessing (see Guessed or visible temporary file)
- URL Redirection
- … make sure the attack is listed for each vulnerability
Note: many of the items marked vulnerabilities from CLASP and other places are really attacks. Some of the more obvious are:
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term “vulnerability” is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures.
Examples of vulnerabilities:
- Lack of input validation on user input
- Lack of sufficient logging mechanism
- Fail-open error handling
- Not closing the database connection properly
Please do not post any actual vulnerabilities in products, services, or web applications. Those disclosure reports should be posted to bugtraq or full-disclosure mailing lists.
For a great overview, check out the OWASP Top Ten Project. You can read about the top vulnerabilities and download a paper that covers them in detail. Many organizations and agencies use the Top Ten as a way of creating awareness about application security.
What’s an application security principle?
Application security principles are collections of desirable application properties, behaviors, designs and implementation practices that attempt to reduce the likelihood of threat realization and impact should that threat be realized. Security principles are language independent, architecturally neutral primitives that can be leveraged within most software development methodologies to design and construct applications.
Principles are important because they help us make security decisions in new situations with the same basic ideas. By considering each of these principles, we can derive security requirements, make architecture and implementation decisions, and identify possible weaknesses in systems.
The important thing to remember is that in order to be useful, principles must be evaluated, interpreted, and applied to address a specific problem. Although principles can serve as general guidelines, simply telling a software developer that their software must “fail securely” or that they should do “defense in depth” won’t mean that much.
Some proven application security principles
- Apply defense in depth (complete mediation)
- Use a positive security model (fail safe defaults)(minimize attack surface)
- Fail securely
- Run with least privilege
- Avoid security by obscurity (open design)
- Keep security simple (verifiable)(economy of mechanism)
- Detect intrusions (compromise recording)
- Don’t trust infrastructure
- Don’t trust services
- Establish secure defaults (psychological acceptability)
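To make three of these principles concrete (use a positive security model, fail securely, detect intrusions) and to show the "fail-open error handling" vulnerability listed above as code, here is an added example; it is not OWASP's own code. The `PolicyStore`, `is_allowed_fail_open` and `is_allowed_fail_closed` names and the role/action data are constructed for illustration. The first check uses a deny list and grants access on any error path; the second grants only explicitly listed actions, denies on every error path, and records each decision so that an outage or probing is visible in the log.

```python
# Added example (not OWASP's own code): the same access-control decision written
# two ways, to make "fail-open error handling" and "fail securely" concrete.
# PolicyStore and the is_allowed_* functions are illustrative, not a real library.
from __future__ import annotations

from dataclasses import dataclass, field


class PolicyLookupError(Exception):
    """Raised when the policy backend cannot be consulted."""


@dataclass
class PolicyStore:
    """Constructed in-memory policy backend standing in for a database or service."""
    allow: dict[str, set[str]] = field(default_factory=dict)   # role -> permitted actions
    deny: dict[str, set[str]] = field(default_factory=dict)    # role -> forbidden actions
    available: bool = True                                      # flip to False to simulate an outage

    def allowed_actions(self, role: str) -> set[str] | None:
        if not self.available:
            raise PolicyLookupError("policy store unreachable")
        return self.allow.get(role)          # None when the role is not configured

    def denied_actions(self, role: str) -> set[str] | None:
        if not self.available:
            raise PolicyLookupError("policy store unreachable")
        return self.deny.get(role)


def is_allowed_fail_open(store: PolicyStore, role: str, action: str) -> bool:
    """Negative security model with fail-open error handling (the weakness).

    Access is granted unless a deny rule is found, so an unknown role, an
    unlisted action or a backend outage all silently become "allow".
    """
    try:
        denied = store.denied_actions(role)
    except PolicyLookupError:
        return True                 # outage -> allow: fail-open
    if denied is None:
        return True                 # role not configured -> allow
    return action not in denied


def is_allowed_fail_closed(store: PolicyStore, role: str, action: str,
                           audit: list[str]) -> bool:
    """Positive security model that fails securely and records every decision.

    Only explicitly granted actions pass; any error path or unconfigured role
    is denied, and the denial is logged (compromise recording).
    """
    try:
        allowed = store.allowed_actions(role)
    except PolicyLookupError as exc:
        audit.append(f"DENY role={role} action={action} reason=policy-error:{exc}")
        return False                # outage -> deny: fail securely
    if allowed is None:
        audit.append(f"DENY role={role} action={action} reason=unknown-role")
        return False                # fail-safe default
    decision = action in allowed
    audit.append(f"{'ALLOW' if decision else 'DENY'} role={role} action={action}")
    return decision


def demo() -> dict[str, tuple[bool, bool]]:
    """Run both checks over constructed cases; returns {case: (fail_open, fail_closed)}."""
    store = PolicyStore(
        allow={"viewer": {"read"}, "admin": {"read", "write", "delete"}},
        deny={"viewer": {"write", "delete"}},
    )
    audit: list[str] = []
    cases = {
        "viewer reads":        ("viewer", "read"),
        "viewer deletes":      ("viewer", "delete"),
        "viewer exports":      ("viewer", "export"),      # action nobody listed anywhere
        "unknown role writes": ("intern", "write"),       # role nobody configured
    }
    results = {name: (is_allowed_fail_open(store, r, a),
                      is_allowed_fail_closed(store, r, a, audit))
               for name, (r, a) in cases.items()}
    store.available = False                               # simulate the backend going down
    results["viewer reads during outage"] = (
        is_allowed_fail_open(store, "viewer", "read"),
        is_allowed_fail_closed(store, "viewer", "read", audit),
    )
    return results


if __name__ == "__main__":
    for name, (open_, closed) in demo().items():
        print(f"{name:28s} fail-open={str(open_):5s} fail-closed={closed}")
```

The two versions agree on the cases the policy author thought about (a viewer reading, a viewer deleting) and diverge on everything nobody wrote a rule for: the unlisted "export" action, the unconfigured "intern" role, and the backend outage are all granted by the fail-open check and denied by the fail-closed one. That divergence is exactly why "fail securely" and a positive model are listed as principles rather than left to case-by-case judgement.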