- Input Validation Failures: Input should be validated both at the client end and at the server end (before any processing). Validating input from both trusted and untrusted sources is important; otherwise a code injection attack may occur. Validation should cover: data type (string, integer), format, length, range, null-value handling, character set, locale, patterns, context, legal values and validity, and so on.
- Output Sanitization: If you display user-entered values, or if the generated output makes significant use of the input values, the user may in some cases be able to relate the output to the input. A user can then supply malicious data that, when displayed, shows a pop-up or an affiliate ad, or breaks the system.
- Buffer Overflow: Some users may try to cause a buffer overflow and thereby break the system; this may be part of a denial-of-service attack. Suppose you have set a NOT NULL table column to size 50 and did not validate the input: data longer than 50 characters may then break the system, depending on the operations and platform. Or a user can simply insert a huge amount of data to eat up your server resources.
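The two items above (validation rules and the length/size limits) come together in one server-side validator. This is an added example in Python, not code from the original notes; the field rules, the 4096-byte request cap and the sample records are constructed for illustration, and the 50-character cap mirrors the column size described above.

```python
import re
from typing import Any, Dict

# Field rules (constructed for this example): type, length or range, format, null handling.
# A real service would derive these from its schema; the 50-character cap mirrors the
# NOT NULL column of size 50 described in the notes.
RULES: Dict[str, Dict[str, Any]] = {
    "username": {"type": str, "nullable": False, "min_len": 3, "max_len": 50,
                 "pattern": re.compile(r"^[A-Za-z0-9_]+$")},
    "email":    {"type": str, "nullable": False, "min_len": 3, "max_len": 254,
                 "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "nickname": {"type": str, "nullable": True, "min_len": 0, "max_len": 50,
                 "pattern": re.compile(r"^[\w .-]*$")},
    "age":      {"type": int, "nullable": False, "min": 0, "max": 150},
}

MAX_REQUEST_BYTES = 4096  # hypothetical per-request cap against resource exhaustion


def within_size_limit(raw_body: bytes, limit: int = MAX_REQUEST_BYTES) -> bool:
    """Reject oversized bodies before parsing them, so they never reach the application."""
    return len(raw_body) <= limit


def validate(record: Dict[str, Any]) -> Dict[str, str]:
    """Return {field: reason} for every violated rule; an empty dict means the record is valid."""
    errors: Dict[str, str] = {}

    # Allowlist: fields the schema does not know are rejected rather than silently passed on.
    for name in record:
        if name not in RULES:
            errors[name] = "unexpected field"

    for name, rule in RULES.items():
        value = record.get(name)

        # Null handling: missing or None is only acceptable where the rule says so.
        if value is None:
            if not rule["nullable"]:
                errors[name] = "required"
            continue

        # Type check. bool is a subclass of int in Python, so True would pass an
        # isinstance(..., int) test unless it is excluded explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors[name] = "expected " + rule["type"].__name__
            continue

        if rule["type"] is str:
            # Length bounds first, then character set / format via an anchored pattern.
            if not rule["min_len"] <= len(value) <= rule["max_len"]:
                errors[name] = "length out of bounds"
            elif not rule["pattern"].fullmatch(value):
                errors[name] = "invalid characters or format"
        else:
            # Numeric range for integer fields.
            if not rule["min"] <= value <= rule["max"]:
                errors[name] = "out of range"

    return errors
```

The size check runs on the raw body before any parsing, which is where resource exhaustion has to be stopped; the field validator then applies the rules in the order the notes list them (null handling, type, length, character set/format, range). Client-side checks can repeat these rules for usability, but the server-side pass is the one that counts.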
- Data Injection Flaw: Here, intruders try to pass SQL queries as part of their data, either to extract useful information or to break your system.
- Cross-Site Scripting (XSS):
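Output sanitization and XSS (the two items above) are the same problem seen from the output side: user-supplied text reaches a browser without being encoded for the context it lands in. The following is an added example in Python, not code from the original notes; the sample name and the `/profile?u=` link target are constructed.

```python
import html
from urllib.parse import quote

# Constructed user-controlled value for the demonstration.
SAMPLE_NAME = '<script>alert("x")</script>'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: raw input lands in HTML, so any markup in it is interpreted by the browser."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Fixed: HTML-encode for the element-content context. quote=True also encodes the two
    quote characters, so the same encoder is safe inside attribute values."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_profile_link_safe(label: str, user: str) -> str:
    """Each output context gets its own encoder: URL-encode the query value,
    HTML-encode the visible label."""
    return f'<a href="/profile?u={quote(user, safe="")}">{html.escape(label, quote=True)}</a>'
```

The point of the third function is that "sanitize the output" means "encode for the exact context": a value inside a URL query string needs percent-encoding, the text between tags needs HTML entity encoding, and applying the wrong one (or none) is what lets the injected pop-up or ad through.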
- Improper Error Handling: On errors such as out of memory, null pointer exceptions, system call failure, database access failure or network timeout, many applications display detailed internal error messages. From those messages (which reveal weak points), attackers may be able to design an attack.
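The leaky handler and its corrected form, as an added example in Python (not code from the original notes). The internal hostname in the test failure is constructed; the `ref` field is a hypothetical support-reference scheme.

```python
import logging
import uuid
from typing import Any, Callable, Dict

log = logging.getLogger("app")


def handle_leaky(operation: Callable[[], Any]) -> Dict[str, Any]:
    """Vulnerable pattern: the raw exception text goes straight back to the client."""
    try:
        return {"ok": True, "result": operation()}
    except Exception as exc:
        return {"ok": False, "error": f"Internal error: {exc!r}"}


def handle_safe(operation: Callable[[], Any]) -> Dict[str, Any]:
    """Fixed: full detail and stack trace stay in the server log under a reference id;
    the client receives only a generic message plus that id for support lookups."""
    try:
        return {"ok": True, "result": operation()}
    except Exception:  # deliberately broad: no internal detail may escape this boundary
        ref = uuid.uuid4().hex[:12]  # hypothetical support-reference id
        log.exception("request failed ref=%s", ref)
        return {"ok": False, "error": "The request could not be completed.", "ref": ref}
```

The reference id is what lets operators correlate a user's complaint with the full server-side log entry, so nothing is lost by hiding the detail from the response.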
- Insecure Data Transit or Storage: Data in storage or in transit that is represented as plain text is vulnerable to attack. Encryption algorithms can help in these situations.
- Weak Session Identifiers: If you assign session identifiers before the user authenticates, or display the session identifier in plain text, attackers may spoof the user's identity and perform harmful business transactions.
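A session store that avoids the weaknesses named above, as an added example in Python (not code from the original notes). It is an in-memory illustration; the `SessionStore` class and its methods are constructed for this example.

```python
import hashlib
import secrets
from typing import Dict, Optional


def weak_session_id(counter: int) -> str:
    """Anti-pattern shown for contrast: sequential ids let anyone who sees one guess the rest."""
    return f"sess-{counter}"


class SessionStore:
    """Issues unguessable tokens only after authentication and keeps only a hash server-side,
    so a leaked session table does not hand out usable identifiers."""

    def __init__(self) -> None:
        self._user_by_hash: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, authenticated: bool) -> Optional[str]:
        if not authenticated:
            return None  # no identity-bearing identifier before authentication
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._user_by_hash[self._digest(token)] = user_id
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._user_by_hash.get(self._digest(token))

    def rotate(self, old_token: str) -> Optional[str]:
        """Replace the token after a privilege change (e.g. login) so any earlier value is useless."""
        user = self._user_by_hash.pop(self._digest(old_token), None)
        if user is None:
            return None
        return self.issue(user, authenticated=True)

    def revoke(self, token: str) -> None:
        self._user_by_hash.pop(self._digest(token), None)
```

The token itself should travel only in a cookie flagged `Secure` and `HttpOnly` over TLS; it must never be printed into page content or URLs, which is the "plain text" exposure the note warns about.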
- Weak Security Tokens:
- Weak Password Exploits: Passwords can often be guessed, observed, or recovered with password-cracking tools that work on data from password files. Strong authentication or multi-factor authentication using digital certificates, biometrics, or smart cards is strongly recommended.
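Where passwords remain in use, the password file should hold salted, slow hashes rather than anything a cracking tool can reverse cheaply. The following is an added example in Python (not code from the original notes); the iteration count and the tiny denylist are constructed placeholders, and multi-factor options are outside its scope.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # constructed cost factor; raise it as hardware gets faster
# Constructed denylist; a real deployment would check a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def is_acceptable_password(password: str) -> bool:
    """Reject the easiest guesses before anything is hashed or stored."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries everything needed to verify later."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, treat as no match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not short-circuit, so timing does not reveal matching prefixes.
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The per-password salt defeats precomputed tables, the iteration count makes each guess expensive for a cracking tool, and storing the parameters alongside the hash lets the cost be raised later without invalidating existing records.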
- Weak Encryption:
- Session Theft:
- Insecure Configuration Data:
- Broken Authentication:
- Broken Access Control:
- Policy Failures:
- Audit and Logging Failures:
- Denial of Service (DoS) and Distributed DoS (DDoS):
- Man-in-the-Middle (MITM):
- Multiple Sign-On Issues:
- Deployment Problems:
- Coding Problems:
From: http://sitestree.com/?p=4886
Categories: Java Short Notes
Post Date: 2013-03-23 01:58:45