- Top Design Flaws Introduction
- Top Design Flaws Defense In Depth
- Top Design Flaws Separation of Concerns
- Top Design Flaws Single Responsibility
- Top Design Flaws Least Knowledge
- Top Design Flaws Don't Repeat Yourself
- Developer Business Case
- Developer Understanding the Attacker
- Developer The Attack Process
- Trust Nothing
- Developer Threat Modeling
- SDLC Introduction
- Waterfall Model
- Agile Development
- DevOps
- SDLC Conclusion
- Injection
- Broken Authentication
- Session Management
- Sensitive Data Exposure: Insecure Cryptographic Storage
- Sensitive Data Exposure: Insufficient Transport Layer Protection
- XML External Entity (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components With Known Vulnerabilities
- Insufficient Logging and Monitoring
- Classic Issues: Introduction
- Memory Inspection
- Buffer Overflow
- Cross Site Request Forgery
- Improper Error Handling
- Unvalidated Redirects and Forwards
  - Captive portals are a common legitimate use of redirects.
  - Redirect functions should validate the redirect target and warn the user before redirecting.
  - Unvalidated redirects enable convincing phishing attacks: the link appears to point at a trusted site but sends the user elsewhere.
- Insecure Data Storage
  - SQLite databases are not protected on a rooted device; anything stored in them can be read.
  - Don't store usernames and passwords; store a token instead.
- Unintended Data Leakage
  - On iOS, transition screenshots are written to the filesystem and can leak on-screen data.
  - Keyboard autocorrect dictionaries can capture typed answers to security questions.
  - Clipboard caches may retain sensitive data the user copied.
  - Logging failed password attempts (or typos) can write near-correct passwords to the log.
- Broken Cryptography
- Client-Side Injection
- Reverse Engineering
  - needle
  - QARK
  - IDA
  - drozer
  - Hopper
- Cross Site Request Forgery mitigations: OWASP CSRFGuard, an additional unique token beyond the session token, or re-authentication before a significant state change.