@zcaceres
Last active April 14, 2017 14:30
web security

Web Security: Defense Against the Dark Arts

  1. Authentication: are they who they say they are?
  2. Communication: transferring data through an untrusted intermediary (the network) without it being read or altered
  3. Authorization: giving resource access only to the right people
  4. Control: avoiding unexpected open-endedness in your app; limiting the capabilities of the agents (users, scripts, third-party code) acting on it

OWASP Top 10 (2013)

  • Injection: untrusted input is interpreted as a command or query by a server-side interpreter (SQL, OS shell, LDAP), giving the attacker server-side code or query execution
  • Broken Authentication and Session Management: flaws in login, session or credential handling allow impersonation of other users
  • XSS: attacker-controlled script runs in other users' browsers within the site's origin (client-side code execution)
  • Insecure Direct Object References: an identifier exposed to the user (id, filename, key) is not access-checked, so guessing or altering it circumvents access control (e.g. private Microsoft documents exposed by guessable shortened share links)
  • Security Misconfiguration: vulnerable default or inherited settings (debug modes, default credentials, directory listing)
  • Sensitive Data Exposure: data is transmitted or stored without adequate protection (no TLS, weak or unsalted password hashing)
  • Missing Function Level Access Control: users can perform actions they should not be allowed to (access to actions rather than data; often checked in the UI but not on the server)
  • XSRF/CSRF: abuses the target website's trust in the victim's browser; because the browser automatically attaches the site's cookies, a page on another origin can make state-changing requests as the logged-in user
  • Using Components with Known Vulnerabilities: insecure third-party libraries and frameworks (Heartbleed in OpenSSL)
  • Unvalidated Redirects and Forwards: open-ended redirect/forward parameters that can be pointed at an attacker's site (phishing)