EP21 – Web Application Security 101
This week Arlo, Erick and Ryan talk about what they think every entry level developer should know about web application security and the minimal amount of effort that should be taken when developing. Keep in mind, there is much much more information out there about different types of web security vulnerablilities. This list is just a friendly discussion between developers and sharing experiences and knowledge with entry level developers.
Download: Direct Link
Itunes: itunes link
Who’s going to want to hack me?
- NOT WHO BUT HOW: Welcome to the world of robot
- scrapping. what you looking for?
- lots of automated tools
- lots online databases:
- exploit-db.com
- Automating form submissions
- Mail highjacking
- Unicode exploits (IE)
- XSS
- Persistent
- Non-Persistent
- Shell exploits
- SQL injections (BIGGEST ONE)
- SECURITY THROUGH OBSCURITY IS NOT SECURITY
What can I do as a Developer
- SQL Injections
- input sanitation
- DO
- mysql_real_escape_string
- look into prepared statements
- do it based on connection to database
- DON’T
- addslashes, etc…
- trust user input
- even if it is stored in database
- XSS
- Input sanitation
- Persistent
- Non-persistent
- Unicode Bugs (UTF8) (Erick?)
- PHP (mb_ functions)
- Shell exploits (Ryan?)
- vulnerable
- exec
- shell_exec
- system
- proc_open
- passthru
- “ – backticks
- protection
- escapeshellcmd
- escapeshellarg
