Entry Level

EP21 – Web Application Security 101

12 Sep, 2012


This week Arlo, Erick and Ryan talk about what they think every entry level developer should know about web application security, and the minimum amount of effort that should go into it when developing. Keep in mind that there is much, much more information out there about the different types of web security vulnerabilities. This list is just a friendly discussion between developers, sharing experiences and knowledge with entry level developers.

Download: Direct Link

iTunes: iTunes link

Who’s going to want to hack me?

  • NOT WHO BUT HOW: Welcome to the world of robots
    • scraping: what are you looking for?
    • lots of automated tools
    • lots of online databases
  • Automating form submissions
    • Mail hijacking
    • Unicode exploits (IE)
    • XSS
      • Persistent
      • Non-Persistent
    • Shell exploits
    • SQL injections (BIGGEST ONE)

What can I do as a Developer?

  • SQL Injections
    • input sanitation
    • DO
      • mysql_real_escape_string
      • look into prepared statements
      • do it based on the connection to the database
    • DON’T
      • addslashes, etc…
      • trust user input
        • even if it is stored in the database
  • XSS
    • Input sanitation
    • Persistent
    • Non-persistent
  • Unicode Bugs (UTF8) (Erick?)
    • PHP (mb_ functions)
  • Shell exploits (Ryan?)
    • vulnerable
      • exec
      • shell_exec
      • system
      • proc_open
      • passthru
      • ` – backticks
    • protection
      • escapeshellcmd
      • escapeshellarg
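As an added example (not from the episode or its hosts), here is the vulnerable pattern next to the hardened one for two of the points above, SQL injection and shell exploits, in PHP. It assumes a PDO connection in `$db`; the function names and the sample request value are this example's own.

```php
<?php
// Added example, not from the episode: vulnerable vs. hardened patterns
// for SQL injection and shell command injection. Assumes a PDO connection
// $db already exists; function names here are hypothetical.

// --- SQL injection --------------------------------------------------
// Vulnerable: user input is concatenated straight into the SQL text, so
// any quote or SQL syntax in the value becomes part of the statement.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement. The value travels separately from the
// SQL text, so the database never parses it as SQL. This is the "based
// on the connection to the database" option from the notes, and it
// removes the need to escape at all (addslashes is not a substitute).
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Shell exploits -------------------------------------------------
// Vulnerable: the host goes onto the command line unquoted, so shell
// metacharacters in the value are interpreted by the shell.
function pingUnsafe(string $host): string {
    return (string) shell_exec("ping -c 1 " . $host);
}

// Hardened: validate the shape of the value first, then escapeshellarg()
// wraps it in single quotes and escapes embedded quotes, so the whole
// value reaches ping as exactly one argument.
function pingSafe(string $host): string {
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException("invalid host name");
    }
    return (string) shell_exec("ping -c 1 " . escapeshellarg($host));
}

// Constructed request value for illustration; never trust it as-is.
$host = $_GET['host'] ?? 'example.com';
echo pingSafe($host);
```

The same rule applies to every function in the "vulnerable" list above (exec, system, proc_open, passthru, backticks): build the argument with escapeshellarg after validation, and use escapeshellcmd only when the whole command string, not a single argument, must be neutralised.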

