Tuesday, Jun 19, 2007

Everything You Always Wanted to Know About Web Application Security - But Were Afraid to Ask

Here is an interesting general document about web application security, the OWASP AppSec FAQ, a list of frequently asked questions: http://www.owasp.org/index.php/OWASP_AppSec_FAQ

It gives good advice on how to design the login process. It describes a best practice for the "Lost Password" feature, which is especially important these days, as there is an increasing number of attacks based on this feature. One thing I have to add in this context: you should not return a meaningful error message revealing whether the user name given for the lost password existed. An attacker can use this to find valid user names, and did you know that a password cracker can check 30,000 passwords a minute over the Internet?
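To make the point concrete, here is an added Ruby example (not code from the post or from any of the login systems it mentions) that puts a leaky "Lost Password" handler beside one that answers identically whether or not the account exists. The in-memory USERS store and OUTBOX array are constructed stand-ins for a Rails model and mailer.

```ruby
require 'securerandom'

# Constructed in-memory user store and outbox standing in for the Rails
# model and mailer (both are assumptions for this example).
USERS = { 'alice' => { email: 'alice@example.com', reset_token: nil } }
OUTBOX = []

GENERIC_MESSAGE = 'If an account with that name exists, reset ' \
                  'instructions have been sent to its e-mail address.'

# Issues a fresh single-use token and records the "mail" in OUTBOX.
def send_reset_mail(user)
  user[:reset_token] = SecureRandom.hex(16)
  OUTBOX << { to: user[:email], token: user[:reset_token] }
end

# Leaky variant: the message differs depending on whether the account
# exists, so the feature doubles as a user-name oracle.
def lost_password_leaky(username)
  user = USERS[username]
  return "No account named #{username}" unless user
  send_reset_mail(user)
  "Reset instructions sent to #{user[:email]}"
end

# Hardened variant: the same response for every input. Work that only
# happens for real accounts (token, mail) stays invisible to the caller.
def lost_password(username)
  user = USERS[username]
  send_reset_mail(user) if user
  GENERIC_MESSAGE
end
```

The check worth automating is the last one: a request for a known user and a request for a made-up name must produce byte-identical responses.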

BTW, I'm glad that LoginSugar, the popular login-system generator, has received a security update after I published several security issues here. If you use it, please download the new version, which is now also compatible with Rails 1.2.


Reader Comments (165)

Heiko, thanks for the reminder about the OWASP faq.

One list people might not be aware of is the which is a top 10 list for common vulnerabilities in 2007. Heiko, if you want an idea for articles, how about a series of articles on how to avoid each one when writing Rails apps.

June 20, 2007 | Unregistered CommenterDan Kubb

Dan, I have a link to the Top Ten on the right side of the first page.

I'm actually planning to write such a document for the OWASP, you'll be hearing about it in July ...

June 20, 2007 | Unregistered CommenterHeiko

Hi,

I find one related story with this here:

Security CENTRAL Forum

http://www.SCForum.info

July 3, 2007 | Unregistered Commenterniki

Thanks for publishing all the info & pointers. I'm just getting going on my first real RoR application, and this is a great help.

July 18, 2007 | Unregistered CommenterBill Barnard


