Tuesday, June 19, 2007

Everything You Always Wanted to Know About Web Application Security - But Were Afraid to Ask

Here is an interesting general document about web application security, the OWASP Application Security FAQ, organised as a list of frequently asked questions: http://www.owasp.org/index.php/OWASP_AppSec_FAQ

It gives good advice on how to design the login process, including a best practice for the "Lost Password" feature, which matters more than ever now that an increasing number of attacks target exactly this feature. One thing I have to add in this context: the lost-password form must not reveal whether the submitted user name exists. Return the same neutral message ("if an account with that name exists, a reset link has been e-mailed to it") whether or not the account is there, and do the real work (generating and mailing the token) only when it is. Otherwise an attacker can use the form to enumerate valid user names, and a list of valid names is all that is needed for the next step, guessing passwords: a password cracker can check 30,000 passwords a minute over the Internet, so the login form also needs throttling or a temporary lockout after repeated failures.
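The following is an added example (plain Ruby, not code from the OWASP FAQ or from this site), showing the two points above side by side: a "lost password" handler that leaks account existence next to one that returns the same message either way, with reset tokens stored as digests, compared in constant time and expired after an hour; and a small per-account throttle that limits online guessing. The user store, mailer callback and limits (5 failures per 300 seconds) are constructed here for illustration.

```ruby
require 'securerandom'
require 'digest'

# Constant-time string comparison, so that the digest check below does not
# leak how many leading bytes matched through response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Generate a random reset token, store only its SHA-256 digest (as you would a
# password) together with an expiry, and hand the raw token back for mailing.
def issue_reset_token!(user, now: Time.now, ttl: 3600)
  token = SecureRandom.urlsafe_base64(32)
  user[:reset_digest] = Digest::SHA256.hexdigest(token)
  user[:reset_expires_at] = now + ttl
  token
end

# Verify a presented token against the stored digest; reject missing or expired tokens.
def reset_token_valid?(user, token, now: Time.now)
  return false if user.nil? || user[:reset_digest].nil?
  return false if user[:reset_expires_at] < now
  secure_equal?(Digest::SHA256.hexdigest(token), user[:reset_digest])
end

# LEAKY: the two branches return different text, so the form doubles as a
# user-name oracle. Kept here only to show the difference.
def leaky_lost_password(users, username)
  user = users[username]
  return 'No account with that user name.' unless user
  issue_reset_token!(user)
  'A reset link has been sent to your e-mail address.'
end

# SAFE: identical message whether or not the account exists; the token is only
# generated and mailed (via the injected mailer callback) for a real account.
def safe_lost_password(users, username, mailer)
  user = users[username]
  if user
    token = issue_reset_token!(user)
    mailer.call(user[:email], token)
  end
  'If an account with that user name exists, a reset link has been e-mailed to it.'
end

# Per-account throttle: after MAX_ATTEMPTS failed logins within WINDOW seconds,
# further attempts on that account are refused until the window has passed.
class LoginThrottle
  MAX_ATTEMPTS = 5   # illustrative limit
  WINDOW = 300       # seconds

  def initialize
    @failures = Hash.new { |h, k| h[k] = [] }
  end

  def allowed?(username, now: Time.now)
    @failures[username].reject! { |t| t < now - WINDOW }
    @failures[username].size < MAX_ATTEMPTS
  end

  def record_failure(username, now: Time.now)
    @failures[username] << now
  end
end

if __FILE__ == $0
  # Constructed in-memory user table standing in for the application's users.
  users = { 'alice' => { email: 'alice@example.com', reset_digest: nil, reset_expires_at: nil } }
  outbox = []
  mailer = ->(address, token) { outbox << [address, token] }

  puts leaky_lost_password(users, 'nobody')          # reveals that 'nobody' does not exist
  puts safe_lost_password(users, 'nobody', mailer)   # same text as for 'alice' below
  puts safe_lost_password(users, 'alice', mailer)
  puts "mails sent: #{outbox.size}"                  # only the real account got mail

  throttle = LoginThrottle.new
  5.times { throttle.record_failure('alice') }
  puts "login allowed after 5 failures? #{throttle.allowed?('alice')}"
end
```

In a Rails application the same shape applies: the controller action renders one flash message for every outcome, the token digest and expiry live on the user record, and the throttle state is kept somewhere shared between server processes rather than in a per-process hash as in this example.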

BTW, I'm glad that LoginSugar, the popular login system generator, has seen a security update after I published several security issues here. If you use it, please download the new version, which is now also compatible with Rails 1.2.


Reader Comments (165)

Heiko, thanks for the reminder about the OWASP faq.

One list people might not be aware of is the OWASP Top Ten, which is a top-10 list of common vulnerabilities in 2007. Heiko, if you want an idea for articles, how about a series of articles on how to avoid each one when writing Rails apps.

June 20, 2007 | Unregistered Commenter Dan Kubb

Dan, I have a link to the Top Ten on the right side of the first page.

I'm actually planning to write such a document for the OWASP, you'll be hearing about it in July ...

June 20, 2007 | Unregistered Commenter Heiko

Hi,

I found a related story on this here:

Security CENTRAL Forum
http://www.SCForum.info

July 3, 2007 | Unregistered Commenter niki

Thanks for publishing all the info & pointers. I'm just getting going on my first real RoR application, and this is a great help.

July 18, 2007 | Unregistered Commenter Bill Barnard
