By: Darkvengance Date: November 25, 2011
Introduction
Throughout the years, many aspiring programmers and many impressive web applications have surfaced. Though these applications and websites had amazing functionality and were very user-friendly, they all shared one common flaw: a lack of attention to security. For this reason many of them were rejected by the public community, or were even taken offline by malicious attackers. That is why this paper came to be. It will touch on many topics, including good coding practices, insecure hashing and encryption methods, SQL injection, session fixation, cross-site scripting (XSS), file inclusion, and arbitrary command injection. Please remember while reading that PHP will be the primary language referenced; if you use other server-side languages, however, the same concepts still apply. Throughout this writing it is assumed that the reader has a basic working knowledge of PHP, HTML, JavaScript, and MySQL, as well as of the basic workings of web applications (database connections, content presentation, etc.). By the end of this paper you will be equipped with the knowledge of sound coding practices that will allow you to program and develop secure applications, protected against the techniques most widely applied by black-hat crackers and white-hat penetration testers.
Coding Practices
Even the most basic application security, whether web, desktop, server or cloud based, starts with good coding practices. The definition of “good” coding practices varies from programmer to programmer; however, they all revolve around two primary concepts: efficiency and “looks”. The main goal here is to learn the very basics; as everyone has their own way of doing things, you should find what works best for YOU and stick with it. First we'll start with looks. You may be thinking to yourself “who