[thelist] beefing up site security

Ken Schaefer Ken at adOpenStatic.com
Wed Sep 6 00:37:03 CDT 2006


: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Sarah Adams
: Sent: Wednesday, 6 September 2006 5:44 AM
: To: thelist at lists.evolt.org
: Subject: Re: [thelist] beefing up site security
: 
: >> I get an email from the site including details of the page request if
: >> "illegal" user input is detected.
: >
: > No offence but unless it is a very good system it might not be reliable.
: 
: Hence my desire to beef up security - I'm wondering if there are bad
: requests that might be getting through. I think I've covered the usual
: suspects, but I want to be sure.

What if there is a bug in one of your validation routines? That is why it is
almost impossible to be "sure" that nothing bad is getting through, because
there are very few ways that you can be sure that your code has no bugs.
People used to laugh at IIS vulnerabilities, but the URL Canonicalization
attacks that were used were reasonably sophisticated (relying on multiple
levels of encoding, non-ASCII characters etc).

You probably want to look at the OWASP (Open Web Application Security
Project) Guide to get a good idea of the threats that you face, and best
practices in mitigating them. Common threats include SQL Injection,
Cross-Site Scripting, session hijacking etc.
http://www.owasp.org/index.php/OWASP_Guide_Project

OWASP also has a mailing list currently hosted at www.securityfocus.com (the
same place that BugTraq is hosted).

Cheers
Ken
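Added example (not from Ken's mail or from OWASP): the point about canonicalization attacks is that a validator which inspects the raw request string can be fooled by input that only becomes dangerous after decoding. The Python below, with function names and sample inputs that are my own constructions, contrasts a naive substring check with one that first decodes percent-encoding until the value stops changing, folds Unicode compatibility forms (NFKC), and normalises path segments, then applies the rule to the canonical form. It also shows the cap-and-reject rule for input that keeps changing under repeated decoding.

```python
import posixpath
import unicodedata
from urllib.parse import unquote

# Upper bound on decode passes; real input stabilises in one or two.
MAX_DECODE_ROUNDS = 5


def canonicalize(raw: str) -> str:
    """Return the canonical form of a user-supplied relative path.

    1. Percent-decode repeatedly until the value no longer changes.
    2. Apply NFKC so compatibility characters (e.g. fullwidth '.') fold
       to their ASCII equivalents.
    3. Collapse '.' and '..' segments with posixpath.normpath.
    Raises ValueError if the value is still changing after the cap, which
    is treated as hostile rather than guessed at.
    """
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("input did not stabilise after repeated decoding")
    value = unicodedata.normalize("NFKC", value)
    return posixpath.normpath(value)


def naive_is_safe(raw: str) -> bool:
    """The kind of check the thread worries about: looks at raw text only."""
    return ".." not in raw and not raw.startswith("/")


def is_safe_relative_path(raw: str) -> bool:
    """Validate against the canonical form, not the raw request string."""
    try:
        canon = canonicalize(raw)
    except ValueError:
        return False
    # Reject absolute paths and anything that climbs above the base dir.
    if canon.startswith("/") or canon == ".." or canon.startswith("../"):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request log.
    samples = [
        "images/logo.png",          # ordinary request
        "images/./logo.png",        # harmless dot segment
        "%252e%252e/config",        # '..' hidden behind two encoding layers
        "\uff0e\uff0e/config",      # fullwidth dots, folded by NFKC to '..'
    ]
    for s in samples:
        print(f"{s!r:28} naive={naive_is_safe(s)!s:5} canonical={is_safe_relative_path(s)}")
```

The naive check accepts the last two inputs because the literal `..` never appears in the raw string; the canonicalising check rejects them because the rule is evaluated after decoding and normalisation. That ordering (decode, normalise, then validate) is the practical answer to "what if there is a bug in my validation routine": the routine is only ever applied to one representation.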