Ver Mensaje Individual
  #35 (permalink)  
Antiguo 04/02/2013, 13:52
webankenovi
Invitado
 
Mensajes: n/a
Puntos:
Respuesta: seguridad web

TOP 10 OWASP

1 - Injection - https://www.owasp.org/index.php/Top_10_2010-A1
2 - Cross-Site Scripting (XSS) - https://www.owasp.org/index.php/Top_10_2010-A2
3 - Broken Authentication and Session Management - https://www.owasp.org/index.php/Top_10_2010-A3
4 - Insecure Direct Object References - Insecure Direct Object References - https://www.owasp.org/index.php/Top_10_2010-A4
5 - Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Top_10_2010-A5
6 - Security Misconfiguration - https://www.owasp.org/index.php/Top_10_2010-A6
7 - Insecure Cryptographic Storage - https://www.owasp.org/index.php/Top_10_2010-A7
8 - Failure to Restrict URL Access - https://www.owasp.org/index.php/Top_10_2010-A8
9 - Insufficient Transport Layer Protection - https://www.owasp.org/index.php/Top_10_2010-A9
10 - Unvalidated Redirects and Forwards - https://www.owasp.org/index.php/Top_10_2010-A10


testing

https://www.owasp.org/index.php/OWAS...le_of_Contents


De la A a la Z

A

Account lockout attack
Asymmetric resource consumption (amplification)

B

Binary planting
Blind SQL Injection
Blind XPath Injection
Brute force attack
Buffer overflow attack

C

Cache Poisoning
Cash Overflow
Code Injection
Command Injection
Comment Injection Attack
Content Security Policy
Content Spoofing
CORS OriginHeaderScrutiny
CORS RequestPreflighScrutiny
Cross Frame Scripting
Cross Site History Manipulation (XSHM)
Cross Site Tracing
Cross-Site Request Forgery (CSRF)
Cross-site Scripting (XSS)
Cross-User Defacement
Cryptanalysis


C cont.

CSRF
Custom Special Character Injection

D

Denial of Service
Direct Dynamic Code Evaluation ('Eval Injection')
Direct Static Code Injection
Double Encoding

E

Execution After Redirect (EAR)

F

Forced browsing
Format string attack
Full Path Disclosure

H

HTTP Request Smuggling
HTTP Response Splitting

I

Inyección SQL

L

LDAP injection

M

Man-in-the-browser attack
Man-in-the-middle attack
Mobile code: invoking untrusted mobile code
Mobile code: non-final public field
Mobile code: object hijack

O

One-Click Attack
Overflow Binary Resource File

P

Page Hijacking
Parameter Delimiter


P cont.

Path Manipulation
Path Traversal

R

Regular expression Denial of Service - ReDoS
Relative Path Traversal
Repudiation Attack
Resource Injection

S

Server-Side Includes (SSI) Injection
Session fixation
Session hijacking attack
Session Prediction
Setting Manipulation
Special Element Injection
Spyware
SQL Injection

T

Traffic flood
Trojan Horse

U

Unicode Encoding

W

Web Parameter Tampering
Windows ::DATA alternate data stream

X

XPATH Injection
XPATH Injection Java
XSRF


RECOMENDACIONES


nunca confiar en los usuarios
hasear contraseñas
autenticacion de usuarios
autorizacion usuarios niveles
Mensajes de error deben ser genéricos.no dar informacion (en ninguna pagina)
token formularios
habilitar captcha en formularios
Siempre inicializar las variables
consultas sql preparadas y saneamiento de datos
Restringir permisos a usuario de MySQL u otra base de datos
seguridad de puertos
proteger directorios .htaccess
nombres de tus archivos y carpetas delicados esten en lugares no muy previsibles
verificar codigo
realizar testing auditoria de tu codigo fuzzing

-----------------------------------
| aRmAtE dE vAlOr PaRa UnA dUrA bAtAllA |
-----------------------------------

Última edición por webankenovi; 04/02/2013 a las 14:01