OWASP

A 16-post collection

OWASP Top 10 for .NET developers part 6: Security Misconfiguration

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] If your app uses a web server, a framework, an app platform, a database, a network or contains any code, you’re at risk of security misconfiguration. So that would be all of us then. The truth is, software is complex business. It’s not so much that the practice of writing code is tricky (in fact I’...

OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF)

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] If you’re anything like me (and if you’re reading this, you probably are), your browser looks a little like this right now: A bunch of different sites all presently authenticated to and sitting idly by waiting for your next HTTP instruction to update your status, accept your credit card or email...

OWASP Top 10 for .NET developers part 4: Insecure direct object reference

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Consider for a moment the sheer volume of information that sits out there on the web and is accessible by literally anyone. No authentication required, no subversive techniques need be employed, these days just a simple Google search can turn up all sorts of things. And yes, that includes content wh...

OWASP Top 10 for .NET developers part 3: Broken authentication and session management

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Authenticating to a website is something most of us probably do multiple times every day. Just looking at my open tabs right now I’ve got Facebook, Stack Overflow, Bit.ly, Hotmail, YouTube and a couple of non-technology forums all active, each one individually authenticated to. In each case I trust...

OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS)

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] In the first post of this series [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html] I talked about injection and of most relevance for .NET developers, SQL injection. This exploit has some pretty severe consequences but fortunately many of the common practices employed wh...

OWASP Top 10 for .NET developers part 1: Injection

This content is now available in the Pluralsight courses "OWASP Top 10 Web Application Security Risks for ASP.NET" and "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] There’s a harsh reality web application developers need to face up to; we don’t do security very well. A report from WhiteHat Security [http://www.slideshare.net/jeremiahgrossman/whitehat-security-8th-website-security-statistics-report] last year reported “83%...