Posts
Stage 1. Automation Auditing
Stage 2. Manual Auditing
Automation Tools:-
1. AppScan
2. Scando
3. Acunetix
etc..
Manual Testing Tools:-
1. Burp Suite
2. IE Tamper
3. Achilles
etc..
How to prevent via coding ? [Project should implement the following points]:-
Auto Completion for important controls like password
Salted hash for password fields
Sanitization to all the input controls
Browser Refresh [use captcha]
Steal Password via Refresh or back button [use redirection, clear cache]
Session Fixation [ use new session id before/after login ]
Brute Force [use captcha]
Guessing UserID
Always clear Browser cache
Insecure direct object reference [ in search result screens, avoid give action link with pk id ]
CSRF
Downloading Secure File [ dont take a path from parameter ]
Inproper Error Handling [use proper tr{} catch{}, move to custom error page]
XSS [use sanitization, check server side validation (type,size,input data) ]
SQL Injection [use sanitization]
Cross Account Access
Privileged Escalation
Login Trail
Audit Trail
Forgot Password [use security question, captcha, send a mail link to change password (one time link) ]
etc..
Stage 2. Manual Auditing
Automation Tools:-
1. AppScan
2. Scando
3. Acunetix
etc..
Manual Testing Tools:-
1. Burp Suite
2. IE Tamper
3. Achilles
etc..
How to prevent via coding ? [Project should implement the following points]:-
Auto Completion for important controls like password
Salted hash for password fields
Sanitization to all the input controls
Browser Refresh [use captcha]
Steal Password via Refresh or back button [use redirection, clear cache]
Session Fixation [ use new session id before/after login ]
Brute Force [use captcha]
Guessing UserID
Always clear Browser cache
Insecure direct object reference [ in search result screens, avoid give action link with pk id ]
CSRF
Downloading Secure File [ dont take a path from parameter ]
Inproper Error Handling [use proper tr{} catch{}, move to custom error page]
XSS [use sanitization, check server side validation (type,size,input data) ]
SQL Injection [use sanitization]
Cross Account Access
Privileged Escalation
Login Trail
Audit Trail
Forgot Password [use security question, captcha, send a mail link to change password (one time link) ]
etc..
No comments:
Post a Comment