Top Security Problems in Programming




Introduction: HTTP GET and POST

– Two HTTP request methods: GET and POST

Two commonly used methods for a request-response between a client and a server are:

— GET: requests data from a specified resource

— POST: submits data to be processed to a specified resource

– The GET Method

— Note that the query string (name/value pairs) is sent in the URL of a GET request:


Some other notes on GET requests:

. GET requests can be cached

. GET requests remain in the browser history

. GET requests can be bookmarked

. GET requests should never be used when dealing with sensitive data

. GET requests have length restrictions

. GET requests should be used only to retrieve data

Note that the query string (name/value pairs) is sent in the HTTP message body of a POST request:

POST /test/demo_form.asp HTTP/1.1

– Some other notes on POST requests:

. POST requests are never cached

. POST requests do not remain in the browser history

. POST requests cannot be bookmarked

. POST requests have no restrictions on data length

Compare GET vs. POST

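The GET/POST difference above, as an added example that is not part of the original page: a small Python parser that takes the name/value pairs from the URL for a GET request and from the message body for a POST, then shows what ends up in the request line that web servers log and browsers keep in history. The two sample requests, the Host header and the name1/name2 fields are constructed for illustration; only the /test/demo_form.asp path comes from the page.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (hypothetical fields, not from the page); only the
# /test/demo_form.asp path appears in the original text.
GET_REQUEST = (
    "GET /test/demo_form.asp?name1=value1&name2=value2 HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)
POST_REQUEST = (
    "POST /test/demo_form.asp HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n\r\n"
    "name1=value1&name2=value2"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path and form fields.
    Fields come from the URL query string for GET and from the form-encoded
    body for POST, which is the difference the notes above describe."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {}
    if method == "GET":
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
    elif method == "POST":
        media_type = headers.get("content-type", "").split(";")[0].strip()
        length = int(headers.get("content-length", "0"))
        if media_type == "application/x-www-form-urlencoded":
            params = {k: v[0] for k, v in parse_qs(body[:length]).items()}
    return {"method": method, "path": url.path, "params": params,
            "request_line": request_line}


def logged_request_line(raw: str) -> str:
    """What access logs, proxy logs and browser history keep: the request
    line only, never the body, so POST fields stay out of them."""
    return parse_request(raw)["request_line"]


def fields_exposed_in_url(raw: str) -> set:
    """Form field names visible in the logged request line (GET exposes them)."""
    target = parse_request(raw)["request_line"].split(" ")[1]
    return set(parse_qs(urlsplit(target).query))
```

Both requests carry the same two fields, but only the GET version leaves them in the request line, which is why the notes say sensitive data should never travel in a GET.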

OWASP Top 10

OWASP: Open Web Application Security Project

The OWASP Foundation is a not-for-profit entity that ensures the project’s long-term success.

Historically, OWASP produces a new Top 10 every 3 years: 2004, 2007, 2010, 2013, 2016/2017 !?

A1- Injection

A2- Broken Authentication and Session Management

A3- Cross-Site Scripting (XSS)

A4- Insecure Direct Object References

A5- Security Misconfiguration

A6- Sensitive Data Exposure

A7- Missing Function Level Access Control

A8- Cross-Site Request Forgery (CSRF)

A9- Using Components with Known Vulnerabilities

A10- Unvalidated Redirects and Forwards



CWE/SANS Top 25 Most Dangerous Programming Errors

• The Common Weakness Enumeration (CWE):

—A formal list of software weakness types

—Sponsored by the National Cyber Security Division in the US Department of Homeland Security

• The SANS (SysAdmin, Audit, Network, Security) Institute

—Established in 1989 as a cooperative research and education organization

• Source:

• Categories of weaknesses:

—Insecure Interaction Among Components (6 errors)

– Related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems

—Risky Resource Management (8 errors)

– Related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources

—Porous Defenses (11 errors)

– Related to defensive techniques that are often misused, abused, or just plain ignored
