Common Security flaws

Through out my software development experience I found following common security pitfalls:

1. Relying on web browser supports, for example disabled, readonly or hidden html fields.
Some sites, (for example: spaces.live.com) keep user name inside a read only text field. Using FireBug or other DOM editor, anyone can alter those text fields.

2. Only JavaScript based content validation.
At anytime user can disable javascript feature. Keep security restriction support from server side.
3. No server side content sanitizing and validation
if you are missing server side data sanitizing and validation, it would worth a huge lost, when some people will introduce database injection or other problem.

4. If any button is used for single purpose, it should be disabled or hidden after performing its task.
Otherwise user may click on that button once again, perhaps that button will hit an unexpected server hit. Save server side hit. 🙂

5. Incase of own managed session, every session should commit to suicide after a certain life time. After session dead, every session ID must be invalidated.
Otherwise, user may use previous session id to perform any spamming.

6. Limit your controller to “POST” only.
All form submission and data changes request will be performed over “POST” request. And all data retrieval request will be performed over “GET” method.

7. Releasing product without proper security test.
Perform and verify all probable security pitfalls and development limitation, before opening for public.

8. Asynchronize ajax request for each function.
All functionality should be synchronized to perform each request. For example, a pipe can be used to handle one function, another pipe for handling another function. So whenever user double clicks on any button or function. It will wait until previous function is completed.

pipe process Functional pipe process

That’s all for today 🙂

Advertisements

One response to “Common Security flaws

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

my tweets

January 2007
S S M T W T F
« Dec   Feb »
 12345
6789101112
13141516171819
20212223242526
2728293031  

Flickr Photos

RSS my shared links on google reader

  • An error has occurred; the feed is probably down. Try again later.
%d bloggers like this: