It was recently identified, and Amazon was quick (2 days) to fix it, that one of their sites was vulnerable to cross-site scripting. Cross-site scripting is a vulnerability that allows an attacker to control the output in the user's browser. A more detailed look into cross-site scripting can be found on the OWASP site. Take-Aways QA could have found this Understand your input validation routines Check to make sure the proper output encoding is in place in every location user supplied … [Read more...] about Amazon XSS: Thoughts and Takeaways
security
Input Validation: Keep It Simple
Attackers take advantage of an application by manipulating the inputs to the system. For example, a first name field or even a request header like the user-agent. Applications wouldn't be very useful if they didn't accept any input from the end user. Unfortunately, this is the key attack vector. One of the basic techniques used to help protect a system is to us input validation, which assesses the input to determine if it is should be accepted. Many development groups have fought with the … [Read more...] about Input Validation: Keep It Simple
3rd Party CMS Security
One of the easiest ways to get content available on the Internet is to use a 3rd party content management system (CMS). These systems vary and are usually fairly simple to set up. There is no requirement for any technical knowledge and you can have content up and available within minutes in some cases. No need for that pesky HTML coding or web site management. One of the most common CMS platforms is WordPress (https://wordpress.com). Of course there are many other systems available, but it … [Read more...] about 3rd Party CMS Security
Black Lists and White Lists: Overview
I came across an interesting post on twitter the other day (https://twitter.com/suffert/status/567486188383379456) that depicts a sidewalk with a sign indicating what wasn't allowed on the sidewalk. You have seen these before: NO bicycles, skateboards, rollerblades, roller skates, scooters. In the information technology sector, this is known as a black list; a list that defines what is NOT allowed or permitted. You can see black lists all over the place, input validation, output encoding, … [Read more...] about Black Lists and White Lists: Overview
Sensitive Data and Storage Issues
Do you know what constitutes sensitive data in your organization? How about in your state or industry? As developers or business analysts we often do not follow the nitty gritty details of sensitive information regulations or laws. Not that we don't want to enforce them, but often times I think we often just don't know about them. It is often thought that the CIO, CISO or a privacy officer is responsible for understanding our data and to what level it needs to be protected. I completely … [Read more...] about Sensitive Data and Storage Issues
Verizon Email API Insecure Direct Object Reference Thoughts and Takeaways
It was recently announced that there was a flaw identified (and since fixed) in the Verizon API that allowed access to Verizon customer email accounts. The way this worked was that there was an ID parameter with the email account's user ID specified. If a user supplied a different user's ID name, that user's email account would be returned. This is known as an Insecure Direct Object Reference. It was also found that the attacker could not only read another user's email, but also send email … [Read more...] about Verizon Email API Insecure Direct Object Reference Thoughts and Takeaways