that looks vuln

common (web) application security issues,

and how to mitigate them

injection attacks

Allowing user input to leak to somewhere where it will be interpreted as code.

mandatory XKCD 327 link:


Username: "drevil' OR '1' = '1"

SELECT * FROM users WHERE is_admin = '1' AND name = 'drevil' OR '1' = '1';


injection attacks: mitigation

Validate all external input.

Only allow exactly the kind of values you expect.

Disallow common "dangerous" characters,

enforce a maximum length.

Always use context-aware escaping on output

SQL-safe escapes for sql,

HTML-safe escape for html etc.

There is no one-size-fits-all here.
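The "drevil" login from the slides, as an added example that is not part of the original deck: the string-built query lets the quote in the username end the literal, while the parameterized version keeps the whole input as data. The table contents and the allowlist regex are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows (assumption, not from the slides): is_admin stored as text.
USERS = [("alice", "1"), ("bob", "0"), ("drevil", "0")]

# Input validation as the slides describe it: only the shape we expect, with a length cap.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username):
    """Allowlist check: lowercase letters, digits, underscore, at most 32 chars."""
    return bool(USERNAME_RE.fullmatch(username))


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def admin_lookup_vulnerable(conn, username):
    """String concatenation: the input is interpreted as SQL, not as a name."""
    sql = "SELECT name FROM users WHERE is_admin = '1' AND name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def admin_lookup_parameterized(conn, username):
    """Parameter binding: the driver passes the value separately from the query text,
    so a quote or OR inside the username is just part of the compared string."""
    sql = "SELECT name FROM users WHERE is_admin = '1' AND name = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# The username from the slides; AND binds tighter than OR, so the concatenated
# query becomes (is_admin = '1' AND name = 'drevil') OR ('1' = '1') and matches every row.
PAYLOAD = "drevil' OR '1' = '1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", admin_lookup_vulnerable(db, PAYLOAD))    # every user
    print("parameterized:", admin_lookup_parameterized(db, PAYLOAD)) # no match
    print("validated    :", validate_username(PAYLOAD))              # False
```

Both defences from the slides are shown: the allowlist rejects the input before it reaches the database, and the parameterized query stays correct even if validation is skipped.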

Buffer overflow/invalid pointers

Very common coding mistake in languages with no safety guarantees

Use a safe language

(although it is not a guarantee, you might still use libraries/third-party tools that are vulnerable)

Impose explicit size limits in APIs
(there are most likely implicit ones anyway)

no crypto

Sensitive data should be encrypted.

If it is stored encrypted, it should be transmitted encrypted.

There is no good performance reason to not use SSL everywhere. 

Think "why should this be in cleartext",
not the other way around

incorrectly used crypto

Worse than no crypto, now the attacker knows where the sensitive data is.


unsalted passwords

broken random numbers in initialization

Tor with an exit relay instead of end-to-end encryption


Don't roll your own.

Use NaCl or similar

WRONG crypto: mitigation

Don't roll your own!

Use high-level, well-known and trusted packages like

error handling

information leakage 

Sending too much data in errors back to clients can reveal important information to an attacker.

(But don't overdo it, if done right, it can be perfectly fine to say why an error happened)

no/Broken access control

Lock down sensitive endpoints

Don't put session keys in URLs, where they might get logged

Negotiate per-session secrets

Implement timeouts for sessions

cross site scripting


Injected JavaScript can take control of a user's actions on a vulnerable website


Prevent injection at both input and output

Use CSP headers


Cross Site Request Forgery

Assuming that a logged-in browser can be trusted


   <img src="">

CSRF mitigation

Secret tokens in all requests (hidden form value)


Automatic logout

keep up to date

OWASP top 10 list

Watch CCC Security Nightmares,

don't repeat the mistakes of others

By cortex
