parsonsisconsulting

Parsons Software Security Consulting Blog

Archive for June 2013

OWASP top 10 2013 Introduction

OWASP top 10 2013

https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents

   * A1-Injection

   * A2-Broken Authentication and Session Management

   * A3-Cross-Site Scripting (XSS)

   * A4-Insecure Direct Object References

   * A5-Security Misconfiguration

   * A6-Sensitive Data Exposure

   * A7-Missing Function Level Access Control

   * A8-Cross-Site Request Forgery (CSRF)

   * A9-Using Components with Known Vulnerabilities

   * A10-Unvalidated Redirects and Forwards

We are going to look at the new OWASP Top 10 for 2013, starting with injection and ending with unvalidated redirects and forwards. We will go through each vulnerability and look at the attack vector, the risks, how it is exploited and how to remediate it to protect an application from attackers.

Thanks,

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

Written by mparsons1980

June 27, 2013 at 12:26 pm

Cross Site Scripting and how to remediate

When input isn’t properly validated and encoded, Cross Site Scripting (XSS) is possible. This is when an attacker is able to execute a dynamic script. To prove that a page is vulnerable to XSS I usually just trigger an alert pop-up stating “XSS found by Matt”. A black hat hacker can use this vulnerability to steal the user’s credentials, mount phishing attacks, or mount man-in-the-middle attacks. To remediate this vulnerability, all input needs a whitelist validation scheme that accepts only known-good input, and all output must be encoded to prevent the script from running.
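As an added example (not code from the original post), here are the two remediations named above applied to a page that reflects a user's display name: a whitelist validator, an HTML output encoder, and the vulnerable rendering next to the remediated one. The name pattern and function names are assumptions for illustration.

```javascript
// Added example, not from the original post: whitelist input validation
// plus HTML output encoding for a page that reflects a user's display name.
// The pattern and function names are illustrative assumptions.

// Whitelist: only the characters a display name is expected to contain.
// Anything else is rejected outright rather than "cleaned up".
const NAME_PATTERN = /^[A-Za-z][A-Za-z0-9 .'-]{0,39}$/;

function isValidName(name) {
  return typeof name === 'string' && NAME_PATTERN.test(name);
}

// Output encoding for an HTML text node or quoted attribute value: each
// character that can open a tag, close an attribute or start an entity is
// replaced by its entity, so the browser renders it as text, not markup.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable rendering: untrusted input is concatenated straight into markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Remediated rendering: reject input outside the whitelist, then encode on
// output. Both controls are applied; validation alone would not protect a
// page that later reflects the same value in a different context.
function renderGreetingSafe(name) {
  if (!isValidName(name)) {
    throw new Error('display name rejected by whitelist validation');
  }
  return `<p>Hello, ${encodeHtml(name)}</p>`;
}

// Constructed probe input of the kind the post describes (an alert pop-up).
const PROBE = '<script>alert("XSS found by Matt")</script>';

console.log(renderGreetingUnsafe(PROBE)); // script tag reaches the page as-is
console.log(isValidName(PROBE));          // false: rejected before rendering
console.log(encodeHtml(PROBE));           // rendered as harmless text
```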

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

Written by mparsons1980

June 25, 2013 at 2:27 pm

iPhone programming: getting started

My new passion besides software security is iPhone and Cocoa development. I will guide you through a simple Hello World application.

Written by mparsons1980

June 25, 2013 at 1:37 pm

Why is it important to set the secure attribute on session cookies?

When I do application security assessments I often see the secure attribute not set on session cookies over HTTPS. It is fine for non-sensitive cookies like a language setting not to be set to secure, but something as sensitive as the session cookie needs to be set to secure so that an attacker cannot steal the session or the victim’s cookies and log on as the victim.

Written by mparsons1980

June 25, 2013 at 11:57 am