http://simonwillison.net/2018-08-06T22:02:39+00:00Simon Willison2018-08-06T22:02:39+00:002018-08-06T22:02:39+00:00https://simonwillison.net/2018/Aug/6/owasp-csrf/#atom-tag

<p><strong><a href="https://nvisium.com/blog/2017/11/30/owasp-top-10-2007-2017-the-fall-of-csrf.html">OWASP Top 10 2007-2017: The Fall of CSRF</a></strong></p> I was surprised to learn recently that CSRF didn’t make it into the 2017 OWASP Top 10 security vulnerabilities (after featuring almost every year since the list started). The credited reason is that web frameworks do a good enough job protecting against CSRF by default that it’s no longer a top-ten problem. Defaults really do matter. <p>Tags: <a href="https://simonwillison.net/tags/csrf">csrf</a>, <a href="https://simonwillison.net/tags/owasp">owasp</a>, <a href="https://simonwillison.net/tags/security">security</a></p>

2009-01-24T23:58:44+00:002009-01-24T23:58:44+00:00https://simonwillison.net/2009/Jan/24/xss/#atom-tag

<p><strong><a href="https://www.owasp.org/index.php?title=XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a></strong></p> Comprehensive set of rules for avoiding XSS—there’s a bit more to it than just escaping all output variables, since you have to take markup context in to account. <p>Tags: <a href="https://simonwillison.net/tags/markup">markup</a>, <a href="https://simonwillison.net/tags/owasp">owasp</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/xss">xss</a></p>

2003-02-08T23:53:25+00:002003-02-08T23:53:25+00:00https://simonwillison.net/2003/Feb/8/hashingClientsideData/#atom-tag

<p>Via <a href="http://radio.weblogs.com/0103807/2003/02/08.html#a1323" title="PHP and OWASP Security">Scott</a>, a clever <acronym title="PHP: Hypertext Preprocessor">PHP</acronym> technique for ensuring data sent to the browser as a cookie or hidden form variable isn't tampered with by the user:</p> <blockquote cite="http://www.sklar.com/page/article/owasp-top-ten"><p> If you're expecting to receive data in a cookie or a hidden form field that you've previously sent to a client, make sure it hasn't been tampered with by sending a hash of the data and a secret word along with the data. Put the hash in a hidden form field (or in the cookie) along with the data. When you receive the data and the hash, re-hash the data and make sure the new hash matches the old one. </p></blockquote> <p>A further explanation and example code can be found in <a href="http://www.sklar.com/page/article/owasp-top-ten">PHP and the OWASP Top Ten Security Vulnerabilities</a>, a handy article describing how <acronym title="PHP: Hypertext Preprocessor">PHP</acronym> coders can combat the top ten web application security problems highlighted by a recent report from <a href="http://www.owasp.org/">OWASP</a>. Incidentally, <acronym title="The Open Web Application Security Project">OWASP</acronym> still haven't fixed the cross site scripting vulnerability <a href="http://www.owasp.org/%3Cscript%3Ealert(%22boo%22)%3C/script%3E">on their own site</a>, discovered by <a href="http://tom.me.uk/blog/">Tom Gilder</a> several weeks ago.</p> <p>Incidentally, while the hashing method is clever and should be nice and secure I personally advocate not sending the user <em>any</em> information unless absolutely necessary - use sessions and store sensitive data on the server instead. I suppose you could always use the hash to add an extra layer of security to the session identifier though.</p> <p>Tags: <a href="https://simonwillison.net/tags/hashing">hashing</a>, <a href="https://simonwillison.net/tags/owasp">owasp</a>, <a href="https://simonwillison.net/tags/php">php</a>, <a href="https://simonwillison.net/tags/scott-johnson">scott-johnson</a>, <a href="https://simonwillison.net/tags/security">security</a></p>

2002-11-24T21:19:55+00:002002-11-24T21:19:55+00:00https://simonwillison.net/2002/Nov/24/owaspGuide/#atom-tag

<p>The <a href="http://www.owasp.org/">Open Web Application Security Project</a> (<acronym title="Open Web Application Security Project">OWASP</acronym>) have a <a href="http://www.owasp.org/guide/" title="About the OWASP Guide">free guide</a> to building secure web applications, which covers a large range of common problems such as cross site scripting and <acronym title="Structured Query Language">SQL</acronym> injection vulnerabilities. The report is a 60 page <acronym title="Portable Document Format">PDF</acronym> and although I haven't had time to go through it yet it looks like an excellent read.</p> <p>Tags: <a href="https://simonwillison.net/tags/owasp">owasp</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/sql-injection">sql-injection</a></p>