Posted to users@tapestry.apache.org by Gareth <g0...@yahoo.co.uk> on 2006/12/01 10:32:12 UTC

Web Security concerns

Hi,

Slightly off topic of "tapestry", but I recently came across a document I thought was really useful at highlighting all the potential issues with a website.  It's quite long, but, if like me you haven't had to worry much about security on your web projects before - e.g. a non-public application, then it's a good reference source.

Personally, I found the easiest way of attacking it was to scan through it from front to back, which is quicker than you might think (I covered just short of 200 pages in about an hour).

http://www.owasp.org/index.php/OWASP_Guide_Project

Kind Regards

Gareth Deli

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: Web Security concerns

Posted by Sam Gendler <sg...@ideasculptor.com>.
I haven't read that document, but I think a discussion of security
within Tapestry is definitely in order, as it has some pretty
significant security vulnerabilities which are never even mentioned in
the docs.  The fact that so much state is stored in the client page by
default really leaves the app open to manipulation by a malicious
client.  You can change true and false values on the client side and
cause paths to execute during rewind that you should have absolutely
no access to.  Of course, you can make those conditionals volatile,
but most people seem to be unaware of (or at least not bothered by)
this vulnerability.  Personally, it scares the hell out of me, as it
is all too easy to leave yourself wide open to a security breach or
corruption problem.

--sam


On 12/1/06, Gareth <g0...@yahoo.co.uk> wrote:
> Hi,
>
> Slightly off topic of "tapestry", but I recently came across a document I thought was really useful at highlighting all the potential issues with a website.  It's quite long, but, if like me you haven't had to worry much about security on your web projects before - e.g. a non-public application, then it's a good reference source.
>
> Personally, I found the easiest way of attacking it was to scan through it from front to back, which is quicker than you might think (I covered just short of 200 pages in about an hour).
>
> http://www.owasp.org/index.php/OWASP_Guide_Project
>
> Kind Regards
>
> Gareth Deli
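To make Sam's point concrete, here is an added illustration (not from either poster) of the weak and corrected forms of a Tapestry 4 template: the `If` component normally records its condition in the form's hidden state, so the value the server sees during rewind is whatever the client submitted; `volatile="true"` keeps the condition out of client state and re-evaluates it on the server. The page properties `currentUserIsAdmin` and `newRole` and the listener `onSubmit` are hypothetical names chosen for the example.

```html
<!-- Weak form (example only): the If component's condition is stored in the
     form's hidden state.  A client that edits that hidden value before
     submitting can make the guarded TextField "exist" during rewind, and the
     server will happily read and apply newRole for a non-admin user. -->
<form jwcid="@Form" listener="listener:onSubmit">
  <span jwcid="@If" condition="ognl:currentUserIsAdmin">
    Role: <input jwcid="@TextField" value="ognl:newRole"/>
  </span>
  <input type="submit" value="Save"/>
</form>

<!-- Corrected form (example only): volatile="true" tells the If component not
     to persist its condition in the client page.  On rewind the condition is
     re-evaluated from server-side state (currentUserIsAdmin is a hypothetical
     page property), so a tampered hidden field no longer chooses the branch.
     The onSubmit listener should still re-check authorization itself; the
     template-level guard is defence in depth, not the only control. -->
<form jwcid="@Form" listener="listener:onSubmit">
  <span jwcid="@If" condition="ognl:currentUserIsAdmin" volatile="true">
    Role: <input jwcid="@TextField" value="ognl:newRole"/>
  </span>
  <input type="submit" value="Save"/>
</form>
```

The same consideration applies to any Tapestry component whose parameters are written into the client page: treat what comes back on rewind as untrusted input, and derive authorization decisions from server-side session state rather than from values round-tripped through the browser.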
