Professional Documents
Culture Documents
SECURITY
MEMBERS NAME: ANOOSH FATIMA(78)
FIZZA NAVEED( )
AYESHA MUSHTAQ( )
Software Security
Porous defenses.
Software Error Category: Insecure Interaction Between
Components
. Similarly, the Open Web Application Security Project Top Ten list of critical Web
application security flaws includes five related to insecure software code.
. These include unvalidated input ,cross-site scripting, buffer overflow, injection flaws, and
improper error handling.
These flaws occur as a consequence of insufficient checking and validation of data and
error codes in programs.
Awareness of these issues is a critical initial step in writing more secure program code.
Software Security cont ...
Both these sources emphasize the need for software developers to address
these known areas of concern, and provide guidance on how this is done.
Both these sources emphasize the need for software developers to address
these known areas of concern, and provide guidance on how this is done.
A program using such input should confirm that it meets these
assumptions.
Cross-site scripting Attacks
q. Such attacks are known as cross-site scripting (XSS) attacks because they are most
commonly seen in scripted Web applications.
q. The assumption is that all content from one site is equally trusted and hence is permitted
to interact with other content from that site.
Input Size and Buffer Overflow
If it does exceed the size of the buffer, then a buffer overflow
occurs, which can potentially compromise the execution of the
program.
Injection Attacks
The term injection attack refers to a wide variety of program flaws related to invalid
handling of input data.
.Specifically, this problem occurs when program input data can accidentally or
deliberately influence the flow of execution of the program.
In this attack, the user-supplied input is used to construct a SQL request to retrieve
information from a database.
Consider the excerpt of PHP code from a CGI script shown next:
Injection Attacks
<html><head><title>Finger User</title></head><body></html>
<h1>Finger User</h1>
<form method=post action="finger.cgi">
<b>Usernameto finger</b>: <input type=text name=user value="">
<p><input type=submit value="Finger User">
</form></body></html>
Injection Attacks
It uses this value to construct a request to retrieve the records relating to that
name from the database.
The code shown in following figure illustrates the use of a suitable PHP
function to correct this vulnerability.
Injection Attacks