13 Things a Web Application Attacker Won’t Tell You

September 30, 2009
Dan Cornell

I saw a great blog post the other day titled “13 Things a Burglar Won’t Tell You” and it got me thinking.  Here at Denim Group we train a lot of folks in secure development techniques and we still run into a lot of persistent misconceptions that just won’t go away because of developers’ assumptions about what attackers can and will do. Some of these may seem basic, but we still see them over and over.

So here they are – 13 things a web application attacker won’t tell you.

1.    Just because you moved something from being a GET parameter to a POST parameter so I couldn’t see it in the URL bar doesn’t mean that I don’t know it is there.  And it also doesn’t mean I can’t change it.  (Download WebScarab if you disagree)

2.    Just because you put something in a hidden FORM parameter doesn’t mean I can’t find it.  Or change it.  See #1.

3.    Ditto for cookies.  See #1.

4.    Validating things on the client side with JavaScript doesn’t prevent me from submitting whatever the heck I want.

5.    I love it when you say “That would never happen in production.”

6.    I really love it when you say “An attacker would never do that.”

7.    I really hate strong server side input validation.

8.    That page with the detailed error message – my job would be way harder without it.

9.    Most of those “Guaranteed Secure!” banners you put on your site only serve to tell me you don’t understand the first thing about security.

10.  That web application scanner you ran – it didn’t find everything.  Not even close.

11.  That network scanner you ran – it didn’t even start testing the security of your application.

12.  I understand AJAX (or fancy, new technology “XYZ”) better than you do.

13.  The more clever you think you are – the better I feel.

Anybody else have some favorite things web application attackers won’t tell you?

PS – See the follow up article: 5 More Things a Web Application Attacker Won’t Tell You

 

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from denimgroup’s posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Categories: Information Security Security Programs Web Application Security

2 Responses to “13 Things a Web Application Attacker Won’t Tell You”

  1. Gert Wallis

    My name is Sucker’;DROP Table Users;

  2. Spirovski Bozidar

    Here is anotherone

    “I love when you leave your subversion folders in your published web application”

    Spirovski Bozidar
    http://www.shortinfosec.net

Leave a Reply

Your email address will not be published. Required fields are marked *