Web Application Security
VESARiA Web Application Security Model
The VESARiA Web Application Security Model is the result of intensive research by VESARiA into web application vulnerabilities and weaknesses. It pinpoints how web applications are exploited and shows how secure web applications defend themselves. While the details of the model are proprietary, its top-level breakdown is presented here.
- Access Control
  - Access Control Mechanism & Implementation
  - Minimal Unauthenticated Access
  - Authentication Mechanism
  - Brute Force
  - Authentication Token (Prediction & Fixation)
- Transport
  - Cryptography & Randomness
  - Confidentiality
  - Authenticity: Modification, Insertion, and Deletion
- Information Leakage
  - Willful Leakage
    - Error Messages
    - Timing & Delays
  - Data Leakage
    - HTTP Headers
    - HTML Source: Comments, Scripts, Forms & URLs
- Manipulation
  - Trust
    - Input Validation
    - Session & State
  - Low Level Manipulation
    - Memory Overwrites
    - Race Conditions
  - High Level Manipulation
    - File Names
    - Parse Manipulations
    - Insertion: SQL, Shell & Other
    - Access Rights & Business Rules
  - Manipulation of Users
    - Output Manipulation (Cross Site Scripting)
    - Input Manipulation: URLs, Cookies & Requests
- Administration
  - External Components
    - Network Infrastructure: DNS, Routers & Firewalls
    - Host Machines & Software
    - Client PCs & LANs
    - User Knowledge & Awareness
  - Robustness
    - Redundancy & Fault Tolerance
    - Least Privilege & Privilege Separation
    - Least Trust
    - Logging & Monitoring
    - Attack Detection & Intrusion Detection
    - Update Capability
- Denial of Service
  - Resource Exhaustion
  - Limit Exhaustion
  - Protocol Violation
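To make one item of the breakdown concrete, the following is an added example (written for this page, not VESARiA's model or code) for "Authentication Token (Prediction & Fixation)" under Access Control. A session store that hands out sequential identifiers and accepts a client-supplied identifier at login is placed next to one that draws identifiers from a CSPRNG and rotates the identifier when the user authenticates. The class and function names, the starting counter, and the two user names are illustrative assumptions.

```python
import hmac
import secrets


class WeakSessionStore:
    """Illustrative vulnerable store: sequential ids (Prediction) and
    acceptance of a client-chosen id at login (Fixation)."""

    def __init__(self, start=1000):
        self._next = start  # assumed starting counter, constructed for the demo
        self.sessions = {}

    def login(self, user, sid=None):
        # Fixation: if the client already presents an id (e.g. a cookie an
        # attacker planted in the victim's browser), it is kept and bound to
        # the freshly authenticated user.
        if sid is None:
            sid = f"{self._next:08x}"
            self._next += 1
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def predict_next(observed_sid):
    """Prediction: from any id the attacker obtains for their own session,
    the next id issued to someone else is just counter + 1."""
    return f"{int(observed_sid, 16) + 1:08x}"


class SecureSessionStore:
    """Hardened store: 256-bit random ids and id rotation on login."""

    def __init__(self):
        self.sessions = {}

    def pre_login_session(self):
        # Anonymous session before authentication; id is unguessable.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, user, old_sid):
        # Rotation: any id that existed before authentication (including one
        # an attacker may have set) is discarded, so it never becomes an
        # authenticated session.
        self.sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        # Constant-time comparison so lookup timing does not leak how many
        # leading characters of a guessed id are correct (cf. Timing & Delays).
        for known, user in self.sessions.items():
            if hmac.compare_digest(known, sid):
                return user
        return None


def demo():
    """Runs both attacks against both stores and reports the outcome."""
    weak = WeakSessionStore()
    attacker_sid = weak.login("attacker")
    victim_sid = weak.login("victim")  # issued right after the attacker's
    planted = "deadbeef"  # id the attacker pre-sets in the victim's cookie
    weak.login("victim", sid=planted)

    secure = SecureSessionStore()
    pre = secure.pre_login_session()  # attacker could know this one
    post = secure.login("victim", pre)

    return {
        "weak_prediction_hits": predict_next(attacker_sid) == victim_sid,
        "weak_fixation_hits": weak.whoami(planted) == "victim",
        "secure_pre_login_id_still_valid": secure.whoami(pre) is not None,
        "secure_post_login_id_valid": secure.whoami(post) == "victim",
        "secure_id_rotated": pre != post,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `predict_next` call needs only one identifier the attacker obtained legitimately, which is why sequential or time-derived session ids fail the model's Prediction test regardless of how long they are; the hardened store defeats Fixation not by validating the cookie's format but by refusing to carry any pre-authentication id across the login boundary.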
©2002 VESARiA Network Security Specialists.
This document may be reproduced, in whole or in part, provided
that it is not modified and that proper credit is given.
In addition, if it is made accessible via hypertext, a hyperlink
to VESARiA Network Security
Specialists (http://www.vesaria.com) must be included.
Vesaria
722 Dulaney Valley Road, Suite 192
Towson, MD 21204
443 - 501 - 4044