This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "User:Neil Smithline"
| Line 13: | Line 13: | ||
Everything below this line is test wiki markup and should be ignored. | Everything below this line is test wiki markup and should be ignored. | ||
| + | <div style=" | ||
| + | background-image: linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | background-image: -o-linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | background-image: -moz-linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | background-image: -webkit-linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | background-image: -ms-linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| − | [[ | + | background-image: -webkit-gradient( |
| + | linear, | ||
| + | left bottom, | ||
| + | left top, | ||
| + | color-stop(0.34, #86E86A), | ||
| + | color-stop(0.97, #CEF5D2) | ||
| + | ); | ||
| + | padding: 5px 10px 5px 10px; | ||
| + | border:2px solid #A1A1A1; | ||
| + | border-radius:15px; | ||
| + | -moz-border-radius:15px; | ||
| + | font-size: 100%; | ||
| + | font-weight: normal; | ||
| + | text-align: left; | ||
| + | line-height: 1em; | ||
| + | position: relative; | ||
| + | "> | ||
| + | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|year=2013|language=en}} | | ||
| + | A1-{{Top_10_2010:ByTheNumbers|1|year=2013|language=en}} | ||
| + | ]] | ||
| + | :Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. | ||
| + | {{Top 10:GrayBoxEnd|year=2013}} | ||
| − | {{ | + | <hr/> |
| + | {| cellspacing="1" cellpadding="1" border="0" width="100%;" | ||
| + | | style="width: 173px;" | [[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|year=2013|language=en}} | | ||
| + | |||
| + | <div style=" | ||
| + | background-image: linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | background-image: -o-linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | background-image: -moz-linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | background-image: -webkit-linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | background-image: -ms-linear-gradient(bottom, #86E86A 34%, #CEF5D2 97%); | ||
| + | |||
| + | background-image: -webkit-gradient( | ||
| + | linear, | ||
| + | left bottom, | ||
| + | left top, | ||
| + | color-stop(0.34, #86E86A), | ||
| + | color-stop(0.97, #CEF5D2) | ||
| + | ); | ||
| + | border:2px solid #a1a1a1; | ||
| + | padding: 5px 10px 5px 10px; | ||
| + | border-radius:15px; | ||
| + | -moz-border-radius:15px; | ||
| + | font-size: 100%; | ||
| + | font-weight: bold; | ||
| + | text-align: center; | ||
| + | "> | ||
| + | A1-{{Top_10_2010:ByTheNumbers|1|year=2013|language=en}} | ||
| + | {{Top 10:RoundedBoxLinkEnd|year=2013}} | ||
| + | |- | ||
| + | |<div style=" | ||
| + | background-color: #F2F2F2; | ||
| + | border:2px solid #A1A1A1; | ||
| + | padding: 5px 10px 5px 40px; | ||
| + | width: 80%; | ||
| + | margin-left: 10%; | ||
| + | border-radius:15px; | ||
| + | -moz-border-radius:15px; | ||
| + | font-size: 100%; | ||
| + | font-weight: normal; | ||
| + | text-align: left; | ||
| + | line-height: 1em; | ||
| + | position: relative; | ||
| + | "> | ||
| + | Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. | ||
| + | |||
| + | {{Top 10:GrayBoxEnd|year=2013}} | ||
| + | |- | ||
| + | |{{Top 10:RoundedBoxLinkBegin|year=2013|risk=2|language=en}}<br/>A2-{{Top_10_2010:ByTheNumbers|2|year=2013|language=en}} | ||
| + | {{Top 10:RoundedBoxLinkEnd|year=2013}} | ||
| + | |- | ||
| + | |{{Top 10:GrayBoxBegin|year=2013}} | ||
| + | Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. | ||
| + | |||
| + | {{Top 10:GrayBoxEnd|year=2013}} | ||
| + | |- | ||
| + | |{{Top 10:RoundedBoxLinkBegin|year=2013|risk=3|language=en}}<br/>A3-{{Top_10_2010:ByTheNumbers|3|year=2013|language=en}} | ||
| + | {{Top 10:RoundedBoxLinkEnd|year=2013}} | ||
| + | |- | ||
| + | |{{Top 10:GrayBoxBegin|year=2013}} | ||
| + | XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. | ||
| + | |||
| + | {{Top 10:GrayBoxEnd|year=2013}} | ||
| + | |||
| + | |} | ||
Revision as of 22:39, 27 August 2014
Neil Smithline has been writing client-server applications for nearly 20 years. Most recently he has specialized in application server security. Neil contributed to both the Top 10 2007 and Top 10 2010 documents. He was also the Wiki editor for both of them.
For more information about Neil, visit his homepage which includes contact information, a pointer to his resume, his blog, and other tidbits.
If you just wish to send him an email, you can contact him at [email protected] replacing username with neil.smithline.
Everything below this line is test wiki markup and should be ignored.
- Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
|
A1-Injection
|
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. |
|
A2-Broken Authentication and Session Management |
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. |
|
A3-Cross-Site Scripting (XSS) |
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. |
