Top 10 web development mistakes leading to security vulnerabilities

Top 10 web development mistakes leading to security vulnerabilities

Simon Slavin-3
This article gives details and pointers to examples.  The final list has not yet been announced, but this is about a late draft.


"Every few years, the Open Web Application Security Project releases its Top 10 list of the 10 biggest web development mistakes that often lead to security vulnerabilities. Nice idea. But many of the items on the list haven't changed since the 2013 and 2010 reports. In other words, we're still screwing up."

In just the last ten years I’ve seen four from the draft list involving SQLite:

1: injection
4: broken access control
8: cross-site forgery
10: exposing underprotected APIs

If you include other SQL engines I think I’ve seen all ten at least once, though many vulnerabilities appeared all in the same design, including one which accidentally allowed SQL commands to be encoded into the URL (/a la/ Little Bobby Tables).

Because the above makes me look holier-than-thou, I admit to doing one of them myself.  For about two years one of my maintenance tools checked to see that it was being accessed from a DNS address /including/ "" when it should have checked for an address /ending/ in "".  Had that system been big, important, or well-known someone might have figured that out.

Be careful what you expose to the web, folks.  Don’t be a fool.  Wrap your tool.

sqlite-users mailing list
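The hostname mistake described in the post above, as an added example that is not part of the original message: the flawed "contains" test beside the "ends with" test it should have been. The trusted domain is a placeholder, since the post does not name it.

```python
# Added example, not code from the original post. TRUSTED_DOMAIN is a
# placeholder; the post does not say which domain the tool checked for.
TRUSTED_DOMAIN = "example.com"


def flawed_check(hostname: str) -> bool:
    """The mistake: any name that merely *contains* the domain passes,
    including a name under someone else's domain such as
    example.com.evil.test."""
    return TRUSTED_DOMAIN in hostname.lower()


def correct_check(hostname: str) -> bool:
    """Accept the trusted domain itself, or a name that ends with it at a
    label boundary ("." + domain), so "notexample.com" is rejected too.
    A trailing dot, as a reverse-DNS answer may carry, is tolerated.
    Note: a reverse-DNS name is only as trustworthy as the lookup; it should
    be forward-confirmed before any access decision rests on it."""
    h = hostname.lower().rstrip(".")
    return h == TRUSTED_DOMAIN or h.endswith("." + TRUSTED_DOMAIN)


# Constructed sample names, labelled with the decision the correct check gives.
CONSTRUCTED_CASES = [
    ("tools.example.com", True),
    ("example.com", True),
    ("tools.example.com.", True),       # trailing dot from reverse DNS
    ("example.com.evil.test", False),   # contains the domain, wrong suffix
    ("notexample.com", False),          # right suffix, wrong label boundary
]


def audit() -> dict:
    """Return which constructed names each check would have admitted."""
    return {
        "flawed": [h for h, _ in CONSTRUCTED_CASES if flawed_check(h)],
        "correct": [h for h, _ in CONSTRUCTED_CASES if correct_check(h)],
    }


if __name__ == "__main__":
    for name, accepted in audit().items():
        print(name, accepted)
```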