Varun Sharma, Application Consulting and Engineering (ACE) Team, Microsoft India
Posted on 31-Dec-2015
Five common flaws:
- Flaw 1: Custom authentication
- Flaw 2: Lack of rule-based authorization
- Flaw 3: Black-list input validation
- Flaw 4: Improper use of crypto
- Flaw 5: App-layer DoS attack
Flaw 1: Custom authentication
Principles:
- Use well-known, time-tested, system-provided methods for authentication.
- Avoid writing custom authentication code.
Flaw 2: Lack of rule-based authorization
Principles:
- Do not rely on the UI for authorization.
- A disabled button is not authorization.
- Consider rule-based authorization in your design.
Flaw 3: Black-list input validation
Principles:
- Validate for valid allowed values (white list).
- If white-list validation is not possible:
  - Encode to prevent XSS.
  - Parameterize to prevent SQL injection.
  - …
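As an added example (not part of the original slide deck), the three principles above in Python: a white-list check for a field whose shape is known, a parameterized query for a free-text field that cannot be white-listed, and output encoding for that same field. The booking-reference pattern, the bookings table and its sample rows are constructed for this example.

```python
import html
import re
import sqlite3

# Allow-list (white list): a booking reference may only ever be 8 uppercase
# letters or digits, so anything else is rejected outright. The pattern and
# field names are constructed for this example.
BOOKING_REF = re.compile(r"[A-Z0-9]{8}")


def validate_booking_ref(value: str) -> str:
    """White-list validation: accept only the exact shape we expect."""
    if not BOOKING_REF.fullmatch(value):
        raise ValueError("booking reference must be exactly 8 uppercase letters/digits")
    return value


def find_bookings(conn: sqlite3.Connection, customer_name: str) -> list:
    """A customer name is free text and cannot be white-listed, so the value
    is passed as a bound parameter; the database never treats it as SQL."""
    cur = conn.execute(
        "SELECT id, customer FROM bookings WHERE customer = ?", (customer_name,)
    )
    return cur.fetchall()


def render_greeting(customer_name: str) -> str:
    """Encode on output so the same free-text name is rendered as text in the
    page rather than interpreted as HTML markup."""
    return "<p>Welcome back, %s</p>" % html.escape(customer_name, quote=True)


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, customer TEXT)")
    conn.executemany(
        "INSERT INTO bookings (customer) VALUES (?)", [("Alice",), ("O'Brien",)]
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(validate_booking_ref("AB12CD34"))   # accepted: matches the allow-list
    print(find_bookings(db, "O'Brien"))       # [(2, "O'Brien")]: quote is just data
    print(render_greeting("<b>O'Brien</b>"))  # markup in the name is escaped
```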
Flaw 4: Improper use of crypto
Not knowing what services are provided by which mechanisms.
For example, what services do digital signatures provide?
Demo
Principles:
- Know what service each mechanism provides.
- Do not implement crypto mechanisms yourself.
- Use system-provided methods.
Flaw 5: App-layer DoS attack
Book movie ticket: Screen 2 for User 1
You have 7 minutes left
Enter payment details:
- Name:
- Credit card number:
- Address:
- …
[Click to Book]