Questions tagged [owasp]
162 questions
For questions about OWASP products or the practices of the organization. Do not use this tag just because the vulnerability you are asking about is included on the OWASP Top Ten list.

56 votes, 4 answers
Is the OWASP recommendation regarding localstorage still valid?
I am currently working on an application which is a single-page application built with Angular. It is served over HTTPS, using HSTS.
For authentication, we are using Auth0. The Auth0 documentation recommends storing the access token in…
asked by JMK (reputation 2,436; badges 7/27/38)

44 votes, 8 answers
Does an application purely for intranet use by employees need secure software design or to follow OWASP guidelines?
I'm developing an application over an intranet and it is used only by an internal employee. There wouldn't be any external parties involved here and no external communication would be used by the application.
Does it need secure software design in…
asked by Gaming (reputation 541; badges 4/4)

18 votes, 3 answers
Any comments or advice on OWASP-2013 top 10 number A9
In this iteration of the OWASP top 10 application security vulnerabilities list (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), a new category 'A9 Using Components with Known Vulnerabilities' has been introduced. This appears to…
asked by David Scholefield (reputation 1,824; badges 12/21)

16 votes, 6 answers
Securely building a local pentest lab in a VM
I'd like to set up OWASP WebGoat or a similar vulnerable web app in a VM (probably VirtualBox on Linux). For convenience's sake, I'd like to get it running on one of the primary machines I use (say, a laptop with an internet connection). I realize…
asked by jrdioko (reputation 13,011; badges 7/29/38)

16 votes, 5 answers
Application security training for developers
I am trying to establish an application security group within an organization and although there is a plethora of courses for penetration testers, I fail to find an equal amount of training courses for developers / QA testers.
The team I work with is…
asked by Dimitrios Stergiou (reputation 391; badges 3/7)

14 votes, 3 answers
How do I get started using ESAPI WAF?
I've been to the OWASP Enterprise Security API (Java Edition) Google Groups page and found this information missing.
asked by Tim Troy (reputation 341; badges 3/6)

14 votes, 2 answers
Detecting attempts to attack a website?
I am currently trying to implement some recommendations from the OWASP AppSensor Project and I'd like to respond to the attacker when he tries to break into my website.
Is there any resource covering/analyzing specific attack vectors? With specific I…
asked by bretik (reputation 1,840; badges 13/22)

12 votes, 1 answer
Why does OWASP recommend security questions?
I was reading the OWASP Forgot Password Cheat Sheet when I stumbled upon the recommendation to use security questions.
There is even a dedicated page about what information to gather.
Whenever I see such a "feature" on a web site it strikes me as…
asked by theDmi (reputation 395; badges 2/10)

11 votes, 3 answers
Why does OWASP suggest using POST over PUT for file uploads?
When browsing the OWASP security recommendations for file uploads, I ticked reading the following:
"Try to use POST method instead of PUT (or GET!)"
I don't see how one method is better than another from a security perspective. Could someone shed…
asked by Zenklys (reputation 213; badges 2/5)

9 votes, 2 answers
How dangerous are direct references to database keys?
An OWASP note suggests that direct object references are considered insecure in some contexts. They defined "direct object reference" as follows:
"A direct object reference occurs when a developer exposes a reference to an internal implementation…
asked by user2398029 (reputation 93; badges 6)

9 votes, 3 answers
Usefulness of token sidejacking prevention mentioned by OWASP JWT Cheat Sheet
I was just reading through the "Token sidejacking" section of the OWASP JWT Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html#token-sidejacking).
At the moment I don't understand how the recommended…
asked by Chris (reputation 91; badges 2)

9 votes, 5 answers
How do small businesses handle web app security?
Everything on OWASP's top 10 list: how do current small businesses (< 1000 employees) handle web application security, along with mobile security of their applications?
Do they care about info/app security? Do businesses of this size pay for static…
asked by CodeTalk (reputation 193; badges 3)

9 votes, 4 answers
Why hasn't the OWASP Top 10 (web application) changed since 2013, while the Mobile Top 10 is as recent as 2016?
The latest edition of the OWASP Top 10 for web applications was in 2013 and for mobile applications it is 2016. Why is it so?
Can we say that the pattern in web application vulnerabilities is settled? Will the same thing happen to mobile-based applications?
asked by one (reputation 1,781; badges 3/18/45)

8 votes, 1 answer
Some doubts about SQL injection examples: how exactly do they work?
I am a software developer starting to study application security and I have the following doubt related to SQL injection.
I am following a video course and there are these two examples:
I have an insecure SQL query like this:
txtSql = "SELECT * FROM…
asked by AndreaNobili (reputation 235; badges 1/5)

8 votes, 2 answers
Canonicalization & Output Encoding
I'm reading OWASP's Secure Coding Practices Checklist and under their "Input Validation" section they have an item that reads:
If any potentially hazardous characters (<>"'%()&+\\'\") must be allowed as input, be sure you implement additional…
asked by zharvey (reputation 911; badges 3/10/14)