Security is a major topic that cannot be ignored. Every application must take this requirement into account. Ippon's new white paper, "Building Secure Web Applications", addresses this subject. Going through the 10 most common vulnerabilities one by one, it not only explains each of them but also describes how to protect against them, or at […]

Description: Known software vulnerabilities are available to everyone on the Internet. If an attacker knows which components you use, he can look up these vulnerabilities and find a way to exploit them. Examples: Somehow, an attacker found out my bank's website uses Apache web server version 1.3.22 on Win32. This version has a critical vulnerability that […]

Description: An attacker causes a request to be sent to a website on which you are authenticated, executing an operation without your explicit approval. Attackers usually use XSS to make you or your browser send this malicious request, but many other flaws exist to achieve the same goal. Examples: Every month, to pay my rent, I authenticate on […]

Description: In a web application with different user roles, authentication is not enough. Each request must be checked against the user's role to ensure the user is authorized to use the requested function or access the requested page. Examples: On my bank's website, the clerk has a link in his navigation bar to manage the client […]

Description: We have seen in the previous articles that an experienced attacker can easily intercept data in transit (e.g. on a public Wi-Fi hotspot) or gain access to data stored in your database (e.g. using SQL injection). If the stolen information is sensitive (passwords, credit card numbers, personal data…), it must be encrypted. Examples: […]

Description: Nowadays, besides the operating system and the JRE, most Java applications are built on third-party frameworks, open-source or proprietary. Moreover, a web application is deployed on an application server (or a servlet container). All these components represent many potential risks that an attacker can exploit if he has enough information on […]