Re: Auditing Code (security wise)

Posted by Dave_L on 1197242711
As promised, here are my notes:

Notes from SPI Dynamics workshop, Richmond, VA, 2007-04-17

This free workshop was obviously intended to encourage people to buy SPI Dynamics' web security products. But the presenter, Brett Sagenich (brett.sagenich AT spidynamics DOT com), was a security engineer, not a salesman, and he provided much information of general use. His point was that web applications present numerous potential security vulnerabilities. He demonstrated actual techniques used by attackers. The reason that he discussed these details is that while they can all be addressed by proper software design, this is very labor-intensive, while SPI Dynamics' tools perform automated detection for these vulnerabilities.

Specific vulnerabilities discussed:

1. Extraneous files such as readme's, documentation, old files
- Provides info to attackers
- Old versions of scripts may have unpatched security issues.

2. Unvalidated user input

3. Visible error messages
- May reveal information useful to attackers
- Software in use
- File system paths
- Variation in error messages in response to an attacker's input can guide him.

4. SQL injection
- iterative (trial and error)
- with error messages
- blind (based on displayed output or presence/absence of output)

5. Session hijacking
- Exploit spoofable session ID, customer ID, etc.

6. XSS (or CSS, cross-site scripting)


I can elaborate on some of these items, if there are questions. I know that "Unvalidated user input" is a problem often encountered with XOOPS.


By the way, here's a good reference I found on this topic: Open Web Application Security Project (OWASP)
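As an added illustration of items 2, 3 and 4 above (this is example code written here, not part of Dave_L's notes or the SPI Dynamics workshop), the following Python/sqlite3 snippet puts a string-built query next to its parameterized form and shows how a fixed error message keeps database errors out of the response. The table and rows are constructed sample data.

```python
import sqlite3

SERVER_LOG = []  # stand-in for a server-side log file


def make_db():
    """Constructed sample data: an in-memory users table with two rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return db


def lookup_vulnerable(db, name):
    """Item 2/4: unvalidated input concatenated into SQL is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, name):
    """Bound parameter: the input travels as data and cannot change the statement."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def handle_request(db, name, lookup=lookup_safe):
    """Item 3: one fixed error message for the client; details go only to the log."""
    try:
        return {"ok": True, "rows": lookup(db, name)}
    except sqlite3.Error as exc:
        SERVER_LOG.append(str(exc))  # e.g. "unrecognized token" stays server-side
        return {"ok": False, "message": "Request failed"}


if __name__ == "__main__":
    db = make_db()
    # A stray quote changes the query when concatenated, but is just a name when bound.
    print(lookup_vulnerable(db, "' OR '1'='1"))  # every row
    print(lookup_safe(db, "' OR '1'='1"))        # no rows
    print(handle_request(db, "x'", lookup_vulnerable), SERVER_LOG)
```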
