23 Cards in this Set
- Front
- Back
WHAT IS CWE? |
The MITRE corporation manages the Common Weakness Enumeration (CWE), a community-developed dictionary of software weaknesses. |
The |
Do not log the user’s session ID because this could leak critical authentication data to insiders! |
HINT: USERNAME, IP ADDRESS, TIE ALL LOG ENTRIES FROM A PARTICULAR SESSION TOGETHER |
TIP |
HINT: APP-SPECIFIC SENSITIVE DATA THAT COULD ASSIST AN ATTACKER, E.G. SESSION ID, PERSONAL INFORMATION |
HINT: FRAMEWORKS THAT INCLUDE CONVENIENCE METHODS FOR DEVELOPMENT WHICH LOG COMPLETE REQUESTS, INCLUDING PASSWORDS, CREDIT CARD NUMBERS, SOCIAL SECURITY NUMBERS, ETC. |
HINT: ESAPI, LOGBACK (MARKERS, MAPPED DIAGNOSTIC CONTEXT MDCs, SLF4J) |
One of the earlier attempts at security-centric logging is the OWASP ESAPI project for Java. ESAPI is a security library that includes specific and granular APIs for security-centric logging. Although this project is not necessarily production quality, it still provides a good example of the type of requirements that senior security professionals seek in logging software. |
The goal of ESAPI logging is simple: Provide an API that allows developers to easily make a log entry that includes a timestamp from a reliable source, severity level of the event, an indication that this is a security-relevant event |
P230 |
HINT: DEV LANGUAGE, LIBRARIES, EXACT VERSION OF SERVER, AND POSSIBLE SQL INJECTION VULNERABILITY IN CASE IT'S AN SQL ERROR |
HINT: USE WEB.XML TO SHOW A DEFAULT PAGE FOR UNCAUGHT EXCEPTIONS. |
HINT: |
SQLMAP |
SIMPLE TECHNIQUES FOR XSS |
OWASP ZAP |
HINT: RADIO BUTTONS |
CSRF TOKENS |
HINT: AUTOMATED ATTACKS. LOGIN FORM |
HINT: TEXT FIELD WITH CSS OFF-PAGE FOR AUTOMATED BOTS. |
The OWASP AppSensor project is an open-source framework for real-time attack detection and response. That means your application can actually detect intruders and protect itself! AppSensor performs a similar function to a network layer intrusion detection system, but operates at the application layer. |
DETECTION POINTS |