Secure Web 2.0 (& Drupal) Part 6

Tue, 05/26/2015 - 14:11 -- pottol
Drupal CSRF

A7 Missing Functional Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

Drupal approach:

- Menu system uses access callback and access arguments

- Continually review permissions
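As an added example (not code from the original post or from Drupal core), here is how a Drupal 7 module declares its router items so that the access check runs on the server for every request, not just when building links. The module name example_reports, its paths, permission names, table and callbacks are assumptions; user_access(), hook_menu() and hook_permission() are real Drupal 7 APIs.

```php
<?php
// Added example: Drupal 7 hook_menu() with per-path access control.
// Module name, paths, permission names and the {example_reports} table are
// assumptions made for this illustration.

/**
 * Implements hook_permission().
 */
function example_reports_permission() {
  return array(
    'view example reports' => array(
      'title' => t('View example reports'),
    ),
    'administer example reports' => array(
      'title' => t('Administer example reports'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 *
 * Every router item names an access callback and its arguments. The menu
 * system evaluates the callback on each request to the path, so a forged
 * request to a URL that was never linked in the UI still ends in a 403.
 */
function example_reports_menu() {
  $items = array();

  $items['reports/example'] = array(
    'title' => 'Example reports',
    'page callback' => 'example_reports_page',
    // user_access() is core's permission check for the current user.
    'access callback' => 'user_access',
    'access arguments' => array('view example reports'),
  );

  // Weak pattern to avoid: 'access callback' => TRUE grants the path to
  // everyone, including anonymous users, regardless of what the UI shows.

  $items['admin/reports/example/delete/%'] = array(
    'title' => 'Delete report',
    'page callback' => 'drupal_get_form',
    // Path component 4 (the %) is the report id, passed to form and callback.
    'page arguments' => array('example_reports_delete_form', 4),
    'access callback' => 'example_reports_delete_access',
    'access arguments' => array(4),
  );

  return $items;
}

/**
 * Access callback for the delete path: role permission plus an
 * object-level ownership check. Returning FALSE stops the request before
 * the page callback runs.
 */
function example_reports_delete_access($report_id) {
  global $user;
  if (!user_access('administer example reports')) {
    return FALSE;
  }
  // Assumed table {example_reports} with columns rid and uid.
  $owner = db_query('SELECT uid FROM {example_reports} WHERE rid = :rid',
    array(':rid' => $report_id))->fetchField();
  if ($owner === FALSE) {
    return FALSE;
  }
  return (int) $owner === (int) $user->uid || (int) $user->uid === 1;
}

/**
 * Page callback for reports/example.
 */
function example_reports_page() {
  return array('#markup' => t('Example reports listing.'));
}
```

The point for reviewers is the second bullet above: the permission names referenced in 'access arguments' are what an administrator sees on the Permissions page, so when a new path is added the matching permission and its role assignments need to be reviewed at the same time.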


Secure Web 2.0 (& Drupal) Part 5

Tue, 05/26/2015 - 13:52 -- pottol
Encrypt

A5 Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Check the Server Configuration:

- Check the server hardening

- Avoid using FTP
