PHP security and CSRF: http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
http://www.czoot.com/web-security-2/cross-site-request-forgery-malicious-attack/
Get your toolkit in order
Testing can be automated, but the must-have tools for focused manual testing include:
- Paros proxy (http://www.parosproxy.org) for intercepting HTTP traffic
- Fiddler (http://www.fiddlertool.com/fiddler) for intercepting HTTP traffic
- Burp proxy (http://www.portswigger.net/proxy/)
- TamperIE (http://www.bayden.com/dl/TamperIESetup.exe) for modifying GETs and POSTs
Reference: http://technet.microsoft.com/en-us/library/cc512662.aspx
XSS attacks are carried out through the following input sources:
- HTTP referrer objects
- The URL
- GET parameters
- POST parameters
- Window.location
- Document.referrer
- document.location
- document.URLUnencoded
- All headers
- Cookie data
- Potentially data from your own database
References:
- https://www.golemtechnologies.com/articles/prevent-xss
- http://www.webappsec.org/projects/articles/071105.shtml