Biomedical Engineering Reference
In-Depth Information
software. For those particularly interested in this topic, a valuable
resource, including the current OWASP Top 10 list of web application
risks, can be found at the Open Web Application Security Project (OWASP)
website [12].
■
Application allows uploading of malware
Whenever a file is uploaded, at minimum the software should check that it
is the type of file expected (by inspecting its content, not only the name
or extension the uploader supplied) and reject all others. A further step
is to run a virus scan on the file before it is stored or served.
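The content check described above, as an added example that is not part of the original text: the upload is accepted only when the final extension is on an allowlist and the file's leading bytes are the magic number for that type, so an executable renamed to .png or a script named .pdf.exe is rejected. The allowed types, the size limit, the sample uploads and the storage-name scheme are all assumptions for illustration.

```python
"""Added example (not from the original text): accept an uploaded file only
when its extension is on an allowlist AND its content starts with the magic
bytes for that type. The types, size limit and sample files are assumed."""
import os
import secrets

# Assumed upload policy: allowed extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit


def _extension(filename):
    # Strip any directory part the client sent (either separator style) and
    # use only the final extension, so "report.pdf.exe" is judged as ".exe".
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def check_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return (accepted, reason) for an upload with the given name and bytes."""
    if len(data) > max_bytes:
        return False, "file too large"
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, "extension %s not allowed" % (ext or "(none)")
    # The name is attacker-controlled; the content must agree with it.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match %s" % ext
    return True, "ok"


def storage_name(filename):
    """Server-chosen name for an accepted file: a random stem plus the
    validated extension, so the uploader never controls the stored path."""
    return secrets.token_hex(16) + _extension(filename)


# Constructed sample uploads (not real files).
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # genuine PNG header
EXE_AS_PNG = b"MZ\x90\x00" + b"\x00" * 32           # Windows executable renamed .png
PHP_UPLOAD = b"<?php system($_GET['c']); ?>"        # web shell

if __name__ == "__main__":
    for name, data in [("scan.png", PNG_UPLOAD), ("scan.png", EXE_AS_PNG),
                       ("report.pdf.exe", b"%PDF-1.4"), ("shell.php", PHP_UPLOAD)]:
        print(name, check_upload(name, data))
```

Accepted files should be written under the server-chosen name to a directory outside the web root, and the further step the text mentions, a virus scan, is done by handing that stored file to a scanner such as ClamAV before it is made available to other users.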
■
Insufficient account lockout
Repeated failed login attempts against an account should cause it to be
locked out, temporarily or until an administrator intervenes; otherwise an
attacker can keep guessing passwords indefinitely. In addition, once a user
has authenticated and gained access to the system, there should be a method
to log the user out automatically after a set period of inactivity.
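Both controls from this item, as an added example that is not part of the original text: a lockout counter that locks an account after a run of failed logins and releases it after a fixed interval, and a session object that ends itself when the gap between requests exceeds an idle timeout. The thresholds are assumed, and the current time is passed in explicitly so the behaviour can be exercised without waiting.

```python
"""Added example (not from the original text): lock an account after
repeated failed logins and expire a session after a period of inactivity.
Thresholds are assumed; time is passed in explicitly so the logic is testable."""
import time

MAX_FAILED_ATTEMPTS = 5         # assumed: lock after the 5th consecutive failure
LOCKOUT_SECONDS = 15 * 60       # assumed: lock for 15 minutes
IDLE_TIMEOUT_SECONDS = 20 * 60  # assumed: log out after 20 idle minutes


class LoginGuard:
    """Tracks consecutive failed logins per account and locks it out."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self._failures = {}      # user -> consecutive failure count
        self._locked_until = {}  # user -> time the lock expires

    def is_locked(self, user, now=None):
        """Check before verifying the password, so a locked account cannot be guessed at."""
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and start counting afresh.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now=None):
        """Call on a wrong password. Returns True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        """Call on a correct password while not locked: reset the counter."""
        self._failures.pop(user, None)


class Session:
    """An authenticated session that invalidates itself once idle too long."""

    def __init__(self, user, now=None, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.user = user
        self.idle_timeout = idle_timeout
        self.last_seen = time.time() if now is None else now
        self.valid = True

    def touch(self, now=None):
        """Call on every request. Returns False (and ends the session for good)
        when the gap since the previous request exceeded the idle timeout."""
        now = time.time() if now is None else now
        if not self.valid:
            return False
        if now - self.last_seen > self.idle_timeout:
            self.valid = False
            return False
        self.last_seen = now
        return True
```

In a real deployment the failure counts and lock times live in shared storage rather than in-process memory, so that an attacker cannot reset them by hitting a different server, and the lockout response should not reveal whether the account exists.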
■
Unauthorised read access
A common example of this is being able, once given access to a system, to
reach areas that you should not be able to by manually entering a URL.
Every request for a restricted page or resource should be authorised on
the server; hiding a link from the menu is not enough.
■
Cross site framing/scripting
This is when an attacker can use a bug in the site, such as the ability to
inject script or markup into a page, or to load the genuine site inside a
frame the attacker controls, to redirect a user to a website that the
attacker controls. This will usually be made to look like the original
site, and can be used to harvest information such as login IDs and
passwords.
■
Autocomplete not disabled
The system should not offer to remember passwords or similar security
tokens; login forms should carry the autocomplete="off" attribute. Note
that modern browsers may ignore this attribute for password fields, so it
is a defence-in-depth measure rather than a control to rely on.
■
Web server directory indexing enabled
This is often left on by default, and lets an attacker list the contents
of any directory that has no index page, which can give some indication
of where weaknesses exist or where sensitive data may reside. It should be
turned off in the web server configuration (for example, Options -Indexes
in Apache).
■
Sensitive information disclosed in URL
Some web-hosted software will place certain pieces of information,
such as search terms, in a URL (. . . . search=web+site+security+ . . .).
This could be viewed by an attacker if the connection is not secured, and
even over a secured connection the URL is recorded in browser history,
proxy and web server logs, and the Referer header sent to other sites.
Sensitive values should be sent in the request body instead.
■
Verbose error messages
An error message should ideally be written so it is clear to the user that
an error has occurred; however, it should not contain any information
that an attacker may find useful (such as the user's login ID, software