Saturday, Sep 04, 2010
Login

TOP 25 Most Dangerous Programming Errors

Posted by gladwing in Missse Stuffs Tuesday, 2 March 2010 05:22 No Comments

The Top 25 Programming Errors are listed below in three categories:

Programming Error Category: Insecure Interaction Between Components

[1] CWE-79: Failure to Preserve Web Page Structure (‘Cross-site Scripting’)

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications…If you’re not careful, attackers can…MORE >>

[2] CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)

If attackers can influence the SQL that you use to communicate with your database, then they can…MORE >>

[4] CWE-352: Cross-Site Request Forgery (CSRF)

With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim…MORE >>

[8] CWE-434: Unrestricted Upload of File with Dangerous Type

You may think you’re allowing uploads of innocent images…MORE >>

[9] CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)

When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers…MORE >>

[17] CWE-209: Information Exposure Through an Error Message

If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data…MORE >>

[23] CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)

While much of the power of the World Wide Web is in sharing and following links between web sites, typically there is…MORE >>

[25] CWE-362: Race Condition

Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable…MORE >>

Programming Error Category: Risky Resource Management

[3] CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

Buffer overflows are Mother Nature’s little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you’re…MORE >>

[7] CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

While data is often exchanged using files, sometimes you don’t intend to…MORE >>

[14] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)

Not a lot of Top 25 weaknesses are unique to a single programming language, but that just goes to show how special this one is. The idea…MORE >>

[12] CWE-805: Buffer Access with Incorrect Length Value

A popular insult is: “Take a long walk off a short pier.” One programming equivalent for this… MORE >>

[13] CWE-754: Improper Check for Unusual or Exceptional Conditions

Security-wise, it pays to be cynical. If you always expect the worst…MORE >>

[15] CWE-129: Improper Validation of Array Index

If you’ve allocated an array of 100 objects or structures, and an attacker provides an index that is…MORE >>

[16] CWE-190: Integer Overflow or Wraparound

In the real world, 255+1=256. But to a computer program, sometimes 255+1=…MORE >>

[18] CWE-131: Incorrect Calculation of Buffer Size

In languages such as C, where memory management is the programmer’s responsibility, there are many opportunities for error…MORE >>

[20] CWE-494: Download of Code Without Integrity Check

You don’t need to be a guru to realize that if you download code and execute it, you’re trusting that the source of that code isn’t malicious. But attackers can perform all sorts of tricks…MORE >>

[21] CWE-770: Allocation of Resources Without Limits or Throttling

If someone calls in and places an order for a thousand pizzas (with anchovies) to be delivered immediately, you’d quickly put a stop to that nonsense. But…MORE >>

Programming Error Category: Porous Defenses

[5] CWE-285: Improper Access Control (Authorization)

If you don’t ensure that your software’s users are only doing what they’re allowed to, then attackers will try to exploit your improper authorization and…MORE >>

[6] CWE-807: Reliance on Untrusted Inputs in a Security Decision

Driver’s licenses may require close scrutiny to identify fake licenses, or to determine if a person is using someone else’s license. Software developers…MORE >>

[10] CWE-311: Missing Encryption of Sensitive Data

If your software sends sensitive information across a network, such as private data or authentication credentials, that information…MORE >>

[11] CWE-798: Use of Hard-coded Credentials

Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers…MORE >>

[19] CWE-306: Missing Authentication for Critical Function

In countless action movies, the villain breaks into a high-security building by crawling through heating ducts…MORE >>

[22] CWE-732: Incorrect Permission Assignment for Critical Resource

If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world – well, that’s just what they’ll become…MORE >>

[24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm

You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers…MORE >>

Top 10 JavaScript Frameworks

Posted by gladwing in Ajax, Javascript Thursday, 25 February 2010 04:45 2 Comments

1. jQuery: The Write Less, Do More, JavaScript Library

jQuery is a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development. jQuery is designed to change the way that you write JavaScript.

jQuery is really a new kind of JavaScript library, you can write less but do more; maybe jQuery is the JavaScript framework that have the biggest collection of plug-ins and add-ons. Some things you should know:

  • Current version: 1.4.2
  • Size: 24 KB (Minified and Gzipped) and 155 KB (Uncompressed Code)
  • Author: John Resig
  • Tutorials in 19 languages: 183 (data on 19 October, 2009)
  • Sites in use: 1000+
  • Plugins: 3.493 (data on 19 October, 2009)
  • Easy to learn
  • Support designers very well, by using CSS syntax
  • A lots of nice and lovely extensions
  • Great community, maybe largest
  • Used by millions of website and well known companies like Google, DELL, CBS, NBC, DIGG, Bank og America, WordPress, Drupal, Mozilla etc…

2. MooTools – a compact javascript framework

MooTools is a compact, modular, Object-Oriented JavaScript framework designed for the intermediate to advanced JavaScript developer. It allows you to write powerful, flexible, and cross-browser code with its elegant, well documented, and coherent API.

MooTools code respects strict standards and doesn’t throw any warnings. It’s extensively documented and has meaningful variable names: a joy to browse and a snap to understand.

  • Current version: 1.2.4
  • Uncompressed Size: 65 KB (client) and 23 KB (server)
  • Author: Valerio Proietti
  • Using: w3c, cnet, bing, …
  • Plugins on Official site: 4
  • Better OOP structure
  • The animations are smoother
  • The syntax and the handle of elements are more logical

3. Prototype: Easy Ajax and DOM manipulation for dynamic web applications

  • Lastest version: 1.6.1
  • Uncompressed Size: 136 KB
  • Creator: Sam Stephenson
  • Using: NASA, CNN, NBC, …
  • Plugins: 150+
  • Better for the big web apps, give you many choices to write custom code

4. Dojo Toolkit: great experiences for everyone
Unbeatable JavaScript Tools
Dojo saves you time, delivers powerful performance, and scales with your development process. It’s the toolkit experienced developers turn to for building great web experiences.

  • Lastest version: 1.4
  • Compressed Size: 26 KB (closely 5.000 code lines)
  • Foundation: Dojo Foundation
  • Dojo Users: AOL, IBM, Sun, …
  • Client-side data storage
  • Server-side data storage
  • Asynchronous communication

5. script.aculo.us: easy-to-use, cross-browser user interface JavaScript libraries

6. ExtJS: Cross-Browser Rich Internet Application Framework

ExtJS is a very cool cross-browser JavaScript framework for helping you build rich web applications, support all modern web browsers. Plus plenty of plugins and extensions, your ExtJS based web applications become more attractive by features such as well designed, documented and extensible Component model, high performance, easy-customizable UI widgets, …

7. UIZE: supporting widgets, AJAX, DOM, templates, and more

8. YUI Library: is proven, scalable, fast, and robust

UI is one of the biggest JavaScript frameworks in this list. YUI has all things to help you build interactive web applications using techniques such as DOM scripting, DHTML and AJAX by a set of powerful utilities and controls. YUI has countless powerful features, plugins, extensions that take you the very long time to learn.

9. Archetype

  • Lastest version: 0.10.0 (September 2009)
  • Size of package: 2.14 MB
  • Creator: Temsa & Swiip
  • In use: GifTeer, Meteo France, …

10. qooxdoo: the new era of web development

What’s qooxdoo? That’s great and powerfull JavaScript framework to create rich internet applications (RIAs) by taking the advantages of object-oriented JavaScript. qooxdoo includes a platform-independent development tool chain, a state-of-the-art GUI toolkit and an advanced client-server communication layer. It is open source under an LGPL/EPL dual license.