Security

Books and Articles

• Web Hacking Exposed
• Essential PHP Security by Shiflett
• How to Break Web Software
• Innocent Code
• Hacker helps applicants breach secuirty...
• HTML Code Injuction and Cross-site scripting
• Acunetix (Commercial)
• Ha.ckers.org

Tools / Online Resources

• Foundstone Free Tools
• Secunia Advisories
• Security focus
• Password Checker
• W3C Security Resources
• SANS - Information Security Training and Certification
• Paros Proxy
• IE HTTP Headers
• Regular Expressions Constructor
• Web Site Copier - HTTrack
• Spoof Stick
• Tiny URL

Principles

• Defense in Depth
• Least Privilege
• Simple is Beautiful
• Minimize Exposure

Practices

• Balance Risk and Usability
• Track Data
• Filter Input
• Escape Output

Types of Attacks on Forms and URLs

• Semantic URL Attacks
• File Upload Attacks
• Cross-Site Scripting (XSS)
• Wikipedia says...
• Cross-Site Request Forgeries (CSRF)
• Spoofed Form Submissions
• Spoofed HTTP Requests

Other Types of Attacks

• SQL Injection
• Cookie Theft
• Session Hijacking
• Code Injection
  • Wikipedia says...
• Command Injection
• Brute Force Attacks
• Password Sniffing
• Replay Attacks
• Session Injection

Summary

From Innocent Code: Summary of Rules

Amateurs hack systems, professionals hack people. — Bruce Schneier

In view of all the deadly computer viruses that have been spreading lately, Weekend Update would like to remind you: when you link up to another computer, you're linking up to every computer that that computer has ever linked up to. — Dennis Miller

Quis Custodiet ipsos custodes