Web Security Testing Cookbook by Ben Walther, Paco Hope

Chapter 9. Seeking Design Flaws

This is the rock-solid principle on which the whole of the corporation’s galaxy-wide success is founded. Their fundamental design flaws are completely hidden by their superficial design flaws.

T.H. Nelson

This chapter takes a look at common design flaws. We explore possibilities where an application may be used against itself. Up until this point, we have focused on manipulating the basic structure of web applications. We’ve taken apart HTTP and HTML, decoded encodings, and automated some of our methods. Now, we will focus on higher-level problems.

There are two kinds of security defects in the world: bugs and flaws. The difference between them is important to how we test and how we report our findings. The difference also factors into how they get fixed.

Bugs are the simplest kind of security problem. They’re a very local mistake. The software was specified and designed correctly, but the developer made a mistake in the implementation. Bugs can typically be fixed by applying a very localized change to a small subset of the software. Redesigning or changing requirements is not necessary. Many of the most popular security issues are bugs: SQL injection, cross-site scripting, buffer overflows, code injection, etc. All of these can be the result of bugs.

The other kind of security defect, the flaw, is the result of a mistake in the design or requirements. The developer could write the code correctly and implement exactly what the design calls for, but there ...
