The document discusses various web application security vulnerabilities such as hidden field manipulation, parameter tampering, cross-site scripting, and SQL injection. It provides examples of how attackers can exploit these vulnerabilities and recommendations for developers on how to prevent attacks, including sanitizing user input, encrypting cookies, and validating parameters.

1. Application Security Bill Chu August 2002

3. Anatomy of a web application Sanctum systems Data Database Backend systems frontend systems Web Server User interface code Valid Input Browser Custom code: e.g. html, forms, javascript Off the shelf application: e.g. websphere Custom code: e.g. servelet, jsp, asp Applications: e.g. SAP, ORACLE Applications: e.g. ORACLE, DB2

4. Web application threats Sanctum systems Data Database Backend systems frontend systems Web Server User interface code Invalid input Code Data Browser Code, Web server, Front end system, Back end system or database flaws resulting in unauthorized access of privileged accounts, the OS, network, or sensitive data and may result in denial of services.

5. Perfecto Technologies Survey

8. Original HTML Form

9. Modified HTML Form

14. Input Malicious Values

15. Original / Attacked Account File Newly created user Injected user with admin priv.

19. Original Website

20. Cookie Modification

21. Gain Access of Other User

26. Debug Script Example

27. Debug Script Information Leak

30. Debug Script Example

31. Debug Script Information Leak

37. Distribute Poisoned Link

38. User Follows Poisoned Link