R – Checklist for Web Site Programming Vulnerabilities


Watching SO come online has been quite an education for me. I'd like to make a checklist of various vunerabilities and exploits used against web sites, and what programming techniques can be used to defend against them.

  • What categories of vunerabilities?
  • What kind of defensive programming techniques?
  • etc…

Best Solution

From the Open Web Application Security Project:

  1. The OWASP Top Ten vulnerabilities (pdf)
  2. For a more painfully exhaustive list: Category:Vulnerability

The top ten are:

  1. Cross-site scripting (XSS)
  2. Injection flaws (SQL injection, script injection)
  3. Malicious file execution
  4. Insecure direct object reference
  5. Cross-site request forgery (XSRF)
  6. Information leakage and improper error handling
  7. Broken authentication and session management
  8. Insecure cryptographic storage
  9. Insecure communications
  10. Failure to restrict URL access