
Writing Secure Web Applications (TS-5111)

Password Vulnerabilities:
A password that can be compromised because of the site's design rather than a careless user. The compromise can occur on the client, on the server, or in transit.
Typical Attacks:

  • Internal attacks via disks or backup tapes.
  • External attacks via e-mail snooping or browser memory snooping.

Scripting Vulnerabilities:
Cross-Site Scripting (XSS) vulnerabilities allow JavaScript (and, on JSP sites, JSP) injection through form fields whose contents are echoed back into a page. Such a vulnerability can let an attacker read another user's session information and falsely assume that user's identity.

Improper Error Handling Vulnerabilities:
Mishandling of errors can lead to access being denied while the operation nevertheless partially or wholly succeeds. Error handling also frequently exposes sensitive information. Always validate and escape data going into error messages (beware XSS!). Ensure error checking occurs as early as possible. Ensure errors terminate operations; do not swallow exceptions.

Insecure Storage Vulnerabilities:
On-disk or in-memory artifacts that are improperly secured. Frequently leads to insecure passwords, caches and configurations. The 'phpAnyVote' module stores the username unencrypted in a cookie, which allows user spoofing. This can be prevented by using encryption and signing as needed. Use OS security whenever available.
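The signing half of that fix, as an added example (not from the session or from phpAnyVote): the cookie value carries an HMAC, so a client that rewrites the username cannot produce a matching tag. The cookie layout, the class name and the demo key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example, not from the session. The cookie layout and the class name
 * are assumptions; the key in main() is a constructed demo value and must be
 * replaced by a secret loaded from protected server-side configuration.
 */
public final class SignedCookie {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public SignedCookie(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALG);
    }

    /** Produces base64url(value) "." base64url(HMAC(base64url(value))). */
    public String sign(String value) throws GeneralSecurityException {
        String payload = b64(value.getBytes(StandardCharsets.UTF_8));
        return payload + "." + b64(mac(payload));
    }

    /** Returns the original value, or null if the cookie is malformed or was tampered with. */
    public String verify(String cookie) throws GeneralSecurityException {
        if (cookie == null) {
            return null;
        }
        int dot = cookie.lastIndexOf('.');
        if (dot < 0) {
            return null;
        }
        String payload = cookie.substring(0, dot);
        byte[] given;
        byte[] bytes;
        try {
            given = Base64.getUrlDecoder().decode(cookie.substring(dot + 1));
            bytes = Base64.getUrlDecoder().decode(payload);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison: a plain equals() leaks how many leading bytes matched.
        if (!MessageDigest.isEqual(mac(payload), given)) {
            return null;
        }
        return new String(bytes, StandardCharsets.UTF_8);
    }

    private byte[] mac(String data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed demo key; a real key is 32 random bytes kept out of the code.
        byte[] secret = "demo-key-do-not-use-in-production".getBytes(StandardCharsets.UTF_8);
        SignedCookie cookies = new SignedCookie(secret);

        String alice = cookies.sign("alice");
        System.out.println("Set-Cookie: user=" + alice + "; HttpOnly; Secure");
        System.out.println("verify(alice)  -> " + cookies.verify(alice));

        // An attacker swaps the payload for "admin" but cannot produce the matching MAC.
        String forged = b64("admin".getBytes(StandardCharsets.UTF_8))
                + alice.substring(alice.lastIndexOf('.'));
        System.out.println("verify(forged) -> " + cookies.verify(forged));   // null
    }
}
```

Signing proves the cookie was issued by the server; it does not hide its contents, so a value that must also stay secret needs encryption in addition. The key must never reach the client or the source tree, and the comparison must stay constant-time.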

Injection Flaw Vulnerabilities:
User input is not validated, normalized, or escaped before being passed to a backend program. Closely related to XSS vulnerabilities. SQL injection is the best-known example. Running the server with as few privileges as possible (not root) limits the damage an injection can do but does not prevent it. Prevention includes normalizing user input early (decode %XX and \0xx escapes, exactly once), validating user input early (reject invalid input with an error message), and handing the value to the backend through a mechanism that keeps data separate from code, such as parameterized queries (PreparedStatement in JDBC).
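Those three steps carried through, as an added example (not from the session): decode escapes once, whitelist-validate, then bind the value as a parameter, with the concatenated query kept alongside for contrast. The users table, column name and helper names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/*
 * Added example, not from the session. The users table, the column name and
 * the helper names are assumptions. A servlet container already decodes the
 * query string once; normalize() is for values that still arrive encoded
 * (a raw header, a cookie, a hand-built client) and must run exactly once.
 */
public final class UserLookup {
    private static final Pattern VALID_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    /** Decodes %XX and backslash-octal (\0xx) escapes, then rejects control characters. */
    static String normalize(String in) {
        StringBuilder out = new StringBuilder(in.length());
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            if (c == '%' && i + 2 < in.length()
                    && isHex(in.charAt(i + 1)) && isHex(in.charAt(i + 2))) {
                out.append((char) Integer.parseInt(in.substring(i + 1, i + 3), 16));
                i += 2;
            } else if (c == '\\' && i + 1 < in.length() && isOctal(in.charAt(i + 1))) {
                int end = i + 1;                       // up to three octal digits
                while (end < in.length() && end < i + 4 && isOctal(in.charAt(end))) {
                    end++;
                }
                out.append((char) Integer.parseInt(in.substring(i + 1, end), 8));
                i = end - 1;
            } else {
                out.append(c);
            }
        }
        for (int i = 0; i < out.length(); i++) {
            char c = out.charAt(i);
            if (c < 0x20 || c == 0x7F) {               // NUL, newlines, other control bytes
                throw new IllegalArgumentException("control character in input");
            }
        }
        return out.toString();
    }

    private static boolean isHex(char c) {
        return Character.digit(c, 16) >= 0;
    }

    private static boolean isOctal(char c) {
        return c >= '0' && c <= '7';
    }

    /** Whitelist validation happens before the value goes anywhere near the database. */
    static String validateName(String raw) {
        String name = normalize(raw);
        if (!VALID_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return name;
    }

    // Vulnerable: concatenation lets a name such as ' OR '1'='1 rewrite the query.
    static boolean userExistsVulnerable(Connection conn, String name) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened: the value travels as a bound parameter and can never become SQL syntax.
    static boolean userExists(Connection conn, String rawName) throws SQLException {
        String name = validateName(rawName);
        try (PreparedStatement ps = conn.prepareStatement("SELECT 1 FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed inputs
            "alice",
            "al%69ce",                             // %XX escape    -> alice
            "al\\151ce",                           // \0xx (octal)  -> alice
            "%27%20OR%20%271%27%3D%271",           // ' OR '1'='1   -> rejected
            "bob%00admin"                          // embedded NUL  -> rejected
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + validateName(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The bound parameter is what actually stops the injection; normalization and whitelisting in front of it make sure the decoded value is the one being checked and that nothing with a NUL or newline in it reaches any backend, SQL or otherwise.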

Denial of Service Vulnerabilities:
The site is rendered inaccessible or unusable. Comes in two forms: distributed DoS and basic DoS. A DDoS overwhelms the server(s) with intense network activity, is often orchestrated from zombie machines, and is difficult to defend against. A basic DoS seeks to use up all of a limited resource: open connections but send no data or only slow data, or disconnect or abandon connections abruptly so the server is left holding their state.
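The basic-DoS cases above (silent connections, slow data, abandoned connections) and the limits that blunt them, as an added minimal listener (not from the session). Port, pool size and timeout values are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

/*
 * Added example, not from the session. A minimal HTTP listener showing the
 * limits that blunt a basic DoS: a cap on concurrent connections, a per-read
 * idle timeout, and an overall deadline plus size cap for the request header.
 * Port and limit values are assumptions.
 */
public final class HardenedListener {
    static final int PORT = 8080;
    static final int MAX_CONCURRENT = 64;           // worker threads; extra connections are refused
    static final int IDLE_TIMEOUT_MS = 5_000;       // client that opens a socket and sends nothing
    static final long HEADER_DEADLINE_MS = 15_000;  // client that trickles one byte at a time
    static final int MAX_HEADER_BYTES = 8 * 1024;   // client that never ends its headers

    public static void main(String[] args) throws IOException {
        // Bounded pool with no backlog queue: when every worker is busy, execute() throws
        // instead of parking the socket in an unbounded queue the attacker can fill.
        ThreadPoolExecutor pool = new ThreadPoolExecutor(
                MAX_CONCURRENT, MAX_CONCURRENT, 0L, TimeUnit.MILLISECONDS,
                new SynchronousQueue<Runnable>(), new ThreadPoolExecutor.AbortPolicy());
        try (ServerSocket server = new ServerSocket(PORT, 128)) {
            while (true) {
                Socket client = server.accept();
                try {
                    pool.execute(() -> handle(client));
                } catch (RejectedExecutionException full) {
                    closeQuietly(client);        // shed load rather than hold state for it
                }
            }
        }
    }

    static void handle(Socket client) {
        try {
            client.setSoTimeout(IDLE_TIMEOUT_MS);
            long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(HEADER_DEADLINE_MS);
            InputStream in = client.getInputStream();
            int total = 0;
            int window = 0;                          // last four bytes, to spot CRLF CRLF
            int b;
            while ((b = in.read()) != -1) {          // read() throws SocketTimeoutException when idle
                if (++total > MAX_HEADER_BYTES) {
                    throw new IOException("request header too large");
                }
                if (System.nanoTime() - deadline > 0) {
                    throw new IOException("request header took too long");
                }
                window = (window << 8) | b;
                if (window == 0x0D0A0D0A) {
                    break;                           // end of headers
                }
            }
            byte[] reply = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
                    .getBytes(StandardCharsets.US_ASCII);
            OutputStream out = client.getOutputStream();
            out.write(reply);
            out.flush();
        } catch (SocketTimeoutException idle) {
            // silent or slow client: dropped, worker goes back to the pool
        } catch (IOException e) {
            // abrupt disconnect or one of the limits above: same outcome
        } finally {
            closeQuietly(client);                    // abandoned connections never leak a socket
        }
    }

    static void closeQuietly(Socket s) {
        try {
            s.close();
        } catch (IOException ignored) {
        }
    }
}
```

The idle timeout alone is not enough: a client sending one byte just inside each timeout window keeps the worker forever, which is why the overall deadline and the byte cap are there too. Production containers expose the same knobs as configuration (for example Tomcat's maxThreads and connectionTimeout on the connector) rather than code, and none of this helps against a DDoS, which has to be absorbed upstream of the application.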