
Tips and Tricks from SANS

by volkanuzun 6. November 2008 09:55

I am taking the SANS web security training. Here are some live tips and tricks :)


  • If you have file upload to the server, don't let users pick the filename (directory traversal).
  • If you have file upload to the server, don't upload the files to a folder where scripts can execute (e.g. the IIS wwwroot).
  • Escape every input and sanitize everything; users are evil.
  • There are tools out on the internet that make attackers' lives easier.
  • Buffer overflow attacks can cause DoS, so know the language you are using on the server side.
  • Watch out for Unicode attacks; don't just look for `<` and `>`.
  • Once the user logs in to your system, change the session id to prevent session hijacking.
  • Remote file include attacks are very common in PHP environments. If you have a web site that lets the user choose a template, and you pass the template file in the querystring, this can be manipulated. Check and sanitize the querystring. .NET stops these kinds of attacks; as a developer you have to try hard to write code that is vulnerable to remote file include.
  • Try to have centralized validation: retrieve and validate in one function.
  • JavaScript can be disabled very easily :) Don't rely on JavaScript validation.
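To make the upload, template, Unicode, centralized-validation and session tips concrete, here is an added Python example of my own (not code from the post or from the SANS course). The upload directory, extension allowlist, template names and the in-memory `SessionStore` are all constructed assumptions; the point is the shape of each check: the server picks the filename, the template name goes through an allowlist instead of into a path, the markup check runs after NFKC normalization, every querystring read goes through one retrieve-and-validate function, and the session id is rotated at login.

```python
import re
import secrets
import unicodedata
from pathlib import Path

# Constructed assumptions for this example: uploads live outside the web root
# (hypothetical path), only these extensions are stored, and the app ships
# exactly these templates.
UPLOAD_DIR = Path("/var/app/uploads")
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}
TEMPLATES = {"default", "dark", "print"}


def server_side_filename(user_supplied_name: str) -> str:
    """Upload tip: the server picks the stored name. Only the extension comes
    from the user, and only if it is on the allowlist; the rest is a random
    token, so '..', '/', '\\' and null bytes never reach the filesystem."""
    ext = Path(user_supplied_name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    return secrets.token_hex(16) + ext


def upload_path(user_supplied_name: str) -> Path:
    """Defense in depth: even with a server-chosen name, confirm the final
    path is inside UPLOAD_DIR (a directory the web server does not execute)."""
    target = (UPLOAD_DIR / server_side_filename(user_supplied_name)).resolve()
    if UPLOAD_DIR.resolve() not in target.parents:
        raise ValueError("path escapes the upload directory")
    return target


def template_path(requested: str) -> str:
    """Remote file include tip: never build a path from the querystring value.
    Map it through an allowlist of names the application actually ships."""
    if requested not in TEMPLATES:
        raise ValueError(f"unknown template: {requested!r}")
    return f"templates/{requested}.html"


def contains_markup(value: str) -> bool:
    """Unicode tip: fullwidth U+FF1C / U+FF1E become '<' and '>' under NFKC
    normalization, so a check that only scans the raw input misses them."""
    normalized = unicodedata.normalize("NFKC", value)
    return "<" in normalized or ">" in normalized


def get_param(query: dict, name: str, pattern: str, max_len: int = 64) -> str:
    """Centralized validation tip: every querystring read goes through one
    function that retrieves and validates, so no caller can forget the check."""
    raw = query.get(name, "")
    if len(raw) > max_len or not re.fullmatch(pattern, raw):
        raise ValueError(f"invalid value for parameter {name!r}")
    return raw


class SessionStore:
    """Session tip: rotate the session id at login. An id issued before login
    (which someone else may have seen or planted) stops working afterwards."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        data = self._sessions.pop(old_sid)  # old id is invalid from here on
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str):
        session = self._sessions.get(sid)
        return session["user"] if session else None


if __name__ == "__main__":
    print(server_side_filename("../../../etc/passwd.png"))  # random name, .png kept
    print(template_path("dark"))
    print(contains_markup("\uff1cscript\uff1e"))             # True
    print(get_param({"page": "3"}, "page", r"[0-9]+"))
    store = SessionStore()
    pre = store.create()
    post = store.login(pre, "alice")
    print(store.user_for(pre), store.user_for(post))         # None alice
```

Rejections raise `ValueError` rather than silently falling back, so they can be logged and counted; a spike in rejected template names or extensions is exactly the kind of thing worth alerting on.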

