Comparing Common Vulnerabilities¶
Software Bugs & Buffer Overflow¶
An attacker can write over data and can also obtain unauthorised data.
Software Bug¶
Flaw in computer program that causes the program to behave in a way that was not intended.
Buffer Overflow¶
A Buffer is a reservation of memory for a specific size. An Overflow is when the size of data is greater than the reservation.
Weak Passwords & Hard Coded Passwords¶
Strong Passwords¶
Complex and long
12 to 16 character minimum
A-Z, a-z, 0-9, !@#$%
Also:
No dictionary words
Replacing letters with special characters or numbers doesn’t provide much security
Change passwords
Hard Coded Passwords¶
Passwords embedded in software code. Once attacker knows the password, they can compromise any system that uses the program.
Mitigations:
Store passwords outside of application in encrypted file
Could prompt for initial password
Match against hashes, not the actual password
Inbound HCP: Credentials used for access to program
Outbound HCP: Application uses password to access other application
Missing Encryption¶
Encryption¶
Provides confidentiality and integrity
VPNs are used for data in transit
Makes it difficult
to gain access
to manipulate data
If data is missing encryption, it leaves the data exposed
Path Traversal¶
Allows attacker to navigate outside of original directory (www.test.com/../../etc/password.file). Attacker can use error messages to figure out the structure.
Mitigations:
Work without user input if possible
Blacklist special characters
Mask the structure by using indexes
Enter ID 10
Back end will navigate to Nebraska directory
SQL Injection¶
Use a tool to inject malicious code into legitimate code.
Easy to discover - Internet search can provide a lot of info
Prevalence is common
Easy to exploit
Impacts can be severe
Impact:
Successful attack can reveal usernames and passwords, PII, and sensitive corporate info.
Can modify data
Create additional accounts
Create fake, damaging information
Can bring down the system
Attacker can remove necessary files
Cross Site Scripting & Cross Site Forgery Request¶
Cross Site Scripting¶
Inject malicious code in order to control behavior of the site
Embed the code in a link
Attacker sends the link to the victim
Can shorten the URL to disguise it
Persistent XSS
Changes the code on the server
Each visitor that visits the site runs the malicious code
Mitigations:
Use a security encoding library
Don’t allow untrusted data in vulnerable areas of website code
Cross Site Forgery Request¶
Takes advantage of legitimate Cross Site Requests
Causes victim to run actions on an already authenticated session
Runs code in the background unbeknownst to the victim
May transfer money from an online bank
Mitigations:
Mitigate XSS
Secure random tokens
Have users utilise a browser that supports SameSite cookie attributes