Fierce Focus, Fearless Development

Application Vulnerabilities and Tools To Address Them

Published:

These are some notes I took in February of this year about various cyber-security threats to applications that one should know about as a developer. I’m glad I’ve taken the opportunity to review and edit them; Andress’s book was an excellent introduction to this subject area.

Types of vulnerabilities
  • Buffer overflows
    • Occurs when you don’t properly account for the size of the data input. If you don’t limit the amount of data you take in (a process called bounds checking), attackers could exploit this to tamper with other apps or cause the OS to execute their own commands. Java and C# implement bounds checking automatically.
  • Race conditions
    • Occurs when multiple processes (or multiple threads within a process) control or share access to a resource and the correct handling of that resource depends on the proper ordering or timing of transactions.
  • Input validation attacks
    • Every time an end user sends data to the server via your app, it is necessary to validate their input. Ideally front and back end validation.
    • Examples of these attacks could be format string attacks (crash your applications) or SQL injection attacks (access data)
  • Authentication attacks
    • An attempt to gain access without proper credentials to do so
    • Avoid performing authentication client side
    • Examples: brute force attack (automated password guessing)
  • Authorization attacks
    • Attacks that attempt to gain access to resources without the proper authorization to do so
    • You never want to place authorization mechanisms client side
    • Authorize upstream wherever possible, e.g. on a remote server or in the device’s hardware
    • Use the principle of least privilege
  • Cryptographic attacks
    • Never develop your own cryptographic scheme (use RSA and AES)
    • Plan for the scheme to become obsolete after a given period of time
Web Security Vulnerabilities:
  • Client Side
    • XSS (Cross Site Scripting) is an attack carried out by placing code written in a scripting language into a web page that is displayed by a client browser. When other people view the web page, their browsers execute the code automatically (e.g. an attacker leaving a comment containing the attack on a blog, which then executes every time the page is visited).
    • Cross Site Request Forgery: the attacker places a link on a web page that executes automatically and initiates an activity on another web page where the user is currently authenticated
    • Clickjacking takes advantage of your browser’s graphical display to trick you into clicking something you might not click otherwise (this is usually thwarted by the newest versions of browsers)
  • Server Side
    • Lacking proper input validation (e.g. SQL injection or unauthorized access)
    • Directory traversal attacks (e.g. not disabling directory access to files)
    • Improper / inadequate permissions
    • Extraneous files
    • Database security
      • Protocol issues (e.g. authentication flaws in network protocols)
      • Unauthenticated access
      • Arbitrary code execution in securable SQL elements or intrinsic elements
      • Privilege escalation via SQL injection or local privilege escalation issues
Application Security Tools

How do we address these issues?

  • Sniffers (Wireshark for HTTP, or EtherApe on Linux)
  • Web app analysis tools:
    • OWASP Zed Attack Proxy
    • Burp Suite
  • Fuzzers
    • Works by sending malformed or unexpected data to your app and reporting what comes back

Increasing application and server monitoring, in general, can provide excellent insight and provide additional context, if not already present.

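A fuzzer in the sense of the list above is small enough to show in full. This is an added example, not from the notes or the book: a toy length-prefixed record parser (a constructed stand-in for the code under test, with a deliberately missing bounds check), the same parser with the check added, and a mutation fuzzer that reports the first input producing an exception the parser does not document. All names are assumptions made for the illustration; the seed input and the mutation strategy are mine.

```python
import random


def parse_record(data: bytes) -> dict:
    """Toy parser: one length byte n, n bytes of name, then one flag byte."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    name = data[1:1 + n]
    if len(name) != n:
        raise ValueError("truncated name")
    flag = data[1 + n]  # defect: nothing checks that the flag byte is present
    return {"name": name.decode("latin-1"), "flag": flag}


def parse_record_fixed(data: bytes) -> dict:
    """Same layout, with the missing bounds check added."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    if len(data) < n + 2:  # name and flag byte must both fit
        raise ValueError("truncated record")
    return {"name": data[1:1 + n].decode("latin-1"), "flag": data[1 + n]}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random edit to the seed: flip, insert, delete or truncate."""
    data = bytearray(seed)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip":
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "delete" and len(data) > 1:
        del data[rng.randrange(len(data))]
    elif op == "truncate" and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 0):
    """Feed mutated inputs to parser.

    ValueError is the parser's documented rejection and is ignored; any other
    exception is a finding. Returns (input, exception name) or None.
    """
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            parser(candidate)
        except ValueError:
            continue
        except Exception as exc:
            return candidate, type(exc).__name__
    return None


if __name__ == "__main__":
    seed = b"\x05hello\x01"  # constructed valid record
    print("vulnerable:", fuzz(parse_record, seed, 1000))
    print("fixed:     ", fuzz(parse_record_fixed, seed, 1000))
```

The crashing input it finds is a record whose name fills the buffer with no flag byte after it, exactly the case the missing check should have rejected; the fixed parser survives the same run with only ValueError rejections.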
Other common sense recommendations include storing your secrets and keys in a secret management system for production, or in .env files for development, making sure the .env file is listed in .gitignore, and making sure that your web server (e.g. Apache) does not make it publicly accessible. Remember to use linters like Bandit to check for vulnerabilities as well.

Source:

Jason Andress, Foundations of Information Security: A Straightforward Introduction, first edition, chapter 13 (pp. 171-184). No Starch Press, San Francisco, California, 2019.