This article deals with top known vulnerabilities that exists in systems. These are regularly published as OWASP (https://www.owasp.org) top 10. This article does not claim to be an original research work but essentially discusses the known top vulnerabilities from a programmer point of view.
OWASP or Open Web Application Security Project is a worldwide not-for-profit charitable organization focused on improving the security of software that regularly publishes top security holes across applications and suggestions on fixing the same. This article heavily borrows material from OWASP and presents the same from developer point of view.
The major cause of security issues is that security is an afterthought and approach towards solving security is patching, while security should be backed into design of the application. This article would provide inputs to provide a good security design.
The upcoming sections provide an overview of the vulnerability and point reader to detailed resources. We also describe possible technologies that are used and mark if they are a potential risk.
An injection attack occurs when user input by end user is entered such that executing code provides undesired data. This happens when user input is not validated and filtered. Such vulnerabilities have famously been in SQL injection but can also be applied to noSQL, ORM, LDAP. To prevent the same all sources of input data must be validated such as cookies, user form input, JSON fields, headers etc.
Consider the example of Login being implemented with the query
Select * From Users Where username = ? and password = ?;
What if a user enters in
user name ; Select * From Users;
This would evaluate and actually print all the users depending upon how code is written but filtering of code would ensure protection.
Insufficient Logging & Monitoring
Monitoring and alerts are a primary tools to find and take immediate corrective actions, When an attack does take place logs and alerts are the primary tool for alert and later a postmortem. Excellent logging not only helps prevention and circumvention of the attack but also informs of security problems that may be fixed.
Excellent tools such as Splunk, ELK, logstash and others may be employed to actively respond to attacks.
Broken authentication is exploited by one the many techniques such as brute force attack on known usernames and password databases, session hijacking. Simple mechanisms allow fixing broken authentication such as enforcing strong passwords, Single sign on, use of ssl, two factor authentication etc.
Sensitive Data Exposure
The idea here is if and when a data is intercepted it should not be usable. Man in the middle attack should be stopped. This requires sensitive data to be salted and or encrypted when in motion or rest. Data when shared such as credit cards in a DB table or data on FTP files all must be encrypted and be shared over TSL/SSL. Algorithms, keys etc must be strong.
XML External Entities
XML and JSON parsers can have vulnerabilities that may allow execution of unwanted code over unwanted data. In morder dynamic languages code script may be embedded in data which might be executed on server.
Broken Access Control
While authentication allows who is allowed access, however it does not inform what kind of access is allowed. With broken authentication unwanted and damaging features may be exposed to unprivileged users. It is a poor practice to have UI define access control and not implementing the same on api or business layer. Frameworks that allow claims based authorization or role based frameworks can greatly help develop secure against such attacks.
A number of vulnerabilities exist in system due to poor hardening, sometimes these items are let go in development environment for efficient debugging but on production these include things like running process in minimal required security and not as root, accessing DB not as root, not exposing stack trace, giving proper directory privileges and so on. Once these are patched the surface area for an attack is greatly reduced.
Cross Site Scripting
This attack occurs when serialized input when deserialized may exploit a underlying issues such as buffer overflow. This is a complex issue because it is difficult to contain in a disconnected world where inputs are received from unknown sources.
Strict type checks and deserialization in known entities allows safety against this issue. However issues like these are harder to manage in dynamic languages.
Using Components with Known Vulnerabilities
New issues and software and abilities are found in applications and libraries. It is imperative to patch them as and when available. Attackers bank on long cycles for issues being patched and fixed.
Share this Post