####Injection
Injection can target any interpreter: SQL, LDAP, XPath, mail-header based injection, or any other database or query language.
- A malicious request that modifies the query the application sends is an injection.
- Consequence: data exfiltration.
Defences:
- Sanitize input / whitelist untrusted data. Escaping functions such as real_escape_string() are an unreliable fix, because a mismatch between the connection's character encoding and the application's can defeat the escaping (use UTF-8 consistently as the default_charset).
- Parameterized SQL statements (prepared statements): separate the query from the input data, and type cast each parameter.
- Pass the ID as a named parameter into the statement; that keeps it separate from the query text.
- Fine-tune DB permissions: segment the public account from the admin account and apply the principle of least privilege.
- Example: Sony attack.
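The two defences above (parameterized statement plus type-cast parameter) shown next to the string-concatenated query they replace. This is an added example in Python/sqlite3, not code from these notes; the accounts table, its column names and the sample rows are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for the application's account table
# (table and column names are assumptions for this example, not from the notes).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_unsafe(conn, account_id):
    # Untrusted text is pasted into the query, so it can change the query's meaning.
    sql = "SELECT id, owner FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(sql).fetchall()

def validate_account_id(value):
    # Type cast: a legitimate id is an integer. Anything else is rejected here,
    # before it ever reaches the database. Returns the int, or None if invalid.
    try:
        return int(str(value).strip())
    except ValueError:
        return None

def lookup_safe(conn, account_id):
    # Parameterized statement: the id is bound by name, separately from the query
    # text, so the driver only ever treats it as data, never as SQL.
    casted = validate_account_id(account_id)
    if casted is None:
        raise ValueError("account id must be an integer")
    return conn.execute("SELECT id, owner FROM accounts WHERE id = :id",
                        {"id": casted}).fetchall()

def lookup_param_only(conn, account_id):
    # Parameters alone already prevent the injection: the value is compared as data.
    return conn.execute("SELECT id, owner FROM accounts WHERE id = :id",
                        {"id": account_id}).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "2"))                 # [(2, 'bob')]
    print(lookup_unsafe(db, "2' OR '1'='1"))      # every row: the query was rewritten
    print(lookup_param_only(db, "2' OR '1'='1"))  # []: compared as a literal string
    print(lookup_safe(db, "2"))                   # [(2, 'bob')]
```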
####Broken Authentication and Session Management
Session fixation, aka session hijacking:
- An attacker is able to log on to the system and impersonate the victim.
- Hijack the user's session; the attacker can now send impersonated requests.
- Auth cookie theft:
  - Exploit an XSS risk
  - Retrieve it from the victim's PC
  - Sniff it over the network
- Session ID theft:
  - Sharing
  - Logs
- Account management attacks: login, registration, password reset.
Defenses:
- Protect the cookies:
  - HttpOnly flag
  - Secure flag
- Decrease the window of risk:
  - Expire sessions quickly
  - Re-challenge the user on key actions like password reset or account deletion.
- Harden account management:
  - Allow or encourage strong passwords
  - Implement login rate limiting and lockouts, with exponential back-off
Example: Apple hack, iMessage, Wi-Fi.
####XSS
- Reflected: the payload only passes through the web server and is echoed back in the response, e.g.
  `<script>alert(document.cookie)</script>`
- Stored: the payload is saved deep in the database.
Defenses:
- Sanitize the input.
- Encode the user input: for example `<` becomes `&lt;`, which is called an escape sequence.
- Use innerText or textContent instead of innerHTML (AngularJS uses innerHTML).
Example: Samy MySpace script.
####Insecure Direct Object Reference (IDOR)
Direct reference to an account ID:
- Pulling records from the website that the user should never have access to.
- Change the ID in the URL.
Mitigation:
- Implement access controls: be explicit about who can access which resources.
- Avoid predictable keys:
  - Incremental numbers are enumerable
  - Natural keys are guessable
Example: Citigroup Bank, username enumeration.
####Security Misconfiguration
- Acts as a gateway to other risks.
- Software is out of date: code libraries, OS, web app, DBMS, etc.
- Unnecessary features enabled, e.g. ports, services, pages, accounts, privileges.
- Default accounts and their passwords still enabled and unchanged.
- Error handling reveals information such as code.
Defenses:
- Turn off features which are not required.
- Apply the principle of least privilege.
- Get all packages up to date; update software and libraries.
Example:
- Use a Google dork, e.g. `inurl:elmah.axd "error log for"`
####Sensitive Data Exposure
- If the website is using HTTP, MITM is possible.
- Insufficient use of SSL:
  - Login not sent over HTTPS
  - Cookies not sent securely
  - Mixed mode (CSS/JS loaded over HTTP)
- Bad crypto:
  - Insecure password storage (no hashing, use of symmetric encryption)
  - Weak algorithms (PRISM case)
  - Poor protection of keys
- Other exposure points:
  - Browser auto-complete
  - Leaked via logs
  - Disclosure via URL (GET requests)
Defences:
- Minimize sensitive data collection: you can't lose something you don't have.
- Reduce the window of storage.
- Apply HTTPS everywhere.
- Use strong algorithms (bcrypt).
- Be very careful with key management.
Example:
- Tunisian government mass theft of Gmail, Yahoo and Facebook logins, 2011.
- The government injected password-stealing JavaScript into the login pages via the internet agency that controls the entire country's internet gateway.
####Missing Function Level Access Control
- Does the UI show navigation to unauthorized functions?
- Server-side authentication and authorization checks are missing.
- Turning off JavaScript circumvents client-side-only checks.
- System logs are available without authorization.
Defences:
- Define a clear authorization model.
- Use roles and membership.
- Check for forced browsing.
- Always test unprivileged roles.
####Cross-Site Request Forgery
Defences:
- Employ anti-forgery tokens.
- Validate the Referer.
- CORS (Cross-Origin Resource Sharing).
- Fraud detection techniques (banks).
####Exploitation of Vulnerable Components
- Libraries
- LFI
Defences:
- Identify versions and components.
- Keep them updated.
Example:
- WordPress, brute force: no brute-force protection; could be used to spread malware.
####Unvalidated Redirects and Forwards
Defences:
- Use a whitelist approach.
- Use indirect references: map URLs to IDs or natural names.
- Check the Referer.
##Notes
- CVE: Common Vulnerabilities and Exposures.