Thursday, July 21, 2016

application vulnerabilities

There are different classes of application vulnerabilities, such as SQL injection, buffer overflow, stack overflow, cross-site scripting and so on.
Categories of dangerous software errors (the matching OWASP Top 10 category is shown in square brackets):
  • Insecure Interaction between Components, most frequent examples:
  1. SQL Injection (CWE-89) [A1 - Injection]
  2. OS Command Injection (CWE-78) [A1 - Injection]
  3. Cross-site Scripting (CWE-79) [A3 - Cross Site Scripting (XSS)]
  4. Upload of a dangerous file into the system to execute unwanted instructions in the target environment (CWE-434) [A4 - Insecure Direct Object References]
  5. Cross-Site Request Forgery (CWE-352) [A8 - Cross Site Request Forgery (CSRF)]
  6. Open Redirect (CWE-601) [A10 - Unvalidated Redirects and Forwards]

  • Risky Resource Management, most frequent examples:
  1. Classic Buffer Overflow (CWE-120)
  2. Path Traversal (CWE-22) [A4 - Insecure Direct Object References]
  3. Download of Code Without Integrity Check (CWE-494)
  4. Inclusion of Functionality from Untrusted Control Sphere (CWE-829) [A4 - Insecure Direct Object References]
  5. Use of Potentially Dangerous Function (CWE-676)
  6. Incorrect Calculation of Buffer Size (CWE-131)
  7. Uncontrolled Format String (CWE-134)
  8. Integer Overflow or Wraparound (CWE-190)

  • Porous Defenses, most frequent examples:
  1. Missing Authentication for Critical Function (CWE-306) [A2 - Broken Authentication and Session Management]
  2. Missing Authorization (CWE-862) [A4 - Insecure Direct Object References]
  3. Use of Hard-coded Credentials (CWE-798) [A2 - Broken Authentication and Session Management]
  4. Missing Encryption of Sensitive Data (CWE-311) [A6 - Sensitive Data Exposure]
  5. Reliance on Untrusted Inputs in a Security Decision (CWE-807)
  6. Execution with Unnecessary Privileges (CWE-250) [A5 - Security Misconfiguration]
  7. Incorrect Authorization (CWE-863) [A4 - Insecure Direct Object References] [A7 - Missing Function Level Access Control]
  8. Incorrect Permission Assignment for Critical Resource (CWE-732) [A5 - Security Misconfiguration]
  9. Use of a Broken or Risky Cryptographic Algorithm (CWE-327) [A6 - Sensitive Data Exposure]
  10. Improper Restriction of Excessive Authentication Attempts (CWE-307) [A2 - Broken Authentication and Session Management]
  11. Use of a One-Way Hash without a Salt (CWE-759) [A6 - Sensitive Data Exposure]
Note: [A9 - Using Components with Known Vulnerabilities] is not mapped to any documented Common Weakness Enumeration (CWE).

Select at least two application vulnerabilities, explain what they mean, and discuss how you would mitigate them.

  • CWE-250: Execution with Unnecessary Privileges
This is ranked 11th in the CWE Top 25 list. In this weakness, the software performs an operation at a privilege level higher than the minimum required, which creates new weaknesses or amplifies the consequences of other weaknesses. It is counted under OWASP A5 - Security Misconfiguration.
  1. During the Architecture and Design and Operation phases, run code under the lowest privileges possible and create isolated accounts for it.
  2. During the Architecture and Design phase, identify the functionality that requires additional privileges. Raise privileges as late as possible and drop them as soon as possible, protecting every communication channel that could interact with the privileged code.
  3. During the Implementation phase, perform extensive input validation for any privileged code.
  4. During the Implementation phase, make sure that the calls which remove permissions actually succeed and cannot fail unnoticed.
  5. During the Implementation phase, explicitly allow the required actions and deny everything else.
  6. During the Operation and System Configuration phases, follow a hardened configuration guide to limit the attack surface and the potential risk of the deployed software.
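As an added illustration of mitigations 1, 2 and 4 above (example code written for this page, not from the original post): a Python privilege drop that performs the one step needing root, then gives root up in the order the kernel requires and verifies that the drop cannot be undone. The user and group names, the port and the use of a Linux host are assumptions.

```python
import grp
import os
import pwd
import socket


def running_as_root() -> bool:
    return os.geteuid() == 0


def privileges_are_dropped() -> bool:
    """Mitigation 4: prove the drop happened and cannot be undone.
    A process that still holds root (or a saved root uid) can call setuid(0)
    again; after a correct drop the kernel refuses with EPERM."""
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def drop_privileges(user: str, group: str) -> None:
    """Mitigation 1: irreversibly give up root, in the order the kernel requires.
    Supplementary groups and the gid can only be changed while still root, so
    the uid goes last. Any failure is raised, never ignored: an unchecked
    setuid() failure leaves the program silently running as root."""
    if not running_as_root():
        raise RuntimeError("not running as root; nothing to drop")
    target_uid = pwd.getpwnam(user).pw_uid      # assumed account names
    target_gid = grp.getgrnam(group).gr_gid
    os.setgroups([])              # drop supplementary groups first
    os.setgid(target_gid)         # then the primary group
    os.setuid(target_uid)         # then real, effective and saved uid at once
    os.umask(0o077)               # files created from here on are private
    if os.getuid() != target_uid or not privileges_are_dropped():
        raise RuntimeError("privilege drop incomplete")


def open_privileged_listener(port: int, user: str, group: str) -> socket.socket:
    """Mitigation 2: do the single step that needs root (binding a port below
    1024), then drop before any untrusted client data is read."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    drop_privileges(user, group)
    return sock
```

Run as root, `open_privileged_listener(443, "nobody", "nogroup")` returns a bound socket owned by a process that can no longer regain root; run as an ordinary user, `drop_privileges` refuses rather than pretending the drop happened.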

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
This is ranked 22nd in the Top 25 list. If a website knowingly or unknowingly allows a user or attacker to supply an external website address and then redirects to it, that is an Open Redirect vulnerability. It comes under OWASP A10 - Unvalidated Redirects and Forwards.
  1. During the Implementation phase, assume all inputs are malicious.
  2. During the Architecture and Design phase, plan to inform the user in a clear and visible manner whenever they are leaving the current application.
  3. During the Architecture and Design phase, if the set of possible inputs is limited, avoid free-text inputs.
  4. During the Architecture and Design phase, ensure that redirects can be confirmed to originate from inside the application by using proper cryptography or random numbers.
  5. During the Architecture and Design and Implementation phases, identify all possible input methods, including indirect ones such as API calls, external systems, cookies and so on.
  6. During the Operation phase, use an application firewall.
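An added example, not from the original post, of mitigations 1, 3 and 4 above in Python: an allow-list check for redirect targets, and an HMAC tag so that the app follows only redirects it generated itself. The origin, allowed hosts and key are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed values for this example (not from the original post).
APP_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "help.example.com"}
SECRET_KEY = b"load-a-random-32-byte-key-from-configuration"


def safe_redirect_target(raw: str) -> Optional[str]:
    """Mitigations 1 and 3: treat the parameter as hostile and allow-list hosts.
    Returns an absolute URL the app is willing to send the browser to, or None."""
    if not raw or any(c in raw for c in "\\\r\n\x00"):
        return None                      # backslashes and control chars: refuse
    # Resolving against our own origin keeps "/account" on our site, while a
    # scheme-relative "//other.example" resolves to that foreign host.
    absolute = urljoin(APP_ORIGIN + "/", raw)
    try:
        parts = urlsplit(absolute)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None                      # e.g. javascript: or data:
    # Compare .hostname, not .netloc: "ours@other.example" has hostname other.example.
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    return absolute


def sign_target(target: str) -> str:
    """Mitigation 4: tag a server-chosen destination with an HMAC so the app
    only follows redirects it issued itself, not ones composed elsewhere."""
    mac = hmac.new(SECRET_KEY, target.encode(), hashlib.sha256).hexdigest()
    return f"{target}|{mac}"


def verify_signed_target(token: str) -> Optional[str]:
    """Check the HMAC in constant time, then still apply the allow-list."""
    target, _, mac = token.rpartition("|")
    expected = hmac.new(SECRET_KEY, target.encode(), hashlib.sha256).hexdigest()
    if not mac or not hmac.compare_digest(mac, expected):
        return None
    return safe_redirect_target(target)
```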

How would you check for SQL Injections?

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Detecting, exploiting and avoiding SQL injection are all considered simple, and it is No. 1 in the CWE Top 25 list, categorized under OWASP A1 - Injection. Without sanitizing inputs from external systems or users, those inputs may be interpreted as SQL commands and executed to reveal hidden internal information or change sensitive data.
SQL injection can be avoided by using parameterized queries, using stored procedures, sanitizing user inputs, whitelist input validation, and minimizing the privileges assigned to every database account.
Various automated dynamic and static analysis tools are available to detect SQL injection, but it should be taken care of with due care during the Architecture and Design, Implementation and Operation phases.
During the Architecture and Design phase, frameworks that prevent SQL injection may be used, separation between data and code can be enforced, the least-privilege rule can be enforced, client-side and server-side validation can be enforced, inputs can be limited to predefined options where possible, and so on.
During the Implementation phase, all inputs must be assumed to be dirty: escape or filter all characters that do not pass a predefined whitelist, use strict error handling and error messages, return legitimate output messages that do not reveal the internal specifications of the system, and so on.
During the Operation phase, the least-privilege rule and appropriate firewall rules may be enforced.
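As an added example (not code from the original post) of how you would check for SQL injection in Python: the same user lookup written with string formatting and with a parameterized query plus whitelist validation, run against a constructed in-memory SQLite table so the difference can be observed directly.

```python
import re
import sqlite3
from typing import List, Tuple

# Allow-list of what a username may look like; anything else is rejected
# before it reaches the database (whitelist validation from the text above).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    """Constructed sample table for this example (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-1", "admin"), ("bob", "hash-2", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """CWE-89: the input is spliced into the statement text, so characters
    such as quotes change the structure of the query instead of being data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Parameterized query: the value travels separately from the statement,
    so it can only ever be compared, never executed. The regex check in front
    of it is the whitelist from the text; the query is safe even without it."""
    if not USERNAME_RE.fullmatch(name):
        return []
    try:
        return conn.execute(
            "SELECT name, role FROM users WHERE name = ?", (name,)
        ).fetchall()
    except sqlite3.Error:
        # Generic failure for the caller; the driver's message stays in the log,
        # not in the response (the "do not reveal internals" point above).
        return []
```

A quick check is to call both functions with a normal username and with the classic tautology input `' OR '1'='1`: the formatted version returns the whole table for the latter, the parameterized one returns nothing.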


A1-Injection

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-88: Argument Injection or Modification
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-91: XML Injection (aka Blind XPath Injection)

A2-Broken Authentication and Session Management

CWE-256: Plaintext Storage of a Password
CWE-287: Improper Authentication
CWE-311: Missing Encryption of Sensitive Data
CWE-319: Cleartext Transmission of Sensitive Information
CWE-384: Session Fixation
CWE-522: Insufficiently Protected Credentials
CWE-523: Unprotected Transport of Credentials
CWE-613: Insufficient Session Expiration
CWE-620: Unverified Password Change
CWE-640: Weak Password Recovery Mechanism for Forgotten Password

A3-Cross-Site Scripting (XSS)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A4-Insecure Direct Object References

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
CWE-639: Authorization Bypass Through User-Controlled Key

A5-Security Misconfiguration

CWE-2: Environment
CWE-16: Configuration
CWE-209: Information Exposure Through an Error Message
CWE-215: Information Exposure Through Debug Information
CWE-548: Information Exposure Through Directory Listing

A6-Sensitive Data Exposure

CWE-310: Cryptographic Issues
CWE-311: Missing Encryption of Sensitive Data
CWE-312: Cleartext Storage of Sensitive Information
CWE-319: Cleartext Transmission of Sensitive Information
CWE-320: Key Management Errors
CWE-325: Missing Required Cryptographic Step
CWE-326: Inadequate Encryption Strength
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-328: Reversible One-Way Hash

A7-Missing Function Level Access Control

CWE-285: Improper Authorization
CWE-287: Improper Authentication

A8-Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CWE-352)

A9 - Using Components with Known Vulnerabilities

unusual human error

A10 - Unvalidated Redirects and Forwards

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
