Common Vulnerabilities & Recommendations Part-1-DefenseLead

This article explains several common vulnerabilities in web applications, with a detailed explanation of their risks, causes and recommendations.

Buffer Overflow:

A buffer overflow vulnerability is exploited when an attacker overwrites memory fragments of an application. This alters the execution path of the program, which can damage files or reveal sensitive information.


A buffer overflow error occurs when more data is written into a buffer than it can hold, so the excess overflows into adjoining storage. At minimum this causes a system crash, but an attacker can also use the error to run arbitrary code or manipulate the program into performing malicious actions.

Exploitation techniques vary by architecture, operating system and memory region. Coding errors are the major cause of buffer overflows, and they are most common in C/C++, which has no built-in protection (such as dynamic memory handling with bounds checks) against buffer overflows and is therefore a frequent target.

Recommendations:

  • The best defence against buffer overflow vulnerabilities is automatic security protection at the code level, or the use of languages with built-in protection where memory allocation is handled dynamically.
  • When programming in C/C++, avoid standard library functions such as gets, scanf and strcpy, which are not bounds-checked.
  • Use Address Space Layout Randomization (ASLR), a security feature that places key data areas at random positions in the address space.
  • Bounds checking imposed at run time also restricts buffer overruns by automatically verifying that data written to a buffer stays inside the allowable boundaries.

Unrestricted Upload of Dangerous File Types:

This vulnerability occurs when a file is not properly validated before it is uploaded into the application. Improper file-type validation during upload lets an attacker send an upload request with a crafted filename or MIME type to execute arbitrary code. Such exploits can bypass authentication and eventually compromise the system.


The risk of unrestricted file upload ranges from complete access to the target system and forwarding attacks to back-end systems, to compromise of the web server by uploading and executing a web shell that runs commands, overloading the database or filesystem, attacking other servers, phishing by adding a malicious page to the website, and adding persistent XSS to the website.

Recommendations:

  • Check that only one extension is used in the filename and reject double-extension files such as jpg.jpg; if uploads of HTML files are allowed, double extensions open the possibility of cross-site scripting.
  • Ensure that uploaded files are stored outside the web root directory and remove execute permission from the upload directory.
  • Before accepting the upload, check the file's actual MIME type, and use randomly generated filenames for stored uploads.
  • Use a whitelist approach and restrict the file types that may be uploaded: check the file extension and permit only specific extensions. Also, allow only alphanumeric characters and a single dot in the file name and extension.
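The four upload recommendations above combined into one validator, as an added example that is not code from the original article. It assumes a constructed allow-list of extensions with their magic bytes, an upload directory at /srv/uploads outside the web root, and it does not actually write to disk.

```python
import re
import secrets
from pathlib import Path
from typing import Optional

# Whitelist of extensions and the magic bytes each file must start with (constructed table).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Alphanumeric name, exactly one dot, alphanumeric extension:
# rejects "shell.php.jpg", "../x.png", "a b.png" and "x.jpg.jpg".
SAFE_NAME = re.compile(r"^[A-Za-z0-9]{1,64}\.[A-Za-z0-9]{1,8}$")
# Assumption: uploads live outside the document root in a directory with no execute permission.
UPLOAD_DIR = Path("/srv/uploads")


def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return the lower-cased extension if the upload is acceptable, else None."""
    if not SAFE_NAME.match(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return None
    # Determine the real type from the bytes, never from the client-supplied Content-Type header.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return None
    return ext


def storage_path(ext: str) -> Path:
    """Server-chosen random name; the client's filename is never used on disk."""
    return UPLOAD_DIR / f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename: str, content: bytes) -> Optional[Path]:
    """Validate, then return where the file would be stored (None means rejected)."""
    ext = validate_upload(filename, content)
    if ext is None:
        return None
    dest = storage_path(ext)
    # dest.write_bytes(content)  # left out so the example runs without /srv/uploads present
    return dest
```

Magic-byte checks only prove the header is plausible; a file that passes them must still be served with a fixed Content-Type from a non-executing location.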

Insecure Direct Object Reference (IDOR):

An insecure direct object reference (IDOR) vulnerability occurs when application code uses an identifier to access an internal implementation object directly, without performing access control or authentication checks.

For example, a transaction URL sent to a website may use enumerable unique identifiers; these can be manipulated through client-side input to gain unintended access and expose the data of another user's transaction.


This vulnerability is frequent because most web applications use simple names or keys to reference objects when generating web pages, and the application is not programmed to check whether the user is authorized to access the object. An attacker can easily manipulate parameter values to gain access to other objects without authorization.

IDOR vulnerabilities are generally related to horizontal privilege escalation, but they can also arise in connection with vertical privilege escalation.

Recommendations:

  • Avoid exposing private object references such as primary keys or filenames.
  • Implement access control checks on every reference, including direct object references, and grant access based on the privilege matrix.
  • Parameter validation should be properly implemented.
  • Tokens should be generated so that they map only to the user and are not public.
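An added example, not code from the original article, showing the IDOR recommendations together: per-session random tokens instead of primary keys, an ownership check (horizontal escalation) and a role-based privilege matrix (vertical escalation). The Invoice store, the roles and the reference_for helper are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed data store; the primary key is never sent to the client.
INVOICES = {1001: Invoice(1001, "alice", 120), 1002: Invoice(1002, "bob", 480)}

# Privilege matrix: which actions a role may perform on objects it does not own.
ROLE_PERMISSIONS = {"user": set(), "support": {"read"}, "admin": {"read", "write"}}


@dataclass
class Session:
    user: str
    role: str
    refs: dict = field(default_factory=dict)   # indirect reference -> real primary key

    def reference_for(self, invoice_id: int) -> str:
        """Issue a random, per-session token in place of the raw id (hypothetical helper)."""
        token = secrets.token_urlsafe(16)
        self.refs[token] = invoice_id
        return token


def get_invoice(session: Session, ref: str, action: str = "read") -> Invoice:
    """Resolve the reference and enforce ownership or role before returning any data."""
    invoice_id = session.refs.get(ref)
    if invoice_id is None:
        raise LookupError("unknown reference")      # never issued to this session: not enumerable
    invoice = INVOICES[invoice_id]
    if invoice.owner == session.user:
        return invoice                              # horizontal check: the caller owns the object
    if action in ROLE_PERMISSIONS.get(session.role, set()):
        return invoice                              # vertical check: the role explicitly allows it
    raise PermissionError(f"{session.user} may not {action} invoice {invoice_id}")


def access_result(session: Session, ref: str, action: str = "read") -> str:
    """Map the outcome to a label so behaviour can be checked without handling exceptions."""
    try:
        return f"ok:{get_invoice(session, ref, action).invoice_id}"
    except LookupError:
        return "unknown"
    except PermissionError:
        return "denied"
```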

Privilege Escalation:  

Privilege escalation is an attack in which an attacker exploits a design flaw, bug or configuration error in an operating system or application to gain unauthorized elevated access to resources that are normally restricted from an application or user.

The attacker uses this vulnerability to find loopholes in the application, obtain privileges and gain unauthorized access. The attacker can then run administrator commands, exploit sensitive information, deploy malware and damage operating systems, servers, applications, etc.

This vulnerability generally occurs when the principle of least privilege is not followed, when security controls are insufficient, or when users have more privileges than they are actually authorized for. Attackers can also exploit software vulnerabilities or use specific techniques to subvert an application's permission mechanism.

Recommendations:

  • Implement least privilege: give users and groups only the minimum required privileges and file access, and restrict admin rights.
  • Enforce secure password management policies for all users and implement strong credential management.
  • Reduce programming errors in the application and follow secure coding best practices to avoid the common vulnerabilities targeted by cyber criminals, such as code injection, buffer overflow and unvalidated user input.
  • Secure the database and sanitize user input, since the database stores all configuration settings, user data and login credentials, which makes it an attractive target for attackers.

Session Hijacking:

A session hijacking attack is performed when the attacker takes control of a user session after an authenticated session ID has been generated. The attacker generally steals the user's session token and uses it to gain unauthorized access to the user's account.

The risk of this vulnerability is that an attacker can do anything the legitimate user is authorized to do while the session is active: for example, transferring money from the user's bank account, stealing credit card information, purchasing from online stores or accessing personally identifiable information (PII), depending on the application.

The attacker can hijack a session in several ways: infecting the user's device with malware that steals session data, cross-site scripting, man-in-the-middle attacks, brute force, predictable session token IDs, exploiting vulnerabilities in the application code, session side-jacking and session fixation.

Recommendations:

  • Encrypt the traffic to protect the session cookie with a proper SSL/TLS certificate and HTTPS; redirect all HTTP to HTTPS or use HSTS (HTTP Strict Transport Security).
  • Regenerate the session key after successful user authentication, which prevents session fixation.
  • Set the HttpOnly attribute to block client-side script access to stored cookies, which stops XSS attacks from reading the session cookie.
  • Use long random numbers or strings for the session key, which makes guessing valid session keys through brute force impractical.
  • Tie the session ID to the user's device identity.
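A minimal server-side session store, added here as an example and not taken from the original article, that applies the session recommendations: unguessable IDs, a fresh ID issued at login so a fixated pre-login ID dies, the cookie flagged HttpOnly and Secure, and the ID bound to a device tag. The in-memory store, the 30-minute idle timeout and the user-agent plus IP device tag are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

SESSION_TTL = 30 * 60   # assumption: 30-minute idle timeout
_sessions: dict = {}    # session_id -> record; in-memory store for the example


def _device_tag(user_agent: str, client_ip: str) -> str:
    """Coarse device identity the session is bound to (user agent plus client address)."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


def create_session(user_agent: str, client_ip: str, user: Optional[str] = None) -> str:
    """32 bytes from the OS CSPRNG: a valid ID cannot be guessed or predicted."""
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"user": user, "device": _device_tag(user_agent, client_ip),
                             "seen": time.time()}
    return session_id


def login(old_session_id: str, user: str, user_agent: str, client_ip: str) -> str:
    """Issue a new ID on authentication; the pre-login ID stops working (defeats fixation)."""
    _sessions.pop(old_session_id, None)
    return create_session(user_agent, client_ip, user=user)


def resolve(session_id: str, user_agent: str, client_ip: str) -> Optional[str]:
    """Return the logged-in user for a presented cookie, or None if it must be rejected."""
    record = _sessions.get(session_id)
    if record is None:
        return None
    if record["device"] != _device_tag(user_agent, client_ip):
        _sessions.pop(session_id)   # cookie replayed from another device: revoke it outright
        return None
    if time.time() - record["seen"] > SESSION_TTL:
        _sessions.pop(session_id)   # idle too long: expire it
        return None
    record["seen"] = time.time()
    return record["user"]


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: HttpOnly blocks script access, Secure restricts it to HTTPS."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Binding to the client IP will log out mobile users whose address changes mid-session; binding to the user agent alone is gentler but weaker, so pick the tag to fit the application.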

Weak Passwords:

A weak password is a system default, or is short, common or quickly guessed by humans and computers. An attacker exploits this in different ways, such as a brute force attack using a subset of all possible passwords: dictionary words, default usernames, keyboard patterns, default admin credentials, etc.


The risk of a weak password is that the attacker gains access not only to the computer but to the entire network and the devices connected to it.

Weak passwords can be compromised in several ways: phishing attacks, keylogging, brute force, shoulder surfing, unencrypted sensitive information and data breaches.

Recommendations:

  • Ensure a strong password policy is implemented: a minimum of 8-12 characters, case-sensitive, with punctuation and special characters highly recommended, and no dictionary words.
  • Enable multi-factor authentication for critical information systems using OTP, smart cards, tokens, etc.
  • The default password of all information systems and applications shall be changed.
  • Prevent users from choosing previously used passwords.
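A password policy check that enforces the rules above (length, case, punctuation, dictionary words, keyboard patterns, default credentials and no reuse), added as an example rather than taken from the original article. The word lists are small constructed stand-ins for a real breached-password corpus, the 12-character minimum is the stricter end of the page's 8-12 range, and reuse is detected against salted PBKDF2 records so no old password is kept in plaintext.

```python
import hashlib
import secrets

MIN_LENGTH = 12   # the page recommends 8-12 characters; the stricter end is used here
# Constructed lists; a real deployment would check a breached-password corpus.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "dragon"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "1qaz2wsx")
DEFAULT_CREDENTIALS = {"root", "changeme", "default"}
PBKDF2_ROUNDS = 200_000


def store(password: str) -> str:
    """Salted PBKDF2 record kept in the user's history so reuse is detectable without plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify(password: str, record: str) -> bool:
    """Constant-time comparison against a stored record."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(digest.hex(), digest_hex)


def password_problems(candidate: str, history: list) -> list:
    """Return every policy rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("needs mixed case")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in candidate):
        problems.append("needs punctuation")
    if any(word in lowered for word in DICTIONARY | DEFAULT_CREDENTIALS):
        problems.append("contains dictionary/default word")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        problems.append("contains keyboard pattern")
    if any(verify(candidate, old) for old in history):
        problems.append("previously used")
    return problems
```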
