This article deals with the top known vulnerabilities that exist in systems. These are regularly published as OWASP (https://www.owasp.org) top 10. This article does not claim to be an original research work but essentially discusses the known top vulnerabilities from a programmer’s point of view.
OWASP or Open Web Application Security Project is a worldwide not-for-profit charitable organization focused on improving the security of software that regularly publishes top security holes across applications and suggestions on fixing the same. This article heavily borrows material from OWASP and presents the same from a developer’s point of view.
The major cause of security issues is that security is an afterthought and the approach towards solving security is patching, while security should be backed into the design of the application. This article would provide inputs to provide a good security design.
The upcoming sections provide an overview of the vulnerability and point the reader to detailed resources. We also describe possible technologies that are used and mark if they are a potential risk.
An injection attack occurs when user input by the end user is entered such that executing code provides undesired data. This happens when user input is not validated and filtered. Such vulnerabilities have famously been in SQL injection but can also be applied to NoSQL, ORM, and LDAP. To prevent the same all sources of input data must be validated such as cookies, user form input, JSON fields, headers etc.
Consider the example of Login being implemented with the query
Select * From Users Where username = ? and password = ?;
What if a user enters in
user name ; Select * From Users;
This would evaluate and print all the users depending upon how the code is written but filtering code would ensure protection.
Insufficient Logging & Monitoring
Monitoring and alerts are primary tools to find and take immediate corrective actions, When an attack does take place logs and alerts are the primary tool for alert and later a postmortem. Excellent logging not only helps prevent and circumvents the attack but also informs of security problems that may be fixed.
Excellent tools such as Splunk, ELK, log stash, and others may be employed to actively respond to attacks.
Broken authentication is exploited by many techniques such as brute force attacks on known usernames and password databases, and session hijacking. Simple mechanisms allow fixing broken authentication such as enforcing strong passwords, Single sign-on, use of SSL, two-factor authentication, etc.
Sensitive Data Exposure
The idea here is if and when data is intercepted it should not be usable. Man in middle attack should be stopped. This requires sensitive data to be salted and or encrypted when in motion or at rest. Data when shared such as credit cards in a DB table or data on FTP files all must be encrypted and be shared over TSL/SSL. Algorithms, keys, etc must be strong.
XML External Entities
XML and JSON parsers can have vulnerabilities that may allow the execution of unwanted code over unwanted data. In modern dynamic languages, code scripts may be embedded in data that might be executed on the server.
Broken Access Control
While authentication allows who is allowed access, however, it does not inform what kind of access is allowed. With broken authentication, unwanted and damaging features may be exposed to unprivileged users. It is a poor practice to have UI define access control and not implement the same on API or business layer. Frameworks that allow claims-based authorization or role-based frameworks can greatly help develop security against such attacks.
Some vulnerabilities exist in the system due to poor hardening, sometimes these items are let go in the development environment for efficient debugging but on production these include things like running process in minimal required security and not as root, accessing DB not as root, not exposing stack trace, giving proper directory privileges and so on. Once these are patched the surface area for an attack is greatly reduced.
Cross Site Scripting
This attack occurs when serialized input when deserialized may exploit underlying issues such as buffer overflow. This is a complex issue because it is difficult to contain in a disconnected world where inputs are received from unknown sources.
Strict type checks and deserialization in known entities allow safety against this issue. However, issues like these are harder to manage in dynamic languages.
Using Components with Known Vulnerabilities
New issues and software and abilities are found in applications and libraries. It is imperative to patch them as and when available. Attackers bank on long cycles for issues being patched and fixed.