CH11 Software Security Flashcards
Business Logic Flaw: what's wrong here?

    from flask import Flask, request

    app = Flask(__name__)

    @app.route('/payment')
    def pay():
        customer = request.args.get('customerid')
        amount = int(request.args.get('amount'))   # parsed, but never checked to be positive
        balance = get_balance(customer)
        if amount <= balance:                      # a negative amount always passes this check
            update_balance(customer, balance - amount)   # balance - (-x) = balance + x
            return SUCCESS
        else:
            return FAILURE

Inputting a negative amount passes the `amount <= balance` check and is subtracted from the balance, which adds money to the customer's account. The code validates the type of the input but not its business meaning (a payment must be strictly positive).
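The flawed check beside a hardened version, as an added example that is not part of the original flashcards. It uses an in-memory balance table and Decimal amounts (both constructed for illustration); the `pay_vulnerable` function mirrors the flashcard's logic, and `pay_hardened` rejects negative, zero, non-numeric, non-finite and over-precise amounts before touching the balance.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data, not from the original page.
BALANCES = {"alice": Decimal("100.00")}


def pay_vulnerable(balances, customer, amount_str):
    """Mirrors the flashcard: only checks amount <= balance."""
    amount = Decimal(amount_str)
    balance = balances[customer]
    if amount <= balance:                 # negative amounts pass this check
        balances[customer] = balance - amount
        return "SUCCESS"
    return "FAILURE"


def parse_amount(raw):
    """Return a positive Decimal with at most two decimal places, else None."""
    try:
        amount = Decimal(raw)
        if not amount.is_finite() or amount <= 0:   # rejects NaN, Infinity, 0, negatives
            return None
        if amount != amount.quantize(Decimal("0.01")):  # rejects sub-cent precision
            return None
    except (InvalidOperation, TypeError, ValueError):   # "abc", None, huge exponents
        return None
    return amount


def pay_hardened(balances, customer, amount_str):
    """Validate the business meaning of the amount, then debit."""
    amount = parse_amount(amount_str)
    if amount is None:
        return "FAILURE"
    # In a real application the customer id should come from the authenticated
    # session rather than a query parameter (assumption for this example).
    balance = balances.get(customer)
    if balance is None or amount > balance:
        return "FAILURE"
    balances[customer] = balance - amount
    return "SUCCESS"


if __name__ == "__main__":
    demo = dict(BALANCES)
    print("vulnerable:", pay_vulnerable(demo, "alice", "-50"), demo)
    demo = dict(BALANCES)
    print("hardened:  ", pay_hardened(demo, "alice", "-50"), demo)
```

Running the module shows the vulnerable path "succeeding" with a balance of 150.00 while the hardened path fails and leaves the balance untouched.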
Common Weakness Enumeration (CWE)
Catalog of software weakness types (the root causes behind vulnerabilities): a common language for describing and classifying software vulnerabilities
Very fine-grained
New types are continuously added
e.g. CWE-89 = SQL injection (improper neutralization of special elements used in an SQL command)
Common Vulnerabilities and Exposures (CVE)
A database of publicly known software vulnerabilities
Each entry has a unique ID of the form CVE-YYYY-NNNNN
An entry usually contains
- textual description of the vulnerability
- description of the affected software and versions
- type of vulnerability (CWE)
- references to patches/fixes
- availability of an exploit (proof of concept showing how to make use of a vulnerability)
- standardized risk assessment: Common Vulnerability Scoring System (CVSS) score, typically added by the NVD
There is no obligation to register CVEs
Vendors may apply for a CVE ID (IDs are assigned by CVE Numbering Authorities, CNAs)
Security researchers may also apply
Most FLOSS projects register CVEs
The Common Vulnerability Scoring System
Industry standard for rating the severity of software vulnerabilities
CVSS 3.1 is organised into 3 metric groups:
- Base Score Metrics: assess exploitability and impact (intrinsic properties, constant over time)
- Temporal Score Metrics: assess the current status (exploit maturity, remediation level, report confidence; may change over time)
- Environmental Score Metrics: assess the vulnerability in the context of the affected organisation's environment
A numerical score from 0.0 to 10.0 is computed for each metric group; the metric values themselves are published as a vector string, e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vectors - Attack Vector (AV)
Shows from where a vulnerability may be exploited (called Access Vector in CVSS v2)
Attack vector values:
Network (N) - exploitable with network access (remotely exploitable)
Adjacent Network (A) - exploitable only from the same physical or logical network (e.g. same subnet, Bluetooth, Wi-Fi)
Local (L) - local access required (e.g. a local shell, or the attacker relies on a user to run something locally)
Physical (P) - physical access to the device required
Attack Vectors - Attack Complexity (AC)
How easy/difficult it is to exploit the discovered vulnerability, given conditions outside the attacker's control
High (H) - specialised conditions must be fulfilled (e.g. winning a race condition, gathering target-specific configuration)
Low (L) - no specialised conditions; the attacker can expect repeatable success
Attack Vectors - Privileges Required (PR)
Level of privileges an attacker must already hold before exploitation
None (N) - no authentication/authorisation required
Low (L) - basic user privileges required
High (H) - administrative privileges required
Attack Vectors - User Interaction (UI)
Whether a user other than the attacker must take an action for exploitation to succeed
None (N) - no interaction required
Required (R) - e.g. the user needs to click a link or open a file
Attack Vectors - Scope (S)
Can the vulnerability impact resources beyond the security scope (security authority) of the vulnerable component?
Unchanged (U) - only the vulnerable component itself is affected
Changed (C) - the vulnerability can affect other components or systems (e.g. a VM escape that affects the host)
Impact Metrics
Confidentiality (C) - impact on the confidentiality of the processed data (None, Low, High)
Integrity (I) - impact on the integrity of the system (None, Low, High)
Availability (A) - impact on the availability of the system (None, Low, High)
CVSS Base Score metrics
Attack Vector (AV)
Attack Complexity (AC)
Privileges Required (PR)
User Interaction (UI)
Scope (S)
Confidentiality (C)
Integrity (I)
Availability (A)