Common Software Vulnerabilities and Controls Flashcards

Question

What are the defensive implementations of controls in code to avoid memory overflow?

Answer 1

Input size validation; double-checking buffer size to ensure that the buffer is sufficiently large to handle the input data copied into it; checking buffer boundaries to make sure that the functions in a loop don’t attempt to write past the allocated space; and performing integer type (size, precision, signed/unsigned) checks to make sure that they are within the expected range and values.

Answer 2

Choose a programming language that performs its own memory management and is type-safe; Use a proven and tested library or framework that include safer string manipulation functions (e.g. Safe C); Replace deprecated, insecure, and banned API functions that are susceptible to overflow issues with safer alternatives that perform size checks before performing its operations; ...

Answer 3

supplies data that is accepted as is and interpreted as a command or part of a command, thus allowing the attacker to execute commands using an injection vector.

Answer 4

Using code review and scanners, including fuzzing scans, can be employed to detect them.

Answer 5

the way in which database queries are constructed, the supply input becomes part of the (Structured Query Language) query that the database processes as a command.

Answer 6

1) Exploration by hypothesizing SQL queries to determine if the software is susceptible to SQL injection; 2) Experimenting to enumerate internal database schema by forcing database errors; 3) Exploiting the SQL injection vulnerability to bypass checks or modify, add, retrieve or delete data from the database.

Answer 7

instead of using information from error messages to facilitate SQL injection, the attacker constructs simple Boolean SQL expressions (true/false questions) to iteratively probe the target database; depending on whether the query was successfully executed or not, the attacker can determine the syntax and structure of the injection.

Answer 8

allows the execution of Operation System (OS) level commands using the supplied user input without sanitization or validation.

Answer 9

unsanitized and unvalidated input is used to construct or modify syntax, contents, and commands that are executed as an LDAP query.

Answer 10

does not properly filter or quote special characters or reserved words that are used in XML, allowing an attacker to modify the syntax, contents, or commands before execution. Two main types are XPATH injection and XQuery injection.

Answer 11

not validated or sanitized prior to processing and built dynamically using user-supplied input.; an attacker can take advantage of this weakness by injecting malformed XML expressions, allowing the attacker to perform malicious operations such as modifying and controlling logic flow, retrieving unauthorized data and/or circumventing authentication checks.

Answer 12

disclosure, alteration, or destruction of data; compromise of the Operating System; discovery of the internal structure (or schema) of the database or data store; enumeration of user accounts from a directory store; circumventing nested firewalls; bypassing authentication; execution of extended procedures and privileged commands.

Answer 13

consider all input to be untrusted and validate all user input; Encode output using the appropriate character set, escape special characters and quote input, besides disallowing meta-characters; Use structured mechanisms to separate data from code; avoid dynamic query construction; User parameterized queries; Display generic error messages that yield minimal to no additional information; Implement the least privilege by using views, and restricting tables, queries and procedures to only the authorized set of users and/or accounts.

Answer 14

run the code in a sandbox environment that enforces strict boundaries between the processes being executed and the Operating System.

Answer 15

filter or quote LDAP syntax from user-controlled input.

Answer 16

Allowing more than one set of authentication or session management controls that allow access to critical resources via multiple communication channels or paths; Transmitting authentication credentials and session IDs over the network in cleartext; Storing authentication credentials without hashing or encrypting them; Not using a random or pseudo-random mechanism to generate system-generated passwords or session IDsNot implementing transport protection or data encryption; improper/ insufficient timeouts.

Answer 17

built-in and proven authentication and session management mechanisms; Use a single and centralized authentication mechanism that supports multi-factor authentication and role-based access control; Using a unique, non-guessable, and random session identifier; encrypt or hash the credentials before storing them in a configuration file or data store; Do not hard code database connection strings, passwords or cryptographic keys in cleartext in the code; ...

Answer 18

Code review and testing.

Answer 19

Attacks in which the user supplied input script that is injected is not stored but merely included in the response from the web server, either in the results of a search or an error message.

Answer 20

(i) they provide the input script directly into your web application; (ii) they can send a link with the script embedded and hidden in it.

Answer 21

The injected script is permanently stored on the target servers, either in a database, a message forum, a visitor log or an input field (e.g. Samy Worm and the Flash worm).

Answer 22

The payload is executed in the victim’s browser as a result of DOM environment modifications on the client side. The HTTP response is not modified, but weaknesses in the client side allows the code contained in the web page client to be modified, so that the payload can be executed.

Answer 23

steal authentication information using the web application; hijack and compromise users sessions and accounts; tamper or poison state management and authentication cookies; cause Denial of Service (DoS); insert hostile content; ....

Answer 24

Handle the output to the client only after it is sanitized; Validating user-supplied input with a whitelist also provides additional protection against XSS; Disallow the upload of .htm or .html extensions; Use the innerText properties of HTML controls instead of the inner HTML property when storing the input supplied; Use secure libraries and encoding frameworks that provide protection against XSS issues; The client can be secured by disabling the active scripting option in the browser; Use the HTTPOnly flag on the session or any custom cookie so that the cookie cannot be accessed by any client side code or script (if the browser supports it) which mitigates XSS attacks.

Answer 25

Microsoft Anti-Cross Site Scripting, OWASP ESAPI Encoding module, Apache Wicket and the SAP Output Encoding framework.

Answer 26

An unauthorized user or process can invoke the internal functionality of the software by manipulating parameters and other object values that directly reference this functionality.

Answer 27

Data disclosure, privilege escalation, authentication and authorization checks bypass, and restricted resource access.

Answer 28

To avoid exposing internal functionality of the software using a direct object reference that can be easily manipulated.

Answer 29

Use indirect object reference by using an index of the value or a reference map; Do not expose internal objects directly via URLs or form parameters to the end user; Either mask or cryptographically protect (encrypt/hash) exposed parameters, especially querystring key value pairs; Validate the input to ensure that the change is allowed as per the whitelist; Perform multi access control and authorization checks each and every time a parameter is changed, according to the principle of complete mediation; Use RBAC to enforce roles at appropriate boundaries and reduce attack surface by mapping roles with the data and functionality.

Answer 30

Hardening software applications involves determining | the necessary and correct configuration settings and architecting the software to be secure by default.

Answer 31

Missing software and operating system patches; Lack of perimeter and host defensive controls such as firewalls, filters, etc.; Installation of software with default accounts and settings; Installation of the administrative console with de;fult configuration settings; Installation or configuration of unneeded services, ports and protocols, unused pages, and unprotected files and directories; Not disabling directory listing on the server; Not explicitly setting up error and exception handling; Leaving behind any sample applications; Deploying tightly coupled applications and system-of-systems.

Answer 32

Changing any default configuration settings; Removing any unneeded or unnecessary services and processes; Establishing and maintaining a configuration of the minimum level of security that is acceptable (MSB); Establishing a process that hardens (locks down) the OS and the applications that run on top of it; Establishing a controlled patching process; Establishing a scanning process to automatically detect and report on software and systems that are not compliant to the established MSB; Handling errors explicitly using redirects and error messages; Removing any sample applications from production systems after installation; Deploying applications and systems that have a loosely coupled and highly cohesive architecture.

Answer 33

Insufficient data-in-motion protection; Insufficient data-at-rest protection and Electronic social engineering.

Answer 34

Monitoring network traffic using a passive sniffer is a common means by which attackers steal information when the data is in motion (in transit).

Answer 35

It is insufficient to merely use SSL/TLS just during the authentication process; a 3-tier web architecture, transport layer protection needs to be from the client to the web server and from the web server to the database server.

Answer 36

Local storage; Browser settings; Cache; Backups, logs and configuration files; Comments in code; Hardcoded secrets in code; Unhandled exceptions and error messages; Backend data stores.

Answer 37

Phishing; Pharming; Vishing; SMSishing

Answer 38

A method of tricking users into submitting their personal information using electronic means such as deceptive emails and websites.

Answer 39

A scamming practice in which malicious code is installed on a system or server which misdirects users to fraudulent web sites without the user’s knowledge or consent.

Answer 40

The DNS table in the server is altered to point to fraudulent web sites even when the request to the legitimate ones is made.

Answer 41

An attacker steals sensitive information using deceptive social engineering techniques on VoIP networks.

Answer 42

The attackers sends a message to the victim, as if it originated from a reputable source (such as the victim’s bank), usually has a message to the victim, stating that they need to call back to verify some information, with a sense of urgency.

Answer 43

Human trust

Answer 44

Exploitable weaknesses such as no proper ACLs to host systems and servers; lack of spyware protection that can modify settings and weaknesses in software code.

Answer 45

To set the HTTPOnly flag, which instructs browsers to not allow Javascript access to the cookies.

Answer 46

Using “Private Browsing” mode in browsers and other plugins or extensions that don’t cache the visited pages; Disable autocomplete features in browser forms; Disable caching of sensitive data or ncrypt the cache and/or explicitly set cache timeouts;

Answer 47

bcrypt, PBKDF2 or scrypt

Answer 48

Ensure that the session cookie’s secure flag is set. This causes the browser cookie to be sent only over encrypted channels (HTTPS and not HTTP).

Answer 49

Sending bogus and faulty information to the phisher | with the intent to dilute the real information that the attacker is soliciting.

Answer 50

One of the most easily exploitable weaknesses in many applications is the failure to restrict access to privileged functionalities or URLs.

Answer 51

Role-Based Access Control (RBAC) of functions and URLs that denies access by default, along with requiring explicit grants to users and roles; Obfuscation of URLs provides some defense against attackers who attempt forced browsing by guessing the URL; Whitelisting valid functions and URLs and validating library files that are referenced.

Answer 52

JAAS authorization and the OWASP ESAPI.

Answer 53

Cross-Site Request Forgery - an attacker masquerades (forges) a malicious HTTP request as a legitimate one and tricks the victim into submitting that request. CSRF is also known by a number of other names, including XSRF, Session riding attack, sea surf attack, hostile linking, automation attack and Cross Site Reference Forgery.

Answer 54

(1) User authenticates into a legitimate web site and receives the authentication token associated with that site; (2) User is tricked into clicking a link that has a forged malicious HTTP request to be performed against the site that the user is already authenticated to; (3) Since the browser sends the malicious HTTP request, the authentication credentials, this request surfs or rides on top of the authenticated token and performs the action as if it was a legitimate action requested by the user.

Answer 55

Authentication bypass, identity compromise and phishing some examples;

Answer 56

To implement the software so that it is not dependent on the authenticated credentials that are automatically submitted by the browser.

Answer 57

To implement the software to use a unique session specific token that is generated in a random, non-predictable, non-guessable and/or sequential manner.; CAPTCHAs; The uniqueness of session tokens is to be validated on the server side; Use POST methods instead of GET requests; Use a double-submitted cookie; Check the URL referrer tag for the origin of request before processing the request; re-authenticate each and every time; Use transaction signing to assure that the request is genuine; Build in automated log out functionality; Leverage industry tools that aid with CSRF defense; Mitigate XSS vulnerabilities.

Answer 58

In situations where the target URL is supplied as an unvalidated parameter, an attacker can specify a malicious URL hosted in an external site and redirect users to that site. Once the victim lands on the malicious page the attacker can phish for sensitive and personal information.

Answer 59

a code review and making sure that the target URL is a valid and legitimate one.

Answer 60

The 3XX series HTTP response codes (300-307) are | the ones that deal with redirection.

Answer 61

Avoiding redirects and forwards (transfers) if possible; Use a whitelist target URLS that a user can be redirected to; Don’t allow the user to specify the target (destination) URL as a parameter; Use an index value to map to the target URL and use that mapped value as the parameter; Architect the software to inform the user using an intermediate page; Mitigate scripts attacks vulnerabilities that can be used to change document location.

Answer 62

Malicious file execution; Path traversals; Improper file includes; Download of code without integrity check.

Answer 63

Accepting user supplied file names and files without validating it; Not restricting files to non-executable types; Uploading hostile data to the file system via image uploads; Using compression or audio streams that allow the access of remote resources without the inspection of internal flags and settings; Using hostile Document Type Definitions (DTDs) that forces the XML parser to load a remote DTD and parse and process the results.

Answer 64

Use a whitelist of allowable file extensions; Allow only one extension to a file name; Use an indirect object reference map and/or an index for file names; Explicitly taint check; Automatically generate a filename instead of using the user supplied one; Avoid using file functions and streams-based APIs to construct filenames; Configure the application to demand appropriate file permissions;

Answer 65

Use a whitelist to validate acceptable file paths and locations; Limit character sets before accepting files for processing; Harden the servers by configuring them to not allow directory browsing or contents; Decode once and canonical file paths to internal representation so that dangerous inputs are not introduced after the checks are performed; Use a mapping of generic values to represent known internal actual file names and reject any values not configured explicitly.

Answer 66

Store library, include and utility files outside of the root or system directories; Restrict access to files within a specified directory; Limit the ability to include files from remote locations.

Answer 67

Use integrity checking on code downloaded from remote locations (e.g. hashing, code signing and authenticode technologies.); To detect DNS spoofing attacks, perform both forward and reverse DNS lookups; When source code is not developed by you or not available, the use of monitoring tools to examine the software’s interaction with the OS and the network can be used to detect code integrity issues.

Answer 68

There must be at least two threads or control flows executing concurrently.

Answer 69

The threads executing concurrently are both accessing the same object.

Answer 70

At least one of the control flows must alter the state of the shared object.

Answer 71

Identifying and eliminating race windows; performing atomic operations on shared resources; using mutex operations; using multi-threading and thread-safe capabilities and functions and abstractions on shared variables; minimizing the usage of shared resources and critical sections that can be repeatedly triggered; ...

Answer 72

Attackers can use non-conventional means to discover sensitive and secret information about our software and even a full-fledged implementation of the controls determined from the threat model can fall short to provide total software assurance.

Answer 73

Timing attacks; Power Analysis attacks; TEMPEST attacks (or radiation monitoring attack); Acoustic Cryptanalysis attacks; Differential Fault Analysis attacks; Distant Observation attacks; Cold Boot attacks.

Answer 74

Use a system where the time to compute an operation is independent of the input data or key size; Leverage standardized cryptographic algorithms that are known to be less prone to side channel information leakage; Avoid the usage of branching and conditional operational logic in critical code sections to compute operations; The most effective protection against timing attacks is to standardize on the time that each computation will take; Balancing power consumption independent of the type of operation; Adding noise is a known and proven control against acoustic analysis; ...