Weaknesses and Vulnerabilities - L1 Flashcards
Learn common weaknesses and vulnerabilities in software development (XSS, Buffer Overflow, Out-of-Bounds Read/Write, Improper Input Validation)
Briefly explain software
Software by its nature is constantly running processes and interacting with the host system, whether that is a server or the computer it is installed on. Because the software acts as a conduit to those resources and to the data it is processing, we have to be careful and look at what happens if a user does something we don’t want them to do (intentionally or unintentionally).
What is developing secure software primarily focused on?
Secure development along with vulnerability testing and mitigation. Many vulnerabilities are the result of poor programming practices.
What are the 3 error categories of vulnerabilities?
Insecure interaction between components
Risky resource management
Porous defences
Explain what insecure interaction between components means
This is where two resources, programs, or pieces of software running on different hardware are talking to each other. During that conversation, data or connections are exposed, and how they are exposed and the way in which the components talk to each other will often create vulnerabilities or weaknesses.
Explain what Risky Resource Management is
This is about including things in our software or applications whose permissions or source we aren’t sure about, or which may have been altered on the way into our application.
Explain what Porous Defences are
These are partially configured defences (for example, setting up permissions in one area but not another, or completing security tests on the landing page but not on subsequent pages in the application).
What is the CWE?
Common Weakness Enumeration - A community-developed list of software and hardware weakness types. It is run by the MITRE Corporation and funded by the US Government. They maintain a ‘Top 25 Dangerous Software Weaknesses’ list.
How does software appear to be changing?
Things are expected to be cross-platform, and there has been an increase in cloud-based architectures. We are also seeing an emergence of IoT-based technologies, where people are putting systems on devices that weren’t originally designed to have a computer in them.
What is Improper Neutralisation of Input During Web Page Generation (XSS)?
This is about injecting malicious executable code into a web page. Impacts of this vulnerability include being able to hijack sensitive information, inject further malicious requests, change user information, or take control of a computer or web server.
Vulnerabilities from Improper Neutralisation of Input During Web Page Generation (XSS) occur when what happens?
- Untrusted data enters application via a web request
- Application generates a page containing this untrusted data
- During page generation, application allows content to be included that is executable by a web browser, such as JavaScript
- A victim visits the web page
- Since the script comes from a web page that was sent by the web server, the victim’s web browser executes the malicious script in the context of the web server’s domain
- This can violate the browser’s same-origin policy, giving the script access to external resources or even resources within the application
What are the 3 types of Cross Site Scripting (XSS)?
Type 1 - Reflected XSS (Non-persistent) - The server receives exploit code in an HTTP request and reflects it back in the HTTP response. An attacker must cause a victim to supply the dangerous content to the vulnerable web application
Type 2 - Stored XSS (Persistent) - The attacker injects exploit code into a data store in the application, which is then included when a victim loads a web page that uses that resource
Type 0 - DOM-based - This attack injects malicious code directly into the page in the browser, as opposed to injecting it into the server
What is Out-of-Bounds Read/Write (Buffer Overflow)?
This is where too much data has been placed in a buffer, resulting in adjacent memory locations being overwritten. Buffers are memory storage regions that hold data temporarily while it is being transferred from one location to another.
Impacts of this vulnerability include damage to system files, taking control of a machine, data exfiltration and privilege escalation.
What are the 2 types of Buffer Overflow Attacks?
Stack-based Buffer Overflow - This is the most common type and uses stack memory, which exists only during the execution of a function. A stack frame is spun up as a buffer to hold a variable; the variable is read back out of it and then the buffer is collapsed.
Heap-based Buffer Overflow - Harder to carry out and involves flooding the memory space allocated to a program. This attacks the entire memory space allocated to the program.
C++ is particularly susceptible to buffer overflows because of the low level at which it operates. Languages such as JavaScript have some built-in safeguards to protect against this kind of attack.
What mitigations are there for Buffer Overflow Attacks?
JavaScript and other languages have built-in safeguards. Address space layout randomisation (ASLR) randomises the address locations of the code and data regions of all of the libraries in the program at runtime, so there is no way to predict where that space is going to be. Structured Exception Handler Overwrite Protection (SEHOP) also stops code from attacking the structured exception handling and prevents an attacker from making use of overwrite exploits, because it will flag an exception rather than allowing writes past the buffer.
What is Improper Input Validation (Injection)?
Input validation is used to ensure that malicious input is filtered out prior to processing. Impacts of this vulnerability include damage to system files, enumeration, taking control of the machine, data exfiltration and privilege escalation.