Reading About Common Cybersecurity Issues on the OWASP Website

I first heard about the Open Worldwide Application Security Project (OWASP) community when reading about possibly implementing Regular Expression search for this site. I have decided to read about some of the cybersecurity issues listed on the site just to keep them in mind when coding.

Date Created:
Last Edited:

References



Related

  • Account Lockout
    • Account lockout prevents any more login attempts for a period after a certain number of failed login attempts. The counter of failed logins should be associated with the account itself, rather than the source of the IP address, in order to prevent an attacker from making login attempts from a large number of different IP addresses.
    • Factors to consider with account lockout:
      • The number of failed attempts before the account is locked out
      • The time period that these attempts must occur within
      • How long the account is locked out for (lockout duration)
        • Rather than implementing a fixed lockout duration, some applications use an exponential lockout, where the lockout duration starts as a very short period (e.g., one second) but doubles after each failed login
    • When designing an account lockout system, care must be taken to prevent it from being used to cause a denial of service by locking out other users' accounts. (Maybe send the user an email after a period of time).


Attacks

Attacks are the techniques that attackers use to exploit the vulnerabilities in applications.

Binary Planting

  • Binary Planning
  • Binary planting is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to a local or remote file system in order for a vulnerable application to load and execute it.
  • Ways this attack can occur:
    • Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a trusted location.
    • One application may be used for planting a malicious binary in another application's trusted location.
    • The application searches for a binary in untrusted locations, possibly on remote file systems.


Blind SQL Injection

  • Bind SQL Injection
  • Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
  • When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL injection vulnerability more difficult, but not impossible.


Blind XPath Injection

  • Blind XPath Injection
  • XPath is a type of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL), however, XPath is different in that it can be used to reference almost any part of an XML document without access control restrictions. In SQL, a user may be restricted to certain databases, tables, columns, or queries. Using an XPATH Injection attack, an attack is able to modify the XPATH query to perform an action of their choosing.
  • Bling XPath Injection attacks can be used to extract data from an application that embeds user supplies data in an unsafe way. When input is not properly sanitized, an attack can supply valid XPath code that is executed. This type of attack is used in situations where the attacker has no knowledge about the structure of the XML document, or perhaps error message are suppressed, and is only able to pull once piece of information at a time by asking true/false questions (booleanized queries), like Blind SQL injection.


Brute Force Attack

  • Brute Force Attack
  • A brute force attack can manifest itself in many different ways, but primarily consists in an attack configuring predetermined values, making requests to a server using those values, and then analyzing the response. An attacker may use a dictionary attack or a traditional brute-force attack. Considering a given method, number of tries, efficiency of the system which conducts the attack, and estimated efficiency of the system which is attacked the attacker is able to calculate approximately how long it will take to submit all chosen predetermined values.
  • Brute-force attacks are often used for attacking authentication and discovering hidden content/pages within a web application. These attacks are usually sent via GET and POST requests to the server.


Buffer Overflow via Environment Variables

  • Buffer Overflow via Environment Variables
  • This attack pattern involves causing a buffer overflow through the manipulation of environment variables. Once the attacker finds out that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • The environment variable exposed to the user must be vulnerable to buffer overflow for this to occur. It might be a good idea to set some checks up even for environment variables.



Buffer Overflow Attack

  • Buffer Overflow Attack
  • Buffer overflow errors are characterized by the overwriting of memory fragments of the process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other errors to occur. Buffer overflow errors occur when we operate on buffers of char type.
  • Buffer overflows can consist of overflowing the stack or overflowing the heap.


CORS OriginHeaderScrutiny

  • CORS OriginHeaderScrutiny
  • It is not not recommended to use the Origin header to authenticate requests as coming from your site since a web client can put aby value into the Origin request HTTP header in order to force the web application to provide it the target resource content. The browser usually sets the Origin header, but other clients, like curl, can be used.


CORS RequestPreflightScrutiny

  • CORS RequestPreflightScrutiny
  • A user can create/send a final HTTP request without previously sending the first request for preflight and then they can bypass the request preflight process in order to act on data in an unsafe way.
  • To protect against this, you have to ensure Request Preflight Process compliance on the server side.


CSV Injection

  • CSV Injection
  • CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Excel is used to open a CSV file, any cells starting with = will be interpreted by the software as a formula. Maliciously crafted formulas can be used to:
    • Highjack the user's computer by
      • exploiting vulnerabilities in the spreadsheet software
      • exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded form their own websites.
    • Exfiltrating contents form the spreadsheet, or other spreadsheets
  • You can prevent this attack by sanitizing the CSV file so that the content will be read as text by the spreadsheet editor.


Cache Poisoning

  • Cache Poisoning
  • The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple user s or event the browser cache of a single user.
  • This attack is relatively difficult to carry out in a real environment.
  • It is crucial from the attacker's point of view that the application allows for filling the header filed with more than one header using CR (Carriage Return) and LF (Line Feed) characters.


Cash Overflow

  • Cache Overflow
  • A Cache overflow is a Denial of Service attack specifically aimed at exceeding the hosting costs for a cloud application, either essentially bankrupting the service owner or exceeding the application cost limits, leading the cloud service provider to disable the application.


Clickjacking

  • Clickjacking
  • Clickjacking, also known as a UI redress attack, us when an attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
  • Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and textboxes, a user can be led to believe they are typing in the password to their email or bank account, but they are instead typing into an invisible frame controlled by the attacker.
  • Defending Against Clicking jacking:
    • Send the proper Content Security Policy frame-ancestors directive response headers that instruct the browser to not allow framing from other domains.
    • Properly setting authentication cookies with SameSite=Strict unless they explicitly need None
    • Employing defensive code in the UI to ensure that the current frame is the most top level window.


Code Injection

  • Code Injection
  • Code injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output validation, e.g.:
    • Allowed characters
    • Data Format
    • Amount of Expected Data
  • These attacks are usually moderately hard to exploit


Command Injection

  • Command Injection
  • Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers, etc. ) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to their insufficient input validation.


Comment Injection Attack

  • Comment Injection Attack
  • Comments injected into an application through input can be used to compromise a system. As data is parsed, an injected/malformed comment may cause the process to take unexpected actions that result in an attack.


Content Spoofing

  • Content Spoofing
  • Also referred to as content injection is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user's trust.

Credential stuffing

  • Credential Stuffing
  • Credential stuffing is the automated injection of stolen username and password pairs (credentials) in to website login forms, in order to gain access to user accounts.
Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites cam allow an attacker to compromise those accounts too.
  • Credential stuffing is one of the most common techniques to take-over user accounts.
  • Multi-Factor Authentication is a primary counter measure against credential stuffing.

To avoid constantly annoying the user with MFA requests, you might develop an AI algorithm that detects whether user generated content is very dissimilar to what the user normally posts, and only ask for two factor authentication in this case.


Cross-User Defacement

  • Cross-User Defacement
  • An attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server.
  • This attack is difficult to carry out in a real environment.


Cross Site Scripting (XSS)

  • Cross Site Scripting
  • Cross site scripting attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
  • XSS attacks occur when:
    • Data enters a Web application through an untrusted source, most frequently a web request
    • The data included in dynamic content that is sent to a web user without being validated for malicious content
  • There are two categories of XSS attacks: reflected and stored.
    • Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as a part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message or some other website.
    • Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in message forum, visitor log, comment field, etc. The victim retrieves the malicious script from the server when it requests the stored information. Stored CSS is also known as persistent XSS.


Cross Frame Scripting

  • Cross Frame Scripting
  • Cross Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. This attack is usually only successful when combined with social engineering.


Cross Site History Manipulation (XSHM)

  • Cross Site History Manipulation (XSHM)
  • XSHM is a Same Origin Policy security breach based on the fact that the client-side browser history object is not properly partitioned on a per-site basis. Manipulating browser history may lead to SOP compromising, allow bi-directional CSRF and other exploitations such as: user privacy violation, login status detection, resources mapping, sensitive information inferring, users' activity tracking and URL parameter stealing
  • Don't include sensitive information in the URL (i.e., in query parameters)


Cross Site Tracing

  • Cross Site Tracing
  • This attack involves the use of XSS and the TRACE HTTP method. The TRACE method, which allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. The TRACE method can be used to override the HttpOnly property of cookies which disallows JavaScript from accessing the cookies. Most modern browsers now prevent TRACE requests being made via JavaScript. Maybe prevent this with CORS or in nginx.


Cryptanalysis

  • Cryptanalysis
  • Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not the cryptographic algorithm itself, but how it is applied.
  • Ensure cryptographic algorithms are properly used - use a library.


Custom Special Character Injection

  • Custom Special Character Injection
  • The software does not properly filter or quote special characters or reserved words that are used in a custom or proprietary language or representation that is used by the product. That allows attackers to modify the syntax, content, or commands before they are processed by the system.


Denial of Service

  • Denial of Service
  • The Denial of Service attack is focused on making a resource unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others.
  • Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server.


Direct Dynamic Code Evaluation - Eval Injection

  • Direct Dynamic Code Evaluation - Eval Injection
  • The attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, which results in code execution.
    • This attack will execute the code with the same permission like the target web service, including operation system commands
    • Eval injection is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.


Embedding Null Code

  • Embedding Null Code
  • The Embedding NULL Bytes/characters technique exploits applications that don't properly handle postfix NULL terminators. This technique can be used to perform other attacks such as directory browsing, path traversal, SQL injection, execution of arbitrary code, and others. It can be found in lots of vulnerable applications and there are lots of exploits available to abuse systems.


Execution After Redirect (EAR)

  • Execution After Redirect (EAR)
  • Execution after Redirect is an attack where an attack ignores redirects and retrieves content intended for authenticated users. A successful EAR exploit can lead to complete compromise of the application.
  • Proper termination should be performed after redirects. In a function a retun should be perfomed. In other instances functions such as die() should be performed. This will tell the application to terminate regardless of if the page is redirected or not.


Forced browsing

  • Forced browsing
  • Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible


Form action hijacking

  • Form Action Hijacking
  • Form action hijacking allows an attack to specify the action URL of a form via a parameter. An attacker can construct a URL that will modify the action URL of a form to point to the attacker's server. Form content including CSRF tokens, user entered parameter values, and any other of the forms content will be delivered to the attacker via the hijacked action URL.


Format string attack

  • Format String Attack
  • The Format String occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.
  • This attack can happen when the input is not well validated.


Full Path Disclosure


Function Injection

  • Function Injection
  • This attack consists of insertion or injection of a function name from client to the application. A successful function injection exploit can execute any built-in or user defined function. Function injection attacks are a type of injection attack, in which arbitrary function names, in sometimes with parameters are injected into the application and executed. If parameters are passed to the injection function it leads to remote code execution.


HTTP Response Splitting

  • HTTP Response Splitting
  • This occurs when:
    • Data enters a web application through an untrusted source
    • The Data is included in an HTTP response header sent to a web user without being validated for malicious characters.
  • The attack is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.
  • To mount a successful exploit, the application must allow input that contains Carriage Return (\r) or Line Feed (\n) characters into the header and the underlying platform must be vulnerable to the injection of such characters.


LDAP Injection

  • LDAP Injection
  • LDAP injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LSAP tree.


Log Injection

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually or on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.
  • Writing invalidated user input to log files can allow an attacker to forge log entries or inject content into the logs. This is called log injection.


Man-in-the-browser attack

  • Man-in-the-browser attack
  • The man in the browser attack is like the manipulator in the middle attack, except this attack uses a Trojan Horse to intercept and manipulate calls between the main application's executable and its security mechanisms or libraries on the fly.
  • The most common objective of this attack is to cause financial fraud by manipulating transactions of Internet Banking Systems, even when other authentication factors are in use.


Manipulator-in-the-middle attack

  • Manipulator-in-the-middle attack
  • The Manipulator in the middle attack intercepts a communication between two systems. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server.


Mobile code invoking untrusted mobile code

  • Mobile code invoking untrusted mobile code
  • The attack consists of a manipulation of a mobile code in order to execute malicious operations at the client side. By intercepting client traffic using the man in the middle technique, a malicious user could modify the original mobile code with arbitrary operations that will be executed on the client's machine under their credentials.


Mobile code non-final public field

  • Mobile code non-final public field
  • The attack aims to manipulate non-final public variables used in mobile code, by injecting malicious values on it, mostly in Java and C++ applications.


Mobile code object hijack

  • Mobile Code Object Hijack
  • This attack consists of a technique to create objects without constructors' methods by taking advantage of the clone() method of Java-based applications.


Parameter Delimiter

  • Parameter Delimiter
  • This attack is based on the manipulation of parameter delimiters used by web application input vectors in order to cause unexpected behaviors like access control and authorization bypass and information disclosure, among others.


Password Spraying Attack

  • Password Spraying Attack
  • Type of brute force attack in which the attacker will brute force logins based on lists of usernames with default passwords on the application. This attack can be found commonly where the application or admin sets a default passsword for new users.


Path Traversal

  • Path Traversal
  • A path traversal attack aims to access files and directories that are stored outside the web root folder. It may be able to access arbitrary files on a file system by manipulating paths using the dot-dot-slash (../) sequences.


Qrljacking

  • Qurljacking
  • Quick Response Code Login Jacking is a simple social engineering attack vector capable of session hijacking affecting all applications that rely on Login with QR code feature as a secure way to login into accounts.


Reflected DOM Injection


Regular expression Denial of Service - ReDoS

  • Regular Expression Denial of Service - ReDOS
  • Exploits the fact that most regular expression implementations may reach extreme limitations that cause them to work slowly. An attacker may cause a program using a Regular Expression (Regex) to enter these extreme situations and then hang for a very long time.


Repudiation Attack

  • Repudiation Attack
  • A repudiation attack happens when an application or system does not adopy controls to properly track and log users' actions, thus permitting malicious manipulation or forging the identification of new actions. This attack can be used to change the authoring information of actions executed by a malicious user in order to log wrong data to log files. Its usage can be extended to general data manipulation in the name of others, in a similar manner as spoofing mail messages.


Resource Injection

  • Resource Injection
  • This attack consists of changing resource identifiers used by an application un order to perform a malicious task. When an application defines a resource type or location based on user input, this data can be manipulated to execute or access different resources.
  • The resource type affected by user input indicates the content type that may be exposed.


SQL Injection

  • SQL Injection
  • A SQL injection attack consists of insertion or injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.


Server-Side Includes (SSI) Injection

  • Server Side Includes Injection
  • The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely.


Server Side Request Forgery

  • Server Side Request Forgery
  • In this attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal service like http enabled databases or perform post requests toward internal services which are not intended to be exposed.


Session Prediction

The session prediction attack focuses on predicting session ID values that permit an attacker to bypass the authentication schema of an application. By analyzing and understanding the session ID generation process, an attacker can predict a valid session ID value and get access to the application.


Session fixation

  • Session Fixation
  • Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.


Setting Manipulation

  • Setting Manipulation
  • The attack aims to modify application settings in order to cause misleading data or advantages on the attacker's behalf. They may manipulate values in the system and manage specific user resources of the application or affect its functionalities.


Special Element Injection


Spyware

  • Spyware
  • This attack captures statistical information from a user's computer and sends it over the internet without user acceptance. This information is usually obtained from cookies and the web browser's history. Spyware can also install other software or redirect web browser activity.


Traffic flood

  • Traffic Flood
  • Type of DOS attack that consists of the generation of a lot of well-crafted TCP requestions with the objective to stop the Web Server or cause a performance decrease.


Trojan Horse

  • Trojan Horse
  • A Trojan Horse is a program that uses malicious code masqueraded as a trusted application, The malicious code can be injected on benign applications, masquerading in e-mail links, or sometimes hidden in JavaScript pages to make furtive attacks against vulnerable Internet Browsers.
  • There are seven main types of a Trojan Horse.


Unicode Encoding

  • Unicode Encoding
  • The attack aims to explore flaws in the decoding mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characteristics in the URL to bypass application filters, thus accessing restricted resources on the web server or to force browsing to protected pages.


Web Parameter Tampering

  • Web Parameter Tampering
  • Based on the manipulation of parameters between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.


XPATH Injection

  • XPATH Injection
  • XPath injection attack occurs when a web site uses user-supplied information to construct an XPath query for XML data.


XSS in Converting File Content to Text


XSS in subtitle

  • XSS in Subtitle
  • It is possible for an attacker to execute JavaScript in a video's subtitle. This is also referred to as XSS. If a website loads subtitle separately in the browser then an attacker can run any HTML or JavaScript in video subtitles.


Cross Site Request Forgery (CSRF)

  • CSRF
  • Forces end user to execute unwanted action on a web application in which they are currently authenticated. With a little help of social engineering, an attacker may trick the users of a web application into executing actions of the attacker's choosing.


IP Spoofing via HTTP Headers

Comments

You must be logged in to post a comment!

Insert Math Markup

ESC
About Inserting Math Content
Display Style:

Embed News Content

ESC
About Embedding News Content

Embed Youtube Video

ESC
Embedding Youtube Videos

Embed TikTok Video

ESC
Embedding TikTok Videos

Embed X Post

ESC
Embedding X Posts

Embed Instagram Post

ESC
Embedding Instagram Posts

Insert Details Element

ESC

Example Output:

Summary Title
You will be able to insert content here after confirming the title of the <details> element.

Insert Table

ESC
Customization
Align:
Preview:

Insert Horizontal Rule

#000000

Preview:

Insert Chart

ESC

View Content At Different Sizes

ESC

Edit Style of Block Nodes

ESC

Edit the background color, default text color, margin, padding, and border of block nodes. Editable block nodes include paragraphs, headers, and lists.

#ffffff
#000000

Edit Selected Cells

Change the background color, vertical align, and borders of the cells in the current selection.

#ffffff
Vertical Align:
Border
#000000
Border Style:

Edit Table

ESC
Customization:
Align:

Upload Lexical State

ESC

Upload a .lexical file. If the file type matches the type of the current editor, then a preview will be shown below the file input.

Upload 3D Object

ESC

Upload Jupyter Notebook

ESC

Upload a Jupyter notebook and embed the resulting HTML in the text editor.

Insert Custom HTML

ESC

Edit Image Background Color

ESC
#ffffff

Insert Columns Layout

ESC
Column Type:

Select Code Language

ESC
Select Coding Language