When it comes to vulnerabilities in Application / software’s denotes the weakness persist in the SDLC cycle which could lead a way to exploit by the hackers. Here will discuss on those vulnerabilities underlined as critical by SANS Institute
This article will focus on the SANS top 20 errors that can make your software vulnerable to attack and some of the security controls you can implement to mitigate against these errors. There are more attacks to deal but here the top 20 is been discussed
Here a term CWE will get mentioned, The Common Weakness Enumeration (CWE) is a community accepted list of software and hardware vulnerabilities with identification code assigned for each weakness. Focus is to identify the flaws and mitigate the risk within it.
|Sl. No||CWE No||Vulnerability|
|1||CWE-119||Memory Buffer Error|
|3||CWE-20||Unvalidated Input Error|
|4||CWE-200||Sensitive Information Exposure Error|
|5||CWE-125||Out-of-bounds Read Error|
|7||CWE-416||Free Memory Error|
|8||CWE-190||Integer Overflow Error|
|9||CWE-352||Cross-Site Request Forgery|
|11||CWE-78||OS Command Injection|
|12||CWE-787||Out-of-bounds Write Error|
|13||CWE-287||Improper Authentication Error|
|14||CWE-476||Dereferencing NULL Pointer|
|15||CWE-732||Incorrect Permission Assignment|
|16||CWE-434||Unrestricted File Upload|
|17||CWE-611||Information Exposure through XML Entities|
|19||CWE-798||Hard-coded Access Key|
|20||CWE-400||Uncontrolled Resource Consumption|
Above vulnerabilities are discussed in detail chains . This article discusses on the first 5 vulnerabilities
Memory Buffer Error
This buffer overflow happens when an application process tries to store more data than it can hold in the memory. Since the buffers can only store some level of data and when that level is reached and exceeded, the data flows to another memory location which can corrupt the data already contained in that buffer. This incident sometimes happens accidentally through some programming error, but the aftereffect could be disastrous, as this can erase data, steal confidential information, and even the whole application could crash because of this buffer overflow.
Cross Site Scripting
Cross-site Scripting (XSS) is an injection attack that usually happens when a malicious actor or an attacker injects malicious or harmful script into a web application which can be executed through the web browsers. Once the malicious script finds its way into the compromised system, it can be used to perform different malicious activities like transferring private information like cookies that have the session information from the victim’s computer to the attacker’s computer.
Unvalidated Input Error
The application receives input, but fails to validate the input, whether it has all necessary details needed for it to be accepted into the system for processing. When there is input sanitization, this can be used to check any potentially dangerous inputs in order to ensure that the inputs are safe to be processed with the source code or when it’s an input that is needed to communicate with other components. if not validated it could pave a way for an attacker to send malicious input which could lead to a arbitrary code execution
Sensitive Information Exposure Error
This happens when the application knowingly and unknowingly exposes information that is confidential and sensitive to an attacker who does not have the authorization to access this information. Different errors lead to this information being exposed to an attacker. The severity of this error varies according to the context in which the application operates, the type of sensitive information that is revealed, and what the actor can gain from the exposed information.
There could be technical itches like database connectivity error, run-time error, and network error on our applications or websites. If not properly handled during development, i.e. when the application displays the error message it could display information to the public which an attacker may be able to use for malicious purposes like the image below.
Out-of-bounds Read Error
This usually occurs when the application reads data past the normal level, either to the end or before the beginning of the buffer. This gives unprivileged access to an attacker to read sensitive information from other memory locations, which can as well lead to a system or application crash.
A crash will certainly happen when the code reads data and thinks there is an indicator in place that stops the read operation like a NULL that is applied to a string
Here in the discussion we have seen the 5 Vulnerabilities .Rest will be continued in Sequential posts