June 7, 2023

When it comes to vulnerabilities in Application / software’s denotes the weakness persist in the SDLC cycle which could lead a way to exploit by the hackers. Here will discuss on those vulnerabilities underlined as critical by SANS Institute

This article will focus on the SANS top 20 errors that can make your software vulnerable to attack and some of the security controls you can implement to mitigate against these errors. There are more attacks to deal but here the top 20 is been discussed

Here a term CWE will get mentioned, The Common Weakness Enumeration (CWE) is a community accepted list of software and hardware vulnerabilities with identification code assigned for each weakness. Focus is to identify the flaws and mitigate the risk within it.

Sl. NoCWE NoVulnerability
1CWE-119 Memory Buffer Error
2CWE-79 Cross-site Scripting
3CWE-20 Unvalidated Input Error
4CWE-200 Sensitive Information Exposure Error
5CWE-125 Out-of-bounds Read Error
6CWE-89 SQL Injection
7CWE-416 Free Memory Error
8CWE-190 Integer Overflow Error
9CWE-352 Cross-Site Request Forgery
10CWE-22 Directory Traversal
11CWE-78 OS Command Injection
12CWE-787 Out-of-bounds Write Error
13CWE-287 Improper Authentication Error
14CWE-476 Dereferencing NULL Pointer
15CWE-732 Incorrect Permission Assignment
16CWE-434 Unrestricted File Upload
17CWE-611 Information Exposure through XML Entities
18CWE-94 Code Injection
19CWE-798 Hard-coded Access Key
20CWE-400 Uncontrolled Resource Consumption
SANS Top 20 Vulnerability Table

Above vulnerabilities are discussed in detail chains . This article discusses on the first 5 vulnerabilities

Memory Buffer Error

This buffer overflow happens when an application process tries to store more data than it can hold in the memory. Since the buffers can only store some level of data and when that level is reached and exceeded, the data flows to another memory location which can corrupt the data already contained in that buffer. This incident sometimes happens accidentally through some programming error, but the aftereffect could be disastrous, as this can erase data, steal confidential information, and even the whole application could crash because of this buffer overflow.

Buffer overFlow

Cross Site Scripting

Cross-site Scripting (XSS) is an injection attack that usually happens when a malicious actor or an attacker injects malicious or harmful script into a web application which can be executed through the web browsers. Once the malicious script finds its way into the compromised system, it can be used to perform different malicious activities like transferring private information like cookies that have the session information from the victim’s computer to the attacker’s computer.

Unvalidated Input Error

The application receives input, but fails to validate the input, whether it has all necessary details needed for it to be accepted into the system for processing. When there is input sanitization, this can be used to check any potentially dangerous inputs in order to ensure that the inputs are safe to be processed with the source code or when it’s an input that is needed to communicate with other components. if not validated it could pave a way for an attacker to send malicious input which could lead to a arbitrary code execution

Sensitive Information Exposure Error

This happens when the application knowingly and unknowingly exposes information that is confidential and sensitive to an attacker who does not have the authorization to access this information. Different errors lead to this information being exposed to an attacker. The severity of this error varies according to the context in which the application operates, the type of sensitive information that is revealed, and what the actor can gain from the exposed information.

There could be technical itches like database connectivity error, run-time error, and network error on our applications or websites. If not properly handled during development, i.e. when the application displays the error message it could display information to the public which an attacker may be able to use for malicious purposes like the image below.

Out-of-bounds Read Error

This usually occurs when the application reads data past the normal level, either to the end or before the beginning of the buffer. This gives unprivileged access to an attacker to read sensitive information from other memory locations, which can as well lead to a system or application crash.

A crash will certainly happen when the code reads data and thinks there is an indicator in place that stops the read operation like a NULL that is applied to a string

Improper Range for Index Value Field
Proper Range for Index Value

Here in the discussion we have seen the 5 Vulnerabilities .Rest will be continued in Sequential posts

Leave a Reply

%d bloggers like this: