Tips: "on controls to mitigate attacks and software vulnerabilities" If You Come Across... Verify For...

precious said:

1. Cross-Site Scripting (XSS)​

• If you come across: User input fields (like comments or search bars)
  • Verify for:
    • Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
    • Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
  • Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities​

• If you come across: User input or data handling that may exceed allocated memory
  • Verify for:
    • Buffer Overflow: Sending oversized inputs to trigger memory corruption.
    • Integer Overflow: Providing inputs that exceed maximum integer values.
    • Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
    • Stack Overflow: Causing the call stack to exceed its limit.
  • Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning​

• If you come across: User-modifiable data inputs
  • Verify for: Manipulating data to affect the application's behavior or outcomes.
  • Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control​

• If you come across: User permissions or roles within the application
  • Verify for: Accessing restricted resources or functions without proper authorization.
  • Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures​

• If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
  • Verify for: Weak encryption algorithms or improper key management.
  • Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws​

• If you come across: Input fields that interact with databases or APIs
  • Verify for:
    • SQL Injection: Manipulating SQL queries through input fields.
    • Command Injection: Executing arbitrary commands on the server.
  • Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)​

• If you come across: Forms that perform state-changing actions
  • Verify for: Unauthenticated requests being accepted by the application.
  • Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal​

• If you come across: File upload or retrieval functions
  • Verify for: Accessing restricted directories using path traversal techniques.
  • Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design​

• If you come across: Flaws in the application's architecture
  • Verify for: Design weaknesses that expose the application to various attacks.
  • Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration​

• If you come across: Default settings in applications or services
  • Verify for: Misconfigured security settings or unused features being enabled.
  • Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components​

• If you come across: Use of libraries or software that are no longer supported
  • Verify for: Known vulnerabilities associated with outdated components.
  • Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures​

• If you come across: Login or authentication mechanisms
  • Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
  • Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)​

• If you come across: Applications making backend requests based on user input
  • Verify for: Manipulating requests to access internal services.
  • Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)​

• If you come across: User inputs that are executed by the server
  • Verify for: Ability to execute arbitrary code on the server.
  • Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation​

• If you come across: Role or permissions settings
  • Verify for: Users gaining unauthorized access to higher privilege levels.
  • Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

• If you come across: File inclusion functionalities
  • Verify for: Ability to include local or remote files that could compromise the application.
  • Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS

Click to expand...

precious said:

1. Cross-Site Scripting (XSS)​

• If you come across: User input fields (like comments or search bars)
  • Verify for:
    • Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
    • Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
  • Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities​

• If you come across: User input or data handling that may exceed allocated memory
  • Verify for:
    • Buffer Overflow: Sending oversized inputs to trigger memory corruption.
    • Integer Overflow: Providing inputs that exceed maximum integer values.
    • Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
    • Stack Overflow: Causing the call stack to exceed its limit.
  • Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning​

• If you come across: User-modifiable data inputs
  • Verify for: Manipulating data to affect the application's behavior or outcomes.
  • Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control​

• If you come across: User permissions or roles within the application
  • Verify for: Accessing restricted resources or functions without proper authorization.
  • Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures​

• If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
  • Verify for: Weak encryption algorithms or improper key management.
  • Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws​

• If you come across: Input fields that interact with databases or APIs
  • Verify for:
    • SQL Injection: Manipulating SQL queries through input fields.
    • Command Injection: Executing arbitrary commands on the server.
  • Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)​

• If you come across: Forms that perform state-changing actions
  • Verify for: Unauthenticated requests being accepted by the application.
  • Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal​

• If you come across: File upload or retrieval functions
  • Verify for: Accessing restricted directories using path traversal techniques.
  • Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design​

• If you come across: Flaws in the application's architecture
  • Verify for: Design weaknesses that expose the application to various attacks.
  • Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration​

• If you come across: Default settings in applications or services
  • Verify for: Misconfigured security settings or unused features being enabled.
  • Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components​

• If you come across: Use of libraries or software that are no longer supported
  • Verify for: Known vulnerabilities associated with outdated components.
  • Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures​

• If you come across: Login or authentication mechanisms
  • Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
  • Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)​

• If you come across: Applications making backend requests based on user input
  • Verify for: Manipulating requests to access internal services.
  • Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)​

• If you come across: User inputs that are executed by the server
  • Verify for: Ability to execute arbitrary code on the server.
  • Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation​

• If you come across: Role or permissions settings
  • Verify for: Users gaining unauthorized access to higher privilege levels.
  • Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

• If you come across: File inclusion functionalities
  • Verify for: Ability to include local or remote files that could compromise the application.
  • Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS

Click to expand...