Tips: "on controls to mitigate attacks and software vulnerabilities" If You Come Across... Verify For...

precious

Well-known member
Apr 22, 2024
606
355
10,521

1. Cross-Site Scripting (XSS)​

  • If you come across: User input fields (like comments or search bars)
    • Verify for:
      • Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
      • Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
    • Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities​

  • If you come across: User input or data handling that may exceed allocated memory
    • Verify for:
      • Buffer Overflow: Sending oversized inputs to trigger memory corruption.
      • Integer Overflow: Providing inputs that exceed maximum integer values.
      • Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
      • Stack Overflow: Causing the call stack to exceed its limit.
    • Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning​

  • If you come across: User-modifiable data inputs
    • Verify for: Manipulating data to affect the application's behavior or outcomes.
    • Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control​

  • If you come across: User permissions or roles within the application
    • Verify for: Accessing restricted resources or functions without proper authorization.
    • Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures​

  • If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
    • Verify for: Weak encryption algorithms or improper key management.
    • Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws​

  • If you come across: Input fields that interact with databases or APIs
    • Verify for:
      • SQL Injection: Manipulating SQL queries through input fields.
      • Command Injection: Executing arbitrary commands on the server.
    • Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)​

  • If you come across: Forms that perform state-changing actions
    • Verify for: Unauthenticated requests being accepted by the application.
    • Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal​

  • If you come across: File upload or retrieval functions
    • Verify for: Accessing restricted directories using path traversal techniques.
    • Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design​

  • If you come across: Flaws in the application's architecture
    • Verify for: Design weaknesses that expose the application to various attacks.
    • Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration​

  • If you come across: Default settings in applications or services
    • Verify for: Misconfigured security settings or unused features being enabled.
    • Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components​

  • If you come across: Use of libraries or software that are no longer supported
    • Verify for: Known vulnerabilities associated with outdated components.
    • Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures​

  • If you come across: Login or authentication mechanisms
    • Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
    • Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)​

  • If you come across: Applications making backend requests based on user input
    • Verify for: Manipulating requests to access internal services.
    • Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)​

  • If you come across: User inputs that are executed by the server
    • Verify for: Ability to execute arbitrary code on the server.
    • Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation​

  • If you come across: Role or permissions settings
    • Verify for: Users gaining unauthorized access to higher privilege levels.
    • Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

  • If you come across: File inclusion functionalities
    • Verify for: Ability to include local or remote files that could compromise the application.
    • Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS
 

1. Cross-Site Scripting (XSS)​

  • If you come across: User input fields (like comments or search bars)
    • Verify for:
      • Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
      • Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
    • Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities​

  • If you come across: User input or data handling that may exceed allocated memory
    • Verify for:
      • Buffer Overflow: Sending oversized inputs to trigger memory corruption.
      • Integer Overflow: Providing inputs that exceed maximum integer values.
      • Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
      • Stack Overflow: Causing the call stack to exceed its limit.
    • Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning​

  • If you come across: User-modifiable data inputs
    • Verify for: Manipulating data to affect the application's behavior or outcomes.
    • Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control​

  • If you come across: User permissions or roles within the application
    • Verify for: Accessing restricted resources or functions without proper authorization.
    • Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures​

  • If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
    • Verify for: Weak encryption algorithms or improper key management.
    • Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws​

  • If you come across: Input fields that interact with databases or APIs
    • Verify for:
      • SQL Injection: Manipulating SQL queries through input fields.
      • Command Injection: Executing arbitrary commands on the server.
    • Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)​

  • If you come across: Forms that perform state-changing actions
    • Verify for: Unauthenticated requests being accepted by the application.
    • Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal​

  • If you come across: File upload or retrieval functions
    • Verify for: Accessing restricted directories using path traversal techniques.
    • Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design​

  • If you come across: Flaws in the application's architecture
    • Verify for: Design weaknesses that expose the application to various attacks.
    • Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration​

  • If you come across: Default settings in applications or services
    • Verify for: Misconfigured security settings or unused features being enabled.
    • Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components​

  • If you come across: Use of libraries or software that are no longer supported
    • Verify for: Known vulnerabilities associated with outdated components.
    • Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures​

  • If you come across: Login or authentication mechanisms
    • Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
    • Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)​

  • If you come across: Applications making backend requests based on user input
    • Verify for: Manipulating requests to access internal services.
    • Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)​

  • If you come across: User inputs that are executed by the server
    • Verify for: Ability to execute arbitrary code on the server.
    • Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation​

  • If you come across: Role or permissions settings
    • Verify for: Users gaining unauthorized access to higher privilege levels.
    • Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

  • If you come across: File inclusion functionalities
    • Verify for: Ability to include local or remote files that could compromise the application.
    • Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS
Thanks for Sharing @precious this is such amazing control to put in place!!!
 
  • Love
Reactions: precious

1. Cross-Site Scripting (XSS)​

  • If you come across: User input fields (like comments or search bars)
    • Verify for:
      • Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
      • Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
    • Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities​

  • If you come across: User input or data handling that may exceed allocated memory
    • Verify for:
      • Buffer Overflow: Sending oversized inputs to trigger memory corruption.
      • Integer Overflow: Providing inputs that exceed maximum integer values.
      • Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
      • Stack Overflow: Causing the call stack to exceed its limit.
    • Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning​

  • If you come across: User-modifiable data inputs
    • Verify for: Manipulating data to affect the application's behavior or outcomes.
    • Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control​

  • If you come across: User permissions or roles within the application
    • Verify for: Accessing restricted resources or functions without proper authorization.
    • Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures​

  • If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
    • Verify for: Weak encryption algorithms or improper key management.
    • Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws​

  • If you come across: Input fields that interact with databases or APIs
    • Verify for:
      • SQL Injection: Manipulating SQL queries through input fields.
      • Command Injection: Executing arbitrary commands on the server.
    • Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)​

  • If you come across: Forms that perform state-changing actions
    • Verify for: Unauthenticated requests being accepted by the application.
    • Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal​

  • If you come across: File upload or retrieval functions
    • Verify for: Accessing restricted directories using path traversal techniques.
    • Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design​

  • If you come across: Flaws in the application's architecture
    • Verify for: Design weaknesses that expose the application to various attacks.
    • Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration​

  • If you come across: Default settings in applications or services
    • Verify for: Misconfigured security settings or unused features being enabled.
    • Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components​

  • If you come across: Use of libraries or software that are no longer supported
    • Verify for: Known vulnerabilities associated with outdated components.
    • Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures​

  • If you come across: Login or authentication mechanisms
    • Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
    • Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)​

  • If you come across: Applications making backend requests based on user input
    • Verify for: Manipulating requests to access internal services.
    • Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)​

  • If you come across: User inputs that are executed by the server
    • Verify for: Ability to execute arbitrary code on the server.
    • Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation​

  • If you come across: Role or permissions settings
    • Verify for: Users gaining unauthorized access to higher privilege levels.
    • Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

  • If you come across: File inclusion functionalities
    • Verify for: Ability to include local or remote files that could compromise the application.
    • Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS
Thanks for sharing. I love the consolidated cheat sheet. :)
 
  • Love
Reactions: precious