1. Cross-Site Scripting (XSS)
- If you come across: User input fields (like comments or search bars)
- Verify for:
- Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
- Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
- Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).
- Verify for:
2. Overflow Vulnerabilities
- If you come across: User input or data handling that may exceed allocated memory
- Verify for:
- Buffer Overflow: Sending oversized inputs to trigger memory corruption.
- Integer Overflow: Providing inputs that exceed maximum integer values.
- Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
- Stack Overflow: Causing the call stack to exceed its limit.
- Prevention: Use safe coding practices, input validation, and memory management techniques.
- Verify for:
3. Data Poisoning
- If you come across: User-modifiable data inputs
- Verify for: Manipulating data to affect the application's behavior or outcomes.
- Prevention: Validate inputs and implement strong data integrity checks.
4. Broken Access Control
- If you come across: User permissions or roles within the application
- Verify for: Accessing restricted resources or functions without proper authorization.
- Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.
5. Cryptographic Failures
- If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
- Verify for: Weak encryption algorithms or improper key management.
- Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.
6. Injection Flaws
- If you come across: Input fields that interact with databases or APIs
- Verify for:
- SQL Injection: Manipulating SQL queries through input fields.
- Command Injection: Executing arbitrary commands on the server.
- Prevention: Use parameterized queries, prepared statements, and input validation.
- Verify for:
7. Cross-Site Request Forgery (CSRF)
- If you come across: Forms that perform state-changing actions
- Verify for: Unauthenticated requests being accepted by the application.
- Prevention: Implement anti-CSRF tokens and validate the origin of requests.
8. Directory Traversal
- If you come across: File upload or retrieval functions
- Verify for: Accessing restricted directories using path traversal techniques.
- Prevention: Validate and sanitize file paths and restrict access to sensitive directories.
9. Insecure Design
- If you come across: Flaws in the application's architecture
- Verify for: Design weaknesses that expose the application to various attacks.
- Prevention: Follow secure design principles and perform threat modeling.
10. Security Misconfiguration
- If you come across: Default settings in applications or services
- Verify for: Misconfigured security settings or unused features being enabled.
- Prevention: Regularly review and harden security configurations, and conduct security audits.
11. End-of-Life or Outdated Components
- If you come across: Use of libraries or software that are no longer supported
- Verify for: Known vulnerabilities associated with outdated components.
- Prevention: Regularly update and patch software components and replace end-of-life software.
12. Identification and Authentication Failures
- If you come across: Login or authentication mechanisms
- Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
- Prevention: Enforce strong password policies and implement multi-factor authentication.
13. Server-Side Request Forgery (SSRF)
- If you come across: Applications making backend requests based on user input
- Verify for: Manipulating requests to access internal services.
- Prevention: Validate and sanitize user inputs, and restrict server-side requests.
14. Remote Code Execution (RCE)
- If you come across: User inputs that are executed by the server
- Verify for: Ability to execute arbitrary code on the server.
- Prevention: Validate all inputs and use language features to limit code execution.
15. Privilege Escalation
- If you come across: Role or permissions settings
- Verify for: Users gaining unauthorized access to higher privilege levels.
- Prevention: Implement the principle of least privilege and regularly review user roles.
16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)
- If you come across: File inclusion functionalities
- Verify for: Ability to include local or remote files that could compromise the application.
- Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.
SHARE WITH US YOUR TIPS
