Tips: "on controls to mitigate attacks and software vulnerabilities" If You Come Across... Verify For...

precious · Oct 14, 2024

1. Cross-Site Scripting (XSS)

If you come across: User input fields (like comments or search bars)
- Verify for:
  - Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
  - Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
- Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities

If you come across: User input or data handling that may exceed allocated memory
- Verify for:
  - Buffer Overflow: Sending oversized inputs to trigger memory corruption.
  - Integer Overflow: Providing inputs that exceed maximum integer values.
  - Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
  - Stack Overflow: Causing the call stack to exceed its limit.
- Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning

If you come across: User-modifiable data inputs
- Verify for: Manipulating data to affect the application's behavior or outcomes.
- Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control

If you come across: User permissions or roles within the application
- Verify for: Accessing restricted resources or functions without proper authorization.
- Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures

If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
- Verify for: Weak encryption algorithms or improper key management.
- Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws

If you come across: Input fields that interact with databases or APIs
- Verify for:
  - SQL Injection: Manipulating SQL queries through input fields.
  - Command Injection: Executing arbitrary commands on the server.
- Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)

If you come across: Forms that perform state-changing actions
- Verify for: Unauthenticated requests being accepted by the application.
- Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal

If you come across: File upload or retrieval functions
- Verify for: Accessing restricted directories using path traversal techniques.
- Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design

If you come across: Flaws in the application's architecture
- Verify for: Design weaknesses that expose the application to various attacks.
- Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration

If you come across: Default settings in applications or services
- Verify for: Misconfigured security settings or unused features being enabled.
- Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components

If you come across: Use of libraries or software that are no longer supported
- Verify for: Known vulnerabilities associated with outdated components.
- Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures

If you come across: Login or authentication mechanisms
- Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
- Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)

If you come across: Applications making backend requests based on user input
- Verify for: Manipulating requests to access internal services.
- Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)

If you come across: User inputs that are executed by the server
- Verify for: Ability to execute arbitrary code on the server.
- Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation

If you come across: Role or permissions settings
- Verify for: Users gaining unauthorized access to higher privilege levels.
- Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)

If you come across: File inclusion functionalities
- Verify for: Ability to include local or remote files that could compromise the application.
- Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS

Chukwunwike_Ndukaji · Oct 14, 2024

Great resource Precious

precious · Oct 14, 2024

Thanks @Chukwunwike_Ndukaji

Emmanuel Phakula Mandala · Oct 14, 2024

precious said:
1. Cross-Site Scripting (XSS)

If you come across: User input fields (like comments or search bars)

Verify for:

Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.

Persistent XSS: Checking if scripts are stored on the server and reflected back to users.

Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities

If you come across: User input or data handling that may exceed allocated memory

Verify for:

Buffer Overflow: Sending oversized inputs to trigger memory corruption.

Integer Overflow: Providing inputs that exceed maximum integer values.

Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.

Stack Overflow: Causing the call stack to exceed its limit.

Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning

If you come across: User-modifiable data inputs

Verify for: Manipulating data to affect the application's behavior or outcomes.

Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control

If you come across: User permissions or roles within the application

Verify for: Accessing restricted resources or functions without proper authorization.

Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures

If you come across: Data stored or transmitted securely (e.g., passwords, personal data)

Verify for: Weak encryption algorithms or improper key management.

Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws

If you come across: Input fields that interact with databases or APIs

Verify for:

SQL Injection: Manipulating SQL queries through input fields.

Command Injection: Executing arbitrary commands on the server.

Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)

If you come across: Forms that perform state-changing actions

Verify for: Unauthenticated requests being accepted by the application.

Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal

If you come across: File upload or retrieval functions

Verify for: Accessing restricted directories using path traversal techniques.

Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design

If you come across: Flaws in the application's architecture

Verify for: Design weaknesses that expose the application to various attacks.

Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration

If you come across: Default settings in applications or services

Verify for: Misconfigured security settings or unused features being enabled.

Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components

If you come across: Use of libraries or software that are no longer supported

Verify for: Known vulnerabilities associated with outdated components.

Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures

If you come across: Login or authentication mechanisms

Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.

Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)

If you come across: Applications making backend requests based on user input

Verify for: Manipulating requests to access internal services.

Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)

If you come across: User inputs that are executed by the server

Verify for: Ability to execute arbitrary code on the server.

Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation

If you come across: Role or permissions settings

Verify for: Users gaining unauthorized access to higher privilege levels.

Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)

If you come across: File inclusion functionalities

Verify for: Ability to include local or remote files that could compromise the application.

Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS

Thanks for Sharing @precious this is such amazing control to put in place!!!

precious · Oct 14, 2024

Welcome @Emmanuel Phakula Mandala Just find out students struggle during practical fuzzing

Angel Waymer · Oct 16, 2024

precious said:
1. Cross-Site Scripting (XSS)

If you come across: User input fields (like comments or search bars)

Verify for:

Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.

Persistent XSS: Checking if scripts are stored on the server and reflected back to users.

Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities

If you come across: User input or data handling that may exceed allocated memory

Verify for:

Buffer Overflow: Sending oversized inputs to trigger memory corruption.

Integer Overflow: Providing inputs that exceed maximum integer values.

Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.

Stack Overflow: Causing the call stack to exceed its limit.

Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning

If you come across: User-modifiable data inputs

Verify for: Manipulating data to affect the application's behavior or outcomes.

Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control

If you come across: User permissions or roles within the application

Verify for: Accessing restricted resources or functions without proper authorization.

Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures

If you come across: Data stored or transmitted securely (e.g., passwords, personal data)

Verify for: Weak encryption algorithms or improper key management.

Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws

If you come across: Input fields that interact with databases or APIs

Verify for:

SQL Injection: Manipulating SQL queries through input fields.

Command Injection: Executing arbitrary commands on the server.

Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)

If you come across: Forms that perform state-changing actions

Verify for: Unauthenticated requests being accepted by the application.

Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal

If you come across: File upload or retrieval functions

Verify for: Accessing restricted directories using path traversal techniques.

Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design

If you come across: Flaws in the application's architecture

Verify for: Design weaknesses that expose the application to various attacks.

Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration

If you come across: Default settings in applications or services

Verify for: Misconfigured security settings or unused features being enabled.

Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components

If you come across: Use of libraries or software that are no longer supported

Verify for: Known vulnerabilities associated with outdated components.

Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures

If you come across: Login or authentication mechanisms

Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.

Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)

If you come across: Applications making backend requests based on user input

Verify for: Manipulating requests to access internal services.

Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)

If you come across: User inputs that are executed by the server

Verify for: Ability to execute arbitrary code on the server.

Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation

If you come across: Role or permissions settings

Verify for: Users gaining unauthorized access to higher privilege levels.

Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)

If you come across: File inclusion functionalities

Verify for: Ability to include local or remote files that could compromise the application.

Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS

Thanks for sharing. I love the consolidated cheat sheet.

jarrelrivera · Oct 17, 2024

Thanks for the summary.

Tips: "on controls to mitigate attacks and software vulnerabilities" If You Come Across... Verify For...

precious

Well-known member

1. Cross-Site Scripting (XSS)​

2. Overflow Vulnerabilities​

3. Data Poisoning​

4. Broken Access Control​

5. Cryptographic Failures​

6. Injection Flaws​

7. Cross-Site Request Forgery (CSRF)​

8. Directory Traversal​

9. Insecure Design​

10. Security Misconfiguration​

11. End-of-Life or Outdated Components​

12. Identification and Authentication Failures​

13. Server-Side Request Forgery (SSRF)​

14. Remote Code Execution (RCE)​

15. Privilege Escalation​

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

Chukwunwike_Ndukaji

Member

precious

Well-known member

Emmanuel Phakula Mandala

Well-known member

1. Cross-Site Scripting (XSS)​

2. Overflow Vulnerabilities​

3. Data Poisoning​

4. Broken Access Control​

5. Cryptographic Failures​

6. Injection Flaws​

7. Cross-Site Request Forgery (CSRF)​

8. Directory Traversal​

9. Insecure Design​

10. Security Misconfiguration​

11. End-of-Life or Outdated Components​

12. Identification and Authentication Failures​

13. Server-Side Request Forgery (SSRF)​

14. Remote Code Execution (RCE)​

15. Privilege Escalation​

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

precious

Well-known member

Angel Waymer

Active member

1. Cross-Site Scripting (XSS)​

2. Overflow Vulnerabilities​

3. Data Poisoning​

4. Broken Access Control​

5. Cryptographic Failures​

6. Injection Flaws​

7. Cross-Site Request Forgery (CSRF)​

8. Directory Traversal​

9. Insecure Design​

10. Security Misconfiguration​

11. End-of-Life or Outdated Components​

12. Identification and Authentication Failures​

13. Server-Side Request Forgery (SSRF)​

14. Remote Code Execution (RCE)​

15. Privilege Escalation​

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

jarrelrivera

Well-known member

1. Cross-Site Scripting (XSS)

2. Overflow Vulnerabilities

3. Data Poisoning

4. Broken Access Control

5. Cryptographic Failures

6. Injection Flaws

7. Cross-Site Request Forgery (CSRF)

8. Directory Traversal

9. Insecure Design

10. Security Misconfiguration

11. End-of-Life or Outdated Components

12. Identification and Authentication Failures

13. Server-Side Request Forgery (SSRF)

14. Remote Code Execution (RCE)

15. Privilege Escalation

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)

1. Cross-Site Scripting (XSS)

2. Overflow Vulnerabilities

3. Data Poisoning

4. Broken Access Control

5. Cryptographic Failures

6. Injection Flaws

7. Cross-Site Request Forgery (CSRF)

8. Directory Traversal

9. Insecure Design

10. Security Misconfiguration

11. End-of-Life or Outdated Components

12. Identification and Authentication Failures

13. Server-Side Request Forgery (SSRF)

14. Remote Code Execution (RCE)

15. Privilege Escalation

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)

1. Cross-Site Scripting (XSS)

2. Overflow Vulnerabilities

3. Data Poisoning

4. Broken Access Control

5. Cryptographic Failures

6. Injection Flaws

7. Cross-Site Request Forgery (CSRF)

8. Directory Traversal

9. Insecure Design

10. Security Misconfiguration

11. End-of-Life or Outdated Components

12. Identification and Authentication Failures

13. Server-Side Request Forgery (SSRF)

14. Remote Code Execution (RCE)

15. Privilege Escalation

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)