SQL Injection

Arguably one of the easier attacks to prevent, SQL injection is also the most common software bug in applications. Attackers enter database commands into an online form to directly access the database and siphon away data. Developers need to build in logic to handle invalid input to block this type of attack.

Similar to SQL injection, attackers use the form to send operating system calls to the server. The server doesn’t realize the commands are coming from the form and executes them, with disastrous results.

Classic buffer overflow happens when programmers access the buffer, a section of memory, without checking the size of the input. The application may try to write more information than the buffer can handle, and the spillover gives attackers a foothold into the environment.

Another very common issue allows attackers to insert malicious logic into a program to interfere with the user experience. Users may wind up getting redirected to a different site. Attackers can exploit XSS to intercept sensitive data from a user session.

The SANS Institute grouped the following issues into a category called “Porous Defenses,” noting that the weaknesses are caused by defensive techniques that are often “misused, abused or just plain ignored.” If executed correctly, these methods would have secured the application. Incorrect implementation results in a gaping security flaw.

Developers may allow users to upload innocent images, but the attacker may be hiding a malicious file behind a different extension. If not handled properly, the server could execute PHP script or other executable code instead of simply displaying the image it expected, leading to a system compromise.

Another set of “Porous Defenses,” these flaws are related to access control and user privileges. SANS compared the errors to a bartender not always checking people’s IDs to verify age just because the customer “looks” fine. Attackers can intercept and modify the data being sent to the server and if the application doesn’t verify the data, attackers can bypass security. Attackers can also take advantage of extra privileges the application has that may not really be necessary to execute its job.

Cross-site request forgery attacks often result in data loss or code execution and are a popular technique. The attacker tricks a user into activating a request that the server thinks came from the user and therefore gives the attacker the privileges and access as the user. Internet worms that cripple very large Websites are often using CSRF. When combined with XSS, the damage can be extensive and devastating.

The “Risky Resource Management” category involves software that’s not properly managing the creation, usage, transfer or safe destruction of important system resources. The path traversal flaw exposes all the files on the system, giving attackers information that enables access to system files and other parts of the server they should never see. The second flaw occurs when developers allow external code to execute without verifying its legitimacy or whether or not it has been tampered with.

While not having any authorization to access code is a problem, putting in controls to certain resources that can easily be bypassed is just pointless. A common attack path takes advantage of the cookie a Web application places on the user’s computer that contains certain site permissions. An attacker modifies that cookie to access other resources.

Developers regularly insert code from third-party sources into large programs to get certain functionality. If they aren’t checking where the code is coming from and verifying it hasn’t been tampered with, someone else’s code is being imported, resulting in a security bypass. When potentially dangerous functions with lots of privileges aren’t handled correctly, “things can get real messy real quick,” according to SANS.

Files, programs and data stores should not have more permissions than they need. If they are world-readable or -writable, then don’t be surprised when the world takes advantage of that. The same thing applies to sensitive data. They shouldn’t be protected using cryptographic algorithms that are known to have issues or even worse, a home-brewed one. And as Sony and a number of companies this year should have learned, adding salt to a hash can make it difficult for attackers to crack passwords.

“If at first you don’t succeed, try try again” is not what the attackers should be thinking when trying to brute-force login credentials. Many major sites don’t lock out the user after several incorrect attempts. This allows attackers to repeatedly guess different passwords until they finally nail the correct one. Considering the extremely week passwords too many users cling to, it doesn’t take attackers many tries to get it right.

Attackers can specify an arbitrary URL that the user who clicks on a link gets redirected to. Victims can be redirected to a malicious site that attempts to download malware, or to a site designed for phishing sensitive information, or even causes a denial of service attack on the machine.

The final group of resource management issues involves ways memory and program variables are not protected. This allows attackers to modify input and output and execute code that wasn’t intended by the program.