Section 10: Secure Software Development


Design Vulnerabilities (OBJ 1.3)

Vulnerabilities often arise from the general design of the software code.
- Insecure components: any code that is used or invoked outside the main program development process.
- Examples: code reuse, third-party library, SDK.
- Insufficient logging and monitoring: any program that does not properly record or log detailed enough information for an analyst to perform their job.
- Logging and monitoring must support your use case and answer who, what, when, where, and how.
- Weak or default configurations: any program that uses ineffective credentials or configurations, or one in which the defaults have not been changed for security.
- Many applications choose to simply run as root or as a local admin.
- Permissions may be too permissive on files or directories due to weak configurations.
- Best practices: utilize scripted installations and baseline configuration templates to secure applications during installation.

Buffer Overflow (OBJ 1.3)

- Buffer overflow: occurs when a process stores data outside the memory range allocated by the developer.
- Buffer: a temporary storage area that a program uses to store data.
- Over 85% of data breaches were caused by a buffer overflow.
- Stack: reserved area of memory where the program saves the return address when a function call instruction is received.
- "Smash the Stack": occurs when an attacker fills up the buffer with NOPs so that the return address may hit a NOP and continue on until it finds the attacker's code to run.
- Address Space Layout Randomization (ASLR): method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits.
- Buffer overflows attempt to put more data into memory than it is designed to hold.

XSS & XSRF (OBJ 1.3)

- Cross-Site Scripting (XSS): occurs when an attacker embeds malicious scripting commands on a trusted website.
- Stored/Persistent: attempts to get data provided by the attacker to be saved on the web server by the victim.
- Reflected: attempts to have a non-persistent effect activated by a victim clicking a link on the site.
- DOM-based (Document Object Model): attempts to exploit the victim's web browser.
- Prevent XSS with output encoding and proper input validation.
- Cross-Site Request Forgery (XSRF/CSRF): occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated.
- Prevent XSRF with tokens, encryption, XML file scanning, and cookie verification.

Software Vulnerabilities and Exploits (OBJ 1.2, 1.3, & 1.6)

- Backdoors: code placed in computer programs to bypass normal authentication and other security mechanisms.
- Backdoors are a poor coding practice and should not be utilized.
- Directory Traversal: method of accessing unauthorized directories by moving through the directory structure on a remote server.
- Arbitrary Code Execution: occurs when an attacker is able to execute or run commands on a victim computer.
- Remote Code Execution (RCE): occurs when an attacker is able to execute or run commands on a remote computer.
- Zero Day: attack against a vulnerability that is unknown to the original developer or manufacturer.

SQL Injection (OBJ 1.3)

- SQL Injection: attack consisting of the insertion or injection of an SQL query via input data from the client to a web application.
- Injection Attack: insertion of additional information or code through data input from a client to an application.
- The most common type is an SQL injection.
- How does a normal SQL request work?
- SQL injection is prevented through input validation and using least privilege when accessing a database.

XML Vulnerabilities (OBJ 1.3)

- XML data submitted without encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary code.
- XML Bomb (Billion Laughs Attack): XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it.
- XML External Entity (XXE): an attack that embeds a request for a local resource.
- To prevent XML vulnerabilities from being exploited, use proper input validation.

SDLC Principles (OBJ 1.6, 2.3, 3.2, & 5.3)

Developers should always remember confidentiality, integrity, and availability.
- Confidentiality: ensures that only authorized users can access the data.
- Integrity: ensures that the data is not modified or altered without permission.
- Availability: ensures that data is available to authorized users when it is needed.
- Threat modeling helps prioritize vulnerability identification and patching.
- Least Privilege: users and processes should be run using the least amount of access necessary to perform a given function.
- Defense in Depth: layering of security controls is more effective and secure than relying on a single control.
- Never Trust User Input: any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application.
- Minimize Attack Surface: reduce the amount of code used by a program, eliminate unneeded functionality, and require authentication prior to running additional plugins.
- Create Secure Defaults: default installations should include secure configurations instead of requiring an administrator or user to add in additional security.
- Authenticity and Integrity: applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user.
- Fail Securely: applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing.
- Fix Security Issues: if a vulnerability is identified, then it should be quickly and correctly patched to remove the vulnerability.
- Rely on Trusted SDKs: SDKs must come from trusted sources to ensure no malicious code is being added.

Race Conditions (OBJ 1.3)

- Race condition: a software vulnerability where the resulting outcome from executing processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
- A race condition vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location.
- Dereferencing: a software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to.
- Race conditions are difficult to detect and mitigate. They can also be used against databases and file systems.
- Time of Check to Time of Use (TOCTTOU): the potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.
- How can you prevent race conditions and TOCTTOU?
1. Develop applications to not process things sequentially, if possible.
2. Implement a locking mechanism to provide the app with exclusive access.

Software Development (OBJ 2.1 & 2.3)

- Software Development Life Cycle (SDLC): an organized process of developing a secure application throughout the life of the project.
- Waterfall method: linear approach. Project planning > Requirements > Analysis > Design > Coding > Testing > Deployment.
- SDLC Phases: Planning and Analysis > Software/Systems Design > Implementation > Testing > Integration > Deployment > Maintenance.
- Agile method: flexible and fluid approach. Software development is performed in time-boxed or small increments to allow more adaptivity to change.
- DevOps: software development and information technology operations.

You are reviewing the IDS logs and notice the following log entry:

(where [email protected] and password=' or 7==7')

What type of attack is being performed?
- XML injection
- SQL injection
- Header manipulation
- Cross-site scripting

SQL injection

Testing Methods (OBJ 2.3 & 3.2)

System Testing
- Black-box Testing: occurs when a tester is not provided with any information about the system or program prior to conducting the test.
- White-box Testing: occurs when a tester is provided full details of a system, including the source code, diagrams, and user credentials, in order to conduct the test.
- Structured Exception Handling (SEH): provides control over what the application should do when faced with a runtime or syntax error.
- Programs should use input validation when taking data from users.
- Input Validation: applications verify that information received from a user matches a specific format or range of values.
- Static Analysis: source code of an application is reviewed manually or with automatic tools without running the code.
- Dynamic Analysis: analysis and testing of a program occurs while it is being executed or run.
- Fuzzing: injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation.

You are analyzing the SIEM for your company's ecommerce server when you notice the following URL in the logs of your SIEM:

https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0

Based on this line, what type of attack do you expect has been attempted?
- SQL Injection
- Buffer Overflow
- XML Injection
- Session Hijacking

XML Injection
