Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wordpress-seo domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
Education Archives - Page 2 of 2 - Cyber Security News
Secure Socket Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for secure online communication. They provide encryption and authentication between two applications over a network, ensuring the confidentiality and integrity of data transmitted between them.
However, SSL/TLS is not invulnerable, and over the years, several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant vulnerabilities is the POODLE attack, discovered in 2014, which affects the older versions of SSL/TLS. This vulnerability allows an attacker to exploit the way SSL/TLS handles padding in the encryption process, enabling them to read encrypted information, including sensitive information such as passwords and credit card numbers.
Another vulnerability is the BEAST attack, which exploits a vulnerability in the way SSL/TLS handles block ciphers in older versions of the protocol. This attack allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.
A third vulnerability is known as the DROWN attack, which can exploit weak encryption protocols such as SSLv2. The attack allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is now considered obsolete and no longer used, some older systems may still have it enabled, leaving them vulnerable to attack.
To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.
It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.
Another crucial step is to regularly update your TLS certificates, which verify the identity of the server you’re communicating with and ensure that your data is not intercepted by an attacker. TLS certificates have an expiration date, so it’s essential to keep them up to date to ensure maximum security.
Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.
By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.
The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities
The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications. The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
Description The Servlet does not catch all exceptions, which may reveal sensitive debugging information. When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a…
Description A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to…
Description The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and…
Description The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-639 Consequences Confidentiality, Integrity, Access Control: Read Application…
Description The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-820 CWE-662 CWE-662 CWE-488 Consequences Confidentiality, Integrity, Availability: Read Application Data, Modify Application Data, DoS: Instability, DoS: Crash,…
Description The software contains a finalize() method that does not call super.finalize(). The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize(). Modes of Introduction: – Implementation Related Weaknesses CWE-573 CWE-459 Consequences Other: Quality Degradation Potential Mitigations Phase: Implementation Description: Call the super.finalize()…
Description The software contains protection mechanisms to restrict access to ‘realdir/filename’, but it constructs pathnames using external input in the form of ‘fakedir/../realdir/filename’ that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file. Modes of Introduction: – Implementation Related Weaknesses CWE-41 Consequences Confidentiality, Integrity:…
Description The software contains an expression that will always evaluate to false. Modes of Introduction: – Implementation Related Weaknesses CWE-710 CWE-561 Consequences Other: Quality Degradation, Varies by Context Potential Mitigations Phase: Testing Description: Use Static Analysis tools to spot such conditions. CVE References
Description The software contains an expression that will always evaluate to true. Modes of Introduction: – Implementation Related Weaknesses CWE-710 CWE-561 Consequences Other: Quality Degradation, Varies by Context Potential Mitigations Phase: Testing Description: Use Static Analysis tools to spot such conditions. CVE References
Description The program calls a thread’s run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. In most cases a direct call to a Thread object’s run() method is a bug. The programmer intended to begin a new thread of control, but accidentally…
Description The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. When leveraging external functionality, such as an API, it is important that the caller does so in accordance with the requirements of the external functionality or else unintended behaviors may result, possibly leaving…
Description The program violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline:…
Description The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: “An enterprise…
Description The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline:…
Description The program violates the Enterprise JavaBeans (EJB) specification by using sockets. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: “An enterprise…
Description The program violates the Enterprise JavaBeans (EJB) specification by using the class loader. The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline:…
Description The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability. A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate an HttpSession…
Description The software contains a protection mechanism that restricts access to a long filename on a Windows operating system, but the software does not properly restrict access to the equivalent short “8.3” filename. On later Windows operating systems, a file can have a “long name” and a short name that is compatible with older Windows…
Description The software contains a clone() method that does not call super.clone() to obtain the new object. All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass’s clone() method will return an object of the wrong type. Modes of Introduction: – Implementation …
Description The software does not maintain equal hashcodes for equal objects. Java objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.equals(b) == true then a.hashCode() == b.hashCode(). Modes of Introduction: – Implementation Related…
Description The program declares an array public, final, and static, which is not sufficient to prevent the array’s contents from being modified. Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is…
Description The program violates secure coding principles for mobile code by declaring a finalize() method public. A program should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously…
Description This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integrated into other entries. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance…
Description The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. If the developer does not find all occurrences of the hard-coded constants, an incorrect policy decision may be made if one of the constants is not changed. Making changes…
Description A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible. Modes of Introduction: – Implementation Related Weaknesses…
Description The software does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords. Modes of Introduction: – Implementation Related Weaknesses CWE-522 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Implementation, Requirements Description: Recommendations include requiring all password fields in your web application be masked…
Description A software system that accepts path input in the form of single dot directory exploit (‘/./’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 Consequences Confidentiality,…
Description Certain conditions, such as network failure, will cause a server error message to be displayed. While error messages in and of themselves are not dangerous, per se, it is what an attacker can glean from them that might cause eventual problems. Modes of Introduction: – Implementation Related Weaknesses CWE-209 Consequences Confidentiality:…
Description If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be…
Description The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a “root” directory that is accessible to the server’s users. Applications may store sensitive files underneath this root without also using access control to…
Description A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server. Modes of Introduction: – Implementation Related Weaknesses CWE-552 Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands Potential Mitigations Phase: Installation,…
Description The ASP.NET application does not use an input validation framework. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-1173 Consequences Integrity: Unexpected State Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others. Potential Mitigations Phase: Architecture and Design Description: CVE References
Description The J2EE application stores a plaintext password in a configuration file. Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-260 Consequences Access Control:…
Description Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges. The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration. Modes of Introduction: – Implementation …
Description The application uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents…
Description A software system that accepts path input in the form of asterisk wildcard (‘filedir*’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 CWE-155 Consequences Confidentiality, Integrity:…
Description The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). Modes of Introduction: – Implementation Related Weaknesses CWE-687 Consequences Confidentiality, Integrity, Access Control: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism Potential Mitigations Phase: Implementation Description: Use umask()…
Description The software contains dead code, which can never be executed. Dead code is source code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed. Modes of Introduction: – Implementation Related Weaknesses CWE-1164 Consequences Other: Quality Degradation…
Description A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use…
Description The variable’s value is assigned but never used, making it a dead store. After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug. Modes of Introduction: –…
Description Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-89 CWE-89 CWE-89 Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data Potential Mitigations…
Description The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added…
Description The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors. Modes of Introduction: – Operation Related Weaknesses CWE-552 Consequences Confidentiality: Read Application Data, Read Files or Directories Potential Mitigations Phase: System Configuration Description: Protect the…
Description The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere. Exposure of these access control list files may give the attacker information about the configuration of the site or system. This information may then be used to bypass the intended…
Description A software system that accepts path input in the form of multiple internal backslash (‘multipletrailing\slash’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 CWE-165 Consequences Confidentiality,…
Description A backup file is stored in a directory or archive that is made accessible to unauthorized actors. Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can…
Description Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. Modes of Introduction: – Testing Related Weaknesses CWE-540 Consequences Confidentiality: Read…
Description Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-538 CWE-200 Consequences Confidentiality: Read Application Data Logging sensitive user data often provides attackers with…
Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-211 Consequences Confidentiality:…
Description A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. Modes of Introduction: – Implementation Related Weaknesses CWE-211 Consequences Confidentiality: Read Application Data The error message may contain the location of the file in which the offending…
Description In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. Modes of Introduction: – Implementation Related Weaknesses CWE-211 Consequences Confidentiality: Read Application Data Potential Mitigations Phase: Implementation Description: Do not expose sensitive error information to the user.…
Description The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. Modes of Introduction: – Implementation Related Weaknesses CWE-200 Consequences Confidentiality: Read Files or Directories Potential Mitigations Phase: Architecture and Design, Operation,…
Description The web application uses persistent cookies, but the cookies contain sensitive information. Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is…
Description A software system that accepts path input in the form of trailing backslash (‘filedir’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 CWE-162 Consequences Confidentiality, Integrity:…
Description Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the…
Description If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. Modes of Introduction: – Implementation Related Weaknesses CWE-540 Consequences Confidentiality: Read Application Data Potential Mitigations Phase: Architecture and Design Description: Do not store sensitive information…
Description This entry has been deprecated because its abstraction was too low-level. See CWE-532. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description The software uses the singleton pattern when creating a resource within a multithreaded environment. The use of a singleton pattern may not be thread-safe. Modes of Introduction: – Implementation Related Weaknesses CWE-820 CWE-662 CWE-662 Consequences Other, Integrity: Other, Modify Application Data Potential Mitigations Phase: Architecture and Design Description: Use the…
Description The software does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses. If the application handles error messages individually, on a one-by-one basis, this is likely to result in inconsistent error handling. The causes of errors may be lost. Also, detailed information about…
Description The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred (“serialization”), then extracting the serialized data to reconstruct the original object (“deserialization”).…
Description The application contains code that appears to be malicious in nature. Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. It generally refers to…
Description The software appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator. Modes of Introduction: – Implementation Related Weaknesses CWE-506 Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands …
Description Non-replicating malicious code only resides on the target system or software that is attacked; it does not attempt to spread to other systems. Modes of Introduction: – Implementation Related Weaknesses CWE-507 Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands Potential Mitigations Phase: Operation Description: Antivirus software can help mitigate…
Description Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or software. Modes of Introduction: – Implementation Related Weaknesses CWE-507 Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands Potential Mitigations Phase: Operation Description: Antivirus software scans for viruses…
Description A software system that accepts path input in the form of multiple internal slash (‘/multiple//internal/slash/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 Consequences Confidentiality, Integrity:…
Description A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-506 Consequences Confidentiality, Integrity, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection…
Description The software contains code that is designed to disrupt the legitimate operation of the software (or its environment) when a certain time passes, or when a certain logical condition is met. When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical…
Description The software collects personally identifiable information about a human user or the user’s activities, but the software accesses this information using other resources besides itself, and it does not require that user’s explicit approval or direct input into the software. “Spyware” is a commonly used term with many definitions and interpretations. In general, it…
Description A covert channel is a path that can be used to transfer information in a way not intended by the system’s designers. Typically the system has not given authorization for the transmission and has no knowledge of its occurrence. Modes of Introduction: – Implementation Related Weaknesses CWE-1229 Consequences Confidentiality, Access Control:…
Description A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information. Covert storage channels occur when out-of-band data is stored in messages for the…
Description A software system that accepts path input in the form of multiple trailing slash (‘/multiple/trailing/slash//’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 CWE-163 CWE-289 Consequences…
Description Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. .NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to bypass authentication…
Description The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be…
Description The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-287 CWE-668 Consequences Access Control: Gain Privileges or Assume Identity An attacker could gain access to user accounts and access…
Description Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. SSL (Secure Socket Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects from attackers eavesdropping or altering message contents. Modes of Introduction: – Architecture…
Description The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or…
Description The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. Modes of Introduction: – Implementation Related Weaknesses CWE-524 Consequences Confidentiality: Read Application Data Browsers often store information in a client-side cache, which can leave behind…
Description Environmental variables may contain sensitive information about a remote server. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-497 Consequences Confidentiality: Read Application Data Potential Mitigations Phase: Architecture and Design Description: Protect information stored in environment variable from being exposed to the user. CVE References
Description The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in…
Description The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. This can lead to critical code executing in situations where it should not. Modes of Introduction: – Implementation…
Description The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the…
Description Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature. Modes of Introduction: – Implementation Likelihood of Exploit: Medium…
Description The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. Modes of Introduction: – Implementation Related Weaknesses CWE-668 Consequences Confidentiality: Read Application Data Potential Mitigations Phase: Architecture and Design Description: Protect the application’s sessions from…
Description The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These…
Description A software system that accepts path input in the form of trailing slash (‘filedir/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 CWE-162 Consequences Confidentiality, Integrity:…
Description A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. Modes of Introduction: – Implementation Related Weaknesses CWE-668 Consequences Integrity, Other: Unexpected State, Varies by Context Potential…
Description Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers. Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be…
Description The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead…
Description The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit. Modes of Introduction: – Architecture and Design …
Description The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways. Modes of Introduction: – Implementation Related Weaknesses CWE-664 Consequences Integrity: Modify Application Data The contents of the data structure can be modified from outside the…
Description Assigning public data to a private array is equivalent to giving public access to the array. Modes of Introduction: – Implementation Related Weaknesses CWE-664 Consequences Integrity: Modify Application Data The contents of the array can be modified from outside the intended scope. Potential Mitigations Phase: Implementation Description: Do not allow…
Description The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. Modes of Introduction: – Implementation Related Weaknesses CWE-200 Consequences Confidentiality: Read Application Data Potential Mitigations Phase: Architecture and…
Description The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running the constructor.…
Description The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other…
Description Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. Modes of Introduction: – Implementation Related Weaknesses CWE-319 Consequences Confidentiality: Read Application Data Integrity: Modify Application Data …
Description A software system that accepts path input in the form of multiple leading slash (‘//multiple/leading/slash’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-41 CWE-161 Consequences Confidentiality,…
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability analysis includes the detection, assessment, classification and treatment based on the risk they pose to the company.
Vulnerability Identification
A security team can detect vulnerabilities following different approaches. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists in which vulnerabilities and related countermeasures are disclosed. This service is usually offered by the vendor or, if not available, through third parties. It is a very time expensive but necessary task. You must perform it on a daily basis to promptly detect vulnerabilities and to comply with several standards/regulations. Other inputs could derive from the analysis of the hardening procedures reports/tasks, the periodic review of the access rules and of the company policies and procedures.
Tools
Thanks to tools like Nessus and OpenVAS, it is possible to partially automate the discovery and analysis of vulnerabilities. After verifying the active hosts and the related services, we can deepen our analysis and determine the operating system and application versions.
As shown in the figure, Nessus provides the list of vulnerabilities to which each analyzed host is potentially vulnerable. Potentially because the scanner does not attempt to exploit the vulnerability. This phase, often manual, is not part of the vulnerability analysis process and is normally carried out within a penetration test.
CVSS
In the report, vulnerabilities are classified according to the CVSS (Common Vulnerability Scoring System), a framework used to classify software vulnerabilities. CVSS is an important tool that simplifies the vulnerability management process.
Let’s pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The test results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches, implement countermeasures, and you have to do it fast. During the meeting, you could try to tell management that you found several RCE-type vulnerabilities on systems deployed in your DMZ. Attackers do not need system/applications credentials to perform the attack and exploits are readily available on the Internet. Or you could report the presence of several CVSS 10 vulnerabilities on critical systems. For more information on CVSS, in its two versions 2.0 and 3.0, I suggest reading our article.
CVE & NVD
Each vulnerability has a Common Vulnerability and Exposures (CVE) ID, in the form of CVE-YYYY-NNNN. The assignment of an ID to each vulnerability allows one to keep track of it and to automate/simplify the integration of the different tools available to an analyst.
Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has got a specific CVE-ID. Assuming that your firewall vendor catalogues their vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, search for the relevant patches and to minimize the possible impacts of applying remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS. CVE is operated by “The Mitre Corporation“. More details can be obtained on the cve.org website.
NVD (National Vulnerability Database) is managed by NIST (National Institute of Standards and Technology). NVD is a vulnerability database: for each CVE information such as countermeasure, criticality and impact is provided.
CWE & OWASP
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs. The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications. The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
Vulnerabilty Analysis steps
Vulnerability analysis comprehends different phases.
Preparatory phase
it is not possible to carry out a thorough and reliable analysis without having a deep knowledge of the infrastructure/application under examination. If the procedure for managing IT services and their related assets is not implemented, it is not going to be possible to classify and prioritize vulnerabilities. Let’s say our vulnerability scanner found 300 vulnerabilities on approximately 30 hosts. Which vulnerabilities should I prioritize? Which one shall I remediate immediately? The answer relies not only on the vulnerability severity but also on how important are the hosts and services affected by it.
Discovery and analysis of vulnerabilities
You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.
Post assessment
It is now possible to define a remediation plan. The remediation plan is not a mere list of the patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL Injection, CRSF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training classes for your developers.
If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.
While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your supplier security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle? Outsourcing has hidden costs that you always need to consider.
Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.
What’s next?
In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.
Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.
From a defender’s point of view, the task is a precondition of several keys procedure:
Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within our infrastructure. Furthermore, it helps to detect unauthorized hosts that could derive from malicious activities (or more commonly, your system administrators forgot to document them… and maybe to apply the company’s hardenization procedures).
Network scanning is a fundamental step of a company vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
it allows the detection of unauthorized services and the presence of obsolete systems;
it helps to verify the correspondence between the specifications document and the actual implementation;
it helps to verify the correct application of the hardening procedures.
Penetration test – independently from the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test to confirm your client/colleagues inputs.
From an attacker point of view… Well, that goes without saying 🙂
The network scanning procedure aims to identify active hosts. On the other hand, port scanning seeks to detect the ports that hosts disclose and with which it is possible to interact. Starting from the output of a network/port scanning, an attacker, or a newly hired CISO, can outline different traits of a company security posture.
In these articles we will see:
the different steps of a network scan;
some examples with the NMAP tool.
Host discovery
Port scanning involves sending several packets to the host and verifying its response. Usually, the analysis is restricted to the 1024 most common ports (it depends on the available time and the final goal of the analysis). As you may expect, performing this task for all the hosts within a network/infrastructure is time-expensive and generates a lot of noise.
In most cases, only a tiny fraction of IP addresses are active at any given moment. To avoid wasting time, the tester first perform the host discovery phase to determine the active hosts in the tested networks and infrastructure.
There are several techniques:
ARP Ping scan;
ICMP Ping scan;
UDP Ping Scan;
TCP SYN/ACK Ping scan;
IP Protocol Ping scan.
As stated in the official documentation, the default NMAP host discovery strategy involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP).
ARP ping scans are the most effective method to detect active hosts inside a LAN. Its limits are the impossibility of applying the technique on the subnet to which it does not belong. Even if you supply other -P* options to NMAP, the tool performs by default an ARP/Neighbor Discovery against targets on a local Ethernet network since it is the fastest and more reliable technique.
An ICMP scan consists of sending ICMP echo requests to hosts on the network. If a host is found to be active, it will return an ICMP echo response. The technique has limited usability as blocking ICMP requests is part of firewalls and systems’ basic hardening rules.
A TCP scan consists in sending TCP segment to the hosts and analysing the host response. There are two different modes: TCP SYN Ping scan and TCP ACK Ping Scan.
TCP SYN SCAN
As illustrated in the figure, a TCP Syn ping scan consists of the following steps:
The tester sends a TCP SYN segment to port 80.
If the port is closed, the host responds with an RST segment.
If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
Afterwards, an RST segment is sent to reset this connection.
Since it is a normal attempt to establish a TCP connection, traffic is not blocked by firewalls and does not require administrator permissions.
A TCP ACK ping scan instead consists of the following steps:
The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
If the host is offline, it should not respond to this request.
Otherwise, it will return an RST segment and will be treated as online. An RST is sent because the TCP ACK is not associated with any valid existing connection.
ACK Ping Scan requires administrator privileges. Since it is recognized and blocked by a stateful firewall, its main goal is to get information about the filter configurations, not port status.
Port Scan
Once the active hosts within a network have been determined, a portscan can be performed to determine exposed ports and services.
Several techniques are available:
TCP Scan (Connect and Half Open Scan);
UDP Scanning;
SCTP Scanning;
SSDP Scanning.
Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.
TCP Scan
With a TCP Connect scan, a TCP connection is established with the host. That is, the whole 3-way handshake is performed.
The least expensive and most performing variant, the TCP Half Open scan (TCP SYN Scan) sends the SYN segment. If an open SYN+ACK segment is received, the port will be identified as open. In case of RST, the door will be judged closed.
A third typology, foresees the TCP FIN, NULL and Xmas Scans, foresees the modification of the flags of the TCP segment (FIN, URG, PSH, NULL) in an attempt to induce a response from the server.
The technical functionality exclusively on operating systems with implementations of the TCP/IP suite compliant with RFC793. For example, it does not work with Windows systems as these return an RST in both cases.
THE SEGMENT IS COMING
If the state is CLOSED (i.e., TCB does not exist), then all data in the incoming segment is deleted. An on the way the segment containing an RST is deleted. An incoming segment no containing an RST causes an RST to be sent in response. The confirmation and sequence field values are selected to render the recovery sequence acceptable to the TCP that sent the error segment.
If the port is open, the system will not produce any while the response will return an RST/ACK segment if it is closed.
To understand the origin of the name, just look at the image below. Nmap’s -sX flag “Sets the FIN, PSH, and URG flags, illuminating the package like a Christmas tree.”
UDP scan
UDP connection does not involve a handshake. If a UDP packet is sent to a port on which no service is listening, the system will respond with an ICMP Port Unreachable. In case of no answer, the port can be considered closed or filtered.
Contermeasures
To detect and prevent network scanning attempts, we suggest the following countermeasures:
carefully design your services to reduce your attack surface; exposing only necessary services and always keep in mind the principles of least privileges and need to know.
Configure your firewalls to block all traffic that has not got a business justifications;
Periodic reviews your firewall ruleset to keep it aligned to your business needs;
Harden your servers, disabling all unused services;
Perform network and port scans to ensure your firewall/server policies are aligned to your business needs.
Configure an IDS/IPS to promptly detect network and port scans.
The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:
personal data, skills, experience and interests of company’s employees;
company headquarters;
technologies in use (middleware, operating systems);
suppliers and consultants who collaborate periodically with the company;
blocks and network topology;
DNS records.
We can divide footprinting techniques into two macro areas:
active: it involves the collection of information with direct interaction with the target. It is a more risky practice than the passive one, as it could leave traces. The systems of the attacked organization could (should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
passive: involves the collection of information without direct interaction with the target. Some examples are the usage of search engines, social networks, job posting sites, analysis of data received from providers that monitor website’s traffic, commercial performance or deliver reports about future commercial operations of the target.
Identifying the technologies adopted by the target drastically simplifies attackers’ jobs. The awareness about the usage of certain technologies, the lack of good security practices, or of a bad security posture increases the attacker’s chances of success.
When we perform a penetration test in which the company aims to identify chances of an attacker completely unrelated to the organization, footprinting activities heavily influence the success of the test.
Footprinting with search engines and social networks
Search engines offer a myriad of information to the attacker. The advanced functions available in Google, Bing and other search engines offer information that companies are not even aware to expose to the public.
The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.
Thanks to search engines, an attacker gets to know technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications for internal use only and many other information about the target.
Like search engines, social networks provide an enormous quantity of information to attackers.
An attacker can dig LinkedIn to understand who the key people of the organization are, their experience and knowledge. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, attacker can exploit gathered information to perform a social engineering attack.
Tools like theHarvester and sublist3r simplify attackers’ job, reducing the manual work.
Footprinting through job posting sites
The following image shows the information revealed on a job advertisement post. The job post is real. I found it on the platform indeed.com.
The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have got some LAMP servers, that they probably monitor their infrastructure using Nagios and are using Oracle and DB2 as RDBMS. Their infrastructure may include J2EE Containers like Glassfish and JBoss and servlet containers like Tomcat. Even if they reached the EOL over 5 and 2 years ago, they are still asking for people with experience on Windows XP and 7.
You are getting information not only about the used technologies but you are also outlining the security posture of the company.
Job posts can tell you a lot more. Are they searching for IT security specialists? Besides tools and countermeasures adopted, they may even tell you how big is their security team. Are they even trying to cover important roles like CIO or CISO?
Tools and services:
We suggest looking at the following tools. We wrote a brief description of them: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagofofil, Exitftool, DNSRecon, traceroute.
Contermeasures
Your employees/colleagues’ awareness about attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed inside and outside the office.
The adoption of security policies (hardening of the systems, analysis and reviews of IDS/IPS and other monitoring tools, etc.), the definition of roles and responsibilities will allow a company to quickly detect and react to attackers’ attempts to gather information or to exploit the knowledge they previously gained through passive footprinting techniques.
The term hacker often takes on a negative connotation.
In the past, we often focused on the distinction between a hacker, a person with deep security knowledge who explores technologies, systems and related vulnerabilities out of pure passion, and crackers, the “malicious” counterpart, who uses his knowledge to cause damage and steal data. a certain value (for example, credit cards).
RFC1392 provides the following definitions:
hacker
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.
cracker
A cracker is an individual who attempts to access computer system without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.
Unfortunately, media have never bothered to understand the distinction and, for the masses, there is no difference between crackers and hackers.
In our opinion, here is the correct terminology to be used in the security sector:
Black hats (Crackers)
Crackers, or black hats, have got extraordinary computing skills but they lack ethics. They may violate laws by committing malicious or destructive acts.
Script Kiddies
An unskilled cracker who compromises systems using tools, scripts and software developed by others.
White Hats (Ethical Hacker)
An individual who uses his hacking skill for defensive purposes.
They analyse computer systems or networks to detect security issues and give recommendations for improvement to their owners.
A white hat will penetrate a system only with the authorisation and upon request of the infrastructure owner.
Gray Hats
Gray hats use their skills both offensively and defensively.
They often look for system vulnerabilities without the permission or knowledge of the owner. If they find a security issue, they may reveal it to the owner upon the payment of a small fee. Sometimes, their ultimate goal is to show their skills and create awareness about the intrinsic insecurity of the Internet.
It may be useful to know some additional terms. State-sponsored hackers are employed by the government to penetrate other government systems to damage or gain top-secret information. You have surely heard about Cyber Terrorists, individuals moved by political or religious beliefs to create fear among civilians and influence the policy of the targeted governments.
