Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for secure online communication. They provide encryption and authentication between two applications over a network, ensuring the confidentiality and integrity of the data transmitted between them.
However, SSL/TLS is not invulnerable, and over the years, several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant vulnerabilities is the POODLE attack, discovered in 2014, which affects the older versions of SSL/TLS. This vulnerability allows an attacker to exploit the way SSL/TLS handles padding in the encryption process, enabling them to read encrypted information, including sensitive information such as passwords and credit card numbers.
Another vulnerability is the BEAST attack, which exploits a vulnerability in the way SSL/TLS handles block ciphers in older versions of the protocol. This attack allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.
A third vulnerability is known as the DROWN attack, which exploits weak encryption protocols such as SSLv2. The attack allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is obsolete and long out of general use, some older systems may still have it enabled, leaving them vulnerable to attack.
To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.
It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.
Another crucial step is to regularly update your TLS certificates, which verify the identity of the server you’re communicating with and ensure that your data is not intercepted by an attacker. TLS certificates have an expiration date, so it’s essential to keep them up to date to ensure maximum security.
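The hardening steps above, worked through in code as an added example (this is not code from the original article): a Python standard-library client context that pins TLS 1.2 or later and forward-secret AEAD cipher suites, an audit that flags the weak settings the article warns about, and an expiry check over `getpeercert()`-style certificate data. The `SAMPLE_*` values and the `shop.example` / `old.example` names are constructed; the weak context assumes the local OpenSSL build still allows TLS 1.0 to be re-enabled.

```python
"""Added example: apply the article's TLS advice with the Python standard library."""
import ssl
from datetime import datetime, timezone

# TLS 1.2 cipher string: ECDHE key exchange (forward secrecy) with AEAD suites only.
# TLS 1.3 suites are negotiated separately by OpenSSL and are all AEAD already.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"

# Minimum versions that still admit the protocols behind POODLE (SSLv3) and BEAST (TLS 1.0).
LEGACY_MINIMUMS = (
    ssl.TLSVersion.MINIMUM_SUPPORTED,  # "whatever OpenSSL allows": not pinned at all
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def hardened_client_context() -> ssl.SSLContext:
    """Client context following the article: TLS 1.2+, strong ciphers, full peer validation."""
    # PROTOCOL_TLS_CLIENT turns on check_hostname and CERT_REQUIRED by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv2/SSLv3/TLS 1.0/TLS 1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.load_default_certs()  # trust anchors from the platform CA store
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration the article warns against, kept only for audit_context() to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate from anyone is accepted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # lets a server negotiate TLS 1.0
    except ValueError:
        pass  # this OpenSSL build has TLS 1.0 compiled out, so it cannot be re-enabled
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for the settings the article says to avoid; an empty list means clean."""
    findings = []
    if ctx.minimum_version in LEGACY_MINIMUMS:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; pin TLSv1_2 or later")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    # get_ciphers() lists every suite the context would offer; the non-AEAD ones are the
    # CBC-mode suites that BEAST and the padding-oracle attacks targeted.
    non_aead = sorted({c["name"] for c in ctx.get_ciphers() if not c["aead"]})
    if non_aead:
        findings.append("non-AEAD cipher suites enabled: " + ", ".join(non_aead))
    return findings


def cert_days_remaining(cert: dict, now: datetime) -> int:
    """Whole days until 'notAfter' (format of SSLSocket.getpeercert()); negative once expired."""
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])  # GMT string -> epoch seconds
    return int((expires_at - now.timestamp()) // 86400)


def certificate_status(cert: dict, now: datetime, renew_within_days: int = 30) -> str:
    """'expired', 'renew' (inside the renewal window) or 'ok'."""
    days = cert_days_remaining(cert, now)
    if days < 0:
        return "expired"
    if days <= renew_within_days:
        return "renew"
    return "ok"


# Constructed sample values shaped like getpeercert() output; these are not real certificates.
SAMPLE_NOW = datetime(2030, 5, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERT_SOON = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Jun 15 12:00:00 2029 GMT",
    "notAfter": "Jun 15 12:00:00 2030 GMT",  # 20 days after SAMPLE_NOW
}
SAMPLE_CERT_EXPIRED = {
    "subject": ((("commonName", "old.example"),),),
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}

if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(f"{label}: {audit_context(ctx) or ['no findings']}")
    for cert in (SAMPLE_CERT_SOON, SAMPLE_CERT_EXPIRED):
        name = cert["subject"][0][0][1]
        print(f"{name}: {certificate_status(cert, SAMPLE_NOW)} "
              f"({cert_days_remaining(cert, SAMPLE_NOW)} days remaining)")
```

In a real client the same `audit_context()` check can be run against the context you pass to `wrap_socket()`, and `cert_days_remaining()` against `sock.getpeercert()` after the handshake.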
Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.
By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.
Its goal is to support all methods (including automated ones) for controlling and preventing software errors. It can be used during development, during code review, and later during penetration testing to classify a vulnerability type and communicate it to developers. The list is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.
The CWE Top 25 Most Dangerous Software Weaknesses List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 covers Cross-Site Scripting and CWE-89 covers SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on web application vulnerabilities. The CWE Most Important Hardware Weaknesses List serves the same purpose, but for hardware defects.
Description The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-923 CWE-295 Consequences Access Control: Gain Privileges or Assume Identity The data…
Description A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “/dir/../filename” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity: Read Files or Directories,…
Description The software stores a password in a configuration file that might be accessible to actors who do not know the password. This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password…
Description Obscuring a password with a trivial encoding does not protect the password. Password management issues occur when a password is stored in plaintext in an application’s properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but…
Description If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner. Security experts have often recommended that users change their passwords regularly and avoid reusing passwords. Although this can be an effective mitigation, if the expiration window is too short, it can cause…
Description Allowing password aging to occur unchecked can result in the possibility of diminished password integrity. Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with…
Description A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-269 CWE-286 Consequences Access Control: Gain Privileges or Assume Identity A user can access restricted functionality and/or sensitive information that may include administrative…
Description A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-269 Consequences Access Control: Gain Privileges or Assume Identity A user can access restricted functionality…
Description Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-269 Consequences Access Control: Gain Privileges or Assume Identity…
Description The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-284 Consequences Access Control: Gain Privileges or Assume Identity Potential Mitigations Phase: Architecture and…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal “../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity: Read Files…
Description The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-269 Consequences Access Control: Gain Privileges or Assume Identity A user can assume the identity of another user with separate…
Description The software does not drop privileges before passing control of a resource to an actor that does not have those privileges. In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread…
Description The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-271 Consequences Access Control, Confidentiality: Gain Privileges or Assume Identity, Read Application Data, Read Files or Directories An attacker may be able…
Description The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users. In Windows based environments that have access control, impersonation is used so that…
Description The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-703 CWE-269 CWE-271 CWE-280 Consequences Other: Other, Alter Execution Logic Potential Mitigations CVE References CVE-2001-1564 System limits are not properly…
Description During installation, installed file permissions are set to allow anyone to modify those files. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-732 Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data Potential Mitigations Phase: Architecture and Design, Operation Description: The architecture needs to…
Description A product defines a set of insecure permissions that are inherited by objects that are created by the program. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-732 Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data Potential Mitigations Phase: Architecture and Design, Operation Description: Very carefully manage the…
Description A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-732 Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data Potential Mitigations Phase: Architecture and Design, Operation Description: …
Description While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. Modes of Introduction: – Implementation Related Weaknesses CWE-732 Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data Potential Mitigations Phase: Architecture and Design,…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “..” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity: Read Files or Directories,…
Description The software does not properly handle when a particular element is not completely specified. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-237 CWE-404 Consequences Integrity, Other: Varies by Context, Unexpected State Potential Mitigations CVE References CVE-2002-1532 HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-23 Consequences Confidentiality, Integrity: Read Files…
Description The software does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-237 CWE-707 Consequences Integrity, Other: Varies by Context, Unexpected State Potential Mitigations CVE References
Description The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). Modes of Introduction: – Architecture and Design Related Weaknesses CWE-228 Consequences Integrity, Other: Varies by Context, Unexpected State Potential Mitigations…
Description The program calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of…
Description The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. Improper use of chroot() may allow attackers to escape from the chroot jail. The chroot() function call does not change the process’s current working…
Description Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a “heap inspection” attack that reads…
Description The J2EE application directly manages connections, instead of using the container’s connection management facilities. The J2EE standard forbids the direct management of connections. It requires that applications use the container’s resource management facilities to obtain connections to resources. Every major web application container provides pooled database connection management as part of its resource management…
Description The J2EE application directly uses sockets instead of using framework method calls. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-695 Consequences Other: Quality Degradation Potential Mitigations Phase: Architecture and Design Description: Use framework method calls instead of using sockets directly. CVE References
Description This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive information. Modes of Introduction: – Implementation Related Weaknesses CWE-705 CWE-703 Consequences Availability, Confidentiality: DoS: Crash, Exit, or Restart, Read Application Data…
Description This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the “path manipulation” term and the description. The original description for this entry was the same…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “/../” sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity: Read Files or Directories,…
Description The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. Modes of Introduction: – Implementation Likelihood of Exploit: Medium Related Weaknesses CWE-657 CWE-269 Consequences Confidentiality, Integrity, Availability, Access Control: Gain Privileges or Assume…
Description The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. Two common programmer assumptions are “this function call can never fail” and “it doesn’t matter if this function call fails”. If an attacker can force the function to fail or otherwise…
Description The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function. Modes of Introduction: –…
Description Storing a password in plaintext may result in a system compromise. Password management issues occur when a password is stored in plaintext in an application’s properties, configuration file, or memory. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource. In some contexts, even…
Description The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system…
Description Using an empty string as a password is insecure. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-260 CWE-521 Consequences Access Control: Gain Privileges or Assume Identity Potential Mitigations Phase: System Configuration Description: Passwords should be at least eight characters long — the longer the…
Description The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. Modes of Introduction: – Implementation Likelihood of Exploit: High Related Weaknesses CWE-798 CWE-321 CWE-257 Consequences Access Control: Gain Privileges or Assume Identity If hard-coded passwords are used, it…
Description The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted…
Description The application stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties. Various Unix FTP servers require a password file that is under the FTP root, due to use of chroot. Modes of Introduction: – Operation Related Weaknesses CWE-552 Consequences Confidentiality:…
Description The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-664 Consequences Non-Repudiation:…
Description The application truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-221 Consequences Non-Repudiation: Hide Activities The source of an attack will be difficult or impossible to determine. This…
Description The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-221 Consequences Non-Repudiation: Hide Activities The source of an attack will be difficult or…
Description The software records security-relevant information according to an alternate name of the affected entity, instead of the canonical name. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-221 Consequences Non-Repudiation, Access Control: Hide Activities, Gain Privileges or Assume Identity Potential Mitigations CVE References CVE-2002-0725 Attacker performs malicious actions on…
Description The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or “zeroize” the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. Modes of Introduction:…
Description The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. Modes of Introduction: – Implementation Related Weaknesses CWE-703 CWE-707 Consequences Integrity, Availability: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU) If an input is syntactically invalid, then processing…
Description The software does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-228 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as “..” that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside…
Description The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null. Modes of Introduction: – Implementation Related Weaknesses CWE-229 Consequences Integrity: Unexpected State Potential Mitigations CVE References CVE-2002-0422 Blank Host header…
Description The software does not handle or incorrectly handles when more values are provided than expected. Modes of Introduction: – Implementation Related Weaknesses CWE-229 CWE-120 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-229 Consequences Integrity: Unexpected State Potential Mitigations CVE References CVE-2000-1003 Client crash when server returns unknown driver…
Description The software does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-228 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-233 Consequences…
Description The software does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. Modes of Introduction: – Implementation Related Weaknesses CWE-233 Consequences Integrity: Unexpected State Potential Mitigations CVE References CVE-2003-1014 MIE. multiple gateway/security products allow restriction bypass using multiple…
Description The software does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-233 Consequences Integrity: Unexpected State Potential Mitigations CVE References CVE-2002-1488 Crash in IRC client via PART message…
Description The software does not handle or incorrectly handles inputs that are related to complex structures. Modes of Introduction: Related Weaknesses CWE-228 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description The software does not handle or incorrectly handles when a particular structural element is not completely specified. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-237 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-668 Consequences Confidentiality: Read Application Data Potential Mitigations Phase: Architecture and Design Description: CVE References CVE-2001-1483 Enumeration of…
Description The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as…
Description When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be tied to individual users, but a large number of users should be able to make queries that “scrub” the identity of users, it may be possible to get information…
Description The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Discrepancies can take many forms, and variations may be detectable in timing, control…
Description The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can…
Description The product’s behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality. Ideally, a product should provide as little information about its internal operations as possible. Otherwise, attackers could use knowledge of…
Description The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points. Ideally, a product should provide as little information as possible to an attacker. Any hints that the attacker may be…
Description The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker. For many kinds of products, multiple products may be available that perform the same functionality, such as a…
Description Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. In security-relevant contexts, even small variations in timing can be exploited by…
Description The software generates an error message that includes sensitive information about its environment, users, or associated data. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-200 CWE-755 Consequences Confidentiality: Read Application Data Often this will either reveal sensitive information which may be used for a…
Description The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-209 Consequences Confidentiality: Read Application Data Potential Mitigations Phase: Implementation, Build and Compilation Description: Debugging information should not make its way into a…
Description The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information. Modes of Introduction: – Architecture and Design Related…
Description The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-669 CWE-201 Consequences Confidentiality: Read Files or Directories, Read Application Data…
Description The product’s intended functionality exposes information to certain actors in accordance with the developer’s security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product’s administrator, users, or others whose information is being processed. Modes of Introduction: – Policy Related Weaknesses…
Description A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable…
Description The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this…
Description This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the “container” term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry. Modes of Introduction: …
Description This entry has been deprecated because it incorporated and confused multiple weaknesses. The issues formerly covered in this entry can be found at CWE-766 and CWE-767. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. Besides public-facing web pages and code, applications may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server…
Description The software validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. Software needs to validate data at the proper time, after data has been canonicalized and cleansed. Early validation is susceptible to various manipulations that…
Description The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. Modes of Introduction: – Implementation …
Description The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection. Modes of Introduction: – Implementation …
Description The software filters data in a way that causes it to be reduced or “collapsed” into an unsafe value that violates an expected security property. Modes of Introduction: – Implementation Related Weaknesses CWE-693 CWE-33 CWE-34 CWE-35 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Architecture and Design Description: Avoid…
Description The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive – that is, it allows an input that is unsafe, leading to resultant weaknesses. Modes of Introduction:…
Description The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. Developers often try to protect their products against malicious input…
Description The software specifies a regular expression in a way that causes data to be improperly matched or compared. When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data. Modes of Introduction: – Implementation Related…
Description A regular expression is overly restrictive, which prevents dangerous values from being detected. This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly…
Description The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses. For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password. Modes of Introduction:…
Description The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low Related Weaknesses CWE-1105 CWE-435 Consequences Integrity, Confidentiality: Modify Memory, Read Memory Can result in unintended modifications or exposure…
Description The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer…
Description The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. This can happen in signed and unsigned cases. Modes of Introduction: – Implementation Related Weaknesses CWE-682 CWE-682 Consequences Availability: DoS:…
Description Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may…
Description A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. Modes of Introduction: – Implementation Related Weaknesses CWE-682 CWE-682 CWE-617 CWE-170 CWE-119 Consequences Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability…
Description The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. Modes of Introduction: – Implementation Likelihood of Exploit: High Related Weaknesses CWE-681…
Description The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive. Modes of Introduction: – Implementation Related Weaknesses CWE-681 CWE-681 CWE-681 CWE-119 Consequences Integrity: Unexpected State Conversion…
Description The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive. Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite…
Description Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal…
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability analysis includes the detection, assessment, classification and treatment of vulnerabilities, based on the risk they pose to the company.
Vulnerability Identification
A security team can detect vulnerabilities following different approaches. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists in which vulnerabilities and the related countermeasures are disclosed. This service is usually offered by the vendor or, if not available, by third parties. It is a very time-consuming but necessary task: you must perform it on a daily basis to promptly detect vulnerabilities and to comply with several standards and regulations. Other inputs can come from the analysis of hardening reports and tasks, and from the periodic review of the access rules and of the company policies and procedures.
Tools
Thanks to tools like Nessus and OpenVAS, it is possible to partially automate the discovery and analysis of vulnerabilities. After verifying the active hosts and the related services, we can deepen our analysis and determine the operating system and application versions.
As shown in the figure, Nessus provides the list of vulnerabilities to which each analysed host is potentially vulnerable. Potentially, because the scanner does not attempt to exploit the vulnerability. That phase, often manual, is not part of the vulnerability analysis process and is normally carried out within a penetration test.
CVSS
In the report, vulnerabilities are classified according to the CVSS (Common Vulnerability Scoring System), a framework used to classify software vulnerabilities. CVSS is an important tool that simplifies the vulnerability management process.
Let’s pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The test results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches, implement countermeasures, and you have to do it fast. During the meeting, you could try to tell management that you found several RCE-type vulnerabilities on systems deployed in your DMZ, that attackers do not need system or application credentials to perform the attack, and that exploits are readily available on the Internet. Or you could report the presence of several CVSS 10 vulnerabilities on critical systems. For more information on CVSS, in its two versions 2.0 and 3.0, I suggest reading our article.
CVE & NVD
Each vulnerability has a Common Vulnerabilities and Exposures (CVE) ID, in the form CVE-YYYY-NNNN. Assigning an ID to each vulnerability allows one to keep track of it and to automate and simplify the integration of the different tools available to an analyst.
Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has a specific CVE ID. Assuming that your firewall vendor catalogues its vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, to search for the relevant patches and to minimize the possible impact of applying the remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS. CVE is operated by “The Mitre Corporation”. More details can be obtained on the cve.org website.
NVD (National Vulnerability Database) is managed by NIST (National Institute of Standards and Technology). NVD is a vulnerability database: for each CVE, information such as countermeasures, criticality and impact is provided.
CWE & OWASP
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs. The CWE Top 25 Most Dangerous Software Weaknesses list is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 is related to Cross-Site Scripting, while CWE-89 is related to SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities of web applications. The CWE Most Important Hardware Weaknesses list serves the same purpose, but it focuses on hardware defects.
Vulnerability Analysis steps
Vulnerability analysis comprises several phases.
Preparatory phase
It is not possible to carry out a thorough and reliable analysis without a deep knowledge of the infrastructure or application under examination. If a procedure for managing IT services and their related assets is not in place, it is not going to be possible to classify and prioritize vulnerabilities. Let’s say our vulnerability scanner found 300 vulnerabilities on approximately 30 hosts. Which vulnerabilities should I prioritize? Which ones shall I remediate immediately? The answer depends not only on the vulnerability severity but also on how important the hosts and services affected by it are.
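The two points made above and in the CVE section, that findings are tracked by CVE ID and that severity alone does not decide the order of remediation, can be put together in a few lines. The following is an added example (not the article's code) that joins a constructed scanner export with a constructed asset register and ranks findings by CVSS weighted with host criticality and Internet exposure; the CVE IDs are labelled placeholders, the hosts and criticality scale are invented, and the weighting is a simple illustrative choice rather than a standard.

```python
"""Risk-based prioritisation of scanner findings (added example, not the article's code).
All inputs are constructed: placeholder CVE ids, fake hosts, an invented criticality scale."""
import csv
import io
import re

# CVE ids look like CVE-YYYY-NNNN; since 2014 the sequence part may have more than four digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed scanner export (host, CVE id, CVSS base score). The ids are placeholders.
SCAN_EXPORT = """host,cve,cvss
10.0.1.10,CVE-2099-0001,7.5
10.0.1.10,CVE-2099-0002,9.8
10.0.2.20,CVE-2099-0002,9.8
10.0.2.20,CVE-2099-0003,5.3
10.0.3.30,CVE-2099-0001,7.5
10.0.3.30,CVE-2099-0004,10.0
"""

# Constructed asset register: criticality from 1 (lab box) to 5 (crown jewels), plus whether
# the host is reachable from the Internet (the DMZ case discussed in the CVSS section).
ASSETS = {
    "10.0.1.10": {"name": "dmz-web-01", "criticality": 4, "internet_facing": True},
    "10.0.2.20": {"name": "erp-db-01", "criticality": 5, "internet_facing": False},
    "10.0.3.30": {"name": "lab-test-01", "criticality": 1, "internet_facing": False},
}

# Hosts missing from the register get a conservative default: an undocumented host is a finding.
UNKNOWN_ASSET = {"name": "unknown", "criticality": 3, "internet_facing": True}


def cve_ids(text):
    """Extract the distinct CVE ids mentioned in free text (an advisory, a vendor mail)."""
    return sorted({m.upper() for m in CVE_RE.findall(text)})


def nvd_url(cve):
    """NVD detail page for a CVE id (URL pattern of nvd.nist.gov)."""
    return f"https://nvd.nist.gov/vuln/detail/{cve.upper()}"


def risk_score(cvss, asset):
    """Severity weighted by host importance and exposure (illustrative weighting)."""
    score = cvss * asset["criticality"]
    if asset["internet_facing"]:
        score *= 1.5
    return round(score, 1)


def prioritise(export, assets):
    """Return findings sorted by descending risk, then by descending CVSS, then by host."""
    rows = []
    for r in csv.DictReader(io.StringIO(export)):
        asset = assets.get(r["host"], UNKNOWN_ASSET)
        cvss = float(r["cvss"])
        rows.append({"host": r["host"], "asset": asset["name"], "cve": r["cve"].upper(),
                     "cvss": cvss, "risk": risk_score(cvss, asset)})
    return sorted(rows, key=lambda x: (-x["risk"], -x["cvss"], x["host"]))


def patches_by_cve(rows):
    """Group affected hosts per CVE: one CVE usually maps to one vendor patch, so the
    remediation plan should count patches, not findings."""
    out = {}
    for r in rows:
        out.setdefault(r["cve"], []).append(r["host"])
    return out


if __name__ == "__main__":
    ranked = prioritise(SCAN_EXPORT, ASSETS)
    for r in ranked:
        print(f"{r['risk']:5.1f}  {r['asset']:12s} {r['cve']}  (CVSS {r['cvss']})  {nvd_url(r['cve'])}")
    for cve, hosts in patches_by_cve(ranked).items():
        print(f"{cve}: patch {len(hosts)} host(s): {', '.join(hosts)}")
```

With these inputs the CVSS 10.0 finding on the lab box ends up below a CVSS 5.3 finding on the ERP database, which is the point of the preparatory phase: without the asset register, the ranking would be by score only.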
Discovery and analysis of vulnerabilities
You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.
Post assessment
It is now possible to define a remediation plan. The remediation plan is not a mere list of patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL injection, CSRF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training classes for your developers.
If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.
While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your supplier security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle? Outsourcing has hidden costs that you always need to consider.
Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.
What’s next?
In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.
Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.
From a defender’s point of view, the task is a precondition of several key procedures:
Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within the infrastructure. Furthermore, it helps to detect unauthorized hosts, which could derive from malicious activities (or, more commonly, from system administrators who forgot to document them… and maybe to apply the company’s hardening procedures).
Network scanning is a fundamental step of a company vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
it allows the detection of unauthorized services and the presence of obsolete systems;
it helps to verify the correspondence between the specifications document and the actual implementation;
it helps to verify the correct application of the hardening procedures.
Penetration test – regardless of the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test, to confirm your client’s or colleagues’ input.
From an attacker point of view… Well, that goes without saying 🙂
The network scanning procedure aims to identify active hosts. On the other hand, port scanning seeks to detect the ports that hosts disclose and with which it is possible to interact. Starting from the output of a network/port scanning, an attacker, or a newly hired CISO, can outline different traits of a company security posture.
In these articles we will see:
the different steps of a network scan;
some examples with the NMAP tool.
Host discovery
Port scanning involves sending several packets to the host and verifying its response. Usually, the analysis is restricted to the 1024 most common ports (it depends on the available time and the final goal of the analysis). As you may expect, performing this task for all the hosts within a network/infrastructure is time-expensive and generates a lot of noise.
In most cases, only a tiny fraction of IP addresses are active at any given moment. To avoid wasting time, the tester first performs the host discovery phase to determine the active hosts in the tested networks and infrastructure.
There are several techniques:
ARP Ping scan;
ICMP Ping scan;
UDP Ping Scan;
TCP SYN/ACK Ping scan;
IP Protocol Ping scan.
As stated in the official documentation, the default NMAP host discovery strategy involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP).
ARP ping scans are the most effective method to detect active hosts inside a LAN. Their limit is that the technique cannot be applied to subnets other than the one the scanner belongs to. Even if you supply other -P* options to NMAP, the tool by default performs an ARP/Neighbor Discovery against targets on a local Ethernet network, since it is the fastest and most reliable technique.
An ICMP scan consists of sending ICMP echo requests to hosts on the network. If a host is active, it will return an ICMP echo reply. The technique has limited usability, as blocking ICMP requests is part of the basic hardening rules of firewalls and systems.
A TCP scan consists of sending a TCP segment to the hosts and analysing their response. There are two different modes: TCP SYN Ping scan and TCP ACK Ping scan.
As illustrated in the figure, a TCP Syn ping scan consists of the following steps:
The tester sends a TCP SYN segment to port 80.
If the port is closed, the host responds with an RST segment.
If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
Afterwards, an RST segment is sent to reset this connection.
Since it is a normal attempt to establish a TCP connection, the traffic is not blocked by firewalls and the scan does not require administrator permissions.
A TCP ACK ping scan instead consists of the following steps:
The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
If the host is offline, it should not respond to this request.
Otherwise, it will return an RST segment and will be treated as online. An RST is sent because the TCP ACK is not associated with any valid existing connection.
ACK Ping Scan requires administrator privileges. Since it is recognized and blocked by a stateful firewall, its main goal is to get information about the filter configurations, not port status.
Port Scan
Once the active hosts within a network have been determined, a port scan can be performed to determine the exposed ports and services.
Several techniques are available:
TCP Scan (Connect and Half Open Scan);
UDP Scanning;
SCTP Scanning;
SSDP Scanning.
Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.
TCP Scan
With a TCP Connect scan, a TCP connection is established with the host. That is, the whole 3-way handshake is performed.
The cheapest and fastest variant, the TCP Half Open scan (TCP SYN Scan), sends only the SYN segment. If a SYN/ACK segment is received, the port is identified as open; if an RST is received, the port is judged closed.
A third family, the TCP FIN, NULL and Xmas scans, modifies the flags of the TCP segment (FIN, URG, PSH, or no flags at all) in an attempt to induce a response from the server.
The technique works only on operating systems whose TCP/IP implementation complies with RFC 793. For example, it does not work with Windows systems, as these return an RST in both cases.
SEGMENT ARRIVES
If the state is CLOSED (i.e., TCB does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.
If the port is open, the system will not produce any response, while it will return an RST/ACK segment if the port is closed.
To understand the origin of the name, just look at the image below. According to the Nmap manual, the -sX flag “Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.”
UDP scan
UDP does not involve a handshake. If a UDP packet is sent to a port on which no service is listening, the system will respond with an ICMP Port Unreachable. In case of no answer, the port can be considered closed or filtered.
Countermeasures
To detect and prevent network scanning attempts, we suggest the following countermeasures:
Carefully design your services to reduce your attack surface: expose only the necessary services and always keep in mind the principles of least privilege and need-to-know;
Configure your firewalls to block all traffic that has no business justification;
Periodically review your firewall ruleset to keep it aligned with your business needs;
Harden your servers, disabling all unused services;
Perform network and port scans to ensure your firewall and server policies are aligned with your business needs;
Configure an IDS/IPS to promptly detect network and port scans.
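The last countermeasure is easier to reason about once you see what the probes described in the host discovery and TCP scan sections look like from the firewall's side. The following detector is an added example (not the article's code and not any IDS product's logic): it classifies each logged TCP segment by its flag set (SYN, ACK, NULL, FIN, Xmas), raises an alert for any NULL/FIN/Xmas segment since none of them starts a real connection, and raises a sweep alert when one source touches more than a threshold of distinct ports on a host within a time window. The log format is a constructed, simplified one, and the sample lines use RFC 5737 documentation addresses.

```python
"""Port-scan detection over firewall log lines.

Added example, not the article's code. The log format is a constructed, simplified one:
'<epoch> <src> <dst> <dport> <flags>', where <flags> is a comma-separated list of TCP
flags or '-' for a segment with no flags set.
"""
from collections import defaultdict

# Flag combinations the probe types described in the article put on the wire. A bare SYN is
# also what every legitimate client sends, so it is suspicious only in volume; NULL, FIN and
# Xmas segments never begin a real connection, so a single one is enough to alert on.
PROBE_TYPES = {
    frozenset({"SYN"}): "SYN (half-open scan / SYN ping)",
    frozenset({"ACK"}): "ACK ping",
    frozenset(): "NULL scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan",
}
MALFORMED = {"NULL scan", "FIN scan", "Xmas scan"}


def parse_line(line):
    """Parse one constructed log line into a dict with a frozenset of TCP flags."""
    ts, src, dst, dport, flags = line.split()
    flagset = frozenset(f for f in flags.split(",") if f and f != "-")
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flagset}


def classify(flagset):
    """Name the probe type a flag set corresponds to, or 'other'."""
    return PROBE_TYPES.get(flagset, "other")


def detect_scans(lines, window=60, port_threshold=15):
    """Return one alert per (src, dst) pair that sends a malformed probe, plus one per pair
    that touches more than `port_threshold` distinct ports within `window` seconds."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    history = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
    alerted = set()
    alerts = []
    for e in events:
        kind = classify(e["flags"])
        pair = (e["src"], e["dst"])
        if kind in MALFORMED:
            if (pair, kind) not in alerted:
                alerted.add((pair, kind))
                alerts.append({"src": e["src"], "dst": e["dst"], "reason": kind, "ports": 1})
            continue
        history[pair].append((e["ts"], e["dport"]))
        recent = {p for t, p in history[pair] if e["ts"] - t <= window}
        if len(recent) > port_threshold and (pair, "sweep") not in alerted:
            alerted.add((pair, "sweep"))
            alerts.append({"src": e["src"], "dst": e["dst"],
                           "reason": f"{kind}: {len(recent)} distinct ports within {window}s",
                           "ports": len(recent)})
    return alerts


# Constructed sample: a SYN sweep of ports 1-20 from 203.0.113.5, thirty legitimate HTTPS
# connections from 192.0.2.9 and a single Xmas probe from 198.51.100.7.
SAMPLE_LOG = (
    [f"{1000 + i} 203.0.113.5 10.0.0.10 {port} SYN" for i, port in enumerate(range(1, 21))]
    + [f"{1030 + i} 192.0.2.9 10.0.0.10 443 SYN" for i in range(30)]
    + ["1050 198.51.100.7 10.0.0.10 22 FIN,PSH,URG"]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a['src']} -> {a['dst']}: {a['reason']}")
```

The threshold is the tuning knob: too low and a busy client that legitimately opens a few ports trips it, too high and a slow scan spread over many windows is missed. The repeated legitimate client in the sample never alerts because it always hits the same port, which is why the detector counts distinct ports rather than packets.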
The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:
personal data, skills, experience and interests of the company’s employees;
company headquarters;
technologies in use (middleware, operating systems);
suppliers and consultants who collaborate periodically with the company;
IP address blocks and network topology;
DNS records.
We can divide footprinting techniques into two macro areas:
active: it involves the collection of information through direct interaction with the target. It is a riskier practice than the passive one, as it could leave traces: the systems of the targeted organization could (and should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
passive: involves the collection of information without direct interaction with the target. Some examples are the usage of search engines, social networks, job posting sites, analysis of data received from providers that monitor website’s traffic, commercial performance or deliver reports about future commercial operations of the target.
Identifying the technologies adopted by the target drastically simplifies the attacker’s job. Knowing which technologies are in use, that good security practices are lacking, or that the security posture is poor increases the attacker’s chances of success.
When we perform a penetration test in which the company aims to assess the chances of an attacker completely unrelated to the organization, footprinting activities heavily influence the success of the test.
Footprinting with search engines and social networks
Search engines offer a myriad of information to the attacker. The advanced functions available in Google, Bing and other search engines reveal information that companies are not even aware they expose to the public.
The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.
Thanks to search engines, an attacker gets to know the technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications meant for internal use only and much other information about the target.
Like search engines, social networks provide an enormous quantity of information to attackers.
An attacker can dig through LinkedIn to understand who the key people of the organization are, and their experience and knowledge. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, the attacker can exploit the gathered information to perform a social engineering attack.
Tools like theHarvester and sublist3r simplify attackers’ job, reducing the manual work.
Footprinting through job posting sites
The following image shows the information revealed on a job advertisement post. The job post is real. I found it on the platform indeed.com.
The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have some LAMP servers, that they probably monitor their infrastructure using Nagios, and that they use Oracle and DB2 as RDBMS. Their infrastructure may include J2EE containers like GlassFish and JBoss and servlet containers like Tomcat. Even though Windows XP and Windows 7 reached end of life over 5 and 2 years ago respectively, they are still asking for people with experience on them.
You are getting information not only about the technologies in use, but you are also outlining the security posture of the company.
Job posts can tell you a lot more. Are they searching for IT security specialists? Besides the tools and countermeasures adopted, they may even tell you how big their security team is. Are they even trying to fill important roles like CIO or CISO?
Tools and services:
We suggest looking at the following tools, of which we wrote a brief description: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagoofil, ExifTool, DNSRecon, traceroute.
Countermeasures
Your employees’ and colleagues’ awareness of attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed to inside and outside the office.
The adoption of security policies (hardening of the systems, analysis and reviews of IDS/IPS and other monitoring tools, etc.), the definition of roles and responsibilities will allow a company to quickly detect and react to attackers’ attempts to gather information or to exploit the knowledge they previously gained through passive footprinting techniques.
The term hacker often takes on a negative connotation.
In the past, we often focused on the distinction between a hacker, a person with deep security knowledge who explores technologies, systems and related vulnerabilities out of pure passion, and a cracker, the “malicious” counterpart, who uses that knowledge to cause damage and steal data of a certain value (for example, credit cards).
RFC1392 provides the following definitions:
hacker
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.
cracker
A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.
Unfortunately, media have never bothered to understand the distinction and, for the masses, there is no difference between crackers and hackers.
In our opinion, here is the correct terminology to be used in the security sector:
Black hats (Crackers)
Crackers, or black hats, have got extraordinary computing skills but they lack ethics. They may violate laws by committing malicious or destructive acts.
Script Kiddies
An unskilled cracker who compromises systems using tools, scripts and software developed by others.
White Hats (Ethical Hacker)
An individual who uses their hacking skills for defensive purposes.
They analyse computer systems or networks to detect security issues and give recommendations for improvement to their owners.
A white hat will penetrate a system only with the authorisation of, and upon request from, the infrastructure owner.
Gray Hats
Gray hats use their skills both offensively and defensively.
They often look for system vulnerabilities without the permission or knowledge of the owner. If they find a security issue, they may reveal it to the owner upon the payment of a small fee. Sometimes, their ultimate goal is to show their skills and create awareness about the intrinsic insecurity of the Internet.
It may be useful to know some additional terms. State-sponsored hackers are employed by a government to penetrate other governments’ systems, to damage them or to gain top-secret information. You have surely heard about cyber terrorists, individuals moved by political or religious beliefs to create fear among civilians and influence the policy of the targeted governments.