Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the protocols most widely used to secure communication over a network. They provide encryption and authentication between two applications, protecting the confidentiality and integrity of the data exchanged between them.
SSL/TLS is not invulnerable, however, and over the years several weaknesses have been found that undermine exactly what the protocol is meant to protect. One of the best known is the POODLE attack, disclosed in 2014, which affects SSL 3.0 (and a few TLS implementations that validated CBC padding the same sloppy way). It exploits how SSL 3.0 handles padding in CBC-mode encryption: an attacker who can inject requests and observe the responses, typically after forcing the client to downgrade to SSL 3.0, can decrypt the plaintext a byte at a time, including secrets such as session cookies, passwords and card numbers.
Another is the BEAST attack (2011), which exploits the predictable, chained initialization vectors that CBC-mode ciphers use in SSL 3.0 and TLS 1.0. With a foothold in the victim's browser for choosing plaintext, an attacker on the network can recover encrypted HTTPS cookies and hijack the session.
A third is the DROWN attack (2016), which targets servers that still accept SSLv2. A flaw in SSLv2's RSA handshake acts as a padding oracle that lets an attacker decrypt TLS sessions, including modern ones, that were negotiated with the same RSA key. SSLv2 is obsolete and should never be negotiated, but it may still be enabled on older or forgotten systems, and because the key is what matters, any other host or service (an SMTP server, say) that shares a certificate and private key with an SSLv2-enabled server exposes that server's TLS traffic too.
To keep your online transactions secure it's essential to know these weaknesses and take the necessary precautions. Start by using the latest version of TLS, currently TLS 1.3, and disable support for the older, insecure protocols: SSLv2 and SSLv3, and also TLS 1.0 and 1.1, which were formally deprecated in 2021 (RFC 8996).
It's also important to use strong cipher suites (authenticated encryption such as AES-GCM or ChaCha20-Poly1305 with ephemeral Diffie-Hellman key exchange, and no RC4, 3DES, export or NULL ciphers) and to test your TLS configuration regularly. Tools such as SSL Labs' SSL Server Test check the strength of a public server's configuration and flag known weaknesses, including exposure to POODLE, BEAST and DROWN.
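The two recommendations above can be expressed as code and checked offline. The following is an added example, not code from the original article: it builds a server-side TLS context with Python's standard `ssl` module that refuses everything below TLS 1.2 and offers only AEAD suites, and it audits a cipher list in the shape `SSLContext.get_ciphers()` returns. The weak-marker list, the certificate arguments and the "legacy server" cipher sample are assumptions constructed for the example, not captured from a real host.

```python
import ssl

# Substrings that mark cipher suites no current deployment should offer.
# Assumed list for this example, in line with what SSL Labs flags (RC4, 3DES,
# export/NULL suites, MD5 MACs, anonymous or pre-shared-key exchange).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK", "SRP")


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that negotiates only TLS 1.2/1.3 with AEAD suites and
    ephemeral ECDHE key exchange.  certfile/keyfile are the operator's PEM
    files (hypothetical here); left out so the context can be audited offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Floor at TLS 1.2: this rules out SSLv2/SSLv3 (DROWN, POODLE) and
    # TLS 1.0/1.1 (BEAST-era CBC handling) in one setting.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ECDHE + AES-GCM or ChaCha20-Poly1305 only.  The TLS 1.3
    # suites are fixed by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server, not client, picks the suite
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_ciphers(ciphers):
    """Names of suites that should not be offered.  `ciphers` has the shape
    returned by SSLContext.get_ciphers(): one dict per suite with at least
    'name', 'protocol' and 'aead'."""
    findings = []
    for c in ciphers:
        name = c["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(name)                      # known-weak algorithm
        elif not c.get("aead", False):
            findings.append(name)                      # CBC / MAC-then-encrypt suite
        elif c.get("protocol") not in ("TLSv1.2", "TLSv1.3"):
            findings.append(name)                      # suite bound to an old protocol
    return findings


def audit_context(ctx):
    return audit_ciphers(ctx.get_ciphers())


def legacy_protocols_disabled(ctx):
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


# Constructed sample of what a legacy server might still advertise (same
# shape as get_ciphers(); not captured from a real host).
LEGACY_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "aead": True},
    {"name": "AES128-SHA", "protocol": "SSLv3", "aead": False},             # static RSA + CBC
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "protocol": "SSLv3", "aead": False},  # 3DES
    {"name": "RC4-SHA", "protocol": "SSLv3", "aead": False},                 # RC4
]

if __name__ == "__main__":
    print("legacy server would be flagged for:", audit_ciphers(LEGACY_CIPHERS))
    ctx = hardened_server_context()
    print("hardened context findings:", audit_context(ctx))
    print("minimum version:", ctx.minimum_version.name)
```

Setting `minimum_version` is the one switch that retires all three attacks discussed above at once; the cipher string then removes the non-AEAD suites that remain legal in TLS 1.2. Run the audit against your own context before deployment and against SSL Labs' report afterwards, since the remote test also sees the certificate chain and protocol downgrade behaviour that a local check cannot.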
Another crucial step is to keep your TLS certificates valid and current. The certificate is what lets a client verify that it is talking to the genuine server and not to an attacker in the middle. Certificates have an expiry date; an expired one makes clients fail outright, or worse, trains users to click through warnings, so track expiry dates and automate renewal where you can, and re-key and revoke a certificate if its private key may have been exposed.
Finally, TLS protects data only while it is in transit. Combine it with other measures such as firewalls, endpoint protection and two-factor authentication for additional layers of defence.
By taking these precautions you can significantly reduce the risk from SSL/TLS weaknesses and keep your online transactions as secure as possible.
CWE (Common Weakness Enumeration) is a community-maintained list of common types of hardware and software defects that have security implications. It serves as a common language for describing and communicating vulnerabilities in terms of the underlying weakness, identified by its CWE number.
Its goal is to support all methods, including automated ones, of finding and preventing software errors. It can be used at development time, during code review, and later during penetration testing to classify a finding and communicate the type of weakness to developers. At the time of writing the list is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.
The CWE Top 25 Most Dangerous Software Weaknesses is a list of the most common and impactful programming errors that lead to software vulnerabilities. Weaknesses in the Top 25 are usually easy to find and to exploit. For example, CWE-79 is Cross-Site Scripting and CWE-89 is SQL Injection. A similar project is the OWASP Top Ten (Open Web Application Security Project); compared to the CWE Top 25, the OWASP Top Ten focuses solely on the risks of web applications. The CWE Most Important Hardware Weaknesses list serves the same purpose for hardware defects.
Description The software creates an immutable text string using string concatenation operations. Modes of Introduction: Related Weaknesses CWE-1176 Consequences Other: Reduce Performance Potential Mitigations CVE References
Description The software contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies. Modes of Introduction: Related Weaknesses CWE-1120 Consequences Other: Reduce Reliability Potential Mitigations CVE References
Description The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-74…
Description The software establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges…
Description The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-923 CWE-406 Consequences Potential Mitigations CVE References CVE-2013-5211 composite: NTP feature generates…
Description The software uses a cross-domain policy file that includes domains that should not be trusted. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-284 CWE-183 CWE-668 Consequences Confidentiality, Integrity, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context An attacker may be…
Description The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-74 Consequences Confidentiality, Integrity,…
Description The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. “eval”). This may allow an attacker to execute arbitrary code, or at least modify what code can be executed. Modes of Introduction: – Architecture and Design…
Description The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-94 Consequences Confidentiality: Read Files or…
Description The software generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-96 Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands Potential Mitigations CVE References…
Description The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in “require,” “include,” or similar functions. In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain…
Description The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-74 CWE-706 CWE-73…
Description The software uses or accesses a file descriptor after it has been closed. After a file descriptor for a particular file or device has been released, it can be reused. The code might not write to the original file, since the reused file descriptor might reference a different file or device. Modes of Introduction:…
Description The software uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. When the reference count reaches zero, the resource…
Description The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software’s users or administrators. Hidden functionality can take many forms, such as intentionally malicious code, “Easter Eggs” that contain extraneous functionality such as games, developer-friendly shortcuts that…
Description The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these…
Description The software does not properly restrict reading from or writing to dynamically-identified variables. Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended…
Description The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-913 CWE-502 Consequences Integrity:…
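The entry above (mass assignment, CWE-915) is worth seeing side by side with its fix. The following is an added example, not code from the original page: a profile-update handler that copies every key of a request body onto the account object, beside one that checks the keys against an allowlist first. The `Account` class, the allowlist and the tampered request body are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    is_admin: bool = False
    balance: int = 0


def update_vulnerable(acct, request_fields):
    """CWE-915: every key in the request body becomes an attribute write, so a
    client can set is_admin or balance alongside the email it may change.
    setattr() will even create attributes the class never declared."""
    for key, value in request_fields.items():
        setattr(acct, key, value)
    return acct


# Assumed allowlist: the only attribute a user may change on their own profile.
PROFILE_WRITABLE = frozenset({"email"})


def update_safe(acct, request_fields, writable=PROFILE_WRITABLE):
    """Reject the whole request if it names a non-writable attribute.  Returns
    (applied, rejected_keys).  Silently dropping the extra keys is the weaker
    choice: the escalation attempt would leave no trace in the logs."""
    unexpected = sorted(set(request_fields) - set(writable))
    if unexpected:
        return False, unexpected
    for key, value in request_fields.items():
        setattr(acct, key, value)
    return True, []


# Constructed request body: a legitimate email change carrying an extra key.
TAMPERED_REQUEST = {"email": "alice@example.net", "is_admin": True}

if __name__ == "__main__":
    a = update_vulnerable(Account("alice", "alice@example.com"), TAMPERED_REQUEST)
    print("vulnerable handler:", a)
    b = Account("alice", "alice@example.com")
    print("safe handler:", update_safe(b, TAMPERED_REQUEST), b)
```

The allowlist belongs with the endpoint, not with the model: the same `Account` may legitimately have `is_admin` written by an administrative endpoint, which is why a per-class "protected fields" list tends to drift out of date.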
Description The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-327 Consequences Access Control: Bypass Protection Mechanism,…
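The entry above (password hash without sufficient computational effort, CWE-916) is best understood from the attacker's side. The following is an added example, not code from the original page: an unsalted single-round SHA-256 scheme that a tiny wordlist cracks instantly, beside a salted PBKDF2-HMAC-SHA256 scheme with a stored work factor and constant-time verification. The wordlist is constructed; the iteration count follows the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-SHA256, and PBKDF2 is used only because it is in the standard library (Argon2id or scrypt are preferable where available).

```python
import hashlib
import hmac
import os

# Constructed tiny wordlist standing in for a real cracking dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]


def hash_weak(password):
    """CWE-916: one fast, unsalted hash.  Equal passwords give equal hashes, and
    commodity GPUs test billions of SHA-256 candidates per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_weak(stored_hex, wordlist=COMMON_PASSWORDS):
    """The attacker's side: hash each candidate and compare.  With no salt, one
    pass over the wordlist cracks every account sharing that password at once."""
    for guess in wordlist:
        if hash_weak(guess) == stored_hex:
            return guess
    return None


# Work factor for PBKDF2-HMAC-SHA256 (OWASP Password Storage Cheat Sheet, 2023).
PBKDF2_ITERATIONS = 600_000


def hash_strong(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash in a self-describing record, so the work factor can
    be raised later and old records re-hashed on next login."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("weak hash cracked as:", crack_weak(hash_weak("hunter2")))
    record = hash_strong("hunter2")
    print("strong record:", record)
    print("verify correct / wrong:", verify_strong("hunter2", record), verify_strong("hunter3", record))
```

Two properties of the strong scheme matter: the random salt makes two users with the same password produce different records, defeating precomputed tables, and the stored iteration count lets the cost grow with hardware without a migration of every row at once.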
Description The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. Modes of Introduction: – Architecture and Design Likelihood…
Description The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending…
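The entry above (server-side request forgery, CWE-918) turns on one check: is the destination the one the application intended? The following is an added example, not code from the original page: a validator for a user-supplied URL that allowlists scheme, host and port, resolves the host, refuses non-routable addresses, and hands back the resolved IP so the caller connects to exactly what was checked. The allowlist, the ports and the DNS table are constructed assumptions (the addresses are placeholders, not real records); the `169.254.169.254` entry stands in for a cloud metadata endpoint, a common SSRF target.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({443})

# Stand-in for DNS so the example runs offline.  Addresses are constructed
# placeholders, not real records.
CONSTRUCTED_DNS = {
    "api.example.com": ["52.0.0.10"],
    "cdn.example.com": ["52.0.0.11"],
    "evil.example.net": ["169.254.169.254"],   # cloud metadata address
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


def safe_fetch_target(url, resolver=constructed_resolver):
    """Return (host, ip, port) the caller may connect to, or None if the URL must
    be refused.  Returning the resolved IP lets the caller connect to the address
    that was checked instead of resolving a second time (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    # .hostname is lower-cased, with userinfo ("user@") and IPv6 brackets removed,
    # so "https://api.example.com@evil.example.net/" yields evil.example.net.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return None
    try:
        port = parts.port or 443
    except ValueError:                     # non-numeric port
        return None
    if port not in ALLOWED_PORTS:
        return None
    addresses = resolver(host)
    if not addresses:
        return None
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # Refuses loopback, RFC 1918, link-local (169.254.0.0/16), multicast and
        # other non-routable space, for IPv4 and IPv6 alike.
        if not ip.is_global:
            return None
    return host, addresses[0], port


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",
              "https://api.example.com@evil.example.net/",
              "https://127.0.0.1/"):
        print(u, "->", safe_fetch_target(u))
```

The resolver check matters even for an allowlisted name: an attacker who controls the DNS for a host you trust, or who can make a trusted name resolve to an internal address between check and use, gets the same result as an un-allowlisted URL. Pinning the connection to the checked IP closes that gap; also disable redirect following in the HTTP client, or re-run this check on every redirect target.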
Description This entry has been deprecated. It originally came from PLOVER, which sometimes defined “other” and “miscellaneous” categories in order to satisfy exhaustiveness requirements for taxonomies. Within the context of CWE, the use of a more abstract entry is preferred in mapping situations. CWE-75 is a more appropriate mapping. Modes of Introduction: Likelihood of Exploit:…
Description The software operates in an environment in which power is a limited resource that cannot be automatically replenished, but the software does not properly restrict the amount of power that its operation consumes. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-400 Consequences Availability: DoS: Resource Consumption…
Description The software stores sensitive information in a file system or device that does not have built-in access control. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-922 Consequences Confidentiality: Read Application Data, Read Files or Directories Attackers can read sensitive information by accessing the unrestricted storage mechanism. Integrity:…
Description The software stores sensitive information without properly limiting read or write access by unauthorized actors. If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.…
Description The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-284 Consequences Integrity, Confidentiality: Gain Privileges or Assume Identity If…
Description The software establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission. Attackers might be able to modify the message and spoof the endpoint by interfering with the data as it crosses the network or by…
Description The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source. Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit…
Description The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-285 Consequences Availability, Integrity: Unexpected State, DoS: Crash, Exit, or Restart, DoS:…
Description The Android application uses an implicit intent for transmitting sensitive data to other applications. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-285 CWE-668 Consequences Confidentiality: Read Application Data Other applications, possibly untrusted, can read the data that is offered through the Intent. Integrity: Varies by Context The…
Description The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-74 CWE-117 Consequences Integrity: Modify Application Data Potential Mitigations…
Description The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do…
Description The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-287 CWE-602 Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or…
Description The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction. In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or…
Description The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-116 Consequences Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code…
Description The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-1023 CWE-195 CWE-682 CWE-119 CWE-124 Consequences Integrity, Confidentiality, Availability: Modify…
Description The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-79 Consequences Integrity: Unexpected State Potential Mitigations Phase: Implementation Effectiveness: Description: Resolve all URIs to absolute or canonical representations before processing. Phase: Implementation Effectiveness: Description: …
Description The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-691 Consequences Other: Alter Execution Logic An attacker could…
Description The software or the administrator places a user into an incorrect group. If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage…
Description The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-704 CWE-119 Consequences Availability, Integrity, Confidentiality: Read Memory,…
Description The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-79 CWE-675 Consequences Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands Potential Mitigations Phase: Implementation Effectiveness: Description: Resolve all filtered…
Description The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers. Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the software may attempt to remove a “javascript:” URI scheme, but a…
Description The software does not perform an authorization check when an actor attempts to access a resource or perform an action. An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users…
Description The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different…
Description The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-79 Consequences Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands Potential Mitigations Phase: Implementation Effectiveness: Description: Resolve all input to absolute or canonical representations…
Description The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-77 CWE-74 Consequences Confidentiality,…
Description The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High …
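The entry above (SQL injection, CWE-89) and the more general query-injection entry earlier in the list (CWE-943) describe the same mistake: untrusted input becomes part of the query text. The following is an added example, not code from the original page: a lookup that concatenates the name into the SQL string beside the parameterised form, plus the one case parameters cannot cover, a user-chosen ORDER BY column, handled with an allowlist. The table, rows and payload are constructed for the example and live in an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """CWE-89: the untrusted value becomes part of the SQL text, so a quote in
    `name` closes the string literal and the remainder is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver binds the value separately from the
    statement text, so the same payload is merely a name that matches nothing."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (table or column names, ORDER BY targets) cannot be bound as
# parameters.  Map the user's choice onto a fixed allowlist instead.
SORT_COLUMNS = {"name": "name", "email": "email"}


def sort_column_accepted(column):
    return column in SORT_COLUMNS


def list_users_sorted(conn, column):
    if not sort_column_accepted(column):
        raise ValueError("unsupported sort column")
    sql = "SELECT name FROM users ORDER BY " + SORT_COLUMNS[column]
    return [row[0] for row in conn.execute(sql).fetchall()]


# Constructed tautology payload: closes the literal and appends OR '1'='1.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))   # every row
    print("safe:      ", find_user_safe(conn, PAYLOAD))         # no row
    print("sorted:    ", list_users_sorted(conn, "name"))
```

The tautology payload makes the point visibly, but the damage in practice comes from `UNION SELECT` against other tables or stacked statements on drivers that allow them; the fix is the same in every case, since a bound parameter can never change the statement's structure. Escaping quotes by hand is not equivalent: it must be redone for every database dialect and is routinely defeated by encoding tricks of the kind the later entries on this page describe.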
Description If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system. If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully…
Description The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related…
Description The software uses or accesses a resource that has not been initialized. When a resource has not been properly initialized, the software may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the software. Modes…
Description The software does not initialize a critical resource. Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain…
Description The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. Within XML, special elements could include reserved words or characters such as "<", "\"", and "&", which could then be used…
Description The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-693 Consequences Confidentiality, Access Control,…
Description The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-79 CWE-209 CWE-390 Consequences Confidentiality, Integrity, Availability: Read Application…
Description The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute. Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim’s browser. Note that when the page is loaded into a…
Description The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if…
Description The software utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource. If access to a shared resource is not correctly synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially…
Description The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-119 CWE-125 CWE-787 Consequences Confidentiality: Read Memory If the untrusted pointer is used in a read operation, an attacker might be able…
Description The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-119 CWE-125 CWE-787 Consequences Confidentiality: Read Memory If the untrusted pointer is…
Description The program accesses or uses a pointer that has not been initialized. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-119 CWE-125 CWE-787 Consequences Confidentiality: Read Memory If the uninitialized pointer is used in a read operation, an attacker might be able to read sensitive portions of memory. Availability:…
Description The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. When a program releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data,…
Description The program releases a resource that is still intended to be used by the program itself or another actor. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-666 CWE-672 Consequences Confidentiality: Read Application Data, Read Memory If the released resource is subsequently reused or reallocated, then a read operation on the original…
Description The software does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the software to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker. Modes of Introduction: – Implementation Likelihood of…
Description The software defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-364 Consequences Integrity, Confidentiality, Availability: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands The most common consequence…
Description The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-669 Consequences Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands An attacker could insert malicious functionality into the…
Description The software does not neutralize or incorrectly neutralizes “javascript:” or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-79 Consequences Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands Potential Mitigations Phase: Implementation…
Description The software includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the software, potentially granting total access and control of the software to the untrusted source. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-829 Consequences Confidentiality, Integrity, Availability:…
Description The software defines a function that is used as a handler for more than one signal. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-364 Consequences Availability, Integrity, Confidentiality, Access Control, Other: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Application Data, Gain Privileges or Assume Identity, Bypass Protection…
Description The software attempts to unlock a resource that is not locked. Depending on the locking functionality, an unlock of a non-locked resource might cause memory corruption or other modification to the resource (or its associated metadata that is used for tracking locks). Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-667 Consequences…
Description The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-667 CWE-662 Consequences Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Other), DoS: Crash, Exit, or Restart Each thread of execution will…
Description The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in…
Description The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. Modes of Introduction: Likelihood of Exploit: Related Weaknesses CWE-834 …
Description The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the…
Description The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent…
Description The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer. This typically occurs when a pointer or its index is incremented to a position after the buffer; or when pointer arithmetic results in a position after the buffer. Modes of…
Description The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-770 CWE-1284 CWE-476 Consequences Availability: DoS: Resource Consumption (Memory) Not controlling…
Description The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-74 CWE-74 CWE-494 CWE-352 Consequences Access Control, Confidentiality: Bypass Protection…
Description The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-138 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description The software receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-790 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description The software receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-791 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description The software receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component. Incomplete filtering of this nature may be location-dependent, as in only the first or last element is filtered. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses…
Description The software receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-792 Consequences Integrity: Unexpected State Potential Mitigations CVE References
Description The software receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-791 Consequences Integrity: Unexpected State Potential Mitigations CVE…
Description The software receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. “at the beginning/end of a string; the second argument”), thereby missing remaining special elements that may exist before sending it to a downstream component. Modes of Introduction: – Implementation Likelihood of Exploit: Related…
Description The software receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. “byte number 10”), thereby missing remaining special elements that may exist before sending it to a downstream component. Modes of Introduction: – Implementation Likelihood of Exploit: Related Weaknesses CWE-795 Consequences Integrity: Unexpected State…
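The incomplete-filtering entries above (CWE-791 to CWE-795) all describe the same mistake from different angles: a sanitizer that removes the dangerous element once, or only at one position, instead of neutralizing every instance. The following Python is an added example written for this page, not code from the CWE entries; it reproduces each weak pattern on one special element, the path-traversal sequence "../", with constructed inputs, and ends with the approaches that actually hold.

```python
"""Added example (not taken from the CWE entries above): the
"incomplete filtering" family, CWE-791 to CWE-795, shown on one
special element, the path-traversal sequence "../".

Each filter_* function reproduces one weak pattern; the last two
functions show what holds up. All inputs are constructed.
"""
import posixpath

DANGEROUS = "../"   # the special element the filters try to neutralize


def filter_first_instance(s: str) -> str:
    """CWE-792: only the first occurrence is removed."""
    return s.replace(DANGEROUS, "", 1)


def filter_at_beginning(s: str) -> str:
    """CWE-794: the element is handled only relative to a marker, here
    the start of the string; the same element elsewhere survives."""
    return s[len(DANGEROUS):] if s.startswith(DANGEROUS) else s


def filter_single_pass(s: str) -> str:
    """CWE-791 in its classic form: every occurrence is removed, but in
    one pass. Deleting the middle of "..././" leaves "../" behind."""
    return s.replace(DANGEROUS, "")


def filter_until_stable(s: str) -> str:
    """Repeat the single-pass filter until the output stops changing,
    so a deletion can no longer create a fresh occurrence."""
    while True:
        t = s.replace(DANGEROUS, "")
        if t == s:
            return t
        s = t


def safe_join(base: str, user_path: str) -> str:
    """The sturdier fix: do not repair the string, canonicalize it and
    check the result against an allowlist (it must stay under base).
    Raises ValueError instead of returning something "cleaned"."""
    full = posixpath.normpath(posixpath.join(base, user_path))
    if full != base and not full.startswith(base.rstrip("/") + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return full


def is_safe_path(base: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join for callers that prefer a check."""
    try:
        safe_join(base, user_path)
        return True
    except ValueError:
        return False


def still_traverses(s: str) -> bool:
    """True if a (supposedly filtered) path can still climb out of its directory."""
    return ".." in posixpath.normpath(s).split("/")


if __name__ == "__main__":
    for name, fn, payload in (
        ("first instance", filter_first_instance, "../../etc/passwd"),
        ("at beginning", filter_at_beginning, "foo/../../etc/passwd"),
        ("single pass", filter_single_pass, "..././..././etc/passwd"),
        ("until stable", filter_until_stable, "..././..././etc/passwd"),
    ):
        out = fn(payload)
        print(f"{name:15s} {payload!r:28s} -> {out!r:22s} traverses={still_traverses(out)}")
```

The first three filters each leave a working traversal behind; only the fixed-point loop and, better, canonicalize-then-allowlist survive the constructed inputs. In practice prefer the allowlist check: a denylist of special elements has to be right for every downstream component, while a canonical-path prefix check only has to be right about the one directory you intend to expose.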
Description The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-287 CWE-287 CWE-344 CWE-671 CWE-257 Consequences Access Control: Bypass…
Description The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This…
Description When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean’s data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application’s expectations, potentially leading to other vulnerabilities. Modes of Introduction: – Architecture and…
Description The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as “<”, “>”, and “&” that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. This may allow such characters to be treated as control characters, which…
Description The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Related Weaknesses CWE-863 CWE-287 CWE-330 Consequences Access Control, Other: Bypass Protection Mechanism, Other When authorization, authentication, or another protection mechanism relies on CAPTCHA…
Description The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer. When the length value exceeds the size of the destination, a buffer overflow could occur. Modes of Introduction: – Implementation…
Description The software uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer. When the size of the destination is smaller than the size of the source, a buffer overflow could occur. Modes…
Description The software contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring. Modes of Introduction: – Implementation Likelihood of…
Description This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774. Modes of Introduction: Likelihood of Exploit: Related Weaknesses Consequences Potential Mitigations CVE References
Description The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses…
Description The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses…
Description The software does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. This does not necessarily apply in languages or frameworks that automatically perform garbage collection, since the removal of all references may act as a signal that the resource is ready to be…
Description The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. When a resource is not released after use, it can allow attackers to cause a denial of service by causing the allocation of resources without triggering their release. Frequently-affected resources include memory, CPU,…
Description The software does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed. This can cause the software to consume all available file descriptors or handles, which can prevent other processes from performing critical file processing operations. Modes of Introduction: – Architecture and Design Likelihood of…
Description The software allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor. This can cause the software to consume all available file descriptors or handles, which can prevent other processes from performing critical…
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability analysis covers the detection, assessment, classification and treatment of vulnerabilities according to the risk they pose to the company.
Vulnerability Identification
A security team can detect vulnerabilities following different approaches. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists in which vulnerabilities and the related countermeasures are disclosed. This service is usually offered by the vendor or, if not available, by third parties. It is a very time-consuming but necessary task: you must perform it on a daily basis to detect vulnerabilities promptly and to comply with several standards and regulations. Other inputs can come from the analysis of hardening reports, from the periodic review of access rules, and from the review of company policies and procedures.
Tools
Thanks to tools like Nessus and OpenVAS, it is possible to partially automate the discovery and analysis of vulnerabilities. After identifying the active hosts and their services, we can deepen the analysis and determine the operating system and application versions.
As shown in the figure, Nessus provides the list of vulnerabilities to which each analysed host is potentially vulnerable. Potentially, because the scanner does not attempt to exploit the vulnerability: most findings are inferred from version banners and configuration checks, which is why false positives have to be weeded out later. The exploitation phase, often manual, is not part of the vulnerability analysis process and is normally carried out within a penetration test.
CVSS
In the report, vulnerabilities are classified according to the CVSS (Common Vulnerability Scoring System), a framework used to rate the severity of software vulnerabilities on a scale from 0 to 10. CVSS is an important tool that simplifies the vulnerability management process, as long as you keep in mind that the base score measures the intrinsic severity of a flaw, not the risk it poses to your particular infrastructure.
Let’s pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The test results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches, implement countermeasures, and you have to do it fast. During the meeting, you could try to tell management that you found several RCE-type vulnerabilities on systems deployed in your DMZ, that attackers do not need system or application credentials to perform the attack, and that exploits are readily available on the Internet. Or you could report the presence of several CVSS 10.0 vulnerabilities on critical systems. For more information on CVSS, in its two versions 2.0 and 3.0, I suggest reading our article.
CVE & NVD
Each publicly known vulnerability has a Common Vulnerabilities and Exposures (CVE) ID, in the form CVE-YYYY-NNNN, where YYYY is the year the ID was assigned (not necessarily the year of discovery) and NNNN is a sequence number of four or more digits. Assigning an ID to each vulnerability allows you to keep track of it and to automate and simplify the integration of the different tools available to an analyst.
Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has a specific CVE ID. Assuming that your firewall vendor catalogues their vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, to search for the relevant patches and to minimise the possible impact of applying the remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS. CVE is operated by The MITRE Corporation. More details can be obtained on the cve.org website.
The NVD (National Vulnerability Database) is managed by NIST (National Institute of Standards and Technology). The NVD is a vulnerability database that enriches each CVE with a CVSS score, the CWE category of the underlying weakness, the affected products (as CPE identifiers) and references to advisories and patches.
CWE & OWASP
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a common language to describe and communicate the root cause of vulnerabilities in terms of CWE entries. The CWE Top 25 Most Dangerous Software Weaknesses is a list of the most common and impactful programming errors that lead to software vulnerabilities; the weaknesses in the CWE Top 25 are usually easy to find and exploit. For example, CWE-79 is Cross-Site Scripting and CWE-89 is SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on the vulnerabilities of web applications. The CWE Most Important Hardware Weaknesses list serves the same purpose for hardware defects.
Vulnerability Analysis steps
Vulnerability analysis comprises several phases.
Preparatory phase
It is not possible to carry out a thorough and reliable analysis without a deep knowledge of the infrastructure or application under examination. If a procedure for managing IT services and their related assets is not in place, it is not going to be possible to classify and prioritise vulnerabilities. Let’s say our vulnerability scanner found 300 vulnerabilities on approximately 30 hosts. Which vulnerabilities should I prioritise? Which ones shall I remediate immediately? The answer depends not only on the severity of the vulnerability but also on how important the affected hosts and services are, on their exposure (an Internet-facing DMZ host versus an isolated lab box) and on whether an exploit is publicly available.
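To make the point concrete, here is an added example (not from the article) of ranking scanner findings by risk rather than by CVSS alone. The findings, hostnames and weighting factors are constructed for the illustration; the asset criticality and exposure are the kind of data the asset register from the preparatory phase is supposed to provide.

```python
"""Added example, not part of the article: ranking scanner findings by
risk instead of by CVSS score alone. Asset criticality and exposure
come from the asset register that the preparatory phase is meant to
produce; the findings, hostnames and weighting factors below are
constructed for this illustration and should be tuned to your own
environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    finding: str          # scanner plugin name or CVE ID
    cvss: float           # base score as reported by the scanner
    criticality: int      # 1 (throwaway lab box) .. 5 (crown jewels), from the asset register
    exposure: str         # "internet", "dmz" or "internal"
    exploit_public: bool  # a working exploit is publicly available


# Illustrative factors (assumptions): how reachable the host is, and how
# much a public exploit raises the likelihood of an attack.
EXPOSURE_FACTOR = {"internet": 1.0, "dmz": 0.8, "internal": 0.5}
EXPLOIT_FACTOR = 1.5


def risk(f: Finding) -> float:
    """Severity x business impact x likelihood, scaled to 0..100."""
    severity = f.cvss / 10.0
    impact = f.criticality / 5.0
    likelihood = EXPOSURE_FACTOR[f.exposure] * (EXPLOIT_FACTOR if f.exploit_public else 1.0)
    return round(severity * impact * likelihood / EXPLOIT_FACTOR * 100, 1)


def prioritise(findings):
    """Highest risk first; ties broken by CVSS so the order is stable."""
    return sorted(findings, key=lambda f: (risk(f), f.cvss), reverse=True)


# Constructed sample report: four findings on four hosts.
SAMPLE = [
    Finding("lab-07", "unauthenticated RCE", 9.8, 1, "internal", False),
    Finding("web-01", "auth bypass", 7.5, 5, "internet", True),
    Finding("dmz-mail", "memory corruption", 8.8, 4, "dmz", True),
    Finding("hr-db", "information disclosure", 6.5, 5, "internal", False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{risk(f):5.1f}  CVSS {f.cvss:4.1f}  {f.host:9s} {f.finding}")
```

With these inputs the CVSS 9.8 on the lab box ends up last and the 7.5 on the Internet-facing crown jewel first, which is the ordering the remediation plan should follow. The weights are deliberately simple; what matters is that the inputs other than the CVSS score exist and are maintained.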
Discovery and analysis of vulnerabilities
You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.
Post assessment
It is now possible to define a remediation plan. The remediation plan is not a mere list of patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL Injection, CSRF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training for your developers.
If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.
While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your suppliers’ security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle? Outsourcing has hidden costs that you always need to consider.
Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.
What’s next?
In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.
Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.
From a defender’s point of view, the task is a precondition of several key procedures:
Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within the infrastructure. Furthermore, it helps to detect unauthorised hosts that could derive from malicious activities (or, more commonly, from system administrators who forgot to document them… and maybe to apply the company’s hardening procedures).
Network scanning is a fundamental step of a company vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
it allows the detection of unauthorized services and the presence of obsolete systems;
it helps to verify the correspondence between the specifications document and the actual implementation;
it helps to verify the correct application of the hardening procedures.
Penetration test – independently from the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test to confirm your client/colleagues inputs.
From an attacker point of view… Well, that goes without saying 🙂
The network scanning procedure aims to identify active hosts, while port scanning seeks to detect the ports that those hosts expose and with which it is possible to interact. Starting from the output of a network/port scan, an attacker, or a newly hired CISO, can outline different traits of a company’s security posture.
In these articles we will see:
the different steps of a network scan;
some examples with the NMAP tool.
Host discovery
Port scanning involves sending several packets to the host and examining its responses. Usually the analysis is restricted to the most common ports (nmap, for example, scans the 1000 most common ports of each protocol by default; the choice depends on the available time and the goal of the analysis). As you may expect, performing this task for all the hosts within a network is time-consuming and generates a lot of noise.
In most cases, only a small fraction of the IP addresses in a range are active at any given moment. To avoid wasting time, the tester first performs the host discovery phase to determine the active hosts in the tested networks.
There are several techniques:
ARP Ping scan;
ICMP Ping scan;
UDP Ping Scan;
TCP SYN/ACK Ping scan;
IP Protocol Ping scan.
As stated in the official documentation, the default nmap host discovery strategy for a privileged user involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP). An unprivileged user cannot send raw packets, so nmap falls back to ordinary connect() attempts to ports 80 and 443.
ARP ping scans are the most effective method to detect active hosts inside a LAN. Their limitation is that ARP does not cross routers, so the technique only works on the subnet the scanner belongs to. Even if you supply other -P* options, nmap by default performs an ARP/Neighbor Discovery scan against targets on a local Ethernet network, since it is the fastest and most reliable technique.
An ICMP scan consists of sending ICMP echo requests to the hosts on the network. An active host returns an ICMP echo reply. The technique has limited usability because blocking ICMP echo requests is part of the basic hardening rules of firewalls and systems.
A TCP ping scan consists in sending a TCP segment to the hosts and analysing the response. There are two modes: TCP SYN Ping scan and TCP ACK Ping scan.
As illustrated in the figure, a TCP Syn ping scan consists of the following steps:
The tester sends a TCP SYN segment to port 80.
If the port is closed, the host responds with an RST segment.
If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
Afterwards, an RST segment is sent to reset this connection.
Since it looks like a normal attempt to establish a TCP connection, this traffic is usually allowed by firewalls that permit access to the chosen port, and the probe does not require administrator privileges: without raw-socket privileges nmap simply uses the operating system’s connect() call.
A TCP ACK ping scan instead consists of the following steps:
The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
If the host is offline, it should not respond to this request.
Otherwise, it returns an RST segment and is treated as online. The RST is sent because the ACK is not associated with any existing connection.
An ACK ping requires administrator privileges, since the segment has to be crafted on a raw socket. Its value lies in getting past stateless firewalls that block incoming SYNs but let ACKs through; a stateful firewall, on the other hand, drops an unsolicited ACK and the probe fails. The related ACK scan (-sA), which sends the same segment to many ports, is used to map the firewall’s filtering rules rather than to find open ports.
Port Scan
Once the active hosts within a network have been determined, a port scan can be performed to determine the exposed ports and services.
Several techniques are available:
TCP Scan (Connect and Half Open Scan);
UDP Scanning;
SCTP Scanning;
SSDP Scanning.
Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.
TCP Scan
With a TCP Connect scan, a full TCP connection is established with the host, i.e. the whole 3-way handshake is performed. It needs no special privileges, because it uses the operating system’s ordinary connect() call, but the application listening on the port sees a completed connection and may log it.
The cheaper and faster variant, the TCP Half Open scan (TCP SYN scan), sends only the SYN segment. If a SYN/ACK is received, the port is reported as open and the scanner answers with an RST so the handshake is never completed; an RST means the port is closed; no response, or an ICMP unreachable error, means the port is filtered. Crafting raw SYN segments requires administrator (root) privileges.
A third family, the TCP FIN, NULL and Xmas scans, manipulates the flags of the TCP segment (FIN only; no flags at all; FIN, PSH and URG together) in an attempt to induce a response from the server.
The technique works only on operating systems whose TCP/IP implementation follows RFC 793. It does not work against Windows, for example, which returns an RST whether the port is open or closed, so every port appears closed.
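As an added example for this page (not code from the article or from nmap), here is a TCP connect scan written with plain sockets, run against a listener started on 127.0.0.1 so it works offline. The listener records every accepted connection, which is the point: a connect scan completes the three-way handshake, so the application behind the port sees the probe and can log it. Port numbers are chosen at run time; nothing here is a real target.

```python
"""Added example, not from the article: a TCP connect scan written with
plain sockets (what nmap -sT does, minus timing control, parallelism
and service detection), run against a local listener so it works
offline. The listener records every accepted connection to show why
a connect scan is the noisiest variant.
"""
import errno
import socket
import threading
import time


def start_listener(timeout: float = 2.0):
    """Listen on an ephemeral port of 127.0.0.1 and return (port, hits).
    hits collects the peer address of every connection accepted."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(timeout)          # the thread exits when nothing arrives
    port = srv.getsockname()[1]
    hits = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()     # handshake is already complete here
            except socket.timeout:
                break
            hits.append(peer)                 # the "log entry" a real daemon would write
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, hits


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Return {port: 'open' | 'closed' | 'filtered'}.

    connect_ex() returns 0 when the full handshake succeeded (open),
    ECONNREFUSED when the target answered with RST (closed) and some
    other errno, typically a timeout, when nothing came back (filtered).
    """
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))
        if err == 0:
            result[port] = "open"
        elif err == errno.ECONNREFUSED:
            result[port] = "closed"
        else:
            result[port] = "filtered"
    return result


def pick_closed_port() -> int:
    """Ask the OS for an ephemeral port and release it, so that it is
    (almost certainly) closed when it is probed a moment later."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed port; return (open state, closed state,
    number of connections the listener saw)."""
    open_port, hits = start_listener()
    closed_port = pick_closed_port()
    states = connect_scan("127.0.0.1", [open_port, closed_port])
    time.sleep(0.2)                          # let the listener thread record the accept
    return states[open_port], states[closed_port], len(hits)


if __name__ == "__main__":
    print(demo())   # ('open', 'closed', 1)
```

The third value returned by demo() is the detail that matters operationally: the listener accepted the connection, so anything that logs accepted connections (an SSH daemon, a web server access log, a TCP wrapper) records the scanner’s address. A SYN scan never reaches accept(), which is why it is both faster and quieter, and why it needs raw-socket privileges.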
SEGMENT ARRIVES
RFC 793 (page 65) states: “If the state is CLOSED (i.e., TCB does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.” For a port in the LISTEN state, on the other hand, a segment carrying neither SYN, RST nor ACK is simply dropped.
So if the port is open, the system produces no response, while a closed port replies with an RST/ACK segment. Since silence can equally mean that a firewall dropped the probe, nmap reports such ports as open|filtered.
To understand the origin of the name, just look at the image below. In the nmap manual, the -sX flag “sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.”
UDP scan
A UDP exchange does not involve a handshake, so the scanner has to infer the port state from whatever comes back. If a UDP packet is sent to a port on which no service is listening, the system responds with an ICMP Port Unreachable (type 3, code 3) and the port is reported as closed. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10 and 13) indicate a filtered port. A UDP reply means the port is open. No answer at all leaves the port as open|filtered: either a service is listening but ignores the probe, or a firewall dropped it. To reduce this ambiguity nmap sends protocol-specific payloads to common UDP ports, and because most systems rate-limit ICMP error messages, UDP scans are much slower than TCP scans.
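Scan results are only useful once they are compared with what is supposed to be exposed. The following Python is an added example for this page, not code from the article or from nmap: it parses nmap’s XML output (-oX) into a list of open ports per live host and diffs it against a baseline, which is how a scan feeds the asset-management and hardening-verification uses listed earlier. The XML is a constructed sample in nmap’s output format, the addresses come from the RFC 5737 documentation range, and BASELINE is a hypothetical list of approved services.

```python
"""Added example, not from the article: turning nmap's XML output
(-oX) into an inventory check. SAMPLE_XML is a constructed sample in
nmap's output format, the addresses are from the RFC 5737 documentation
range, and BASELINE is the hypothetical list of services that are
supposed to be exposed.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.0.2.0/28" version="7.94">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.13" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical approved exposure: host -> {(protocol, port)}
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22), ("tcp", 443)},
}


def parse_open_ports(xml_text: str) -> dict:
    """Return {ipv4: {(protocol, port)}} for hosts nmap reported as up,
    keeping only ports in state 'open' (open|filtered is deliberately
    left out: it is a question for a follow-up scan, not a finding)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        hosts[addr.get("addr")] = open_ports
    return hosts


def compare_to_baseline(observed: dict, baseline: dict) -> dict:
    """Three lists a defender acts on: hosts nobody documented, services
    that should not be reachable, and expected services that have
    disappeared (a crashed daemon, or a firewall change)."""
    unknown_hosts = sorted(set(observed) - set(baseline))
    unexpected = sorted((h, proto, port)
                        for h, ports in observed.items() if h in baseline
                        for proto, port in ports - baseline[h])
    missing = sorted((h, proto, port)
                     for h, ports in baseline.items()
                     for proto, port in ports - observed.get(h, set()))
    return {"unknown_hosts": unknown_hosts,
            "unexpected_services": unexpected,
            "missing_services": missing}


if __name__ == "__main__":
    report = compare_to_baseline(parse_open_ports(SAMPLE_XML), BASELINE)
    for key, rows in report.items():
        print(key, rows)
```

On the sample, the diff flags an undocumented host (192.0.2.12), a database port reachable on a host that should only expose SSH and HTTPS (3306 on 192.0.2.10), and a service that has gone missing on 192.0.2.11. Run the same comparison after every scheduled scan and the output is the evidence that the firewall ruleset and the hardening procedures match the design.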
Countermeasures
To detect and prevent network scanning attempts, we suggest the following countermeasures:
carefully design your services to reduce your attack surface, exposing only the necessary services and always keeping in mind the principles of least privilege and need to know;
configure your firewalls to block all traffic that has no business justification;
periodically review your firewall ruleset to keep it aligned with your business needs;
harden your servers, disabling all unused services;
perform network and port scans yourself to verify that your firewall and server policies are aligned with your business needs;
configure an IDS/IPS to promptly detect network and port scans.
The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:
personal data, skills, experience and interests of company’s employees;
company headquarters;
technologies in use (middleware, operating systems);
suppliers and consultants who collaborate periodically with the company;
blocks and network topology;
DNS records.
We can divide footprinting techniques into two macro areas:
active: it involves the collection of information with direct interaction with the target. It is a more risky practice than the passive one, as it could leave traces. The systems of the attacked organization could (should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
passive: involves the collection of information without direct interaction with the target. Some examples are the usage of search engines, social networks, job posting sites, analysis of data received from providers that monitor website’s traffic, commercial performance or deliver reports about future commercial operations of the target.
Identifying the technologies adopted by the target drastically simplifies the attacker’s job. Knowing which technologies are in use, and spotting a lack of good security practices or a poor security posture, increases the attacker’s chances of success.
When we perform a penetration test in which the company wants to know what an attacker with no prior relationship with the organisation could achieve, footprinting activities heavily influence the success of the test.
Footprinting with search engines and social networks
Search engines offer a myriad of information to the attacker. The advanced search operators available in Google, Bing and other search engines surface information that companies are not even aware they expose to the public.
The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.
Thanks to search engines, an attacker gets to know the technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications meant for internal use only and much other information about the target.
Like search engines, social networks provide an enormous quantity of information to attackers.
An attacker can dig through LinkedIn to understand who the key people of the organisation are and what their experience and knowledge is. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, the attacker can exploit the gathered information to perform a social engineering attack.
Tools like theHarvester and sublist3r simplify attackers’ job, reducing the manual work.
Footprinting through job posting sites
The following image shows the information revealed on a job advertisement post. The job post is real. I found it on the platform indeed.com.
The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have some LAMP servers, that they probably monitor their infrastructure with Nagios and that they use Oracle and DB2 as RDBMS. Their infrastructure may include J2EE containers like GlassFish and JBoss and servlet containers like Tomcat. Even though Windows XP and Windows 7 reached end of life over 5 and 2 years ago respectively, they are still asking for people with experience on them.
You are getting information not only about the used technologies but you are also outlining the security posture of the company.
Job posts can tell you a lot more. Are they searching for IT security specialists? Besides tools and countermeasures adopted, they may even tell you how big is their security team. Are they even trying to cover important roles like CIO or CISO?
Tools and services:
We suggest looking at the following tools. We wrote a brief description of each of them: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagoofil, ExifTool, DNSRecon, traceroute.
Countermeasures
Your employees’ and colleagues’ awareness of attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks to which they are exposed inside and outside the office.
The adoption of security policies (hardening of the systems, analysis and reviews of IDS/IPS and other monitoring tools, etc.), the definition of roles and responsibilities will allow a company to quickly detect and react to attackers’ attempts to gather information or to exploit the knowledge they previously gained through passive footprinting techniques.
The term hacker often takes on a negative connotation.
In the past, we often focused on the distinction between a hacker, a person with deep security knowledge who explores technologies, systems and related vulnerabilities out of pure passion, and a cracker, the “malicious” counterpart, who uses that knowledge to cause damage and to steal data of a certain value (for example, credit card numbers).
RFC1392 provides the following definitions:
hacker
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.
cracker
A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.
Unfortunately, media have never bothered to understand the distinction and, for the masses, there is no difference between crackers and hackers.
In our opinion, here is the correct terminology to be used in the security sector:
Black hats (Crackers)
Crackers, or black hats, have got extraordinary computing skills but they lack ethics. They may violate laws by committing malicious or destructive acts.
Script Kiddies
An unskilled cracker who compromises systems using tools, scripts and software developed by others.
White Hats (Ethical Hacker)
An individual who uses his hacking skill for defensive purposes.
They analyse computer systems or networks to detect security issues and give recommendations for improvement to their owners.
A white hat will penetrate a system only with the authorisation and upon request of the infrastructure owner.
Gray Hats
Gray hats use their skills both offensively and defensively.
They often look for system vulnerabilities without the permission or knowledge of the owner. If they find a security issue, they may reveal it to the owner upon the payment of a small fee. Sometimes, their ultimate goal is to show their skills and create awareness about the intrinsic insecurity of the Internet.
It may be useful to know some additional terms. State-sponsored hackers are employed by a government to penetrate other governments’ systems, to cause damage or to obtain top-secret information. You have surely heard about cyber terrorists, individuals driven by political or religious beliefs to create fear among civilians and to influence the policy of the targeted governments.