Vulnerabilities
- Spectre
- Meltdown
- MDS (Microarchitectural Data Sampling) - https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it
- HeartBleed (2014)
Heartbleed allows hackers to steal private keys from what should be secure servers. Infected servers were left wide open to let anyone on the Internet read the memory in systems being protected by a vulnerable version of OpenSSL. The breach let threat actors steal data from servers or listen in on conversations or even spoof services and other users.
https://access.redhat.com/security/vulnerabilities
Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
The History and Future of OWASP
OWASP API Security Top 10 Course - Secure Your Web Apps - YouTube
OWASP Top Ten
Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
Security Misconfiguration
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
Cross-Site Scripting XSS
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.- Reflected XSS
It depends on site immediately reflecting a user input (the search query) back onto the page.- Stored XSS
This happens when the malicious code (usually an injected script, like in our example) isstored on the target site's servers. A classic example is storing user-generated comments without sanitizing them. An attacker could leave a malicious comment that injects a script, andanyone who views that comment would be affected.
Prevention - Sanitize user inputs
XSRF/CSRF - Cross Site Request Forgery
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting(XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser
https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://victorzhou.com/blog/csrf
https://www.freecodecamp.org/news/what-is-cross-site-request-forgery
https://victorzhou.com/blog/xss
Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
https://owasp.org/www-project-top-ten
https://www.cloudflare.com/learning/security/threats/owasp-top-10
https://www.toptal.com/security/owasp-top-10-changelog-2017-revision
OWASP Cheat Sheet
- AJAX Security
- Abuse Case
- Access Control
- Attack Surface Analysis
- Authentication
- Authorization Testing Automation
- Bean Validation
- Choosing and Using Security Questions
- Clickjacking Defense
- Content Security Policy
- Credential Stuffing Prevention
- Cross-Site Request Forgery Prevention
- Cross Site Scripting Prevention
- Cryptographic Storage
- DOM based XSS Prevention
- Database Security
- Denial of Service
- Deserialization
- Docker Security
- DotNet Security
- Error Handling
- File Upload
- Forgot Password
- HTML5 Security
- HTTP Strict Transport Security
- Injection Prevention
- Injection Prevention in Java
- Input Validation
- Insecure Direct Object Reference Prevention
- JAAS
- JSON Web Token for Java
- Key Management
- LDAP Injection Prevention
- Logging
- Mass Assignment
- Microservices based Security Arch Doc
- Multifactor Authentication
- Nodejs Security
- OS Command Injection Defense
- PHP Configuration
- Password Storage
- Pinning
- Query Parameterization
- REST Assessment
- REST Security
- Ruby on Rails
- SAML Security
- SQL Injection Prevention
- Securing Cascading Style Sheets
- Server Side Request Forgery Prevention
- Session Management
- TLS Cipher String
- Third Party Javascript Management
Threat Modeling
Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like"Where am I most vulnerable to attack?","What are the most relevant threats?", and"What do I need to do to safeguard against these threats?".
Threat modeling methodologies
STRIDE
STRIDE is a model of threats developed by Praerit Garg and Loren Kohnfelder at Microsoft for identifying computer securitythreats.It provides a mnemonic for security threats in six categories.
The threats are:
- Spoofing
- Tampering
- Non-Repudiation
- Non-repudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity: non-repudiation authenticates the identity of a user who performs a transaction, and ensures the integrity of that transaction.
- Information disclosure (privacy breach or data leak)
- Denial of service
- Elevation of privilege
https://en.wikipedia.org/wiki/STRIDE_(security)
PASTA
Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.
Trike
https://en.wikipedia.org/wiki/Threat_model- Transaction Authorization
- Transport Layer Protection
- Unvalidated Redirects and Forwards
- User Privacy Protection
- Virtual Patching
- Vulnerability Disclosure
- Vulnerable Dependency Management
- Web Service Security
- XML External Entity Prevention
- XML Security
https://cheatsheetseries.owasp.org
Social Engineering
"Social engineering" refers to the use of humans as an attack vector to compromise a system. It involves fooling or otherwise manipulating human personnel into revealing information or performing actions on the attacker's behalf. Social engineering is known to be a very effective attack strategy, since even the strongest security system can be compromised by a single poor decision. In some cases, highly secure systems that cannot be penetrated by computer or cryptographic means, can be compromised by simply calling a member of the target organization on the phone and impersonating a colleague or IT professional. Common social engineering techniques include phishing, clickjacking, and baiting, although several other tricks are at an attacker's disposal.
Phishing
Spear Phishing
Spear phishing involves selectively targetting employees, and developers are especially vulnerable. Spear phishers will discover information about you, and then selectively use it against you.
Impersonating Services
This is the most well-known form of phishing. It involves posing as a business, often styling emails to look like what that business would typically send.
Smishing
Smishing (SMS phishing) is similar to standard phishing emails, but over SMS instead. Smishing texts will usually impersonate companies and encourage you to click on a link or give away your personal info.
Vishing
Vishing ("voice" and "phishing") involves phishing through phone calls. Of course, this isn't a big deal to us, because what kind of developer seriously answers the phone nowadays? Just send me a text, FFS.
https://dev.to/kathyra_/protect-yourself-from-social-engineering-3ihk
Kill Chain
The term kill chain was originally used as a military concept related to the structure of an attack; consisting of target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target.Conversely, the idea of "breaking" an opponent's kill chain is a method of defense or preemptive action.More recently, Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.The cyber kill chain model has seen some adoption in the information security community.However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model.
https://en.wikipedia.org/wiki/Kill_chain
Tab Nabbing
Tabnabbing is a computer exploit which persuades users to submit their login details and passwords. The attack takes advantage of user trust and inattention to detail in regard totabs, and the ability of browsers to navigate across a page's origin in inactivetabsa long time after the page is loaded. This attack can be done even if JavaScript is disabled, using the "meta refresh" meta element, an HTML attribute used for page redirection that causes a reload of a specified new page after a given time interval. The attack takes advantage of the trust of the victim and the ability of modern web pages to rewritetabsand their contents for a long time after the page has been loaded.
Air Gap
An air gapped machine is simply one that cannot connect to any outside agents. From the highest level being the internet, to the lowest being an intranet or even bluetooth. Air gapped machines are isolated from other computers, and are important for storing sensitive data or carrying out critical tasks that should be immune from outside interference. For example, a nuclear power plant should be operated from computers that are behind a full air gap. For the most part, real world air gapped computers are usually connected to some form of intranet in order to make data transfer and process execution easier. However, every connection increases the risk that outside actors will be able to penetrate the system.