Tuesday, April 5, 2016

Application Vulnerabilities

 
Application Vulnerability
An application vulnerability is a flaw or weakness in an application that could be exploited to compromise the security of the application or the system it runs on.
Once an attacker has found such a flaw and determined how to reach it, the attacker can exploit it to facilitate a cyber crime. These crimes target the confidentiality, integrity, or availability (the “CIA triad”) of resources belonging to the application, its creators, and its users. Attackers typically rely on specific tools or methods to discover and exploit application vulnerabilities. According to Gartner Security, the application layer currently contains 90% of all vulnerabilities.


Failure to Restrict URL Access
If an application fails to restrict access to its URLs properly, its security can be bypassed through a technique called forced browsing: the attacker requests specific pages or data files directly instead of following the links the application presents. Forced browsing becomes a serious problem when the pages reached this way hold sensitive data. Hiding a link in the user interface is not access control; the server must check authorization on every request.
Using this technique, an attacker bypasses the intended navigation of the site and reaches resources directly rather than through the application's own flow. Typical targets are guessed names of backup files that contain sensitive information, source code or other files left on the server, and pages that were only meant to be reachable after an earlier step in a workflow.
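Why hiding a link is not access control, as an added example that is not part of the original post: a toy request router in which the admin pages are merely absent from the menu for ordinary users, beside a hardened router that consults a policy table on every request. The routes, users, roles, `MENU` and `POLICY` tables are assumptions made up for the illustration.

```python
# Added example, not code from the original post: a toy request router that
# shows why hiding a link is not access control, and how a per-request
# authorization check closes the forced-browsing hole. Routes, users and the
# policy table are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None means an anonymous (not logged-in) client


# Constructed user -> role table; a real application reads this from its identity store.
ROLES = {"alice": "admin", "bob": "user"}


# Constructed handlers. Nothing in the handlers themselves checks who is asking.
def home(req: Request) -> Tuple[int, str]:
    return 200, "welcome"


def admin_backup(req: Request) -> Tuple[int, str]:
    return 200, "contents of customers-backup.sql"


def admin_users(req: Request) -> Tuple[int, str]:
    return 200, "list of all users"


ROUTES = {
    "/": home,
    "/admin/users": admin_users,
    "/admin/customers-backup.sql": admin_backup,
}

# The UI only renders these links for each role. The vulnerable router never
# looks at this table, so it protects nothing against a typed-in URL.
MENU = {"admin": list(ROUTES), "user": ["/"], "anonymous": ["/"]}


def serve_vulnerable(req: Request) -> Tuple[int, str]:
    """Serve whatever path exists; the only 'protection' is that the menu hides admin links."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


# Hardened: one policy table, consulted on every request before any handler runs.
# Entries are (path prefix, roles allowed); the longest matching prefix wins.
POLICY = [
    ("/admin/", {"admin"}),
    ("/", {"admin", "user", "anonymous"}),
]


def role_of(req: Request) -> str:
    return ROLES.get(req.user, "anonymous") if req.user else "anonymous"


def authorized(req: Request) -> bool:
    for prefix, allowed in sorted(POLICY, key=lambda rule: -len(rule[0])):
        if req.path.startswith(prefix):
            return role_of(req) in allowed
    return False   # default deny: a path no rule covers is not served


def serve_hardened(req: Request) -> Tuple[int, str]:
    # Authorize before looking the path up, so unauthorized clients cannot even
    # learn which admin URLs exist.
    if not authorized(req):
        return 403, "forbidden"
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


if __name__ == "__main__":
    forced = Request("/admin/customers-backup.sql", user="bob")  # bob types the URL directly
    print(serve_vulnerable(forced))   # (200, 'contents of customers-backup.sql')
    print(serve_hardened(forced))     # (403, 'forbidden')
```

The point of the hardened version is that the decision lives in one place (`POLICY`), is applied to every request regardless of how the URL was obtained, and denies by default: a new admin page added under `/admin/` is protected without anyone remembering to add a check to its handler.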

Insufficient Transport Layer Protection
Insufficient Transport Layer Protection is a weakness in applications that do not protect their network traffic. Applications may use SSL/TLS during authentication but fail to use it elsewhere, leaving page content and session IDs exposed on the wire. Anyone who can observe that traffic can intercept the session ID and take over the authenticated session, so the application is open to exploit even though the login itself was encrypted.
As OWASP states, "Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly."
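A small audit for the "TLS only at login" pattern described above, as an added example that is not part of the original post. It walks a list of constructed HTTP responses (not captured traffic) and reports the three things a reviewer checks by hand: pages still served over plain HTTP, a session cookie issued without the Secure attribute, and HTTPS responses missing an effective Strict-Transport-Security header. The cookie-name pattern in `SESSION_COOKIE` is an assumption; extend it for your framework.

```python
# Added example, not code from the original post: a small audit of HTTP
# responses for the "TLS only at login" pattern. The responses are constructed
# samples, not captured traffic; the findings are the checks a reviewer would
# make by hand.
import re
from typing import Dict, List, Tuple

# (scheme the page was served over, path, response headers)
Response = Tuple[str, str, Dict[str, List[str]]]

# Constructed: the login page uses HTTPS, then the application drops back to
# plain HTTP, and the session cookie was issued without the Secure attribute.
LEAKY: List[Response] = [
    ("https", "/login", {"Set-Cookie": ["JSESSIONID=abc123; Path=/; HttpOnly"]}),
    ("http", "/account", {}),
    ("http", "/orders", {}),
]

# Constructed: every page over HTTPS, Secure session cookie, HSTS on every response.
HARDENED: List[Response] = [
    ("https", "/login", {
        "Set-Cookie": ["JSESSIONID=abc123; Path=/; HttpOnly; Secure"],
        "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    }),
    ("https", "/account", {"Strict-Transport-Security": ["max-age=31536000; includeSubDomains"]}),
    ("https", "/orders", {"Strict-Transport-Security": ["max-age=31536000; includeSubDomains"]}),
]

# Names assumed here to identify a session cookie; extend for your framework.
SESSION_COOKIE = re.compile(r"^(jsessionid|phpsessid|asp\.net_sessionid|session\w*)=", re.I)


def audit(responses: List[Response]) -> List[str]:
    """Return one finding string per transport-protection weakness found."""
    findings: List[str] = []
    for scheme, path, headers in responses:
        if scheme != "https":
            findings.append(
                f"{path}: served over plain HTTP, page content and any cookie sent "
                f"with the request are exposed")
        for cookie in headers.get("Set-Cookie", []):
            attrs = [part.strip().lower() for part in cookie.split(";")]
            if SESSION_COOKIE.match(attrs[0]) and "secure" not in attrs[1:]:
                findings.append(
                    f"{path}: session cookie lacks Secure, so the browser will also "
                    f"send it over HTTP")
        if scheme == "https":
            hsts = headers.get("Strict-Transport-Security", [])
            max_age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
            if max_age is None or int(max_age.group(1)) == 0:
                findings.append(
                    f"{path}: no effective HSTS header, a later http:// link or typed "
                    f"URL still goes over plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit(LEAKY):
        print(finding)
    print("hardened:", audit(HARDENED))   # hardened: []
```

The fixes the audit points at are all server-side: redirect every http:// request to https://, issue the session cookie with Secure (and HttpOnly), and send Strict-Transport-Security on every HTTPS response so the browser stops making plain-HTTP requests at all. The other half of the OWASP wording, weak algorithms and expired or invalid certificates, is a check on the TLS configuration and certificate chain and is not covered by this header audit.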

LDAP Injection
LDAP is a widely used open-standard protocol for querying and manipulating information directories. The LDAP protocol runs over internet transport protocols such as TCP. Web applications may use user-supplied input to build LDAP statements dynamically for a page request. LDAP injection is the technique of exploiting web applications that place client-supplied data in LDAP statements without first escaping or rejecting the characters that have special meaning in them.
When a web application fails to sanitize user-supplied input properly, an attacker can alter the structure of the LDAP statement rather than just the value being searched for. The modified statement runs with the permissions of the component that issued it (e.g., the web application server or web server), so the damage depends on what that account is allowed to do: where it may query, modify or remove anything inside the LDAP tree, the attacker can do the same.
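The filter a login form might build, as an added example that is not part of the original post: first by string formatting, then with RFC 4515 escaping of the reserved characters. No directory server is contacted; the filters are only constructed so the effect of a constructed attacker input can be inspected. The `first_complete_filter` helper models the lenient parsing that makes the injection work and is an assumption about server behaviour, not a quote from any implementation.

```python
# Added example, not code from the original post: the LDAP search filter a
# login form might build, first by string formatting and then with RFC 4515
# escaping. No directory is contacted; the filters are only constructed so the
# effect of the attacker's input can be inspected.


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    # Backslash first, otherwise the escape sequences added below would be re-escaped.
    out = value.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, code)
    return out


def login_filter_vulnerable(user: str, password: str) -> str:
    # The classic pattern: user input dropped straight into the filter text.
    return "(&(uid=%s)(userPassword=%s))" % (user, password)


def login_filter_hardened(user: str, password: str) -> str:
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(user), escape_filter_value(password))


def first_complete_filter(filt: str) -> str:
    """Return the leading balanced-parenthesis expression.

    Assumed model of a lenient parser: only this part of the filter is
    evaluated and trailing text is ignored. That is what makes the injection
    below work: the attacker closes the filter early and the password clause
    is left outside it.
    """
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filt[: i + 1]
    return filt


if __name__ == "__main__":
    # Constructed attacker input: closes the uid clause, adds a wildcard, and
    # orphans the password check.
    evil_user = "*)(uid=*))(|(uid=*"
    vuln = login_filter_vulnerable(evil_user, "wrong")
    print(vuln)                           # (&(uid=*)(uid=*))(|(uid=*)(userPassword=wrong))
    print(first_complete_filter(vuln))    # (&(uid=*)(uid=*))   -> matches every entry
    print(login_filter_hardened(evil_user, "wrong"))
    # (&(uid=\2a\29\28uid=\2a\29\29\28|\28uid=\2a)(userPassword=wrong)) -> matches nothing
```

In real code use the escaping your LDAP library ships rather than a hand-written one (python-ldap's `ldap.filter.escape_filter_chars`, ldap3's `ldap3.utils.conv.escape_filter_chars`), and note that distinguished names follow a different escaping rule (RFC 4514) from filter values. Checking a password by searching on `userPassword` is itself poor design; the proper check is a bind as the user, which also removes the password from the filter text entirely.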

SQL Injection
SQL injection is a type of web application security vulnerability in which an attacker is able to submit input that the web application passes to its database as part of a SQL command, exposing the back-end database. A SQL injection attack can occur when a web application uses user-supplied data as part of a command or query without proper validation or encoding. The specially crafted user data tricks the application into executing unintended commands or changing data. SQL injection allows an attacker to create, read, update, alter or delete data stored in the back-end database. In its most common form, a SQL injection attack gives access to sensitive information such as social security numbers, credit card numbers or other financial data. According to Veracode’s State of Software Security Report, SQL injection is one of the most prevalent types of web application security vulnerability.
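The same login query built by string formatting and as a parameterised statement, as an added example that is not part of the original post. It runs against an in-memory SQLite table of constructed rows and shows two constructed attacker inputs: one that comments out the password check, and one that uses UNION to pull a different column (here the password column) into the result set. Passwords are stored in clear only to keep the illustration short; a real system stores hashes.

```python
# Added example, not code from the original post: the same login query built
# by string formatting and as a parameterised statement, run against an
# in-memory SQLite table of constructed rows. Passwords are stored in clear
# here only to keep the illustration short; a real system stores hashes.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, ssn) VALUES (?, ?, ?)",
        [("alice", "correct horse", "123-45-6789"), ("bob", "hunter2", "987-65-4321")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    # User input becomes part of the SQL text, so quotes and comment markers in
    # it change the statement the database sees.
    sql = ("SELECT username, ssn FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    # Placeholders: the statement is fixed, the values travel separately and
    # are compared as data, never parsed as SQL.
    sql = "SELECT username, ssn FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed attacker input 1: comment out the password check.
    bypass = "' OR 1=1 --"
    print(login_vulnerable(conn, bypass, "x"))   # both rows, no password needed
    print(login_hardened(conn, bypass, "x"))     # []
    # Constructed attacker input 2: pull a different column into the result set.
    dump = "' UNION SELECT username, password FROM users --"
    print(login_vulnerable(conn, dump, "x"))     # usernames paired with their passwords
    print(login_hardened(conn, dump, "x"))       # []
```

With the first input the database sees `WHERE username = '' OR 1=1 --' AND password = 'x'`, so the password clause is a comment and every row matches; with the second, the UNION appends a second SELECT whose output lands in the columns the page renders as "username" and "ssn". The parameterised version returns nothing for either input because the whole string is compared against the `username` column as a value.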

Understanding SQL Injection, XML Injection, and LDAP Injection
 
Mobile Application Vulnerabilities
There are 2 main categories of mobile app risks.
A. Malicious Functionality
B. Vulnerabilities
The Malicious Functionality category is a list of unwanted and dangerous behaviors hidden in a Trojan app that the user is tricked into installing. The user thinks they are installing a game or utility and instead gets hidden spyware, a phishing UI, or unauthorized premium-rate dialing.


Malicious Functionality
1. Activity monitoring and data retrieval
2. Unauthorized dialing, SMS, and payments
3. Unauthorized network connectivity (exfiltration or command & control)
4. UI impersonation
5. System modification (rootkit, APN proxy config)
6. Logic or time bomb

 
Vulnerabilities
The Vulnerabilities category consists of errors in design or implementation that expose the data on the mobile device to interception and retrieval by attackers. Vulnerabilities can also expose the mobile device, or the cloud applications used from the device, to unauthorized access.
1. Sensitive data leakage (inadvertent or side channel)
2. Unsafe sensitive data storage
3. Unsafe sensitive data transmission
4. Hardcoded passwords/keys
 
Software Application Vulnerabilities
Microsoft Office
Adobe Flash
Adobe Reader
Java SE Runtime Environment
 
Zero-day exploits target software flaws for which the vendor has not yet released a patch.
"In this scenario, attackers are able to identify a flaw that is not yet known or covered by vendors. An example of this was the DUQU threat in the Middle East, which was dubbed as the next STUXNET. Based on analysis, the attackers behind DUQU used a .DOC file that exploits a previously unpatched vulnerability in Microsoft Word to drop either RTKT_DUQU.B or TROJ_DUQU.B onto the affected system. Duqu looks for information that could be useful in attacking industrial control systems. Its purpose is not to be destructive; the known components are trying to gather information.[12] However, based on the modular structure of Duqu, special payload could be used to attack any type of computer system by any means and thus cyber-physical attacks based on Duqu might be possible. However, use on personal computer systems has been found to delete all recent information entered on the system, and in some cases total deletion of the computer's hard drive."
 
A software vulnerability is a security flaw, glitch, or weakness in software or in an operating system (OS) that an attacker can exploit. An example of a software flaw is a buffer overflow: the program writes more data into a fixed-size memory buffer than the buffer can hold, and the excess overwrites adjacent memory. A crash or hang when a crafted file is opened is the visible symptom; if the attacker controls the overflowing data, the overwritten memory can redirect the program into code of the attacker's choosing.
 
Adobe Flash
Adobe Flash accounted for 8 of the top 10 vulnerabilities used by exploit kits in 2015.
Angler, the most popular exploit kit, is currently tied to the malware known as CryptoLocker.
The most recent known Flash vulnerability was disclosed on March 11 of this year.
Experts suggest that Adobe Flash is unreliable and should be disabled.
In 2015, 1,114 vulnerabilities were discovered in the five most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari. That represents a four percent increase over 2014. Over the same period, 147 vulnerabilities were discovered in the five most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.
There is some good news in the fact that 84 percent of vulnerabilities in all products had patches available on the day of disclosure in 2015. The number of zero-day vulnerabilities, 25, was the same as in 2014.
 
Java SE Runtime Environment
The Java Runtime Environment (JRE) is the engine that runs Java applications, so an unpatched JRE exposes every application it runs.


Ex. “Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate. … In one part of the technology audit, federal officials conducted vulnerability scans and found Premera wasn’t implementing critical patches and other software updates in a timely manner. ....The auditors also found that several servers contained software applications so old that they were no longer supported by the vendor and had known security problems, that servers contained “insecure configurations” that could grant hackers access to sensitive information, and that Premera needed better physical controls to prevent unauthorized access to its data center.”


1 comment:

  1. Very good presentation, very enjoyable.
