Common Vulnerabilities & Suggested Fixes
Cross Site Scripting - Client-side vulnerability that occurs when user input is rendered in a page without any output encoding or input sanitization.
Impact - Cookie Theft, Execution of Malicious JavaScript, Phishing, Open Redirect, Submitting internal forms while bypassing CORS/CSRF protections; if the target is an Electron app even RCE is possible.
Fix - Input Sanitization & Output Encoding, Use Security Frameworks & Libraries, CSP, X-XSS-Protection header (no longer useful: it relies on the browser's XSS auditor, which most browsers have removed).
Variants - Reflected, Stored, DOM Based, Post Message, HTML Injection, CSS Injection.
Cross Site Request Forgery - Victim is tricked into submitting a malicious cross-site request from the attacker's website, which causes unintended actions on a cross-site website where the victim is already logged in.
Impact - Attacker can perform unauthorized & undesired actions on a cross-site website on behalf of the victim.
Fix - Use unique & long CSRF tokens for each form/request where an important user action is performed, Use SameSite Cookies in Strict mode (Lax still allows top-level GET requests, e.g. a redirect to a cross-site page), Referer based validation (Not recommended: some browsers do not send the Referer header, and some websites set a referrer policy that suppresses it).
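The token and cookie side of the fix above, as an added example that is not part of the original page: a per-session token stored server-side, a constant-time check on every state-changing request, and a session cookie issued with SameSite=Strict. The SESSIONS store, the endpoint and its form fields are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> CSRF token.
# A real app would keep this in its server-side session storage.
SESSIONS = {}

def issue_csrf_token(session_id):
    """Generate one long, unpredictable token per session and store it server-side.
    The token is embedded in the form as a hidden field; an attacker's page
    cannot read it because the same-origin policy blocks reading the response."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[session_id] = token
    return token

def verify_csrf_token(session_id, submitted):
    """True only if the submitted token equals the token bound to this session."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, submitted)

def session_cookie_header(session_id):
    """Set-Cookie header for the session cookie. SameSite=Strict means the
    browser never attaches it to a cross-site request; Secure and HttpOnly
    keep it off plain HTTP and away from JavaScript."""
    return (f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; "
            "SameSite=Strict")

def handle_transfer(session_id, form):
    """A state-changing endpoint: refuse unless the CSRF token checks out.
    Returns (status_code, message)."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"
```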
SQL Injection - When a website accepts user input & uses it to construct & run SQL queries without sanitizing it, an attacker can supply malicious payloads as user input to run arbitrary SQL queries.
Impact - Attacker can dump, modify or delete the database.
Fix - Parameterized SQL Statements, Input Validation.
Variants - General, Blind
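The concatenated query beside its parameterized form, as an added example that is not from the original page, using an in-memory SQLite database constructed for the purpose. The users table and the function names are assumptions of the example.

```python
import sqlite3

def build_db():
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    """String concatenation: the input is spliced into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]

def find_user_safe(conn, name):
    """Parameterized statement: the input is bound as a value by the driver and
    is never parsed as part of the query, whatever characters it contains."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

def find_user_validated(conn, name):
    """Input validation as a second layer on top of parameterization: only
    accept what a username is allowed to look like."""
    if not (name.isalnum() and 1 <= len(name) <= 32):
        raise ValueError("invalid username")
    return find_user_safe(conn, name)
```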
Broken Authentication - When the server fails to validate that the user is who they claim to be, i.e. whether the person is actually authenticated.
Impact - Attacker is able to perform actions on the server without any authentication, or to impersonate someone else, due to flaws in the authentication logic.
Fix - Authenticate all important & sensitive post-login URLs, Use random, secure & long session IDs, Rate limit & use CAPTCHA on login endpoints, Implement 2FA. Some authentication vulnerabilities are specific to auth mechanisms such as OAuth; follow the security guidelines for the specific mechanism in use.
Variants - Guessable Session IDs, Accessing URLs without Cookie/Auth Headers, Credential Bruteforce, OAuth/SAML/JWT Related vulnerabilities.
Broken Authorization - When the server fails to validate that the user has the necessary permission/privilege to perform a particular action.
Impact - Attacker can access sensitive information or perform privileged actions on the server without having the necessary permissions/roles.
Fix - Implement proper authorization/role-based checks on all authenticated endpoints.
Variants - IDOR, Privilege Escalation
Sensitive Data Exposure - Sensitive data is not encrypted/hashed & is visible in plain text at rest or in transit.
Impact - Attacker can view sensitive information, violating confidentiality (the C of the CIA triad).
Fix - Encrypt/hash the sensitive information, Use secure protocols such as TLS to encrypt data in transit, Do not hardcode credentials/secrets, Return only the information a request actually needs.
Security Misconfiguration - These occur when the server or any of its dependencies are misconfigured, resulting in a security vulnerability.
Impact - Varies depending on the misconfiguration: e.g. account takeover if default credentials are enabled, sensitive information disclosure if directory listing is enabled or a stack trace is disclosed.
Fix - Follow common security guidelines when configuring a web server, Do not use default credentials, Use security headers.
Variants - Default Credentials, Directory Listing, Stack Trace Disclosure, Missing or Misconfigured Security Headers, Unnecessary ports or features openly accessible by attacker, Misconfigured CORS.
Server Side Request Forgery - These occur when the server fetches resources based on user input without any validation.
Impact - Internal Port Scanning, Access to Internal Services, Sensitive File Disclosure, Access to Cloud Metadata, Escalation to command execution in most cases.
Fix - Allow only whitelisted IPs, domains, schemes & ports, Validate user input, Do not show the raw response to clients.
Variants - General, Cloud(Metadata), Blind.
XML External Entity Injection - When the server accepts & parses user-supplied XML without validation, it might result in local file disclosure, SSRF & command execution vulnerabilities.
Impact - Local file disclosure, SSRF, Command execution depending on the environment.
Fix - Disable DOCTYPE declarations (DTDs) completely, Disable external DTDs, Disable external general entities, Disable external parameter entities, Disable or limit entity expansion.
Variants - General, Blind, XSLT Injection, XInclude XXE.
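The first item of the XXE fix (refuse DOCTYPE declarations outright) implemented on the standard-library expat parser, as an added example that is not from the original page. The parser collects only leaf text into a dict; the sample documents and the placeholder file path are constructed for the example.

```python
import xml.parsers.expat

class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, the only place entities
    (internal, external, parameter) can be declared."""

def parse_untrusted_xml(data):
    """Parse XML from an untrusted source into a {tag: text} dict, refusing any
    document that declares a DOCTYPE. With no DOCTYPE there is nowhere to
    declare an external entity or an expansion bomb, so the parser never has
    a chance to resolve one. Attributes are ignored for brevity."""
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    stack = []  # [tag, [text pieces]] for each currently open element

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so nothing inside it is processed.
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def start(name, attrs):
        stack.append([name, []])

    def chars(text):
        if stack:
            stack[-1][1].append(text)

    def end(name):
        tag, pieces = stack.pop()
        result[tag] = "".join(pieces).strip()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result

# Constructed samples: a benign order document, and one that declares an
# external entity pointing at a placeholder path (the shape an XXE probe takes).
BENIGN_XML = "<order><item>book</item><qty>2</qty></order>"
DOCTYPE_XML = ('<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
               "<order><item>&ext;</item></order>")
```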
Path Traversal - Occurs when the server accepts untrusted user input & uses it to construct a file system path to access/modify resources.
Impact - Access/Modify/Delete unintended files on the server; can be escalated to command execution in case of arbitrary file write.
Fix - Validate user input, Normalize the final constructed file path & check that it is accessible to the user & lies inside the server's intended directory (use string startswith/equals for this check, never contains).
Variants - Local File Inclusion, Remote File Inclusion, Arbitrary File Read, Arbitrary File Write, Zip Slip Vulnerabilities.
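The normalize-then-prefix-check fix above, as an added example that is not from the original page. It goes one step beyond the Fix line: the prefix check appends the path separator, because a bare startswith also accepts a sibling directory whose name merely begins with the base name. The two weak checks are included only to show what they let through; the base directory is a constructed path.

```python
import os

def resolve_under_base(base_dir, user_path):
    """Return the absolute path for user_path inside base_dir, or None when the
    normalized path escapes base_dir. Normalization happens before the check,
    so "..", ".", duplicate separators and symlinks are all resolved first."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Prefix check with the separator appended (or exact equality with base), so
    # that "/srv/files_private/x" is not accepted as being inside "/srv/files".
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None

def weak_contains_check(base_dir, user_path):
    """The check the Fix line warns against: testing whether the base directory
    appears somewhere in the unnormalized path. "../" sequences pass it."""
    candidate = os.path.join(base_dir, user_path)
    return base_dir in candidate

def weak_prefix_check(base_dir, user_path):
    """startswith without the trailing separator: a sibling directory whose
    name merely begins with the base name also passes."""
    candidate = os.path.normpath(os.path.join(base_dir, user_path))
    return candidate.startswith(base_dir)
```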
Open Redirect - Occurs when the website takes untrusted user input & redirects to other resources based on it.
Impact - Account Takeover (OAuth redirect URL), Redirect to the attacker's webpage, Phishing, Sometimes can be escalated to XSS & SSRF.
Fix - Allow redirections only to whitelisted schemes, IPs/domains & ports, Validate user input.
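One URL allowlist that serves both the SSRF fix and the Open Redirect fix above, as an added example that is not from the original page: scheme, host and port must each match exactly, and the parsing pitfalls that defeat naive checks (userinfo before @, a matching prefix on a longer hostname, scheme-relative URLs, backslashes) are handled. The is_public_ip helper covers the SSRF side once the host has been resolved. The allowed hosts and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def is_allowed_url(url, allowed_hosts, allowed_schemes=("https",)):
    """True only if url is absolute, uses an allowed scheme, carries no userinfo,
    names an allowlisted host exactly and uses that scheme's default port."""
    if "\\" in url:
        return False          # browsers treat "\" as "/"; urlsplit does not, so refuse
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        return False          # also rejects scheme-relative "//host/" and "file:"
    if parts.username is not None or parts.password is not None:
        return False          # "https://good@evil/" actually points at evil
    host = parts.hostname     # already lowercased by urlsplit
    if host is None or host not in {h.lower() for h in allowed_hosts}:
        return False          # exact match: "good.evil.example" is not "good.example"
    try:
        port = parts.port     # ValueError for a non-numeric port
    except ValueError:
        return False
    return port is None or port == DEFAULT_PORTS.get(scheme)

def is_public_ip(ip_str):
    """SSRF side: once the host is resolved, refuse loopback, private, link-local
    (the cloud metadata service lives in 169.254.0.0/16), reserved and
    multicast addresses so the server never fetches from its own network."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast
```

Resolve the hostname yourself and connect to the checked address, otherwise a DNS answer that changes between the check and the fetch bypasses is_public_ip.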
Using Components With Known Vulnerabilities - Occurs when the server uses components that have known vulnerabilities.
Impact - Depends on the vulnerable component; the worst case is command execution.
Fix - Use an SBOM & dependency trackers to track all dependencies/packages used by the server, Update all components to the latest stable non-vulnerable versions.
Insecure Deserialization - Serialization is converting objects into bytes or another format that is easier to store or transport; deserialization converts the serialized data back into its original object (class). When the server doesn't check the integrity of a serialized object & accepts user input containing serialized data & directly deserializes it into an object, it may lead to an insecure deserialization vulnerability. [PortSwigger Blog]
Impact - Command Execution, Business logic vulnerabilities, Privilege Escalation, etc., depending on how the object is deserialized.
Fix - Do not deserialize user input unless really necessary, Perform an integrity check on the serialized object if you are deserializing user input.
Variants - General, Gadget Chain Attack.
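The integrity check from the fix above, as an added example that is not from the original page: the serialized object carries an HMAC-SHA256 tag that is verified before anything is parsed, and the format is JSON so the payload cannot name classes at all. The key, the sample object and the tampered_copy helper (which stands in for a client editing its own token) are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed key for the example; a real deployment loads it from a secrets store.
SECRET_KEY = b"example-key-replace-with-32-random-bytes"

def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()

def serialize_signed(obj, key=SECRET_KEY):
    """Serialize to JSON (a data-only format that cannot carry code or class
    names) and append an HMAC tag over the exact bytes that will be parsed later."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = _sign(payload, key)
    return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)

def deserialize_verified(blob, key=SECRET_KEY):
    """Verify the tag BEFORE parsing anything; unsigned, re-keyed or altered
    blobs are rejected and never reach the deserializer."""
    try:
        payload_b64, tag_b64 = blob.split(b".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed blob")
    if not hmac.compare_digest(_sign(payload, key), tag):
        raise ValueError("integrity check failed")
    return json.loads(payload)

def tampered_copy(blob):
    """Simulates the threat the check defends against: the client edits the
    serialized object (promoting itself to admin) but keeps the old tag."""
    payload_b64, tag_b64 = blob.split(b".", 1)
    obj = json.loads(base64.urlsafe_b64decode(payload_b64))
    obj["role"] = "admin"
    new_payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(new_payload) + b"." + tag_b64
```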