Penetration Test - Select Your Attacks(12)

Code Vulnerabilities

UNSECURE CODE PRACTICES
  • Comments in source code
    • Good for developers and technical personnel
    • Bad for keeping secrets
  • Lack of error handling
    • Bad things happen - developers don't think of everything
  • Overly verbose error handling
    • Error messages can give too much info
    • Bad error message:
      • "Password invalid for this user"
    • Better error message:
      • "User ID or password is invalid"
  • Hard-coded credentials
    • Happens often - compiled and interpreted (strings command)
    • Attackers can use login credentials
  • Race conditions
    • Resource should be validated before it's used
      • e.g. checking a file is in place
    • TOC (Time of Check)/TOU (Time of Use)
      • Gap between checking a condition and using that resource
      • Attackers can influence other events and affect operation
  • Unauthorized use of functions/unprotected APIs (Application Programming Interface)
  • Unintended API usage
  • Hidden elements
    • HIDDEN attribute in XML and HTML (doesn't hide data in the source code)
  • Code signing
    • Certificates can authenticate author's identity, ensure integrity
  • Lack of code signing
    • Lack of signing allows attackers to modify code between deployment and execution
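
The time-of-check/time-of-use gap from the race conditions item above, shown as an added example that is not part of the original notes: the first function validates a file name and then opens the name again, the second opens once and validates the descriptor it will read. It assumes a POSIX system (os.O_NOFOLLOW); the function names, file names and the `gap` callback, which stands in for a concurrent process, are constructed for illustration.

```python
import os
import stat
import tempfile

def read_check_then_use(path, gap=None):
    """Flawed pattern: validate the name, then resolve the name a second time."""
    if not stat.S_ISREG(os.lstat(path).st_mode):      # time of check
        raise PermissionError("not a regular file")
    if gap:
        gap()                                         # stands in for a concurrent process
    with open(path, "rb") as f:                       # time of use
        return f.read()

def read_open_then_check(path, gap=None):
    """Hardened pattern: open once, validate the descriptor that will be read."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # fails if the name is a symlink
    with os.fdopen(fd, "rb") as f:
        if gap:
            gap()                                     # renames no longer affect this descriptor
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()

def demo():
    """Run both patterns against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")          # constructed sample files
        other = os.path.join(d, "other.txt")
        with open(other, "wb") as f:
            f.write(b"unrelated")
        def reset():                                  # recreate the expected regular file
            if os.path.lexists(path):
                os.remove(path)
            with open(path, "wb") as f:
                f.write(b"expected")
        def swap():                                   # the name changes inside the gap
            os.remove(path)
            os.symlink(other, path)
        reset()
        flawed = read_check_then_use(path, swap)
        reset()
        hardened = read_open_then_check(path, swap)
        try:                                          # path is now a symlink
            read_open_then_check(path)
            refused = False
        except OSError:
            refused = True
        return flawed, hardened, refused
```

`demo()` returns the bytes each pattern read and whether the hardened reader refused the symlinked name: the flawed reader returns the other file's contents, the hardened reader returns the file it validated.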
QUICK REVIEW
  • Source code comments can provide attackers with valuable insider information
  • Error messages can also provide attackers with guidance on how to proceed with an attack
  • Any software developer shortcuts (i.e. laziness) can make an attacker's job easier
posted @ 2020-10-28 20:49  晨风_Eric