Table of contents
- Injection Attacks
- Broken authentication & session management
- Cross site scripting
- Insecure direct object references
- Security Misconfiguration
- Sensitive data exposure
- Missing function level access control
- Cross site request forgery
- Unvalidated redirects & Forwards
In your Python Django/Flask code, How to prevent?
- is a type of application security vulnerability whereby a malicious user is able to manipulate the SQL statements that the application sends to the backend database server for execution. A successful SQL injection attack exposes the data of the underlying database directly to the attacker.
XML External Entity (XXE) Injection
- is a type of application security vulnerability whereby a malicious user can attack poorly configured/implemented XML parser within an application. Malicious external entity references can be forced by an attacker, which results in unauthorised read-access to sensitive files on the server that the XML parser runs from. Denial of Service is another potential outcome.
A Command Injection vulnerability
- when exploited by a malicious user, results in execution of arbitrary system commands on the host operating system. Command Injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers, etc) to a system command. The malicious system command is run server side with the same privileges as the application.
Broken Authentication & session management
- is a type of application vulnerability where an application does not correctly renew session tokens when changing from a pre-login to post-login state. The same pre-login session token should not be used post-login, otherwise an attacker has the potential to steal authenticated sessions of legitimate users. When a session of one user is stolen by another, it is known as a “hijacked session”. Session fixation
Use of Insufficiently random values
- are an application security vulnerability whereby the application generates predictable values in sensitive areas of code that absolutely require strict randomness (unpredictability). As a result it may be possible for an attacker to predict the next value generated by the application to defeat cryptographic routines, access sensitive information, or impersonate another user.
Cross site scripting
Reflected Cross-site Scripting (XSS)
- Unlike Persistent XSS, with Reflected Cross-site Scripting (XSS) attacker-supplied script code is never stored within the application itself. Instead the attacker crafts a malicious request to the application to illicit a single HTTP response by the application that contains the attacker's supplied script code. Successful attacks require victim users to open a maliciously crafted link (which is very easy to do).
Persistent Cross-Site Scripting (XSS)
- is an application vulnerability whereby a malicious user tricks a web application into storing attacker-supplied script code which is then later served to unsuspecting user(s) of the application. The attacker-supplied script code runs on the client-side system of other end user(s) of the application. This type of vulnerability is widespread and affects web applications that utilize (unvalidated) user-supplied input to generate (unencoded) application output, that is served to users.
Document Object Model (DOM) Based XSS
- is a type of XSS attack wherein the attacker's payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
Insecure direct object references
Directory (Path) Traversal
- is an application vulnerability that allows an attacker to access directories and files that are stored outside the web root folder. This type of vulnerability is found in applications that make insecure references to files based on user supplied input. A classic example is manipulating file location input variables with “dot-dot-slash (../)” sequences and its variations, to access arbitrary files and directories of the server's file system, such as sourcecode or password files, or other sensitive files.
Privileged Interface Exposure
- is a type of application weakness whereby a privileged (administration) interface is accessible to regular (low-privileged) users of the system. Because administration interfaces are only used by trusted administrator users, they are often overlooked from a security perspective. When exposed to the public Internet a malicious attacker could use the interface to her advantage.
Leftover debug code
- A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. When this sort of debug code is accidentally left in the application, the application is open to unintended modes of interaction. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.
Sensitive data exposure
Authentication credentials in URL
- Insecure Logging is a type of application security vulnerability whereby the application is configured to either log sensitive data to log files (such as personally identifiable information, payment card information, or authentication credentials etc). Furthermore, if the application is not correctly validating user-supplied input that is then stored in logs, an attacker is able to maliciously manipulate log files.
Session Exposure within URL
- The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.
- is a type of application security vulnerability whereby the vulnerable web application reveals whether a username (email address or account name) exists or not, this can be a consequence of a misconfiguration or a design decision. The information obtained via user enumeration can then be used by an attacker to gain a list of users on system. This information can be used to further attack the web application, for example, such as through a brute force credential guessing attack. Play and Learn…
Missing function level access control
Horizontal Privilege Escalation
- is an application vulnerability that allows one (normal) User of an application to create, read, update and/or delete the data belonging to another (normal) User. This type of vulnerability is often the result of errors in the authorization logic.
Vertical privileage Escalation
- Missing Function Level Access Control is an application vulnerability that allows either an Anonymous User or Legitimate User of the application to access the create, read, update and/or delete functionality belonging to another user of the application. This example we show how Vertical Privilege Escalation is a potential outcome of this vulnerability.
Cross site request forgery
Cross site request forgery(POST)
- Cross-Site Request Forgery (CSRF) is an application security vulnerability that permits an attacker to force another logged-in user of the application to perform actions within that application without realising. The classic example is Bob and Alice both being logged-in users of an online banking application, and Bob tricks Alice into making a funds transfer to Bob's account with CSRF. Importantly, in CSRF attacks the attacker does not have a direct mechanism for seeing the application's response to the victim.
Cross site request forgery(GET)
Cross-Site Request Forgery (CSRF) is an application security vulnerability that permits an attacker to force another logged-in user of the application to perform actions within that application without realising. The classic example is Bob and Alice both being logged-in users of an online banking application, and Bob tricks Alice into making a funds transfer to Bob's account with CSRF. Importantly, in CSRF attacks the attacker does not have a direct mechanism for seeing the application's response to the victim.
- Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Unvalidated redirects & Forwards
Insecure URL redirect
- Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.