Common Software Vulnerabilities
Insecure Direct Object References (IDOR)
A security flaw that arises when an application provides direct access to objects based on user input. Mitigation includes proper access control checks and avoiding exposure of direct references to internal implementation objects.
Directory Traversal
An HTTP exploit that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Mitigation includes input validation, user access control, and use of chroot jails for file access.
Man-in-the-Middle (MitM) Attack
Occurs when an attacker secretly relays or alters the communication between two parties who believe they are directly communicating with each other. Mitigation includes using HTTPS encryption, certificate pinning, and strong mutual authentication.
Buffer Overflow
Occurs when a program writes more data to a buffer than it was intended to hold. Mitigation includes using memory-safe programming languages and functions, stack canaries, and Address Space Layout Randomization (ASLR).
Use of Hardcoded Credentials
Inclusion of sensitive information like passwords or secret keys directly within source code. Mitigation includes using environment variables, secure vaults, or configuration files to handle credentials.
Broken Authentication
Occurs when attackers are able to compromise passwords, keys, or session tokens, or exploit other implementation flaws to assume users' identities. Mitigation includes multi-factor authentication, strong password policies, and secure session management.
Session Hijacking
The exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Mitigation includes using HTTPS, secure cookies, and implementing proper session management.
XML External Entity (XXE) Attack
An attack against an application that parses XML input and resolves external entities. Consequences can include disclosure of local files, denial of service (DoS), and server-side request forgery (SSRF). Mitigation includes disabling external entity and DTD processing in all XML parsers.
Race Condition
A condition where the system's substantive behavior is dependent on the sequence or timing of other uncontrollable events. Mitigation includes proper synchronization, atomic transactions, and thread-safe coding practices.
SQL Injection
An attack technique that exploits a security vulnerability occurring in the database layer of an application. Mitigation includes using prepared statements and parameterized queries.
Cross-Site Request Forgery (CSRF)
A web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. Mitigation includes using anti-CSRF tokens and SameSite cookie attributes.
Remote Code Execution (RCE)
Allows an attacker to execute arbitrary code on a target machine or in a target process. Mitigation includes input validation, keeping software updated, and using least privilege principles.
Improper Error Handling
Revealing too much information to the users through error messages, which can lead to further exploitation. Mitigation includes configuring error handling to prevent stack traces from being displayed and implementing custom error pages.
Component with Known Vulnerabilities
Using components with known vulnerabilities, leading to a weak link in the application. Mitigation involves keeping components updated and regularly checking for vulnerabilities in dependencies.
Insecure Cryptographic Storage
Failing to adequately protect sensitive data with proper encryption or hashing. Mitigation includes using strong cryptographic algorithms and properly managing keys.
Code Injection
Occurs when an attacker introduces malicious code into a program. Mitigation includes input validation, output encoding, and use of appropriate security mechanisms in the programming language.
Insufficient Logging & Monitoring
Inadequate logging of events and lack of monitoring systems that could detect or alert on malicious activities. Mitigation includes implementing comprehensive logging and real-time monitoring, along with incident response plans.
Security Misconfiguration
Occurs when security settings are defined, implemented, and maintained as defaults. Mitigation includes regular reviews of security configurations and least privilege access policies.
Sensitive Data Exposure
Involves unauthorized access to protected data such as financial, healthcare, or personal information. Mitigation includes encrypting data at rest and in transit, and not storing sensitive data unnecessarily.
Insecure Deserialization
A vulnerability that occurs when untrusted serialized data is deserialized and used to abuse the logic of an application. Mitigation includes using safe serialization libraries and validating serialized objects.
Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages or websites, and attackers can exploit these unvalidated redirects. Mitigation includes avoiding such redirects if possible, and validating URLs to only allow whitelisted destinations.
Cross-Site Scripting (XSS)
A type of injection where malicious scripts are injected into trusted websites. Mitigation includes using Content Security Policy, validating and sanitizing user input, and using appropriate response headers.
Broken Access Control
Failure to implement proper restrictions on what authenticated users are allowed to do. Mitigation includes enforcing least privilege principles, using access control lists, and proper authentication checks before performing sensitive operations.
Server-Side Request Forgery (SSRF)
An exploit in which the attacker can make the application send a crafted request to an unexpected destination. Mitigation includes validation of user input, not passing raw responses to interpreters, and restricting server request targets.
Clickjacking
A technique where the attacker tricks a user into clicking on something different from what the user perceives. Mitigation includes using the X-Frame-Options header, framebusting scripts, and Content Security Policy (CSP).