## CIA

### Confidentiality:
Only those authorized can access info.  
#### Vulnerabilities
Unauthorized access to sensitive info (identity theft, financial fraud, or loss of competitive advantage)

---

### Integrity:
Accuracy and completeness of info.  
#### Vulnerabilities
An attacker could cause incorrect info to be displayed/processed, leading to incorrect decision-making, fraude, etc.

---


### Availavility:
Authorized users have timely and reliable access to resources.  
#### Vulnerabilities
Exploits could disrupt services, resulting in loos of prouctivity, revenue, etc.


---
___

## Broken Access Control
Access controls are responsible for determining which users are allowed to access, modify, or delete specific resources within a system. Access control enforces that users cannot act outside of their intended permissions.  

#### Common access control vulnerabilities:

1. Violation of the principle of least privilege or deny by default.
2. Bypassing access control checks by modifying URL params, internal App state, the HTML page or API requests.
3. Insecure direct object references: permitting viewing or editing someone else's account.
4. Accessing API with missing access controls for POST, PUT and DELETE.
5. Elevation of privilege: Acting as a user without being logged, or as an admin without being one.
6. Metadata manipulation: JWTs, cookies, hidden fields.
7. CORS misconfiguration, allowing unauthorized/untrusted origins.
8. Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

---
___



## Insecure Direct Object Reference (IDOR)

A common sec vulnerability that happens when an app exposes direct acces con internal objects, such as files, db records, etc, without proper access control.  
Usually, this occurs when devs implement insufficient access controls on resources that are referenced by URL params, form fields or other user-controlled inputs.

---
---

## Insecure Session Management

A session is a temporary interaction between a user and a web application, established to maintain the user’s state and track their activities across multiple requests. These sessions are typically managed through the use of session tokens, which are unique identifiers assigned to each user during their interaction with the application.

Insecure Session Management can lead to unauthorized access, session hijacking, etc, compromising the CIA of user data and the app itself.

Some causes can be:

1. Weak session token generation.
2. Improper storage and transmission of session tokens.
3. Lack of session timeouts.
4. Ineffective session termination.


And some practices and guidelines to prevent ISM:

1. Use secure algorithms to generate session cookies.
2. Ensure the use of HTTPS.
3. Implement secure cookie attributes
4. Regularly expire session tokens.

More info on sessions here: [Session Management Testing](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema)

Quiz:

- What is a session in the context of web application development?
  * A unique identifier used to track user state
- Which of the following is the primary purpose of session tokens?
  * Managing and tracking user activities across multiple requests
- Which security breach can result from Insecure Session Management?
  * Unauthorized access
- What is the main benefit of implementing secure cookie attributes in session management?
  * Protection against session hijacking

---
---


## Cross-Site Request Forgery (CSRF)
Enables an attacker to manipulate and execute unauthorized actions on behalf of an unsuspecting user. The attacker tricks the user into performing actions on a site they are already authenticated on, whithout them knowing/consenting.  

![Attack](https://d36ai2hkxl16us.cloudfront.net/course-uploads/e0df7fbf-a057-42af-8a1f-590912be5460/6fcr2jtrl9za-csrf1.png)

The attack is executed by exploiting the web application’s failure to properly validate the source of incoming requests. It typically involves crafting malicious links, embedding them in seemingly innocuous content such as emails or web pages, and then enticing the user to click on those links. When the user interacts with the malicious content, their browser inadvertently sends a request to the targeted web application, which then executes the unintended action.
The attack inherits the identity and privileges of the victim to perfom the undesired action. For most sites, browser requests automatically include any credentials associated with the site (session cookies, IP address, etc).

CSRF attacks taget functionality taht causes a state change / data mutation, as the attacker doesn't receive the response, the victim does.



## CSRF Lab

Run these commands in your terminal:

```bash
python3 -m venv .venv
source .venv/bin/activate
pip install flask
pip install request
```

In [None]:
# app.py

from flask import Flask, request, url_for, render_template, redirect, make_response
import requests

app = Flask(__name__, static_url_path='/static', static_folder='static')

app.config['DEBUG'] = True

@app.route("/")
def start():
  return render_template("evil.html")

if __name__ == "__main__":
  app.run(host='0.0.0.0', port=1337)

```html
<!-- templates/evil.html -->

<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://0.0.0.0:5000/update' target="csrf-frame" id="csrf-form">
  <input type='hidden' name='color' value='Hackzord!'>
  <input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
```

```

```html

Run the app with:

```bash
python app.py
```

Open a new browser tab => `http://localhost:1337/`

### CSRF Quiz:

* Which of the following actions could be performed by an attacker in a CSRF attack?
  - [x] **Changing the victim’s account settings**
  - [ ] Stealing the victim’s session cookie
  - [ ] Directly accessing the victim’s account data
  - [ ] Intercepting the victim’s network traffic
* What is a common method used by attackers to execute a CSRF attack?
  - [ ] Injecting malicious scripts into a web page
  - [ ] Exploiting server-side vulnerabilities
  - [x] **Tricking the user into clicking a malicious link**
  - [ ] Brute-forcing the user’s credentials
* Which of the following security measures can help prevent CSRF attacks?
  - [ ] Input validation
  - [x] **Anti-CSRF tokens**
  - [ ] Content Security Policy
  - [ ] Rate limiting
* What purpose does the SameSite attribute serve in relation to CSRF protection?
  - [x] **It prevents cookies from being sent in cross-site requests**
  - [ ] It encrypts cookies to protect them from theft
  - [ ] It sets a time limit for cookie expiration
  - [ ] It enforces strict transport security on cookies

---
---

## Cryptographic Failures:

These failures can involve the use of outdated cryptographic algorithms, insufficient key lengths, weak random number generation, or improper storage and management of cryptographic keys.

The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection:


1. Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, FTP also using TLS upgrades like STARTTLS. External internet traffic is hazardous. Verify all internal traffic, e.g., between load balancers, web servers, or backend systems.
2. Are any old or weak cryptographic algorithms or protocols used either by default or in older code?
3. Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing? Are crypto keys checked into source code repositories?
4. Is encryption not enforced, e.g., are any HTTP headers (browser) security directives or headers missing?
5. Is the received server certificate and the trust chain properly validated?
6. Are initialization vectors ignored, reused, or not generated sufficiently secure for the cryptographic mode of operation? Is an insecure mode of operation such as ECB in use? Is encryption used when authenticated encryption is more appropriate?
7. Are passwords being used as cryptographic keys in the absence of a password-base-key-derivation-function (PBKDF)?
8. Is randomness used for cryptographic purposes that were not designed to meet cryptographic requirements? Even if the correct function is chosen, does it need to be seeded by the developer, and if not, has the developer overwritten the strong seeding functionality built into it with a seed that lacks sufficient entropy/unpredictability?
9. Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic hash functions used when cryptographic hash functions are needed?
10. Are deprecated cryptographic padding methods such as PKCS number 1 v1.5 in use?
11. Are cryptographic error messages or side channel information exploitable, for example in the form of padding oracle attacks?

### Insecure Randomness:

The use of predictable or weak random number generators, usually producing a predictable sequence of numbers based on a given seed. Attackers can exploit this predictability to compromise the security, as they can determine the seed or the sequence of random numbers.

Some security issues:

* **Session Hijacking:** predictable session identifiers can allow an attacker to hijack a user's session, gain access to their accounts and perform malicious actions.
* **Brute Force Attacks:** weakly generated pass, tokens or keys are more easily cracked by brute force.
* **Prediction:** predictable tokens can lead to vulnerabilities in authentication, authorization, anti-CSRF mechanisms, etc.

#### Quiz:

* What does insecure randomness refer to?
  - [ ] The use of strong random number generators in applications
  - [x] **The use of weak or predictable random number generators in applications**
  - [ ] The process of generating secure cryptographic keys
  - [ ] The process of generating unpredictable password hashes
* Why is insecure randomness a security issue in web applications?
  - [ ] It leads to slower performance of the application
  - [x] **It makes random numbers more predictable, leading to potential security breaches**
  - [ ] It increases the complexity of the application’s code
  - [ ] It makes the application less user-friendly
* Which security issue can result from predictable session identifiers?
  - [x] **Session hijacking**
  - [ ] Cross-site scripting
  - [ ] SQL injection
  - [ ] Buffer overflow
* Which of the following can help mitigate the risks associated with insecure randomness?
  - [ ] Using weaker random number generators
  - [ ] Using a single seed value for all random number generation
  - [x] **Employing cryptographically secure random number generators**
  - [ ] Storing random numbers in plain text format


### Intro to Deprecated Hash Functions:

Cryptographic algos that were once widely used and are now considered outdated or insecure. Some, like **MD5** and **SHA-1**, were designed to produce *unique, fixed-size hash values from input*, making it difficult to recreate data from the hash. However, as computing powers increased, these older functions become less secure. Using them can lead to:

* **Collision attacks:** when 2 different inputs produce the same hash value, undermining the fundamental property of a secure hash function. Atatckers may forge data with the same hash as legitimate data.
* **Brute-force attacks:** with increased computing power, it is easier to generate *all* possible hash values for a given input space, allowing an attacker to find a matching hash and reverse-engineer the original data.

#### Use this pass hash *a332233d395c415a99c6b16a2348c129* and find the plain text value:

Using **MD5** and reversing this hash, we get => 'Password01!'


---
---

## Injection:

Type of attacks where the attacker submits malicious data to an app, which gets executed/processed, leading to unintended consequences such as unauthorized access, data breaches, or even control over the application. Among the most common types of injection attacks are SQL, NoSQL, OS, and LDAP injections.

An app is vulnerable to attack when:

* User-supplied data is not validated, filtered, or sanitized by the application.
* Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
* Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
* Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.

Some of the more common injections are:

* SQL injection
* NoSQL injection
* OS command injection
* Object Relational Mapping (ORM) injection
* LDAP injection
* Expression Language (EL) or Object Graph Navigation Library (OGNL) injection


### Intro to SQL Injection:

Malicious SQL code is inserted into an application’s database query. This injection attack can allow an attacker to manipulate the application’s database, gain unauthorized access to sensitive information, modify data, or even execute arbitrary commands on the underlying server. One of these attacks can end up in:

* **Unauthorized Access:** By injecting SQL code, an attacker can bypass authentication mechanisms and gain unauthorized access to restricted data or functionality.
* **Data Disclosure:** Attackers can extract sensitive information from the database, such as usernames, passwords, credit card details, or other personally identifiable information.
* **Data Manipulation:** SQL Injection allows attackers to modify, delete, or insert data into the database, altering the application’s behavior or compromising data integrity.
* **Remote Code Execution:** In severe cases, attackers can execute arbitrary commands on the underlying server, leading to a complete compromise of the system.

Example:

The following code is vulnerable to SQL injection as the user input is directly concatenated into query without any formofvalidation: PATH:/SQLI/models/sqlimodel.py

```
cur = db.execute('SELECTpageId,title,contentFROMpagesWHEREpageId='+pageId)
```

This code can be easily rewritten in a way that prevent the user input from interfering with the query structure:

```
cur = db.execute('SELECTpageId,title,contentFROMpagesWHEREpageId=?',(pageId,))
```


### Into to OS Command Injection:

Occurs when an attacker can execute arbitrary operating system commands on a target system. This is possible when the application does not properly validate or sanitize user input before it is passed to system commands. When an attacker successfully exploits an OS command injection vulnerability, they can potentially gain unauthorized access to sensitive data, modify system files, or even take complete control of the target system.
The main issues that lead to this vulnerability include:

* **Lack of input validation and sanitization:** When user input is not thoroughly checked for malicious code or characters, it may contain commands that can be executed by the underlying operating system.
* **Insecure coding practices:** Developers may inadvertently use functions that allow for direct execution of commands without proper validation or escape mechanisms in place.
* **Excessive privileges:** In some cases, web applications may run with higher privileges than necessary, which can broaden the range of executable binaries accessible to an attacker and allow them to access a wider set of files.

Additional links:

* [Command Injection | OWASP Foundation](https://owasp.org/www-community/attacks/Command_Injection)
* [OS Command Injection Defense | OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)


### Intro to Lightweight Directory Access Protocol Injection (LAPD):

LDAP (Lightweight Directory Access Protocol) is a widely used protocol for accessing and managing directory information services, such as user directories and organizational data. It is commonly used in web applications for authentication, authorization, and user management purposes.

LDAP injection occurs when an attacker is able to manipulate LDAP queries sent by a web application. This can lead to unauthorized access, information disclosure, and other security risks. It typically occurs when an app builds an LDAP query using user-supplied input without validating it. The injected LDAP query can modify the original query's behavior, allowing attackers to bypass authentication, retrieve sensitive information, or perform unauthorized operations on the directory service.

#### Possible security implications:

* **Authentication bypass:** By injecting LDAP query syntax, attackers can manipulate the authentication process and bypass username and password checks. This enables unauthorized access to restricted areas of the application or sensitive data.
* **Information disclosure:** Attackers can craft LDAP queries to retrieve sensitive information, such as usernames, passwords, or other confidential data stored in the directory service.
* **Data modification:** Injection attacks can modify the LDAP query to perform unauthorized operations on the directory service, such as adding, modifying, or deleting user accounts or data.
* **Denial of Service (DoS):** Attackers may abuse LDAP injection to craft malicious queries that consume excessive server resources, leading to a denial of service condition, and causing the application or system to become unavailable.


Additional links:

* [LDAP Injection | OWASP Foundation](https://owasp.org/www-community/attacks/LDAP_Injection)
* [LDAP Injection Prevention | OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html)
* [What is LDAP Injection and How Does It Work? | Synopsys](https://www.blackduck.com/glossary/what-is-ldap-injection.html)


---
---

## Insecure Design:

There is a difference between insecure design and insecure implementation. We differentiate between design flaws and implementation defects for a reason, they have different root causes and remediation. A secure design can still have implementation defects leading to vulnerabilities that may be exploited. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks. One of the factors that contribute to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required. Common examples of insecure design in web applications include:

* Insufficient input validation
* Insecure data storage
* Weak authentication and session management
* Insecure communication
* Misconfigured security settings

### Threat Modeling to counter Insecure Design:

A proactive approach to identifying potential security threats and vulnerabilities. It typically involves following these steps:

1. **Identify assets:** Determine what sensitive data or critical functionality your application needs to protect.
2. **Create a system model:** Document your application’s architecture, components, and data flows.
3. **Identify potential threats:** Analyze the system model to identify possible attack vectors and vulnerabilities.
4. **Determine risk:** Assess the likelihood and impact of each identified threat.
5. **Develop mitigations:** Design and implement security measures to address the highest-priority threats.


### 4 Question Framework:

1. **What are we building?** Understand the system, its context, components and their interaction, data flow, security controls, and dependencies.
2. **What can go wrong?** Identify threats and possible vulnerabilities. You could use techniques like STRIDE, attack trees or kill chains.
3. **What are we going to do about that?** Determine and implement security measures to protect the system against identified threats.
4. **Did we do a good enough job?** Validate the security measures and iterate the process. Verification can be done via methods like code review, penetration testing, and red teaming.


### Approaches to Threat Modeling:

1. **Asset-centric:** This approach starts by identifying and classifying a system’s assets and then focuses on the threats to those assets.
2. **System-centric (or architecture-centric):** This approach focuses on the system’s design and components and their interactions. It identifies threats based on the attack surface exposed by the system’s architecture.
3. **Attacker-centric:** This approach starts by assuming the perspective of the attacker, their skills, motives, and objectives, and then identifies threats based on what parts of the system the attacker would likely target.
4. **List-centric:** Approaches to threat modeling, using tools such as the Application Security Verification Standard (ASVS) from the Open Web Application Security Project (OWASP), provide a systematic and comprehensive checklist for evaluating the security of software applications.

### List-Centric Approaches to Threat Modeling with ASVS:

ASVS is a framework of sec requirements and controls that developers and sec testers can use to build and evaluate the security of web applications. It covers various categories like authentication, session management, access control, input validation, error handling, data protection, communication security, and many more.

*BENEFITS:*

* **Simplicity and Accessibility:** A checklist-based approach simplifies threat modeling by providing a set of predefined security requirements that must be addressed. This can be especially helpful for teams that don’t have a dedicated security expert.
* **Coverage:** Checklists like ASVS provide broad coverage of potential security threats, ensuring that important issues aren’t overlooked. They cover various types of vulnerabilities, so you’re less likely to miss an important aspect.
* **Standardization and Consistency:** Using a standardized checklist can promote consistency in security testing, making it easier to compare and benchmark the security of different applications.
* **Ease of Use:** Checklists can be easy to use, providing a straightforward way for teams to verify that they’ve addressed all relevant security issues.
* **Documentation and Traceability:** Checklists also provide a way to document the security requirements and controls that have been implemented, which can be useful for auditing, regulatory compliance, and other purposes.

*LIMITATIONS:*

* Can be less effective for identifying complex, context-specific threats.
* Might encourage a 'tick-the-box' approach to security, where teams focus on meeting checklist requirements rather than deeply understanding the underlying security principles.


### Requirement Traceability Matrix (RTM):

A document that helps in tracking and tracing the requirements of a system throughout its development lifecycle. An RTM typucally consists of a table/matrix with rows representinf de reqs, cand columns representing various stages of development.

---
---

## Security Misconfiguration:

The application might be vulnerable if the application is:

1. Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.
2. Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges).
3. Default accounts and their passwords are still enabled and unchanged.
4. Error handling reveals stack traces or other overly informative error messages to users.
5. For upgraded systems, the latest security features are disabled or not configured securely.
6. The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.
7. The server does not send security headers or directives, or they are not set to secure values.
8. The software is out of date or vulnerable (see A06:2021-Vulnerable and Outdated Components).

### Introduction to Default Configuration Settings:

These are the initial settings that are set by the developer when the software is installed or deployed. They are designed to provide a functional baseline for the application. However, if these settings are not properly configured, they can become a security risk. The use of default config settigns can lead to:

* **Predictable Credentials:** Default settings often include default usernames and passwords, which are well-known and can be easily guessed by attackers.
* **Unnecessary Features:** Some default configurations enable features or services that may not be needed for a specific application, potentially exposing additional attack surfaces.
* **Lack of Security Hardening:** Default settings may not be optimized for security, resulting in weaker encryption algorithms, insecure protocols, or outdated software versions.

*Examples:*

* MongoDB: In older versions of MongoDB, the default configuration did not enable authentication by default. This means anyone with network access to the database could potentially access and manipulate the data without providing any form of authentication. This lack of authentication posed a serious security risk, as it allowed unauthorized individuals to gain unrestricted access to sensitive information. Attackers could exploit this vulnerability to view, modify, or delete data, potentially leading to data breaches and compromised systems. It also allowed for the possibility of unauthorized privilege escalation, where attackers could gain administrative access and take control of the entire database.
* Elasticsearch: Similarly, older versions of Elasticsearch also had a default configuration that did not enable authentication by default. This meant that anyone who had network access to the Elasticsearch cluster could perform various actions, including reading, modifying, or deleting data, without providing any credentials. Without authentication, Elasticsearch clusters were exposed to potential unauthorized access and manipulation, posing a significant security risk. Attackers could exploit this vulnerability to tamper with data, perform unauthorized searches, or even delete critical indices.

These misconfigurations were often exploited by attackers leveraging services like Shodan. Shodan is a popular search engine for Internet-connected devices that allows users to discover publicly accessible systems and services. Attackers would utilize Shodan to identify exposed instances of MongoDB or Elasticsearch with default or insecure configurations. They could then target these vulnerable systems.

### Introduction to Insecure Settings in Web Applications:

These settings typically involve poor configuration, insufficient security controls, or a lack of awareness in securing sensitive data. Some examples of insecure settings in web applications include:

* Default or weak credentials for administrative interfaces
* Insecure storage of sensitive data (e.g., plaintext passwords or API keys)
* Misconfigured security headers and cookies
* Outdated or vulnerable software and libraries

Leading to security issues, such as:

* **Sensitive Data Exposure:** When sensitive data (e.g., user credentials, personal information, or financial data) is inadequately protected, it becomes an easy target for attackers.
* **Unauthorized Access:** Insecure settings can allow attackers to bypass authentication and authorization mechanisms, granting them unauthorized access to the system.
* **Session Hijacking:** Improper session management can enable attackers to hijack user sessions, leading to unauthorized access and potential data theft.


### Introduction to Outdated Software and Libraries: Security Problems in Web Applications:

In the constantly evolving world of technology, keeping up with the latest updates and security patches is essential to maintain a secure and reliable web application. Outdated software and libraries can expose web applications to a variety of security risks:

* **Security vulnerabilities:** Outdated software and libraries may contain known security vulnerabilities that can be exploited by hackers. By not updating your components, you leave your web application open to a wide range of attacks, such as SQL injection, cross-site scripting, and remote code execution.
* **Incompatibility issues:** As technology progresses, older versions of software and libraries may become incompatible with newer systems and standards. This can lead to performance issues, bugs, and even security vulnerabilities that are difficult to identify and fix.
* **Limited support:** Software and library developers typically focus their efforts on maintaining and improving the latest versions of their products. This means that older versions may receive less attention and support, making it harder to find and fix security issues.
* **Legal and compliance risks:** Outdated software and libraries may not meet the latest industry regulations and compliance standards, which can lead to legal and financial penalties for businesses.

To mitigate these risks and maintain a secure web application, it is crucial to keep your software and libraries up-to-date. This includes regularly updating your operating system, web server, database management system, and any third-party libraries your application relies on. Additionally, it is important to monitor security advisories and vulnerability databases to stay informed about potential threats and apply patches as needed. Stay vigilant!

---
---

## Vulnerable and Outdated Components:

You are likely vulnerable:

* If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies.
* If the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.
* If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.
* If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure to fixed vulnerabilities.
* If software developers do not test the compatibility of updated, upgraded, or patched libraries.
* If you do not secure the components’ configurations (see A05:2021-Security Misconfiguration).

### Intro to CycloneDX:

It is a lightweight software bill of materials (SBOM) specification that is easily created, diffed, tracked, and can be used for component, application, container, and system-level management. A SBOM is a comprehensive inventory of every item that’s needed to build your application. It lists the components, libraries, modules, and other resources, along with the relevant version numbers and other useful metadata.

1. install CycloneDX.
2. Generate an SBOM for your application, usually using the command line `cyclonedx-bom -o ./bom.xml` or similar.
3. Analyze the SBOM to identify any vulnerabilities or outdated components.
4. Update and track the SBOM as you update your application.

---
---

## Identifications and Authentication Failures:

Identification and authentication are fundamental elements of any security paradigm:

* **Identification** is asserting an identity—typically through a username or ID number in web applications.
* **Authentication** is verifying that identity—usually through a password, but it can also involve other methods like tokens, biometrics, and digital certificates.

There may be authentication weaknesses if the application:

* Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
* Permits brute force or other automated attacks.
* Permits default, weak, or well-known passwords, such as “Password1” or “admin/admin”.
* Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers,” which cannot be made safe.
* Uses plain text, encrypted or weakly hashed password data stores (see A02:2021-Cryptographic Failures).
* Has missing or ineffective multi-factor authentication.
* Exposes session identifier in the URL.
* Reuse session identifier after successful login.
* Does not correctly invalidate Session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.

### Brute Forcing:

A brute force attack is one of the simplest, yet most effective methods to gain unauthorized access to a system. It involves systematically trying every possible combination of characters until the correct one is found.

The strength of brute force attacks is also their weakness. As the length and complexity of the password or encryption key increase, the number of possible combinations grows exponentially, making brute-force attacks more time-consuming and less feasible. That’s why security experts always stress the importance of strong, complex passwords and encryption keys.

Many modern systems have security measures in place to defend against brute-force attacks. These measures include account lockouts after a certain number of failed attempts, delays between attempts to slow down the process, and even notifications to users about multiple failed login attempts.

### Intro to Dictionary Attacks:

A dictionary attack is a type of brute force attack that uses a list of known passwords or patterns to try to guess the correct password. This method is often used when an attacker has a list (or a dictionary) of valid usernames and passwords.

### Intro to Sensitive Data in Comments:

In both client-side and server-side code, comments are often used by developers to explain complex coding structures, note areas for future improvement, or even provide debugging details. While this can improve collaboration and understanding amongst a development team, it can also provide an unintended goldmine of information for malicious actors. For instance, comments may point out vulnerabilities, reveal important details about the system architecture, or even contain hard-coded credentials intended for testing. Such exposure can give attackers a deeper understanding of the application’s workings and potential weak points.

---
---

## Software and Data Integrity Failures:

Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). Attackers could potentially upload their updates to be distributed and run on all installations.

*Example attack scenarios:*

1. Update without signing: Many home routers, set-top boxes, device firmware, and others do not verify updates via signed firmware.
2. Insecure Deserialization:A React application calls a set of Spring Boot microservices. Being functional programmers, they tried to ensure that their code is immutable. The solution they came up with is serializing the user state and passing it back and forth with each request. An attacker notices the “rO0” Java object signature (in base64) and uses the Java Serial Killer tool to gain remote code execution on the application server.

### Intro to Insecure Object Deserialization:

A vulnerability that occurs when an application doesn’t properly validate or sanitize input before attempting to “deserialize” it. Deserialization is the process of converting a serialized object (e.g., a string of bytes) back into an object.

How it can be a security risk:

* **Remote Code Execution (RCE):** If an attacker can modify the serialized data to include malicious code, and the application doesn’t validate or sanitize this data before deserializing it, then the attacker’s code can be executed.
* **Denial of Service (DoS):** Malicious serialized data can also cause the application to crash, resulting in a denial of service.
* **Injection Attacks:** Insecure deserialization can lead to various injection attacks, including but not limited to SQL Injection, NoSQL Injection, OS command injection, etc.

### Intro to Rogue Content Delivery Networks (CDNs) and Untrusted Data Sources:

* CDNs are a key part of modern web infrastructure, designed to efficiently deliver web content to users. A CDN’s main function is to serve content to users with high availability and high performance. Rogue CDNs can serve harmful content, either by hosting malicious files directly or by serving as a conduit for malware, thus putting users at risk.
* Loading data from untrusted sources, such as JavaScript (JS) files, is a common practice in web development. If the external source is compromised, the attacker can serve malicious JS files instead of legitimate ones. This can lead to a variety of attacks, including Cross-Site Scripting (XSS), data theft, and defacement of web pages.

*Potential Security Problems:*

1. **Data Integrity:** Rogue CDNs or compromised data sources can alter the data being sent to users. This could include injecting malicious scripts into legitimate web pages or altering the functionality of web applications.
2. **Privacy:** Malicious CDNs or data sources could collect sensitive user information without consent. For example, they could track user behavior, collect form data, or even steal login credentials.
3. **Availability:** A rogue CDN could deny service to intended users or serve them slow or inaccurate content. This can be particularly damaging for businesses that rely heavily on their online presence.

---
---

## Security Logging and Monitoring Failures:

Insufficient logging, detection, monitoring, and active response occurs at any time:

* Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
* Warnings and errors generate no, inadequate, or unclear log messages.
* Logs of applications and APIs are not monitored for suspicious activity.
* Logs are only stored locally.
* Appropriate alerting thresholds and response escalation processes are not in place or effective.
* Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts.
* The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.

### What is Security Logging?

Security Logging is the process of recording and storing actions and events within a system. This can include user activities, system errors, transactions, and more. Logs provide a traceable record of these activities and can be analyzed to uncover patterns or identify suspicious behavior.
```
# Example log entry:
[2023-06-09 10:15:32] - IP: 192.0.2.1 - User: exampleUser - Action: Login - Status: Success
```

### Importance of Security Logging:

Logs not only provide insights into system operations, but they also serve as an audit trail for security events. However, often, organizations overlook or inadequately address security logging. When critical logs are missing, unclear, or not actively monitored, the organization's security posture weakens.

**Missing Auditable Events:**

Auditable events, such as user logins, failed logins, and high-value transactions, form the crux of security logging. By not logging these events, organizations are essentially turning a blind eye to potentially malicious activities.

* Logins and Failed Logins: Tracking successful and unsuccessful login attempts can indicate brute force or password spraying attacks. Absence of this data means you might miss out on early signs of a breach.
* High-Value Transactions: These can be database modifications, money transfers, or any other critical operations. Without a log, malicious or erroneous transactions can go unnoticed, potentially leading to significant losses or damages.

**Inadequate Logging of Warnings and Errors:**

When these log messages are absent, unclear, or insufficient, it becomes challenging to identify the root cause, making mitigation more difficult and time-consuming.

**Ignoring App and API Logs:**

Not monitoring their logs for suspicious activity can lead to undetected breaches. An unusual API call or an unexpected application behavior logged can be the first sign of an intrusion. Ignoring these logs can mean missed opportunities for early detection.

**The Perils of Local Storage:**

Storing logs solely on local servers or devices poses various risks:

* Data Tampering: If an attacker gains access, they can modify or delete logs to hide their tracks.
* Data Loss: Hardware failures can lead to permanent loss of crucial log data.
* Limited Access: It is challenging to access logs in real-time for analysis or during an incident if they are only locally stored.

Centralized or cloud-based log storage solutions address these challenges, offering redundancy, accessibility, and often enhanced security features.

**Ineffective Alerting and Response Systems:**

Logs alone are passive data. For them to be effective in enhancing security, there must be systems in place to analyze and act upon them. If appropriate alerting thresholds are not set, or if there is no effective escalation process in place, even the most detailed logs can go unnoticed, rendering them useless.

**Unresponsive to Penetration Testing and DAST Tools:**

Security tools like OWASP ZAP are designed to probe applications for vulnerabilities actively. If these tools do not trigger alerts when they simulate attacks, it indicates a considerable gap in the organization's detection capabilities. It is almost like having a smoke detector that does not sound when there is smoke.

**Lack of Real-time Attack Detection:**

Modern cyber-attacks can be swift and devastating. If an application cannot detect, escalate, or alert for active attacks in real-time or near real-time, the damages can be extensive before any action is taken. This makes real-time monitoring and alerting not just a good-to-have feature but an essential one.

---
---

## Server-Side Request Forgery (SSRF):

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
As modern web applications provide end users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.
This kind of attack enables an attacker to induce the server-side application to make HTTP requests to an arbitrary destination under the control of the attacker. Mitigation strategies often involve:
* whitelisting or validating user inputs,
* controlling what network requests your server-side application can make,
* employing a firewall to block outgoing network connections from your server to the internal network.

---
---

## Course Summary:

**Broken Access Control**
In this module, we explored the risk of broken access control, which arises when restrictions on authenticated users are improperly enforced. Attackers can exploit these vulnerabilities to access unauthorized functionalities or data. We’ve seen how enforcing strict access control measures and principle of least privilege helps to mitigate such risks.

**Cryptographic Failures**
This section introduced you to the concept of cryptographic failures. These are the risks associated with the misuse of cryptography, often resulting in the exposure of sensitive information. Our hands-on labs demonstrated the importance of implementing secure cryptographic practices, like using updated cryptographic algorithms and securing cryptographic keys.

**Injection**
We studied various injection attacks, such as SQL, NoSQL, OS, and LDAP injection. These vulnerabilities occur when untrusted data is sent as part of a command or query. You’ve seen firsthand the impact of successful injection attacks and learned how to prevent them using input validation, parameterized queries, and other secure coding practices.

**Insecure Design**
In this module, we emphasized the importance of secure design principles in software development. The insecure design risk underlines how design flaws can lead to large-scale security vulnerabilities. Through practical examples, we discovered how a ‘security by design’ approach can mitigate such risks.

**Security Misconfiguration**
Here we examined the potential dangers of security misconfiguration, which is often the result of insecure default configurations, incomplete or ad hoc configurations, or unprotected cloud storage. Our lab exercises demonstrated how to detect these vulnerabilities and the necessity of a well-defined, repeatable hardening process.

**Vulnerable and Outdated Components**
This part of the course focused on the risks posed by the use of vulnerable and outdated software components. We practiced identifying, updating, and removing such components to minimize the attack surface.

**Identification and Authentication Failures**
We learned about the threats arising from flawed identification and authentication strategies, which can allow attackers to impersonate users or bypass authentication. We explored techniques for implementing multi-factor authentication, strong password policies, and secure session management to help combat these threats.

**Software and Data Integrity Failures**
In this module, we addressed the importance of maintaining the integrity of software and data. You experienced how a lack of proper integrity controls can lead to unauthorized data modification or code execution. We also examined defenses such as checksums, digital signatures, and secure file permissions.

**Security Logging and Monitoring Failures**
Here we discussed the lack of adequate logging and monitoring, which could delay or prevent the detection of security breaches. We observed the value of comprehensive and proactive monitoring practices and learned how to implement effective logging mechanisms that capture important security-related events.

**Server-Side Request Forgery (SSRF)**
The course concluded with an exploration of SSRF, where malicious actors can induce the server to perform requests on their behalf. We discussed various techniques for mitigating this risk, such as validating and sanitizing all input data, employing allow-lists of approved servers, and applying the least privilege principle.
