5218COMP - Common Vulnerability Issues Quiz

Questions and Answers

What does the term 'attack vector' refer to?

• A method used to gain unauthorized access to a system (correct)
• A flaw in the design of software
• A measure to prevent security breaches
• A type of vulnerability in the system

Which of the following best describes a 'vulnerability'?

• A weakness that can be exploited by an attack (correct)
• A method for authenticating users
• A potential threat to a system's integrity
• A preventive measure against hacking

What is a common consequence of an 'implementation failure'?

• Increased security through untested procedures
• Exploitation of coded errors or bad practices (correct)
• The software is never deployed
• Designs are followed exactly

Which of the following is NOT considered a type of vulnerability?

Encryption strengths (C)

What is the primary purpose of input validation in software development?

To check the sanity of input data (A)

What role does 'authentication' play in secure software development?

It verifies the identity of a user or system. (B)

Which of the following is NOT a common source of data that requires validation?

Encrypted passwords (B)

Which of the following statements accurately reflects a potential vulnerability due to end-user misuse?

Designers assume users will read all documentation (C)

Which statement about 'threats' is accurate?

Threats represent potential issues needing protection. (A)

Which scenario exemplifies a 'design weakness'?

An unforeseen flaw in the software's design allowing an attack (A)

What percentage of vulnerabilities are attributed to poor input validation?

60% (C)

What might represent a common 'attack' in software security?

Failing to apply software updates regularly (A)

Which aspect of input validation checks whether data falls within a specific range?

Range validation (C)

What is a consequence of not validating user input properly?

Possible injection attacks (D)

Which scenario exemplifies a type mismatch vulnerability?

A string input where an integer is expected (A)

In input validation, what does checking for 'normality' imply?

The data must follow predefined criteria (D)

What is a key factor that should be checked when validating an email address?

It should contain an @ symbol. (A)

What is an important consideration regarding the validation of uploaded files in a web application?

Filename lengths should be validated against server limitations. (C)

Why is server-side validation preferred over client-side validation?

It cannot be bypassed by the user. (B)

What flaw is present in the basic validation of the wpshop plugin for file uploads?

No restrictions on file type uploaded. (D)

What is a significant risk associated with relying solely on client-side validation?

It can be bypassed by users, making it unreliable. (B)

What potential error is related to input validation that is noted as widespread in C/C++ programs?

Improper use of pointers and out-of-bounds errors. (A)

What should be considered when implementing password validation?

There should be no upper limit on password length. (C)

When should validation occur in a secure software development process?

When data passes between differing trust boundaries. (A)

Flashcards

Input Validation

The process of ensuring that user inputs are correct and safe.

Authentication

The process of verifying the identity of a user or system.

Authorisation

The process of granting permissions to an authenticated user.

Vulnerability

A weakness that can be exploited by an attacker.

Attack Vector

A method used by attackers to gain unauthorized access.

Design Weakness

A flaw in system design leading to security issues.

Implementation Failure

Incorrect application of a secure design.

End-user Misuse

Incorrect usage of the system by users that leads to vulnerabilities.

SQL Injection

A code injection technique that exploits security vulnerabilities in an application’s software.

Vulnerabilities

Weaknesses in software that can be exploited by threats.

Type Mismatch

An error that occurs when data types do not match expectations in code.

Data Input Sources

Various origins of data that need validation before use.

Email Validation

Check that an email is 1–100 characters and contains '@'.

Password Length

Password must be less than 8 characters with no upper limit.

Password Confirmation Match

Ensure that the password and its confirmation are the same.

Escape Non-Alpha Numeric

Function that removes non-alphanumeric characters from data.

Client-side Validation

Validates data before submission to reduce server load.

Server-side Validation

Validates data after it is submitted to the server.

Array Sizes Error

Common mistake related to pointer arithmetic and indexing.

Telegraph Pole Problem

How to calculate the number of poles spaced evenly along a distance.

Study Notes

Course Information

• Course title: 5218COMP – Secure Software Development
• Lecturers: Dr. Max Hashem Eiza ([email protected], Room BS/607A) and Dr. Nathan Shone ([email protected], Room BS/649)

Common Vulnerability Issues

• Approximately 60% of vulnerabilities are due to poor input validation.

Session Overview & Outcomes

• Session topics: Input validation, Authentication, Authorisation
• Learning outcomes: Understand and explain common vulnerabilities, and understand authentication and authorisation concepts.

Terminology Recap

• Threat: What needs protecting? What are you worried about?
• Vulnerability: How might threats become real? Where are the weaknesses in the system?
• Attack: How might someone break the security? Attacks exploit vulnerabilities to realise threats.
• Attack Vector: A path/route/method that exploits weak spots to gain unauthorised access to a computer system. A large part of exploits involve the human element since humans are often the weakest part of the system.

Vulnerabilities

• A weakness that allows an attack
  • Design weakness: A flaw in the design causes an attack not anticipated, e.g., TCP/SYN flood, Heartbleed, SSL RAM dumping
  • Implementation failure: Incorrectly following the design—e.g., incorrect use of Bluetooth, coding errors like SQL injection.
  • Change in requirements or environment: Original assumptions about design or development are no longer valid, e.g., encryption becoming weak, repurposing software without redesigning for the new setup (credit card use online).
  • End-user misuse: Users make incorrect assumptions about the technology, e.g., weak passwords, using sites with inadequate security (SSL certificates), sending executables by email.

Input Validation

• Critical but often overlooked, responsible for about 60% vulnerabilities

• Involves checking the validity of input data.

• Checks should consider:

  • Data type, length, range, and acceptance of null values
  • Checking for possible malicious code injection; e.g., SQL injection.

• Validation should be applied at points where data can enter or exit the software (e.g., URLs, user-supplied files, configuration files, 3rd party data, data loaded from file systems, data loaded from databases).

• Example input validation error: An issue occurs processing a JSP page at line 18 of /index.jsp; a form input causing an IllegalStateException due to mycustomer bean not being available in the request attribute.

• Three validation steps:

  • Constrain: allow known good data. Checks for length, type, and range constraints.
  • Reject: Reject known bad data. Filters for keywords, commands, etc. that may be used to exploit the system.
  • Sanitise: Make potentially malicious data safe. Strips out null characters or spaces.

Authentication and Authorisation

• Authentication: Identifying who you are

• Authorisation: Identifying what you can do.

• These processes should be kept separate in applications.

  • Consider CIA triad (confidentiality, integrity, availability)

• Custom implementations are often incorrectly done, such as in web apps (Guest access), and potential problems arise in logout, password management, or account updates.

  • Password leaks do occur in apps (not just related to sensitive data). This is a common developer error.

  • Password Storage:

    • Never directly store passwords
    • Hash passwords (use SHA-1, SHA256, or SHA512)
    • Use salted hashes for optimal security
    • Consider using a pepper for even more security
    • Consider using hash iterations

  • Password Resets:

    • Password resets are necessary but should be done securely
    • Do not send passwords in reset emails (violates security principle)
    • Request additional information for the user
    • Utilize a unique, temporary token in the confirmation email
    • Implement expiration rules to ensure that the unique token expires swiftly.
    • Prevent automatic log-ins after a successful reset; enforce re-authentication.
    • Session should be made to automatically expire when the session is not actively used or when the browser window is closed to avoid hijacking.

• Session Management:

  • Sessions are used to keep track of users as they navigate through an application. Sessions persist user data between different requests while in scope.
  • Sessions should automatically expire to maintain security
  • Ensure the session is killed when the user logs out.
  • Session IDs must be cryptographically secure (generate random and confidential IDs) and should not be directly sent to URL.

• Authorisation:

  • Limit app resources/actions to authorized users
  • Well-implemented authorisation is difficult
  • Defined roles and privileges crucial
  • Common attacker techniques: bypassing authentication, path traversal attacks, escalating privileges
  • Perform authorisation checks on the server side; do not trust client-side checks alone; and avoid including hard-coded authorisation management information.

• Common Themes:

  • Security is not straightforward (it requires planning and care)
  • Applications must be created securely from the start; relying on existing code requires careful consideration and planning.
  • Think holistically about application security before implementation.

Summary

• Input validation, authentication, and authorisation are crucial for secure software development. Avoiding common vulnerabilities, understanding user authentication and authorisation is imperative.