Code security tips

From PortSwigger, a free online resource for security.

PortSwigger is a cool free resources for learning stuff. There is a learning path you can follow.

Access Control Vulnerabilities

Access Control is the application of constraints on who or what can attempt to do actions or access resources they've requested.

  • insecure direct object reference
    • a vulnerability that allows an attacker to bypass authorization checks to access protected resources
    • occurs when a reference to an internal object, like a file or database key, is exposed through a link or parameter value. For example,
    • if no authorization check is in place, attackers can manipulate them to access unauthorized data
      • For example, replace the id with bob093 and access even though I am not bob but I know his username
      • without proper authorization, this is a leak
    • to prevent
      • use per user or per session indirect references instead
      • implement access control checks to make sure user is authorized for requested info
      • never rely on user-defined GET or POST parameters, cookies, or HTTP headers to authorize access to sensitive resources
      • always rely on server-side session information and use mapping values to access objects
      • all private pages should be protected using an authorization mechanism -- use centralized authorization routines
      • no two separate pieces fo code should verify if an account belongs to a certain user
  • missing functional level access control
    • occurs when users can perform functions they are not authorized for or when resources can be accessed by unauthorized users
    • caused when access checks have not bee implemented or when a protection mechanism exists but is not properly configured
    • examples
      • forced browsing URLs -- a user is authenticated but guesses and brute forces URLs to access admin pages
      • site uses popular framework; authenticated user takes advantage of this knowledge and brute forces /createUser function to create a user
    • ramifications
      • accounts can be taken over, sensitive customer or company data stolen
    • prevention:
      • protect all business functions using a role-based authorization mechanism implemented on sever side
      • authorization should be applied using centralized routines either provided by framework or easy-to-use external modules
      • DENY by default
      • implement functional access control on server, never client
  • using input from untrusted sources
    • occurs in apps that user input values to complete the authorization processes that determine what data users can access and manipulate
      • includes cookies, local storage, and hidden fields, input params, query params, etc
    • example
      • checking only whether a cookie exists
    • prevention
      • review any potential areas where an untrusted input could potentially enter the app
      • use a trusted framework in the app's architecture that prevents this weakness from occurring
      • if possible, try to avoid relying on any user input for authentication

More info: PortSwigger: Access Control Vulnerabilities and Privilege Escalation

Authentication vulnerabilities

  • Username enumeration vulnerability
    • someone brute forces through multiple usernames on login form to find different error responses that will detect valid usernames. then person can focus on brute forcing through password.
    • prevention with strong authentication controls
      • strong password policy
      • securely hashed passwords, using unique salts
      • a generic message
      • account lock on too many failed login attempts (rate limiting)
      • a secure password recovery mechanism
      • a secure communication channel
  • Forceful browsing vulnerability
    • occurs when access is allowed by default
    • most newer apps deny access by default so typically found in older apps
    • attackers can take advantage of typical URL patterns, links, etc. to find hidden web pages even without authentication
    • example:
      • attacker gains insight in product not yet released so attacker uses common naming conventions to find the hidden product page
    • prevention
      • ensure all relevant pages, routes, and endpoints require proper authentication and access checks
      • verify all endpoints, routes, and pages consistently follow business requirements rules
  • Insufficient Anti-automation vulnerability
    • occurs when parts of the app such as login forms, polls, etc. can be triggered using automated scripting techniques and there are a lack of checks to determine whether attempts are done by a human user. without checks, we can't tell whether a request is done by a script or a human.
    • example:
      • some functionality only for authenticated users that has a login form without rate limiting. attacker can brute force in...
      • or, submitting many fake users, fake votes, etc.
    • prevention to verify human users
      • sophisticated CAPTCHA techniques. Some of these can still be bypassed by sophisticated bots, so be careful and choose a good implementation.
        • a mixture of distorted text in an image, a mathematical calculation, audio question, or logical puzzle
        • be careful also about accessibility
      • of consecutive requests from same source could be limited or use account lockouts to avoid brute forcing

More Info: PortSwigger: Authentication vulnerabilities