CC1302 SECURE CODING
UNIT I
INTRODUCTION
Security, CIA Triad, Viruses, Trojans, and Worms in a Nutshell, Security Concepts:
exploit, threat, vulnerability, risk, attack. Malware Terminology: Rootkits, Trapdoors,
Botnets, Key loggers, Honeypots. Active and Passive Security Attacks. IP Spoofing,
Teardrop, DoS, DDoS, XSS, SQL injection, Smurf, Man in the middle, Format String attack.
Types of Security Vulnerabilities: buffer overflows, unvalidated input, race conditions,
access-control problems, weaknesses in authentication, authorization, or cryptographic
practices. Access Control Problems
Security:
Computer Security
The protection afforded to an automated information system in order to attain
the applicable objectives of preserving the integrity, availability, and
confidentiality of information system resources (includes hardware, software,
firmware, information / data, and telecommunications)
Confidentiality
Data confidentiality
Assures that private or confidential information is not made available or disclosed to
unauthorized
Privacy
Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed.
Integrity
Data integrity
Assures that information and programs are changed only in a specified and
authorized manner.
System integrity
Assures that a system performs its intended function in an unimpaired manner, free
from deliberate or inadvertent unauthorized manipulation of the system.
Availability
Assures that systems work promptly and service is not denied to authorized
users.
CIA Triad
Confidentiality
Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information.
A loss of confidentiality is the unauthorized disclosure of information.
Integrity
Guarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity.
A loss of integrity is the unauthorized modification or destruction of information.
Availability
Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or an
information system.
Authenticity
The property of being genuine and being able to be verified and trusted.
Accountability
The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity.
Viruses, Trojans, and Worms In a Nutshell:
Viruses:
What is a Virus?
A virus is a computer program or piece of software that attaches itself to
another program in order to harm the computer system.
When the program the virus is attached to runs, the virus performs some
action, such as deleting a file from the computer system.
The virus can’t be controlled remotely.
How Does a Virus Work?
An infected program or file contains the virus and once the host program
or file is run, the virus executes its functions.
It is self-propagating, and it nests itself into other applications or
documents thus guaranteeing dissemination to other computers.
Again, viruses are different from worms and cannot spread on their own
without input from a human, for instance, running an infected file.
What is a Worm?
A worm, on the other hand, is a standalone malware program that copies itself
to other computers. Unlike a virus, a worm does not have to attach itself to
an existing program.
Worms take advantage of open holes in operating systems or applications
and spread by fixing themselves onto networks.
They consume a great deal of computing resources, which can slow down a
system considerably.
How Does a Worm Work?
Worms usually propagate through networks via link shares, e-mail
attachments, or weaknesses in programs.
Once a worm has infected a system, it is capable of replicating and
spreading to other systems without any intervention from the
users of the system.
Certain worms give the end attacker some form of supervisory control
over infected hosts.
Trojan Horse
What is a Trojan Horse?
A Trojan horse, or Trojan for short, is a kind of virus that is disguised as a
desirable piece of software.
Unlike viruses and worms, Trojans do not self-replicate; they are separate
programs that are covertly installed on computers.
They trick users into downloading them, typically by
disguising themselves as useful apps or by tricking the user into
downloading an infected file.
Once installed in a system, this type of malicious program can earn money
for its operator by stealing important details such as login details or
credit card details, among others.
How Does a Trojan Horse Work?
A Trojan commonly works by creating some kind of gateway (or
‘backdoor’) that can be used to compromise the target system.
Trojans can record the keystrokes a person makes, take pictures of the
screen, and transfer information without the user's knowledge.
Trojans can be disguised as other programs that are beneficial to the user,
so the user permits access to the system.
Security Concepts- exploit, threat, vulnerability, risk, attack:
In cyber security, risk, threat, vulnerability and exploit all bear on the
potential loss for the organization. That is why the organization needs to
implement a risk management strategy.
Data and its protection are key considerations for firms in today’s society.
sensitive information expect that you have a strong data security
infrastructure in place.
Understanding the interrelationships of four components is essential:
• Risk
• Threat
• Vulnerability
• Exploit
Risk
What is Risk?
The probability of danger and the consequence of a vulnerability are combined
to form risk.
To put it another way, the risk is the possibility of a threat agent successfully
exploiting a vulnerability, which may be calculated using the risk formula:
Risk = Threat Probability * Vulnerability Impact.
To reduce your risk exposure, develop and implement a risk management
strategy.
It’s a never-ending process that constantly assesses new threats and
vulnerabilities.
It takes into account not only the possibility or chance of a negative event but also
the impact that event could have on your infrastructure.
Examples of risk in business include
Financial losses
Loss of privacy
Damage to your reputation
Legal implication.
Even loss of life
Threat
What is a Threat?
A threat is an incident that is new or recently found and has the potential to harm a
system or your organization.
All of these threats are seeking a way in, a weak spot in your defences to exploit.
On the other hand, some dangers are more likely to be exploited than others.
Threats can be unintentional, such as an employee obtaining incorrect data.
Spyware, malware, adware companies, or the activities of a disgruntled employee
are all examples of intentional threats.
Vulnerability
What is vulnerability?
A vulnerability is a recognized weakness in an asset (resource) that one or
more attackers can exploit.
To put it another way, it’s a well-known flaw that permits an attempt to succeed.
Examples of vulnerabilities include:
Physical vulnerabilities, such as publicly exposed networking equipment.
Software vulnerabilities, such as a buffer overflow vulnerability in a browser.
Human vulnerabilities, such as an employee vulnerable to phishing assaults.
Exploit:
The term “exploit” is widely used to denote a software program designed
to attack an asset by exploiting a vulnerability. Many exploits are designed
to obtain control of an asset.
A data breach is an example of an exploit.
How do exploits work?
Exploits make use of a security hole in a computer system, operating system, piece of
software, Internet of Things (IoT) device, or other security vulnerability.
Once an exploit has been used, it is usually discovered by the developers
of the susceptible system or software, and the vulnerability is usually
repaired with a patch, rendering the exploit unusable.
Types of Exploit:
Hardware: Poor encryption, a lack of configuration management, or
a firmware vulnerability are all examples of security flaws.
Software: Data validation mistakes (code injection, cross-site
scripting (XSS), directory traversal, email injection, format string attacks,
HTTP header injection, HTTP response splitting, SQL injection).
Network: Man-in-the-middle attacks, domain hijacking, typosquatting, poor
network security, lack of authentication, and default passwords are all
examples of security issues.
Personnel: Poor policies and processes, lack of security awareness, poor
adherence to information security policy, poor password management, or
falling victim to common and practical attacks like phishing, spear
phishing, pretexting, spoofing, honey trapping, smishing, water holing, or
whaling.
Physical site: Tailgating, poor physical security, and a lack of room
key access control are all issues.
Rootkits, Trapdoors, Botnets, Key loggers, Honeypots:
Malware stands for malicious software and denotes software that is
designed to execute computer instructions that are destructive to a
user’s system or in any other way hazardous for targeted individuals
and enterprises.
Malware developers are usually called cyber attackers, hackers, or
adversaries. These persons and groups of people hide their identities to
escape legal liability.
Types of Malware:
Rootkits
Trapdoors
Botnets
Key loggers
Honeypots
Rootkit:
Rootkit is a type of malware that gains unauthorized access to a
computer’s root directory, a.k.a. kernel.
This is the heart of any operating system.
First of all, a rootkit can block antivirus calls to the system.
As a result, the antivirus scan report says that everything is fine,
while the malware has gained complete control over the victim’s
device. A typical rootkit is a collection of malware containing
keyloggers, botnets and backdoors.
Note: In kernel mode, the rootkit might change system settings and be impossible to
remove.
One of the widely discussed rootkits is Stuxnet which led to serious problems in
Iran’s nuclear plant and other industrial facilities.
Bots and Botnets:
Good Bots:
Customer support bots help users before routing to a human.
Search engine crawlers (like Google bots) index websites.
Malicious Bots in Cybersecurity:
Malware bots hijack computers to perform harmful tasks.
Bots can self-replicate like viruses and worms.
Victims often don’t realize their machine is infected.
Botnet (Bot Network):
A botnet is a group of infected bots working together.
Controlled by a malicious Command & Control (C&C) server.
Used to launch cyber-attacks, steal data, or send spam.
Botnet Infection Signs:
Slow shutdown, software, or Internet speed.
Frequent crashes for no clear reason.
Advanced Botnet Threats:
P2P botnets (peer-to-peer) are harder to trace.
Victims may unknowingly aid attacks.
Example: GameOver Zeus used Domain Generation Algorithm (DGA) for stealthy
communication.
Keyloggers
Keylogger is short for keystroke logger. In other words, it’s malware that
records every action on a computer’s keyboard. Yet, it might record other inputs
as well:
• Everything that’s copied to the clipboard
• Mouse clicks
• Activity (opened programs, folders, etc.)
• Can make screenshots
• Can retrieve text value (passwords behind a mask)
Keyloggers: What They Do
Log credentials, credit card numbers, chat/email conversations,
and browsing history.
Can remotely control the victim’s machine.
How Keyloggers Work
Often downloaded without user knowledge.
Run silently in the background.
Store logs in files on the victim's system.
Detection Methods
Check for files that frequently update (log files).
Look for outgoing connections to C&C servers (Command &
Control).
Trap Door
Trap Door is a secret entry point into a program that allows unauthorized
access without following standard security procedures.
It is also known as a Back Door, as it bypasses normal authentication
methods.
Trap Doors are hard to detect, often requiring thorough examination of
system components by programmers or developers.
Legal Use: Programmers may use trap doors legitimately for debugging
and testing during development.
Security Risk: Trap doors become threats when dishonest programmers
exploit them for illegal access.
Primary Security Focus: Security measures should first target program
development and software update activities.
Implementation Challenge: The operating system’s control over trap doors
is complex and difficult to manage.
Active and Passive Security Attacks:
Security Attacks
• A useful means of classifying security attacks, used both in X.800 and RFC 4949, is in
terms of passive attacks and active attacks
• A passive attack attempts to learn or make use of information from the
system but does not affect system resources. An active attack attempts to
alter system resources or affect their operation.
• Passive Attack
• Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
• The goal of the opponent is to obtain information that is being transmitted.
• Two types of passive attacks are the
• Release of message contents
• Traffic analysis.
The release of message contents is easily understood. A telephone
conversation, an electronic mail message, and a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent
from learning the contents of these transmissions.
• A second type of passive attack, traffic analysis, is subtler. Suppose that
we had a way of masking the contents of messages or other information
traffic so that opponents, even if they captured the message, could not
extract the information from the message.
Active attack
Active attacks involve some modification of the data stream or the
creation of a false stream and can be subdivided into four categories:
masquerade, replay, modification of messages, and denial of service.
A masquerade takes place when one entity pretends to be a different
entity. A masquerade attack usually includes one of the other forms of
active attack.
• Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
• Modification of messages simply means that some portion of a
legitimate message is altered, or that messages are delayed or reordered,
to produce an unauthorized effect. For example, a message meaning “Allow
John Smith to read confidential file accounts” is modified to mean “Allow
Fred Brown to read confidential file accounts.”
Denial of service prevents or inhibits the normal use or management of
communications facilities. This attack may have a specific target;
for example, an entity may suppress all messages directed to a particular
destination.
IP Spoofing, Tear drop, DoS, DDoS, XSS, SQL injection, Smurf Attack,
Man in middle, Format String attack
IP Spoofing
• With IP spoofing, an intruder sends a message to a computer system with an IP address
indicating that the message is coming from a different IP address than the one it is
actually coming from.
• If the intent is to gain unauthorized access, then the spoofed IP address will be that
of a system the target considers a trusted host.
• To successfully perpetrate an IP spoofing attack, the hacker must find the IP address
of a machine that the target system considers a trusted source.
• After they have obtained a trusted IP address, they can modify the packet headers of
their transmission so that it appears that the packet is coming from the trusted host.
Types of IP Spoofing
Denial-of-service attacks: In denial of service attack, an attacker can use IP Spoofing
to flood a network or system with a large number of requests, making it unavailable to
legitimate users.
Unauthorized access: An attacker can use IP Spoofing to bypass access controls and
gain unauthorized access to a system or network.
Data interception: An attacker can use IP Spoofing to intercept sensitive data, such as
login credentials, financial information, or personal information.
Reputation damage: IP Spoofing can damage the reputation of legitimate businesses
and organizations, as the attack can appear to be coming from their IP address.
How to Protect Against IP Spoofing?
Monitor incoming IP packets for signs of IP spoofing using network monitoring
software.
One popular product, "Netlog", along with similar products, looks for incoming
packets on the external interface that have both the source and destination IP
addresses in your local domain.
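The monitoring check described above, written out as an added example (it is not code from these notes or from any product named in them). The local address range, the interface names and the packet records are constructed assumptions, and the example goes slightly beyond the text by also flagging source addresses that can never be valid on an external link.

```python
import ipaddress

# Assumptions (hypothetical values): the "local domain" and the name of the
# interface that faces the Internet.
LOCAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
EXTERNAL_IFACE = "wan0"

# Constructed packet records: arrival interface, source and destination.
SAMPLE_PACKETS = [
    {"iface": "wan0", "src": "198.51.100.7", "dst": "10.20.0.9"},  # ordinary inbound
    {"iface": "wan0", "src": "10.20.3.4", "dst": "10.20.0.9"},     # local source from outside
    {"iface": "lan0", "src": "10.20.3.4", "dst": "10.20.0.9"},     # genuine internal traffic
    {"iface": "wan0", "src": "127.0.0.1", "dst": "10.20.0.9"},     # loopback source from outside
    {"iface": "wan0", "src": "10.20.3.999", "dst": "10.20.0.9"},   # unparsable address
]


def in_local_domain(ip):
    """True when the address belongs to one of the local networks."""
    return any(ip in net for net in LOCAL_NETS)


def classify(record):
    """Return a verdict string for one packet record."""
    try:
        src = ipaddress.ip_address(record["src"])
        dst = ipaddress.ip_address(record["dst"])
    except ValueError:
        return "malformed-address"
    if record["iface"] != EXTERNAL_IFACE:
        # Internal interfaces legitimately carry local-to-local traffic.
        return "ok"
    # The check from the text: the packet arrives from outside, yet both its
    # source and its destination claim to be inside the local domain.
    if in_local_domain(src) and in_local_domain(dst):
        return "spoofed-local-source"
    # Generalization: sources that cannot be genuine on an external link.
    if src.is_loopback or src.is_unspecified or src.is_multicast:
        return "impossible-source"
    return "ok"


def suspicious(records):
    """Return (index, verdict) for every record that is not 'ok'."""
    findings = []
    for index, record in enumerate(records):
        verdict = classify(record)
        if verdict != "ok":
            findings.append((index, verdict))
    return findings


if __name__ == "__main__":
    for index, verdict in suspicious(SAMPLE_PACKETS):
        print(index, SAMPLE_PACKETS[index]["src"], verdict)
```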
Teardrop Attack
What is a Teardrop Attack
A Teardrop Attack is a type of Denial-of-Service (DoS) attack.
The attacker sends broken or fragmented data packets to the target
computer or server.
When the system tries to reassemble these packets, it fails due to an
error, causing it to slow down or crash.
How Does It Work?
Older operating systems (like some versions of Windows or Linux)
have a bug in how they reassemble fragmented packets.
The attacker sends overlapping fragments that cannot be
combined properly.
This leads to errors or crashes, disrupting normal system
operation.
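A validation pass that a reassembly routine can run before combining fragments, as an added example (not code from these notes). The fragment lists are constructed, the 20-byte header is an assumption, and the check goes slightly beyond the text by also reporting gaps and datagrams that would exceed the IPv4 size limit.

```python
from collections import namedtuple

# offset_units is the IPv4 fragment-offset field (8-byte units), length is the
# fragment's payload size in bytes, more_fragments is the MF flag.
Fragment = namedtuple("Fragment", "offset_units length more_fragments")

MAX_DATAGRAM = 65535   # largest legal IPv4 datagram, header included
IP_HEADER = 20         # assumption: header without options

# Constructed fragment sets, each standing for one datagram.
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True),
          Fragment(370, 40, False)]
OVERLAPPING = [Fragment(0, 1480, True), Fragment(100, 800, False)]
OVERSIZED = [Fragment(0, 65512, True), Fragment(8189, 100, False)]


def check_fragments(fragments):
    """Return a list of (problem, byte_offset) found in one datagram's fragments.

    An empty list means the fragments tile the datagram exactly and can be
    reassembled; anything else should be dropped rather than combined.
    """
    findings = []
    ordered = sorted(fragments, key=lambda f: f.offset_units)
    covered_to = 0  # first byte not yet covered by an earlier fragment
    for frag in ordered:
        start = frag.offset_units * 8
        end = start + frag.length
        # Every fragment except the last must carry a multiple of 8 bytes.
        if frag.more_fragments and frag.length % 8 != 0:
            findings.append(("bad-length", start))
        if start < covered_to:
            # The overlapping-fragment case the text describes.
            findings.append(("overlap", start))
        elif start > covered_to:
            findings.append(("gap", start))
        if end + IP_HEADER > MAX_DATAGRAM:
            findings.append(("oversize", start))
        covered_to = max(covered_to, end)
    if ordered and ordered[-1].more_fragments:
        findings.append(("incomplete", covered_to))
    return findings


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("overlapping", OVERLAPPING),
                        ("oversized", OVERSIZED)):
        print(name, check_fragments(frags))
```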
Why Is It a Problem?
Many organizations still use old or unpatched systems for legacy
applications.
These systems are vulnerable to teardrop attacks.
A successful attack can shut down important services or
applications.
Why Is It Important to Know?
Teardrop attacks exploit system weaknesses, especially in
outdated systems.
Keeping operating systems updated and patched is crucial to
prevent these attacks.
DoS, DDoS:
What is a Denial-of-Service (DoS) Attack?
A DoS attack is a cyber attack that aims to make a website, network, or
system unavailable to its legitimate users.
The attacker floods the target with an overwhelming amount of fake
traffic or requests.
This causes the system to slow down or crash, preventing access for real
users.
Key Features of a DoS Attack
Interrupts normal operations of a device, server, or network.
Targets a single system using one attacking source.
Results in denial of access to genuine users.
Types of DoS Attacks:
Volume-Based Attacks
Flood the network with large volumes of traffic to overwhelm bandwidth.
Goal: Make the entire network unusable for legitimate users.
Examples:
UDP Flood: Sends tons of UDP packets to random ports, forcing the server to
respond and use up resources.
ICMP Flood: Bombards the target with ICMP (ping) packets, slowing or crashing
the system.
Protocol Attacks
Exploit vulnerabilities in network protocols to exhaust server resources.
Goal: Keep systems busy handling incomplete or malformed requests.
Examples:
SYN Flood: Sends multiple SYN (connection start) requests without completing
the TCP handshake, causing half-open connections.
Ping of Death: Sends oversized or malformed packets that crash or destabilize
the system.
Application Layer Attacks
Target specific applications (like web servers) with requests at the top layer of the OSI
model.
Goal: Cause slowdowns or crashes in apps and services.
Examples:
HTTP Flood: Bombards a server with a flood of HTTP requests,
overloading it.
Slowloris: Opens many HTTP connections but sends data very
slowly, preventing the server from handling new users.
Distributed Denial-of-Service (DDoS) Attacks
Use multiple systems (often part of a botnet) to attack one target.
Makes the attack stronger and harder to block than regular DoS
attacks.
Examples:
o Amplification Attack:
Attacker sends a small request to a public server (e.g.,
DNS).
The server sends a large response to the victim.
The victim is flooded with data, overwhelming the
system.
o Botnet-Based Attack:
Many infected devices (bots) are controlled remotely.
All send traffic to the target at the same time, causing
disruption.
Resource Exhaustion Attack
Attacker repeatedly requests access to a resource (e.g., a
webpage or service).
The web application gets overloaded handling fake requests.
This causes the application to slow down or crash.
Legitimate users are unable to access the application or website.
XSS (Cross-Site Scripting)
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted
websites.
XSS attacks occur when an attacker uses a web application to send
malicious code, generally in the form of a browser-side script, to a
different end user.
Flaws that allow these attacks to succeed are quite widespread and occur
anywhere a web application uses input from a user within the output it
generates, without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting
user.
The end user’s browser has no way to know that the script should not be
trusted and will execute the script.
Because the browser thinks the script came from a trusted source, the malicious
script can access:
Cookies
Session tokens
Other sensitive information retained by the browser and used with that site.
These scripts can even rewrite the content of the HTML page.
Types of Cross-Site Scripting Attacks:
XSS comes in several forms, depending on how and where the script is
injected:
1. Persistent (Stored XSS):
Malicious code is permanently stored in a server-side database or
application component.
Triggered whenever a user loads the infected page (e.g., via a
comment field or message board).
Example: Injected code in a public forum post that steals login
credentials.
2. Reflected XSS:
Delivered through a URL or form that reflects user input back in
the server response.
Often used in phishing attacks or malicious links.
Example: A crafted search URL returns a page displaying the
attacker’s script.
3. DOM-Based XSS:
Occurs entirely in the client browser’s DOM, without server
interaction.
Manipulates the page’s JavaScript environment.
Example: A script dynamically reads URL fragments and injects
HTML directly.
4. Blind XSS:
Like stored XSS, but the malicious payload executes in an admin or
backend interface.
The attacker never sees the immediate result but gets data later.
Example: Attack embedded in a support form visible only to an
internal team.
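An added example (not code from these notes) of the flaw described above, input placed in output without validation or encoding, next to a version that validates the link and encodes every value for its HTML context. The comment-board renderer, its function names and the sample inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs standing in for what a visitor might submit.
SCRIPT_COMMENT = "<script>alert(1)</script>"
QUOTE_BREAKOUT = 'https://example.test/" onmouseover="alert(1)'
SCRIPT_URL = "javascript:alert(1)"


def render_unsafe(author, homepage, text):
    """Vulnerable: user input goes into the page without validation or encoding."""
    return '<li><a href="' + homepage + '">' + author + "</a>: " + text + "</li>"


def safe_href(url):
    """Validation: allow only http/https links, anything else becomes '#'."""
    url = url.strip()
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:
        return "#"
    return url if scheme in ("http", "https") else "#"


def render_safe(author, homepage, text):
    """Validate the URL, then encode every value for the place it lands in."""
    return '<li><a href="{}">{}</a>: {}</li>'.format(
        html.escape(safe_href(homepage), quote=True),  # attribute context
        html.escape(author),                           # element content
        html.escape(text),                             # element content
    )


if __name__ == "__main__":
    print(render_unsafe("mallory", "https://example.test/", SCRIPT_COMMENT))
    print(render_safe("mallory", "https://example.test/", SCRIPT_COMMENT))
    print(render_safe("mallory", QUOTE_BREAKOUT, "hi"))
    print(render_safe("mallory", SCRIPT_URL, "hi"))
```

The encoded output shows the submitted markup as text in the browser instead of running it, which covers the stored and reflected cases; DOM-based XSS needs the equivalent care in the page's own JavaScript.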
Smurf Attack:
A smurf attack is a type of distributed denial-of-service (DDoS)
attack that exploits weaknesses in the Internet Protocol (IP) and
Internet Control Message Protocol (ICMP).
It works by sending a large number of ICMP "echo request" packets
to a network's broadcast address, with the source IP address
spoofed to be that of the intended victim.
This causes all devices on the network to respond to the victim,
overwhelming their systems and potentially causing a denial of
service.
Why it's called "smurf":
The name "smurf" refers to the cartoon characters who are small but can
defeat larger enemies by working together.
In this context, the attacker uses many small, seemingly insignificant packets to
overwhelm a larger target.
Key characteristics:
DDoS attack:
Smurf attacks are a form of DDoS, meaning they target a system
with a flood of traffic from multiple sources.
Network layer attack:
Smurf attacks operate at the network layer of the OSI model,
exploiting IP and ICMP protocols.
Amplification:
The attack amplifies the initial traffic by leveraging broadcast
addresses, making it more effective.
Spoofing:
The use of spoofed IP addresses makes it difficult to trace the
attack back to the attacker.
SQL injection (SQLi):
An SQL Injection attack is a type of code injection that exploits
vulnerabilities in a web application’s database layer. When input fields (such as
login forms or search boxes) fail to properly filter or sanitize user input,
attackers can insert malicious Structured Query Language (SQL) statements
into a query to gain unauthorized access to data.
What Can SQL Injection Do?
Extract sensitive data (usernames, passwords, payment details)
Bypass login authentication
Modify or delete database records
Execute administrative operations on the database
Access internal system files
How SQL Injection Works: Step-by-Step
Retrieving hidden data
Imagine a shopping application that displays products in different categories.
When the user clicks on the Gifts category, their browser requests the URL:
https://insecure-website.com/products?category=Gifts
This causes the application to make a SQL query to retrieve details of the
relevant products from the database:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
This SQL query asks the database to return:
• all details (*)
• from the products table
• where the category is Gifts
• and released is 1.
The restriction released = 1 is being used to hide products that are not
released. We could assume for unreleased products, released = 0.
The application doesn't implement any defenses against SQL injection attacks.
This means an attacker can construct the following attack, for example:
https://insecure-website.com/products?category=Gifts'--
This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
Crucially, note that -- is a comment indicator in SQL. This means that the rest
of the query is interpreted as a comment, effectively removing it. In this
example, this means the query no longer
Types of SQL Injection Attacks
SQL Injection can take many forms. Understanding each helps build better
defenses:
1. Classic SQL Injection
Direct insertion of malicious SQL.
Occurs in dynamic queries built from unsanitized input.
2. Blind SQL Injection
No visible error message.
Attacker asks true/false questions and infers behavior from
application responses.
3. Time-Based Blind SQL Injection
Uses SQL commands that delay response (e.g., SLEEP(5)) to infer
data.
4. Union-Based SQL Injection
Extracts data by appending UNION SELECT to return additional
results.
5. Out-of-Band SQL Injection
Uses external channels (e.g., DNS or HTTP requests) to extract data.
How to Prevent SQL Injection
Input Validation and Whitelisting
Accept only expected data types.
Reject unexpected characters (e.g., ', --, ;).
Stored Procedures
Encapsulate logic in the database and execute only safe, predefined
statements.
Least Privilege Principle
Ensure database users have only necessary permissions. Don’t let a
web app account perform admin functions.
Error Handling
Don’t display detailed database errors to users.
Use generic error messages to mask backend info.
Web Application Firewall (WAF)
Deploy a WAF to filter malicious input and detect attack patterns in
real time.
Security Testing
Use tools like OWASP ZAP, Burp Suite, and Xcitium’s threat
scanners.
Integrate testing into CI/CD pipelines.
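The shopping-application query from the walkthrough above, reproduced as an added example (not code from these notes) with an in-memory SQLite database whose rows are constructed. It places the string-built query beside a parameterized query, a standard defense that the list above does not name, and beside the allow-list validation the list does name; ALLOWED_CATEGORIES and the function names are hypothetical.

```python
import sqlite3

ALLOWED_CATEGORIES = {"Gifts", "Lighting"}   # hypothetical allow-list
INJECTED = "Gifts'--"                        # category value from the attack URL above


def make_db():
    """Build a constructed products table: one Gifts row is unreleased."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Gift card", "Gifts", 1),
        ("Mystery box", "Gifts", 0),     # hidden by released = 1
        ("Desk lamp", "Lighting", 1),
    ])
    return db


def products_vulnerable(db, category):
    """Vulnerable: the query text is built from user input."""
    sql = ("SELECT name FROM products WHERE category = '" + category +
           "' AND released = 1")
    return sorted(row[0] for row in db.execute(sql))


def products_parameterized(db, category):
    """The input is passed as data and never becomes part of the SQL text."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in db.execute(sql, (category,)))


def products_validated(db, category):
    """Allow-list validation in front of the parameterized query."""
    if category not in ALLOWED_CATEGORIES:
        raise ValueError("unknown category")
    return products_parameterized(db, category)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal  :", products_vulnerable(db, "Gifts"))
    print("vulnerable, injected:", products_vulnerable(db, INJECTED))
    print("parameterized       :", products_parameterized(db, INJECTED))
    try:
        products_validated(db, INJECTED)
    except ValueError as exc:
        print("validated           : rejected,", exc)
```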
Man-in-the-Middle (MitM) attack
What is a man-in-the-middle (MitM) attack?
A man-in-the-middle (MitM) attack is a type of cyber attack in which the
attacker secretly intercepts and relays messages between two parties who
believe they are communicating directly with each other.
The attack is a type of eavesdropping in which the attacker intercepts and
then controls the entire conversation.
MitM cyber attacks pose a serious threat to online security because they
give the attacker the ability to capture and manipulate sensitive personal
information -- such as login credentials, account details or credit card
numbers -- in real time.
In one type of MitM attack, the attackers focus on browser infection and inject
malicious proxy malware into the victim's device.
The malware is commonly introduced through phishing emails. The main
objective behind these attacks is to steal financial information by
intercepting a user's traffic to a banking or financial website.
Attackers may have various reasons and techniques for carrying out a MITM
attack. Some of the common reasons are:
To steal sensitive information such as credit card numbers and login details.
To snoop into private communications or transactions, which may include
trading secrets or other valuable information.
Different Types of MITM Attacks:
1. Email Hijacking
Targets email accounts of organizations (especially banks) or individuals.
Hackers monitor email transactions to launch convincing attacks.
Example:
A hacker waits for a customer discussing money transfers.
They spoof the company’s email and insert their own bank details.
The customer unknowingly sends money to the hacker, thinking it’s the
organization.
2. Wi-Fi Eavesdropping
A type of MITM (Man-in-the-Middle) attack on Wi-Fi networks.
Hackers create a fake Wi-Fi hotspot called an "Evil Twin".
When users connect:
The attacker gains access to the device.
Steals personal data from connected users.
Common in public places like coffee shops using unencrypted Wi-Fi.
3. Session Hijacking
Occurs when a hacker hijacks the session between a user and a website.
Common method: stealing browser cookies.
Cookies may contain:
Login credentials
Online activities
Pre-filled forms
Location data
Once accessed, the hacker can log in to the victim’s account without needing
credentials.
4. ARP (Address Resolution Protocol) Spoofing
Happens over Local Area Networks (LAN).
When a user sends an ARP request, the attacker responds with fake ARP
replies. The attacker pretends to be a trusted device (e.g., router).
Allows interception of the victim’s entire internet traffic.
5. Man-in-the-Browser
Exploits web browser vulnerabilities.
Common methods:
Trojan Horses
Java exploits
SQL injection
Malicious browser add-ons
Mainly used to steal financial information.
Example:
Malware captures bank credentials.
It can even transfer money silently while altering the transaction receipt to
hide the theft.
Steps for Preventing Man-in-the-Middle Attacks
Have Strong WEP/WAP Encrypted Access Points
Strong Login Credentials for Your Routers
Use Virtual Private Network
Forced HTTPS
Buffer OverFlow Attack:
What is Buffer Overflow attack:
Buffers are memory storage regions that temporarily hold data while it is
being transferred from one location to another.
A buffer overflow (or buffer overrun) occurs when the volume of data
exceeds the storage capacity of the memory buffer.
As a result, the program attempting to write the data to the buffer
overwrites adjacent memory locations.
Buffer overflows can affect all types of software.
They typically result from malformed inputs or failure to allocate enough
space for the buffer. If the transaction overwrites executable code,
it can cause the program to behave unpredictably and generate incorrect
results, memory access errors, or crashes.
Buffer overflow vulnerabilities are caused by programmer mistakes that
are easy to understand but much harder to avoid and protect against.
Types of Buffer Overflow Attacks
Stack-based buffer overflows are more common, and leverage stack
memory that only exists during the execution time of a function.
Heap-based attacks are harder to carry out and involve flooding the
memory space allocated for a program beyond memory used for
current runtime operations.
How to Prevent Buffer Overflows:
Address space randomization (ASLR)—randomly moves around
the address space locations of data regions.
Typically, buffer overflow attacks need to know the locality of
executable code, and randomizing address spaces makes this
virtually impossible.
Data execution prevention—flags certain areas of memory as
non-executable or executable, which stops an attack from running
code in a non-executable region.
Structured exception handler overwrite protection (SEHOP)—
helps stop malicious code from attacking Structured Exception
Handling (SEH), a built-in system for managing hardware and
software exceptions.
Input validation attack:
An input validation attack is any malicious action against a
computer system that involves manually entering strange
information into a normal user input field.
Input validation attacks take place when an attacker purposefully
enters information into a system or application with the intention
of breaking the system's functionality.
When information is input by an application or user as part of a
user input attack, it can make a computer vulnerable to
unauthorized changes and destructive commands.
The type of unsafe data entered into a system can range from
simple words to malicious code to massive scale information
attacks.
Types of input validation attacks:
Buffer overflow
Canonicalization attacks: A canonicalization attack takes place
when someone changes a file directory path that has digital
permissions to access parts of a computer.
XSS attacks
SQL injection
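To make the canonicalization case concrete, the following added example (not part of the original notes) reduces a requested path to its canonical form before any permission decision and rejects paths that climb out of the permitted directory. It assumes the path has already been URL-decoded and works lexically only; symbolic links are not resolved, and the function name is hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 32

/* Lexically canonicalize a request path relative to a served root.
 * Returns 0 and fills 'out' on success; -1 if the path is absolute, climbs
 * above the root with "..", has too many segments, or does not fit. */
int canonicalize_under_root(const char *path, char *out, size_t outsz) {
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS], n = 0, used = 0;

    if (path == NULL || out == NULL || outsz == 0) return -1;
    if (path[0] == '/') return -1;               /* absolute path: reject */
    for (const char *p = path; *p != '\0'; ) {
        size_t len = strcspn(p, "/");            /* length of this segment */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (n == 0) return -1;               /* ".." would leave the root */
            n--;                                 /* drop the parent segment */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            if (n == MAX_SEGS) return -1;
            segs[n] = p;
            lens[n++] = len;
        }                                        /* "" and "." are skipped */
        p += len;
        if (*p == '/') p++;
    }
    for (size_t i = 0; i < n; i++) {             /* rebuild the clean path */
        size_t sep = (i > 0);
        if (used + sep + lens[i] + 1 > outsz) return -1;
        if (sep) out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

int main(void) {
    char out[64];
    /* Constructed request paths. */
    const char *samples[] = { "docs/./a/../b.txt", "docs/../../etc/passwd" };
    for (size_t i = 0; i < 2; i++) {
        int rc = canonicalize_under_root(samples[i], out, sizeof out);
        printf("%-24s -> %s\n", samples[i], rc == 0 ? out : "(rejected)");
    }
    return 0;
}
```

The access check is then made against the canonical result, never against the string the user supplied.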
Race Condition Vulnerability:
A race condition is a situation that happens in a computing system
when two or more operations must execute in a particular
sequence, but the system’s control does not enforce this order.
It’s like a competition, or race, where the sequence of actions
matters, and the lack of control over order leads to unexpected
results.
A race condition vulnerability is a software bug that allows these
unexpected results to be exploited by malicious entities.
It occurs when multiple threads access and manipulate shared data
concurrently, leading to unexpected and erroneous outcomes.
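The following added example (not part of the original notes) replays one bad ordering of two withdrawals step by step in a single thread, so the outcome is reproducible, and then repeats it with an atomic compare-and-swap that refuses to act on a stale read. The account scenario, amounts and function names are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

static atomic_int balance;   /* shared state touched by both withdrawals */

/* Step 1 of a withdrawal: read the balance and check it covers the amount. */
static bool check(int amount, int *seen) {
    *seen = atomic_load(&balance);
    return *seen >= amount;
}

/* UNSAFE step 2: writes a value computed from the earlier read, even if
 * another withdrawal has changed the balance in the meantime. */
static bool commit_racy(int amount, int seen) {
    atomic_store(&balance, seen - amount);
    return true;
}

/* SAFE step 2: compare-and-swap succeeds only if the balance still equals
 * the value that was checked; otherwise the caller must check again. */
static bool commit_cas(int amount, int seen) {
    return atomic_compare_exchange_strong(&balance, &seen, seen - amount);
}

/* Replays the ordering "A checks, B checks, A commits, B commits" on an
 * account holding 100 and returns the total amount paid out. */
int replay(bool (*commit)(int, int)) {
    int a_seen, b_seen, paid = 0;
    atomic_store(&balance, 100);
    bool a_ok = check(70, &a_seen);               /* A sees 100: allowed */
    bool b_ok = check(70, &b_seen);               /* B sees 100: allowed */
    if (a_ok && commit(70, a_seen)) paid += 70;
    if (b_ok && commit(70, b_seen)) paid += 70;   /* B's read is now stale */
    return paid;
}

int main(void) {
    printf("racy commit paid out: %d\n", replay(commit_racy));
    printf("CAS commit paid out:  %d\n", replay(commit_cas));
    return 0;
}
```

A mutex held across both the check and the update closes the same window; the compare-and-swap form is used here because it makes the stale read visible as a failed commit.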
What is Access Control?
Access Control plays a pivotal role in performing a penetration test.
In web applications, access control is defined as the process of managing
users' access to, and restricting, specific resources or functionalities
within the application.
It ensures the user has only the required privileges to perform actions or
access specific parts (pages/resources) of the application while preventing
unauthorized access or misuse.
Here are the core components under Access Control:
Authentication
Authorization
Session Management
User Roles & Permissions
We can divide the vulnerabilities related to Access Controls into two
categories:
Broken Access Controls
Missing Access Controls
The image below depicts access controls and the categories,
Proper Access Controls (PAC),
Broken Access Controls (BAC), and
Missing Access Controls (MAC) respectively.
Broken Access Control
Broken Access Control vulnerabilities generally occur when the access
controls are in place but aren’t configured properly.
Attackers can take advantage of this and perform malicious actions such
as retrieving sensitive data of other users or other malicious activity.
This usually occurs when there are mistakes in how the application
works (flow), how it was made (designed), or how it was configured in
setup.
When access controls are broken or not configured properly, it lets
attackers get into the application and do things they're not allowed to
(also known as unauthorized actions). This can lead to critical security
issues, like unauthorized access to sensitive information.
Missing Access Control
Vulnerabilities associated with Missing Access Control (MAC) arise when
a system lacks a robust access control mechanism. Developers might
forget to add important checks like who is allowed to perform certain
actions or if the data coming from the user to the application is safe.
These vulnerabilities let attackers get into the application, manipulate
the data, or cause other problems.
To prevent this, developers need to be careful and make sure they
include strong access control checks, such as validating user identity,
giving the proper and required permissions to employees or fellow
developers, and validating the information for any issues before using it.
This helps to keep the system safe from unauthenticated access and
potential harm.
Examples of Access Control Vulnerabilities
1. Insecure Function Level Authorization: This vulnerability occurs when
an application lacks proper checks and authorization at different
function levels. It can allow unauthorized users to access sensitive
functionalities or APIs directly.
2. Insecure Direct Object Manipulation (IDOR): This vulnerability
allows an attacker to modify object identifiers or parameters
associated with resources to gain unauthorized access to sensitive
data. For example, manipulating URLs or form inputs to access or
modify data of other users.
3. Vertical Access Control Bypass (Vertical Privilege
Escalation): This vulnerability arises when a lower-privileged user
gains unauthorized access to resources or actions of higher-
privileged users. For example, a user with no additional
permissions is able to access and modify admin settings or
sensitive data like resetting the passwords of other users.
4. Horizontal Access Control Bypass (Horizontal Privilege
Escalation): In this case, an attacker can access resources or
perform actions of another user with the same level of privilege.
For instance, one user views or edits the personal information
of another user in the same role group (with the same permissions)
without proper authorization.
5. Failure to Enforce Authorization/Validation Checks: When an
application fails to enforce proper authorization checks at different
layers (such as on API gateway, mid-tier applications and API
level), it allows users to access restricted resources or perform
actions they shouldn't have permissions for.
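The checks whose absence produces the cases listed above can be modelled as one deny-by-default authorization function. This is an added example, not part of the original notes; the roles, actions and session structure are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum role   { ROLE_USER, ROLE_ADMIN };
enum action { ACT_VIEW_PROFILE, ACT_EDIT_PROFILE, ACT_ADMIN_SETTINGS };

/* Server-side session state; never taken from request parameters. */
struct session { bool authenticated; int user_id; enum role role; };

/* MISSING access control: the handler trusts whatever object id the request
 * carries, so any caller can reach any user's profile. */
bool can_access_unchecked(const struct session *s, enum action a, int target_id) {
    (void)s; (void)a; (void)target_id;
    return true;
}

/* Deny-by-default check applied on every request. */
bool can_access(const struct session *s, enum action a, int target_id) {
    if (s == NULL || !s->authenticated) return false;   /* authentication */
    if (s->role == ROLE_ADMIN) return true;             /* admins: all actions */
    switch (a) {
    case ACT_VIEW_PROFILE:
    case ACT_EDIT_PROFILE:
        return s->user_id == target_id;   /* horizontal: own objects only */
    case ACT_ADMIN_SETTINGS:
        return false;                     /* vertical: admin-only function */
    }
    return false;                         /* unknown action: deny */
}

int main(void) {
    struct session alice = { true, 1, ROLE_USER };   /* constructed session */
    printf("alice views profile 2, unchecked: %d\n",
           can_access_unchecked(&alice, ACT_VIEW_PROFILE, 2));
    printf("alice views profile 2, checked:   %d\n",
           can_access(&alice, ACT_VIEW_PROFILE, 2));
    printf("alice opens admin settings:       %d\n",
           can_access(&alice, ACT_ADMIN_SETTINGS, 0));
    return 0;
}
```

The same function has to be called at every layer that can reach the resource, so that a request arriving directly at an API gets the same answer as one arriving through the user interface.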