Understanding Common Code Programming Issues Leading to Security Breaches
When security breaches are discussed, attention usually goes to network weaknesses or social engineering. In reality, many breaches stem from common mistakes in the code itself. This post looks at different types of code-level vulnerability, the damage each can inflict, and the preventive measures that help protect against them. It does not provide in-depth examples of every issue or a road map for identifying and resolving them; the purpose is to highlight how many pathways there are to running a business on exploitable code, and what business owners and security teams should be thinking about within their organisation.
Exploits are pieces of software, sequences of commands, or techniques that leverage a vulnerability in a system or application to cause unintended behaviour. Understanding the lifecycle of an exploit means examining the stages from the discovery of a vulnerability to its eventual remediation. The exploit lifecycle is generally mapped as:
- Discovery
- Development
- Weaponisation
- Delivery
- Exploitation
- Installation
- Command and Control (C2)
- Actions on Objectives
- Remediation
The lifecycle of an exploit is a complex process, and understanding each stage helps in implementing effective measures to prevent, detect, and respond. Regular updates, security testing, and a robust incident response plan are essential components of a strong security posture. The speed at which an exploit moves from discovery to delivery varies with a number of factors, from technical complexity to the return on investment for the attacker. Zero-day exploits generally move quickly, to take advantage of the window before detection and patching; it is important to know that an opportunity discovered by a malicious actor can be leveraged very quickly.
Injection Flaws
Injection flaws, such as SQL injection and command injection, pose significant risks to application security. They occur when untrusted data is sent to an interpreter as part of a command or query, and the attacker's hostile data tricks the interpreter into executing unintended commands or accessing data without authorisation. By understanding the mechanism and implementing robust preventive measures, businesses can protect their data and systems from unauthorised access and malicious manipulation. Parameterised queries, secure coding practices, input validation, code scanning, peer review, and regular security audits are essential components of an effective defence against injection attacks.
SQL injection is an injection flaw where attackers insert malicious SQL through user-controlled input, changing the query the database executes so that it reads, modifies, or deletes data the attacker should not be able to reach. Command injection occurs when an application passes unsafe user-supplied data (from forms, cookies, HTTP headers, and so on) to a system shell or command interpreter; the attacker injects arbitrary commands that the host system executes. Most mature businesses will have systems and practices in place to prevent SQL and command injection; if unsure, have the internal team or an outside consultant undertake a code review.
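As an added illustration (example code written for this editing pass, not from the original article or from any particular product), the following Python shows both flaws side by side on constructed data: a query built by string formatting next to a parameterised one, and a shell command built from user input next to an argument list, with an allow-list check on the hostname as defence in depth. The in-memory SQLite table is constructed for the example, and `echo` stands in for the network tool (ping, traceroute) the real feature would run.

```python
import re
import sqlite3
import subprocess

# Allow-list for a DNS hostname: labels of letters, digits and hyphens separated by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The value is pasted into the query text, so SQL syntax inside it is interpreted:
    # name = "' OR '1'='1" turns the WHERE clause into one that matches every row.
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver binds the value separately from the statement,
    # so the same payload is just a name that matches nothing.
    return conn.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def is_valid_hostname(host: str) -> bool:
    # Allow-list validation: anything a shell could interpret is not a valid hostname.
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def run_check_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ';', '|' and '$(...)' in host are honoured.
    return subprocess.run(
        f"echo checking {host}", shell=True, capture_output=True, text=True
    ).stdout


def run_check_safe(host: str) -> str:
    # Argument list and no shell: the host is one argv entry whatever characters it contains.
    # Combine with is_valid_hostname() at the input boundary for defence in depth.
    return subprocess.run(["echo", "checking", host], capture_output=True, text=True).stdout
```

With the payload `example.com; echo INJECTED` the vulnerable variant runs two commands, while the safe variant passes the whole string to `echo` as a single argument and prints it back untouched.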
Cross Site Scripting
Cross-Site Scripting (XSS) is a security vulnerability typically found in web applications. It occurs when attackers inject malicious scripts into web content that is subsequently executed by other users' browsers. The injected code can manipulate the content of the page, steal data such as session tokens, or perform actions on behalf of the user. It is a pervasive issue with serious consequences for both users and web applications. Understanding the nature of XSS attacks and implementing robust preventive measures, such as input sanitisation, context-aware output encoding, and a Content Security Policy, is essential for maintaining a secure web environment. Regular security practices, including code reviews and penetration testing, are vital in identifying and mitigating XSS vulnerabilities.
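The following Python is an added example for this post (not the article's own code) of the two defences that matter most on the server side: encoding untrusted values for the HTML context they are placed in, and sending a Content Security Policy that only allows scripts carrying a per-response nonce. The comment payloads are constructed; note that `html.escape` covers HTML body and attribute contexts only, and a value placed inside a JavaScript string or a URL needs a different encoder.

```python
import html
import secrets


def render_comment_vulnerable(author: str, body: str) -> str:
    # Raw interpolation into an attribute and an element body: a quote in `author`
    # closes the attribute and starts a new one; a tag in `body` becomes markup.
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    # html.escape(quote=True) turns <, >, &, " and ' into entities, so the browser
    # renders them as text in both the attribute and the element-body context.
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(body)}</p></div>"
    )


def new_nonce() -> str:
    # Fresh per response; the same value goes into the header and onto the <script> tags you emit.
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    # Even if encoding is missed somewhere, an injected inline script has no nonce and is blocked.
    return (
        f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )


def render_page(author: str, body: str) -> dict:
    """Response headers and HTML for one comment page (constructed minimal page)."""
    nonce = new_nonce()
    page = (
        "<!doctype html><html><body>"
        + render_comment_safe(author, body)
        + f'<script nonce="{nonce}">/* first-party code */</script>'
        + "</body></html>"
    )
    return {"headers": {"Content-Security-Policy": csp_header(nonce)}, "body": page}
```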
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack in which a malicious actor tricks a user into performing actions on a web application in which they are authenticated. It exploits the trust a web application has in the user's browser: once a user is authenticated, their browser automatically attaches the session cookie to every request sent to the application, so a page controlled by the attacker can cause the browser to submit requests the user never intended. CSRF is a serious threat that can lead to unauthorised actions and data manipulation; it is a very common way in which application users are duped into changing their own account state, such as an email address, password, or payee, without realising it. By implementing anti-CSRF tokens, SameSite cookies, re-authentication or CAPTCHAs for sensitive operations, and other preventive measures, businesses can protect their web applications and users from these attacks. Regular security assessments and secure coding practices are essential to maintaining robust defences against CSRF.
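As an added example (written for this post, not taken from the article or any framework), the Python below implements the synchroniser-token pattern: a token is bound to the session with an HMAC under a server secret, a state-changing endpoint refuses any request without a valid token, and the session cookie is issued with `SameSite=Lax`, `HttpOnly` and `Secure`. The attacker's cross-site form carries the cookie automatically but cannot read the token out of the victim's page, so the forged request fails. `SERVER_SECRET`, the session IDs and the transfer request are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical: in production this comes from configuration or a key store so that
# tokens stay valid across restarts and across worker processes.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    # nonce.mac: the MAC ties the token to this session, so a token captured from the
    # attacker's own session is useless against anyone else's.
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def session_cookie_header(session_id: str) -> str:
    # SameSite=Lax: the cookie is not sent on cross-site POSTs, which is what a CSRF form submits.
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_transfer(form: dict, session_id: str) -> tuple:
    """POST /transfer: the session cookie proves who the user is; the token proves the
    request came from a page this application rendered for that user."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"
```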
Broken Authentication and Session Management
Broken authentication and session management refers to flaws in the way an application handles user login and sessions. These flaws can lead to compromised credentials, session hijacking, or unauthorised access, allowing attackers to impersonate users and reach sensitive information. Where authentication is broken, the business or owner of the application has put its users and customers at risk, and the owner can be, and is, held responsible for data breaches and losses that result from poor practice. By implementing strong password policies, multifactor authentication, secure session management (unpredictable session identifiers, idle and absolute expiry, and a new identifier on login), and HTTPS throughout, businesses can mitigate these risks. Regular security assessments and adherence to best practice in authentication and session management are critical to maintaining a secure application environment.
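The session-management half of this is small enough to show in full. The Python below is an added example for this post, not the article's or any framework's code: a server-side session store whose identifiers come from the OS CSPRNG, which enforces both an idle and an absolute timeout, and which replaces the identifier on login so that a session fixated by an attacker before authentication never becomes an authenticated one. The clock is injectable only so the expiry rules can be exercised without waiting.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions with unpredictable IDs, idle and absolute timeouts, and rotation."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 60 * 60, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: never a counter, a timestamp, or a hash of the username,
        # all of which an attacker can guess or enumerate.
        return secrets.token_urlsafe(32)

    def create(self, user=None) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def _live(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        idle_expired = now - s["last_seen"] > self.idle_timeout
        absolute_expired = now - s["created"] > self.absolute_timeout
        if idle_expired or absolute_expired:
            self.destroy(sid)  # expired sessions are removed, not merely ignored
            return None
        s["last_seen"] = now
        return s

    def is_valid(self, sid) -> bool:
        return self._live(sid) is not None

    def get_user(self, sid):
        """User bound to sid, or None if the session is anonymous, unknown, or expired."""
        s = self._live(sid)
        return None if s is None else s["user"]

    def login(self, sid, user) -> str:
        # Rotation: bind the user to a brand-new ID and drop the old one. A pre-login ID
        # the attacker planted in the victim's browser (session fixation) dies here.
        self.destroy(sid)
        return self.create(user)

    def destroy(self, sid) -> None:
        self._sessions.pop(sid, None)
```

The same rotation should happen on any privilege change (password reset, MFA step-up), and the ID is only ever transported in a cookie marked `HttpOnly; Secure; SameSite=Lax`, never in a URL.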
Security Misconfiguration
Security misconfiguration occurs when security settings in software, servers, network devices, or applications are improperly configured, leaving the system open to attack. This includes keeping default settings and credentials, failing to apply security patches, leaving debug or verbose error modes on in production, and enabling unnecessary features or services. It is a significant threat that can lead to unauthorised access, system compromise, and data breaches. This is how many smaller businesses are caught out: not keeping their code, platform, and dependency libraries up to date. Medium to larger organisations without a strong and clear security policy, including regular scanning and auditing by external security consultants, also tend to fall foul of this. An organisation with a semi-complex or complex infrastructure must have good processes in place to ensure every part of its software and network is updated and maintained. By regularly updating and patching systems, disabling unnecessary features and services, and conducting regular security audits and configuration reviews, businesses can mitigate the risks associated with misconfiguration. Secure configuration management and hardening practices further reduce the attack surface and protect against potential exploits.
Insecure Direct Object References (IDOR)
Insecure Direct Object References (IDOR) occur when an application exposes a reference to an internal object, such as a file, directory, database key, or record, directly to users without validating that the requester is permitted to access it. The attacker simply changes the reference (an ID in a URL, for example) to reach another user's record or act on it. By using indirect references, validating and authorising every request, enforcing object-level access checks on the server, and following best practice in access control and error handling, businesses can protect their applications from this class of vulnerability. Regular security assessments and adherence to secure coding practices are essential to preventing unauthorised access to sensitive data.
Sensitive Data Exposure
Sensitive data exposure occurs when an application fails to adequately protect sensitive information, such as personal data, financial details, or intellectual property, either in transit or at rest. A lack of encryption, weak encryption, improper handling of encryption keys, or insufficient access controls are the leading causes, as is copying sensitive values into places they do not need to be, such as application logs. Exposure creates significant risk, including data theft, privacy violations, and reputational damage. By encrypting sensitive data in transit and at rest with strong algorithms and sound key management, and by masking or tokenising sensitive data wherever the full value is not needed, businesses can protect against these threats. Robust access controls, secure transmission protocols, and regular security audits further enhance data protection. Understanding the data pathways in a business is critical, and regular review and penetration testing to confirm that no vulnerabilities, sniffers, or existing breaches are present are essential components of digital business operations.
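Masking and tokenisation are the two measures here that need no external library, so they make a good added example (written for this post, not from the article). The Python below replaces a card number with a random token that has no mathematical relation to it, keeps the mapping in a vault that only releases the real value for an allow-listed purpose, and shows what an application log line should contain: the token and a masked form, never the number itself. The card numbers and the purposes are constructed; a real vault would additionally encrypt its mapping at rest under a managed key.

```python
import secrets


def mask_pan(pan: str) -> str:
    """Show only the last four digits: enough for the customer to recognise the card,
    useless to an attacker who reads the log."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Maps a sensitive value to a random token. The vault is the only component that can
    map back; every other system stores, logs and passes around the token."""

    # Hypothetical allow-list of business purposes that justify seeing the real value.
    DETOKENISE_PURPOSES = {"settlement", "chargeback"}

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenise(self, value: str) -> str:
        # Same value, same token, so the token can still be used as a stable key
        # (e.g. "has this card been used before?") without the value leaving the vault.
        token = self._by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)
            self._by_token[token] = value
            self._by_value[value] = token
        return token

    def detokenise(self, token: str, purpose: str) -> str:
        if purpose not in self.DETOKENISE_PURPOSES:
            raise PermissionError(f"purpose {purpose!r} may not see the raw value")
        return self._by_token[token]


def order_log_line(order_id: int, vault: TokenVault, pan: str) -> str:
    """What the application writes to its logs for an order: token plus masked PAN."""
    return f"order={order_id} card_token={vault.tokenise(pan)} card={mask_pan(pan)}"
```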
Insufficient Logging and Monitoring
Insufficient logging and monitoring is the failure to adequately record and track activities and events within a system or network. It results in a lack of visibility into security breaches, unauthorised access, and other malicious activity. Without proper logging and monitoring, organisations cannot detect or respond promptly to incidents, allowing attackers to operate undetected, and the consequences include delayed detection, prolonged exposure, and increased recovery costs. Logging and monitoring will not prevent an issue or breach; the focus is on ensuring that, should one occur, it is detected, identified, and addressed as quickly as possible, preferably before any damage has been done. By implementing comprehensive logging, using IDS and SIEM tooling, regularly reviewing and analysing logs, and ensuring log integrity and protection, organisations can significantly improve their ability to detect and respond to security incidents. Adhering to industry standards and regulatory requirements further enhances the overall security posture and compliance.
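To make "monitoring" concrete, here is an added example (written for this post, not from the article or any SIEM product) of two detection rules run over authentication events: a burst of failures from one source address within a sliding window, and a success from a source that was just failing at that rate, which is the signature of a password-spraying or credential-stuffing attempt that worked. The log lines and their `key=value` format are constructed; a real feed (auth.log, an identity provider's audit stream, a web server access log) needs its own parser and, ideally, the rule to run in the SIEM rather than in application code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed authentication events for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth user=alice src=198.51.100.7 result=OK
2024-05-01T10:00:05Z auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:09Z auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:14Z auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:18Z auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:23Z auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:27Z auth user=bob src=203.0.113.5 result=FAIL
kernel: something unrelated that the parser must skip, not crash on
2024-05-01T10:00:31Z auth user=bob src=203.0.113.5 result=OK
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return a dict for an auth event, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def detect_auth_abuse(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window rules over a stream of log lines.

    brute_force: at least `threshold` failures from one source inside the window.
    success_after_failures: a success from a source that was failing at that rate.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    already_flagged = set()  # one brute_force alert per source, not one per extra failure
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], len(q)))
        elif len(q) >= threshold:
            # The account that finally succeeded is the one to lock and investigate.
            alerts.append(("success_after_failures", ev["src"], ev["user"]))
            q.clear()
    return alerts
```

On the sample above the first rule fires at the fifth failure and the second fires on the final `OK`, giving the responder both the source to block and the account to reset.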
Use of Components with Known Vulnerabilities
Most developers will not knowingly use packages, libraries, or dependencies with known vulnerabilities or exploitable code. It does happen with junior developers, or with individuals who do not follow the security alerts for the language and framework they work in, and even when best practice is followed a dependency that was clean at release can carry a published vulnerability a week later, because of the velocity at which attackers and researchers find new flaws. Components with publicly known weaknesses, in open-source and proprietary software alike, therefore appear in real code bases, whether through outdated versions, unpatched security flaws, or inherent design flaws, and their use significantly increases the risk of a breach. By regularly updating and patching components, using automated tools to identify and manage vulnerable dependencies, and following a robust SDLC with security testing, organisations can mitigate these risks. Maintaining an inventory of software components (a software bill of materials) and comprehensive third-party risk management further help ensure that all dependencies are secure and up to date.
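What the "automated tools" do is mechanically simple and worth seeing once. The Python below is an added example for this post (not from the article) of the core of a dependency audit: read a pinned manifest, compare each pinned version against the first fixed version in an advisory table, and flag anything that is not pinned at all, since an unpinned dependency resolves to whatever is newest at install time and cannot be reasoned about from the manifest. The package names, versions and advisory references are constructed placeholders; real tooling such as pip-audit or an OSV-backed scanner does this against a live advisory database and handles non-numeric version suffixes properly.

```python
import re

# Constructed advisory table for the example only (placeholder names, not real advisories):
# package -> list of (first fixed version, advisory reference).
ADVISORIES = {
    "examplelib": [("2.4.1", "EXAMPLE-ADV-001")],
    "otherpkg": [("1.0.2", "EXAMPLE-ADV-002")],
}

# Constructed manifest in pip requirements syntax.
SAMPLE_REQUIREMENTS = """\
# pinned application dependencies
examplelib==2.3.0
otherpkg==1.0.5
thirdpkg>=3.0
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+")


def parse_version(v: str) -> tuple:
    # Dotted numeric versions compare correctly as tuples ((2, 10) > (2, 9)); suffixes such
    # as "rc1" are dropped here, which a real scanner must not do.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_requirements(text: str, advisories=ADVISORIES) -> list:
    """Return findings: 'vulnerable' pins below the fixed version, and 'unpinned' lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pin = PIN_RE.match(line)
        if pin is None:
            name_match = NAME_RE.match(line)
            name = name_match.group(0) if name_match else line
            findings.append({"package": name.lower(), "issue": "unpinned"})
            continue
        name, version = pin.group(1).lower(), pin.group(2)
        for fixed, ref in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed):
                findings.append({
                    "package": name, "issue": "vulnerable", "installed": version,
                    "fixed_in": fixed, "ref": ref,
                })
    return findings
```

The same comparison is what a lockfile plus a scheduled scan buys you: the manifest says exactly what runs in production, and the scan re-asks the advisory question every day rather than only at release.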
Unvalidated Redirects and Forwards
Unvalidated redirects and forwards occur when an application redirects or forwards users to another URL without properly validating the target location. An attacker can then craft a link on the trusted domain that lands the user on a malicious site, which makes for convincing phishing, malware delivery, and other social engineering. All web platforms should scan for this regularly, especially where users can enter custom content. By validating redirect targets against an allow-list of permitted destinations, preferring relative paths over full URLs, and adding user consent and warnings where an external redirect is genuinely needed, organisations can protect users from malicious redirects. Server-side validation, logging, and monitoring further secure redirection mechanisms, ensuring that users are only directed to trusted destinations.
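The validation is where people get this wrong, because URL parsing is full of corner cases. As an added example (written for this post, not from the article), the Python below accepts a `next` parameter only if it is a local path or an absolute URL on an allow-listed host, and it explicitly handles the tricks that defeat naive checks: protocol-relative `//evil.example`, userinfo such as `https://app.example.com@evil.example/`, lookalike hosts like `app.example.com.evil.example`, `javascript:` URLs, and backslashes or control characters that browsers normalise differently from `urlparse`. `ALLOWED_HOSTS` is an assumption for the example.

```python
from urllib.parse import urlparse

# Hypothetical: the hosts this application is allowed to send users to.
ALLOWED_HOSTS = {"app.example.com", "help.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return target if it is a same-site path or an allow-listed absolute URL, else default."""
    if not target:
        return default
    # Backslashes and control characters: browsers turn '\' into '/' and handle CR/LF/tab
    # in ways urlparse does not model, so refuse rather than reason about them.
    if "\\" in target or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # A path on this site. Check the raw string rather than parsed.path: '//evil.example'
        # parses with a netloc (caught below), but '///evil.example' parses as a bare path
        # and some browsers still treat it as a different host.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    # Absolute URL: scheme must be web, and hostname (not netloc) strips userinfo and port,
    # which is what defeats 'https://app.example.com@evil.example/'.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return target
    return default


def login_redirect(next_param: str) -> dict:
    """Response an /login handler would return after a successful sign-in (constructed)."""
    return {"status": 302, "headers": {"Location": safe_redirect_target(next_param)}}
```

Rejected values fall back to a safe default rather than raising, so a tampered link still logs the user in and lands them on the home page instead of producing an error page the attacker could also abuse.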
Improper Error Handling
Improper error handling occurs when an application exposes detailed error messages that reveal sensitive information about its internal workings: stack traces, database queries, server paths, configuration details, or even user data. Such disclosures give attackers valuable insight into the application's architecture and likely weaknesses. Collecting the error detail is critical for the testing and development teams, who need it to trace a fault when it occurs, but all customer-, user-, or outward-facing reporting should contain only a generic, sanitised message with simple instructions for what the user should do next. By using generic error messages for users, logging detailed error information securely on the server side, and implementing proper exception handling, organisations mitigate the risk. Regular security testing and user education further ensure that errors are handled gracefully and securely, and having and executing a plan for all external error handling provides a great deal of cover and safety to the organisation.
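An added example for this post (not the article's code) of the split described above in Python: a leaky handler that returns the traceback to the client, beside a handler that returns a generic message carrying a random reference, writes the full detail to the server log under that reference, and so lets support connect a user's report to the exact log entry. The failing query and its path are constructed; the in-memory log handler exists only so the example can show what reached the server side.

```python
import logging
import secrets
import traceback


class ListHandler(logging.Handler):
    """Keeps formatted records in memory so the server-side log is visible in the example."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log = logging.getLogger("app.errors")
log.propagate = False
SERVER_LOG = ListHandler()
SERVER_LOG.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(SERVER_LOG)
log.setLevel(logging.ERROR)


def handle_leaky(fn) -> tuple:
    """What a debug-mode or careless handler does: the whole trace goes back to the client."""
    try:
        return 200, {"data": fn()}
    except Exception:
        return 500, {"error": traceback.format_exc()}


def handle_safe(fn) -> tuple:
    """Generic message plus a correlation reference; detail only in the server log."""
    try:
        return 200, {"data": fn()}
    except Exception as exc:
        ref = secrets.token_hex(8)  # random, so references cannot be enumerated
        log.error("ref=%s exc=%s: %s", ref, type(exc).__name__, exc, exc_info=True)
        return 500, {
            "message": (
                "Something went wrong on our side. Please try again in a few minutes, "
                f"or contact support and quote reference {ref}."
            ),
            "reference": ref,
        }


def failing_query():
    # Constructed failure standing in for a real database error that names internal paths.
    raise RuntimeError("no such table: users (db=/srv/app/data/prod.sqlite)")
```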
Insecure Deserialisation
Insecure deserialisation occurs when an application deserialises untrusted or maliciously crafted data. Serialisation is the process of converting an object into a stream of bytes to store or transmit it, and deserialisation is the reverse, turning the byte stream back into an object. To keep the components of data transfer straight: serialisation gives data portability, encoding gives compatibility between systems, encryption gives confidentiality, and a keyed MAC or digital signature gives integrity against tampering (a plain hash only detects accidental corruption, since an attacker can recompute it). When deserialisation is performed on untrusted data in a format that can describe arbitrary object types, the attacker chooses which code runs during loading, and the result can be arbitrary code execution, privilege escalation, or data corruption. By not deserialising untrusted data in such formats at all, preferring data-only formats with strict schema validation, using secure deserialisation libraries, authenticating server-produced blobs before loading them, and adopting additional preventive measures, organisations can mitigate the risk. Regular security audits and adherence to best practice further ensure that deserialisation is performed safely. There are a number of considerations when thinking about how to securely transmit data, and which format carries it is one of them.
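The Python below is an added example for this post (not from the article) that makes the point observable: a `pickle` payload whose `__reduce__` names a callable that `pickle.loads` then invokes (a harmless recorder stands in for the `os.system` call a real payload would use), beside two safe paths: a data-only JSON document checked against a strict schema, and, for blobs the server itself produced, an HMAC check that refuses to deserialise anything not authenticated under the server key. `SERVER_KEY`, the schema and the profile documents are constructed for the example.

```python
import hashlib
import hmac
import json
import pickle
import secrets

EVENTS = []  # records side effects so the demonstration is observable without doing harm


def record(msg: str) -> str:
    EVENTS.append(msg)
    return msg


class Gadget:
    # pickle stores the callable and arguments returned by __reduce__ and calls them on load.
    # A real payload names os.system or subprocess.Popen here; 'record' stands in for it.
    def __reduce__(self):
        return (record, ("arbitrary callable ran during pickle.loads",))


def attacker_payload() -> bytes:
    return pickle.dumps(Gadget())


def load_profile_vulnerable(blob: bytes):
    # Trusts whatever the client sent: the bytes decide which functions run.
    return pickle.loads(blob)


# Safe path 1: a data-only format plus a strict schema (constructed for the example).
SCHEMA = {"name": str, "age": int}


def load_profile_safe(blob: bytes) -> dict:
    try:
        obj = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("not a valid profile document") from exc
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise ValueError("unexpected or missing fields")
    for key, typ in SCHEMA.items():
        if type(obj[key]) is not typ:  # `is not`, so True is not accepted as an int
            raise ValueError(f"wrong type for {key}")
    if not 0 <= obj["age"] <= 150 or not obj["name"].strip():
        raise ValueError("value out of range")
    return obj


# Safe path 2, for blobs the server produced itself: authenticate before deserialising.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical; a real deployment loads it from a key store


def sign_blob(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest() + body


def load_signed(blob: bytes) -> dict:
    mac, body = blob[:32], blob[32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("integrity check failed; refusing to deserialise")
    return load_profile_safe(body)  # authenticated, and still schema-checked
```

The HMAC path is the "integrity check" the text mentions: it proves the bytes came from the server, not that they are well-formed, which is why the schema check still runs afterwards.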
Lack of Input Validation
Most organisations with mature development capabilities will generally not face issues with input validation; this is coding 101. Failing to properly check and sanitise user input before processing it tends to be a mistake found in the work of very new programmers, but a complex system with numerous input points can have elements slip through the cracks, which is why the issue is worth mentioning. The oversight allows malicious data to be processed, leading to code injection, data manipulation, and application exploitation. Injection is very well known and generally dealt with, but it can be missed and is a critical part of the testing process. By validating and sanitising every input at the point it enters the system, using allow-lists rather than block-lists, applying robust validation mechanisms, and employing additional preventive measures, organisations can significantly reduce the risk of input-related issues. Regular security testing and adherence to best practice based on the latest vulnerability alerts further enhance the security posture of applications.
Poor Cryptography
Poor cryptography refers to the use of weak or improper cryptographic algorithms, implementations, and practices that fail to provide adequate protection for sensitive data. This includes outdated algorithms, insecure key management, home-grown or incorrectly implemented protocols, and the wrong primitive for the job, such as a fast unsalted hash for password storage or a non-cryptographic random number generator for tokens. The result can be data breaches, data manipulation, and unauthorised access. By using strong, industry-standard algorithms through well-maintained libraries, keeping cryptographic protocols and parameters current, and implementing proper key management, organisations can mitigate these risks. Adhering to best practice, conducting regular security audits, and educating developers on secure cryptographic implementation further protect sensitive data.
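The most common instance of this in application code is password storage, so that is the added example here (written for this post, not from the article). The Python shows an unsalted MD5 hash, where two users with the same password get the same hash and a precomputed table recovers it, beside PBKDF2-HMAC-SHA256 with a per-user random salt and an iteration count stored alongside the hash so it can be raised later; verification uses a constant-time comparison, and tokens come from `secrets` rather than `random`. The iteration count follows the OWASP Password Storage Cheat Sheet guidance for PBKDF2-SHA256; a memory-hard function such as Argon2id is preferable where a library is available.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 at the time of writing


def hash_password_weak(password: str) -> str:
    # Unsalted single fast hash: identical passwords collide across users, and a rainbow
    # table or a GPU at billions of hashes per second recovers the plaintext.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)  # per-user random salt: no shared precomputation across users
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record: algorithm, work factor, salt, hash. When the work factor is
    # raised later, old records still verify and can be re-hashed on next login.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        alg, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == returns early and leaks how many leading bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with a lower work factor than the current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


def reset_token() -> str:
    # secrets, not random: random.random() is a Mersenne Twister whose state is
    # recoverable from a few hundred outputs, so its "tokens" are predictable.
    return secrets.token_urlsafe(32)
```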
Access Control Issues
Access control issues arise when an application or system fails to properly restrict user permissions, allowing unauthorised access to sensitive data and functionality. This can occur through inadequate access control mechanisms, misconfiguration, or a lack of enforcement of principles such as least privilege. Access control failures lead to severe vulnerabilities, including unauthorised access, privilege escalation, and data manipulation. By implementing role-based access control (RBAC), enforcing least privilege with deny by default, and regularly reviewing and updating access controls, organisations can mitigate these risks. Additional measures such as multifactor authentication (MFA), logging and monitoring, and user training further enhance the security posture and ensure that access controls are robust and effective in protecting sensitive data and systems.
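Access control and the IDOR section above are two sides of one check, so one added example serves both (written for this post, not from the article). The Python below has a small RBAC model with deny by default, an endpoint that fetches an invoice by the ID from the URL with no ownership check (the IDOR), and the corrected endpoint that first asks whether the caller's role may read any invoice and otherwise requires the record to belong to them. It also returns the same error for "does not exist" and "not yours", so the endpoint cannot be used to enumerate valid IDs. The invoices, users, roles and permission names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: float


# Constructed data for the example.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 980.50),
}
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"support"}}
PERMISSIONS = {
    "customer": {"invoice:read_own"},
    "support": {"invoice:read_own", "invoice:read_any"},
}


def has_permission(user: str, perm: str) -> bool:
    # Deny by default: an unknown user or an unknown role grants nothing.
    return any(perm in PERMISSIONS.get(role, set()) for role in ROLES.get(user, set()))


def get_invoice_vulnerable(user: str, invoice_id: int) -> Invoice:
    # IDOR: the ID from the URL is used as-is. Changing 1001 to 1002 reads someone else's invoice,
    # and the `user` argument is never consulted.
    return INVOICES[invoice_id]


def get_invoice(user: str, invoice_id: int) -> Invoice:
    """GET /invoices/<id>: object-level check on every request, not only at the menu."""
    inv = INVOICES.get(invoice_id)
    # One error for "missing" and "not permitted" so the endpoint cannot be used to
    # find out which IDs exist.
    if inv is None:
        raise PermissionError("not found or not permitted")
    if has_permission(user, "invoice:read_any"):
        return inv
    if has_permission(user, "invoice:read_own") and inv.owner == user:
        return inv
    raise PermissionError("not found or not permitted")
```

The same shape applies to writes and deletes: resolve the object, then decide based on the caller's role and the object's owner, never on the fact that the client supplied an ID it could only have got by being allowed to.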
So what does it all mean?
The fifteen code considerations outlined in this article are only samples, and each vulnerability is discussed at a very high level: how malicious parties source and exploit issues in code, what sort of danger is involved, and how an organisation can be impacted by a breach. An organisation's original code may have been properly tested, peer reviewed, and vetted before release into a live/production environment, and may still be within its scheduled testing and review period. The issue is that the attacker side is not static either: new opportunities are regularly uncovered and shared, and are then used to harass an organisation or deliver financial and reputational damage, or ruin, to a business. If any of these topic areas is unfamiliar or not regularly discussed organisationally (without a very solid reason), it is time to do a deep-dive review and explore the organisation's current security posture. Engaging a cybersecurity and penetration testing expert will deliver a better result, and more comfort, to the organisation.