Advanced Cloud Security

Cyber threats have become more sophisticated, so it makes sense to draw on the expertise of public cloud providers to better protect your assets against them. Cloud security is a collection of proactive measures to protect your cloud assets from internal and external threats. In this Refcard, we walk through common cloud security challenges, continuous security for cloud infrastructure, and advanced strategies for securing cloud workloads.

OWASP Top Ten and Software Composition Analysis (SCA)

One of the priority areas for PVS-Studio development is covering the OWASP Top Ten 2017 categories in the C# analyzer; we also plan to cover the Top Ten 2021 in the future. The category least typical for a static analyzer is A9:2017, Using Components with Known Vulnerabilities, which holds the A6 position in the preliminary version of OWASP 2021. Implementing a rule for this category is an important task for our analyzer, because it lets PVS-Studio also be classified as an SCA (Software Composition Analysis) tool. Which implementation approach should we choose? Let's figure it out!

Using Components With Known Vulnerabilities

The A9 threat category (A6 in the preliminary OWASP 2021 version) covers the use of components with known vulnerabilities, that is, components for which there are entries in the CVE database. CVE (Common Vulnerabilities and Exposures) is a catalog of publicly disclosed vulnerabilities in software, hardware, service components, and so on.
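To make the SCA idea concrete, here is an added example that is not PVS-Studio's implementation (it is written in Python for this page rather than C#). It reads the PackageReference entries of a constructed .csproj file and matches each package version against a constructed advisory list that records, per package, the first vulnerable and the first fixed version. The advisory IDs, package names and versions are all made up for the example; a real SCA tool would load the NVD/CVE feeds or a vendor database instead, and the NuGet version rules (pre-release ordering) are simplified here.

```python
import xml.etree.ElementTree as ET

# Constructed advisory feed for this example (NOT real CVE entries): each record names the
# package, the first vulnerable version and the first fixed version (None = no fix released).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "ExampleLib", "introduced": "1.2.0", "fixed": "1.4.1"},
    {"id": "EXAMPLE-0002", "package": "ExampleLib", "introduced": "2.0.0", "fixed": None},
    {"id": "EXAMPLE-0003", "package": "OtherLib", "introduced": "0.0.0", "fixed": "3.0.0"},
]

# Constructed project file in the PackageReference format used by SDK-style .csproj files.
CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="ExampleLib" Version="1.3.7" />
    <PackageReference Include="OtherLib" Version="3.1.0-beta2" />
    <PackageReference Include="ThirdLib" Version="0.9" />
  </ItemGroup>
</Project>
"""


def version_key(version, width=4):
    """Comparable tuple for a dotted numeric version, so that 1.10.0 > 1.9.0.
    Pre-release/build suffixes ('-beta2', '+meta') are dropped; this is a simplification,
    a real comparator must order a pre-release below the corresponding release."""
    numeric = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in numeric.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (or version >= introduced when there is no fix)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    if fixed is not None and v >= version_key(fixed):
        return False
    return True


def read_package_references(csproj_text):
    """Yield (package, version) from every PackageReference element of the project file."""
    root = ET.fromstring(csproj_text)
    for ref in root.iter("PackageReference"):
        name, version = ref.get("Include"), ref.get("Version")
        if name and version:
            yield name, version


def scan(csproj_text, advisories=ADVISORIES):
    """Report (package, version, advisory id) for every reference inside a vulnerable range.
    NuGet package IDs are case-insensitive, so the comparison lowercases both sides."""
    findings = []
    for name, version in read_package_references(csproj_text):
        for adv in advisories:
            if adv["package"].lower() == name.lower() and is_affected(
                version, adv["introduced"], adv["fixed"]
            ):
                findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, advisory in scan(CSPROJ):
        print(f"{name} {version} is affected by {advisory}")
```

Two caveats a practitioner will hit immediately: a .csproj lists only direct dependencies, so a real scanner must read the resolved graph (project.assets.json or packages.lock.json) to catch vulnerable transitive packages, and advisories often describe several disjoint affected ranges per package, so the single introduced/fixed pair above needs to become a list of ranges.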

OWASP, Vulnerabilities, and Taint Analysis in PVS-Studio for C#. Stir, but Don’t Shake

We continue to develop PVS-Studio as a SAST solution, so one of our major goals is expanding OWASP coverage. You might ask what use that is without taint analysis. That is exactly what we thought, and we decided to implement taint analysis in the C# analyzer. Curious about what we accomplished? Read on!

Note. This article briefly touches upon SQL injections and working with SQL in C#. This theory serves only as context; for in-depth information on these topics, do additional research.
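As an added example that is not PVS-Studio's code (a toy written for this page in Python rather than C#), here is the model every taint analysis implements: a source that produces attacker-controlled data, propagation through concatenation, formatting and method calls, a sanitizer that clears the taint, and a sink that must not receive tainted data. It runs over a constructed snippet containing the SQL-injection shapes the article uses as context. The source, sanitizer and sink names are assumptions chosen for the sample.

```python
import ast

# Toy taint configuration (assumed for this example): values returned by these calls are
# attacker-controlled, these calls neutralize taint, and these sinks must not receive
# tainted data in the given argument position.
SOURCES = {"input"}
SANITIZERS = {"quote"}
SINKS = {"execute": 0}   # cursor.execute(query, params): only the query text matters


def callee_name(func):
    """Name of the called function or method, or None for complex callees."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def is_tainted(node, tainted):
    """Does this expression carry data derived from a taint source?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.Call):
        name = callee_name(node.func)
        if name in SANITIZERS:
            return False          # sanitizer output is clean regardless of its input
        if name in SOURCES:
            return True
        # ordinary call: taint flows through the arguments and through the receiver
        return any(is_tainted(a, tainted) for a in node.args) or is_tainted(node.func, tainted)
    if isinstance(node, (ast.Attribute, ast.FormattedValue)):
        return is_tainted(node.value, tainted)
    # BinOp ("+"), JoinedStr (f-strings), Tuple, etc.: tainted if any operand is
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def analyze_function(func):
    """Walk the statements of one function in order, tracking which names are tainted,
    and return (lineno, message) for every sink call that receives tainted data."""
    tainted = set()
    findings = []

    def visit(stmts):
        for stmt in stmts:
            if isinstance(stmt, (ast.FunctionDef, ast.ClassDef)):
                continue          # nested definitions are analyzed on their own
            if isinstance(stmt, ast.Assign) and all(isinstance(t, ast.Name) for t in stmt.targets):
                names = {t.id for t in stmt.targets}
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)   # reassignment from clean data kills taint
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                name = callee_name(call.func)
                if name in SINKS:
                    idx = SINKS[name]
                    if idx < len(call.args) and is_tainted(call.args[idx], tainted):
                        findings.append((stmt.lineno, f"tainted data reaches {name}()"))
            # descend into if/for/while/with bodies with the same taint state; this
            # over-approximates, a production analyzer reasons about paths more precisely
            for field in ("body", "orelse"):
                inner = getattr(stmt, field, None)
                if isinstance(inner, list):
                    visit(inner)

    visit(func.body)
    return findings


def find_taint_flows(source):
    """Parse Python source and report every sink call that receives tainted data."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            findings.extend(analyze_function(node))
    return sorted(findings)


# Constructed input for the example (the four query shapes discussed in the article).
SAMPLE = """\
def lookup(db):
    user = input()                                                   # source
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")   # flagged: concatenation
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))       # clean: parameterized
    safe = quote(user)                                               # sanitizer clears taint
    cur.execute("SELECT * FROM users WHERE name = " + safe)          # clean
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")        # flagged: f-string
"""

if __name__ == "__main__":
    for lineno, message in find_taint_flows(SAMPLE):
        print(f"line {lineno}: {message}")
```

The parameterized call is clean because only the query text (argument 0) is a sink; the user value travels in the separate parameter tuple, which is exactly why parameterized queries defeat injection. The hard part of a real implementation is everything this toy skips: interprocedural propagation, taint on fields and collections, and deciding which library methods really are sanitizers.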

The Bots Are Coming!

The surge of networked devices in the Internet of Things (IoT) has raised the stakes for information security once more. IoT sensors and actuators also pose a threat to existing information infrastructure: once compromised, they can be used as remote-controlled drones in Distributed Denial-of-Service (DDoS) attacks.

How do we ensure the trustworthiness of information systems on the Internet of Things? How do we protect against the attacks of a global bot army?

Automate ZAP Security Tests With Selenium Webdriver

OWASP ZAP (Zed Attack Proxy) is an open-source, easy-to-use penetration testing tool for finding security vulnerabilities in web applications and APIs. A cross-platform tool whose only prerequisite is a Java installation, it provides vulnerability scanning for beginners and penetration testing for professionals. It can be downloaded and installed as a standalone application or as a Docker image.

Additionally, ZAP exposes an API, which allows it to integrate with other tools and frameworks.

The Curious Case of False Positives in Application Security

Over the past year, data breaches through web, business, and mobile application exploitation have continued to run rampant. In 2018, major household names such as Ticketmaster, the United States Postal Service (USPS), Air Canada, and British Airways were hit by application-based exploits. To minimize vulnerabilities, and to identify existing ones before they can do this level of damage, application security solutions need to be fast, provide good coverage across all classes of vulnerabilities, and, most importantly, be highly accurate to be useful to DevOps application development teams. Delivering results fast but inaccurately is counterproductive to an efficient and successful application security program: the time engineers waste triaging false positives far outweighs the benefit of the speedier results.

Most automated application security testing solutions can scan thousands of applications containing millions of lines of code and produce results covering millions of attack vectors. But every application is different, with different functionality, code, size, and complexity, which results in significantly different security findings with different accuracy. Moreover, picking the single scanned application with the best accuracy out of many and presenting that as the tool's accuracy is misleading. Even averages would be misleading, because they would measure only the limited set of applications the vendor's solution scanned, and so cannot be compared with the accuracy of other solutions.

3 Ways Securing Your APIs Just Got Easier

Keeping up with hackers is a time-consuming business. Those with malicious intent always seem to be a step ahead — or at least close behind — the latest vulnerabilities.

Because of the access to data and application functionality they provide, APIs hold the potential to be the chink in your security armor. And API security best practices are increasingly under review as a result.

OWASP ServerlessGoat: Learn Serverless Security By Hacking and Defending

Deliberately vulnerable applications have gained popularity in recent years as a way of learning and demonstrating application security concepts. Years ago, OWASP launched the WebGoat project, which has since become the gold standard and to this day remains one of the most popular platforms for teaching web application security.

The Open Web Application Security Project (OWASP) recently launched the serverless counterpart to WebGoat, named ServerlessGoat, which was contributed by serverless security vendor PureSec.

API Security Weekly: Issue #13

Vulnerabilities

Another OAuth hack, and another reason why using OAuth for authentication can be dangerous. Researchers at SafetyDetective found a flaw that exposed some 400 million Microsoft users. Outlook, Store, and other services accepted the wildcard *.office.com as a valid wreply URL for tokens issued by login.live.com. The subdomain success.office.com was unclaimed and could be registered in Azure by anyone who noticed, so an attacker could construct login URLs that, whenever a user clicked them, delivered that user's valid token to the attacker's subdomain, where it could be intercepted and used to access Microsoft Outlook and Microsoft Store as that user.
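The root cause above is a redirect-URI check that matches a host against a wildcard instead of comparing the whole registered URI. As an added example, not code from the post or from Microsoft, the following Python contrasts the two checks on the hostnames the post mentions: any host an attacker can claim under office.com passes the wildcard check, while the exact-match check accepts only the URI that was registered. The registered URI in EXACT_ALLOWLIST is a hypothetical value chosen for the example.

```python
import fnmatch
from urllib.parse import urlsplit

# The pattern the post describes: any host under office.com was accepted as a reply URL.
WILDCARD_ALLOWLIST = ["*.office.com"]

# Hardened variant: full redirect URIs registered per client (hypothetical value for
# this example; a real authorization server stores these with the client registration).
EXACT_ALLOWLIST = {"https://outlook.office.com/owa/"}


def wildcard_allows(reply_url):
    """Reproduces the weak check: only the hostname is matched, against glob patterns,
    so every present or future subdomain of office.com is trusted with the token."""
    host = urlsplit(reply_url).hostname or ""
    return any(fnmatch.fnmatch(host, pattern) for pattern in WILDCARD_ALLOWLIST)


def exact_allows(reply_url):
    """Hardened check: the redirect URI must equal a registered value exactly.
    Anything that could carry the token somewhere unexpected (non-TLS scheme, userinfo,
    a fragment) is rejected before the comparison."""
    parts = urlsplit(reply_url)
    if parts.scheme != "https" or parts.username or parts.fragment:
        return False
    return reply_url in EXACT_ALLOWLIST


if __name__ == "__main__":
    for url in ("https://outlook.office.com/owa/", "https://success.office.com/callback"):
        print(f"{url}: wildcard={wildcard_allows(url)} exact={exact_allows(url)}")
```

The exact check also removes a second class of bugs, since substring and suffix matching on the host (accepting evil.example because it contains office.com, or office.com.evil.example because it starts with it) cannot happen when the comparison is on the whole string. The price is operational: every legitimate callback URL has to be registered, which is exactly the discipline the OAuth security guidance asks for.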

In addition, another hack abusing ports exposed from home networks, similar to the printer hack last month. This time, attackers are using the Shodan search engine to locate Chromecast devices that home routers have exposed to the Internet. Once located, attackers can take over the Chromecast devices and stream the videos they want onto users' TVs. Again, the reason is that the Chromecast APIs were designed with the home Wi-Fi network in mind, so whoever can reach the API is assumed to be the device owner. To protect yourself, if you have a Chromecast device at home, make sure you disable UPnP on your home router so that it cannot open such ports automatically.