Princess Sumaya University for Technology

The King Hussein School for Computing

Sciences
13434 Secure Software Development

Topic 4: Application security vulnerabilities

Dr. Ahmad Altamimi

Outline
o What is Security?
o CIA Triad
o Cybersecurity Cube
o Cyber Attack
o Attack Tools
o Types of Attack Surfaces
o Simple Attacks
What is Security?
What is Security?
o Security is the process of maintaining an acceptable level of perceived risk. It is a
process, not an end state.
o Another definition: “The quality or state of being secure—to be free from danger”
o Specialized areas of security:
▪ Software Security
▪ Physical Security
▪ Operations Security
▪ Communications Security
▪ Network Security

o No organization can be considered "secure" for any time beyond the last verification of
adherence to its security policy.
CIA Triad
CIA Triad
o The CIA Triad is actually a security model that
has been developed to help people think
about various parts of IT security.

o Securing the availability, confidentiality, and

integrity of an organization’s digital assets and
software against internal or external threats is
the primary objective of any organization.
CIA (Confidentiality)
o Confidentiality is about preventing the disclosure of data to unauthorized
parties (people, resources, or processes).
o It also means trying to keep the identity of authorized parties involved in sharing
and holding data private and anonymous.
o Often confidentiality is compromised by cracking poorly encrypted data, Man-in-
the-middle (MITM) attacks, and disclosing sensitive data.
o Standard measures to establish confidentiality include:
▪ Data encryption
▪ Two-factor authentication
▪ Biometric verification
▪ Security tokens
▪ Include access control lists
▪ File permissions
CIA (Confidentiality)
o Controlling Access
▪ Access control defines a number of protection schemes that prevent unauthorized access to
a system.
▪ The concepts of AAA involve three security services: Authentication, Authorization, and
Accounting.
 Authentication verifies the identity of a user to prevent unauthorized access. Users prove their
identity with a username or I.D.
 Authorization determines which resources users can access, along with the operations that users can
perform. Authorization can also control when a user has access to a specific resource.
 Accounting keeps track of what users do, including what they access, the amount of time they access
resources, and any changes made.
CIA (Integrity)
o Integrity refers to protecting information from being modified by unauthorized
parties.
o Integrity is the accuracy, consistency, and trustworthiness of data during its
entire life cycle. However, some organizations don’t matter about integrity. For
example, Facebook does not verify the data that user posts in a profile.
o Methods used to ensure data integrity include Hashing and Data validation.
o Standard measures to guarantee integrity also include:
▪ Cryptographic checksums
▪ Using file permissions
▪ Data backups
▪ Uninterrupted power supplies
CIA (Availability)
o It refers to the actual availability of your data. Availability is making sure that
authorized parties are able to access the information when needed.
o Attackers and system failures can prevent access to information systems and
services.
o Standard measures to guarantee availability include:
▪ Backing up data to external drives
▪ Implementing firewalls
▪ Having backup power supplies
▪ Data redundancy
▪ OS and systems updates
Cybersecurity Cube
The Cybersecurity Cube
o The Cybersecurity Cube has three dimensions and
looks somewhat like a Rubik’s Cube.
o The first dimension of the cybersecurity cube
identifies the principles/goals to protect the cyber
world.
o These three principles are confidentiality,
integrity, and availability (the CIA).
The Cybersecurity Cube
o The second dimension of the cube focuses on the
problems of protecting all of the states of data in
the cyber world.
o Data has three possible states:
▪ Data at rest or in storage
▪ Data in transit
▪ Data in process
The Cybersecurity Cube
o The third dimension of the cube defines the
types of powers used to protect the system. The
sorcery cube identifies the three types of powers:
▪ Technologies: devices, and products available to protect
systems and fend off cybercriminals.
▪ Policies and Practices: procedures, and guidelines that
enable people to stay safe and follow good practices.
▪ People: Aware and knowledgeable about their world and
the dangers that threaten their world.
Cyber Attacks
What is Cyberattack?
o A cyber attack is an assault launched by cybercriminals using one or more
computers against single or multiple computers or networks.

o Cyberattacks are usually aimed at accessing, changing, or destroying sensitive

information; extorting money from users; or interrupting normal business
processes.
o Security aims to reduce the risk of cyber-attacks and protect against the
unauthorized exploitation of systems and technologies.
o The general security objectives comprise the following:
▪ Availability
▪ Integrity, which may include authenticity and non-repudiation
▪ Confidentiality
Types of Attacks
1. Passive attack:
Ex: eavesdropping on, or monitoring of, transmissions to.
o The goal is to obtain information that is being transmitted but does not affect
system resources.
Two Types:
1. Obtain message contents: a transferred file may contain sensitive or
confidential information
2. Monitor traffic flows: to observe the pattern of these messages if encrypted
Cont.
2. Active attacks:
o Involve some modification of the data stream or the creation of a false stream.
o Attempts to alter system resources or affect their operation.
o Four Types:
1. Masquerade of one entity as some other
2. Replay previous messages: delays or resends the message to misdirect the
receiver into doing what the hacker wants
3. Modify messages in transit
4. Denial of service
Cont.
o Passive attacks are very difficult to detect because they do not involve any
alteration of the data.
o However, it is feasible to prevent the success of these attacks, usually by means
of encryption.
o Thus, the emphasis in dealing with passive attacks is on prevention rather than
detection.
o On the other hand, it is quite difficult to prevent active attacks absolutely,
because of the wide variety of potential physical, software, and network
vulnerabilities.
o Instead, the goal is to detect active attacks and to recover from any disruption or
delays caused by them.
Cont.
o Attacks can be classified also into the following categories:

o Web-based attacks:
 These are the attacks that occur on a website or web application.
o System-based attacks:
 These are the attacks that are intended to compromise a system or a computer
network.
o Cyber-attacks can be also classified into:
▪ Insider Attacks: Initiated by an entity inside the organization.
▪ Outsider Attacks: Initiated by an entity outside the organization.
Examples of Attacks

Src: https://www.edureka.co/
Cont.
Denial-of-service (DoS) and Distributed denial-of-service
(DDoS) attacks
o Overwhelms a system’s resources so that it cannot
respond to service requests.
o A DDoS attack is launched from many other host
machines that are infected by malicious software.

Man-in-the-middle (MitM) attack

o Occurs when a hacker inserts itself between a client
and a server. In an HTTP transaction, the target is the
TCP connection between client and server.
Src: https://cisomag.eccouncil.org/
Cont.
Zero-day Exploit:
o It refers to exploiting a network vulnerability when it is new and recently announced
before a patch is released and/or implemented (when no solution measures exist).
o Thus, preventing such attacks requires constant monitoring, proactive detection, and agile
threat management practices.

Sniffing:
o Sniffing is similar to eavesdropping on someone.
o It occurs when attackers examine all network traffic as it passes through their NIC
(Network Interface Card), independent of whether or not the traffic is addressed to them
or not.
o Criminals accomplish network sniffing with a software application, hardware device, or a
combination of the two.
Cont.
Spoofing:
o Spoofing is an impersonation attack that takes advantage of a trusted relationship between
two systems. If two systems accept the authentication accomplished by each other, an
individual logged onto one system might not go through an authentication process again to
access the other system.

Keyboard Logging:
o Keyboard logging is a software program that records or logs the keystrokes of the user of
the system.
o Criminals can implement keystroke loggers through software installed on a computer
system or through hardware physically attached to a computer. The criminal configures the
key logger software to email the log file. The keystrokes captured in the log file can reveal
usernames, passwords, websites visited, and other sensitive information.
Malware
o Malware short for Malicious Software, malware is any code that can be used to
steal data, bypass access controls, cause harm to, or compromise a system.
o Cyber criminals target users’ end devices through the installation of malware.

o Types of Malware:
o Viruses:
 A virus is malicious executable code attached to another executable file, such as a
legitimate program.
 Most viruses require end-user initiation and can activate at a specific time or date.
Cont.
Worms:
o Worms are malicious code that replicates by independently exploiting vulnerabilities in
networks.
o Worms usually slow down networks.
o Whereas a virus requires a host program to run, worms can run by themselves. Other than
the initial infection, worms no longer require user participation.

Ransomware:
o Ransomware holds a computer system, or the data it contains, captive until the target
makes a payment.
o Ransomware usually works by encrypting data in the computer with a key unknown to the
user.
Cont.
Rootkit and Backdoor:
o A rootkit or backdoor refers to the program or code introduced by a criminal who has
compromised a system.
o Attackers then use the backdoor to access the computer remotely.
o The backdoor bypasses the normal authentication used to access a system.
o Rootkit malware is designed to modify the operating system to create a backdoor to access the
computer remotely.
Bot:
o From the word robot, a bot is malware designed to automatically perform action, usually online.
o While most bots are harmless, one increasing use of malicious bots are botnets.
o Botnets a number of Internet-connected devices, each of which is running one or more bots.
o Botnets can be used to perform Distributed Denial-of-Service attacks, steal data, send spam, and
allows the attacker to access the device and its connection.
Malware Symptoms
o There is an increase in CPU usage.
o There is a decrease in computer speed.
o The computer freezes or crashes often.
o There is a decrease in Web browsing speed.
o There are unexplainable problems with network connections.
o Files are modified.
o Files are deleted.
o There is a presence of unknown files, programs, or desktop icons.
o There are unknown processes running.
o Programs are turning off or reconfiguring themselves.
o Email is being sent without the user’s knowledge or consent.
Email and Browser Attacks
o Email is a universal service used by billions worldwide. As one of the most popular services,
email has become a major vulnerability to users and organizations.

Spam
o Spam, also known as junk mail, is an unsolicited email. In most cases, spam is a method of
advertising. However, spam can send harmful links, malware, or deceptive content.

Spyware
o Spyware is software that enables a criminal to obtain information about a user’s computer
activities.
o Spyware often includes activity trackers, keystroke collection, and data capture. In an attempt
to overcome security measures, spyware often modifies security settings.
Email and Browser Attacks
Phishing:
o Phishing is a form of fraud. Cybercriminals use email, instant messaging, or other social
media to try to gather information such as login credentials or account information by
being hidden as a reputable entity or person.
o Phishing occurs when a malicious party sends a fraudulent email disguised as being from a
legitimate, trusted source. The message’ intent is to trick the recipient into installing
malware on his or her device or into sharing personal or financial information.
Spear phishing:
o Spear phishing is a highly targeted phishing attack. While phishing and spear-phishing
both use emails to reach the victims, spear-phishing sends customized emails to a specific
person.
o The difference between them is primarily a matter of targeting.
Email and Browser Attacks

Examples of phishing email

Email and Browser Attacks
Vishing:
o Vishing is phishing using voice communication technology. Criminals can spoof calls from
legitimate sources using voice over IP (VoIP) technology.
o Victims may also receive a being recorded message that appears legitimate.

Pharming:
o Pharming is the impersonation of a legitimate website in an effort to deceive users into
entering their credentials.

Whaling:
o Whaling is a phishing attack that targets high-profile targets within an organization such
as senior executives.
Email and Browser Attacks
o Plugins:
 The Flash and Shockwave plugins from Adobe enable the development of interesting
graphic and cartoon animations that greatly enhance the look and feel of a web page.
Plugins display the content developed using the appropriate software.

o SEO Poisoning:
 Search engines such as Google rank pages and present relevant results based on user’s
search queries. Depending on the relevancy of website content, it may appear higher or
lower in the search result list.
 SEO, short for Search Engine Optimization, is a set of techniques used to improve a
website’s ranking by a search engine. While many legitimate companies specialize in
optimizing websites to better position them, SEO poisoning uses SEO to make a
malicious website appear higher in search results.
Email and Browser Attacks
o Browser Hijacker:
 A browser hijacker is malware that alters a computer's browser settings to redirect
users to websites paid for by the cyber criminals' customers.
 Browser hijackers usually install without the user's permission and are usually part of a
drive-by download.
Deception- Social Engineering
o Social engineering is a completely non-technical means for a criminal to gather information
on a target.
o Social engineering is an attack that attempts to manipulate individuals into performing
actions or divulging confidential information.
o Social engineers often rely on people’s willingness to be helpful but also prey on people’s
weaknesses. For example, an attacker could call an authorized employee with an urgent
problem that requires immediate network access.
o These are some types of social engineering attacks:
 Pretexting: This is when an attacker calls an individual and lies to them in an attempt to gain
access to privileged data. An example involves an attacker who pretends to need personal or
financial data in order to confirm the identity of the recipient.
 Something for Something (Quid pro quo): This is when an attacker requests personal information
from a party in exchange for something, like a gift.
Types of Deception
1) Shoulder Surfing: refers to picking up PINs, access codes, or credit card numbers. An
attacker can be in close proximity to his victim, or the attacker can use eyeglasses or
closed-circuit cameras to shoulder surf.
2) Impersonation and Hoaxes: Impersonation is the action of pretending to be
someone else. For example, a recent phone scam targeted taxpayers. A criminal,
posing as an IRS employee, told the victims that they owed money to the IRS.
3) Piggybacking and Tailgating: Piggybacking occurs when a criminal tags along with an
authorized person to gain entry into a secure location or a restricted area. Tailgating
is another term that describes the same practice.
4) Online, Email, and Web-based Trickery: Forwarding hoax emails and other jokes,
funny movies, and non-work-related emails at work may violate the company's
acceptable use policy and result in disciplinary actions.
Types of Attack Surfaces
Types of Attack Surfaces
o Digital Attack Surface:
▪ Your digital attack surface contains any external vulnerabilities accessible through the internet.
▪ Focusing on system access points, websites, ports, and services.

o Physical Attack Surface:

▪ Covers access points into your company’s hardware, including both equipment on-premises
and equipment connecting to corporate networks from outside the office.
▪ It also contains access points vulnerable to malicious insider threats, like a rogue employee
sharing data outside the organization or allowing unauthorized entry into an office.
Types of Attack Surfaces
o Social Engineering Attack Surface
▪ Leverage psychology to convince users to expose sensitive data or passwords. This includes
capturing credentials through a phishing technique or sharing infected files with an employee.

o Artificial Intelligence (AI) Attack Surface

▪ Use machine learning to expose weaknesses companies may have never anticipated.
▪ Since these types of attacks can't be patched like traditional software, it's harder to protect
against potential threats. Plus, a malicious actor doesn't even need credentials to infiltrate an
algorithm; all they need to do is present harmful data to manipulate the AI system.
▪ Experts claim that hacking AI systems are even easier than accessing conventional IT systems.
Types of Attack Surfaces
o Internet of Things (IoT) Attack Surface
▪ Data leaks and Denial-of-Service (DoS) attacks threaten IoT configurations.
▪ IoT security measures must keep up so hackers can’t infiltrate other devices on the network.

o Each of these attack surfaces contains hundreds to thousands of attack vector

types, so it’s critical to represent all five types in a comprehensive enterprise
security plan.
Least Privilege Principle
Least Privilege Principle
o Means each part of a system has only the privileges that are needed for its function.
This way even if an attacker gains access to one part, they have only limited access to
the whole system.
o Examples:
 Least privilege in Linux (Create a file): When a Linux user creates a new file within their home
directory, the operating system only grants the user read and write access.
 Least privilege in Linux (Run a script): When you create a script on Linux, it assigns the least
amount of privileges you require so it protects the computer from viruses and malware. If
you need more than read-write access, you must perform explicit steps to obtain those
privileges.
Implement the Least Privilege Principle
o Securing Local Privileged Accounts and Groups in Active Directory.
o Implementing Robust Authentication Controls (Multi-factor Authentication).
o Develop a Privileged Identity Management (PIM). PIM provides mechanisms by which accounts are
granted temporary rights and permissions required to perform fix functions, rather than leaving
privileges permanently attached to accounts. PIM should provide one or more of the following
features:
 Time-bound restrictions on the use of privileged credentials.
 One-time-use credentials.
 Regularly auditing the access permissions.
 Workflow-generated granting of privilege with monitoring and reporting of activities performed
and automatic removal of privilege when activities are completed, or allotted time has expired.
 Replacement of hard-coded credentials such as user names and passwords in scripts with
application programming interfaces (APIs).
Attack Tools
Attack Tools
o To exploit a vulnerability, a threat actor must have a technique or tool.
Introduction
o Over the years, attack tools have become more sophisticated, and highly
to Attack
automated.
o These new tools require less technical knowledge to implement.
Tools
o To validate the security of a network and its systems, many network penetration
testing tools have been developed and many of these tools can also be used by
threat actors for exploitation.
o Note: Most of these tools are UNIX or Linux based; therefore, a security
professional should have a strong UNIX and Linux background.
The following table lists some of the categories of common network penetration testing tools.

Categories of Tools Description

Password crackers Used to crack or recover the password. Eg:John the Ripper, Ophcrack
Wireless hacking tools Used to intentionally hack into a wireless network to detect security vulnerabilities. Eg:
Aircrack-ng, Kismet
Network scanning and Used to probe network devices, servers, and hosts for open TCP or UDP ports. Eg: Nmap,
hacking tools SuperScan
Packet crafting tools Used to probe and test a firewall’s robustness. Eg: Hping, Scapy
Used to capture and analyze packets within traditional Ethernet LANs or WLANs. Eg:
Packet sniffers
Wireshark, Tcpdump
It is a directory and file integrity checker used by white hats to detect installed root kits.
Rootkit detectors
Eg: AIDE, Netfilter
Fuzzers to search Used by threat actors when attempting to discover a computer system’s security
vulnerabilities vulnerabilities. Eg: Skipfish, Wapiti
 Categories of Tools Description
White hat hackers use these tools to sniff out any trace of evidence existing in a
Forensic tools
particular computer system. Eg: Sleuth Kit, Helix
Used by black hats to reverse engineer binary files when writing exploits and used by
Debuggers
white hats when analyzing malware. Eg: GDB, WinDbg
These are preloaded with tools and technologies optimized for hacking. Eg: Kali Linux,
Hacking operating systems
SELinux
These tools use algorithm schemes to encode the data to prevent unauthorized access
Encryption tools
to the data. Eg: VeraCrypt, CipherShed
These tools identify whether a remote host is vulnerable to a security attack. Eg:
Vulnerability exploitation tools
Metasploit, Core Impact

These tools scan a network or system to identify open ports. They can also be used to
Vulnerability scanners scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Eg:
Nipper, Securia PSI
OWASP
OWASP
o The Open Web Application Security Project® (OWASP) is a nonprofit foundation
that works to improve the security of software.
o OWASP is globally recognized by developers as the first step towards more secure
coding.
o The OWASP document outlines the 10 most critical security concerns for web
application security.
o These concerns are determined by a team of security experts from all over the
world and from the data comes from a number of organizations that is then
analyzed.
o The top security concerns are continuously updated.
OWASP Top 10
The top security concerns are continuously updated.

Source https://owasp.org/www-project-top-ten/
OWASP Top 10
1. Broken Access Control: Violation of the principle of least privilege or Bypassing access
control checks by modifying the URL led to unauthorized modification or performing
functions outside the user's limits.
2. Cryptographic Failures: Using weak keys, cryptographic, hash, or protocol algorithms
allow attackers to decrypt information or monitor network traffic.
3. Injection: Un correctly checked input data before sending to the back-end database
servers may led to modify or delete the stored data.
4. Insecure Design: Not considering a secure development lifecycle led to design flaws
(missing or ineffective control design).
5. Security Misconfiguration: Enabling unnecessary features or revealing stack traces
errors led to potentially exposes sensitive information.
OWASP Top 10
6. Vulnerable and Outdated Components: Using unsupported or out of date systems
(DBMS, API, Libraries) leaving organizations open to exposure.
7. Identification and Authentication Failures: Authentication weaknesses permits
automated attacks such as credential filling or brute force attacks.
8. Software and Data Integrity Failures: Using of code that does not protect against
integrity violations (from untrusted sources) can introduce the potential for
unauthorized access, malicious code, or system compromise.
9. Security Logging and Monitoring Failures: Insufficient logging, detection, monitoring,
and active response, breaches cannot be detected.
10. Server-Side Request Forgery: fetching a remote resource without validating the URL
allows to force the application to send a crafted request to an unexpected destination,
even when protected by a firewall.
DEMO
Demo
o SQL injection
o Cross Site Request Forgery
o Cross Site Scripting (XSS)
o Integer arithmetic errors
o Buffer overruns
o Weak cryptography