Code Vulnerabilities
UNSECURE CODE PRACTICES
- Comments in source code
- Good for developers and technical personnel
- Bad for keeping secrets
- Lack of error handling
- Bad things happen - developers don't think of everything
- Overly verbose error handling
- Error messages can give too much info
- Bad error message:
- "Password invalid for this user"
- Better error message:
- "User ID or password is invalid"
- Hard-coded credentials
- Happens often - compiled and interpreted(strings command)
- Attackers can use login credentials
- Race conditions
- Resource should be validated before it's used
- E.G. checking a file is in place
- TOC(Time of Check)/TOU(Time of Use)
- Gap between checking a condition and using that resource
- Attackers can influence other events and affect operation
- Unauthorized use of functions/unprotected APIs(Application Programming Interface)
- Unintended API usage
- Hidden elements
- HIDDEN attribute in XML and HTML(doesn't hide data in the source code)
- Code signing
- Certificates can authenticate author's identity, ensure integrity
- Lack of code signing
- Lack of signing allows attackers to modify code between deployment and execution
- Resource should be validated before it's used
QUICK REVIEW
- Source code comments can provide attackers with valuable insider information
- Error messages can also provide attackers with guidance on how to proceed with an attack
- Any software developer shortcuts (i.e. laziness) can make an attacker's job easier