This document summarizes common software vulnerabilities and how to prevent them. It identifies 21 specific vulnerabilities including authentication issues, credential management problems, buffer errors, cross-site scripting, cryptographic issues, path traversal, code injection, format string vulnerabilities, configuration issues, information leaks, input validation errors, numeric errors, OS command injections, race conditions, resource management mistakes, SQL injection, link following vulnerabilities, design errors, and undefined vulnerabilities. It provides examples of each type of issue and recommends addressing them through strategies like access control, input validation, encryption, and avoiding race conditions.
Identifying Common Software Vulnerabilities
1. Identifying & Fixing the Most Common Software Vulnerabilities
Graduate Research Fair 2012
Alireza Aghamohammadi
Dr. Ali Eydgahi
3/26/12
2. • What are software vulnerabilities?
• Why are software vulnerabilities important?
• How can we prevent software vulnerabilities?
• Who creates software vulnerabilities?
3. 1. Authentication Issues
- The user logs in and the server sets a session cookie, but a third party sets (forges) the cookie and bypasses authentication.
2. Credentials Management
Poor passwords, password aging too long, weak password recovery, etc.
3. Permissions, Privileges, and Access Control
Access control, ownership of users/passwords, etc.
4. Buffer Errors
char array[15];                 /* 15-byte buffer */
for( int i = 0; i < 64; i++ )   /* writes 64 bytes: indices 15..63 are out of bounds */
    array[i] = (char)i;
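The authentication issue on this slide (a third party sets the session cookie and bypasses login) is usually fixed by making the cookie unforgeable: the server signs the cookie value with a secret key and rejects any cookie whose signature does not verify. The following is an added illustration, not code from the slides; the secret key, cookie layout `user|expires|mac` and function names are assumptions for this example.

```python
import hashlib
import hmac
import time

# Server-side secret (constructed for this example; a real deployment loads
# it from a secrets store and never hard-codes it).
SECRET_KEY = b"example-secret-key-do-not-use-in-production"


def sign_cookie(user_id, expires_at, key=SECRET_KEY):
    """Build a session cookie value of the form 'user_id|expires_at|mac'."""
    payload = f"{user_id}|{expires_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "|" + mac


def verify_cookie(cookie, key=SECRET_KEY, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None.

    A cookie written by someone who does not hold the key (the 'third person'
    on the slide) fails the MAC check, as does a cookie whose user id or
    expiry field has been edited after signing.
    """
    if now is None:
        now = int(time.time())
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_id, expires_at, mac = parts
    payload = f"{user_id}|{expires_at}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        if int(expires_at) < now:
            return None
    except ValueError:
        return None
    return user_id


if __name__ == "__main__":
    now = 1_700_000_000
    good = sign_cookie("alice", now + 3600)
    print("genuine cookie ->", verify_cookie(good, now=now))
    # Constructed forgery: same layout, but a MAC the attacker made up.
    forged = "admin|9999999999|" + "00" * 32
    print("forged cookie  ->", verify_cookie(forged, now=now))
    # Constructed tampering: keep alice's MAC but change the user id.
    tampered = good.replace("alice", "admin", 1)
    print("tampered cookie ->", verify_cookie(tampered, now=now))
```

The MAC covers both the user id and the expiry, so neither field can be changed without the key, and `compare_digest` avoids a timing side channel in the check itself.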
4. 5. Cross-Site Request Forgery (CSRF) –
While a session exists, the browser sends requests to the server; the attacker's request is issued from the user's own web browser.
6. Cross-Site Scripting (XSS) –
The attacker's code is submitted to the website via a profile description; it is stored, and every time a user logs in and visits the page the script runs and the attacker receives an email.
7. Cryptographic Issues –
Missing encryption of sensitive data: passwords and the DB.
8. Path Traversal –
The attacker tries to access files outside the web server's root directory, e.g. /var/www, Tomcat 7.0\webapps\ROOT
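Two of the items above, stored XSS via a profile description and path traversal out of the web root, share one defence: treat the request data as untrusted and transform it before use. The block below is an added example and not part of the slides; the document root `/var/www`, the HTML wrapper and the function names are assumptions. It escapes the profile text for HTML output and resolves a requested path so that `..` segments (forward- or backslash-separated, as on the Tomcat-on-Windows path in the slide) can never point outside the root.

```python
import html
import posixpath

# Assumed document root for this example (the slide mentions /var/www).
WEB_ROOT = "/var/www"


def render_profile(description):
    """Escape an untrusted profile description before embedding it in HTML.

    html.escape(quote=True) rewrites & < > " ' so a stored payload is shown
    as text instead of being executed in every visitor's browser.
    """
    return '<p class="bio">' + html.escape(description, quote=True) + "</p>"


def resolve_under_root(requested, root=WEB_ROOT):
    """Map a requested path to a file path under root, or None if it escapes.

    Assumes the caller has already percent-decoded the URL path once.
    """
    # Normalise Windows separators and drop any leading slash so the request
    # is always interpreted relative to the root.
    rel = requested.replace("\\", "/").lstrip("/")
    # Collapse '.' and '..' segments purely as a string operation.
    root = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root, rel))
    # Accept only the root itself or something strictly inside it.
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_profile('<script>alert(1)</script>'))
    for req in ["index.html", "images/../index.html",
                "../../etc/passwd", "..\\..\\conf\\server.xml", "/etc/passwd"]:
        print(f"{req!r:32} -> {resolve_under_root(req)}")
```

Note that `/etc/passwd` is accepted: the leading slash is stripped, so it becomes `/var/www/etc/passwd`, which is inside the root. Only paths that would land outside the root are rejected.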
Editor's Notes
#5 CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. CSRF is often associated with XSS, but it is a distinct issue
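The note explains why a forged request looks legitimate: the victim's browser attaches the session cookie automatically. The standard mitigation is a per-session token that the attacker's page cannot read and therefore cannot include. The following is an added example, not code from the presentation; the session dictionary, the set of "safe" methods and the function names are assumptions.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create a random token, store it in the server-side session, and return it
    so the application can embed it in its own forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_valid_request(session, method, submitted_token):
    """Decide whether a state-changing request may proceed.

    Safe methods are allowed through (they must not change state); every
    other method must carry the token stored in this session.
    """
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.get("csrf_token")
    if expected is None or submitted_token is None:
        return False
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    # Constructed scenario: the victim has a logged-in session.
    victim_session = {}
    form_token = issue_csrf_token(victim_session)

    # Request from the site's own form: token present and matching.
    print("own form   ->", is_valid_request(victim_session, "POST", form_token))
    # Request triggered from another site: browser sends the cookie, but the
    # attacker's page never saw the token, so none (or a guess) is submitted.
    print("cross-site ->", is_valid_request(victim_session, "POST", None))
    print("guessed    ->", is_valid_request(victim_session, "POST", "x" * 43))
```

The token lives in the session, not in a cookie the browser attaches automatically, which is exactly the property the forged request lacks; `compare_digest` keeps the comparison constant-time.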