SlideShare a Scribd company logo

25 Most Dangerous Software Weaknesses Exposed

Ortus Solutions, Corp
Ortus Solutions, Corp

Some security vulnerabilities are more dangerous than others, or at least more commonly exploited. In this session we'll look at the top 25 most dangerous software weaknesses and learn how to mitigate them in your CFML code.

Software
1 of 52
Download to read offline
25 Most Dangerous Software Weaknesses LED BY Pete Freitag SESSION
About Me Pete Freitag • 20+ Years ColdFusion Experience • Company: Foundeo Inc. (Into The Box Sponsor!!) • Products: FuseGuard, HackMyCF, Fixinator • Consulting: Code Reviews, Server Review, CFML Security Training • You might also know me from: • Lockdown Guides CF9 - CF2021 CF2023 • CFDocs.org, cfscript.me, cfbreak.com • blog: petefreitag.com • twitter/github: @pfreitag
Where did the “25 Most Dangerous Software Weaknesses” list come from? The CWE Top 25 List
CWE - Common Weakness Enumeration From the people who brought you the CVE: Mitre
CWE Top 25 Scoring Metrics Source: https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
The thing about TOP N Lists There are more than 25 CWE’s… Source: https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
Trends of the CWE Top 25 Source: https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
#25 - Improper Control of Generation of Code CWE-94 Code Injection • A few different ways this can happen in CFML, most common: • Evaluate • IIF • cfinclude
#25 Fixing RCE Replace IIF with Ternary Operator <cfset greet = iif( len(name), de("Hi #name#"), de("Hi") )> <cfset greet = ( len(name) ) ? "Hi #name#" : "Hi">
#25 Fixing RCE Fixing Evaluate evaluate("url.#name#") url[name] Rid your code of evaluate() - terrible for both performance and security
#25 RCE Good News / Bad News • Good News • Easy to find • Easy to fix • Bad News • Very Dangerous • Might have a lot if your code was written early 2000’s
#24 - Improper Restriction of XML External Entity Reference CWE-611 XXE • What is an XML Entity? Similar to HTML Entities… • &lt; • &quot; • BUT XML documents can define their own new entities
#24 - XML Entities XML Lets you define your own custom entities <?xml version="1.0" ?> <!DOCTYPE d [ <!ENTITY xxe SYSTEM "http://httpbin.org/uuid">]> <tag>&xxe;</tag> Example: https://trycf.com/gist/64b7ec4e8d6774a51c1e99552030df7f/acf2021?theme=monokai
#24 - XML Entities Mitigating • No Global API in Adobe ColdFusion To Disable XML Entities: Feature Request #CF-4201057 • You can pass: xmlParse(xml, false, {allowExternalEntities=false}) in ACF, Lucee this.xmlSettings • Avoid Parsing XML From Untrusted Sources • HTTP Requests, APIs, Feeds • Check XML For Custom DocTypes, ELEMENT Definitions • Use a different parsing API: • SafeXmlParse: https://github.com/foundeo/safexmlparse • Convert to JSON: https://gamesover2600.tumblr.com/post/180776378949/convert-xml-to-json- in-1-line-of-code-using
#23 Uncontrolled Resource Consumption CWE-400 • Denial of Service • Use LIMIT / TOP on Queries • Add a maximum iteration when looping over an untrusted input • HashDOS - make sure post parameter limit is not set too high in CF Admin
#22 Concurrent Execution using Shared Resource with Improper Synchronization CWE-362 - Race Condition • Ensure Proper Use of cflock • Shared Scopes: application, server, session in some cases • Multithreaded code, eg: cfthread • Use Database Transactions • Use var / local scope within parallel ArrayEach
#22 Race Conditions When do you need to use cflock? application.winner_count = application.winner_count + 1;
#22 Race Conditions When do you need to use cflock? application.winner_count = 0;
#21 - Server-Side Request Forgery (SSRF) CWE-918 • SSRF Happens When your server makes a HTTP request to an arbitrary URL • Can allow attacker to hit other http services behind the firewall (dbs, caches) • Cloud Metadata APIs (eg: 169.254.169.254) can leak access keys or other sensitive info: • Tip: on AWS Disable IMDSv1 and use IMDSv2 instead
#21 - SSRF Some Functions / Tags That Can Request a URL • cfhttp • PDF: cfdocument / cfhtmltopdf (within HTML: img, iframe, etc) • Images: isImageFile • XML: XmlParse, XmlSearch, XmlValidate • Additional List: https://hoyahaxa.blogspot.com/2021/04/ssrf-in- coldfusioncfml-tags-and.html
#20 - Incorrect Default Permissions CWE-276 • Use OS File System Permissions • Can your CFML app write anywhere it wants? Does it need to? • Use the Lockdown Guide
#19 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119 “Java is said to be memory- safe because its runtime error detection checks array bounds and pointer dereferences.” Thanks Java Source: https://en.wikipedia.org/wiki/Memory_safety
#18 - Missing Authentication for Critical Function CWE-306 • Authentication = User is who they attest to be • Authorization = User has permission to perform action • Without Authentication you cannot have Authorization • Recent Example: Optus Data Breach • Allegedly there was an API exposed to the internet without any authentication. • Check your app to make sure it requires authentication where it should. For bonus points automate this check in unit / integration tests.
#17 Improper Neutralization of Special Elements used in a Command CWE-77 Command Injection • Take care when using cfexecute, or other APIs that may wrap a native command <cfexecute name="c:bintool.exe" arguments="-n #url.n#">
#16 - Missing Authorization CWE-862 • Does your code check that the user is allowed to perform the requested function? • IDOR: Insecure Direct Object Reference: document.cfm?id=123 • Sounds simple but these types of issues fall under the radar, because “it works” • Need to test that it “doesn’t work” for X role • No easy way to do this, but you can write tests
#15 - Use of Hard-coded Credentials CWE-798 • API Keys / Passwords in Code • Embedded / Hard Coded Certificates
#15 - Hard Coded Credentials Avoiding Hard Coded Credentials • Environment Variables • Secure Key Store Services: • Self Hosted: Hashicorp Vault • AWS: EC2 Parameter Store, KMS, Secrets Manager • Azure: Key Vault • GCP: Key Vault, Secret Manager
#14 - Improper Authentication CWE-287 • So many ways Authentication can go wrong… • Weak Passwords, Credential Stuffing, Weak Session Cookie Config • Use SSO • Most orgs now have the ability a SSO provider, either through ActiveDirectory, Google Apps, Okta, etc. • You can use SAML to integrate with the identity provider in your ColdFusion Apps. SAML Features added to CF2021
#13 - Integer Overflow or Wraparound CWE-190 • Max value of a 32 bit unsigned integer is 4,294,967,295 • What happens when you add 1? • In MySQL < 5.5.5 it silently wraps around to 0
#12 - Deserialization of Untrusted Data CWE-502 • Java Deserialization Vulnerabilities • Has the ability to cause remote code execution if malicious content is added to the serialized class. • Avoid Untrusted Input to ColdFusion’s Deserialize Function • Good reason to make sure you have blocked the flash remoting endpoints • JSON Deserialization - Consider Validating JSON with a JSON schema first
#11 - NULL Pointer Dereference CWE-476 Thanks Java
#10 - Unrestricted Upload of File with Dangerous Type CWE-434 • Regularly review all your file upload code, and make sure that it: • Always checks the file extensions of uploaded files against a list of allowed extensions. • Does not upload directly under the web root (at least before validation) • Don’t rely on mime type checks alone, they don’t work! • Set this.blockedExtForFileUpload to full list of executable extensions
#9 - Cross-Site Request Forgery (CSRF) CWE-352 • Causing a request to be made by an authenticated and authorized user’s browser to perform an unwanted action.
#9 - CSRF Best Example • Netflix in 2006 - Remember when they rented DVDs? • To Add a Movie to your Queue: • Request to: http://www.netflix.com/AddToQueue • Pass a movie id: movieid=70011204
#9 CSRF Netflix Example <img src="http://www.netflix.com/AddToQueue?movieid=70011204"> Step 1: Create a Web Page With The Following img tag: Step 2: Get People to Visit the Page Step 3: Millions of people have added Sponge Bob Square Pants the Movie to their Queue
#9 CSRF Fixing CSRF • SameSite Cookies • Check HTTP Method (eg: require POST) • CAPTCHAs - Helpful but causes usability issues / AI • Use a CSRF Token • CFML Functions: CSRFGenerateToken() and CSRFVerifyToken()
#8 - Improper Limitation of a Pathname to a Restricted Directory CWE-22 Path Traversal • Path Traversal can happen whenever you construct a file path with unsafe variables. • Example: <cfinclude template="html/#url.name#">
#7 - Use After Free CWE-416 Thanks Java
#6 - Improper Neutralization of Special Elements used in an OS Command CWE-78 - OS Command Injection • Similar / Child of to #17, CWE-77 • Command vs OS Command • Same Protections Apply
#5 - Out-of-bounds Read CWE-125 Thanks Java
#4 - Improper Input Validation CWE-20 • This is a catch all CWE • Almost all vulnerabilities are caused by failing to validate an input! • TLDR: Add validation, improve security
#3 - Improper Neutralization of Special Elements used in an SQL Command CWE-89 SQL Injection • Classic Example: <cfquery> SELECT story FROM news WHERE id = #url.id# </cfquery>
#3 SQL Injection Fixing SQL Injection • Use cfqueryparam <cfquery> SELECT story FROM news WHERE id = <cfqueryparam value=“#url.id#”> </cfquery>
#3 SQL Injection With queryExecute queryExecute("SELECT story FROM news WHERE id = #url.id#”); queryExecute("SELECT story FROM news WHERE id = :id”, {id=url.id} );
#3 - SQL Injection When Parameters Don’t Work • Places that parameters may (depending on DB) not work: • ORDER BY clause • SELECT TOP n • LIMIT / OFFSET • Validate! • Use SELECT TOP #int(url.n)# • Use cfqueryparam whenever you can
#3 - SQL Injection Auto Fixing SQL Injection • Fixinator can scan your code and autofix certain vulnerabilities
#2 - Improper Neutralization of Input During Web Page Generation CWE-79 Cross-site Scripting / XSS <cfoutput>Hello #url.name#</cfquery>
#2 - Fixing XSS Encoder Methods <cfoutput>Hello #encodeForHTML(url.name)#</cfquery> <cfoutput encodefor="html">Hello #url.name#</cfquery>
#2 Fixing XSS Picking the correct encoder Context Method HTML encodeForHTML(variable) HTML Attribute encodeForHTMLAttribute(variable) JavaScript encodeForJavaScript(variable) CSS encodeForCSS(variable) URL encodeForURL(variable)
#1 - Out-of-bounds Write CWE-787 Thanks Java
Learn More • ColdFusion Security Guide • https://foundeo.com/security/guide/ • Ask Me • Resources: OWASP, CWE Site
THANK YOU Thanks to our sponsors pete@foundeo.com Weekly CFML Community Newsletter: cfbreak.com

Recommended

Securing Legacy CFML Code
Securing Legacy CFML CodeSecuring Legacy CFML Code
Securing Legacy CFML CodeColdFusionConference
 
CNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsCNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsSam Bowne
 
Securing applications
Securing applicationsSecuring applications
Securing applicationsColdFusionConference
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Resultsjtmelton
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingColdFusionConference
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 

Recommended

Securing Legacy CFML Code
Securing Legacy CFML CodeSecuring Legacy CFML Code
Securing Legacy CFML CodeColdFusionConference
 
CNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsCNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsSam Bowne
 
Securing applications
Securing applicationsSecuring applications
Securing applicationsColdFusionConference
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Resultsjtmelton
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingColdFusionConference
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017adamleff
 
Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Hong Tat Yew
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Sam Bowne
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Abdelkrim Hadjidj
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Ortus Government.pdf
Ortus Government.pdfOrtus Government.pdf
Ortus Government.pdfOrtus Solutions, Corp
 

More Related Content

Similar to 25 Most Dangerous Software Weaknesses Exposed

Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017adamleff
 
Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Hong Tat Yew
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Sam Bowne
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Abdelkrim Hadjidj
 

Similar to 25 Most Dangerous Software Weaknesses Exposed (20)

Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
 
Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End Components
 
Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
 

More from Ortus Solutions, Corp

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Secure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusionSecure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusionOrtus Solutions, Corp
 
Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023Ortus Solutions, Corp
 
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdfITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdfOrtus Solutions, Corp
 
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfOrtus Solutions, Corp
 
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdfITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdfOrtus Solutions, Corp
 
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdfITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdfOrtus Solutions, Corp
 
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdfITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdfOrtus Solutions, Corp
 
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdfITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdfOrtus Solutions, Corp
 
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdfITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdfOrtus Solutions, Corp
 
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdfITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdfOrtus Solutions, Corp
 
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdfITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdfOrtus Solutions, Corp
 
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdfITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdfOrtus Solutions, Corp
 
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdfITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdfOrtus Solutions, Corp
 
ITB2023 Developing for Performance - Denard Springle.pdf
ITB2023 Developing for Performance - Denard Springle.pdfITB2023 Developing for Performance - Denard Springle.pdf
ITB2023 Developing for Performance - Denard Springle.pdfOrtus Solutions, Corp
 
Enterprise Messaging with RabbitMQ.pdf
Enterprise Messaging with RabbitMQ.pdfEnterprise Messaging with RabbitMQ.pdf
Enterprise Messaging with RabbitMQ.pdfOrtus Solutions, Corp
 

More from Ortus Solutions, Corp (20)

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Ortus Government.pdf
Ortus Government.pdfOrtus Government.pdf
Ortus Government.pdf
 
Luis Majano The Battlefield ORM
Luis Majano The Battlefield ORMLuis Majano The Battlefield ORM
Luis Majano The Battlefield ORM
 
Brad Wood - CommandBox CLI
Brad Wood - CommandBox CLI Brad Wood - CommandBox CLI
Brad Wood - CommandBox CLI
 
Secure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusionSecure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusion
 
Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023
 
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdfITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
 
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
 
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdfITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf
 
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdfITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
 
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdfITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
 
ITB_2023_CBWire_v3_Grant_Copley.pdf
ITB_2023_CBWire_v3_Grant_Copley.pdfITB_2023_CBWire_v3_Grant_Copley.pdf
ITB_2023_CBWire_v3_Grant_Copley.pdf
 
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdfITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
 
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdfITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
 
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdfITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
 
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdfITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
 
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdfITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
 
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdfITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
 
ITB2023 Developing for Performance - Denard Springle.pdf
ITB2023 Developing for Performance - Denard Springle.pdfITB2023 Developing for Performance - Denard Springle.pdf
ITB2023 Developing for Performance - Denard Springle.pdf
 
Enterprise Messaging with RabbitMQ.pdf
Enterprise Messaging with RabbitMQ.pdfEnterprise Messaging with RabbitMQ.pdf
Enterprise Messaging with RabbitMQ.pdf
 

Recently uploaded

GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 

Recently uploaded (20)

GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 

25 Most Dangerous Software Weaknesses Exposed

  • 1. 25 Most Dangerous Software Weaknesses LED BY Pete Freitag SESSION
  • 2. About Me Pete Freitag • 20+ Years ColdFusion Experience • Company: Foundeo Inc. (Into The Box Sponsor!!) • Products: FuseGuard, HackMyCF, Fixinator • Consulting: Code Reviews, Server Review, CFML Security Training • You might also know me from: • Lockdown Guides CF9 - CF2021 CF2023 • CFDocs.org, cfscript.me, cfbreak.com • blog: petefreitag.com • twitter/github: @pfreitag
  • 3. Where did the “25 Most Dangerous Software Weaknesses” list come from? The CWE Top 25 List
  • 4. CWE - Common Weakness Enumeration From the people who brought you the CVE: Mitre
  • 5. CWE Top 25 Scoring Metrics Source: https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
  • 6. The thing about TOP N Lists There are more than 25 CWE’s… Source: https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
  • 7. Trends of the CWE Top 25 Source: https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html
  • 8. #25 - Improper Control of Generation of Code CWE-94 Code Injection • A few different ways this can happen in CFML, most common: • Evaluate • IIF • cfinclude
  • 9. #25 Fixing RCE Replace IIF with Ternary Operator <cfset greet = iif( len(name), de("Hi #name#"), de("Hi") )> <cfset greet = ( len(name) ) ? "Hi #name#" : "Hi">
  • 10. #25 Fixing RCE Fixing Evaluate evaluate("url.#name#") url[name] Rid your code of evaluate() - terrible for both performance and security
  • 11. #25 RCE Good News / Bad News • Good News • Easy to find • Easy to fix • Bad News • Very Dangerous • Might have a lot if your code was written early 2000’s
  • 12. #24 - Improper Restriction of XML External Entity Reference CWE-611 XXE • What is an XML Entity? Similar to HTML Entities… • &lt; • &quot; • BUT XML documents can define their own new entities
  • 13. #24 - XML Entities XML Lets you define your own custom entities <?xml version="1.0" ?> <!DOCTYPE d [ <!ENTITY xxe SYSTEM "http://httpbin.org/uuid">]> <tag>&xxe;</tag> Example: https://trycf.com/gist/64b7ec4e8d6774a51c1e99552030df7f/acf2021?theme=monokai
  • 14. #24 - XML Entities Mitigating • No Global API in Adobe ColdFusion To Disable XML Entities: Feature Request #CF-4201057 • You can pass: xmlParse(xml, false, {allowExternalEntities=false}) in ACF, Lucee this.xmlSettings • Avoid Parsing XML From Untrusted Sources • HTTP Requests, APIs, Feeds • Check XML For Custom DocTypes, ELEMENT Definitions • Use a different parsing API: • SafeXmlParse: https://github.com/foundeo/safexmlparse • Convert to JSON: https://gamesover2600.tumblr.com/post/180776378949/convert-xml-to-json- in-1-line-of-code-using
  • 15. #23 Uncontrolled Resource Consumption CWE-400 • Denial of Service • Use LIMIT / TOP on Queries • Add a maximum iteration when looping over an untrusted input • HashDOS - make sure post parameter limit is not set too high in CF Admin
  • 16. #22 Concurrent Execution using Shared Resource with Improper Synchronization CWE-362 - Race Condition • Ensure Proper Use of cflock • Shared Scopes: application, server, session in some cases • Multithreaded code, eg: cfthread • Use Database Transactions • Use var / local scope within parallel ArrayEach
  • 17. #22 Race Conditions When do you need to use cflock? application.winner_count = application.winner_count + 1;
  • 18. #22 Race Conditions When do you need to use cflock? application.winner_count = 0;
  • 19. #21 - Server-Side Request Forgery (SSRF) CWE-918 • SSRF Happens When your server makes a HTTP request to an arbitrary URL • Can allow attacker to hit other http services behind the firewall (dbs, caches) • Cloud Metadata APIs (eg: 169.254.169.254) can leak access keys or other sensitive info: • Tip: on AWS Disable IMDSv1 and use IMDSv2 instead
  • 20. #21 - SSRF Some Functions / Tags That Can Request a URL • cfhttp • PDF: cfdocument / cfhtmltopdf (within HTML: img, iframe, etc) • Images: isImageFile • XML: XmlParse, XmlSearch, XmlValidate • Additional List: https://hoyahaxa.blogspot.com/2021/04/ssrf-in- coldfusioncfml-tags-and.html
  • 21. #20 - Incorrect Default Permissions CWE-276 • Use OS File System Permissions • Can your CFML app write anywhere it wants? Does it need to? • Use the Lockdown Guide
  • 22. #19 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119 “Java is said to be memory- safe because its runtime error detection checks array bounds and pointer dereferences.” Thanks Java Source: https://en.wikipedia.org/wiki/Memory_safety
  • 23. #18 - Missing Authentication for Critical Function CWE-306 • Authentication = User is who they attest to be • Authorization = User has permission to perform action • Without Authentication you cannot have Authorization • Recent Example: Optus Data Breach • Allegedly there was an API exposed to the internet without any authentication. • Check your app to make sure it requires authentication where it should. For bonus points automate this check in unit / integration tests.
  • 24. #17 Improper Neutralization of Special Elements used in a Command CWE-77 Command Injection • Take care when using cfexecute, or other APIs that may wrap a native command <cfexecute name="c:bintool.exe" arguments="-n #url.n#">
  • 25. #16 - Missing Authorization CWE-862 • Does your code check that the user is allowed to perform the requested function? • IDOR: Insecure Direct Object Reference: document.cfm?id=123 • Sounds simple but these types of issues fall under the radar, because “it works” • Need to test that it “doesn’t work” for X role • No easy way to do this, but you can write tests
  • 26. #15 - Use of Hard-coded Credentials CWE-798 • API Keys / Passwords in Code • Embedded / Hard Coded Certificates
  • 27. #15 - Hard Coded Credentials Avoiding Hard Coded Credentials • Environment Variables • Secure Key Store Services: • Self Hosted: Hashicorp Vault • AWS: EC2 Parameter Store, KMS, Secrets Manager • Azure: Key Vault • GCP: Key Vault, Secret Manager
  • 28. #14 - Improper Authentication CWE-287 • So many ways Authentication can go wrong… • Weak Passwords, Credential Stuffing, Weak Session Cookie Config • Use SSO • Most orgs now have the ability a SSO provider, either through ActiveDirectory, Google Apps, Okta, etc. • You can use SAML to integrate with the identity provider in your ColdFusion Apps. SAML Features added to CF2021
  • 29. #13 - Integer Overflow or Wraparound CWE-190 • Max value of a 32 bit unsigned integer is 4,294,967,295 • What happens when you add 1? • In MySQL < 5.5.5 it silently wraps around to 0
  • 30. #12 - Deserialization of Untrusted Data CWE-502 • Java Deserialization Vulnerabilities • Has the ability to cause remote code execution if malicious content is added to the serialized class. • Avoid Untrusted Input to ColdFusion’s Deserialize Function • Good reason to make sure you have blocked the flash remoting endpoints • JSON Deserialization - Consider Validating JSON with a JSON schema first
  • 31. #11 - NULL Pointer Dereference CWE-476 Thanks Java
  • 32. #10 - Unrestricted Upload of File with Dangerous Type CWE-434 • Regularly review all your file upload code, and make sure that it: • Always checks the file extensions of uploaded files against a list of allowed extensions. • Does not upload directly under the web root (at least before validation) • Don’t rely on mime type checks alone, they don’t work! • Set this.blockedExtForFileUpload to full list of executable extensions
  • 33. #9 - Cross-Site Request Forgery (CSRF) CWE-352 • Causing a request to be made by an authenticated and authorized user’s browser to perform an unwanted action.
  • 34. #9 - CSRF Best Example • Netflix in 2006 - Remember when they rented DVDs? • To Add a Movie to your Queue: • Request to: http://www.netflix.com/AddToQueue • Pass a movie id: movieid=70011204
  • 35. #9 CSRF Netflix Example <img src="http://www.netflix.com/AddToQueue?movieid=70011204"> Step 1: Create a Web Page With The Following img tag: Step 2: Get People to Visit the Page Step 3: Millions of people have added Sponge Bob Square Pants the Movie to their Queue
  • 36. #9 CSRF Fixing CSRF • SameSite Cookies • Check HTTP Method (eg: require POST) • CAPTCHAs - Helpful but causes usability issues / AI • Use a CSRF Token • CFML Functions: CSRFGenerateToken() and CSRFVerifyToken()
  • 37. #8 - Improper Limitation of a Pathname to a Restricted Directory CWE-22 Path Traversal • Path Traversal can happen whenever you construct a file path with unsafe variables. • Example: <cfinclude template="html/#url.name#">
  • 38. #7 - Use After Free CWE-416 Thanks Java
  • 39. #6 - Improper Neutralization of Special Elements used in an OS Command CWE-78 - OS Command Injection • Similar / Child of to #17, CWE-77 • Command vs OS Command • Same Protections Apply
  • 41. #4 - Improper Input Validation CWE-20 • This is a catch all CWE • Almost all vulnerabilities are caused by failing to validate an input! • TLDR: Add validation, improve security
  • 42. #3 - Improper Neutralization of Special Elements used in an SQL Command CWE-89 SQL Injection • Classic Example: <cfquery> SELECT story FROM news WHERE id = #url.id# </cfquery>
  • 43. #3 SQL Injection Fixing SQL Injection • Use cfqueryparam <cfquery> SELECT story FROM news WHERE id = <cfqueryparam value=“#url.id#”> </cfquery>
  • 44. #3 SQL Injection With queryExecute queryExecute("SELECT story FROM news WHERE id = #url.id#”); queryExecute("SELECT story FROM news WHERE id = :id”, {id=url.id} );
  • 45. #3 - SQL Injection When Parameters Don’t Work • Places that parameters may (depending on DB) not work: • ORDER BY clause • SELECT TOP n • LIMIT / OFFSET • Validate! • Use SELECT TOP #int(url.n)# • Use cfqueryparam whenever you can
  • 46. #3 - SQL Injection Auto Fixing SQL Injection • Fixinator can scan your code and autofix certain vulnerabilities
  • 47. #2 - Improper Neutralization of Input During Web Page Generation CWE-79 Cross-site Scripting / XSS <cfoutput>Hello #url.name#</cfquery>
  • 48. #2 - Fixing XSS Encoder Methods <cfoutput>Hello #encodeForHTML(url.name)#</cfquery> <cfoutput encodefor="html">Hello #url.name#</cfquery>
  • 49. #2 Fixing XSS Picking the correct encoder Context Method HTML encodeForHTML(variable) HTML Attribute encodeForHTMLAttribute(variable) JavaScript encodeForJavaScript(variable) CSS encodeForCSS(variable) URL encodeForURL(variable)
  • 51. Learn More • ColdFusion Security Guide • https://foundeo.com/security/guide/ • Ask Me • Resources: OWASP, CWE Site
  • 52. THANK YOU Thanks to our sponsors pete@foundeo.com Weekly CFML Community Newsletter: cfbreak.com