# Common vulnerabilities in programming and web development
1. Injection Vulnerabilities (SQL Injection)
   - Use prepared statements and parameterized queries.
   - Validate and sanitize user inputs.
   - Use a web application firewall that can detect and block injection attempts.

2. Cross-Site Scripting (XSS)
   - Use output encoding for dynamic content.
   - Use a Content Security Policy (CSP) to restrict the sources from which scripts may load.
   - Conduct regular code reviews for possible XSS vulnerabilities.

3. Insecure Direct Object References (IDOR)
   - Enforce strict authorization checks on all user-supplied inputs.
   - Prefer indirect references, like GUIDs, over direct object references.
   - Review access controls and permissions on a regular basis.

4. Cross-Site Request Forgery (CSRF)
   - Include anti-CSRF tokens in forms and AJAX requests.
   - Set the SameSite attribute on cookies to prevent CSRF attacks.
   - Validate the origin of requests to ensure they come from trusted sources.

5. Broken Authentication
   - Implement strong password policies, including complexity requirements and expiration.
   - Use multi-factor authentication (MFA) for sensitive actions.
   - Implement secure session management practices, like session timeouts and secure cookie attributes.

6. Sensitive Data Exposure
   - Employ strong encryption protocols such as TLS to protect data in transit.
   - Protect sensitive data at rest with industry-standard encryption algorithms.
   - Avoid storing sensitive data whenever possible.

7. Security Misconfiguration
   - Regularly audit security configurations and settings.
   - Use automated tools to detect misconfigurations in environments.
   - Apply server-hardening and application-security best practices.

8. Using Components with Known Vulnerabilities
   - Keep libraries and dependencies updated to their latest versions.
   - Monitor vulnerability databases for known issues with the components in use.
   - Use a dependency management tool that alerts when components are out of date or have known vulnerabilities.

9. Insufficient Logging and Monitoring
   - Implement logging of key actions and errors.
   - Establish alerts on unusual activities or anomalies identified in logs.
   - Periodically review logs to detect possible security incidents.

10. Server-Side Request Forgery (SSRF)
    - Validate user-supplied URLs against an allowlist of trusted domains.
    - Allow server-side requests to internal resources only when absolutely necessary.
    - Monitor outgoing requests for suspicious patterns.

11. Insecure Data Handling
    - Implement error handling, bounds checking and input validation.
    - Implement cleanup operations to avoid leaking resources.
    - Avoid leaking raw references to memory.
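For item 1 above, an added example (not part of the original page) that contrasts a string-built query with the parameterized form the first bullet recommends. It uses an in-memory SQLite table with constructed sample rows so it runs offline.

```python
"""SQL injection: string-built query vs. parameterized query.

Added example, not from the original page. Uses an in-memory SQLite
database with a constructed 'users' table so it runs offline.
"""
import sqlite3

# Constructed sample data.
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so a quote in
    # `name` changes the statement's structure instead of being data.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the driver sends the value separately from the statement;
    # whatever `name` contains is compared literally against the column.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both variants on the same input and return what each yields."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:  # malformed SQL surfaces as a driver error
        vuln = f"error: {exc}"
    return {"vulnerable": vuln, "safe": lookup_safe(conn, name)}


if __name__ == "__main__":
    print(compare("alice"))        # both variants: ['alice@example.com']
    print(compare("O'Brien"))      # vulnerable: syntax error; safe: []
    print(compare("' OR '1'='1"))  # vulnerable: every row; safe: []
```

The third input shows the defect the page warns about: the concatenated query's WHERE clause is rewritten and returns every row, while the parameterized query treats the same string as a literal name and matches nothing.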