Multi-dimensional Vulnerability Hierarchies

September 12, 2016

web-attacks-e1473718828364

As a leader of multiple OWASP projects, one of the things that’s always fascinated me is the fact that 1) there are so many ways to classify vulnerabilities, and 2) people naturally prefer certain methods.

Some people see the world as impacts (what could happen if the vulnerability were exploited) and they want to name issues based on that. Others want to name things based on the technical characteristics of the vulnerability. And there are many other preferences like these.

Regardless of which approach is best (something I’m still agnostic about) the one thing that pokes a stick in my eye is mixing the models in a single list.

So what I’ve done is created multiple hierarchies for viewing these vulnerabilities, based on the context you prefer.

Classification

This is a hierarchy based on the classification or type of vulnerability.

  • SQL Injection: submitting malicious SQL injection designed to get the application’s database to yield information it shouldn’t

    • Error-based: the application gives a clear error that you can use to improve your attack

    • Blind: the application only indicates whether a given query was successful or unsuccessful, resulting in the need for many requests to extract information

  • Command Injection: submitting input such that the application runs it as operating system commands, resulting in a security problem

  • XML External Entity Processing (XXE): injecting malicious XML into a target application that targets the XML parser and forces it to disclose sensitive information or results in other undesired outcomes, including denial of service

  • Authentication: bypassing the security of the explicit authentication process

  • Session Management: bypassing session management controls that are supposed to maintain proper authentication

  • Access Control: bypassing how the application ensures that only authorized people are able to perform authorized actions

  • Cross-site Scripting (XSS): tricking a user into executing a JavaScript payload that you control

    • Reflected: you send the target user a link, and they execute your payload, which interacts with the target application

    • Stored: you find a way to store your payload in the application itself, and when victims browse that page the payload executes

    • DOM-based: you are able to modify something in the application that results in your payload being executed by the DOM

    • Blind: you send payloads into the application with no exact knowledge of how, when, or by who they’ll be executed. You set up a persistent listener to catch evidence of execution when it does happen

  • Logic Flaws: flaws in the application designers’ assumptions of legitimate usage that allow an attacker to compromise its security

    • Step Bypass: bypassing certain pieces of a multi-step process, such as skipping payment and moving right to shipping

    • Negative Number Parsing: prices are changed to negative numbers, which the application accepts as non-malicious, and which later steps then process as refunds to the attacker

    • Inventory Exhaustion: taking ecommerce items out of circulation so that they cannot be purchased, without actually purchasing them yourself, e.g., adding 10,000 items to a cart that keeps them from being sold

    • Application DoS: submitting input to built-in functionality, such as in-app map displays or resource-intensive database lookups, that causes the application to become unresponsive for other users

  • Cross-site Request Forgery (CSRF): tricking a user into making a particular request into an application, which runs with their context

  • Misconfiguration: determining whether a misconfiguration in the application or its stack can lead to a security issue

  • Use of Known-vulnerable Components: the application uses components that have known vulnerabilities

Interaction Point

This is a hierarchy based on the initial interaction point of the attack, i.e. XSS starts by being executed by the user, not by the application, where SQLi interacts with the application, etc.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

  • Application: attacks that target the application

    • XML External Entity Processing (XXE): injecting malicious XML into a target application that targets the XML parser and forces it to disclose sensitive information or results in other undesired outcomes, including denial of service

    • Authentication: bypassing the security of the explicit authentication process

    • Session Management: bypassing session management controls that are supposed to maintain proper authentication

    • Access Control: bypassing how the application ensures that only authorized people are able to perform authorized actions

    • Stored XSS: you find a way to store your payload in the application itself, and when victims browse that page the payload executes

    • Logic: Step Bypass: bypassing certain pieces of a multi-step process, such as skipping payment and moving right to shipping

    • Logic: Negative Number Parsing: prices are changed to negative numbers, which the application accepts as non-malicious, and which later steps then process as refunds to the attacker

    • Logic: Inventory Exhaustion: taking ecommerce items out of circulation so that they cannot be purchased, without actually purchasing them yourself, e.g., adding 10,000 items to a cart that keeps them from being sold

    • Logic: Application DoS: submitting input to built-in functionality, such as in-app map displays or resource-intensive database lookups, that causes the application to become unresponsive for other users

    • Misconfiguration: Default Content: presence of insecure default content or functionality

    • SQL Injection: Error-based: the application gives a clear error that you can use to improve your attack

    • SQL Injection: Blind: the application only indicates whether a given query was successful or unsuccessful, resulting in the need for many requests to extract information

  • User: attacks that target the user

    • Reflected XSS: you send the target user a link, and they execute your payload, which interacts with the target application

    • DOM-based XSS: you are able to modify something in the application that results in your payload being executed by the DOM

    • Cross-site Request Forgery (CSRF): tricking a user into making a particular request into an application, which runs with their context

  • Platform: attacks that target the application

    • Directory Listings: the ability to see the contents of directories

    • Visible Access Files: the showing of access control files that can give information on how to bypass the security of the system

    • HTTP Security Headers: failure to use HTTP header protections

  • Multiple: attacks that target multiple surface areas

    • Misconfiguration: Default/Known Credentials: the credentials for this application are default and/or well-known

    • Use of Known-vulnerable Components: the application uses components that have known vulnerabilities

    • Blind XSS: you send payloads into the application with no exact knowledge of how, when, or by who they’ll be executed. You set up a persistent listener to catch evidence of execution when it does happen

    • Misconfiguration: Information Disclosure: application/system features like debugging or other verbose messages are enabled that disclose too much information about the application or system

Impact

This hierarchy is based on what the negative impact might be were the issue to be exploited. If a vulnerability is mostly one, but a little bit of another, I put that in the primary category instead of the multiple category, e.g., SQLi is mostly a Confidentiality issue, but can technically be used to change data as well, and it lives under Confidentiality.

  • Confidentiality: loss of data confidentiality

    • SQL Injection: submitting malicious SQL injection designed to get the application’s database to yield information it shouldn’t

      • Error-based: the application gives a clear error that you can use to improve your attack

      • Blind: the application only indicates whether a given query was successful or unsuccessful, resulting in the need for many requests to extract information

  • Integrity: loss of data confidentiality

  • Availability: loss of availability

  • Multiple: losses span at least two of confidentiality, integrity, and availability

Methodology

This hierarchy is based on my own, intuitive structure for thinking about vulnerabilities when performing security testing of an application.

  • Injection: entering content into the application that gets executed by the app in some way, resulting in a security problem

    • SQL Injection: submitting malicious SQL injection designed to get the application’s database to yield information it shouldn’t

      • Error-based: the application gives a clear error that you can use to improve your attack

      • Blind: the application only indicates whether a given query was successful or unsuccessful, resulting in the need for many requests to extract information

    • Command Injection: submitting input such that the application runs it as operating system commands, resulting in a security problem

    • XML External Entity Processing (XXE): injecting malicious XML into a target application that targets the XML parser and forces it to disclose sensitive information or results in other undesired outcomes, including denial of service

    • Server-side Request Forgery (SSRF): you access an internal, firewall-protected resource by tricking an externally-facing system to make that request itself, and then give you the results. Can be stacked with other vulns, such as XXE, to extract sensitive internal information.

    • Redirection: submit content to the app that causes it to redirect users to an unintended location in a potentially unsafe way

  • Access Control: bypassing how the application ensures that only authorized people are able to perform authorized actions

    • Authentication: bypassing the security of the explicit authentication process

    • Session Management: bypassing session management controls that are supposed to maintain proper authentication

    • Resource Access: determining whether it’s possible to interact with resources that you should not be able to given your context

      • Object Identifier Rotation: a number or ID within an application that can be rotated to pull various records without requiring additional authentication

      • Forceful Browsing: determine a list of sensitive resources that restricted users have access to, and then determining whether lower users can also access them

  • Cross-site Scripting (XSS): tricking a user into executing a JavaScript payload that you control

    • Reflected: you send the target user a link, and they execute your payload, which interacts with the target application

    • Stored: you find a way to store your payload in the application itself, and when victims browse that page the payload executes

    • DOM-based: you are able to modify something in the application that results in your payload being executed by the DOM

    • Blind: you send payloads into the application with no exact knowledge of how, when, or by who they’ll be executed. You set up a persistent listener to catch evidence of execution when it does happen

  • Logic Flaws: flaws in the application designers’ assumptions of legitimate usage that allow an attacker to compromise its security

    • Step Bypass: bypassing certain pieces of a multi-step process, such as skipping payment and moving right to shipping

    • Negative Number Parsing: prices are changed to negative numbers, which the application accepts as non-malicious, and which later steps then process as refunds to the attacker

    • Inventory Exhaustion: taking ecommerce items out of circulation so that they cannot be purchased, without actually purchasing them yourself, e.g., adding 10,000 items to a cart that keeps them from being sold

    • Application DoS: submitting input to built-in functionality, such as in-app map displays or resource-intensive database lookups, that causes the application to become unresponsive for other users

  • Cross-site Request Forgery (CSRF): tricking a user into making a particular request into an application, which runs with their context

  • Misconfiguration: determining whether a misconfiguration in the application or its stack can lead to a security issue

    • Default Content: presence of insecure default content or functionality

    • Default/Known Credentials: the credentials for this application are default and/or well-known

    • Information Disclosure: application/system features like debugging or other verbose messages are enabled that disclose too much information about the application or system

    • Directory Listings: the ability to see the contents of directories

    • Visible Access Files: the showing of access control files that can give information on how to bypass the security of the system

    • HTTP Security Headers: failure to use HTTP header protections

  • Use of Known-vulnerable Components: the application uses components that have known vulnerabilities

CREATED: NOVEMBER 2015

Related posts: