News | Jan Kahmen | 6 min read

turingsecure. Top 10 Security Vulnerabilities

Our top 10 vulnerabilities found on the turingsecure. platform through manual penetration testing.


Guessable User Accounts

Guessable user accounts, tracked as CWE-259, are an identity management vulnerability that occurs when user accounts are configured with easily guessed usernames or passwords. It can occur in web and API applications and can be exploited by attackers to gain unauthorized access to resources. According to the OWASP Testing Guide, the easiest way to detect guessable user accounts is to search for weak credentials in the application's source code, configuration files, or user-generated data. The vulnerability can further be classified as an authentication weakness (CWE-287).

Improper Access Control

Improper Access Control is a vulnerability that lets an individual reach information or resources they are not authorized to access. It is categorized under Authentication and is found in web and API applications. The Common Weakness Enumeration (CWE) directory defines it as "a weakness that is related to a system's ability to restrict or prevent unauthorized access to resources or functionality" (CWE-284). The Open Web Application Security Project (OWASP) Testing Guide outlines several tests for detecting Improper Access Control, such as authentication testing, authorization testing and session management testing (OWASP Testing Guide v4).

Insecure Direct Object References

Insecure Direct Object References (CWE-639) is a type of authentication vulnerability that occurs when a web application or API grants direct access to objects based on user-supplied input. According to the OWASP Testing Guide, an Insecure Direct Object Reference occurs when an application uses an "unvalidated parameter, such as a user supplied input, to directly access a backend object or resource". This type of vulnerability can allow attackers to bypass authentication and gain unauthorized access to sensitive information.
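An added example (not code from the turingsecure. article) that shows the lookup-by-id flaw next to its fix; the invoice store, the user names and the "support" role are assumed sample data:

```python
# Added example, not from the turingsecure. article: an insecure direct object
# reference next to its fix. Users, roles and invoices are constructed data.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int

# Constructed sample data standing in for a database table and a role store.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 4800),
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}

def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Optional[Invoice]:
    """CWE-639: the record is fetched purely by the client-supplied id, so any
    logged-in user who edits invoice_id in the request reads someone else's
    invoice. session_user is accepted but never consulted."""
    return INVOICES.get(invoice_id)

def get_invoice(session_user: str, invoice_id: int) -> Optional[Invoice]:
    """Fix: resolve the id, then check that the caller may see this record.
    Foreign and missing invoices both yield None so the response does not
    reveal whether an id exists, which would otherwise aid id enumeration."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice.owner == session_user or ROLES.get(session_user) == "support":
        return invoice
    return None
```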

Insecure Password Reset

Insecure password reset (CWE-309) is a vulnerability found in identity management systems. It allows an attacker to reset a user's account password without the user's knowledge or consent. The attack can be carried out through web and API interfaces as well as through infrastructure components such as servers and databases. According to the OWASP Testing Guide, it can be performed with a variety of methods, including social engineering, brute force attacks, guessing, and exploiting vulnerable code.

JWT HMAC Encryption

JWT HMAC Encryption is a type of encryption vulnerability that affects web applications and Application Programming Interfaces (APIs). According to the Common Weakness Enumeration (CWE) directory, it occurs when a software system fails to properly validate digital tokens signed with symmetric-key cryptographic algorithms (CWE-327). As outlined in the OWASP Testing Guide, it can be exploited to gain access to sensitive data such as usernames, passwords, and other confidential information (OWASP).
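An added example (not code from the turingsecure. article) of the validation the paragraph refers to: a minimal HS256 signer plus a verifier that pins the algorithm, checks the HMAC in constant time and requires an expiry. The key, claims and timestamps are assumed test values.

```python
# Added example, not from the turingsecure. article: a minimal HS256 signer and
# a verifier that pins the algorithm rather than trusting the token header.
# Key, claims and timestamps are constructed for the demonstration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Returns the claims only for a well-formed, unexpired token whose HMAC was
    made with `key`, else None. Letting the header choose the algorithm (e.g.
    honouring "alg": "none") is the flaw here, so HS256 is pinned by the verifier."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        presented = _unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None  # algorithm pinned: "none", RS256 and friends are rejected
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None  # constant-time comparison, no timing side channel
    exp = claims.get("exp")
    now = int(time.time()) if now is None else now
    if not isinstance(exp, int) or now >= exp:
        return None  # an expiry claim is required and must be in the future
    return claims
```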

Publicly Reported Vulnerabilities

Publicly reported vulnerabilities are security flaws reported by third parties or publicly available sources such as the Common Vulnerabilities and Exposures (CVE) directory. These vulnerabilities can affect Web and API, Infrastructure, and Mobile App systems. They are identified and classified according to the Common Weakness Enumeration (CWE) directory and the OWASP Testing Guide.

Reflected Cross Site Scripting

Reflected Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. It occurs when user input is not properly sanitized and is reflected back to the user in the application’s response. This type of attack can be used to inject malicious client-side scripts into a web page viewed by other users. According to the Common Weakness Enumeration (CWE) directory, Reflected XSS is defined as “a type of injection attack in which an attacker injects or manipulates input that the web application or server reflects back to the user in the response.” The OWASP Testing Guide provides further guidance on how to identify and test for this type of vulnerability.

SQL Injection

SQL Injection (CWE-89) is a type of input validation vulnerability in which the attacker submits malicious code to a web application or API through the user interface. The injected code is then used to execute arbitrary code or modify the application's data. SQL Injection is listed in the CWE Top 25 (2022) most dangerous software weaknesses. The OWASP Testing Guide gives further information about this vulnerability and examples of how to prevent it.
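An added example (not code from the turingsecure. article) of the same user lookup written with string formatting and with a bound parameter, run against an in-memory SQLite table whose rows are assumed sample data:

```python
# Added example, not from the turingsecure. article: one lookup written two
# ways against an in-memory SQLite table filled with constructed rows.
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """CWE-89: client input is spliced into the statement text, so a quote
    character in `username` changes the structure of the query itself."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Fix: the statement is fixed and `username` travels as a bound value,
    which the database compares as data and never parses as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()
```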

Stack Traces

Stack Traces (CWE-209) are an error handling vulnerability found in web and API applications: the application exposes its internal state while it is running. An attacker can use the exposed internal state to gain access to the application and its data.

Stack Traces are often identified through dynamic application security testing (DAST) or by manual review of the application code. OWASP's Testing Guide recommends that developers use logging frameworks that obfuscate stack traces, as well as limit the types of data that are logged.
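An added example (not code from the turingsecure. article) of the error-handling pattern the guidance points at: the full traceback stays in the server log under an incident id, and the client receives only that id. The handler, the list-backed log sink and the failing operation are assumed stand-ins.

```python
# Added example, not from the turingsecure. article: an error boundary that
# logs the stack trace server-side and returns a generic body to the client.
# The failing handler and the list-backed log sink are constructed stand-ins.
import logging
import traceback
import uuid
from typing import Callable, Tuple

SERVER_LOG = []  # constructed sink standing in for the real log backend

class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        SERVER_LOG.append(self.format(record))

logger = logging.getLogger("app")
logger.addHandler(_ListHandler())
logger.setLevel(logging.ERROR)
logger.propagate = False

def handle_request(handler: Callable[[], dict]) -> Tuple[int, dict]:
    """Runs `handler`; on failure records the full traceback under a fresh
    incident id and sends the client only that id (CWE-209 mitigation: file
    paths, library versions and variable values never reach the response)."""
    try:
        return 200, handler()
    except Exception:
        incident_id = uuid.uuid4().hex
        logger.error("incident %s\n%s", incident_id, traceback.format_exc())
        return 500, {"error": "internal error", "incident_id": incident_id}

def leaky_handle_request(handler: Callable[[], dict]) -> Tuple[int, dict]:
    """What a framework's debug error page does: the traceback goes to the client."""
    try:
        return 200, handler()
    except Exception:
        return 500, {"error": traceback.format_exc()}

def failing_handler() -> dict:
    return {"result": 1 / 0}  # constructed failure
```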

Use of Hard-Coded Credentials

Use of Hard-coded Credentials (CWE-798) is a type of Identity Management vulnerability that occurs when credentials such as passwords, usernames, or keys are embedded directly in applications or services. It is commonly found in web and API applications and is listed in the CWE Top 25 (2022). Hard-coded credentials are easily discovered by an attacker and, as the OWASP Testing Guide notes, can be used to gain unauthorized access to the application or service.
