Glossary
- Abuse of Functionality
-
Abuse of Functionality is an attack technique that uses a web site’s own features and functionality to attack itself or others. Abuse of Functionality can be described as the abuse of an application’s intended functionality to perform an undesirable outcome. These attacks have varied results such as consuming resources, circumventing access controls, or leaking information. The potential and level of abuse will vary from web site to web site and application to application. Abuse of functionality attacks are often a combination of other attack types and/or utilize other attack vectors.
This category of attacks is broad and includes situations where an application’s features that are functioning properly can still be used in an unintended manner. Solutions to these types of attacks largely depend on what features are being abused and what methods are being used to compromise them.
Application features that send email are one method of such abuse. To prevent such attacks, it is absolutely essential to prevent the attacker from modifying key aspects of an email message. If an attacker can control the "From", "To", "Subject", and / or "Body" of a message, then the email feature can be used as a spam relay service. It is especially critical that developers protect the "To" portion of email messaging to assure that it comes only from trusted data sources.
- Application
-
One kind of asset that can be protected with Continuous Dynamic. An application; in this context, the code that is to be scanned by Continuous Dynamic for vulnerability to malicious users.
- Application Misconfiguration
-
This type of attack exploits configuration weaknesses found in applications. Many applications come with unnecessary and unsafe features, such as debug and QA features, enabled by default. These features may provide a means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges.
- Assessment
-
The process of evaluating an application, either in production/pre-production or in development, for vulnerabilities either automatically, manually, or both.
- Asset
-
A business property that is to be scanned by Continuous Dynamic; specifically, a site or an application.
- Associated host name (AHN)
-
These are usually subdomains that cannot be crawled from the primary host but are essential to the function of the site being assessed.
- Autocomplete Attribute
-
If the Autocomplete attribute for an authentication field is not turned off, an attacker can obtain sensitive information by exploiting the autocomplete feature during a login/authentication process.
- binary analysis
-
Binary analysis allows Continuous Dynamic to scan compiled binaries rather than code bases. This may be preferable if you make extensive use of third party applications for which you cannot access the code.
- Brute Force
-
A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values. The attack takes advantage of the fact that the entropy of the values is smaller than perceived. For example, while an 8 character alphanumeric password can have 2.8 trillion possible values, many people will select their passwords from a much smaller subset consisting of common words and terms.
- Buffer Overflow
-
Buffer Overflow is a flaw that occurs when more data is written to a block of memory, or buffer, than the buffer is allocated to hold. Exploiting a buffer overflow allows an attacker to modify portions of the target process address space.
- Content Spoofing
-
Content Spoofing is an attack technique that allows an attacker to inject a malicious payload that is later misrepresented as legitimate content of an application. This attack compromises the trust relationship between the user and the application.
- Credential
-
This refers to the verification of identity or tools for authentication. Credentials may be part of a certificate or other authentication process that helps to confirm a user’s identity in relation to a network address or other system ID.
- Credential/Session Prediction
-
A method of hijacking or impersonating an application user. Deducing or guessing the unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the consequences could allow attackers the ability to issue site requests with the compromised user’s privileges.
- Cross Site Request Forgery
-
Cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination unwittingly in order to perform an action as the victim. CSRF exploits the trust that an application has for a user by allowing attackers to change a user’s information without their permission or worse.
- Cross Site Scripting
-
In a cross-site scripting attack, a malicious site includes a particular URL from a target site in a page, and makes the user agent request it. The URL is created in such a way that it will cause the target site to include a script of the malicious site’s choosing. As the page is loaded with the user agents credentials, the script is able to perform actions at the target site in the user’s name.
- Denial of Service
-
An attack technique with the intent of preventing an application from serving normal user activity. DoS attacks, which are normally applied at the network layer, are also possible at the application layer. These malicious attacks can succeed by starving a system of critical resources, by a vulnerability exploit, or by abuse of functionality.
- Dependencies
-
A module or program has a dependency if it requires another module or program in order to run successfully. Basic information on dependencies is available on the nexB blog.
- Directed Remediation
-
Directed remediation provides instruction on remediating certain vulnerabilities, along with patches and a library to support ease of implementation.
- Directory Indexing
-
Insecure Indexing is a threat to the data confidentiality of the site. Indexing site contents via a process that has access to files that are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved by a determined attacker, typically through a series of queries to the search engine.
- Directory Traversal
-
The Directory Traversal attack technique (AKA Path Traversal) allows an attacker access to files, directories, and commands that potentially reside outside the root directory. An attacker may manipulate a URL in such a way that the application will execute or reveal the contents of arbitrary files anywhere on the server. Any device that exposes an HTTP-based interface is potentially vulnerable to Directory Traversal.
- F5
-
F5 offers Application Security Manager (ASM) credentials. F5’s ASM is a web application firewall that applies a security policy to protect against attacks.
- F5 Credential
-
F5 offers Application Security Manager (ASM) credentials. F5’s ASM is a web application firewall that applies a security policy to protect against attacks.
- Fingerprinting
-
The most common methodology for attackers is to first footprint the target’s presence and enumerate as much information as possible, including information such as the target’s platform, application software technology, backend database version, configurations and possibly even their network architecture/ topology. With this information, the attacker may develop an accurate attack scenario, which will effectively exploit a vulnerability in the software type/version being utilized by the target host.
- Format String Attack
-
Format String Attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, …).
- host name
-
The URI or URL associated with a particular asset.
- HTTP Request Smuggling
-
A technique that abuses the discrepancy in parsing of non RFC compliant HTTP requests between two HTTP devices, typically a front-end proxy or HTTP-enabled firewall and a back-end server, to smuggle a request to the second device through the first device. This technique enables an attacker to send one set of requests to the second device while the first device interacts on a different set of requests. In turn, this facilitates several possible exploitations, such as partial cache poisoning, bypassing firewall protection and XSS.
- HTTP Request Splitting
-
An attack that enables forcing the browser to send arbitrary HTTP requests. The essence of the attack is the ability of the attacker, once the victim's browser is forced to load the attacker's malicious HTML page, to manipulate one of the browser's functions to send two HTTP requests instead of one HTTP request.
- HTTP Response Smuggling
-
A technique to smuggle two HTTP responses from a server to a client, through an intermediary HTTP device that expects, or allows, a single response from the server.
- HTTP Response Splitting
-
HTTP Response splitting allows an attacker to manipulate the response received by a web browser. HTTP Response Splitting is the attacker’s ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important.
- Impact (aka Severity)
-
Impact, or severity if you’re using the legacy rating method, is the amount of damage that could be done to your business if this vulnerability is exploited. Again, scores can range from 1 (low), indicating that the vulnerability might expose general information such as developer comments, to 5 (urgent), indicating that the vulnerability could allow an attacker to assume root or administrator roles, expose personally identifiable information (e.g. credit card data), etc.
- Improper Filesystem Permissions
-
Improper filesystem permissions are a threat to the confidentiality, integrity and availability of an application. The problem arises when incorrect filesystem permissions are set on files, folders, and symbolic links. When improper permissions are set, an attacker may be able to access restricted files or directories and modify or delete their contents.
- Improper Input Handling
-
Generally, the term input handling is used to describe functions like validation, sanitization, filtering, encoding and/or decoding of input data. Improper input handling is one of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications.
- Improper Output Handling
-
Improper Output Handling is a weakness in data generation that allows the attacker to modify the data sent to the client.
- Information Leakage
-
An application weakness where an application reveals sensitive data, such as technical details of the application, environment, or user-specific data. Sensitive data may be used by an attacker to exploit the target application, its hosting network, or its users. Therefore, leakage of sensitive data should be limited or prevented whenever possible.
- Insecure Indexing
-
In the process of indexing, information is collected and stored by the indexing process. This information can later be retrieved by a determined attacker, typically through a series of queries to the search engine. The attacker does not thwart the security model of the search engine. As such, this attack is subtle and very hard to detect and to foil - it’s not easy to distinguish the attacker’s queries from a legitimate user’s queries.
- Insufficient Anti-automation
-
Occurs when an application permits an attacker to automate a process that was originally designed to be performed only in a manual fashion, e.g. registration for a site.
- Insufficient Authentication
-
Occurs when an application permits an attacker to access sensitive content or functionality without having to properly authenticate; for instance, accessing admin controls by going to the /admin directory without having to log in.
- Insufficient Authorization
-
Occurs when an application fails to prevent unauthorized disclosure of data or a user is allowed to perform functions in a manner inconsistent with the permission policy.
- Insufficient Cookie Access Control
-
The “Domain”, “Path”, and “Secure” cookie attributes should be utilized to limit access to cookies containing sensitive information. These attributes can be used by the User-Agent when determining cookie access rights.
- Insufficient Crossdomain Configuration
-
The crossdomain.xml file is used to determine what resources a Flash application is allowed to access data from. If a poorly configured Flash application becomes compromised, an attacker would have access to all the resources allowed in the crossdomain file. A crossdomain file should not make use of wild-card notation.
- Insufficient Password Aging
-
If password policy allows a user to maintain the same password for an extended length of time, this increases the risk of password-based attacks.
- Insufficient Password Recovery
-
Occurs when an application permits an attacker to illegally obtain, change or recover another user’s password. This happens when the information required to validate a user’s identity for recovery is either easily guessed or can be circumvented. Password recovery systems may be compromised through the use of brute force attacks, inherent system weaknesses, or easily guessed secret questions.
- Insufficient Password Strength
-
Password policy does not aid the user in selecting a password that is less vulnerable to Brute Force attacks; see Brute Force.
- Insufficient Process Validation
-
Occurs when an application fails to prevent an attacker from circumventing the intended flow or business logic of the application.
- Insufficient Session Expiration
-
This occurs when an application permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases an application's exposure to attacks that steal or reuse users' session identifiers.
- Insufficient Session Invalidation
-
A user should be able to invalidate a session by logging out; this should not simply remove the session cookie but should invalidate the session.
- Integer Overflows
-
The condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it. Attackers can use these conditions to influence the value of variables in ways that the programmer did not intend.
- Invalid HTTP Method Usage
-
The GET method is not intended to contain sensitive information or change the site state. If it is used this way, it increases your vulnerability to Cross Site Request Forgery, Information Leakage, and accidental damage to your application through crawlers. It compromises the integrity of your application.
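The two entries above describe the same defensive rule from two sides: state-changing actions must not be reachable through a safe method such as GET, and requests that do change state must carry a token the attacker's page cannot supply. The following is an added example written for this glossary, not code from the Continuous Dynamic product; the secret, the action names and the session IDs are constructed, and the HMAC-derived token scheme is one common design, assumed here rather than taken from the glossary.

```python
"""CSRF token check plus refusal of state changes over GET.

Added example for this glossary entry; it is not code from the Continuous
Dynamic product. Secret, action names and session IDs are constructed for
illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Per-deployment secret (hypothetical; in practice loaded from protected config).
SERVER_SECRET = secrets.token_bytes(32)

# Methods that HTTP defines as safe: they must never change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Actions that change state and therefore need a non-safe method plus a token.
STATE_CHANGING_ACTIONS = {"transfer", "change_email", "delete_account"}


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session ID with an HMAC, so the server can
    verify it without storing anything extra per session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, presented: str | None) -> bool:
    """Constant-time comparison against the token this session should hold."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, presented or "")


def check_request(method: str, action: str, session_id: str, token: str | None) -> tuple[bool, str]:
    """Decide whether a request may proceed. Returns (allowed, reason)."""
    method = method.upper()
    if action in STATE_CHANGING_ACTIONS and method in SAFE_METHODS:
        # Invalid HTTP Method Usage: a plain link, image tag or crawler hit would trigger it.
        return False, f"state-changing action '{action}' attempted via {method}"
    if method not in SAFE_METHODS and not verify_csrf_token(session_id, token):
        # Cross Site Request Forgery: the browser attached the cookie, but the
        # cross-site page that built the request could not know the token.
        return False, "CSRF token missing or invalid"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session ID
    print(check_request("GET", "transfer", sid, None))
    print(check_request("POST", "transfer", sid, None))
    print(check_request("POST", "transfer", sid, issue_csrf_token(sid)))
```

The token is bound to the session ID, so a token captured from one session does not validate another; the `check_request` order matters, because refusing GET for state changes first means a forged link fails even before the token check runs.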
- LDAP Injection
-
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. The same advanced exploitation techniques available in SQL Injection can also be similarly applied in LDAP Injection.
- license period
-
The calendar period during which the license is valid.
- Likelihood (aka Threat)
-
Likelihood, or threat, is how likely it is that someone will be able to utilize this vulnerability to do harm. Scores can range from 1 (low), indicating low threat due to the obscurity of the attack method, difficulty of designing or executing the attack, etc., to 5 (urgent), indicating a vulnerability that is easily exploited by someone with little or no skill (even by accident), that is very widely understood.
- Non-HTTPOnly Session Cookie
-
A cookie value can be configured to be inaccessible to client-side JavaScript, by setting the “HttpOnly” attribute. This instructs the User-Agent to restrict access to the cookie only for use with HTTP messages. This best practice helps prevent manipulation of the cookie by malicious JavaScript.
- Null Byte Injection
-
An active exploitation technique used to bypass sanity checking filters in infrastructure by adding URL-encoded null byte characters (i.e. %00, or 0x00 in hex) to the user-supplied data.
- Path Traversal
-
The Path Traversal attack technique (AKA Directory Traversal) allows an attacker access to files, directories, and commands that potentially reside outside the root directory. An attacker may manipulate a URL in such a way that the application will execute or reveal the contents of arbitrary files anywhere on the server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.
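The usual defence for the Path Traversal and Directory Traversal entries is to resolve the user-supplied name against a fixed base directory and refuse anything that ends up outside it. The following is an added example written for this glossary, not code from the Continuous Dynamic product; BASE_DIR and the sample inputs are constructed, and the single extra URL-decode step is an assumption about the web layer in front of it. It also rejects an embedded NUL, which is the Null Byte Injection case from the same glossary.

```python
"""Resolve a user-supplied path safely under a fixed base directory.

Added example for this glossary entry; not code from the Continuous Dynamic
product. BASE_DIR and the sample inputs are constructed for illustration.
Requires Python 3.9+ for Path.is_relative_to.
"""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

BASE_DIR = Path("/var/www/downloads")  # hypothetical document root


def resolve_user_path(base: Path, user_supplied: str) -> Optional[Path]:
    """Return the real path if it stays inside `base`, otherwise None.

    Assumes the web layer already URL-decoded the value once; one more
    unquote() here catches a double-encoded '..' (%252e%252e). Drop it if
    your file names may legitimately contain a literal '%'."""
    decoded = unquote(user_supplied)
    if "\x00" in decoded:
        # Null Byte Injection: a NUL would truncate the name in C-based file APIs,
        # so an extension check on the Python side would see a different name.
        return None
    root = base.resolve()
    # Joining an absolute user path discards `root`; resolve() then collapses
    # any '..' segments (and follows symlinks where the path exists), so the
    # containment test below sees the path the OS would actually open.
    candidate = (root / decoded).resolve()
    if not candidate.is_relative_to(root):
        return None
    return candidate


if __name__ == "__main__":
    for name in ["reports/q1.pdf", "../../etc/passwd", "/etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd", "reports/q1.pdf\x00.txt"]:
        print(repr(name), "->", resolve_user_path(BASE_DIR, name))
```

Checking containment after `resolve()` rather than by searching the input for `..` is what makes this hold up against encoded, mixed-separator and symlink variants: the decision is made on the path the operating system would open, not on the string the client sent.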
- Persistent Session Cookie
-
Cookies whose values contain sensitive data should not have a future expiration date, but should expire with the session. (See Insufficient Session Expiration)
- Personally Identifiable Information
-
Information that identifies a single person or can be used with other information sources to identify a single person. Examples of Personally Identifiable Information include:
- Name
- Age
- Birth date
- Birth place
- Credit Card numbers
- Criminal record
- Driver's License number
- Educational history (schools attended)
- Fingerprint information
- Gender
- Genotype (full or partial)
- ID Numbers such as Social Security Number
- Parents' names/birthplaces
- Race
- Residence location
- Vehicle license number
- Work history
The U.S. government has defined PII as “Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
The European Union has defined a similar term, "personal data," as “any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Personally identifiable information is subject to a variety of forms of legally-mandated protection.
- Policy
-
A policy defines a set of vulnerability classes that are to be considered when scanning for vulnerabilities.
- Predictable Resource Location
-
By making educated guesses via brute forcing, an attacker can guess file and directory names not intended for public viewing. Brute forcing filenames is easy because files/paths often follow common naming conventions and reside in standard locations. Predictable Resource Location is also known as Forced Browsing, Forceful Browsing, File Enumeration, and Directory Enumeration.
- Primary host name
-
This is the main domain associated with a site asset: for example, https://whitehatsec.com.
- Priority
-
Priority is a number from one to ten (1-10) assigned to a specific website by the customer to indicate the importance of a particular site to your business. It applies only to sites, not to applications. (Edit priority like any site setting.) One (1) indicates a low priority site, while ten (10) indicates a key business-critical site.
- Rating
-
Rating is a measurement of the degree of risk a given vulnerability poses to your business.
- Remote File Inclusion
-
Remote File Include (RFI) exploits dynamic file inclusion mechanisms in applications. When user input specifies a file inclusion, the application can be tricked into including remote files with malicious code.
- Risk
-
Risk is a measure of the importance of remediating a given vulnerability class on a given site. It reflects the damage that can be done via a vulnerability, and the probability that the vulnerability will be exploited; if you are using the WhiteHat Advanced Rating Methodology, then for sites it also factors in the priority you have placed on that site. In the legacy rating methodology, risk is used only for applications and severity is used for sites.
- Routing Detour
-
A type of “Man in the Middle” attack where intermediaries can be injected or “hijacked” to route sensitive messages to an outside location in such a way that the receiving application is unaware that this has occurred.
- Score
-
The overall score is based on the sum of the threat/likelihood, severity/impact, and (for sites) the site priority, giving a total value up to as much as 10 for applications, or 20 for sites. For the table display, that score is converted as follows.
For Sites:
- 17 - 20: "Urgent"
- 13 - 16: "Critical"
- 09 - 12: "High"
- 05 - 08: "Medium"
- 01 - 04: "Low"
For Applications:
- 9 - 10: "Urgent"
- 7 - 8: "Critical"
- 5 - 6: "High"
- 3 - 4: "Medium"
- 1 - 2: "Low"
- Score (CVSS Score)
-
The rating for this specific vulnerability in the Common Vulnerability Scoring System used by the National Vulnerability Database, a part of the National Institute of Standards and Technology (NIST).
- Server Misconfiguration
-
Configuration weaknesses found in servers and application servers can trivially allow abuse of default functionality.
- Session Fixation
-
An attack that forces a user’s session ID to a known value. After a user’s session ID has been fixed, the attacker will wait for that user to login and use the predefined session ID value to assume the same online identity.
In contrast to stealing a user's session ID after they have logged into an application, Session Fixation provides a much wider window of opportunity.
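The Session Fixation entry above, together with the Insufficient Session Expiration and Insufficient Session Invalidation entries earlier in this glossary, all come down to how the server manages session identifiers over their lifetime. The following is an added example written for this glossary, not code from the Continuous Dynamic product; the timeout values, user names and the in-memory store are constructed for illustration, and `demo_scenario` walks through each case with a fake clock so the behaviour can be checked without waiting.

```python
"""Session lifecycle that defeats fixation, stale-session reuse and
cookie-only logout.

Added example for these glossary entries; not code from the Continuous Dynamic
product. Timeout values and user names are constructed for illustration.
"""
import secrets
import time


class SessionStore:
    """In-memory, server-side session table keyed by unguessable IDs."""

    IDLE_TIMEOUT = 15 * 60        # seconds without activity (hypothetical policy)
    ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since login, regardless of activity

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}        # session ID -> {"user", "created", "last_seen"}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG: not guessable (see Credential/Session Prediction).
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Issue a fresh ID at authentication. Whatever ID the browser presented,
        including one an attacker planted, is discarded rather than upgraded."""
        self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid: str):
        """Return the user bound to a session, expiring it on idle/absolute limits."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self.IDLE_TIMEOUT or now - s["created"] > self.ABSOLUTE_TIMEOUT:
            del self._sessions[sid]     # old IDs stop working (Insufficient Session Expiration)
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid: str) -> bool:
        """Invalidate server-side. Clearing only the browser cookie would leave
        the ID valid for anyone who captured it (Insufficient Session Invalidation)."""
        return self._sessions.pop(sid, None) is not None


def demo_scenario() -> dict:
    """Walk through the fixation, expiration and logout cases with a fake clock."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    planted = store.create_anonymous()        # an ID the attacker could know pre-login
    authed = store.login(planted, "alice")
    results = {
        "planted_id_dead_after_login": store.user_for(planted) is None,
        "fresh_id_authenticated": store.user_for(authed) == "alice",
        "ids_differ": planted != authed,
    }
    now[0] += SessionStore.IDLE_TIMEOUT + 1
    results["expired_after_idle"] = store.user_for(authed) is None
    bob = store.login(store.create_anonymous(), "bob")
    results["logout_invalidates_server_side"] = store.logout(bob) and store.user_for(bob) is None
    return results


if __name__ == "__main__":
    for case, passed in demo_scenario().items():
        print(f"{case}: {'ok' if passed else 'FAIL'}")
```

The key line is the `pop` in `login`: the pre-authentication ID is destroyed, not promoted, so an ID fixed into the victim's browser before login never becomes an authenticated session.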
- Session/Credential Prediction
-
A method of hijacking or impersonating an application user. Deducing or guessing the unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the consequences could allow attackers the ability to issue site requests with the compromised user’s privileges.
- Severity (aka Impact)
-
Severity, or impact, is the amount of damage that could be done to your business if this vulnerability is exploited. Again, scores can range from 1 (low), indicating that the vulnerability might expose general information such as developer comments, to 5 (urgent), indicating that the vulnerability could allow an attacker to assume root or administrator roles, expose personally identifiable information (e.g. credit card data), etc.
- Site
-
One kind of asset that can be protected with Continuous Dynamic. A web site; in this context a site to be scanned by Continuous Dynamic for vulnerability to malicious users.
- SOAP Array Abuse
-
XML SOAP arrays are a common target for malicious abuse. A service that expects an array can be the target of an XML DoS attack by forcing the SOAP server to build a huge array in the machine's memory, thus inflicting a DoS condition on the machine due to the memory pre-allocation.
- SQL Injection
-
An attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to execute arbitrary SQL statements against the database.
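The root cause named in the entry above is that the statement is constructed from user-supplied input. The following is an added example written for this glossary, not code from the Continuous Dynamic product; it puts the string-built lookup next to the parameterized one over a constructed SQLite table so the difference in behaviour can be observed directly.

```python
"""SQL Injection: string-built query beside its parameterized replacement.

Added example for this glossary entry; not code from the Continuous Dynamic
product. The SQLite table and rows are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the user-supplied value becomes part of the statement text,
    so quote characters in it change the statement's logic."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the statement text is fixed; the value is bound separately and
    can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The classic tautology probe: in the vulnerable version it turns the WHERE
# clause into an always-true test, so every row comes back.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))
    print(lookup_vulnerable(db, TAUTOLOGY))      # both rows
    print(lookup_parameterized(db, TAUTOLOGY))   # no user has that literal name
```

Parameterization is the fix, not escaping: with a bound parameter there is no point at which the value is re-parsed as SQL, which is why the same input that returns the whole table from `lookup_vulnerable` returns nothing from `lookup_parameterized`.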
- SSI Injection
-
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into an application, which will later be executed locally by the server. SSI Injection exploits an application’s failure to sanitize user-supplied data before inserting the data into a server-side interpreted HTML file.
- Threat (aka Likelihood)
-
Threat, or likelihood, is how likely it is that someone will be able to utilize this vulnerability to do harm. Scores can range from 1 (low), indicating low threat due to the obscurity of the attack method, difficulty of designing or executing the attack, etc., to 5 (urgent), indicating a vulnerability that is easily exploited by someone with little or no skill (even by accident), that is very widely understood.
- Unsecured Session Cookie
-
If the session cookie does not have the Secure attribute set, the browser will also send it over unencrypted HTTP connections between the client and the server. This means the cookie is exposed to theft.
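The Unsecured Session Cookie entry above, along with the Insufficient Cookie Access Control, Non-HTTPOnly Session Cookie and Persistent Session Cookie entries earlier in this glossary, can all be checked from the Set-Cookie header alone. The following is an added example written for this glossary, not code from the Continuous Dynamic product; the header lines and the host name are constructed, and the finding text reuses the glossary's entry names so results map back to this page.

```python
"""Audit Set-Cookie headers for the cookie weaknesses listed in this glossary.

Added example for these entries; not code from the Continuous Dynamic product.
The header lines and host name below are constructed for illustration.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; valueless flags such as Secure map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, request_host: str) -> List[str]:
    """Return one finding per weakness, named after the glossary entry it matches.
    Meant for session cookies; run it on every cookie that carries sensitive data."""
    _name, _value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("Unsecured Session Cookie: no Secure attribute, browser will send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("Non-HTTPOnly Session Cookie: no HttpOnly attribute, readable by client-side script")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("Persistent Session Cookie: Expires/Max-Age set, cookie outlives the browser session")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != request_host.lower():
        # A Domain wider than the responding host hands the cookie to every subdomain.
        findings.append(f"Insufficient Cookie Access Control: Domain={domain} shares the cookie with every subdomain of it")
    if attrs.get("path", "/") == "/":
        findings.append("Insufficient Cookie Access Control: Path not restricted, cookie sent to every path on the host")
    return findings


# Constructed sample headers as a scanner might capture them.
SAMPLE_HEADERS = [
    "JSESSIONID=8f3a2c; Path=/",
    "sid=4e1b; Domain=example.com; Path=/app; Secure; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "sid=4e1b; Path=/app; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for finding in audit_set_cookie(header, "app.example.com") or ["no findings"]:
            print("  " + finding)
```

Of the three constructed headers, the first trips three checks, the second is well flagged but still persistent and shared across subdomains, and the third is the form the glossary entries are asking for.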
- URL Redirector Abuse
-
URL redirectors represent common functionality employed by applications to forward an incoming request to an alternate resource. URL redirectors can be abused to provide an attacker’s URL that appears to be endorsed by the legitimate site, tricking victims into believing that they are navigating to a site other than the true destination. (See Content Spoofing)
- User
-
A person who has the ability to log in to your Continuous Dynamic product(s).
- Vulnerability
-
A place in an application (either live or in your code) that a hostile person could use to do things that are counter to your best interests.
- Vulnerability ID
-
A unique identifier for this specific vulnerability.
- Vulnerability Status
-
A vulnerability may be:
- Open - still vulnerable
- Closed - fully remediated
- Accepted - business risk accepted by customer
- Invalid - this vuln was a duplicate or an error, and should not have appeared in the Continuous Dynamic Portal
- Mitigated - this vulnerability has been mitigated through Runtime Application Self Protection (RASP)
- Vulnerability Class
-
Vulnerability classes provide a means to sort vulnerabilities by broad types. Application Misconfiguration, Clickjacking, Path Traversal, and Session Fixation are examples of vulnerability classes. Some of these vulnerabilities result from coding errors, and others result from logical errors in the design or business logic of an application. (See www.owasp.org for additional information.)
- Weak Cipher Strength
-
The application's server allows the use of weak SSL/TLS ciphers. The server should not allow ciphers weaker than 128 bits, nor certificates signed using the SHA-1 hash.
- Weak Password Recovery Validation
-
Occurs when an application permits an attacker to illegally obtain, change or recover another user’s password. This happens when the information required to validate a user’s identity for recovery is either easily guessed or can be circumvented. Password recovery systems may be compromised through the use of brute force attacks, inherent system weaknesses, or easily guessed secret questions.
- Continuous Dynamic
-
Continuous Dynamic is a highly scalable Software-as-a-Service platform for dynamic application security testing (DAST). Continuous Dynamic provides:
- Continuous, concurrent assessments
- Verified, actionable results
- Unlimited access to security experts
- Reporting and Intelligence metrics to support business risk management
- XML Attribute Blowup
-
This attack takes advantage of some XML parsers' parsing process. The attacker provides a malicious XML document, which vulnerable XML parsers process in an inefficient manner, resulting in severe CPU load. The essence of the attack is to include many attributes in the same XML node, resulting in a denial of service condition.
- XML Entity Expansion
-
This attack exploits a capability of XML DTDs that allows the creation of custom macros, called entities. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve them, resulting in a denial of service condition.
- XML External Entities
-
This attack takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to a URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data; alternately, referrals may compromise the security of the data that the server/XML application has access to.
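The XML Attribute Blowup, XML Entity Expansion and XML External Entities entries above all describe input a parser should refuse before it spends resources on it: entity declarations, references to sender-chosen URIs, and elements with an unbounded number of attributes. The following is an added example written for this glossary, not code from the Continuous Dynamic product; it uses the expat parser in the Python standard library, and the sample documents and the MAX_ATTRIBUTES limit are constructed for illustration.

```python
"""Refuse DTD entity declarations, external references and attribute floods
before an XML parser spends resources on them.

Added example for these glossary entries; not code from the Continuous Dynamic
product. The sample documents and MAX_ATTRIBUTES value are constructed.
"""
import xml.parsers.expat as expat

MAX_ATTRIBUTES = 64   # per element; hypothetical limit for this service


class UnsafeXml(ValueError):
    """Raised for input that matches one of the XML abuse patterns."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse with entities disabled. Returns the element names seen, in order."""
    seen = []
    parser = expat.ParserCreate()
    # Never load parameter entities (the DTD side of external-entity attacks).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # XML Entity Expansion: a document from a client never needs its own
        # entities, so refuse the declaration instead of bounding the expansion.
        raise UnsafeXml(f"entity declaration refused: {name!r}")

    def external_ref(context, base, system_id, public_id):
        # XML External Entities: never dereference a URI chosen by the sender.
        raise UnsafeXml(f"external entity refused: {system_id!r}")

    def start_element(name, attrs):
        # XML Attribute Blowup: bound the per-element attribute count.
        if len(attrs) > MAX_ATTRIBUTES:
            raise UnsafeXml(f"{len(attrs)} attributes on <{name}> exceeds {MAX_ATTRIBUTES}")
        seen.append(name)

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXml(f"malformed XML: {exc}") from exc
    return seen


def is_rejected(data: bytes) -> bool:
    """True if parse_untrusted_xml refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXml:
        return True
    return False


# Constructed samples: one benign document and one per glossary entry.
BENIGN = b"<order><item sku='A1'/><item sku='B2'/></order>"
INTERNAL_ENTITIES = b"<!DOCTYPE d [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]><d>&b;</d>"
EXTERNAL_ENTITY = b"<!DOCTYPE d [<!ENTITY ext SYSTEM 'http://example.invalid/data.txt'>]><d>&ext;</d>"
ATTRIBUTE_FLOOD = b"<d " + b" ".join(b"a%d='x'" % i for i in range(200)) + b"/>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("internal entities", INTERNAL_ENTITIES),
                       ("external entity", EXTERNAL_ENTITY), ("attribute flood", ATTRIBUTE_FLOOD)]:
        print(f"{label}: {'rejected' if is_rejected(doc) else 'accepted'}")
```

Rejecting at the declaration is deliberate: an expansion limit still lets the parser do some of the attacker's work, whereas a service whose clients never legitimately send a DTD loses nothing by refusing every entity outright.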
- XML Injection
-
An attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application. Furthermore, XML injection can cause the insertion of malicious content into the resulting message/document.
- XPath Injection
-
An attack technique that exploits applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
- XQuery Injection
-
This attack is a variant of the classic SQL injection attack against the XML XQuery Language. XQuery Injection uses improperly validated data that is passed to XQuery commands.