Glossary

Abuse of Functionality is an attack technique that uses a web site’s own features and functionality to attack itself or others. Abuse of Functionality can be described as the abuse of an application’s intended functionality to perform an undesirable outcome. These attacks have varied results such as consuming resources, circumventing access controls, or leaking information. The potential and level of abuse will vary from web site to web site and application to application. Abuse of functionality attacks are often a combination of other attack types and/or utilize other attack vectors.

Binary analysis allows Sentinel to scan compiled binaries rather than code bases. This may be preferable if you make extensive use of third party applications for which you cannot access the code.

A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values. The attack takes advantage of the fact that the entropy of the values is smaller than perceived. For example, while an 8 character alphanumeric password can have 2.8 trillion possible values, many people will select their passwords from a much smaller subset consisting of common words and terms.

Buffer Overflow is a flaw that occurs when more data is written to a block of memory, or buffer, than the buffer is allocated to hold. Exploiting a buffer overflow allows an attacker to modify portions of the target process address space.

Content Spoofing is an attack technique that allows an attacker to inject a malicious payload that is later misrepresented as legitimate content of an application. This attack compromises the trust relationship between the user and the application.

This refers to the verification of identity or tools for authentication. Credentials may be part of a certificate or other authentication process that helps to confirm a user’s identity in relation to a network address or other system ID.

A method of hijacking or impersonating an application user. Deducing or guessing the unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the consequences could allow attackers the ability to issue site requests with the compromised user’s privileges.

Cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination unwittingly in order to perform an action as the victim. CSRF exploits the trust that an application has for a user by allowing attackers to change a user’s information without their permission or worse.

In a cross-site scripting attack, a malicious site includes a particular URL from a target site in a page, and makes the user agent request it. The URL is created in such a way that it will cause the target site to include a script of the malicious site’s choosing. As the page is loaded with the user agents credentials, the script is able to perform actions at the target site in the user’s name.

An attack technique with the intent of preventing an application from serving normal user activity. DoS attacks, which are easily normally applied to the network layer, are also possible at the application layer. These malicious attacks can succeed by starving a system of critical resources, by a vulnerability exploit, or by abuse of functionality.

A module or program has a dependency if it requires another module or program in order to run successfully. Basic information on dependencies is available on the nexB blog.

Directed remediation provides instruction on remediating certain vulnerabilities, along with patches and a library to support ease of implementation.

Insecure Indexing is a threat to the data confidentiality of the site. Indexing site contents via a process that has access to files that are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved by a determined attacker, typically through a series of queries to the search engine.

The Directory Traversal attack technique (AKA Path Traversal) allows an attacker access to files, directories, and commands that potentially reside outside the root directory. An attacker may manipulate a URL in such a way that the application will execute or reveal the contents of arbitrary files anywhere on the server. Any device that exposes an HTTP-based interface is potentially vulnerable to Directory Traversal.

F5 offers Application Security Manager (ASM) credentials. F5’s ASM is a web application firewall that applies a security policy to protect against attacks.

F5 offers Application Security Manager (ASM) credentials. F5’s ASM is a web application firewall that applies a security policy to protect against attacks.

The most common methodology for attackers is to first footprint the target’s presence and enumerate as much information as possible, including information such as the target’s platform, application software technology, backend database version, configurations and possibly even their network architecture/ topology. With this information, the attacker may develop an accurate attack scenario, which will effectively exploit a vulnerability in the software type/version being utilized by the target host.

Format String Attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, …​).

A user-created collection of sites or applications.

the URI or URL associated with a particular asset.

A technique that abuses the discrepancy in parsing of non RFC compliant HTTP requests between two HTTP devices, typically a front-end proxy or HTTP-enabled firewall and a back-end server, to smuggle a request to the second device through the first device. This technique enables an attacker to send one set of requests to the second device while the first device interacts on a different set of requests. In turn, this facilitates several possible exploitations, such as partial cache poisoning, bypassing firewall protection and XSS.

An attack that enables forcing the browser to send arbitrary HTTP requests. The essence of the attack is the ability of the attacker, once the victim 's browser is forced to load the attacker’s malicious HTML page, to manipulate one of the browser’s functions to send two HTTP requests instead of one HTTP request.

A technique to smuggle two HTTP responses from a server to a client, through an intermediary HTTP device that expects, or allows, a single response from the server.

HTTP Response splitting allows an attacker to manipulate the response received by a web browser. HTTP Response Splitting is the attacker’s ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important.

Impact, or severity if you’re using the legacy rating method, is the amount of damage that could be done to your business if this vulnerability is exploited. Again, scores can range from 1 (low), indicating that the vulnerability might expose general information such as developer comments, to 5 (urgent), indicating that the vulnerability could allow an attacker to assume root or administrator roles, expose personally identifiable information (e.g. credit card data), etc.

Improper filesystem permissions are a threat to the confidentiality, integrity and availability of an application. The problem arises when incorrect filesystem permissions are set on files, folders, and symbolic links. When improper permissions are set, an attacker may be able to access restricted files or directories and modify or delete their contents.

Generally, the term input handling is used to describe functions like validation, sanitization, filtering, encoding and/or decoding of input data. Improper input handling is one of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications.

Improper Output handling is a weakness in data generation allows the attacker to modify the data sent to the client.

An application weakness where an application reveals sensitive data, such as technical details of the application, environment, or user-specific data. Sensitive data may be used by an attacker to exploit the target application, its hosting network, or its users. Therefore, leakage of sensitive data should be limited or prevented whenever possible.

In the process of indexing, information is collected and stored by the indexing process. This information can later be retrieved by a determined attacker, typically through a series of queries to the search engine. The attacker does not thwart the security model of the search engine. As such, this attack is subtle and very hard to detect and to foil - it’s not easy to distinguish the attacker’s queries from a legitimate user’s queries.

Occurs when an application permits an attacker to automate a process that was originally designed to be performed only in a manual fashion, e.g. registration for a site.

Occurs when an application permits an attacker to access sensitive content or functionality without having to properly authenticate; for instance, accessing admin controls by going to the /admin directory without having to log in.

Occurs when an application fails to prevent unauthorized disclosure of data or a user is allowed to perform functions in a manner inconsistent with the permission policy.

The “Domain”, “Path”, and “Secure” cookie attributes should be utilized to limit access to cookies containing sensitive information. These attributes can be used by the User-Agent when determining cookie access rights.

The crossdomain.xml file is used to determine what resources a flash application is allowed to access data from. If a poorly configured Flash application becomes compromised an attacker would have access to all the resources allowed in the crossdomain file. A crossdomain file should not make use of wild-card notation.

If password policy allows a user to maintain the same password for an extended length of time, this increases the risk of password-based attacks.

Occurs when an application permits an attacker to illegally obtain, change or recover another user’s password. This happens when the information required to validate a user’s identity for recovery is either easily guessed or can be circumvented. Password recovery systems may be compromised through the use of brute force attacks, inherent system weaknesses, or easily guessed secret questions.

Password policy does not aid the user in selecting a password that is less vulnerable to Brute Force attacks; see Brute Force.

Occurs when an application fails to prevent an attacker from circumventing the intended flow or business logic of the application.

This occurs when an application permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases an application’s exposure to attacks that steal or reuse user’s session identifiers.

A user should be able to invalidate a session by logging out; this should not simply remove the session cookie but should invalidate the session.

The condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it. Attackers can use these conditions to influence the value of variables in ways that the programmer did not intend.

The GET method is not intended to contain sensitive information or change the site state. If it is used this way, it increases your vulnerability to Cross Site Request Forgery, Information Leakage, and accidental damage to your application through crawlers. It compromises the integrity of your application.

Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. The same advanced exploitation techniques available in SQL Injection can also be similarly applied in LDAP Injection.

The calendar period during which the license is valid.

Likelihood, or threat, is how likely it is that someone will be able to utilize this vulnerability to do harm. Scores can range from 1 (low), indicating low threat due to the obscurity of the attack method, difficulty of designing or executing the attack, etc., to 5 (urgent), indicating a vulnerability that is easily exploited by someone with little or no skill (even by accident), that is very widely understood.

An attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized.

A cookie value can be configured to be inaccessible to client-side JavaScript, by setting the “HttpOnly” attribute. This instructs the User-Agent to restrict access to the cookie only for use with HTTP messages. This best practice helps prevent manipulation of the cookie by malicious JavaScript.

An active exploitation technique used to bypass sanity checking filters in infrastructure by adding URL-encoded null byte characters (i.e. %00, or 0x00 in hex) to the user-supplied data.

An attack technique used for unauthorized execution of operating system commands. AKA OS Commanding.

An attack technique used for unauthorized execution of operating system commands. AKA OS Command Injection

The Path Traversal attack technique (AKA Directory Traversal) allows an attacker access to files, directories, and commands that potentially reside outside the root directory. An attacker may manipulate a URL in such a way that the application will execute or reveal the contents of arbitrary files anywhere on the server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Cookies whose values contain sensitive data should not have a future expiration date, but should expire with the session. (See Insufficient Session Expiration)

A policy defines a set of vulnerability classes that are to be considered when scanning for vulnerabilities.

By making educated guesses via brute forcing an attacker can guess file and directory names not intended for public viewing. Brute forcing filenames is easy because files/paths often have common naming convention and reside in standard locations. Predictable Resource Location is also known as Forced Browsing, Forceful Browsing, File Enumeration, and Directory Enumeration.

This is the main domain associated with a site asset: for example, https://whitehatsec.com.

Priority is a number from one to ten (1-10) assigned to a specific website by the customer to indicate the importance of a particular site to your business. It applies only to sites, not to applications. (Edit priority like any site setting.) One (1) indicates a low priority site, while ten (10) indicates a key business-critical site.

Rating is a measurement of the degree of risk a given vulnerability poses to your business.

Remote File Include (RFI) exploits dynamic file inclusion mechanisms in applications. When user input specifies a file inclusion, the application can be tricked into including remote files with malicious code.

Risk is a measure of the importance of remediating a given vulnerability class on a given site. It reflects the damage that can be done via a vulnerability, and the probability that the vulnerability will be exploited; if you are using the WhiteHat Advanced Rating Methodology, then for sites it also factors in the priority you have placed on that site. In the legacy rating methodology, risk is used only for applications and severity is used for sites.

A type of “Man in the Middle” attack where intermediaries can be injected or “hijacked” to route sensitive messages to an outside location in such a way that the receiving application is unaware that this has occurred.

The overall score is based on the sum of the threat/likelihood, severity/impact, and (for sites) the site priority, giving a total value up to as much as 10 for applications, or 20 for sites. For the table display, that score is converted as follows: for Sites, a numerical score of 17 - 20 has a value of "Urgent," a numerical score of 13 - 16 has a value of "Critical," a numerical score of 09 - 12 has a value of "High," a numerical score of 05 - 08 has a value of "Medium," and a numerical score of 01 - 04 has a value of "Low." For Applications, a numerical score of 9 - 10 has a value of "Urgent," a numerical score of 7 - 8 has a value of "Critical," a numerical score of 5 - 6 has a value of "High," a numerical score of 3 - 4 has a value of "Medium," and a numerical score of 1 - 2 has a value of "Low."

The rating for this specific vulnerability in the Common Vulnerability Scoring System used by the National Vulnerability Database, a part of the National Institute of Standards and Technology (NIST)

Configuration weaknesses found in servers and application servers can trivially allow abuse of default functionality.

An attack that forces a user’s session ID to a known value. After a user’s session ID has been fixed, the attacker will wait for that user to login and use the predefined session ID value to assume the same online identity.

A method of hijacking or impersonating an application user. Deducing or guessing the unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the consequences could allow attackers the ability to issue site requests with the compromised user’s privileges.

Severity, or impact, is the amount of damage that could be done to your business if this vulnerability is exploited. Again, scores can range from 1 (low), indicating that the vulnerability might expose general information such as developer comments, to 5 (urgent), indicating that the vulnerability could allow an attacker to assume root or administrator roles, expose personally identifiable information (e.g. credit card data), etc.

One kind of asset that can be protected with Sentinel. A web site; in this context a site to be scanned by Sentinel for vulnerability to malicious users.

XML SOAP arrays are a common target for malicious abuse. A service that expects an array can be the target of a XML DoS attack by forcing the SOAP server to build a huge array in the machine’s memory, thus inflicting a DoS condition on the machine due to the memory pre-allocation.

An attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to execute arbitrary SQL statements against the database.

SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into an application, which will later be executed locally by the server. SSI Injection exploits an application’s failure to sanitize user-supplied data before inserting the data into a server-side interpreted HTML file.

Threat, or likelihood, is how likely it is that someone will be able to utilize this vulnerability to do harm. Scores can range from 1 (low), indicating low threat due to the obscurity of the attack method, difficulty of designing or executing the attack, etc., to 5 (urgent), indicating a vulnerability that is easily exploited by someone with little or no skill (even by accident), that is very widely understood.

If the session cookie does not have the secure attribute enabled, it is not encrypted between the client and the server. This means the cookie is exposed to theft.

URL redirectors represent common functionality employed by applications to forward an incoming request to an alternate resource. URL redirectors can be abused to provide an attacker’s URL that appears to be endorsed by the legitimate site, tricking victims into believing that they are navigating to a site other than the true destination. (See Content Spoofing)

A person who has the ability to log in to your Sentinel product(s).

A place in an application (either live or in your code) that a hostile person could use to do things that are counter to your best interests.

A unique identifier for this specific vulnerability

A vulnerability may be:

Vulnerability classes provide a means to sort vulnerabilities by broad types. Application Misconfiguration, Clickjacking, Path Traversal, and Session Fixation are examples of vulnerability classes. Some of these vulnerabilities result from coding errors, and others result from logical errors in the design or business logic of an application. (See www.owasp.org for additional information.)

The application’s server allows the use of weak SSL/TLS ciphers. The server should not allow ciphers weaker than 128 bits and using signed certificates (using SHA-1 hash).

Occurs when an application permits an attacker to illegally obtain, change or recover another user’s password. This happens when the information required to validate a user’s identity for recovery is either easily guessed or can be circumvented. Password recovery systems may be compromised through the use of brute force attacks, inherent system weaknesses, or easily guessed secret questions.

WhiteHat Dynamic is a highly scalable Software-as-a-Service platform for dynamic application security testing (DAST). WhiteHat Dynamic provides: Continuous, concurrent assessments Verified, actionable results Unlimited access to security experts Reporting and Intelligence metrics to support business risk management

This attack takes advantage of some XML parsers' parsing process. The attacker provides a malicious XML document, which vulnerable XML parsers process in an inefficient manner, resulting in severe CPU load. The essence of the attack is to include many attributes in the same XML node, resulting in a denial of service condition.

This attack exploits a capability of XML DTDs that allows the creation of custom macros, called entities. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve them, resulting in a denial of service condition.

This attack takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data; alternately, referrals may compromise the security of the data that the server/XML application has access to.

An attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application. Furthermore, XML injection can cause the insertion of malicious content into the resulting message/document.

An attack technique that exploits applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.

This attack is a variant of the classic SQL injection attack against the XML XQuery Language. XQuery Injection uses improperly validated data that is passed to XQuery commands.