Harsh Bothra
Mar 29 · 15 tweets · 2 min read
#SecurityExplained S-88: CWE Top 25: CWE-732: Incorrect Permission Assignment for Critical Resource

The product defines permissions for a security-critical resource so that unwanted actors can read or modify it.

1/n
2/n
When a resource's permissions are set to allow access to a broader range of actors than is required, sensitive information may be exposed, or undesired parties may modify the resource.
3/n

This is very risky when the resource is tied to program configuration, execution, or sensitive user data.
4/n

This flaw originates in the product's architectural security strategy. The developer may make assumptions about the product's operating environment, such as that the software runs on a single-user system or is only available to trusted administrators.
5/n

Permissions become a concern when the software is run in a different environment.
6/n

So that the program works when the user starts it, the developer may ship it with loose permissions to reduce difficulties, then add documentation saying that the permissions should be tightened.
7/n

However, because system administrators and users do not always read the documentation, the insecure permissions may be left in place.
8/n

# Example:
This code creates a new user's home directory and makes that user the directory's owner. If the user cannot be made the owner of the new directory, the directory is removed.

Example Language: PHP
9/n

The directory is created with the default permissions 0777 because the optional "mode" argument is absent from the call to mkdir(). Setting the new user as the directory's owner does not modify the directory's permissions, which remain at the default.
10/n

By default, any user can therefore read and write to the directory, exposing the user's files to disclosure and tampering.
11/n
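The createUserDir() pattern the thread describes, written out as an added example (not the thread's or CWE's own code) next to a hardened version; mkdir()'s default mode is only masked by the process umask, and chown() never touches the mode bits. The base path and username are constructed inputs, and the caller is assumed to be privileged enough to chown().

```php
<?php
// Added example (not the thread's own code): the weak pattern next to a
// hardened one. Base path and username are constructed inputs; chown()
// requires sufficient privilege.

// Weak: mkdir() without a mode falls back to 0777, reduced only by the
// process umask. chown() changes the owner and leaves the mode untouched.
function createUserDirWeak(string $base, string $username): bool {
    $path = $base . '/' . $username;
    if (!mkdir($path)) {
        return false;
    }
    if (!chown($path, $username)) {
        rmdir($path);
        return false;
    }
    return true;
}

// Hardened: request 0700 at creation, then chmod() explicitly because the
// mkdir() mode is still subject to umask and some filesystems ignore it.
function createUserDirSafe(string $base, string $username): bool {
    $path = $base . '/' . $username;
    if (!mkdir($path, 0700)) {
        return false;
    }
    if (!chown($path, $username) || !chmod($path, 0700)) {
        // Never leave a half-configured directory behind.
        rmdir($path);
        return false;
    }
    return true;
}

// Permission bits of a path (e.g. 0700) for verification after creation.
function modeOf(string $path): int {
    clearstatcache(true, $path);
    return fileperms($path) & 0777;
}
```

After calling either function, modeOf() on the new directory shows the difference: the weak version typically yields 0755 or 0777 depending on umask, the hardened one always 0700.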

# Potential Impact:

An attacker may be able to destroy or corrupt essential data in the related resource, such as entries in a database.
12/n

An attacker could exploit this vulnerability to read private information from the connected resource, such as credentials or configuration information stored in a file.
13/n
To obtain privileges, an attacker may change crucial attributes of the related resource, for example by replacing a world-writable executable with malware.
14/n
# Mitigations:
Verify whether a critical resource, such as a configuration file, has insecure permissions (such as being editable by any regular user), and generate an error, or even quit the software, if there is a chance that an unauthorized person has modified the resource.
n/n
Run the code in a "jail" or similar sandbox environment where strict boundaries separate the process from the rest of the operating system.
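An added example (not the thread's code) of the startup check described in the mitigations: a PHP routine that refuses to load a configuration file that is a symlink, is owned by the wrong user, or is readable or writable by anyone other than its owner. The config path, the expected owner (the current effective uid) and the availability of the posix extension are assumptions.

```php
<?php
// Added example (not the thread's own code): fail-closed permission audit of
// a critical file before it is trusted. Path and expected owner are assumed.

// Returns a list of problems found; an empty list means the file looks safe.
function auditCriticalFile(string $path, int $expectedUid): array {
    $problems = [];
    $stat = @lstat($path);   // lstat: inspect the entry itself, not a link target
    if ($stat === false) {
        return ["$path does not exist or is unreadable"];
    }
    $mode = $stat['mode'];
    // A symlink can be retargeted by whoever controls the containing directory.
    if (($mode & 0170000) === 0120000) {
        $problems[] = "$path is a symbolic link";
    }
    if ($stat['uid'] !== $expectedUid) {
        $problems[] = sprintf('%s is owned by uid %d, expected %d',
                              $path, $stat['uid'], $expectedUid);
    }
    // Group- or world-writable: other accounts can alter what we will load.
    if ($mode & 0022) {
        $problems[] = sprintf('%s is writable by group/others (mode %04o)',
                              $path, $mode & 0777);
    }
    // World-readable: configuration often carries credentials.
    if ($mode & 0004) {
        $problems[] = sprintf('%s is readable by others (mode %04o)',
                              $path, $mode & 0777);
    }
    return $problems;
}

// Fail closed: abort before parsing anything from a possibly tampered file.
function loadConfigOrDie(string $path): array {
    $problems = auditCriticalFile($path, posix_geteuid());
    if ($problems !== []) {
        fwrite(STDERR, "Refusing to start:\n  " . implode("\n  ", $problems) . "\n");
        exit(1);
    }
    return parse_ini_file($path, true) ?: [];
}
```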
