Insecure designs are problems in the architecture and design of an application that can lead to security vulnerabilities.
Description: Ignoring security during the design or development phase of an application.
Example: Necessary security measures are not included in the planning and implementation of the application, resulting in vulnerabilities.
Description: Improper management of access to functions and data.
Example: Lack of access segmentation or protection of sensitive data, allowing unauthorized users to gain access to critical functions.
Single Entry Point, or Front Controller, is an architectural pattern where all requests to a web application go through a single access point. This provides centralized processing of requests, simplifying security and routing controls.
In frameworks like Symfony, Laravel, and Yii2, this pattern is implemented through a single file, such as index.php, that handles all requests to the application.
If the Front Controller is configured incorrectly or contains vulnerabilities, attackers can try to bypass it or use it for attacks, gaining access to files or directories without passing through the main control mechanism. Such situations typically arise from an incorrect server configuration that allows direct access to files that should be reachable only through the Front Controller.
curl http://target-site.com/config.php
If there are errors in the routing, attackers can try to manipulate the routes to access unwanted parts of the application.
curl http://target-site.com/index.php?controller=Admin&action=editUser&id=1
Query parameters passed to the Front Controller can be manipulated to trigger actions the user should not be able to perform.
curl http://target-site.com/index.php?module=User&action=delete&id=1
Attackers can look for vulnerabilities in the code that handles requests through the Front Controller, such as SQL injection or other input-based attacks.
curl http://target-site.com/index.php?search=' OR '1'='1
Basic principles:
Minimize open ports: Only necessary ports should be available to users. For example, the ports for the web server (80/443 for HTTP/HTTPS) or the port for the database (if needed).
Limit access to critical ports: Some ports, such as port 22 for SSH, should be open only on demand or accessible only from an isolated environment, such as through a VPN or from specific IP addresses.
Monitoring and auditing: Continuous monitoring of open ports and auditing of settings help to detect and close unnecessary ports in time.
Firewall rules: Use firewall rules to restrict access to ports, allowing access only for certain services and only from certain IP addresses.
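The "monitoring and auditing" principle above is easiest to apply when the list of ports a host is supposed to expose is written down and checked against what is actually listening. The following script is an added example, not part of the original page: it parses output in the layout of `ss -lntu` (the sample below is constructed, not captured from a real host) and compares every listening socket with a hypothetical allow-list that records, per protocol and port, which bind addresses are acceptable. A port absent from the list, a restricted port bound to all interfaces, or a port bound to an unexpected address is reported as a finding.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of `ss -lntu` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
tcp   LISTEN 0      511           0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511           0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      80          127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      80       192.168.1.10:3306       0.0.0.0:*
tcp   LISTEN 0      128           0.0.0.0:6379       0.0.0.0:*
udp   UNCONN 0      0             0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128              [::]:22            [::]:*
"""

# Hypothetical allow-list: (protocol, port) -> bind addresses that are acceptable.
# "ANY" means the service may listen on all interfaces (the public web ports).
Policy = Dict[Tuple[str, int], Set[str]]
POLICY: Policy = {
    ("tcp", 80): {"ANY"},
    ("tcp", 443): {"ANY"},
    ("tcp", 22): {"10.0.0.5"},      # SSH only on the VPN-facing address (assumed)
    ("tcp", 3306): {"127.0.0.1"},   # database only on loopback
}

# Netid, State, Recv-Q, Send-Q, then the "address:port" of the local socket.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

Listener = Tuple[str, str, int]       # (proto, bind address, port)
Finding = Tuple[str, int, str, str]   # (proto, port, bind address, reason)


def parse_listeners(text: str) -> List[Listener]:
    """Extract (proto, address, port) from ss-style output; header and blank lines are skipped."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), m.group(2), int(m.group(3))))
    return listeners


def is_wildcard(addr: str) -> bool:
    """True when the socket is bound to every interface (IPv4 or IPv6)."""
    return addr in ("0.0.0.0", "[::]", "*")


def audit(listeners: List[Listener], policy: Policy) -> List[Finding]:
    """Report every listener that the allow-list does not explicitly permit."""
    findings: List[Finding] = []
    for proto, addr, port in listeners:
        allowed = policy.get((proto, port))
        if allowed is None:
            findings.append((proto, port, addr, "not-allowed"))
        elif "ANY" in allowed:
            continue
        elif is_wildcard(addr):
            findings.append((proto, port, addr, "wildcard-bind"))
        elif addr not in allowed:
            findings.append((proto, port, addr, "wrong-address"))
    return findings


if __name__ == "__main__":
    for proto, port, addr, reason in audit(parse_listeners(SAMPLE_SS_OUTPUT), POLICY):
        print(f"{proto}/{port} bound to {addr}: {reason}")
```

Run against real output with `ss -lntu | python3 audit_ports.py` after replacing the sample with `sys.stdin.read()`; the allow-list is the part that has to be maintained, which is exactly the point of the principle: a port that nobody can justify in the list is a port to close.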
Attackers use tools such as Nmap to scan the network and detect open ports. This is the first step in attacks on open ports.
nmap -p- target-ip
After detecting open ports, attackers can try to exploit vulnerabilities in the corresponding services.
hydra -l username -P password_list.txt ssh://target-ip
Open ports can be used to carry out Denial of Service (DoS/DDoS) attacks aimed at overloading the resource.
An attacker can use an open port to create a tunnel and access internal resources that are not normally accessible from the outside.
ssh -L 8080:localhost:80 user@target-ip
Deny by Default and Fail Early are principles of application development and security: the system automatically blocks access or the execution of actions if the necessary conditions are not met, and stops code at an early stage when errors or problems are detected. This helps minimize risks and increases system reliability.
Deny by Default:
All actions and accesses should be denied by default, and only after the necessary checks have been successfully passed are actions or access allowed. This approach minimizes the risk of accidental or unauthorized access.
Fail Early:
When an error or incorrect state is detected, the system must stop further execution immediately to avoid further problems or possible attacks.
Attacks on systems with incorrect implementation of these principles
If the system has hidden routes or functions that do not have explicit access checks, an attacker can gain access to them using a direct request.
curl -X POST https://target-app.com/hidden-route
If authentication is not checked at every stage of a process, an attacker can keep a session open and reuse it for an attack.
An attacker can attempt to perform administrative actions through the standard user interface if the system does not validate roles and permissions properly.
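The Front Controller section above and the Deny by Default / Fail Early principles describe the same mechanism from two sides: a single entry point that routes only what is explicitly registered, checks authorization before doing any work, and rejects malformed input before a handler runs. The dispatcher below is an added example written for this page, not code from Symfony, Laravel or Yii2 (those are PHP; the pattern is shown here in Python). The request model, the `ROUTES` table and the handlers are constructed for the example. It covers the three attack cases listed above: a request that does not go through the entry point, a hidden or unregistered route, and an administrative action attempted with a standard user's roles.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Tuple


# Constructed request model for this example.
@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    roles: FrozenSet[str] = frozenset()


class BadRequest(Exception):
    pass


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Handlers are reachable only through the route table below.
def list_users(req: Request) -> str:
    return "users listed"


def delete_user(req: Request) -> str:
    return f"user {req.params['id']} deleted"


# Route table: (controller, action) -> (roles that may call it, params that must be
# decimal integers, handler). Anything absent from this table is a 404: there is no
# fall-through that maps a "controller" parameter to an arbitrary class or file.
Route = Tuple[FrozenSet[str], FrozenSet[str], Callable[[Request], str]]
ROUTES: Dict[Tuple[str, str], Route] = {
    ("User", "list"): (frozenset({"user", "admin"}), frozenset(), list_users),
    ("User", "delete"): (frozenset({"admin"}), frozenset({"id"}), delete_user),
}

FRONT_CONTROLLER = "/index.php"


def dispatch(req: Request) -> str:
    # 1. Only the single entry point is routed. The web server must enforce the same
    #    rule so that files such as config.php are never served directly.
    if req.path != FRONT_CONTROLLER:
        raise NotFound("not routed")
    # 2. Deny by default: the route must be explicitly registered.
    key = (req.params.get("controller", ""), req.params.get("action", ""))
    if key not in ROUTES:
        raise NotFound("unknown route")
    allowed_roles, int_params, handler = ROUTES[key]
    # 3. Authorization before any work: the caller needs at least one permitted role.
    if not (req.roles & allowed_roles):
        raise Forbidden("role not permitted for this action")
    # 4. Fail early: required parameters must be present and well-formed before the
    #    handler runs, so "1 OR 1=1" never reaches a query.
    for name in int_params:
        if not req.params.get(name, "").isdigit():
            raise BadRequest(f"parameter {name!r} must be a decimal integer")
    return handler(req)


def handle(req: Request) -> Tuple[int, str]:
    """Map the outcome to an HTTP-style status so callers (and tests) can check it."""
    try:
        return 200, dispatch(req)
    except BadRequest as e:
        return 400, str(e)
    except Forbidden as e:
        return 403, str(e)
    except NotFound as e:
        return 404, str(e)


if __name__ == "__main__":
    admin = frozenset({"admin"})
    print(handle(Request("/config.php")))
    print(handle(Request(FRONT_CONTROLLER, {"controller": "User", "action": "delete", "id": "1"}, admin)))
```

The order of the checks is deliberate: the route lookup and the role check happen before any parameter is interpreted, so an unauthorized caller learns nothing about how the handler validates its input, and a registered route without an entry in `allowed_roles` is unreachable rather than open.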
Whitelist and Blacklist are important methods for managing access and restricting actions in systems.
Whitelist: Includes only those items that are allowed. Everything else is automatically prohibited. This is an approach that provides a higher level of security because it clearly defines what can be done.
Blacklist: Includes only those items that are prohibited. Everything else is automatically allowed. This is a less reliable approach because it does not cover all possible threats.
If only certain extensions are disallowed in the blacklist (e.g. .php), an attacker can upload a file with another extension that can still be executed on the server (e.g. .phtml, .php5).
curl -X POST https://target-app.com/upload -F "[email protected]"
If the system allows certain types of files to be uploaded (such as images), an attacker can embed malicious code in the file's metadata. Example: embedding JavaScript in an image's metadata, which becomes an XSS attack if the application later renders that metadata without encoding.
An attacker can try to use non-standard or new extensions that are not included in the whitelist but can still be executed on the server. Example: uploading a file with a .phar extension, which some server configurations execute as PHP.
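The upload cases above can be reproduced side by side. The following is an added example, not code from the original page: `blacklist_check` implements the weak approach exactly as described (refuse only `.php`), and `allowlist_check` implements the whitelist approach with the three extra checks a practitioner wants on an image endpoint: a closed set of extensions compared case-insensitively, rejection of double extensions such as `shell.php.jpg`, and a comparison of the file's leading bytes with the well-known signature for the claimed type. The extension sets, the file names and the byte strings are constructed for the example; `storage_name` shows the further habit of never saving a file under its client-supplied name.

```python
import os
import secrets
from typing import Dict, Tuple

# Blacklist as described on the page: only ".php" is refused.
PHP_BLACKLIST = {".php"}

# Allow-list for an image upload endpoint, paired with the well-known file signatures.
IMAGE_MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def blacklist_check(filename: str) -> bool:
    """Accept unless the extension is on the blacklist (the weak approach)."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in PHP_BLACKLIST


def allowlist_check(filename: str, content: bytes) -> Tuple[bool, str]:
    """Accept only a known extension whose content starts with the matching signature."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any path components
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    if "." in root:
        # Blocks "shell.php.jpg" style names. Deliberately stricter than strictly
        # necessary: an inner extension is never needed for an image upload.
        return False, "multiple extensions"
    if not any(content.startswith(sig) for sig in IMAGE_MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Never store under the client-supplied name: random name plus the validated extension."""
    return secrets.token_hex(16) + ext.lower()


def accept_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Validate the upload; on success return the name it should be stored under."""
    ok, reason = allowlist_check(filename, content)
    if not ok:
        return False, reason
    return True, storage_name(os.path.splitext(filename)[1])


if __name__ == "__main__":
    # The blacklist lets every alternative PHP extension through; the allow-list does not.
    for name in ("shell.php", "shell.phtml", "shell.php5", "app.phar", "shell.php.jpg"):
        print(f"{name:14} blacklist={blacklist_check(name)!s:5} "
              f"allowlist={allowlist_check(name, b'<?php')}")
```

The signature check only proves that the file begins like an image; it says nothing about what is stored in EXIF or other metadata, so the metadata case above still needs the image to be re-encoded on the server (which discards metadata) and served with the correct Content-Type from a location where nothing is executed.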