Vulnerabilities I am seeing in Summer 2022

I am seeing a couple of vulnerabilities floating around out there that are higher risk than they used to be. They are what attackers are going after, since the AppSec focus in both backend and frontend libraries is preventing a lot of code injection errors (which is a good thing, don't get me wrong).

Security Headers

It is amazing what attackers can do with missing security headers these days. I recommend securityheaders.com to test your site. Even if you don't go to a full Content Security Policy, there is a lot that can, and should, be done.

Supply Chain Attacks

Everyone read about leftpad, right? Well, libraries calling libraries in the build is becoming a real problem these days. I recently tested a smallish application that had 60 separately hosted JavaScript libraries (!). The best bet is to cut down on library use, if at all possible. Barring that, consider downloading and hosting the libraries locally and updating them occasionally after review; this helps your CI/CD process as well. Another option: if you are lucky enough to have a Veracode instance, it will check the libraries against known vulnerable JavaScript for you on build. Works pretty well, too.

Flooding Protection

This is a little outside of AppSec and almost goes into networking. I have noticed that a whole lot of login pages let me throw 30,000 tries at them in just a few seconds, and this is no good. If you get to six bad tries, you should add a CAPTCHA to the login form. Unfortunately, Google has taken over reCAPTCHA, which was open source for a long time. There is still a free version, and I still recommend it, but Google ... doesn't have the best reputation with projects like this. Let's hope it works out. If you have a favorite CAPTCHA, leave it in the comments below!
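A login gate of the kind described above, as an added example that is not from the post: it counts failed attempts per account over a sliding window and refuses to even check the password once the sixth failure is reached unless a CAPTCHA has been solved. `LoginThrottle`, `attempt_login`, the 15-minute window and the sample account are assumptions; the CAPTCHA verification itself is whatever service you use, passed in here as a boolean.

```python
import time
from collections import defaultdict, deque

CAPTCHA_AFTER = 6         # failed tries before the form demands a CAPTCHA
WINDOW_SECONDS = 15 * 60  # failures older than this no longer count (assumed)


class LoginThrottle:
    """Per-account failed-login counter over a sliding window (assumed class).
    Keyed by username, not source IP, so rotating addresses does not dodge it."""
    def __init__(self, threshold=CAPTCHA_AFTER, window=WINDOW_SECONDS, clock=time.monotonic):
        self.threshold, self.window, self.clock = threshold, window, clock
        self._failures = defaultdict(deque)  # username -> failure timestamps

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return q

    def captcha_required(self, key):
        return len(self._recent(key, self.clock())) >= self.threshold

    def record_failure(self, key):
        now = self.clock()
        self._recent(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)  # a clean login resets the counter


def attempt_login(throttle, username, password, captcha_ok, check_password):
    """Returns 'captcha_required', 'bad_password' or 'ok'."""
    if throttle.captcha_required(username) and not captcha_ok:
        # Refuse before the password check: no hashing cost, no password oracle.
        return "captcha_required"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad_password"


def demo(clock=lambda: 0.0):
    """Constructed scenario: six bad guesses, then the right password without and with a CAPTCHA."""
    creds = {"alice": "correct horse battery staple"}  # constructed account
    throttle = LoginThrottle(clock=clock)
    check = lambda u, p: creds.get(u) == p
    out = [attempt_login(throttle, "alice", "guess", False, check) for _ in range(6)]
    out.append(attempt_login(throttle, "alice", creds["alice"], False, check))
    out.append(attempt_login(throttle, "alice", creds["alice"], True, check))
    return out
```

Pair this with a second throttle keyed by source address if you also want to slow down an attacker spraying one password across many accounts.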

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites