- Comments in Source Code: Developers sometimes include sensitive information, such as passwords or API credentials, in the comments of their source code. Attackers can leverage this information if they find it.
- Lack of Error Handling and Overly Verbose Error Handling: Improper error handling can provide valuable information to attackers. Detailed error messages, including error codes, database dumps, and stack traces, can reveal potential vulnerabilities in the application.
- Hard-Coded Credentials: Hard-coded credentials in an application can allow attackers to compromise the application or the underlying system. This practice is a catastrophic flaw that should be avoided.
- Race Conditions: A race condition occurs when a system or application attempts to perform multiple operations simultaneously even though they must be done in a specific sequence to be done correctly. An attacker exploiting a race condition works within the small window of time between a security control taking effect and the attack being performed.
- Unprotected APIs:
- Hidden Elements: Web application parameter tampering attacks can be carried out by manipulating hidden form fields. Attackers may attempt to modify the values stored in these fields to manipulate application data.
- Lack of Code Signing: Code signing is the process of adding a digital signature to software to verify its authenticity and integrity. Lack of code signing allows attackers to modify and potentially impersonate legitimate applications.
- Additional Web Application Hacking Tools: Web proxies, such as Burp Suite and OWASP ZAP, are commonly used by ethical and malicious hackers to exploit web application vulnerabilities. These tools intercept, modify, or delete transactions between a web browser and a web application. Other tools like DirBuster, gobuster, ffuf, and feroxbuster can be used for reconnaissance and enumeration of files and directories in web applications.
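
The Hidden Elements item above can be countered by having the server check that a hidden field comes back unchanged. The following is an added example, not code from the course: the function names, the `price` field and the session ids are hypothetical, and it assumes the server keeps a secret key and a per-user session id.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: generated at startup; production loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def field_tag(session_id: str, name: str, value: str) -> str:
    """HMAC-SHA256 over session, field name and value (hypothetical helper)."""
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(p).to_bytes(4, "big") + p
        for p in (session_id.encode(), name.encode(), value.encode())
    )
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden(session_id: str, name: str, value: str) -> str:
    """Emit the hidden field plus a companion field carrying its MAC."""
    n, v = html.escape(name, quote=True), html.escape(value, quote=True)
    tag = field_tag(session_id, name, value)
    return (
        f'<input type="hidden" name="{n}" value="{v}">'
        f'<input type="hidden" name="{n}_mac" value="{tag}">'
    )


def verify_hidden(session_id: str, name: str, form: dict) -> str:
    """Return the submitted value only if its MAC still matches."""
    value = form.get(name, "")
    supplied = form.get(f"{name}_mac", "")
    expected = field_tag(session_id, name, value)
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        raise ValueError(f"hidden field {name!r} failed integrity check")
    return value


if __name__ == "__main__":
    sid = "sess-constructed-1"  # constructed sample values throughout
    form = {"price": "49.99", "price_mac": field_tag(sid, "price", "49.99")}
    print(verify_hidden(sid, "price", form))  # unmodified form passes
    form["price"] = "0.01"  # value changed in transit
    try:
        verify_hidden(sid, "price", form)
    except ValueError as exc:
        print("rejected:", exc)
```

Where possible, keep values such as prices on the server and look them up at submit time; the MAC is for fields that must round-trip through the browser.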
Overall, these practices highlight various vulnerabilities that attackers can exploit, and it is essential to address them to ensure the security of applications and systems.
Source: Cisco Certified Ethical Hacker Course