Friday, December 27, 2013

Bug vs. Vulnerability

In last few years it is discovered that 9 out of 10 sites are vulnerable to possible security breach and some of them are easily exploitable as well. We are seeing rise in attack patterns on application layer accessible over HTTP (Hyper Text Transfer Protocol) using port 80 and 443. It is observed that 70% of cyber-attacks are happening over web ports and almost 95% companies are hacked through these ports in reported breaches. It is amazing to see more and more attacks are targeted to web ports and application layer. Fundamental reasons behind attacking these ports are obvious, one is availability of ports and second it is running with high value information which can be leveraged by an attacker.
We need to analyze top vulnerabilities pointed by different bodies to identify its root cause. At this point SQL injection and Cross Site Scripting (XSS) are top two vulnerabilities getting discovered on online sites or applications along with other vulnerabilities like path traversal, server side injections, information leakage or HTTP response splitting. The root cause of both SQL injection and XSS is insecure source written by developer. This poorly written source code gets exploited by an attacker to fulfill its malicious intent. Insecure code can range from having poor or no input validation to erroneous exception handling. Hence, one can conclude that insecure application code gives rise to vulnerability and an opportunity for an attacker to compromise an application. It is a rising threat for corporate world wide and needs better response to nail down these sorts of application layer vulnerabilities.
It is practically impossible to write an application without any bug. Bug is a developer’s mistake which gives rise to unexpected result or behavior in the application.
Figure 1 – Bug vs. Vulnerability
Bugs can be of different types like feature misbehavior, data access errors, logical issue etc. All bugs are not related with security but some of them are. These bugs which are related with security become root cause for vulnerability as shown in figure 1. As shown in the figure we have application layer security control in place but bug in application asset opens up a control and that gives rise to vulnerability. This vulnerability gets leveraged by an attack agent by crafting an exploit which eventually compromise the application and related assets in the corporate.
For example as shown in figure 2, developer has created a data access component in your enterprise application where he/she expected that input which is going to be passed by end user is going to be integer or number value always. Developer has provided exception handler for value falling into A to Z character set but no precaution is taken for meta-characters or any other special characters. This value is passed to database with a SQL query.
Figure 2 – State diagram for vulnerable application
Now this assumption itself has a defect in thinking and that generates a bug in the application routine. If an attack agent sends non integer/number value using special characters as input then application is going to behave in unintended fashion and leads to vulnerable state. This is when bug gets converted into vulnerability. This vulnerability can be exploited by an attacker to get unauthorized access by doing SQL injection.
Hence, bug and vulnerability are siblings in the source code and it brings risk into your application layer. Here is a list of important bug layers which gets converted into exploitable vulnerabilities:
Design and Architect layer bug – These bugs are very hard to fix and it comes into existence when at architecture or design layer some bad decisions are made. For example, authentication and authorization strategies are not designed in right fashion and it has a flaw which can be exploited by an attacker or cryptographic issues on the application layer.
Validation layer bug – This layer of bugs are at development layer when an input taken and consumed by application without any sanitizations then it has potential to break application and leads to a state where exploitation is possible either by various different means like information leakage or access escalation.
Logical layer bug – Logical bugs are very interesting to find and fix, these bugs come into existence when an actual implementation of the application is having logical coding error. It can leads to access level issue or flaw in business logic itself. It can cause devastation at application layer. These bugs are usually discovered while doing manual assessment.