What are the 4 main types of vulnerability in cybersecurity?

After all these years of experience in penetration testing if someone asks me what is the 4 main types of vulnerability in cybersecurity? My answer would be as following.

Here is the list of the 4 main types of vulnerabilities in cybersecurity:

• Injections
• Authorization based
• Sensitive data exposure
• Business logic based

Injections

One of the most dangerous types of vulnerabilities that a hacker could find in your website is the Injections. An injection vulnerability is a type of application flaw where the attacker tries to inject some malicious code into the legitimate application source code.

Doing so, give allows the attacker to manipulate the application logic or perform some malicious actions on both the application backend and front end.

Here is a list of some very common Injections vulnerabilities on the web:

SQL injection

SQL injection vulnerability happens when the application fails to verify the user inputs before injecting them directly in a legitimate SQL request. Unfortunately, most people think that the impact of this vulnerability is limited to data alteration and leak. However, advanced exploitation of this vulnerability could go as deep as full control over the hosting server.

Most of the developers and clients I worked with, was thinking that this vulnerability is over and that SQL injection does not work anymore. Unfortunately, this vulnerability still exists and it is just getting rarer as the new frameworks help developers to avoid it. I have written a nice series of blog posts about how to prevent this vulnerability in the three most used frameworks on the web, PHP, JEE, and ASP.NET.

These posts have also detailed directions on how to fix this vulnerability in the frameworks used in the three technologies, like Laravel and others.

LFI

Local file inclusion is also one of the most critical and common vulnerabilities on the web. This vulnerability happens when the web application fails to validate the user input before injecting it directly in a file call function. Unfortunately, this vulnerability is not very popular among developers even if it has a very dangerous impact that could reach the system full control in some situations.

It’s true that this vulnerability is getting rarer due to the use of the new development technologies, but it does not mean they have been eradicated and I keep finding it in many web applications.

XSS

Cross-site script (XSS) happens when the application does not filter the user input before displaying it on a legitimate HTML page. The idea of this vulnerability is to try to inject malicious Javascript code into a legitimate page. Unfortunately, the impact of this vulnerability is underestimated, as most of the time, people think that the maximum impact of this vulnerability is to steal user sessions. However, in some more advanced exploitation, this vulnerability could be used to take full control over the client machine.

I have written a blog post about this vulnerability and how you can avoid it in PHP, basically, it’s the same thing in the other ones too, and you just need to find the right syntax to do it.

Most of those vulnerabilities lead to a remote code execution which means full control over the webserver. Fortunately, most of these vulnerabilities could easily be detected using automated tools at the development phase. I have talked about the way this can be performed and some of the tools used for this, here and here.

Authorization

Another type of vulnerability that I usually find in web applications is related to authorizations stuff. In most cases, it’s precisely related to a privilege escalation. This type of vulnerabilities could also be considered as a Business logic vulnerabilities as you need to understand the application logic to say which action a simple user is allowed to perform and which is not.

Therefore, these kinds of vulnerabilities are not easily detected using automated tools. However, they can be discovered using a penetration test service, and that’s why I always recommend using both techniques, automated and manual verifications.

An example of authorizations vulnerabilities there is privileges escalations. This vulnerability for example happens when the application fails to verify that the user executing the functionality has the right permissions to do it.

Sensitive data exposure

Sensitive data exposure is one of the most easily and manually detected vulnerabilities will performing a penetration test. This vulnerability usually happens when some files with critical information are left accessible to the public on the webserver.

For example, the kind of files we can find is:

• Database backup files
• Configuration files
• Source code backup files
• …

Detecting this vulnerability by the developers is also easy as all they need to do is to look at the publicly accessible folders to see if there are any critical files that should not be there and remove them.

It might seems like this kind of vulnerability is rare and cannot exist, but trust me it is very common and extremely help the hackers to easily get access to the web application or even the server itself.

Business logic

Business logic vulnerabilities are the most complex and difficult to find vulnerabilities. They still cannot be discovered using automated tools and required a deep understanding of the application logic. To better understand this vulnerability I think it’s better to give an example to illustrate the situation.

Let’s say there are three steps in a specific functionality, for example, to perform a transaction, you need to first submit the destination RIB, then submitting the password, and then executing the transaction. A business logic vulnerability in this situation could be submitting the RIB and then directly executing the transaction without any password verification.

I know this illustration is not really common as when we talk about money all the verifications are well performed LOL. But it’s just an example of what a business logic vulnerability may look like.

As I already said, this type of vulnerabilities is difficult to find using automated vulnerability scanners and relies mainly on the penetration tester’s skills and experiences.

Finding the business logic vulnerabilities usually require performing a gray box penetration test and that’s why I recommend this type of penetration test to my clients.

In case these vulnerabilities were very difficult to be fixed in terms of budget, then you need to put in place some security solutions to detect and stop attacks before they reach the app.