Home / Companies / StackHawk / Blog / August 2021

August 2021 Summaries

8 posts from StackHawk

Filter
Month: Year:
Post Summaries Back to Blog
Rust, despite its reputation for robust security features, is not immune to command injection attacks, where hackers exploit vulnerabilities to execute commands on the operating system hosting the application. This type of attack is akin to a shell attack and differs from remote code execution as it targets the OS rather than the application server. The blog post highlights how Rust applications can be susceptible to such attacks, providing examples where user inputs can be manipulated to execute unintended commands on the host system. It emphasizes the importance of implementing best practices to mitigate these vulnerabilities, such as using kill methods to terminate processes and blocking arbitrary commands from being parsed. The post also suggests utilizing Rust's open-source resources and packages, like those found in cargo, to fortify applications against various security threats, including command injections. Continuous testing and incorporating security-focused practices in development are recommended to enhance the resilience of Rust applications against such exploits.
Aug 27, 2021 1,320 words in the original blog post.
SQL injection (SQLi) attacks are a significant threat to web applications, including those built with Java, due to their potential to manipulate database queries by injecting unauthorized SQL code. These attacks exploit vulnerabilities in applications that concatenate raw user input into SQL queries, allowing attackers to access, modify, or delete sensitive data. To prevent SQLi, developers should avoid trusting user input by using techniques such as parameterized queries or prepared statements, which separate query logic from user-supplied data. Additional preventative measures include leveraging Java's type system, employing input validation via allowlists, and practicing the principle of least privilege by limiting database user permissions. While object-relational mapping (ORM) tools can aid in reducing SQLi risks, they are not foolproof, and developers must remain vigilant about potential vulnerabilities. Overall, implementing these strategies helps safeguard applications from SQL injection attacks and other security threats.
Aug 26, 2021 1,533 words in the original blog post.
Go, often referred to as Golang, is a programming language developed by Google, known for its memory safety and concurrency features, particularly useful for distributed systems and microservices. Despite its strengths, Go is not immune to vulnerabilities such as cross-site request forgery (CSRF), which can exploit web applications by altering server-side states using forged requests. The article explains CSRF in the context of Golang applications, highlighting how attackers can manipulate the system to perform unauthorized actions, like redirecting payments in a hotel booking app. The piece also discusses popular Go frameworks like Gorilla and Gin, which offer middleware solutions to mitigate CSRF risks by obfuscating authentication cookies or using secret variables. The article suggests that understanding and implementing such security measures is crucial for developers to protect Go applications against potential CSRF attacks, emphasizing the importance of incorporating security practices from the start of a project.
Aug 20, 2021 1,312 words in the original blog post.
The text explores the concept of open redirect vulnerabilities, which occur when a website's URL redirection feature can be manipulated by users, potentially leading to phishing attacks. It explains that such vulnerabilities allow attackers to redirect users to malicious websites that mimic trusted ones, posing risks of credential theft. The document provides a practical example using a Node.js application, demonstrating how an attacker could exploit this vulnerability. It further discusses various mitigation strategies, including removing the redirect feature, using an allowlist of acceptable redirect paths, and ensuring redirections remain within the same domain. These methods aim to enhance security by controlling where a user can be redirected, thereby reducing the risk of exploitation.
Aug 13, 2021 2,100 words in the original blog post.
The new StackHawk code scanning integration with GitHub enhances developers' ability to integrate security testing into their CI pipelines by adding dynamic application and API security testing (DAST) directly within GitHub's security testing ecosystem. This integration allows developers to run security tests on applications and APIs whenever code is checked in, providing immediate notifications of vulnerabilities through the GitHub security tab. The integration aims to streamline the remediation process by allowing developers to address security issues swiftly, reducing the feedback cycle, and ensuring secure code delivery. With a straightforward configuration process that involves setting up a GitHub Actions workflow and configuring StackHawk YAML files, developers can efficiently incorporate StackHawk into their existing workflows. The integration supports customizable settings, including failure thresholds for notifications, and uses GitHub's secrets management for storing API keys, enabling continuous security testing with minimal overhead.
Aug 13, 2021 1,020 words in the original blog post.
Cross-Origin Resource Sharing (CORS) is a crucial security mechanism in web browsers that prevents unauthorized access to resources across different domains unless explicitly permitted by the server. It is a common challenge for developers working with web applications, particularly when testing locally or interacting with remote APIs, as CORS errors often arise. These errors occur when a web application from one domain attempts to fetch resources from another without proper authorization, typically requiring configuration of the Access-Control-Allow-Origin header on the server side. While tools like CURL and Postman can bypass CORS, browsers enforce these restrictions to enhance security. In Vue.js applications, developers can temporarily circumvent CORS issues by configuring a proxy in the vue.config.js file, although this method can pose security risks. Debugging CORS errors involves examining the developer console in the browser to identify issues related to mismatched domains or ports. Fixing CORS errors usually requires collaboration with back-end developers to adjust server settings, but caution is advised to avoid compromising security by indiscriminately allowing access with wildcards.
Aug 10, 2021 1,270 words in the original blog post.
Command injection is a critical cybersecurity threat that allows attackers to execute arbitrary shell commands on a server, potentially gaining complete control over a system. This form of attack is more dangerous than typical injection attacks as it provides attackers with elevated privileges, enabling them to access sensitive information, modify or delete files, and execute harmful commands. The text uses a React and NodeJS application as an example to illustrate how command injection can occur when a back-end server directly executes commands based on user input without proper validation. To mitigate such risks, developers should refactor their code to avoid using hardcoded file names directly in commands, employ more secure functions like execFile instead of exec, and implement stringent input validation to detect and prevent malicious query parameters. While client-side validations are essential, robust server-side protections are crucial for comprehensive security. The author, Siddhant Varma, emphasizes the importance of secure coding practices and routine code reviews to safeguard applications against command injection attacks.
Aug 06, 2021 1,752 words in the original blog post.
SQL injections remain a prevalent and dangerous security threat due to insufficient protection measures, even in the Go programming language, despite its popularity and strong backing. SQL injections allow unauthorized users to manipulate database queries, potentially accessing, altering, or deleting sensitive information. The post emphasizes the importance of understanding SQL injections and how they operate, providing a detailed guide on safeguarding Go applications through parameterized queries, which prevent attack vectors by ensuring proper query formation. It highlights the necessity of using the appropriate database drivers and packages in Go for implementing parameterized queries. The article also underscores the broader need for education in security practices, advocating for security training, adopting techniques like the principle of least privilege, and using automated tools for threat detection in CI/CD pipelines. By staying informed and applying these best practices, developers can significantly mitigate the risks of SQL injections and other vulnerabilities.
Aug 05, 2021 1,289 words in the original blog post.