Application Security Glossary
A
API Discovery
API discovery is the process of systematically searching through network communication or scanning of the code to find all APIs currently in use or publicly available. Discovery is essential to API security since you can’t protect what you can’t see. Discovery generally results in an API Catalogue that lists all APIs and their various attributes.
API Sprawl
API sprawl is a common issue where API endpoints pop–up without anyone’s knowledge. Old API versions or deprecated APIs may still be available publicly when some may think they’ve been shut down. These issues can happen when building API-first applications with architectures like microservices & mobiles due to developer autonomy and ease of deployment of new services.
API Endpoint
APIs allow distributed applications, services, and network components to communicate. An API endpoint is where that communication occurs. Endpoints are where APIs hook up with resources they need to perform their function.
API Gateway
API gateways are the entry point for client requests in an organization. They facilitate requests, forwarding requests to appropriate service or host, aggregate responses, and handle common functions like authentication, rate limiting enforcement etc.
Application Security
Application security is the discipline of applying right security principles to protect the confidentiality, integrity, and availability of applications and their data.
ATO
ATO, or Account Takeover, is the act of compromising a victim’s account in order to impersonate them to a web application and steal or modify their data. There are several flaws that can lead to ATO, such as poor authentication and authorization implementation, poor password/secret management practices etc. ATO is a dangerous attack and wider implications. It is one of the common attacks faced by online applications and should be a top-priority for development and security teams to prevent.
B
Blue Team
While an organization’s red team uses various tools and techniques to find and exploit vulnerabilities within a company’s software, hardware, and employees, the role of blue team is the opposite. They stand as the defense against red team activities. Blue teams design defensive mechanisms to prevent attack and exploitation. A red team’s output can be fed into the blue team to develop defense strategies to prevent real attackers from compromising the company’s systems and data.
Bots
Bots are software robots that often execute repetitive tasks. They come in many shapes and sizes, including chat bots (for customer service), spider bots, spam bots, and scraper bots. Bots can be good or evil depending on their actions.
Bot Attack
A “bot” is a compromised machine used to attack another application or system. Left on their own, bots can migrate through a network and cause slowdowns, breakdowns, and other unintended consequences. Bots are used to scrape data, break into user accounts, and disrupt systems. Many types of DDoS attacks are performed by armies of bots made up of compromised connected devices. Poor security used on these devices make it easy to compromise and use them to overload an application/website with high volume traffic.
Bot Management Tools
Bot management software authorizes the good bots (machines) and blocks the bad ones (bad actors/machines). Bot Management tools analyze bot behavior, identify a particular bot’s reputation, and rate-limit bot overuse.
Broken Access Control
Authentication is identifying “WHO” is accessing an application. Authorization is enforcing “WHAT” they’re allowed to do while logged in. It’s a critical distinction as broken access control allows attackers to gain access to data or functions they shouldn’t. They can view and/or modify other users’ accounts or steal data. One should look for following:
- Modifying the URL or input parameters to bypass access control checks
- Allowing the request’s ID to be changed to another user’s account.
- Elevation of privilege. Can a user act as an admin by modifying the request?
- APIs with missing access controls for POST, PUT, and DELETE HTTP verbs.
Broken Authentication/Broken User Authentication (BUA)
A flaw allowing an attacker to assume other users’ identities temporarily or permanently by compromising passwords, keys, or session tokens. One should look for:
- Missing authentication.
- Storing passwords in plaintext, or other poorly maintained forms.
- Poor session management.
- Permits brute force or other automated attacks.
- Weak credential recovery processes.
- Missing or ineffective multi-factor authentication.
Broken Function Level Authorization (BFLA)
A flaw allowing an attacker to gain access to other users’ resources and/or admin functions. One should look for:
- Can a regular user access admin endpoints?
- Can a user perform sensitive actions (e.g., creation, modification, or erasure) that they should not have access to by simply changing the HTTP method (e.g., from GET to DELETE)?
- Can a user from group X access a function that should be exposed only to users from group Y, by simply guessing the endpoint URL and parameters (e.g., /api/v1/users/export_all)?
Broken Object Level Authorization (BOLA)
It’s #1 attack technique used by hackers against the APIs. APIs often use object identifiers to access resources. This opens the application to attack by changing the object identifiers in the request to gain unauthorized access to resources. For example, a finance application is vulnerable to BOLA if a user can change the identifier and view another user’s data. Authorization checks must be done on every request to verify that the user requesting the resource has access to that resource.
Bug Bounty Program
Bug bounty programs encourage security professionals to find vulnerabilities in an application in exchange for a reward. Bug bounties use the real-world knowledge of security professionals to find vulnerabilities that internal security teams may miss. Main benefit of such program is that the company pays for results only when a vulnerability is verified.
Business Logic Attack
In a business logic attack, the bad actor uses the legitimate processing flow of an application to gain access and achieve outcome not expected as per the application logic. As these attacks are outside the norm of standard or common authentication exploits, most security solutions have difficulty detecting business logic attacks. The best solutions are those that can understand the application’s underlying business logic so an outlier presence can be detected and blocked. Business logic vulnerabilities should be addressed ideally by deploying security solutions early in the Development Process.
C
Click Fraud
Much of ecommerce is driven by users clicking on websites. Click fraud is the potentially illegal practice of repeatedly clicking on ads or content to artificially drive up traffic counts. Click fraud can be generated by humans or bots. It is mostly used to inflict loses on competitors or jack up traffic statistics of own application.
Client-Side Attacks
Client-side attacks occur when a user downloads malicious content. These attacks initiate from the victim who downloads content from the attacker. Cross-site scripting (XSS), cross-site request forgery (CSRF), drive-by downloads, and phishing are common types of Client-Side attacks.
Cloud-native Security
Cloud-native security is the discipline of securing cloud-native applications. Cloud-native technologies have many benefits, but they also introduce new avenues of attacks. Application security has to change to properly protect cloud-native applications from sophisticated attacks.
Coupon Scraping
Digital couponing is big business, so naturally criminals have found ways to take advantage. Coupon scraping is the practice by someone of scaping coupons from a website, changing the affiliate links to their own, and republishing the coupon codes on their own site and collecting an affiliate commission in the process. Another version is to redirect those coupon hunters to another site for the same product, in exchange for a commission.
Coupon Scraping
Digital couponing is big business, so naturally criminals have found ways to take advantage. Coupon scraping is the practice by someone of scaping coupons from a website, changing the affiliate links to their own, and republishing the coupon codes on their own site and collecting an affiliate commission in the process. Another version is to redirect those coupon hunters to another site for the same product, in exchange for a commission.
Credential Abuse
Credential abuse is the effort by a hacker to access a system using stolen or created credentials of authorized users. It’s an offshoot of credential stuffing, whereby attackers use a brute force attack to send a list of compromised user credentials (user names, passwords) to break into a system.
Credential Stuffing
A type of brute force attack, credential stuffing is an attempt to gain access to a system by using stolen log-ins and passwords. The attacker uses an automated web injection to enter a large number of credentials that may have been stolen or left vulnerable in hopes of matching an existing account. Credential stuffing is one of the most popular breaches and can yield personally identifiable information.
Cross-Site Scripting (XSS)
XSS the is act of running arbitrary scripts in a victim’s (client) browser in order to deface websites, compromise sessions, or redirect users to malicious websites. The vulnerability lies in using untrusted data to render HTML pages without validating, sanitizing, and escaping the values.
Cryptomining Malware
Mining cryptocurrencies such as Bitcoin is a data-intensive, energy-draining, and expensive undertaking. So cybercriminals have learned ways to spread the work, as it were, by farming out the solving of complex mathematical problems to unsuspecting computers used in smartphones, desktops, and servers. One method is to trick the user into downloading malware that works in the background to verify the cybercurrency transactions. Even the smartest companies are vulnerable. In 2018, Google was infected by cryptominers who used malware to jack into the processing power of YouTube’s ad network.
D
DAST
Dynamic Application Security Testing tools perform attacks against a running application to find vulnerabilities attackers can exploit. They typically crawl an application to find different paths to resources and then send payloads to try to exploit various common vulnerabilities. They report on the results, whether the attacks were successful or the application successfully resisted. DAST tools lack understanding of business logic and thus have trouble finding authentication and authorization vulnerabilities.
Data Breach
A data breach is an incident where a criminal steals confidential, sensitive, or protected information with the intent of using or selling the acquired data. Breaches are caused in a variety of ways. Attackers may exploit an organization’s technology weaknesses or human weaknesses, such as duping a user into revealing their password. But breaches may also be caused internally by poorly written code or by APIs that inadvertently expose protected information.
Data Exfiltration/Leakage
Data Exfiltration/leakage is the unauthorized transfer or exposure of data to an external entity. Data Loss Prevention technologies were created to prevent data leakage and help companies keep data within their borders.
DDoS
Distributed Denial of Service (DDoS) attacks are denial of service attacks performed by many distributed nodes across the Internet. A denial of service occurs when an attacker brings down an online application so that legitimate users cannot access it. DDoS is often performed by armies of bots pointed at one application. DDoS attacks are often used for political statements or to embarass and hurt the revenue of a company.
Defense-in-Depth (DiD)
Defense-in-depth is a security strategy that layers different security protections to present a more complex defense for attackers to navigate. If one defense fails, another protection layer steps up to defend.
Device Fingerprinting
Like cookies, device fingerprinting can be used to identify and track online users. The technology attempts to identify a unique device by capturing attributes such as the underlying operating system, the device’s IP address, and the type and version of the browser. Online advertising companies hit on device fingerprinting as an alternative to placing cookies on devices. The practice has drawn the ire of people who see the technology as a threat to user privacy.
DevSecOps
DevSecOps adds the security discipline to DevOps. Security teams work in collaboration with development and operations to ensure that environments and applications stay secure. DevSecOps includes security so each new environment created is locked down by default and safe for deployment without any manual configuration required.
E
Excessive Data Exposure
Many APIs tend to return all data fields within an object, expecting the client to filter and show the data it needs. This data exposure can aid in attacking the application or lead to data breaches. For example, returning all the personal information with a user object with every request or exposing an “admin” field an attacker may try to manipulate using other means. Look for API methods that return raw objects from the ORM with all fields included.
G
Gift Card Fraud
Fraudsters attempt to convince targets to pay them using a gift card, such as Apple’s iTunes or Google Play and request target to provide them with the gift card number and PIN — at which point they have control of whatever balance is on the card.
GraphQL
GraphQL is an open source query language for APIs, and a runtime for fulfilling those queries with existing data. Sitting between the client and data sources, GraphQL resolver receives client requests and retrieves the data based on the client’s requirements. In this way GraphQL makes APIs more responsive, developer-friendly, and flexible. Internally developed by Facebook, the GraphQL project is now coordinated by GraphQL Foundation and hosted by the Linux Foundation.
I
IAST
Interactive Application Security Testing tools are a relatively new addition to the web application security landscape. IAST tools aim to combine the benefits of SAST and DAST to create a more complete picture of application vulnerabilities. IAST tools are embedded within the application and have visibility into the code. While the application runs automated functional tests within a staging environment, IAST will search code execution paths for possible vulnerabilties. Some may even try to perform attacks on parts of the code that may be vulnerable to validate errors and reduce false positives. A downside of IAST is the heavy dependency on a large suite of automated functional tests.
Improper Assets Management
API proliferation can cause poor documentation and old API endpoints to be exposed, which lead to endpoints you didn’t know were exposed publicly. Outdated API inventory, API endpoints with unclear purposes, No retirement plan for old API versions AND endpoints with unknown method are some of the signs of improper asset management.
Injection
Injection occurs when untrusted data is sent as a command or query to be executed on the target system. Mostly interpreters that run code as it comes in rather than compiling, are easily tricked into using data as a command. Common injections include SQL, NoSQL, LDAP, Command, OS, and ORM. Look for:
- User-supplied data isn’t validated or sanitized.
- Untrusted data is sent directly to the interpreter (i.e. concatenated to an SQL query).
- Untrusted data is sent directly into an ORM search function.
Insecure Deserialization
Serialization changes the format of an object in code to make sending it to a server more efficient. The server then deserializes the object upon receipt so it can process the request. Insecure deserialization of objects allows attackers to make calls to system resources upon deserialization. This vulnerability leads to remote code execution along with replay attacks, injection attacks, and privilege escalation attacks. Look for:
- Accepting serialized objects from untrusted sources.
- Using serialization mediums that permit more than primitive data types.
Insecure Direct Object Reference (IDOR)
IDOR vulnerabilities are access control authorization issues made possible when an application exposes a reference to an internal implementation object. This allows attackers to launch an enumeration attack to access data associated to such objects. It is also called Broken Object Level Authorization (BOLA).
Insufficient Logging & Monitoring
Insufficient logging and monitoring allows attackers to persist longer, leading to devestating data exfiltration and destruction. Look for:
- Poor integration between logging and incident response.
- Not logging login attempts, login failures, and high-value transactions.
- No monitoring of log files.
- Log messages are unclear or too broad to be useful.
Inventory Hoarding
When an online shopper places an item into their shopping cart, the product is often removed, temporarily, from the merchant’s inventory, meaning it is not available to other shoppers. Typically, the cart will return the item to available inventory after a time of inactivity by the shopper. Inventory hoarding is the practice by an attacker of using a bot to repeatedly place an item in a cart, making it unavailable for sale over an extended time. An attacker’s motive may be to hurt store sales or perhaps drive up a product’s scarcity, and thus value, on the market.
K
Keystroke Loggers
Keystroke logging is the use of software to track a user’s keystrokes as they access an application or website. The program sends the data back to the attacker, who then has a ready-made log-in script with user name, password, and credit card numbers. More sophisticated keylogging software, used on a mobile device, can capture screen grabs, GPS data, and even audio or video data.
L
Lack of Resources & Rate Limiting
APIs that don’t limit the size or number of resources a user/client can request leave themselves open to denial of service and brute force attacks. Limits to enforce – Execution timeouts, Compute Resource restrictions like max memory, file descriptors, number of processes, payload size (e.g. uploads), Requests per client/resource, Records per page to return etc.
Leaking API
APIs are meant to exchange data – human to machines or machines to machines. They exist in cloud applications, integrate third-parties etc. Leaking API expose critical personal or business data of the users or business causing data exfiltration.
Local File Inclusion (LFI)
Local file inclusion is a vulnerability that allows a hacker to gain access to a system. By including a file in the attack that is already present on the target server, the attacker exploits vulnerable inclusion procedures implemented in the application. LFIs can be thwarted in part by avoiding the passing of user-submitted input. or creation of an allowed list of files.
M
Magecart
Magecart was a major client attack using JavaScript injected into a site, is transferred to the client. It was form of data-harvesting exploit and targeted online shoppers and web forms as customer checks out. The magecart script skims off user account information that may include passwords, e-mail addresses, and card numbers etc and is sent back to a server operated by the attacker.
Mass Assignment
Objects in modern applications have many properties, but not all the properties should be accessed or updated directly by a client. A mass assignment flaw exists when an API endpoint automatically converts client parameters into internal object properties without considering the sensitivity of the properties. Look for:
- Using objects instead of direct parameters in the API endpoints
- Relying on language frameworks to assign property values taken from parameters and request bodies.
N
Next Generation WAF
Next Generation WAFs, or NG-WAFs, are WAFs with added features to help overcome the shortcomings of rules-based security. NG-WAFs add few more application security features such as XML & JSON inspection, anomaly detection, schema conformance to find and prevent attacks traditional WAFs miss. Many of the NG-WAFs are also more compatible with cloud-native applications.
O
Open Authorization (OAuth)
OAuth is an authorization framework for REST APIs that allows users to to log-in to third-party services without having to expose their password. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with bearer tokens granting access, rather than relying on credentials.
OWASP
The Open Web Application Security Project is a nonprofit foundation that works to improve directions on application software security. Some of the well-known projects of OWASP are the Top 10 LIst, the Application Security Verification Standard etc.
OWASP Top 10
The OWASP Top 10 is a list of the 10 most common and impactful web application vulnerabilities. It was built by contributions from multiple companies, that sent vulnerability data so OWASP could determine the most common attacks happening in the wild. The list of vulnerabilities are graded based on easy of exploitation and it’s impact. The OWASP Top 10 is a foundational starting point for web application security.
OWASP API Top 10
Similar to the web application top 10, OWASP API Top-10 is the prioritized list of vulnerabilities targeting APIs. The API Top 10 brings attention to the common flaws seen in APIs that aren’t necessarily present in traditional web applications. If your application uses APIs, review the API Top 10 as you build them.
P
Penetration Testing
Penetration testing mimics an attacker to anticipate vulnerabilities within a software application. Highly trained and experienced testers understand how attackers think and what tactics they use to compromise applications and steal data. These testers use real-world techniques against a running application in order to find vulnerabilities.
Personally Identifiable Information (PII)
Personally Identifiable Information is any information that can be used to identify a specific person. Some examples are name, Social Security number, address, and birth date. Some data can be used alone to identify someone (like SSN), and others can be combined to identify a person (name, birth date, address). Attackers often want to steal PII for identity theft purposes or to sell on the dark web.
Policy Decision Point (PDP)
Policy Decision Point is a device in the network where decisions related to allowing/blocking specific traffic is taken. It may or may not itself enforce the action. It’s like the controlling entity that informs PEP to enforce the action.
Policy Enforcement Point (PEP)
The Policy Enforcement Point is the place on a network where policy decisions around access are enforced. Common examples of PEP’s are inline network devices like Firewalls, WAFs and even LBs.
Positive Security Model
Positive security is also known as the “whitelist model” or “Zero Trust”. The premise is everything is by default blocked unless it’s explicitly allowed/whitelisted.
Purple Team
Some organizations create purple teams to facilitate the communication and cooperation of the red and blue teams (red and blue make purple). It’s debatable whether a separate purple team is actually necessary, especially where red and blue teams collaborate well together. However, there can be value in a “purple team exercise” where red and blue teams work in tandem on a single project to build better relationships between the teams.
R
RASP / Runtime Application Self Protection
RASP is mostly built by instrumenting the application code. The premise is that application should do it’s own protection at run-time instead of relying on any other enforcement layer. RASP mostly addresses OWASP Top-10 vulnerabilities. It’s efficacy is not much different compared to WAF and due to resistance of organizations to modify the code, RASP adoption is pretty limited.
Red Team
Red teaming is the attack testing performed by a team of experts on the organizations resources. They use advanced tactics to find software, hardware, physical, and human vulnerabilities.
Remote Code Execution (RCE)
RCE attack allows a hacker to remotely inject code on an unsuspecting victim’s computer for execution. Post RCE, an attacker can generally execute arbitrary commands on the host operating system.
S
SAST
Static Application Security Testing is the process of scanning application code to find possible vulnerabilities. The term “static” refers to the testing of precompiled code to detect programming patterns that could lead to exploitation. For example, a SAST tool may find concatenation of untrusted input within the code and flag it as a possible injection vulnerability. A major downside of SAST is its tendency for false positives since code that it looks may not be a real vulerability.
Secure SDLC
A secure SDLC is the series of activities and milestones used to create secure software. It takes the typical stages of the SDLC and includes necessary security activities to ensure a piece of software is not vulnerable to attack.
Security Misconfiguration
Web application frameworks often have many options for developers to choose from that affect how they operate. This choice leads to misconfiguration, as making the wrong decision (or leaving unsecure defaults) leaves security holes attackers use to steal data or otherwise compromise the application.
Sensitive Data Exposure
Many applications don’t protect sensitive data, such as financial, healthcare, or PII. Attackers can steal or modify this data to perform fraud and identity theft. Sensitive data requires protection, such as encryption in transit and at rest.
Shadow APIs
Shadow APIs are unknown APIs that are publicly exposed. These APIs pose a risk because APIs that no one knows are publicly exposed could be a target for attackers. API discovery tools help find shadow APIs so you can protect them or shut them down if they’re unnecessary.
Software Composition Analysis (SCA)
As more open source software is incorporated into codebases, it is imperative for security teams and IT administrators to identify where and how it is used. Software Composition Analysis (SCA) is a method used to understand how open source components are utilized and generate a Bill of Material (SBOM) of various open-source used by the application.
Swagger
Swagger is a brand of open-source tools used to design, build, document, and use RESTful web services. Swagger was originally an open API specification that has since been renamed the OpenAPI Specification.
T
Taint Analysis
Taint analysis is part of Static Code Analysis to identify vulnerabilities in code that can be triggered by user input, whether deliberately or by mistake. Static Code Analysis tools analyze the flow of user input and identify potential unanticipated results.
Threat Actor
A threat actor tries to infiltrate a web application with the goal of stealing data, modifying data, or other malicious act for personal gain. This term is used in threat modeling to help discover those who may have reason to launch attacks against an application.
Threat Landscape
A threat landscape is a group of threats within a given context or environment. It includes threat actors, risks and vulnerable assets.
Threat Modeling
Threat modeling is the process of reviewing the architecture and design of an application to identify potential threats before it’s built. Mitigations can be designed into the application while its being built instead of bolted as an after-thought.
W
WAAP / Web Application & API Protection
Web application and API Protection (WAAP) is a term coined by Gartner as a replacement for WAFs. WAAP services protect modern web applications and APIs from a variety of attacks. WAAP services include NG-WAF and other capabilities like DDoS and malicious bot detection. WAAP aims to meet the security needs of modern, API and microservice-based web applications.
WAF / Web Application Firewall
Web application firewalls take the idea of network firewalls and apply them to web applications. It scans all traffic coming into a web application to find possible attacks, such as cross-site scripting and SQL injection. WAFs use rules and signatures to know what to look for within the request that flags it as a possible attack. They usual target or address OWASP Top-10 vulnerabilities.
Web Application Security
Web application firewalls take the idea of network firewalls and apply them to web applications. It scans all traffic coming into a web application to find possible attacks, such as cross-site scripting and SQL injection. WAFs use rules and signatures to know what to look for within the request that flags it as a possible attack. They usual target or address OWASP Top-10 vulnerabilities.
Web Scraping
Web application firewalls take the idea of network firewalls and apply them to web applications. It scans all traffic coming into a web application to find possible attacks, such as cross-site scripting and SQL injection. WAFs use rules and signatures to know what to look for within the request that flags it as a possible attack. They usual target or address OWASP Top-10 vulnerabilities.
WebSockets
WebSocket is a communication protocol between a browser and web server designed to speed real-time, two-way data transfer. As with many newer technologies, security best practices around WebSockets are not well evolved and can lead to a complete security breach, such as in the case of a cross-scripting attack. To protect against these attacks developers are often advised to avoid tunneling in favor of other secured protocols on top of WebSockets.
Z
Zero-day Attack
Often, companies will disclose application vulnerabilities along with the patches used to fix those vulnerabilities. A zero-day flaw is a vulnerability without an existing patch. Zero-day attacks use flaws not known to most people. Patches don’t exist likely because the maintainers of the software don’t know the vulnerability even existed. These vulnerabilities are traded on the darkweb for use by malicious actors.