Insecure Coding Practices
Comments containing excessive detail can be left in source code and give an attacker leverage: developers may leave behind API credentials, passwords or other details that assist an attack. MITRE tracks this as CWE-615.
Improper error handling can give attackers extra information that helps them attack the target. Error output such as internal error codes, database dumps or stack traces can leak valuable information. The best practice is to ensure error messages are meaningful to the user but not useful to an attacker.
Hard-coded credentials are catastrophic flaws that can be used by attackers to compromise an application or system. MITRE tracks this as CWE-798.
A race condition can occur when an app performs two or more operations at the same time. For example, two operations may have to complete in a specific sequence for a security control to be enforced, which leaves the attacker a very short time window in which to act between them. Race conditions are highly complex and difficult to exploit.
Application Programming Interfaces (APIs) are used widely across modern applications to allow other systems to interact with them. Key technologies behind APIs are:
Simple Object Access Protocol (SOAP): exclusively uses XML to provide API services, governed by XML Schema Definition (XSD) documents.
Representational State Transfer (REST): easier to use than SOAP, typically uses JSON rather than XML, and is described by standards such as Swagger and the OpenAPI Specification.
GraphQL: a query language for APIs that comes with many developer tools.
API documentation can reveal a lot about an application. It commonly takes one of these forms:
Swagger (OpenAPI): framework for API documentation and development that is the basis of the OpenAPI Specification (OAS).
Web Services Description Language (WSDL): XML-based language that documents the functionality of a web service.
Web Application Description Language (WADL): XML-based language for describing web applications.
Parameter tampering is achieved by manipulating the parameters exchanged between client and server in order to modify application data. Values stored in hidden form fields are a common target, because the client controls them.
Code signing is the process of adding a digital signature to software so that its origin and integrity can be verified, much as SSL/TLS certificates are used. If the software is modified after signing, the signature will no longer verify against the signer's public key. Subresource Integrity (SRI) is a related browser feature that lets a page supply a cryptographic hash of a file the browser is to fetch; the browser verifies the file against that hash and refuses to use it if it has been manipulated.
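The Subresource Integrity check described above, as an added example that is not part of the original notes: a small Python model of how a site generates the integrity attribute for a file it has reviewed and how a browser checks the fetched body against it. The names SRI_ALGOS, sri_hash, script_tag and verify_sri and the sample JavaScript are assumptions made for this example.

```python
import base64
import hashlib

# Digest algorithms SRI permits, weakest to strongest; a browser only honours the strongest set listed.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity token, "<algo>-<standard base64 digest>", for a resource body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag a site publishes for a third-party file whose content it has pinned."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: the body must match a token from the strongest algorithm present.

    Caveat: a real browser ignores tokens it cannot parse and, if none remain, loads the file
    unchecked; this model is stricter and treats an unusable integrity value as a failure.
    """
    by_algo = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGOS and b64:
            by_algo.setdefault(algo, []).append(b64)
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in by_algo[strongest]


# Constructed sample: the library body as reviewed and pinned, and a copy altered after the fact.
PINNED_JS = b"export function greet(n) { return 'hello ' + n; }\n"
MODIFIED_JS = PINNED_JS + b"// build 2 (not the reviewed copy)\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/greet.js", PINNED_JS)
    print(tag)
    integrity = tag.split('integrity="')[1].split('"')[0]
    print("pinned copy verifies:", verify_sri(PINNED_JS, integrity))      # True
    print("modified copy verifies:", verify_sri(MODIFIED_JS, integrity))  # False
```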