Insecure Coding Practices
Comments in Source Code
Comments containing excessive detail can be left in source code, and any attacker who obtains that code can use them as leverage: developers may leave behind API credentials, passwords or other details that assist an attack. MITRE tracks this as CWE-615.
Lack of or Overly Verbose Error Handling
Improper error handling can give attackers extra information that helps them attack the target. Error messages that include error codes, database dumps or stack traces can leak valuable detail about the system. Best practice is to ensure error messages are meaningful to the user but not useful to an attacker.
Hard Coded Credentials
Hard-coded credentials are catastrophic flaws that can be used by attackers to compromise an application or system. MITRE tracks this as CWE-798.
Race Conditions
A race condition can occur when an app performs two or more operations at the same time. For example, two operations may have to be done in the correct sequence to ensure a security control is enforced; an attacker who can interleave their own action between them may bypass the control, but has only a very short time window in which to do so. Race conditions are highly complex and difficult to exploit.
Unprotected APIs
Application Programming Interfaces (APIs) are used widely across modern applications to allow other systems to interact with them. Key technologies behind APIs are:
Simple Object Access Protocol (SOAP): exclusively uses XML to provide API services, governed by XML Schema Definition (XSD) documents. SOAP specifications can be viewed here.
Representational State Transfer (REST): easier to use than SOAP, typically uses JSON rather than XML, and has specification standards such as Swagger and the OpenAPI Specification. The OpenAPI specification can be viewed here.
GraphQL: query language for APIs providing many developer tools. More about GraphQL can be seen here.
API documentation can reveal a lot about an application. API documentation can include:
Web Services Description Language (WSDL): XML-based language to document the functionality of a web service. WSDL specification can be accessed here.
Web Application Description Language (WADL): XML-based language for describing web applications. This can be accessed here.
Hidden Elements
Parameter tampering can be achieved by manipulating parameters exchanged between the client and server to modify application data. It could be possible to tamper with values stored in hidden form fields.
Lack of Code Signing
Code signing is the process of adding a digital signature to software so that its origin and integrity can be verified. This is similar to the process used for SSL/TLS certificates. If software is modified after signing, the signature (made with the signer's private key) will no longer verify against the signer's public key. Subresource Integrity (SRI) is a feature which allows you to provide a hash of a file fetched by the web browser. SRI verifies file integrity and prevents manipulation.