
Insecure Coding Practices

Comments in Source Code

Comments help developers explain their code and its logic, but an attacker who can read them gets the same help in understanding what the code does. Sometimes comments even contain sensitive information.

Lack of Error Handling

Developers cannot predict everything an attacker may attempt against their application. Attackers may supply unexpected input and use it to perform attacks such as a buffer overflow.

Overly Verbose Error Handling

If error handling routines explain too much about the inner workings of code, they may allow an attacker to find a way to exploit the code.
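The two points above (unexpected input must be rejected rather than passed along, and error text returned to the caller must not describe the internals) can be shown side by side. The following Go program is an added example, not code from the page; the length limit, the allowed range, and the 400 status are assumptions chosen for illustration. parseQuantity bounds and validates the input, verboseResponse is the overly verbose pattern, and safeResponse sends the client a generic message with a reference ID while the full error goes only to the server log.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// maxInputLen bounds how much user-supplied text the parser accepts.
// The value is an assumption chosen for this example.
const maxInputLen = 16

var errTooLong = errors.New("input exceeds maximum length")

// parseQuantity converts user-supplied text into a bounded integer. It
// rejects anything the rest of the program is not prepared to handle
// (oversized input, non-numeric text, out-of-range values) instead of
// letting unexpected input reach the code that uses the value.
func parseQuantity(raw string) (int, error) {
	if len(raw) > maxInputLen {
		return 0, errTooLong
	}
	n, err := strconv.Atoi(raw)
	if err != nil {
		// Wrap the parser error so the server log keeps the full cause.
		return 0, fmt.Errorf("parse quantity %q: %w", raw, err)
	}
	if n < 1 || n > 1000 {
		return 0, fmt.Errorf("quantity %d outside allowed range 1..1000", n)
	}
	return n, nil
}

// verboseResponse is the overly verbose pattern: the raw error text, with
// whatever internal detail it carries, goes straight back to the client.
func verboseResponse(err error) string {
	return "error: " + err.Error()
}

// Response separates what the client receives from what the server records.
type Response struct {
	Status    int
	ClientMsg string // generic text that is safe to return to the caller
	ServerLog string // full detail, written only to the server-side log
}

// safeResponse returns a generic message carrying a random reference ID and
// keeps the detailed error in the log entry, so operators can correlate the
// two without exposing internals to the caller.
func safeResponse(err error) Response {
	ref := newReferenceID()
	return Response{
		Status:    400,
		ClientMsg: "request could not be processed (ref " + ref + ")",
		ServerLog: fmt.Sprintf("ref=%s err=%v", ref, err),
	}
}

// newReferenceID returns 8 hex characters from the OS random source.
func newReferenceID() string {
	b := make([]byte, 4)
	if _, err := rand.Read(b); err != nil {
		return "00000000" // the failure is visible in the log, not silently ignored
	}
	return hex.EncodeToString(b)
}

func main() {
	for _, in := range []string{"42", "abc", "99999999999999999999"} {
		n, err := parseQuantity(in)
		if err != nil {
			resp := safeResponse(err)
			fmt.Printf("input %q -> client: %s | log: %s\n", in, resp.ClientMsg, resp.ServerLog)
			fmt.Printf("          verbose handler would have sent: %s\n", verboseResponse(err))
			continue
		}
		fmt.Printf("input %q -> quantity %d\n", in, n)
	}
}
```

The reference ID is the piece that makes the generic message usable: a support engineer can search the server log for it and see the wrapped parser error, while the caller learns nothing about parsing rules, file paths, or library versions.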

Hard-Coded Credentials

Developers sometimes include usernames and passwords in the source code. Attackers can find these credentials and use them to authenticate to other services. Additionally, developers may include API keys in the code.
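As an added example (not code from the page), the Go program below contrasts a credential baked into the source with one loaded at startup from the environment, and includes a small heuristic scanner of the kind used in a pre-commit hook to catch literal credentials before they reach the repository. The variable names SERVICE_USER and SERVICE_API_KEY, the placeholder key value, and the regular expression are all assumptions made for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Insecure pattern: a credential embedded in the source. Anyone with the
// repository, a build artifact, or a decompiler can read it. The value is a
// placeholder constructed for this example, not a real key.
const hardCodedAPIKey = "EXAMPLE-HARDCODED-KEY"

// Credentials holds what the program needs to authenticate to another service.
type Credentials struct {
	User   string
	APIKey string
}

// loadCredentials obtains the credential from a lookup function (os.LookupEnv
// in production, a map in tests) and fails fast when it is missing, instead
// of falling back to a value baked into the binary.
func loadCredentials(lookup func(string) (string, bool)) (Credentials, error) {
	user, ok := lookup("SERVICE_USER")
	if !ok || user == "" {
		return Credentials{}, errors.New("SERVICE_USER is not set")
	}
	key, ok := lookup("SERVICE_API_KEY")
	if !ok || key == "" {
		return Credentials{}, errors.New("SERVICE_API_KEY is not set")
	}
	return Credentials{User: user, APIKey: key}, nil
}

// redact keeps only the last four characters of a secret for log output.
func redact(secret string) string {
	if len(secret) <= 4 {
		return "****"
	}
	return "****" + secret[len(secret)-4:]
}

// secretAssignment matches a credential-like name assigned a string literal,
// e.g. password = "hunter2" or API_KEY: 'abc'. It is a coarse heuristic for
// a pre-commit check, not a complete secret scanner.
var secretAssignment = regexp.MustCompile(
	`(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)\b\s*[:=]\s*["'][^"']{4,}["']`)

// findHardCodedSecrets returns the 1-based line numbers of src that look
// like hard-coded credentials.
func findHardCodedSecrets(src string) []int {
	var lines []int
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		if secretAssignment.MatchString(sc.Text()) {
			lines = append(lines, n)
		}
	}
	return lines
}

func main() {
	creds, err := loadCredentials(os.LookupEnv)
	if err != nil {
		fmt.Println("startup refused:", err)
	} else {
		fmt.Printf("using user %s key %s\n", creds.User, redact(creds.APIKey))
	}
	// Constructed source snippet to scan; the commented-out key on line 3 is
	// still flagged, because a commented-out secret is still a secret.
	sample := "db_user = \"app\"\npassword = \"hunter2\"\n# api_key = \"rotated\"\nAPI_KEY: 'EXAMPLE-HARDCODED-KEY'\n"
	fmt.Println("suspicious lines:", findHardCodedSecrets(sample))
}
```

Refusing to start when the variable is absent is deliberate: a silent fallback to a default credential is how the hard-coded value creeps back in.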

Race Conditions

Race conditions occur when the security of a code segment depends upon the sequence of events occurring within the system. The time-of-check-to-time-of-use (TOCTTOU or TOC/TOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request. For example, if an operating system builds a comprehensive list of access permissions for a user upon logon and then consults that list throughout the logon session, a TOCTTOU vulnerability exists. If the system administrator revokes a particular permission, that restriction would not be applied to the user until the next time they log on. If the user is logged on when the access revocation takes place, they will have access to the resource indefinitely. The user simply needs to leave the session open for days, and the new restrictions will never be applied. To prevent this race condition, the developer should evaluate access permissions at the time of each request rather than caching a listing of permissions.
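The logon-time permission cache described above, and the per-request check that fixes it, replayed in Go as an added example (not code from the page). The in-memory PermissionStore, the user "alice" and the resource "payroll" are constructed for the illustration; a real system would consult its policy database or authorization service in Allowed.

```go
package main

import (
	"fmt"
	"sync"
)

// PermissionStore is the authoritative record of who may use which resource.
// An in-memory map stands in for the real policy database (assumption).
type PermissionStore struct {
	mu     sync.RWMutex
	grants map[string]map[string]bool // user -> resource -> allowed
}

func NewPermissionStore() *PermissionStore {
	return &PermissionStore{grants: make(map[string]map[string]bool)}
}

func (s *PermissionStore) Grant(user, resource string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.grants[user] == nil {
		s.grants[user] = make(map[string]bool)
	}
	s.grants[user][resource] = true
}

func (s *PermissionStore) Revoke(user, resource string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.grants[user], resource)
}

// Allowed answers the question at the moment it is asked.
func (s *PermissionStore) Allowed(user, resource string) bool {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.grants[user][resource]
}

// CachedSession is the vulnerable design: permissions are copied once at
// logon (time of check) and consulted for every later request (time of use).
type CachedSession struct {
	user  string
	perms map[string]bool
}

func NewCachedSession(store *PermissionStore, user string) *CachedSession {
	store.mu.RLock()
	defer store.mu.RUnlock()
	snapshot := make(map[string]bool, len(store.grants[user]))
	for r, ok := range store.grants[user] {
		snapshot[r] = ok
	}
	return &CachedSession{user: user, perms: snapshot}
}

func (c *CachedSession) CanAccess(resource string) bool { return c.perms[resource] }

// LiveSession is the fix: every request goes back to the authoritative store,
// so a revocation takes effect on the next request, not the next logon.
type LiveSession struct {
	user  string
	store *PermissionStore
}

func NewLiveSession(store *PermissionStore, user string) *LiveSession {
	return &LiveSession{user: user, store: store}
}

func (l *LiveSession) CanAccess(resource string) bool {
	return l.store.Allowed(l.user, resource)
}

// revokeDuringSession replays the scenario from the text: the user logs on
// with access, an administrator revokes it, and the user issues another
// request in the same session. It returns what each design answers after
// the revocation.
func revokeDuringSession() (cachedSaysAllowed, liveSaysAllowed bool) {
	store := NewPermissionStore()
	store.Grant("alice", "payroll")
	cached := NewCachedSession(store, "alice")
	live := NewLiveSession(store, "alice")
	store.Revoke("alice", "payroll") // administrator acts mid-session
	return cached.CanAccess("payroll"), live.CanAccess("payroll")
}

func main() {
	c, l := revokeDuringSession()
	fmt.Printf("after revocation: cached session allows=%v, live session allows=%v\n", c, l)
}
```

If the per-request lookup is too expensive, the usual compromise is a short-lived cache with a bounded time-to-live, which shrinks the window from "until next logon" to a few seconds; the snapshot-at-logon design has no bound at all.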

Unauthorized Use of Functions/Unprotected APIs

If not properly secured, unprotected APIs may lead to the unauthorized use of functions. For example, an API that does not use appropriate authentication may allow anyone with knowledge of the API URLs to modify a service.
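An added Go example (not code from the page) of the situation just described: the same mode-changing endpoint is exposed once with no authentication, so any POST to the URL changes the service, and once behind a bearer-token check. The endpoint path /admin/mode, the serviceSettings type, and the placeholder token value are assumptions made for this example; a real deployment would take the token from a secret store and would normally authenticate individual users rather than share one static token.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"strings"
	"sync"
)

// serviceSettings is the state the API can modify (assumption for this example).
type serviceSettings struct {
	mu   sync.Mutex
	mode string
}

func (s *serviceSettings) Mode() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.mode
}

// setMode handles POST /admin/mode?mode=<value> and changes service behaviour.
func (s *serviceSettings) setMode(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	mode := r.URL.Query().Get("mode")
	if mode != "normal" && mode != "maintenance" {
		http.Error(w, "invalid mode", http.StatusBadRequest)
		return
	}
	s.mu.Lock()
	s.mode = mode
	s.mu.Unlock()
	fmt.Fprintf(w, "mode set to %s\n", mode)
}

// newUnprotectedAPI wires the handler with no authentication: anyone who
// learns the URL can change the mode.
func newUnprotectedAPI(s *serviceSettings) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/mode", s.setMode)
	return mux
}

// requireBearer rejects requests whose Authorization header does not carry
// the expected token. The comparison is constant-time so response timing
// does not reveal how many leading bytes of a guess were correct.
func requireBearer(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		ok := strings.HasPrefix(auth, prefix) &&
			subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(auth, prefix)), []byte(expected)) == 1
		if !ok {
			w.Header().Set("WWW-Authenticate", `Bearer realm="admin"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newProtectedAPI wraps the same handler in the authentication check.
func newProtectedAPI(s *serviceSettings, token string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/admin/mode", requireBearer(token, http.HandlerFunc(s.setMode)))
	return mux
}

func main() {
	s := &serviceSettings{mode: "normal"}
	// Placeholder token constructed for this example; load it from a secret
	// store or the environment in a real service.
	log.Println("listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", newProtectedAPI(s, "EXAMPLE-ADMIN-TOKEN")))
}
```

Note that authentication alone only establishes who is calling; the handler would additionally need an authorization check (is this caller permitted to change the mode?) before the endpoint is fully protected.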

Hidden Elements

Hidden elements in HTML are visible to any user who views the page source or the DOM, and they may contain sensitive information.

Sensitive Information in the DOM

Developers should also avoid including sensitive information in the DOM through the use of hidden elements. Assume that any information sent to a user is accessible to that user.
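A release-time check covering the three points above (comments that ship to the client, hidden elements, and sensitive data in the DOM), written in Go as an added example that is not from the page. It scans a rendered page for HTML comments and hidden inputs, both readable by any user, and flags those whose content matches a keyword list. The sample page, the keyword list, and the regular expressions are assumptions constructed for the example; the keyword list is a heuristic, which is why the CSRF token in the sample is reported but not flagged as sensitive.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding describes one piece of content delivered to the browser that
// deserves review before release.
type Finding struct {
	Kind      string // "comment" or "hidden-input"
	Content   string // the comment text or the input's name=value
	Sensitive bool   // true when the content matches a sensitive-looking keyword
}

var (
	htmlComment = regexp.MustCompile(`(?s)<!--(.*?)-->`)
	hiddenInput = regexp.MustCompile(`(?is)<input\b[^>]*\btype\s*=\s*["']?hidden["']?[^>]*>`)
	attrValue   = regexp.MustCompile(`(?i)\b(name|value)\s*=\s*["']([^"']*)["']`)
	// Keywords are a heuristic chosen for this example, not an exhaustive list.
	sensitiveWord = regexp.MustCompile(`(?i)(password|passwd|secret|api[_-]?key|ssn|internal|debug|todo|admin)`)
)

// auditHTML scans a rendered page for HTML comments and hidden inputs and
// flags those whose text looks sensitive. Comments are reported first, in
// document order, then hidden inputs.
func auditHTML(page string) []Finding {
	var out []Finding
	for _, m := range htmlComment.FindAllStringSubmatch(page, -1) {
		text := strings.TrimSpace(m[1])
		out = append(out, Finding{Kind: "comment", Content: text, Sensitive: sensitiveWord.MatchString(text)})
	}
	for _, tag := range hiddenInput.FindAllString(page, -1) {
		attrs := map[string]string{}
		for _, a := range attrValue.FindAllStringSubmatch(tag, -1) {
			attrs[strings.ToLower(a[1])] = a[2]
		}
		content := attrs["name"] + "=" + attrs["value"]
		out = append(out, Finding{Kind: "hidden-input", Content: content, Sensitive: sensitiveWord.MatchString(content)})
	}
	return out
}

// countSensitive returns how many findings were flagged.
func countSensitive(fs []Finding) int {
	n := 0
	for _, f := range fs {
		if f.Sensitive {
			n++
		}
	}
	return n
}

// samplePage is a constructed page, not taken from any real site.
const samplePage = `<html><body>
<!-- TODO: remove test admin account before go-live: admin / Passw0rd! -->
<form method="post" action="/order">
  <input type="hidden" name="csrf_token" value="b7c1f2">
  <input type="hidden" name="internal_user_id" value="10442">
  <input type="text" name="quantity">
</form>
<!-- footer -->
</body></html>`

func main() {
	findings := auditHTML(samplePage)
	for _, f := range findings {
		fmt.Printf("%-12s sensitive=%-5v %s\n", f.Kind, f.Sensitive, f.Content)
	}
	fmt.Printf("%d of %d findings flagged\n", countSensitive(findings), len(findings))
}
```

The useful habit is the one the text states: treat everything in the response as readable by the recipient, and let a check like this catch the cases where that assumption was forgotten.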

Lack of Code Signing

Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals. Where code signing is lacking, users may inadvertently run inauthentic code.
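The sign-with-private-key, verify-with-public-key flow described above, carried through in Go with Ed25519 from the standard library as an added example (not the page's code and not any particular browser's or platform's signing scheme). The sample "code" bytes are constructed for the illustration; real code-signing systems additionally bind the signature to a certificate chain and a timestamp, which this example leaves out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// generateSigningKey creates the developer's key pair. The private key stays
// with the developer (ideally in an HSM or a signing service); the public key
// is distributed to users so they can verify releases.
func generateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signCode produces a signature over the exact bytes that will be shipped.
func signCode(priv ed25519.PrivateKey, code []byte) []byte {
	return ed25519.Sign(priv, code)
}

// verifyCode is what the user's side runs before executing the code. It
// returns true only if the signature was made by the holder of the private
// key matching pub, over exactly these bytes.
func verifyCode(pub ed25519.PublicKey, code, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, code, sig)
}

// releaseAndTamper walks through a signed release and a copy altered after
// signing, returning the verification result for each.
func releaseAndTamper() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := generateSigningKey()
	if err != nil {
		return false, false, err
	}
	// Constructed sample "code" standing in for a script or binary.
	code := []byte("console.log('hello from the release build');")
	sig := signCode(priv, code)

	// Flip a single bit in a copy: any modification after signing, however
	// small, must make verification fail.
	tampered := append([]byte{}, code...)
	tampered[0] ^= 0x01

	return verifyCode(pub, code, sig), verifyCode(pub, tampered, sig), nil
}

func main() {
	pub, priv, err := generateSigningKey()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	code := []byte("console.log('hello from the release build');")
	sig := signCode(priv, code)
	fmt.Printf("public key: %s\nsignature:  %s\n", hex.EncodeToString(pub), hex.EncodeToString(sig))
	fmt.Println("genuine verifies:", verifyCode(pub, code, sig))

	genuine, tampered, _ := releaseAndTamper()
	fmt.Printf("scenario: genuine=%v tampered=%v\n", genuine, tampered)
}
```

The verification step is only as good as the user's copy of the public key: if an attacker can substitute their own public key, they can sign whatever they like, which is why real deployments pin the key or anchor it in a certificate chain the platform already trusts.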