Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AIS-05 | Automated Application Security Testing | mitigates | T1505.003 | Web Shell | The control outlines several testing approaches, including the use of automated tools, to identify and remediate vulnerabilities or weaknesses that can be exploited. Web shells give attackers unauthorized, persistent remote control over a compromised web server, allowing them to execute commands, manipulate files, and steal data. A web application is compromised when an attacker exploits a vulnerability (an unrestricted file upload, for example) to place a malicious script on the server, which then acts as a backdoor for ongoing activity. Remediating the vulnerabilities that allow an attacker to upload a web shell helps mitigate this technique. |
| AIS-05 | Automated Application Security Testing | mitigates | T1499.004 | Application or System Exploitation | Adversaries may exploit software vulnerabilities that cause an application or system to crash and deny availability to users. Some systems automatically restart critical applications and services after a crash, but the same flaw can be exploited again to keep the denial of service (DoS) condition in place. The control outlines several testing approaches, including the use of automated tools, to identify such vulnerabilities throughout the software development lifecycle from development to production, which can help mitigate this technique. |
| AIS-05 | Automated Application Security Testing | mitigates | T1499.003 | Application Exhaustion Flood | Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive, and repeated requests to those features may exhaust system resources and deny access to the application or the server itself. The control outlines several testing approaches, including the use of automated tools, to identify and remediate weaknesses such as unbounded or unthrottled resource-intensive operations that an application exhaustion flood would exploit to deny access to the web application for other users. |
| AIS-05 | Automated Application Security Testing | mitigates | T1567 | Exfiltration Over Web Service | The control outlines several testing approaches, including the use of automated tools, to identify and remediate vulnerabilities or weaknesses that can be exploited. Attackers may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Regular testing should identify data exfiltration paths through applications, and should exercise cloud APIs and web applications for unauthorized data access and exfiltration. |
| AIS-05 | Automated Application Security Testing | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. A vulnerability scanner (or software composition analysis tool) can identify known issues in third-party components, as outlined in the implementation guidelines. |
| AIS-05 | Automated Application Security Testing | mitigates | T1078.004 | Cloud Accounts | The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may attempt to exploit default admin or user accounts in cloud services, SaaS platforms, or cloud-deployed databases that were not properly secured during setup. |
| AIS-05 | Automated Application Security Testing | mitigates | T1110 | Brute Force | The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Deprecated hash functions (MD5, SHA-1) and weak key derivation make password cracking significantly faster, enabling successful brute-force attacks; testing should flag their use for credential storage. |
| AIS-05 | Automated Application Security Testing | mitigates | T1552 | Unsecured Credentials | The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may search compromised services or applications to find and obtain insecurely stored API keys for SaaS services or cloud storage encryption keys. |
| AIS-05 | Automated Application Security Testing | mitigates | T1040 | Network Sniffing | The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may passively sniff network traffic to capture traffic between microservices, API calls to SaaS platforms, or data transfers between on-premises and IaaS resources that lack proper TLS encryption. |
| AIS-05 | Automated Application Security Testing | mitigates | T1134 | Access Token Manipulation | The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. For example, an attacker may replay or tamper with a JSON Web Token (JWT) used for access control to elevate privileges, or abuse weak token invalidation so that a revoked or expired token is still accepted. |
| AIS-05 | Automated Application Security Testing | mitigates | T1068 | Exploitation for Privilege Escalation | The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may attempt to bypass access controls and elevate privileges to gain unauthorized access. Therefore, testing for improper privilege escalation, such as scenarios where a user can act without authentication or gain administrative rights while logged in as a standard user, can help mitigate these risks. |
| AIS-05 | Automated Application Security Testing | mitigates | T1548 | Abuse Elevation Control Mechanism | The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may attempt to bypass access controls and elevate privileges to gain unauthorized access. Therefore, testing for improper privilege escalation, such as scenarios where a user bypasses access control checks by modifying the URL, can help mitigate these risks. |
| AIS-05 | Automated Application Security Testing | mitigates | T1552.005 | Cloud Instance Metadata API | The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like the OWASP Top 10 to ensure applications are secure. Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Testing for unnecessary use of metadata services, and for use of insecure versions where a metadata service is needed, together with restricting or disabling those versions, may prevent adversary use of this technique. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public-facing web proxy or application to reach the sensitive information via a request to the Instance Metadata API, so SSRF should be in scope for automated testing. |
| AIS-05 | Automated Application Security Testing | mitigates | T1059.009 | Cloud API | The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like the OWASP Top 10 to ensure applications are secure. With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. |
| AIS-05 | Automated Application Security Testing | mitigates | T1059 | Command and Scripting Interpreter | The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like the OWASP Top 10 to ensure applications are secure. Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. In an Internet-facing application, a command injection flaw (unsanitized input passed to a shell or interpreter) hands the adversary exactly that capability, so testing for injection weaknesses, in particular OS command injection, helps mitigate this technique. |
| AIS-05 | Automated Application Security Testing | mitigates | T1190 | Exploit Public-Facing Application | The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like the OWASP Top 10 to ensure applications are secure. Adversaries may attempt to exploit a weakness in an Internet-facing host or application using techniques such as SQL injection, command injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). |
| AIS-05 | Automated Application Security Testing | mitigates | T1539 | Steal Web Session Cookie | The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like the OWASP Top 10 to ensure applications are secure. An adversary may steal web application or service session cookies and use them to gain access to web applications, internet services, or cloud services as an authenticated user without needing credentials. |
| AIS-05 | Automated Application Security Testing | mitigates | T1550.004 | Web Session Cookie | The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like the OWASP Top 10 to ensure applications are secure. Adversaries can use stolen session cookies to authenticate to web applications and services. Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. |
| AIS-05 | Automated Application Security Testing | mitigates | T1606.001 | Web Cookies | The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like the OWASP Top 10 to ensure applications are secure. Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on on-premises servers) often use session cookies to authenticate and authorize user access. |
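The T1190 and T1059 rows above point at injection as the weakness automated testing should catch. The following is an added example, not code from the CSA mapping or from any project it references: a login lookup written two ways, plus the payloads a pipeline test (or a DAST tool) would send to prove whether string-built SQL is exploitable. The users, passwords and payloads are constructed for the example; the parameterised version fixes only the injection, it still compares plaintext passwords, which a real application would never do.

```python
"""Added example (not from the CSA/ATT&CK mapping page): a tiny login
lookup written two ways, so an automated test can show the difference
between string-built SQL (injectable) and a parameterised query."""
import sqlite3

# Constructed sample data: throw-away users and passwords.
USERS = [("alice", "correct horse battery staple"), ("admin", "Tr0ub4dor&3")]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Deliberately injectable: user input is spliced into the SQL text."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened: placeholders keep the input out of the statement structure."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# Payloads an automated test (or a DAST scanner) would send; constructed here.
BYPASS_PAYLOADS = [
    ("admin' --", "anything"),          # comments out the password check
    ("x' OR '1'='1", "x' OR '1'='1"),   # always-true tautology
]


def run_injection_checks(login) -> dict:
    """Return {username payload: bypassed?} for a login function under test.
    A pipeline gate should fail the build if any value is True."""
    conn = make_db()
    return {name: login(conn, name, pw) for name, pw in BYPASS_PAYLOADS}


if __name__ == "__main__":
    print("vulnerable:", run_injection_checks(login_vulnerable))
    print("safe:      ", run_injection_checks(login_safe))
```

Running the module prints the two result maps; the vulnerable variant reports both bypasses as successful and the parameterised one reports neither. The same shape (a fixed payload list, a boolean per payload, fail the build on any True) is what turns a one-off pentest finding into the regression test the control asks for.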
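The T1134 row describes replaying or tampering with a JWT and abusing weak invalidation. As an added example (not from the mapping page or any library it names), here is a minimal HS256 verifier with the properties an automated test should assert on: the algorithm is pinned by the verifier rather than read from the header, the signature is compared in constant time, and a missing or past `exp` is rejected. The secret, claims and the two attacker helpers (`tamper_payload`, `alg_none_token`) are constructed for the example.

```python
"""Added example (not from the mapping page): a minimal HS256 JWT
verifier that rejects the tampering paths named in the T1134 row:
modified claims, an unsigned 'alg: none' token, and an expired one."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-hmac-key-do-not-use-in-production"  # constructed for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes = SECRET) -> str:
    """Issue a token (used here only to build test inputs)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims if the token is authentic, else raise ValueError.

    The algorithm is pinned by the verifier, never taken from the header,
    so an attacker cannot downgrade to 'none' or swap to another scheme."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def tamper_payload(token: str, **changes) -> str:
    """Attacker step: rewrite claims but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    new_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


def alg_none_token(claims: dict) -> str:
    """Attacker step: unsigned token that a lax verifier would accept."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def check(token: str, now: float) -> str:
    """Return 'ok' or the verifier's rejection reason (handy for CI gates)."""
    try:
        verify_hs256(token, now=now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = sign_hs256({"sub": "alice", "role": "user", "exp": t0 + 600})
    print("valid:     ", check(good, t0))
    print("tampered:  ", check(tamper_payload(good, role="admin"), t0))
    print("alg none:  ", check(alg_none_token({"sub": "alice", "role": "admin", "exp": t0 + 600}), t0))
    print("expired:   ", check(sign_hs256({"sub": "alice", "exp": t0 - 1}), t0))
```

Revocation is the one failure mode this block cannot cover on its own: a signed, unexpired token stays valid until `exp`, so if logout or password change must take effect immediately the verifier also needs a server-side denylist or short-lived tokens with a refresh flow, and an automated test should exercise that path as well.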
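The T1552.005 row ends with the SSRF route to the instance metadata API. This added example (not code from the mapping page or from any cloud provider) is the outbound-URL guard a code reviewer or DAST test would look for in a feature that fetches user-supplied URLs. It refuses the metadata endpoints and every other non-public address, including the decimal and hex IP spellings that defeat naive substring blocklists. The DNS resolver is injectable so the check runs offline; `FAKE_DNS` and its hostnames are constructed for the example.

```python
"""Added example (not from the mapping page): an SSRF guard that keeps
server-side fetches away from the cloud instance metadata service and
other internal addresses."""
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlsplit

# Well-known metadata endpoints: AWS, GCP and Azure all use 169.254.169.254,
# AWS additionally exposes fd00:ec2::254 over IPv6, and GCP also answers on
# metadata.google.internal. The IP forms already fall inside the non-global
# ranges rejected below; listing them keeps the intent explicit.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def _parse_ip_literal(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return an ip_address if `host` is any IP spelling, else None.
    Handles dotted quads, IPv6, and the integer forms (decimal 2852039166,
    hex 0xA9FEA9FE) that slip past filters matching on '169.254'."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))  # base 0 accepts 0x.. and plain decimal
    except ValueError:
        return None


def is_safe_url(url: str, resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True only for http(s) URLs whose host is, or resolves to, a public address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit lowercases and strips IPv6 brackets
    if host in METADATA_HOSTS:
        return False
    ip = _parse_ip_literal(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):
            return False  # unresolvable: fail closed
    # is_global is False for private, loopback, link-local, multicast, reserved
    # and unique-local ranges, which is exactly the set SSRF should not reach.
    return ip.is_global


# Constructed resolver for offline use; a real deployment passes the default.
FAKE_DNS = {"api.example.com": "93.184.216.34", "evil.example.net": "169.254.169.254"}


def fake_resolve(host: str) -> str:
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError("NXDOMAIN")


if __name__ == "__main__":
    for u in ["https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://2852039166/", "http://0xA9FEA9FE/", "http://[fd00:ec2::254]/",
              "http://evil.example.net/", "file:///etc/passwd"]:
        print(f"{is_safe_url(u, resolve=fake_resolve)!s:5}  {u}")
```

Two caveats a reviewer should add alongside this check. First, resolving and then letting an HTTP client resolve again is a DNS-rebinding window; connect to the address the guard approved and disable redirects, or re-run the check on every redirect target. Second, the guard is a compensating control: the stronger fix for this row is to require the session-token variant of the metadata service where the provider offers one (IMDSv2 on AWS) or disable the service on instances that do not need it.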