Defenses against common vulnerabilities
- Updated: 2021/10/09
The Automation 360 platform provides some defenses against common attacks on applications.
The list below contains several examples of these attacks and the security controls in place to prevent them.
SQL Injection (SQLi)
SQL injection is a high-risk vulnerability that can seriously impact the confidentiality, integrity, and availability of a database. It enables an attacker to execute SQL of their choosing inside the database, allowing them to read sensitive data, modify or insert data, and execute various other operations.
The Control Room prevents SQL injection using query parameterization provided by the Hibernate framework.
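The query parameterization the Control Room relies on is the separation of SQL text from bound values shown in this added example, which is not Automation Anywhere code: it uses Python's standard-library sqlite3 placeholders where Hibernate would use named parameters such as `:username`, against a constructed in-memory users table.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator")],
    )
    return conn


def lookup_concatenated(conn, username):
    # Vulnerable form: the caller's input is spliced into the SQL text, so
    # quote characters in the input change the structure of the statement.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the placeholder is bound at execution time, so the input
    # is always treated as a single string value and never as SQL. Hibernate's
    # ":username" named parameters give the same guarantee.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    # Returns (rows from the vulnerable query, rows from the hardened query)
    # for the same input, so the two behaviours can be checked side by side.
    conn = make_db()
    return lookup_concatenated(conn, username), lookup_parameterized(conn, username)
```

Feeding a constructed test input containing a quote, such as `x' OR '1'='1`, to `compare` shows the concatenated query returning every row while the parameterized query matches nothing.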
Cross Site Scripting (XSS)
Cross-site scripting is a high-risk vulnerability that can seriously impact the confidentiality, integrity, and availability of a user's web session. It enables an attacker to execute arbitrary JavaScript inside the victim's browser, allowing them to observe the user's input and output or take unauthorized actions on the user's behalf. They could also redirect the user offsite to a malware download or a credential phishing page.
The Control Room prevents cross-site scripting using automatic output encoding provided by the ReactJS framework.
OWASP Top 10
| Risk | Control |
|---|---|
| A1: Injection | All input is escaped before commands or queries are executed. |
| A2: Broken authentication and session management | See the identification and authentication section. |
| A3: Cross-site scripting | All output is encoded before being returned. |
| A4: Insecure direct object references | Centralized authorization via Spring Security. |
| A5: Security misconfiguration | No default passwords, stack traces hidden, secure server configuration. |
| A6: Sensitive data exposure | See the Security at rest and Security in motion sections. |
| A7: Missing function level access control | Centralized authorization via Spring Security. |
| A8: Cross-site request forgery | Using authorization HTTP header. |
| A9: Using components with known vulnerabilities | Black Duck software composition analysis tool. |
| A10: Unvalidated redirects and forwards | N/A - No redirect functionality present. |