ap_mitigation_descriptions.json

[
  "\n               In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as \"NoAccess\", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.\n               Having done so, any direct access to those protected Servlets will be prohibited by the web container.\n               In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.\n            ",
  "When implementing security features, consider how they can be misused and made to turn on themselves.",
  "Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.",
  "Use an allowlist rather than a denylist input validation.",
  "Canonicalize all data prior to validation.",
  "Take an iterative approach to input validation (defense in depth).",
  "Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges)",
  "Design: Default deny access control policies",
  "Implementation: Perform input validation for all remote content.",
  "Implementation: Upgrade phone lines. Note this may be prohibitively expensive",
  "Use strong access control such as two factor access control for administrative access to the switch",
  "Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.",
  "Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.",
  "Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.",
  "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.",
  "Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.",
  "If you have to use dangerous functions, make sure that you do boundary checking.",
  "Use secure functions not vulnerable to buffer overflow.",
  "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
  "Use a language or compiler that performs automatic bounds checking.",
  "Use OS-level preventative functionality. Not a complete solution.",
  "Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as buffer overflow.",
  "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
  "Do not unnecessarily expose services.",
  "Apply the latest patches to your user exposed services. This may not be a complete solution, especially against a zero day attack.",
  "Use an abstraction library to abstract away risky APIs. Not a complete solution.",
  "Use a language or compiler that performs automatic bounds checking.",
  "Operational: Use OS-level preventative functionality. Not a complete solution.",
  "Use a language or compiler that performs automatic bounds checking",
  "Do not expose environment variable to the user.",
  "There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.",
  "Do not use untrusted data in your environment variables.",
  "Implementation: Server routines should be determined by content not determined by filename or file extension.",
  "\n               Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.\n               The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.\n            ",
  "Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.",
  "Protect environment variables against unauthorized read and write access.",
  "Protect the configuration files which contain environment variables against illegitimate read and write access.",
  "Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.",
  "Use OS-level preventative functionality. Not a complete solution.",
  "Perform input validation for length of buffer inputs.",
  "The client software should not install untrusted code from a non-authenticated server.",
  "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
  "The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.",
  "Ensure all buffer uses are consistently bounds-checked.",
  "Use an abstraction library to abstract away risky APIs. Not a complete solution.",
  "Use a language or compiler that performs automatic bounds checking.",
  "Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account",
  "Implementation: Use type conversions such as JDBC prepared statements.",
  "Implementation: Perform input validation for all remote content.",
  "Design: Perform allowlist validation against a positive specification for command length, type, and parameters.",
  "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.",
  "Leverage multi-factor authentication for all authentication services.",
  "Create a strong password policy and ensure that your system enforces this policy.",
  "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.",
  "Design: Enforce principle of least privilege",
  "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.",
  "All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.",
  "In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered.",
  "Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.",
  "Disable scripting languages such as JavaScript in browser",
  "Utilize strict type, character, and encoding enforcement.",
  "Session tokens for specific host",
  "Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode",
  "Perform output validation for all remote content.",
  "Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
  "Server side developers should not proxy content via XHR or other means. If a HTTP proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.",
  "Perform input validation for all remote content.",
  "Use browser technologies that do not allow client side scripting.",
  "Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.",
  "In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months.",
  "Implementation: Verify authenticity of all identifiers at runtime.",
  "Implementation: If the identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens.",
  "Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit.",
  "Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated.",
  "Design: Use strong session identifiers that are protected in transit and at rest.",
  "Implementation: If the web or application server supports it, then encrypting and/or signing the identifier (such as cookie) can protect the ID if intercepted.",
  "Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf.",
  "Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system.",
  "Design: Do not rely on client validation or encoding for security purposes.",
  "Implementation: Perform input validation for all remote content.",
  "Design: Utilize two factor authentication to increase authentication assurance.",
  "Design: Utilize digital signatures to increase authentication assurance.",
  "Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.",
  "Implementation: Virus scanning on host",
  "Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.",
  "Design: Validate all input for content including files. Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example)",
  "Design: Enforce principle of least privilege",
  "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.",
  "Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.",
  "Pre-design: Use a language or compiler that performs automatic bounds checking.",
  "Operational: Use OS-level preventative functionality. Not a complete solution.",
  "Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
  "Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.",
  "Use known algorithm to avoid deadlock condition (for instance non-blocking synchronization algorithms).",
  "For competing actions, use well-known libraries which implement synchronization.",
  "Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.",
  "Use safe libraries to access resources such as files.",
  "Pay attention to concurrency problems related to the access of resources.",
  "Use static analysis tools to find race conditions.",
  "Use synchronization to control the flow of execution.",
  "Ensure good compartmentalization in the system to provide protected areas that can be trusted.",
  "Use safe libraries when creating temporary files. For instance the standard library function mkstemp can be used to safely create temporary files. For shell scripts, the system utility mktemp does the same thing.",
  "Follow the principle of least privilege when assigning access rights to files.",
  "Access to the directories should be restricted as to prevent attackers from manipulating the files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file.",
  "Use fuzz testing during the software QA process to uncover any surprises, uncover any assumptions or unexpected behavior.",
  "Test to ensure that the software behaves as per specification and that there are no unintended side effects. Ensure that no assumptions about the validity of data are made.",
  "Use synchronization to control the flow of execution.",
  "Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.",
  "Pay attention to concurrency problems related to the access of resources.",
  "Use static analysis tools to find race conditions.",
  "Use safe libraries to access resources such as files.",
  "Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.",
  "Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.",
  "Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software.",
  "Design: Use input validation for cookies",
  "Design: Generate and validate MAC for cookies",
  "Implementation: Use SSL/TLS to protect cookie in transit",
  "Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.",
  "Implementation: Session tokens for specific host",
  "Design: Utilize strict type, character, and encoding enforcement",
  "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.",
  "Design: Use browser technologies that do not allow client side scripting.",
  "Implementation: Perform input validation for all remote content, including remote and user-generated content",
  "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
  "Implementation: Perform output validation for all remote content.",
  "Implementation: Disable scripting languages such as JavaScript in browser",
  "Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode",
  "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.",
  "Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)",
  "Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.",
  "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.",
  "Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.",
  "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.",
  "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.",
  "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.",
  "Configuration: Use HTTP/2 for back-end connections.",
  "Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:\n                  Headers with no space before the value \u201cchunked\u201d\n                  Headers with extra spaces\n                  Headers beginning with trailing characters\n                  Headers providing a value \u201cchunk\u201d instead of \u201cchunked\u201d (the server normalizes this as chunked encoding)\n                  Headers with multiple spaces before the value \u201cchunked\u201d\n                  Headers with quoted values (whether single or double quotations)\n                  Headers with CRLF characters before the value \u201cchunked\u201d\n                  Values with invalid characters\n               \n            ",
  "Configuration: front-end HTTP agents notice ambiguous requests.",
  "Configuration: Use the same web server software for front-end and back-end server.",
  "Configuration: Disable reuse of back-end connections.",
  "Configuration: Use HTTP/2 for back-end connections.",
  "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.",
  "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.",
  "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.",
  "Configuration: Disable reuse of back-end connections.",
  "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.",
  "Configuration: front-end HTTP agents notice ambiguous requests.",
  "Configuration: Use the same web server software for front-end and back-end server.",
  "Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)",
  "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.",
  "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.",
  "Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.",
  "Design: Enforce principle of least privilege",
  "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.",
  "Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.",
  "Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.",
  "Design: Enforce principle of least privilege",
  "Implementation: Host integrity monitoring",
  "Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program",
  "One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic \"message authentication code\" (or hMAC) is prescribed. However, this guidance is not a panacea. In particular, any value created by (and therefore encrypted by) the client, which itself is a \"malicious\" value, all the protective cryptography in the world can't make the value 'correct' again. Put simply, if the client has control over the whole process of generating and encoding the value, then simply protecting its integrity doesn't help.",
  "Make sure that all session tokens use a good source of randomness",
  "Perform validation on the server side to make sure that client side data tokens are consistent with what is expected.",
  "Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash)",
  "Design: Ensure that terminals are only writeable by named owner user and/or administrator",
  "Design: Enforce principle of least privilege",
  "Design: Perform validation on email header data",
  "Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header variables such as dns names",
  "Implementation: Implement email filtering solutions on mail server or on MTA, relay server.",
  "\n               Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.\n               For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):\n               Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,T=DNS/RFC822/X-Unix,A=mail -d $u\n                  Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,D=$z:/,T=X-Unix,A=sh -c $u\n               \n               This can be achieved for the \"Mlocal\" and \"Mprog\" Mailers by modifying the \".mc\" file to include the following lines:\n               define(`LOCAL_MAILER_FLAGS',ifdef(`LOCAL_MAILER_FLAGS',`translit(LOCAL_MAILER_FLAGS, `9')',`rmn'))\n                  \n                  define(`LOCAL_SHELL_FLAGS',ifdef(`LOCAL_SHELL_FLAGS',`translit(LOCAL_SHELL_FLAGS, `9')',`eu'))\n                  \n               \n               and then rebuilding the sendmail.cf file using m4(1).\n               From \"Exploiting Software\", please see reference below.\n            ",
  "Use mail.local",
  "Stay up to date with third party vendor patches",
  "Use the sendmail restricted shell program (smrsh)",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist would not be permitted to enter into the system.",
  "Make sure to perform input validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters.",
  "An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it.",
  "Design: Static code analysis",
  "Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes",
  "Perform appropriate bounds checking on all buffers.",
  "Implementation: Keep software patched to ensure that known vulnerabilities are not available for attackers to target on host.",
  "Design: Enforce principle of least privilege",
  "Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.",
  "Use OS-level preventative functionality. Not a complete solution.",
  "Always check the size of the input data before copying to a buffer.",
  "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
  "Use a language or compiler that performs automatic bounds checking.",
  "Pay attention to the resource pointed to by your symlink links (See attack pattern named \"Forced Symlink race\"), they can be replaced by malicious resources.",
  "Because Symlink can be modified by an attacker, make sure that the ones you read are located in protected directories.",
  "Use an abstraction library to abstract away risky APIs. Not a complete solution.",
  "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
  "Use a language or compiler that performs automatic bounds checking.",
  "Use an abstraction library to abstract away risky APIs. Not a complete solution.",
  "Do not trust input data from user. Validate all user input.",
  "Use OS-level preventative functionality. Not a complete solution.",
  "Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system",
  "Design: Use browser technologies that do not allow client side scripting.",
  "Implementation: Perform input validation for all remote content.",
  "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
  "Implementation: Disable scripting languages such as JavaScript in browser",
  "Implementation: Perform output validation for all remote content.",
  "Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.",
  "Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.",
  "Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.",
  "Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.",
  "E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.",
  "Ensure that your password recovery functionality is not vulnerable to an injection style attack.",
  "Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic.",
  "Implementation: Implement communications to and from the registry using secure protocols",
  "Design: Harden registry server and file access permissions",
  "Design: Enforce principle of least privilege",
  "Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.",
  "Properly handle Null characters. Make sure canonicalization is properly applied. Do not pass Null characters to the underlying APIs.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.",
  "Application designers can wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.",
  "Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.",
  "Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it.",
  "Design: Enforce principle of least privilege",
  "Design: Utilize defense in depth, do not rely on a single security mechanism like SSL",
  "Implementation: Implement message level security such as HMAC in the HTTP communication",
  "Design: Enforce principle of least privilege",
  "Implementation: Ensure that HTTP Get methods only retrieve state and do not alter state on the server side",
  "Implementation: Ensure that HTTP methods have proper ACLs based on what the functionality they expose",
  "Use a strong source of randomness to generate a session ID.",
  "Do not use information available to the user in order to generate session ID (e.g., time).",
  "Ideas for creating random numbers are offered by Eastlake [RFC1750]",
  "Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.",
  "Use adequate length session IDs",
  "Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94).",
  "Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.",
  "Encrypt the session data associated with the session ID.",
  "Always invalidate a session ID after the user logout.",
  "Setup a session time out for the session IDs.",
  "Use multifactor authentication.",
  "Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice.",
  "Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.",
  "Use session identifiers that are difficult to guess or brute-force: One way for the attackers to obtain valid session identifiers is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.",
  "Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context.",
  "Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with.",
  "Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions.",
  "In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.",
  "Design: Utilize strict type, character, and encoding enforcement",
  "Implementation: Perform input validation for all remote content.",
  "Design: Use browser technologies that do not allow client side scripting.",
  "Implementation: Session tokens for specific host",
  "Implementation: Perform output validation for all remote content.",
  "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.",
  "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
  "Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.",
  "Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.",
  "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.",
  "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).",
  "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.",
  "Refer to the RFCs to safely decode URL.",
  "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.",
  "Operation: Use \"ifconfig/ipconfig\" or other tools to detect the sniffer installed in the network.",
  "Implementation: Use SSL, SSH, SCP.",
  "Design: Encrypt all communication between the client and server.",
  "Use of parameterized queries or stored procedures - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. Note that SQL Injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically.",
  "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.",
  "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.",
  "\n               The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog():\n               syslog(LOG_ERR, \"%s\", cmdBuf);\n               The following code shows a vulnerable usage of Syslog():\n               syslog(LOG_ERR, cmdBuf);\n                     // the buffer cmdBuff is taking user supplied data.\n                  \n               \n            ",
  "If an attacker cannot attack the scheme directly, they might try to alter the environment that affects the signing and verification processes. A possible mitigation is to avoid reliance on flags or environment variables that are user-controllable.",
  "A given code signing scheme may be fallible due to improper use of cryptography. Developers must never roll out their own cryptography, nor should existing primitives be modified or ignored.",
  "Validate all untrusted data.",
  "Apply the latest patches.",
  "Avoid revealing information about your system (e.g., version of the program) to anonymous users.",
  "Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code.",
  "Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them.",
  "Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs.",
  "Monitor traffic and resource usage and pay attention if resource exhaustion occurs.",
  "Protect your log file from unauthorized modification and log forging.",
  "If possible use a sandbox model which limits the actions that programs can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage.",
  "Apply the principle of least privilege.",
  "Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.",
  "Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.",
  "Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.",
  "Delete all default account credentials that may be put in by the product vendor.",
  "Ensure that filtering or input validation is applied to canonical data.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.",
  "Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII.",
  "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.",
  "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).",
  "Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.",
  "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)",
  "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.",
  "Refer to the RFCs to safely decode URL.",
  "Implementation: Scan dynamically generated content against validation specification",
  "Design: Use browser technologies that do not allow client side scripting.",
  "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
  "Implementation: Perform input validation for all remote content.",
  "Implementation: Disable scripting languages such as JavaScript in browser",
  "Implementation: Perform output validation for all remote content.",
  "Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.",
  "Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.",
  "All possible states must be handled by hardware finite state machines.",
  "Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.",
  "Implementation: Enforce audit logging on code and configuration promotion procedures.",
  "Design: Backup copies of all configuration files",
  "Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD",
  "Design: Enforce principle of least privilege",
  "Implementation: Integrity monitoring for configuration files",
  "Design: Ensure all input is validated, and does not contain file system commands",
  "Design: Enforce principle of least privilege.",
  "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.",
  "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.",
  "Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.",
  "Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data.",
  "\n               Do not allow override of global variables and do Not Trust Global Variables.\n               If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables.\n            ",
  "A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should be rejected by the program.",
  "Use encapsulation when declaring your variables. This is to lower the exposure of your variables.",
  "Be aware of the threat of alternative method of data encoding.",
  "Regular expressions can be used to filter out backslash. Make sure you decode before filtering and validating the untrusted input data.",
  "Verify that the user-supplied data does not use backslash character to escape malicious characters.",
  "Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.",
  "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.",
  "In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the application based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.",
  "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)",
  "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)",
  "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Refer to the RFCs to safely decode URL.",
  "In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access.",
  "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.",
  "Test your path decoding process against malicious input.",
  "The Unicode Consortium recognized multiple representations to be a problem and has revised the Unicode Standard to make multiple representations of the same code point with UTF-8 illegal. The UTF-8 Corrigendum lists the newly restricted UTF-8 range (See references). Many current applications may not have been revised to follow this rule. Verify that your application conform to the latest UTF-8 encoding specification. Pay extra attention to the filtering of illegal characters.",
  "\n               The exact response required from an UTF-8 decoder on invalid input is not uniformly defined by the standards. In general, there are several ways a UTF-8 decoder might behave in the event of an invalid byte sequence:\n               \n                  \n                     1. Insert a replacement character (e.g. '?', '').\n                     2. Ignore the bytes.\n                     3. Interpret the bytes according to a different character encoding (often the ISO-8859-1 character map).\n                     4. Not notice and decode as if the bytes were some similar bit of UTF-8.\n                     5. Stop decoding and report an error (possibly giving the caller the option to continue).\n                  \n               \n               It is possible for a decoder to behave in different ways for different types of invalid input.\n               RFC 3629 only requires that UTF-8 decoders must not decode \"overlong sequences\" (where a character is encoded in more bytes than needed but still adheres to the forms above). The Unicode Standard requires a Unicode-compliant decoder to \"...treat any ill-formed code unit sequence as an error condition. This guarantees that it will neither interpret nor emit an ill-formed code unit sequence.\"\n               Overlong forms are one of the most troublesome types of UTF-8 data. The current RFC says they must not be decoded but older specifications for UTF-8 only gave a warning and many simpler decoders will happily decode them. Overlong forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done.\n               To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text that the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.\n               Another consideration is error recovery. To guarantee correct recovery after corrupt or lost bytes, decoders must be able to recognize the difference between lead and trail bytes, rather than just assuming that bytes will be of the type allowed in their position.\n            ",
  "For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. If you use a parser to decode the UTF-8 encoding, make sure that parser filter the invalid UTF-8 characters (invalid forms or overlong forms).",
  "Look for overlong UTF-8 sequences starting with malicious pattern. You can also use a UTF-8 decoder stress test to test your UTF-8 parser (See Markus Kuhn's UTF-8 and Unicode FAQ in reference section)",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.",
  "Design: Validate all log data before it is output",
  "Design: Use input validation before writing to web log",
  "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.",
  "Use of parameterized XPath queries - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails.",
  "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XPath expression. Characters such as a single-quote(') or operators such as or (|), and (&) and such should be filtered if the application does not expect them in the context in which they appear. If such content cannot be filtered, it must at least be properly escaped to avoid them being interpreted as part of XPath expressions.",
  "Implementation: Run xml parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.",
  "Design: Perform input allowlist validation on all XML input",
  "Design: Use browser technologies that do not allow client side scripting.",
  "Implementation: Perform input validation for all remote content.",
  "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
  "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.",
  "Implementation: Perform output validation for all remote content.",
  "Implementation: Disable scripting languages such as JavaScript in browser",
  "Implementation: Session tokens for specific host",
  "Implementation: Perform input validation for all remote content.",
  "Design: Use browser technologies that do not allow client side scripting.",
  "Design: Utilize strict type, character, and encoding enforcement",
  "Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.",
  "Authenticate request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context.",
  "Forceful browsing can also be made difficult to a large extent by not hard-coding names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context.",
  "All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.",
  "Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands",
  "Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.",
  "All sensitive information must be handled over a secure connection.",
  "End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority.",
  "Known vulnerabilities in DNS or router software or in operating systems must be patched as soon as a fix has been released and tested.",
  "The server must initiate the handshake by issuing the challenge. This ensures that the client has to respond before the exchange can move any further",
  "The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values.",
  "Introducing a random nonce with each new connection ensures that the attacker cannot employ two connections to attack the authentication protocol",
  "Always do bound checking before consuming user input data.",
  "Use a language or compiler that performs automatic bounds checking.",
  "Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.",
  "Use an abstraction library to abstract away risky APIs. Not a complete solution.",
  "Carefully control access to physical log files.",
  "Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.",
  "Use static analysis tools to identify log forging vulnerabilities.",
  "Use synchronization to control the flow of execution.",
  "Do not allow tainted data to be written in the log file without prior input validation. An allowlist may be used to properly validate the data.",
  "Exchange public keys using a secure channel",
  "Use Strong mutual authentication to always fully authenticate both ends of any communications channel.",
  "Encrypt communications using cryptography (e.g., SSL/TLS)",
  "Ensure Public Keys are signed by a Certificate Authority",
  "Ensure the WSDL does not expose functions and APIs that were not intended to be exposed.",
  "Review the functions exposed by the WSDL interface (especially if you have used a tool to generate it). Make sure that none of them is vulnerable to injection.",
  "Pay attention to the function naming convention (within the WSDL interface). Easy to guess function name may be an entry point for attack.",
  "It is important to protect WSDL file or provide limited access to it.",
  "Validate the received messages against the WSDL Schema. Incomplete solution.",
  "Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion.",
  "Use proven cryptographic algorithms with recommended key sizes.",
  "\n               Ensure that the algorithms are used properly. That means:\n               \n                  \n                     1. Not rolling out your own crypto; Use proven algorithms and implementations.\n                     2. Choosing initialization vectors with sufficiently random numbers\n                     3. Generating key material using good sources of randomness and avoiding known weak keys\n                     4. Using proven protocols and their implementations.\n                     5. Picking the most appropriate cryptographic algorithm for your usage context and data\n                  \n               \n            ",
  "Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.",
  "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
  "If you have to use dangerous functions, make sure that you do boundary checking.",
  "Use OS-level preventative functionality. Not a complete solution.",
  "Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.",
  "Use secure functions not vulnerable to buffer overflow.",
  "Use a language or compiler that performs automatic bounds checking.",
  "Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them",
  "All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive",
  "Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead",
  "Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks.",
  "Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.",
  "When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.",
  "If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.",
  "Turn off JavaScript, Flash and disable CSS.",
  "Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone",
  "Ensure proper HTML output encoding before writing user supplied data to the page",
  "Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum",
  "Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone",
  "Disable script execution.",
  "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.",
  "Configuration: Disable reuse of back-end connections.",
  "Configuration: Use HTTP/2 for back-end connections.",
  "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.",
  "Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)",
  "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.",
  "Configuration: Use the same web server software for front-end and back-end server.",
  "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.",
  "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.",
  "Configuration: front-end HTTP agents notice ambiguous requests.",
  "Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.",
  "Patch web browser against known security origin policy bypass exploits.",
  "Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument).",
  "Disable MSSQL xp_cmdshell directive on the database",
  "Properly validate the data (syntactically and semantically) before writing it to the database.",
  "Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework",
  "Ensure to keep up to date with security relevant updates to the persistence framework used within your application.",
  "Properly validate and sanitize/reject user input at the service provider.",
  "Ensure that prepared statements or other mechanism that enables parameter binding is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query.",
  "At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly.",
  "Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.",
  "Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario.",
  "Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.",
  "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).",
  "Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.",
  "Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.",
  "Use a secret space that is well known and with no known patterns that may reduce functional size.",
  "Remove potentially sensitive information that is not necessary for the application's functionality.",
  "Minimize error/response output to only what is necessary for functional use or corrective language.",
  "Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties.",
  "Refer to the RFCs to safely decode URL.",
  "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.",
  "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.",
  "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.",
  "Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.",
  "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).",
  "Ensure that production systems to not contain non-production interfaces and that these interfaces are only used in development environments.",
  "Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.",
  "To help protect an application from buffer manipulation attacks, a number of potential mitigations can be leveraged. Before starting the development of the application, consider using a code language (e.g., Java) or compiler that limits the ability of developers to act beyond the bounds of a buffer. If the chosen language is susceptible to buffer related issues (e.g., C) then consider using secure functions instead of those vulnerable to buffer manipulations. If a potentially dangerous function must be used, make sure that proper boundary checking is performed. Additionally, there are often a number of compiler-based mechanisms (e.g., StackGuard, ProPolice and the Microsoft Visual Studio /GS flag) that can help identify and protect against potential buffer issues. Finally, there may be operating system level preventative functionality that can be applied.",
  "Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits.",
  "Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed.",
  "Ensure that protocols have specific limits of scale configured.",
  "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.",
  "Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.",
  "Implementation: Perform input validation for all remote content, including remote and user-generated content.",
  "Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.",
  "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.",
  "Implementation: Use indirect references rather than actual file names.",
  "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.",
  "Design: Configure the access control correctly.",
  "Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.",
  "Implementation: Use possible permissions on file access when developing and deploying web applications.",
  "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.",
  "Design: Enforce principle of least privilege.",
  "3. Suppressing error messages: using error 403 \"Forbidden\" message exactly like error 404 \"Not Found\" message.",
  "1. Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors.",
  "2. Preventing with .htaccess in Apache web server: In .htaccess, write \"Options-indexes\".",
  "Limit the amount of resources that are accessible to unprivileged users.",
  "Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.",
  "Assume all input is malicious. Consider all potentially relevant properties when validating input.",
  "Use resource-limiting settings, if possible.",
  "If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that have been deallocated).",
  "Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.)",
  "Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function.",
  "Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.",
  "Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.",
  "Design: Minimize switch and option functionality to only that necessary for correct function of the command.",
  "Implementation: Remove all debug and testing options from production code.",
  "Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.",
  "Limit the usage of formatting string functions.",
  "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content.",
  "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application.",
  "Treat all user input as untrusted data that must be validated before use.",
  "Implement an audit log written to a separate host. In the event of a compromise, the audit log may be able to provide evidence and details of the compromise.",
  "Implementation: Use possible permissions on file access when developing and deploying web applications.",
  "Implementation: Use indirect references rather than actual file names.",
  "Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.",
  "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement",
  "Implementation: Perform input validation for all remote content, including remote and user-generated content.",
  "Implementation: Prefer working without user input when using file system calls",
  "Configuration: Disable client side caching.",
  "Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes.",
  "Configuration: Disable client side DNS caching.",
  "Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.",
  "Configuration: Make sure your DNS servers have been updated to the latest versions",
  "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.",
  "Design: Protect the schema against unauthorized modification.",
  "Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.",
  "Implementation: Provide for network flow control and traffic shaping to control access to the resources.",
  "Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.",
  "Employ robust authentication processes (e.g., multi-factor authentication).",
  "Monitor network activity to detect any anomalous or unauthorized communication exchanges.",
  "Encrypt sensitive information when transmitted on insecure mediums to prevent interception.",
  "Obfuscate network traffic through encryption to prevent its readability by network sniffers.",
  "Employ appropriate levels of segmentation to your network in accordance with best practices.",
  "Implementation: Check the integrity of the dynamically linked libraries before use them.",
  "Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries.",
  "Implementation: Restrict the permission to modify the entries in the configuration file.",
  "Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.",
  "Do not follow any links that you receive within text messages and do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. Safe practices also include leveraging the entity's mobile application or directly typing the entity's URL in the browser and only then logging in. Never reply to any text messages that ask you to provide sensitive information of any kind.",
  "Implementation: Use products that are Alternate Data Stream aware for virus scanning and system security operations.",
  "Design: Use FAT file systems which do not support Alternate Data Streams.",
  "Implementation: Use Vista dir with the -R switch or utility to find Alternate Data Streams and take appropriate action with those discovered.",
  "Encrypt and password-protect sensitive data.",
  "Shut down unnecessary services/ports.",
  "Curtail unexpected input.",
  "Avoid including information that has the potential to identify and compromise your organization's security such as access to business plans, formulas, and proprietary documents.",
  "Keep patches up to date by installing weekly or daily if possible.",
  "Change default passwords by choosing strong passwords.",
  "Implementation: Obfuscate database type in Database API's error message.",
  "Implementation: Hide HTTP response header software information filed.",
  "Implementation: Hide cookie's software information filed.",
  "Implementation: Hide inner ordering of HTTP response header.",
  "Implementation: Obfuscate server fields of HTTP response.",
  "Implementation: Customizing HTTP error codes such as 404 or 500.",
  "Implementation: Hide URL file extension.",
  "Implementation: Appropriately deal with error messages.",
  "An organization should provide regular, robust cybersecurity training to its employees.",
  "Avoid interacting with suspicious sites or clicking suspicious links.",
  "User input must be sanitized according to context before reflected back to the user. The JavaScript function 'encodeURI' is not always sufficient for sanitizing input intended for global Flash parameters. Extreme caution should be taken when saving user input in Flash cookies. In such cases the Flash file itself will need to be fixed and recompiled, changing the name of the local shared objects (Flash cookies).",
  "Configuration: Properly configure the crossdomain.xml file to only include the known domains that should host remote flash movies.",
  "Implementation: Only allow known URL to be included as remote flash movies in a flash application",
  "Design: Configure the access control correctly.",
  "Implementation: use validation on both client and server side.",
  "Implementation: use crossdomain.xml file to allow the application domain to load stuff or the SWF file called by other domain.",
  "Implementation: use SSL when loading external data",
  "Implementation: remove sensitive information such as user name and password in the SWF file.",
  "Implementation: remove debug information.",
  "Validate software updates before installing.",
  "Employ code obfuscation techniques to prevent the adversary from reverse engineering the targeted entity.",
  "Implementation: Make use of indirect references passed in URL parameters instead of file names",
  "Implementation: Only allow known files to be included (allowlist)",
  "Configuration: Ensure that remote scripts cannot be include in the \"include\" or \"require\" PHP directives",
  "Implementation: Perform input validation for all remote content, including remote and user-generated content",
  "Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.",
  "Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.",
  "Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.",
  "Implementation: For XML based data - disable altogether the use of inline DTD schemas when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.",
  "Implementation: Normalize, filter and use an allowlist for any input that will be used in error messages.",
  "Design: Use libraries and templates that minimize unfiltered input.",
  "Implementation: The victim should configure the browser to minimize active content from untrusted sources.",
  "Implementation: Perform input validation for all remote content, including remote and user-generated content",
  "Design: Utilize strict type, character, and encoding enforcement",
  "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
  "Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.",
  "Design: Use browser technologies that do not allow client side scripting.",
  "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.",
  "Implementation: Perform output validation for all remote content.",
  "Implementation: Disable scripting languages such as JavaScript in browser",
  "Configure the serialized data processor to only retrieve external entities from trusted sources.",
  "Employ robust identification and audit/blocking using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.",
  "Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.",
  "Ensure proper permissions are set for Registry hives to prevent users from modifying keys.",
  "Design: Use obfuscation and other techniques to prevent reverse engineering the client code.",
  "Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.",
  "Design: Ship client-side application with integrity checks (code signing) when possible.",
  "When implementing security features, consider how they can be misused and compromised.",
  "Perform comprehensive threat modeling, a process of identifying, evaluating, and mitigating potential threats to the application. This effort can help reveal potentially obscure application functionality that can be manipulated for malicious purposes.",
  "Design: wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.",
  "Implementation: Obfuscate server fields of HTTP response.",
  "Implementation: Hide cookie's software information filed.",
  "Implementation: Customizing HTTP error codes such as 404 or 500.",
  "Design: Construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.",
  "Implementation: Hide HTTP response header software information filed.",
  "Implementation: Hide inner ordering of HTTP response header.",
  "Implementation: Obfuscate database type in Database API's error message.",
  "Design the communication system such that it associates proper authentication/authorization with each channel/message.",
  "Encrypt all sensitive communications using properly-configured cryptography.",
  "Usage of configuration settings, such as stream ciphers vs. block ciphers and setting timeouts on SSL sessions to extremely low values lessens the potential impact. Use of later versions of TLS (e.g. TLS 1.1+) can also be effective, but not all clients or servers support the later versions.",
  "Implementation: Clients should only trust UDDI, ebXML, or similar messages that are verifiably signed by a trusted party.",
  "Design: Specify maximum number intermediate nodes for the request and require SSL connections with mutual authentication.",
  "Implementation: Use SSL for connections between all parties with mutual authentication.",
  "This attack may be mitigated by tweaking the serialized data parser to not resolve external entities. If external entities are needed, then implement a custom resolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.",
  "This attack may be mitigated by tweaking the XML parser to not resolve external entities. If external entities are needed, then implement a custom XmlResolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.",
  "Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.",
  "Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.",
  "Configuration: Disable iFrames in the Web browser.",
  "While some information is shared by systems automatically based on standards and protocols, remove potentially sensitive information that is not necessary for the application's functionality as much as possible.",
  "Potential mitigations include requiring a unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, or limiting access to the resource to one access per IP address. In such scenarios, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such defenses.",
  "Implementation: Disallow the inclusion of DTDs as part of incoming messages.",
  "Implementation: Use XML parsing tools that protect against DTD attacks.",
  "Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.",
  "Mitigation may limit the number of configuration parameters per dataset.",
  "This attack may be mitigated completely by using a parser that is not using a vulnerable container.",
  "Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. Ensure that the resultant data is safe to pass to the data parser.",
  "Perform validation on canonical data.",
  "Pick a robust implementation of the data parser.",
  "Carefully validate and sanitize all user-controllable serialized data prior to passing it to the parser routine. Ensure that the resultant data is safe to pass to the parser.",
  "Pick a robust implementation of the serialized data parser.",
  "Validate data against a valid schema or DTD prior to parsing.",
  "Perform validation on canonical data.",
  "Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library.",
  "Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries.",
  "Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.",
  "Configuration: Get latest updates for the computer.",
  "Ensure all input content that is delivered to client is sanitized against an acceptable content specification.",
  "Enforce regular patching of software.",
  "Perform input validation for all content.",
  "Perform input validation for all content.",
  "Enforce regular patching of software.",
  "Ensure all input content that is delivered to client is sanitized against an acceptable content specification.",
  "Utilize strict type, character, and encoding enforcement",
  "Design: Use libraries and templates that minimize unfiltered input.",
  "Implementation: Normalize, filter and use an allowlist for all input including that which is not expected to have any scripting content.",
  "Implementation: The victim should configure the browser to minimize active content from untrusted sources.",
  "Implementation: Disable scripting languages such as JavaScript in browser",
  "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
  "Implementation: Perform input validation for all remote content, including remote and user-generated content",
  "Implementation: Perform output validation for all remote content.",
  "Design: Utilize strict type, character, and encoding enforcement.",
  "Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.",
  "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.",
  "Design: Use browser technologies that do not allow client side scripting.",
  "Implementation: Normalize, filter and sanitize all user supplied fields.",
  "Implementation: The victim should configure the browser to minimize active content from untrusted sources.",
  "Design: Use libraries and templates that minimize unfiltered input.",
  "Design: Use libraries and templates that minimize unfiltered input.",
  "Implementation: Normalize, filter and use an allowlist for any input that will be included in any subsequent web pages or back end operations.",
  "Implementation: The victim should configure the browser to minimize active content from untrusted sources.",
  "All user-controllable input should be validated and filtered for potentially unwanted characters. Using an allowlist for input is desired, but if use of a denylist approach is necessary, then focusing on command related terms and delimiters is necessary.",
  "Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter.",
  "Input should be parameterized, or restricted to data sections of a command, thus removing the chance that the input will be treated as part of the command itself.",
  "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.",
  "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XML data or a query.",
  "Implementation: Avoid passing user input to filesystem or framework API. If necessary to do so, implement a specific, allowlist approach.",
  "Minimize attacks by input validation and sanitization of any user data that will be used by the target application to locate a remote file to be included.",
  "If the server either verifies the correctness of the stated array size or if the server stops processing an array once the stated number of elements have been read, regardless of the actual array size, then this attack will fail. The former detects the malformed SOAP message while the latter ensures that the server does not attempt to load more data than was allocated for.",
  "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.",
  "Assume all input might use an improper representation. Use canonicalized data inside the application; all data must be converted into the representation used inside the application (UTF-8, UTF-16, etc.)",
  "Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.",
  "Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the schema document.",
  "Design: Protect the schema against unauthorized modification.",
  "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.",
  "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.",
  "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.",
  "Configuration: Use HTTP/2 for back-end connections.",
  "Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:\n                  Headers with no space before the value \u201cchunked\u201d\n                  Headers with extra spaces\n                  Headers beginning with trailing characters\n                  Headers providing a value \u201cchunk\u201d instead of \u201cchunked\u201d (the server normalizes this as chunked encoding)\n                  Headers with multiple spaces before the value \u201cchunked\u201d\n                  Headers with quoted values (whether single or double quotations)\n                  Headers with CRLF characters before the value \u201cchunked\u201d\n                  Values with invalid characters\n               \n            ",
  "Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.",
  "Configuration: front-end HTTP agents notice ambiguous requests.",
  "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.",
  "Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.",
  "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.",
  "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.",
  "Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)",
  "Configuration: Use the same web server software for front-end and back-end server.",
  "Configuration: Disable reuse of back-end connections.",
  "Design: Ensure that only legitimate HTTP verbs are allowed.",
  "Design: Do not use HTTP verbs as factors in access decisions.",
  "Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites.",
  "Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.",
  "Implementation: Reject HTTP request with a malicious Host header.",
  "Design: Ensure that function calls that should not be called by an unprivileged user are not accessible to them.",
  "Design: Range, size and value and consistency verification for any arguments supplied to applications and services from external sources and devise appropriate error response.",
  "Consider configuring firewall rules to block ICMP Echo requests and prevent replies. If not practical, monitor and consider action when a system has fast and a repeated pattern of requests that move incrementally through port numbers.",
  "Leverage stateful firewalls that allow for the rejection of a packet that is not part of an existing connection.",
  "Configure your firewall to block egress ICMP messages.",
  "Employ a robust network defense posture that includes an IDS/IPS system.",
  "FIN scans are detected via heuristic (non-signature) based algorithms, much in the same way as other scan types are detected. An IDS/IPS system with heuristic algorithms is required to detect them.",
  "Employ a robust network defensive posture that includes a managed IDS/IPS.",
  "Employ a robust network defensive posture that includes a managed IDS/IPS.",
  "Typically, an IDS/IPS system is very effective against this type of attack.",
  "UDP scanning is complicated by rate limiting mechanisms governing ICMP error messages.",
  "Firewalls or ACLs which block egress ICMP error types effectively prevent UDP scans from returning any useful information.",
  "Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "Individuals should avoid complying with suspicious requests.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "Avoid sharing unnecessary information during interactions beyond what is absolutely required for effective communication.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.",
  "Leverage anti-virus products to detect and quarantine software with known virus.",
  "Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.",
  "Assess software and software components during development and prior to deployment to ensure that they function as intended and without any malicious functionality.",
  "Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.",
  "Leverage anti-virus products to detect and quarantine software with known virus.",
  "Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.",
  "Assess design documentation prior to development to ensure that they function as intended and without any malicious functionality.",
  "Ensure that design documentation is saved in a secure location and has proper access controls set in place to avoid unnecessary modification.",
  "Leverage anti-virus products to detect and quarantine software with known virus.",
  "Leverage anti-virus products to detect stop operations with known virus.",
  "Do not connect untrusted USB devices to systems connected on an organizational network. Additionally, use an isolated testing machine to validate untrusted devices and confirm malware does not exist.",
  "Use anti-virus and anti-malware tools which can prevent malware from executing if it finds its way onto a target system. Additionally, make sure these tools are regularly updated to contain up-to-date virus and malware signatures.",
  "Ensure that proper, physical system access is regulated to prevent an adversary from physically connecting a malicious USB device themself.",
  "Certification Authorities need to stop using deprecated or cryptographically insecure hashing algorithms to hash the certificates that they are about to sign. Instead they should be using stronger hashing functions such as SHA-256 or SHA-512.",
  "Implementation: Use strict regular expressions in URL rewriting",
  "Design: Perform URL encoding",
  "Implementation: Beware of multiple occurrences of a parameter in a Query String",
  "Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests",
  "Design: Use a secure message authentication code (MAC) function such as an HMAC-SHA1",
  "Design: The browser's security model could be fixed to not leak timing information for cross domain requests",
  "Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests",
  "Implementation: Do not leak information back to the user as to any cryptography (e.g., padding) encountered during decryption.",
  "Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption",
  "Design: Browser's design needs to be changed to limit where cookies can be stored on the client side and provide an option to clear these cookies in all places, as well as another option to stop these cookies from being written in the first place.",
  "Design: Safari browser's private browsing mode is currently effective against evercookies.",
  "Configuration: Disable in the browser the execution of Java Script, Flash, SilverLight, etc.",
  "Design: Ensure that the transparent proxy uses an actual network layer IP address for routing requests. On the transparent proxy, disable the use of routing based on address information in the HTTP host header.",
  "Design: Tunnel communications through a secure proxy",
  "Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)",
  "Usage: Users should not open other tabs in the browser when using a social networking site.",
  "Usage: Users should always explicitly log out from the social networking sites when done using them.",
  "Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix.",
  "Implementation: Perform proper HTML encoding and URL escaping",
  "Design: Use load balancing mechanisms",
  "Configuration: Configure web server software to limit the waiting period on opened HTTP sessions",
  "Usage: Do not place any trust in the database host on the internal network. Authenticate and validate all network activity originating from the database host.",
  "Usage: Do not use the DBMS machine for anything else other than the database",
  "Design: Ensure that the DBMS login used by the application has the lowest possible level of privileges in the DBMS",
  "Design: Ensure that DBMS runs with the lowest possible level of privileges on the host machine and that it runs as a separate user",
  "Implementation: Remove / disable all unneeded / unused functions of the DBMS system that may allow an attacker to elevate privileges if compromised",
  "Design: Follow the defensive programming practices needed to protect an application accessing the database from SQL injection",
  "Configuration: Ensure that the DBMS is patched with the latest security patches",
  "Usage: Use an intrusion detection system to monitor network connections and logs on the database host.",
  "Design: Sign system DLLs so that unauthorized DLLs can be detected.",
  "Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected",
  "Configuration: Disable Java Script in the browser",
  "Ensure all remote methods are secured",
  "Restrict access to private keys from non-supervisory accounts",
  "Ensure all services are patched and up to date",
  "Restrict access to administrative personnel and processes only",
  "Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.",
  "Ensure the application is using parsing and data display techniques that will accurately display control characters, international symbols and markings, and ultimately recognize potential homograph attacks.",
  "Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data.",
  "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.",
  "Abide by the least privilege principle to avoid assigning users more privileges than necessary.",
  "Ensure virtualization software is current and up-to-date.",
  "Monitor connections, checking headers in traffic for contradictory domain names, or empty domain names.",
  "To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack.",
  "Ensure cryptographic elements have been sufficiently tested for weaknesses.",
  "To mitigate this type of an attack, modern firewalls drop UDP traffic destined for closed ports, and unsolicited UDP reply packets. A variety of other countermeasures such as universal reverse path forwarding and remote triggered black holing(RFC3704) along with modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.",
  "To mitigate this type of an attack, an organization can enable ingress filtering. Additionally modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.",
  "To mitigate this type of an attack, an organization can monitor the typical traffic flow. When spikes in usage occur, filters could examine traffic for indicators of bad behavior with respect to the web servers, and then create firewall rules to deny the malicious IP addresses. These patterns in the filter could be a combination of trained behavior, knowledge of standards as they apply to the web server, known patterns, or anomaly detection. Firewalling source IPs works since the HTTP is sent using TCP so the source IP can't be spoofed; if the source IP is spoofed is, then it's not legitimate traffic. Special care should be taken care with rule sets to ensure low false positive rates along with a method at the application layer to allow a valid user to begin using the service again. Another possible solution is using 3rd party providers as they have experts, knowledge, experience, and resources to deal with the attack and mitigate it before hand or while it occurs. The best mitigation is preparation before an attack, but there is no bulletproof solution as with ample resources a brute force attack may succeed.",
  "To mitigate this type of an attack, an organization can create rule based filters to silently drop connections if too many are attempted in a certain time period.",
  "To mitigate this type of an attack, an organization can attempt to identify the 3rd party services being used in an active attack and blocking them until the attack ends. This can be accomplished by filtering traffic for suspicious message patterns such as a spike in traffic where each response contains the same large block of data. Care should be taken to prevent false positive rates so legitimate traffic isn't blocked.",
  "Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.",
  "Implementation: For XML based data - disable altogether the use of inline DTD schemas when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.",
  "Test custom written Regex with fuzzing to determine if the Regex is a poor one. Add timeouts to processes that handle the Regex logic. If an evil Regex is found rewrite it as a good Regex.",
  "Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. One such method could be comparing the declared number of items in the array with the existing number of elements of the array. If these numbers don't match drop the SOAP packet at the web service layer.",
  "This attack may be mitigated by enforcing rules at the router following the guidance of RFC1858. The essential part of the guidance is creating the following rule \"IF FO=1 and PROTOCOL=TCP then DROP PACKET\" as this mitigated both tiny fragment and overlapping fragment attacks in IPv4. In IPv6 overlapping(RFC5722) additional steps may be required such as deep packet inspection. The delayed fragments may be mitigated by enforcing a timeout on the transmission to receive all packets by a certain time since the first packet is received. According to RFC2460 IPv6 implementations should enforce a rule to discard all fragments if the fragments are not ALL received within 60 seconds of the FIRST arriving fragment.",
  "This attack may be mitigated by changing default cache sizes to be larger at the OS level. Additionally rules can be enforced to prune the cache with shorter timeouts for packet reassembly as the cache nears capacity.",
  "This attack may be mitigated through egress filtering based on ICMP payload so a network is a \"good neighbor\" to other networks. Bad IP implementations become patched, so using the proper version of a browser or OS is recommended.",
  "Leverage file protection mechanisms to render these files accessible only to authorized parties.",
  "To mitigate this type of an attack, an application that may display sensitive information should clear the screen contents before a screenshot is taken. This can be accomplished by setting the key window's hidden property to YES. This code to hide the contents should be placed in both the applicationWillResignActive() and applicationDidEnterBackground() methods.",
  "To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication.",
  "The only known mitigation to this type of attack is to keep the malicious application off the system. There is nothing that can be done to the target application to protect itself from a malicious application that has been installed and executed.",
  "To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An 'explicit intent' is delivered to a specific application as declared within the intent, whereas an 'implicit intent' is directed to an application as defined by the Android operating system. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly (i.e., with appropriate security controls).",
  "Never use implicit intents for inter-application communication.",
  "To limit one's exposure to this type of attack, developers should avoid exporting components unless the component is specifically designed to handle requests from untrusted applications. Developers should be aware that declaring an intent filter will automatically export the component, exposing it to public access. Critical, state-changing actions should not be placed in exported components. If a single component handles both inter- and intra-application requests, the developer should consider dividing that component into separate components. If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations. Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component's exposure to a set of trusted applications. Finally, the return values of exported components can also leak private data, so developers should check the caller's identity prior to returning sensitive values.",
  "To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads.",
  "The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.",
  "The only known mitigation to this attack is to avoid installing the malicious application on the device. Applications usually have to declare the schemes they wish to register, so detecting this during a review is feasible.",
  "To mitigate this type of attack, physical security techniques such as locks doors, alarms, and monitoring of targets should be implemented.",
  "Be mindful of your surroundings when discussing or viewing sensitive information in public areas.",
  "Pertaining to insider threats, ensure that sensitive information is not displayed to nor discussed around individuals without need-to-know access to said information.",
  "Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.",
  "Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.",
  "Monitor system and domain logs for abnormal access.",
  "Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.",
  "To limit one's exposure to this type of attack, tunnel communications through a secure proxy service.",
  "Detection of this type of attack can be done through heuristic analysis of behavioral anomalies (a la credit card fraud detection) which can be used to identify inhuman behavioral patterns. (e.g., spidering)",
  "Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.",
  "Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.",
  "Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.",
  "Implementation: Provide for network flow control and traffic shaping to control access to the resources.",
  "Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.",
  "Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.",
  "Keep patches up to date by installing weekly or daily if possible.",
  "Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.",
  "Deletion of data should be completed promptly when requested.",
  "Cloud providers should completely delete data to render it irrecoverable and inaccessible from any layer and component of infrastructure resources.",
  "Execute all suspicious files in a sandbox environment.",
  "Regularly patch all software.",
  "Implement system antivirus software that scans all attachments before opening them.",
  "Employ robust cybersecurity training for all employees.",
  "Limit privileges of user accounts so new service creation can only be performed by authorized administrators.",
  "Limit privileges of user accounts so service changes can only be performed by authorized administrators. Also monitor any service changes that may occur inadvertently.",
  "Prevent adversary access to privileged accounts necessary to install rootkits.",
  "Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. Use remote desktop gateways and multifactor authentication for remote logins.",
  "Inspect registry for changes. Limit privileges of user accounts so changes to default file handlers can only be performed by authorized administrators.",
  "Do not reuse local administrator account credentials across systems.",
  "Do not allow accounts to be a local administrator on more than one system.",
  "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.",
  "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.",
  "Monitor system and domain logs for abnormal credential access.",
  "Create a strong password policy and ensure that your system enforces this policy.",
  "Deny remote use of local admin credentials to log into domain systems.",
  "Ensure users are not reusing username/password combinations for multiple systems, applications, or services.",
  "Deny remote use of local admin credentials to log into domain systems.",
  "Do not allow accounts to be a local administrator on more than one system.",
  "Do not reuse local administrator account credentials across systems.",
  "Disallow shared content. Protect shared folders by minimizing users that have write access. Use utilities that mitigate exploitation like the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to prevent exploits from being run.",
  "Ensure proper permissions on directories that are accessible through a web server. Disallow remote access to the web root. Disable execution on directories within the web root. Ensure that permissions of the web server process are only what is required by not using built-in accounts and instead create specific accounts to limit unnecessary access or permissions overlap across multiple systems.",
  "Restrict write access to logon scripts to necessary administrators.",
  "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.",
  "Create a strong password policy and ensure that your system enforces this policy.",
  "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.",
  "Strong physical security can help reduce the ability of an adversary to install a keylogger.",
  "Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.",
  "Identify programs that may be used to acquire service information and block them by using a software restriction policy or tools that restrict program execution by uaing a process allowlist.",
  "Identify programs that may be used to acquire account information and block them by using a software restriction policy or tools that restrict program execution by uysing a process allowlist.",
  "Identify programs (such as \"net\") that may be used to enumerate local group permissions and block them by using a software restriction Policy or tools that restrict program execution by using a process allowlist.",
  "Ensure that proper permissions on files and folders are enacted to limit accessibility.",
  "Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.",
  "Changes to registry entries in \"HKLM\\Software\\Microsoft\\Windows NT\\Winlogon\\Notify\" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.",
  "Keep patches up to date by installing weekly or daily if possible.",
  "Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.",
  "Identify programs that may be used to acquire security tool information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.",
  "Ensure rigorous physical defensive measures to keep the adversary from accessing critical systems..",
  "Implement Secure BGP (S-BGP protocol), which improves authorization and authentication capabilities based on public-key cryptography.",
  "Implement Ingress filters to check the validity of received routes. However, this relies on the accuracy of Internet Routing Registries (IRRs) databases which are often not well-maintained.",
  "\n               Implementation: Validate object before deserialization process\n            ",
  "\n               Design: Limit which types can be deserialized.\n            ",
  "\n               Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.\n            ",
  "\n               Implementation: Keep session state on the server, when possible.\n            ",
  "Employ techniques such as frame busting, which is a method by which developers aim to prevent their site being loaded within a frame.",
  "Avoid clicking on untrusted links.",
  "Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM.",
  "Use browser technologies that do not allow client-side scripting.",
  "Ensure that all user-supplied input is validated before use.",
  "Avoid dependence on DNS",
  "Hard Coded Alternate DNS server in applications",
  "Ensure best practices with respect to communications channel protections.",
  "Include \"hosts file\"/IP address in the application.",
  "Use a .onion domain with Tor support",
  "Have a large pool of backup IPs built into the application and support proxy capability in the application.",
  "Utilize strict type, character, and encoding enforcement.",
  "Use browser technologies that do not allow client-side scripting.",
  "Ensure that all user-supplied input is validated before use.",
  "Ensure that all user-supplied input is validated before being stored.",
  "Use browser technologies that do not allow client-side scripting.",
  "Utilize strict type, character, and encoding enforcement.",
  "Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. If the user logs back in then a new session key should be generated.",
  "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.",
  "Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.",
  "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.",
  "Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.",
  "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.",
  "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.",
  "Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification using an allowlist approach.",
  "Implementation: Perform input validation for all remote content, including remote and user-generated content.",
  "Design: Enforce principle of least privilege.",
  "Implementation: Use possible permissions on file access when developing and deploying web applications.",
  "Implementation: Use indirect references rather than actual file names.",
  "Design: Configure the access control correctly.",
  "Implementation: DNSSEC",
  "Design: Include \"hosts file\"/IP address in the application",
  "Design: Avoid dependence on DNS",
  "Implementation: Utilize a .onion domain with Tor support",
  "Implementation: DNS-hold-open",
  "Do not reuse local administrator account credentials across systems.",
  "Monitor system and domain logs for abnormal credential access.",
  "Create a strong password policy and ensure that your system enforces this policy.",
  "Deny remote use of local admin credentials to log into domain systems.",
  "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.",
  "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.",
  "Ensure users are not reusing username/password combinations for multiple systems, applications, or services.",
  "Do not allow accounts to be a local administrator on more than one system.",
  "Countermeasures have been proposed for both disassociation flooding and RF jamming, however these countermeasures are not standardized and would need to be supported on both the retransmission device and the handset in order to be effective. Commercial products are not currently available that support jamming countermeasures for Wi-Fi.",
  "Mitigating this attack requires countermeasures employed on both the retransmission device as well as on the cell tower. Therefore, any system that relies on existing commercial cell towards will likely be vulnerable to this attack. By using a private cellular LTE network (i.e., a custom cell tower), jamming countermeasures could be developed and employed.",
  "Monitor cellular RF interface to detect the usage of weaker-than-expected cellular encryption.",
  "Use of hardened baseband firmware on retransmission device to detect and prevent the use of weak cellular encryption.",
  "Use of hardened baseband firmware on retransmission device to detect and prevent the use of weak cellular encryption.",
  "Monitor cellular RF interface to detect the usage of weaker-than-expected cellular encryption.",
  "Encryption of all data packets emanating from the smartphone to a retransmission device via two encrypted tunnels with Suite B cryptography, all the way to the VPN gateway at the datacenter.",
  "Commercial defensive technology to detect and alert to any attempts to modify mobile technology data flows or to inject new data into existing data flows and signaling data.",
  "When possible, use error-correcting (ECC) memory in local devices as non-ECC memory is significantly more vulnerable to faults.",
  "Authenticate all servers and perform redundant checks when using DNS hostnames.",
  "Automatic randomization of WiFi MAC addresses",
  "Frequent changing of handset and retransmission device",
  "Do not enable the feature of \"Hidden SSIDs\" (also known as \"Network Cloaking\") \u2013 this option disables the usual broadcasting of the SSID by the access point, but forces the mobile handset to send requests on all supported radio channels which contains the SSID. The result is that tracking of the mobile device becomes easier since it is transmitting the SSID more frequently.",
  "Frequently change the SSID to new and unrelated values",
  "Upgrade the SIM card to use the state-of-the-art AES or the somewhat outdated 3DES algorithm for OTA.",
  "Commercial defensive technology that monitors for rogue Wi-Fi access points, adversary-in-the-middle attacks, and anomalous activity with the mobile device baseband radios.",
  "Passively monitor cellular network connection for real-time threat detection and logging for manual review.",
  "Frequent changing of mobile number.",
  "Distort packet sizes and timing at VPN layer by adding padding to normalize packet sizes and timing delays to reduce information leakage via timing.",
  "Strong physical security of all devices that contain secret key information. (even when devices are not in use)",
  "Utilize side-channel resistant implementations of all crypto algorithms.",
  "None are known.",
  "Implement robust physical security countermeasures and monitoring.",
  "Strong physical security of all devices that contain secret key information. (even when devices are not in use)",
  "Frequent changes to secret keys and certificates.",
  "Strong physical security of the device.",
  "Authenticate all servers and perform redundant checks when using DNS hostnames.",
  "Purchase potential TypoSquatted domains and forward to legitimate domain.",
  "Purchase potential SoundSquatted domains and forward to legitimate domain.",
  "Authenticate all servers and perform redundant checks when using DNS hostnames.",
  "Utilize browsers that can warn users if URLs contain characters from different character sets.",
  "Authenticate all servers and perform redundant checks when using DNS hostnames.",
  "Prevent unknown code from executing on a system through the use of an allowlist policy.",
  "Patch installed applications as soon as new updates become available.",
  "Applications should insure that the content of the file is consistent with format it is expecting, and not depend solely on the file extension.",
  "Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.",
  "Employ a robust identification and audit/blocking via using an allowlist of applications on your system. Malware may contain the functionality associated with this attack pattern.",
  "While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality.",
  "Implement hardware RAID infrastructure.",
  "Leverage hardware components known to not be susceptible to these types of attacks.",
  "Verify that files have proper access controls set, and reduce the storage of sensitive information to only what is necessary.",
  "Leverage security kernel modules providing advanced access control and process restrictions like SELinux.",
  "Monitor API calls like CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and similar for Windows.",
  "Properly restrict the location of the software being used.",
  "Prevent unknown or malicious software from loading through using an allowlist policy.",
  "Monitor processes and command-line arguments for unknown behavior related to code injection.",
  "Monitor API calls like ptrace system call, use of LD_PRELOAD environment variable, dlfcn dynamic linking API calls, and similar for Linux.",
  "Monitor API calls like SetWindowsHookEx and SetWinEventHook which install hook procedures for Windows.",
  "Use of sxstrace.exe on Windows as well as manual inspection of the manifests.",
  "Require code signing and avoid using relative paths for resources.",
  "Prevent unknown DLLs from loading through using an allowlist policy.",
  "Patch installed applications as soon as new updates become available.",
  "Properly restrict the location of the software being used.",
  "Insure that binaries commonly used by the system have the correct file permissions. Set operating system policies that restrict privilege elevation of non-Administrators. Use auditing tools to observe changes to system services.",
  "Identify unnecessary system utilities or potentially malicious software that may contain functionality to identify network share information, and audit and/or block them by using allowlist tools.",
  "Monitor system and domain logs for abnormal credential access.",
  "Create a strong password policy and ensure that your system enforces this policy.",
  "Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.",
  "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.",
  "Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.",
  "Monitor system and domain logs for abnormal access.",
  "Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them.",
  "Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.",
  "Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.",
  "Employ robust identification and audit/blocking via using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.",
  "While screen capture is a legitimate and practical function, certain situations and context may require the disabling of this feature.",
  "Identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using allowlist tools.",
  "File extensions should be checked to see if non-visible characters are being included.",
  "Ensure that the file permissions in directories on the web server from which files can be execute is set to the \"least privilege\" settings, and that those directories contents is controlled by an allowlist.",
  "Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.",
  "If possible, physically disable the microphone on your machine if it is not needed.",
  "Be mindful of your surroundings when discussing sensitive information in public areas.",
  "Implement proper software restriction policies to only allow authorized software on your environment. Use of anti-virus and other security monitoring and detecting tools can aid in this too. Closely monitor installed software for unusual behavior or activity, and implement patches as soon as they become available.",
  "Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.",
  "Do not reuse Kerberos service account credentials across systems.",
  "Do not allow Kerberos service accounts to be a local administrator on more than one system.",
  "Enable at least AES Kerberos encryption for tickets.",
  "Monitor system and domain logs for abnormal credential access.",
  "Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.",
  "Deny remote use of Kerberos service account credentials to log into domain systems.",
  "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.",
  "Deny remote use of local admin credentials to log into domain systems.",
  "Create a strong password policy and ensure that your system enforces this policy.",
  "Monitor system and domain logs for abnormal credential access.",
  "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.",
  "Do not reuse local administrator account credentials across systems.",
  "Ensure users are not reusing username/password combinations for multiple systems, applications, or services.",
  "Do not allow accounts to be a local administrator on more than one system.",
  "The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.",
  "Do not accept calls from unknown numbers or from numbers that may be flagged as spam. Also, do not call numbers that appear on-screen after being unexpectedly redirected to potentially malicious websites. In either case, do not provide sensitive information over voice calls that are not legitimately initiated. Instead, call your Bank, PayPal, eBay, etc., via the number on their public-facing website and inquire about the problem.",
  "Inspect the application's memory for suspicious artifacts, such as shared objects/JARs or dylibs, after other Root/Jailbreak detection methods.",
  "Ensure mobile applications are signed appropriately to avoid code inclusion via hooking.",
  "Allow legitimate native methods, and check for non-allowed native methods during Root/Jailbreak detection methods.",
  "Inspect the application's stack trace for suspicious method calls.",
  "For iOS applications, ensure application methods do not originate from outside of Apple's SDK.",
  "Instantiate checks within the application code that ensures debuggers are not attached.",
  "Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.",
  "Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.",
  "Ensure browser sessions are regularly terminated and when their effective lifetime ends.",
  "Limit user permissions to prevent browser pivoting.",
  "Leverage anti-malware tools, which can detect Trojan Horse malware.",
  "Implementation: DAWG (Dynamically Allocated Way Guard) - processor cache properly divided between different programs/processes that don't share resources",
  "Implementation: KPTI (Kernel Page-Table Isolation) to completely separate user-space and kernel space page tables",
  "Configuration: Disable SharedArrayBuffer for Web Browsers",
  "Configuration: Architectural Design of Microcode to limit abuse of speculative execution and out-of-order execution",
  "Configuration: Privilege Checks on Cache Flush Instructions",
  "Implementation: Non-inclusive Cache Memories to prevent Flush+Reload Attacks",
  "Configuration: Disable Copy-on-Write between Cloud VMs",
  "Further down the process flow, examining the response and verifying that it is as expected before sending would be another way to secure the server.",
  "Handling incoming requests securely is the first line of action to mitigate this vulnerability. This can be done through URL validation.",
  "Enforce the usage of relevant URL schemas. By limiting requests be made only through HTTP or HTTPS, for example, attacks made through insecure schemas such as file://, ftp://, etc. can be prevented.",
  "Requiring authentication for local services adds another layer of security between the adversary and internal services running on the server. By enforcing local authentication, an adversary will not gain access to all internal services only with access to the server.",
  "Allowlist the DNS name or IP address of every service the web application is required to access is another effective security measure. This ensures the server cannot make external requests to arbitrary services.",
  "Configuration: Set Security Level to SL3 for Thunderbolt 2 system port",
  "Configuration: Disable PCIe tunneling to set Security Level to SL3",
  "Configuration: Enable UEFI option DisplayPort mode - Thunderbolt 3 system port operates as video-only DP interface",
  "Configuration: Enable UEFI option USB Passthrough mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface",
  "Implementation: Kernel Direct Memory Access Protection",
  "Configuration: Disable Boot Camp upon MacOS systems",
  "Configuration: Enable UEFI option Mixed USB/DisplayPort mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface with support for DP mode",
  "When using Bluetooth, set it to hidden or non-discoverable mode.",
  "Disable Bluetooth when not being used.",
  "Change default PIN passwords and always use one when connecting.",
  "Disable Bluetooth in public places.",
  "Verify incoming Bluetooth connections; do not automatically trust.",
  "Newer Bluetooth firmwares ensure that the KNOB is not negotaited in plaintext. Update your device.",
  "Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.",
  "Require elevated privileges for distribution of software and software updates.",
  "Avoid giving elevated privileges to developers.",
  "Have a security concept of operations (CONOPS) for the development environment that includes: Maintaining strict security administration and configuration management of requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools.",
  "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for hardware requirements and design.",
  "Utilize DMEA\u2019s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.",
  "Conduct detailed vendor assessment before acquiring COTS hardware.",
  "Require that provenance of COTS microelectronic components be known whenever procured.",
  "Require that provenance of COTS microelectronic components be known whenever procured.",
  "Conduct detailed vendor assessment before acquiring COTS hardware.",
  "Utilize DMEA\u2019s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.",
  "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.",
  "Employ intrusion detection and malware detection capabilities on IDE systems where feasible.",
  "Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.",
  "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.",
  "Utilize DMEA\u2019s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.",
  "Require that provenance of COTS microelectronic components be known whenever procured.",
  "Conduct detailed vendor assessment before acquiring COTS hardware.",
  "Exercise the principle of Least Privilege with regards to application accounts to minimize damage if a NoSQL injection attack is successful.",
  "If possible, leverage safe APIs (e.g., PyMongo and Flask-PyMongo for Python and MongoDB) for queries as opposed to building queries from strings.",
  "Additional mitigations will depend on the NoSQL database, API, and programming language leveraged by the application.",
  "If using PHP with MongoDB, ensure all special query operators (starting with $) use single quotes to prevent operator replacement attacks.",
  "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as relevant NoSQL and JavaScript content. NoSQL-specific keywords, such as $ne, $eq or $gt for MongoDB, must be filtered in addition to characters such as a single-quote(') or semicolons (;) based on the context in which they appear. Validation should also extend to expected types.",
  "Ensure the most recent version of a NoSQL database and it's corresponding API are used by the application.",
  "Use of custom error pages - Adversaries can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.",
  "If using MongoDB, disable server-side JavaScript execution and leverage a sanitization module such as \"mongo-sanitize\".",
  "Utilize contract language requiring contractors and subcontractors to flow down to subcontractors and suppliers SCRM and SCRA (Supply Chain Risk Assessment) requirements.",
  "Purchase IT systems, components and parts from government approved vendors whenever possible.",
  "Require that Bills of Material (BoM) for critical parts and components be certified.",
  "Establish trusted supplier networks.",
  "Conduct rigorous threat assessments of suppliers.",
  "Establish diversity among suppliers.",
  "Maintain configuration control over operational systems.",
  "Harden centralized repositories against attack.",
  "Plan for and audit the security of configuration management administration processes.",
  "Implement configuration management security practices that protect the integrity of software and associated data.",
  "Establish acceptance criteria for configuration management check-in to assure integrity.",
  "Monitor and control access to the configuration management system.",
  "If memory regions must overlap, leverage memory priority schemes if memory regions can overlap.",
  "Ensure that original and mirrored memory regions apply the same protections.",
  "Ensure that protected and unprotected memory ranges are isolated and do not overlap.",
  "Ensure immutable code or data is programmed into ROM or write-once memory.",
  "Leverage automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.",
  "Test security lock programming flow in both pre-silicon and post-silicon environments.",
  "Ensure that measurement data is stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent.",
  "Ensure security lock bit protections are reviewed for design inconsistencies and common weaknesses.",
  "Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.",
  "Test security identifier definition, access, and programming flow in both pre-silicon and post-silicon environments.",
  "Review generation of security identifiers for design inconsistencies and common weaknesses.",
  "Review security identifier decoders for design inconsistencies and common weaknesses."
]