Lack Of Binary Hardening

Overview of the Vulnerability

A lack of binary hardening of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker with access to the code of an application with a lack of binary hardening can reverse engineer it and perform unauthorized code modification. From here, the attacker can access sensitive data stored, transmitted or processed by the application and perform further attacks on the application, the business, or its users.

Business Impact

This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure.

Steps to Reproduce

  1. Navigate to the source code files of the application

  2. Observe that there is no binary hardening for the application

Proof of Concept (PoC)

The screenshot below shows the lack of binary hardening:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot of how you exploited the vulnerability. Your submission must include evidence of the vulnerability and must not be theoretical in nature. For this finding, include a screenshot of the binary being vulnerable to some known exploit and of the application running.

Attempt to show that the lack of binary hardening could be used by a malicious attacker in some impactful way. If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

It is recommended that the application include binary hardening controls that prevent an attacker from analyzing, reverse engineering, or modifying its code without authorization. These can include jailbreak detection, source-code obfuscation, exploit mitigations, and runtime detection.
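As an added example, not part of this template or the OWASP reference, the following Python check parses an ELF64 program header table the way checksec-style tools do and reports whether a Linux or Android native binary is position-independent, has a non-executable stack, partial or full RELRO, and a stack-protector reference. `build_sample` produces constructed test images; real input would be a binary such as a `.so` extracted from an APK (iOS Mach-O binaries are out of scope here).

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_DYN = 2, 0x6474E551, 0x6474E552, 1, 3
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 24, 30, 0x6FFFFFFB, 8, 1
PHDR = "<IIQQQQQQ"  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align

def _has_bind_now(data, off, size):
    """True if the PT_DYNAMIC table requests immediate binding (needed for full RELRO)."""
    for pos in range(off, off + size, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, pos)
        if d_tag == 0:  # DT_NULL ends the table
            break
        if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (
                d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            return True
    return False

def check_hardening(data: bytes) -> dict:
    """Report PIE, NX stack, RELRO level and stack-canary presence for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    e_type, e_phoff = struct.unpack_from("<H", data, 16)[0], struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:  # missing PT_GNU_STACK or PF_X set => executable stack
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            bind_now = _has_bind_now(data, p_off, p_filesz)
    return {"pie": e_type == ET_DYN,  # ET_DYN also matches plain shared libraries
            "nx": nx,
            "relro": "full" if relro and bind_now else "partial" if relro else "none",
            # checksec-style heuristic: stack-protected binaries import __stack_chk_fail
            "canary": b"__stack_chk_fail" in data}

def build_sample(hardened: bool) -> bytes:
    """Constructed ELF64 image (test data, not a real program), with or without hardening."""
    def phdr(t, flags, off, size, align):
        return struct.pack(PHDR, t, flags, off, 0, 0, size, size, align)
    body, tail = phdr(PT_GNU_STACK, 6 if hardened else 7, 0, 0, 16), b""  # 7 = RWX stack
    if hardened:
        dyn = struct.pack("<qQqQ", DT_FLAGS_1, DF_1_NOW, 0, 0)  # DF_1_NOW entry, then DT_NULL
        body += phdr(PT_GNU_RELRO, 4, 0, 0, 1) + phdr(PT_DYNAMIC, 6, 64 + 3 * 56, len(dyn), 8)
        tail = dyn + b"__stack_chk_fail\0"
    hdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, ET_DYN if hardened else 2,
                      0x3E, 1, 0, 64, 0, 0, 64, 56, len(body) // 56, 64, 0, 0)
    return hdr + body + tail
```

Running `check_hardening(open(path, "rb").read())` on a real binary gives the evidence the Steps to Reproduce ask for; `pie` is only meaningful for executables, since shared libraries are ET_DYN by nature.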

For further information, please refer to: https://owasp.org/www-project-mobile-top-10/2014-risks/m10-lack-of-binary-protections
