Lack Of Exploit Mitigations
Lack of Exploit Mitigations
Overview of the Vulnerability
A lack of exploit mitigations in an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse the lack of exploit mitigations in order to run known exploits on the application. From here, the attacker can access sensitive data stored, transmitted or processed by the application and perform further attacks on the application, the business, or its users.
Business Impact
This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure.
Steps to Reproduce
Navigate to the source code files of the application
Run the following known exploit: {{payload}}
Observe that the application does not contain any mitigations to prevent this exploit
Proof of Concept (PoC)
The screenshot below shows the lack of exploit mitigation:
{{screenshot}}
Recommendation(s)
It is recommended that the application have exploit mitigation controls which prevent an attacker from analyzing, reverse engineering, or performing unauthorized code modifications. This can include jailbreak detections, source-code obfuscation, binary hardening, and runtime detection.
For further information, please refer to: https://owasp.org/www-project-mobile-top-10/2014-risks/m10-lack-of-binary-protections
Last updated