Using Google Remote Procedure Call (gRPC) channel security settings that are specified as to not be encrypted, do not support authentication, or lack the capacity of connection identity leaves the channel open to many forms of attack. Data sent with this insecure channel cannot be trusted.

Example 1: The following code shows a gRPC channel setup with insecure channel credentials

...
ManagedChannel channel = Grpc.newChannelBuilder("hostname", InsecureChannelCredentials.create()).build();
...

Using Google Remote Procedure Call (gRPC) server security settings that are specified as not be encrypted, or do not have the capacity of connection identity leaves the server open to many forms of attack. Data sent to and from this insecure server cannot be trusted.

Example 1: The following code shows a gRPC server setup with insecure server credentials

...
Server server = Grpc.newServerBuilderForPort(port, InsecureServerCredentials.create())
...

An HTTPS stripping attack is a type of man-in-the-middle attack where the attacker watches all the HTTP traffic for location headers and links that reference HTTPS and replaces them with HTTP ones. The attacker keeps a list of all HTTP substitutions made so that they can make the HTTPS request back to the server. All stripped HTTP connections are proxied out to the server over HTTPS. All traffic between the victim and the attacker is sent over HTTP, revealing usernames, passwords, and other private information, but the server is still receiving the expected HTTPS traffic from the attacker so nothing seems wrong.

HTTP Strict Transport Security (HSTS) is a security header that instructs the browser to always connect to the site that returning the HSTS headers over SSL/TLS during a period specified within the header. Any connection to the server over HTTP is automatically replaced with an HTTPS connection, even if the user types a URL with http:// in the browser's URL bar.

Example: The following code configures a Spring Security protected application to disable HSTS for subdomains:

	<http auto-config="true">
        ...
        <headers>
            ...
            <hsts include-sub-domains="false" />
        </headers>
	</http>

An HTTPS stripping attack is a type of man-in-the-middle attack where the attacker watches all the HTTP traffic for location headers and links that reference HTTPS and replaces them with HTTP versions. The attacker keeps a list of all HTTP substitutions made so that they can make the HTTPS request back to the server. All stripped HTTP connections are proxied out to the server over HTTPS. All traffic between the victim and the attacker is sent over HTTP, revealing usernames, passwords, and other private information, but the server is still receiving the expected HTTPS traffic from the attacker so nothing seems wrong.

HTTP Strict Transport Security (HSTS) is a security header that instructs the browser to always connect to the site that returning the HSTS headers over SSL/TLS during a period specified within the header. Any connection to the server over HTTP is automatically replaced with an HTTPS connection, even if the user types a URL with http:// in the browser's URL bar.

Example: The following code configures a Spring Security protected application to use a short expiration time:

    @Override 
    protected void configure(HttpSecurity http) throws Exception {
        http.httpStrictTransportSecurity().maxAgeInSeconds(300);
    }

SMTP command injection vulnerabilities occur when an attacker may influence the commands sent to an SMTP mail server.

1. Data enters the application from an untrusted source.

2. The data is used as or as part of a string representing a command that is executed by the application.

3. By executing the SMTP command, the attacker is able to instruct the server to carry out malicious actions such as sending spam.

Example 1: The following code uses an HTTP request parameter to craft a VRFY command that is sent to the SMTP server. An attacker may use this parameter to modify the command sent to the server and inject new commands using CRLF characters.

  ...
  String user = request.getParameter("user");
  SMTPSSLTransport transport = new SMTPSSLTransport(session,new URLName(Utilities.getProperty("smtp.server")));
  transport.connect(Utilities.getProperty("smtp.server"), username, password);
  transport.simpleCommand("VRFY " + user);
  ...
  

A cryptographic hash function is a one-way function that is considered practically impossible to invert; that is, to recreate the input data from its digest value alone. These hash functions were considered safe to store passwords in the past because even if an attacker could access the digest value for the original password, they wouldn't be able to recover the original password from the digest value. This was proved wrong, as attackers used a dictionary attack with "rainbow tables" so that they could pre-compute the digest value for millions of words/phrases and after they got a password digest, they only had to compare its value with the values stored within the "rainbow tables" to get back the original password. As the computational power of personal computers increased over time, this technique became obsolete and was rapidly replaced with a brute-force attack enabled by "GPU" units. Attackers no longer need to pre-compute the password hashes (which was almost impossible with the use of salts); now they have enough computational power to brute-force possible passwords byte by byte.

Example 1: The following shows an application configured to use Java Simplified Encryption (Jasypt) Password encoder that just uses an MD5 digest under the covers:

...
    <param name="foo" class="org.jasypt.util.password.BasicPasswordEncoder">
        ...
    </param>  
...

It is never a good idea to use an empty salt. Not only does an empty salt defeat its own purpose but all of the project's developers can view the salt. It makes fixing the problem extremely difficult because after the code is in production, the salt cannot be easily changed. If attackers know the value of the salt, they can compute "rainbow tables" for the application and easily determine the hashed values.

Example 1: The following code defines an empty salt for password hashing:

...
define('SECURE_AUTH_SALT', "");
...

This code runs successfully, but anyone who has access to it can see the salt. After the program ships, there is likely no way to change the empty salt. An employee with access to this information can use it to break into the system.