Cornucopia - Ecommerce Website - VE Q

Suit: Data Validation and Encoding

Card/Value: Q

Description:
Geoff can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes.

Technical Note:
Due to a failure of client-side input or output validation, encoding or sanitization, malicious code can be injected and treated as code rather than data, leading to code execution in the client application.

NB: This relates to actual exploitation of an injection vulnerability on the client-side. See VE K for the same attack server-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing/by-passable/badly-implemented input/output validation, encoding or sanitization).

References: