Cornucopia - Ecommerce Website - VE J

Suit: Data Validation and Encoding

Card/Value: J

Description:
Dennis has control over input validation, output validation or output encoding code or routines so they can be bypassed.

Technical Note:
Validation and encoding are sometimes undertaken in client applications or external sources that interact with the system. This is a bad practice, as external sources are usually more vulnerable to attacks, can be spoofed and are generally less accountable for malicious behaviour. An attacker can try to bypass these routines using non-controlled unexpected behaviour: In general, all validation and encoding routines should be on the server-side using robust, tested and protected routines.
 * Modifying/deleting code.
 * Generating unexpected handcrafted requests.
 * Use an automated exploring tool (web crawler) to get information about the file structure and then try to access well known resource locations.
 * Abusing an ill-defined zone of trust.
 * Modifying data between the client application and the server (e.g. Trojan, modification in transit)
 * XSS.

NB: Unlike other cards in this suit, this VE J relates to an attacker being able to change the executing code. This may be due to inadequate source code control, deployment controls or server protection, but is more often a standard feature of client-side code.

References:
« Previous Card | Data Validation and Encoding | Next Card »