Cornucopia - Ecommerce Website - VE K

Suit: Data Validation and Encoding

Card/Value: K

Description:
Gabe can inject data into a server-side interpreter (e.g. SQL, OS commands, XPath, server-side JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly.

Technical Note:
Due to a failure of server-side input or output validation, encoding or sanitization, malicious code can be injected and treated as code rather than data, leading to code execution in the server application.

NB: This relates to actual exploitation of an injection vulnerability on the server side. See VE Q for the same attack client-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing/bypassable/badly-implemented input/output validation, encoding or sanitization).
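The following is an added illustration, not part of the Cornucopia card: the same product lookup written once by splicing input into the statement text (the defect this card describes) and once through a strongly typed parameterised interface, run against a constructed in-memory SQLite catalogue so the difference in behaviour can be observed directly.

```python
"""Added example (not from the Cornucopia card): one SQL lookup written two ways.

Everything here is constructed: an in-memory SQLite database with a few sample
rows stands in for the e-commerce product catalogue."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample catalogue; the unpublished row models data that a
    # shopper's query must never return.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Kettle", 1), ("A200", "Toaster", 1), ("X999", "Unreleased gadget", 0)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, sku: str) -> list:
    # The defect the card describes: the caller's input becomes part of the
    # statement text, so the interpreter cannot tell data from code.
    sql = "SELECT name FROM products WHERE published = 1 AND sku = '" + sku + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, sku: str) -> list:
    # Parameterised interface: the statement text is fixed at development time
    # and the value is bound separately, so any input is compared as a literal.
    sql = "SELECT name FROM products WHERE published = 1 AND sku = ?"
    return [row[0] for row in conn.execute(sql, (sku,))]


def demo() -> dict:
    # Runs both lookups with an ordinary SKU and with a constructed value that
    # contains a quote character, returning the four result lists.
    conn = make_db()
    normal = "A100"
    crafted = "' OR '1'='1"  # constructed input with an embedded quote
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # condition collapses, all rows leak
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),  # treated as a SKU string, no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Only the parameterised version keeps the unpublished row hidden; the concatenated version lets the `AND`/`OR` precedence of the spliced text rewrite the WHERE clause.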

References: