Cornucopia - Ecommerce Website - VE 7

Suit: Data Validation and Encoding

Card/Value: 7

Description:
Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed.

Technical Note:
Without knowing the character encoding accurately, data validation routines could be inadequate. A web application firewall, a web server, an application server, a database server, and other interpreters could each be susceptible, and susceptible in different ways, to malicious character encoding issues.

Common protection techniques include:
 * Specify proper character sets, such as UTF-8, for all sources of input.
 * Encode data to a common character set before validating (Canonicalize).
 * Use system components that support UTF-8 extended character sets and validate data after UTF-8 decoding is completed.

NB: The key concept for this card is encoding.

References:
« Previous Card | Data Validation and Encoding | Next Card »