Cornucopia - Ecommerce Website - VE 10

Suit: Data Validation and Encoding

Card/Value: 10

Description:
Jerry can exploit the trust the application places in a source of data (e.g. user-definable data, manipulation of locally stored data, alteration to state data on a client device, or lack of verification of identity during data validation, such as Jerry pretending to be Colin).

Technical Note:
Trust management is a popular technique for implementing information security, and specifically for access control policies. All data sources of an application are classified into groups with varying degrees of trust. When doing this, it is imperative to ensure that trusted sources cannot be spoofed. Spoofing can be done in many ways. Attackers who are identified as trusted users, or who are in a trusted zone with bad authentication techniques, can do all sorts of things, depending on the services, such as:
 * Reflection attack.
 * Principal Spoof.
 * JSON Hijacking.
 * Registry Poisoning.
 * MITM.
 * XSS.
 * Sniffing.
 * Data tampering.
 * Code Injection.
 * DoS.
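
The following is an added example, not part of the original card: it contrasts a checkout total that trusts state data held on the client with one that verifies integrity, checks identity against the session, and reprices from server data. The key, catalogue, function names and cart layout are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data (assumptions, not from the card).
SERVER_KEY = b"constructed-demo-key"             # kept server-side only
CATALOGUE = {"sku-100": 1999, "sku-200": 4500}   # prices in cents


def issue_cart(user_id, items):
    """Serialise cart state for the client and bind it to the user with an HMAC tag."""
    body = json.dumps({"user": user_id, "items": items}, sort_keys=True)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def total_trusting_client(cart_json):
    """Weak: believes whatever prices the client sends back."""
    cart = json.loads(cart_json)
    return sum(i["price"] * i["qty"] for i in cart["items"])


def total_verified(cart_json, tag, session_user):
    """Hardened: verify integrity, verify identity, reprice from server data."""
    expected = hmac.new(SERVER_KEY, cart_json.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cart state was modified on the client")
    cart = json.loads(cart_json)
    # Identity comes from the authenticated session, not from the submitted data.
    if cart["user"] != session_user:
        raise PermissionError("cart belongs to a different user")
    total = 0
    for item in cart["items"]:
        qty = item["qty"]
        if item["sku"] not in CATALOGUE or type(qty) is not int or not 1 <= qty <= 100:
            raise ValueError("invalid cart line")
        total += CATALOGUE[item["sku"]] * qty  # price from the server, never the client
    return total
```
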
