Cornucopia - Ecommerce Website - VE 4

Suit: Data Validation and Encoding

Card/Value: 4

Description:
Dave can input malicious field names or data because it is not being checked within the context of the current user and process.

Technical Note:
Malicious data can be introduced voluntarily (as part of an attack) or involuntarily (e.g. XSS). Some input checks should be dependent upon the function or user's context (e.g. the data is valid for one user but not another). There are many alternatives to this kind of attack: Depending of the target of the attack, the results of this type of input varies widely:
 * Tampering request types, URLs, cookies, session identifiers, fields or values that are not validated.
 * Adding, removing or duplicating request fields or values to exploit code behaviour (e.g. mass parameter assignment, parameter pollution, passing partial authentication data).
 * Sending requests that are processed independently of the user activities (stage, amout of requests, privileges).
 * Fuzzing a file input.
 * Information disclosure (error logs, system responses, etc.).
 * Operations tampering (SQLi, eShoplifting).
 * Denial of Service.
 * Spoofing.
 * Code execution.

NB: This card relates to context-specific input validation. See VE 3 for the similar generic input validation checks.

References:
« Previous Card | Data Validation and Encoding | Next Card »