This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Cornucopia - Ecommerce Website - VE K
Suit: Data Validation and Encoding
Card/Value: K
Description:
Gabe can inject data into a server-side interpreter (e.g. SQL, OS commands, XPath, server-side JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly.
Technical Note:
Due to a failure of server-side input or output validation, encoding or sanitization, malicious code can be injected and treated as code rather than data, leading to code execution in the server application.
NB: This relates to actual exploitation of an injection vulnerability on the server side. See VE Q for the same attack client-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing, bypassable or badly-implemented input/output validation, encoding or sanitization).
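As an added illustration of the condition this card describes (example code written for this page, not part of the Cornucopia card or the OWASP wiki): a lookup that splices an untrusted value into the SQL text, beside a strongly typed, parameterised version of the same lookup, both run against a constructed in-memory SQLite table. The `customers` schema, its three rows and the tautology input are constructed for the example; with the concatenated query the same input is interpreted as code and matches every row, while the parameterised query binds it as data and matches nothing.

```python
import sqlite3

# Constructed demo data: three fictitious customers in an in-memory database.
CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]

# Constructed input: a value that reads as SQL code when spliced into query text.
TAUTOLOGY_INPUT = "' OR '1'='1"


def make_db():
    """Create the in-memory table the example queries run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO customers (email, name) VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_concatenated(conn, email):
    """Vulnerable form (the VE K condition): the value becomes part of the SQL
    text, so the interpreter cannot distinguish data from code."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, email):
    """Hardened form: the value is passed to a parameterised interface and is
    bound as data, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM customers WHERE email = ?", (email,))
    return [row[0] for row in rows]


def lookup_by_id(conn, customer_id):
    """Strongly typed form: only an int may reach the query interface; any other
    type is rejected before the interpreter sees it."""
    if not isinstance(customer_id, int) or isinstance(customer_id, bool):
        raise TypeError("customer_id must be an int")
    rows = conn.execute("SELECT name FROM customers WHERE id = ?", (customer_id,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups against the same input and return the results side by side."""
    conn = make_db()
    return {
        "concatenated": lookup_concatenated(conn, TAUTOLOGY_INPUT),
        "parameterised": lookup_parameterised(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `lookup_by_id` variant shows the "strongly typed" half of the card's wording: a parameter whose type is enforced at the application boundary never reaches the interpreter as free text, which is why the card treats a typed, parameterised interface as the control rather than escaping.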
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 15, 19, 20, 21, 22, 167, 180, 204, 211, 212 | 5.10, 5.11, 5.12, 5.13, 5.14, 5.16 | CIE1, CIE2 | 23, 28, 76, 152, 160, 261 | 2, 19 |