Cornucopia - Ecommerce Website - VE Q
Suit: Data Validation and Encoding
Card/Value: Q
Description:
Geoff can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes.
Technical Note:
Due to a failure of client-side input or output validation, encoding or sanitization, malicious code can be injected and treated as code rather than data, leading to code execution in the client application.
NB: This relates to actual exploitation of an injection vulnerability on the client-side. See VE K for the same attack server-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing/by-passable/badly-implemented input/output validation, encoding or sanitization).
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 10 | 5.16 | IE1 | 28 | 2 |
| 15 | | RP3 | 31 | 17 |
| 16 | | | 152 | |
| 19 | | | 160 | |
| 20 | | | 468 | |