
Cornucopia - Ecommerce Website - VE 10

From OWASP
Revision as of 14:18, 21 January 2016 by Dariodf (page created)

[Card image: Cornucopia - Ecommerce Website VE 10.png]

Suit: Data Validation and Encoding

Card/Value: 10

Description:

Jerry can exploit the trust the application places in a source of data (e.g. user-definable data, manipulation of locally stored data, alteration of state data on a client device, or a lack of identity verification during data validation, so that Jerry can pretend to be Colin).

Technical Note:

Trust management is a popular technique for implementing information security, and specifically for access control policies. All data sources of an application are classified into groups with varying degrees of trust. When doing this, it is imperative to ensure that trusted sources cannot be spoofed. Spoofing can be done in many ways:

  • Reflection attack.
  • Principal spoofing.
  • JSON hijacking.
  • Registry poisoning.
  • MITM.
  • XSS.

Attackers who are identified as trusted users, or who sit in a trusted zone protected by weak authentication, can do all sorts of things depending on the services exposed, such as:

  • Sniffing.
  • Data tampering.
  • Code Injection.
  • DoS.
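
The following is an added example, not part of the original card or of any OWASP project code. It shows the core of the technical note in code: data sources are classified by trust, and an untrusted source (request parameters, a cart stored on the client) is never allowed to stand in for a trusted one (a server-issued session, the server-side price catalog). The vulnerable handler lets "Jerry" claim to be "Colin" and set his own prices; the hardened handler derives identity only from an HMAC-signed session and prices only from the catalog. All names, SKUs, prices and the server key are constructed for illustration.

```python
"""Added example: trust classification of data sources in a checkout handler.

Untrusted sources: request parameters and the client-stored cart.
Trusted sources:   the server-issued session (after HMAC verification) and the
                   server-side catalog. Everything below is constructed demo data.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Trusted source: the server's own price catalog (prices in cents, constructed).
CATALOG: Dict[str, int] = {"sku-100": 4999, "sku-200": 1500}


def issue_session(user: str) -> str:
    """Server side: bind a user name to an HMAC tag so the client cannot forge it."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_session(token: str) -> Optional[str]:
    """Return the user the server itself signed, or None if the token is forged or altered."""
    user, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many tag bytes matched.
    return user if hmac.compare_digest(tag, expected) else None


@dataclass
class Request:
    params: Dict[str, str]   # untrusted: whatever the client chose to send
    cookies: Dict[str, str]  # untrusted bytes; trusted only after verify_session


def checkout_vulnerable(req: Request) -> Tuple[str, int]:
    """Trusts two untrusted sources: the 'user' parameter decides identity and the
    client-stored cart decides prices. Jerry sends user=colin and price=1."""
    user = req.params["user"]
    cart: List[dict] = json.loads(req.params["cart"])
    total = sum(int(item["price"]) * int(item["qty"]) for item in cart)
    return user, total


def checkout_hardened(req: Request) -> Tuple[str, int]:
    """Identity comes only from the verified session; prices only from the catalog.
    The client-stored cart may choose SKUs and quantities, nothing more."""
    user = verify_session(req.cookies.get("session", ""))
    if user is None:
        raise PermissionError("no verified identity for this request")
    cart: List[dict] = json.loads(req.params["cart"])
    total = 0
    for item in cart:
        sku = item.get("sku")
        qty = int(item.get("qty", 0))
        if sku not in CATALOG or qty <= 0:
            raise ValueError(f"rejected cart item {item!r}")
        total += CATALOG[sku] * qty  # any client-supplied 'price' is ignored
    return user, total


if __name__ == "__main__":
    # Constructed request: Jerry holds a real session as 'jerry' but claims to be
    # 'colin' in a parameter and ships a cart with a 1-cent price.
    jerry = Request(
        params={"user": "colin", "cart": '[{"sku": "sku-100", "qty": 1, "price": 1}]'},
        cookies={"session": issue_session("jerry")},
    )
    print("vulnerable:", checkout_vulnerable(jerry))  # ('colin', 1)
    print("hardened:  ", checkout_hardened(jerry))    # ('jerry', 4999)
```

Run stand-alone, the script prints the two outcomes side by side: the vulnerable handler bills Colin one cent for Jerry's order, while the hardened handler bills Jerry the catalog price. A forged cookie such as `colin.0000` fails `verify_session` and is rejected with `PermissionError` before the cart is even parsed, which is the point of the note: trust is attached to a source only after the server has proven the source is what it claims to be.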

References:

OWASP SCP: 2, 19, 92, 95, 180
OWASP ASVS: 10.6
OWASP AppSensor: IE4, IE5
CAPEC: 12, 51, 57, 90, 111, 145, 194, 195, 202, 218, 463
SAFECODE: 14

