Cornucopia - Ecommerce Website - VE 10
Jerry can exploit the trust the application places in a source of data (e.g. user-definable data, manipulation of locally stored data, alteration of state data on a client device, or a lack of identity verification during data validation, so that Jerry can pretend to be Colin).
Trust management is a popular technique for implementing information security, and specifically for access control policies. All data sources of an application are classified into groups with varying degrees of trust. When doing this, it is imperative to ensure that trusted sources cannot be spoofed. This spoofing can be done in many ways:
- Reflection attack.
- Principal Spoof.
- JSON Hijacking.
- Registry Poisoning.
Attackers who are accepted as trusted users, or who sit in a trusted zone protected by weak authentication, can do a great deal depending on the services exposed, such as:
- Data tampering.
- Code Injection.
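The card text above describes trusting client-held identity and state; the following is an added example (not part of the Cornucopia card or any OWASP project code) showing an order handler that trusts everything the client sends beside a hardened handler that takes identity from a server-side session, prices from a server-side catalogue, and accepts client-stored cart state only when its HMAC is intact. The price list, session store and secret key are constructed placeholders.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed sample data standing in for database lookups and a secrets store.
PRICE_LIST = {"sku-100": 2500, "sku-200": 999}  # prices in cents, server-side
SESSIONS = {"sess-abc": "colin"}                 # session id -> authenticated user
SECRET_KEY = b"hypothetical-server-secret"      # assumed to be loaded from a secrets store


def place_order_trusting_client(request: dict) -> dict:
    """Insecure pattern: identity, price and quantity all originate from the client.
    Jerry can send user='colin' and price=1 and the server believes both."""
    return {
        "user": request["user"],
        "sku": request["sku"],
        "total": request["price"] * request["qty"],
    }


def sign_state(state: dict) -> str:
    """Serialize state that will live on the client and attach an HMAC tag,
    so that any alteration of the stored data is detectable on return."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_state(token: str) -> Optional[dict]:
    """Return the client-held state only if its HMAC matches; None on any tampering
    or malformed token. compare_digest avoids leaking the tag via timing."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def place_order_hardened(session_id: str, cart_token: str) -> Optional[dict]:
    """Identity comes from the server session, prices from the server catalogue,
    and the cart state from the client is used only after its signature checks."""
    user = SESSIONS.get(session_id)
    if user is None:
        return None  # unauthenticated: nothing in the request body can vouch for identity
    cart = verify_state(cart_token)
    if cart is None:
        return None  # signature failed: the cart was altered on the client
    sku, qty = cart.get("sku"), cart.get("qty")
    # A valid signature proves origin, not sanity: value checks still apply.
    if sku not in PRICE_LIST or not isinstance(qty, int) or not 0 < qty <= 100:
        return None
    return {"user": user, "sku": sku, "total": PRICE_LIST[sku] * qty}
```

The signed token only proves that the server produced the state; it does not make the state trustworthy in other respects, which is why the hardened handler still validates the SKU and quantity and never reads a price from the client at all.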
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|