This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cornucopia - Ecommerce Website - VE 4"
(Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE 4</span>}} File:Cornucopia_-_Ecommerce_Website_VE_4....") |
|||
Line 14: | Line 14: | ||
* Tampering request types, URLs, cookies, session identifiers, fields or values that are not validated. | * Tampering request types, URLs, cookies, session identifiers, fields or values that are not validated. | ||
* Adding, removing or duplicating request fields or values to exploit code behaviour (e.g. mass parameter assignment, parameter pollution, passing partial authentication data). | * Adding, removing or duplicating request fields or values to exploit code behaviour (e.g. mass parameter assignment, parameter pollution, passing partial authentication data). | ||
− | * Sending requests that are processed independently of the user activities (stage, | + | * Sending requests that are processed independently of the user activities (stage, amount of requests, privileges). |
* Fuzzing a file input. | * Fuzzing a file input. | ||
Depending of the target of the attack, the results of this type of input varies widely: | Depending of the target of the attack, the results of this type of input varies widely: |
Latest revision as of 20:02, 29 March 2016
Suit: Data Validation and Encoding
Card/Value: 4
Description:
Dave can input malicious field names or data because it is not being checked within the context of the current user and process.
Technical Note:
Malicious data can be introduced voluntarily (as part of an attack) or involuntarily (e.g. XSS). Some input checks should be dependent upon the function or user's context (e.g. the data is valid for one user but not another). There are many alternatives to this kind of attack:
- Tampering request types, URLs, cookies, session identifiers, fields or values that are not validated.
- Adding, removing or duplicating request fields or values to exploit code behaviour (e.g. mass parameter assignment, parameter pollution, passing partial authentication data).
- Sending requests that are processed independently of the user activities (stage, amount of requests, privileges).
- Fuzzing a file input.
Depending of the target of the attack, the results of this type of input varies widely:
- Information disclosure (error logs, system responses, etc.).
- Operations tampering (SQLi, eShoplifting).
- Denial of Service.
- Spoofing.
- Code execution.
NB: This card relates to context-specific input validation. See VE 3 for the similar generic input validation checks.
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
---|---|---|---|---|
8 | 5.17 | RE3 | 28 | 24 |
10 | 15.2 | RE4 | 31 | 35 |
183 | 15.3 | RE5 | 48 | |
15.10 | RE6 | 126 | ||
AE8 | 162 | |||
AE9 | 165 | |||
AE10 | 213 | |||
AE11 | 220 | |||
SE1 | 221 | |||
SE3 | 261 | |||
SE4 | ||||
SE5 | ||||
SE6 | ||||
IE2 | ||||
IE3 | ||||
IE4 | ||||
HT1 | ||||
HT2 | ||||
HT3 |