This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Cornucopia - Ecommerce Website - VE 4

From OWASP
Revision as of 20:02, 29 March 2016 by Dariodf (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Cornucopia - Ecommerce Website VE 4.png

Suit: Data Validation and Encoding

Card/Value: 4

Description:

Dave can input malicious field names or data because it is not being checked within the context of the current user and process.

Technical Note:

Malicious data can be introduced voluntarily (as part of an attack) or involuntarily (e.g. XSS). Some input checks should be dependent upon the function or user's context (e.g. the data is valid for one user but not another). There are many alternatives to this kind of attack:

  • Tampering request types, URLs, cookies, session identifiers, fields or values that are not validated.
  • Adding, removing or duplicating request fields or values to exploit code behaviour (e.g. mass parameter assignment, parameter pollution, passing partial authentication data).
  • Sending requests that are processed independently of the user activities (stage, amount of requests, privileges).
  • Fuzzing a file input.

Depending of the target of the attack, the results of this type of input varies widely:

  • Information disclosure (error logs, system responses, etc.).
  • Operations tampering (SQLi, eShoplifting).
  • Denial of Service.
  • Spoofing.
  • Code execution.

NB: This card relates to context-specific input validation. See VE 3 for the similar generic input validation checks.

References:

OWASP SCP OWASP ASVS OWASP AppSensor CAPEC SAFECODE
8 5.17 RE3 28 24
10 15.2 RE4 31 35
183 15.3 RE5 48
15.10 RE6 126
AE8 162
AE9 165
AE10 213
AE11 220
SE1 221
SE3 261
SE4
SE5
SE6
IE2
IE3
IE4
HT1
HT2
HT3


« Previous Card | Data Validation and Encoding | Next Card »