This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Cornucopia - Ecommerce Website - VE J

Revision as of 14:19, 21 January 2016 by Dariodf (talk | contribs) (Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE J</span>}} File:Cornucopia_-_Ecommerce_Website_VE_J....")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Cornucopia - Ecommerce Website VE J.png

Suit: Data Validation and Encoding

Card/Value: J


Dennis has control over input validation, output validation or output encoding code or routines so they can be bypassed.

Technical Note:

Validation and encoding are sometimes undertaken in client applications or external sources that interact with the system. This is a bad practice, as external sources are usually more vulnerable to attacks, can be spoofed and are generally less accountable for malicious behaviour. An attacker can try to bypass these routines using non-controlled unexpected behaviour:

  • Modifying/deleting code.
  • Generating unexpected handcrafted requests.
  • Use an automated exploring tool (web crawler) to get information about the file structure and then try to access well known resource locations.
  • Abusing an ill-defined zone of trust.
  • Modifying data between the client application and the server (e.g. Trojan, modification in transit)
  • XSS.

In general, all validation and encoding routines should be on the server-side using robust, tested and protected routines.

NB: Unlike other cards in this suit, this VE J relates to an attacker being able to change the executing code. This may be due to inadequate source code control, deployment controls or server protection, but is more often a standard feature of client-side code.


1 5.5 RE3 56 2
17 RE4 87 17

« Previous Card | Data Validation and Encoding | Next Card »