This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cornucopia - Ecommerce Website - VE Q"
(Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE Q</span>}} {{DISPLAYTITLE:<span style="padding:2px 5px...") |
|||
| Line 1: | Line 1: | ||
| − | |||
{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE Q</span>}} | {{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE Q</span>}} | ||
[[File:Cornucopia_-_Ecommerce_Website_VE_Q.png|frame|right]] | [[File:Cornucopia_-_Ecommerce_Website_VE_Q.png|frame|right]] | ||
Latest revision as of 14:20, 21 January 2016
Suit: Data Validation and Encoding
Card/Value: Q
Description:
Geoff can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes.
Technical Note:
Due a failure of client-side input or output validation, encoding or sanitization, malicious code can be injected and treated as code rather than data, leading to code execution in the client application.
NB: This relates to actual exploitation of an injection vulnerability on the client-side. See VE K for the same attack server-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing/by-passable/badly-implemented input/output validation, encoding or sanitization).
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 10 | 5.16 | IE1 | 28 | 2 |
| 15 | RP3 | 31 | 17 | |
| 16 | 152 | |||
| 19 | 160 | |||
| 20 | 468 |
