
Cornucopia - Ecommerce Website - VE Q


Suit: Data Validation and Encoding

Card/Value: Q

Description:

Geoff can inject data into a client-side or device-side interpreter because a parameterised interface is not being used or has not been implemented correctly, because the data has not been encoded correctly for the context in which it is output, or because there is no restrictive policy on which code or data may be included.

Technical Note:

Due to a failure of client-side input or output validation, encoding or sanitisation, malicious data can be injected and treated as code rather than data, leading to code execution in the client application (for example, DOM-based cross-site scripting in a browser).

NB: This card relates to actual exploitation of an injection vulnerability on the client side. See VE K for the same attack server-side, and other cards in this suit for individual data validation and encoding issues (e.g. missing, bypassable or badly implemented input/output validation, encoding or sanitisation).

References:

OWASP SCP: 10, 15, 16, 19, 20
OWASP ASVS: 5.16
OWASP AppSensor: IE1, RP3
CAPEC: 28, 31, 152, 160, 468
SAFECODE: 2, 17
