Monday, January 19, 2009

Technical vulnerabilities

• Unvalidated input:
o Tainted parameters - Parameters users in URLs, HTTP headers, and forms are often used to control and validate access to sensitive information.
o Tainted data
• Cross-Site Scripting flaws:
o XSS takes advantage of a vulnerable web site to attack clients who visit that web site. The most frequent goal is to steal the credentials of users who visit the site.
• Content Injection flaws:
o Data injection
o SQL injection - SQL injection allows commands to be executed directly against the database, allowing disclosure and modification of data in the database
o XPath injection - XPath injection allows attacker to manipulate the data in the XML database
o Command injection - OS and platform commands can often be used to give attackers access to data and escalate privileges on backend servers.
o Process injection
• Cross-site Request Forgeries

No comments: