Input Validation Attacks
Accepting input from users on the Internet or even an Intranet is fraught with danger. The correct way to design an application is to only accept input in a format you are expecting and can process, rejecting all other input.
The default way to design is, of course, to allow all, and needless to say most applications choose to filter specific things in an attempt to prevent certain types of problems. The common attacks that exploit inadequacies in input filters are listed in this section. They range from allowing users to directly make calls to the back-end databases, to users being able to steal other users' credentials through attacks like cross-site scripting. There is a long history of these problems, yet they are still common. A slew of these sorts of attacks has recently been discovered in high-profile commercial applications like Entrust.
Hackers will typically try all user input form fields for these problems.
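The contrast between the two designs described above, as an added example that is not part of the original page: a default-allow filter that blocks specific strings, beside a default-deny validator that accepts only the expected format. The field names, formats, denylist entries and sample values are assumptions constructed for illustration.

```python
import re
import unicodedata

# Hypothetical form schema: field names and formats are assumptions for this example.
SCHEMA = {
    "username": re.compile(r"[a-z0-9_]{3,20}"),
    "age": re.compile(r"[0-9]{1,3}"),
    "filename": re.compile(r"[A-Za-z0-9_-]{1,32}\.(?:txt|pdf)"),
}

# The "filter specific things" approach: a short list of known-bad substrings.
DENYLIST = ("<script", "../", "'")


def denylist_ok(value):
    """Default-allow: passes anything that lacks a listed substring."""
    return not any(bad in value for bad in DENYLIST)


def validate(form):
    """Default-deny: return the canonical values or raise ValueError."""
    unknown = set(form) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    cleaned = {}
    for name, pattern in SCHEMA.items():
        if name not in form:
            raise ValueError(f"missing field: {name}")
        # Canonicalize once, then check the same string later code will use.
        value = unicodedata.normalize("NFKC", form[name])
        # fullmatch() anchors both ends; "$" with match() would allow a trailing newline.
        if not pattern.fullmatch(value):
            raise ValueError(f"rejected field: {name}")
        cleaned[name] = value
    return cleaned


def accepts(form):
    """True if validate() accepts the form, False if it rejects it."""
    try:
        validate(form)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = {"username": "alice_01", "age": "34", "filename": "notes.txt"}
    # Constructed filename values the denylist passes but the schema rejects.
    for name in ("..%2Fnotes.txt", "notes.txt\x00.pdf", "notes.TXT "):
        print(repr(name), denylist_ok(name), accepts({**good, "filename": name}))
```

Downstream code should use the dictionary returned by `validate()`, not the raw form, so that the string that was checked is the string that gets processed.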
Input Validation
Client Side Validation
Cross-Site Scripting
Direct OS Command
Direct SQL Commands
Path Traversal
Meta Characters
Null Characters
Canonicalization
Case Sensitivity
Unicode Encoding
URL Encoding
File System/OS Specific Issues
Extension Handling
MIME Handling